The widespread acknowledgement of the so-called advanced persistent threat and the growing influx of emerging technologies into the workplace is an alarming one-two punch that surely has led to sleepless nights for many security professionals. But if there is any sense of comfort to come of today's complex – and seemingly unprecedented – IT security challenges, innovation might be it, say experts.
Since the burst of the dot-come bubble more than a decade ago, the marketplace has been mired in a compliance slump, many say, in which product creation and resulting sales largely have been driven by the need for organizations to satisfy security checklists. Of course, there are notable exceptions, but as a general rule, buyers have not called on vendors to create best-of-breed solutions because their main priorities rest with easing the compliance headache and appeasing auditors.
“Compliance is a big burden on innovation,” says Ravi Sandhu, executive director of the Institute for Cybersecurity at the University of Texas at San Antonio. “People have developed innovative compliance tools, but compliance by itself is an overall drag on achieving real security. It kind of distracts you from the real problems.”
And there are, indeed, real problems. Between well-funded, clandestine corporate raids and the arrival of technologies – such as cloud computing, mobile devices and Web 2.0 – into the business environment, the curtain has been raised on just what security practitioners are now up against.
“Those things are happening in parallel,” says Alberto Yépez, managing director of Trident Capital, a venture capital firm based in Palo Alto, Calif. “That's why the need for security products and innovation is paramount right now. It is happening faster than the PC ever took off.”
The best response, some say, is with cutting-edge ideas.
Douglas Maughan, director of the cybersecurity division at the U.S. Department of Homeland Security's Advanced Research Projects Agency (HSARPA), part of the Science and Technology Directorate, is trying to isolate those breakthrough inspirations.
One of the responsibilities of Maughan and his team is to seed small businesses with capital to create new innovation and transition to the marketplace. DHS selects one category each year – 2010 was network survivability, recovery and recognition; 2009 was software assurance tools and techniques – and then solicits proposals from prospective candidates. (This year's category is expected to be announced soon.)
Five companies win Phase One funding, which totals about $100,000 and is used to create a prototype. If the design is promising enough to HSARPA evaluators, one or two of those firms receive another $750,000 to further develop the product so it can become commercialized.
Some rookie companies actually prefer to deal with government rather than seek support from angel or private investors.“Not all small entrepreneurs know how to navigate the venture landscape,” Maughan says.
He says the program, known as SBIR, or Small Business Innovative Research, is done to not only help those fledgling organizations that need a financial boost, but also to carry out a primary mission of DHS: to protect critical infrastructure. The hope, he says, is that the products that make it to market help accomplish exactly that.
And there have been numerous HSARPA success stories. Since 2004, SBIR has provided Phase Two funding rounds for 22 companies, resulting in eight commercial products currently available. Three of the winning firms have carried their maturity all the way to acquisition.
Maughan points to an eight-employee business, Komoku, founded in 2004. The firm, which sprung out of the University of Maryland, built rootkit detection technology.
“By the time we hit 2007, malware was very prevalent, and they were being courted by McAfee, Symantec and Microsoft,” Maughan recalls. (Microsoft ended up buying Komoku in 2008 for an undisclosed amount.)
Another HSARPA initiative is known as the Broad Agency Announcement (BAA), which bankrolls a wider array of organizations, including academic entities, large businesses and research labs that create ideas that fall under one of 14 topics, including metrics, usability and combating insider threats – the latter, an area with obvious growth opportunity considering the developments around WikiLeaks.
BAA entries are judged on their potential, and winners can receive up to a few million dollars to put toward research, development and getting the product tested and out to market.
“SBIR is usually a specific topic, whereas Broad Agency Announcement is not looking for a specific solution,” Maughan says. “It gives people more room to think outside the box.”
Young blood
Based on recent statistics, now would appear to be an ideal time to join the security arena. According to Gartner, worldwide security software revenue was forecast to surpass $16.5 billion in 2010, an 11.3 percent increase from 2009.
Most of that revenue is being earned by the largest IT players and system integrators, however. Many of these vendors have built up robust product lines, thanks in part to mergers and acquisitions (M&A).
Last year certainly was an active one on the M&A front. Between July 1 and Oct. 4, the security industry saw $10 billion in deals, punctuated by Intel's $7.68 billion buy of McAfee. Still, despite the widespread trend of cash-rich Silicon Valley tech giants swallowing security-specific vendors, Mark Heesen, president of the National Venture Capital Association (NVCA), says there remains “tremendous promise” for start-ups – this, despite the fact that investment in security steadily has dropped over the past decade.
According to statistics from PricewaterhouseCoopers, NVCA and Thomson Reuters, the amount of venture investment in software security peaked at nearly $1.1 billion (103 deals) in 2000 before falling sharply following the bubble bursting. The number of deals spiked again in the mid-2000s, only to fall to a mere 45 in 2009, with $186 million in investment.
The economy isn't the only factor that may deter start-up capital. According to Elad Yoran, founder and CEO of Security Growth Partners, losing pure-plays, such as McAfee and ArcSight, also can discourage investment.
“Companies like these play a critical role in the security market ecosystem as natural acquirers of innovative security start-ups,” Yoran wrote in a recent column for SC Magazine. “With fewer potential buyers, fewer ‘liquidity events' will result, and VCs and other early-stage investors will be even less willing to back security start-ups.”
As a result, those companies that fail to invoke the fundamentals – a large market opportunity, differentiated intellectual property, a proven team, a go-to market strategy and committed investors – will find significant barriers to entry, says Yépez of Trident Capital.
But if innovation is to survive and prosper, the burden will fall on these start-ups. “Despite major vendors seeking to consolidate, opportunities exist for smaller niche players and product specialization, and local expertise is expected to remain a valued factor,” says Matthew Cheung, senior research analyst at Gartner.
That is because many of the larger solution providers, especially those that are public companies, have slashed their research-and-development (R&D) budgets over the past decade or so due to factors such as the dot-com bust and the 2008 financial collapse, says Yépez.
“They report their financials on Wall Street,” he says. “They get measured on their growth and their bottom line. Investing too much in research takes away from profitability…The ability to spend in R&D is always compromised when the market is not growing.”
To keep pace, many bellwethers now actually consider acquisitions to be the modern-day equivalent of home-grown R&D. But even if the security field is indeed entering another golden age of innovation, it won't come to fruition if businesses keep their checkbooks in their pockets due to increased budget pressures.
“We can innovate until the cows come home, but if people don't buy…” Yépez says.
Innovation defined
So exactly what kind of innovation needs to happen? Certainly difficult-to-detect threats – such as Operation Aurora, Zeus and Stuxnet – the rise of cloud computing, the emergence of consumer technologies in the workplace, and growing internet connectivity for everything ranging from microwaves to the power grid all are calling for the development of specific solutions to combat the problems they present.
But point solutions may not be the answer, says Jon Oltsik, principal analyst at Enterprise Strategy Group. Instead, there needs to be technology built that can solve scaling issues and track real-time threats to provide an overall, up-to-the-minute answer of what is happening in one's environment.
“The definition of innovation is changing in security,” he says. “It has got to be broader-based. It has got to be adding value to existing threat management tools or adding a layer of integration into the overall security landscape…I really think the next level of innovation is going to be big innovation, [with] a couple of rounds of funding of $100 million.”
Adrian Lane, analyst and CTO at Securosis, an IT security research and advisory firm, agrees that many of the mechanisms necessary to combat today's threats are in place – they now must be integrated and consolidated in such a way to make them more effective.
“I am not really seeing any new technologies or innovation,” he opines in a recent blog post. “[There are] not a lot of problems that we don't have some solutions for. Have we reached a point where the flood of innovation has created enough tools, and now we just need to use them properly?”
His vision may prove prescient around identity management. “I think most enterprises have done some kind of identity management or single sign-on,” the University of Texas' Sandhu says. “But they are now facing a situation where services in the cloud are being offered by external parties. They'll have to integrate their internal ID management systems with external ones, and that's going to be a challenge.”
But start-ups must be careful not to innovate for the sake of innovation, Yépez says. He recalls public key infrastructure, or PKI, which was wrought with cost and complexity challenges, and as a result, shunned by many organizations for years.
“Security innovation comes out of necessity,” he says. “We need more innovation because we are not able to contain the attacks…It comes because you and I want to be able to do our Christmas shopping [online without being infected].”
And while some, like Maughan, insist that compliance has not completely stymied innovation – he simply believes that compliance mandates should include avant-garde requirements, such as DNSSEC – the threat terrain may be the one soon steering security dollars.
“I don't think compliance is going to drive the ship much longer,” Oltsik says. “Unless compliance gets a lot more strict, I'd say the threat landscape is much more likely to impact you than a compliance violation.”
No matter what the drivers, Maughan is hopeful that innovation in cybersecurity has become a discipline it its own right. In fact, top IT officials in Washington recently announced a partnership among Maughan's division, the National Institute of Standards and Technology (NIST) and the Financial Services Sector Coordinating Council, which represents banks, insurance companies and investment firms. The goal of the alliance is to “accelerate the deployment of network test beds for specific use cases that strengthen the resiliency, security, integrity and usability of financial services and other critical infrastructures' functions, processes and people,” according to blog post written by federal CTO Aneesh Chopra, and Howard Schmidt, national cybersecurity coordinator.
“I think there's more interest than ever,” Maughan says, pointing to a recent “Industry Day” that attracted nearly 700 security technologists and enthusiasts wanting to learn about how DHS can help them secure funding for new projects.
One of those just may turn out to be the next Komoku, the rootkit detection start-up whose technology is now part of the Windows Update process.
“A small government investment is now deployed on 500 million machines globally,” Maughan likes to point out.
