Critical Infrastructure Security

2013 Industry Innovators: Data protection

Data protection is, of course, a rather large group that covers a lot of territory and encompasses a variety of tools and services. The idea of data protection is at the core of information security. After all, if it were not for the data, we wouldn't need all of these elaborate protections. So, as we've said many times, since it's all about the data why not go straight to the data and protect it directly? Easier to say, as is the case with most types of protection in our digital world, than it is to do.

There is more than one mode of data protection. One is ensuring that data is not exfiltrated from within the enterprise as the result of some sort of malware or a malicious (or careless) user. Another is avoiding the frauds that encourage careless behavior on the part of employees. Yet another is a hybrid approach that ties many levels of protection together on a single coherent platform. We saw all of those this year. And we are treating one of the vendors somewhat differently than in previous years.

In previous years, we have looked at a flagship product and used that as the exemplar for the organization. We picked a product that was, as well, particularly innovative in its own right. We did that this year, mostly, but we have begun – starting over the past couple of years – to see the integrated platform with clip-in modules more and more frequently. This year, in this group, we saw that especially prominently. So much so that we saw that itself as the innovation and have treated it as such. However, it is our bet that you will see more and more of this until it defines the industry. The real change is that increasingly the snap-in modules may be third-party products or tools. That is a big deal in our view.

So, with all of that as background, let's take a look at some intriguing products and companies, not to mention platforms. This group might well be a harbinger of things to come in future years. At any rate, we here in SC Labs certainly think so.


We were looking at our notes for this Innovator and at the top of the page, we scribbled: Not your father's AV. If ever there was a true statement about Damballa, that would have to be it in a nutshell. The current thinking about malware infections is: “You're infected. Get over it.” Getting over it means that the big problem is not stopping the infection, it's containing it and preventing damage. That is exactly what this Innovator does, and it does that in a clever way. While other anti-malware products use signatures, behavior analysis (of the malware) and heuristics to root out suspected bugs, Damballa uses behavior of the network to tell it where the infections are.


Vendor: Damballa 

Flagship Product: Failsafe

Cost: $51,180/year (includes hardware and software support). 

Innovation: Focuses on rapid threat containment instead of threat entry prevention. 

Greatest Strength: Use of Big Data paradigm to pinpoint malware infections without signatures and without delay..

This Innovator places appliances in the enterprise and analyzes data flows and changes in network behavior that indicate an infection. By applying Big Data constructs and doing the analysis in the cloud, the product takes advantage of 22.5 billion records per day that the Damballa data scientists can use for analysis. This is a technical, mathematically-intensive approach and it applies Big Data in ways that it never yet has been applied in the malware world. These records come from sources on an ongoing basis.

As the data scientists at Damballa come up with new behavioral models based on their analysis of new data received, they deploy the models to the sensors on the networks being protected. This allows a granular analysis of network behavior and application of the newest models immediately. The short description of this process is: study the data, analyze the network traffic, build models, discover which devices are infected, and take action.

This approach works well because the behavioral model is the key. Signatures are either too tight to be of use or too loose to avoid false positives. It is important to track activity over time rather than focusing on an individual event. 

Often Damballa is well ahead of the AV industry in containing an infection on a network. This is because this Innovator is more interested in watching the network traffic and looking for illicit communications.



Vendor: Fixmo 

Flagship Product: Fixmo EMP (Enterprise Mobility Platform) 

Cost: $5/per device/per month. 

Innovation: Separates personal apps and data from organizational apps and data on tablets and smartphones in a BYOD environment. 

Greatest Strength: Clear vision of the problem and the solution along with the ability to execute on the vision.

Fixmo solves a very important problem: The need to separate personal data from organizational data on a mobile device. The idea behind bring-your-own-device (BYOD) is that an employee can use their smartphone or tablet for business, obviating the need for the employer to provide those tools to all employees and for employees to have multiple devices to cover personal and business use. The good news is that this a bit of a boon for both employee and employer. The bad news is that it potentially puts organizational data at risk. Fixmo solves that problem by separating the two types of data and containerizing the organizational data.

Most BYOD users grudgingly accept the consequences of using their own devices for organizational data. Some of those consequences include the potential destruction of personal data if the device needs to be wiped remotely due to loss, theft or password fumbles. However, if the data is separated, control over organizational data becomes easier and less onerous for the user. It is easier because organizational data is easier to locate if it is only where it is supposed to be, rather than spread around the device.

The Fixmo EMP (Enterprise Mobility Platform) takes the different functionalities needed to secure the mobile device and manages that security and combines them into a single platform. For example, Sentinel checks to make sure that the device is in a secure state while SafeZone applies encryption and strong authentication.

So what makes this, apparently straightforward, approach to securing organizational data on a mobile device innovative? When we looked at this for the first time last year, there was not the breadth of coverage that there is now and still we thought that it was an innovative approach. The main reason then as now was that there is a real challenge in simply identifying at-risk data in mobile devices that share space between personal and business data. 

Personal apps may have access to areas of the device that, while appropriate for personal use, pose significant risk for business use. Fixmo creatively solves the identification problem and that, once solved, opened the gates for securing the business data – while leaving the user relatively free to manage personal data in whatever way desired.



Vendor: McAfee, an Intel company 

Flagship Product: McAfee Email Protection 

Cost: Ranges from $5 to $25/per user/per year, depending on user count and term commitment; includes support. 

Innovation: An overall platform that integrates all of the components of the security stack. 

Greatest Strength: Rather than focus on products, the company focuses on solving problems.

This is a tough one to describe on the individual product level. The product box says that industry icon McAfee's flagship product is Email Protection. Perhaps that is as good as any of this Innovator's fine products that we might select, but if we were to point at a single flagship product it would not be on their list of hardware or software. It would be innovation itself. When we sat down with the Innovator at this company, the conversation quickly moved from products to why the company puts such a high premium on innovation.

We found one response to our enquiries particularly intriguing: The company has innovated more in the last three years than in the last 10. Why, we wondered? We liked that answer as well: “If you are not innovating, you are dying. There is no such thing as a cash-cow security product anymore.” This has become the mantra for McAfee, a company that was born out of the growth of viruses in the late 1980s, especially since being acquired by Intel. It now has the funding to look long-term and is now less concerned about short-term results than on “innovative ownership of their space.” That spells staying power.

This Innovator took the position five years ago that the market would be supported by the security-connected enterprise, so it built an overall platform that integrates all of the components of the security stack. But, it is not just innovative, it is accelerating innovation at a faster pace. This allows the company's ecosystem partners to slot into its platform. So it doesn't just innovate, it enables innovation.

The approach to innovation, from a purely operational perspective, is itself creative. The company encourages “startups” to develop and run inside the company. As a result, the company can attract and keep the best and brightest engineers, an important aspect of success. “We now have the best retention of engineers in the past 10 years,” we were told by Mike Fey, the company's EVP and worldwide CTO. “If you want to keep engineers, you have to give them interesting things to do.” That certainly seems to have worked out well for this Innovator that, quite literally, shaped the anti-malware market nearly 30 years ago.


If this Innovator was not such a good fit for this issue, it might be worth it to include it just for the name. We must admit the first time we saw this company we had to take a pretty deep look at it to make sure that it was serious. Trust us: It is very serious. The principals came to this company from the cream of the crop of incident response organizations. Over time, they realized that it was pretty useless – in fact it often did more harm than good – to conduct a once per year social engineering attack, write a report and move on. Employees pushed back hard, believing they had been entrapped, and little if any behavior was changed. What to do?


Vendor: PhishMe  

Flagship Product: PhishMe

Cost: PhishMe is an annual subscription based on the number of recipients in the organization with prices starting at $10,000.

Innovation: Information security training, especially social engineering training, in a way that actually encourages participation and demonstrates consistent positive results. 

Greatest Strength: Creativity and a deep knowledge of the problem to be solved.

The solution to the problem was phish soon and phish often. And, keep the employees aware of the ongoing training and even include real phishing messages in the training that have targeted employees. 

Once an employee succumbs to a phishing attempt, remedial training begins immediately in the form of more than 20 individual training modules. The training, according to this Innovator, is fun – but with an underlying seriousness that works quite well. Phishing and, particularly, spear phishing are the primary social engineering vectors used by attackers. 

To combat the various types of phishing attacks, PhishMe uses Click-only, Data entry, Attachment-based, and Double Barrel (a patent-pending technology that simulates conversational phishing techniques by sending two emails – one benign and one containing a malicious element – to train users on this tactic used by APT actors).

PhishMe also has a unique benchmarking capability that compares anonymized results data with similar info from other customers. This helps organizations understand where they stand relative to other organizations that are potential targets. Once a scenario is run, its results are compared to the results of the same scenario run against other PhishMe customers. If we were giving awards for the most creative and unusual way to solve a tough security challenge, this Innovator would certainly be right at the top of our list.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.