From the standpoint of selecting Innovators, this group is a tough one. The notion of security infrastructure is undergoing significant updating and we are not certain that the process is complete, let alone mature. The evaporation of the perimeter has made the idea of an infrastructure a bit fuzzy and, certainly, the notion of a surety infrastructure is an equally gray area. We did a quick Google search on the term and found that even experts could not agree on a definition. So with that crystal clear discussion – as kids would say, “not” – we're off to the races.
What we decided to use as a benchmark was the notion that a security infrastructure comprises those things that impart security in the classic sense – confidentiality, integrity and availability – to the enterprise. We really don't care what the enterprise model is – it could be cloud-based, software data center, hardware data center, whatever – it still needs that good old C-I-A to make it secure. The systems that overlay the enterprise and enforce these functions in accordance with the enterprise security policy make up the security architecture. Feel free to disagree, of course...as there are so many definitions.
The two Innovators we have selected for this rather fuzzy designation approach security infrastructure differently but they follow our rule: One allows segmentation of a hybrid network – business and such functions as industrial control systems – into a secure whole. The other is a watchdog that ensures that the network does not change without the administrator knowing about it, and permits ongoing testing to make certain that effective controls and configurations are in place.
While the second Innovator may challenge our definition a bit, we must remember that part of the security process is assurance. Without assurance we have no confidence that the rest of the security architecture is behaving as expected. So, while the choice may seem to stretch a point, we are confident that the incumbent is a completely appropriate choice for this category. Besides, it's our definition, so we can apply it as we think appropriate. We do think that you'll agree, though.
Vendor Tempered Networks
Flagship product HIPswitch security solution
Cost Starts at $9,995.
Innovation Cryptographic trust management, orchestration and the ability to protect things that cannot protect themselves.
Greatest strength Ability to isolate dissimilar network segments into an enterprise while maintaining the security of each segment.
This is a very young company, an outgrowth of technology developed by the founders at a major aerospace company. At the aerospace firm, the objective was to secure the manufacturing line. The technology developed over a 10-year period and the founders then productized the technology.
The main purpose of the Tempered Networks system is to meet the cybersecurity and connectivity needs of organizations that require protection for business-critical infrastructure, communications and vulnerable endpoints. This allows mixing of different types of networks in a coherent enterprise without exposing any part of the enterprise to compromise. Only trusted (whitelisted) devices are allowed on the network, which uses HIP – the host identity protocol – for network communication. The intent is to allow devices to communicate safely over TCP/IP.
HIP replaces the host's IP-based identity with a cryptographic key, and because the device does not need to expose TCP/IP as its visible transport, it is no longer identifiable by address. The system uses cryptographic trust management and the company's orchestration tool, the Conductor, to manage the trust relationships in real time. This approach cloaks devices in an overlay network on top of TCP/IP, taking away the IP footprint. It also tends to simplify networking because the overlay is a flat network.
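To make the HIP idea concrete, here is an added illustration (not Tempered Networks' code and not the real Conductor) of what "identity is a key, not an address" means in practice: a device's identifier is derived from its public key, an orchestrator keeps an allowlist of such identifiers, and admission is decided by a signature over a challenge rather than by the peer's IP address. The HIT derivation is simplified from RFC 7401/7343 (no context ID, OGA ID nibble fixed to zero), and the allowlist and challenge exchange are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"net/netip"
)

// hostIdentityTag derives a HIP-style Host Identity Tag (HIT) from a public
// key: an IPv6-sized identifier in the ORCHID prefix 2001:20::/28 whose low
// 96 bits come from a hash of the key. Simplified: a real HIT hashes the key
// together with a context ID and carries an OGA ID in the low nibble of byte 3.
func hostIdentityTag(pub ed25519.PublicKey) netip.Addr {
	sum := sha256.Sum256(pub)
	var b [16]byte
	b[0], b[1], b[2], b[3] = 0x20, 0x01, 0x00, 0x20 // 2001:0020::/28
	copy(b[4:], sum[:12])                          // 96 bits of hash
	return netip.AddrFrom16(b)
}

// Allowlist is the set of HITs the orchestrator has approved (assumed model).
type Allowlist map[netip.Addr]bool

// Admit checks a peer's proof of identity: the peer presents its public key
// and a signature over a fresh challenge. Admission depends only on the key's
// HIT being listed and the signature verifying, never on an IP address.
func (a Allowlist) Admit(pub ed25519.PublicKey, challenge, sig []byte) (netip.Addr, bool) {
	hit := hostIdentityTag(pub)
	if !a[hit] {
		return hit, false // unknown identity: invisible to the overlay
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return hit, false // key is listed but the peer cannot prove it holds it
	}
	return hit, true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed device key
	wl := Allowlist{hostIdentityTag(pub): true}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	hit, ok := wl.Admit(pub, challenge, ed25519.Sign(priv, challenge))
	fmt.Println(hit, ok) // listed key with valid proof: admitted

	other, _, _ := ed25519.GenerateKey(rand.Reader) // a key nobody approved
	_, ok = wl.Admit(other, challenge, ed25519.Sign(priv, challenge))
	fmt.Println(ok) // false: not on the allowlist
}
```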
Before the Internet of Things was a buzz-phrase, this Innovator was using a hub-and-spokes approach so that each device was on its own overlay. By doing this, devices and sub-networks of various types – including many that now are considered part of the IoT – can be mixed in a single enterprise without interacting with each other. One of the most obvious applications of this technique is mixing a business systems network with a network of industrial control systems (ICS), such as SCADA.
Devices talk through orchestration, and any type of communications is permitted. A new feature is grouping, allowing devices to be placed in groups so that all devices in a group respond to a single policy. The system treats legacy ICS with no IP address as serial over IP. There also is a virtual version of the company's HIPswitch that can run in the cloud. Viewing this Innovator's system in the context of the kill chain, it stops the recon step. The idea is that you can't breach what you can't see.
Vendor Pwnie Express
Flagship product Pwn Pulse
Cost Depends on configuration.
Innovation The obvious one is the form factor, but underneath that is the significant functionality that makes the Pwn Plug and the Pwn Pro used with Pwn Pulse a paragon of network visibility.
Greatest strength These folks have one of the best crystal balls in the business – they really know how to predict an important emerging niche – and exploit it.
This is one of our personal favorites. To start, the name is said “Pony Express,” the Pwn being the hacker version of “own.” This is appropriate because the Pwnie Express tools allow users to “own” the security on the enterprise network through increased visibility and the ability to test systems easily.
We first encountered Pwnie Express some years back when we wrote up a First Look review on the company. In those days, one of this Innovator's product lines was a penetration testing tool disguised as something other than a computer – one, for example, looked like a power strip. The idea was that a red team could penetrate a facility, plant the power strip – which likely would not be noticed – and go away. The power strip had the ability to connect to the network, giving the red team access to an in-house hacking tool.
While we thought that was pretty cool, we were concerned that it could be misused. Apparently so was the company because it started to modify its offerings to more universal applications. The evolution of the power strip (and other disguised kits) into the Pwn Plug, the Pwn Pro and the Pwn Pad put the company squarely in the corporate marketplace, and when this Innovator took the management and visibility of the devices to the cloud – their Pwn Pulse offering – the company's business exploded.
Today, you can deploy Pwn Plugs and Pwn Pros throughout your enterprise to watch the network – both wired and wireless – for rogue activity, conduct penetration tests and spot unauthorized users joining the network. Then you can take your Pwn Pad – a pen testing tool on a tablet – and do a bit of a walk-about to see what your network – especially the wireless one – looks like, and what vulnerabilities it might have.
While the obvious innovation is the form factor – the Pwn Plug looks like a square, overgrown hockey puck and the Pwn Pro looks a lot like a Wi-Fi access point – the big deal in our view is that by deploying Pwn Plugs and Pwn Pros throughout your physical plant you get a solid view of everything that is going on in your enterprise all in one place on Pwn Pulse. For the wireless side this is very important.
We tested the Pwn Plug in the depths of Levi's Stadium, home of the San Francisco 49ers and the most high-tech football stadium in the world, with more than 12,000 Wi-Fi access points. We ran a single Pwn Plug during the World Cup soccer match last spring with about 75,000 fans in the stadium. The single device followed several thousand Wi-Fi users and many of the access points. Obviously, we were impressed.