
Posts tagged RSA

Wednesday, May 26, 2010

Wither VeriSign? Further Consolidation in the Security Marketplace

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services


How could this happen?  VeriSign used to have more brand equity in Internet infrastructure security than anybody.  They built public certificate authorities and secured widespread adoption of their root certificates starting in 1995 – and along with Thawte, they were the first root CA to have certificates installed in Netscape Navigator.  They became inextricably linked with the Padlock Icon revolution of browsers.  VeriSign purchased Thawte Technologies from Mark Shuttleworth for $575 Million in stock in 1999 – more than $850 million in today’s money – and owned the two largest Certificate Authorities online.  They took a commanding role in the Managed Security Services space, buying Guardent in 2003.  Along the way, they built significant businesses in secure mail, payment processing and professional services.

VeriSign also acquired Network Solutions in 2000 and started building out an enhanced Naming & Directory Services group, which controls .com, .net, .cc, and .tv.  They used to operate .org as well but had to give it up in 2003.  VeriSign claims it comfortably handles in excess of 30 billion DNS queries every day, and the company operates the internet’s two root name servers.

Yet in the past several months – culminating in the most recent announcement of Symantec’s acquisition of the “authentication services” business for $1.28B – VeriSign has pared itself down to have little to do with enabling security at all.  The company sold its MSS business in mid-2009, and messaging, reselling, and various other units have all moved on or disappeared.  VeriSign’s press release of May 19 even says, “Following the close of this transaction, VeriSign’s remaining business will consist of its Naming Services business, which contributed approximately $162 million or 61 percent of the company’s revenues in the quarter ended March 31, 2010.”

VeriSign was originally a spinoff from RSA, intended to commercialize the cryptography technologies required to create X.509 certificates and build a services business around them.  They did so, very successfully, and as a result invited a lot of competition.  Ultimately, many of these businesses saw tremendous increases in price pressure and a tendency towards commoditization, and their profitability waned.  You can make up some of the difference if you can increase sales volume, but only to a point; eventually, your overhead and organization become the limiting factor, and you can’t afford to support the business any further.

Yet security has only increased in prominence in the past 10 years.  Why does VeriSign believe they should no longer make a business of it?  It’s hard to say.  Despite VeriSign being a public company, mandatory financial reporting didn’t include a detailed breakdown of P&L by business unit, and historically those numbers have been deliberately opaque.  A simple example:  when SecureWorks acquired the VeriSign MSS business, the press release claimed that the combined revenues were “greater than $100M,” yet the industry scuttlebutt on each company’s individual run rates would have led us to expect a figure closer to $200 million at the time. 

The market has changed.  At its peak, VeriSign’s stock traded at more than $258 (in February 2000) and now hovers around $27.  Its market cap today is $5 billion, compared to an on-paper peak of almost $50 billion at the height of the dot-com boom. 

Profits don’t come easily, and opportunities to innovate require a lot more insight and discipline than they used to.  That’s the same trend any market will experience – it’s standard business school 101 stuff.  Yet rather than stay and fight, VeriSign has decided to abandon its roots and focus purely on a market in which it holds something close to a monopoly interest. 

There is no doubt that internet directory and naming services will continue to grow and be essential, but what happens when the other TLD registrars prepare for their next phase of growth?  VeriSign needs to bring its significant intellectual capital and resources to bear on increasing its scope of services and opportunity for its customers, rather than entrenching itself around the chosen core.

Friday, March 5, 2010

Past the Point of PCI

By: Sushila Nair, Product Manager, Managed Security Solutions Group, BT MSSG & Sanjay Mehta, Senior Vice President, Breach Security

The nirvana of that moment in time when you are completely secure without a single vulnerability in sight is unfeasible and, even if it were possible, it would be fleeting.  Despite our fondest wishes for this moment, we accept the fact that our networks are vulnerable and are in a constant state of flux, causing the vulnerabilities to alter and the risks to change.  Organizations struggle with how to continue to develop their core business while managing their risk and doing it all with fewer people and resources than they had last year.  The only way this is possible is to work smarter – but how does that translate into practice?

We accept that our security is flawed, so it becomes critical that we place security devices wherever we have high or unacceptable risk.  It is essential that the security alerts from security products like WAFs, firewalls, and IDS/IPS, as well as host information and application logs, are centralized.  The devices we select are critical and should be chosen in line with risk.  It is worth bearing in mind that web applications are one of our largest areas of risk and were one of the key areas of focus in PCI DSS 1.2, which was based on the forensics of card breaches.

Once the devices are selected, the complexity of managing this new technology comes into play, and again, outsourcing is a serious option for companies that are constrained by head count.  The footprints of what has happened on our network are in our log files, and it’s impossible to check the multitude of consoles for the vast array of products that we have, so it is critical we centralize our log files and have the capability to correlate and look for patterns of attacks.  Unfortunately, security breaches are not limited to 9 to 5 or business hours, so our security monitoring framework must be built to take this intelligence, look for patterns of attacks and be manned 24×7.
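The paragraph above argues for centralizing WAF, firewall and host logs so that one source IP’s activity can be correlated across consoles. As an added illustration (not code from the original post or from BT or Breach Security), the script below normalizes three differently formatted log sources into one event stream and raises an alert only when the same IP misbehaves in several sources inside a short window. All log lines, device names and IP addresses are constructed for the example, and the window and threshold are arbitrary choices.

```python
"""Toy cross-source log correlation: normalise WAF, firewall and application
events into one stream keyed by source IP, then flag an IP that no single
console would flag on its own."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (no real devices or addresses). Each source
# has its own format, which is why normalisation precedes correlation.
WAF_LOG = """\
2010-03-04T22:41:03Z waf block src=203.0.113.7 rule=sqli uri=/login
2010-03-04T22:41:09Z waf block src=203.0.113.7 rule=sqli uri=/login
2010-03-04T22:41:15Z waf block src=203.0.113.7 rule=xss uri=/search
2010-03-04T22:45:00Z waf allow src=198.51.100.4 uri=/index
"""
FW_LOG = """\
Mar  4 22:40:58 fw1 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=22
Mar  4 22:41:01 fw1 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=3306
Mar  4 22:50:10 fw1 kernel: DENY IN=eth0 SRC=192.0.2.9 DST=10.0.0.5 DPT=22
"""
APP_LOG = """\
2010-03-04 22:41:20 app auth_failure user=admin ip=203.0.113.7
2010-03-04 22:41:22 app auth_failure user=admin ip=203.0.113.7
2010-03-04 22:41:25 app auth_failure user=admin ip=203.0.113.7
2010-03-04 23:10:00 app auth_success user=alice ip=198.51.100.4
"""

WAF_RE = re.compile(r"^(\S+) waf (block|allow) src=(\S+)")
FW_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) fw1 kernel: DENY .*SRC=(\S+)")
APP_RE = re.compile(r"^(\S+ \S+) app (\w+) .*ip=(\S+)")


def parse(year=2010):
    """Turn the three raw logs into sorted (timestamp, source, kind, ip) tuples.
    Only security-relevant events are kept (WAF blocks, firewall denies,
    failed logins). Syslog lines carry no year, so one is supplied."""
    events = []
    for line in WAF_LOG.splitlines():
        m = WAF_RE.match(line)
        if m and m.group(2) == "block":
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, "waf", "block", m.group(3)))
    for line in FW_LOG.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, "fw", "deny", m.group(2)))
    for line in APP_LOG.splitlines():
        m = APP_RE.match(line)
        if m and m.group(2) == "auth_failure":
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, "app", "auth_failure", m.group(3)))
    return sorted(events)


def correlate(events, window=timedelta(minutes=5), min_sources=3):
    """Group events by source IP and slide a window over each IP's timeline.
    An alert fires when events from at least `min_sources` distinct sources
    fall inside one window; one alert per IP is enough for this toy."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            sources = {e[1] for e in in_window}
            if len(sources) >= min_sources:
                alerts.append({"ip": ip, "first_seen": start.isoformat(),
                               "sources": sorted(sources),
                               "events": len(in_window)})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse()):
        print(alert)
```

In the constructed data the firewall sees two denied connection attempts, the WAF sees three blocked requests and the application sees three failed logins, all from 203.0.113.7 within a minute; each console alone shows a handful of routine events, while the correlated view produces a single alert. The other IP that appears only in the firewall log never reaches the threshold, which is the point of requiring agreement across sources rather than volume within one.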

This week’s RSA Conference pinpointed the problem of treating compliance as a single point in time. 

Most companies breathe a sigh of relief once PCI compliance is “achieved” via an audit or code review.  IT professionals move on to the next priority, and often, compliance “maintenance” is forgotten.  In doing so, they fail to understand that audits and code reviews are outdated the moment they are completed.  Web applications continue to be developed and altered, and as a result, continued compliance can’t be ensured with the “one-time look” that occurs with audits and code reviews.  And it would certainly be cost-prohibitive to conduct an audit or review with each application change.

Fortunately, continuous PCI compliance can be achieved using a web application security solution that provides real-time, continuous security for all protected web applications. 

In today’s compliance landscape, it’s simply not enough to know that a problem exists.  Sophisticated web application security solutions help companies mitigate problems.  Organizations need to have a real-time solution – not just a single look in time – to be truly secure and PCI compliant.

Here is more information on how vulnerability scans and code reviews compare to web application firewalls:

Vulnerability Scans and Code Reviews vs. Web Application Firewalls

Vulnerability scan or code review: Looks at one web application at a single point in time.
Web application firewall: Provides real-time, continuous security for all protected web applications.

Vulnerability scan or code review: Must be repeated for each application change.
Web application firewall: Profiles each application’s acceptable behavior and automatically learns changes.

Vulnerability scan or code review: May not cover every line of code.
Web application firewall: Secures the entire web application.

Vulnerability scan or code review: Can result in inconsistent findings due to vendor interpretations.
Web application firewall: Provides factual information on vulnerabilities.

Vulnerability scan or code review: Does not fix vulnerabilities that are found.
Web application firewall: Serves as a “virtual patch” that protects each application’s vulnerabilities.

Vulnerability scan or code review: Is expensive.
Web application firewall: Offers immediate ROI.

Wednesday, March 3, 2010

Evil Memes: Toby Weir-Jones Guest Blogs for Jennifer Leggio’s ‘Social Business’

By Toby Weir-Jones, Vice President Product Management, Managed Security Solutions Group, BT Global Services

Internet memes are harmless, right?  Fun little things that make you giggle, right?  According to Toby Weir-Jones these innocent memes have a much darker side.  Today, as part of Jennifer Leggio’s RSA week guest blogger series, Toby explores the security implications of a business’s decision to enter the social media space as well as suggesting some social media-security best practices for those who have taken the plunge.

To read Toby’s post click below:


A few years ago, in 2006 – ancient history in social media – various researchers proposed methodologies to study how quickly a meme can spread.  Some tried to characterize based on qualitative attributes of the meme itself, such as how funny it was, or how socially relevant, while others avoided those grey areas and focused instead on the quantitative attributes of network owners who posted links or tracked referral URLs.  In both cases, the general conclusions were fairly predictable:  given a good story, it can go viral and appear everywhere within hours . . .
