Symantec offers security for the enterprise
President John Schwarz talks about the evolution of security technology
AS PRESIDENT AND COO of Symantec, John Schwarz has been quietly reinventing the company as a provider of security software for the enterprise. In the last few months, Symantec has also moved to acquire no fewer than four other security vendors as part of that process. In an interview with InfoWorld Editor in Chief Michael Vizard and Test Center Director Steve Gillmor, Schwarz talks about Symantec’s future product strategy and the evolution of security technology.
InfoWorld: What is the driving force behind Symantec’s acquisitions?
InfoWorld: What companies did you buy and why?
Schwarz: First, we bought a company that is called Mountain Wave. The company was funded by DARPA [the Defense Advanced Research Projects Agency] to build specifically high-end, real-time data correlation tools for taking a very high volume of events and being able to aggregate, concentrate, and statistically simplify the data so that a single human being can see and understand input from tens of thousands of different devices instantly and be able to take action. Mountain Wave brings us that technology, and we’ll be integrating it into the security management system to give us that high-level data correlation, data integration.
The second business we bought is a company called Security Focus. They are the owner of the definitive, most comprehensive repository of vulnerabilities [and] security problem definitions. They track 7,500 products, they have sensors in 14,000 different networks around the world, and they have 55,000 subscribers. They give these subscribers access to the most recent, most current, best analysis on the issues that they need to be aware of as security professionals.
The third business we’ve acquired is also a services business. This is a company called Riptech, which has a managed, outsourced security operation center where they take over the job of monitoring customers’ networks for the purpose of tracking their security performance and compliance with the security policy. They also have a technology which they use as the dashboard for the operator.
The fourth business we bought is called Recourse. They have a very high-speed network intrusion detection solution that runs at something like 20 times the speed of what’s generally available in the marketplace today.
InfoWorld: In the past, vendors tried to market suites of security products, but the customers want best-of-breed tools. So what is different about this approach?
Schwarz: It’s really not so much a suite or a bundle as much as it’s an integrated solution. The view we have is, to protect yourself against blended threats you really have got to have multilayered protection at each level of the network. And in order for the customer to be able to manage this stuff, you really want to have as integrated a multilayer solution as you possibly can get. Our strategy is in fact to take these pieces, integrate them ourselves to the extent we own the technology, and deliver complete, integrated products. To the extent we don’t own the technology or the customer already has other stuff implemented, like Check Point or Cisco, we’ll be able to manage those environments from our portfolio.
InfoWorld: So your framework will then be able to extend out to other assets on the network?
Schwarz: The product we have built has an architecture which is able to deal with any event, whatever the source. The dashboard that we’re putting together is very flexible and it can be custom-defined for a given implementation. You could design it to be a network management environment, if that’s what you desire, or an application-level environment, if that’s what you desire.
InfoWorld: How is this approach going to be different from the network management consoles that already exist?
Schwarz: Customers are monitoring security at many layers in the organization today. They are spending too much money and don’t have the resources or the skill to get it done, so they need simplification. Secondly, each product they buy today in this best-of-breed category brings its own management interface. Customers can’t deal with the complexity and amount of data.
InfoWorld: How has anti-virus software evolved over the years?
Schwarz: Typically, anti-virus software is used today to defend against any malicious code — not against intrusion by human beings but code which is migrating through the environment. Whether it’s a virus or a worm or a Trojan horse or just badly behaving code doesn’t really matter. What’s happening to the anti-virus technology is that more and more so-called behavioral heuristics or anomaly analyses are being added so that you’re not just looking for known definitions of signatures of known viruses, but you’re looking in a sense for any code that has aspects of malicious behavior — code that has buffer overflow characteristics or code that is calling routines that it has no business calling, code that’s looking at data that it should have no business looking at. Our anti-virus [software] today is intelligent enough to detect a lot of these types of behaviors. Over time, it’s possible to speculate that intrusion detections and anti-virus technologies will merge into one, which is another reason why we are so keen on making sure that we have a strong play there. We’re also looking at introducing anti-spam content into our anti-virus tools. We actually begin to think or begin to talk of this whole arena as content scanning rather than anti-virus per se.
InfoWorld: What security challenges do the advent of Web services present?
Schwarz: We are actually implementing a firewall at each layer of the network. Our integrated solutions have firewalls at the servers and at the desktops — firewalls which are remotely configurable and remotely surveillable, so that you can make sure that they remain configured the way that they need to be. These firewalls have the unique feature of actually being OSI stack Level 7 firewalls, so that we actually can understand the application that we are surveilling, not just the actual application traffic. As the server or the application-level security tools mature and improve, you can actually custom-focus the firewall at a Web site or at an e-mail server or at a database server.
InfoWorld: What’s your take on the state of wireless security?
Schwarz: Wireless, in essence, requires that you at least introduce a VPN for every one of those connection points. You have to ensure that the traffic can be interrupted and monitored and that the addresses can’t be stolen. Whether that’s an adequate solution or not remains to be seen, but it is the least you must do today. We have a VPN solution that we offer to customers to deal with that. Ultimately, I would imagine that the wireless LANs themselves will include VPN as a basic component, but it’s not there today.
InfoWorld: What is your relationship with Cisco like as you move into the enterprise space?
Schwarz: We are working with Cisco on several levels. What we’ve been able to come to grips with is that when it comes to anti-virus-type solutions and when it comes to the desktop level of protection, Cisco is a pretty amenable partner to work with us to provide that level of capability. They themselves would like to get closer to the desktop because it provides an extended market opportunity for them. When it comes to delivering the security protection at the gateway or delivering, for that matter, firewalls anywhere in the network, we compete and we will continue to compete. The difference between Cisco and us is that they clearly are very much hardware-focused, they clearly are very much focused on unique, proprietary operating systems. We are a very multiplatform software company.
InfoWorld: If you listen to Microsoft and Intel, they will have the security problems associated with computing licked next year, greatly reducing the need for Symantec products. What’s your take on their efforts?
Schwarz: They’re underestimating the great creativity of the bad guys, for one. And they’re overestimating the ability of the hardware guys or Microsoft to deliver on the promises that they are making. We believe that Microsoft clearly has to do what they’re working on. They have to improve the security of the basic platform and they could probably help us by delivering the sort of APIs that are a little easier to work with than what they are today. I suspect that’s what Palladium and all those efforts are really all about. I’m sure that Palladium itself, secure as they might make it, will be found breakable. And if you take wireless, there is a whole new world out there which is probably going to be only partially Microsoft. As these devices get more intelligent and more programmable, we’ll see a significant arrival of new malicious behavior code coming on those platforms. Instant messaging offers a whole new gateway for malicious code to be implemented and delivered, and all those holes need to be plugged.
InfoWorld: How can you make it easier for people to plug all the holes in their network?
Schwarz: There is a product that’s typically called “vulnerability management” which we offer and other people do, which does a complete sweep of the entire network, top to bottom, and looks for compliance with password standards, looks for compliance with the patch requirements that keep your systems as up to date and secure as possible. In essence, [it] looks for compliance with your security policy. It sniffs out such things as open 802.11 lines, it sniffs out lack of VPN tunnels, and it gives you a very comprehensive report for the entire scope of the network that you’ve tested. You can then use that to build plans for correction and implementation. Single sign-ons help a lot because the biggest problem people typically have is having multiple passwords that they have to deal with, which makes the system insecure just by definition because these passwords [are] forgotten or mislaid or whatever. So moving to a good access management is a very important part of the solution.
InfoWorld: What’s your take on the state of security standards? Right now, it seems like there is a lot of overlap.
Schwarz: Unfortunately, I suspect that’s going to be the state of the world for quite some time to come. The security bodies or the standards bodies around the security domain are very weak. There is very little that’s being done by us as the industry, nothing by the government, and the universities are AWOL. There’s a lot of work to be done, but very little actual work going on. If Microsoft, IBM, or even Cisco wanted to take a lead and drive a set of standards, we might see some action. But even then, my experience is that there is a lead time of a couple years to define a standard and a lead time of another couple of years before you see significant implementation. And by the time you implement, the standard is typically not very useful. So it’s problematic.
InfoWorld: How has the changed nature of the world’s political climate upped the ante around security?
Schwarz: There is enough forensic data to suggest that the sophistication of the people who are causing these problems has grown by several orders of magnitude. The volume of [the] problem is still largely related to script kiddies or just people fooling around. But we are seeing sophisticated attacks which are really a combination of a virus and a denial-of-service attack, where a virus takes over a bunch of computers, makes them into zombies, and then targets a specific site or a specific URL. Moreover, we are seeing attacks that are directed at data, which is quite new. Most attacks to [date] have been directed at finding addresses or denying access or bringing your computer down. We are now seeing attacks that actually are designed to either damage data or steal data, which are primarily associated with espionage.
InfoWorld: So at the end of the day, do we ever get to the point where security is a process totally hidden from the end-user?
Schwarz: I think so, aside from the password itself, or some hardware equivalent to the password. You never see our anti-virus, you never see [it]. It operates by itself, it updates itself, it calls home when it has a problem, [and] it deletes the virus without you necessarily knowing that it happened. I think the intrusion detection technology is coming along to be almost as automated. The firewall technology is really an administrative problem, not a user problem, so you don’t get to see that anyway. I think we’re very close to delivering an environment where it’s transparent to the end-user.