As Cyber Threats Mature, So Do Boston-Area Security Firms: RSA, Fidelis, Cyber-Ark, and More
Sometimes what’s bad for companies is good for business. That’s the case for a number of Massachusetts security software firms. These days, the Boston area seems to have renewed its claim as an epicenter of cyber security activity.
In the wake of the recent, much-publicized cyber attack on RSA Security, a division of Hopkinton, MA-based EMC (NYSE: EMC), I thought it would be a good time to check on efforts to meet new cyber threats by some local security companies. RSA classified the attack on its system last week as an “advanced persistent threat”—a phrase used to describe a sophisticated effort to target software applications, sensitive data, or end users—but the firm was vague about exactly how it was hacked, what kinds of data were stolen, and what risks its customers face. (RSA said it is working closely with customers, but security expert Bruce Schneier wrote in a blog post that “the company has lost its customers’ trust.”)
This kind of advanced threat is a far cry from the corporate hacking of the past couple of decades. Companies used to be able to defend themselves from rogue hackers by deploying technologies around the perimeter of their network—such as firewalls and “deep packet inspection,” which detects things like viruses and worms as they enter the network. But advanced persistent threats are what defense and intelligence agencies are used to seeing from nation-states (from China to the Middle East to Eastern Europe) trying to hack into government databases—except now their targets include banks, insurance companies, tech firms (Google, Adobe, and others), and critical infrastructure like energy and chemical firms.
All is not lost yet. In addition to big companies like EMC/RSA (which also includes security technology from Network Intelligence), a number of smaller but established software companies are working on ways to combat the latest security threats. One of these companies is Fidelis Security Systems, a nine-year-old firm in Waltham, MA, that is giving corporations and government agencies the ability to continuously identify and analyze threats from within their networks, down to the level of applications, files, and individual sessions.
That’s apparently crucial for fighting advanced persistent threats, which can take the form of anything from malware embedded in a PDF file to tricking an employee into accessing a website and then exploiting a software bug. “When somebody decides to make you a target, they will persistently and, in a very targeted way, try to infiltrate your network,” says Fidelis CEO Peter George.
One big emerging trend is government agencies working together with corporations to try to thwart such attacks. This increased cooperation was evident at the RSA Conference in San Francisco last month, George says, where a number of forums and panels featured “three-star generals sitting side by side with business leaders.” The U.S. government, he says, is “working in collaboration with the biggest enterprises in the world to show them best practices, to show them how to fight advanced threats.”
All of this points to a major mindset shift when it comes to corporate data security. “Organizations should continue to act under the assumption that the attackers are already inside, rather than dedicate excessive time and resources to securing their perimeter,” says Adam Bosnian, executive vice president at Cyber-Ark Software, a Newton, MA-based security company that specializes in managing privileged users and protecting against insider threats, among other things.
Fidelis and Cyber-Ark are part of a thriving cluster of Boston-area security companies that also includes Arbor Networks, Bit9, NitroSecurity, Q1 Labs, Veracode, and Verdasys. I haven’t checked with each firm this month, but at least Fidelis and Cyber-Ark are both growing and profitable—and I get the sense that reports of cyber attacks don’t hurt their business. Fidelis, for one, says it plans to double its revenues and add to its 50-plus employee roster this year.
“We’re entering this market that’s beginning to form around network analysis, visibility, and monitoring,” George says. “It’s a big market in the early stages.”
Further down the road, a number of research efforts are aiming to change the security landscape more fundamentally. One major new initiative is the U.S. Defense Advanced Research Projects Agency’s CRASH program, which is managed by MIT computer scientist Howie Shrobe. (CRASH stands for Clean-state design of Resilient, Adaptive, Survivable Hosts.) The program, which kicked off in the fall, involves research teams at 15 organizations around the country including MIT, Northeastern University, Yale University, BAE Systems, and BBN Technologies (Raytheon). The teams are focusing on a wide swath of areas such as processor architectures, operating systems, programming languages and environments, and hardware and software design analysis.
The basic idea—and it’s an ambitious one—is to redesign computers from the ground up with security in mind. The details get technical pretty fast, but the analogy DARPA uses is that software and hardware can be redesigned from core principles that emulate living organisms: namely, computers could have immune systems that automatically adapt to intruders (and reconfigure), and they could exhibit more diversity across systems, and over time, so that attackers are continually kept off-balance.
These ideas aren’t really new, of course, but the program aims to push the technology envelope and see what kinds of new systems can be demonstrated in the next few years. That could lead to new companies forming around things like advanced architectures, operating systems, and adaptive software. Even if CRASH or other programs are successful, though, they won’t become the be-all, end-all for cyber security. That’s because of at least two reasons: the human element will continue to make computers vulnerable; and more advanced threats will keep popping up to counter any new hardware or software.