ATLANTA—When Internet Security Systems Inc. began in 1994, it was one of the pioneers in the intrusion-detection and vulnerability-assessment markets. The companys Internet Scanner software, written by founder and chief technology officer Christopher Klaus, was one of the first applications to be able to find and fix software vulnerabilities. But security threats and attacks have morphed and become far more sophisticated in the last nine years, making such capabilities less effective. In response, ISS recently introduced its new Dynamic Threat Protection system, designed to identify and thwart unknown attacks while theyre in progress. Senior Editor Dennis Fisher sat down with Klaus at ISS headquarters last week to discuss the new technology and its application in the evolving security landscape.
eWeek: How did this strategy come about? Its obviously something youve been working on for quite a while.
Klaus: Its been kind of the missing link in this industry for a while. Patch management isnt working. People do vulnerability assessments and they get this huge book of vulnerabilities and dont know what to do with it. We just use vulnerability detection as a feedback loop in threat detection and assessment to say, where are you not protected? If you think about security as a car, most people just sell you one piece, like a transmission or an engine without telling you that you need the other parts. Were providing people a sports car to go from point A to point B. The customer needs to be educated at a higher level to say, Youre really buying a car and its not just all these little pieces. We wanted it all integrated as one protection system.
eWeek: Im sure youve talked to a lot of customers about this already. Is this something that they see the need for?
Klaus: The customers get it pretty quickly. Most companies are still at the manual protection stage where they have to actually go out and touch every machine in order to update it. And when you get that big book of vulnerabilities, its analysis paralysis. Where do I start? This stuff is best served as a platform.
eWeek: Do you see any direct competition for this already out there?
Klaus: Trying to glue it all together is extremely difficult. Weve really been working toward this since we started the company almost 10 years ago. Ive yet to see a very large rollout of best-of-breed that has all of this.
eWeek: Do you expect other vendors to try and duplicate it?
Klaus: I expect it, but dont know if its possible. To build all of these pieces in an integrated fashion is really hard.
Page Two
: Stopping Attacks in Their Tracks”>
eWeek: Whats the thinking behind the virtual patch technology?
Klaus: Over time, people have become dependent on vendor-released patches as the first line of defense. But the average amount of time it takes to get one of those out is about six months from the time the vulnerability is found. We can provide the same kind of protection on the agent without affecting the underlying application. The standard security expert answer has been to go and turn off whatever services youre not using. But that can take a long time and sometimes you have to go into the registry and mess around and you never know what can happen. So we said, lets just block it instead of turning it off. Its much easier, its cheaper and its just as effective. It can prevent attack packets from getting to the target. Its the same protection level as a patch without really changing the system. We just need to make sure were accurately detecting the packets. Our goal is to reduce false positives to zero.
eWeek: The protection against unknown attacks is clearly a big part of this.
Klaus: Yeah, were investing in a lot of technologies to detect unknown attacks. We cant prevent everything. But anyone who tells you they can detect them all is selling snake oil. Were just at the beginning of all of this.