ISS Sticks with Its Game Plan

Q&A: Internet Security Systems CEO Tom Noonan says his company's move into hardware put it on course.


CEO Tom Noonan has been with Internet Security Systems Inc. since the Atlanta companys humble beginnings in 1994 as a startup with one product written by a college student. Noonan and that college student, Christopher Klaus, built ISS into one of the larger pure security vendors in the world on the strength of Internet Scanner and a handful of other software offerings and then decided to turn 180 degrees in 2003 and jump into the hardware world. The companys Proventia intrusion prevention appliances have faced stiff competition, and ISS has had its ups and downs in the last two years. News Editor Dennis Fisher sat down with Noonan recently to discuss the companys future and why Noonan believes ISS is better-positioned than ever before.

When you announced Proventia a couple years ago, you essentially were betting the future of ISS, which had been a software company, on hardware. Do you think at this point that was a good bet?

We took Proventia from zero in the second quarter of 2003. In 2003, we were at $23 million and in 2004, $72 million, so we tripled the business, and obviously that creates an enormous amount of excitement. I think our two biggest competitors last year in IPS [intrusion prevention systems] were McAfee [Inc.] and TippingPoint [Technologies Inc.]. We were better than double McAfee and better than triple TippingPoint. A whole bunch of things have changed since. We changed the distribution model from almost entirely direct. [Now] were 73 percent channel.

Why did you do that?

The thinking was, we can live only so long as a niche security player with a direct sales model. If were going to build a scalable enterprise solution with Proventia ESP [Enterprise Security Platform], we have to be able to reach deeper into new markets. The metric that Im most excited about is that 10 percent of our business in 2003 was new customers. We had gotten to a point in this company that we were serving almost no new customers. The good news is that we have a customer base thats the envy of the industry. Big, distributed environments. But in 2004, over 30 percent of our revenue was new customers.

The thing Im most excited about is that innovation is at the heart of the transformation. We didnt go out and buy [a company] with some cool technology. We built it from the ground up. Youve known ISS for a long time, but we just got to the point where we got fat on our own successes at the end of the bubble. I look back on it, and I think we are without question the only intrusion detection, vulnerability detection company that survived. If we went through and looked at all of the companies we competed against, what we usually see is innovative upstarts with some interesting features, and they get acquired and go away. We are not going to go away any time soon. We have no debt and $225 million on the balance sheet. But this is a competitive game. If you dont bring your A game, youre toast. Were doing everything we can to get our A game out there, and its starting to show.

So whats the next step in the transformation process?

One of the things we wanted to talk about was our new Virus Prevention System technology. What it does is introduce a whole new era of zero-day protection for malicious executables because it pre-executes them. VPS is based on the belief that behavior is more important than signature. VPS pre-executes [suspect applications] in a virtual machine so they cant touch the OS, cant touch memory, cant touch other applications, cant touch anything. They are totally suspended inside the system, and VPS watches their behavior. If the behavior is bad, VPS quarantines the program. If [behavior is] good, the system allows the program to execute, but a signature is created for [future detection].

ISS has been fairly quiet for a couple of years since you rolled out Proventia, and there has been a lot of movement from the other IPS vendors in terms of new capabilities and speed gains. Does it seem that the industry has passed you by?

No. We have spent so much money and effort and time working on the platform that weve been devoid of news probably for two years besides getting out the piece products. So taking what we have today, which is 0 to 2 gigs, you will see us take that from 2 to 100 gigs in a 12-month period. And probably a terabyte in the distant future, but not-too-distant future, so we can start attacking the highways and backbones.

But it wont be long before companies such as McAfee and TippingPoint make their next leaps, too. Raw speed isnt going to be enough to differentiate you.

One of the things youll see from Proventia ESP is the massive scale, and thats not just for bragging rights. The question is, Where are you going to go with these high-end systems? Every one of the major telcos say that in major worm outbreaks, 80 percent to 90 percent of traffic is worm traffic. So one of the strategies we have, very clearly, is to move out into that highway with the enormous throughput. Its why we built stateful redundancies into this platform because if youre going to go into the backbone, you have to know where you are and where youre going. It took us about a year longer to build because that has never been done in the intrusion prevention world before. We had to go back into the core engine and start all the way down at the kernel and build it up, so its a big innovation for us. The second thing you will see us doing is filling out the Proventia ESP product set. Youll see dedicated VOIP [voice over IP] security products, dedicated mail security products, Web security products. We have all the capabilities, and it doesnt require us to build anything.

You mentioned wanting to get more new customers as opposed to just serving the existing ones. Whats the strategy for doing that?

I really like the ramp were on; weve ramped from 10 percent to 35 percent new in two years, and I think well grow that. And the Proventia ESP platform is built on technology thats part of the DNA of ISS. We have come up with both active and passive capability built into Proventia ESP. When a new box comes on the network, when it requests a DHCP [Dynamic Host Configuration Protocol] address, we go out and make sure its up to our standards. Then were actively scanning and continuously assessing for vulnerabilities, and thats very attractive to customers. Which is very different than the old Internet Scanner world. Its amazing that we survived, knowing that what we were doing was creating so much more work for our customers. Someone walking in with the Internet Scanner was like someone walking in with the black sword of death.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.