ISS’s CTO on 2006 – botnet armies and security services online
Christopher Rouland is the chief technology officer for Internet
Security Systems (ISS). He is responsible for guiding the company’s
overall technology strategy. Prior to his appointment as CTO, Rouland
served as the vice president for ISS’s X-Force Research and
Development team, which supports the US Department of Homeland Security
with daily briefings to update and advise the US government.
Rouland is credited with the discovery and naming of the Slammer
worm. He also initiated a White House press conference to alert
global media to the secondary damaging impacts of the Code Red worm.
He has also held positions as a software developer, network architect
and vice president of distributed technology for Lehman Brothers.
He is a member of the Institute of Electrical and Electronics Engineers
(IEEE) and the Association for Computing Machinery (ACM).
Brian McKenna recently interviewed Rouland for Infosecurity at the RSA 2006 conference in San José.
It’s been said at this conference that 2005 was
the year when zero day attacks stopped being folklore and started
becoming a reality. Is that how you saw 2005 in terms of malware?
A zero day attack is an attack you are unprepared for, for which
there is no remediation. Certainly we see an ever-shrinking window
from disclosure to exploitation. Disclosure to exploitation in the
’90s was months or years. Then it was weeks or months, and
now disclosure to exploitation today is in hours or days.
But I wouldn’t date the threat to 2005. The bigger change I saw
in 2005 was really the sunset of the self-propagating, self-navigating
internet worm. We saw that replaced with revenue-generating malicious
code, completely. Just as we’ve seen the internet economy
and the real economy merge together, the computer underground and
the criminal underground have also joined together.
And, it reflects itself in the type of malicious code we see today.
It’s now a revenue generation property. The computer underground
is today driven by a purely incentive competition model. They only
get paid if they generate revenue from their attacks. It’s
a radical change.
Could you say a little bit more about what that change
involves? Is it just technical change?
It’s a business change. The top revenue generator in the
criminal computer underground is spam. Most ISPs now block spam,
so the only way to distribute it is to use a compromised computer.
So malcode has changed in the last two years. We started to see
that change in 2004.
So today the core revenue — the plasma in the blood —
is spam, and things are kind of wrapped around spam. The key thing
is that to successfully launch these types of attacks with spam, you
need to have a foothold or an infection in some place, in a bot.
For-profit hacking to the mass market saw its real debut
in 2005.
In 2006 I think we’ll begin to see that extend to the civilian,
if you will. Individuals using mobile phones with Voice over IP
will be vulnerable. And the early adopters of VoIP aren’t
necessarily technocrats.
Coming back to the underground, it’s often said in
the press that cyber crime is moving from being hackers doing cool
stuff for the sake of it to being organized crime. Do you think
that’s being overplayed?
No.
But we are talking quite small numbers financially.
The revenue numbers for computer crime last year allegedly exceeded
international narcotics levels.
Do you believe that?
I think it’s high. I don’t know if it’s that
high. It would be interesting even to see if they’re in the
same ball park. Take the top spam guy in Russia who was assassinated
— was that someone tired of getting spam? Or was it because
the spammer did not pay his botnet bill? My money’s on the
latter.
In 2006, bot armies will replace the worm.
Talking to your enterprise customers, would you say that
this change in the threat landscape is of real concern to them?
The fact that cyber crime has moved to a more for-profit model,
is absolutely of concern to them. The top concern in 1998 was “my
web page will be defaced”; the concern today is that “my
intellectual property will be stolen and sold”.
So there is a shift to data protection?
Yes, and less concern about the latest Windows bug. And they are
also concerned about web application security and global device
security.
It’s quite interesting that the first keynote speaker
here from the traditional security space, outside of RSA’s
Art Coviello, was John Thompson, chairman and CEO of Symantec. Do
you think that’s significant? It seems that we have here a
takeover of security by the mainstream IT companies.
As to how RSA selects and schedules speakers, you’ll have
to ask them! I don’t know. It’s not representative of
the industry.
Okay, but you could tell a story about how mid-tier vendors,
like ISS, are being squeezed from above by the big infrastructure
players, and being ankle-bitten from below by the smaller suppliers.
How would you respond to that line? What makes ISS stand out in
the market in 2006?
If you look at the security space, we continue to see point players
emerge to solve point problems. The challenge is, when you talk
about the customer, they don’t want that. I was talking to
a customer this morning who effectively was saying: “we already
have to install a dozen agents on our servers, don’t give
us another agent to install! In fact, take two agents off our server,
and that will get our attention”.
So, the days of point products to solve point problems are over.
Smaller vendors coming up from the bottom will have to
learn how to integrate and leverage security architectures.
The bigger players, including ISS, can’t expect to deliver
a suite-type solution; we’ve got to address the newer problems.
A key to doing that is to develop a platform where new security problems
can be solved in an on-demand fashion.
So, our offerings begin to mix a blend of services and traditional
software and hardware to solve problems, but that line will become
transparent to the user.
So, we continue to have new problems to be solved with technology,
and one of the ways ISS is adapting to it is by opening up our
own platform, so that smaller vendors can interface with our technology,
and the customers will only be required to use a single management
interface with a portal. We do that by publishing our interfaces,
our APIs. We don’t want to be a closed system; we want
to be an open system. It’s going to allow everybody to inter-operate
with our platform.
How does that differ from what you have been doing historically?
It’s a big change because historically we’ve had a
closed architecture, where we have only managed our own products.
You’re saying, then, that 2006 is an inflection point
year for ISS. Why is that?
The big change is linked to this open architecture, and this online
services delivery. Historically, I think online efforts were slow
to gain traction because customers were concerned about outsourcing
of security. I have not heard that argument in 2005. I think the
market is separated into those who simply can’t outsource
their security – the most sensitive government agencies. But
most companies now are opening up to the idea of outsourcing their
security. The problem is so challenging, the talent is so difficult
to find, it’s such a distraction to the business model, and
so on.
For example, I was talking to a big bank in Chicago. And they were
talking about how much they like Snort. They said “we really
like Snort because we like to write our own signatures for the IDS”.
And they had a team of six people who write signatures for Snort.
Now, their CIO was there and he said: “We are a bank! Why
are we writing signatures for an IDS!”
The final nail in the coffin was: “How many anti-virus signatures
did you write this month?” Of course they didn’t do that, but
IDS signatures were cool.
Picking up on what you were saying about bigger companies
being more comfortable with outsourcing security, is that because
the customer is changing, there is less of a security sell and more
of a CIO sell?
There are a couple of shifts. One of the shifts is that the security
buyer in many cases is the recommender in the networking shop of
the buyer. A lot of security technologies have moved into the core
of the network. A lot of security is being delivered as appliances,
for example. And some of our recent announcements have been for
that, to appeal to the networking buyer.
But again the solution sell is at the C-level. One of the additional
upsides to delivering online as services is that you can add new
functionality without having to release software per se. So if
you want to add a new type of SOX report, it’s not a service
pack that we have to issue. You can just deliver that through a
portal. So you can add more solutions more quickly through this
method.
So ISS is part of a software-as-a-service trend?
Absolutely. That is strategic to us, to deliver online.