Five Security Vendors to Keep an Eye On 2010
There are always the obvious leaders in the information security marketplace that interested observers should keep an eye on; this is especially true of larger IT vendors that at any moment could drastically change the market by, hmmm I don’t know, buying ISS for example. Of course, large vendors like RSA, IBM, McAfee, Symantec, and Cisco aside, there are some very interesting companies to keep an eye out for. Here are five of those companies.
5. Breach Security
Let’s be honest, Breach Security is not the Web Application Firewall (WAF) market leader. Nor will Breach approach that level in the near future. What makes Breach Security a company to watch is the fact that the company largely seems ripe for acquisition. While the company is not the market leader, it is in fact a market contender from a technology perspective. As such, if a larger company with a more rounded product suite and better sales channels were to acquire Breach, Breach Security’s technology could rapidly become the market-leading solution.
The web application security market is still relatively small; as such, the WAF market is really not a five-vendor market (Imperva, F5, Citrix, Breach, and Cisco). However, the market has a lot of potential to grow should larger vendors evangelize the technology as web application attacks continue to grow. This has not gone unnoticed by some of the larger vendors making acquisitions. Of course, in terms of Breach, any moves will be dependent on an acquiring company’s preference between acquiring a market or creating one. Regardless, expect a big move within the space within a year or two, and don’t be surprised if the move involves Breach.
4. Bit9
It is hard to deny that the endpoint application whitelisting story is becoming more than a little bit boring. The technology is sound, the security and compliance benefit is resounding, and the reality is that the technology is not resonating well within the market. Evangelizing whitelist technology is easy; selling whitelist technology is a bit more difficult. As a result, Bit9 is still not the endpoint security giant that in many respects it rightly should be. Of course, this difficulty is also compounded by market competitors, such as CoreTrace and McAfee (through the acquisition of Solidcore), who are also taking a portion of the overall endpoint application whitelisting market.
What separates Bit9 and makes it an extremely interesting company to watch, however, is Bit9’s large repository of known application hashes. In order to reduce the amount of legwork necessary to deploy Bit9 technology, Bit9 created a large hash repository of non-malicious applications. This repository, and the delivery mechanism that gets it to endpoints, is extremely valuable considering the growing market for a list-based approach to threats. The combination of the two makes Bit9’s technology highly sought after by larger security vendors, market competitors, and a lot of security-purist customers. Bit9 currently offers access to that database through a portal that allows users to compare files against the database; while this is useful for investigative purposes, it is merely a glimpse and does not allow vendors to leverage the database to its fullest extent.
Expect Bit9 to continue to trickle through the security market through partnerships that leverage Bit9 technology. In addition, expect Bit9 or Bit9-like technology to be sought after by McAfee competitors as McAfee attempts to stake out a market with its Solidcore solution.
3. Qualys
While this list was meant to point out the less obvious companies to watch, it is difficult to ignore a company like Qualys. Qualys has historically leveraged non-security-related technology, namely SaaS, to deliver high-quality capabilities without a ton of headache. In addition, Qualys makes intelligent business decisions, such as the early integration with the Payment Card Industry Data Security Standard (PCI DSS), to dominate its respective markets.
Philippe Courtot (Chairman and CEO) runs Qualys with a frank no BS approach to business that is quickly becoming the stuff of legend. Regardless, it is difficult to argue that the man is not a visionary and it is clear that Qualys is a tightly run ship with an excellent executive team whose ability to execute is quickly becoming the example for privately owned security vendors.
Qualys will be an interesting company to watch because the company is reaching a size where it makes sense for another firm to acquire the company or for Qualys to do an Initial Public Offering (IPO) and go public. In many ways this movement is long overdue. In addition, Qualys has largely staked its ground in the increasingly commoditized vulnerability management market. Thus, in order to grow, Qualys will be forced to venture into new arenas. Evidence of this can be seen in some of their newer offerings, which focus on website malware and GRC.
Expect Qualys to continue to expand their range with a more full product portfolio and partnerships.
2. Mandiant
There is currently a great void when it comes to a single source for security leadership. While Mandiant may not be able to fully fill that void with their current products and capabilities, it has allowed them to stake out a key role in the marketplace as leaders in incident response. Mandiant has gained visibility as a leader in investigative services for extremely difficult-to-investigate incidents. Their ability to work arm-in-arm with other, larger vendors has allowed them to play the middle ground and assert themselves as thought leaders in the incident response realm. These services, in tandem with their current product portfolio, have allowed Mandiant to play in a realm where other incident response vendors such as Guidance Software and AccessData have struggled: the realm of enterprise IT security.
Currently the Mandiant product portfolio does not necessarily resonate well within many larger vendors’ 2010 market strategies; however, as Mandiant continues to assert itself as a leader, the company becomes more attractive to vendors who have a large product portfolio but lack thought-leadership notoriety. In addition, as incidents continue to be inevitable, the market will likely shift more towards Mandiant’s product approach of assisting enterprises in handling incidents. This of course will increase Mandiant’s profitability and make it a target for acquisition. In 2010, however, expect Mandiant to continue to stake out security leadership through incident response and highly interesting partnerships, such as the already existing partnership with Bit9.
1. NetWitness
To be frank about it, NetWitness currently has the holy grail of security solutions. Ok wait, before anyone goes tearing apart this website in anger at that statement, please continue reading. NetWitness does not possess the end-all of security technology. However, consider the innovations in security technology over the past five years: despite all of them, 99% of information technology defense is dependent on firewalls, IPS, gateway antivirus, and endpoint security technology. In some more advanced cases there is likely an intermixing of web content filtering, ADS, and DLP solutions as well. Now consider what NetWitness offers in the context of these environments: NetWitness offers the technology that serves as the mortar between all of these technologies.
NetWitness’s unique technology allows organizations to review their network traffic with full packet captures. NetWitness then combines that basic capability with geolocation integrations and threat feed integrations with organizations such as SANS, SRI, and Shadowserver in order to deliver a product that, upon discovery four years ago, my counterpart on my government incident response team described only as “nasty.” This is not to mention that NetWitness integrates with industry-leading technology such as the IBM SiteProtector IPS management system to make searching all of this data easier for security professionals. All that said, the underlying reason NetWitness is such an interesting company is that they have taken all of the capabilities that security professionals have been wishing they had and scaled them to large enterprises.
In addition, NetWitness is a magnet for talented security professionals, especially those with US Government security experience, having hired such notable characters as Amit Yoran and Shawn Carpenter. Given the overall diaspora that has occurred within the security marketplace, the collection of highly visible talent such as this is nothing less than eye-opening. There is little doubt that this has contributed to the consistent growth numbers posted by NetWitness.
Given these characteristics one can expect NetWitness to continue growing rapidly and/or be acquired for a large sum over the next three to five years (if not sooner).
(Honorable Mention)
Rapid7
Rapid7 is competing in a Qualys world, which most certainly is not easy. The company, which is currently focused almost entirely on vulnerability management, is staking out new ground in an increasingly commoditized market. This is a hard-fought battle to stake out competitive differentiation against existing market leaders Qualys and nCircle, as well as other market competitors such as eEye, McAfee, and Tenable, who all have relatively large market shares.
Rapid7 was able to generate some market momentum with the recent acquisition of the Metasploit project. The commercial offering of Metasploit has allowed Rapid7 to explore some new venues for profit; however, what really makes Rapid7 interesting is their approach to the market. Currently Rapid7 plays host to vulnerability assessment products, penetration testing products, and professional services. These basic lines of solutions are the foundation for other successful models that attracted highly talented security professionals in the past. With names like H.D. Moore, Rapid7 is poised to gain further market momentum and offer a somewhat attractive hub for more talent. Of course, this road is not without several speed bumps.
Expect Rapid7 to continue a highly visible marketing agenda that within a year has already included the release of a freeware vulnerability scanner and the acquisition of Metasploit. In addition expect Rapid7 to carve out a better foothold in the vulnerability management market as other competitors continue to slide.
More Needs To Be Done To Protect CMS
The security industry is not doing enough to secure web Content Management Systems (CMS). With the recent attack on WordPress-enabled sites hosted on GoDaddy and over 125 exploits released in the month of April for Joomla! vulnerabilities alone, this message is important enough to state plainly. Unfortunately, due to a wide variety of circumstances, this issue is largely not understood by the security community.
This is in no small part due to the fact that CMS attacks are often extremely difficult to detect. It is an unfortunate reality that the vast majority of protection products are not capable of homing in on CMS attacks. Rather, most protection products either focus on the generic web application attack aspects of CMS attacks, or they simply detect nothing. For example, the following published exploit against Lisk CMS (OSVDB-64778) would most likely trigger a broad detection of “SQL Injection” in IPS products and web application firewalls. However, it would not, without deeper investigation, allow a security professional to know that the attack was actually aimed at Lisk CMS.
Example (From htbridge.ch)
http://URL/path_to_cp/cp_messages.php?action=view_inbox&id=-1+union+select+1,2,3,4,5,6,7,8,9+--+
While the broad generalization of this type of attack string is certainly understandable, the question is: is it helpful? On one hand, a generic alert allows a security professional to take immediate action to possibly prevent issues within their network infrastructure and also allows them to broadly categorize the attack. On the other hand, the alert does not inform the security professional of the underlying issue, never allowing them to get to the root cause without time-consuming analysis. This makes the collection of metrics on these types of attacks even more difficult. As a result, statistics-backed reports rarely, if ever, cite CMS as a growing vector for attack.
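The gap described above can be narrowed on the defender’s side by layering CMS attribution on top of the generic rule, so that the alert carries the context the analyst otherwise has to dig out by hand. The following Python snippet is an added example, not code from the original post or from any vendor product: it runs a broad UNION SELECT rule over a few constructed web-server log lines and then tags each hit with the CMS that the request path points at. The cp_messages.php fingerprint is taken from the Lisk CMS advisory quoted above; the WordPress and Joomla! fingerprints are the standard URL conventions of those systems; the log lines, source addresses and the com_example component name are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed combined-format log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2010:10:01:02 +0000] "GET /path_to_cp/cp_messages.php?action=view_inbox&id=-1+union+select+1,2,3,4,5,6,7,8,9+--+ HTTP/1.1" 200 512
203.0.113.9 - - [12/May/2010:10:02:17 +0000] "GET /wp-content/plugins/gallery/view.php?id=1+union+select+1,2,3-- HTTP/1.1" 200 312
203.0.113.12 - - [12/May/2010:10:03:05 +0000] "GET /index.php?option=com_example&id=5+UNION+ALL+SELECT+1,2,3 HTTP/1.1" 200 288
198.51.100.2 - - [12/May/2010:10:03:44 +0000] "GET /path_to_cp/cp_messages.php?action=view_inbox&id=42 HTTP/1.1" 200 2048
198.51.100.7 - - [12/May/2010:10:04:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 1400
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The broad rule an IPS or WAF fires on: a UNION ... SELECT in decoded request data.
SQLI_UNION = re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.IGNORECASE)


def identify_cms(path: str, decoded_query: str):
    """Attribute a request to a CMS by its URL conventions.
    ASSUMPTION: cp_messages.php is taken from the Lisk CMS advisory quoted in the
    post; the WordPress and Joomla! patterns are those systems' standard paths."""
    if path.endswith("/cp_messages.php"):
        return "Lisk CMS"
    if re.search(r"/(?:wp-admin|wp-content|wp-includes)/|/wp-login\.php$", path):
        return "WordPress"
    if "option=com_" in decoded_query:
        return "Joomla!"
    return None


def classify(line: str):
    """Return an alert dict for a line that trips the generic rule, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    decoded = unquote_plus(target.query)  # '+' and %XX escapes become readable text
    if not SQLI_UNION.search(decoded):
        return None
    return {
        "src": m.group("src"),
        "signature": "SQL Injection (UNION SELECT)",        # what the generic alert says
        "cms": identify_cms(target.path, decoded) or "unknown",  # the context it lacks
        "path": target.path,
    }


def summarize(log_text: str):
    """Count alerts per CMS: the metric the post says reports rarely carry."""
    counts = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit["cms"]] = counts.get(hit["cms"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        hit = classify(line)
        if hit:
            print(f"{hit['src']:14} {hit['signature']:30} target CMS: {hit['cms']}")
    print("alerts per CMS:", summarize(SAMPLE_LOG))
```

The two benign requests produce nothing, the three hostile ones each fire the same generic signature, and only the second stage tells the analyst which CMS each one was aimed at, which is exactly the attribution that lets the alerts be counted per product.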
Unfortunately, whether strong statistics exist or not, the fact of the matter is that CMS is under attack. While most of the major CMS vendors provide some level of security through research and response processes, frankly the level necessary to secure freeware open-source CMS applications is too daunting a task for these organizations to tackle alone. It is therefore imperative that the security community, especially the vendor community, better support CMS security efforts. Until that support is available, please be ready to receive more E-mails like the one below…
When Did We Lose the Endpoint Security Fight?
First let me be specific when I mention “malware.” When I’m talking about malware I am lumping together any type of malicious piece of software that can harm an end user or system. This means viruses, worms, trojans, keyloggers, rootkits, backdoors, etc. With that out of the way, I have to say that recent experiences in dealing with both security professionals and IT professionals have left me wondering: when did we concede defeat to malware? I have found myself explaining on multiple occasions to end users that “viruses happen,” which is as if to say, “Sorry, nothing we can do about it, it’s just a side effect of using a computer.”
WHAT?!
When did we give up in the fight to protect our networks from malware? Furthermore, why, with advancing technology, aren’t we better addressing the issues relating to malware? The search for the answers to these questions has sent me down a virtual memory lane of the incidents and virus outbreaks that have truly shaped the modern-day IT security world. In the end, though, I found that the answer was simple: we conceded defeat when we became unwilling to move off of broken and backwards endpoint security models.
Consider the History
From Cloner to Conficker (1982-2009), security has always been a step behind malicious attacks. The introduction of malware to the world at large came in the form of somewhat damaging and annoying but simple pieces of software that we termed viruses. The simplicity of these pieces of software yielded a relatively simple solution that we termed antivirus software. These early ancestors of modern-day “Internet Security Suites” worked in a relatively simple fashion. Early antivirus would search files for a particular signature, and if that signature matched a known bad signature, the antivirus would mitigate the issue. Unfortunately, because the Internet was nowhere near as large or as useful as it is today, most antivirus signature engines were not updated regularly. This means that as infected floppy disks were being passed from machine to machine, most systems were left vulnerable to the new or avant-garde attacks of the day.
However, because the number of viruses in the wild was relatively small (by today’s standards), antivirus companies were able to produce a reasonably high level of assurance that their software would protect their customers’ systems. Furthermore, because antivirus software quite clearly did not enjoy the industry adoption that its modern-day relatives do, it made sense that the solutions were reactive in nature. Most organizations were looking to purchase antivirus software because they had experienced an incident or were experiencing an incident. Thus, it made sense that antivirus technology could be installed to alleviate a problem that already existed as opposed to trying to prevent a problem from arising. In fact, this model for solving known security issues worked so well for many organizations that antivirus software became a de facto security solution.
Then something interesting happened: computers became interconnected through various networking technologies and viruses became self-propagating over various mechanisms. Eventually we would call many of these self-propagating viruses worms because they were capable of traveling from computer to computer on their own (through wire tunnels). Early worms such as the “Morris Worm” wreaked havoc on networks all across the world. These worms exploited software vulnerabilities in ways that the IT community had never considered before. Instead of modernizing the endpoint antivirus solutions already adopted by many organizations, most sought network technologies to try and prevent worms from accessing propagation vectors. For example, many integrated firewalls and gateway appliances that often scanned E-mails for viruses. However, most of the antivirus technologies available went unchanged; they were still using the exact same signature-based scanning techniques in an attempt to address the changing threat landscape.
It was not until the massive flood of malware such as Code Red, Nimda, Klez, Blaster, Netsky, Sasser, Slammer and a myriad of others that we really started to see changes. More sophisticated antivirus solutions became anti-malware solutions or Internet Security Suites that integrated endpoint security technology such as host-based firewalls, host-based IPS, host-based spam filters, privacy protection, and even vulnerability management solutions. These technologies, however, were purposed to prevent malware from exploiting vulnerable vectors on an endpoint and wouldn’t prevent malware that was legitimately delivered to the system or was delivered over a vulnerability that the other technologies were not as yet aware of. Therefore antivirus engine models also began to evolve to be inclusive of technologies such as heuristic-based malware detection, behavior detection, file analysis, and file emulation.
However, even with these innovations, endpoint anti-malware alone does not offer a high level of security assurance. Thus, most organizations have also integrated multiple network technologies in an attempt to complement the capabilities of endpoint anti-malware: NAC, which prevents users who may be infected from accessing the network segments of supposedly malware-free machines; Intrusion Prevention Systems (IPS), which stop a multitude of network-based attacks from exploiting endpoints; firewalls, which also prevent a multitude of attacks; and Network Behavioral Analysis Detection Systems (NBADS), which detect covert channels used by malware.
While all of these technologies working together properly does offer a much higher level of security assurance, there are unfortunately still a great deal of malware-related issues, because malware has evolved to take advantage of the logical cracks between the separate security technologies used in these models.
How Does This Outline the Defeat?
The security community has been doomed to fail in the fight against malware from the very beginning. We built our models on a last line of defense that is totally reactive. Anti-malware technology has made giant leaps in effectiveness with enhanced technologies such as heuristic- or behavioral-based detection. Unfortunately, that technology will always be reactive to the constantly evolving threat environment. Furthermore, the security community has been doomed to fail because instead of addressing that simple base issue, we have decided to tack on new technology. This has done little more than grow network complexity and blur the lines of which technology is really responsible for preventing malware-related issues. Of course, don’t get me wrong: I am a MAJOR advocate of network-based security technology such as content filters, IPS, firewalls, NBADS, and others. There are a multitude of reasons why these technologies are necessary. However, the underlying issue of malware still remains; we are doomed to concede defeat until we relieve ourselves of the blacklist endpoint anti-malware strategy.
Is There Light at the End of the Tunnel?
Quite possibly. The continued proliferation and maturity of whitelist anti-malware models offers a great deal of hope. Whitelist anti-malware breaks the trend of endpoint security solutions predicated primarily on a reactive approach to security. Whitelist anti-malware simply focuses on what is allowed on a system as opposed to what is not. Of course, this could cause a great deal of management overhead for organizations that have dynamic environments. However, as whitelist anti-malware has continued to mature, most leaders in the space have made this a key focus area for the development that has gone into their products. And at this point, whitelist anti-malware technology is a HOT topic in the market.
Many leaders are now capable of assisting security focused organizations in making the transition from ineffective blacklist models towards more effective, easy to manage, whitelist models. In fact, whitelist technology already has one of the best penetration rates in organizations focused on building the best security model possible from the ground up. Organizations such as those conforming to NERC/CIP standards have been especially keen on adopting endpoint whitelist technology. Besides the benefits of compliance and security, there are also major benefits in configuration change and control for adopters.
The rapid adoption of this technology has interesting future implications, as the solidification of endpoints will allow organizations to focus on other areas outside of malware-related incident response and endpoint security. As a result, one would expect security postures to begin becoming more solid from the ground up. This could cause a far more sensible evolution in the methodology with which security models are built. Of course, at this point, one can only hope.
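To make the blacklist/whitelist distinction concrete, here is an added Python example (not code from the post, from Bit9 or from any vendor) that also illustrates the known-good hash repository described in the Bit9 section earlier. It hashes a handful of constructed stand-ins for executables, evaluates each one under a default-allow blacklist and a default-deny whitelist, and includes the explicit approval step that a new or updated binary needs under the whitelist model. The file names, their contents and the KNOWN_GOOD/KNOWN_BAD sets are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for executable contents (a real agent hashes on-disk binaries).
SAMPLES = {
    "editor.exe": b"MZ constructed known-good editor v1",
    "editor_v2.exe": b"MZ constructed known-good editor v2 (just updated)",
    "worm.exe": b"MZ constructed known-bad sample",
    "newtool.exe": b"MZ constructed binary nobody has catalogued yet",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of a binary in both list models."""
    return hashlib.sha256(data).hexdigest()


# Repository of known-good hashes: the role a vendor hash database plays (constructed).
KNOWN_GOOD = {sha256_hex(SAMPLES["editor.exe"])}
# Signature set of known-bad hashes: the classic antivirus blacklist (constructed).
KNOWN_BAD = {sha256_hex(SAMPLES["worm.exe"])}


@dataclass
class Decision:
    name: str
    allowed: bool
    reason: str


def blacklist_policy(name: str, data: bytes, denylist=KNOWN_BAD) -> Decision:
    """Reactive model: block only what has already been catalogued as bad."""
    if sha256_hex(data) in denylist:
        return Decision(name, False, "hash matches a known-bad signature")
    return Decision(name, True, "no signature match, so allowed by default")


def whitelist_policy(name: str, data: bytes, allowlist=KNOWN_GOOD) -> Decision:
    """Default-deny model: run only what has been explicitly approved."""
    if sha256_hex(data) in allowlist:
        return Decision(name, True, "hash is in the allowlist")
    return Decision(name, False, "hash not in the allowlist, so denied by default")


def approve(data: bytes, allowlist: set) -> str:
    """Change-control step: an administrator approves a new or updated binary.
    This is the management overhead the post mentions for dynamic environments."""
    digest = sha256_hex(data)
    allowlist.add(digest)
    return digest


def run_policies(samples=SAMPLES):
    """Return {name: (blacklist_allowed, whitelist_allowed)} for every sample."""
    return {
        name: (blacklist_policy(name, data).allowed,
               whitelist_policy(name, data).allowed)
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (bl, wl) in run_policies().items():
        bl_label = "ALLOW" if bl else "BLOCK"
        wl_label = "ALLOW" if wl else "BLOCK"
        print(f"{name:14} blacklist={bl_label:5} whitelist={wl_label}")
    # After approval the updated editor runs under the whitelist as well.
    allowlist = set(KNOWN_GOOD)
    approve(SAMPLES["editor_v2.exe"], allowlist)
    verdict = whitelist_policy("editor_v2.exe", SAMPLES["editor_v2.exe"], allowlist)
    print("editor_v2.exe after approval:", verdict.allowed, "-", verdict.reason)
```

The uncatalogued newtool.exe is the case the post is about: the blacklist waves it through because no signature exists yet, while the whitelist stops it until someone vouches for it. The updated editor shows the cost of that stance, since a routine version bump changes the hash and needs an approval before it will run.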
ITsec Industrial Centers of Excellence
The IT security community is a small world, especially within the vendor community. In the security market it is not uncommon for companies to be staffed by personnel who maintain close relationships with personnel of fierce market competitors. Oftentimes this is because those now-fierce competitors were once co-workers. This is really no surprise, as it is my personal belief that the best security professionals come from environments where they were surrounded by other excellent security professionals. Regardless, in doing a bit of research I have determined that there are industrial centers of excellence that produce highly capable and innovative security professionals. Below are a few of the industrial centers of excellence that I have personally come across (in no particular order).
(IBM) ISS/ISS X-Force
The IBM ISS X-Force is one of the strongest teams of security researchers and developers in the world. More to the point, they are possibly the best team of vulnerability researchers outside of government-sponsored hacker teams. Before the saturation of vulnerability research, it would have been difficult to have an in-depth conversation about the IT security market without talking about the heavy influence of the ISS X-Force. Even major conferences devoted entire tracks to topics that amounted essentially to discussion of what it takes to be an X-Force member. There were certainly other teams similar to the X-Force early on, but few were as large or as prestigious by any means. Today the X-Force still exists, but largely in an environment where vulnerability research is becoming increasingly saturated. Thus, while much of their work is still of an industry-leading caliber, getting the message out is far more difficult. Regardless, the ISS X-Force has graduated many of the industry’s best-known personalities, including a few who have had a major impact on the security market. Below are a few notable areas where ISS and especially X-Force alumni can be found making an impact.
Notable Companies Founded By ISS X-Force Alumni:
- Cambia (now a division of nCircle)
- Endgame Systems
- Errata Security
- Spi Dynamics (now HP Application Security Center)
Notable Companies With ISS X-Force Alumni Working at Top Levels:
- McAfee
- Teramark
- Axis Capital
- Breach Security
- Arcsight
- TopLayer Security
- Cisco
- Immunity Security
- Damballa
- IBM (Obviously)
SPI Dynamics
SPI Dynamics, currently HP Application Security Center, is an industry-leading web application security vendor. In its pre-acquisition form, SPI employed some of the industry’s best and brightest security researchers, product managers, and evangelists. After the acquisition of SPI Dynamics, a number of notable employees left to start their own companies or take on leadership roles within other security firms. Furthermore, HP ASC still employs several notable people, such as SPI founder Caleb Sima and Matt Wood, from whom the industry can still expect big things. While SPI Dynamics could technically be seen as an extension of ISS, as founders Brian Christiansen and Caleb Sima are both ISS alumni, SPI grew into a large enough company and has had enough alumni make an impact on the industry to be noted in its own right. Today SPI alumni can be seen taking on the difficult task of trying to attain application security from very high ranks within notable companies. Furthermore, these professionals have combined with other groups noted in this list to work on avant-garde technologies that the industry should fully expect to see more of in the future.
Notable Companies Founded By SPI Alumni:
- GOTO Metrics LLC
- Zoompf
- Silvexis
Notable Companies With SPI Alumni Working at Top Levels:
- Zscaler
- Purewire
- FishNet Security
- Lancope
- Veracode
- Microsoft
- SecureWorks
The United States Air Force Computer Emergency Response Team (AFCERT), Office of Special Investigations (AFOSI), and Information Warfare Center
There are several notable US government Computer Emergency Response Teams and Incident Response Teams that are highly recognizable and extremely capable. However, few command the same level of respect as the team that was previously known as the United States Air Force Computer Emergency Response Team. Of the few CERTs, CSIRTs, and CIRTs of such a caliber, I run into AFCERT alumni most often in my analyst coverage. I do not pretend to know why this is the case; it could be because AFCERT has graduated more alumni, or it could be strictly coincidence.
What I do know is that these alumni have made major waves in the information security market, both from a financial perspective and from an industry-wide education perspective. As you may note, I have also included the Air Force Office of Special Investigations and Information Warfare Center in this section. I honestly do not know what the relationship of these teams has been or how closely those specializing in computer security and digital forensic investigations worked together while within the military. I do, however, know that in the private sector, as alumni, they have together produced ground-breaking research and capabilities. I personally spent a great deal of time reading the books and periodicals these alumni have published in order to gain a better understanding of major security issues, especially relating to incident response.
Notable Companies Founded By AFCERT Alumni:
- Denim Group
- Wheel Group (now a part of Cisco)
- Mandiant
- CoreTrace
Notable Companies With AFCERT Alumni Working at Top Levels:
- Cisco (obviously)
- General Electric
- Foundstone
- CSC
- SAIC
- Bank of America
- Federal Data Systems, Inc.
- ManTech
- AT&T
- Various other defense contractors
@stake (now a part of Symantec, also back on its own in L0pht, and in Veracode)
I honestly do not know how to characterize the @stake story: it’s happy, it’s sad, it’s happy again, I really don’t know. Those who have followed closely saw one of the industry’s best security teams swallowed up by the giant that is Symantec. Next, followers saw that team more-or-less fade into oblivion. Then followers saw the @stake team re-emerge in the form of L0pht, iSec Partners, Veracode and others. Each of these organizations produces products or services that are innovative and industry leading. I previously worked in an organization where I am proud to say my colleague purchased the last copy of LC5 before Symantec murd—ugh—discontinued support due to US Government export regulations. Regardless, @stake members have left a heavy footprint on the IT security market from both a business perspective and from a historic perspective. In all honesty, if you have not yet run into some version of SQL Slammer (a worm created based on code demonstrated in an @stake Black Hat presentation) in your studies or in security monitoring, or you haven’t snickered at the backdoor program Back Orifice (a program created by an @stake alumnus), you probably need to hit the security books. (Much of this came from http://en.wikipedia.org/wiki/@stake; yes, I used Wikipedia as a reference.)
Notable Companies Founded By @stake Alumni:
- iSec Partners
- Veracode
- Novosecure
- Security Objectives
Notable Companies With @stake Alumni Working at Top Levels:
- BBN Technologies
- Application Security Inc.
- Adobe
- L.E.K Consulting
- NEOhapsis
- Yahoo!
- Safelight Security Advisors
- Deloitte
- Forrester Research (although it pains me to do so they are a competitor of mine at EMA, I’ll give a nod to Andy Jaquith)
- Endgame systems
- Rapid7
The NSA/ NSA Intern Programs
By this I mean the actual NSA, not an NSA center of excellence or some type of certified academic program. I’ll be honest, this is an arena where I don’t particularly have too much insight, and I don’t want any insight. I’ll merely say this: the NSA has over the years employed a lot of smart people, a lot of smart people. Sometimes these people don’t advertise their work background and sometimes they do. The gentleman who gave me my start in information security very proudly lets people know that he began his career at the NSA. During my analysis I have often heard of graduates of the NSA Summer Intern program and of NSA alumni in general. I do know that these folks have proliferated all throughout the industry, to the point that I could spend hours listing out all the notable companies they now work for. However, given the cloak-and-dagger nature of the company, I will merely close with: they could be anywhere.
(and I hope you realize that’s a joke)
Notable Companies Founded By NSA Alumni:
- Immunity Security
- Stach and Liu
Notable Companies With NSA Alumni Working at Top Levels:
- Cisco
- ICSA
- NASDAQ
- Microsoft
- Various Defense contractors
- State of Michigan
- Symantec
- Accuvant Labs
Other Notable Organizations that Have Made Major Contributions
- Ernst and Young: Alumni founded several companies including Foundstone and now work all throughout industry
- Trident Data Systems: Alumni founded several companies, however Trident Data Systems was a second stop for many AFCERT alumni. Trident Data Systems Alumni also started notable consulting practices, including Deloitte’s security consulting practice with ERS and the Denim Group.
- Various government agencies: Too many to name here but the problem is that this again is an environment that over the years has been highly diluted.
- Stanford University: Alumni have founded several notable companies including Dasient and Coverity
- Carnegie Mellon: Former home of US-CERT, it is certainly a top-tier university for security professionals. However, outside of the federal government I run into these graduates less often.
Up-and-Comers
- The Sourcefire Vulnerability Research Team (VRT): This is an extremely passionate team of people who are all focused on security. That many passionate people working together on a regular basis is bound to advance them professionally in their skills, capabilities, and innovative thoughts. Although not quite the caliber or maturity of the X-Force, these talents are likely to have a growing impact on the industry.
- Trustwave and especially Spiderlabs: Again a vulnerability research team much like the X-Force although not quite on the same level of maturity as of yet. Regardless, the Spiderlabs team has been an extremely attractive place for passionate security researchers to land. If these professionals ever leave, they will no doubt have a large effect on the industry (which is easy to say because several of them have already). Alternatively, if they should chose to stay at Trustwave, ?you should expect to hear more about these professionals which includes David Byrne (one of the authors of Grendel Scan).
- WhiteHat Security: Excellent environment for training web application penetration testers and researchers. Lead by Jeremiah Grossman, Arian Evans, Bill Pennington, and previously Trey Ford, WhiteHat is pulling in young talent and training those talents to be better. The program is likely to produce highly qualified people.
- Rapid7: With the acquisition of Metasploit Rapid7 combines several notable industry figures with a hacker rockstar persona. These are attractive traits for young passionate security professionals. One could easily expect many talents to migrate towards this company and should those talents ever leave, they could do very interesting things.
- Any major vulnerability research team should they have a large exodus. There are a lot of other highly capable vulnerability research teams whose alumni could have a major impact on the security industry should there be any type of exodus. These teams include but are not limited to what was formerly McAfee Avert labs, MSRC, and Trend Micro’s research team.
A Bit of Perspective on the Metasploit Acquisition
Any time a major open-source security project like Metasploit is touched by the commercial world it is a big deal. Thus, I felt the need to put together some thoughts regarding the acquisition of the Metasploit project, an industry leader in exploitation frameworks, by Rapid7, an innovative vulnerability management vendor. The acquisition will no doubt have a lot of people talking and unfortunately will likely spur some drama within the security community, largely because of concerns around any potential changes to the open-source nature of the Metasploit project. Although I think the community should not be concerned, as the acquisition will in the end benefit them, I will throw out one minor caution: it is much easier to produce controversial technology when it calls into question the decision making of a project than when it calls into question the decision making of a company.
That being said, I want to reiterate my earlier point: this will in the end benefit both Metasploit and Rapid7.
Why This is Good For Metasploit
In looking at this from an analyst perspective, one must separate the hype and controversy from the cold hard facts. The fact is that the Metasploit project is an open-source pillar of the security community, and any time anything changes in one of those pillars there is a tendency for the security community to, well, overreact. Hopefully this won’t be the case with the acquisition of Metasploit. The benefits for Metasploit are very clear, a few of which are:
- Metasploit will still be an open-source project
- HD Moore is now working on Metasploit full time
- The Metasploit team will now consist of a professional staff including a GUI developer, an exploit developer, and a QA engineer
- Metasploit will have the benefit of Rapid7’s much larger test and development infrastructure
- Metasploit will benefit from Rapid7’s resources, including some well-known security minds that could potentially add interesting things to the Metasploit framework
Put simply, Metasploit will now have a few more dollars and cents backing its efforts, which means that the developers will be able to focus more attention on developing the project to better meet the needs of users. Rapid7 was really a perfect fit for the Metasploit project, since Rapid7 employs several very talented developers and vulnerability researchers. Furthermore, in terms of business culture there are very few organizations whose management could take on the Metasploit project; Rapid7 is one of those organizations.
Why This is Good for Rapid7
I have no doubt that I will take some heat for this statement, but the acquisition is primarily a great marketing tool. On the one hand it will bring growth in capabilities, but I don’t see that having a major market impact. More on that to come. Where I see this being good for Rapid7 is in the realm of brand recognition amongst security professionals. Metasploit is one of the top 5 security tools according to Fyodor’s Top 100 Security Tools survey, which was conducted in 2006. While this list is due for an update, the point is that Rapid7 NeXpose competitors Qualys QualysGuard, Tenable Nessus, eEye Retina, SAINT, ISS Internet Scanner, GFI LANguard, and even SARA (which is no longer in development) all made the list. Rapid7 NeXpose did not. When considering the capabilities of NeXpose in comparison to some of these competitors it becomes clear that Rapid7 simply does not have the market recognition it should. The fact that Rapid7’s brand is now on the Metasploit project will largely change this.
The other major benefit Rapid7 will see is simply in gaining talent. They have already gained talent by hiring HD Moore as CSO; further benefits will come in the form of the talent that the Metasploit project will attract.
Some Vulnerability Management Market Perspective
In all likelihood the acquisition of Metasploit by Rapid7 will not have a major impact on the vulnerability management market other than to move Rapid7 up in terms of overall brand recognition. On the one hand it is a very interesting maneuver by Rapid7, and they are getting one of the industry’s most recognized names in the Metasploit project (and in HD Moore in general); on the other hand, the vulnerability management market is no longer predicated on evangelism or a hacker rockstar persona. That is not to say that the move was not an excellent one for Rapid7. From a marketing perspective alone, the acquisition will without a doubt show Rapid7 a major return on investment.
Rather, this merely means that the acquisition will not change business as usual in the vulnerability management market, at least not at the level of the current leaders. There is, though, a real opportunity to grab some of the market share currently held by vendors perceived to have fallen off the vulnerability management radar. However, Rapid7 had that opportunity to begin with. Thus, I must reiterate that the acquisition of Metasploit will garner attention but will not alone have a major impact on the market.
It is easy to forget that Qualys, a leader in the vulnerability management market, gained the majority of its market share through an intelligent business model and not through a hacker rockstar persona. In fact, when Qualys began gaining major market traction, eEye, not Qualys, held the image of the hacking rockstars within the market. At that time, though, Qualys intelligently aligned itself with the PCI Data Security Standard and an easier implementation model (a SaaS-delivered solution). The result was an easy-to-justify ROI and a simple implementation methodology. I can speak first hand to this because at that time I was still working as the vulnerability management coordinator within a large enterprise and I had both eEye and Qualys as enterprise solutions.
Why both? Simply because the purchase of eEye’s REM product failed to meet the needs of that organization. At the time, ensuring PCI compliance (section six) was difficult when utilizing products from Qualys competitors due to the close alignment of Qualys with PCI (mind you, this was well before CVSS scoring). This was extremely frustrating for non-Qualys customers, including yours truly, and in the end, when compared to the cost of using eEye as a long-term solution (including implementation, hosting, and management costs), it made more sense to just bring in Qualys.
Thus, while lower-level operational staff who are focused on the technology may want to try Rapid7 because of its interesting capabilities, higher-level management will be less keen on the idea, because the ROI is more difficult to justify when one considers that a well-tuned business process could potentially be impacted. In order for Rapid7 to really take over the market share of the leaders in the space, they will have to be able to show the business justification alongside the enhanced capabilities.
Some Exploitation Framework Market Perspective
On the other side of this acquisition, the exploitation framework market will feel the Impact at its very Core, pun intended. That is to say, the real impact of this acquisition will be felt by Core Security, a leader in commercial vulnerability exploitation frameworks. One of Core Security’s difficulties in gaining better market adoption and moving more product has been justifying its product in a marketplace where one major competitor is free and another comes at a minor cost. In other words, Core had to show customers why they should pay a premium price for an exploitation framework. One of its primary arguments was that its exploits were QA tested and therefore far less likely to cause any type of disruption or outage. The acquisition of Metasploit by Rapid7 promises to erode this differentiator for Core Security, as Rapid7 will be dedicating resources to the Metasploit project over the next six months and HD Moore, now the CSO of Rapid7, has publicly announced intentions to hire at least one QA engineer.
Fortunately, however, it is not unreasonable to believe that the exploitation framework market is big enough for all three vendors. It is not infeasible for one organization to hold licenses for Immunity CANVAS and Core Impact while still utilizing the Metasploit Framework. Although Core has, over the past year, taken a more enterprise approach to penetration testing, none of these products is particularly expensive by comparison to most enterprise security products. CANVAS comes at a cost of $1,495 for 10 seats (unless you want support or early updates), Core does not publicly display Impact’s price, but I can say from personal experience that under GSA pricing one copy of Impact is in many cases a P-card purchase (depending on your limit), and finally Metasploit is free. So really, one could more or less get all three solutions for the price of, well, Core Impact. Which, in my personal opinion, is well worth the investment.
How Core answers the premium-price question will impact not only Core Security but the penetration testing market as a whole. Previously, Core Security was one of the primary evangelists for penetration testing as part of enterprise security strategies. It is not unlikely that Core will have to shift some of that attention and focus towards evangelizing the value of its own product line given the price. This raises the question: will Rapid7 pick up the slack in evangelizing penetration testing? Maybe. But then I have to ask what the value is to Rapid7.
Instead, it makes much more sense for Rapid7 to reap the benefits of the brand recognition delivered by the Metasploit project name, for Metasploit to reap the benefits of a commercially backed company, and for Core Security to invest more resources into differentiating its products from Metasploit. All the while, efforts to push penetration testing as a critical component of security strategies will be reduced.