Friday 24 April 2009

BoxSentry Ditches Challenge/Response; Fights False Positives

Update Apr 25 6.30am UTC: fix name of product (thanks, Meng)

Singapore-based BoxSentry has historically been known as a challenge/response spam filter vendor. Readers will probably be aware that I'm no fan of C/R.

As time goes by, BoxSentry has gradually de-emphasized C/R, but until recently it was still sending challenges for a small but significant proportion of the spam it received -- and hence was sending unsolicited "replies" to people who had never sent email to the BoxSentry user.

Manish Goel, BoxSentry's CEO, confirmed to me that his company no longer uses C/R. That's great news for Internet users. Well done, Manish; I know that I and others have been thorns in your side for a while about this; I appreciate your good humour in our occasional, heated debates!

Manish also brought other news. While beefing up their technology base -- in part to compensate for the loss of the C/R layer -- the company has developed new techniques to better identify false positives.

BoxSentry has wrapped the new techniques in a product it's calling LogiQ. The idea is that it can run alongside a traditional spam filter and automatically retrieve any false positives it finds.

As an illustration, Manish offered a "typical" example: over the test period, a deployed spam filter from one of the well-known vendors delivered 11,500 legitimate messages, but LogiQ found an additional 680 false positives in the filter's quarantine (roughly 5.6% of the legitimate mail). That's a roughly average false positive rate, in my experience. Not exactly state-of-the-art, but pretty representative of deployed spam filters. It might equate to one false positive every week per user.

Manish says that 100% of the false positives identified with these new techniques really are false positives -- although they may not catch all of them.

A bold claim; I'm looking forward to digging into the details of the techniques under NDA...

Thursday 23 April 2009

AVG loves its freeloaders

AVG makes one of the last free AV products. Here at RSA, I talked to AVG CEO JR Smith about why his company is sticking with the freemium model...

According to Smith, it's great having the majority of their "customers" who don't pay for the product. It makes lead generation really easy. Not only are they able to up-sell consumer users who download the free version, but many of those consumers also recommend the use of AVG inside of the SMB in which they work.

Add to that the valuable stream of real-time feedback that their users' installations provide about threats on the Web pages that they discover, and one starts to understand why the company is growing at a claimed 80% annually.

Astaro drops its R&D-led roadmap

This is Angelo Comazzetto. A Canadian, of Italian heritage, living in the U.S., working for a German company.

When I met him last year, his business card said something like Evangelist. These days, he's the product manager for Astaro's line of low-cost Unified Threat Protection appliances. Despite his title change, he's not lost his passionate, high-energy, rapid-fire delivery style ;-)

Some notes from our meeting:
  • "600 new features" in the past year
    • based on win/loss analysis and other customer requests
    • no longer R&D-led roadmap!
    • Versions 7.2, 7.3, 7.4 all "major" releases
  • Now uses Commtouch for anti-spam, Astaro loves them
  • Astaro has dropped Kaspersky: too expensive and inaccurate
  • Moved to Postgres from MySQL
  • Added full HTTPS content inspection (the appliance terminates TLS as a proxy and re-signs each site, so clients must trust its signing CA certificate)
    • Several options for deploying the proxy CA certificate to user PCs
  • Network balancing across several connections
  • Supports the proprietary Cisco IPsec client
    • So can have people move from obsolete Cisco PIX and ASA to Astaro
    • Supports iPhone VPN client (nice demo)

Yubi-who? Easy single-signon, one-time-password auth.

This is Stina Ehrensvärd, the CEO of Yubico.

You may have heard of their product, especially if you listen to Steve Gibson and Leo Laporte's Security Now podcasts. It's called Yubikey: a tiny, single-signon, one-time-password USB device.

It emulates a keyboard. Touch the button and it types a fresh one-time password. So it's something you have; when combined with something you know -- a static password -- you have the simplest form of two-factor authentication.
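
Here is an added example of the server side of that scheme; it is illustrative code, not Yubico's, and the Yubikey's own OTP format is not described on this page, so the one-time-password component is HOTP (RFC 4226), an open counter-based algorithm, standing in for it. The user name, password, OTP secret and look-ahead window are all constructed for the example.

```python
import hmac
import hashlib
import secrets
import struct

# Added example: verifier for "static password + hardware one-time password".
# The OTP algorithm is HOTP (RFC 4226). It is NOT the Yubikey's own OTP
# format, which this page does not describe; it is an assumption chosen to
# show the counter / replay logic a token like this relies on.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TwoFactorVerifier:
    """Per user: salted password hash, OTP secret, and the last counter
    accepted. Refusing any counter <= last_counter makes a captured OTP
    useless for replay even if the static password is also known."""

    def __init__(self, look_ahead: int = 20):
        self.users = {}
        self.look_ahead = look_ahead  # how far the token may have run ahead

    def enroll(self, user: str, password: str, otp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[user] = {"salt": salt, "pw": pw_hash,
                            "otp_secret": otp_secret, "last_counter": -1}

    def _password_ok(self, rec: dict, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        return hmac.compare_digest(cand, rec["pw"])

    def verify(self, user: str, typed: str) -> bool:
        """`typed` is what the login form receives: the static password
        followed immediately by the 6 digits the keyboard-emulating token
        typed. Returns True only if both factors check out and the OTP
        has not been used before."""
        rec = self.users.get(user)
        if rec is None or len(typed) <= 6:
            return False
        password, otp = typed[:-6], typed[-6:]
        if not self._password_ok(rec, password):      # something you know
            return False
        start = rec["last_counter"] + 1               # something you have
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(rec["otp_secret"], counter), otp):
                rec["last_counter"] = counter         # burn this and all earlier
                return True
        return False


if __name__ == "__main__":
    # Constructed enrolment; the secret is the RFC 4226 test-vector key.
    v = TwoFactorVerifier(look_ahead=5)
    v.enroll("alice", "correct horse", b"12345678901234567890")
    first = hotp(b"12345678901234567890", 0)
    print("first login:", v.verify("alice", "correct horse" + first))   # True
    print("replayed OTP:", v.verify("alice", "correct horse" + first))  # False
```

The look-ahead window is what tolerates button presses that never reached a server (the token's counter advances, the server's does not); once a later counter is accepted, every earlier one is dead, which is the property that makes a shoulder-surfed or keylogged OTP worthless.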

As you might guess from her name, it's a Swedish company. Stina told me it was built around the vision of fixing banking and PayPal fraud. The idea is that banks would save money lost to fraud, some of which they could donate to charities.

Which is nice.

BitDefender defends its position in the AV market

What a nice man Florin Talpeş is. The CEO of BitDefender is a pleasant, thoughtful personality.

My guess is he's not going to allow BitDefender to make the same mistake as certain other Eastern-European AV companies, who got too big too quickly and rested on their laurels. Cough-Kaspersky-cough.

BitDefender is very proud of its recent successes in comparative testing. It's touting a meta-analysis of several recent tests, which show the company tied with Symantec for top spot, in terms of malware detection accuracy.

Wednesday 22 April 2009

Varonis: the jelly-to-the-peanut-butter of net file shares

This isn't my usual area, but I had such an interesting and thought-provoking meeting with Varonis's Johnnie Konstantis that I wanted to blog a few notes...

Varonis produces a management tool to help IT do "unstructured data governance." In other words, it helps people manage the random dumping grounds of opaque files sitting around on shared drives. Compliance and e-discovery are the watchwords here.

Varonis is very proud of its EMC partnership. EMC resells the product to its disk array customers. EMC is also a customer: 40K users on 420 file servers storing almost a petabyte of data.

More notes:
  • It integrates with Active Directory and ensures that file system permissions adhere to policy.
  • It offers a richer user interface for permissions than Windows itself.
  • You can navigate and drill into Windows server access logs, which is useful for e-discovery.
  • It also helps you ensure your super-users aren't snooping on sensitive data.
  • It helps you find the business owner of data, which is important for e-discovery.
  • It can flag potential permission revocations (e.g., where a user hasn't used that permission in a while, because the user has changed jobs)
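
As an added illustration of that last bullet (this is my own example, not Varonis code), here is the stale-permission check run over a constructed ACL and a constructed, simplified access log: a granted right that has not been exercised within a cut-off is listed as a revocation candidate for the data owner to review. The share names, users, dates and log format are all made up for the example.

```python
from datetime import datetime, timedelta

# Added example: flag granted-but-unused permissions as revocation candidates.
# ACL entries and log lines are constructed; the log format is a simplified,
# made-up one, not a real Windows audit record.

# Effective permissions: (user, share, right)
ACL = [
    ("alice", "finance", "read"),
    ("alice", "finance", "write"),
    ("bob",   "finance", "read"),   # bob moved off the finance team in January
    ("bob",   "hr",      "read"),   # granted, never used
    ("carol", "hr",      "write"),
]

# Constructed access log: "YYYY-MM-DD user share operation"
ACCESS_LOG = """\
2009-04-20 alice finance read
2009-04-21 alice finance write
2009-01-05 bob finance read
2009-04-15 carol hr write
"""


def parse_log(text: str) -> dict:
    """Return {(user, share, right): most recent datetime that right was used}.
    A write or delete exercises the 'write' right; anything else, 'read'."""
    last_use = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        date_s, user, share, op = line.split()
        right = "write" if op in ("write", "delete") else "read"
        when = datetime.strptime(date_s, "%Y-%m-%d")
        key = (user, share, right)
        if key not in last_use or when > last_use[key]:
            last_use[key] = when
    return last_use


def stale_permissions(acl, last_use, now, max_idle_days=90):
    """ACL entries not exercised within max_idle_days, never-used ones
    included. Output is a sorted list of (user, share, right, last_used)
    with last_used as an ISO date or None; these are candidates for the
    data owner to confirm, not automatic revocations."""
    cutoff = now - timedelta(days=max_idle_days)
    flagged = []
    for user, share, right in acl:
        seen = last_use.get((user, share, right))
        if seen is None or seen < cutoff:
            flagged.append((user, share, right,
                            seen.date().isoformat() if seen else None))
    return sorted(flagged)


def report(now=datetime(2009, 4, 22), max_idle_days=90):
    return stale_permissions(ACL, parse_log(ACCESS_LOG), now, max_idle_days)


if __name__ == "__main__":
    for user, share, right, last in report():
        print(f"{user:6} {share:8} {right:5} last used: {last or 'never'}")
```

With the 90-day window and a run date of 2009-04-22, bob's finance read (last used in January) and his never-used HR read are flagged; alice and carol are not. Widen the window to 200 days and only the never-used grant remains, which is the knob an owner turns to separate "changed jobs" from "on leave".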

Commtouch's new OEM Web security business

At the RSA Conference yesterday, I sat down for a friendly chat with Amir Lev, the CTO of Commtouch.

Commtouch is best known for its OEM anti-spam engine, which is licensed by a long list of well-known email security vendors.

In January, the company launched a Web security service, using a similar architecture and business model as its anti-spam technology. In other words, it's a hybrid of a managed service—cloud-based, if you insist—that maintains a database of known Web pages, plus an OEM engine that queries the database and intelligently caches the results.

Why do it in the cloud? Amir argues that it's hard to categorize the whole Internet, as the database gets huge and the changes are too big to push the updates in a timely manner.

The service categorizes the known threats so that OEMs can produce different types of products. For example, a product focussed on anti-phishing, which will major on the web pages categorized as fake bank portals, etc.

Amir argues that being an OEM is a good place to be, as the industry continues to move to a "soup-to-nuts" UTP model. Commtouch's vendor customers will often specialize in one or two areas and license the rest conventionally.

More controversially, Amir also argues that it's risky to build a strategic relationship with a small, niche company that offers an OEM solution, because if they're bought out, they may lose the OEM strategic focus.

Well, he would say that, wouldn't he?

Tuesday 21 April 2009

Abaca's radical anti-spam tech wins at Yahoo!

At the RSA Conference, I was almost blinded by the huge grins on the faces of the Abaca reps.

As you may recall, Abaca has a really interesting spin on the spam filtering problem. Finely-tuned mathematics and a big database of receiver statistics back up some truly impressive claims. As I said last year, I'm reasonably convinced that it's not just a silly FUSSP.

For over a year, Abaca has been working on a deal with Yahoo! to add the technology—which they now call CLX—to the spam filtering mix. A few months ago, I heard unofficially that Yahoo! agreed to roll it out.

Now, Abaca is announcing that the rollout has been hugely successful, and Yahoo! is extremely satisfied with the result. Nice going.

As an update, here are the (claimed) highlights of the Abaca technology:
  • Guaranteed accuracy of at least 99% catch rate (with money-back contract terms)
  • Claimed false positive rate is infinitesimal (I calculate their claims equate to one in a million messages)
  • After bootstrapping with recipient email statistics, no user training is required, but can be individualized by users clicking the Spam/Not-spam buttons
  • By its nature, it's extremely scalable—a single small server can handle 90 million messages per hour
Of course, I can't verify these claims, but it would appear that Yahoo! effectively has.

Equally, I don't know how close to reality the false positive figures are -- at best they're based on user reports alone, which usually tend to significantly under-state the reality. But, again, if the Yahoo! user reports are anything close to 1:1,000,000, then Abaca has something really worth shouting about.

Websense (finally) gets appliance religion

I sat down with the folks from Websense, here at the RSA Conference. Their big news is that they've finally come out with a pre-built appliance.

It's easy to be cynical. It wouldn't be hard to see this as Websense being "late to the party." Naturally, the company doesn't view it that way.

Websense didn't want to simply take its existing software platform and stuff it into a 19" rack. It already has third parties who do that, which it says it's happy with.

Websense saw the need for a complete platform refresh. We're seeing the first fruits of this work in the new V10000 appliance.
  • It's based around a virtualized environment, based on Linux and the Xen hypervisor.
  • First version is simply a Web gateway / security proxy, but future add-ons will include DLP
  • Customers will be able to run multiple instances on one box.
  • A new centralized management platform can control a mixture of appliances and similar functionality provided by the Websense managed service (based on technology from the BlackSpider acquisition).