Sometimes what’s bad for companies is good for business. That’s the case for a number of Massachusetts security software firms. These days, the Boston area seems to have renewed its claim as an epicenter of cyber security activity.
In the wake of the recent, much-publicized cyber attack on RSA Security, a division of Hopkinton, MA-based EMC (NYSE: EMC), I thought it would be a good time to check on efforts to meet new cyber threats by some local security companies. RSA classified the attack on its system last week as an “advanced persistent threat”—a phrase used to describe a sophisticated effort to target software applications, sensitive data, or end users—but the firm was vague about exactly how it was hacked, what kinds of data were stolen, and what risks its customers face. (RSA said it is working closely with customers, but security expert Bruce Schneier wrote in a blog post that “the company has lost its customers’ trust.”)
This kind of advanced threat is a far cry from the corporate hacking of the past couple of decades. Companies used to be able to defend themselves from rogue hackers by deploying technologies around the perimeter of their network—such as firewalls and “deep packet inspection,” which detects things like viruses and worms as they enter the network. But advanced persistent threats are what defense and intelligence agencies are used to seeing from nation-states (from China to the Middle East to Eastern Europe) trying to hack into government databases—except now their targets include banks, insurance companies, tech firms (Google, Adobe, and others), and critical infrastructure like energy and chemical firms.
All is not lost yet. In addition to big companies like EMC/RSA (which also includes security technology from Network Intelligence), a number of smaller but established software companies are working on ways to combat the latest security threats. One of these companies is Fidelis Security Systems, a nine-year-old firm in Waltham, MA, that is giving corporations and government agencies the ability to continuously identify and analyze threats from within their networks, down to the level of applications, files, and individual sessions.
That’s apparently crucial for fighting advanced persistent threats, which can take the form of anything from malware embedded in a PDF file to tricking an employee into accessing a website and then exploiting a software bug. “When somebody decides to make you a target, they will persistently and, in a very targeted way, try to infiltrate your network,” says Fidelis CEO Peter George.
One big emerging trend is government agencies working together with corporations to try to thwart such attacks. This increased cooperation was evident at the RSA Conference in San Francisco last month, George says, where a number of forums and panels featured “three-star generals sitting side by side with business leaders.” The U.S. government, he says, is “working in collaboration with the biggest enterprises in the world to show them best practices, to show them how to fight advanced threats.”
All of this points to a major mindset shift when it comes to corporate data security. “Organizations should continue to act under the assumption that the attackers are already inside, rather than dedicate excessive time and resources to securing their perimeter,” says Adam Bosnian, executive vice president at Cyber-Ark Software, a Newton, MA-based security company that specializes in managing privileged users and protecting against insider threats, among other things.
Fidelis and Cyber-Ark are part of a thriving cluster of Boston-area security companies