In-Depth
Sworn to Protect
As the real-time intrusion prevention market grows, so does the number of players ready with solutions. One player hoping to make strides is NFR Security, with their flagship product, Sentivist.
According to some surveys, the rise in computer threats will spur
the market for intrusion prevention and detection products. One research
firm, Instat/MDR believes those markets combined can bring in $1.4 billion
in 2008. One such company on the IPS side is NFR Security, whose CEO,
Andre Yee, took time out last October to talk with MCPmag.com Editor
Michael Domingo as the company was releasing its flagship IPS appliance,
Sentivist.
MCPmag.com: Give us an overview of NFR Security: when was it
founded, what's the company's mission?
Andre Yee: NFR Security was founded in late 1996. We have several
hundred customers worldwide, most of them in the U.S. We're a leader in
real-time threat protection solutions for enterprise networks. That means
we protect you against automated malware, against the theft of information,
against existing vulnerabilities inside of your applications, as well
as unauthorized changes in your network. We're used by many of the largest
companies.
Is your target enterprise or small- to medium-sized businesses?
We actually service a wide range. I'd say our sweet spot tends to be
small- to medium-sized businesses. One of the [things] is our ability to scale,
the ability to sift through information and highlight the essential, critical
information to protect your network. I should say that our flagship product
is an intrusion prevention product that sits in your network and it functions
as a really smart firewall. It can do far more than a firewall. It can
detect malicious code that's carried in the traffic and block that malicious
attack in line. This flagship product has been out for a little more than
a year and we've won several awards during that time, including Datamation
Enterprise Security Product of the Year.
You're talking about your flagship product, Sentivist? Can you give
us some insight into the development of the product and what some of your
customers are saying about it?
This product has a core detection engine, it's an intrusion prevention
product. We sell it both as software as well as an appliance. Intrusion
prevention is built on good detection. If you can't detect well, you're
certainly in no position to prevent malicious traffic. One of the things
we do really well is detect attacks [using] what we call a hybrid detection
engine that uses multiple modes of detection. Our signatures are exploit-based.
In other words, they'll detect specific exploits. And they're vulnerability-based,
[so that] even though there isn't a known exploit, if there's a known
vulnerability, it'll function as a virtual patch, if you will, which would
protect you against the exploitation of that vulnerability.
The other method we use is called protocol anomaly protection. A lot
of zero-day attacks are leveraged off of protocol anomalies and misuse
of protocols. We'll protect you against that as well.
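To make the three detection modes just described concrete, here is a toy hybrid inspection engine for HTTP request heads. It is an added illustration, not NFR code; the signature names, the 256-byte Host limit and the sample traffic are all constructed, and the "exploit" pattern is a placeholder string rather than any real exploit.

```python
import re
def parse_request(raw):
    """Parse a minimal HTTP/1.x request head into (method, path, version, headers)."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers

# Mode 1: exploit-based. A pattern lifted from one specific known exploit
# (a constructed placeholder here, not a real exploit string).
EXPLOIT_SIGNATURES = {"EXPLOIT-CONSTRUCTED-0001": re.compile(r"/cgi-bin/demo\.cgi\?cmd=EXAMPLE_PAYLOAD")}
# Mode 2: vulnerability-based. Encodes the condition that triggers a flaw (a hypothetical
# server mishandling Host headers over 256 bytes), so it also catches exploits nobody has
# written yet: the interview's "virtual patch".
def vulnerability_checks(headers):
    return ["VULN-CONSTRUCTED-LONG-HOST"] if len(headers.get("host", "")) > 256 else []

# Mode 3: protocol anomaly. The traffic violates how HTTP is supposed to look,
# whether or not any known vulnerability is involved.
def protocol_anomaly_checks(method, version, headers):
    hits = []
    if method not in {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}:
        hits.append("ANOMALY-UNKNOWN-METHOD")
    if not re.fullmatch(r"HTTP/1\.[01]", version):
        hits.append("ANOMALY-BAD-VERSION")
    elif version == "HTTP/1.1" and "host" not in headers:
        hits.append("ANOMALY-MISSING-HOST")
    return hits

def inspect(raw):
    """Run all three modes; a non-empty result is what an inline IPS would block."""
    try:
        method, path, version, headers = parse_request(raw)
    except ValueError:
        return ["ANOMALY-MALFORMED-REQUEST-LINE"]
    hits = [name for name, pat in EXPLOIT_SIGNATURES.items() if pat.search(path)]
    return hits + vulnerability_checks(headers) + protocol_anomaly_checks(method, version, headers)

# Constructed sample traffic: one clean request and one that trips each mode.
SAMPLES = {"clean": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
           "exploit": "GET /cgi-bin/demo.cgi?cmd=EXAMPLE_PAYLOAD HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
           "vuln": "GET / HTTP/1.1\r\nHost: " + "a" * 300 + "\r\n\r\n",
           "anomaly": "GRAB / HTTP/9.9\r\n\r\n"}
```

Note that only the exploit signature needs a known attack to exist; the other two modes fire on the triggering condition or the protocol violation itself, which is why vendors describe them as covering zero-day traffic.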
How is your real-time protection different from solutions that come
from Symantec or companies like Fortinet?
I believe there's a lot of confusion in the marketplace. Essentially,
we protect you through what we call the dynamic shielding architecture.
What we believe we represent is the next generation in intrusion prevention
that we believe is moving from being appliance-centric to architecture-centric.
The dynamic shielding architecture, which is the core of our "secret
sauce," creates an architecture that's aware, adaptive, and actionable.
Let me explain what that means.
A lot of intrusion prevention systems today are focused on detecting
attack traffic. It's focused on ensuring that malicious traffic, mostly
from the outside, is detected and, hopefully, prevented. What it's not
able to do is detect unauthorized changes in your network. For instance,
if you're a Microsoft IIS shop, you use IIS as your Web server. If you're
a large enterprise, and someone decides in a remote site to put in an old,
unpatched version of Apache, most security managers using intrusion prevention
tools today would not be able to detect that.
Our system is, as I said, aware, adaptive, and actionable. We'll
actually detect the presence of this non-compliant, unauthorized server
being deployed on your network. Then we're adaptive. We'll auto-update
signatures to ensure that you're protected for Apache. Remember, if you're
an IIS shop and you aren't covered for Apache, we'll automatically update
our signatures to ensure that you're turned on for the Apache coverage.
And finally, we're actionable through our Sentivist protection center
user interface. You can quarantine that server and ensure that no one
uses it until you get a chance to check it out and ensure that it's safe.
What is your typical sales challenge? Is your product usually pitted
against other real-time protection products, or is it replacing passive
security measures?
The great challenge for us, in terms of the sale, is not so much a displacement.
The market that we're in, if you believe some of the analysts' claim
that this market will grow at better than 70 percent over the next two
years…certainly, it's a fast growing market. It's not all about just
displacing existing [solutions]. The reality is that our big challenge
as a small company is getting to the short list. If we get to the short
list and are evaluated, we tend to do very well. We actually win a very
high percentage [of them] whenever we go through a technical evaluation.
The net of it is, if customers are interested in a technically superior
product - and we'll go through a technical eval - the product speaks for
itself and we'll generally win the business.
Being a small company, our challenge is getting that visibility so that
we get in that technical eval.
You announced a solution to protect systems from a host of vulnerabilities
that were eventually fixed in [Microsoft's] Patch Tuesday bulletin. In
particular was the Windows 2000 exploit. Have any of your customers come
to you relating any experiences of potential exposure to any of the vulnerabilities
in that bulletin?
We provide protection ahead of that. When these vulnerabilities are released,
we'll release a set of vulnerability-based signatures. Kind of think of
them as a "virtual patch" that protects you even when you don't
have your patch current. By loading our signatures in your environment,
even though there isn't a specific exploit…vulnerability means there's
a potential exploit. Even without that potential exploit, you can be sure
you're protected. So, it's proactive protection for your system.
There haven't been any reported exploits of those vulnerabilities so
far in our customer base.
There are reports that the Zotob worm will be surfacing. Should your
customers be doing some serious hand-wringing at this point? (I feel like
I already know the answer to that question.)
They shouldn't be concerned about it. First of all, users of our product
are supported by what we call the Rapid Response Team, a team of security
experts who do nothing but look for early outbreaks of these worms or
even reported vulnerabilities. We ensure that we put our signatures out,
either exploit- or vulnerability-based signatures, to ensure that you're
protected. So, as far as our customers are concerned, they shouldn't have
anything to worry about.
Listen to this interview! Check it out on MCP Radio at http://mcpmag.com/webcasts/mcpradio/radio.asp?id=168.
About the Author
Michael Domingo has held several positions at 1105 Media, and is currently the editor in chief of Visual Studio Magazine.