Sworn to Protect
As the real-time intrusion prevention market grows, so do the number of players ready with solutions. One player hoping to make strides is NFR Security, with their flagship product, Sentivist.
According to some surveys, the rise in computer threats will spur
the market for intrusion prevention and detection products. One research
firm, Instat/MDR believes those markets combined can bring in $1.4 billion
in 2008. One such company on the IPS side is NFR Security, whose CEO,
Andre Yee, took time out last October to talk with
Michael Domingo as the company was releasing its flagship IPS appliance,
MCPmag.com: Give us an overview of NFR Security: when was it
founded, what's the company's mission?
Andre Yee: NFR Security was founded in late 1996. We have several
hundred customers worldwide, most of them in the U.S. We're a leader in
real-time threat protection solutions for enterprise networks. That means
we protect you against automated malware, against the theft of information,
against existing vulnerabilities inside of your applications, as well
as unauthorized changes in your network. We're used by many of the largest
Is your target enterprise or small- to medium-sized businesses?
We actually service a wide range. I'd say our sweet spot tends to be
small- to medium-sized businesses. One of the is our ability to scale,
the ability to sift through information and highlight the essential, critical
infomraton to protect your network. I should say that our flagship product
is an intrusion prevention product that sits in your network and it functions
as a really smart firewall. It can do far more than a firewall. It can
detect malicious code that's carried in the traffic and block that malicious
attack in line. This flagship product has been out for a little more than
a year and we've won several awards during that time, including Datamation
Enterprise Security Product of the Year,
You're talking about your flagship product, Sentivist? Can you give
us some insight into the development of the product and what some of your
customers are saying about it?
This product has a core detection engine, it's an intrusion prevention
product. We sell it both as software as well as an appliance. Intrusion
prevention is built on good detection. If you can't detect well, you're
certainly in no position to prevent malicious traffic. One of the things
we do really well is detect attacks [using] what we call a hybrid detection
engine that uses multiple modes of detection. Our signatures are exploit-based.
In other words, they'll detect specific exploits. And they're vulnerability-based,
[so that] even though there isn't a known exploit, if there's a known
vulnerability, it'll function as a virtual patch, if you will, which would
protect you against the exploitation of that vulnerability.
The other method we use is called protocol anomaly protection. A lot
of zero-day attacks are leveraged off of protocol anomalies and misuse
of protocols. We'll protect you against that as well.
How is your real-time protection different from solutions that come
from Symantec or companies like Fortinet?
I believe there's a lot of confusion in the marketplace. Essentially,
we protect you through what we call the dynamic shielding architecture.
What we believe we represent is the next generation in intrusion prevention
that we believe is moving from being appliance-centric to architecture-centric.
The dynamic shielding architecture, which is the core of our "secret
sauce," creates an architecture that's aware, adaptive, and actionable.
Let me explain what that means.
A lot of intrusion prevention systems today are focused on detecting
attack traffic. It's focused on ensuring that malicious traffic, mostly
from the outside, is detected and, hopefully, prevented. What it's not
able to do is detect unauthorized changes in your network. For instance,
if you're a Microsoft IIS shop, you use IIS as your Web server. If you're
a large enterprise, and some decides in a remote site to put in an old,
unpatched version of Apache, most security managers using intrusion prevention
tools today would not be able to detect that.
What our system is, as I said, aware, adaptive, and actionable. We'll
actually detect the presence of this non-compliant, unauthorized server
being deployed on your network. Then we're adaptive. We'll auto-update
signatures to ensure that you're protected for Apache. Remember, if you're
an IIS shop and you aren't covered for Apache, we'll automatically update
our signatures to ensure that you're turned on for the Apache coverage.
And finally, we're actionable through our Sentivist protection center
user interface. You can quarantine that server and ensure that no one
uses it until you get a chance to check it out and ensure that it's safe.
What is your typical sales challenge? Is your product usually pitted
against other real-time protection products, or is it replacing passive
The great challenge for us, in terms of the sale, is not so much a displacement.
The market that we're in, if you believe some of the analysts's claim
that this market will grow at better than 70 percent over the next two
years…certainly, it's a fast growing market. It's not all about just
displacing existing [solutions]. The reality is that our big challenge
as a small company is getting to the short list. If we get to the short
list and are evaluated, we tend to do very well. We actually win a very
high percentage [of them] whenever we go through a technical evaluation.
The net of it is, if customers are interested in a technically superior
product - and we'll go through a technical eval - the product speaks for
itself and we'll generally win the business.
Being a small company, our challenge is getting that visibility so that
we get in that technical eval.
You announced a solution to protect systems from a host of vulnerabilities
that were eventually fixed in [Microsoft's] Patch Tuesday bulletin. In
particular was the Windows 2000 exploit. Have any of your customers come
to you relating any experiences of potential exposure to any of the vulnerabilities
in that bulletin?
We provide protection ahead of that. When these vulnerabilities are released,
we'll release a set of vulnerability-based signatures. Kind of think of
them as a "virtual patch" that protects you even when you don't
have your patch current. By loading our signatures in your environment,
even though there isn't a specific exploit…vulnerability means there's
a potential exploit. Even without that potential exploit, you can be sure
you're protected. So, it's proactive protection for your system.
There haven't been any reported exploits of those vulnerabilities so
far in our customer base.
There are reports that the Zotob worm will be surfacing. Should your
customers be doing some serious hand-wringing at this point? (I feel like
I already know the answer to that question.)
They shouldn't be concerned about it. First of all, users of our product
are supported by what we call the Rapid Response Team, a team of security
experts who do nothing but look for early outbreaks of these worms or
even reported vulnerabilities. We ensure that we put our signatures out,
either exploit- or vulnerability-based signatures, to ensure that you're
protected. So, as far as our customers are concerned, they shouldn't have
anything to worry about.
Listen to this interview! Check it out on MCP Radio at http://mcpmag.com/webcasts/mcpradio/radio.asp?id=168.
Michael Domingo has held several positions at 1105 Media, and is currently the editor in chief of Visual Studio Magazine.