BoxSentry Ditches Challenge/Response; Fights False Positives

Update Apr 25 6.30am UTC: fix name of product (thanks, Meng)

Singapore-based BoxSentry has historically been known as a challenge/response spam filter vendor. Readers will probably be aware that I'm no fan of C/R.

As time goes by, BoxSentry has gradually de-emphasized C/R, but until recently it was still sending challenges for a small but significant proportion of the spam it received -- and hence was sending unsolicited "replies" to people who had never sent email to the BoxSentry user.

Manish Goel, BoxSentry's CEO, confirmed to me that his company no longer uses C/R. That's great news for Internet users. Well done, Manish; I know that I and others have been thorns in your side for a while about this; I appreciate your good humour in our occasional, heated debates!


Manish also brought other news. While beefing up their technology base -- in part to compensate for the loss of the C/R layer -- the company has developed new techniques to better identify false positives.

BoxSentry has wrapped the new techniques in a product it's calling LogiQ. The idea is that it can run alongside a traditional spam filter and automatically retrieve any false positives it finds.

As an illustration, Manish offered a "typical" example: over the test period, a deployed spam filter from one of the well-known vendors delivered 11,500 legitimate messages, but LogicQ found an additional 680 false positives in the filter's quarantine. That's a roughly average false positive rate, in my experience. Not the exactly state-of-the-art, but pretty representative of deployed spam filters. It might equate to one false positive every week per user.

Manish says that 100% of the false positives identified with these new techniques really are false positives -- although they may not catch all of them.

A bold claim; I'm looking forward to digging into the details of the techniques under NDA...

AVG loves its freeloaders

AVG makes one of the last free AV products. Here at RSA, I talked to this guy, AVG CEO JR Smith, about why his company is sticking with the freemium model...

According to Smith, it's great having the majority of their "customers" who don't pay for the product. It makes lead generation really easy. Not only are they able to up-sell consumer users who download the free version, but many of those consumers also recommend the use of AVG inside of the SMB in which they work.

Add to that the valuable stream of real-time feedback that their users' installations provide about threats on the Web pages that they discover, and one starts to understand why the company is growing at a claimed 80% annually.

Astaro drops its R&D-led roadmap

This is Angelo Comazzetto. A Canadian, of Italian heritage, living in the U.S., working for a German company.

When I met him last year, his business card said something like Evangelist. These days, he's the product manager for Astaro's line of low-cost Unified Threat Protection appliances. Dspite his title change, he's not lost his passionate, high-energy, rapid-fire delivery style ;-)

Some notes from our meeting:

• "600 new features" in the past year
  • based on win/loss analysis and other customer requests
  • no longer R&D-led roadmap!
  • Versions 7.2, 7.3, 7.4 all "major" releases
• Now uses Commtouch for anti-spam, Astaro loves them
• Astaro has dropped Kaspersky: too expensive and inaccurate
• Moved to Postgres from MySQL
• Added full https content inspection
  • Several options for deploying the proxy certificates to user PCs
• Network balancing across several connections
• Supports the proprietary Cisco IPsec client
  • So can have people move from obsolete Cisco PIX and ASA to Astaro
  • Supports iPhone VPN client (nice demo)

Yubi-who? Easy single-signon, one-time-password auth.

This is Stina Ehrensvärd, the CEO of Yubico.

You may have heard of their product, especially if you listen to Steve Gibson and Leo Laporte's Security Now podcasts. It's called Yubikey: a tiny, single-signon, one-time-password USB device.

It emulates a keyboard. Touch the button and it types this moment's password. So it's something you have; when combined with something you know -- a static password -- you have the simplest form of two-factor authentication.

As you might guess from her name, it's a Swedish company, which Stina told me that it was built around the vision of fixing banking and paypal fraud. The idea is that banks would save money lost to fraud, some of which they could donate to charities.

Which is nice.

BitDefender defends its position in the AV market

What a nice man Florin Talpeş is. The CEO of BitDefender is a pleasant, thoughtful personality.

My guess is he's not going to allow BitDefender to make the same mistake as certain other Eastern-European AV companies, who got too big too quickly and rested on their laurels. Cough-Kaspersky-cough.

BitDefender is very proud of its recent successes in comparative testing. It's touting a meta-analysis of several recent tests, which show the company tied with Symantec for top spot, in terms of malware detection accuracy.

Varonis: the jelly-to-the-peanut-butter of net file shares

This isn't my usual area, but I had such an interesting and thought-provoking meeting with Varonis's Johnnie Konstantis that I wanted to blog a few notes...

Varonis produces a management tool to help IT do "unstructured data governance." In other words, it helps people manage the random dumping grounds of opaque files sitting around on shared drives. Compliance and e-discovery are the watchwords here.

Varonis is very proud of its EMC partnership. EMC resells the product to its disk array customers. EMC is also a customer: with 40K users of 420 file servers storing almost a petabyte of data.

More notes:

• It integrates with ActiveDirectory and ensures that file system permissions adhere to policy.
• It offers a richer user interface for permissions than Windows itself.
• You can navigate and drill into Windows server access logs, which is useful for e-discovery.
• It also helps you ensure your super-users aren't snooping on sensitive data.
• It helps you find the business owner of data, which is important for e-discovery.
  
• It can flag potential permission revocations (e.g., where a user hasn't used that permission in a while, because the user has changed jobs)

Commtouch's new OEM Web security business

At the RSA Conference yesterday, I sat down for a friendly chat with Amir Lev, the CTO of Commtouch.

Commtouch is best known for its OEM anti-spam engine, which is licensed by a long list of well-known email security vendors.

In January, the company launched a Web security service, using a similar architecture and business model as its anti-spam technology. In other words, it's a hybrid of a managed service—cloud-based, if you insist—that maintains a database of known Web pages, plus an OEM engine that queries the database and intelligently caches the results.

Why do it in the cloud? Amir argues that it's hard to categorize the whole Internet, as the database gets huge and the changes are too big to push the updates in a timely manner.

The service categorizes the known threats so that OEMs can produce different types of products. For example, an product focussed on anti-phishing, which will major on the web pages categorized as fake bank portals, etc.

Amir argues that being an OEM is a good place to be, as the industry continues to move to a "soup-to-nuts" UTP model. Commtouch's vendor customers will often specialize in one or two areas and license the rest conventionally.

More controversially, Amir also argues that it's risky to build a strategice relationship with a small, niche company that offers an OEM solution, because if they're bought out, they may lose the OEM strategic focus.

Well, he would say that, wouldn't he?

Abaca's radical anti-spam tech wins at Yahoo!

At the RSA Conference, I was almost blinded by the huge grins on the faces of the Abaca reps.

As you may recall, Abaca has a really interesting spin on the spam filtering problem. Finely-tuned mathematics and a big database of receiver statistics give back up some truly impressive claims. As I said last year, I'm reasonably convinced that it's not just a silly FUSSP.

For over a year, Abaca has been working on a deal with Yahoo! to add the technology—which they now call CLX—to the spam filtering mix. A few months ago, I heard unofficially that Yahoo! agreed to roll it out.

Now, Abaca is announcing that the rollout has been hugely successful, and Yahoo! is extremely satisfied with the result. Nice going.

As an update, here's the (claimed) highlights of the Abaca technology:

• Guaranteed accuracy of at least 99% catch rate (with money-back contract terms)
  
• Claimed false positive rate is infinitesimal (I calculate their claims equate to one in a million messages)
  
• After bootstrapping with recipient email statistics, no user training is required, but can be individualized by users clicking the Spam/Not-spam buttons
• By its nature, it's extremely scalable—a single small server can handle 90 million messages per hour

Of course, I can't verify these claims, but it would appear that Yahoo! effectively has.

Equally, I don't know how close to reality the false positive figures are -- at best they're based on user reports alone, which usually tend to significantly under-state the reality. But, again, if the Yahoo! user reports are anything close to 1:1,000,000, then Abaca has something really worth shouting about.

Websense (finally) gets appliance religion

I sat down with the folks from Websense, here at the RSA Conference. Their big news is that they've finally come out with a pre-built appliance.

It's easy to be cynical. It wouldn't be hard to see this as Websense being "late to the party." Naturally, the company doesn't view it that way.

Websense didn't want to simply take its existing software platform and stuff it into a 19" rack. It already has 3rd parties who do that, which it says it's happy with.

Websense saw the need for a complete platform refresh. We're seeing the first fruits of this work in the new V10000 appliance.

• It's based around a virtualized environment, based on Linux and the Xen hypervisor.
• First version is simply a Web gateway / security proxy, but future add-ons will include DLP
• Customers will be able to run multiple instances on one box.
• A new centralized management platform can control a mixture of appliances and similar functionality provided by the Websense managed service (based on technology from the BlackSpider acquisition).

BorderWare claim: Amazing Reputation Filtering (RSA)

BorderWare is making a very interesting claim. It seems to be blocking an enormous proportion of its customers' inbound spam simply using IP reputation.

While most anti-spam vendors these days talk about blocking roughly 75% of the spam using IP reputation (basically a fancy word for DNSBLs), BorderWare's quoted statistic is 98.3%. Wow, that's a lot -- especially considering that the law of diminishing returns almost certainly applies.

This is a good thing because the more spam one can identify and block by reputation, the less spam content one has to examine using techniques such as Bayesian analysis, which are computationally "expensive".

But how does the company achieve such a high figure? By slashing the time taken for new entries to be added to its centralized reputation database (BSN, or "BorderWare Security Network" -- soon to be rebranded as "Reputation Authority").

These days, new zombie spam sources don't hang around to be detected, they get sending as soon and as fast as they can -- the botmasters have realized that a fresh, undetected spam source is far more effective than an old, known source. Minutes count; in fact in the spameconomy, time is money.

Proofpoint has a Reminder: It's Still Here (RSA)

Proofpoint has a new VP of marketing, and not a moment too soon. Andrew Lochart is the first to admit that his new employer has been very quiet recently, and he aims to change that.

Aside from the recent $20 million funding round and the additional 40 employees hired already this year, he reminds us that Proofpoint recently launched a hosted email security service, Proofpoint On Demand. This means that Proofpoint now offers its technology as a service, as software, as an appliance, and as a virtual appliance (a virtual-machine image of the appliance).

Sticking with what seems to be a "hybridized" theme, customers can mix and match the different form factors, while still managing them all from a single console. Handy, that.

2factor: Interesting Encryption Technology (RSA)

2factor is primarily an encryption technology licensing business -- the company sells its technology to OEMs. The core technology is called Real Privacy Management (RPM).

It works by calculating symmetric private keys (i.e., it doesn't use a public/private key pair). Each party in a transaction has a private key, which it presents to a trusted intermediary. The pair of keys defines a series of encryption keys, to be used in sequence.

2factor says the benefits are:

1. Very fast encryption (the calculations can be done using register arithmetic); perhaps 100x as fast as Diffie-Hellman, for example.
   
2. Provably secure, unlike elliptic curves for example.
3. The trusted-intermediary architecture can be generalized, permitting a federated model.
   

Voltage also has a Hybrid Service (RSA)

Hybrid services seem to be quite the theme on this weblog, for some reason. I just talked to Voltage Security, which announced something called "Connected VSN" today.

Now, I know what VSN is -- the Voltage Security Network. It's a hosted service that implements the key management for Voltage-style identity-based encryption (IBE). The idea being that instead of on-premise key management, you centralize the key generation in the cloud. This is similar to the architecture used by Identum (now part of Trend Micro). But what's the "Connected" bit all about?

There's a class of customer who wants to do outbound encryption at the gateway -- possibly driven by local policy -- but doesn't want to provide the decryption service to non-local users. This type of hybrid architecture is what Connected VSN is for.

The sender has an on-premise Voltage appliance that manages keys and performs outbound encryption. Recipients then use the VSN service hosted by Voltage to decrypt the message.

IronKey: an Encrypted USB Flash Drive on Steroids (RSA)

Update (April 16): IronKey yesterday “announced full FIPS 140-2 Level 2 security validation ­ at the product level, rather than the more typical component-level validation.” Shame it’s “only” level 2, but I guess that’s a start and is probably more than adequate for the vast majority of applications.

IronKey isn't just another encrypted USB flash drive-key-stick-thingy. For a start, the company makes a big thing of their claim that IronKey is the only such device designed from the start to be secure (as opposed to a flash drive that's had security "bolted-on", presumably). Well, that's an interesting claim, but of arguable merit. However, there are other aspects that are worth talking about:

1. This key will self-destruct -- if you try to disassemble it, or if you enter the wrong password too many times, the IronKey doesn't just wipe itself, it destroys the flash memory, the company says.
2. It's not just a device, but also a service -- if you register the device on IronKey's Web site, the company offers password recovery/escrow and access to IronKey's own TOR anonimizing network (i.e., a private network, not the usual public one).
3. It also acts as a 2FA device -- a firmware update will add the necessary logic to make it act as a Verisign VIP device, for two-factor authentication. An "enterprise" version of the device will also have similar support for RSA SecurID.
   

Shipping now for Windows XP and Vista. Mac and Linux support are "nearly ready".

Love him or hate him, the episode of Steve Gibson's podcast about IronKey has more about the device, including an interview with IronKey CEO, Dave Jevans (yes, that Dave Jevans).

Trend Micro's Hybrid Hosted Service (RSA)

Trend Micro takes an unusual approach with its hosted ("managed"; "in-the-cloud") email security service. Rather than trying to do everything, it sticks to what a service is good at.

Trend is applying the Pareto principle (a.k.a. "80/20 rule"). The company promotes a "hybrid" approach, with the hosted service implementing only a first level of spam filtering based on reputation -- filtering roughly 80% of the inbound spam. The remaining email is passed on to spam filtering appliances on the customers' premises, to deal with the other 20%.

The on-premise appliance can therefore more easily be customized to conform to local policy. When it comes to filtering spam using content, it's best to have an understanding of the types of legitimate content that the organization sends and receives -- the obvious example is medical organizations, who may well expect to receive email about a certain blue pill who's name begins with 'V'.

Of course, organization-specific customization ''can'' be done in the cloud -- there's nothing intrinsic about it that forces it to be on-premise, but this split in responsibilities seems like it has merit.

Off to RSA

I'll be at the RSA conference next week, Monday-Wednesday. I'll also be doing other meetings in the SF bay area on the 3rd and 4th.

If you want to meetup or just get in touch, best bet is by email or text (+447789200701).