For example, Ryan Bagnulo, vice president and head of software architecture and innovation at Wachovia, says he'd like to see more industry action on automating security-policy administration based on the Organization for the Advancement of Structured Information Standards' eXtensible Access Control Markup Language.
Sometimes entire groups of users stand up and declare they need something new. The Jericho Forum wants to see a new generation of products and services designed for the world of e-commerce, where traditional firewall-edge boundaries are vanishing.
User demand will have the final say about whether security startups pan out as the successes their founders envision -- or end up as brief footnotes in the epic of networking. Here are our selections for 10 security newcomers worth watching:
Whatever happened to last year's 10 security companies to watch?
2Factor
Founded: 2006
Headquarters: Maumee, Ohio
Funding: $1.6 million in first-round financing
CEO: David Burns
What the company offers: Real Privacy Management (RPM) software that offers continuous, two-factor user authentication and data encryption based on a patented, real-time algorithm that limits the opportunity for intrasession hack attacks and threats.
Why it's worth watching: Authenticating users has become a security best practice, but once is not enough. Methods such as public-key infrastructure (PKI) authenticate the user at first logon but leave the session open to hacker attacks thereafter. By performing continuous mutual authentication and encryption during every transmission between client and server, 2Factor reduces the potential for data theft and fraud by closing the window of opportunity for hackers.
How the company got its start: After working in cryptography for many years, founder and chief scientist Paul McGough saw the need for a simpler, more nimble and more effective alternative to PKI and other security technologies. The company claims RPM is based on provable mathematics, is as much as 100 times faster than PKI, and can be deployed quickly and easily in any type of software, chip or device.
Where the company got its name: A reference to two-factor security, where the first factor is "what you know" (typically a user name and password) and the second factor is "what you have" (typically some type of card or token).
Customers: The company says it's in discussions with several major financial institutions, plus mobile phone operators, digital media companies, government agencies and large healthcare institutions -- but won't name names.
NetWitness
Founded: 2006
Headquarters: Herndon, Va.
Funding: $7.5 million from undisclosed angel investors
CEO: Amit Yoran
What the company offers: NextGen, a security product that monitors and analyzes inbound and outbound traffic and stores and analyzes it based on users, applications and content. Why it's worth watching: Business and government agencies are under pressure to boost network security and comply with numerous regulatory requirements to show they're meeting security policies. Thus, there's growing demand for tools to do this. How the company got its start: Amit Yoran, former National Cyber Security Director at the U.S. Department of Homeland Security and also founder of security-services firm Riptech, was familiar with the version of NetWitness developed by CTX for national-intelligence agencies. Yoran last year led the buyout of ManTech's product assets, acquired when that company bought CTX. Where the company got its name: It "witnesses" network traffic. Customers: Washington, D.C.-area law-enforcement and intelligence agencies for which NextGen was developed originally. The latest commercial version, developed for broader use, was released in September. Palo AltoNetworks What the company offers: The PA-4000 Series network devices, introduced in June, which use a so-called App-ID application-classification technology to inspect about 450 applications traversing the PA-4000 hardware and apply security rules to these applications. Why it's worth watching: Enterprises are frustrated with their traditional perimeter firewalls, because firewall ports increasingly are opened up to allow business traffic, particularly over Port 80. The PA-4000 line is offered as a transitional technology that works behind traditional, port-based firewalls to monitor applications and apply security rules to them. How the company got its start: CTO Nir Zuk worked on some of the earliest firewalls at Check Point Software and later founded OneSecure, which was acquired by NetScreen Technologies, later acquired by Juniper Networks. Over time, Zuk observed that the relationship between ports and applications was diminishing, and he devised a method to look at the content itself through a new type of firewall he had invented. Where the company got its name: Zuk, who selected it, reportedly lives in Palo Alto, Calif. Customers: Constellation Energy and Mercy Hospital in Baltimore, and the city of Seattle. Provilla What the company offers: The LeakProof data-leak prevention product, released in January 2007. Why it's worth watching: LeakProof isn't the first product to prevent the unauthorized transmission of sensitive content. However, Provilla's founders, who hail from Chinese universities but are developing the product in the United States, think they've come up with a better mousetrap: their DataDNA fingerprinting technology that scans file servers to create a signature for each document. Cosmopolitan in its outlook, Provilla's software supports the Japanese, Chinese and French languages in addition to English, as the founders look to building an international customer base. How the company got its start: Co-founder Fei Huang was principal engineer at Sygate (later acquired by Symantec), which designed one of the earliest host-based network-access-control products. Huang teamed with Liwei Ren, a mathematician specializing in algorithms and pattern-matching, to come up with a desktop agent to detect unauthorized use of sensitive data. Where the company got its name: "Pro" stands for protecting, and "villa" is Latin for village, so the name indicates that the company's technology protects a community of people. Customers: Orchard Supply Hardware, Richard Fleishman & Associates, Sony-Ericsson Chinese joint venture. Distribution agreement with BigFix and Reconnex. Robot Genius What the company offers: Syberus behavior-based malware-detection client software, an antimalware browser plug-in and the RGcrawler Web-crawling technology that looks for malware executables on the Internet. Why it's worth watching: Although signature-based antivirus technology has a venerable history defending against known threats, the security industry is looking at other methods, such as behavior-based defenses that identify and block threats based on behavior. Robot Genius has come up with its own approach to malware detection to determine unsafe executables, and it could get picked up by the larger industry under a licensing plan. How the company got its start: Hsu and CTO James Hormuzdiar teamed on start-up SafeWeb, sold it to Symantec for $26 million in 2003, and decided to continue working together to found another company to develop a new way to protect against malware. Where the company got its name: Implies the technology's ability to replicate automatically the downloading and testing of executables off the Internet. Customers: Not disclosed. SailPoint What the company offers: Compliance IQ, identity risk-management software to help enterprises reduce business risk and become compliant by better understanding identity data. The software provides business context to the information generated by IT systems that report on which users have access to what data, offering sophisticated reporting and analytics for decision support. Why it's worth watching: The company's product attempts to make sense of the reams of identity data generated by IT systems and applications; it's one thing to know what users are doing, it's another to combine that information with data about what they are allowed to do. Companies that combine the two stand a better chance of identifying fraud, theft and misuse. IDC estimated in 2006 the market for identity and access-management compliance will grow by 25 percent per year until it reaches $2 billion in 2010. How the company got its start: McClain and SailPoint co-founder Kevin Cunningham stayed on at WaveSet when Sun acquired it in late 2003, but not for long. In 2005 with $5 million in funding behind them, the pair left Sun and began developing the technology behind Compliance IQ, which launched at Network World's DEMO 07 conference last January. Where the company got its name: "Sailpoint" or "point of sail" is a term used to describe a sailboat's course in relation to the wind. To reach a destination, sailpoints must be adjusted continuously to harness the wind as efficiently as possible and to maintain safe control of the boat -- the company believes the same is true of enterprise IT governance. Customers: Financial services and manufacturing firms, which the company declined to identify. Sentrigo What the company offers: Database security monitoring tool, Hedgehog, released in June for the Oracle database. Why it's worth watching: The Hedgehog software can be used in monitoring or blocking mode to warn security administrators about attempted SQL injection or buffer-overflow attacks. Because Hedgehog also looks at larger database actions, it also watches what insiders are doing, based on set policies. How the company got its start: CTO Slavik Markovich, an expert in database architecture, sensed an opportunity on the security front and headed up basic product design and development. Sentrigo just added Guy Rinat as vice president of R&D, an activity formerly managed by Markovich, who will devote more time to new-product development and customer interaction. Where the company got its name: They focused on the word "sentry" and came up with Sentrigo. Customers: N.E.W. Customer Service Companies Venafi What the company offers: Systems management for encryption at the client and server levels. Client Encryption Manager and Server Encryption Manager automate many of the manual tasks associated with administering encryption technology -- including keys and certificates --such as making sure that installed software with optional encryption settings has them turned on. The company plans to add encryption-management products for storage, backup systems, network devices and infrastructure in the near future. Why it's worth watching: Venafi focuses on making encryption more accessible for enterprises by lessening its associated administrative headaches. The company says this promotes compliance, data security and risk mitigation. How the company got its start: Spun out of IMCentric, a custom-engineering company that was automating encryption for a Fortune 500 company. The custom product that was developed turned into Venafi's offering. Where the company got its name: Comes from the Latin root "vena," meaning vein or root, and "fides," Latin for trust or faith. Venafi says it manages the root of trust. Customers: The company claims 10 of the world's top financial-services companies are customers, as well as three telecommunications giants. Veracode What the company offers: SecurityReview is an automated service that does security testing and remediation of in-house and commercial applications. Enterprises submit the applications they would like reviewed to Veracode, which uses patented binary and Web-scanning technology to find flaws and suggest fixes. Why it's worth watching: According to Gartner, 70 percent of all enterprise vulnerabilities reside in the software that organizations buy and run. Veracode's team of application-security experts are trained to spot such weaknesses, and can do so because the company's service examines binary code instead of source code to avoid trade-secret concerns. By reviewing an application's binary code the service can analyze not just the program but also third-party libraries it may call, as well as its interactions with other software. How the company got its start: Its founders' ambition was to reduce the number of software vulnerabilities in the world. They call their approach the "democratization of security" because usually only companies with very deep pockets have the time and money to spend on checking and remediating software security flaws. The technology behind Veracode's service was first developed by @stake (since acquired by Symantec) in 2002. Where the company got its name: "Ver," from the Latin "truth," was added to "code" to describe how the company looks for the "truth" in software. Customers: Cisco, Digivera, Telus. WebLOQ What the company offers: Virtual Private Community (VPC), a private communications service that forms virtual business communities whose members can send and receive encrypted e-mail, documents and other exchanges safely. The service sets up a private domain name for each user and gives them a related e-mail address reserved for private communications with other WebLOQ users. VPC is available as a hosted service, with a version that companies can run internally slated for release early next year. Why it's worth watching: Instead of trying to protect communications at the edges of corporate networks, WebLOQ secures the transit channel itself. By having encrypted communications only with other members of a community, users are freed from spam, viruses, phishing, and other e-mail Internet threats. However, such secure communications requires that both parties use the service. The company hopes to bring the concept of online community to the business world while ridding e-mail of the many threats plaguing it today. How the company got its start: Chairman, CTO, and former ISP head George Sidman became intrigued with the idea of securing Internet communications. He formed a team at his ISP to begin working on the problem in 2003 and launched the service in 2007. Where the company got its name: Sidman was amazed that no one had trademarked "LOQ" (pronounced "lock") as a brand. The company now has trademarked the terms WebLOQ and LOQ, intending to launch a brand around the latter. Customers: Database vendor Objectivity. Company says some major banks, law firms and police agencies are testing the service.
Founded: 2005
Headquarters: Alviso, Calif.
Funding: $28 million from Globespan Capital Partners, Greylock Partners and Sequoia Capital
CEO: Dave Stevens
Founded: February 2005
Headquarters: Mountain View, Calif.
Funding: $10 million in private funding; investors include Hitachi Systems
CEO: Antonio Espinosa
Founded: 2005
Headquarters: Oakland, Calif.
Funding: $2 million from Kingdon Capital and Venio Capital Partners
CEO: Stephen Hsu
Founded: 2005
Headquarters: Austin
Funding: $14 million from venture capital firms including Austin Ventures, Lightspeed Venture Partners, Origin Partners and Silverton Partners
CEO: Mark McClain
Founded: 2006
Headquarters: Kfar Saba, Israel; U.S. office in Woburn, Mass.
Funding: $3.5 million from Benchmark Capital
CEO: Nathan Shuchami
Founded: 2004
Headquarters: Salt Lake City
Funding: $20 million in venture capital from Foundation Capital, Origin Partners, and UV Partners.
CEO: Trell Rohovit
Founded: 2007
Headquarters: Burlington, Mass.
Funding: $19.5 million from venture capital firms 406 Ventures, Atlas Venture and Polaris Venture Partners
CEO: Former Symantec executive Matt Moynahan
Founded: January 2004 (in stealth mode until the service launched in September)
Headquarters: Monterey, Calif.
Funding: More than $3 million from high-net-worth individuals, no venture capital
CEO: Neal Smith
