Cisco aims IronPort at the spam menace
Why spammers are like dogs.
By Cara Garretson, Network World | Network World US | Published: 01:00, 05 June 2007
In January, Cisco announced plans to acquire IronPort Systems, maker of communications security appliances, citing synergies between Cisco's threat mitigation, communications, policy control, and management products, and IronPort's messaging and web protection products.
This acquisition won't be like most of the ones Cisco makes, says Scott Weiss, the founder and CEO of IronPort, because IronPort won't be integrated into the networking giant, but operated instead as a separate unit.
Weiss says Cisco is treading carefully into the messaging security space because it's a new area for the company, but IronPort has been in business since 2000, selling web and email security appliances to organisations. Network World senior editor Cara Garretson recently spoke with Weiss about the US$830 million Cisco acquisition, where email security is going and yes, why spammers are so much like dogs.
How do you see Cisco and IronPort's products fitting together?
Strangely enough, the plans are not to integrate the two companies: We're one of three out of Cisco's approximately 130 acquisitions that will not be integrated into the mother ship. And I think that bodes well for our customers, at least in the short term. Cisco is walking slowly in this market, mainly because it's a bit different from some of the other security markets... it's not just a piece of network gear, we're selling services on top of the boxes we sell. Cisco's plans, which have been publicly disclosed, are that IronPort is not going to be just another product line of Cisco. Cisco intends to 'build a centre of gravity' around IronPort, so we'll keep operating as an independent business unit, and the plan is potentially to bring in more acquisitions and products under the IronPort moniker.
So what does the acquisition mean for enterprise customers?
Cisco is very strong in the firewall/VPN area, and the firewall as a device does a really good job of locking all the doors. That said, there are two doors left wide open for communications, Port 80 and Port 25. I look at IronPort as saying 'The doors are open, but now we've put a layer of airport security there -- we've got a scanner, and we're only letting in and out what's needed.' So on the Web port and email port, that fills a more granular level of security for those communication holes.
A few acquisitions of messaging security companies have been made in the past year in addition to this one. Does that say something about where the function of email security is headed? Is it meant to be integrated with other products and not a stand-alone product?
I do think email and web security may merge, or become different facets of a similar category. When you're protecting against threats in your organisation, whether they be viruses or spyware, they can come through either protocol. So, as the people putting these threats together become more sophisticated and start blending those threats, I think the defences also need to be blended. Vendors just doing email will need to get into the web business. When you secure what's coming into the building and what's leaving the building, the competencies you need are for both [web and email], so I think there are a lot of synergies there to be leveraged. But you can take from the fact that Cisco wanted to keep us separate that we're not going to be part of a switch or router or firewall per se, it's just a different class of solution.
We've been hearing a lot lately about the importance of data-leak prevention; do you view the internal threat to be more dangerous to an enterprise than the external threat?
It differs by industry, just how threatening it is. If an employee really wants to take data, they can print it out, they can do it in different ways, and there's just no way that you could stop them. To think you're going to come up with a foolproof solution to a determined employee who wants to get data out of your company, I think that's almost impossible. But taking some prudent steps and looking at what's leaving via email or the Web is important, and increasingly being demanded by customers, especially in various segments such as financial. I don't think it's an industry-toppling problem, I think it's more 'I'd like to check that box and say we're monitoring it.' Not to say there aren't instances of intellectual property leaving the building.
After years of spam volumes declining, 2006 saw a significant increase in the amount of junk headed for in-boxes. What's going on?
The rise in volume is because more people are getting into the business, and the people that are in the business realise spam's a money-maker. People have a profit motive to get into that business; it's not just for fun, now you can really make some money. It's a team-on-team sport, we [anti-spam vendors] try to field the best team and come up with defences but the reality is these guys have test accounts on every major ISP; they're like a dog with a zap collar, they keep trying the fence until they find a weakness and pound it unmercifully. The weakness last year was image spam, which was really a difficult problem to solve. These guys figured out they could send an image and by randomising a pixel they could make it through traditional spam filters.
But it's like airport security -- we weren't having people take their shoes off until Richard Reid tried to blow one of his shoes up. We didn't have to check our water, then someone figures out you can combine two liquids and make a bomb out of that, too. Spammers are innovative, and we've got to stay on top of them. When we see something new or different, we've got to plug that hole immediately. Things like when spammers figured out this past year that many spam filters rely on humans to write rules, and humans have to sleep and don't typically work on Sunday nights, so they send all their spam between 2 and 4am, in a very short window, and it just zipped past all these folks. We see their innovation and we have to innovate as well.
What is the next set of features that communications-security vendors must add to their products to remain competitive and keep up with enterprises' needs?
We just bought PostX; encryption by and large hasn't been rolled out in email, it seems absurd since for every important web transaction we immediately go to a secure pipe, but everything in email flies over the Internet in free text. I think email authentication is something people are starting to take seriously. Image analysis is becoming increasingly interesting, watching what's coming in and going out via images, since most images now are sent via email.
You've been tracking spam for a long time. What's your favourite spammer trick?
Every one is a little amusing. For example, putting fake text in from books that might be Homer's Odyssey. Anti-spam engines put a score on how spammy each email is, if it has capital letters, if it has a link, there are many different vectors when trying to determine spam. One of my favourites is when the spammers put things in to improve their scores - to hoodwink the filters. It's like dressing up in a disguise to get through airport security: 'If I'm dressed as a police officer, maybe they won't shake me down so much.'