Data Security Company Locks Up Ex-NSA Official

Hard-Wired: Chief Executive Sachin Nayyar at the West L.A. office of Securonix.

Contract worker Edward Snowden’s notoriety came after he stole masses of data from the National Security Agency. Now, the former No. 2 guy at the NSA has teamed up with security software firm Securonix in West Los Angeles to help businesses avoid the type of security breach that burned his old employer.

Securonix’s products monitor a company’s network and identify suspicious activity. They don’t look for viruses or malware but rather track abnormal behavior by people with inside access.

That’s why the founder and chief executive of Securonix, Sachin Nayyar, cold-called John Chris Inglis earlier this year and asked him to join the firm’s advisory board. Nayyar thought Inglis, who served as deputy director of the NSA from 2006 until January of this year, a period that included the Snowden firestorm, was the perfect spokesman for his company as the NSA was hacked by someone who had legitimate access through the “perimeter” – passwords or signatures that secure entry to a network.

“He’s an example that the focus cannot be on the perimeter but on the data,” Nayyar said.

Nayyar sold his previous Internet security company, Vaau, to Sun Microsystems in 2007 and took an executive position with the Santa Clara software giant, which is now a part of Oracle Corp. in Redwood City. He left the firm to start Securonix in 2008 because he saw a market opportunity for an analytics-based security company. He brought Tanuj Gulati on board as chief technology officer to spearhead the design of the company’s algorithms.

Securonix, headquartered on Century Boulevard near Los Angeles International Airport, has about 100 employees, located in several offices throughout the country and one in India. Nayyar said it has been profitable from the beginning and does more than $10 million a year in revenue.

The company offers several tiers of service, ranging in cost from $30,000 a year to north of $1 million. Its pricing is on the high end of the industry scale. It has about 30 customers, most in the United States; some are in the banking and finance sectors. Nayyar did not want to name any customers.

The type of data analysis performed by Securonix is comparable with what credit card companies have used to combat fraud for years. They look at charges that fall outside of normal spending patterns to make judgment calls about whether a card is being used legitimately.

However, many network administrators still rely on access protection such as passwords and signatures as their main forms of security. This doesn’t account for people like Snowden who have legitimate access to the network but are themselves compromised, or last year’s security breach at Target Corp. in Minneapolis, when perpetrators got access to the retailer’s network through credentials stolen from a third-party vendor. Although the Target hack was technically done by people outside the company, they used insider access to do their damage.

“You have to presume that the network is not secure and you have to defend it in real time in every place,” Inglis said. “It’s not to say boundary defenses are no longer useful. But if you presume that you’re going to be perfect there, you’re going to be disappointed.”

Big industry

Securonix operates in an industry that does international business of $60 billion each year, according to data from PricewaterhouseCoopers. Players in this space range from individual consultants to giants such as Symantec Inc. in Mountain View and McAfee Inc., a division of Intel Corp. in Santa Clara.

Cybersecurity expert Stan Stahl, president of Citadel Information Group Inc. in Mount Olympus, said, “The perimeter’s dead. You’ve got to defend the perimeter, but you also have to do other things. Included in these other things has to be behavioral analytics.”

Businesses already spend millions of dollars on software that gathers the type of data that would reveal suspicious activity, but they often don’t do anything with it until it’s too late. The Target breach was a good example.

The retailer had purchased a $1.6 million network security system from FireEye Inc. in Milpitas that worked as planned, detecting malware the hackers installed on the company’s network and alerting its headquarters. But nobody acted on the warning until it was too late. According to Nayyar, this was because there was nothing or nobody there to make sense of the data and connect the dots.

“You see the Target chief executive leaving after putting all the pieces in place and he still could not stop the attack,” Nayyar said. “FireEye pointed it out and nobody looked at it because there were no analytics.”

While Securonix might have had a head start, other firms such as FireEye and CrowdStrike in Irvine are starting to add behavioral analytics to their network security products.

“The traditional anti-malware folks are all trying to look at behavioral analytics,” Stahl said. “It’s going to be a crowded space because everybody recognizes that anti-virus is dead.”
