Is Your Site's Traffic "Good" or "Dangerous"?

A talk with security whiz Taher Elgamal, whose new network-security company aims to go far beyond standard firewall safety

By Alex Salkever

When you type a credit-card number into an e-commerce site and see the little padlock icon at the bottom of the browser, you know the connection is encrypted and your data is relatively safe. For that, you can thank Taher Elgamal. While he was chief scientist at Netscape Communications, Elgamal invented this industry-standard encryption protocol, known as Secure Sockets Layer (SSL). One of the leading figures in online security, Elgamal also devised the ElGamal signature scheme, on which the Digital Signature Algorithm is based, and the ElGamal public-key encryption scheme, both now in common use worldwide.

Now, Elgamal is off on a new pursuit. His Internet security company, Securify, is rolling out software that monitors computer networks for intruders and misuse. Called SecurVantage, the software watches the authentication "handshakes" exchanged between machines as they connect and checks each connection against a detailed registry of acceptable connections. If a connection looks dangerous, the system alerts Securify personnel, who watch over customers' networks. It is much like what America Online does for security on its own network.

Elgamal is also a strong proponent of "managed security," where companies outsource their security to specialized companies. Recently, I spoke with him about the state of network security. Here are edited excerpts from our conversation:

Q: Why managed security?


There are several answers to this. The strongest is connectivity. Once two networks are connected to each other, in spite of the fact that one network has spent tens of millions of dollars on internal security processes, you have no control or visibility into what policies and procedures on the other side look like. So you would prefer to have someone that has a broader capability to monitor than you might have in your company.

Furthermore, I have had the advantage of running a security consulting company for three years. And it's very difficult to actually scale a security consulting company. The talent in security is very, very minimal. The number of people worldwide who actually understand and can deliver credible security consulting services is actually a lot smaller than what it should be.

Q: So what's the opportunity there?


The opportunity is, we've actually automated a lot of the policies and a lot of the procedures we used as a consulting company. That means fewer people can watch over more companies. We manage the security of the network remotely using technology we built. We've been developing the technology all along. But we are now shifting our model to become a managed-security service.

Q: So the mountain comes to Mohammed instead of Mohammed going to the Mountain?


Right, but we have a better system. Securify wants to make businesses understand first what their requirements are. We look at the correct behavior first. We want to make sure that every business understands what the network is supposed to do. Then when you monitor against that, you can actually determine what the violations are.

Q: How does this differ from existing network management?


We define a security event as any connection between two machines. So when we sniff [study] the traffic on the network, we actually determine if there is a proper kind of Web transaction between two machines and whether these fit parameters of a proper connection. We can scan by URL name, password link, whatever is associated with that particular transaction. That way you know that your customers are going to the right places, and they are supplying the right credentials.

Q: How is this different from the way a firewall functions today, where there's a set of rules that determines if this access is O.K. but that access isn't?


Firewalls are built on ports, not on events. So if you get inside a firewall, you're basically inside the firewall. It is not going to say that you have the right to access this URL but not that URL.

Q: And how is this different from what other managed-security companies are doing right now?


Here's the difference. If you are running an intrusion-detection system (IDS), which is what most managed-security firms do, you actually wait until the intrusion happens. You read the log off the IDS or off of the UNIX machine or off of the firewall, and try to determine whether something bad happened an hour ago. Our service does this in real time based on an understanding we have about what network traffic should look like -- not just traffic up to the firewall but inside the perimeter.

Q: So what kinds of advantages will this create?


We can tell you exactly how much of the traffic on your network is "good" traffic, meaning traffic that should be there. And that could prevent some things. For example, we found a guy that was running his own business off of the company's network. That's interesting because there was no technical violation of any kind. There was no intrusion. There's no obvious violation. But it's wrong traffic. So this is business security. The business needs to know and enforce what it wants the network to do. And that's what we offer.
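The contrast Elgamal draws between a port-based firewall and a connection-level policy can be made concrete in a few dozen lines. The following is an added example written for this edit; it is not Securify's SecurVantage code, whose internals the interview does not describe. It treats each observed connection as a "security event", describes the business's expected connections as rules (client range, server range, port and, for web traffic, the URL paths a customer should be reaching), and models a firewall as the same rules with the paths dropped. The addresses, the rules and the five captured connections are constructed for the example, including the staffer running a side business over an outbound port the firewall happily allows.

```python
"""Connection-level policy monitoring versus a port-based firewall.

Added example for this edit; not Securify's SecurVantage code. The rule
format, the hosts and addresses, and the captured connections below are
all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Conn:
    """One observed connection: the interview's unit of 'security event'."""
    src: str
    dst: str
    port: int
    path: Optional[str] = None  # request path for HTTP(S); None otherwise


@dataclass(frozen=True)
class Rule:
    """An expected connection. paths=None means 'any path / not web'."""
    src: str                          # CIDR of permitted clients
    dst: str                          # CIDR of permitted servers
    port: int
    paths: Optional[tuple] = None     # permitted URL path prefixes

    def matches(self, c: Conn) -> bool:
        if c.port != self.port:
            return False
        if ip_address(c.src) not in ip_network(self.src):
            return False
        if ip_address(c.dst) not in ip_network(self.dst):
            return False
        if self.paths is None:
            return True
        return c.path is not None and c.path.startswith(self.paths)


# Port-based firewall: which (client, server, port) triples are open.
# It never looks at what happens inside a permitted connection.
FIREWALL = [
    Rule("0.0.0.0/0", "10.1.1.10/32", 443),      # anyone -> public web server
    Rule("10.0.0.0/8", "0.0.0.0/0", 443),        # staff -> any HTTPS site
    Rule("10.1.1.10/32", "10.1.1.20/32", 5432),  # web tier -> database
]

# Business policy: what the network is *supposed* to do. Same shape, but
# the web rule also says which URLs a customer should be reaching.
POLICY = [
    Rule("0.0.0.0/0", "10.1.1.10/32", 443, ("/catalog", "/checkout", "/account")),
    Rule("10.1.1.10/32", "10.1.1.20/32", 5432),
    Rule("10.0.0.0/8", "203.0.113.0/24", 443),   # the one approved SaaS vendor
]

# Constructed sample of sniffed connections (not real capture data).
EVENTS = [
    Conn("198.51.100.7", "10.1.1.10", 443, "/checkout/pay"),  # customer buying
    Conn("198.51.100.8", "10.1.1.10", 443, "/admin/users"),   # probing admin URL
    Conn("10.2.3.6", "198.51.100.200", 443, "/shop/orders"),  # staffer's side business
    Conn("10.1.1.10", "10.1.1.20", 5432),                     # web tier -> db
    Conn("198.51.100.9", "10.1.1.10", 22),                    # inbound SSH attempt
]


def first_match(c: Conn, rules) -> Optional[Rule]:
    """Return the first rule accounting for the connection, or None."""
    return next((r for r in rules if r.matches(c)), None)


def audit(events, policy=POLICY, firewall=FIREWALL) -> dict:
    """Classify each event two ways and summarise.

    'silent' lists connections the firewall let through that the business
    policy does not expect: the traffic a port-based view never flags.
    """
    rows = []
    for c in events:
        rows.append({
            "conn": c,
            "firewall": "allow" if first_match(c, firewall) else "deny",
            "policy": "good" if first_match(c, policy) else "violation",
        })
    good = [r["conn"] for r in rows if r["policy"] == "good"]
    silent = [r["conn"] for r in rows
              if r["firewall"] == "allow" and r["policy"] == "violation"]
    return {
        "total": len(rows),
        "good": len(good),
        "good_fraction": len(good) / len(rows) if rows else 0.0,
        "silent": silent,
        "rows": rows,
    }


if __name__ == "__main__":
    report = audit(EVENTS)
    for r in report["rows"]:
        c = r["conn"]
        print(f"{c.src:>15} -> {c.dst:<15}:{c.port:<5} {c.path or '-':<16} "
              f"firewall={r['firewall']:<5} policy={r['policy']}")
    print(f"good traffic: {report['good']}/{report['total']} "
          f"({report['good_fraction']:.0%}); "
          f"silently allowed by firewall: {len(report['silent'])}")
```

Run as-is, the audit reports two of the five connections as "good" traffic. The admin-URL probe and the side-business traffic both sail through the firewall, because port 443 is open in both directions, and only the policy view flags them; the SSH attempt is caught by both, which is the only case where a port-based firewall and a connection-level policy agree on a violation.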

Salkever covers computer security issues twice a month in his Security Net column, only on BW Online

Edited by Douglas Harbrecht
