Network Security Evolves: An Interview with CA’s Ian Hameroff

Computer Associates is not your average software developer. This US$5 billion company — one of the largest in the industry — designs software to help businesses manage critical aspects of their IT operations and to help programmers automate their daily work. The company’s software products, which work with almost every commercially available hardware platform and all types of common software operating systems, focus on six main areas: enterprise management, security, storage, application lifecycle management, application development and business intelligence.

Having traditionally focused on business-level software, Computer Associates announced this week at Comdex that it will offer a free one-year subscription to its eTrust EZ Armor antivirus and firewall desktop security suite. The move, which could end up hurting competitors Symantec and Network Associates, already has pushed shares of both competitors’ stock down. It is CA’s first major move into the consumer space, a field in which Symantec has been the leader and has enjoyed stellar success during a recent string of virus outbreaks.

The big question seems to be how Microsoft will market the CA antivirus product. In a company statement, CA said it will “aggressively promote” the offer as part of Microsoft’s “Protect Your PC” campaign, an effort by Microsoft to help consumers reduce the threat of malicious computer attacks. But if that means Microsoft markets the CA product similarly to the way it has handled its XP firewall, it might not affect Symantec’s business on the consumer desktop.

Clearly, Computer Associates is sailing into new waters, but judging by the company’s successes in the past at the enterprise level, it is more than up to the challenge. TechNewsWorld turned to Ian Hameroff, Security Strategist and Director of Research and Response at Computer Associates, for an exclusive interview to talk about the company’s latest security strategies. In addition to being director of CA’s security and response team, Hameroff is responsible for the communication process that alerts CA’s customers, partners and the media to new computer security threats, such as viruses, worms, new vulnerabilities and security attacks.

TechNewsWorld: CA traditionally has focused on business applications rather than the consumer desktop. Why the partnership now with Microsoft and the push to the consumer desktop?

Ian Hameroff: CA’s focus is, and continues to be, on developing quality management solutions for our corporate customers. Addressing the risk to business continuity presented by virus attacks doesn’t start and stop at the corporate network boundaries. Instead, it requires both businesses and home users to maintain a fundamental level of defense — at a minimum, antivirus and firewall protection — which in turn significantly reduces the risk of attacks like Klez, SoBig and Blaster succeeding.

Today’s businesses employ a fairly complete strategy for protecting their desktops and servers against viruses, making it tougher for virus authors, so these guys have turned their attentions to exploiting more vulnerable home computers. For example, studies have shown that more than 60 percent of home computer users neglect to update their antivirus every day — or, worse, don’t even have a solution installed.

This damaging impact to businesses — our customers — is evident when you consider that SoBig.F was programmed to “phone home” to 20 computers for potentially even more destructive instructions. These very 20 computers were all compromised home computers hooked up to a broadband connection.

With so many home users unaware of the vulnerabilities that exist, they are unknowingly or unintentionally spreading the havoc recent attacks have caused. We are making it as easy as reading the morning newspaper to get protected and at no cost. A partnership with Microsoft means together we can reach the world as part of the extensive “Protect Your PC” program.

TNW: What effect do you think this partnership will have on the security of Windows systems in the long run?

Hameroff: Our — CA’s and Microsoft’s — mutual goal is to elevate the level of security on home computers to that which is currently employed on enterprise desktops. This is especially important for those running somewhat older versions of Windows, like 98 or NT, who do not have the security benefits built into later releases of the operating system. This will ultimately result in a great reduction in the rapid spread and impact of viruses on enterprises currently being bombarded by attacks spreading in and from the home PC space.

By offering an enterprise-caliber solution — which is built for ease-of-use by all levels of computer users — through an aggressive campaign with Microsoft, we are making it exceedingly easy for Windows users to protect themselves and vastly harder for virus creators to succeed.

TNW: On a technical level, what differentiates CA’s security software from competitors Symantec and McAfee?

Hameroff: A great question for CA, since we offer our enterprise customers much more than just antivirus and firewall technology. CA’s eTrust brand of security management solutions delivers the tools necessary to manage all aspects of security for a business’ critical computing infrastructure. This includes digital user identities, enforcement of access policies, discovery and remediation of vulnerabilities and managing the whole of a corporation’s security infrastructure.

One of the many technical differentiations between us and competitors like a McAfee or a Symantec is our rich years of experience in building enterprise-caliber security solutions. CA has been — since our earliest days in security going back to 1982 — securing the world’s mainframes to today’s infrastructure. With nearly 25 eTrust solutions, each product incorporates our overall passion for seamless integration between components (from within CA and from third parties), enterprise scalability and extensive platform and application coverage. Even our antivirus solution hails from being among the very first network-focused antivirus solutions, which means such important features like automated downloading of the latest virus-detection signatures has been a part of our product from the very first release.

Another great differentiator, particularly for our antivirus software, is our record of awards for detection capabilities. CA has received more than thirty VB100% awards from Virus Bulletin, including the distinction of having earned more than any other vendor in the space.

TNW: What projects at CA are you personally working on these days?

Hameroff: It’s a great time to be at CA with the innovative work within the eTrust brand unit. I am working on growing our global security research-and-response organization and the way that team interacts with our customers, partners and the media when a new virus, worm or vulnerability rears its ugly head. This is no small task for any company, but with CA’s extensive understanding of all the platforms and applications enterprises are using and the importance that plays in driving our customers’ business, we have nearly the power of all 16,000 of CA’s employees helping address the risks introduced by cyber-attack threats. I also continue to travel through the world to meet with customers and evangelize our eTrust brand of security management solutions, which in itself is a very fulfilling endeavor.

TNW: What do you think about the state of computer security today as an industry?

Hameroff: By and large, computer security is in a very interesting state. For many geographic regions of the world and business verticals, security has begun an evolutionary shift from being purely preventative — blocking technology — to being a business enabler.

Much of this is being driven by a greater understanding by all layers of a business’ management of the highly important role information security plays in maintaining business continuity, but will be further driven to the forefront by regulations and the competitive nature of the marketplace.

Take, for example, privacy. Privacy is now a competitive differentiator, whether a business realizes it or not. It is much more than a posted privacy policy; it’s about providing a highly personalized user experience, but removing the chance of having personal information ending up in someone else’s unauthorized hands. Just ask yourself, would you shop on an online store that had a track record of information compromise?

In addition, we have found that many organizations have implemented a patchwork of traditional and some nontraditional security tools, but without any intercommunication or cooperation between these individual elements. Often referred to as a “defense in depth” strategy, today’s state of security measures have resulted in slower response to security threats due to a deluge of information — such as log events and alerts — sent to administrators with no easy way to make sense of which end is up. Add that to the challenges of keeping up with the latest fixes to critical security vulnerabilities and meeting service levels demanded by today’s “point and click” world, and it can be quite overwhelming to combat potential interruption risks to a business’ operations.

Dealing with this flood of security data would be like receiving millions of e-mails each and every day. There will be a lot of spam; there will be a lot of useful e-mail with some having higher priority that require faster attention than others. How would you find that digital needle in this gigabyte haystack?

TNW: Do you think this situation will ever improve?

Hameroff: As the golden rule of security states, there’s no such thing as 100 percent security. That is why it’s so important to measure improvement by how much risk to the business has been reduced. And this is why it is equally important to approach this challenge from a management perspective.

Just as I mentioned earlier, some of the greatest challenges in security come not from just a failure to deploy the right security controls, but instead are the end result of not having the right management around all of it to keep it focused on meeting the objectives of an organization’s security policy.

Bringing management into the picture will vastly improve the security posture of a corporation’s critical infrastructure, but like addressing virus attacks, it doesn’t start and stop at the corporate network’s firewall. Instead, processes and transactions need to have a security conscience component wrapped around it that in turn will yield maximal reduction of risk. But again, there is no such thing as 100 percent security, but there can be 100 percent application of security management.

TNW: Technically speaking, do you believe Linux is more secure than Microsoft software? Or is Linux simply less targeted by malware writers?

Hameroff: I feel it is worth stating up-front that any computing platform, if left in a default state and poorly maintained over its lifetime, could quickly fall prey to even the most unsophisticated hacker. The reason we see more malware attacks aimed at Windows is based on the pure fact it is the most prevalent desktop operating system in the world and was built with features to make usage as easy as possible. Bearing in mind that the vast majority of virus creators author their attacks with one major goal in mind — to spread — they create malware for a platform or application that is in wide use by a wide cross-section of users.

In essence, if you want to start a forest fire, you start one in a forest.

Linux is still less common in the average computing environment, especially for home users, so virus creators have set their sights elsewhere. But Linux users shouldn’t be lax about security just because it appears that the odds are stacked against Windows. As Linux expands even further in general use, we need to apply the lessons learned over the last 15 years of computer virus history, or Linux could meet a similar fate.

TNW: A couple of years ago, CA was making the push toward Web services. What is your attitude toward Web services these days? What does the horizon look like for CA’s software strategy?

Hameroff: Web services infrastructures like those based on Microsoft’s .NET or J2EE are being widely adopted by our client base. They provide standards-based interoperability that enables rapid service creation and delivery. However, Web services need to be managed in order for them to reach their full potential. This includes service-level management, security and availability management.

Delivering these required management needs is a major part of CA’s overall managing-on-demand strategy and is reflected through our brands. ETrust’s role in this overall strategy is key and is reflective in the types of solutions we are driving to market, like the recently announced eTrust Identity and Access Management Suite and its ability to enable business to adopt secured and personalized Web services as an integrated aspect of their entire enterprise’s computing infrastructure.

TNW: How did CA become such a large company in such a short time?

Hameroff: I really feel it is attributable to the core values that drive our company. CA’s commitment to putting our customers first, to innovation and to quality are not just bullet points on a Web site; they are what we use to measure our success and maximize the value we will deliver to our customers and shareholders.

TNW: As such a large company, how — on the technical level — do you keep everything interoperating, focused and integrated? In other words, can you share a few things about your internal code-sharing or knowledge-management strategies?

Hameroff: Integration is not just a buzzword at CA, it’s our passion; it’s something that is ingrained in our culture, our way of thinking and our delivery of solutions.

We leverage one of the greatest advantages CA has in our extensive management-technology brands by using common components — like our CA common services or portal technology — across our solutions.

Of course, all of this is conducted with a keen eye on quality in our innovation, and CA has certainly established the enterprise software industry’s high-water mark as evident in our worldwide ISO 9001 and 9002 certification. That’s a mark of excellence we are proud to be the very first in our industry to achieve.

TNW: Anything else you’d like to add?

Hameroff: Certainly. I’d like to invite your readers to learn more about the “Protect Your PC” program by visiting Microsoft.com/security/protect/.