Anti-botnet vendors plug in
A small group of IT security startups are hoping to cash in on the rise of
the botnet scourge as businesses -- telecommunications carriers and Internet
service providers, in particular -- seek new methods for stopping the attacks.
While larger security software makers, including Symantec, McAfee, and Trend
Micro, have built botnet-fighting functions into their existing products, and
carrier security specialists such as Arbor Networks have added tools for detecting
the threats in their network monitoring systems, a handful of smaller companies
are attempting to market themselves as purists in the anti-botnet field.
As carriers, ISPs, and large enterprises investigate techniques to keep computers
on their networks, and those of their customers, from being recruited into the
zombie armies of botnet-controlled devices, some experts say that there may
be a market for stand-alone technologies that address the problem -- at least
for the next several years.
"If you look at the change in the characteristics of malware attacks over
the last year, and the public outrage over data breaches, private and government
organizations have reached a point where the botnet issue is directly accessible,"
said Nick Selby, analyst at The 451 Group.
"Botnets are very relevant to data loss, and without question, customers
are looking for in-the-cloud protection and clean pipes; the problem is too
complex for any individual user to deal with alone, even large enterprise users,"
he said. "Anti-botnet vendors could see compliance and media-fueled growth
because everyone understands the issue of data loss."
Just as Webroot was able to build and maintain a business dedicated to fighting
spyware -- even in the face of competition from larger rivals who built tools
for warding off those attacks into their integrated security suites -- vendors
staking a claim to the anti-botnet space contend that there will be plenty of
demand for their specialized skills.
Perhaps the two best-known providers making noise in the segment are FireEye,
a Silicon Valley startup backed by funding from Sequoia Capital and Norwest
Venture Partners, and Damballa, an Atlanta-based company with roots at Georgia
Tech backed by Sigma Partners and Noro-Moseley Partners.
Leaders with both companies maintain that their businesses are already taking
off as botnets take over.
"These networks of infected PCs have become, in essence, the world's largest
computing grids. They dwarf the world's supercomputers in terms of their power,
so that tells you something about the severity of the overall threat,"
said Ashar Aziz, chief executive of FireEye, who maintains there are currently
as many as 150 million botnet-infected computers worldwide.
"This is the actual infrastructure that connects all the malware, spam,
and denial-of-service attacks," he said. "A feature built into an
end-point client is not going to solve the problem on its own; large enterprises
and carriers are looking for something today that is going to help them keep
their assets from being victimized."
In addition to the carrier crowd, Aziz said that a growing number of large
enterprises are seeking to take things into their own hands to ensure that their
networks aren't being exploited by botnet commanders.
Not only are large companies fearful of having their assets used as proxies
by all sorts of attackers, and any potential fines that such activity or related
data loss could lead to, he said, they are also hoping to avoid the embarrassment
of having machines inside their walls publicly revealed as spam and malware
Throughout 2007, researchers at network security technology vendor Support
Intelligence repeatedly detailed spam runs emanating from well-known businesses,
including Bank of America, Intel, and Nationwide Insurance, that were thought
to be driven by botnet-infected computers.
At the core of the company's anti-botnet technology, delivered via its appliances,
is its FireEye Analysis and Control Technology (FACT) engine, which looks for
suspicious traffic, confirms attacks, and blocks access from infected devices
to other machines on a network.
Using the information being drawn from its customers, which already include
a number of large North American carriers and Fortune 1,000 companies, according
to the CEO, FireEye claims that it also has the ability to backtrack its way
through the networks of infected machines to scope out the size of botnet operations
and work with carriers to snuff out the infrastructure.
Aziz contends that even if anti-botnet technologies become digested in broader
suites by most companies or through carrier-provided services, FireEye -- whose
virtualization-based technology was originally positioned for use in network
access control (NAC) systems when it was founded in 2004 -- will be able to
turn a profit by providing the intelligence needed by those systems to identify
and track the attacks.
"The capability to build this intelligence about the botnets themselves
is a sizable business opportunity. These companies offering services will need
to constantly feed new data into their gateways," he said. "We feel
this is a viable business model, finding the infrastructure that is out there
and helping people understand where it lives and how it works."
Damballa, which takes it name from the realm of voodoo spirits, is already
marketing its capabilities to both enterprises and carriers in a number of different
For instance, the company already offers three deployment options to enterprise
customers: its Global Surveillance Network, a subscription service that alerts
users if any of their machines are infected by known botnets; its Enterprise
Protection package, which uses sensors placed on clients' networks to look for
attacks; and its Extended Enterprise Protection offering, which utilizes sensors
outside companies' firewalls to look for attempts by botnets to connect to users'
It markets comparable services for carriers and other security OEMs.
Damballa leaders said that the key to earning a spot inside more companies'
operations will be the continued evolution and maturation of the threats themselves,
and the company's unique ability to chart botnet behavior.
"We definitely see a best-of-breed opportunity for fighting botnets. It
depends on the customer, but most of the success we're finding is with organizations
who already have a lot of security technologies in place but still find themselves
dealing with this problem," said Tripp Cox, vice president of engineering
at Damballa, which was founded in late 2006.
"These companies are getting green lights from other products telling
them that everything is OK, but they are still finding out about compromises
inside their networks," he said. "A lot of the larger security players
will have to have something in their suite to address the problem, and there's
definitely potential for consolidation at some point in this space, but if you
look at a problem like spam, there's a history there of companies building a
stand-alone business to solve problems like this."
The 451 Group's Selby said that there will likely be growth of the anti-botnet
segment before any industry consolidation takes place, despite a wide number
of companies --ranging from anti-virus vendors to massive carriers with managed
security services -- who want to take on a broader piece of the market.
"It would seem to make sense for these [anti-botnet] companies to cut
deals with ISPs to have better visibility into their networks and botnet activity
in general, as they already have," the analyst said. "This is a market
that should see expansion as botnets continue to become a bigger problem for