Anti-botnet vendors plug in

New wave of IT startups gains attention as carriers, ISPs, and large enterprises seek stand-alone botnet-blocking technologies to protect their systems and networks

A small group of IT security startups are hoping to cash in on the rise of the botnet scourge as businesses -- telecommunications carriers and Internet service providers, in particular -- seek new methods for stopping the attacks.

While larger security software makers, including Symantec, McAfee, and Trend Micro, have built botnet-fighting functions into their existing products, and carrier security specialists such as Arbor Networks have added tools for detecting the threats in their network monitoring systems, a handful of smaller companies are attempting to market themselves as purists in the anti-botnet field.

As carriers, ISPs, and large enterprises investigate techniques to keep computers on their networks, and those of their customers, from being recruited into the zombie armies of botnet-controlled devices, some experts say that there may be a market for stand-alone technologies that address the problem -- at least for the next several years.

"If you look at the change in the characteristics of malware attacks over the last year, and the public outrage over data breaches, private and government organizations have reached a point where the botnet issue is directly accessible," said Nick Selby, analyst at The 451 Group.

"Botnets are very relevant to data loss, and without question, customers are looking for in-the-cloud protection and clean pipes; the problem is too complex for any individual user to deal with alone, even large enterprise users," he said. "Anti-botnet vendors could see compliance and media-fueled growth because everyone understands the issue of data loss."

Just as Webroot was able to build and maintain a business dedicated to fighting spyware -- even in the face of competition from larger rivals who built tools for warding off those attacks into their integrated security suites -- vendors staking a claim to the anti-botnet space contend that there will be plenty of demand for their specialized skills.

Perhaps the two best-known providers making noise in the segment are FireEye, a Silicon Valley startup backed by funding from Sequoia Capital and Norwest Venture Partners, and Damballa, an Atlanta-based company with roots at Georgia Tech backed by Sigma Partners and Noro-Moseley Partners.

Leaders with both companies maintain that their businesses are already taking off as botnets take over.

"These networks of infected PCs have become, in essence, the world's largest computing grids. They dwarf the world's supercomputers in terms of their power, so that tells you something about the severity of the overall threat," said Ashar Aziz, chief executive of FireEye, who maintains there are currently as many as 150 million botnet-infected computers worldwide.

"This is the actual infrastructure that connects all the malware, spam, and denial-of-service attacks," he said. "A feature built into an end-point client is not going to solve the problem on its own; large enterprises and carriers are looking for something today that is going to help them keep their assets from being victimized."

In addition to the carrier crowd, Aziz said that a growing number of large enterprises are seeking to take things into their own hands to ensure that their networks aren't being exploited by botnet commanders.

Not only are large companies fearful of having their assets used as proxies by all sorts of attackers, and any potential fines that such activity or related data loss could lead to, he said, they are also hoping to avoid the embarrassment of having machines inside their walls publicly revealed as spam and malware delivery stations.

Throughout 2007, researchers at network security technology vendor Support Intelligence repeatedly detailed spam runs emanating from well-known businesses, including Bank of America, Intel, and Nationwide Insurance, that were thought to be driven by botnet-infected computers.

At the core of the company's anti-botnet technology, delivered via its appliances, is its FireEye Analysis and Control Technology (FACT) engine, which looks for suspicious traffic, confirms attacks, and blocks access from infected devices to other machines on a network.

Using the information being drawn from its customers, which already include a number of large North American carriers and Fortune 1,000 companies, according to the CEO, FireEye claims that it also has the ability to backtrack its way through the networks of infected machines to scope out the size of botnet operations and work with carriers to snuff out the infrastructure.

Aziz contends that even if anti-botnet technologies become digested in broader suites by most companies or through carrier-provided services, FireEye -- whose virtualization-based technology was originally positioned for use in network access control (NAC) systems when it was founded in 2004 -- will be able to turn a profit by providing the intelligence needed by those systems to identify and track the attacks.

"The capability to build this intelligence about the botnets themselves is a sizable business opportunity. These companies offering services will need to constantly feed new data into their gateways," he said. "We feel this is a viable business model, finding the infrastructure that is out there and helping people understand where it lives and how it works."

Damballa, which takes it name from the realm of voodoo spirits, is already marketing its capabilities to both enterprises and carriers in a number of different models.

For instance, the company already offers three deployment options to enterprise customers: its Global Surveillance Network, a subscription service that alerts users if any of their machines are infected by known botnets; its Enterprise Protection package, which uses sensors placed on clients' networks to look for attacks; and its Extended Enterprise Protection offering, which utilizes sensors outside companies' firewalls to look for attempts by botnets to connect to users' computers.

It markets comparable services for carriers and other security OEMs.

Damballa leaders said that the key to earning a spot inside more companies' operations will be the continued evolution and maturation of the threats themselves, and the company's unique ability to chart botnet behavior.

"We definitely see a best-of-breed opportunity for fighting botnets. It depends on the customer, but most of the success we're finding is with organizations who already have a lot of security technologies in place but still find themselves dealing with this problem," said Tripp Cox, vice president of engineering at Damballa, which was founded in late 2006.

"These companies are getting green lights from other products telling them that everything is OK, but they are still finding out about compromises inside their networks," he said. "A lot of the larger security players will have to have something in their suite to address the problem, and there's definitely potential for consolidation at some point in this space, but if you look at a problem like spam, there's a history there of companies building a stand-alone business to solve problems like this."

The 451 Group's Selby said that there will likely be growth of the anti-botnet segment before any industry consolidation takes place, despite a wide number of companies --ranging from anti-virus vendors to massive carriers with managed security services -- who want to take on a broader piece of the market.

"It would seem to make sense for these [anti-botnet] companies to cut deals with ISPs to have better visibility into their networks and botnet activity in general, as they already have," the analyst said. "This is a market that should see expansion as botnets continue to become a bigger problem for everyone."

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies