Finjan's Software Blocks Active Content Threat

Start-up's product monitors suspicious activity from executable e-mail attachments

By Pimm Fox
July 9, 2001 12:00 PM ET

Computerworld - There's no shortage of reasons for corporate IT managers to be concerned - very concerned - about external threats to the security of their systems. Trojan horses and viruses that enter organizations as executable e-mail attachments are abundant, and antivirus software doesn't always catch them.
Finjan Software Inc.'s response is SurfinShield Corporate and SurfinGate, software that actively monitors downloaded active content, including executables, ActiveX and Java scripts, on individual desktops and at e-mail gateways.
By monitoring code behavior, Finjan's products let companies enforce security policies by automatically blocking malicious activity before it causes damage to PCs. "The days of relying on reactive security products to stop malicious code attacks are over," says Phil Kantz, president and CEO of the San Jose-based start-up. "Companies cannot afford to wait hours or days for security updates to be protected from new attacks."


Phil Kantz, CEO of Finjan Software, says his company's products take a proactive, rather than reactive, approach to security.

Finjan Software Inc.
12860 Zanker Road, Suite 201
San Jose, Calif. 95134
(408) 981-1690

Web: www.finjan.com

Niche: Its software monitors executable e-mail attachments and other active content and blocks suspicious behavior. It protects by monitoring activity, rather than relying on virus signatures.

Company officers:
• Phil Kantz, acting president and CEO;
• Jeff Feuer, vice president and chief financial officer;
• Yigal Edery, director, research and development

Milestones:
• January 1998: Company founded, SurfinGate released.
• Q1 1999: SurfinShield Corporate released.
• July 2000: Awarded a U.S. patent for the code inspection technology.

Employees: 60

Burn Money: $20 million from Bessemer Venture Partners LLC, Star Ventures Capital LLC, RRE Ventures LLC, CSK Venture Capital Co. and Security Dynamics, a subsidiary of RSA Data Security.

Products/pricing: SurfinShield Corporate 5.5: $59 per seat; SurfinGate 5.6: $49 per seat.

Customers: European Parliament, U.S. Pentagon, IRS, others.

Red flags for IT: The products won't help with pre-existing viruses. Some antivirus software vendors are adding this capability. Products are a supplement to, not a replacement for, antivirus software.

A security analyst at a major Northwest retailer, who declined to be named, can attest to that. "I saw SurfinShield, and then six months later, the Melissa virus hit," he says. "We decided to segment the responsibility of dealing with these threats by installing the desktop version, mainly because we had very few means of identifying the attacks before they hit."
He says the product has successfully blocked subsequent active content attacks before they could do damage.
"Finjan's software controls code behavior before it becomes active," says Christian Christiansen, an analyst at Framingham, Mass.-based IDC. "It catches attacks before they can do harm."
"Monitoring programs for malicious behavior, or sandboxing, has come of age and proved its effectiveness against worms like 'I Love You' and Anna Kournikova," says Yigal Edery, Finjan's director of research and development.
Plus, Internet worms can change their characteristics every four to six hours, which is faster than antivirus software vendors can turn around virus signature updates, adds Dave Kroll, the firm's director of marketing.
SurfinShield Corporate runs on each PC in the background, watching for file violations and checking for attempts to delete files, access registries or access the operating system. It also has a central console for setting policy, monitoring and administering SurfinShield across all desktops.
Administrators can also set policies that let some ActiveX controls in while blocking others. "We needed to offer software that allows for specific controls to run software that uses ActiveX controls like WebEx, while still enforcing security policies," says Kroll. "SurfinShield does that."
Finjan's SurfinGate protects e-mail gateways running on Windows NT, Windows 2000 or Unix servers. Finjan says its customers include the Internal Revenue Service, the European Parliament and the Pentagon.
People Problem
When installing SurfinShield Corporate on desktops, IT managers may need to overcome some user resistance, the Northwest retailer discovered. "We also had to explain to our 600 desktop users why we were installing this; we weren't trying to censor what they looked at, but rather we had to block applets that posed a threat to our system," says the company's security analyst.
He did have a few other issues. The security signatures in SurfinShield were corrupted when desktop users installed Microsoft's Internet Explorer 5, but Finjan fixed this in its current version, the analyst says. And SurfinShield doesn't audit the behavior of macros.
"What using SurfinShield brought to my attention is that when you attach to any Web site, you are basically giving that Web site entire rights to your system," says the security analyst. "We tell people, 'Thou shalt not open executables.' But they do it anyway. SurfinShield is now blocking that."

The Buzz: State of the Market
Riding the Cybercrime Wave


Finjan is at the right place at the right time. Gartner Inc. in Stamford, Conn., estimates that the economic cost of cybercrimes will increase 1,000% to 10,000% through 2004, and attacks generated through executable e-mail attachments are an increasing part of the mix.
Finjan operates in a specialized security space: Its products perform real-time monitoring of inbound active content in e-mail attachments and block associated activity produced by these viruses. But because the software can accommodate different profiles, administrators can allow certain types of ActiveX content to flow to the end user. This is called "white listing," and a few competitors in the field also offer some degree of this customization.
According to IDC analyst Christian Christiansen, the market for this type of software is hard to gauge because it's part of larger offerings from companies such as Islandia, N.Y.-based Computer Associates International Inc. CA's eTrust product, for example, works within the Unicenter TNG Framework to block some types of active content but normally reacts only to known viruses.
Some vendors of intrusion detection software are also adding blocking of active content for servers. For example, Atlanta-based Internet Security Systems Inc. recently added such capabilities to its RealSecure intrusion detection software.
As for offerings from traditional antivirus vendors, Gartner analyst Bill Malik says Symantec Corp. in Cupertino, Calif., and Network Associates Inc. in Santa Clara, Calif., offer similar capabilities but Finjan's is more advanced.
Pelican Security Inc.
Chantilly, Va.
www.pelicansecurity.com
Pelican Security's SafeTnet desktop software also detects and isolates downloaded active content. But unlike Finjan, the company says its products let users secure applications and systems by determining who has access to make changes. It blocks content by determining what can be changed, as opposed to what can be let through.

