But even a task that never ends has to have a beginning, and more often than not it goes something like this: What do I have that needs to be protected, and how well or not is it protected now? Sometimes the best thing to do is call in someone from the outside to look at it all with fresh eyes. And sometimes the answers can be shocking.

It’s the sort of thing that Rapid7, a fast-growing security firm based in Boston, specializes in. While some security firms are more the cops on the beat, hired to keep things in check based on established rules and policies, Rapid7 is one you call when you want to know how the bad guys will try — and try they will — to get through whatever security measures are already in place.

The firm also owns Metasploit, an open source service that’s essentially an early-warning system about new vulnerabilities. Twice in the last year, new research by Rapid7 — released to the wider world through Metasploit — has caught my attention: Once it was about Java, and the other item was about how the methods employed in Stuxnet could be used to create new ways to attack public infrastructure.

I recently had a chance to ask Rapid7 CEO Mike Tuchen some questions about his company and the interesting role it’s playing in trying to clear up a lot of ambiguity about IT security that so many CIOs find frustrating. My first question was to ask Tuchen to explain from a high level what Rapid7 does.

AllThingsD: Mike, the thing I always think of when I talk to security companies is that the scope of the problem is constantly moving. If I were to use a football metaphor, it would be that the goalposts are always changing. And yet there’s another metaphor that fits as well: That of a medical triage, because once you know you have problems, there’s the matter of determining which one to fix first. What does Rapid7 do to help companies sort all this out?

Tuchen: We think of the security market as breaking out into “front-end” and “back-end” activities. Front-end activities are the assessments we do to proactively answer questions like: What’s my security posture? Where am I strong, and where am I vulnerable? What should I do to become more secure? That’s where we fit. 

Back-end activities are the enforcement and remediation efforts to protect data or networks that typically act in real time in response to threats detected including firewalls, anti-virus applications and so on.

We’re finding that as the threats are constantly growing and changing, there’s a lot of interest in assessment. The reality is that we’re seeing a new breach on average of once per day for the last 18 months or so. So when things are moving that fast, who wouldn’t want to know where their weaknesses are and what are the most important things they need to do to lower the chance of a being one of those companies breached? Our customers are telling us that once they’ve done the assessment, they’re able to set their priorities for the next 12 to 24 months. If you haven’t done an assessment, there’s a good chance you’ll buy a back-end product that doesn’t solve all your problems because you never knew what all the problems were in the first place. That’s how budgets tend to spin out of control.

So one big question around security is around the shift to the cloud. There are still a lot of people who don’t trust systems they can’t touch, but with the cost savings, the shift is looking more real every day. What does that shift mean for you and for your clients?

The first question you have to ask is “what do I have?” It’s kind of self-evident: You can’t secure what you don’t know about. Cloud services can make this trickier by adding another question into the mix: “Where is it?” And it gets even dicier when you take into consideration all the virtual machines that can be turned on and off at will and moved from one physical machine to another. The boundaries get a lot less well-defined. So the first step is discovery: What do you have, where is it, and what controls are in place? 

The next step is determining what types of threats you’re likely to face and figuring out what’s working to head them off and what’s not. After that you put together a strategy for improvement. 

Generally speaking, the best approaches we’ve seen start with basic hardening techniques. You take some concrete actions that are designed to make it more costly and difficult for attackers to establish a beachhead on your systems. Next, you lock down the perimeter as tightly as possible, and train employees to recognize and resist social engineering attacks.

When it comes to assessing the security of cloud offerings and software-as-a-service applications, it’s a matter of getting comfortable with the security that the vendor has in place. Our own experience with this has been pretty bleak. It’s clear that the industry as a whole has work to do there. 

Like what?

Attackers have the advantage right now. Even the largest and most sophisticated companies are getting breached on a regular basis. I think there are three things that need to happen: We need to do a better job of information-sharing about risks, methods, and actors so that companies don’t have to start from scratch. We also need to make security simpler. Right now it’s way too complex, and there are too many products that target specific problems that tend to be important to only the biggest of companies. And even those companies can barely stitch them all together into a coherent solution. For everyone else in the world it’s pretty much impossible to do that.

We’re working on a lot of this. We run an annual conference called UNITED to bring together innovative defenders to share ideas. It stands for “Using New Ideas To Enhance Defense.” We’ve committed $100,000 to sponsor some projects we like to call the “Magnificent7” and there will be no strings attached to the funding.

Washington seems to have finally awakened to the wider IT security threats. We hear a lot of talk coming out of Congress about cybersecurity. What, if anything, do you expect to come out of these efforts?

There are two security bills, SOPA and CISPA, that have gained a fair amount of attention lately. SOPA focuses on the illegal downloading of music, videos, software and other counterfeit goods that affect a wide variety of industries. These are the low-hanging fruit when it comes to online crime.

CISPA focuses on sharing private sector consumer data with the government to protect national security interests. The intent with CISPA is to legally protect private companies when they share consumer information with government and law enforcement entities. This information would not be available to the public at large and is highly scrutinized by privacy advocates. The information would be used to try to protect the country’s critical infrastructure. But if it were to become law, it won’t change the status quo of organizations and consumers fending for themselves when it comes to information security.

Also if they’re passed, they only affect U.S. citizens. These laws will not prevent foreign entities from engaging in piracy or breaching U.S. corporate or civilian assets. Companies will still be under non-stop attacks from persistent adversaries.

You raised a big bunch of funding last fall with a $50 million investment led by TCV. What are you going to do with all that money?

We’ll use it for three major initiatives: First, we’re doubling down on expanding our existing engineering teams. We doubled the team in 2010, nearly doubled it in 2011, and plan to double it again in 2012. Second, we’re accelerating our international expansion. We just hired a regional VP for Europe and are expanding our European and Asia-Pacific operations with new offices in Amsterdam, Hong Kong and Sydney. Finally, we’re looking to acquire terrific companies with passionate teams that want to join forces with Rapid7 to change the security world.

You acquired the Metasploit Project in 2009. How has that deal worked out and what does it say about the companies you may yet acquire? What are your plans for future acquisitions?

Metasploit has been great for Rapid7. We first started thinking about Metasploit when Chad Loder, one of our co-founders, came up with the idea of integrating an existing product with Metasploit. We discussed it with HD Moore, the founder of Metasploit, and he was equally excited about the idea of integrating the products together. In a week or two we had a working prototype. Right then we realized that we’d found something special: A passionate, driven entrepreneur who shared a lot of our vision and values, a product that logically works together with our existing product, a huge and engaged community of expert security insiders and a business that was ready to be commercialized. We asked HD if he’d like to join forces with us, and he agreed. We were able to build a team around HD, and together we’ve built the Metasploit business into a leader in its category. 

In that case we learned that founder and team are critical. It also made it easier to build the rest of the team around HD from the bottom up. Now we’re actively looking for companies that play in markets that make sense for us, and products that have a solid foundation for the future. We haven’t yet found another opportunity that fits all of these areas.

I get that Rapid7 is growing; you’ve got an impressive list of customers that includes Anadarko Petroleum, Teradyne, Liz Claiborne and the U.S. Postal Service. Can you share some basic metric that shows how much you’re growing?

Our revenue for the last seven years is over 90 percent per year, and we’ve grown more than 70 percent in each of the last two years. And we have more than 2,000 customers. We’ve been lucky to be in a market where the demand is increasing because threats are escalating.

GitHub, which internally is primarily a Mac company, had last year introduced a similar Mac client, which is now widely used. The clients sync users’ code to the cloud, and are built to be simple in order to attract new and less-savvy users, Wanstrath said.

The bootstrapped San Francisco-based company has 1.6 million registered developers and hosts nearly three million projects. Where GitHub started as half open source, half private code, over time it has become much more about open source.

The Windows client is in part a move to make the tool more appealing to companies, many of which are still afraid to put their code in the cloud, Wanstrath said. Private repositories is where GitHub makes its money; open source project hosting is free.

GitHub did have a security hole exploited earlier this year; Wanstrath made assurances that the company has security as a top priority.

For those who don’t remember, Carrier IQ is a start-up that sells software that tracks various goings-on inside a cellphone to help cellular carriers and device makers better understand problems on the device.

An uproar occurred last November after a report suggested that the company might be logging all of a user’s activities. Even as Carrier IQ clarified what it was and wasn’t doing, concerns over the product remained.

The Mountain View, Calif., start-up didn’t lose any of its major customers entirely, but its software is definitely installed on fewer phones now than it was before the controversy.

But its executives insist that software that resides on the device, like its own, is critical to understanding connection issues, battery drain and other problems that plague today’s smartphones.

“Having us there is really the only way the industry is going to make improvements that are necessary,” VP Andrew Coward said in an interview at the CTIA trade show in Orlando. “Our technology can take 10 minutes off a customer support call.”

Carrier IQ has taken a couple key steps in its effort to change its image.

Earlier this year, Carrier IQ announced plans to create a way for customers to see firsthand some of the data that is being captured on their phones. That process is still ongoing as Carrier IQ works with the cellular firms to suss out which data they want to share and in what forms.

On Tuesday, the company announced it has hired former Verizon lawyer Magnolia Mansourkia Mobley as its new general counsel and chief privacy officer.

Mansourkia Mobley said that the company is looking to be a strong voice in a broader industry discussion around privacy.

“I don’t think this is something that is limited to Carrier IQ,” she said, saying it is an issue affecting the whole online world. “We plan to be an active member of those discussions.”

The solution, she said, isn’t for Carrier IQ and other small companies to do a lot of work creating their own customer Bill of Rights.

“I don’t think that’s an effective way of delivering something that is meaningful to a consumer,” she said.

The company has also shifted some of its attention more globally. For example, while the company had a booth at Mobile World Congress in Barcelona, it opted not to do the same here in New Orleans.

Although it would always love more U.S. business, Coward said the company is already well known here and counts three of the big four U.S. carriers (not Verizon) as its customers, along with Leap Wireless.

“We’re spending a lot of time in Europe right now,” Coward said. “The same issues with handsets exist globally. It’s not just a U.S. issue.”

RELATED POSTS:

• With No Apple or Amazon at CTIA, iPad Rivals Free to Sling Arrows
• Sprint, Verizon, AT&T and T-Mobile CEOs Square Off in New Orleans
• Remember Carrier IQ? Well, It’s Still Around and Kicking.
• Sprint Product Exec: Launching LTE Devices Before Network Just Makes Sense
• FCC Chairman: Rejection of AT&T’s T-Mobile Deal Isn’t Causing Higher Prices
• Boingo Adds VPN and Crowdsource Hotspot Data to Its Wi-Fi Software
• T-Mobile CTO: Network Should be Ready for iPhone Users by Q4
• Interview: AT&T’s Glenn Lurie on Being the New Sheriff in Town
• Another Day, Another PayPal-esque Digital Wallet: Here’s MasterCard’s High-Tech Billfold
• CTIA Gets Down to Business in the Big Easy
• AT&T Aims to Break Into the Home-Security Business
• Interview: CTIA Boss Steve Largent Aims To Keep Conference From Being Lost in the Shuffle

First of all, it adds technology that can help users when logging in to unprotected hotspots. Traditionally, so-called virtual private networking (VPN) software was used to log in to a corporate firewall. But VPNs also serve another important purpose — they help secure the data that is being sent.

Secondly, Boingo is adding data on a whole bunch of new hotspots — some 70,000 — that its users have sniffed out during the past year. The software adds only those networks that people have been successful at connecting to.

Indeed, Boingo has learned a lot since introducing the software a year ago.

For instance, it now knows some of the most popular Wi-Fi network names. In addition to AT&T’s vast network, among the most popular networks are Denver’s airport, Hilton hotels and United’s airport clubs, as well as the default names of popular router vendors like Netgear and D-Link. Good old “Internet” is also in the Top 10.

As for countries where Boingo users found the most free hotspots, the U.S. was, naturally, first, followed by the U.K., Canada, Brazil, France, Spain, Germany, Italy and South Korea.

In the U.S., the most crowdsourced free hotspots were found in Miami, Atlanta, New York and Los Angeles. San Francisco did not make the Top 10.

As for who contributed the most data, Boingo isn’t naming names, for privacy reasons. But it did say the top contributor connected to 69 different networks in a 100-day period, generating more than 2,000 connections.

RELATED POSTS:

• With No Apple or Amazon at CTIA, iPad Rivals Free to Sling Arrows
• Sprint, Verizon, AT&T and T-Mobile CEOs Square Off in New Orleans
• Remember Carrier IQ? Well, It’s Still Around and Kicking.
• Sprint Product Exec: Launching LTE Devices Before Network Just Makes Sense
• FCC Chairman: Rejection of AT&T’s T-Mobile Deal Isn’t Causing Higher Prices
• Boingo Adds VPN and Crowdsource Hotspot Data to Its Wi-Fi Software
• T-Mobile CTO: Network Should be Ready for iPhone Users by Q4
• Interview: AT&T’s Glenn Lurie on Being the New Sheriff in Town
• Another Day, Another PayPal-esque Digital Wallet: Here’s MasterCard’s High-Tech Billfold
• CTIA Gets Down to Business in the Big Easy
• AT&T Aims to Break Into the Home-Security Business
• Interview: CTIA Boss Steve Largent Aims To Keep Conference From Being Lost in the Shuffle

For his part, AT&T’s Glenn Lurie says he’s a bit surprised by everyone else’s surprise. The move, he says, is a natural fit for the communications company.

First off, the security business today is highly fragmented. Only ADT, with about 6 million homes, has much scale. Secondly, he says, there is an opportunity to offer far more services than are typically provided.

“It is ripe for someone to come in and do something new,” Lurie told AllThingsD in an interview at CTIA in New Orleans on Monday.

The company announced AT&T Digital Life — a service that uses wireless to provide all manner of home security and automation services. AT&T plans to offer everything from basic security service to full-scale home automation, with its workers handling everything from installation to monitoring. Pricing has not been announced.

It’s all part of AT&T’s broader plan to find new businesses to complement its wireless and landline business. Lurie says it’s not unlike its move into the TV game several years back, with U-Verse.

“Companies like us have to continue to look for these opportunities,” he said.

To show off its plans, AT&T has rented an 1860s-era house in New Orleans’ Garden District. It took only a couple of hours, Lurie said, to outfit it with a full set of sensors and monitors. With jazz playing in the background and a spread of appetizers that included alligator sausage, the company took reporters on tours of the house, showing off how an iPad can be used to monitor things throughout the home.

AT&T plans to test the Digital Life service this summer in Atlanta and Dallas. AT&T hasn’t announced how it will grow for now, but Lurie said the company’s plan is to offer it nationwide.

“We do view this as a significant growth opportunity, revenue-wise, in 2013,” he said. The company paved the way for the service with its late 2010 acquisition of a company called Xanboo.

The company is also working with carriers overseas to allow them to offer similar services. AT&T divulged its plans in that area back in February and several carriers have signed on, Lurie said, though he didn’t have any names to share.

RELATED POSTS:

• With No Apple or Amazon at CTIA, iPad Rivals Free to Sling Arrows
• Sprint, Verizon, AT&T and T-Mobile CEOs Square Off in New Orleans
• Remember Carrier IQ? Well, It’s Still Around and Kicking.
• Sprint Product Exec: Launching LTE Devices Before Network Just Makes Sense
• FCC Chairman: Rejection of AT&T’s T-Mobile Deal Isn’t Causing Higher Prices
• Boingo Adds VPN and Crowdsource Hotspot Data to Its Wi-Fi Software
• T-Mobile CTO: Network Should be Ready for iPhone Users by Q4
• Interview: AT&T’s Glenn Lurie on Being the New Sheriff in Town
• Another Day, Another PayPal-esque Digital Wallet: Here’s MasterCard’s High-Tech Billfold
• CTIA Gets Down to Business in the Big Easy
• AT&T Aims to Break Into the Home-Security Business
• Interview: CTIA Boss Steve Largent Aims To Keep Conference From Being Lost in the Shuffle

At CTIA on Monday, Ma Bell is announcing AT&T Digital Life, its competitor to ADT and other security services. The idea is that AT&T installs a home base unit that taps AT&T’s cellular networks and can connect via Wi-Fi and other methods to any number of devices in the house, from cameras and window sensors to locks, thermostats, appliances and motion detectors.

The company plans to have trials of the service this summer in Atlanta and Dallas. During the trial, customers can use their own wired broadband to connect to their system and then remotely control the system from phones, tablets or PCs.

“We’re planning a unique suite of services, from start to finish, that will give homeowners control of their property and their possessions through an easy to navigate user interface,” AT&T Senior VP Kevin Petersen said in a statement.

RELATED POSTS:

• With No Apple or Amazon at CTIA, iPad Rivals Free to Sling Arrows
• Sprint, Verizon, AT&T and T-Mobile CEOs Square Off in New Orleans
• Remember Carrier IQ? Well, It’s Still Around and Kicking.
• Sprint Product Exec: Launching LTE Devices Before Network Just Makes Sense
• FCC Chairman: Rejection of AT&T’s T-Mobile Deal Isn’t Causing Higher Prices
• Boingo Adds VPN and Crowdsource Hotspot Data to Its Wi-Fi Software
• T-Mobile CTO: Network Should be Ready for iPhone Users by Q4
• Interview: AT&T’s Glenn Lurie on Being the New Sheriff in Town
• Another Day, Another PayPal-esque Digital Wallet: Here’s MasterCard’s High-Tech Billfold
• CTIA Gets Down to Business in the Big Easy
• AT&T Aims to Break Into the Home-Security Business
• Interview: CTIA Boss Steve Largent Aims To Keep Conference From Being Lost in the Shuffle

The bug, dubbed NotCompatible, is the first Android bug to spread this way, according to mobile-security specialist Lookout. The Trojan poses as a system update and, while the current version doesn’t appear to do harm, it could be used in malicious ways.

“This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy,” Lookout said in a blog post.

In order for a device to be infected, the user would have to install the downloaded Trojan, Lookout said.

“Based on our initial investigation, we’ve confirmed that a number of websites have been compromised,” Lookout said. “However, affected sites appear to show relatively low traffic and we expect total impact to Android users to be low.”

There’s an interesting new fundamental thought emerging among computer security companies. The logic goes like this: First, your digital assets are going to be attacked. Second, no matter what preparations you make to defend those assets, a determined attacker is going to find a hole or a method of penetrating your defenses that you didn’t think of.

Most attacks are relatively cheap to carry out, because they’re not that sophisticated. More often than not, attackers copy the methods they use from each other. Attacks are inexpensive, and most attackers have the luxury of limitless time.

The exception is attacks using so-called “zero day” vulnerabilities, where a previously unknown vulnerability, usually in the operating system, is used to gain access to a system. Most — but not all — of the time, once a zero-day vulnerability is seen and documented, the weaknesses it reveals are patched, making it the type of weapon that can be used only once.

As such, zero-day vulnerabilities are often traded on the black market and sold at a high price. For example, when the Stuxnet worm — the malware that was used to attack and sabotage the Iranian nuclear program — was first discovered, security researchers were impressed that it used no fewer than four distinct zero-day vulnerabilities in Microsoft Windows. So many used at once indicated that the cost to carry out the attack was high, leading to the conclusion that only a state-sponsored attacker would have the funds to carry it out. This led to the logical conclusion that either the U.S. or Israel had been behind Stuxnet.

I bring it up because Stuxnet is an example of the conclusion of this new fundamental thought I mentioned at the start. Why not make attacks expensive for the attackers? The early estimates on Stuxnet put its cost at $3 million, and it is believed that it required a team of 10 skilled programmers and as long as six months to develop. It was not a cheap attack. It was expensive.

That’s the idea behind Shape Security, which today announced that it has landed a $6 million Series A round of venture capital funding led by Kleiner Perkins Caufield & Byers and TomorrowVentures, the fund led by Google Chairman Eric Schmidt.

Peter Wagner, a former partner at Accel Partners, as well as executives from LinkedIn, Twitter, and Facebook, will also join the round. Ted Schlein, managing partner at Kleiner Perkins, has joined the board of directors, along with Gaurav Garg, a limited partner at Sequoia Capital and personal investor in the round.

We don’t as yet know a great deal about Shape Security or its intentions. But we do know who’s running it: According to this filing with the U.S. Securities and Exchange Commission, its CEO is Derek W. Smith. Another key exec and director is Sumit Agarwal, the former head of Google’s mobile product management, who in 2010 took a post in the Department of Defense as senior adviser for Cyber Innovation.

Another key exec is Troy Tribe, who appears to be the same person who used to be VP for business development at Solera Networks, which specializes in network-security analytics and forensics.

This is the second time in as many weeks that I’ve noticed a security company talking about changing the economics for attackers. The first was Crowdstrike, which announced that it had hired Shawn Henry from the FBI and landed a $26 million investment from Warburg Pincus. Neither has said yet exactly what you do to make launching a computer attack more expensive. I’m certainly eager to know more.

It has been a long time since anyone thought seriously about the encryption debate that hung over the discussion around privacy rights in the 1990s. It has also been a long time since Phil Zimmermann — creator of the Pretty Good Privacy software that so many people adopted to encrypt their email — was the target of a federal criminal investigation that derived from his making it widely available for download. The government dropped its case in 1996. Today, PGP is the most widely used encryption program in the world. PGP, the company, is part of Symantec, and encrypting your email is now super easy, though most people don’t go to the trouble of doing it.

PGP is the reason Zimmermann is going to be inducted into the Internet Hall of Fame today, at a dinner in Geneva. Which, of course, raises the question: What is he doing these days?

The answer: Launching a new venture. It’s called Silent Circle, for which Zimmermann has teamed up with two former Navy SEALs and one of his PGP Corp. co-founders. The plan is to offer encrypted email, encrypted mobile calls, encrypted VOIP teleconferencing and encrypted instant messaging, all in one place.

Joining Zimmermann in Silent Circle are Mike Janke, a former Navy SEAL sniper, special operations communications expert and privacy advocate; Vic Hyder, another former Navy SEAL and founder of Maritime Security; and Jon Callas, a cryptographer and Zimmermann’s co-founder of PGP Corp., whose current day job is CTO at Entrust.

Silent Circle will offer services both to consumers and corporations, but also to human-rights groups, dissidents and nongovernmental organizations working in dangerous or sketchy places where governments tend to monitor communications. There’s also a promise of no backdoors offered for any individual, organization or government.

Though Silent Circle is now running a private beta, the plan, as I understand it, is to launch a public beta on July 15. We’ll hear more about it then.

Update: I initially spelled Zimmermann’s name with only one N. Sorry about that.

The German telecommunications firm is working with the security start-up to protect its large base of European Android users.

“We see a growing challenge to how we can secure our smartphones,” Deutsche Telekom Senior VP Heikki Makijarvi said in a telephone interview. Makijarvi said that his company can do a lot to secure its network, but that only goes so far when users are downloading any number of third-party applications.

Lookout’s global reach helps since new threats can crop up anywhere in the world.

“They detect it wherever it happens,” he said, even in “China or Asia where we do not have operations.”

As part of the deal, Lookout will also get some space at a Berlin office and work with Deutsche Telekom to develop new services over the next six to nine months. Lookout CEO John Hering said both Europe generally and Germany specifically are key markets when it comes to awareness about security and privacy. That makes Germany a particularly good place to try out new services.

“For us this is more than just a distribution relationship,” Hering said.

(Image via Vladru |Shutterstock)

The company has signed Shawn Henry, the FBI’s former executive assistant director of the Criminal, Cyber, Response, and Service Branch, as the new president of its services subsidiary, CrowdStrike Services. Henry is a 24-year FBI veteran who led some of the Bureau’s biggest cybercrime cases.

Crowdstrike was launched by two veterans of McAfee, the security software concern that’s now a unit of chip giant Intel: George Kurtz, McAfee’s former CTO, and Dmitri Alperovitch, its former Vice President of Threat Research.

Not a great deal has yet been disclosed about Crowdstrike’s approach to security, but in the February 22 blog post announcing the launch of the company, Kurtz explained that, having seen the results of investigations into several high-profile cyber attacks, the current state of security practice is akin to the old French Maginot Line that was intended to keep out the Germans.

Kurtz argued that once you know your enemy — the party that’s attacking you — the key to success in stopping their attacks on your digital assets is to raise the cost of the human-powered portions of their attacks. “The only way to accomplish that is by forcing them to change the way they conduct the human-led parts of their intrusions, such as reconnaissance, lateral movement, identification of valuable assets, and exfiltration,” Kurtz wrote.

Henry did a short video announcing his move, and I embedded it below.

We all know how that turned out. Dell first conquered the PC market, and the ultracompetitive environment it created drove several companies out of the market: IBM sold its PC business to Lenovo; Gateway sold itself to Acer; Hewlett-Packard acquired Compaq. Other lesser players are all but forgotten.

It’s as if Dell was a victim of the hyperefficient world it created. HP is now the world’s biggest PC maker, followed by China’s Lenovo, with Dell in third place on a global basis, as of last quarter.

PCs — consumer and business PCs — still amount to about half of Dell’s business. But there’s another way to look at Dell, and that’s from the point of view of its enterprise business. I learned this in a recent conversation with Steve Felice, Dell’s chief commercial officer. I also learned that the consumer PC business, for which Dell is still widely known in the U.S., amounts to about one-fifth of its business, while its enterprise lines of business, including commercial PCs, amount to 50 percent.

It’s all part of the long-term transformation that has been underway at Dell for a few years now. The company recently did three acquisitions in as many days, the most significant of which was for Wyse Technology.

That caught my attention. But first I wanted Felice’s reaction to the findings of a J.P. Morgan survey of 100 CIOs, saying that the release of Microsoft’s Windows 8 wouldn’t be much of a catalyst for PC buying at large companies.

(We had a pretty good talk, so, arbitrarily, I left in an eighth question from our exchange.)

AllThingsD: Steve, there’s a survey out from J.P. Morgan recently that says that CIOs from large companies don’t see Windows 8 as the sort of thing that would get them buying PCs again. That, to me, could be interpreted as bad news for Dell. Is it?

Felice: I don’t think so. Operating system changes have never been a catalyst, at least not in the corporate world. Consumers and small businesses take off with it right away. Corporations have rollout schedules, and they stick to them. Some of them are just starting to deploy Windows 7. They do their three-year roll-out schedules, and when it’s time they’ll go to Windows 8. About 55 percent of our business are the larger mid-sized and up public companies. The other 45 percent are small businesses and consumer. We’ll see some buying within that 45 percent. On the others, they will go on their normal schedule.

On the enterprise side, I was just with a bunch of CIOs here, and there are some very common themes about why I think they are going to spend some money. And it’s really to continue a transformation of their own infrastructure, to take advantage of virtualization and cloud computing and bigger pipes to transport information. There is a pretty common theme that there is more opportunity to get more out of assets. There is more optimism around moving away from legacy architectures and into open systems. The whole concept of being more “open to open” is there. We view that as good, because we’re the pure play when it comes to moving to open architectures.

What are the CIOs you talk to worried about these days?

Security. It’s easily in the top three concerns. We think we added to our portfolio two of the best assets out there. One is intended to tell you how to figure out what’s going on in their world. That’s what SecureWorks, a company we acquired recently, does. It analyzes your infrastructure and tells you where your threats are coming from and how to prevent them. And then we just announced the acquisition of SonicWall. They built a nice unified threat-management platform. From my viewpoint, it helps enable the movement to open. Some people are afraid to leave the proprietary world because they think it’s more secure.

Where are you on mobile? I read that you just killed a smartphone model. Where is Dell going on the mobile front?

I would characterize the last couple of years as us experimenting with what form factors and operating environments will work. The good thing is that we’ve never overextended ourselves in mobile, yet we’ve launched a lot of products, and we’ve learned a lot from them. We’ve launched tablets — 5-inch, 7-inch, 10-inch. We’ve launched them in emerging markets first, we’ve launched them in developed markets first. We’ve launched smartphones around the world. So we have an active smartphone that we just launched in China, and one in Japan. We just end-of-lifed one in the U.S., which is what I think you’re referring to. We have a road map of other products that are coming up. We are predominantly a commercial-oriented business that has some consumer business, but the lines are blurring.

What we’ve learned is to look at the consumer from the commercial side, not the other way around. Some companies who have done well in mobility are all about consumers and entertainment. And looking at the consumer as an individual, without any regard to how they might interact on the professional side of their life. Executives of any company I talk to say these devices are driving them crazy. They don’t know what’s happening to their information, how they get it back, nor how to interact with the other devices that people are bringing into the workplace. Or how to support them and control them. No one is dealing with that. So, generally, you’re going to see Dell think more broadly about the mobile ecosystem. When you next see devices from Dell, you’ll see us thinking more about the security of them, the end-to-end aspects of managing them, from the data center to the end user.

And yet what I’m hearing from a lot of companies is that they’re just adopting iPads, mainly because the bosses have them and love them. This is how Apple is penetrating the enterprise. How is Dell going to compete with that?

It’s unique, no question. And so it’s got some infatuation aspects to it. But then I talk to these customers, and because there isn’t a lot of alternatives, what they’re tolerating is pretty interesting. They say they have one of those products. Then the problems start coming out. First, the office applications don’t work very well, and they have trouble reading PowerPoint decks. And then they can’t wirelessly print easily, and some days they’re not able to get on the network at the office. And I look at that and say, they’re tolerating a lot because they like the form factor. Our conclusion is that there need to be some alternatives.

We’ve got the Dell XPS 13 Ultrabook, and we take it around and show it to customers, and invariably the decision-maker wants one. And then he says that if he had this, he never would have bothered with the tablet. So we took a consumer-oriented product and put pro support on it, and showed that to CIOs and said that if their executive team used it, they’d get the same support as they would on their Latitude product. So when it breaks, someone will come to the office and fix it, and you don’t have to go stand in line at the Apple store. Then we put image management on it. If you want a corporate image that has to be managed, we’ll do that. Institutions want thin and light devices, but they also want the options to secure and support them. The other thing that is happening, with ARM, you’ll get even more form factors.

Well, let’s talk about the PC, then. People keep talking about the decline of the PC. The research houses keep predicting market declines, and sometimes they materialize and sometimes they don’t. But even so, the numbers — at least globally — are flat to slightly up. Yet when you drill down to different regions, you see very different stories, with different countries growing like crazy. How does Dell see this right now?

This is a weighted math problem. The lowest growth rates are in the developed world, which will remain more of a replacement cycle world. The U.S. is like that because PC penetration is very high. Then you go to India and China, where it’s very low. What’s happening is that the emerging markets, where combined, they will be bigger than the developed world. And they are still growing rapidly, so the math is going to reverse itself. You’ll still see low-single-digit growth rates in the developed world, but healthy growth rates in emerging markets — but the emerging markets will be bigger. We still see double-digit growth in China. Look at Indonesia, there’s 300 million people just starting to buy PCs. As these countries industrialize and get more mature, they just need basic computing.

And how do those markets develop?

It comes back to the first thing I talked about. These countries don’t have the legacy baggage. They’ll grow, they’ll industrialize, they’ll need more infrastructure. And what will they buy? They’ll buy standard servers, storage, and open systems. This is happening in China, and its why we’re No. 1 in servers there.

Do you think people still associate Dell with the PC and don’t give it enough credit for its greater focus on the enterprise?

I’d have to say yes. Some of that is our own doing. We have this very large direct model, and we have a tendency to talk to customers one on one. So we tend not to do a lot of brand advertising. So our consumer advertising is more visible. If you ask people randomly what portion of our business is consumer, they’d say it’s more than half, but in fact it’s only about 20 percent. And if you ask people what portion of our business is servers and storage, they don’t know, but it’s more than 50 percent.

If you combine consumer and commercial PCs, how much is that?

About half is PC, and that’s global. But I think with all the acquisitions we’ve done, and a lot more customer testimonials we’re doing, the perception is changing. We’ve done some targeted testing of campaigns where we say, ‘Do you know that Dell does this?’ The perception of Dell as an enterprise provider skyrocketed. Brazil is an interesting case, because we entered the server and storage market there before the PC market. That’s because the only way to really be successful in Brazil with PCs is to have your own manufacturing there, because of the stiff tariffs. So in Brazil, Dell is thought of as an enterprise company. You’ll see more of a commitment this year to do more brand-oriented advertising around the enterprise.

Even though it’s one of the newest entrants to the Silicon Valley scene, social and mobile games company Zynga has already joined a small club of publicly traded tech companies paying for their executives’ personal security.

It’s no surprise that tech execs — the subject of increasing media attention — want to protect themselves, their families and their homes.

But only a handful of them do so with corporate money, according to documents filed with the Securities and Exchange Commission.

On March 14, for example, Zynga (which declined to comment for this article) disclosed to the SEC that it spent $1.37 million on CEO Mark Pincus’s security in 2011. By contrast, many far more established companies, including Yahoo, Apple, AOL, Intel, LinkedIn, Netflix, Adobe and Electronic Arts, do not pay for — or do not disclose details about — any security for their top brass.

As a recent article in The Wall Street Journal noted: “Among the 180 large companies analyzed by Hay Group so far for a coming pay survey, 24 reported amounts for CEO-security compensation that ranged from less than $1,000 to nearly $1.7 million.”

Zynga is third in costs, with only Lockheed Martin and Oracle clocking in higher.

As you might expect, the firms that sell them and the businesses that pay for them say that security packages are necessary expenses for the bottom line, rather than perks.

“Corporations want to make sure that the leadership within the company is not worried about their personal safety,” said Kenn Kurtz, CEO of security firm Steele International.

Hewlett-Packard, which has paid for some of its execs’ security in the past, said in its most recent proxy statement that protection is only disclosed to the SEC as a perk because “there is an incidental personal benefit.”

But for HP, at least, the numbers suggest that there’s more at play than just concern for the current leadership.

Its two recently resigned CEOs, Mark Hurd and Léo Apotheker, received $362,899 and $398,384 in home security benefits respectively on their way out the door, according to HP’s 2010 and 2011 proxy statements.

Never mind the fact that Apotheker led HP for less than a year or that, in his eleven months as CEO, the company’s stock dropped by more than 46 percent.

An HP spokesperson was only willing to reiterate the official explanation for the expenses. But, after hearing how much Zynga spent on security for Pincus in 2011, he chuckled and said: “As long as someone has a [bigger] number.”

Maybe not surprisingly, the biggest winner in Silicon Valley’s corporate-paid executive security scene is a much more stable CEO: Oracle’s Larry Ellison, the third richest person in the world. Between 2007 and 2011, Oracle, which did not return a request for comment, paid for more than $7.6 million worth of security for Ellison’s home in Woodside.

Kurtz said the specific reasons companies are willing to pay to safeguard their execs are all over the map. For example, that pricey protection Mark Pincus got in 2011? Zynga would tell the SEC only that the expense was motivated by “specific security threats” against Pincus and his family. In fact, Pincus got a restraining order against Vera Svenchina, a woman who allegedly left strange and threatening emails and voicemails for the Zynga CEO.

Facebook CEO Mark Zuckerberg — whose company covered $692,679 worth of security in 2011 — has also had to deal with a stalker. Last year, the social networking company executive obtained a restraining order against Pradeep Manukonda, a man who allegedly followed him in person and online.

Thankfully, violent or dangerous incidents involving tech executives are few and far between. The goal for security agents is usually to prevent incidents that cause personal embarrassment or damage to the company’s brand. Most famously, in 1998, protesters attacked then-Microsoft CEO Bill Gates in Brussels, Belgium — not with weapons, but with four cream pies.

Kurtz stressed that his employees are more like personal assistants than Hollywood-style bodyguards. “Unfortunately, there’s not a lot of sexiness in the job,” he said. “It’s 95 percent monotonous observation, with five percent spikes of exhilaration.”

By my scorecard, the article amounts to the first public comment Apple has made on the subject, period. And it’s very interesting indeed, especially in light of all the flak the company had been taking over what appeared, to some eyes, to have been an inadequate response.

First and foremost, Apple says, it is working on software to detect and remove the malware from an infected machine. Secondly, the company says it is working with Internet service providers around the world to disable the servers that are being used as the “command and control” network that’s basically telling compromised machines what to do.

Apparently it’s this effort that has caused trouble for the security outfit Dr. Web, which originally discovered the vulnerability in the first place: In working on shutting down the C&C servers, Apple apparently got servers that Dr. Web had used to track the spread of the outbreak shut down as well, according to this report on Forbes.com.

The vulnerability that allowed the malware to get through in the first place wasn’t in Apple’s Mac OS X itself, but in Oracle’s Java. Apple agrees with me at least with regard to machines running older versions of Mac OS: Disable it.

Anyway, here’s Apple’s article, in its entirety:

About Flashback malware
Summary

A recent version of malicious software called Flashback exploits a security flaw in Java in order to install itself on Macs.

Products Affected

Java, Mac OS X 10.6, OS X Lion

A recent version of malicious software called Flashback exploits a security flaw in Java in order to install itself on Macs.

Apple released a Java update on April 3, 2012 that fixes the Java security flaw for systems running OS X v10.7 and Mac OS X v10.6. By default, your Mac automatically checks for software updates every week, but you can change that setting in Software Update preferences. You can also run Software Update at any time to manually check for the latest updates.

Apple is developing software that will detect and remove the Flashback malware.

In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network.

Additional Information

For Macs running Mac OS X v10.5 or earlier, you can better protect yourself from this malware by disabling Java in your web browser(s) preferences.

Naturally, Windows apologists, sick of being the target of a decade of malware-based ridicule, were quick to jump up and down and scream that the Mac’s newfound market success has made it the next natural target for malware creators.

One thing that has been lacking of yet is a course of action for the 1 percent of Macs in use that have been hit with the malware. Kaspersky Labs, which did a thorough analysis of the malware today launched a Web-based tool to determine if your Mac is among those known to have contracted it.

The tool checks the Mac’s UUID number against a database of machines known to be affected and tells you if you have it, and if you don’t know what a UUID number is, it shows you how to find it.

If your machine turns out to be among the anointed 1 percent who some say are the harbingers of a new apocalyptic phase for Mac security, there is a removal tool.

So now that we’re nearing the end of this kerfuffle, what can we glean from this incident on the state of Mac security? First off, it’s necessary, as always, to include a hedging statement. In the investing world we often hear the phrase “Past performance is not an indication of future results.” It means that unknown, unforseen circumstances can always bring about a substantial variation in a known and established pattern.

On the subject of security the pattern has been this: Occasionally, a vulnerability, sometimes nothing more than a proof of concept, sometimes something a little more threatening, such as this Flashback malware or the MacDefender one that occurred last year, appears and re-opens the discussion. After years of marginal market share, the Mac now represents a juicy new target for malware creators, and Mac users are in for a rude awakening.

Indeed, various pundits have been saying that some onset of significant serious trouble for Mac owners is just over the horizon. This indeed could happen. A new supervirus could emerge tomorrow that causes all kinds of unforseen troubles. But it hasn’t yet.

Windows still remains a target. As recently as 11 months ago, Microsoft’s own data showed that of the 420,000 Windows users who downloaded a then-new malware removal tool, those who had infections averaged 3.5 threats per machine. And of the top 10 threats seen at that time, seven were the result of vulnerabilities in Java, something you should probably consider turning off, whether your computer runs Windows or Mac OS.

As of today, for those 600,000 people whose Macs are infected, they’re averaging only one threat per machine.

One is still too many, especially if it’s a bad one. And clearly Apple can’t act like it’s impervious to security concerns, yet there’s no evidence that it is. Just slow. Some critics have said Apple didn’t respond quickly enough to this latest outbreak, especially in light of the fact that Flashback/Flashfake took advantage of a Java vulnerability that has been known for about a month. Apple clearly could have and should have responded faster.

Apple last year hired David Rice, a former U.S. Navy Information warrior, so it has at the top of its security team a well-respected executive with a history of thought leadership on the subject.

The current state and future of Mac security will be a topic I hope AllThingsD’s Kara Swisher and Walt Mossberg ask Apple CEO Tim Cook about on the stage at D:10 next month. One hopes he’ll give us some visibility into the urgency or lack thereof with which Apple views the evolving threat landscape.

But if this is the worst that the malware creators can dish out, I still like my chances on the Mac. The apocalypse isn’t here yet.

Mr. Chambers, who was responding to a question at a Wall Street Journal event, didn’t cite any specific actions by Huawei, which competes with Cisco in sales of networking equipment. But he suggested that, by contrast, Cisco is considered trustworthy by governments around the world.

Read the rest of this post on the original site »

The news, released Sunday night in a statement, came after the company received a fresh blow over the weekend when Visa Inc. yanked its seal of approval from the company.

Read the rest of this post on the original site »

The full extent of the breach couldn’t be determined, one of the people said. It wasn’t immediately clear if cardholders have been hit by fraudulent transactions.

Read the rest of this post on the original site »

At a meeting in Washington, the Senate Armed Services Subcommittee on Emerging Threats and Capabilities heard testimony from experts that, essentially summarized, goes like this: The attackers already have access to the systems, so rather than try to lock them out, it’s now a matter of managing them, now that they’re in. Just as in the real world, spies are going to get into the country whether you want them to or not. So, knowing that they’re there, it makes more sense to make their day-to-day spying activities as difficult and costly as you can. DOD security practices currently focus on trying to keep intruders out.

“I think we have to go to a model where we assume that the adversary is in our networks,” James Peery, director of the Information Systems Analysis Center at the Sandia National Lab, told legislators, as reported by Threatpost, a blog produced by security firm Kaspersky Labs. “They’re on our machines, and we’ve got to operate anyway. We have to protect the data anyway.”

The hearing echoed some things we’ve been hearing on the security front from the likes of Art Coviello, the EMC vice president and former CEO of RSA Security, who spoke to AllThingsD recently.

Current practice calls for perimeter-based defenses that aim to put a defensive ring around a network to keep intruders out. That thinking is out of date and in need of a significant rethink, the panelists said. It should be noted that most of the agencies represented at the hearing were doing what government executives usually do when they go before the U.S. Senate: Jockeying for more funding.

That is, except for one agency: Michael Wertheimer, director of research and development at the super-secret National Security Agency (NSA), an agency whose budget is classified to begin with, said that current levels are sufficient, but that money needs to be spent more wisely. Then again, the NSA just built a massive data center in the Utah desert, which didn’t exactly come cheap.

You can watch a video of the 81-minute hearing here.

And it brings with it a lot of benefits.

“Organizations that have embraced (bring-your-own-device programs) have reported improved productivity and employee retention, enhanced mobility, a more flexible work environment and improved IT value to the business,” PricewaterhouseCoopers notes in a recent paper.

Plus, of course, it can save companies a boatload of money.

The question, then, is if and how businesses try to secure the corporate data that is inevitably finding its way onto these devices.

That was the topic of a panel I moderated at the Bubble Over Barcelona event held last week, just outside the grounds of Mobile World Congress. Folks from Lookout Mobile Security, Box, Enterproid and Appcelerator debated the pros and cons associated with this new era of mobility.

Most of the panel and audience felt that added security was a small price to pay for the added productivity that companies get with us strapped to our smartphones.

Extra thanks to Enterproid’s Alexander Trewby for being a good sport as the audience and I grilled him on some of his less-than-popular opinions, such as the notion that businesses shouldn’t have to pay for personal phone calls or home broadband.

It was a lively discussion. And, while I can’t promise you cava or tapas, there is a YouTube video of the panel:

RELATED POSTS:

• Tablets That Have a Certain Feel to Them
• A Lytro in Hand Helps Bring Mobile World Congress Into Focus
• Coming Soon: Phones That Learn to Rest When You Do
• Microsoft Won’t Support Some Business Features on ARM, but Will Offer “Windows to Go”
• Windows 8 Hits the Really Big Screen (Video)
• Microsoft Says Hola to Windows 8 Beta in Barcelona
• Microsoft Won’t Support Some Business Features on ARM, but Will Offer “Windows to Go”
• Google’s Schmidt Insists Android “A Real Operating System”
• Samsung’s Not Doing Well in the Tablet Market? You Don’t Say …
• Interview: Clearwire CEO Sees 4G Opportunities Where Rival LightSquared Stumbled
• RIM Exec: Developers Like Us Just Fine, Thanks
• Intel Announces More Phone Customers, Plans for Speedier Chips
• Mum on Own Phone Plans, Facebook Aims to Make Mobile Web App-Friendly
• Sony Insists It’s Not Just Playing Around When It Comes to Phones
• The Inside Story of Nokia’s 41-Megapixel Camera Phone: Five Years in the Making
• With Lumia 610, Nokia Aims To Take Windows Phone To a New Low (Price)
• Nokia’s Strategy Comes Into Focus in Barcelona
• HTC Introduces the One Phone It Hopes Will Help It Regain Footing (Well, the Several Phones)
• Sony Aims to Remake Name for Itself in Phones
• LG Shows Its Hand in Barcelona (After Already Tipping It)
• With Latest Galaxy, Samsung Looks to Project Its Android Lead
• Barcelona Subway Strike Averted on Eve of Mobile World Congress
• Complete Coverage of Mobile World Congress

]]> http://allthingsd.com/20120305/companies-let-workers-bring-their-own-devices-but-at-what-cost-video/feed/ 0 http://allthingsd.com/20120229/please-just-kill-yourself-now/ http://allthingsd.com/20120229/please-just-kill-yourself-now/#comments Thu, 01 Mar 2012 07:59:26 +0000 Eric Johnson http://allthingsd.com/?p=179596

So here’s a plea: if you have anything to do with security in a distro, and think that my kids (replace “my kids” with “sales people on the road” if you think your main customers are businesses) need to have the root password to access some wireless network, or to be able to print out a paper, or to change the date-and-time settings, please just kill yourself now. The world will be a better place.

– Linus Torvalds’s rant on Google+ about his negative experience with openSUSE on his MacBook Air, after his daughter was was asked for a root password in order to print from the machine

It went on to explain some of the circumstances of the attack, a little bit about what data was taken, and then later conceded that at least some of that information was used to launch an ultimately unsuccessful attack against the defense contractor Lockheed Martin.

Last year was a tough one for RSA. Its security tokens, which generate six-digit numbers that act as a second constantly-changing password to help keep intruders out of sensitive computer systems, are the backbone of the security systems of many companies and government agencies.

Art Coviello, the onetime CEO of RSA and now executive vice president of its parent EMC, will be giving a keynote address tomorrow at the annual RSA Security Conference in San Francisco. I thought it might be a good chance to talk with him about the legacy of the attack on RSA, see if there was anything new he could share about what was learned about the attack, and how what happened is shaping RSA’s thinking about the computer security landscape.

AllThingsD: Art, You’ll be speaking at RSA about a year after the infamous attack on your company. How are you approaching the speech, and what are you going to say?

Coviello: Part of what I’ll be talking about is the renewed sense of dedication we have to our mission, our responsibility to customers to regaining and maintaining their confidence. And also applying the lessons learned and sharing them vigorously, not only with our attack, but some of the other attacks that we have privileged insight into. And the bottom line is that we do hope, in the final analysis, that people have more of a sense of urgency in protecting themselves, because the truth of the matter is that we weren’t alone. The theme will be how security has to change from the kind of perimeter defenses that seemed to be dissolving even before our attack, to the requirement for more resilient security based on intelligence that you can get on a more real-time basis. So I’ll be outlining RSA’s vision for intelligence-driven security.

It will be a fairly strong call to action for the industry. We’ve had a great run in creating a trusted digital world, for all its weaknesses and idiosyncrasies. But as you see with trends like the consumerization of IT, we’ve never had a generation of employees and consumers that has been as technology-savvy as we have today, and in many instances they’re getting ahead of the enterprise IT organization’s ability to absorb the technologies they use day in and day out. And that puts an even bigger burden, from a security perspective, on IT organizations. And so they need to manage what they can’t directly control, and secure what they can’t directly control, and that means perimeters are nonexistent. So how do you get the intelligent controls you do have deployed more intelligently, so that even if things are out of reach, they’re not out of your ability to secure them? Our attack did not only raise awareness, but also the action level of people.

The attack that RSA suffered last year caught a lot of people by surprise. For those who haven’t kept track, have there been any new disclosures or information disclosed since, or is there anything new that you’ve learned?

No. And the funny part about it, as with all things in the press, if nothing bad happens, nothing gets written about. To date, there has been only one instance where it has been suggested that the information stolen from us has been used in another attack. And that was Lockheed Martin. And that attack was unsuccessful. There have been no other attacks, and believe me, we have stayed close with law enforcement and other sources, and have run down every one of these that has been reported, and there’s no substantiation of even another attempted attack, let alone a successful one. So we stand by the original decision we made in March, which was to announce that information had been stolen, to announce that you couldn’t launch a direct attack with the information stolen, and that if you took the remediation steps that we advised our clients to take, you’d be fine.

I think — and this is my theory — the attacker thought that they would be able to get in, steal the information they got from us without being caught, and then steal information from others, and combine them. And, quite frankly, because of our quick action in detecting that we were breached and some information stolen, we blew their cover. I can’t think of a reason to explain why they would go to all that trouble and you would only see one instance of a follow-up attack, and that one instance was stopped. And that got lost in all the coverage.

The impression I got was that the attacker seemed to get that this was an attack that was only partially successful, and that whoever it was — the speculation was that it was China — they only got a little of what they had hoped to get, and once detected, the jig was up. Is that more or less how you see it?

I couldn’t put it better than that. And we said that everything we saw pointed to a nation-state, but we never had the smoking gun to point to a particular country as the source of the attack.

So then what happened after the attack was that, since a lot of people and companies and government agencies had put a lot of faith in the RSA dongles and your system to keep people out, there was a bit of a crisis with that faith.

Totally true, let me step in here. That was one of the issues we had to wrestle with when the Lockheed incident happened. Because of the Lockheed thing, people thought we had to issue new tokens to everyone. That was not the case. We continued to stand by the remediation. But we had to recognize the angst and the perception among customers. And that is why we had to offer to replace the tokens. And sure, there were a number of customers who did, but the vast majority did not. No one likes the fact that it happened, but our concern right from day one was for the customers. The proof of the pudding is that our customers are still taking tokens. We’ve lost a negligible number of customers. And, in fact, we’ll be talking this week about some surveys showing that people are still buying tokens.

So you say in your remarks you plan to talk about real-time security intelligence, which is something I’ve talked about with IBM recently. Is real-time intelligence the direction where the entire security industry has to go?

First of all, the NetWitness — and this is another irony in all this — I signed the purchase and sale agreement to purchase NetWitness just a few days before the attack on RSA. And one of the reasons we bought it is that we had it deployed all across EMC. And we viewed it as being very effective in spotting anomalies in network traffic. So the issue today, especially with the porous perimeters that we have, is not whether or not you can or will be breached, because you can be breached. The issue is how fast can you spot it.

The Verizon data-breach report (PDF here) says that more than 90 percent of exfiltrations occur within hours or days of the initial breach. But about 79 percent of breaches aren’t spotted until weeks after they occur. We were able to see the attack in progress, which is why we were able to minimize the information that did get out, and we were within a blink of an eye of stopping the attack altogether. And it was based on this NetWitness technology. But since we acquired it, we have been leveraging it to see not just movements of packets, but to combine with our (Security Event Management) product to not just log information, but ingest all kinds of contextual information. This is unprecedented in security technology and, frankly, IBM doesn’t have it.

And one of the things that I’ll be saying in the keynote is that the age of Big Data has arrived for security, and it has. It is a Big Data problem. If you’re going to be able to spot these attacks in real time and have a resilient security system, as opposed to one that breaks and doesn’t bend, which is what the perimeter defenses do today, then you have to have real-time analytical capability. Only today do we have the storage and analytical capability, and the ability to deploy it at scale. One disadvantage of the attackers is that they are not legitimate. There will always be something in how they get access, or what they do, that will allows us to find them out.

The observation I made in talking with IBM last week is that there are so many new problems and threats emerging that it’s not only difficult to keep track of them, but it’s also hard to filter security vendors who offer conflicting visions and products they all say are a panacea. CIOs are getting confused, and are having a hard time calibrating their priorities. How do they find any clarity these days?

Let me read a line from my keynote: We have to stop being linear thinkers, blindly adding controls on top of failed models. It’s the model itself that is broken. If a vendor is coming to you, saying, “I’ve got this new control, just add it to this uncoordinated silo of controls that already exist,” then they are not doing you much of a service. What we’re advocating is that people double down on some of the qualitative things that have nothing do with technology. So the first element of having what we call an intelligence-driven security system is doing a better job of assessing and managing risk. And I’m going to put a challenge out to the audience, and I’m going to say that no one does this meaningfully, and no one does it well.

So what needs to change?

When I talk about understanding the threats outside-in, as well as inside-out, what I mean is not only understanding what your material assets are, but marrying that knowledge to an understanding of who might attack you, how they might come at you. The next step is getting leverage from the controls that you have. You have to disinvest in some. Let’s face it, 10 or 12 years ago, antivirus signatures numbered in the tens of thousands. Now they number in the tens of millions. How can that make any sense? As soon as you have a signature, someone has a new virus to overcome it. It’s these static models that don’t bend, but break, that have to change. The controls that we have have to be more intelligent.