Is Zero Day a Cash Cow?

Here's the big chicken-and-egg problem of IT security: Traditional intrusion-and-prevention systems rely on a virus signature to identify the attack, but what do you do if you have been targeted by a new, unknown virus whose signature is not yet known? (See Security Approaches Day Zero.)

Increasingly, security vendors are launching products that target the initial effects of an attack, rather than the virus signature. This could be, for example, a PC that suddenly starts sending out thousands of emails after being infected by a virus. Known as "zero day" technologies, these products can then isolate the rogue device before other machines are infected.

Paul Proctor, vice president of analyst firm Meta Group Inc.says that the market for these types of product is turning into an "arms race," with vendors increasingly looking to add new capabilities.

This week, after three years in the research lab, California vendor eEye Digital Security became the latest firm to enter the zero-day fray. The companys new "Blink" product works by installing a software agent on devices such as laptops, PCs, and servers (see eEye Launches Blink).

The agents, which are managed from a central point in the data center, use a network firewall to prevent unauthorized programs from running on the device. They can also control unauthorized connectivity from other devices and detect non-compliance with security policies, according to the vendor.Targeted at large-scale enterprises, the software works in the network layer within a device’s operating system. According to Firas Raouf, eEye Digital’s COO, this enables Blink to capture infected packets of data before they reach the operating system's process layer, where applications reside.

But eEye Digital is not the only player in this space. A number of vendors already have offerings to protect against the unexpected. These include Platform Logic Inc.'s AppFire Suite, eTrust Access Control from Computer Associates International Inc. (CA) (NYSE: CA), and Sana Security Inc.'s Primary Response.

However, execs at eEye Digital are putting Blink up against the best known zero-day product on the market: Cisco Systems Inc.’s (Nasdaq: CSCO) Cisco Secure Agent.

CSA works by analyzing the behavior of servers and desktops. In a previous incarnation, it was Okena's StormWatch product. After acquiring the security specialist last year (see Cisco Completes Okena Buy), Cisco “launched” CSA.

Blink is a good example of how startups can rival Cisco by beefing up the capabilities of zero-day security, according to Meta Group's Proctor. “It looks like they have got a decent offering,” he says. "If this is an arms race, they have got a lot of bullets."But, there’s a catch. Proctor warns that, if they are not deployed carefully, zero-day technologies can cause problems such as setting off false alarms -- or even create problems themselves.

”Enterprises that want to use these products have got to go in expecting to do some work to configure them properly so that they don’t cause a denial of service,” he says.

— James Rogers, Site Editor, Next-gen Data Center Forum