Rational Survivability

This fourth instance of Take 5 interviews Shlomo Kramer, Founder and CEO of Imperva.

First a little background on the victim:

In 2006, Shlomo Kramer was selected by Network World magazine as one of 20 luminaries who changed the network industry.

Prior
to founding Imperva, Mr. Kramer co-founded Check Point Software
Technologies Ltd. in 1993. At Check Point, he served in various
executive roles through 1998 and as a member of the board of directors
through 2003. While at Check Point, Mr. Kramer played a key role in
defining and creating several category-defining products and solutions,
including FireWall-1, VPN-1, FloodGate-1, Check Point’s OPSEC alliance,
and Check Point’s security appliance program.

Mr. Kramer has
participated as an early investor and board member in a number of
security and enterprise software companies including Palo Alto
Networks, Serendipity Technologies, and Trusteer. Mr. Kramer received a
Masters degree in Computer Science from Hebrew University of Jerusalem
and a Bachelor of Science degree in Mathematics and Computer Science
from Tel Aviv University.

Questions:

1) As most people know, you are a co-founder of Check Point and the CEO of Imperva.  You’re a serial entrepreneur who has made a career of bringing innovation to the security market.  What are you working on now that is new and exciting?

All my time has been devoted in the last few years to Imperva. This project continues to excite me. After five years of hard work, it is very rewarding to see Imperva being recognized as the leader in application data security and compliance. Imperva delivers data governance and protection solutions for monitoring, audit, and security of business applications and databases. This is really a hot issue for organizations given the new threat landscape, regulations such as PCI and SOX and the ever increasing privacy legislation. I have always believed what we do at Imperva will define a new product category and the last couple of years have been a big step towards that.

I am also involved as an investor and board member in a number of other great security startups.  One example is Palo Alto Networks (www.paloaltonetworks.com), a next-generation firewall company. Their products provide full visibility and policy control over applications across all ports, all protocols, all the time–with no performance degradation. We’ve just launched the company, it’s an exciting time for Palo Alto Networks.

Another great company I am involved with is Trusteer (www.trusteer.com). Trusteer addresses the critical problem of protecting on-line transaction. Trusteer came up with a revolutionary way to protect online business from any "client-side" identity threat such as phishing, pharming, and crimeware. Helping business strengthen consumer trust, reduce costs, and differentiate online services is a big challenge and Trusteer has a very interesting and unique solution.

2) So tell us more about Palo Alto Networks on whose Board you sit.   The company has assembled an absolutely amazing group of heavy hitters from industry.  Either you’ve already got the company sold to Cisco and everyone’s signing on for the options or this is really going to be huge.  What’s so different  about what PAN is doing?

Existing firewalls are based on Stateful Inspection, which employs a port and protocol approach to traffic classification. The problem existing firewall vendors face is the fact that much of their core technology (Stateful Inspection) is over a dozen years old and new applications have found a variety of ways to evade or bypass them with relative ease. Attempts to fix the problem by firewall vendors include ‘bolting-on’ Intrusion Prevention (IPS) or Deep Packet Inspection as an additional feature have proven unsuccessful, resulting in significant issues with accuracy, performance and management complexity.

Starting with a blank slate, the Palo Alto Networks founders took an application-centric approach to traffic classification thereby enabling visibility into-and control over-Internet applications running on enterprise networks. The PA-4000 Series is a next-generation firewall that classifies traffic based on the accurate identification of the application, irrespective of the port, protocol, SSL encryption or evasive tactic used.

3) Having been an early adopter of Check Point, Imperva, Vidius, Skybox, Sanctum, etc. I clued in long ago to the power of the Israeli influence in the security industry.   Why are so many of the market leading technologies coming out of Israel? What’s in the water over there?

Really the start was with IDF based incubation of security know-how some 20 years ago. That for sure has been the case when we started Check Point. Over the years, an independent security community has emerged and by now it is very much a self perpetuating eco-system. I am very proud of being one of the founders not only of Check Point and Imperva but also of this broader Israeli security community.

4) We haven’t had a big worm outbreak in the last couple of years and some would argue it’s quiet out there. While identity theft leads the headlines these days, what’s the silent killer lurking in the background that people aren’t talking  about in the security industry?

When we started Imperva in 2002, security was all about worms – it was about a “my attack is bigger than yours” hacker mentality. We believed that future threats would be different and would be focused on targeted attacks.  We placed a bet that the motive of hackers would shift from ego to profit.  We’ve definitely seen that trend materialize over the last couple of years. On the server side, 50% of data leakage involves SQL-injection attacks and XSS is increasingly a leading threat, especially with the added complexity of Web 2.0 applications. Additionally, on the client side we are seeing many more targeted attacks, all the way down to the specific brokerage and on-line banking system you are using. The crimeware infecting your laptop cannot be addressed by a generic, negative logic solution, like anti-virus or anti-spyware, nor will strong authentication help circumvent its malice.
These targeted attacks on business data and on-line transactions are the focus of both Imperva and Trusteer. Imperva focuses on the server side of the transaction while Trusteer focuses on the client side.

5) With Imperva, you’re in the Web Application Security business.  What’s your take on the recent acquisitions by IBM and HP and how they are approaching the problem.  For companies whose core competencies are not focused on security, will this sort of activity really serve the interest of the customer of is it just opportunism?

Just to clarify, Imperva is actually in the application data security and compliance business, a major component of which is Web application security.  Securing databases and big enterprise applications are also part of that picture, as well as addressing regulatory mandates around data usage.  It’s all interrelated.

I think the moves by HP & IBM validate a general trend that we at Imperva have been evangelizing for some time — that application security is a huge issue, and we as an industry really need to get serious about protecting business applications and data.

I would argue that they won’t solve application security and compliance issues with these acquisitions alone.  The reason is that these solutions are only scratching the surface of the issues.  For one, most organizations use packaged applications and don’t have access to modify the source code to fix the issues they might find.  And lots of organizations take a long time to fix code errors even if they do have the capability to modify the code.  This argues for an independent mechanism to implement protections outside the code development / fix process. 

But the larger issue is scope – the data that organizations ultimately want to protect usually lives in a database and is accessed by a variety of mechanisms –applications are one, but direct access by internal users and other internal systems is another huge area of risk.  So addressing only one part of the application’s relationship to this data is not enough.  In my opinion, addressing the whole application data system is ultimately the way to address the core application and data security issue.