Mad Dog 21/21: Monkey Business
May 2, 2011 Hesh Wiener
It had been a long, difficult day for Tarzan. He was pleased to finally make that last swing into his tree house, where Jane was waiting. “Honey,” he said, securing the vine so it would be ready in the morning, “it’s a jungle out there.” The fictional jungle in which Tarzan lived had its share of two- and four-legged miscreants, but it was a safe haven compared to that digital sewer, the Internet, where IBM is trying to build a trade in security.
IBM dove into the deep end of the security business about five year ago when it bought Internet Security Systems for $1.3 billion. At the time, ISS was getting most of its revenue from sales of security appliances and a services business based on updates and support of those devices; in addition, ISS had acquired a couple other companies with security software products. The current set of offerings is largely tucked into IBM’s Tivoli products group but Big Blue still offers security services that are woven into its services business.
In an effort to gain visibility and build up business, IBM has been trying to gain mindshare by publishing reports derived from its research into threat patterns. One series is a large semi-annual study of the full range of security threats. Another is a shorter quarterly publication that concentrates on one or just a few topics in each edition. By writing the book, or many books, on computer security, IBM may achieve success the way Tarzan’s creator did when he went into publishing.
Edgar Rice Burroughs brought Tarzan the ape-man to the public 99 years ago. Tarzan’s life subsequently unfolded in more than two dozen novels. Burroughs was born in Chicago, but went west, ending up in California, where he bought a ranch. This property, which Burroughs named Tarzana, grew into the eponymous town. In addition to the Tarzan series, Burroughs wrote a heap of books set far from the jungles of Africa, including a series of science fiction stories set on Mars. Burroughs also wrote westerns.
As his work caught on, he moved from writing into publishing, successfully printing his own novels and making a pile of money during the Depression. He grew and changed considerably, but never lost his sense of adventure. Well into his 60s when America entered World War II, Burroughs decided it would be fun becoming a war correspondent, closing a career loop that began when, in his youth, he had been a cavalryman in what was then the Arizona Territory.
In Tarzan of the Apes, the seminal Tarzan novel, the protagonist, raised by gorillas, at first speaks only gorilla language but manages to teach himself how to read and write English through books that had belonged to his deceased parents. Later, with help from an adventurer who befriends him, Tarzan learns to speak French and English. He figures out how to pass himself off as a citizen of contemporary Western civilization . . . but he remains at heart a uniquely wild creature.
Had Burroughs lived a half-century later, his interest in the tension between the true nature of a character and the way others perceive that character might have made him an astute observer of malware and spam, data that looks like one thing but turns out to be quite another, or possibly an analyst of the people who create this sort of stuff.
IBM could use somebody with Burroughs’s gifts about now. It has gotten pretty far into the computer security business, offering hardware, software, and services. IBM’s reports on security threats are jam-packed with analysis of nefarious activities ranging from the most destructive malware to run-of-the-mill junk email. But so far IBM has not mastered explaining itself as a security company even if it has done a pretty good job analyzing the hot issues. Somehow, IBM has not been able to gain the mindshare it needs to become a top player in this segment.
But it’s not as if IBM has utterly failed. It has done a very good job getting the attention of top consulting firms like Forrester Research. But for a number of pretty good reasons, including the fact that computer security is mainly a matter of Windows and Windows applications security, IBM seems to be having a difficult time persuading users that Big Blue is the place to go for protective services. If you raise the topic of computer security vendors in your office, chances are people will talk about Norton or its parent, Symantec, plus McAfee, now a member of the Intel family. Computer professionals may also mention Cisco Systems and Juniper Networks or talk about some ambitious firewall vendors. IBM just isn’t all that high on the list.
One of IBM’s problems is its conflicted focus. It can provide services directly but it also says it wants to work through resellers. But IBM’s most loyal resellers are the ones that are authorized dealers in IBM servers, and IBM servers are not at all the main focus of the security business. IBM’s own data shows that security threats hit endpoints, and endpoints mean Windows clients, Macs, Android machines, iPads, iPhones, and anything else that packs a Web browser. Sure, malware can get to a server and some kinds of malware are designed to invade Web servers, but for the most part the entry point for the predatory code is going to be an end user’s computer, smart phone, or tablet device. Even the kind of stuff that goes after databases, SQL injection attacks, come at their targets through client machines.
So it’s understandable that after putting five years and ten figures into the game, IBM is just not happy with the results. Or, perhaps more accurately, it is pleased that big name consultants see that Big Blue is a serious player but disappointed that end users simply don’t appreciate all the effort IBM has put in.
What IBM seems to be having trouble with is something that malware creators are great at: shaping the behavior of computer users.
The people who hack together viruses, Trojans, and email cons are adept at exploiting the gullible. Malware is often built to appear benign or even useful from the outside; it must successfully masquerade as legitimate software to hit its target. Malware often needs a bit of help from a computer user to spring its trap. Typically, the code requires require some initiating action ranging from a mere mouse click to a complete package download and installation. The malware creator must persuade a skeptical facilitator to trust something that will, pretty soon, prove to be quite untrustworthy.
Similarly, spam often carries messages that are deceptive in a somewhat different way. Some spam simply wants to get the recipient’s attention, after which its message will deliver customers to the vendor whose wares are promoted by the spam. Other spam tries to persuade the mark to disclose personal information, account names or numbers, password data or other valuable material. Still other spam wants to get a live browser pointed at a hostile server; once the link has been exercised, the attack server will take it from there.
But not all threats fool end users into clicking or typing things they will ultimately regret. One of the most famous bits of malware that has been in the headlines recently, Stuxnet, is believed to have been propagated via USB memory devices, which can start executable code as soon as they are plugged into a computer. If you wonder how this can happen among people who are technologically sophisticated, the way atomic energy scientists are presumed to be, maybe you should start by talking to IBM, and not about Stuxnet but about the time last year when it handed out infected USB memory sticks at an Australian security conference.