September 27, 2000
Tripwire Teams With Lloyd's On Cyber Insurance

Worried about sustaining financial losses from a security breach? Perhaps you should consider cyber insurance. Tripwire, Inc., of Portland, Ore., and Lloyd's of London recently announced an agreement to offer a 10% discount on a Lloyd's e-Comprehensive cyber insurance policy to customers who properly deploy Tripwire's file integrity software. This follows an announcement in July by Counterpane Internet Security of San Jose, Calif., that it would offer customers the ability to purchase cyber insurance policies that are likewise backed by Lloyd's.

It makes sense for insurance companies to get in bed with security firms because the security companies can minimize the risk insurers have to assume when covering a company for cyber breaches. "As a software provider, we're dealing with cyber risk on a daily basis," says Wyatt Starnes, Tripwire's CEO. About 18 months ago, his company hired a consultant to look into whether insurance companies were offering policies to cover the risk associated with e-commerce. The consultant led him to Simon Milner, an associate with JLT Risk Solutions, a Lloyd's broker who developed the e-Comprehensive policy.

Milner says the idea for e-Comprehensive came to him about four years ago when an academic healthcare facility asked whether any of the various policies it had would cover cyber perils. The answer was no, but Milner quickly put together the first iteration of e-Comprehensive. "We are quite sure that the policy we put together, launched in October 1997, was the first dedicated hacker policy offered in the marketplace," he says.

But such policies have been slow to catch on in a big way, Starnes says. "One factor was that the insurers didn't have the tools and the know-how to really get in and understand the full degree of risk," he says. "If they don't understand the risk, it's hard to set premiums and actively promote their products."
The value Tripwire brings to the table is helping the insurance company understand what's at risk and helping a company get back online faster following a security breach. The latter is important because the Lloyd's insurance policy covers damage done after the breach, so the faster the damage is controlled, the less the insurer has to pay. "Insurance doesn't guarantee that you never have an accident, just that we'll help you get back on the road afterwards," Starnes says.

Tripwire helps in that effort by essentially taking a snapshot of any key databases and applications, to establish a baseline of what a system should look like. Should an intruder get in, Tripwire can pinpoint what was changed and help users quickly get the system back to its previous, normal state.

The e-Comprehensive policy covers "first party perils," meaning damage to the policy owner's network and any implications of that damage, such as loss of business revenue as a result of a hack. Such repercussions are covered for one year after an attack, Milner says. Also covered is the cost to reconstruct lost or damaged data and the electronic theft of money from a policy holder's bank account. "Another thing that sets us apart is we will cover the value of the intellectual property if it has been underwritten appropriately," he says. For example, if a pharmaceutical company is developing a new drug and assigns a value to that intellectual property in its application form, the value can be covered if the property is compromised.

Starnes notes that Tripwire isn't a requirement for the e-Comprehensive policy, but customers are given incentives to use the product through the 10% discount. While the price of an e-Comprehensive policy varies widely depending on factors such as the nature of the business and number of employees, the discount can mean significant savings. For example, Milner says a U.S. distribution company that has about $3 billion in annual revenue and 6,000 employees paid approximately $500,000 for a $50 million policy, mainly to cover the network that supports its distribution efforts.

www.tripwire.com

Infrastructure: Systems Management

Optika Targets E-Transaction Management

Grapple with transaction management over the Internet, and you might find yourself with a nice business opportunity. That's the plan of Optika of Colorado Springs, Colo., which is positioning itself to support transaction management over the Web.

Founded in 1988, Optika's origins are in managing paper-based business transactions. Its products included Accorde Context, for capturing, storing and retrieving contents such as electronic data interchange transactions, faxes and forms. That product has been Web-enabled. Accorde Process is a workflow automation tool that can deliver relevant information to desktops that also have been Web-enabled. Accorde Resolve is a new product that links to the other two and supports collaboration around transaction issues. Resolve supports discussion and resolution of the issues.

A study done of more than 160 Optika customers by IDC, a Framingham, Mass., research firm, showed that more than 11% of business transactions experienced a problem requiring intervention. The average cost to process a problem transaction was $45, $30 higher than a normal transaction. Paper-based methods were the primary means of processing business transactions, scoring more than 90%, while electronic/Web transaction processing was just more than 30%.

The market these products support could be called Collaborative Commerce. Or it could be called Web Resolution, or Transaction Problem Resolution, or Coordination Services or Linkage - it depends on which analyst group wins out. But the focus is high-volume business-to-business transactions. "No one else is doing this," said Steve Maegdlin, vice president of product marketing. He might be right.
Optika prices the product at $100,000 for a site fee including 25 virtual offices. The software runs on Windows NT and uses the Microsoft IIS Web server engine.

The company faces challenges in getting its message across. "Nobody is raising their hand and saying they want to address the transactions issues" around B2B commerce, Maegdlin said. "Gaining mindshare is the biggest challenge."

A research brief from Forrester Research, Inc., a Cambridge, Mass., research firm, characterized Optika's offering as a "resolution hub" that captures the context of a failed e-business transaction, thus letting trading partners resolve problems. The inability of Web markers to notify all parties when an order cannot be completed is putting the onus for successful transactions squarely on users, the Forrester Brief suggested.

The Adrenaline Rush to Build E-Business

Visionary businesspeople looking to build the next generation of digital businesses may need a shot of Adrenaline. That's the hope of The Adrenaline Group of Washington, D.C., formed in 1997 to help businesses build advanced applications that offer high value-add to their customers.

The company focuses on product management, highly skilled development and "extreme" project management. They first get involved by understanding the business of the customer and defining requirements. Once the technical expertise needed is understood and the project begins, the project management begins. "We help IT organizations manage a portfolio of initiatives," said Scott McLoughlin, chairman and CEO of Adrenaline Group.

Most projects are broken into eight to 10 milestones, each marked by a deliverable asset. Clients are involved with the Adrenaline Group team, and the interaction is constant. "It doesn't follow the Gantt chart view of the world," McLoughlin said. Pricing is based on time and materials; the average engagement costs customers approximately $900,000, he said.

Adrenaline has 65 customers to date.
They include start-ups, "dot.corps" and technology companies. Customers include Linuxcare, Inc., the Washington Post, Petsmart.com and Panasonic Online.

Technologies favored by Adrenaline include server-side Java, Win 32 C++, Linux, Solaris, CVS, Oracle, Emacs, open source tools and their own middleware called Rush. In the XML area, the company has worked on XML remote procedure call (RPC) code. Adrenaline is also conversant in the Simple Object Access Protocol (SOAP), the protocol originated by Microsoft for accessing objects on the Web that is winning broad industry support. SOAP employs XML syntax to send commands using HTTP. "SOAP comes out of the XML RPC effort," McLoughlin said.

The company hires experts in their focused technology areas. Cofounder and CEO McLoughlin worked at the Futures Group, Conscious Computing and FreeLoader, Inc., where he managed the development of an Internet push technology product. That company was sold for $38 million. Cofounder Greg DuPertuis, president of Adrenaline, also worked at FreeLoader as director of software development. He has programmed in C++, Java and Lisp.

Other team members include:
Sigaba Offers Simplified E-mail Security

In World War II, the U.S. developed a machine called Sigaba to enable high-level officials to send encrypted messages to one another. Other countries had similar machines, but Sigaba was the only encryption device whose scheme was never cracked by an enemy during the war. (By contrast, the Allies rather early on cracked Germany's Enigma machine, as detailed in the compelling book, The Ultra Secret, by F.W. Winterbotham.) The last working copy of the machine sits in a submarine in San Francisco Bay.

With that in mind, an e-mail encryption company in San Mateo, Calif., named itself after the machine when it was founded in 1999, according to Richard Bliss, vice president of marketing for Sigaba Corp. Sigaba offers software that Bliss says makes it easy for users to encrypt and decrypt mail messages, combatting what he says has been the biggest problem with e-mail encryption tools to date.

Bliss cites a recent study at Carnegie Mellon University dubbed "Why Johnny Can't Encrypt," in which 20 graduate students were given instructions on how to use the Pretty Good Privacy Protocol to encrypt an e-mail message. Fewer than half the students could complete the task in the allotted 90 minutes, he said.

SigabaSecure uses a plug-in module that works with popular e-mail programs and services, including Eudora, Outlook, Lotus Notes, Netscape Messenger, Novell GroupWise, Yahoo! Mail and Microsoft's Hotmail. To send a secure message, users merely click a button. The plug-in then makes a Secure Sockets Layer (SSL) call to a SigabaSecure server. If it's the first time the user is employing the tool, the server will ask for his e-mail address and password. Once authenticated, the server passes a key down to the plug-in, which uses the key to encrypt the mail message via the Blowfish algorithm. The key is good only for that message; it is never used again.
A distribution list of the recipients that the sender has authorized to receive the message is then sent to the server.

At the recipient end, one of two scenarios will play out. If the recipient already has the SigabaSecure plug-in, the secure message will be tagged as a Sigaba message and the plug-in will establish an SSL session with the server. The server will check its distribution list to make sure the recipient is authenticated for that message. If so, the server ships a key to the plug-in, which uses it to decrypt the message. The message is then dropped into the recipient's in-box in the clear. If the recipient doesn't have the SigabaSecure plug-in, he will receive a message full of gibberish, but the first two lines will explain that the message is encrypted and offer a URL to click on to download the plug-in.

The whole process adds a small amount of overhead, but Bliss says keys are passed in less than a second and a one-page Microsoft Word document will likewise be encrypted or decrypted in less than a second.

The weak link in the Sigaba setup is the password. Essentially, if you know a user's e-mail password, you can "steal" his Sigaba key. Bliss says this is the equivalent of a VeriSign level 1 digital certificate. "Whatever piece requires human intervention is always going to be your weak link," he says. The next generation of the product, due out by early November, will be able to support digital certificates for authentication, offering a higher level of security.

Sigaba offers SigabaSecure as both a service for individuals and as a product that enables enterprises to set up a secure mail service for employees and business partners. The client software is available free from Sigaba while the server component, also due out in early November, will be priced for traditional enterprise use at about $1 per month per user, with a $500 minimum, for unlimited usage.
For companies that are in the business of sending out e-mail, Sigaba charges about 3 cents per transaction.

In the enterprise scenario, the server software sits next to an SMTP mail gateway. Messages are sent in the clear locally but are encrypted as they pass through the gateway. The server can enforce policies that dictate which messages should be encrypted, such as all communications with a particular partner company.
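
The key issue and release flow described in the Sigaba article above, modelled as an added example; it is not Sigaba's code. The class and method names, the PBKDF2 password storage and the 128-bit key length are assumptions, the two sender steps (get key, send distribution list) are folded into one call, and the Blowfish encryption step is left out so that only the server's release decisions are shown.

```python
import hashlib
import hmac
import secrets


class KeyServer:
    """Toy key server: one fresh key per message, released per distribution list."""

    def __init__(self):
        self._users = {}     # e-mail address -> (salt, password hash)
        self._messages = {}  # message id -> (key, authorized recipients)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, email, password):
        # First use: the server asks for an e-mail address and password.
        salt = secrets.token_bytes(16)
        self._users[email] = (salt, self._hash(password, salt))

    def _authenticate(self, email, password):
        # Unknown users get a dummy salt and an empty hash, so they always fail.
        salt, stored = self._users.get(email, (b"\0" * 16, b""))
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            raise PermissionError("authentication failed")

    def issue_key(self, sender, password, recipients):
        # Sender side: authenticate, hand out a single-use key, record who may read.
        self._authenticate(sender, password)
        msg_id, key = secrets.token_hex(8), secrets.token_bytes(16)
        self._messages[msg_id] = (key, frozenset(recipients))
        return msg_id, key

    def release_key(self, msg_id, recipient, password):
        # Recipient side: the password is the only proof of identity, which is
        # why the article calls it the weak link; then check the distribution list.
        self._authenticate(recipient, password)
        key, allowed = self._messages[msg_id]
        if recipient not in allowed:
            raise PermissionError("not on distribution list")
        return key


def denied(call, *args):
    """Return True if the server refuses the request."""
    try:
        call(*args)
    except PermissionError:
        return True
    return False
```
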
Copyright © 1999-2001 Software Magazine and Wiesner Publishing