Security Laboratory


Sec Lab: Security Products

In 1995, if you wanted a security product, you downloaded the source and compiled it on your Sun 3; today we buy supported commercial products. This series in the Security Laboratory introduces you to some of the products out there and, when possible, the movers and shakers on the teams that create them.


Interview with Todd Bransford of Cyveillance

By Stephen Northcutt

Thank you Todd, can we start by introducing what Cyveillance is?

Cyveillance is a cyber intelligence company. What we do is provide an additional layer of security by scanning outside the traditional network perimeter to identify threats on the open Internet. We call this an intelligence-led approach to security.

Intelligence-led security has been used in the physical world for decades. Think about us average consumers. To physically protect ourselves from threats, we put locks on our doors and windows, we install motion detectors and alarm systems and we put fences around our yards. Beyond this, we count on our local police to keep our streets safe, our armed forces to protect our borders and the intelligence agencies of our governments to identify potential threats emanating from other regions of the world. Individually, none of these security approaches adequately protects us from all forms of threats. But when used together, these varied approaches allow most of us to sleep well at night knowing we are safe from security risks.

The cyber world is no different. Enterprises harden their perimeters with firewalls, anti-virus and access control systems. They layer cyber intelligence on top of these technologies to provide security for their customer interactions happening in other regions of the Internet. This is where Cyveillance comes in.

Cyveillance first began delivering intelligence about Internet-based threats to enterprises back in 1998. At the time, many of the early Internet innovators were plagued by competitors and predators that were diverting customers and revenues through search engine gaming, cyber squatting and counterfeit product distribution. To help companies manage their revenues and customer trust, Cyveillance developed technology to continuously scan the Web and identify actionable threats for remediation.

I understand; SANS has that problem all the time: someone will register "GIAC-Training.Com" and put up a fake site. It is a huge problem. It used to be that you just needed to register your domain name for .com, .org and .net; nowadays SANS has over a hundred domains for things that sound similar to us. How else are things changing?

Good point, Stephen. Well, since those early days at Cyveillance, the scope and nature of Internet-based risks have changed dramatically. Many of today’s threats are extremely malicious and reflect the operations of highly sophisticated and organized criminals. To help our customers proactively identify and manage these evolving risks, Cyveillance expanded its original technology to monitor the dynamic and transient portions of the Internet, including blogs, message boards and spam email, as well as to detect new threats, such as information leaks, insider threats, compromised identities, Web-based malware distribution and phishing attacks.

Where do you get the information from Todd, couldn't you just find that with a Google search?

Cyveillance exclusively gathers information from the public Internet using specialized technology. The technology was expressly built to comprehensively detect online threats rather than index popular Web content for the purpose of generating advertising revenues like a search engine does. Therefore, it covers far more ground than traditional search engines.

NOTE: Cyveillance responded to this question by showing SANS' intellectual property expert examples of web pages that infringed on the SANS trademark and that, in fact, we could not find using Google.

OK, I'm impressed, how do you do this?

Cyveillance’s continuous monitoring technology thoroughly sweeps the Internet, monitoring and collecting information from domain name servers, Web sites, millions of blogs, message boards, IRC/chat channels, spam emails, bot networks and more.

Most recently, Cyveillance expanded beyond enterprise solutions and we began using our technology to generate OEM Content products for use by service providers, search engines and security companies to directly protect consumers from Internet threats. Today, over 30 million global consumers are protected by Cyveillance through partnerships with service providers that include AOL, Microsoft, Intersections and Trusted ID.

So it is more than brand; you are also offering identity management services as well, then. Can you talk a bit about a customer that is willing to be used as a case study, their problem and how you helped?

In the energy sector, Constellation Energy partnered with Cyveillance to identify threatening online discussions that targeted their facilities and employees. In addition, they were concerned about information leaks on the Internet. As documented in a 2006 article in eWeek (,1895,1914978,00.asp), Cyveillance proactively alerted Constellation Energy to coordinated plans by anti-nuclear activists involving one of its facilities. In addition, Cyveillance turned up intellectual property (IP) that was being leaked to the Internet by former employees. In each case, Cyveillance’s Internet monitoring services provided Constellation Energy with the ability to identify and proactively mitigate issues that were identified quickly and effectively and minimize their impact.

There are a couple of sites that have posted reports critical[1,2] of Cyveillance, what is your response to them?

From time to time, people post their opinions about Cyveillance and intelligence-led security on the Internet. I have directly spoken with a number of these individuals. In most cases, once you get past the misinformation that is out there, I find that these people simply don’t like the fact that they cannot choose who sees the information they have chosen to post to the public Internet. Often these are solid individuals who, believe it or not, never really considered the fact that what they put online is available for everyone to see. Think about how many people volunteer detailed personal information in their blog profiles or on their MySpace pages. Most forget to consider how this information is a boon to identity thieves because they assume only their friends will read it.

There is also a smaller group of individuals who do things like construct conspiracy theories or are trying to hide the fact that they are engaged in unlawful activities. If you read through the sites that these types of people maintain, it is usually easy to understand their motivations. Given what we do at Cyveillance, I think postings like these are to be expected.

Fair enough, Google's mission statement is to index the world's information[3] so if it is on the web they will probably find it and no one seems to be too upset about that. Todd, can you share a bit about where you plan to be in a year or two, what is hot?

We anticipated the online risks that would accompany the Internet’s second wave, what many call Web 2.0. In this next wave, millions of people are now harnessing the Internet to network with each other socially, create and share content and buy products and services in even greater amounts and in more dynamic ecommerce environments.

Yes, yes, it is amazing, I think they call it social media, and it certainly introduces security issues, where does Cyveillance fit into that?

Through our monitoring of the Internet, we see Cyveillance at the forefront of helping to manage Web 2.0 data sources that get richer as people use them. Through better, more proactive management of threats to information, infrastructure, individuals and their interactions, our customers can protect their relationships with their own customers. This produces a win-win for enterprises and consumers.

Please expand on that just a bit, perhaps give me an example. SANS has lots of customers; how could we be at risk from content from social media sites? Is the biggest risk someone saying something bad about us?

This goes far beyond tracking consumer opinions on social media sites. We’re talking about malicious threats with clear financial motivation.

A very topical example is malware. We’re seeing a strong trend toward using the Web as the attack vector for distributing malware to consumer computers. Just by visiting a particular Web page, consumers are infected with sophisticated malware that tracks where they go online, records their keystrokes and screen scrapes the display on their monitors. Personally identifiable information, as well as user names and passwords are then forwarded by the malware to command and control servers operated by the criminals. The consumer never knows what hit them.

The reason this is scary is because in the Web 2.0 world, it is easy for a criminal to inject malware directly in social content. SANS customers who visit these social media sites may never know that their machines are infected until after they realize financial and identity-theft related crimes have occurred.

Interesting, I will have to think about that some. Finally, Todd, can you tell the reader just a tad about yourself?

I have spent the last 19 years working in software and technology companies, spending most of my time in product management and marketing-related roles, including the last seven years here at Cyveillance. Like many of the people working at Cyveillance and in the broader security industry, I have found the higher purpose of helping to defend against online risks that threaten consumers, children and corporations to be a particularly gratifying experience.