Security Laboratory

Security Laboratory

Sec Lab: Security Products

In 1995 if you wanted a security product, you downloaded the source and compiled it on your Sun 3, today we buy supported commercial products: this series on the security lab is to introduce you to some of the products out there and, when possible, the movers and shakers that are part of the team that creates these products.

Other Related Articles in Sec Lab: Security Products

Interview with Steve Slater, founder of Security Compliance Corporation (SCC)

By Stephen Northcutt

Dr. Steve Slater is Founder and President of Security Compliance Corporation (, a privately held software company building solutions for information security compliance and identity auditing. Steve is also a SANS author and instructor for Security 615: Secure Internet Presence – LAMP.

Thanks for sharing your thoughts with us Steve, how did you get into the security field in the first place?

Like most people, my entry into the Information Security industry was due to a unique turn of events. While working on my PhD in the Nuclear Engineering department of UC Berkeley, I needed as much computing power as I could find. So I taught myself system administration and ran the department's computers. This was back when SunOS 4.1.3 was the latest and greatest. Then one day I saw myself logged into my system from China! Since I was firmly planted at Berkeley, I knocked the intruder off and went to work finding out how it happened, more importantly, how to prevent it from happening again. This was decidedly the beginning of a fascination with computer security and learning how computers, networks, and attackers really work.

After completing my degree, I was recruited by both the Lawrence Berkeley National Laboratory for a research opportunity, and the University of Illinois at Urbana-Champaign, home of the NCSA, for a tenure-track faculty position. For my thesis, I developed a 3D mathematical model of a nuclear reactor core, and used parallel computational analysis to solve what was essentially a coupled system of very large matrices. Because of that computational background, I was needed ½ time in nuclear and ½ time in computer science. While both opportunities were exciting, my wife and I had the entrepreneurial spirit and wanted to start a business. This was the same time as the rise of the dot-com craze in Silicon Valley, so we decided to start a consulting company focusing on Information Security. Over the past twelve years, we have had terrific projects, such as building and managing the Internet firewalls for Bank of America, designing the infrastructure for BofA's Internet Banking, and numerous network and web application security assessments.

A few years ago, I was also offered a tremendous opportunity by The SANS Institute to be the lead author and instructor for Security 615, also known as "The LAMP class." In five days, we take you from start to finish with Apache, MySQL, PHP, and Web Application Security. This class is a "must do" for anyone charged with designing or supporting a LAMP application.

That has been quite a journey getting the LAMP course in the field; the 600 level courses are a lot harder to write because it is advanced material. And, of course, this is a hot month with the PHP vulnerabilities being announced. 1 So, now that you are in the security world, you started to see an unmet need. Can you tell us more about that?

Shortly after the passage of the Sarbanes-Oxley (SOX) Act, we started seeing many new audit processes with both our own clients, as well as with students at SANS Conferences. One universal constant was the need to audit the access rights of users to key business applications. What was so alarming was the incredible amount of manual processes being performed to meet these audit requirements. A typical company would generate hundreds of spreadsheets and email them to thousands of users for review. Moreover, each one was a different format depending upon the application being reviewed. It was (and is still today) a very great burden for nearly every organization we meet with.

Right, I remember setting a script to do this for the Windows XP boxes in the office; I found the basic instructions to audit user access of files, folders, and printers in Windows XP on a Microsoft web site2, but cannot imagine trying to extend that to the enterprise. So this was your revelation?

Absolutely Stephen! We then realized that the industry needed a solution that did not exist, and founded Security Compliance Corporation (SCC) in 2005. The mission of SCC is to provide automated solutions to labor-intensive compliance efforts. Our first product, Access Auditor, is designed from the ground up to specifically target the need for user access rights certification. It's not just related to SOX; other regulations such as HIPAA and FISMA (in NIST SP800-53) require this same auditing of access rights.

OK, you certainly have the buzz words in place, what is your approach to simplifying the task of auditing user roles and access?

In a nutshell, Access Auditor discovers and consolidates users' access rights across the enterprise, and provides a workflow for the re-certification process. We initiate and track remediation when inappropriate privileges are discovered, alert to changes in user access levels, discover orphaned user accounts, show access rights still in place for terminated users, and more. One of our customers' Director of Information Protection and Security, Todd Berman of The PMI Group, summarized it quite well when he said that "Access Auditor is able to provide the single pane of glass view into user access rights."

I've gotta tell you Steve, one of the things I enjoy about our industry is watching the young companies bring the new products into the space, then seeing them grow and mature. I understand that SourceFire IPO'd today. Have you taken venture, or is this a privately funded effort?

Private and as a privately-funded startup, we don't have the same advantages that venture-funded enterprises have in regards to financial resources. We must closely control our costs to maintain a strong value proposition to our customers, and rely heavily on grass-roots, word-of-mouth referrals. So while that is challenging until we build some brand awareness and momentum, it is very rewarding to know that we can run our business the way we believe a company should be run, with honesty and integrity.

Well, it is the harder path. But, as you say, the benefits are control, and of course, if you do manage to sell or IPO, wow, with no dilution, make sure you wave to me as your drive by in your luxury car! So, what is your focus for business growth for the next year or two?

Being independent of the VCs also allows us to focus completely on the customer. We have flexibility in sales agreements. We can deliver personalized service to each customer. We can focus on features that are truly useful and not ones that simply market fluff. Our initiatives are driven by our customers' desire to improve how audits happen. Dollars spent on labor addressing compliance to SOX, GLBA, etc. are minimized, while value is created with an automated system that is fully integrated in the compliance process. Business applications are audited according to our customer's policies. It's their requirements that dictate how business is done.

Do you think your experience teaching for SANS helps you with your business?

Coming from a long history of security consulting and teaching, I regularly hear what customers need, and I designed Access Auditor to be intuitive and free of techno-jargon. We have delivered a simple to use product that adds great value and simplifies our customers' lives. We can usually provide a positive ROI in under a year, and have our solution deployed and adding value in a matter of days.

Thanks for sharing your short term plan, what is your longer term vision for Security Compliance Corporation (SCC)? 4

Our long-term plan for SCC is to become the one-stop destination for compliance automation tools. We have a road map planned that targets compliance-related pain points with simple and effective automation solutions. In 3-5 years from now, when we have a hundreds of customers whose lives are happier because they no longer worry about costly compliance tasks, we will know that we have achieved our mission and pushed for positive change in the industry.