Software vendor CA Technologies is best known for its mainframe, business-to-business and distributed computing offerings. As an expansion of its enterprise-based offerings, the company also offers a data loss prevention suite called CA Technologies Data Protection. Formerly known as CA Technologies DataMinder, CA Technologies Data Protection is capable of supporting large enterprises with thousands of users and desktops. The DLP software suite components include CA Data Protection Endpoint, CA Data Protection for Networks, CA Data Protection for Stored Data and CA Email Supervision.

Data scanners

This CA Technologies Data Protection suite is able to protect data at rest, data in transit and data in use. It also integrates with CA Technologies Identity and Access Management products to allow access to sensitive information based on content and data classification. CA Technologies Data Protection is also able to quarantine data and protect sensitive information by granting or blocking access based on the reviewer's access privileges.

Endpoint agents

CA Data Protection Endpoint agents are application plug-ins for securing data at rest that execute on an endpoint device. These agents can monitor user activity and execute capture and control actions based on DLP policy. They either work with a gateway server or report directly to the DLP central management server. The agents are also able to continue policy enforcement even if disconnected from the central management server. CA Data Protection Endpoint is able to encrypt data sent to removable media. This action is controlled in part by the Client File System Agent (CFSA). In addition to monitoring local file copy actions, the CFSA is able to enforce policy for synchronization folders connecting to cloud resources such as Dropbox.

Network security

The CA Data Protection for Networks network appliance is able to control SMTP, web browser, webmail and social media HTTP/HTTPS traffic, instant messaging and peer-to-peer messaging such as Skype. Using SPAN ports, it can function as a passive DLP monitoring tool or be deployed in line to block sensitive data traffic, including decoding SSL traffic while inline.

Stored data

CA Data Protection for Stored Data secures data at rest by protecting and controlling sensitive information stored in network file shares and document repositories, public folders, ODBC sources and information collaboration servers such as Microsoft SharePoint. It can recognize and classify over 300 file types including HTML, XML, ZIP and others. CA Data Protection for Stored Data can also conduct full and partial fingerprinting of text and graphical content in order to control the file content's transmission and usage. The product's scalable and distributed architecture enables file scan rates of up to 500 gigabytes per hour.

Email data

CA Email Supervision controls and reports on sensitive email in motion and at rest for popular email servers such as Microsoft Exchange and Lotus Domino as well as mail transport agents such as sendmail and postfix. The CA Email Supervision lightweight agent is deployed at the email server and supports any number of email policies designed to protect an organization from potentially criminal as well as unintentional sensitive data exposure. Supported email endpoints include laptops, virtual desktops and smartphones for DLP controls inside and outside the corporate network.


CA Technologies' DLP suite offers several components and features designed to address a wide array of data protection needs for large enterprises. CA Data Protection covers endpoints and data in use as well as data in transit on the network, data at rest in storage or databases, and mobile and cloud data as well. The product suite comes with 24/7 technical support from CA Technologies; free training and educational courses are also available for customers. Organizations interested in pricing and licensing terms for CA Data Protection products should contact the vendor or authorized CA reseller partners.

Next Steps

Part one of this series looks at the basics of data loss prevention products

Part two examines the business case for DLP products

Part three explores usage scenarios for DLP products

Part four focuses on procuring DLP products

Part five offers insight on selecting the right DLP product

Part six compares the best DLP products on the market

This was last published in November 2016




SearchSecurity: Security Wire Daily News

If time is money in business, speed is security in infosec. HawkEye Analytics Platform is the big data component of the HawkEye set of security tools from Hexis Cyber Solutions, while HawkEye G offers integrated threat detection and automated response. Both are designed to address the critical requirements of big data security analytics comprehensively while putting an emphasis on speed.

HawkEye AP: Big data security analytics

HawkEye AP is a layered data management platform providing core services from data ingestion up through reporting and analysis. The foundation of the data management system is the Event Collection component, an extraction, transformation and load service that includes connectors to over 250 types of source systems. These sources include Windows servers, web servers, firewalls, databases, logs, NetFlow sources and SNMP sources.

The platform is designed to parse through hundreds of different data formats automatically. Data ingested by the event collection component is stored in the platform's event data warehouse, a write-once database optimized for columnar storage. The write-once feature ensures the integrity of data by preventing tampering at the lowest levels of data access. It also allows database designers to avoid the overhead mechanisms needed in other databases that support update operations. The Event Database supports standard SQL and business intelligence tools, so customers can deploy third-party reporting tools to support their security reporting.

While traditional BI reporting tools may be helpful in some cases, the volume of data and fine-grained attributes captured in security event information can make it difficult to find useful information. The analysis component of the HawkEye AP incorporates user management and some reporting functionality specifically designed for security information. These reporting tools further support a Dashboard, Reports and Investigation module that provides an HTML5 console for a single point of access to security data.

HawkEye G: Threat detection

To further support analysis and reduce the volume of data infosec professionals have to contend with, the HawkEye AP provides a threat detection component called HawkEye G. This incorporates machine learning and statistics techniques to help identify patterns, classify data and help infosec professionals focus on the most informative parts of all available security data.

HawkEye AP, coupled with HawkEye G, offers a comprehensive platform for big data security analytics. While HawkEye AP collects data from servers and network devices, HawkEye G includes endpoint agents for gathering data in real time for user devices. HawkEye G also has modules for detecting events at network edges as well as from third-party platforms.

Significant security events are usually a small percentage of all events recorded. Searching for malicious activity on an active business network is a prime example of searching for the proverbial needle in the haystack. HawkEye G incorporates a proprietary ThreatSync technology that verifies threats to reduce false positives using host and network correlation techniques. It also prioritizes events to help infosec professionals focus on the most important threats.

HawkEye also includes policy driven automated response to events. This can be especially important when infosec staff is limited and automated responses are needed to keep up with suspicious events on the network.

Pricing, support and deployment

Hexis Cyber Solutions' HawkEye AP is a software platform that is designed to sit between an enterprise's security operations center and the existing networking and security infrastructure. In addition to the HawkEye AP platform, Hexis also offers a managed service option for those who would rather delegate management and maintenance to the vendor.

Pricing is available by contacting Hexis Cyber Solutions directly. The company offers 24-hour support through its customer portal as well as phone support during normal business hours or 24/7, depending on your service-level agreement. Hexis Cyber Solutions' professional services group is available to help with planning, implementation and ad hoc analysis. The company also partners with EMC, Palo Alto Networks, SourceFire and Cerner.


Big data security analytics requires both scalable data management and advanced analysis tools that support infosec operations. The combination of HawkEye AP and HawkEye G covers both of those fundamental requirements. HawkEye G will be especially appealing to organizations that want the ability to query an event database using standard business intelligence reporting tools. For its part, the managed service option will likely appeal to small and midsize businesses that want the capabilities of the HawkEye platform, but do not have resources on staff to manage and maintain a big data security analytics platform.

Editor's note: The HawkEye G technology was recently acquired by WatchGuard. It's unclear how this will affect its integration with HawkEye AP.

Next Steps

In part one of this series learn about the basics of big data security analytics

In part two discover the business case for big data security analytics

In part three find out how to evaluate big data analytics platforms

In part four compare the top big data security analytics products

This was last published in September 2016


The vast majority of traffic traversing an organization's network is probably benign, but what about the small fraction of traffic that isn't? How can an organization tell benign from malicious before it's too late? This is the challenge that has driven the development of security analytics tools such as the Lancope StealthWatch FlowCollector.

Analyzing network traffic

Security analytics products are designed to collect a variety of information types, and then integrate, analyze and classify content and events to enable security and system administrators to identify potentially malicious activity. Some security analytics tools tailor their analysis to network traffic, while others incorporate diverse data from server logs and endpoint devices. The common characteristic of all security analytics products, however, is the ability to ingest large volumes of data and quickly identify suspicious activity.

Like other security analytics tools, the Lancope StealthWatch FlowCollector aims to consolidate data from across the network, such as routers, switches and firewalls. It uses NetFlow and IPFIX flow data collected from firewalls, routers and other network devices to achieve its mission.

Data collected at routers is used to analyze traffic entering or leaving the network. Lancope's StealthWatch FlowCollector also considers traffic between devices on the network. This is especially important for detecting malicious activity that occurs within the network boundaries. For example, a disgruntled employee might make a copy of a database backup to take to a competitor using a laptop and storage device connected to the network. This kind of event may not leave any traces in inter-network traffic flows.

Scalability is always a consideration when capturing network traffic. A single StealthWatch FlowCollector is designed to support up to 4,000 devices generating as many as 240,000 flows per second. At peak scalability, a properly configured StealthWatch FlowCollector system can process up to 50,000 sources and six million flows per second. StealthWatch FlowCollector includes the ability to detect duplicate flow data as well.

One company's anomaly is another's norm

The concept of anomalous behavior on a network is fairly easy to understand: it is something out of the ordinary. The first job of an anomaly detection system is to determine the baseline for a particular network. The StealthWatch FlowCollector creates a baseline of all IP traffic, which then supports analytics for detecting anomalies in either network traffic or host behavior.

The StealthWatch FlowCollector also includes host-centric analysis, such as host and application profiling and OS fingerprinting. This is useful for detecting activity that falls outside the typical patterns of use on a host.

In addition, the analytics product provides reporting on device activity, such as host reporting, router interface tracking, and bandwidth accounting and reporting. There is also support for packet level performance metrics and quality of service reporting.

Lancope StealthWatch FlowCollector can go beyond base level network reporting to detect unauthorized hosts and web servers as well as misconfigured firewalls.

Lancope offers 24/7 customer support via phone and online portal. Enterprise premium support is also available for those organizations that want more proactive assistance with planning and deployments. A community portal offers access to documentation, knowledge base articles and training videos. For more information on pricing and licensing, contact Lancope.


Predicting malicious activity is difficult, even with large volumes of data and the most sophisticated analysis techniques. Baselines -- meanwhile -- change, sometimes slowly over time. This can impact the false positive rate of alerts, so care must be exercised when balancing the need to minimize false alarms with the desire to not miss a real threat because alert thresholds were too high.

If there is malicious activity on IT infrastructure, it is probably leaving a trace of some kind in network traffic, which tools like the Lancope StealthWatch FlowCollector can detect. This tool can profile a normal baseline of activity and then detect variations from that norm, and can alert administrators to potentially malicious activity.
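The baseline-then-deviation approach described in this review, and the threshold trade-off the conclusion warns about, can be illustrated with a small detector over NetFlow-style records. This is an added example and not Lancope's code: it assumes constructed flow tuples of (window, src_ip, dst_ip, bytes), treats the 10.0.x.x range as the internal network, builds a per-host-pair byte baseline from six "normal" windows, and then scores a seventh window with a z-score threshold `k`. It also covers two things the text raises: east-west traffic (an internal workstation pulling a backup from an internal file server) and a host pair with no baseline at all (a never-seen device talking to the server).

```python
"""Baseline-and-deviation detection over constructed NetFlow-style records.

Added example; not Lancope's code. Flow records, addresses and byte counts
below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL_PREFIXES = ("10.0.",)   # assumption: internal address space for the example


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def build_flows():
    """Constructed records: (window, src_ip, dst_ip, bytes)."""
    flows = []
    for w in range(6):  # six baseline windows of normal activity
        flows.append((w, "10.0.1.20", "10.0.5.10", 40_000 + w * 1_000))  # workstation <-> file server, mild drift
        flows.append((w, "10.0.1.20", "8.8.8.8", 2_000))                 # DNS to the internet
        flows.append((w, "10.0.1.21", "10.0.5.10", 38_000))              # second workstation, perfectly flat
    # Window 6: 10.0.1.20 pulls ~50 MB from the file server (the backup-copy scenario),
    # and a host never seen in the baseline talks to the same server.
    flows.append((6, "10.0.1.20", "10.0.5.10", 50_000_000))
    flows.append((6, "10.0.1.21", "10.0.5.10", 39_000))
    flows.append((6, "10.0.1.99", "10.0.5.10", 12_000))
    return flows


def aggregate(flows):
    """Sum bytes per (src, dst) pair per window."""
    totals = defaultdict(lambda: defaultdict(int))
    for window, src, dst, nbytes in flows:
        totals[(src, dst)][window] += nbytes
    return totals


def build_baseline(totals, baseline_windows):
    """Per pair: (mean, sigma) of bytes over the baseline windows."""
    baseline = {}
    for pair, per_window in totals.items():
        samples = [per_window[w] for w in baseline_windows if w in per_window]
        if not samples:
            continue
        mu = mean(samples)
        sigma = pstdev(samples) if len(samples) > 1 else 0.0
        # A flat history gives sigma == 0, which would turn any change into an
        # infinite z-score; floor sigma at 10% of the mean instead.
        sigma = max(sigma, 0.1 * mu)
        baseline[pair] = (mu, sigma)
    return baseline


def detect(flows, baseline_windows, scored_window, k):
    """Return alerts for pairs whose bytes in scored_window exceed mean + k*sigma,
    plus pairs that have no baseline at all (new communication)."""
    totals = aggregate(flows)
    baseline = build_baseline(totals, baseline_windows)
    alerts = []
    for pair, per_window in totals.items():
        if scored_window not in per_window:
            continue
        observed = per_window[scored_window]
        east_west = is_internal(pair[0]) and is_internal(pair[1])
        if pair not in baseline:
            alerts.append({"pair": pair, "reason": "new_pair", "z": None, "east_west": east_west})
            continue
        mu, sigma = baseline[pair]
        z = (observed - mu) / sigma
        if z > k:
            alerts.append({"pair": pair, "reason": "volume", "z": round(z, 1), "east_west": east_west})
    return alerts


if __name__ == "__main__":
    for k in (3.0, 0.2):
        print(f"k={k}:")
        for alert in detect(build_flows(), range(6), 6, k):
            print("  ", alert)
```

Run with `k=3.0` the detector raises two alerts: the 50 MB east-west transfer (z-score in the tens of thousands) and the new pair. Lowering the threshold to `k=0.2` adds a third alert for the second workstation, whose 39,000 bytes are only 2.6% above its flat baseline; that is the false positive the review's conclusion cautions about, and it is exactly the kind of case a threshold tuned too low will surface every day.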

StealthWatch FlowCollector is especially useful for network administrators and security professionals who need to monitor network-level activities across complex infrastructures.

Editor's Note: Lancope was recently acquired by Cisco. While Lancope still operates as a separate company, the acquisition could impact the Lancope StealthWatch product line, including the FlowCollector series.

Next Steps

Part one of this series explains the basics of security analytics products

Part two examines the use cases for security analytics

Part three looks at how to procure security analytics products

Part four compares the best security analytics products on the market

This was first published in September 2016


Businesses and government agencies are at risk of an increasing array of information security threats such as data theft, malware, denial-of-service attacks and even compromise by insiders. No single security control or policy can address all threats. Instead, IT needs to deploy multiple measures. A key challenge for InfoSec professionals is to collect and integrate data on security events from the array of security controls deployed to protect assets. This is where security analytics comes in.

NetBeat MON from Hexis Cyber Solutions is a security analytics product designed to help protect medium-sized businesses, specifically ones with multiple locations.

In a nutshell, NetBeat MON is a monitoring appliance that observes network activity within any network and its devices. Hexis presents the benefits of the product as supporting "network hygiene." That is, understanding and managing the contents of network traffic using tools such as packet capture and analysis, network flow analysis and intrusion detection.

Combining open source tools

Hexis Cyber Solutions did not reinvent the proverbial wheel when it comes to network monitoring, but it did combine well-established open source tools to bring cost-effective, consolidated monitoring to a broader market. NetBeat MON combines the features of five open source network monitoring tools: ntop, Wireshark, Suricata, Snorby and dumpcap.

  • Ntop is a network traffic sorting tool that supports IPv4 and IPv6. The tool allows you to sort IP traffic using multiple criteria, including source, destination and protocol.
  • Wireshark is a network protocol analysis tool that allows for both live traffic capture and offline analysis, including voice over IP. Information captured with Wireshark can be viewed in either a GUI or the TTY-mode TShark utility, and packet lists can be assigned a color scheme to help with sorting and analysis.
  • Suricata is a tool developed by the Open Information Security Foundation. The tool is used for monitoring network traffic, as well as providing combined intrusion detection system/intrusion prevention system functionality. Admins can also write rules to specific protocols, as opposed to receiving ports.
  • Snorby is a network security monitoring tool built using Ruby on Rails. Reporting features include the ability to classify events into predefined or custom categories for future reports. Additionally, the tool can integrate with OpenFPC, a packet capture tool.
  • Lastly, dumpcap is a tool for network traffic dumping. Dumpcap captures packet data in pcap-ng files, although libpcap formatting is also available. Features include customizable UIs, automated patching and remote management, as well as analysis, NetFlow and packet capture capabilities.

Deployment options

The deployment of NetBeat MON depends on how an organization operates. The product requires the deployment of individual appliances at each of its locations. These appliances are either configured as a Master or a Minion unit upon setup -- the capabilities and duties of each unit follow. The Master unit will most likely be deployed at an organization's central office, allowing for centralized management of the Minions.

Each unit offers eight DIMM RAM slots, four hot-swappable 3.5-inch hard drive bays and an Intel i350 dual-port Gigabit Ethernet adapter. The NetBeat MON racks are built on Intel Xeon processors.

As for purchasing and support, the NetBeat MON appliance is available only through channel partners. Single-call support is provided for one year after purchase; after that, it is $1,500 per unit per year. The Hexis support team can answer questions regarding the open source tools that make up NetBeat MON, but does not provide direct support for them. Hardware issues are solved by sending the malfunctioning device back for repair.


No business or organization is too small to be the target of malicious cyber activities. Small and midsize businesses with limited resources can leverage open source security analytics tools without breaking their capital expenditure budgets.

Unfortunately, unless someone on staff is familiar with the implementation details of the range of open source tools in use, then deploying and maintaining a set of well integrated applications is difficult. NetBeat MON relieves some of that burden with a consolidated package of security analytics tools that does not demand an enterprise-scale budget to pay for it.

Editor's note: Hexis Cyber Solutions was recently acquired by WatchGuard, which may impact the NetBeat MON security analytics product line.

Next Steps

Part one of this series explains the basics of security analytics products

Part two of this series examines the use cases for security analytics

Part three of this series looks at how to procure security analytics products

Part four of this series compares the best security analytics products on the market

This was first published in September 2016


Alongside Microsoft and Adobe, SAP released this week its monthly security updates to address a total of 19 vulnerabilities, including three high severity issues.

The September 2016 Patch Day fixes include 11 security notes, 3 updates to previous notes, and 5 support package notes. Three of the flaws they resolve have been rated “high,” while the rest are considered “medium.”

Many of the vulnerabilities are missing authorization checks, which is one of the most common types of problems found in SAP products, but the patches also address information disclosure, denial-of-service (DoS), cross-site scripting (XSS) and SQL injection issues.

According to ERPScan, a company that specializes in protecting SAP and Oracle business-critical enterprise resource planning (ERP) systems, two of the three most severe vulnerabilities affect SAP Adaptive Server Enterprise (ASE), a relational model database management product.

The security holes are SQL injection flaws that allow attackers to execute specially crafted SQL queries.

“[ASE] stores all sensitive and valuable corporate data. It would be no exaggeration to say that the SAP ASE database is a treasure trove for hackers,” ERPScan wrote in a blog post.

“Both closed vulnerabilities are SQL Injections. It means that an authenticated user on the following SAP ASE server versions may be able to create and execute a stored procedure with SQL commands. This allows the attacker to elevate their privileges, modify database objects, or execute commands they are not authorized to execute,” the company explained.
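The class of flaw ERPScan describes, SQL built from user-controlled text so that an authenticated user can run statements the application never intended, is easiest to see side by side with its fix. The following is an added example and has nothing to do with SAP ASE's code: it uses an in-memory SQLite table with constructed rows, a lookup that concatenates the caller's input into the statement, and the same lookup using a bound parameter. The stored-procedure angle from the quoted text is not reproduced; the point shown is only how the two query styles treat the same input.

```python
"""SQL built by concatenation versus a bound parameter.

Added example, not SAP or ERPScan code. The table, rows and inputs are
constructed; SQLite stands in for any SQL database.
"""
import sqlite3


def make_db():
    """Constructed data: three accounts, each visible only to its owner."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, balance INTEGER, owner TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("ops-budget", 1200, "alice"), ("payroll", 98000, "bob"), ("research", 5400, "carol")],
    )
    return conn


def lookup_vulnerable(conn, owner):
    """The caller's text becomes part of the SQL grammar, so a quote character
    in it ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT name, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, owner):
    """The statement is fixed; the driver passes the value separately and it can
    only ever be compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def compare(owner):
    """Row counts returned by each query style for the same input."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, owner)), len(lookup_parameterized(conn, owner))
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal input  :", compare("alice"))
    print("quoted input  :", compare("x' OR '1'='1"))
```

With a well-formed owner name both functions return the same single row. With a value containing a quote, the concatenated version returns every row in the table because the WHERE clause has been rewritten, while the parameterized version returns nothing because no owner is literally named that. Bound parameters (or, in a database that uses stored procedures, procedures that take typed arguments rather than building dynamic SQL from them) are the fix ERPScan's description points at, and they also avoid the quoting mistakes that escaping by hand invites.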

The third most serious issue patched this month is a DoS vulnerability affecting the SAP Business Objects BI Launchpad product.

A report published by ERPScan last month revealed that, through June 2016, SAP had issued more than 3,660 security notes and support package notes to address thousands of vulnerabilities.

Security firm Onapsis reported that some of these vulnerabilities affected more than 10,000 of SAP’s customers. In May, Onapsis warned that up to 36 global businesses had been hacked through a SAP product flaw that was patched five years ago.

Related: SAP Patches Critical Code Injection, XSS Vulnerabilities

Related: SAP Patches Critical Clickjacking Vulnerabilities



SecurityWeek RSS Feed

All organizations face cyberthreats, but large enterprises face a particularly challenging set of problems. By their nature, larger organizations have many more devices and network points of access to secure. This creates an often unwieldy attack surface to protect.

In addition, larger organizations are often subject to regulatory compliance that requires data and systems controls across their infrastructure. They must also deal with the issue of scale. IT products and services that work well for small and midsize companies may not scale to meet the volumes of data and equipment that must be protected in a large enterprise.

Enter Juniper Networks' JSA Series Secure Analytics, a security analytics and analysis platform designed to meet the needs of larger enterprises.

Analysis for multiple security domains

The JSA Series includes modules to support multiple types of security analytics and analysis. These include modules to handle log analysis, threat analysis and compliance reporting.

Log analytics provides tools to collect logs from across an organization and centrally store and analyze their content. This enables both real-time alerting and forensic analysis of events that have occurred in the past.

The threat analytics module spans areas typically covered by network operations and security analytics. By collecting and analyzing information from multiple sources, the module can identify suspicious activities across a range of event types. This kind of broad analytics capability is essential for detecting advanced threats that can occur as a series of steps over extended periods of time. Threat analytics builds on the Secure Analytics platform's capabilities with regard to collecting security logs, host and application logs as well as network application flow logs.

The compliance module helps infosec professionals demonstrate enforcement of policies and procedures required by various regulations. The platform supports reporting for Payment Card Industry Data Security Standard, HIPAA and other broadly applicable regulations.

Analyzing enterprise scale security data

Large enterprises must address the needs of multiple sites of various sizes and with varying types of security requirements. The JSA Series spans a range of deployment options to meet those needs. The product family is available in four different versions.

The JSA3800 and JSA5800 are appliances designed for larger enterprises, while the JSA7500 is designed for carriers and other enterprises with exceptionally large volumes of data. For lightweight deployments, the virtual appliance version may be sufficient.

Because the JSA Series platform employs a distributed architecture, it is possible to start with one appliance and add others as demand grows. In addition to meeting scalability demands, appliances can be configured in hot standby mode to enable rapid failover from a primary appliance to the hot standby.

The JSA Series can be purchased directly from Juniper Networks or through a channel partner. Juniper Networks offers professional services to help with planning, building and deploying the JSA Series.


Security analysis and analytics is challenging, and it becomes even more difficult at enterprise scales. Attackers, meanwhile, may be willing to work slowly in order to avoid detection. And since larger organizations tend to be geographically diverse, multiple data centers and offices require security controls -- such as security analytics and analysis -- to be available to local and remote networks. Enterprises also need continuous security protection from high availability controls that will scale to meet the demands of an enterprise.

Juniper's Secure Analytics platform is designed to meet all of these needs, with components to ingest and analyze a range of data as well as supporting additional compliance requirements. While it may be more than some organizations require -- particularly small and midsize enterprises -- the JSA Series is the kind of product that large enterprises could easily turn to for security analytics and analysis.

Next Steps

Part one of this series explains the basics of security analytics products

Part two examines the use cases for security analytics

Part three looks at how to procure security analytics products

Part four compares the best security analytics products on the market

This was first published in September 2016


Information security is no longer just about implementing a set of best practices or point products like antimalware, network configurations and authentication mechanisms. All of those things are still required, of course, but they are no longer the end of the story. Organizations need the ability to analyze what is happening on their networks in real time.

This starts with assuming that some element of their security controls will be compromised. Enterprises today need to be looking for signs of that compromise. This is where security analytics comes in. Click Security is a company that provides a set of analytics tools focused on areas of security analytics, including profiling, investigating, responding and analyzing actor behaviors within an organization's network.

These tools allow infosec professionals to collect and analyze information about events on the network, identify particularly suspicious activity and then take action to mitigate potential risk of those activities. Here's a closer look at the tools within the Click Security Analytics suite.

Click Security Profiler

Click Security Profiler provides an interface for analyzing both actors and events within an infrastructure. These tools collect data from multiple sources, including network traffic, logs and file events. The Profiler uses event correlation to group discrete events into higher level logical collections. It also provides a risk ranking of actors and events to help front line security analysts assess the relative importance and priority in the face of multiple threats.

Click Stream Security Investigator

Click Stream Security Investigator is a tool for viewing attacker activity at a higher level of aggregation than provided by the Profiler. With the Investigator, events are consolidated and visualized at a level that allows analysts to better assess the key events in the attacker's progress. This sequence of events, known as the kill chain, identifies key events in the progression of an attack. Attacks typically start with reconnaissance, followed by delivery of some kind of attack vector, installation of command and control tools and eventually exploitation of the capabilities the attacker has established. Understanding this typical course of events in an attack, and being able to identify them from network, log and other data, is key to deploying countermeasures that mitigate the risks of an attack.

The Responder

The Responder is an application that applies lockdown policies in response to events. The application includes a graphical user interface displaying key metrics about the number of times policies have been triggered.

Actor Analytics Framework

The Actor Analytics Framework is a central hub for collecting and analyzing security-related event data. The framework is designed to collect data on security events, analyze those events with an emphasis on actor-oriented activities and incorporate threat intelligence to create a broad view of the actors and event contexts.

Click Security's Actor Analytics Framework also implements kill chain profiling and intelligence management. It utilizes in-memory analytics techniques to examine incoming events and links them to previous events by the same actor. Third-party intelligence data is added to context information collected from Click Security tools.

Prior to being acquired by Alert Logic, Click Security introduced new functionality for its analytics suite, including Actor Context Graph, an interactive visualization feature designed to help admins correlate events with related data.

Pricing and support

Click Security offers support services online and over the phone. For those looking for direct support, Click Security works with partners as well. Contact parent company Alert Logic for additional details on pricing, licenses and support.


The Click Security Analytics tools address the key information gathering and analysis stages needed to detect, understand and respond to a cyberattack. In spite of security best practices, the state of today's information security landscape leaves many with the feeling it is only a matter of time before our systems are attacked, if they have not been attacked already. Security analytics tools such as Click Security's Actor Analytics Framework are needed to respond to the kinds of attacks that are all too common today.

Security analytics tools, such as Click Stream, generate valuable information but are not standalone tools, such as malware scanners. Organizations with dedicated information security professionals who understand attack strategies and methods will get the most from Click Security. The combination of tools, such as Profiler, Responder and the Actor Analytics Framework, create a complete security analytics solution. It's important to note that Click Security was acquired by Alert Logic last spring, and Alert Logic said its intention was to "quickly integrate the Click Security employees and technology" into its Cloud Defender platform. This could change how Click Security Analytics is sold and supported in the future.


This was first published in September 2016



Established enterprises as well as startups have much to consider when deciding how to build and launch a security solution that makes sense for their business and customers. While you can employ a variety of formal tech strategy frameworks, the following lightweight approach offers a reasonable starting point for defining security product plans by posing several fundamental questions. This common sense methodology is based on my experience of building infosec solutions, but it is broad enough to apply to other types of products.

Market Segmentation

The idea of market segmentation stems from the notion that different types of customers have different needs. How to group customers with similar needs depends on your vision for the company and its products.

Geographic segmentation assumes that product requirements or go-to-market plans for customers in one country are different from those in another. For instance, it’s not unusual for a startup to begin by focusing on prospective clients in its own locale—be it a city, state or country that the firm’s founders know well—for proof-of-concept deployments and then expanding to a larger market, such as the United States.

Another way to segment the market is to look at the different industries where prospective customers might reside. For example, a company that’s building an anti-ransomware solution might perceive the need for such a solution among hospitals or law firms and focus on those verticals. Prospective clients in other verticals, say energy companies, might value such a product differently and might seek different capabilities that would overextend the startup’s limited resources.

Yet another approach to market segmentation involves considering the size of a customer, perhaps in terms of the number of endpoints, offices or employees that require protection. Small and mid-sized businesses (SMBs) tend to have different security needs and price expectations than more sophisticated enterprises. Not only does the size of the customer’s business influence the product’s desired features, but the expected deal size also affects the ability to build and motivate a sales force that can reach prospective clients.

The questions to ask in relation to market segmentation include:

  • What market segments are we targeting?
  • How are they similar and different?
  • How will we reach prospective customers?

Product Capabilities

Once you understand the type of customers the product will be targeting, it’s time to dig deeper into understanding their needs, then map them to the product’s capabilities. Think beyond generic security requirements such as data protection, threat detection or incident response. Be more specific to understand which gaps might exist in the products currently available to relieve infosec-related pain points.

If the product focuses on better network defenses, what advantages does it offer compared to existing firewall or Unified Threat Management (UTM) technologies? If your firm’s expertise is in security data analytics, why should customers value your approach over their existing Security Information and Event Management (SIEM) deployment? If you’re proposing a better way to fight malware, how does your product fit with established anti-virus solutions?

You should also consider how your product plans compare to those of other security firms that might be competing with you. If you’ve spotted a customer need, there is a chance that other individuals and companies are also working feverishly to address it. Understand who your competitors might be and determine how your solution might be different than theirs.

Outline the scenarios where a competitor’s product might offer more value than yours. Along the same lines, determine where your firm might have an advantage. Develop your plans to build upon your strengths. Decide whether you have the resources to close the gap in those scenarios where your competitors might be stronger, or whether you will focus on opportunities where you will most likely prevail.

In addition, consider what is the smallest set of features you need to build into your solution to attract your initial customers. The advantages of starting out with such a minimum viable product (MVP) include the ability to start generating revenue, earning early reference clients and receiving real-world feedback related to your business strategy and product roadmap.

Ask yourself questions such as:

  • What are your solution’s key benefits?
  • How unique is the value proposition?
  • What capabilities should form the first release?

Sales Engagement

Your decisions related to market segmentation and product capabilities need to account for the reach, expertise and motivations of your sales force. Take the time to understand how the sales team is set up and, if applicable, contribute to the team’s design on the basis of your understanding of the security market and its participants.

What can you learn about customers’ product expectations or reception based on sales activities to date? In an established firm, such interactions could have been conducted by the formal sales team. In a startup, even if the team doesn’t exist yet, informal sales conversations might have involved you, the company’s founders or your other colleagues.

In large organizations, the product you’re building might not have its own dedicated sales force. Instead, you could be sharing the sales team with other products, some of them potentially unrelated to security. This sometimes means that your product will be competing for sales people’s attention with other solutions that your organization offers. Understand such internal dynamics and consider how you might be able to encourage sales folks to focus on the products important to you and to your company. Give thought to how the capabilities of your product might strengthen the value proposition of the other products your company has been selling.

If you’re planning the go-to-market strategy for the product, consider whether you’ll be able to reach prospective customers directly using your company’s own sales force. A better approach in some situations might be to establish a sales channel that brings your solution to customers via a reseller model. Reaching SMB clients is especially difficult using a direct sales force due to the challenges of building and managing a large sales organization whose members tend to work on numerous, but relatively small deals.

If you can influence the choice of the sales person who will be aligned to the product, consider what security knowledge he or she should possess. It might be hard to find a sales expert within the specific infosec niche that your product is targeting. You could be better off working with a less specialized sales rep who has earned the trust of buyers through good work and relationship-building, and pairing this person with a technical sales engineer.

Even before your product is released into the world, there is much to learn from sales discussions with prospective customers. These interactions validate assumptions regarding market segmentation and desired features. They also help identify early adopters that might be interested in testing pre-released versions of your solution.

Seek to answer the following questions:

  • In which markets has the sales force gotten traction so far?
  • What negative feedback have prospects given regarding product ideas or prototypes?
  • What capabilities get customers most excited?

Pricing Model

Pricing your product properly is as essential as having the right set of features and being able to reach customers through a skilled sales force. You’ll need to estimate how much your customers will value the benefits of your solution and determine what budgets might be available to them to fund the purchase. This can be very tricky.

Consider whether you’re going to charge customers an initial one-time licensing fee with recurring maintenance fees, or whether you’ll follow a subscription model. It often makes sense to align the timing of your expenses with the timing of your revenues. If your solution has recurring monthly costs (for instance, those associated with storing customers’ data or hosting your application), then it makes sense to position your product as Software as a Service (SaaS) and charge predictable, monthly fees. Even with monthly fees, you might need to charge initial installation or activation fees to cover the associated costs.

Of course, you’ll need to account for customers’ preferences and constraints when deciding whether to charge one-time or recurring fees. Some customers might have a fund for one-time costs that are considered capital expenses (CapEx), while others might not have the ability to put up a lot of money for the initial purchase and will need to pay monthly out of their operating expense (OpEx) budget.

Pricing the product requires a firm understanding of your initial and ongoing costs. You could take your costs, mark them up by the expected profit margin, and come up with a price. Be careful to consider this only your minimum price and use it as a sanity check on deals where discounts might need to be offered. Ultimately, the price should be based on how much the customer values the solution’s benefits.

Price the product based on customer-perceived value, not on costs. For instance, the marginal cost of your anti-malware software might be a few cents per endpoint, but if the product addresses a significant pain point in a unique way, the customer might pay several dollars for it. Not only does your solution need to work well for this approach to work, but your sales team needs to be sufficiently mature to understand customer needs and position your product’s benefits. You can try explaining the return on investment (ROI) of the product, but I’m not a fan of this approach in the context of information security.

For salespeople to be motivated to sell your product, your pricing model needs to account for compensating them for their efforts. This is typically done by paying the sales person a commission for a deal in a manner that aligns the person’s interests with those of the company. Watch out for a potential mismatch in subscription products where the sales person’s goals are focused on hitting quarterly revenue or profit targets, but the revenue from the deal trickles in gradually on a monthly basis for years after the deal was closed.

Questions to ask of yourself:

  • How much should you charge for the product?
  • What are the associated initial and recurring costs?
  • Is revenue aligned to costs and incentives?

Product Delivery

Understanding the intricacies of installing and supporting the product is critical to the success of the overall solution. For example, customers might prefer the ease of rolling out an agentless forensic analysis tool to the alternative that requires installing the software on every endpoint in the enterprise. On the other hand, the capabilities of a tool that runs locally on the endpoint might surpass those of the agentless solution. Understand your customers’ priorities and strike the right balance between functionality and ease of use when designing the product.

Furthermore, consider what effort is required on an ongoing basis to achieve the product’s full potential. For instance, a change detection tool might need regular tuning to avoid alarms that arise after routine system maintenance. Customers need to understand how much time they will need to devote to get the most value from your solution. You also need to determine what ongoing support or maintenance tasks your firm will need to provide (e.g., upgrading software, troubleshooting problems, updating signatures, etc.).

You should also determine what tasks your company’s staff will need to perform when deploying the product for a new customer. With some solutions, this is as simple as enrolling users via your spiffy web-based SaaS portal. More sophisticated products might demand a formal project on the customer’s premises, for instance if you need to integrate your malware sandbox with the client’s email and web gateways.

Security products that require complex integration will need to be deployed by a well-staffed team of skilled consultants or implementation specialists. If you’re working in a software company that doesn’t have a strong services component, this might become your bottleneck to signing up clients. If that’s the case, either plan to build the appropriate team, partner with another company to provide this service, or adjust product plans to avoid relying as much on the human element for deployment.

If your product includes back-end software that runs in a datacenter, consider whether these components will be hosted outside the customer’s environment, or whether you will allow customers to deploy your software into their own data center. If you’ll be doing the hosting, determine how each client’s application instances and data will be separated from those of other clients. Also understand what audits, certifications and security attestations customers might require for your infrastructure and application.

Some clients will welcome the ease of deploying a SaaS application hosted by you in an external cloud; others might demand their own dedicated instance. The more sensitive the data that your product is handling, the more likely an enterprise customer will want their own, local deployment.

Ask yourself these questions:

  • What is product deployment like?
  • What ongoing support is necessary?
  • What are the staffing requirements?

Wrapping It Up

Building a product is a risky, stressful and ultimately fulfilling endeavor. The methodology above proposes some common-sense questions you should ask yourself, your colleagues and your customers when preparing to build a security solution. There is certainly more to be said about each aspect of product management, but answering these questions offers a reasonable starting point for the project. The following diagram summarizes this approach.



Lenny Zeltser