Developing a Successful Market Entry Strategy for the Federal Cyber Security Enterprise
Prepared by: Civitas Group
IT Security Entrepreneur’s Forum (ITSEF)
Workshop: Session 4, Track 1, 4:30-5:30 PM
March 15, 2011
(Transcript posted 20-Dec-2015)
Policy Still Chasing Threats
In response to numerous Internet worms, viruses, and hacks, the Federal government created many new laws and policies, which in turn resulted in market opportunities to supply the Federal government and certain industries (e.g. healthcare) with cybersecurity products and services.
© Civitas Group llc 2011 – Proprietary and Confidential

Timeline (1970-2010): attacks/incidents set against policy responses

Attacks/Incidents:
• Morris (1988)
• Solar Sunrise (1998)
• Moonlight Maze (1998-99)
• Melissa (1999)
• Love Bug (2000)
• Code Red (2001)
• Nimda (2001)
• Klez (2002)
• BugBear (2002)
• Slammer (2003)
• SoBig (2003)
• Titan Rain (2004)
• Byzantine Foothold (2007)
• Conficker (2009)
• Stuxnet (2009)

Laws and policies:
• The Privacy Act of 1974
• Computer Fraud and Abuse Act 1984
• Electronic Communications Privacy Act 1986
• HIPAA 1996
• National Information Infrastructure Protection Act 1996
• Y2K Efforts
• Patriot Act 2001
• E-Government Act of 2002
• FISMA 2002
• Homeland Security Act 2002
• OMB M-02-09 (2002)
• 1st National Strategy 2003
• CAN-SPAM Act 2003
• OMB M-04-04 (2003)
• Veterans BHCITA 2006
• OMB M-06-16 (2006)
• OMB M-07-16 (2007)
• CNCI 2008
• 60 Day Review 2009
• Rockefeller-Snowe 2009
• DOD-DHS MOA 2010
• Lieberman-Collins-Carper 2010
There is no “one-size-fits-all” cyber capability…

Diagram (attack path across the network): Domain User <<< Target System <<< Adversary’s Network <<< ISP <<< HTTP | HTTP >>> Perimeter Firewall >>> Client Server >>> Internal Firewall >>> Endpoint >>> User

Table columns: Capability; Activity; Solution / Service; Associated CNCI Funding; Specialized Companies. Rows run from ATTACK / EXPLOIT (steps t+5 to t+1) to DEFEND / SUPPORT (steps t-1 to t-6).

Capability:
• Computer Network Attack
• Electronic Warfare
• Computer Network Exploitation
• Counter-Intelligence
• Computer Network Defense / Support
• Perimeter Security
• Situational Awareness
• Active Monitoring
• Information Protection

Activity:
• Step (t+5): Determine available weapon-target pairing and report options to C2
• Step (t+4): Distribute root-kit, key-logger, or other malicious HW/SW payload
• Step (t+3): Conduct network recon and identify priority systems for takeover
• Step (t+2): Mask intrusion and coordinate mission objectives
• Step (t+1): Conduct network surveillance; locate and exploit a backdoor
• Step (t-1): Prevent compromise of outer firewall, VPN, WLAN, or other access
• Step (t-2): Detect and respond to anomalous network activity or data leakage
• Step (t-3): Measure deviation of traffic and/or user actions from baseline data
• Step (t-4): Ensure integrity of user’s identity and credentials
• Step (t-5): Enforce policy compliance at the end-point
• Step (t-6): Encrypt data-at-rest; develop policies to restrict and track data-in-motion

Solution / Service:
• Command & Control
• Software, Hardware, Network, & Application Engineering Skills
• High-Speed Exploitation & Analysis; Cryptology (code-breaking)
• Steganography; Attack Heuristics; Information Sharing
• Automated Port-Scanning; Pre-Zero Day Exploit ID
• Vulnerability Assessment; Penetration Testing; DNSSEC
• SIEM; Internet Intelligence; HoneyPots
• IDS/IPS; Content Filtering
• ID Management; MLS
• Host-based Security; Policy Compliance; Mail Filtering
• Encryption; Database Security; App/Server Hardening
• Deep Packet Inspection

Associated CNCI Funding:
• Foundational investments
• A10 - Deterrence Strategy
• A9 - “Leap Ahead” Tech (attribution)
• A1 - TICs; A2 - Classified Networks
• A5 - Situational Awareness
• A2 - IDS; A3 - IPS (sensors)
• A2 - Classified Networks
• N/A - Revamped C&A Process (continuous)
• A9 - “Leap Ahead” Tech (encryption)

Specialized Companies:
• KEYW; Zytel; EndGame Systems; Scitor; Zeta Associates; EWA
• Core Security
• Narus; ArcSight; LookingGlass
• Bivio; NetWitness
• TCS; Pangia
• TripWire; BigFix
• Abraxas; SafeNet
Consolidated Federal Cyber Security Spending

Chart: Consolidated Federal Cyber Security Spending ($11B), FY05 through FY15, in $ millions (axis $0 to $14,000); series: IT Security Spending and CNCI; historical and projected years shown.

Disclosed Federal cyber security spending is expected to exceed $55 billion over the next five years. While the Traditional IT Security component remains vulnerable to flattening IT budgets, CNCI and associated classified spending remain immune from such budgetary shocks – and will continue to drive immediate growth.
Market Components:
1) Cyber Security Spending Labeled CNCI (Intel Budget)
2) Traditional IT Security Spending (Federal IT Budget)
3) Remapping of Legacy/Analog IO Programs (Classified – not depicted)
While CNCI funds are believed to be growing at a steady rate (in excess of 5% CAGR), they only account for 35% of the overall cyber security spending by government.
The majority of funds – labeled here as “Traditional IT security” – are closely tied to macro shifts in general IT spending, which is currently undergoing a major shock.
These estimates are more conservative than those of select market research firms, but they have already been validated by two events: 1) the FY11 IT budget request was actually lower than that received in the previous year; and 2) additional details regarding future budget cuts at DoD suggest Defense-centric IT expenditures will grow at roughly half the rate of Civilian IT spending, which, in turn, will have a significant impact on “embedded” IT security spending going forward.
Schism Between CNCI and Traditional IT Security Spending Creates Bifurcated Market
Our view of Federal cyber security spending is clearly segmented along customer lines. When and how CNCI impacts a wider set of government stakeholders introduces uncertainty regarding the timing of new investment priorities that diverge from the long legacy of FISMA compliance.
Diagram (market segmentation): customer segments IC, DOD (.mil), DHS (.gov), Federal Civilian (.gov), and State & Local/CIKR; supplier groups Conventional IT Security Firms versus Traditional Government Contractors Supporting DoD/IC; CNCI Focus ranging from Short-Term to Long-Term; Market Fragmentation.

Recent Developments

Eliminating the Gap
• Post of Cyber Security Coordinator established at White House
• CYBERCOM successfully stood up
• Updates to FISMA passed as part of the House’s FY11 Defense Authorization Bill include provisions for continuous, real-time monitoring

Widening the Gap
• Decrease of 1.6% for FY11 IT Budget Request
• FedRAMP is expected to become operational during Q1-CY11 – but current documentation appears geared towards low/moderate FIPS 199 requirements
• Interim version of a National Cyber Incident Response Plan (NCIRP) met with criticism from industry
• National Strategy for Trusted Identities in Cyberspace does not establish clear next steps analogous to HSPD-12
Competing Cyber Security Mentalities Help Create Two Customer Classes

Diagram (cycle): 1. Protect (Static Rules); 3. Respond (Incident Management & Digital Forensics); Capability Sustainment.

• Traditional – Layering of Point Solutions to Achieve “Defense-in-Depth” (and point-in-time compliance)
• CNCI – Establishing a “Response Cycle” that Effectively Limits Impact of Cyber Attacks (continuous)
CNCI Ecosystem

The CNCI ecosystem presents a comparatively hospitable market for emerging technology companies. However, new entrants will need to address multiple barriers to entry and a service-oriented market.
Competitive Environment: Moderate
Barriers to New Entry:
• Lower than traditional
• Clearances
• Contract vehicles
• Channel congestion, varies by sub-segment
Buyer Behavior:
• Compelled by innovation and need for good solutions
• Funded
• Variety of involved agencies
Threat of Alternative Approaches:
• Evolving environment with room for multiple approaches in some areas
• High complexity
Supplier Power:
• Mixed depending on agency, but with pockets of fragmentation allowing opportunities
Key Federal Customers

The key activities currently receiving the bulk of CNCI funds point to DOD, NSA, DHS, and DOJ as the critical Federal customers on which to focus. Within DOD, the main sub-components of interest are CYBERCOM (formerly JFCC-NW and JTF-GNO), DISA, and DC3. The NCIJTF is an additional critical element to the CNCI, which cuts across DOJ, DOD, and NSA.

Activity – Lead Agency; Supporting Agencies
• 1 – Trusted Internet Connections (TICs): Owned by individual agencies; oversight by DHS; enforcement by OMB
• 2 – Passive Intrusion Detection (Current EINSTEIN): DHS (US-CERT); NSA; TIC agencies
• 3 – Intrusion Prevention (Future EINSTEIN): NSA / JFCC-NW (Cybercom); DHS / US-CERT; DISA / JTF-GNO (Cybercom)
• 5 – Situational Awareness: DNI led; DIA / IC-IRC; DHS / NCCIC, NCSC & US-CERT; NSA / NTOC; DISA / JTF-GNO; DOD / DC3; FBI; and Agency CERTs
• 7 – Classified Network Security: NSA; DISA / JTF-GNO (Cybercom); Components and civilian agencies
• 9 – Leap-Ahead Technologies: DARPA, IARPA, NSF
• National Cyber Investigative Joint Task Force: FBI, DOD / DC3, NSA
Key Contract Vehicles

In the near-term, CNCI-related funds will flow primarily through existing contracts and contract vehicles. Federal customers will seek the “path of least resistance” for acquiring needed cyber security products and services. DISA’s ENCORE II contract vehicle has been identified as the preferred vehicle across DOD and for some IC components. DHS’s upcoming EAGLE II contract vehicle will be critical for accessing key DHS IT and cyber security programs.
NASA’s SEWP IV and HHS’s CIO-SP2i contract vehicles are also widely used across both the Federal civilian agencies and DOD customers.

Federal Customer – Preferred Vehicle(s)
• Department of Defense: ENCORE II; SITE (formerly DIESCON 3 and ICE2); ITES-2S; Strategic Services Sourcing (S3); NETCENTS 1, 2
• Department of Homeland Security: EAGLE / EAGLE2
• Department of Justice: ITSS-3
Competitive Environment

Lockheed Martin, Northrop Grumman, and Booz Allen Hamilton hold the largest number of key IT product or service contract vehicles across the major Federal customers.

Table: contractor rank against vehicles held, by customer – DISA (ENCORE II); DIA (DIESCON 3, ICE 2, SIA); Army (ITES-2S, S3); USAF (NETCENTS); NSA (CNCI Contracts); DHS (EAGLE); DOJ (ITSS-3). Per-vehicle cell entries not recoverable; ranking:
1 Lockheed Martin
2 Northrop Grumman
3 Booz Allen Hamilton
4 BAE Systems
5 CSC
6 CACI
7 General Dynamics
8 SRA International
9 Pragmatics
10 SAIC
11 HP / EDS
12 IBM
13 L-3 Communications
14 Unisys
15 Perot Systems (Dell)
State & Local Governments Focusing Almost Exclusively on Cost-Cutting

Top S&L Technology Investments Identified by INPUT – Match to Priority Technologies, Applications, & Tools Identified by NASCIO
• IT Infrastructure Consolidation – Virtualization, Cloud Computing
• Decision-Support Tools – Business Intelligence & Analytics Applications; Waste, Fraud, & Abuse Prevention
• Public Safety Force Multipliers – Legacy application modernization / renovation; Community Supervision for Non-Violent Offenders

Sources: INPUT’s State of the Public Sector (April 2010), NASCIO’s State CIO Priorities for 2011 (October 2010), NASCIO-Deloitte Cyber Security Study (September 2010), & NASCIO-TechAmerica 2010 State CIO Survey (August 2010)

From NASCIO Surveys:
• Security ranks only 7th on State CIO Priorities for 2011 – displaced by budget and cost control measures
From Deloitte Surveys:
• Only 13% of State CISOs reported utilizing established metrics to demonstrate business value of security investments (ROI)
• 42% of State CISOs reported having no privacy program in place
• The most common security function to outsource at the S&L level was identified as “threat management and monitoring services” (24% of respondents)
From TechAmerica Surveys:
• 64% of State CIOs predict a decrease in IT budget for the 2011-2013 period
• 54% of State CIOs are actively investigating cloud computing, but have not approved a pilot program yet
State & Local Market

The S&L component of the market is the smallest in terms of size – but represents one of the most active areas in terms of SaaS cloud deployments (which have already yielded issues for security practitioners).

Active Cloud Deployment & Associated Vendor
State – City/Entity – Solution – Vendor
• CA – City of Carlsbad – Communication / Collaboration – Microsoft
• CA – City of Los Angeles – E-Mail / Productivity – Google
• FL – City of Orlando – E-mail / Productivity – Google
• GA – City of Canton – E-mail / Productivity – Google
• MD – Prince George’s County School District – E-mail / Productivity – Google
• NM – Office of the Attorney General – E-mail / Productivity – Google
• NJ – Transit Authority – CRM – Salesforce
• OR – Klamath County – E-mail / Productivity – Microsoft
• WI – Department of Natural Resources – Communication / Collaboration – Microsoft
• FL – City of Miami – Platform (311 Service) – Microsoft
• VA – Information Technologies Agency – Platform (App Development) – Amazon
• CO – Office of Information Technology – Hybrid (Shared Services) – Google
• UT – Department of Technology Services – Hybrid (Shared Services) – Salesforce; Google
• MI – Department of Technology – Infrastructure Pilot – Unknown

Source: Vivek Kundra & Federal CIO Council, “State of Public Sector Cloud Computing,” May 2010.
Source: Civitas analysis drawing from NASBO State Expenditure Report, Gartner IT Metrics for Government / Public Sector, & INPUT’s State of the Public Sector
Chart: Distribution of IT Security Spending Across States by Region in FY10 ($3.2B Total), in $ millions (axis 0 to 800); regions (number of states): New England (6), Mid-Atlantic (5), Great Lakes (5), Plains (7), Southeast (12), Southwest (4), Rocky Mountain (5), Far West (6).
Chart: Spending on IT Security in Relevant CI/KR Sectors ($30B) – Estimated Total U.S. Market Concentration within Top 50 Firms (axis 0 to 12000); sectors: Financial Services, Information Technology, Communications, Healthcare, Defense Industrial Base*, Energy, Transportation.
Commercial Market

Our view of commercial spending is composed of those industries that present a high risk of cyber attack and consequently demonstrate robust IT security spending. These sectors align to the government’s definition of select critical industries (CI/KR), which collectively represent nearly $30B in IT-Sec spending.
Sector growth labels from the sizing chart: -2.0% CAGR (conservative); +7.0% CAGR (volatile); +2.7% CAGR; +7.2% CAGR; +4.2% CAGR; +5.8% CAGR; +2.8% CAGR.

Sources: Survey results above taken from PwC’s 2011 Global State of Information Security; sizing model to the right based on Civitas analysis drawing from Gartner’s 2010 IT Metrics, Industry Vertical Spend, and IT Security Spend – as well as publicly available financial data from the top 50+ firms within each industry (CAGRs based on aggregated industry reports).
Types of security incidents 2008 2010
Data exploited 16% 27%
Network exploited 20% 25%
System exploited 15% 23%
Application exploited 17% 16%
Network device exploited n/a 20%
Social engineering (human exploited) 15% 15%
Unknown vector 44% 33%
CI/KR Sectors Profiled in this Study (7) – Public-Private Nexus; Attack Vector / Vulnerability; Policy Initiatives

Banking & Finance
• Nexus: FBIIC; FS-ISAC
• Attack vector: Theft of PII; temporarily disrupt payment systems; permanently corrupt electronic records to undermine national accounts
• Policy: MOU signed by NIST, DHS (S&T), and the FS-SCC (December 2010)

Communications
• Nexus: NRIC
• Attack vector: Disrupting communications prior to a kinetic attack
• Policy: United States Information and Communications Enhancement Act

Defense Industrial Base
• Nexus: AIA; NDIA
• Attack vector: Theft of IP; compromise supply chain of equipment that is used to respond to an act of war
• Policy: DIB Initiative (Information Sharing)

Energy
• Nexus: NERC; FERC
• Attack vector: Compromise of SCADA control systems leading to outage, overload, or industrial accident
• Policy: Bulk Power System Protection Act; multiple legislative efforts to secure the electrical “smart grid”

Healthcare and Public Health
• Attack vector: Theft of IP & PII; compromise of IT systems to alter treatment and/or dosage of medicine applied to patients
• Policy: Project BioShield (BARDA); National Public Health Information Systems (PHIN/EWIDS)

Information Technology
• Nexus: US-CERT; IT-ISAC
• Attack vector: Theft of IP & PII; undermine confidence in digital infrastructure that supports electronic transactions in all CI/KR
• Policy: National Cyber Exercises

Transportation Systems
• Attack vector: Instigate a midair collision, derailment, or grounding of passenger or cargo vessel; disrupt ability to move supplies and assets to an emergency zone
• Policy: Surface and Maritime Protection Programs (TWIC); Aviation Screening and Security Operations
Commercial Entities Propelled by Threat and Lack of Government Intervention

We observe higher potential growth rates (> 3% CAGR) within the commercial sector, especially as the private sector continues to stabilize and push ahead on security issues viewed as unique to a given industry.

Case Example: LookingGlass
LookingGlass started with a unique capability developed from insight into customer needs. Slow sales cycles and a lack of service components have slowed penetration, but use of the product is accelerating.

Entry – Competitive Environment; Barriers to New Entry; Buyer Behavior; Threat of Alternative Approaches; Supplier Power
Barriers to New Entry:
• Lack of GWAC vehicle
• Contracting cycle
• Certification
• Security clearances
• Minimal integrator uptake
Buyer Behavior:
• Slow
• Champion essential
• Ad hoc buys with year end money
Threat of Alternative Approaches:
• Service offerings by integrators
Supplier Power:
• Capabilities for development
• Customer insight

LookingGlass Lessons
“Everything is long”
• After they had an identified buyer with a need and resources to purchase, it took 11 months to get under contract
• Lesson – know contracting and vehicles and help the customer be efficient
Need a champion
• Even after being under contract, implementation challenges continued
• Prime contractor changes exacerbate the problem
• Lesson – need a strong internal champion
• Lesson – incorporating service support into contract essential
Integrators were competitors, not channel
Case Example: CloudShield

CloudShield began its existence in 2000, showcasing how DPI could be used to optimize network traffic at large service providers. This strategy was significantly impacted by the Telecom Crash of 2002. Government was not initially conceived of as the primary customer until alternative uses of DPI became well-socialized.

Competitive Environment:
• Less than commercial
• Internal build can be key competitor
Barriers to New Entry:
• Cleared personnel
• Sales cycles
• Vehicles
• Privacy concerns
Buyer Behavior:
• Sophisticated, technical
• FedCiv market bought more like commercial
Threat of Alternative Approaches:
• New solutions possible to deal with expanding network traffic
• Homegrown solutions
Supplier Power:
• Other providers in market (e.g. Bivio) but limited number
• Foreign entry restricted

CloudShield – Keys to Success
Parallel roadmap commercial and Federal
Getting clearances was essential
• Clearances were necessary to be able to fully understand government needs and effectively
• Tailored products to support customer missions
Product service mix should be mostly product for VC-backed companies
• Margin for services restricted by SI competition and government contracting
• Product offering with SI service support was good approach
Traditional Ecosystem

The Traditional IT Security market is characterized by suppliers who dominate the ecosystem, an overly restrictive contracting environment for new entrants, and compliance-driven buyer behavior. New entry will require seeking early adopters who recognize the current need and your technology’s unique advantages.

Competitive Environment: more intense
Barriers to New Entry:
• Higher than CNCI
• Sales cycles
• Contract vehicles
• Certifications
Buyer Behavior:
• Compliance with FISMA, standards
• Budget conscious
Threat of Alternative Approaches:
• Emerge slowly given large installed base
Supplier Power:
• Significant buyer concentration, e.g. among AV vendors
Case Example: Bit9

Bit9 is a whitelisting solution with rapidly growing penetration of the market (quadrupled from 2009 to 2010).

Competitive Environment; Barriers to New Entry; Buyer Behavior; Threat of Alternative Approaches; Supplier Power
Barriers to New Entry:
• Government contract vehicle
• Government ecosystem
• Certifications
Buyer Behavior:
• Buying behavior varies - some aggressive
• Civ agencies buy pilots; slower
• DoD difficult; large incumbents
Threat of Alternative Approaches:
• Many alternatives to whitelisting
• But mitigated as part of layered defense
Supplier Power:
• Channels owned by large providers
• Concentrated, making new entry harder

Bit9 Keys to Success
Learn the buyer
• All agencies are not alike – there are early adopters and other followers; some are more sophisticated than others (e.g. IRS)
• Learn the ecosystem; analogy to commercial sector
• Expect policy and budget “side swipes”
Commit to DC
• Expect a year or longer to begin to get sales productivity
• Grow a DC presence; supplement in the meantime
• Executives should commit time to learning and being present in DC
Direct contact with customer – do not depend on partners
• Ultimately sales are similar to private sector – starts with marketing and sales calls and direct customer contact
Case Example: Invincea

Invincea, a virtual browser security solution, introduced a fundamentally new approach (i.e. quarantine) to online activity.

Competitive Environment; Barriers to New Entry; Buyer Behavior; Threat of Alternative Approaches; Supplier Power
Barriers to New Entry:
• Certification
• Long buying cycles, especially for new product category
Buyer Behavior:
• Complexity of buyer
• Buyers evaluating due to complexity
Threat of Alternative Approaches:
• Firewalls
• Network-based solutions for sensing malware
Supplier Power:
• Channels dominated by major providers of alternate end point solutions

Invincea Lessons
Government is a long sales cycle – VCs must be understanding
• Diversify revenue sources: critical infrastructures and FFRDCs can be sources of near term revenue
• R&D can be a good source of funding and usually can keep IP
• Continuing resolution has slowed progress
Enterprise/end point sales more difficult
• Buyers tend to be network appliance focused
• Certifications necessary – net-worthiness
• Multiple buyers and influencers – senior security personnel, technology scouts – not always the actual buyer
Appendix: Back-Up Slides

Structural Changes to DHS (Cyber)

The NCC and several NCSD components are expected to be reorganized under the recently established National Cyber Security and Communications Integration Center (NCCIC).

Org chart – Office for Cyber Security and Communications (CS&C):
• National Cybersecurity and Communications Integration Center (NCCIC)
• National Communications System (NCS)
• Office of Emergency Communications
• National Cyber Security Division (NCSD)
• Critical Infrastructure Protection Branch
• National Coordinating Center (NCC)
• US-CERT (US-CERT Incident Response and Watch Operations Activities only)
• NCSC
• FNS
• NSD
• GCSM
• CCPA
A Depiction of the U.S. Cyber Security Market

Columns: Market – Customer – Size – Spending Focus – Alignment with Product/Service. Axis: Increasing Conformity / Consistency of Investments.

1. IT Security – Federal Government – ~$7.5B – DOD IA Programs (CND)
A. Protect (e.g., vulnerability analysis, red-teaming)
B. Monitor, Analyze, & Detect (e.g., intrusion detection, indications and warning)
C. Respond (e.g., incident reporting and analysis)
D. Capability Sustainment (e.g., eval, training)

2. CNCI – Federal Government – ~$3.5B – Select Focus Areas
A. Active Sensors (e.g., deep packet inspection)
B. Situational Awareness (e.g., visualization tools, enhanced info-sharing)
C. Attribution (e.g., digital forensics)
D. Offensive Capabilities (e.g., analytical tools and human capital for CNE/CNA operations)

3. IT Security Geared Towards Continuing Budget Crisis – S&L Gov – ~$3.2B
A. Cost-Cutting Technologies
B. Substitution for Essential Services

4. Network-Reliant Sectors – Commercial – ~$30B – Diverse - No Regulatory Drivers (yet)
A. Network Security (e.g., data loss prevention, deep packet inspection, external threat feeds)
B. Risk Management / Mitigation (e.g., SIEM)
C. Post-Incident Response (e.g., digital forensics, intrusion analytics)