Making an End-Run

When Tyson asked Boswell if he would install a new security appliance that would scan AGIA's network for vulnerabilities—and do so right away—Boswell said no; the network wasn't ready to be tested. So Tyson, who already had the appliance picked out, wound up making a corporate end-run around Boswell and appealing—successfully, it turned out—to CEO Wigle.

Cybersecurity is a young field, and much of the technical innovation is coming from first- and second-generation products, says Jon Oltsik, an analyst with Enterprise Strategy Group. Smaller companies may use free open-source tools like Snort and Nessus, but those are notoriously difficult to manage. Nessus, for example, scans networks for flaws the way a hacker would, by shooting bad data packets at them to see if they can be exploited.

Tyson talked with his own Web developer, Jim Mannix, about using Nessus, but did a Web search and found a startup called PredatorWatch instead. PredatorWatch's strength, says Oltsik, is that it has "baked" open source modules into a package suitable for companies whose technology staff has to handle security along with everything else.

The appliance, which runs on a secured version of Linux, finds IP addresses and scans the hardware or software associated with them for Common Vulnerabilities and Exposures (CVEs), a federally funded list of flaws maintained by the Mitre Corp. When it finds flaws—a Web server with an extra open port, for example, like the one that attackers probably used to take control of the hosting company's server—it can flag them. PredatorWatch also integrates with automated patch management software and issues reports classifying vulnerabilities by severity. Each is identified by IP address and can include likely scenarios of attack, suggested remedies, and any impact on a company's regulatory requirements.

Tyson had never heard of PredatorWatch, and when he called he was surprised that CEO Gary Miliefsky himself answered the phone. But PredatorWatch was an IBM business partner with three customer references, and Miliefsky was accustomed to taking calls from distressed executives.

Boswell resisted. He, too, had years of experience with cybersecurity, and wasn't convinced that PredatorWatch had the best approach. He had sent questions to Tyson: Who'd maintain PredatorWatch? How would sensitive reports be kept inside the building? How would AGIA's network handle potential traffic?

At AirTouch Cellular in the 1980s, Boswell supervised engineers who would hack the Sun operating system so they could install their favorite tools. Occasionally the network would crash. Boswell feared PredatorWatch would behave like Nessus, which is also known to crash networks, and he didn't know how much stress AGIA's network could take, particularly with the traffic already generated by the new Cisco phone system.

In retrospect, Boswell also admits he felt his job would be on the line if PredatorWatch discovered vulnerabilities in AGIA's network that should have been caught by his department.

So that's when Tyson made his end-run, bypassing Boswell and going to Wigle to make his case. Waiting until 2005 was unacceptable, Tyson argued; AGIA had to do something immediately. Wigle gave him the go-ahead.

With no choice but to go forward, Boswell negotiated the terms of PredatorWatch's installation with Tyson. They agreed that the box would run once a month on Sunday nights, when network traffic was low, so Boswell would have ample time to monitor its effects. Mannix pointed PredatorWatch at three Web servers and within a half-hour, the box was issuing reports.

As Boswell had feared, it found vulnerabilities that his department didn't know about—open ports, an out-of-date service pack for SQL Server, and unauthorized write permissions that would allow intruders to place files on one Web server.

But Boswell's biggest fear—that he'd lose his job—never materialized. He thinks that's because he was able to fix everything PredatorWatch found. Also, he says, "Nothing was so bad that it kept me awake."

In fact, Boswell is now happily in charge of PredatorWatch, which he upgraded to an IBM xSeries server so it can scan the entire enterprise—so far, over 50 servers, 300 workstations and the Cisco phone system, as well as laptops brought in from outside the building. Although he declines to reveal what new security products he's adding, Boswell says PredatorWatch's reports on vulnerabilities found and fixed make it easier for him to make the case to his boss, the chief financial officer.

Tyson, meanwhile, says AGIA is ready to expand its business on the Internet—whenever the rest of the insurance industry is ready to make the leap.

Agia Base Case

Headquarters: 1155 Eugenia Place, Carpinteria, CA 93013

Phone: (805) 566-9191

Business: Sells, markets and administers insurance programs for affinity groups such as the National Rifle Association; aggregate membership of over 40 million.

Chief Marketing Officer: Bill Tyson

Financials: National, privately held company with 300 employees.

Challenge: Expand amount of business done online while protecting customer information from cybersecurity breaches, at an affordable cost.

Baseline Goals:

Take orders for entire product line over the Web by 2007, up from 15% to 20% today.

Discuss AGIA: Identity Crisis   >>> Be the FIRST to comment on this article!

>>> More Past News Articles          >>> More By Deborah Gage