Research Duquesne Advisory delivers in-depth analyses of Information and Communications Technologies, their implementations and their markets. Research is based on critical observation of the market by the analysts and their on-going contacts with the vendor community, together with hands-on, practical experience in consulting engagements.

2010: Cyber Crime gets worse, Cyber War gets serious and Kaspersky Lab gets ready

A conversation with Eugène Buyakin, COO of Kaspersky Lab



Nearly everyone has heard the ancient Chinese curse, “may you live in interesting times”.

From stone hammers to the internet, technology has always been the great “game changer”, overturning established rules and upsetting the balance of power between people and between organizations.

In 2010, the Stuxnet malware attack – presumably on the Iranian nuclear program – looks like a game changer, suggesting that the planet is on the verge of becoming seriously more “interesting” and that cyber warfare is about to get serious.

Cyber crime already is serious business. In 2010 it got worse, with malware in particular becoming more sophisticated and attacks more severe. Lots of money is moving over the Internet, and so (of course) criminals are getting increasingly organized to get their hands on it, often with easily available malware toolkits like the ZeuS botnet.

Duquesne sat down recently with Eugène Buyakin, COO of Kaspersky Lab, which is headquartered in Moscow, to discuss these issues, together with some of the company's business plans going forward.

Kaspersky Lab

Russia has a long history of producing top notch scientists, mathematicians, chess players … and computer hackers. In this context, it’s not surprising that Russia has also produced “white hat” security experts.

Long known for anti-virus products for personal computers, Kaspersky Lab is in fact a well respected and fast growing player in the broader domain of end point security. It is a private company run by its founders, with over 2000 employees and doing business in over 100 countries.

The company’s researchers are particularly respected for technical expertise in malware and for round-the-clock anti-threat intelligence.

Cyber Crime: a “C2C” ecosystem

According to Eugène Buyakin, the public as a whole doesn’t really understand that “cyber crime today is very organised crime”, with different people and different gangs having specialised roles as in any mature business. “We might call it C2C business, Criminal to Criminal.”

Specialisation is particularly developed in the case of botnets - networks of infected computers often used for malware delivery – which are very popular with Russian cybercriminals. A chart from the paper “The botnet ecosystem”, by Kaspersky malware expert Vitaly Kamluk, illustrates the point.

The “customers” of the botnet (on the right) use it to access the data of compromised computers. “Carders”, for example, make their profits through confidential financial information such as credit card numbers, client account identifiers and passwords. Other types of customers include extortionists and unscrupulous competitors, who may, for example, launch DDoS attacks on their victims, as well as spammers who, according to Kaspersky Lab, send about 85% of their volume from botnets.

The criminal customers are supported by an entire ecosystem including the botnet owner and a network of technical suppliers who provide services such as writing malware or “bullet proof hosting” of the botnet command and control center.

The model is international, with participants working together over the Internet. The business may, for example, look to countries with a long tradition of hacking to find malware specialists while choosing jurisdictions with weak regulatory and judicial systems to site command and control centers. Victims, like the criminals, may be anywhere. Sometimes emerging countries are targeted, taking advantage of relatively weaker security and control in their financial systems, while at other times developed countries may be preferred due to higher average wealth.

While criminal activity on the Internet takes many forms, botnets have become a key driver in the growth of cyber crime over the last several years, due in large part to their efficient and flexible business model.

Another dangerous trend, observed by Kaspersky Lab researchers in 2010, is the increasing sophistication of malware, leading to more severe attacks.

A good example of all this was provided in October with the announcement, by the FBI and several counterpart national agencies, of the breakup of an international cyber crime ring and the arrest of dozens of people in the US, Britain and Ukraine. The ring had succeeded in stealing over 70 million dollars from online accounts in US and other banks, using a version of the ZeuS botnet.

While the announcement is of course welcome news, its main impact may be simply to increase awareness of the problem. The deterrent value of occasional spectacular arrests is doubtful. Criminals change their tactics frequently, and it can reasonably be expected that there will be plenty of new candidates.

Cyber War: critical infrastructure at risk

The situation with cyber crime may be bad, but the next trend - cyber warfare – may well be worse.

According to Eugène Buyakin, “We are especially worried about cyber terrorism, particularly in the form of attacks on critical infrastructure such as electricity grids, transportation networks and major industrial sites. The Stuxnet worm is probably just the beginning …”

The company’s researchers were involved early in the fight against Stuxnet - a malware of (officially) unknown origin - which attacks industrial control systems that are used in oil pipelines, power plants, large communication systems, airports, ships, even military installations.

They discovered two of the four “zero-day vulnerabilities” in Windows exploited by the worm and worked closely with Microsoft during the creation and release of patches for these vulnerabilities.

The company sees Stuxnet as a sophisticated malware attack carried out by a well-funded, highly skilled team with intimate knowledge of industrial control … and possibly conducted with nation-state backing.

There has been considerable speculation about the worm’s target, which was suspected to be the Iranian nuclear program. There have in fact been numerous reports of program delays due to malfunctioning enrichment centrifuges. The President of Iran, although not usually the most reliable of sources, has now publicly affirmed that the program was indeed attacked by Stuxnet.

While creating delay in the Iranian nuclear program may be a desirable objective, the emergence of Stuxnet seen more broadly is an extremely worrisome development. It may be the first time that a malware has, so to speak, crossed from the virtual to the physical world, with instructions to destroy industrial systems.

Stuxnet can be considered as a working prototype of a very dangerous “cyber-weapon” and the apparent - if partial - success of the attack will surely encourage others. If this new type of malware follows the usual technology commoditization process (as it almost certainly will), then such weapons could one day be within the reach, not just of nation states, but of at least some terrorist organizations. They may even be able to buy them over the Internet.

Business plans in a changing market

Kaspersky Lab is well established as a high tech “consumer brand”, with around 65% of its revenues in the B2C market for end point security. It is now looking to leverage that strength to expand in the business market.

At first glance, this strategy might seem surprising. In recent years, the dynamic consumer tech market has become the overall driver of innovation and growth, compared to the slower moving IT business market. In end point security, however, the business side seems to be showing the fastest growth.

According to Eugène Buyakin, the market “is in the early stages of the convergence of corporate and personal devices for business, with the merging of consumer and corporate IT security requirements. More and more, companies have to secure not only each corporate node, but every personal device that connects to the infrastructure too.”

There seems to be a feedback loop in action in the market. The explosion in “consumer type” devices in e-business is driving complex - and increasingly critical - endpoint security requirements for corporate information systems, hence the high growth … and possibly a window of opportunity for the Russian company.

Kaspersky Lab already has a B2B product offering, which has had reasonable success, especially in the SMB market space. Selling into the corporate market, however, will require a rich – and highly manageable – product set that can provide malware protection for all of the diverse elements of large and complex information systems. Recent announcements are a step in this direction, and more can be expected in 2011.

Looking forward, the company has also outlined its overall development priorities, as illustrated in the graphic taken from a recent presentation by Eugène Buyakin.

Kaspersky Lab is planning to expand its offering beyond anti-malware software, into related areas such as Data Loss Protection, Network Security and Hosted Security Services.

On a geographical basis, the company also expects to accelerate growth and significantly increase its presence outside of its traditional markets in Western and Eastern Europe. Asia-Pacific is a particular focus.

Duquesne Group feedback

Taken together, these business plans are – to say the least – ambitious.

On first analysis, the strategy makes sense. Changes in the market are in fact opening attractive opportunities for growth. The development priorities are based on the time tested approach of “strategic congruence”, leveraging core expertise (in this case, malware) and strength in current market segments to expand in – or to invade – “adjacent”, closely related segments.

Still, successful execution will be even more important than the strategy. No one doubts Kaspersky Lab’s technical expertise, but execution will be very challenging on the managerial, financial, human and commercial levels.

Here, we will limit our comments to three commercial issues that are critical for the move into the corporate market.

  • First, the Russian company will be facing a whole new level of competition, against strong and determined rivals, mostly American, with entrenched positions to defend. Some of them have access to the deep pockets of a parent company, for example McAfee with Intel and RSA with EMC. The company needs to be very selective about where – and how – it chooses to fight.

  • Second, Kaspersky Lab has always been essentially an indirect company, with a good reputation in the channels. For the corporate market, channel (and partner) management will become even more important and difficult. The company has in fact brought in some new talent in this area.

    It might also want to consider some new types of commercial alliances, possibly with a networking “challenger”. Partnering with services companies could be an interesting option, including for example cloud service providers who want to offer “Security as a Service”.

  • Third and finally, mindshare will be a key success factor. The company is known and respected in the consumer (and SMB) markets, but the brand is almost invisible in the corporate space. Current initiatives such as sponsoring will of course help increase awareness, but that is not enough for IT decision makers who are exposed all the time to the campaigns and messages of the competition.

    We think that Kaspersky Lab should aim for “thought leadership”. It has some interesting ideas, for example, concerning Total Cost of Protection (TCP) that could be fleshed out and built into a powerful marketing tool. Overall, Kaspersky Lab has outstanding intellectual resources, but they need to be turned into customer mindshare.

Wrapping up the conversation

As the session came to an end, we asked Eugène Buyakin for his take on the “big picture”.

“Our business plans are ambitious, but it’s about more than just financial success. It’s also about who we want to be as a company … and the contribution that we can make.”

Looping back to the beginning of our conversation, he added: “Cyber crime and cyber war – especially cyber terrorism – are very serious and dangerous problems. At Kaspersky Lab, we intend to do our part, but these problems are bigger than any one company … or any one country. To face up to them, all of us will have to work together.”

Wednesday, December 29th 2010
Duquesne Advisory

Duquesne Advisory

Duquesne Advisory Ltd is a European firm, headquartered in the UK, dedicated to researching, understanding and advising clients worldwide on opportunities and trends in Information and Communications technology.

Consulting

The analysts of Duquesne Advisory leverage the Firm’s ongoing market and technology research to undertake high added value consulting engagements for both ICT users and ICT providers. Focused on client service, their approach is rigorous and methodical, and at the same time pragmatic and operational.