Developing a Successful Market Entry Strategy for the Federal Cyber Security Enterprise
IT Security Entrepreneur’s Forum (ITSEF) Workshop: Session 4, Track 1, 4:30-5:30 PM, March 15, 2011


Page 1:

Prepared by:

Developing a Successful Market Entry Strategy for the Federal Cyber Security Enterprise
IT Security Entrepreneur’s Forum (ITSEF) Workshop: Session 4, Track 1, 4:30-5:30 PM
March 15, 2011

Page 2: Policy Still Chasing Threats

In response to numerous Internet worms, viruses, and hacks, the Federal government created many new laws and policies, which in turn resulted in market opportunities to supply the Federal government and certain industries (e.g. healthcare) with cybersecurity products and services.


© Civitas Group llc 2011 – Proprietary and Confidential

Timeline (1970–2010)

Attacks/Incidents:
• Morris (1988)
• Solar Sunrise (1998)
• Moonlight Maze (1998-99)
• Melissa (1999)
• Love Bug (2000)
• Code Red (2001)
• Nimda (2001)
• Klez (2002)
• BugBear (2002)
• Slammer (2003)
• SoBig (2003)
• Titan Rain (2004)
• Byzantine Foothold (2007)
• Conficker (2009)
• Stuxnet (2009)

Laws and policies:
• The Privacy Act of 1974
• Computer Fraud and Abuse Act 1984
• Electronic Communications Privacy Act 1986
• HIPAA 1996
• National Information Infrastructure Protection Act 1996
• Y2K Efforts
• Patriot Act 2001
• E-Government Act of 2002
• FISMA 2002
• OMB - (M-02-09) 2002
• Homeland Security Act 2002
• OMB - (M-04-04) 2003
• 1st National Strategy 2003
• CAN-SPAM Act 2003
• Veterans BHCITA 2006
• OMB - (M-06-16) 2006
• OMB - (M-07-16) 2007
• CNCI 2008
• 60 Day Review 2009
• Rockefeller-Snowe 2009
• DOD-DHS MOA 2010
• Lieberman-Collins-Carper 2010

Page 3: There is no “one-size-fits all” cyber capability…


Network path across the top of the matrix, from the ATTACK / EXPLOIT side to the DEFEND / SUPPORT side:
Domain User <<< Target System <<< Adversary’s Network <<< ISP <<< HTTP | HTTP >>> Perimeter Firewall >>> Client Server >>> Internal Firewall >>> Endpoint >>> User

Capability (attack/exploit side to defend/support side):
• Computer Network Attack
• Electronic Warfare
• Computer Network Exploitation
• Counter-Intelligence
• Computer Network Defense / Support
• Perimeter Security
• Situational Awareness
• Active Monitoring
• Information Protection

Activity:
• Step (t+5): Determine available weapon-target pairing and report options to C2
• Step (t+4): Distribute root-kit, key-logger, or other malicious HW/SW payload
• Step (t+3): Conduct network recon and identify priority systems for takeover
• Step (t+2): Mask intrusion and coordinate mission objectives
• Step (t+1): Conduct network surveillance; locate and exploit a backdoor
• Step (t-1): Prevent compromise of outer firewall, VPN, WLAN, or other access
• Step (t-2): Detect and respond to anomalous network activity or data leakage
• Step (t-3): Measure deviation of traffic and/or user actions from baseline data
• Step (t-4): Ensure integrity of user’s identity and credentials
• Step (t-5): Enforce policy compliance at the end-point
• Step (t-6): Encrypt data-at-rest; develop policies to restrict and track data-in-motion

Solution / Service:
• Command & Control
• Software, Hardware, Network, & Application Engineering Skills
• High-Speed Exploitation & Analysis; Cryptology (code-breaking)
• Steganography; Attack Heuristics; Information Sharing
• Automated Port-Scanning; Pre-Zero Day Exploit ID
• Vulnerability Assessment; Penetration Testing; DNSSEC
• SIEM; Internet Intelligence; HoneyPots
• IDS/IPS; Content Filtering
• ID Management; MLS
• Host-based Security; Policy Compliance; Mail Filtering
• Encryption; Database Security; App/Server Hardening
• Deep Packet Inspection

Associated CNCI Funding:
• Foundational investments
• A10 - Deterrence Strategy
• A9 - “Leap Ahead” Tech (attribution)
• A1 - TICs; A2 - Classified Networks
• A5 - Situational Awareness
• A2 - IDS; A3 - IPS (sensors)
• A2 - Classified Networks
• N/A - Revamped C&A Process (continuous)
• A9 - “Leap Ahead” Tech (encryption)

Specialized Companies:
• KEYW; Zytel; EndGame Systems; Scitor; Zeta Associates; EWA
• Core Security
• Narus; ArcSight; LookingGlass
• Bivio; NetWitness
• TCS; Pangia
• TripWire; BigFix
• Abraxas; SafeNet


Page 4: Consolidated Federal Cyber Security Spending

[Chart: Consolidated Federal Cyber Security Spending ($11B), FY05–FY15, historical and projected; y-axis ticks from $- to $14,000; series: IT Security Spending and CNCI]

Disclosed Federal cyber security spending is expected to exceed $55 billion over the next five years. While the Traditional IT Security component remains vulnerable to flattening IT budgets, CNCI and associated classified spending remains immune from such budgetary shocks – and will continue to drive immediate growth.

Market Components:
1) Cyber Security Spending Labeled CNCI (Intel Budget)
2) Traditional IT Security Spending (Federal IT Budget)
3) Remapping of Legacy/Analog IO Programs (Classified – not depicted)

While CNCI funds are believed to be growing at a steady rate (in excess of 5% CAGR), they only account for 35% of the overall cyber security spending by government.

The majority of funds – labeled here as “Traditional IT security” – are closely tied to macro shifts in general IT spending, which is currently undergoing a major shock.

These estimates are more conservative than those of select market research firms, but they have already been validated by two events: 1) the FY11 IT budget request was actually lower than that received in the previous year; and 2) additional details regarding future budget cuts at DoD suggest that Defense-centric IT expenditures will grow at roughly half the rate of Civilian IT spending, which, in turn, will have a significant impact on “embedded” IT security spending going forward.


Page 5: Schism Between CNCI and Traditional IT Security Spending Creates Bifurcated Market

Our view of Federal cyber security spending is clearly segmented along customer lines. When and how CNCI impacts a wider set of government stakeholders introduces uncertainty regarding the timing of new investment priorities that diverge from the long legacy of FISMA compliance.

[Diagram: customer segments IC, DOD (.mil), DHS (.gov), Federal Civilian (.gov), and State & Local/CIKR positioned by CNCI focus and by long-term versus short-term horizon; market fragmentation between Conventional IT Security Firms and Traditional Government Contractors Supporting DoD/IC]

Recent Developments

Eliminating the Gap
• Post of Cyber Security Coordinator established at White House
• CYBERCOM successfully stood up
• Updates to FISMA passed as part of the House’s FY11 Defense Authorization Bill include provisions for continuous, real-time monitoring

Widening the Gap
• Decrease of 1.6% for FY11 IT Budget Request
• FedRAMP is expected to become operational during Q1-CY11 – but current documentation appears geared towards low/moderate FIPS 199 requirements
• Interim version of a National Cyber Incident Response Plan (NCIRP) met with criticism from industry
• National Strategy for Trusted Identities in Cyberspace does not establish clear next steps analogous to HSPD-12

Page 6: Competing Cyber Security Mentalities Help Create Two Customer Classes

Response cycle diagram:
• 1. Protect (Static Rules)
• 3. Respond (Incident Management & Digital Forensics)
• Capability Sustainment

Traditional – Layering of Point Solutions to Achieve “Defense-in-Depth” (and point-in-time compliance)

CNCI – Establishing a “Response Cycle” that Effectively Limits Impact of Cyber Attacks (continuous)


Page 7: CNCI Ecosystem

The CNCI ecosystem presents a comparatively more hospitable market for emerging technology companies. However, new entrants will need to address multiple barriers to entry and a service-oriented market.

Competitive Environment (Moderate)

Barriers to New Entry
• Lower than traditional
• Clearances
• Contract vehicles
• Channel congestion, varies by sub-segment

Buyer Behavior
• Compelled by innovation and need for good solutions
• Funded
• Variety of involved agencies

Threat of Alternative Approaches
• Evolving environment with room for multiple approaches in some areas
• High complexity

Supplier Power
• Mixed depending on agency, but with pockets of fragmentation allowing opportunities

Page 8: Key Federal Customers

The key activities currently receiving the bulk of CNCI funds point to DOD, NSA, DHS, and DOJ as the critical Federal customers on which to focus. Within DOD, the main sub-components of interest are CYBERCOM (formerly JFCC-NW and JTF-GNO), DISA, and DC3. The NCIJTF is an additional critical element to the CNCI, which cuts across DOJ, DOD, and NSA.

Activity – Lead Agency; Supporting Agencies
• 1 – Trusted Internet Connections (TICs): Owned by individual agencies; oversight by DHS; enforcement by OMB
• 2 – Passive Intrusion Detection (Current EINSTEIN): DHS (US-CERT); NSA; TIC agencies
• 3 – Intrusion Prevention (Future EINSTEIN): NSA / JFCC-NW (Cybercom); DHS / US-CERT; DISA / JTF-GNO (Cybercom)
• 5 – Situational Awareness: DNI led; DIA / IC-IRC; DHS / NCCIC, NCSC & US-CERT; NSA / NTOC; DISA / JTF-GNO; DOD / DC3; FBI; and Agency CERTs
• 7 – Classified Network Security: NSA; DISA / JTF-GNO (Cybercom); Components and civilian agencies
• 9 – Leap-Ahead Technologies: DARPA, IARPA, NSF
• National Cyber Investigative Joint Task Force: FBI, DOD / DC3, NSA


Page 9: Key Contract Vehicles

In the near-term, CNCI-related funds will flow primarily through existing contracts and contract vehicles. Federal customers will seek the “path of least resistance” for acquiring needed cyber security products and services. DISA’s ENCORE II contract vehicle has been identified as the preferred vehicle across DOD and for some IC components. DHS’s upcoming EAGLE II contract vehicle will be critical for accessing key DHS IT and cyber security programs.

NASA’s SEWP IV and HHS’s CIO-SP2i contract vehicles are also widely used across both the Federal civilian agencies and DOD customers.

Federal Customer – Preferred Vehicle(s)
• Department of Defense: ENCORE II; SITE (formerly DIESCON 3 and ICE2); ITES-2S; Strategic Services Sourcing (S3); NETCENTS 1, 2
• Department of Homeland Security: EAGLE / EAGLE2
• Department of Justice: ITSS-3


Page 10: Competitive Environment

Lockheed Martin, Northrop Grumman, and Booz Allen Hamilton hold the largest number of key IT product or service contract vehicles across the major Federal customers.

[Matrix: contractors (ranked) versus contract vehicles by agency – DISA, DIA, Army, USAF, NSA, DHS, DOJ; vehicles: ENCORE II, DIESCON 3, ICE 2, SIA, ITES-2S, S3, NETCENTS, CNCI Contracts, EAGLE, ITSS-3]

Rank – Contractor
1 Lockheed Martin
2 Northrop Grumman
3 Booz Allen Hamilton
4 BAE Systems
5 CSC
6 CACI
7 General Dynamics
8 SRA International
9 Pragmatics
10 SAIC
11 HP / EDS
12 IBM
13 L-3 Communications
14 Unisys
15 Perot Systems (Dell)

Page 11: State & Local Governments Focusing Almost Exclusively on Cost-Cutting

Top S&L Technology Investments Identified by INPUT:
• IT Infrastructure Consolidation
• Decision-Support Tools
• Waste, Fraud, & Abuse Prevention
• Public Safety Force Multipliers
• Community Supervision for Non-Violent Offenders

Match to Priority Technologies, Applications, & Tools Identified by NASCIO:
• Virtualization, Cloud Computing
• Business Intelligence & Analytics Applications
• Legacy application modernization / renovation

Sources: INPUT’s State of the Public Sector (April 2010), NASCIO’s State CIO Priorities for 2011 (October 2010), NASCIO-Deloitte Cyber Security Study (September 2010), & NASCIO-TechAmerica 2010 State CIO Survey (August 2010)

From NASCIO Surveys:
• Security ranks only 7th on State CIO Priorities for 2011 – displaced by budget and cost control measures

From Deloitte Surveys:
• Only 13% of State CISOs reported utilizing established metrics to demonstrate business value of security investments (ROI)
• 42% of State CISOs reported having no privacy program in place
• The most common security function to outsource at the S&L level was identified as “threat management and monitoring services” (24% of respondents)

From TechAmerica Surveys:
• 64% of State CIOs predict a decrease in IT budget for the 2011-2013 period
• 54% of State CIOs are actively investigating cloud computing, but have not approved a pilot program yet


Page 12: State & Local Market

The S&L component of the market is the smallest in terms of size – but represents one of the most active areas in terms of SaaS cloud deployments (which have already yielded issues for security practitioners).

State – City – Solution – Vendor
• CA – City of Carlsbad – Communication / Collaboration – Microsoft
• CA – City of Los Angeles – E-Mail / Productivity – Google
• FL – City of Orlando – E-mail / Productivity – Google
• GA – City of Canton – E-mail / Productivity – Google
• MD – Prince George’s County School District – E-mail / Productivity – Google
• NM – Office of the Attorney General – E-mail / Productivity – Google
• NJ – Transit Authority – CRM – Salesforce
• OR – Klamath County – E-mail / Productivity – Microsoft
• WI – Department of Natural Resources – Communication / Collaboration – Microsoft
• FL – City of Miami – Platform (311 Service) – Microsoft
• VA – Information Technologies Agency – Platform (App Development) – Amazon
• CO – Office of Information Technology – Hybrid (Shared Services) – Google
• UT – Department of Technology Services – Hybrid (Shared Services) – Salesforce; Google
• MI – Department of Technology – Infrastructure Pilot – Unknown

Source: Vivek Kundra & Federal CIO Council, “State of Public Sector Cloud Computing,” May 2010.

Source: Civitas analysis drawing from NASBO State Expenditure Report, Gartner IT Metrics for Government / Public Sector, & INPUT’s State of the Public Sector

Active Cloud Deployment & Associated Vendor

[Chart: Distribution of IT Security Spending Across States by Region in FY10 ($3.2B Total), in $ millions (y-axis ticks 0 to 800); regions, with number of states in parentheses: New England (6), Mid-Atlantic (5), Great Lakes (5), Plains (7), Southeast (12), Southwest (4), Rocky Mountain (5), Far West (6)]

Page 13: Commercial Market

[Chart: Spending on IT Security in Relevant CI/KR Sectors ($30B) – Estimated Total U.S. Market Concentration within Top 50 Firms; sectors: Financial Services, Information Technology, Communications, Healthcare, Defense Industrial Base*, Energy, Transportation; y-axis ticks 0 to 12000]

Our view of commercial spending is composed of those industries that present a high-risk of cyber attack, and consequently demonstrate robust IT security spending. These sectors align to the government’s definition of select critical industries (CI/KR) – which collectively, represent nearly $30B in IT-Sec spending.

CAGR labels shown on the chart: -2.0% CAGR (conservative); +7.0% CAGR (volatile); +2.7% CAGR; +7.2% CAGR; +4.2% CAGR; +5.8% CAGR; +2.8% CAGR

Sources: Survey results above taken from PwC’s 2011 Global State of Information Security; sizing model to the right based on Civitas analysis drawing from Gartner’s 2010 IT Metrics, Industry Vertical Spend, and IT Security Spend – as well as publicly available financial data from the top 50+ firms within each industry (CAGRs based on aggregated industry reports).

Types of security incidents – 2008 – 2010
• Data exploited – 16% – 27%
• Network exploited – 20% – 25%
• System exploited – 15% – 23%
• Application exploited – 17% – 16%
• Network device exploited – n/a – 20%
• Social engineering (human exploited) – 15% – 15%
• Unknown vector – 44% – 33%

Page 14: Commercial Entities Propelled by Threat and Lack of Government Intervention

We observe higher potential growth rates (> 3% CAGR) within the commercial sector – especially as the private sector continues to stabilize and push ahead on security issues viewed as unique to a given industry.

CI/KR Sectors Profiled in this Study (7) – Public-Private Nexus; Attack Vector / Vulnerability; Policy Initiatives

Banking & Finance
• Public-Private Nexus: FBIIC; FS-ISAC
• Attack Vector / Vulnerability: Theft of PII; temporarily disrupt payment systems; permanently corrupt electronic records to undermine national accounts
• Policy Initiatives: MOU signed by NIST, DHS (S&T), and the FS-SCC (December 2010)

Communications
• Public-Private Nexus: NRIC
• Attack Vector / Vulnerability: Disrupting communications prior to a kinetic attack
• Policy Initiatives: United States Information and Communications Enhancement Act

Defense Industrial Base
• Public-Private Nexus: AIA; NDIA
• Attack Vector / Vulnerability: Theft of IP; compromise supply chain of equipment that is used to respond to an act of war
• Policy Initiatives: DIB Initiative (Information Sharing)

Energy
• Public-Private Nexus: NERC; FERC
• Attack Vector / Vulnerability: Compromise of SCADA control systems leading to outage, overload, or industrial accident
• Policy Initiatives: Bulk Power System Protection Act; multiple legislative efforts to secure the electrical “smart grid”

Healthcare and Public Health
• Attack Vector / Vulnerability: Theft of IP & PII; compromise of IT systems to alter treatment and/or dosage of medicine applied to patients
• Policy Initiatives: Project BioShield (BARDA); National Public Health Information Systems (PHIN/EWIDS)

Information Technology
• Public-Private Nexus: US-CERT; IT-ISAC
• Attack Vector / Vulnerability: Theft of IP & PII; undermine confidence in digital infrastructure that supports electronic transactions in all CI/KR
• Policy Initiatives: National Cyber Exercises

Transportation Systems
• Attack Vector / Vulnerability: Instigate a midair collision, derailment, or grounding of passenger or cargo vessel; disrupt ability to move supplies and assets to an emergency zone
• Policy Initiatives: Surface and Maritime Protection Programs (TWIC); Aviation Screening and Security Operations

Page 15: Case Example: LookingGlass

LookingGlass started with a unique capability developed from insight into customer needs. Slow sales cycles and a lack of service components have slowed penetration, but use of the product is accelerating.

Competitive Environment | Barriers to New Entry | Buyer Behavior | Threat of Alternative Approaches | Supplier Power
• Lack of GWAC vehicle
• Contracting cycle
• Certification
• Security clearances
• Minimal integrator uptake
• Slow
• Champion essential
• Ad hoc buys with year end money
• Service offerings by integrators
• Capabilities for development
• Customer insight

Page 16: LookingGlass Lessons

“Everything is long”
• After they had an identified buyer with a need and resources to purchase, it took 11 months to get under contract
• Lesson – know contracting and vehicles and help the customer be efficient

Need a champion
• Even after being under contract, implementation challenges continued
• Prime contractor changes exacerbate the problem
• Lesson – need a strong internal champion
• Lesson – incorporating service support into contract essential

Integrators were a competitor, not a channel

Page 17: Case Example: CloudShield

CloudShield began its existence in 2000, showcasing how DPI could be used to optimize network traffic at large service providers. This strategy was significantly impacted by the Telecom Crash of 2002. Government was not initially conceived of as the primary customer, until alternative uses of DPI became well-socialized.

Competitive Environment
• Less than commercial
• Internal build can be key competitor

Barriers to New Entry
• Cleared personnel
• Sales cycles
• Vehicles
• Privacy concerns

Buyer Behavior
• Sophisticated, technical
• FedCiv market bought more like commercial

Threat of Alternative Approaches
• New solutions possible to deal with expanding network traffic
• Homegrown solutions

Supplier Power
• Other providers in market (e.g. Bivio) but limited number
• Foreign entry restricted

Page 18: CloudShield – Keys to Success

Parallel roadmap commercial and Federal

Getting clearances was essential
• Clearances were necessary to be able to fully understand government needs and effectively
• Tailored products to support customer missions

Product service mix should be mostly product for VC backed companies
• Margin for services restricted by SI competition and government contracting
• Product offering with SI service support was good approach

Page 19: Traditional Ecosystem

The Traditional IT Security ecosystem is characterized by dominant suppliers, an overly restrictive contracting environment for new entrants, and compliance-driven buyer behavior. New entry will require seeking early adopters who recognize the current need and your technology’s unique advantages.

Competitive Environment (more intense)

Barriers to New Entry
• Higher than CNCI
• Sales cycles
• Contract vehicles
• Certifications

Buyer Behavior
• Compliance with FISMA, standards
• Budget conscious

Threat of Alternative Approaches
• Emerge slowly given large installed base

Supplier Power
• Significant buyer concentration e.g. among AV vendors

Page 20: Case Example: Bit9

Bit9 is a whitelisting solution with rapidly growing market penetration (quadrupled from 2009 to 2010).

Competitive Environment

Barriers to New Entry
• Government contract vehicle
• Government ecosystem
• Certifications

Buyer Behavior
• Buying behavior varies - some aggressive
• Civ agencies buy pilots; slower
• DoD difficult; large incumbents

Threat of Alternative Approaches
• Many alternatives to whitelisting
• But mitigated as part of layered defense

Supplier Power
• Channels owned by large providers
• Concentrated, making new entry harder

Page 21: Bit9 Keys to Success

Learn the buyer
• All agencies are not alike – there are early adopters and other followers; some are more sophisticated than others (e.g. IRS)
• Learn the ecosystem; analogy to commercial sector
• Expect policy and budget “side swipes”

Commit to DC
• Expect a year or longer to begin to get sales productivity
• Grow a DC presence; supplement in the meantime
• Executives should commit time to learning and being present in DC

Direct contact with customer – do not depend on partners
• Ultimately sales are similar to private sector – starts with marketing and sales calls and direct customer contact

Page 22: Case Example: Invincea

Invincea, a virtual browser security solution, introduced a fundamentally new approach (i.e. quarantine) to online activity.

Competitive Environment | Barriers to New Entry | Buyer Behavior | Threat of Alternative Approaches | Supplier Power
• Certification
• Long buying cycles, especially for new product category
• Complexity of buyer
• Buyers evaluating due to complexity
• Firewalls
• Network-based solutions for sensing malware
• Channels dominated by major providers of alternate end point solutions

Page 23: Invincea Lessons

Government is a long sales cycle – VCs must be understanding
• Diversify revenue sources: critical infrastructures and FFRDCs can be sources of near term revenue
• R&D can be a good source of funding and usually can keep IP
• Continuing resolution has slowed progress

Enterprise/end point sales more difficult
• Buyers tend to be network appliance focused
• Certifications necessary – net-worthiness
• Multiple buyers and influencers – senior security personnel, technology scouts – not always the actual buyer

Page 24: Appendix: Back-up Slides

Page 25: Structural Changes to DHS (Cyber)

The NCC and several NCSD components are expected to be reorganized under the recently-established National Cyber Security and Communications Integration Center (NCCIC).

[Organization chart: Office for Cyber Security and Communications (CS&C) with the National Communications System (NCS), the Office of Emergency Communications, and the National Cyber Security Division (NCSD); the NCS includes the National Coordinating Center (NCC); NCSD components shown: US-CERT, FNS, NSD, GCSM, CCPA; also shown: NCSC and a Critical Infrastructure Protection Branch; the National Cybersecurity and Communications Integration Center (NCCIC) takes in the NCC and US-CERT (US-CERT Incident Response and Watch Operations Activities only)]

Page 26: A Depiction of the U.S. Cyber Security Market

Columns: Size; Market; Customer; Spending Focus; Alignment with Product/Service. Vertical axis: increasing conformity / consistency of investments.

Federal Government

1. IT Security – ~$7.5B – Spending Focus: DOD IA Programs (CND)
A. Protect (e.g., vulnerability analysis, red-teaming)
B. Monitor, Analyze, & Detect (e.g., intrusion detection, indications and warning)
C. Respond (e.g., incident reporting and analysis)
D. Capability Sustainment (e.g., eval, training)

2. CNCI – ~$3.5B – Spending Focus: Select Focus Areas
A. Active Sensors (e.g., deep packet inspection)
B. Situational Awareness (e.g., visualization tools, enhanced info-sharing)
C. Attribution (e.g., digital forensics)
D. Offensive Capabilities (e.g., analytical tools and human capital for CNE/CNA operations)

S&L Gov

3. IT Security Geared Towards Continuing Budget Crisis – ~$3.2B
A. Cost-Cutting Technologies
B. Substitution for Essential Services

Commercial

4. Network-Reliant Sectors – ~$30B – Spending Focus: Diverse - No Regulatory Drivers (yet)
A. Network Security (e.g., data loss prevention, deep packet inspection, external threat feeds)
B. Risk Management / Mitigation (e.g., SIEM)
C. Post-Incident Response (e.g., digital forensics, intrusion analytics)