iDefense Hones Risk Management, Cyberthreat Consulting Role

By Marianne Dunn, Staff WriterInfrastructure Defense Inc. of Alexandria, Va., which just struck an information exchange partnership with Carnegie Mellon University's Computer Emergency Response Team (CERT) Coordination Center, is poised to sign up new government and commercial customers, company officials said.Founded in August 1998 and known as iDefense, the company draws about 60 percent of its business from the commercial sector and the remainder from government clients. But that mix is shifting and could soon change substantially, company officials said.Among the privately held company's clients are Citigroup, Microsoft Corp. and the British Ministry of Defence. While most of its government business is Defense Department-related, company officials are "working on a number of other potential contracts," said Jerry Irvine, media and public relations director at iDefense.The company, which provides a combination of risk assessment, risk management and consulting and cyberthreat intelligence, helps its clients "understand and defend against the growing business risks associated with dependence on electronic information and communications networks," said James Adams, chief executive officer of iDefense. "In the battle to protect critical operating systems, intelligence is key."The former chief executive officer of United Press International, Adams heads up the company, whose 30 employees were drawn from the Air Force, the Clinton administration's critical information assurance office, the Navy and the private sector.iDefense can act as an intelligence arm for a business that will search for threats and vulnerabilities through open sources and has other arrangements that can bring its customers proprietary information. The exchange program with the CERT center is one example of the latter, company officials said.Under that program, iDefense will be named an external user of the CERT coordination center's Knowledgebase, an extensive compilation of information technology vulnerabilities, attacker methods and security incident impacts. The CERT Coordination Center is part of the Networked System Survivability Program at the Software Engineering Institute, a federally funded research and development center sponsored by the Department of Defense and operated by Carnegie Mellon University.The pilot exchange program also calls for iDefense to share its own proprietary knowledge base with the center. The arrangement is unique in that it is the first such partnership between CERT and a private company, said Irvine. iDefense officials said the relationship will benefit both public and private sectors. "Access to accurate, timely information is key to enabling organizations to protect their information infrastructures," said Rich Pethia, CERT Coordination Center director. "This relationship will enhance the ability of both the CERT/CC and iDefense to meet the information needs of the communities they serve."From the center, iDefense will learn about the latest methods of electronic attack and the countermeasures available to thwart them. The center will use the relationship to improve its understanding of critical private industry systems and learn about industry's perspective on the list of threats to critical infrastructure.Jerry Grossman, a director with the investment banking firm Houlihan Lokey Howard & Zukin of McLean, Va., called cybersecurity a growing market opportunity. "After the turn of the year, after Y2K issues settle down, information security will be a dominant theme," he said. Adams agreed that business in the government space will pick up after Jan. 1. "Post Y2K, everyone will have a hard lesson on how the information revolution has created a new range of dependencies," he said. "These dependencies create vulnerabilities."The company has no direct competition that offers the full range of security risk management and auditing coupled with the cyberthreat intelligence arm, iDefense officials said. But executives know that could change as startups are founded and larger information technology conglomerates add intelligence and risk management to their menus."But startups are hard work. Many are called; few survive," said Adams. "A big company could recognize this as a large opportunity and pull its resources. But big companies always move slow." For the time being, he said, iDefense is way ahead of the competition. "We have come a long way in a year and have had to learn to apply the lessons we have learned," Adams said. "Anyone coming after us will have to learn a lot, too."