SignaCert Profile: Coming Out of Stealth Mode
By Kate McPherron, technology evangelist
Measuring what is ‘good’ in an enterprise IT system to stay stable and secure by correcting degradation, drift and change
Founded by Wyatt Starnes in 2004, SignaCert delivers software and subscription services that provide 100% enterprise-wide integrity verification. The company’s products enable business and government organizations to measure, validate and maintain the state of their enterprise infrastructure using a known, trusted reference. The company is privately held, and is funded by $10 million of venture capital from Doll Capital Management, Intel Capital, Smart Forest Ventures, Smith Investments and others.
The following interview with Wyatt Starnes and Bill Bradley of SignaCert took place in January 2007.
KM: How did the idea for SignaCert arise?
Wyatt Starnes: I’ve found that the traditional approach to enterprise management and security has largely been perimeter centric and highly reactive, that is, focused at trying to keep the bad stuff out. And while there has been (and still is) real value to this approach, it has reached a point of diminishing returns for customers. It is also increasingly difficult to keep up because the external threats are increasing, and the attacks are getting more sophisticated.
The SignaCert approach is approaching the problem from another angle. Most IT departments dangerously assume that what was originally deployed (on an IT device) is what is still loaded/running today. This IT blind spot is the source of many common enterprise security and system management issues.
We decided to look at the problem differently: What if we reduced our complete reliance on bad list detection/filtering, and focused on measuring and managing against the good things? What if you managed to what you do know within your enterprise? If you think about it – trying to identify and defend against all of the bad things that are targeting the IT devices is an infinite challenge at best. However, with best practices, understanding the desired configuration environment of a device is finite and manageable.
That’s where we come in…we’ve spent the last two plus years building – in many cases working directly with independent software vendors (ISVs) and OEMs – a reference repository of many of the operating systems (OS) and applications files commonly used in most IT environments. Additionally, we have developed highly capable harvesting technology which allows customers to add their unique and proprietary software.
With this method you now have a trusted reference that covers 100% of your enterprise and can be used to measure and manage your network in a much more proactive way. We’ve been calling this a “simple revolution.” We are providing the power of fine-grain knowledge – the ability to prove – that all of your systems and endpoints are deployed and configured as desired/intended.
Now for the first time you can systematically prove that your IT devices have the correct and desired configuration environment (configuration build AND integrity measurements), and that each data element on that device is as you expect and desire. And the SignaCert method allows you to measure and validate to the trusted reference throughout the lifetime of the device usage, not simply upon build or deployment.
How the ideas evolved into a business
KM: Why has partnership development been so important?
WS: The first objective was to get people to look at this and see that the blind spot really does exist, and that it’s one of the major elements causing IT to be hard for companies to manage and secure. In order to solve that problem well we had to gain cooperation among software and hardware vendors. One of the reasons we’ve been in stealth mode for three years now is the tremendous amount of partnership development that has had to go on.
KM: How do industry standards relate to your work?
WS: A very large percentage of our partner and technical work was spent to establish industry standards, so that customers can run any software they want and the mechanism of validation is the same. In order to be most pervasive, methods like this need to be based on standards – a standardized industry approach to data measurement and verification provides a consistent and accurate means for customers to report the state of their platforms.
KM: How does your development model affect your customers?
WS: One of the interesting dynamics we discovered is that the partners, not customers, would drive this, even though customers ultimately pay the price for security, reliability and availability in the cost of incremental hardware/SW systems, add-ons or lack of efficiency in all the IT people it takes to manage the system.
It’s really a supply-side issue, because suppliers are having a much harder time differentiating this year’s offerings from last year’s. Increasingly purchases are driven by security, manageability and cost of ownership – trust issues. The supply side has finally begun to realize they have to work together to make a safer offering for their customers, or they risk not selling like they used to. I don’t think we’re seeing commoditization; I think what we’re seeing is an interim saturation point that’s based on manageability, safety, reliability and trust issues.
KM: Is this an unusual pattern?
WS: This is a similar pattern to what other industries have gone through. Ask someone the last time they flew if the plane was a Boeing or Airbus, and if it was running GE or Rolls Royce engines. The business process of an airline is to get you from point A to point B for reasonable dollars in a predictable way; it’s not about the brand of the equipment. Fundamentally, that’s where IT needs to go: to care that whatever the platform, IT delivers its business promise: trustable, reliable and dependable.
We help our supplier partners by creating this instrumentation mechanism to deliver higher trust solutions than there were a year or two ago. That’s a tremendous benefit for both the supply side and the consumer side.
To be this stealthy for this long is a little bit unique for me, but there’s been a tremendous amount of technology and partner development behind the scenes. Frankly, we just wanted to stay heads down and focus on building the product and understanding the customer needs. We’re out with customers a lot. This product was not built behind closed doors. It’s been built very much in cooperation with customers and partners. We’re very fortunate to have such strong partnerships and customer access.
After years of “stealth” comes the unveiling
KM: Tell us about your product unveiling.
WS: On January 31, 2007, we introduced a tiered architecture that’s intended initially to be deployed by large enterprise customers, both commercial and government. At the core of these offerings is the Enterprise Trust Server (ETS) that lives in the customer’s enterprise and contains very precise measurements of all the software components, including the OS, applications and platforms, that the customer has deployed throughout the enterprise, making it quite easy to sample and measure, to be sure what is running is what is expected. The benefit to customers is simple: to the extent that all the software running critical business processes is trusted and can be verified, the system is going to be more stable, reliable and secure. This is the first offering in the marketplace that does that.
Another part of SignaCert’s offering is the Global Trust Repository (GTR), a large database of software measurements that were captured in cooperation with the large software vendors including Sun, Intel, Microsoft, IBM and numerous others. The GTR is a trusted reference that allows customers to verify the integrity of their enterprise.
KM: Can you give us more detail on how these products work?
WS: We’re working with the notion of “mean time to failure.” In IT, this applies to system availability: How long does the system operate until it breaks and when it does break, how long does it take to repair? Just like with an auto or appliance, the goals are simple: to run as long as possible, anticipate and prevent factors that lead to failure, and if the system does fail, to fix it as quickly as possible.
SignaCert helps customers maximize the mean time to failure and also helps if the system does fail, alerting as soon as something changes, and showing precisely what changed. We give detailed and fine-grained information for how to repair and return the system to a trusted state. This is a highly versatile product and customers use it in many different ways. For instance, when making a VPN connection, the enterprise can request the health of my local system, and decide if my system is safe to access the network. The industry has been stymied by VPN security for a number of years, and we’ll add a tremendous amount of value to that scenario.
KM: Tell us how else customers will benefit from these products.
WS: Other ways that companies will benefit from SignaCert and its products:
- First, tangible economic benefits: When systems are more reliable, stable, faster to repair, there is simply more run time for the same dollars.
- Second, being more secure. For instance, credit card vendors who deploy this and reduce the number of security incidents in which they have to pay out money see tangible results.
- Third, better regulatory compliance. Customers subject to HIPAA, Sarbanes-Oxley, SEC and other regulations benefit if they can prove their systems are compliant, primarily by avoiding fines. And those fines, as we’ve seen in the paper recently, can be significant.
Although there are a wide variety of benefits, we’re focusing this initial launch on three use cases:
- Gold image verification: Proactively define OS, applications and configurations for your multi-platform systems, and continually validate their state against a trusted reference.
- Endpoint integrity: Gain greater control and reliability by knowing the current state of your systems.
- Regulatory compliance: Deliver fine-grained verification of your enterprise and prove it is deployed as intended.
SignaCert is an Oregon company
KM: Why did you choose to base SignaCert in Oregon?
WS: We’re located here because we love Oregon and it’s a great place for this kind of technology company. We have a rich history of technology innovation, starting with companies like Tektronix. Although it’s not one of our major markets, it turns out this is a great hub, a great place to operate from, since we do a lot of business in Asia, a lot on the East Coast in DC, New York and Boston, as well as the Bay Area.
Portland has the feel of a progressive urban culture. We’re downtown, where we contribute to and benefit from that progressive feel, whereas a lot of software companies in other areas are in suburban business parks. We have assembled a world-class team who are primarily Oregon-based. Paul Nadeau, our CFO and VP of operations, comes to us from Tripwire and Frank Tycksen, VP of engineering, was with Intel’s Trusted Platforms Lab. We hired our president and COO, Amal Chaudhuri, out of Wall Street and he’s happy to be moving, so it’s also a great place to recruit to. We are fairly active in the community with industry associations like SAO, OEF and others. Even our funding has local aspects; about half of it is from the area, with Intel Capital and others, which reflects well on the area’s contribution to the company.
Where SignaCert is headed
KM: So where do you go from here?
WS: We’ve been pretty R&D- and product-centric for the last couple of years. An obvious evolution will be in a direction that faces the marketplace, layering in more messaging and selling. I expect SignaCert to grow rapidly; right now we’re about two-thirds R&D, and one-third marketing and support, but a year from now, we expect to be 50:50 with the growth in sales and marketing. That ratio may even skew to sales and support over time. The market potential is tremendous.
About the Author
Kate McPherron, a technology evangelist, has helped technology and industrial firms manage and market their products and services for the past 20 years. She can be reached at klm54@cornell.edu.