DOC-14384 - DNS Botnet Feasibility Report v5.1
- Pavan Raja

- Apr 8, 2025
- 9 min read
Summary:
This summary covers the challenges of selling the DNS analytics and botnet hunter solution across widely varying client DNS setups, and the recommendations made to address them:
1. **Multi-Step Approach for Solution Deployment:** - Initiate with ESP Professional Services to roll out the first opportunities (Section 1). This approach allows learning and refining design requirements before transitioning to ESP Tipping Point for a full product release. It also ensures optimization of technology integration and potential ArcSight enhancements while considering long-term goals and profitability margins.
2. **Architecture Discovery:** - Conduct architecture discovery tailored to the specific setup (client environment) including virtualized environments, outsourced solutions, or no pre-existing DNS infrastructure (Section 1). This involves understanding different architectures and potentially different hardware configurations.
3. **Discovery Process for Architecture Discovery:** - Determine who will conduct the architecture discovery: either HP Labs (currently qualified but not a delivery organization) or ESP Professional Services (PS) after training (Section 2). Define criteria for acceptable vs. unacceptable candidate clients based on market research.
4. **Market Size and Criteria:** - Recognize that there is an attractive market size due to the variability in DNS architectures, which requires further discovery of what constitutes a "normal" setup (Section 2). This involves understanding client requirements and specifications for successful deployment.
5. **POC and Deliverables:** - Focus on building a proof of concept (POC) for a single appliance, targeting completion by October 31st. This involves hardware build, software installation, configuration, architecture analysis, blacklist configuration, webserver setup for reports, and ArcSight alerting integration, among other tasks (Section 1).
6. **Consulting Opportunities:** - Explore ongoing consulting opportunities related to best practices and optimizing technology performance with existing infrastructure such as ArcSight integration after initial deployment (Section 1).
7. **Team for Delivery:** - Establish a skilled team capable of handling hardware building, software installation, configuration, analysis, etc., given the complexity of deploying this solution without a plug-and-play approach (Section 1). HP Labs is currently equipped but not part of the delivery organization.
8. **Determining the Team Selling the Solution:** - Identify and establish a clear, unified team responsible for selling and delivering the solution effectively, ensuring consistency in offering and avoiding conflicts between different teams (Section 2). This should be one channel where customers can go for this specific solution.
9. **Knowledge Transfer:** - Provide thorough training to the chosen team to ensure they understand all technical aspects of the solution's architecture, installation, etc., involving HP Labs and the new delivery/consulting team (Section 2). This includes commitment from both parties to guarantee a smooth transition of expertise.
10. **Selling the Solution:** - Ensure the seller or team responsible for selling this new solution has a vested interest in the success of the solution, focusing on providing strategic value and customer satisfaction rather than just financial gain (Section 2). This should be someone or a team not primarily motivated by product-based commissions.
In conclusion, these recommendations aim to address gaps in organizational structure for handling complex solutions not derived from existing products during knowledge transfer and sales representation. They suggest establishing unified teams, conducting comprehensive training, and ensuring primary motivation for the seller is customer satisfaction rather than solely financial gain.
Details:
The feasibility report on the DNS analytics & botnet hunter technology, developed out of HP Labs, highlights the potential for commercializing a professional services offering around this innovative cyber security tool. Key points include:
1. **Commercialization Possibility**: There is potential to build a professional service around the DNS analytics & botnet technology due to its ability to simplify complex issues in cybersecurity by providing actionable alerts from large data streams like DNS with minimal false positives.
2. **Market Interest and Potential**: The technology's focus on simplifying security processes for enterprises could be appealing, particularly as cyber threats become more sophisticated. However, the market size remains uncertain, making it challenging to predict demand effectively.
3. **Technology Explanation**: The DNS analytics & botnet hunter works by analyzing DNS data to identify potential security issues and generate alerts. It requires a combination of hardware, software, and professional services for optimal performance.
4. **Cost Consideration**: Given the complexity and integration requirements, the solution could be costly for large enterprises. Pricing will need careful consideration to balance cost with value offered.
5. **Team Responsibilities**: A specialized team with top-level executive buy-in is crucial for overcoming challenges in commercializing this technology. This includes commitment to training technical teams and ongoing support post-installation.
6. **Commercialization Challenges**: The main challenges include the high cost of the solution, lack of ongoing client support, uncertainty about market size, and the need for significant technical training for both internal teams and clients.
In conclusion, while there are potential benefits to commercializing this technology through professional services, several critical factors must be addressed including market understanding, financial planning, and robust team management to mitigate risks effectively.
ESP consultants train on DNS architecture and installation, with the aim of creating a solution that includes hardware (ESP PS), software (Vertica), services, and possibly additional products not yet specified. The ESP PS will require commitment from 1-2 consultants to learn these skills, and initial training involves shadowing HP Labs experts during sales and delivery phases.
For each deal, the ESP PS nominee must scope and price it individually, since no ESP products are included. The specifics of order placement (combining hardware, software, and services) will need to be worked out by an assigned resource. The solution must include all necessary hardware and software purchases, such as Vertica, which requires installation assistance from ESP PS.
Vertica pricing is reduced for these solutions, with the first client receiving special discounted rates. Overhead in covering development costs for this technology involves resources from HP Labs, ESP PS consultants, and ESP Solutions Innovation, totaling an estimated 140 hours of combined commitment. The innovation focuses on analyzing DNS traffic to filter out known-good data, leaving a manageable stream useful for security purposes like detecting botnet infections or other advanced persistent threats (APTs) and compliance issues.
The HP Labs algorithm first filters out roughly 99% of collected DNS traffic as known good and analyzes only the remaining 1% to identify actionable alerts related to botnets, such as data exfiltration, inappropriate web surfing, and DNS attacks. In testing this method produced about 12 actionable events per day with minimal false positives, providing a valuable stream of real-time alerts about infected hosts in advanced persistent threat (APT) scenarios.
The technology is appealing due to its effectiveness in solving a hard problem in a client-friendly manner, offering a manageable amount of daily alerts for botnet-infected hosts. There's potential for scalability and expansion into new markets such as cloud services, telcos, and DNS providers. The initial market interest has been found with 10 clients willing to purchase the solution at $250k for small/entry-level and $1M for large/advanced solutions, potentially generating sales of $2-$8 million in the first year.
Competitively, Damballa is one of the major players in this space, along with Netwitness. The technology operates through hardware-based network packet sniffers placed strategically on a tap that has access to all DNS traffic, utilizing intelligence and advanced algorithms for analysis.
The solution described is designed to intercept and analyze DNS traffic from a network, specifically aiming to drop 99% of it as "known good" while analyzing the remaining 1% for suspicious activity related to botnet communication. This analysis involves checking whether hosts are communicating with blacklisted sites or querying non-existent domain names (NXDOMAIN responses, a common side effect of malware that generates candidate command-and-control names).
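The following is an added example illustrating the two-stage approach described above; it is not HP Labs code and does not reproduce their algorithm. It assumes a simplified resolver log format (`<client_ip> <qname> <rcode>`), a small allowlist of known-good registered domains, a blocklist, and an NXDOMAIN-per-client threshold, all constructed for illustration. Stage 1 drops successful lookups of allowlisted domains; stage 2 alerts on contact with blocklisted domains and on clients that accumulate NXDOMAIN responses.

```python
"""Two-stage DNS triage: drop known-good queries, then flag blocklist hits
and clients generating many NXDOMAIN responses.

Added example; not HP Labs code. The log format, allowlist, blocklist and
the NXDOMAIN threshold are assumptions made for illustration only."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field

# Constructed resolver log, one response per line: <client_ip> <qname> <rcode>.
SAMPLE_LOG = """\
10.0.0.5 www.example.com. NOERROR
10.0.0.5 mail.example.com. NOERROR
10.0.0.5 cdn.known-good.net. NOERROR
10.0.0.7 update.known-good.net. NOERROR
10.0.0.7 www.example.net. NOERROR
10.0.0.9 www.example.com. NOERROR
10.0.0.9 c2.botnet.invalid. NOERROR
10.0.0.9 kq7zxa3.example.org. NXDOMAIN
10.0.0.9 m2pq9vd.example.org. NXDOMAIN
10.0.0.9 zz81lpo.example.org. NXDOMAIN
10.0.0.9 ra5kd0w.example.org. NXDOMAIN
10.0.0.7 typo.exmaple.com. NXDOMAIN
"""

# Assumed lists. A real deployment would use a reputation feed and a
# Public Suffix List aware registered-domain extractor instead of these.
ALLOWLIST = frozenset({"example.com", "known-good.net"})
BLOCKLIST = frozenset({"botnet.invalid"})
NXDOMAIN_THRESHOLD = 3  # assumed: NXDOMAINs from one client before alerting


@dataclass
class Alert:
    kind: str       # "blacklist" or "nxdomain_burst"
    client: str
    qname: str
    detail: str


@dataclass
class TriageResult:
    seen: int = 0
    dropped: int = 0          # known-good responses discarded before analysis
    alerts: list[Alert] = field(default_factory=list)

    @property
    def retained(self) -> int:
        return self.seen - self.dropped


def registered_domain(qname: str) -> str:
    """Return the last two labels of a name (simplified; no PSL handling)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> tuple[str, str, str] | None:
    """Split a log line into (client, qname, rcode); None for malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    client, qname, rcode = parts
    return client, qname.lower().rstrip("."), rcode.upper()


def triage(log_text: str, allowlist=ALLOWLIST, blocklist=BLOCKLIST,
           nx_threshold: int = NXDOMAIN_THRESHOLD) -> TriageResult:
    result = TriageResult()
    nxdomain_per_client: Counter[str] = Counter()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        client, qname, rcode = parsed
        result.seen += 1
        domain = registered_domain(qname)

        # Stage 1: drop successful lookups of allowlisted domains as known good.
        if rcode == "NOERROR" and domain in allowlist:
            result.dropped += 1
            continue

        # Stage 2a: any contact with a blocklisted domain is actionable.
        if domain in blocklist:
            result.alerts.append(Alert("blacklist", client, qname,
                                       f"registered domain {domain} is blocklisted"))

        # Stage 2b: NXDOMAIN bursts; alert once when the threshold is reached.
        if rcode == "NXDOMAIN":
            nxdomain_per_client[client] += 1
            if nxdomain_per_client[client] == nx_threshold:
                result.alerts.append(Alert("nxdomain_burst", client, qname,
                                           f"{nx_threshold} NXDOMAIN responses"))
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"seen={r.seen} dropped={r.dropped} retained={r.retained}")
    for a in r.alerts:
        print(f"[{a.kind}] {a.client} {a.qname}: {a.detail}")
```

On the constructed log, 5 of 12 responses are dropped as known good and two alerts remain: one blocklist hit and one NXDOMAIN burst, both for 10.0.0.9. The single typo lookup from 10.0.0.7 stays below the threshold, which is the point of counting per client rather than alerting on every NXDOMAIN.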
The solution's architecture includes:
- Hardware components including servers and a Vertica cluster (with disk space estimated at 3TB, potentially expandable based on client needs).
- Software tools such as HP Labs innovation software for DNS analysis, ArcSight Logger for logging and alerting, and optionally ArcSight ESM for further action based on alerts.
- A webserver for hosting a GUI tool with a dashboard that displays vertices useful for hunt teams.
- Vertica license ranging from 100TB to 180TB depending on specific client requirements.
The solution involves setting up servers, installing necessary software, configuring the Vertica cluster and ArcSight Logger, and integrating with ArcSight ESM. The process includes architecture discovery, hardware provisioning, software installation, and integration setup.
Educated guesses for the cost of this solution include:
- Architecture Discovery (10 hours) at $3,000.
- Hardware costs (servers and Vertica cluster) totaling around $60,000 each.
- Software licenses such as Vertica ranging from $100,000 to $180,000, depending on the scope of client needs.
These estimates are subject to change based on specific requirements and risks associated with being a first-of-its-kind solution.
This innovation involves setting up a DNS botnet solution on a client site, including hardware ordering, installation, configuration, training, and ongoing maintenance. The estimated total cost for this project is $409,000 USD, broken down into various components such as software (webserver and Linux), services for hardware order and build, Vertica install and configure, DNS botnet solution installation, environment tuning, client training, buffer for unknown hours, and travel expenses.
Regarding the team to commercialize this innovation, three possible options are considered: ESS, ESP Tipping Point, and ESP Professional Services.
ESS could potentially build this as a managed service on a cloud deployment option but faces concerns about not being able to make it an official supported product for optimal profit margins and stability.
ESP Tipping Point could develop the solution into an appliance within the Tipping Point brand, though there are concerns that it would not be optimized for ArcSight use or work seamlessly with it. Additionally, this approach still requires services, since the solution is not plug-and-play.
ESP Professional Services has the potential to set up the solution in a way that optimizes both the technology and integration with ArcSight (ESM, Logger, and Data Hunter). While they cannot make it an official supported product for optimal profit margins and stability, this approach could be beneficial for learning and refining the design requirements before transitioning to ESP Tipping Point for a full product release.
Recommendation: Start with ESP Professional Services to roll out the first opportunities, transition to ESP Tipping Point after initial learnings, and build services around it without conflict once fully developed. This multi-step approach allows for optimization of technology integration and potential ArcSight enhancements while also considering the long-term goals and profitability margins for all involved parties.
The text discusses challenges in selling a technology solution related to DNS architecture across various client setups, including enterprise environments with up to 600 DNS servers, virtualized setups, outsourced solutions, and those without any existing DNS infrastructure. To be successful, the sales process involves understanding and adapting to different architectures, which can vary widely among enterprises.
Key points:
1. **Architecture Discovery**: The technology tested in an enterprise with 6 DNS clusters is scalable but may not fit all clients due to setups like virtualized environments (e.g., AWS), outsourced solutions, or no pre-existing DNS infrastructure. This requires a tailored approach and potentially different hardware configurations.
2. **Discovery Process**: Questions arise regarding who will conduct the architecture discovery for potential clients:
Currently, only HP Labs is qualified, but it is not a delivery organization; training within ESP Professional Services (PS) would be necessary.
Criteria for acceptable vs. unacceptable candidates need to be defined and potentially refined through market research.
3. **Market Size**: The variability in DNS architectures suggests that enough clients meeting specific criteria exist to maintain an attractive market size, but this requires further discovery and understanding of what constitutes a "normal" setup.
4. **POC and Deliverables**: Tipping Point is working on a proof of concept (POC) for a single appliance; the target completion date is October 31st. This involves building hardware, installing software, configuring settings, conducting architecture analysis, understanding the blacklists used, setting up webservers for reports, and integrating with ArcSight alerting systems, among other tasks.
5. **Consulting Opportunities**: Beyond initial deployment, there are opportunities for ongoing consulting related to best practices and optimizing the technology's performance with existing infrastructure (e.g., ArcSight integration).
6. **Team for Delivery**: Given the complexity of deploying this solution without a plug-and-play approach, it necessitates a skilled team that can handle hardware building, software installation, configuration, analysis, and other related tasks. At present, HP Labs is equipped to handle these responsibilities but they are not part of the delivery organization.
The passage outlines the challenges in delivering a specific solution, which involves transferring knowledge from HP Labs to another team for further distribution and sales. Key questions are raised regarding the structure of the transfer process:
1. **Determining the Team Selling the Solution:**
A clear, unified team needs to be identified that will handle all aspects of selling and delivering this solution effectively. This involves ensuring consistency in offering and avoiding conflicts between different teams competing for sales. The passage suggests creating a single channel where customers can go for this specific solution, indicating that one designated team should manage the entire process from knowledge transfer to delivery.
2. **Knowledge Transfer:**
Once the team is chosen, it must undergo thorough training to understand and be proficient in the solution's architecture, installation, etc. This requires commitment from both HP Labs and the new delivery/consulting team to ensure a smooth transition of expertise. Training should cover all necessary aspects to guarantee knowledgeable staff who can effectively represent and explain the solution.
3. **Selling the Solution:**
The passage addresses the issue of commission conflicts that arise with solutions not tied to products, suggesting that this specific innovation does not fall into such a category yet presents similar challenges in sales representation. Questions are posed about:
Who will be responsible for selling this new solution? Ideally, this person or team should have a vested interest in the success of the solution since they won't directly benefit from product-based commissions. Their focus should ideally shift to providing strategic value and customer satisfaction rather than just revenue generation.
In summary, the passage points out that there are gaps in the organizational structure for handling complex solutions not derived from existing products, especially concerning knowledge transfer and sales representation. Key questions revolve around establishing a unified team for selling and delivering the solution, conducting comprehensive training for this team to understand all technical aspects, and ensuring the seller's primary motivation is customer satisfaction rather than solely financial gain.