Sandstorm Enterprises

In the Boardroom With...
Mr. James Van Bokkelen
Sandstorm Enterprises, Inc.

Thanks for joining us today, James. Please give our audience an overview of your background and your role at Sandstorm Enterprises.

James Van Bokkelen: Sandstorm is the third startup I've been involved with; the first was PTC, a touch-tone/voice response company, the second was FTP Software, a pioneer in putting PCs on the Internet, that went public on NASDAQ in 1993. FTP was a fun place - rapid growth, good cash flow and a lot of high-energy interaction with customers and other Internet software developers. I participated in several important Internet standards efforts and learned a lot about protocols, supportable software and interoperability.

Sandstorm was my introduction to the IT security arena. We founded the company in 1998, with a focus on "Tools with Sharp Edges", new software and technologies to cover some of the gaps in the then-state-of-the-art. Now, in 2006, we've got two products with a pure security focus, and two more general purpose tools with many security applications.

Sandstorm's NetIntercept is a network forensics and analysis appliance that inspects data entering and leaving the organization via the Internet. Please give us an overview of NetIntercept, other offerings in Sandstorm's product line and the key competitive advantages which are offered.

James Van Bokkelen: PhoneSweep was our first product. Before it came out in 1998, people needing to secure their perimeters against rogue modems had to use the same low-level wardialing tools as their attackers. We excelled in ease of use, robustness, throughput, reporting and tech support, and captured most of the market in a year or two.

Our telephone honeypot, Sandtrap, was an offshoot of the PhoneSweep technology, and it was another first: There's no other commercial tool for detecting and trapping wardialers.

NetIntercept is aimed at a broader audience: A second-generation network analysis tool, it lets you work with connections and sessions between machines on the network, rather than individual packets. It is a superior choice for a security professional who needs to pursue illicit activity or analyze the aftermath of an attack.

LANWatch has the longest history of any of our products, as it goes back to NetWatch, the first graphical Ethernet packet monitor developed at MIT in 1983. Sandstorm purchased it primarily to use as a packet viewer for NetIntercept, but we offer it as an independent product as well.

We understand you've had several impressive wins in the U.S. Government sector. Without divulging any confidential or sensitive information, can you tell us about 1 or 2 success stories?

James Van Bokkelen: With PhoneSweep, it's more a question of which governments and agencies aren't using it. We're the go-to people, and telephone scanning is a recommended practice. Only a few groups have the "not invented here" mentality that would keep them from coming to us. With NetIntercept, it's not just the U.S. Government: we've sold NetIntercept in a number of countries. Some sites are doing event analysis; others are doing routine monitoring of traffic. International customers have a completely different perspective on accidental leaks of confidential information than our commercial customers: there are more leaks; many of their personnel know it, and there's much more at stake.

What about wins at the State and Local level?

James Van Bokkelen: Below the national level, there isn't the same focus on security. Our PhoneSweep sales are concentrated in money-handling departments like taxation and pension management. NetIntercept sales to states, cities and counties are mostly being used operationally, and to detect and investigate abuse of resources and harassment.

Sandstorm Enterprises also serves security consulting firms. Can you provide some examples of these relationships?

James Van Bokkelen: Most consulting firms, big or small, offer telephone scanning services. They don't advertise the details, but they almost always deliver with PhoneSweep. The product's template-driven report system was designed for customization by consulting firms, and it's been very successful in that regard.

NetIntercept isn't widely owned by consulting firms, because traffic archiving, event analysis and routine monitoring are site-specific and done on an ongoing basis, rather than engagement by engagement. But we have quite a few sites where the security function has been outsourced to a contractor who runs NetIntercept for their customers.

Let's turn to the enterprise verticals for a moment. Are there success stories in the finance, healthcare, and other verticals you'd like to mention?

James Van Bokkelen: It's a rare financial firm that doesn't either own PhoneSweep, or hire a consulting firm for periodic sweeps. We've also sold a lot of NetIntercept there, primarily for event analysis; those firms have enough at stake that they can't just trust a signature-driven IDS to catch everything that matters. Healthcare, high-tech and manufacturing firms in competitive markets have similar types of concerns.

We noticed the following favorable mention about NetIntercept in "Digital Evidence and Computer Crime" (2nd Edition, 04), "NetIntercept's graphical user interface allows the examiner to select criteria for filtering such as source and destination IP addresses within a certain time period. Also, NetIntercept interprets protocols rather than simply making assumptions based on default ports." That's a pretty impressive endorsement. Any comments? Are there any nominations, awards or other press mentions you'd like to talk about?

James Van Bokkelen: We earned that: NetIntercept's competition shows you a web page by passing captured HTML to a browser. We capture the connections that fetch the page contents and correlate them to the HTML. We showed the author that we had the advertising images from the original page view, while competitors fetched new ones.

PhoneSweep got a lot of press when it was first introduced, but since it's become an industry standard, it hasn't been quite as newsworthy. Still, we usually get a few mentions when we release new features. For example, we have recently released new versions of NetIntercept, PhoneSweep, and Sandtrap, with good results.

Any projects in the International market?

James Van Bokkelen: We've marketed our products internationally since the beginning. PhoneSweep has sold well outside the US because we make it easy to use with different local or PBX dialing and signaling standards. NetIntercept got several internationally-oriented features in version 3.1, and was recently chosen over an established competitor at a large European telecommunications firm.

Government mandates and new legislation are driving public and private sector enterprises to improve the security of their networks. Some examples include: Sarbanes Oxley and HIPAA. What's your perspective on these mandates? Are these mandates market drivers for your business? What about other market drivers for Sandstorm?

James Van Bokkelen: I think the mandates and response to date have been overly focused on paper and bureaucracy. They haven't achieved as much real attention to security and understanding of information flows as I'd like. Their only role as market drivers for us is to the extent that they hold the upper echelons of organizations responsible for lapses. And when management discovers they bear ultimate liability for information leaks, resources get allocated to purchase tools like ours.

"Phishing" and "pharming" threats are becoming more prevalent and sophisticated but many end-users still do not understand these terms and how these threats can lead directly to identity theft or damage a company's brand. Please give our audience an overview of "Phishing". What can enterprises do to prevent these attacks from happening and what can individuals do to protect themselves?

James Van Bokkelen: Phishing is the use of email and web pages for a broad range of social engineering attacks, usually on people as private individuals rather than specifically as employees. Scaring or tricking people into giving their credit card number to a phony web site is a lot easier and less risky than putting on a bogus police uniform and knocking on doors. But protection and prevention is the same, whether you're in a home or business situation -- don't blindly follow directions received from an email or web page, don't click links sent via email, even if they claim to be from a company you have a business relationship with. Be aware of the possibility of fraud, and pay attention to the web sites you visit and the email you're reading. Enterprises should certainly have intelligent policies in place, but social engineering works on individuals, and it's the individual employees who need to be aware of the possibility of being "phished".

Please tell us about Sandstorm's key strategic relationships such as with Resellers and Partners.

James Van Bokkelen: We have a number of Resellers and VARs who offer our products in various markets in the US and elsewhere. We also have relationships with two companies who are in the process of repackaging and incorporating NetIntercept technology in their own products. The portion of our revenue they contribute varies, but in some quarters it has been substantial.

What resources are available at for end-users?

James Van Bokkelen: For PhoneSweep customers, we provide an example Modem Use Policy. Organizations ought to have a policy in place, regardless of how aggressively they scan for violations, and our draft makes a good starting point.

We have demo versions of our products that you can download and use. You can also get copies of our NetIntercept White Paper.

Thank you very much for your time today, James. Is there any other subject you would like to talk about?

James Van Bokkelen: I'd like to say a few words on interoperability and standards. The Internet is founded on systems from a company being able to talk to other systems made by other companies that conform to the same standards. I put a lot of work into interoperability and standards at FTP Software, and without it the Internet would not be what it is today. But if consumers and companies take the Internet's interoperability for granted, it will inevitably be eroded: Every vendor (and I'm sure there's at least one that comes to your mind) secretly hopes for a proprietary monopoly. Our recent tolerance of foolish patents and broadened definitions of intellectual property doesn't help. Awareness and understanding of standards helps everyone, particularly in the security industry.