RSA Conference is a coming-out party for trio of start-ups

Three security start-ups will debut this week at the RSA Conference looking to make a mark in protecting enterprise customers against attack from inside and outside their organizations.

Intrusic is expected to unveil a server application called Zephon, which runs on FreeBSD. Zephon can find intruders invading compromised systems by copying and analyzing network traffic.

"Zephon is the name from the Old Testament - and John Milton's Paradise Lost - for the angel who guards heaven," says Intrusic CEO Bruce Linton. The angel Zephon touches a frog to reveal Satan. Intrusic's Zephon software is supposed to unmask hackers masquerading as insiders after successfully stealing the network credentials of employees or trading partners.

Zephon - which Intrusic co-founder and President Jonathan Bingham says is being installed at The Home Depot in Atlanta; Caritas Christi Health Care in Boston, a chain of six hospitals; and Mohegan Sun Casinos in Uncasville, Conn. - works by analyzing servers, desktops, applications and traffic flows.

Network activity "will seem complex and chaotic at first," Linton says. "But it's rare that a desktop will act as a server, for example. And there are certain ways a mail server should behave." Zephon is designed to zero in on a compromise and deliver that information to a management console. The software sells for roughly $150,000.

Intrusic has 12 employees, with security guru and @Stake founder Peiter "Mudge" Zatko the chief scientist. The company is funded with less than $1 million from venture firm Draper Fisher Jervetson plus undisclosed funding from the founders.

Privately funded Tablus is tackling the prickly problem of keeping sensitive corporate data from flying out via a network. The Tablus product, an appliance called Content Alarm, monitors outbound network traffic for sensitive content, says Jim Nisbet, founder and CEO.

"We have to make an analysis quickly when it's a question of proprietary source code or human resources document, for example," Nisbet says.

The Tablus Content Alarm, which starts at $29,000, works by having agent software on servers where there's sensitive data subject to restricted access. It tracks changes to that content, and Content Alarm recognizes when portions of it might be sent out of the network.

Tablus is among a handful of other start-ups, including Vericept, Vidius and Vontu, that are taking on the challenge of flagging sensitive data when it makes a sudden, unexpected move. Each vendor has a slightly different approach, some using keyword or pattern-matching. Users contend various approaches can work but worry about false positives - or just failure to recognize an unauthorized transfer.

One Tablus beta tester, online games developer Perpetual Entertainment, says Tablus Content Alarm has produced a low number of false positives. "It works at wire speed and it's nonintrusive," says Mark Rizzo, the firm's vice president of operations.

The third start-up making its debut this week, Skybox Security, has the goal of identifying network vulnerabilities and tracking the remediation process with a product called Skybox View that would typically cost about $250,000.