Computerworld

The security game changes when the bad guys are backed by foreign governments

  • John Dix (Network World)
  • 13 August, 2012 15:41

Fidelis Security Systems has an interesting perspective on the world of security, working, as it does, with the U.S. government to keep other countries from prying into some of our nation's most critical networks. Now that many of those same countries are after intellectual property housed by enterprise shops, commercial customers are knocking at Fidelis' door looking for help. Network World Editor in Chief John Dix talked to Fidelis CEO Peter George about the shifting threat landscape and what companies are doing to cope.

Let's start with a baseline question. How do you sum up the state of enterprise security today? Are we winning or losing the war?

The conventional wisdom, which I agree with, is we're behind, the gap is getting bigger and we're at a critical moment where we need to find a different approach if we're going to protect intellectual property and the things we have at risk. And customers are really getting it now. A couple of years ago if you went to the RSA conference and talked to CSOs in the oil and gas industries about the problem of nation-state adversaries penetrating critical infrastructure, half of them would get it, but the other half wouldn't. That's all changed now. This year at RSA, that group of CSOs is huddled in a corner, not just together, but also with stakeholders from the federal government who understand the threat and the guys in ponytails and sandals who are really smart security guys trying to figure out how to get in front of the problem. It's a national security problem and everyone's very aware of it and budgets are being applied, which didn't happen a couple of years ago.


Are you seeing responses from organizations across the board, or just in key industries like financial services?

This is an evolving thing, right? So a couple of years ago it was half the critical markets and now it's everybody in that, so that's moving downstream. But everybody in the Fortune 2000 who is concerned about their security posture is concerned about this particular problem -- a nation-state, an adversary, trying to steal something for financial gain. Which is really different from the old problem of a young kid trying to hack the network for fun. So the stakes are higher and it's a bigger issue. Smaller companies, who may have less to lose or are not a primary target, are also looking for ways to manage the risk/reward. So a managed security service, for example, might be a good approach if they can't afford to buy the technology and the people to run it.

What's your take on advanced persistent threats?

When most people think about APT they think it's a "what" but it's actually a "who." And the "who" is somebody from a nation-state trying to steal something that's important for financial gain. That's the problem we're really focused on. So the "who" is a person or group of people. I was recently with a guy who ran security for a really important telco in New York, and he was saying that he just came back from a security conference and they were talking about how, for example, the Chinese are organizing. The Chinese are not a bunch of individuals trying to penetrate the network. It's 150 Chinese who, like a battalion, are told, "Here's what we're going after and here's the threat vector we want you to use, because the goal is to compromise this particular company or this particular critical infrastructure." They're moving in that way. So it's a "who" or a collection of "whos."

You say nation-state, so this isn't organized crime, the attacks are actually backed by foreign governments?

Absolutely. Not every government, but certain governments. It's a national pastime in China -- it's recognized as something good -- but of course they deny it. We have this really important tool that a lot of first responders use when there's a breach. They go in with our tool and get visibility on the network and do forensics to find out what happened. One of our partners got called into a company who said, "We believe the Chinese are stealing our designs for these handbags and mass producing them because the knockoffs are making it to market before we can get out the original." They used our tool to find out it was a plant in some far-off place in China. So yes, it's well organized. Yes, it's state funded.

Our roots were in protecting classified information and dealing with cyber-espionage, and four years ago when Google got breached and put their hand up and said, "Hey, we just got breached by the Chinese," thousands of other companies put their hands up and said, "That happened to me too." All of a sudden what got put on the table is nation-states looking to steal intellectual property and identities. Anything that can be used for profit is at risk. It's the crown jewels of every company in the United States, everything from patents on formulas and algorithms to customer lists and bank account numbers. Nobody is immune. And if you're at a high risk for an advanced threat, you ought to start behaving like you've already been compromised because you probably have and don't know it.

Is it your experience that most companies believe their security is adequate?

Everyone's trying to mitigate their risk and this is a really, really hard problem. In fact, nobody's solved it yet. So every company is trying to understand how they fill in the gaps to mitigate their risk. Any vendor who's saying "we can solve the APT problem" is not telling the truth. No single point product can do it. So people are putting in tools to give them visibility into the problem and to fortify their security.

Most of my customers would tell me they have a best-in-class security stack that keeps the bad guys from breaking into their network. That stack would consist of a firewall, IPS, antivirus and some kind of SIEM to give them visibility into what's going on. And for traditional security protection, that's a good stack to have. But the adversaries are figuring out how to penetrate the network. Malware is one of the ways. I think malware is responsible for about 30% of the compromises, meaning if you just address malware you're exposed at 70%.

When we think about the problem, we think about the life cycle of the threat, which has four legs. There is infiltration, which could be malware or they can hack in, etc. Then there's communications with an external malicious command and control system. The third leg is the propagation leg, where they move laterally inside your network, looking for higher levels of authority so they can access what they want. Then there's the exfiltration piece, which is how we got into this business, because we are the top data exfiltration company in the world, based on what Gartner says. We can face the internal part of the network and make sure nothing leaves.

But the four legs of the life cycle are the things that are important and malware is one of those legs and represents only about 30% of the problem.

So you got your start with the exfiltration part of this, but today address all four parts?

We do. And that's an interesting question, because when I joined the company four and a half years ago we were then and today in the Gartner Data Leak Prevention Quadrant. But in those days DLP was just a broken business process. It was really inadvertent data leakage. Say a good guy trying to work on something over the weekend and sending a sensitive document to his Gmail account. That's what DLP used to be, because there were no nation-states trying to steal intellectual property, there were just good guys doing not-so-good things. And there are lots of good technologies to solve that.

But if you're a malicious insider or you're a nation-state and you can penetrate the network and you want to exfiltrate data, you're not doing it out Port 80, you're not doing it out of the email port, because somebody's watching that. You're going to bury it deep inside an attachment and you're going to send it out a port that nobody's looking at. And that's what we did better than anyone in the world. We're the only company in the world that can sit in the network and see applications and content and threats buried deep inside of the applications on all ports, inbound and outbound of a network.

There are 65,656 ports in a firewall and we're the only company in the world that can give you visibility in and out. So again, if you're a good guy doing a not so good thing, you're going to send it to your email account and someone can see that. But if you're a malicious insider, you're going to bury it deep inside a JPEG, rename it, compress it three times, and send it out a high port that nobody's watching. Well, that's what we were really good at, and when that became the problem, all of a sudden what we did different than everyone else became really important.

So the profile of our customer base has changed dramatically. It was 90% federal agencies four and a half years ago, and this year we'll be better than 50%/50% government and commercial, maybe even more commercial, because the threat factor has moved to the commercial enterprise. That part of our business is booming right now.
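Added example, not Fidelis code or anything from this interview: a small Python content check of the kind a defender runs on outbound transfers, showing why the rename, repeated compression and unusual-port trick described above defeats inspection that trusts file names and port numbers rather than content. The sample payloads are constructed, and the set of "already inspected" ports is an assumption.

```python
import gzip

# Leading bytes that identify a few common file types (minimal constructed table).
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x1f\x8b": "gzip",
         b"PK\x03\x04": "zip", b"%PDF": "pdf"}
EXPECTED_PORTS = {80, 443, 25, 587}  # assumption: ports a proxy/mail gateway already inspects

def sniff(data: bytes) -> str:
    """Identify a blob by its leading bytes, never by its name or extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def unwrap(data: bytes, max_layers: int = 8):
    """Peel nested gzip layers; returns (innermost bytes, number of layers removed)."""
    layers = 0
    while sniff(data) == "gzip" and layers < max_layers:
        data = gzip.decompress(data)
        layers += 1
    return data, layers

def assess(filename: str, payload: bytes, dst_port: int) -> dict:
    """Compare what a transfer claims to be with what it actually carries."""
    claimed = filename.rsplit(".", 1)[-1].lower().replace("jpg", "jpeg")
    inner, layers = unwrap(payload)
    actual = sniff(inner)
    findings = []
    if actual != claimed:
        findings.append(f"named {claimed} but content is {actual}")
    if layers > 1:
        findings.append(f"{layers} nested compression layers")
    if actual == "jpeg" and b"\xff\xd9" in inner:  # data hidden after the end-of-image marker
        trailing = inner[inner.rfind(b"\xff\xd9") + 2:]
        if trailing:
            findings.append(f"{len(trailing)} bytes appended after JPEG end marker")
    if dst_port not in EXPECTED_PORTS:
        findings.append(f"outbound on uninspected port {dst_port}")
    return {"actual": actual, "layers": layers, "findings": findings}

# Constructed samples: a "document" gzipped three times and renamed .jpg, a JPEG with data appended, a clean JPEG.
DOC = b"%PDF-1.4 constructed design document"
HIDDEN = gzip.compress(gzip.compress(gzip.compress(DOC)))
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
STUFFED = JPEG + DOC

if __name__ == "__main__":
    for name, blob, port in [("photo.jpg", HIDDEN, 40021),
                             ("cat.jpg", STUFFED, 443), ("cat.jpg", JPEG, 443)]:
        print(name, port, assess(name, blob, port)["findings"])
```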

Speaking of the government, the Senate just failed to muster enough votes to pass the Cybersecurity Act of 2012 (S. 2105), which would have made operators of critical national infrastructure meet new security requirements and encourage federal agencies to share security information with private enterprises. What do you make of that?

We thought the Cybersecurity Act was really important because it would bring the federal government, which has threat intelligence about the adversary, together with commercial enterprises. [The latter] were fighting the hacker down the street. Now they're fighting nations that have their own national security intelligence agencies. That's who they have to keep out of their network, and they need our country to help them. The federal government has insight into that threat vector that commercial CSOs don't have. They have been battling this adversary and protecting classified information for a long time, so they know how to do that. They have tools and really smart people that are valuable to this problem. And I find commercial CSOs are thirsty for that. They want that advice.

So we need those two groups to come together and share information. It's going on unofficially already. We'll go to Wall Street and talk about what we do and when they know our background the door will shut and they'll tell us they're sharing information with certain agencies. So there's some of that going on. But a framework for formalizing that, I think, would be really important. I think this bill was an attempt to move that agenda forward, and now we probably won't hear about it again until the other side of the election, which isn't good.

Going back to your statement that, if you're a likely target, you should operate under the presumption that you're already compromised, is that in fact what you find when you're first brought in?

Every one of our customers wants to do a proof-of-concept, and more often than not they have an "Oh my God" moment. But that isn't always a nation-state stealing something. It might be information leaving the network inadvertently that's not causing a problem. But sometimes you'll find a smoking gun. I'll give you a real live example. We have an eval going right now with a biotech company and during the eval we saw the Chinese had compromised the network and were moving laterally across servers. But it doesn't always happen that way. Having said that, I do believe that the majority of Fortune 1000 commercial enterprises, if they're not already compromised now, are going to be soon.

OK. Any closing thoughts?

Only that, having spent 10 years solving the problem in the federal government, I think we're in a unique position to really help commercial customers. We not only have the tool, but we have the smarts and know-how.
