Hugh Thompson on Simplifying Security
Blue Coat CTO: Shift Focus to Constants, Not Variables
The technology landscape in the past decade has changed in ways that are unprecedented, quickly causing legacy architectures and security paradigms to become defunct in dealing with a new breed of risks and threats. Companies considered low risk, which previously could make do with an antivirus solution and a firewall, now find their digital defenses under assault and breached. The game has changed. The focus in security needs to change, then, from the variables to the things that remain constant, to enable continuous protection in a dynamic threat landscape, says Dr. Hugh Thompson, CTO and Senior VP at Blue Coat, a Sunnyvale, California-based provider of security and networking solutions.
"It is a very interesting time for security. Vendors with very similar messaging are vying for market share, and it is a sorting-out period for people in the security space," Thompson says. "How do we decide upon and measure the things that matter and the things that seem important at this point, but are fated to ebb and flow?"
Thompson proposes applying the statistical concept of "Degrees of Freedom." The idea is to find a model that can treat the changing landscape as a variable in an equation that can keep changing without affecting the final outcome of the equation.
The human element of security is one such constant, he says. However, with people, education and efforts at security awareness have largely been unsuccessful, and this is something he doesn't expect will change.
"I think there has been a huge amount of recidivism for people who have made bad choices, saw that they made the bad choice and still do it again the next day in a different context," he says.
In this broad-ranging interview with Information Security Media Group - the first of two parts - Thompson shares his opinion of the current landscape in security and lessons learned from all the changes that the industry has seen. Thompson also shares insight on:
- The changes in the attacker profiles;
- The concept of "Degrees of Freedom;"
- Developments that are redefining security and Blue Coat's security philosophy.
Thompson is Chief Technology Officer and Senior Vice President at Blue Coat. Also Blue Coat's CMO, he has been with Blue Coat for three years. He has more than a decade of experience creating methodologies that help organizations build more secure systems and has co-authored three books on the topic. For the past five years, Thompson has served as the program committee chairman for RSA Conference, the world's largest information security gathering, where he is responsible for guiding the technical content at both the U.S. and European RSA Conferences. He also sits on the Editorial Board of IEEE Security and Privacy Magazine. He has written several technical books on computer security and has taught computer security at Columbia University for five years.
Edited excerpts from the conversation follow.
On Degrees of Freedom
VARUN HARAN: What is the most exciting thing in security today for you? What is the security philosophy that finds most resonance with you today?
DR. HUGH THOMPSON: Flexibility of security systems and degrees of freedom. This is a statistical concept and we are trying to indoctrinate it into the way we are looking at building our products and acquiring assets at Blue Coat. If you compare the security industry to any other, the amount of volatility that we have had, the changes in the types of technologies - something is important, then it loses significance, then it's important again, endpoint security is the prime example. You need to invest in security technologies and people that can adapt and rapidly onboard new tech, in an environment that is highly unstable.
At a philosophical level, it's about simplifying security, to things that are constant, and the things that we think may change. So degrees of freedom is a variable in an equation that can vary, but doesn't impact the final outcome of the equation. Blue Coat has taken that philosophy to heart - it is very open from a standards and API perspective. [See: Balancing Innovation with Risk]
It is a very interesting time for security. Vendors with very similar messaging are vying for market share, and it is a sorting out period for people in the security space. How do we decide upon and measure the things that matter and the things that seem important at this point but are fated to ebb and flow?
HARAN: Can you elaborate more on this idea of things that change and things that don't? What are some of the constants and variables in the security space that you have observed?
THOMPSON: There are constants in security, but there are multiple variables that change over time. The main driver for that, I think, is that the environment that we are in is so dynamic. In Asia in particular, you look at the penetration of smart phones. That was never envisioned when we designed the core security architectures 10 years ago.
Another interesting example is the idea around password resets. 20 years ago, it was a brilliant idea to do password resets using biographical questions like where you attended school, your mother's maiden name etc. Today if you had to make that decision, using biographical data is a terrible idea. People are more knowable at a distance than they ever have been at any point in the past. All this information is available as a digitized public record. In this industry, something that is at a point in time a great decision could be a bad decision very quickly, as context and the environment change.
One constant is the human element of security. I think people have and will continue to make security-oriented mistakes with technology. I don't see that changing. In security there has been a lot of effort to teach people about security hygiene, but I don't think that has been effective at all. I think there has been a huge amount of recidivism for people who have made bad choices, saw that they made the bad choice and still do it again the next day in a different context.
HARAN: How have attackers diversified in this new landscape?
THOMPSON: I'd say cyber criminals are a distinct group, and in my head they are still cyber criminals - folks that are distinctly profit oriented. The tactics that they used have evolved from breaking in, smash and grab, to more innovative ways of monetizing data like ransomware. I'd say the cyber criminals are still after money, and their organizational maturity has changed.
Other groups of attackers, like hacktivists, are a puzzle to some folks in security because it modifies the targeting. Companies that were hitherto not traditional targets of cyber-attacks find themselves very much at risk. Hacktivist attacks tend to be very loud and very public. Their goal is to embarrass the company and damage its reputation. This is a new vector companies are trying to cope with.
The nation-state attacks are a completely different animal, too, because they are the opposite of a hacktivist attack - their goal is to remain silent. They are usually after intellectual property or control, to establish a beachhead inside an organization's infrastructure. Very well-funded with lots of interesting people on the payroll.
Those three groups are redefining how security is being approached today.
HARAN: Articulate for me some of the developments in the technology space that are redefining security? Blue Coat has been at the center of a lot of M&A activity - could you walk us through some of the interesting ones?
THOMPSON: It's been a busy time for Blue Coat. The company has grown substantially in the past three years, since the company got taken private. Some of our acquisitions worth mentioning include the acquisition of Solera Networks for their full packet capture, record, save to disk analytics tech. We also bought Netronome's SSL decryption business, which is a high bandwidth, high throughput SSL decrypt service that can feed devices, package it back up and send it on. That is the highest growth area of our business - we can't make those boxes fast enough. I think it's because of how quickly the world switched over to HTTPS. We bought Norman Shark for their sandboxing technology - to add their sandbox into our secure web gateway system.
There have been seismic changes in the security space in the last five years. Massive adoption of mobile devices, massive connectivity of kinetic devices to the internet, and social media. I think there has been a sea change in attackers as well. Five years ago, a company without credit card or other monetizable information could have been considered relatively safe. The rise of hacktivism and nation state threats has changed targeting significantly.
All this has forced us to go back and reimagine a bunch of fundamental principles that were etched in stone in security.
Tune in for part II of this interview, where Hugh Thompson shares his views on breach disclosure, the future of security and where to invest your security dollar.