The security game changes when the bad guys are backed by foreign governments

Fidelis Security Systems has an interesting perspective on the world of security, working, as it does, with the U.S. government to keep other countries from prying into some of our nation's most critical networks. Now that many of those same countries are after intellectual property housed by enterprise shops, commercial customers are knocking at Fidelis' door looking for help. Network World Editor in Chief John Dix talked to Fidelis CEO Peter George about the shifting threat landscape and what companies are doing to cope.

Let's start with a baseline question. How do you sum up the state of enterprise security today? Are we winning or losing the war?

The conventional wisdom, which I agree with, is we're behind, the gap is getting bigger and we're at a critical moment where we need to find a different approach if we're going to protect intellectual property and the things we have at risk. And customers are really getting it now. A couple of years ago if you went to the RSA conference and talked to CSOs in the oil and gas industries about the problem of nation-state adversaries penetrating critical infrastructure, half of them would get it, but the other half wouldn't. That's all changed now. This year at RSA, that group of CSOs is huddled in a corner, not just together, but also with stakeholders from the federal government who understand the threat and the guys in ponytails and sandals who are really smart security guys trying to figure out how to get in front of the problem. It's a national security problem and everyone's very aware of it and budgets are being applied, which didn't happen a couple of years ago.


Are you seeing responses from organizations across the board, or just in key industries like financial services?

This is an evolving thing, right? So a couple of years ago it was half the critical markets and now it's everybody in that, so that's moving downstream. But everybody in the Fortune 2000 who is concerned about their security posture is concerned about this particular problem -- a nation-state, an adversary, trying to steal something for financial gain. Which is really different from the old problem of a young kid trying to hack the network for fun. So the stakes are higher and it's a bigger issue. Smaller companies, who may have less to lose or are not a primary target, are also looking for ways to manage the risk/reward. So a managed security service, for example, might be a good approach if they can't afford to buy the technology and the people to run it.

What's your take on advanced persistent threats?

When most people think about APT they think it's a "what" but it's actually a "who." And the "who" is somebody from a nation-state trying to steal something that's important for financial gain. That's the problem we're really focused on. So the "who" is a person or group of people. I was recently with a guy who ran security for a really important telco in New York, and he was saying that he just came back from a security conference and they were talking about how, for example, the Chinese are organizing. The Chinese are not a bunch of individuals trying to penetrate the network. It's 150 Chinese who, like a battalion, are told, "Here's what we're going after and here's the threat vector we want you to use, because the goal is to compromise this particular company or this particular critical infrastructure." They're moving in that way. So it's a "who" or a collection of "whos."

You say nation-state, so this isn't organized crime, the attacks are actually backed by foreign governments?

Absolutely. Not every government, but certain governments. It's a national pastime in China -- it's recognized as something good -- but of course they deny it. We have this really important tool that a lot of first responders use when there's a breach. They go in with our tool and get visibility on the network and do forensics to find out what happened. One of our partners got called into a company that said, "We believe the Chinese are stealing our designs for these handbags and mass producing them because the knockoffs are making it to market before we can get out the original." They used our tool to find out it was a plant in some far-off place in China. So yes, it's well organized. Yes, it's state funded.

Our roots were in protecting classified information and dealing with cyber-espionage, and four years ago when Google got breached and put their hand up and said, "Hey, we just got breached by the Chinese," thousands of other companies put their hands up and said, "That happened to me too." All of a sudden what got put on the table is nation-states looking to steal intellectual property and identities. Anything that can be used for profit is at risk. It's the crown jewels of every company in the United States, everything from patents on formulas and algorithms to customer lists and bank account numbers. Nobody is immune. And if you're at a high risk for an advanced threat, you ought to start behaving like you've already been compromised because you probably have and don't know it.

Is it your experience that most companies believe their security is adequate?

Everyone's trying to mitigate their risk and this is a really, really hard problem. In fact, nobody's solved it yet. So every company is trying to understand how they fill in the gaps to mitigate their risk. Any vendor who's saying "we can solve the APT problem" is not telling the truth. No single point product can do it. So people are putting in tools to give them visibility into the problem and to fortify their security.

Most of my customers would tell me they have a best-in-class security stack that keeps the bad guys from breaking into their network. That stack would consist of a firewall, IPS, antivirus and some kind of SIEM to give them visibility into what's going on. And for traditional security protection, that's a good stack to have. But the adversaries are figuring out how to penetrate the network. Malware is one of the ways. I think malware is responsible for about 30% of the compromises, meaning if you just address malware you're exposed at 70%.

When we think about the problem, we think about the life cycle of the threat, which has four legs. There is infiltration, which could be malware or they can hack in, etc. Then there's communications with an external malicious command and control system. The third leg is the propagation leg, where they move laterally inside your network, looking for higher levels of authority so they can access what they want. Then there's the exfiltration piece, which is how we got into this business, because we are the top data exfiltration company in the world, based on what Gartner says. We can face the internal part of the network and make sure nothing leaves.

But the four legs of the life cycle are the things that are important and malware is one of those legs and represents only about 30% of the problem.

So you got your start with the exfiltration part of this, but today address all four parts?

We do. And that's an interesting question, because when I joined the company four and a half years ago we were then, and still are today, in the Gartner Data Leak Prevention Quadrant. But in those days DLP was just a broken business process. It was really inadvertent data leakage. Say a good guy trying to work on something over the weekend and sending a sensitive document to his Gmail account. That's what DLP used to be, because there were no nation-states trying to steal intellectual property, there were just good guys doing not-so-good things. And there are lots of good technologies to solve that.

But if you're a malicious insider or you're a nation-state and you can penetrate the network and you want to exfiltrate data, you're not doing it out Port 80, you're not doing it out of the email port, because somebody's watching that. You're going to bury it deep inside an attachment and you're going to send it out a port that nobody's looking at. And that's what we did better than anyone in the world. We're the only company in the world that can sit in the network and see applications and content and threats buried deep inside of the applications on all ports, inbound and outbound of a network.

There are 65,656 ports in a firewall and we're the only company in the world that can give you visibility in and out. So again, if you're a good guy doing a not so good thing, you're going to send it to your email account and someone can see that. But if you're a malicious insider, you're going to bury it deep inside a JPEG, rename it, compress it three times, and send it out a high port that nobody's watching. Well, that's what we were really good at, and when that became the problem, all of a sudden what we did different than everyone else became really important.

So the profile of our customer base has changed dramatically. It was 90% federal agencies four and a half years ago, and this year we'll be better than 50/50 government and commercial, maybe even more commercial, because the threat factor has moved to the commercial enterprise. That part of our business is booming right now.

Speaking of the government, the Senate just failed to muster enough votes to pass the Cybersecurity Act of 2012 (S. 2105), which would have made operators of critical national infrastructure meet new security requirements and encouraged federal agencies to share security information with private enterprises. What do you make of that?

We thought the Cybersecurity Act was really important because it would bring the federal government, which has threat intelligence about the adversary, together with commercial enterprises. [The latter] were fighting the hacker down the street. Now they're fighting nations that have their own national security intelligence agencies. That's who they have to keep out of their network, and they need our country to help them. The federal government has insight into that threat vector that commercial CSOs don't have. They have been battling this adversary and protecting classified information for a long time, so they know how to do that. They have tools and really smart people that are valuable to this problem. And I find commercial CSOs are thirsty for that. They want that advice.

So we need those two groups to come together and share information. It's going on unofficially already. We'll go to Wall Street and talk about what we do and when they know our background the door will shut and they'll tell us they're sharing information with certain agencies. So there's some of that going on. But a framework for formalizing that, I think, would be really important. I think this bill was an attempt to move that agenda forward, and now we probably won't hear about it again until the other side of the election, which isn't good.

Going back to your statement that, if you're a likely target, you should operate under the presumption that you're already compromised, is that in fact what you find when you're first brought in?

Every one of our customers wants to do a proof-of-concept, and more often than not they have an "Oh my God" moment. But that isn't always a nation state stealing something. It might be information leaving the network inadvertently that's not causing a problem. But sometimes you'll find a smoking gun. I'll give you a real live example. We have an eval going right now with a biotech company and during the eval we saw the Chinese had compromised the network and were moving laterally across servers. But it doesn't always happen that way. Having said that, I do believe that the majority of Fortune 1000 commercial enterprises, if they're not already compromised now, they're going to be soon.

OK. Any closing thoughts?

Only that, having spent 10 years solving the problem in the federal government, I think we're in a unique position to really help commercial customers. We not only have the tool, but we have the smarts and know-how.
