An interview with Michael Oldham, posted by Security Solutions Watch.
SecuritySolutionsWatch.com: You mentioned that technologies today aren’t doing enough to manage security in a comprehensive manner. Can you elaborate on that?
Michael Oldham: Sure. And first, I have to say that it’s not that we don’t have great, inventive security products in the world today. There are a great many of them. But, that’s the problem. Most organizations have too many of them.
Security has grown up with a cycle of problem/solution. We find a problem and someone smart comes up with a solution to fix that problem. When the internet was just starting out we had a bunch of universities and government agencies tied into a big network. Then, Robert Morris invented a worm and created the first major security breach by infecting all the interconnected systems. We now had a problem with this new interconnected world… so some smart people came up with a new technology to solve it… a firewall. This solved the problem and now people were happy again.
But, this is a cycle that has repeated over and over. We have a new issue that shows up and someone creates a solution to resolve it. Because of this, we now have lots and lots of different security products in our environments. But, even though we’re protecting ourselves from these specific threats, we’re complicating our environment tremendously with each new innovation.
As an example, look at Mobile Devices. They roared onto the scene and made a big splash in people’s personal lives. But, corporations weren’t ready for this dramatic change so they just said no. But the pressure continued. People wanted to use their smartphones at work.
In comes a great new innovative technology called Mobile Device Management. It was designed to manage mobile devices and it allowed companies to solve the security and access issues created by these new devices. This was pretty inventive and was a pretty rapidly adopted technology.
But here’s the problem. MDM, like the many other earlier technologies, was designed to solve one particular problem… how to deal with mobile devices. It doesn’t care about laptops or desktops. It doesn’t care about what applications you’re connecting to… it’s just designed to help someone manage mobile devices. Most organizations have a lot more going on than just mobile devices. So, MDM now becomes another technology that has to be managed by the IT organization. It requires its own resources, has its own costs and has a level of expense with it that is unique to that technology.
This is on top of every other technology that an organization already has in place to manage every other security problem.
And here’s the thing … most of these technologies come from different vendors and they don’t talk to each other! You have a bunch of disparate security technologies, each doing their own thing, not talking to each other, as your primary defense for your organization.
You can’t even get comprehensive reporting to tell you who accessed what across the entire organization. Someone has to try to compile all that information from all those products… or buy yet another product that knows how to extract all that information from all those products. It’s pretty crazy when you think about it.
Can you imagine your favorite sports team working like this? Think about it, ten individuals doing their own thing independently, without talking to the others? And each one has their own coach who manages their training individually too? I think you get the point. It’s hard to win a game like this. It’s very challenging to manage and be effective.
This is what security in most organizations is like. It’s no wonder we have all sorts of security breaches. The more products you have in your security infrastructure, the more weak points you can have.
We need to do it better. We need to get more comprehensive solutions.
SecuritySolutionsWatch.com: It seems to me there’s a lot of potential for comprehensive solutions out there from what you’ve said. Why aren’t there more of these solutions out there?
Michael Oldham: Exactly. Why don’t companies just build an all-inclusive security product? This is a competitive area, so why haven’t other companies done this already?
I asked myself the same questions.
There are really two types of security companies out there. This is a gross over simplification of course, but it generally is true.
The first is the large, well-established organization that has been doing security for a long time. They tend to have multiple product offerings that are quite mature and they have lots of resources. The second type of company is the small, innovative kind. They are creative and motivated but they are comparatively small and have far fewer resources.
Let’s take the smaller, innovative companies first. They are nimble and have a lot of capability. But, they are typically quite resource constrained. So, to succeed, they must focus. You’ll see that most successful companies have a laser focus on solving a particular security problem. If they’re successful, they will branch out a bit, but almost always within their silo of expertise. MDM is a good example of this. Many companies came out with MDM solutions. The successful companies then branched out by creating more features like Mobile Application Management, Containers or other novel and creative expansions of the existing base technology. But, it’s still within their security silo. Eventually, if they are successful enough, they get purchased by the larger companies. Because of their need to focus to become successful, they aren’t in a position to create a very broad security product.
When we look at the large, established players, they are honestly a victim of their own success to a large degree. The problems they face are entirely different. Innovation is difficult in large companies. It’s not that they don’t have great, smart and innovative people. They do. But, what they also have are some very significant limiting factors.
First, they have a bunch of cash cow products that they’ve developed. These products are the basis for their success and they can’t just chuck them out and start over again with something new. They need to keep these products going to continue their revenues and make their revenue forecasts. Without these major successful products, they have serious issues.
The second limiting factor is their own spectrum of products. When you’re developing internally, you have to work with all the other products you have out there. You have to make sure that your newer technology works with all the other technologies. It has to be managed from the tools that the company has built and it has to conform to certain internally set standards. None of this is bad, but it creates a swamp where good ideas get bogged down for long periods of time. The bigger the company and the more successful products you have… the slower innovation happens.
So these big companies tend to buy the innovation by purchasing the smaller, innovative companies. This speeds up part of the process. But, integration of new technologies can be just as difficult as development for these companies. It just takes a long time to get a product integrated with their other technologies.
So the bottom line here is that it’s very difficult for big and small companies alike to develop a broad, comprehensive security solution. Given enough time and market demand, the large organizations will likely get around to it. But it can take many years for that to happen.
SecuritySolutionsWatch.com: Can we discuss the current customer environment for a moment? BYOD results in many threats…and not only from bad guys always looking for the weakest link into the network…Unintentional Insider Threats (UITs) is an equally serious challenge where employees/users might innocently click on phishing messages, visit to nefarious websites, run risky/outdated software, or fall into any number of other traps. What are your thoughts Michael regarding “best practices” that should be followed in this environment?
Michael Oldham: Phishing attacks and targeted Spearphishing attacks are becoming greater threats these days. They seem to be one of the more popular avenues of attack and they can have some very high success rates. But, the potential threats are going to continue to evolve at a very rapid pace. The truth is, there’s always a risk no matter what you end up doing. There are a lot of very smart criminals in the world, and they are better financed than most IT departments.
The first defense against these types of attacks is education. People need to be educated about security issues so that they can be aware of these issues. They have to know how to question whether something is real or not. The first step is to let them know that they can question it, and what to do if they think something is suspicious.
I’ll give you an example, a company I spoke with had a situation recently. The CEO of the company sent an email to the CFO directing him to wire a substantial amount of money to a particular account. The CFO, having been similarly directed before, wired the money.
The problem was the CEO never sent that note. Hackers were inside the company and had been reading correspondences from the CEO, and analyzing the way he wrote his emails, particularly ones directing the CFO to wire funds. They made this email look very convincing. But, upon closer inspection (after the fact), they noticed the email origin was not from the company’s URL, but from the same URL with the last letter of .COM cut off to be .CO. Upon normal examination, it looks legitimate. But, the company didn’t have in place a process by which the CFO would double-check with the CEO outside of email to verify the wire of this substantial amount of money. The result, they lost the money completely. No chance to recover it.
Education and verification is very important. It’s crucial that people know not to click links inside emails they receive as well. There are many examples of good practices that people should adopt. They are easy to find.
A good security solution can help as well. There is no perfect security product that exists, so combining good practices with good security technology can make a huge difference.
One problem that exists is people phishing for credentials. The person gets a note from the HR department or the IT manager saying, “As part of our audit, each employee must confirm their username and password. Please click here to do so by the end of the day today.” It looks official and I can almost guarantee that you will get a number of people who will follow the directions.
The problem is this goes to an external website that is harvesting the credentials for that company.
Normally, those credentials would give the hacker free reign to go in and get whatever that user’s credentials would allow. And, it would give access to their email, at least if not more, so they can send other messages to other people within the company.
This is where you need a smarter security solution like our Total Access Control solution, better known as TAC.
With TAC, you can have multiple layers of authentication, in fact, three or more factors. The first would be the credentials, which in this example, the hacker has just stolen. We can also bind hardware credentials to the user’s account, so if someone using the credentials tries to log on without the proper hardware device, they still can’t get in. Now, if we add a multi-factor authentication to this, you have three full factors of authentication before allowing the user to gain access. The benefit here is, it all happens without making it any harder for the end user.
This is just an example, but of course there are many more ways you can provide stronger security and more extensive validation with TAC too.
So, in this case, the fact that the user made a mistake in sending out their username and password to a hacker, does not cost the company any pain because without the multifactor authentication AND without the actual approved hardware device, the hacker can never get access, even if they have the user’s credentials.
Read the full interview here.