For better cybersecurity, skip the shiny toy—invest in people and processes
This week, security professionals will descend on Washington, D.C. to discuss hacks, cracks, and breaches at Hewlett-Packard’s (HPQ) Protect 2014 conference. It’s a timely event: this summer has seen a string of news headlines for corporations that have been victims of cyber crime, from simple embarrassments (Sony’s broad Playstation Network outage) to more serious exchanges (Target and Home Depot’s nationwide customer data breaches).
Ahead of his conference keynote, Fortune chatted with Art Gilliland, the company’s general manager for enterprise and security products, about what he planned to say to his beleaguered peers in light of this year’s peculiarities. Here’s what he had to say—edited and condensed for clarity, of course.
F: What’s on the menu for this year?
AG: One of the big themes of the program is, how do you turn intelligence or information into action in the security space? If you look at some customer breaches that have happened, in a lot of cases it’s not that the companies’ systems don’t indicate that there’s a problem, it’s just that there’s so much information bombarding the security professionals. It’s almost information overload. They don’t have a way to interpret what’s real and what’s just noise.
I’ll give you an example. If I geek out on you too much, just tell me to ease up a bit.
Please, geek away.
All right, here we go. Let’s talk about the Domain Name System. DNS is basically an address book of where things are on the Internet, and every time you access the Internet you basically ask a question of the DNS. If you look at DNS logs, for example, there’s a massive amount of information that comes out, because every request is logged and every response is logged. For HP, for example, in one single day it’ll generate about 24 billion DNS log events. There’s no way for a human being, or even a system in some cases, to process that much information from one single device.
So we invented a way to literally cut through all of the normal noise in DNS. We cut out about 99% of the noise down to about only 240 million logs—which is still a lot—but it’s now narrowed down to things that are unusual happening in the DNS. When you start to look at that and combine and correlate those events with other available information, like bad IP addresses or known malicious actors in the community, you can very quickly find infections in your system and zero in on exact IP addresses, exact users that have problems.
You’re looking for symptoms?
Absolutely. If you look at most of the newer technologies trying to fight advanced threats, that is what they do. Almost all of this infectware, malware, all of that stuff always calls out to somebody to tell it what to do. I would be willing to bet that 99.99% of all infections have some request to somebody outside the organization via the DNS to say, “OK, I’m in. Tell me what to do.”
The ability to actually block the bad guys from getting in, I think we’ve kind of lost that game. The real game is, how do you find them as fast as possible after they’re inside, and before they’ve stolen data? If you look at the mean time to detection for breaches last year, the average was something like 243 days. If you can reduce that to a week, you’re a world-class rock star.
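The two DNS ideas above (cut the routine queries so only the unusual ones remain, then correlate those against known-bad indicators and trace them to the client that made them) as a small added example; this is not HP's code, and the log excerpt, domain names, threat-intel entries and the "three clients makes it normal" threshold are all constructed for illustration.

```python
"""Added example: reduce DNS query logs to the unusual, then correlate the
remainder against a known-bad list. All data and thresholds are constructed."""
from collections import defaultdict

# Constructed log excerpt: one "<client-ip> <queried-name>" per line.
SAMPLE_DNS_LOG = """\
10.0.0.11 www.example.com
10.0.0.12 www.example.com
10.0.0.13 www.example.com
10.0.0.11 mail.example.com
10.0.0.12 mail.example.com
10.0.0.13 mail.example.com
10.0.0.12 cdn.example.org
10.0.0.11 cdn.example.org
10.0.0.13 cdn.example.org
10.0.0.12 c2.bad-actor.invalid
10.0.0.13 x7k2.random-label.invalid
"""

# Constructed threat-intel feed of names known to be used for command and control.
KNOWN_BAD = {"c2.bad-actor.invalid"}

def parse_log(text):
    """Return (client, name) pairs; names lower-cased with trailing dot removed."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines instead of aborting the whole run
        client, name = parts
        records.append((client, name.lower().rstrip(".")))
    return records

def unusual_queries(records, min_clients=3):
    """Noise cut: a name queried by at least min_clients distinct clients is
    treated as normal traffic; anything rarer is kept for inspection."""
    clients_by_name = defaultdict(set)
    for client, name in records:
        clients_by_name[name].add(client)
    return [(c, n) for c, n in records if len(clients_by_name[n]) < min_clients]

def correlate(unusual, known_bad):
    """Map each client to its rare names, flagging those on the intel list."""
    findings = defaultdict(list)
    for client, name in unusual:
        findings[client].append((name, name in known_bad))
    return dict(findings)

def triage(text, known_bad=KNOWN_BAD):
    records = parse_log(text)
    unusual = unusual_queries(records)
    return {"total": len(records), "unusual": len(unusual),
            "per_client": correlate(unusual, known_bad)}
```

The rare names that are not on the intel list (here the random-looking label from 10.0.0.13) are the ones an analyst reviews next, since a fresh beacon domain will not yet be on any feed.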
Isn’t that terrifying, the notion that a week is good enough?
Yeah, it is. I mean, here’s the thing. The year before last the mean time to detection was 416 days based on the data we’ve seen. Last year it was 243 days. We’ve made massive improvements. But to your point—my god—they’re still in there for like eight months! If you think about trying to get it down to a week, that’s pretty good.
Is that an aspirational target or something that’s actually on the horizon?
I think it will happen in different places at different speeds. Most organizations are so focused on the hot, shiny new toy that they don’t invest enough in the people and processes to actually deliver the value they need. The skills required are also really, really scarce in the industry. In research that we published, we found about 40% of [junior-level] security jobs are vacant. At the senior and manager level you’re looking at vacancy rates of over 50%. Even the people who should know how to do this and know how to run it, in a lot of cases, they don’t even exist.
You know, Cisco’s chief security officer, John Stewart, told us the same thing earlier this year.
Every customer talks about that gap—that skill gap. They’re really having a hard time hiring people. It’s a big challenge for the industry.
So given all of this, what is the mentality of the people to whom you’re presenting your keynote? With all of the recent headlines, are they on edge?
There is a level of optimism in the security profession because, for the first time in a very long time, senior executives that control the budget are thinking about—and worried about—security. The light is shining really bright on the security folks. What’s happening is the attention and the budget and the investment and the expertise are starting to arrive. I think that more focus is on the security domain now in the last two years than at any time in the last 15 years that I’ve been in the industry.
I have conversations now with the CEOs of companies. If you would have asked me five years ago, I was talking to the IT manager. When the board of directors will talk to a vendor about something, that is a different profile. You’re on the level of ERP [Enterprise Resource Planning —Ed.] systems now at this point, that level of investment. Even though the cost of security is, in most cases, a small fraction of peoples’ IT budgets, that level of visibility is massive and there’s some optimism there.
How much is the steady march of breaches and hacks and every kind of cybersecurity situation coloring the conversation as you head into the conference? Is Apple’s iCloud celebrity nude photos incident, for example, top of mind? What about Home Depot or JPMorgan Chase?
I try not to be an ambulance chaser. The reality is that everyone in the audience at a security event, we know all this stuff. This isn’t like, “Hey guys, we’ve been trying to tell you for a long time that if somebody’s determined and they want to get in they’re going to.”
Historically—and this is, I guess, the cynical or sarcastic side—the way we got an incremental budget in security was either you failed an audit or you got a breach. Nothing rains money from the sky like a failed audit or breach. Because the breaches are so consistent now, companies that haven’t experienced a breach can go and talk to the senior people and they can be proactive. I can guarantee you the CEO of Lowe’s is having a conversation with his security people saying, “Are we vulnerable to that, because of the Home Depot thing?” The budgets are flowing and people are just like, “OK, I’ve got to spend it. How do I spend it effectively and can I get the right people that I need?”
You mentioned a new product, Application Defender, that’s going to be a centerpiece of HP’s conference. You also mentioned this concept of the shiny, new toy. What makes App Defender not another shiny, new toy?
To a certain extent, it is a shiny new toy. Is it a new tool? Absolutely, it is. Do we think it’s a tool that’s focused on one of the biggest parts of a breach? Yes, it is. To be fair, I’m the product guy. I build the product. But the real focus of our solution, honestly, is to try and make it so you can take action. They’re integrated into the workflow that customers have to do to respond.
Looking past the conference, what’s the next big, thorny problem you’re working on?
The big one is the massive shift in the IT infrastructure that’s going on. HP calls it the “new style of IT.” Essentially it’s this massive adoption of delivering services from the cloud or from a sort of style of cloud. The reality is that more and more corporate infrastructure is not going to be owned by the company. For example, I can work with my customer relationship management system sitting in a coffee shop from my mobile device. In that scenario, my temporary work network has been created completely outside of my organization. That reality in a lot of companies changes the way you do security. Most of the protections that exist actually protect right on the server or the laptop or the network—and if you don’t own any of those things, how do you enforce security? You’ve got to be more information and user centric in the way you do that. You’ve got to find ways of inserting security controls into these temporary corporate environments that are created on infrastructure that you don’t own. We’re really investing in that.
During HP’s last earnings call, Meg [Whitman, HP’s chief executive] was talking about how the company’s revenue outlook was looking a bit flat. What are HP’s priorities, and where does that leave the enterprise security business?
Meg has been pretty consistent in her message that she gives to the Street around what the priorities are for the company in terms of where we see the growth for the business. Those are: investments in our cloud infrastructure and the cloud solutions we’re doing; big data, which is sort of using information to make better decisions faster within an organization; and, as a support to these two things, security.
From my perspective, we have a very high profile [within the company]. We have a very good solid place to play in the strategy. Now, to be fair, HP is a large business. If you look at the revenue, and we talk somewhat publicly about the revenue sides of it, security as a business itself—while profitable because it’s software—is relatively small in terms of revenue size. I think that what security will be for HP is an enabler for our cloud services and how we deliver big data solutions. We will help companies secure those environments, secure those transitions to the new style of IT.
Will it stay that way? As you said, it seems the money is only now just starting to flow toward security.
I think, relative to where we are, we obviously have aspirations to grow a lot more. But even the largest security company in the world, let’s say Symantec, their security revenue is probably $3 billion or $3.5 billion. [Editor’s note: Symantec’s revenue for its fiscal year 2014 was $6.7 billion; $1.3 billion was from information security.] And so even if we become the largest security company in the world, in a $120 billion company . . . you get my point. We’re going to be, I think, strategic. Meg says it’s strategic. I believe it’s strategic. I’m working as if it is strategic. We’re driving a lot of investment into it.
In your past keynotes, you’ve referenced Star Wars. What does it have to do with cybersecurity?
I started my talks the last two years with a Star Wars anecdote because I have an 8-year-old son and daughter, twins, and they love Star Wars. The last couple of times they’ve said some things that are pretty funny. My son will ask me which ones are my favorite characters. So we go through the litany of characters and my son doesn’t allow me to pick the same ones over and over again, so I’ve got to learn them all. But I asked him which ones are his favorite characters and all of his favorite characters are always the bad guys. So, I asked him, you know, “Hey, why are your favorite characters the bad guys?” His commentary, without even missing a beat, was, “Daddy, they have way cooler weapons.”
So that was how I started my keynote this year at RSA. And then we talked about the need to focus less on the silver bullet and more on people and processes. That’s what’s going to make you safe: not the new tool, but how you use them. So that was kind of the setup. The stories actually tell a better story than just geek speak.
To be fair, we did tell you to geek away.
I hope I did a little bit of that for you guys.