Improving the Browser: A Q&A with Authentic8’s Scott Petry

At RSA 2019, Early Adopter Research’s (EAR) Dan Woods met with a number of cybersecurity experts and asked them a range of questions about the current cybersecurity landscape. In one such interview, for the EAR Podcast, he spoke with Scott Petry, the CEO of Authentic8. This is an edited version of the conversation that can be heard in full on the podcast.

Woods: Can you tell us about yourself?

Petry: Sure thing, I’m cofounder and CEO of Authentic8 and we built Silo, the cloud browser. It’s an intuitively obvious idea but maddeningly complex to get people to really understand and embrace it. The browser is the biggest risk area in the environment. It’s the thing that people use to get on the Internet. Instead of running the browser on the local device where it processes all the code that comes down from all the various websites, with Silo, the browser lives in the cloud. All code is executing in the cloud. The users interact with nothing more than an encrypted remote display of that browser session. You get a fresh browser when you start and when the user finishes the session, the browser is torn down and thrown away.

So anything that would normally come in the browser stays in the virtual browser, which is in the cloud?

Exactly right. To a user, it feels like a normal local browser. In fact, it can be interacted with inside a tab of their local browser, but all the execution is in a remote host. It’s like watching a Netflix movie instead of running the DVD in your local DVD player.

The first question I have is about zero trust, which is the idea that you no longer have to have a perimeter — everybody in every server is protected as a unit responsively to what they try to get to. And some companies that are all cloud actually pull this off and they don’t have firewalls, but everybody else is going to have this environment where your perimeter is, where your network is and then you’ll have the outside of that space where you don’t have a perimeter. But it seems like zero trust is just another authentication mechanism inside the carpeted space. How would you say this is going to play out? Because it seems to be kind of a confusing landscape.

We seem to do this a lot in the cybersecurity space where we take a catchphrase or a keyword and it means different things to different people. Zero trust as a concept is really interesting. In fact, it harkens back to the days of access and authentication where, in very simple terms, the idea was if I’m inside my firewall, I should have full access to everything. If I’m outside my firewall, I have to go through a different set of steps in order to get access. When you see lateral movement of malicious code inside of the organization, you want to rethink your internal trust model. So it’s a perfect thing for identity and access management to get back to the point where you’re skeptical. Entitlements of users shouldn’t be fail open. They should be fail closed. But when the terms become marketing catchwords, they mean different things to different people. And we’re guilty of this as well. When we say Silo on our website right now, it’s the browser for a zero trust web, the idea being you don’t want to trust anything. Whether you’re consuming internal resources, you don’t want to trust a user to be proper with the data. You don’t want them to potentially leak it. If you’re consuming name-brand external resources like a reputable website that might have an advertising network that got corrupted, or if you’re for legitimate reasons going to a pseudo-reputable or sketchy website for research purposes or other functions, you don’t want to trust any code that you can’t vouch for. And the browser is predicated on executing arbitrary third-party code from a variety of sources. And we say you can’t trust anything in that world. I think the idea of looking skeptically at what user entitlements are and enforcing better authentication to get access to resources is nothing but a good thing. The thing I don’t like is when I try to log into a website and it makes me solve a puzzle and pick out the thing that says, how many street signs are in this grid? I have to solve the captcha before getting into the website.

Right. So you’re saying that the paradigm of zero trust is maybe defined by Google in the BeyondCorp architecture. And then, the way it’s been implemented by various cybersecurity vendors has now got us to a point where the definition is nebulous. For you it’s basically a philosophical position.

It is.

While for other people it’s more like a network architecture.

Or product capabilities that enable some of the things. Zero trust is in the eye of the beholder or the provider, but we do think about it in the context of the philosophical engagement that users have with web code.

One of the things that frustrates me about zero trust is if it was implemented according to its first principles, something should go away when you use a zero trust model and what should go away is the perimeter, but what’s happening is people are doing zero trust and nothing goes away, because they can’t get rid of the perimeter yet. Which brings me to my next question, which is why is cybersecurity always additive? It seems like every generation of cybersecurity adds new capabilities and new products, people adopt those products but nothing ever goes away. When are we going to get to a point where we will start meaningfully pruning?

I love this question and I’m going to really try to bite my tongue so it doesn’t sound like a product advertisement. We’ve been talking a lot about the expanded scope and scale of the things people need to do to be secure. Research shows, and I’ll get my sources wrong, but I think it was Cisco that said the average enterprise has 70 cybersecurity vendors. The second stat that we think is staggering was from Dimensional Research, which says almost 75% of CISOs interviewed say the role of the cybersecurity professional is changing because of this exceedingly complicated heterogeneous environment and they can’t find staff to keep up. So if you look at those trends, I have more vendors, those vendors deliver more stuff, I’ve got to hire staff to manage it but I’m struggling, and then you overlay the increase in exploits. These are trends that don’t end well. It’s getting worse for IT across all facets of the equation. But if you think about what we do, where the browser actually executes out in the cloud instead of the endpoint, you shift 100% of your web exploit surface area away from your environment. It allows you to do some things immediately that dramatically improve the internal IT situation. I’m not talking about soft costs or process costs; I’m talking about hard cost recouping. If you don’t have web code reaching the endpoint, your zero day surface area on the endpoint is pretty minimal, and you don’t need AI-enabled next-gen AV. Things like Windows Defender that come with the OS are perfectly sufficient when your surface area is the USB thumb drive or a macro exploit that might be on an Exchange file or something like that, if you have a static rendering on the local device, object file rendering on a local device. If you think about the 90% of websites that are now delivering their payload via an encrypted channel, that means you have to get way more sophisticated with your network infrastructure to do inspection of those conversations. If you run the browser in the cloud, we do TLS break inspect in the browser itself and audit everything that’s going on in the browser. You don’t need any additional networking infrastructure.

What you’re saying is that your approach to pruning would be one in which you try to refactor the surface area so that you can simplify the threat, you can simplify the possible threats and they have simpler solutions that would protect you?

That’s exactly right, at the client, at the network, as well as at the gateway. I need to have my endpoints secure. You don’t need a sophisticated AV if you have no zero day surface area. At the network, I don’t need to do TLS inspection or CASB auditing of my user activity if I have robust logging in the application that the user is using all the time, which is the browser. And at the gateway, today we have very sophisticated conditional exception handling for your SWG, your secure web gateway, to allow a user to get to a website or not. You don’t need a secure web gateway. And so our whole approach is to say how simple can it get?

The next question I have plays into the idea of the refactoring that you mentioned and that is we now have a world in which we still have mostly on premise cybersecurity solutions. An increasing number of those solutions are powered by connections to the cloud where they’re accessing machine learning or other kinds of collaborative mechanisms. We also have some legitimate cloud-based solutions that are providing cybersecurity. How do you see the portfolio that the CISO manages migrating to the cloud? What will be the steps that go forward and how will products change as that migration takes place?

The answer we like the best is to take the core asset, the application, and move it to the cloud. Much like storage moved from on prem to the cloud, or back office applications for onboarding/offboarding employees or accounting packages or ERP have moved from on prem to the cloud, we’d love to see that phenomenon happen the same way with the browser as the asset moving to the cloud, where you get all the commensurate benefits of the cloud migration. I don’t think we’ll see that though. I think we’re going to see it, unfortunately, in the piecemeal manner that the cybersecurity solutions have been established to date. We see now a lot of the SIEM analysis, a lot of the log aggregation on SIEM analysis, a lot of the analytics that scientists need to do to look at anomalous events and figure things out, the real knowledge research work, moving to the cloud. You see data feeds, the threat intel feeds like from Recorded Future or others, moving to the cloud. I wish we could just jump right to the answer, which is to migrate the applications themselves out to the cloud where they can be centrally controlled.

It seems like when you do that then you can actually do the real zero trust. You can live without a perimeter when everything is in the cloud. But it’s not going to be very soon that most companies get there.

It’s really hard. And Google, for their model even owning the Chromebook and the hardware and the software stack and the access to services, they’re not a completely perimeter-less organization either. We as a secure cloud browser vendor, we can assume all of our apps are in the cloud, but when we have to fill out our compliance forms for our FedRAMP, there are certain things that are mandated by the regulatory bodies that you have to have. And one of those things is secure, perimeter-based controls. The compliance frameworks aren’t written for zero trust.

There used to be the hard perimeter with the crunchy center. And then, the idea was to say everywhere is a perimeter, there is no perimeter, make every asset hardened. That’s definitely the direction we see things going. And there are a few encouraging trends. I do think the Google model of zero trust, or the conversations that I think some of the analysts are starting to have around software-defined perimeter, where you move some of the inherent controls up to cloud-based assets and away from the carpeted areas you’re talking about, make sense, because managing this cocktail of stuff is just untenable long term.

Let’s now pick up on that idea of how you can improve your management. The next question I wanted to ask is about ops discipline. Would CISOs be better off if they didn’t buy the next cybersecurity capability but instead invested that money in increasing their operational discipline? By that, I mean configuration management, patch management, getting a good inventory, being able to expand automation, being able to expand agility and responsiveness.

I could not agree with that more. I’m going to bastardize a quote from Alex Stamos, but he speaks about this a lot where he says, we fixate on the shiny newest exploit while the true vulnerability is the stuff below the surface, the basic standard stuff we’re not doing well. We spend an inordinate amount of time on the exotic when we should be addressing the mundane. That’s not his quote, but that’s the theme of his quote so a tip of the hat to him. I did a presentation to a legal security summit that I called “Back to Basics” and I took every major exploit from the last year or two years and broke it down. It covered the Target exploit and I said, this wasn’t a nation-state actor. They didn’t segregate their network, so the HVAC consultant could drop malware on the point of sale system. Why on earth would the network that the HVAC consultant is connected to be connected to the network that you run your point of purchase system on? It makes no sense. Segregate your networks. It’s a simple lesson. There’s all kinds of data out there. You don’t need to buy any AI-enabled, machine-learning SIEM with virtual scientists to tell you what to do in order to tell you to close a port on your damn firewall. I think operational discipline and internal good housekeeping is a big area.

What do you think gets in the way of just doing it?

I’m not a psychologist, but I think it’s that we think there are technology solutions to everything. There’s the industry. Look at the flea market that is RSA. It’s great. It’s a fun environment, but if you’re a rational buyer, how do you separate signal from noise here? The industry is telling you to buy new stuff, buy more stuff. The discipline seems to be reserved for the people that are doing rational security service, pen testers, white hat hackers, et cetera. Today, IT is in the business of telling users they can’t do things because of the risk. This has created a cultural shift in IT that has transformed it from being a value-added resource to being the organization that’s trying to put up barriers in order to minimize risk. It’s a hard question. I don’t know how we change that, but for the rational organizations that follow the NIST frameworks and think about good housekeeping, it’s a better path than buying the next new widget.

The people are the ultimate perimeter and it’s hard to get people to take cybersecurity seriously, to really adopt good practices to realize that it’s important that everybody worry about it. Have you run into companies that are actually good at training and maintaining a cybersecurity awareness culture outside of the obvious suspects like the intelligence communities or financial services?

Even the intelligence communities and the financial services firms have insiders that inadvertently leak information or expose resources. That’s a really hard one. One of my favorite customers is the CIO of a major metropolitan city government. He has a T-shirt on that says you can’t program out stupid. His approach has been to take away the ability for users to hurt the business and it starts with the admin having the CSO or the CIO, in this instance, having a strategy to say, how can I enable my business by minimizing the ability for them to screw it up? It’s a different perspective than am I keeping all my technology topped off with the latest and greatest. He thinks about internal business processes. He thinks about where he is vulnerable from his audit perspective. He thinks about how are my users going to go about their day. They’re also subject to the Freedom of Information Act when the city is subpoenaed for certain information. How am I going to be able to service those requests? His perspective is much more of a holistic what’s my work environment, what am I trying to do as a business and how do I enable my users rather than what technology do I need to install to check off my checklist.

My last question is that a lot of people that I’ve run into who are CTOs, CIOs or CISOs have had to buy cyber insurance because they were forced to by their CEO or board. Many of the people don’t want to do it, because the insurance is new. It’s got a lot of exceptions. It’s got a lot of escape hatches so they don’t have to pay. And what it explicitly covers is not that wide in scope. It doesn’t really cover the primary damage of the attack. It puts CISOs in a difficult position, because if they argue directly against it they rarely win. On the other hand, you could then say the one play would be to try to get the smallest, cheapest policy just to check the box off. But I think there must be a way also of changing the conversation so that even if you do end up buying it, the process of doing that improves more than just your insurance coverage.

I think what you said in the end is I hope the direction it goes. And we see this in the healthcare market as the Fitbit or the Apple watch has been strapped to every employee’s wrist, healthcare providers or insurance payers now have the ability to help employees be more active and lead a healthier lifestyle. Companies with certain metrics and stats, everybody loves a leaderboard, they get lower premiums. I hope that happens with cybersecurity. The obvious gap is there’s no baseline audit that says, are you doing this and this? Are those things that are going to make you more secure? Do you know what resources are at risk? This is how you’re protecting and managing it. We’re giving you a security score. Here’s your premium. We can insure you differently based on the profile of the data that’s at risk and the measures that you take. Until it gets to that point, and there are organizations like UpGuard or Security Scorecard or others that are starting to try to do some of that outside-in assessment, but until the insurance companies basically force some common criteria for what is a secure versus an insecure environment, I think it’s just going to be a placebo as you described. If Equifax were to have had cybersecurity insurance, shouldn’t the insurance company have known they weren’t patching their web server before writing the policy?