Changing Cybersecurity Behavior: A Q&A with Cylance’s Malcolm Harkins
At RSA 2019, Early Adopter Research’s (EAR) Dan Woods spoke with a number of leaders in cybersecurity. In this interview for the EAR Podcast, he sat down with Malcolm Harkins, chief security and trust officer of Cylance. Woods asked Harkins his three key cybersecurity questions for 2019 and dove into the topics that are most impacting CISOs right now. This is an edited version of their conversation that can be heard in full on the EAR Podcast.
Woods: Can you explain what Cylance is and does in context of the NIST framework of identify, protect, detect, respond and recover?
Harkins: What we do in the context of the NIST cybersecurity framework is at an endpoint, whether it be a PC, a laptop, a server, on multiple operating systems. We identify prior to the execution of code, what is good and bad. We do it based upon our artificial intelligence machine learning. We extract millions of features that allow us to identify that good and bad, protect the system from the execution of malicious code, and that in essence is the automated detection and response cycle so you don’t need to recover from a cyber event. But we also have an additive product called Optics. Optics is like a flight data recorder: a cryptographically stored and protected set of processes and other things that are running on the machine that, when you want it to go do additional detection and recovery and response, you could use that product to search for issues in your environment or gain additional forensics.
Is that second product about detecting things that may have gotten through?
It can be used to hunt and go look for things that might be in your environment. It could also be used in a traditional endpoint detection response space, where again you can use it for detection and response activities with your forensics team or your hunting team. But it also has the capabilities for what we’re doing with a prevention based EDR. Because you can use certain behaviors and anomalies that you can create rules on, and we call them ML packs—machine learning packs that will basically take the detection capabilities and turn it back into a preventative product for things that might be fileless or other attack techniques that might get past other controls in execution of code.
What is EDR?
EDR is a category of products that’s called endpoint detection and response. They’re basically after the fact technologies that people use to react to an event once it occurs.
In essence you are creating a product that has similar goals to anti-virus, which is stopping bad code from executing, and also some of the goals next generation firewalls had, which is stopping bad things from coming in. And you’ve got a new approach to that, and that’s what Cylance does.
True. It’s a completely new approach. It’s a re-imagination of the approach. And I would actually argue that some of the firewalls and traditional antivirus, they might have had the goal of stopping it but the reality is they never actually achieved that goal.
Now we’re going to go through three questions. These questions are intended to give CISOs some education about how they can think about these important issues. The first question is about zero trust. What does zero trust mean in practice? Is zero trust another additive responsibility? Does it take anything away? Zero trust means the idea that any entity inside a what was formerly thought of as a zone of trust inside the firewall now has to establish it’s trust every time.
I think in many ways the concept of zero trust is born out of the failures of the security industry. The firewalls, the anti-virus, the data loss prevention software, the hygiene efforts, all those things didn’t actually deliver the trust that was necessary to protect the integrity of the information assets, physically and logically. So that concept of just saying, “I now have to start with the fact that nothing can be trusted,” is because we’ve not stopped the cyber risk cycle. Now, there’s another element of zero trust that was born out of the concept of BeyondCorp, that Google had put out a few years ago where the perimeters have vanished. Things are in clouds, you’ve got apps, they’re on prem, they’re off prem. And so in those types of environments you also have to approach trust differently and you have to think about how do I establish trust in an application. How do I establish trust in that device is Malcolm’s device, and how do I establish trust that Malcolm is Malcolm on that system.
But even in the Google case, they have an incredible ability to manage the suspicion of everybody inside their environment with all sorts of proprietary technology. Yet, they have all of the perimeter defense to stop people from getting in. So the zero trust zone isn’t replacing the old paradigm. It sits inside the old paradigm. And I guess that’s what I see as in some ways redundant or silly part of zero trust is having zero trust but we’re going to still create the zone of trust. It would be one thing if vendors were saying, “Hey, you don’t need all that. We’ve done such a good with zero trust, you no longer need perimeter security.” But nobody is saying that.
Well I think that the historical notion of the perimeter is again different. I had a view years ago, from literally the early 2000s, that people are the perimeter. And people are the perimeter for a few reasons. They are where computing is happening. We’ve moved personal computing to a laptop to my Fitbit to my phone, to all those wearables. So it’s with me, it’s computing and communicating all the time but people are also the perimeter because they’re the decision makers. They’re the ones that have made lousy risk decisions in some cases, that have allowed the risk cycle to occur and people are also the creators of technology, who’ve created technology with vulnerabilities. And so I think we have to think about the entire notion of trust and the notion of the perimeter in different ways than we’ve historically done.
Our thinking of a zero trust world is way ahead of the implementation of the zero trust technology that we have right now. That’s the point I’m trying to make. Have any of your customers turned off their firewalls?
In some cases they have on their client-based firewall. Their network firewall, they’ll need to have some level of a perimeter there. But client firewalls, we’ve had some that have done that. It’s replacing host intrusion prevention which doesn’t really prevent stuff. It’s replacing traditional antivirus. I’ve actually had customers and friends and peers that have shut off and de-scoped DLP solutions. Because when I ask them why they bought DLP, they had said to prevent intellectual property from being ex-filled by the bad guys. And I say, if they can get past the signature based antivirus, if they can get past your intrusion detection systems, what makes you think they’re not going to get passed signature based DLP?
That’s a perfect segue into the second question and that is so far it seems like cybersecurity has been completely additive. We started out with antivirus, then we went with firewalls, then there are all sorts of deception technology and everything else that you see being added at this show this year. And I have yet to find anybody who has done a significant amount of pruning of their portfolio. Most portfolio adjustments are adding new stuff. That can’t continue forever. What do you see as solutions that can be pruned from portfolios and how would this pruning take place?
In some cases I think the answer is yes, I think things have been pruned. But the notion of defense in depth has actually turned into expense in depth. It’s been more, more, more, more, more: we’re buying more of the same crap that didn’t work, and adding it back in. So we’ve ballooned our investments, we’ve ballooned our staffing, we have gorged at the table that the cybersecurity industry continues to lay out in this all you can eat buffet of buy more, more, more. The reason for that is – and many in the industry don’t like me saying this, but the security industry profits from the insecurity of computing. So at a macroeconomic level, the industry has no economic incentive to solve the problem. They have the profit motive to sell more, to need more resources.
You mentioned one case where you said that if you really accept that a solution like DLP (data loss protection) is going to work then you’re basically assuming that something is likely to get in or someone is likely to act badly and then try to escape with data throughout your system. Now what you’re saying is that if you can create a confidence level in all of the other protections around that, you can say, “I’m so confident that I don’t think that anything is going to act that way, and I can turn some of that off.”
That’s definitely true but you also have to look at it in terms of controls. Is the control designed and implemented in a strong fashion, or is it insufficient or flawed? DLP is fundamentally insufficient and flawed. When it’s there to prevent the theft of data, I label something top secret. That becomes the signature. If I’m an insider and I have access to that top secret document, I know the signature that the DLP system’s going to look for, in which case I call it grandmother’s cookie recipe. I get past the signature. If I’m a bad guy who’s gotten into the environment, I know it’s top secret, I package it up, I encrypt it. I get past the DLP signature. The only thing DLP is good for is for a check the box compliance program and for keeping an honest employee from making an honest mistake in sending data someplace that they shouldn’t.
So the principle of pruning, you’re saying, is to increase your confidence of incoming threats so that you could stop looking for outgoing problems?
The notion of pruning for me is one around outcomes. Forget about the features and capabilities of the products. Are they delivering the business outcome that you bought it to do? Did it stop malicious code with a high degree of efficacy? Did it stop the misuses of assets by an employee? There are business outcomes we’ve got to do and look at it and say if it’s not delivering the outcome, then why have the control? The three business outcomes I’ve always looked at for the controls that I’m buying or deploying are what does it do to these three states: What is the change to my risk style? What is the change to my total cost to controls, and what friction is creating on the business processes and on the users? If you have a solution like Cylance Protect with a high degree of efficacy that prevents the execution of malicious code, you can slow down your patching regimes and that’s a cost issue. And patching actually introduces risks in addition to being expensive. So you can play with a lot of different dials when you actually look at the business outcomes you’re trying to achieve.
What you’re saying is that the pruning will happen if you focus on a complete set of business outcomes that you define as adequate cybersecurity and create a bunch of systems that deliver those outcomes, and then systems that are redundant to those outcomes you can prune?
Correct. But that will only happen if the executive management of a company holds the chief Information security officer or chief security officer accountable to those outcomes on risk, total cost, and control friction.
My next question is about cloud migration. Most cybersecurity spending is for systems that sit on premise. Most of those systems however do have a cloud component now. Usually it’s machine learning or AML or some other collaborative set of data that’s being shared. So it’s not that the on premise systems aren’t cloud powered or cloud enhanced, but they’re on premise. If you look at what people are writing checks for, they’re still writing checks for stuff that they’re putting on premise. So how much is going to actually migrate to the cloud and how will this migration take place?
The notion that cloud or not cloud is one we’ve got to change a bit. Even for Cylance, our agent is on your device so it’s an on prem agent because it’s on the device. The management infrastructure is in the cloud. And so we don’t have a dependency on the cloud for the efficacy of control and most of the things that you’ve got to tease out—some people are going to say we’re all on the cloud. What happens when I’m on a plane and I’m not connected to the network? I’m completely exposed. That’s why we’ve architected our solution so that the efficacy of control is not dependent upon the cloud. The management of the control and the policies and the automation that gives you yield off of your capabilities is in the cloud. So you don’t have infrastructure cost.
What you’re saying is that there’s going to be a strong case for on premise, effective controls that run in a disconnected mode and deliver that protection, no matter whether they’re connected to the cloud or not. As soon as you say all of my security is in the cloud, you’re saying that if I could disconnect you from the cloud, then you wouldn’t have that security?
Yes. Basically what I’m saying is if you have devices, you want an effective capability on that device to protect it whether it’s connected to the cloud or not. The cloud should enhance and again reduce the infrastructure cost, reduce all those other burdens, but a lot of folks who are saying my security is all on the cloud, it’s because they don’t know how to actually execute locally with a high degree of efficacy and a high degree of efficiency. And by on prem it is not that you need the infrastructure, it is the fact that the agent is on your device. And operates autonomously and independent from the cloud with the same efficacy of control. And the management capabilities around that are in the cloud so that again you don’t have the infrastructure cost and burden that you do with traditional approaches.
Let’s go to our bonus questions. In the research mission Creating a Balanced Cybersecurity Portfolio, I take a financial portfolio analysis view of the CISO allocating spending over various categories. And so in allocating that spending it seems to me that there are choices about allocating spending to non-cybersecurity aspects that actually would have a huge cybersecurity impact. What if we asked CISOs to consider taking five to ten percent of your budget away from what they consider cybersecurity and spending and instead putting it into operational discipline and improving their operational discipline, their measurement of that, their training, their preservation of that, their constant looking for new ways of improving your operational definition; the discipline through automation of configuration and on. Do you think that would be a beneficial tradeoff for most CISOs?
I think limiting the scope of the CISO’s job to just the traditional things and then the domain of IT is incredibly narrow. I think the CISO role or chief security and trust office role as I like to see it is very broad. It encompasses privacy. It encompasses business continuity and disaster recovery. It encompasses a variety of legal compliance items. It encompasses traditional InfoSec. It also encompasses product security, because every company is becoming a technology company. They’re creating apps; they’re putting technology into the products and services they sell. So for me, the CISO should evolve toward a chief security and trust officer role across all that, and they also need to get out of not only looking at their own budget and in essence taking an approach of innovation comes through starvation, and where am I going to starve myself of things to drive a level of innovation as well as they need to think in the total cost realm. They need to look at the entirety of the corporate spending and the corporate tax, and look at that as a budget that they can actually use.
For me the question is not one of balancing, like a calculus equation. It’s one of optimization. How do you optimize each of the coefficients in front of each of the variables in this multivariate equation? Because when you’re balancing I’m going to say I’m going to trade off privacy versus security, I’m going to trade off user experience versus security. That is flawed thinking; that is what perpetuates the problems we have. We have to think about architecturally how do we do all of it and then when we fall a little bit short, then we make the hard calls and make the tradeoffs. But don’t start from the tradeoff perspective because you’re always going to sub-optimize one thing.
The next bonus question is about cyber culture. How can cybersecurity education and training be made part of everyday life in a company?
We’ve all got to do the basic training of the employees, but for me, those that get it broaden their risk mission. If I’m delivering health care, how can a mistake in information security cost somebody their life? If I’m creating cars, how can a mistake in a connected car kill somebody? If I’m feeding the homeless, how can an information risk disrupt my ability to feed people who are hungry? There are connected items in that flow and so I always look at it from that perspective and try and really understand what the organization’s doing and connect the dots of the cyber risk to that and then figure out the direct impacts and the indirect impacts.
What you’re saying is that it’s a lot more boring to say, “Hey, you know make sure you patch this or update your iPhone or whatever,” and that’s one thing. Another thing is to say, “Here’s a list of things that you can do to make sure that nobody gets killed in our hospital.” And if you’re doing everything on this list, you’ve helped our patients. That’s the way to motivate it.
Exactly. I think a lot of security teams have the “Safeguard information asset blah, blah, blah” statement type-thing. Three simple words: Protect to enable. If you’re not protecting to enable the people, the data, and the business, you’re getting in the way, you’re wasting money and you’re not achieving the business outcome.
Let’s talk about cyber insurance. I’m on a variety of chief technology officer lists and I’m a member of a chief technology officer club and a lot of people are being asked to buy cybersecurity insurance and none of them want to. But they all end up buying it. Cybersecurity insurance has an incredibly narrow set of conditions described under which the policy would actually pay. There are all sorts of escape hatches that they have in the policies that would help them avoid payment. Yet CISOs can’t win this battle of avoiding buying this insurance. Do you agree with my analysis and how can CISOs win the battle of buying inadequate insurance?
By and large I do agree with your analysis. I think the cybersecurity insurance marketplace is the wild, wild west. There are too many caveats, conditions, and fine print details that create an escape clause for the insurer. Having said that, I do think there is an appropriate place for insurance, just like there is for fire, flood, earthquake, and automobile. The question becomes what’s the premium you are paying, what coverage are you getting, and recognizing that insurance coverage doesn’t mitigate risk, it just provides financial support for covering some of the damages. Insurance doesn’t prevent the risk from occurring; it just provides some potential repayment for your expenditures if a risk manifests.