Achieving Cybersecurity Integration: A Q&A with Fortinet’s Phil Quade

This Q&A is part of a series of conversations Dan Woods of Early Adopter Research conducted while at RSA 2019 for the EAR Podcast. In this interview, he speaks with Phil Quade, CISO of Fortinet. Woods and Quade covered a variety of topics such as zero trust and cybersecurity migration to the cloud. This is an edited version of their conversation that can be heard in full on the podcast.

Woods: What does Fortinet do and could you use the NIST framework as a way to explain your capabilities?

Quade: Fortinet is a company that does womb to tomb security or IoT to cloud security. We execute a strategy called the OODA loop where we’re able to observe, orient, decide and act which is fundamentally what the NIST cybersecurity framework is about. It’s about having the capability to detect things happening before they turn bad, doing a mitigation when things do turn bad or cleaning up afterward informed by good shared situation awareness. Fortinet specializes in having plenty of detectors to detect risky conditions, plenty of actuators to be able to mitigate risky conditions and then overall insight and visibility so you can have a greater understanding of where you’re at risk, where you’re mitigating risk and where you need to be planning for the future.

You have next generation firewalls, which is the foundation of the company but what are the product categories that are under the Fortinet umbrella?

Fortinet started with its base product being a firewall, called FortiGates. That was back in the earlier days of firewalls and they were called connection-oriented firewalls, and connection-oriented firewalls made sure that A only talked to B and if A wants to talk to C, then a firewall would block it. The next generation of firewalls was more content-oriented. It’s evaluating the content of that communication and deciding what goes through, what doesn’t and which one needs a little bit more examination, like a sandbox feature where you take something offline, detonate it in a detonation chamber, in a sandbox, examine it for malicious indicators and then decide whether to allow it to pass or not. The third generation firewalls are intent-based security. That would allow you to greatly reduce the complexity that it would take for anyone to manage your system by having a human being describe the intent behind the security policy and have the computer science behind their firewalls themselves. So the foundational product of Fortinet is FortiGates, but as I eluded to a little bit earlier, we have a suite of products all well-integrated that work in the front of the firewall, side by side with the firewall and much further upstream.

What are those products?

I put them into three main categories. The first category is your core network, the things that exist in your own datacenter, all types of firewalls and other appliances that do analysis inside your core network. Another category would be appliances that work virtually. Whether it be visibility, analysis, integration, automation, all the functionality that we have in physical appliances are available in cloud-oriented appliances, whether that be private cloud, public cloud or multi-cloud. So category two is virtualized solutions. The third category, I would call endpoint-oriented solutions. Endpoint as we’ve known it historically has been the desktop, then the laptop, then the tablet, and now our smartphones. We have a whole category of solutions that work to allow secure access and secure operations of those endpoints.

The first question I have is about zero trust. It’s a great concept because the idea is that you will have a bunch of users or servers all connecting to whatever they need to connect to and at some point their request for a connection will be evaluated and they will then either get with that connection or get it in a certain way that will ensure security. The perimeter doesn’t need to exist because you’re protecting every entity that’s inside your purview. But now people are implementing zero trust even though they’re inside a protected network. What does zero trust mean in this current environment we’re in, where most companies aren’t completely cloud and living in a perimeter-less environment?

Zero trust is like saying if you’re going to drink, drink a lot, which is not always great advice. Meaning, the theoretical trend behind zero trust is that you control access at the most discreet level to every single person or object. In a practical sense, the implementation becomes too complex and too unwieldy to do that. The better approach we should be talking about is segmentation. Segmentation has been around for a long time, and that’s about putting the appropriate boundary around assets and things that matter. So as you alluded to earlier, the preeminent cybersecurity strategy of 10–12 years ago was doing boundary defense, we’d create a virtual and physical boundary around our networks and we would do something called active cyber defense. We would detect and mitigate in cyber-relevant time and we’d inform it by specialized intelligence or information, active cyber defense. But mobility, wireless and some other things meant that that boundary, that physical and virtual boundary, became less apparent, it gradually was morphing away. The importance of segmentation has risen dramatically just in the past years as our assets need to be protected no matter where they are, even if those assets move around. I call that particular strategy, agile segmentation, the ability to do segmentation, protect your assets no matter where they might be. Another important component of the segmentation strategy is the granularity of what you can enforce it. There’s macro-segmentation and there’s micro-segmentation.

The idea is whatever you’re doing, with segmentation it’s fine because when something wakes up and joins the network, you’re deciding what segment it’s going to live inside of and what it has access to?

Yes. I think that the marketing around zero trust has outpaced the headlights. I think the computer science and strategy around it is more about segmentation.

The next question I have is about portfolio pruning. What I mean by portfolio pruning is the idea that at some point in the history of cybersecurity, we should get to a point where you have fewer cybersecurity components, fewer cybersecurity products and vendors. Now, what’s happening it seems is that we are getting to a point where every generation of cybersecurity adds a new collection of components. Do you think we’ll ever get to an era where we actually do have the ability to prune and shrink the size of the capabilities in our portfolios?

Absolutely. It’s not that we’re pruning the capabilities, I think we’re going to prune the complexity of managing those capabilities. The capabilities will become stronger and stronger, the complexity necessary to execute those capabilities will become easier and easier. At Fortinet, we wholly embrace the strategy that you can have multiple components and if they are independently trying to defend your network, you’re only as strong as your weakest component. But if they’re collaborating in defending your network, their sum is greater than the individual parts. But we need to prune. What we need to prune is the complexity required to manage an integrated defense because the complexity is causing too many errors by the operators of these defenses. And we need to prune the individualism of all these different capabilities. The trend today is to go with a vendor like Fortinet that has a very wide range of capabilities but importantly they’re well-integrated to reduce complexity and do defenses now. If you’re starting your strategy in architecture from scratch, I would no doubt go with the single vendor implementation of well-integrated, single implementation based on speed and integration at Fortinet. That’s not practical for most people, they’re not starting from scratch, so what you need is not just a rip and replace solution but something that can be well-integrated into an existing solution. Fortinet provides that in a couple of different ways. Number one, you can build out from a small core of our suite of products that work over our security fabric to get those products to work together. But importantly, many other vendors are a part of something we call the security fabric alliance that allows other vendor’s products connected to the Fortinet security fabric and we can very, very richly collaborate in their defenses. Let me give you a quick example. Today, the Fortinet architecture over the fabric is connected to something called FortiGuard Lab. That’s where we over 200 people doing threat research about all the bad things that might happen to networks. We form indicators, we push them all across the security fabric, Fortinet devices consume them and block bad things from happening. However, we also have fabric alliance partners and if they see something bad happening they might say, “Hey, please examine this, Fortinet component.” The Fortinet component goes and examines it, produces some insights and pushes it back out to the requesting fabric partner but also pushes out to all the Fortinet appliances on the network.

What you’re saying is that the answer is integration is necessary and required. Yes, it’s true that having one integrated set of products under the umbrella of one vendor provides you some advantages but you’re also living in the real world where people have existing whatever it is and if you’re saying it’s all or nothing as a vendor you’re going to be kicking yourself out of a lot situations? And Fortinet is primarily, although you’ve done acquisitions, 80–90% of your product is all based on stuff that was built from scratch by Fortinet?

That’s what lets us achieve strong integration and reduce complexity. We have the fastest firewalls on earth and the interface you would use to configure that firewall is the exact same interface you’d have if you had a virtual firewall in the cloud or a little one over on your desktop. It’s the same, indigenous operating system developed by a common group of US and Canadian developers. Integration done from scratch is tighter and less complex than other.

The next question I have is about cloud migration. Every component that’s on premise these days seems to have some aspect of it that does connect to a central cloud, whether to provide data that has ML learning that makes it smarter or to get access to the freshest threats or whatever. But the bulk of cybersecurity spending is on devices that are on premise. And even though we think of the cloud as a massive new trend, if you look at cybersecurity especially, the cloud-centric products are like 10% of the spending. How is this transition to cloud-based cybersecurity going to take place?

You asked an appropriate, complex question. The cloud, of course, is primarily about agility and scalability, it provides large amounts of storage or large amounts of high performance computing available to folks who otherwise couldn’t afford it. So it’s not a lower cost solution, it’s simply a flexible and agile way to get that data or compute power. But if you’re going to do data or computing in the cloud, you need to make sure you have secure solutions. We think the answer is most companies will be hybrid cloud. They’ll have some assets in their own data centers, they’ll have some assets in private cloud, and they’ll even have some assets in public cloud. Certainly, that’s where larger enterprises are. There are advantages of being in each of those places so I don’t expect a complete migration to the cloud.

How will that affect cybersecurity products? Will they become gradually just more cloud-based or do you see the on premise hardware-based systems lasting a long time?

The latter, for sure. We’ve talked about what are the fundamental elements of cybersecurity and as I alluded to earlier, one of them is integration and connectivity among devices and the second one is speed. If you’re going to be in the cybersecurity business, you’d better be as fast as humanly or physically possible. You do that by having on prem, hardware-oriented clients. If you’re going to run a carrier infrastructure, you need to be really, really fast. So you’ve got to have the fastest things out there.

I have three other questions. The first question is whether CISOs would be better off taking that next budget that they have for the new cybersecurity capability and instead investing it in training or education or process monitoring or whatever is needed to increase the operational discipline?

I think you start by building up the infrastructure based on speed and integration, number one. Number two, you make sure you have in place the right type of patching in training so that vulnerabilities don’t bite you and human errors don’t bite you. You can highly leverage automation to compensate for those vulnerability detections and mitigations as well as using automation to help detect and mitigate human errors. With those right types of hygiene in place, both hardware and software hygiene and user hygiene, that’s when you can start moving to the more advanced strategies where you use automated analytics to look for other more deeply hidden vulnerabilities and more complex attacks. But I think you’re spot on, Dan, that it starts with building on a good foundation, next you make sure you have your foundations in place, the foundational strategies in place, highly automated and then you move on to your big strategies.

If you think about people being the perimeter, you have a never ending battle to make them aware and smart and bought into good cybersecurity practices. You want everybody in the company saying, “That’s really a bad idea. That’s going to hurt us if you do that.” Do you know of anybody who is really good at creating a cybersecurity culture and what methods do they use to kind of infuse that thinking inside their company?

I’d say that there’s probably two or three things that I would do to really build that great culture in reality cybersecurity. So I’m an internal CISO myself, I’m responsible for making sure that our enterprise IT is safe and secure and the people who are using it are making good choices. It starts with good training, making sure that the people know what their responsibilities are and that they have practice in making sure they’re making good decisions. The second major thing I would do is to use machines to help compensate for the inevitable mistakes that we humans make because we’re tired or sloppy or didn’t do training. Maybe we can use automation to look for evidence of an unwise behavior and question the user to see if they really want to do that seemingly risky behavior. Then the third thing, I would run some type of background processing that is in a more broader context looking for just unusual behaviors among the people for when someone actually does turn bad. You need some type of deeper analytic scans of your network to understand what normal behavior is and what abnormal behavior is and have the ability to detect that and block that.

Are there any industries that are good at this that you could call out?

I’m going to give you a perhaps surprising answer and I’m going to move over into the operational technology space. In the OT world, they’re focused on safety and reliability because if bad things happen in the operational technology space, people get hurt, people lose lives, large swaths of the population don’t get essential services that all of us are dependent upon. So to answer your question, I really look up to the operational technology folks who deal all the time with the safety and reliability of critical manufacturing, the industrial automation that takes place there and the OT that’s used in our critical infrastructures as well.

The last question is about cyber insurance. I know a lot of CIOs, CTOs and CISOs who are being strongly encouraged to buy cyber insurance policies. A lot of them are frustrated by this because they don’t think that the insurance is that good. The money spent on it gets coverage that is highly contingent and often doesn’t pay out. Would what you advise a CISO who is being encouraged or forced to buy cybersecurity insurance?

Good question. I think there is a conversation you can have with a C suite, whether it be the CEO, CFO or CTO. And it’s about risk. As we all know, in cyberspace, risk is some combination of a threat, a vulnerability and a bad consequence that you don’t want to happen. To me, to manage risk you have to mitigate each one of those components. And only when we’re precise enough to understand what the levels are for each of those, the threat, the vulnerability and bad consequence, will we be more capable of driving down that risk. So how do you drive down risk? You do so in two major ways, one, with technical countermeasures and, two, with insurance. So you mitigate as much of the technical risk as you can reasonably do and you use insurance to cover the risk that can’t be addressed technically. The good news is that CEOs aren’t necessarily technologists meaning they don’t really understand the ins and outs of vulnerabilities and threats, but they’re really good about surviving the bad consequences they want to avoid. So if you can put things in those terms, you can really have a meaningful conversation with the C suite about risk and the necessary buy-down of risks through technical measures and through insurance.