Can Cybersecurity Portfolios Be Pruned? A Podcast with Rajarshi Gupta of Avast Software

Continuing the series of interviews Dan Woods of Early Adopter Research conducted at RSA 2019, in this installment he spoke with Rajarshi Gupta, VP of AI at Avast Software, a cybersecurity vendor. Woods and Gupta covered key cybersecurity questions for 2019, as well as discussing Avast Software's place in the market. Their conversation covered:

* 1:00 – Avast’s place in the cybersecurity marketplace
* 6:30 – How to ensure the right people have the right access
* 7:15 – Is portfolio pruning possible in cybersecurity?
* 16:45 – What models should companies be using to train their AI-based cybersecurity?


Q&A

Woods: Can you explain what Avast Software does?

Gupta: Sure. Avast is one of the largest consumer security companies in the world. We have almost 300 million PC users, and 140 million mobile users. That’s a very large customer base from which we get our data and we evaluate security from all of those customers.

What exactly does the product do?

Our primary product is antivirus. We protect people from the different files that they see, and it's traditional antivirus as you know it. But we have a large suite of other security products that includes VPN, Cleaner, a small and medium business product for enterprises, as well as products for our telco partners. And they sell those through their channels.

I assume all the other ones are sold through channels as well?

Consumer products are direct to consumers and we sell them through our direct marketing. The telco products for family safety are sold through our telco partners, and then the small and medium business is through our usual enterprise channels.

The first question I have is about zero trust. The ideal model of zero trust is that the perimeter should go away and that you should just be able to protect the device and allow access based on what you know about the person. There's no safety zone anymore. But in practice, we're just not seeing that model be put into place. Most people still have a perimeter. Given that complexity and that confusion, what do you think zero trust really means?

The first thing you mentioned is that people still follow a perimeter model. And in general for an enterprise, the perimeter model really doesn't work because it's a simple loss probability. If you imagine that any device from the perimeter that is going out to the world has a one percent chance of being infected, well then if you have 1,000 devices the chance that you're infected is 1 minus 0.99 to the power of a thousand, which is very nearly 1. That means if you have any reasonable number of devices, a few hundred, a thousand, you will always be breached by somebody or other. Therefore, to look futuristically, it should entirely be a zero trust model, whereby you don't imagine that you have a perimeter and things inside should be unprotected, but the model should absolutely be such that people that get access are the ones who need the access. And people get access based on what they are doing, what their environment is, and what they are trying to access. So as a security researcher I am a very strong proponent of the zero trust model. You can never trust that the perimeter will not be breached because with almost probability 1, your perimeter will be breached.

I’ve seen there are a couple of companies that are completely cloud based, where everybody is using cloud infrastructure for all of their work and they actually don’t have a perimeter. But almost everybody else does have some sort of perimeter. Do you see that changing anytime soon?

The industry is going toward much more of a cloud based model, whereby many things are going to the cloud. With the cloud, there is of course no concept of a perimeter. You still have the concept that you need to protect your endpoints, and it's up to the centralized cloud to ensure that the endpoints that are accessing the cloud are not affected, are not corrupted, or have not been breached already. So that is the major industry trend that is moving us away from the perimeter.

The only other place I've seen where people are getting close to getting rid of the perimeter are companies like Google, who invented the idea of this perimeter-less security in their BeyondCorp model. It seems that very slowly, people are going to become more like them.

Right. Google is a company that did a great job by first adopting the BeyondCorp model and then by sharing that with the rest of the world through their white papers and their best practices and so on. So yes, if you ask me as a personal believer, that is a great model. There is no zero and one in the security world. It's always probabilities. You are either more likely to be infected, more likely to be risky, or you are less likely to be risky. And depending on what you are doing and how valuable the thing is that you are trying to do, it is a model that is worth pursuing.

Now I want to move onto my next question about portfolio pruning of cybersecurity. It seems like with every generation of cybersecurity we get more and more solutions. It seems like we never have any sort of pruning going on, where a new solution removes the need for previous generations of solutions. Why do you think that we haven’t gone to the point of really pruning the portfolio?

I wouldn't completely agree with your statement that no pruning goes on. I have worked in the enterprise security world before, and one of the things that you are always doing when you are trying to sell to a CISO is describing whether you're going after replacement dollars or you're going after new dollars. In general it is true that when a CISO of a large company is trying to evaluate any new security player, they do look at it in terms of whether it's replacement or new. Having said that, two things are happening. First of all, there are new dollars every year, and new dollars means it's easier to get the new dollars than the replacement dollars. It's always easier to say this is extra security. The other point is that new threats are coming on continuously and old threats are not going away. If you just look at what we were describing before, people still have a lot of laptops. Therefore, all the perimeter-based security that people needed and the endpoint security people needed are still there. A lot of stuff has moved to the cloud, so therefore people need to add the cloud security model. And now people are adding hundreds and thousands of IoT devices in their offices, and you need IoT security. So it's not necessarily the fact that people are adding all this security, it's the fact that the world is getting more complex.

You would think that at some point it would be possible to have new componentry that would be able to reduce the footprint but you’re saying when you use replacement dollars, you’re not really pruning, you’re just getting a better web application firewall than the worst one?

That's actually a very good point. I think it's up to the CISOs of the world to evaluate the security solutions and realize that certain solutions do become obsolete, and you don't need them anymore. There is a bloating and that becomes, itself, a complexity because of how all of these different security solutions interact with each other. You should try to reduce it but realize that your attack surface does keep increasing.

It seems like it's been ten years that people have said antivirus is dead. But we still have antivirus vendors with big booths and lots of users here at RSA: McAfee, Symantec, you, others. Why do people keep saying antivirus is dead?

I think that’s a great question for a company like Avast, whose primary business is in the field of PC antivirus. We’ve been gaining market share, and we’ve been gaining in the number of people who are using it because simply the problem has not gone away. People still see a vast amount of attacks that happen through files that come through your website or JavaScript or files that are downloaded from the machine or come to your email. AV will go away when V, the viruses, go away. And the viruses are not going away any time soon.

Why do people say antivirus is dead then?

I think the people who are saying it, there is a bit of wishful thinking that this is a solved problem when it’s not. And then there’s of course the hype coming from companies who are trying to pursue or project a different kind of problem, or different kind of solution, who feel or are trying to convince people that antivirus is no longer necessary.

My next question is about cloud migration. How do you think the migration to the cloud will affect the cybersecurity market?

It's a two sided coin. On the positive side, the Android marketplace and the Apple App Store are great examples where a very centralized cloud based model is able to reduce the prevalence of malware by significant margins. And they have been able to do it by centralizing their security and putting a very strict filter on everything that you put in. Unlike on your computers or on your email, every app that you put on your phone gets "vetted" to some extent before it comes to it. Now, the exact flip side of the coin is if you put all of your information into the cloud, it becomes a much bigger target. So this complete slew of hacks like the Marriott attack or the British Airways attack, they are all happening because people are keeping all of the information in one place, which makes it very lucrative for people to go after them. If everyone kept their private data on their own computer, yes, people could possibly steal it but it wouldn't be as cost effective.

Now let's talk about that question about evaluating AI claims. Anybody in the tech business doesn't have to be told about how the latest trend becomes associated with your product, whether it's cloud washing or powering with containers. That's an old pattern in technology marketing. But in the world of AI, we have this interesting phenomenon because it's so large and wide, and it's real. We now finally have the data that we never had before. We have the computing resources on demand that we never had before. And those two things have allowed us to make algorithms that have actually been around for 30 years actually work. But now I'm a buyer. And somebody comes to me with a product and says, "Hey, I've got a great AI product." How do you deal with that as a buyer and evaluate that claim so that you can understand whether it's meaningful or not?

I totally agree with you that there has been a lot of hype around AI in every field, particularly in the field of security. It’s a big challenge for the CEO, CIO, or the CISO to figure out who’s telling the truth and who’s expanding on their actual solution. Short of doing a full-fledged test, there are fairly few questions that can be asked to determine this. The first and most important question is what are you training your models on? When a company or a startup comes to you with a solution that says AI, the first and most important question to ask is what data have you trained your models on? Then evaluate, is this data coming from five companies or 500 companies? It’s not just the quantity of data that matters, it’s the diversity of data.

Let’s say they pass that test. What would be the next thing you would ask?

Once they pass the test about the data, you need to ask them about the type of models that they’re building, and then show real examples. Also another very interesting question is the evolution of the model. Because security as a field of AI is very unique. It’s about the only field of AI where we really have an adversary. It’s the only field – not vision, not speech, not natural languages, not self driving cars—security is the only field of AI where we have a true adversary that’s trying to evade your model. And that adversary will do everything in his or her power to evade the model that you’ve built, so it’s absolutely essential for security models to be adaptive, and to be able to adapt very quickly.

Do you think people would be better off investing in more operational discipline such as better configuration management, patch management, inventory of their assets and automation, rather than investing in another cybersecurity component?

That's a hard question. Clearly people should be doing that, and that certainly helps. If you go back to old English sayings, there's "prevention is better than cure" and "a stitch in time saves nine." All of that is arguing that yes, the dollar spent doing good hygiene is almost always better than trying to fix the problem after it has happened.

Why do you think people seem to kind of under-invest in those realms?

Partly because of the human in the loop. It's much easier to buy and deploy a cybersecurity solution than to train 5,000 people in your organization not to use 12345678 as a password. In most cases bad hygiene, or bad cyber hygiene, and bad configuration are coming from human beings who are doing it for their own simplicity.

Who have you seen do a good job of actually training the human perimeter, which is a very important perimeter? How can you encourage the culture of cybersecurity in an organization, outside of the usual suspects like financial services and the intelligence communities?

In cybersecurity, there’s a statement that there are only two types of companies: ones that have been breached, and ones that don’t know they’ve been breached. It’s a really hard question. I don’t know the answer and I don’t work in enterprise security because we are a consumer company, so I can’t really give you a list of companies who I feel are better than the other. In the consumer space, we are definitely seeing major changes, major differences in cyber hygiene. There are parts of the world that have much better cyber hygiene than others.

Like who?

We've recently been doing a research study with Stanford University whereby we've been looking at the risk profile in your homes and devices in your home. As part of that, one of the results we found was that some regions of the world, like North America and Europe, have a percentage, maybe two or three percent of their devices, that have poor passwords. On the other hand, the exact same type of devices, let's say your wifi routers, have poor passwords on the order of twelve or fourteen percent in parts of Asia and parts of Eastern Europe. That's a 5–6x difference in the percentage of devices that have bad software. It's not only coming from the human perimeter, it's also coming from the fact that of the devices that are sold, some of the devices force you to change the password, and some of the devices don't force you and are perfectly okay having admin/admin as their password.

The last question I have is about cyber insurance. A lot of CISOs and CTOs and CIOs are being forced to buy cyber insurance. Many of them don’t like it because they feel like it’s bad insurance, and it doesn’t pay, and it’s easy to get out of. There are a lot of escape hatches for the insurance company. But arguing against it vigorously doesn’t necessarily mean you won’t have to get it. How can you take the demand for cybersecurity insurance and turn it into something positive?

I’m not an expert in this at all. I’ve only been in the area as working in AI and as working in cybersecurity. We are much more in the business of quantifying the risk, of figuring out how good or bad something is.

Right, but the data isn’t there yet. The actuarial models are very good about when you and I will die, they’re very bad about whether or not our companies will be breached.

That is true. That’s a very good scientific point. It’s a much easier question to calculate which company is more or less likely to be breached than to calculate what the actual probability of being breached is because the probability of being breached has a very important angle, important player, which is the attacker. So your chance of dying depends on what you do but it also depends on whether your country suddenly goes to war, and somebody invades your country. So it’s that second piece which makes the absolute probability calculation very difficult. But the relative probability calculation, we do have a lot of data right now.