In the security hot seat

As a company focused on preventing security attacks, Symantec is itself a bigger target for hackers and virus writers, says its chief information security officer Tim Mather.

Like most information security professionals, Tim Mather's job is to focus on keeping hackers out of his company's network and ensuring all systems are updated with the latest patch.

And like most of his peers in the industry, he worries about the level of sophistication of the next security attack and looks at what his team needs to do to fend off the most vicious attacks.

But the difference here is, Mather works for security firm Symantec. As chief information security officer of a company popularly known for its antivirus products, he faces challenges somewhat unique to his role.

In an interview with CNETAsia, Mather reveals that his company gets inundated with a barrage of hacking attacks simply because of who they are. In fact, unbeknownst to the hackers who launched them, some of these attempts have gotten "pretty close", he says.

He also talks about how he copes with these challenges, why he would never hire former hackers, and warns that the multitude of compliance regulations today is getting in the way of ensuring security.

Q: What is it like being in charge of security for Symantec, a company that depends on it for a living?
A: I have responsibilities for the security of our internal networks, all our extranets and our partner connections. Because we're a security company, we also run our security infrastructure based on our own products. My team gets heavily involved with beta testing and actual deployment of those products.

And because of who we are, we get an average of 20 to 30 solicitations, proposals or propositions, whatever you want to call it, from companies on a weekly basis asking us to buy their company, their technology, and so on. After the business development people have had an initial look at it, I get called in to see if I would buy the technology as a customer. What's interesting about that is I get to see a lot of small companies, what they're working on. Many of these are very small and very new businesses. Some of them have quite cutting-edge technology.

Another component is with regard to audit compliance, specifically security. So my team is at the forefront of security, the standards, the architecture, the policies and on a limited basis, some operational aspects of product testing and audit compliance. This includes regulatory compliance, so things like Sarbanes-Oxley fall under my responsibility from the IT side. That is a major drain of my time.

The accounting scandals at the Enrons and WorldComs gave rise to regulations such as the Sarbanes-Oxley Act (SOX). Besides Symantec, has regulatory compliance become a big focus for other companies, too, in terms of security?
Absolutely. Regulatory compliance has become a huge issue. It is an enormous investment in time and resources (in terms of people) and the cost is not insignificant at all. Sarbanes-Oxley for Symantec alone is an eight-figure sum. It's an investment worth multiple millions in dollars.

The issue I have with regulations, while they're well-intended, is that you have a real proliferation of them. They've gone from being a good idea to being a distraction, to what it is now which is a diversion on security. The sheer number of them is actually weakening enterprises, many of which have to comply with multiple regulatory compliance guidelines. That's a huge burden on companies.

So what really needs to happen instead is a harmonization of those requirements. Different regulatory bodies need to get together to say that, for example, 80 percent of their requirements can be shared. So if you audit for one, you get credit, so to speak, for the other regulatory requirements and guidelines that you need to meet. And leave maybe only 20 percent of those requirements which are specific to that particular framework.

But right now, having multiple independent regulatory frameworks that companies have to comply with…that is a real business problem.

Are you saying that right now one regulatory body comes in and gives a list of requirements that may be similar, and at a high percentage of duplication, to another list from a second regulatory body?
Absolutely. Very rarely do companies operate in a single location anymore. How many banks here in Singapore have to not only comply with the (local) monetary authority's regulations, but also have operations overseas that are subject to Basel II, SOX in the United States, and probably the European Union Privacy Directive requirements if they operate in Europe. How many different regimes are they subjected to?

The issue is so bad in Britain that you are seeing companies publicly disparage government authorities on this. They are literally saying, enough, and not only enough, get rid of some of these. You're killing business.

So making sure that Enron, WorldCom, and all of these others don't happen again is a very good thing. But there's a better way to do that.

For example, you can think about HIPAA (Health Insurance Portability and Accountability Act) in the United States and along with whatever other countries have for their respective healthcare industries. Maybe that should become the responsibility of the World Health Organization. So that's something that can happen in our industry where all the countries accept the international accounting standards, and we can drive it through that.

You're never going to get a single framework internationally for all companies because that doesn't meet the granularity that's necessary to ensure you don't have problems. But for certain industry sectors, why do you have multiple requirements and multiple regulatory regimes? Why can't we have international standards?

Speaking of compliance and security policies, are there any policies in Symantec that might be different from other non-security firms? Anything that's unique to your firm simply because of who you are?
No, as far as scope-wise, I'm sure we're very similar to other companies. As far as granularity, we're probably far tighter than other companies because security is our business. The possibility of an incident for us is far more serious than it may be for other companies. A security breach for someone in the retail industry probably doesn't have the same significance as it would for Symantec, and the damage to our brand, and the damage that it would do to our customers who are willing to trust us.

Does that mean you don't sleep at night?
No, I do sleep at night. It just means I have a lot to think about, before I go to sleep!

Does automation help lessen the worry?
Absolutely. Wherever possible, we do want to automate and we do automate. The issue becomes about how you coordinate all that automation, especially with regard to reporting and the correlation of events. But if you have an opportunity, you always want to automate for a couple of reasons.

People like to take days off like weekends and nights. Or they get sick occasionally or they go on vacations sometimes. That's good but when you are trying to ensure consistency, you still need to be able to run (the network securely) regardless. And let's not kid ourselves…when do you think the most electronic break-ins occur at companies? Nights and weekends, of course.

Automation is a good thing not only because of the timing, but also to ensure you're consistent in your testing and checks. Does my Stockholm office have the same configurations as what we've set here in Singapore? Do people at the two sites understand English to the same degree that they actually understand (how to carry out) the same configurations and settings? And when I say to run at midnight GMT, what does that mean to everybody? Who did I drag in at 3 o'clock in the morning versus someone else's office hours? So there are a number of reasons why you want to automate. It's more efficient, it's more consistent and therefore the integrity of the testing is far higher.

Are there areas that you just don't feel comfortable automating?
Two common areas usually come up. One of which is automating the patching of servers. The technical capability exists. The issue is with servers, particularly those running mission-critical applications, can you trust that you will be able to patch without actually breaking your application? And for most companies, unfortunately, the answer to that is still no. In fact, it will probably be no for a while. So it's still a case of manually testing the patch first and then rolling it out.

Another area where there's still a reluctance to automate is with regard to response. My firewall and IDS (intrusion detection system) have detected an attack. Do I trust the fact that it has properly classified or categorized that attack, and it is not instead turning off legitimate traffic? Was it a false positive? Everyone talks about false negatives but people don't generally pay attention to false positives, with one exception to that and that's spam. False positives become quite an issue, too, for people. They can take legitimate traffic and misclassify that as an attack.

One of the problems with security policies is that they can be tough to enforce. How do you then implement a system which is enforcement-free, so to speak? For example, tools that scan devices for the latest patches before giving them access to the network. Can they help do that?
Nobody's there yet. If you're leading to an analogy that Cisco Systems has with NAC (Network Admission Control) or Microsoft with Quarantine, these are on the right track. We're a participant in Cisco's NAC. We share that goal and are working with Cisco and other vendors to help make that a reality.

What tools like that will do initially is provide a big improvement over what we have today. But to be honest, from my perspective, it's still limited. Ideally, we would go much further than that. First of all, you need to have a way to detect all types of devices across the network. Due to basic infrastructure reasons, that's not always possible today. If you can do that, if you can detect all devices that are connecting, you then have to do two other things.

Number one, to have universal authentication and authorization. Most businesses today don't even know who's on their network, and can't tell you with any certainty. Let alone can they determine if that user should be on that system. That's very tough to do itself. Second, you have to determine the state of the device. Those are tall orders. And remember, we're not just talking about desktops and laptops. These days, we're talking about PDAs and cell phones. Next year, we'll probably be talking about my watch authenticating into the network. The form factor will change. And these are running on how many operating systems, connecting over how many different media?

Zero-day attacks seem to be getting nearer to becoming a reality. How should we address this?
Oh, that's very real. And it's not just the fact that an attack is out and there isn't a patch for it. It's the fact that the exploit already exists and nobody knows the vulnerability was there. If you look at the threat lifecycle here, there are two time lags. First, the time between when a vulnerability is discovered and when a patch is made available. Second, the time between when the vulnerability is discovered, which may not be the same as the time it's announced publicly, and when the exploit is available. And this is the one that is shrinking. A zero-day exploit is one where the exploit arrives before the vulnerability is even announced.

It used to be that the patch beat the exploit. The time difference between the two has shrunk substantially. And now in many cases, you're lucky if the patch actually beats the exploit, let alone the time it takes to apply the patch which, in an enterprise, can be considerable.

Personally, what are you most worried about? Not knowing what all the vulnerabilities are or not being able to come up with a patch before the exploit is available?
No, my worry is actually something different. My worry is there'll be a sophisticated attack that combines different attack methods. Keep in mind that we, the security professionals, have for years preached defense in depth. And the whole idea of that is to buy time so that if something gets through one layer of defense, you're not completely wide open at that point. Something else will slow it or stop it to buy you time until you can maybe apply a patch, for instance.

But if you get a combination attack, a 1-2 punch, that effectively gets through your defense, then your enterprise just got KOed (knocked out). That's my worry. It takes some sophistication to do, some coordination to actually pull something like that off. But that's coming.

Take worms, for example, which are no longer being used simply as worms. They're now used to spread into SMTP engines, which are then used to send spam. Think about this for a moment. Worms being used to spread mail engines for spam purposes…it's kind of interesting, to be honest, too bad it's illegal. In a perverse way, it actually shows some kind of business sense from the hackers. If I'm a spammer, I no longer have to worry about opening a Hotmail account and trying to jam 10 million e-mail messages through that account before Microsoft shuts me down. Now, I can walk over to a hacker, get him to write a virus that compromises 15,000 systems worldwide and use each of these compromised systems to send 1,000 e-mail messages an hour a day. Not only that, because it's compromised and I now own it or rent it from the virus writer, I can use it again and again. That's a perfect example of increasing sophistication in attacks.

Are you worried because there isn't a solution to this yet, or that it might just get too good or sophisticated?
I'm worried because I don't know what I don't know. I'm also worried because, due to the chair that I sit in, we're quite the target. We get huge amounts of electronic trash thrown at us just because of who we are.

Just how much trash would that be exactly?
The last time I checked, we stopped counting at 2,001 (attacks a day). Today, not all of those are highly sophisticated. A lot of those, quite honestly, are pretty unsophisticated, probably from some so-called script kiddies firing off a script at us. But it's enough for the logs and sensors to record it, and enough for there to be an alert on it. It's not so much that I'm going to act on, but it's more than just an event.

But some of them, we looked at and thought: 'Wow, that's interesting. This guy got pretty close. Think about what would have happened if this was changed to that…that probably would have worked.' That gets scary.

And sometimes you don't see it again because they don't realize how close they are. Other times, it shows up again. We can see this happening and it's not just us, various other sensing networks out there also see that. Virus writers will try a version of a virus and put it out there. At first try, it might not go anywhere nor spread very rapidly. Three weeks later, it's back as a new and improved version and one that spreads. They've corrected a problem, and they're getting better. That's not an unusual scenario at all.

What do you have in mind that could possibly fend these so-called combination attacks? Is awareness the best defense?
Awareness is one, but defense in depth is what you have to do.

So really, how do you sleep at night?
Well, there's only so much you can do!

Will you hire ["black"] hackers to join your team? You know, so you can get them off the streets?
No, absolutely not, absolutely not. Wouldn't even touch them with a 10-foot pole!

You don't think you can change them?
No, not even going there. Couldn't care less. Just get out of here. Not even the smart ones…not even going to talk to them. That's not the type of people we want. And this idea that they've reformed themselves, I don't buy it, not in the least.

Hackers will be hackers?
Yes, I think so, yes. There's not a whole lot of good talent out there, but honestly, I find no reason to hire those people. There's talent if you look for it even though it may be expensive sometimes because, to be honest, there's not enough to go around.