Security: It's all in the software

Security-industry veteran and venture capitalist Ted Schlein says chief security officers' time should be spent on engineering, not network security
Written by Cath Everett, Contributor

Ted Schlein, a partner at venture capitalist firm Kleiner Perkins Caufield & Byers, has been in the information-security business for more than 20 years. He started his career in the sector in 1986 as a marketing manager at Symantec, after graduating from the University of Pennsylvania.

During the course of his studies, he found time to set up two companies, one of which — Reality Technologies — he sold to gaming giant Electronic Arts. Schlein continued in the same vein at Symantec by developing Norton Utilities for the Apple Mac.

As a result, he was promoted to head up the vendor's utilities division, where he built Symantec's AntiVirus program for the Mac, an application that helped create the market for anti-malware software. In October 1996, Schlein was headhunted by Kleiner Perkins Caufield & Byers to run its Java Fund and has since invested in such success stories as Google.

ZDNet.co.uk recently caught up with Schlein to get his thoughts on why current approaches to IT security aren't working and what the solutions might be. 

Given your experience in antivirus product development on the Mac, it would be good to kick off with the perennial question of whether, in your opinion, Apple products are inherently more secure than Microsoft's?
I don't think the Mac is inherently more secure than PCs, as they get hacked too, but usually in a different setting — at home or in small offices — and you do not read about this. Most major corporations have PCs deployed, so these tend to be the target of more attacks, since this is how the large corporations are run.

Where do you think the information security industry is at today?
I think that we've failed as an industry to protect users' information and data. And the reason that I say we've failed is because the number of exploits and breaches and the amount of dollars lost goes up a lot year-on-year, despite the fact that billions of dollars are spent trying to protect corporate networks and data. That's the industry's report card.

As a result, even though I designed and shipped commercial antivirus software when I was at Symantec, my investment philosophy shifted about five years ago. The way that we've approached technology doesn't scale, because systems can't be islands unto themselves. We can't say that everything inside the firewall is good and everything outside is bad, which was built into the security philosophy from the start. The idea was to identify what's bad and keep it off machines, using things like firewalls and intrusion-detection and prevention systems.

The problem now is that the enemy we're fighting has gotten smarter and is using more sophisticated weapons, so the stakes have gotten much higher. In the past, it was about the casual hacker but there's much more money in it now and it's become big business. However, we, as an industry, are fighting the situation in the same way, so there's a fundamental disjoint.

I think the biggest issue is that we need to change who is providing the defences and how we provide the defences. In the past, the "who" part was the network operations guys, and they basically put in a box to stop malicious data packets.

So what is the solution to the problem, in your opinion?
In future, software engineers have to be responsible for security. Engineering principles have to be built into security and applied by the people creating the software. It's about software flaws, not bugs, and hackers take advantage of the fact that the software being written is insecure.

So the idea is that, if we're able to detect when the software has vulnerabilities or flaws in it and remove them from the code, they become impenetrable to attack. It's the same thing as inventing a vaccination, such as polio, and giving it to people when they're born. So solutions have to be developed. It's a very hard problem though because systems are made up of multiple applications and flaws have to be traced through the code all at once.

But, about five years ago, I asked myself whether this problem was solvable with technology and whether it was possible to automate the process to make it scaleable. And that's when I found Fortify. It's their mission, and they believe that security has to be done from the inside out, not the inside in. If we're able to get this done, the idea is that, eventually, we won't need firewalls, intrusion-detection systems and so on, as they won't have a role and hackers will be unemployed.

What are the key inhibitors to adopting this approach in your view?
Inertia. Marketplaces are resistant to change and people don't like hearing that engineering should be responsible for…

…security and that chief security officers' time should be spent on engineering, not network security.

Typically, most big organisations have security auditors that ensure software has had a minimum amount of testing before it's deployed. So, if we could get them on board to ensure that testing took place from the outset, it would happen. But, at the end of the day, this has to be driven from the top down. The people at the top have to realise that this is an important thing to do and look at how they're going to start protecting themselves better.

Until information-security considerations are built into software from the ground up, what else can organisations do to safeguard their systems and data more effectively?
The second thing that's very important is, in the past, we focused on looking for code that was bad. But the problem with that approach is that you only know if something is bad after it's been bad. So dealing with zero-day attacks can't happen with this methodology because they haven't already been proven to be bad.

So I say we should invert the problem. We know what's good, so [we should] only allow code to run that's good. If we only allow good things to run, bad things can't execute and can't do bad things. If we're able to do that, we won't even care whether a Trojan or worm is flying around because they can't do anything.

So the key to it is: can you validate what's good and enforce that so only those things can execute and run? And that's why I invested in a company called Bit9. It has a database of hash files, which are essentially fingerprints of files that can verify which code is legal or not.

It has over six billion files registered in its global software registry and there are about 20 million applications that are allowed to execute. This encompasses nearly everything that you'd ever run, but the software checks the code is legitimate and locks down client machines. When anyone develops any software, they generate a hash file so Bit9 validates if something is legal. The company is just getting started and has about 40 to 50 customers, but only allowing what is good is brand new and it's threatening to the establishment.

What new threats do you expect to appear over the next few years?
One of my big worries is consumer confidence. Whenever people hear about data being lost or that something bad has happened with a company they trusted at one point, it shakes their confidence and that's a major inhibitor to adoption of the internet.

It's a macro trend and that means we have to do things to ensure that consumers are confident. As a result, I've invested in another company, LifeLock, which is all about identity-theft protection. It allows you to put fraud alerts at credit bureaux so, if someone steals your identity and tries to use it, they'll be prevented from doing so, which means that they can't do anything bad with it. It's a great service, which gives consumers peace of mind, and that's very important.

Editorial standards