Carbon Black, a privately held firm, is a leading provider of security software covering 'next-generation' antivirus and endpoint protection, incident response and application control for servers and other critical systems. ZDNet recently sat down with CEO Patrick Morley to learn more about the company, and hear his views on the current state of cybersecurity.
We began by asking Morley for a high-level view of Carbon Black's origins and ethos.
"Carbon Black is based in Boston and has about 3,300 customers worldwide today -- companies in every sector that's targeted, including financial services, manufacturing, oil and gas, tech and so on. We've got about 800 employees. The company was founded [in 2002] by two gentlemen that were trained by the government to be 'offensive hackers' -- basically, trained as hackers, but to do better things on behalf of the government. What they recognised when they came out into the private sector was how vulnerable companies were, and how ill-prepared companies were to be able to find them."
"If you think about the state of security over the last 30 years, really there's been two primary methods of trying to stop the bad guys: firewalls and network security of some type, and then antivirus. What Carbon Black's founders recognised is that, since the data -- be it credentials, intellectual property, healthcare records etcetera -- is all on the device, then device security is really, really important."
"What Carbon Black offers is a platform that allows you to better protect your endpoints -- desktops, laptops, servers, IoT-type devices -- from the adversary. In today's world, with increasingly remote workers, with the fact that we're all leveraging services that are outside the network -- sitting in the cloud -- and the fact that we're all using multiple devices to connect to those services, the device is becoming more and more its own perimeter, where it has to be capable of protecting itself."
Does Carbon Black's current product portfolio cover all the required cybersecurity bases?
"The primary focus of our portfolio has been on allowing you to cover the complete lifecycle of security: it starts with doing everything you can to stop the bad guys -- but in today's world you assume they may get a foothold, so you have to be able to detect the bad guys, respond really quickly, and then remediate. And then the cycle starts again. In the old days, our general view was: 'If we build a wall as high as we can, the bad guys won't get in'. But what we've recognised is that, given enough time, energy and dollars, the bad guys will always get in. So in that model, instead of being reactive you have to be proactive: you're always watching, you're always vigilant, doing everything you can to stop the common malware, and also the more advanced stuff, but you're also prepared for the day they get in."
"The basic premise of the company, across all of the products we offer [Cb Defense, Cb Response and Cb Protection], is that by collecting the right data, at the right time, we're able to see behaviours and patterns that tell us the bad guys, the adversaries, are actually in. We can detect it, we can stop it and we can help you remediate it."
"Common malware still drops a file on your machine, but increasingly the attacks we see that are able to exfiltrate data are leveraging more 'living off the land' attacks -- using utilities that ship with the OS. With PowerShell on Windows, for example, they're not putting any new file down -- basically, antivirus is blind to the attack. So they're using utilities that ship with Windows -- or with macOS or Linux -- to do the whole operation."
You mentioned 3,000-plus customers: what's the mix between enterprises and SMEs?
"We sell to both, and a lot of it has to do with where they are in their security-maturity curve. We certainly sell to the largest companies in the world -- we have 30 of the Fortune 100 today, but we also go all the way down to companies with a couple of hundred employees."
How does Carbon Black's approach compare to that of other next-generation players? Is Streaming Prevention your main USP?
"Our number-one focus with Streaming Prevention is, 'when good software does bad things'. Fundamentally, when you look at the other providers in the marketplace, there's a perspective that 'I can detect everything in advance'. Streaming Prevention allows us, in real time, to watch behaviours and then leverage the exact same technology that has totally changed the way stocks get traded: with high-speed trading, I'm collecting a lot of data in real time, and then I'm making decisions -- 'do I want to buy or trade this stock?' -- and instead of tracking five attributes, I might track a hundred or a thousand different pieces of information. That technology, of collecting lots of data, in real time, streaming it all and making decisions very quickly, is a fundamental differentiator for Carbon Black -- the ability to make those decisions in real time, and see when good software is doing bad things."
How does that work with the agent software on endpoints, and what happens when endpoints are offline?
"Most of the computational power is on the back end, in the cloud -- that's where the analytics engine sits. We collect a lot of data, roll that data up and do analysis in the cloud. At the same time, we push down sets of patterns onto the agent, so the agent's also doing a first view -- and if it's a common sequence, an advanced attack we've seen before, we can stop it. The agent has a set of rules, but the more advanced analysis is happening in the cloud, and that allows us to stop things that other vendors can't. Also, the data that we collect allows us to do things that, we would argue, our competitors cannot, because we collect more data than any of them."
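The contrast drawn in the last few answers, between a file-signature check and watching behaviour sequences in a stream of endpoint events, is illustrated by the following added Python sketch. It is not Carbon Black's code; the event schema, the rule names, the hash list and the sample telemetry are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    kind: str            # "process" (a spawn) or "netconn" (outbound connection)
    pid: int
    image: str           # image name of the process the event belongs to
    parent: str = ""     # parent image name, only meaningful for "process"
    file_hash: str = ""  # set only when the spawn wrote a new file to disk


# Constructed signature list standing in for a classic AV hash database.
BAD_HASHES = {"constructed-bad-hash-0001"}


def file_signature_hits(events):
    """What file-based AV can see: only spawns that dropped a known-bad file."""
    return [e for e in events if e.file_hash and e.file_hash in BAD_HASHES]


# OS-shipped script hosts and the document apps that rarely launch them.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}


def behavioural_hits(events):
    """Single pass over the stream, keeping per-host state so that a suspicious
    spawn and a later network connection by the same pid are linked into one
    sequence instead of two isolated facts."""
    flagged = defaultdict(set)  # host -> pids flagged at spawn time
    hits = []
    for e in events:
        image = e.image.lower()
        if (e.kind == "process" and image in SCRIPT_HOSTS
                and e.parent.lower() in OFFICE_APPS):
            flagged[e.host].add(e.pid)
            hits.append((e.host, e.pid, "office_app_spawned_script_host"))
        elif e.kind == "netconn" and e.pid in flagged[e.host]:
            hits.append((e.host, e.pid, "script_host_netconn_after_suspicious_spawn"))
    return hits


# Constructed telemetry: ws1 shows a no-file 'living off the land' chain,
# ws2 shows a classic dropped executable with a known signature.
SAMPLE_EVENTS = [
    Event("ws1", "process", 410, "winword.exe", parent="explorer.exe"),
    Event("ws1", "process", 522, "powershell.exe", parent="winword.exe"),
    Event("ws1", "netconn", 522, "powershell.exe"),
    Event("ws2", "process", 77, "setup.exe", parent="explorer.exe",
          file_hash="constructed-bad-hash-0001"),
]

if __name__ == "__main__":
    print("file-signature hits:", [(e.host, e.image) for e in file_signature_hits(SAMPLE_EVENTS)])
    print("behavioural hits:", behavioural_hits(SAMPLE_EVENTS))
```

Run as-is, the file-signature check reports only the dropped file on ws2 and nothing on ws1, while the behavioural pass reports the two-step chain on ws1, which is the blind spot the interview describes.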
Are you confident that Carbon Black offers data protection at all stages -- on endpoints, in transit, in the data centre?
"You can certainly go after data in transit, but the most common thing with attackers -- whether they're organised crime, a nation state or anything else -- is, they're looking for the data at rest. Once they're resident [in the network] they essentially do exploration to map the organisation, figure out where the data resides, look at their shopping list, and go after the data where it sits. We sit on desktops and laptops, and in the data centre, so we're protecting the data where it is. We also sit on many other non-traditional devices, whether that's medical equipment, devices that control power plants, manufacturing plants or oil rigs etcetera. Cb Protection is used extensively on non-traditional devices, from drones to gas pumps."
IoT security is clearly the next big battleground -- how is that likely to play out?
"First off, IoT is quite fragmented right now, and what we're protecting today is what I would consider to be the early stuff. IoT is going to get protected in two ways: at the device level, where you have an agent running; or, for lightweight devices that can't even run an agent or get patched, you're going to see those protected on the back end. Depending on where they sit in the value chain, some devices will be protected on the endpoint, and some will be protected at the control point on the back end."
You mentioned patching, but even when patches are available, they're not always applied -- as we saw with the WannaCry attack...
"At the highest level, Carbon Black stops WannaCry -- our customer community was protected. But the market today is dominated by antivirus, and antivirus is 30 years old, and was not effective against WannaCry. You combine that with human behaviour -- the number-one thing that WannaCry played off of is the knowledge that organisations are behind on their patching -- and you get WannaCry. If you patched and still used AV, you'd be protected. If you used Carbon Black, you'd be protected even if you didn't patch."
What about devices like MRI scanners running embedded operating systems? They're often overlooked in patching regimes...
"If you look at most of the manufacturers who are embedding Windows on their solutions -- whether that's SCADA devices, control systems, medical equipment, any of these non-traditional devices -- what they say is, if you touch it, you void the warranty. So if I buy an MRI machine, for example, I know it's not patched -- but it's connected to the network, so I know I'm vulnerable. But if I try and patch it, I void the warranty. So either I go against the manufacturer and patch it, or if I'm not patching it I'm going to use something like Carbon Black, because I'm so fearful of the fact that I'm vulnerable."
Another problem with industrial and medical networks is air-gapping between production and other systems...
"We see this consistently within manufacturing plants, where they're leveraging Windows or Linux -- there's not much, if any Mac -- for the control systems. You try and air-gap everything, but there are two primary issues. One is, you walk into the manufacturing plant floor one day and your mobile device is low on juice, so you plug it in -- we saw a plant go down like this: someone plugged in their device, it had malware on it...took the plant down. The other reason is, I buy the new super-cool device and, for one reason or another, I've got to blow a hole through the firewall because I have to access a particular device in real time -- that one IP connection now, in essence, pollutes my whole manufacturing floor. So there's two issues going on right now: the way we work as humans, bringing things into the environment; and the fact that you've got new devices coming online that can't be air-gapped that well."
Does that mean we'll see damaging IoT attacks for a while yet?
"What it should say to all of us is that we're still early in this new world order: everything is hyper-connected, and security as an issue is only going to get larger throughout our generation, and our kids' generation. It's a game-changer for governments, for companies, for consumers."
Generally, the bad guys seem to be getting better and better organised: are the good guys likely to get on top of this any time soon?
"A week before WannaCry I was interviewed by a local publication in Boston, and they asked: 'Where do you think we are with ransomware?' I said 'We are so early in ransomware, and the reason is so simple: two years ago ransomware was a 50 million dollar problem...last year it was a billion-dollar problem.' If you look at the money to be made in ransomware, it's only going in one direction, and that's up -- because it's an easy way to make money. Also, from a legislation and law enforcement standpoint, we are so woefully behind in the way we work together as countries. You end up with a situation where there are lots of gaps for the adversaries to leverage, and so they can drive these attacks without a lot of fear they're going to get nailed."
"Actually, the ability of law enforcement organisations in Western Europe, the US and certain Asian countries to figure out who did it is much better today than it was even a few years ago. And yet, our ability to go after them and bring them to justice -- it takes years."
Vendors like Carbon Black obviously have competitive positions to defend, but is the security industry good enough at sharing threat intelligence?
"I think we're getting much better, but we're still behind -- one of the reasons being that, traditionally, security companies felt they could do it all. We've been huge advocates of sharing intel, and all of our products are built on open, RESTful APIs, with the idea that we can integrate with any other product in the stack -- that includes both sharing our data and integrating the product. One vendor cannot do it all: if you talk to a typical CIO or CISO, they'll tell you they have anything from 30 to 70 security products, so we have to work together. We are behind where the adversary is -- and that's at a company level. If you look at it on a national level, you've got some of the same issues: intelligence sharing is something we're still trying to figure out how to do effectively."
You mentioned the multiplicity of security products on the market: is there a shakeout on the way, and how does Carbon Black see its future?
"I think cybersecurity is one of the most important tech sectors in the world today, and that's why we've seen the dramatic growth it's going through. Last year, venture capital firms invested over three billion dollars in cyber; the year before that it was about the same number. Billions and billions have been put into funding cybersecurity companies -- too much money, and they're not all going to make it. We're in a fragmented market where there are going to be a few big winners -- and Carbon Black, which has made four acquisitions in the last few years, is one of those winners. If you look at the tech IPO market over the last few months, it's actually been very strong: an IPO is a capital-raising event, and also a great branding event -- it's a natural path for growing a company, but we haven't publicly announced any plans in that area."
CEOs have lost their jobs following cyberattacks, and there's plenty of survey information on the cost of data breaches. Do you think there's now adequate awareness of cybersecurity in the C-suite?
"There is a way to go yet, absolutely. We're on a curve: ten years ago there were very few CISOs or CSOs -- today that's a very common role. Ten years ago the expenditure for IT security as a percentage of the overall IT budget was much smaller. Today, boards and CEOs are much more aware, and are talking to their CISOs much more regularly -- but there's still a way to go."
Everyone talks about artificial intelligence and machine learning these days: what's your view on its importance in cybersecurity?
"We use machine learning -- think about the way we work: we collect all this data, we roll that data back up and do a set of analytics in the cloud...we use machine learning aggressively in there, on our cloud services. Machine learning and AI, those are tools that you use, that can be applied in very different ways, and they absolutely have a place -- it's just not the be-all and end-all."
Of course, the bad guys can use readily available AI and ML tools too: are we getting into a new arms race in this area?
"That's one of the reasons cyber is so interesting. Unlike other sectors, where I'm up against a set of competitors in order to generate customer value, in cyber I have two constituents: I compete with my competitors, and I compete with the adversary -- and that drives an arms race very, very fast. If you look at nation states and organised crime, they are doing some of the most advanced stuff in order to make money. WannaCry was not technically advanced, but for certain targets, adversaries are going to be willing to do much more advanced things. You can see that in the whole business around leveraging bitcoin, with exploitation kits -- it's a business, building a whole supply chain, all automated. That's what you would do in a regular company."
What's your mental picture of the 'threat matrix' of bad actors versus industry sectors for the next year or so?
"If you look over the last four years, every year you've had different major sectors targeted -- financial services, retail, health...last year we saw a lot of government, and this year too. I can't predict which sectors will get hit next, but given what we've seen with ransomware etcetera, I think that broad-based attacks that impact consumers all the way through to large organisations is a trend that's not going away anytime soon. That's because organised crime can make a lot of money with these ransomware attacks."
"Behind the scenes, there are still a lot of nation-state attacks going on out there, and another trend you're going to see is new types of attacks driven by nation states or politically motivated groups. The same way you see terrorism in the physical world, it's a tool that can be used in the virtual world, as effectively, for not a lot of money. You're going to see some of these fringe groups becoming active, leveraging cyber as a way to do harm to other countries -- as a small entity you can do harm to someone bigger, same as in the physical world. We've not really seen that yet; that's going to come."
Recent events have prompted the inevitable calls from politicians for more internet regulation and encryption backdoors. As a security software vendor, how do you view these developments?
"I think it's a real challenge. We're still figuring out what laws work in the physical world, never mind the virtual world, so we're very immature right now in the way that we regulate the internet. I don't think we have it right yet: if you look at the Patriot Act, or the UK's 'Snoopers' Charter' [the Investigatory Powers Act 2016], you really have to debate what the rights of the individual are versus the rights of the government. Then if you look at what happened just recently [the London Bridge terror attack], we as the population say 'wait a minute, why can't we figure this thing out?'"
"In the end, the officials we elect, and the way we try to influence them, will have an impact on the way these laws get done. I don't think we have it right yet -- putting in backdoors, I don't think that's a good solution. There's more work to be done, and my hope would be that a lot of smart work is done between government and private companies, because I think private companies can help out on this too."