The SC interview online: Patrick Peterson
In an online exclusive, SC Editor Paul Fisher questions IronPort's VP of Technology, Patrick Peterson. Read his unique take on the emerging security challenges of cloud computing and Web 2.0, the difficulty of educating IronPort's customer base and how the war on cyber crime could be lost if we don't change mindset.
SC Magazine: Tell me about your job at IronPort.
I have the best job in the world. I go out and talk to the biggest banks and ISPs and to the security and research conferences to find out what’s going on in the business and on the security side.
I find out how much the people at IronPort and Cisco know about current threats and cybercriminal activity and we figure out ways to stop it. And then I go back out and share with the world our vision and where we’re going.
It’s a lot of fun and, in particular for a phenomenally paranoid person like me, it’s a great job; but it’s also a terrible job because there’s an infinite amount of opportunities and things for us to do.
So it’s kind of a sales job but with a bit more of a research side to it?
It’s much more a kind of CTO role. I don’t set the product roadmap, I don’t manage people who write code, but I figure out what’s going on in the industry and devise the technical ways to keep up with the industry.
I’ve spent a lot more time recently trying to influence engineering from a knowledge and awareness point of view. The company has grown and suddenly the engineers, who before knew what our customers were doing with the product, are three steps removed. We have something called the Sunshine Program, which is designed to get customers and industry luminaries to talk to the engineers about any security concerns they might have.
Those are the kinds of things that I focus on.
Every time you go out and do this, are you surprised how things are changing? What kind of feedback do you bring back here?
Very much so. I think there’s a strange bifurcated situation in the market right now. Sometimes I am shocked at the sophisticated security threats and some companies’ knowledge, awareness and responsiveness to them.
It’s very strange in the market. There are maybe only five or six percent of companies that have really understood how the security game has changed and they are scrambling, not just with the vendors, but also with their own business processes, data leakage issues and the realisation that there is no perimeter.
The vendor hype is something that we come up against quite a lot. Because, at the end of the day one wants to sell something, but it’s always difficult to get a clear answer on what the real threat is, what kind of threats are happening, where they’re coming from – what’s your take?
You are absolutely right. The majority of the security industry does respond based on what has happened recently. I am sure right now that people at TJX are working on a great data leakage solution but maybe before that I don’t think they were.
The number one concern I have is the web. The browser is not yet able to discern between the good and the bad. The criminals have been extremely innovative [on the web] and they are far ahead of most security solutions on the market.
Part of what’s holding us back is people believing that because they have a firewall and anti-virus they do not need to worry about this.
The simple answer is many of the threats today go through port 80 or port 443; your firewall is setting up a connection, it’s getting the content, and doing its job. The desktop anti-virus does a good job of stopping what it knows but the bad guys generate stuff it doesn’t know far faster than the AV guys can do anything about it.
Do you think that the next generation web technologies are making things even worse?
IBM is going to develop its own in-the-cloud application, called Blue Cloud. But that is moving so fast, security is already struggling and now everyone is saying ‘Great, I will have my applications on the web’. What’s your view on how we cope with this shift?
That is a massively difficult problem. People just keep on adding technology that runs on your browser, which has more and more privileged access – Ajax for example.
IronPort is doing some interesting, innovative things in the area but nobody has a solution. People may have different degrees of security, but I think we have to buckle down and basically figure out, for the next two or three years, how to make the internet as secure as it should be.
Most enterprises today don’t use MySpace or Facebook – that’s changing. I’ve seen research stuff put on YouTube and professors using Facebook. Most enterprises are not ready for this change.
Another security analyst I spoke to said that blocking MySpace, Facebook, etc is not the answer. It doesn’t work for the business because people want to use these tools. So they need to work out ways of making them safe and acceptable to use.
Yes, and there used to be a time when companies blocked access to email and the web - that’s a stopgap and it’s going to be less and less viable.
Another thing that concerns me is recently we’ve seen really clever targeted attacks. There was one that came in where the attackers were going on company websites, finding out who the executives were and sending them emails that claimed to be for business purposes.
There have been research studies on this at a university in Indiana. A phishing attack on the students was created, with version A just a regular phishing attack. In version B the attacker actually looked up someone they knew on Facebook and claimed to be a friend of theirs. The response rates to version B were much bigger.
I’m worried that in some cases employees in security departments think they need to improve their firewalls or spam filtering, when really they should take a step back and understand that the enemy has changed.
The attacks are far more sophisticated and the challenge for us is how do we get that message out?
So can you do that as IronPort or as an industry, given this situation is arising and arising very quickly?
I think there are a couple of things. The first one is just awareness: concrete, rational examples without the vendor hype to try to make people aware.
The second one is a real focus on what we call the blended threat and web security. The bad guys are out there looking for vulnerable websites, compromising them.
I think the third thing is that we need long-term solutions to these problems that are much bigger than any vendor or technology. No matter what we do, if we build the best, most perfect widgets in the world, that doesn’t solve the problem because not everyone will buy them. We are never going to respond to every new threat in the universe in real time – so we need to have sustained ways of changing the balance of power.
Right now far too much power and control is in the criminal’s hands; we need to shift that balance, independent of any vendor’s technology.