Does the Hathaway Resignation Signal Movement Toward a Cyber Czar?

Yesterday I posted about the two-month anniversary of the May 29 announcement by the White House regarding the creation of the Cyber Czar position and the subsequent lack of progress in finding someone to fill that position.  The proverbial plot thickened that afternoon when it was announced that Melissa Hathaway, acting cyberspace director for the White House National Security and Homeland Security councils, had resigned from her post.

I do not know Ms. Hathaway nor do I claim to be close to the process of selecting the Cyber Czar, so at best what I can do is engage in a well-worn tradition here in the Washington D.C. area and speculate.  Numerous reports have said that Ms. Hathaway was interested in the role, as she was the lead in creating the Cyberspace Policy Review that defined this new position.  In my view, logic and reason would indicate that if she were going to be the Cyber Czar, they would have appointed her at the announcement in May rather than leave us with the uncomfortable and undefined gap we are living with today.  So while reports say she withdrew her name two weeks ago, I suspect that the realization that she was not the administration’s choice came much earlier.  Regardless, the work done on the review was broad and extensive, and she should be recognized for helping to move the dialogue about IT security forward.  I wish her the best in her new endeavors.

I am hopeful that Ms. Hathaway’s departure is an indication that the administration is close to having a name for the position and that her exit was designed to make the transition more seamless.  I do not question her stated motives, but having her voluntarily leave prior to the announcement of the cyber czar makes for a much cleaner transition for the President and eliminates the need to orchestrate what could have been an awkward departure.  If the administration is not close to having a candidate, then her resignation will likely force the administration to accelerate the process, as her departure eliminates the safety net that existed with her in the role, albeit as a lame duck.  Or we are faced with a third scenario: that the administration is really not that committed to cyber security and that all of this has been fanfare and flag waving with no real sense of urgency.  I sincerely hope that this is not the case, but the administration can only blame itself for creating lingering doubts with the two months of post-May 29 silence.

The next several days should be telling.  If the administration indeed has their person for the job, then I suspect they will give the Hathaway resignation a couple of days to recede from the public consciousness and then make the announcement.  Or we will go back to the awkward silence that, in my opinion, shouts volumes.  Let us hope this marks the way forward.

It is August, and the White House has Thrown Out More First Pitches Than Cyber Czar Nominees

Here we are at the last Friday of the month, marking the two-month anniversary of the announcement by the White House of the creation of a Cyber Czar to help centralize the cyber security activities of the federal government and build bridges to the private sector.  And in those two months the President has thrown out more first pitches at baseball games than names for the position.

As a CEO, I am expected to be right more times than I am wrong, but this is one case where I had hoped not to be right.  When you balance the lack of forward movement with stories such as the one by Brian Krebs of the Washington Post on how much sensitive data has been leaked because of peer-to-peer applications, the outlook is not good.  We were already in a game of catch up, and valuable time has been lost while the gap grows larger.

In this case, actions do speak louder than words, and every day that passes with no announcement makes the proclamations of May 29 seem increasingly empty.  After two months it is fair to ask the administration about the next steps and when we will see them.  If no one is interested in the post, then the administration must see that as a clear indicator that the post has not been properly defined and empowered, and make the changes necessary to move forward.  The alternative is to find someone game enough to take the job as currently defined, only to face a difficult climb to success.

I applaud your stated objective to make cyber security a priority, Mr. President.  But after two months, we need to hear something instead of silence so we know that the initiative is moving forward.

Triumfant Elevated to McAfee’s Sales Teaming Program

Last week, McAfee announced that Triumfant had been elevated to McAfee’s invitation-only Sales Teaming Program tier in the Security Innovation Alliance (SIA).   In the words of McAfee, partners participating in the Sales Teaming Program “complement the McAfee product portfolio, and enable the McAfee sales force and channel to drive more complete security solution relationships with enterprise customers.” You can view the entire McAfee press release here.

We at Triumfant are excited about our growing relationship with McAfee and are very pleased with how their partner team has been open minded about learning what our offering can do and how it can be of benefit to McAfee’s customers.  We have spoken to all of the major AV vendors in the past six months and we have found McAfee to be the most progressive in this regard, which I believe speaks volumes about their commitment to their customers and their broader security requirements.

When we present Triumfant Resolution Manager to prospective customers, writers and analysts, we are often asked if we see our product as a replacement to traditional signature based protection.  Our answer has always been an emphatic “no” as we believe that such technology has a vital and necessary place in endpoint protection, and that Triumfant is a logical and synergistic complement to antivirus software.  To their credit, McAfee took the time to understand our position and had the vision to view Triumfant as accretive to their portfolio rather than as competitive. 

We look forward to working with McAfee more closely over the next several months as we continue to deepen our integration with both the McAfee sales team and at the product level with ePolicy Orchestrator.  McAfee’s renewed vision for endpoint security is helping them gain tremendous momentum in the market, and it is our privilege to experience some of their enthusiasm and energy as a partner.

The White House Cyber Security Initiative: One Month Gone, No Cyber Czar, No Progress

On May 29, President Obama stepped to the microphone and assured all of us that cyber security would be a top priority for his administration. He cited the need to protect the country against the direct attacks on our infrastructure by other countries. He spoke of a “cyber czar” that would help centralize the cyber security activities of the federal government and build bridges to the private sector. And the White House delivered the Cyberspace Policy Review.

The White House has followed up this grand show with…absolutely nothing. Zip. Zilch.

While many in the IT Security industry applauded the event and used all of the hyperbolic adjectives to praise the announcement, I could not help but be concerned. And so far the follow-up and execution has done nothing to take away my fears. One of my specific concerns was why the announcement was made without the cyber czar in place. It is now July and the Obama administration has not yet identified the person to lead this effort. Most concerning is that names for frontrunners have been scarce in a town where speculating on who-will-get-what-post is a full-time hobby. I simply cannot believe that no one is qualified, so my logical conclusion is that those being considered are being scared away by a role that either lacks real power or is too poorly defined (or both). If I am correct, then landing an effective leader will be problematic and the initiative will have little hope of success, as the role absolutely requires someone who can facilitate effective first steps and overcome the obstacles of the politics at hand.

I normally like to be right, but in this case I would have welcomed the opportunity to have been proven wrong. But unless we can roll up the Cyberspace Policy Review and use it to beat away malicious attacks, the cyber initiative is off to a less than promising start. We are stuck at the starting line without a leader, and from all appearances without even the most modest of next steps on the horizon.

I think it is time for the IT Security community to cease the platitudes to the Obama Administration and instead call for immediate progress. We are already behind, and we will never catch up if we cannot make even the first constructive steps forward.

Detecting the Work of the Maliciously Intended Insider

The recent arrest of a retired State Department worker and his wife accused of spying for Cuba for 30 years brings into focus one of the other great capabilities of Triumfant’s technology.  Because Triumfant can see all of the changes on an endpoint machine as well as the work done to cover up those changes, Triumfant Resolution Manager is uniquely capable of detecting the work of the maliciously intended insider. 

In this case, as in others such as Robert Hanssen’s, the methods for transferring information were very “old school” and did not represent a deep grasp of technology.  Walter Kendall Myers and his wife, Gwendolyn Steingraber Myers, often relayed information to their Cuban handlers by exchanging shopping carts at the grocery store, and Robert Hanssen was arrested after leaving a package under a wooden footbridge in a Northern Virginia park.  Such techniques do not lead one to believe either party was terribly computer savvy, but they raise the question of how much damage would have been done had they possessed cyber expertise.  They also, unfortunately, raise the question of what activity is being done by those who do have cyber expertise and is going undetected.

Maliciously intended insiders are a real threat to organizations because the majority of defensive software and endpoint protection is created to prevent intrusions from outside the organizational walls and based on previous knowledge of the attack.  But malicious insiders work from a position of trust and introduce the human factor that normally takes their work outside of the paths of known attacks.  They may directly pull information from confidential or sensitive sources and directly funnel that information out.  Or they may place maliciously intended programs on machines such as key loggers to collect information.  Or they may make subtle changes to machines to make them vulnerable to the eventual installation of malware.

The common factor in this activity is change.  The maliciously intended insider must make changes, even subtle ones, to an endpoint machine to perform their activity.  Triumfant can of course detect change, as well as detect the attempts to cover up the evidence of change.  The fact is, there is almost no way (not that anyone can tell us, anyway) of making changes to a machine without us being able to see those changes.  And because the work of the insider would change an endpoint machine into a state that would be anomalous in comparison to other machines, Triumfant would not only detect the change, but would flag it as a problem and then do the analysis to look for other changes that it could logically associate with the detected change to provide a complete picture of the activity. 
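The following is an added illustration of the fleet-relative change detection the paragraph describes, not Triumfant’s own code (the post does not show its internals): snapshot each endpoint, diff the snapshots, keep only the changes that few or no peer machines share, and report them together with a simple heuristic for attempts to hide them.  The host names, file paths, hashes and the cover-up heuristic are all constructed for the example.

```python
from collections import Counter

# Constructed fleet snapshots for illustration (not real hosts, files or hashes).
# A snapshot maps an attribute key to its observed value. Key formats used here:
#   "file:<path>:sha256"  -> content hash of a file
#   "file:<path>:size"    -> size of a file in bytes
#   "svc:<name>:start"    -> service start type
#   "audit:<category>"    -> audit policy setting
def make_fleet():
    before, after = {}, {}
    base = {
        "file:C:\\Windows\\System32\\ntdll.dll:sha256": "1111aaaa",
        "svc:Spooler:start": "auto",
        "audit:logon": "success,failure",
        "file:C:\\Windows\\System32\\winevt\\Logs\\Security.evtx:size": 52428800,
    }
    for i in range(1, 6):
        host = f"ws{i:02d}"
        before[host] = dict(base)
        after[host] = dict(base)
        # A fleet-wide patch changes ntdll.dll on every host: expected, not anomalous.
        after[host]["file:C:\\Windows\\System32\\ntdll.dll:sha256"] = "2222bbbb"
    # ws03 is the insider's workstation: a keystroke-capture driver and service
    # appear, logon auditing is switched off, and the Security log shrinks.
    after["ws03"]["file:C:\\Windows\\System32\\drivers\\kbdhook.sys:sha256"] = "deadbeef"
    after["ws03"]["svc:kbdhook:start"] = "auto"
    after["ws03"]["audit:logon"] = "none"
    after["ws03"]["file:C:\\Windows\\System32\\winevt\\Logs\\Security.evtx:size"] = 1048576
    return before, after


def diff_snapshot(before, after):
    """Return {key: (old, new)} for every attribute added, removed or modified."""
    return {
        key: (before.get(key), after.get(key))
        for key in set(before) | set(after)
        if before.get(key) != after.get(key)
    }


def fleet_rare_changes(fleet_before, fleet_after, max_share=0.2):
    """Diff every host, then keep only changes seen on at most max_share of the fleet.

    The same (key, old, new) change on most hosts is a rollout; a change that
    appears on one host is a state no peer machine shares, which is what the
    text above calls anomalous.
    """
    per_host = {h: diff_snapshot(fleet_before[h], fleet_after[h]) for h in fleet_before}
    seen = Counter((key, delta) for ch in per_host.values() for key, delta in ch.items())
    n_hosts = len(per_host)
    rare = {}
    for host, changes in per_host.items():
        flagged = {k: v for k, v in changes.items() if seen[(k, v)] / n_hosts <= max_share}
        if flagged:
            rare[host] = flagged
    return rare


def cover_up_indicators(changes):
    """Heuristic chosen for this example (an assumption, not a product rule): an audit
    policy being loosened or an event log shrinking alongside other rare changes
    suggests an attempt to remove evidence of those changes."""
    hits = []
    for key, (old, new) in changes.items():
        if key.startswith("audit:") and new in ("none", ""):
            hits.append(key)
        elif key.endswith(".evtx:size") and old is not None and new is not None and new < old:
            hits.append(key)
    return sorted(hits)


def build_report(fleet_before, fleet_after):
    """Per-host report: all rare changes kept together so related changes on one
    machine are read as one event, plus the subset that looks like a cover-up."""
    report = {}
    for host, changes in fleet_rare_changes(fleet_before, fleet_after).items():
        report[host] = {"changes": changes, "cover_up": cover_up_indicators(changes)}
    return report


if __name__ == "__main__":
    for host, entry in build_report(*make_fleet()).items():
        print(f"{host}: {len(entry['changes'])} rare change(s); cover-up indicators: {entry['cover_up']}")
        for key, (old, new) in sorted(entry["changes"].items()):
            print(f"  {key}: {old!r} -> {new!r}")
```

Run as a script, only ws03 is reported, with four rare changes, two of which (the audit policy and the shrunken Security log) are flagged as cover-up indicators; the ntdll.dll patch is ignored because every host shares it.  The rarity threshold is the important knob: in a real fleet, changes shared by a department or a software baseline are also expected, so the comparison population should be peers with the same role rather than the whole enterprise.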

Only a tool with the depth and breadth of scan scope and the ability to quickly identify changes can perform these functions.  Which narrows the list of tools that fit that requirement to one: Triumfant.  We talk a lot about the ability of Triumfant to see the malicious attacks that other signature based tools miss, and we have also discussed the ability of Triumfant to protect the endpoint environment from acts of ignorance and incompetence by continuously enforcing security policies and configurations.  But the protection of your company or government agency from threats on the inside is also a critical functionality that Triumfant brings to the table.  I would also add that the President’s new cyber czar needs to ensure that this topic is front and center as he or she begins to address the issues in the White House Cyberspace Policy Review.

One CEO’s Not So Rosy Take on the Cyberspace Policy Review

The President’s Cyberspace Policy Review was issued on Friday, and I suppose I should get in the long line of CEOs from the IT security market and commend the study as “groundbreaking” or “impactful” or “a giant leap forward”.  I do believe the study was a first, albeit small, step in the right direction.  Defining the depth of the problem, calling for cooperation with the private sector, and creating a position responsible for the nation’s cyber security are all positive steps to be sure.  But after reading the report again I find myself very disappointed by what was released, as I saw very little in the report that showed tangible, immediate steps forward.

I therefore have to step out of that line and join the very small group that is not patting the government on the back for a job well done.  I have picked up on some indirect dissent in the market, with some writers hedging their praise with terms like “…so far…” until they see more meat on the bones.  John Pescatore, the respected Gartner analyst on IT security, notes in his blog post on the subject that the review “recommends response over prevention” and adds that it is “basically a strategy for investing in more forest fire lookout towers vs reducing the likelihood and impact of wildfires”.

As the CEO of a small IT Security company, perhaps my direct interaction with our customers and prospects provides me a better glimpse of what is going on in the real world, in a less sanitized and more firsthand way than most.  Specifically, I have seen the results of attempts to implement security policy in the federal space without well-defined enforcement.  In Triumfant’s role as a certified NIST SCAP vendor for FDCC Compliance, I have seen large agencies that not only do not adhere to FDCC Compliance mandates; they do not appear to have a plan in place to begin the process in the near term.  Numerous stories chronicle how agencies continue to miss the OMB deadlines, which I attribute to the fact that there is no enforcement or consequence of non-compliance.  I see organizations with liberal personal use policies that allow their employees to fill endpoint machines that handle sensitive data with games and music sharing applications that have known vulnerabilities.  Such vulnerabilities have already been traced as the source of the compromise of sensitive information about the President’s own helicopter and the nation’s most advanced strike fighter (which apparently has not yet been resolved).

I also found the Sputnik reference in the document to be quite disarming.  Lyndon Johnson’s declaration that he did not want to go to sleep by the light of a Russian Moon was against a threat that would take at least a decade to progress past the simplicity of the Sputnik launch and America was already well on its way toward launching its own satellite.  The Sputnik analogy disintegrates when you consider that it is generally accepted that cyber criminals from foreign lands have already infiltrated the power grid and other critical elements of the country’s infrastructure.  We are not ten years from losing command and control – the evidence shows that we already have.  The time to ramp up science and mathematical skills has already been ceded.  Real action is required, and those actions must have enforcement teeth to succeed.  More years of analysis and broad suggestions will only put us further behind.

I am also concerned that the White House is not looking past the larger companies in IT security for guidance on the way forward.  I have said it before: the solutions for many of the problems we face will not be found in the center of the exhibit hall at RSA, yet those were the companies visible at the announcement.  To be clear, I am in no way implying that these companies are corrupt or lack a commitment to the United States.  But when change is a necessity, it is best not to look toward those who stand to benefit most from more of the same as agents of change.  It is obvious that many of the changes needed to take significant steps forward will potentially upset the status quo and may therefore be disruptive to the established revenue streams that these companies enjoy.

One does not have to look far for an example.  General Motors filed for bankruptcy protection yesterday on the heels of the earlier bankruptcy filings for Chrysler.  It was not that long ago that the government looked to GM and the other auto manufacturers for solutions to fossil fuel consumption.  But there was little incentive for these companies to innovate and upset the profitable ecosystem that they enjoyed, and they ceded that role to global automakers whose ultimate success has been a significant contributing factor to the demise of GM and the others.  I would also add that these automakers did not step up to fuel efficiency until the government added enforcement in the form of stiff corporate penalties if aggregate MPG ratings did not reach certain thresholds – again showing the need for teeth to drive progress. 

I have some other concerns about the review.  Why was the announcement pushed to a Friday of a short holiday week?  That hardly gives the impression that this is front and center in the administration’s priorities.  Why is the Cyber Czar position less prominent than promised during the campaign, and less than those in the White House were hoping for?  Combine these subtle signals with the lack of hard and tangible detail in the review, and I am not feeling a sense of urgency, nor am I confident that we will move from rhetoric to action in the near term.

The evidence is all around us: the time for conversation is well past.  If this report is followed by tangible and concrete actions that result in real changes, made with a sense of urgency and a structure of rigid enforcement with real consequences for noncompliance, then I will be the first to applaud.  But right now you can mark me down as underwhelmed and unimpressed by this first step.

Introducing the Worldwide Malware Signature Counter

Today Triumfant added a malware signature counter to our Web site to represent an up-to-the-second counter of the number of signatures required by traditional signature based tools.  The counter is designed to graphically reinforce what many in the IT security industry believe is a growing problem that is being largely ignored – that the reliance on signatures to protect endpoints and servers against malicious attack is simply unsustainable.

The counter uses the statistics from Symantec’s “Global Internet Security Threat Report – Trends for 2008”, published in April of 2009, as its statistical foundation and simply extrapolates the growth rate in new attacks (and therefore the companion signatures) seen in 2008 into 2009.  We used the Symantec data because it is publicly available, because they are a credible market leader, and because they have an exemplary research capability.  But we also used this report because we thought it was a fair set of numbers: they come from a vendor who, like most in the IT security market, relies heavily on signatures for defensive capabilities, and so were not inflated to make a point.

Just what is that point?  The world of cyber crime is simultaneously accelerating and evolving in ways that no one would have predicted three years ago.  According to Symantec, the number of new signatures increased approximately 265% from 2007 to 2008.  The number of signatures created in 2008 exceeded the total number of signatures written in all previous years by 60%, adding 1.6M signatures to a prior cumulative total of 1M.  If these growth rates continue, and the curve appears to be geometric rather than linear, over 4M new signatures will need to be written in 2009.

Customers are promised innovation, but are delivered more of the same in what we have come to call the process of “perfecting the obsolete”.  So why is the industry moving slowly?  I address this in detail in a previous post called An RSA Keynote from the Outer Aisles – Demand Disruption, but essentially the movement away from the reliance on signatures is simply too disruptive to the comfortable ecosystem that has been created, and even the customers are partially complicit because they do not demand change. 

Triumfant is not looking to beat the “AV is dead” drum, as we believe that antivirus software will always have a place in a defense-in-depth strategy.  But we do believe that continued reliance on antivirus software in the face of the mounting evidence is not a reasonable or prudent strategy.  And do not lose the perspective that each one of the 1.6M new signatures represents a response to a new unknown attack, or a variant of an existing attack, that therefore evaded signature-based software, at a miss rate generally reported to be fifty percent.  I would be remiss not to add that there are likely many more such attacks that have yet to be discovered, as the daily headlines point to attacks that go months undetected.

So the questions begged by the counter are simple.  How many signatures must we write before we hit the tipping point?  How much data and money and intellectual property must be stolen before the market demands change?  How many people who have entrusted personal data to organizations with the belief that these organizations would protect that data must have their privacy compromised?  When is the market going to stop supporting the self serving ecosystem and engage in some constructive conversation about evolving defensive software to meet the obvious threat?

The counter was designed to be a visual reminder of the mess we are sliding toward.  The counter will accelerate to match the accelerating rate of the problem, and by year end it will be incrementing every eight seconds.  There are alternative ways to detect and remediate malicious activity, and I would respectfully suggest that you and your organization owe it to yourselves and your stakeholders, customers, and employees to start looking into these alternatives to signature-based tools sooner rather than later.  The counter is ticking.