In recent days, Symantec Corp. announced that more than 120 companies have joined forces with Symantec to drive down the cost and complexity of cyber security, while improving response times to protect enterprises against sophisticated threats. The ecosystem includes major players like AWS, Box, IBM Security, Microsoft, Oracle, ServiceNow and Splunk, as well as dozens of other technology innovators, who are now building or delivering more than 250 products and services that integrate with Symantec’s Integrated Cyber Defense (ICD) Platform.
Symantec's CEO Greg Clark has been in the cyber security field for three decades. He has founded and sold multiple companies. He was the CEO of Blue Coat when Symantec acquired the company. In his current perch as the head of the combined company, he leads, by some measures, the largest cyber security company in the world. I sat down with him to talk about the recent announcement, but also to get his thoughts on the evolving threat landscape, as well as to talk about his extraordinary career path.
(To listen to an unabridged podcast version of this interview, please click this link. To listen to future articles like this one, please follow me on Twitter @PeterAHigh.)
Peter High: You have been a security executive multiple times over, you founded DASCOM, E2open, and Mincom, and you have been a CEO at Blue Coat Systems and now Symantec. Why did you choose to go into security?
Greg Clark: Way back, I worked at Bell Laboratories, where I was heavily involved with the Unix operating system and subsystems. In doing so, I learned a great deal about the fundamentals of operating systems and how technologies were secured. I was working at the Unix Systems Lab when the World Wide Web was invented. We looked at the HTTP daemon, and I said to some of my colleagues that if we put some security on this, it could change the world. We ended up moving to Santa Cruz, California, and we started a company called DASCOM to work on bringing some security principles to the web. I spent extensive time working on operating systems and security systems throughout the '90s, and I read a great deal of code. If you ever start a company without venture funding, you quickly learn a great deal about finance. Because of this, I tell many people that I got my MBA on the street, which is largely true.
DASCOM was eventually acquired by IBM. i went on to work at IBM as a distinguished engineer for security systems. In my mind, I had solved all of the security problems, so I started a supply chain company with IBM called E2open, which later went public on the Nasdaq. E2open became an important piece of the aerospace and defense supply chain, as well as the electronic supply chain. Following E2open, I did another turnaround at Mincom, which was successful, and then I joined Blue Coat in 2011 as CEO. Strangely enough, the primary DASCOM product was a reverse proxy in the utility access manager product line, and Blue Coat was the leader in forward proxies. While I consider myself a technical CEO, my fundamental ethos is around security systems, and I love working in this area.
High: You have been in security for three decades now. The problems that you were solving three decades ago were extremely different than what you are solving today, which is emblematic of how dynamic this space is. Could you talk about that evolution?
Clark: As you mentioned, security is constantly changing because the methods and techniques that the bad guys use will always change. Because of this, you can never predict what the big attack vector is going to be several years down the line. For example, no one would have been able to predict the pollution on computers for bitcoin mining several years ago, but that happened. As you think about capacity inside of a security company, you have to make sure that you have resources working on tradecraft and the over-the-horizon problems. You have to keep your ear to the ground regarding what is happening in the black hat community around tradecraft, the vulnerabilities and the exploitation of those. If you are the CIO or CSO, the product is important, but the agility of the organization and its ability to adapt to what is showing up is what is most critical. For example, DevOps is a huge attack surface, and if you get an implant similar to NotPetya, which did catastrophic damage at a number of companies, you must be able to react. If bad guys can get into the development cycle of commercial software, it is a serious problem. Adversaries are working extremely hard to exploit this problem, so the supply chain of software is extremely important. You need to know how to fight and protect the supply chain against threats. In order to do so, you need research labs, and you need some over-the-horizon radar. That is just one example.
A year from now it will be a different story, and a year from then, it will be something else. As you think about the short list of partners that you need, keep in mind that software expands to consume all available resources in every company in the industry. At Symantec, there is a separation between our R&D and our research labs. Research does not report up to the R&D P&L, so they have time to spend on the future. I believe it is important to ask your long-term vendors how they think about their research structure. Time after time, Symantec has proven to be the first to find or protect something, so I believe we have good credit there.
High: We are sitting in Silicon Valley, the heart of innovation, and with each innovation comes new surface areas that black hats can exploit to gain access to the enterprise. What is your team’s process of determining what the new vectors are, and from there, responding to them?
Clark: I believe we have immense visibility into what is currently happening in the attack surfaces of the world and the threats that are getting through. We have a substantial managed security service business, and we are monitoring these advanced threat problems for huge multinationals around the world. We are seeing a great deal of activity from that, which gives us a unique point of view. Outside of the United States, we are seeing some serious malware platforms that are executed by one state against another state, similar to what the Iranians would do to the entities in Saudi Arabia. You do not see these types of attacks on critical infrastructure inside the U.S. because there would be serious consequences.
While we are able to be present in these places, it is hard for others to see what we see because they do not have the scale or the breadth of deployment that we do. I believe this significantly differentiates us, even from large regional telecom players. These players have a strong purview of what is happening in the region, but they are not seeing it globally. Furthermore, we are heavily deployed on the endpoint, and threats show up there. Whether that be a mobile endpoint, a Mac, or a Windows-based computer, we are seeing a great deal of activity that is extremely helpful to us. We have done a great job at quickly analyzing and deploying protections against new threats, and customers value that we have such a strong point of view as to what is going on globally.
High: One of the challenges for the modern CIO or CSO is developing an ecosystem around them as the threats evolve. What advice do you have for CIOs who are thinking about the ecosystem to assemble around them?
Clark: There are several questions I would implore CIOs to ask their vendors.
- What are you doing around the closed mobile operating system? At Symantec, we do not call them closed mobile operating systems, we call them modern operating systems. The binaries that are running on these operating systems have been validated by the vendor and stamped ok. iOS, Windows 10 S, and mobile pod are good examples because we believe that all platforms will be mobile in the future. It is essential to determine how you are going to protect threat and risk in that mobile environment;
- Companies are beginning to move a great deal of workload to other companies’ infrastructure, such as Amazon’s, Microsoft’s, and Google's cloud, because the economic cycle of not running them yourself is extremely beneficial. It is critical to determine what you are going to do about the attack surface there;
- How open are you? Companies need to be open because there is no single company that can solve all of the security problems. Because of this, your core vendors need to be open with their APIs, their business agreements, and with the opportunity to integrate with your worst competitors in the best interest of the customers.
You should ask those questions to your vendors and see how they respond. If their answer is not strong, I do not believe that vendor will be a long-term part of your platform. In the new world of mobile plus cloud, you have to have a strong story in those areas, and in order to have success, you have to be open.
At Symantec, we have made a large investment in these modern closed operating systems, [learning] how to take care of them, and how to detect anomalous behavior. This is where the world of deep learning, AI, behavioral analytics, and the ability to enhance your view of an endpoint over time as it is being used comes in. While something may start off risky, a few minutes later, you may have a different point of view that is less risky.
The question regarding if you can trust the infrastructure is going to be one of the hottest topics discussed at the RSA conference. This usually comes under the banner of zero trust. We are hearing a great deal about Huawei and what we can trust and what we cannot. This week, we are hearing the U.S. say, “No Huawei," while the British are saying, "We believe we can manage untrusted infrastructure." This is moving the discussion to say, "Do we truly trust the infrastructure?" I believe that is how we should think about it in the cloud era. I have a point of view that says you cannot trust any of it. Instead, you should rebuild the trust within the context of the application resource, the data you are accessing, who the user is, where the user is, the endpoint the user is on, and everything else that is on it. You have to build that from the ground up with the context of access to the data that you are responsible for. I believe that security is an overlay on the infrastructure. Similar to what happened with Skype, WhatsApp, and WeChat with an overlay on the telecom, it is going to be different infrastructure run by different people.
If you are on many different WiFis throughout the day, and if your company has given you a constant coverage protection model across all of that, you do not have to redo anything. While access to the resources that you were using at the corporation may have changed when you were in different risk profiles, you could still function without having to take control of it, re-login, retouch something, or grab out some token. Zero trust infrastructure allows us to deliver a product to the market that makes massive changes in the software-defined perimeter, which involves the people and the application that you are accessing. As we move into the world of running on everyone else's infrastructure, we can make many changes, and what we are doing in integrated cyber defense is a huge piece of it.
High: Could you elaborate on how the cyber defense platform you are developing is oriented?
Clark: There are a few pieces of integrated cyber defense as a concept.
- A technical blade about how we should think about integrating different elements and making them work;
- A business blade, which is one of the top sets of security products that you would self-integrate as a CIO or CISO. There is a set of those that should come together integrated, and there are a set of vendors that make them.
At Symantec, we believe we can give you an economic change in delivering those pre-integrated. By doing so, your endpoints and the encrypted communication to the bridges and the cloud are taken care of, so your CIO or CISO organization does not have to put them together. The procurement cost and the through life sustainment costs are significantly cheaper. There are many challenges when you are trying to hold together three clouds from a self-integrated story in terms of the changes that are coming in and making sure they still work. However, when it is cloud-delivered it is doable. I believe there is an economic story around integrated cyber defense and vendor consolidation. It is about which pieces belong together and which do not, so we want to give you the pieces that belong together in an integrated way. We want to do that at an economic shift that allows you to do more with the resources that you already have so you can solve some of the problems that are not already solved.
In the media, you hear a great deal about which platform is better and which one is going to win. However, I believe there will be more than one that is successful. Many of these platforms are coming up through next-generation firewall vendors or companies similar to us. We believe the discussion around firewalls and firewall safety is an infrastructure-layer discussion, and it needs a robust security story. When you are running on multiple infrastructures in the cloud trying to drive a security program that is anchored in a piece of infrastructure, that is likely going to be challenging. However, we believe that is a vibrant market, and there needs to be strong technology there. Cisco, Fortinet, Check Point, and Palo Alto Networks are doing a good job there. We do not control the running on everyone else's infrastructure, so you need an overlay that is different. At Symantec, we are focusing on that part of the market. We are fond of what we have in our integrated cyber defense platform and our APIs’ ability to integrate with other products that are not in the core products we integrate. In this area, we have a program for independent software vendors [ISVs] that can build into our platform fabric. That program is doing exceptionally well, and we have quite a few of them that have built products there.
I always say you do not have a platform until another vendor has built products for it and makes money with it as a result of people buying it. I believe this is a great checkpoint in determining a successful platform. As an example, we have a great relationship with a company called Bay Dynamics, which acts as an orchestrator for data protection violations, and they have built on top of our platform. We have a huge install base of data protection technology, and as events come, they can correlate and orchestrate those events to automate resolutions. This is currently an extremely popular product because it is hanging off the side of Symantec’s integrated cyber defense platform using the APIs that many of our customers have gotten great results from. I believe we made a big dent on the company's revenue because of this.
We truly believe in that platform. It has to be there, and we need it to integrate the pieces that we deliver. Our web proxies, cloud access broker, data protection, and multi-factor authentication callback are all built on our integrated cyber defense exchange platform. If we did not have that platform, we would not be able to integrate between development teams. We are eating our own cooking on that, and I believe we have some great examples of ISVs that are also in there.
Customers sometimes call us and ask us to integrate with our hottest competitors, which we do. We have built plenty of integrations between core parts of our product line and a competitive product because it is in the best interest of the customers.
High: Much of what you are doing is allowing people to shift from reactive to proactive defense, which is extremely important. Could you talk a bit about leveraging technology to do what humans cannot do?
Clark: We are in an era where prevention matters. Some companies who got malware such as WannaCry or NotPetya reported that there were only seven minutes between the first infection and disaster. You cannot just have a set of hunters who can look at the malware, think about it, collect some data, and then work on it. The detection element of cyber defense needs to be closely tied to the prevention side because you have to automate the shutdown of these type of problems. Even if you shut something down that you should not have, that is substantially better than having to spend $350 million cleaning up a mess. Because we are in this era of prevention, we need automation. If you run a managed security service business similar to ours, you understand standard run books regarding what you do when something happens. All the big SOCs in the world, whether they be in a financial organization, government or a telco, implement standard procedures for different types of problems.
We believe that those procedures can largely be automated and enhanced using artificial intelligence [AI]. Fixes to certain events, such as a penetrated Microsoft laptop, can largely be automated. If they have some AI watching it, the AI can get smarter over time as to how to auto-detect that better. Similar to what is happening in the workflow automation industry with companies such as UiPath and Automation Anywhere, we can use those same techniques hanging off the side of an integrated cyber defense platform to automate what is happening on the edges. In doing so, we believe we can take a great deal of expense out of the security administration.
On the prevention and detection side, we had an experience when WannaCry came out several years ago. Some government entities called us and said, "We know your software knows how to stop WannaCry, can you tell everyone else how to?" We responded saying that our AI convicted the threat, and we were trying to figure out why. Luckily for us, the AI worked, it shut the malware down, and today, we have better tooling in our AI to understand why. We have a huge implementation in our endpoint and network technologies of AI and deep learning to improve our ability to defend. We are one of the vendors that has seen exemplary results from AI in cyber defense, and because of that, the propagation of WannaCry and other modern semantic problems did not happen. Before AI was trendy and some of the AI unicorns even launched, we started a center for machine learning and AI intelligence. While I believe we are under-marketed regarding our skills around deep learning and AI, it is truly embedded in our products, and it is delivering results.
High: You have been in security for so long. How has some of this translated into your personal life as friends ask you what steps they should take to make sure their information is secure.
Clark: I believe that the defining topic for this generation will be privacy, specifically consumer privacy and the obligation for enterprises to protect and defend that. We are not a reactor to the media fervor around privacy, but instead, we have been ahead of it. Prior to the inspection that Google and Facebook are getting now, and long before privacy jumped to the front of mind for leaders, companies, and consumers, we started a privacy lab in Germany that was well received. At Symantec, we are working in two areas for that.
- Our consumer brands under Norton and LifeLock are heavily invested in consumer privacy;
- We are always working with companies to help them understand and protect their data better.
On a personal side, I am heavily invested in delivering solutions for consumer privacy and helping organizations that are custodians of consumer data do so safely and responsibly. An example of when people in my personal life showed up was when it was reported in the VPNFilter that nation-states were in the WiFi. That day, nearly everyone on my street knocked on my door asking what was going on and what they needed to do.
Cyberspace is always going to be in the consumer space because we are forever changed, similar to how the radio and telephone changed how we live forever. As a result, everyone has a responsibility to take care of their safety in cyberspace. We have worked hard to bring the Norton product to a service for normal citizens all over the world to make individuals and their families safer in cyberspace. To do so, we have four pillars that we are delivering as our cyber safety umbrella under one brand.
- A malware platform on all of the devices we have historically been famous for;
- An identity protection pillar, which is designed to protect you from the many ways in which thieves can profit on your good credit;
- A privacy vector, which has two pieces. It is a communications privacy layer, similar to a VPN. Further, it provides an ability to start a browser session that does not leave personal exhaust. If I want to google a heartburn drug, I do not want a healthcare provider buying that search term to enhance their record of me. If they do so and I am buying these meds in my twenties, my health insurance will be expensive in my fifties;
- Home and family safety. This involves questions such as, "Where are my kids," and, "Are they sleeping at night?"
When I was checking my son into college in Australia last weekend, I bought a computer at the local computer store, and I was told that I needed a security agent on the computer. When I asked which one is the best, he told me Norton is because Norton has a good talk track. In response, I told him, "That is right. I am the CEO of Symantec." I am proud about this, and I believe we have a great brand around the world. Every time you check out a shopping cart the past few years, there has been a Norton check mark next to the checkout button. Even people who have no special knowledge of IT have a cyber safety affinity with that mark.
My personal goal is to make people safer, and I love working on cybersecurity problems. Cybersecurity is far better than any other tech because it has a real purpose. We are working against truly bad people who are trying to wage serious havoc for their own profit. I want to stop simply blocking and stopping and move towards consequences. While this brings risk to your company because bad people may want to prove a point, I believe that we need to have more consequences on the black hat side. The FBI and DOJ have passed legislation saying that if developing countries do not have cybercrime laws on their books, they may face U.S. sanctions in a few years. I applaud this work, and I believe that national governments around the world need to bring down these consequences. I want our brand to be associated with the notion that if you try to steal from companies that we protect, there is a higher chance of getting caught. This is similar to having fewer break-ins because you have a dog in your home. In this case, it is not that they are unable to break in, it is that they do not want to try because of the potential consequences.
Peter High is President of Metis Strategy, a business and IT advisory firm. His latest book is Implementing World Class IT Strategy. He is also the author of World Class IT: Why Businesses Succeed When IT Triumphs. Peter moderates the Forum on World Class IT podcast series. He speaks at conferences around the world. Follow him on Twitter @PeterAHigh.
