Are We Losing the Fight against Cyberattacks?

As cybersecurity expert Matthew Todd writes:

“The total number of emerging risks is growing exponentially by the day. Years ago, five percent was reasonable. Today, five percent seems like a ridiculous dream.”

As the annual RSA conference tackles cybersecurity trends and new threats, we asked Tom Gillis to weigh in. Here’s what VMware’s networking and security general manager had to say.

Q: Are businesses losing the fight against cyberattacks?

The Changing Tides of Enterprise Security: A CISO's Perspective

Gillis: If you think back maybe 20 years ago to the first big viruses, they were all email-born. Viruses like the “Melissa” virus and the “I Love You” virus all had hundreds of millions of victims—very large-scale dissemination. But they didn’t really do anything, so they were just sort of a nuisance for businesses.

Today, the number of attacks is much smaller. We see attacks with a population of one. But that attack is targeted to Equifax or the Democratic National Committee or to Sony. The implication, the cost, the impact of these attacks is several orders of magnitude higher. Overall, the damage done by cyberattacks has been steadily rising. In economic terms, are businesses winning the fight against cyberattacks? No, we have to do more.

Q: How do business leaders change the paradigm?

Gillis: The question that people ask is: “If we’re not winning the fight, what do we do?” The answer is you could try harder with existing approaches. But even to the common observer, we’re reaching a point of diminishing returns. (We’re) coming up with a slightly smarter machine learning algorithm or a slightly better set of signatures. Is that really going to make me safer?

At VMware, we have a totally different idea. As opposed to trying to focus on the things we know to be bad, what if we focus on the things we know to be good? And we can wrap them with protection. That is a radical new approach to security that I think is highly additive to that which exists today.

What is intrinsic security? Get the definition at Radius:

Q: What does intrinsic security mean?

Gillis: One of my favorite topics is understanding the difference between intrinsic security and integrated security.

Many infrastructure companies focus on integrated security, which takes existing security products and packages them as, let’s say, a blade in a data center switch. Actually, in my past life, I ran the firewall business where you built a blade and we put it in a switch, and we sold tons of that. That’s convenient, but it doesn’t fundamentally change what that firewall does. It’s still the same firewall.

At VMware, we talk about intrinsic security. What intrinsic security means is that we take advantage of functionality that is intrinsic to our platform. And our platform is virtualization. We have the ability to introspect and understand what’s happening in an application in a very unique way, because we booted the application.

Q: What is known good?

The Rising Costs of Cybersecurity Breaches

Gillis: If you look at what the security industry is doing as a whole, they’re using a variety of techniques… all designed to answer the question: “I’ve seen this or I’ve seen something like this before, and I know it to be bad.” That’s the known bad.

We focus on the known good.

If you know how a server in your data center is running… you can draw an envelop around possible behaviors for this application. Anything that’s outside of that envelop is suspect and should be stopped.

Q: What is a service-defined firewall?

Gillis: Perimeter firewalls are designed to solve a very particular problem, which is how do I filter traffic from an almost infinite number of unknown hosts, unknown servers, that are sending random traffic into me. I have to figure out what’s good and bad. … They’re all trying to figure out friend from foe. But for internal traffic, it’s almost a completely different design center from an engineering standpoint.

As opposed to dealing with an infinite number of unknown servers, you’re dealing with a finite number of extremely well-known servers. There’re no random servers running in your data center. You know exactly what’s running in there, and you know how it should behave. By focusing on this internal problem, it allows us to develop that pattern of known good and build security-enforcement capabilities specific to the internal—or what we sometimes call east-west—use case. This is very different than what a perimeter firewall does.

Learn more: