Cyberspace Security: The Symantec View

As chief technology officer, Rob Clyde sets the technology vision and strategy for anti-virus vendor Symantec Corp. Clyde is a pioneer in the development of security products, leading development for intrusion detection and policy compliance products.

Throughout his career, Clyde has worked with leading Fortune 500 companies and government agencies to implement sound and practical security policies and solutions. He was a member of the executive team that created Axent Technologies, an early innovator in the information security market. In 1980, Clyde was a founder of Clyde Digital Systems, a Utah-based enterprise security software company before merging with Raxco Software 11 years later. Clyde Digital is credited with creating the first commercial intrusion detection system. Clyde is a founding board member of the IT industry’s Information Sharing and Analysis Center (IT-ISAC) and currently serves as treasurer on the Executive Committee. In this in-depth interview, Clyde discusses best practices for securing cyberspace and why we’re seeing an increasing number of computer viruses.

Q: What comprises a company’s critical infrastructure and how do you know if yours is adequately protected?

Your critical infrastructure is going to consist of the information assets that comprise those areas of your company that are essential to doing business. In today’s world typically, that includes your backend systems, your customer facing systems and your Web servers, since more and more business is done online. Email is also now typically a more common form of communication than the telephone so that’s pretty key, so there’s quite a gamut of systems that need to be taken care of. We’ve learned the ability for users to be able to use their notebooks and groupware products is also pretty key. Most employees have a difficult time doing their work without that. It’s pretty hard to go back to the old systems; it’s hard for people to even remember what they were so it’s highly important for those various systems all the way down to end user systems and the network to be available for them to do their jobs.

Q: What needs to be done to better secure cyberspace?

There are some real key aspects there. What you’re basically looking for is to make sure information that is shared across cyberspace is protected and — we’re starting to get better to make sure they are protected and integrity of those systems is protected, in other words, that you can trust them and know they aren’t being tampered with, like stock systems and banking systems and at same time know that someone isn’t breaking into my systems and making changes. The third area is availability, making sure legitimate users can get into systems. When they can’t that’s called Denial of Service. There’s an acronym: CIA — confidentiality, integrity and availability, and those are the three cornerstones and objectives of a security program and that’s what we’re looking for in cyberspace and our own organizations.

Q: How will the threat of war in the Middle East impact our country’s IT infrastructure?

Obviously one of the concerns we have is there is potential for attacks on our critical infrastructures and that’s one of the reasons why the White House came out with The National Strategy to Secure Cyberspace. We may have a war and no cyber threats will occur although we know attacks in the past have occurred. Email could be disrupted or more concerted attacks on banks, energy, etc. I don’t think we’re adequately protected at this point in time. All organizations know they still have some distance to go — but there are some pretty key questions to address: does your organization have an incident response process? Do they know what to do if there is a cyber attack? Are measures put in place proactively to protect against holes, are virus definitions up to date? Those are typically things that need to be put in place ahead of time and unfortunately, when we do studies and look at organizations, rarely are [the results] real positive ahead of time.

Why? Because organizations are big and complex and they change and at the same time particularly, new vulnerabilities are being discovered constantly. Literally we will get 70 some-odd vulnerabilities discovered every week and it’s a real challenge to keep up with those. You need automated systems in place to be sure the patches are being brought up to date. You want to make sure your antivirus definitions are up to date and have a mechanism in place to update them. Companies are doing a little better in that area. But it’s something to make sure you’re properly prepared for. You need to make sure users don’t have too easy to figure out passwords. You need good application levels firewalls. That’s a higher layer in the protocol stack. Most firewalls tend to run at a lower or network-level layer. The problem has been the most recent attacks have been able to go beyond the low level firewall attacks since they aren’t application-level cognizant. The application firewall runs at layer seven and the network firewall runs at layer four in the TCP/IP protocol. Particularly for externally facing firewalls, in other words, the firewall that connects you to the Internet. For traffic that’s coming in to your network from the outside world we would highly recommend a layer seven firewall.

Q: What do we need to do to prepare for potential cyber attacks?

Having an incident response plan in place. We also recommend that organizations join their respective ISACs (Information Sharing and Analysis Centers). You’ll see those talked about in the National Strategy for Securing Cyberspace. There are ISACs for each of the major industry sectors: financial, telecom, energy, petro and chemical. I happen to belong to the IT ISAC. — If your organization hasn’t joined an ISAC, now is the time. They share information about pending attacks and have links into the federal government so they can share information with them as well. The idea is to get information about early attacks and share proprietary information with other banks, for example so they can be adequately protected as well. It also gives you a way to share best practices so that’s your direct link. If the federal government knew something about an [impending] financial attack, they probably would share that with the FS (Financial Services) ISAC. At this point in time, other than the financial services arena, I don’t think we’ve gotten the level of participation in terms of people joining all the ISACs that would be useful during the event of a cyber attack.

Q: The Aberdeen Group recently issued a report that says security incidents — everything from viruses and worms to hacks and insider sabotage — are expected to skyrocket this year. Why do you think that is the case?

I’m not sure I agree they’re going to skyrocket more than last year because they went way up last year, too. We’re at huge numbers already. By our projections, we had 800 million attempted infections by malicious code (viruses and worms) in 2002 and we had about 80,000 network intrusions attempted. Those are just estimates gathered from various sensors we have. We’re certainly expecting that number to go up in 2003 but I’m not sure I’m ready to say the growth rate for 2003 will be higher than 2002. That said, it was extremely high in 2002 over 2001there were about 650 million malicious code infection attempts in 2001 and about 55,000 network intrusion attempts.

Q: Why does the number keep growing?

First of all, it’s easer to do. There are vast amounts of information on the Internet that teach you how to hack and tools that teach you how to create viruses and malicious code. There are more companies and servers on the Internet and that creates a larger base of things that can be attacked. So it’s easier to do, and there are more targets and combined, that makes for a pretty natural recipe for continued growth. The vulnerabilities that get exploited, like holes in operating systems, also continues to grow. In 2002 over 2001, there was an 84 percent growth in the number of vulnerabilities according to the most recent security threat report Symantec issued. So that means systems get more vulnerabilities and you need to patch those swiftly and it’s a struggle when you have 84 percent annual growth. It’s not easy to keep up with that. When you have natural change processes built into your systems you can’t just make changes easily. You can’t just throw that in without going through processes and that slows down how quickly you can deploy those patches. The danger is if you apply the patch without testing it on your production system you run the risk that the production system could fail. So the good news is you patched your system but you created another problem.

On the other hand you have bad guys trying to exploit those problems even more quickly because they know there’s a vulnerability threat window — the time between the problem being announced and the patch being applied and if you carry out an attack that exploits that vulnerability before the good guys can apply the patch, it will be very successful. Most vendors have now jumped right on vulnerabilities, frankly, so in general when the public learns about a vulnerability the patch is usually available at the same time. So there’s a very small window there. The problem is not there. The problem is how long it takes the customer to deploy the patch. Six months is how long it takes bad guys to exploit the vulnerability after the patch is made available. The fact that it is so successful indicates there are so many companies that haven’t applied the patch. What we’re worried about is as time moves on that timeframe will decrease, meaning the bad guys will get exploits out sooner. A day zero attack is the day the bad guys launch an exploit.

Q: What else is occupying the bulk of your attention these days?

I work heavily on helping come up with solutions for customers that help improve their ability to protect their infrastructure while lowering the cost of that protection. We believe that takes two critical aspects: improving management’s ability to get a holistic view, so for example, what is my security posture? Am I well prepared for attacks? What is my incident management? The other aspect would be to simplify the security systems out there so you don’t have to have so many disjointed solutions and could integrate those together. By doing those two things: the overall management view and tight integration between the security solutions out there, you simplify security, provide better visibility and lower the total cost of ownership.

Q: What is your proudest professional achievement?

Probably that I was one of the cofounders of Axent Technologies (security software) and helping to grow that company from zero to $100 million and taking it public. I did that in about four to five years.

Q: What advice would you give someone looking to advance their career the way you have?

Make sure you have a good understanding of your industry and of the various needs customers have in that industry. Know who the players are, talk to them, understand what they’re look for and ideally come up with a few solutions that really solve the most pressing problems. Probably one of the biggest ones in security specifically, is people like to make security sound really hard and really difficult and my experience has been it can be understood and you can get your arms around it if you spend some time; typically about a year on security. It doesn’t have to be a deep dark secret and black art. Basic management skills can be applied to security.

Q: What keeps you awake at night?

I worry about day zero attacks and multiple blended threats — fast-moving attacks being launched at the same time in cyber space. To date we tend to get them in ones, twos. Combined with physical attacks on our infrastructure.

Q. What do you do in your spare time?

I like to fly fish and deep sea fish. I enjoy camping, vacationing with my family. I don’t get enough spare time, that’s my main complaint.

If you know of a CIO or CTO who would like to be profiled, please contact Esther Shein at [email protected].