Cyber-attacks have become increasingly complex where actors exploit systems at the core to obtain control of software, applications, and workloads – bypassing traditional security solutions for their own gain. Clearly our traditional defensive tools and approaches are not enough to protect our organizations. I recently sat down with David Reilly, former Bank of America CIO, to discuss why we need an additional layer of defense for applications and workloads that focuses on understanding and protecting the application code itself, and why deterministic protection allied to probabilistic solutions can deliver the comprehensive protection companies need.
With a successful career in enterprise technology, infrastructure and as CIO at some of the world’s largest financial institutions, David is known for his ability to see around the corner, anticipating the next big IT challenges company leaders will face and the capabilities required to address them. Following are some of the highlights from our webinar, “Deterministic Protection: Shifting to the New Normal for Cloud Security”.
Furneaux: In the current geopolitical situation, how do you think the threat landscape compares to where we were 10 or 20 years ago?
Reilly: As abhorrent as the situation is today with the war, it seems there are always one or two existential accelerators that increase the cyber risk that an organization has to defend against. What has really changed is the extent to which every practitioner on the technology team must be an agent of cyber protection. We simply can’t rely solely on cyber professionals. Infrastructure professionals, data professionals in the Chief Data Officer (CDO) organization and application development teams all have to play a first-person role in affording cyber protection every day. Securing the perimeter and the traditional tools like antivirus tools (AV) and data loss prevention (DLP) continue to be important, but you have to think about your code and your data as primary assets that must be secured over and above traditional network perimeter protection.
Furneaux: As we have evolved into a cloud world, I see a heightened interest from CIOs to understand how to protect the software that runs their businesses in a more runtime or real-time way than we’ve been able to do in the past. Have you seen that shift in thinking among company leaders?
Reilly: I think the awareness, level of proficiency and expectations of boards, executives and regulators have ratcheted up and it is entirely appropriate. Every business is a digital business. Technology professionals must be able to answer the question: How do you know that your systems, services and code you deliver, and that all our businesses rely on, is only doing what it is supposed to do and that any changes made were sanctioned and approved? That may seem like a basic question, but it is a fundamental question that, as a CIO, I felt we must be able to answer.
The software that we either buy, build or both, has a defined and finite number of actions that it can take. To have a platform that enables me to learn all the permutations that an executable could manifest at runtime, even if it is a very large number, and then know if anything deviates from that I can get an alert or remediate in real-time, was the protective measure I was looking for as a CIO. Sometimes that deviation is the result of a genuine mistake that was made because of the pace at which we are working, and not malicious activity. Regardless, to know software is performing in a way that was approved is a very different and enhanced level of protection. As a CIO, this puts you in a position allied with your infrastructure, data and cyber team and gets that coding team a step closer to first-person responsibility and understanding if their code is secure by design.
Furneaux: We call that deterministic protection and we developed it using a “First Principles” way of thinking to attack the problem of protecting software fully while it is running. One of the most important things we do – and we patented – is that knowing process which we call application mapping. For the last decade or so, the security industry has worked on analytics, detection and response and using clouds to look at patterns. This approach often takes too long to find the attack, and also does not stop unknown attacks where there is no pattern.
When you move to dynamic mapping it allows you to unlock the protection of software at runtime. In milliseconds you can detect, block and remediate. It turns traditional approaches upside down. For instance, one of our financial customers told us that when Log4j happened, they knew their workloads were already protected so there was no need to go through a patching fire drill. They could schedule the scanning and remediation as it works with their environment and could even do more mainline upgrades versus patch remediation. They weren’t letting their guard down, but instead taking advantage of the breathing room deterministic protection gives them, to make the best decisions for their organization.
What do you think as a CIO, are some of the things that are important for us to deliver above and beyond the deterministic protection itself, since we’re coming into complicated and demanding environments?
Reilly: Deterministic protection has never been more important because the sources from which different businesses use software and code is only growing. The risk is increasing because you have in-house developed applications, cloud-deployed applications, open-source applications, third-party applications and the fourth and fifth parties they rely on, and, increasingly, “citizen developer” roles are emerging. Individuals outside of an IT team, in a controlled manner, are creating code and software to enhance the customer experience, create efficiencies, etc. Deterministic protection is meeting the moment; regardless of where the software comes from, I know that it is only doing what it is supposed to do.
I’m curious to hear from you, what are some of the other aspects of this level of protection that are important for organizations to understand?
Furneaux: Security leaders are responsible for building the security stack, but as you said at the outset of our discussion, they are working in partnership with the CIO, CDO and other leaders too. We built our deterministic protection platform to meet key demands across the team, including:
- It doesn’t touch the software itself
- No source code is needed to do the mapping
- Impact to performance is minimal, maybe 1-3% of peak performance of workloads
- It works across the range of software in use from any source
- It works across different IT environments – cloud, on-prem, legacy, hybrid and air-gapped
Recently, I sat down with nine customers over three days in the Middle East while I attended the Gulf Information Security Expo & Conference. I was delighted to hear from CIOs and CISOs that they were really pleased with the dynamic mapping for the entire software stack, the product experience, and the architecture and now saw the need to deploy it in more places across their organizations.