Cybersecurity Effectiveness Podcast


Bill Crowell

“The network is so connected and so interconnected that, quite frankly, there are just too many communications that go under the security network defenses. What we should be evolving into is the capability to protect the data, so we should protect it through robust encryption, role-based authentication, segmentation of the network so that not everyone in the company has access to everything -- the same way we do in physical security.”

William (Bill) Crowell is a Partner at Alsop Louie Partners and independent consultant specializing in information technology, security, and intelligence systems. He has held a series of senior positions at the National Security Agency and was one of Security Magazine's 25 Most Influential People in the Security Industry in 2008.

Brian Contos:              

Welcome to the Cybersecurity Effectiveness podcast sponsored by Verodin. The Verodin Security Instrumentation Platform is the only business platform for security that helps you manage, measure, improve, and communicate security effectiveness. I'm your host, Brian Contos, and we've got a really special guest today. Joining me is Bill Crowell. Welcome to the podcast, Bill.

Bill Crowell:                

Thank you very much, Brian. It's good to be here.

Brian Contos:                

So, Bill, before we get going, if you could give our listeners some of your background. You have a tremendous career and continue to have a tremendous career, and I think you followed a very unique path to get from where you were to where you are today. I was hoping you could spend a few minutes just sharing that with our listeners.

Bill Crowell:                

Certainly. In fact, I guess I'm on my fifth career now.

Brian Contos:                

Only five, Bill? Come on.

Bill Crowell:                

Only five. I began right out of college my first career at the National Security Agency. I was recruited right off campus by them. One of the great things about my time there was that I had the opportunity to become involved in virtually every part of their intelligence and also their information security or cybersecurity missions. It's rare that people get to be in so many different aspects of the business, but I was fortunate enough to do that. I guess [in] my first operational businesses there were, in signals intelligence where I worked on some of the more important targets around the world. I also spent time in research and development, primarily focused on research and development for signals intelligence tools and capabilities for military applications. Aircraft, ships, ground based, many, many different aspects of collecting signals intelligence.

Bill Crowell:                

Spent some time in counter-intelligence science and technology exploiting radars and missile systems and weapons systems of various types and space systems. Then from that I went on to run essentially all of the assets that were involved in the intelligence of the Cold War. So, it was a very important, very exciting assignment and one that I enjoyed probably more than any other assignment I had there. I went from that to the financial side and the planning side as a deputy director for planning and programs. I didn't like that job, so I actually quit the Agency and went into the aerospace industry where I started a new business for the start up aerospace company that was aimed at building satellites. Essentially designing and building satellites. Of a very special type, and still classified what I did so I can't talk about that.

Bill Crowell:                

I was asked to come back to the Agency after that assignment in the industry, and I came back as the executive director, then the deputy director for operations running worldwide operations. I finished my career there as a deputy director of the Agency. With those leader assignments I spent an awful lot of time in areas that were involved with information security or cybersecurity kinds of activities, particularly during my time as the deputy director where I was primary spokesman for the Agency on those kinds of subjects.

Bill Crowell:                

When I retired, I went almost directly to Silicon Valley and joined a small company called Cylink. It was a public company focused on most of the major areas of security at the time, cybersecurity at the time, which were public key infrastructure and certificates and all that a company public key, cryptography, encryption systems that were used by large industrial giants, authentication systems that were used by mostly enterprise companies, and a few other areas of security that at the time were important but have faded over the years. I ran that company as a public company for a little over five years and then we sold it to a well-known company in the area, but really we did a merger, and that was SafeNet. SafeNet went on to become a billion dollar plus company. I stayed as a consultant for many many years and then later joined their board when they were taken private by a private equity firm.

Bill Crowell:                

So, the next phase of my career was to essentially become an investor and a board member on a number of security companies, all of which had successful exits. There was ArcSight where you and I met and spent some time together. There was Narus, Broadware Technologies, Proximex, SafeNet because I did join the board of SafeNet when it went private, and a number of others. I won't list them all. But in all there were 12 that had successful exits, and three of those had billion dollar plus exits.

Bill Crowell:                

Then finally I joined a venture capital firm Alsop-Louie Partners in San Francisco and I'm still a partner in Alsop-Louie Partners. I was a general partner for fund three and now I'm just a partner in fund four, remain engaged in fund two. So, it's been a fun, fun adventure participating in so many areas of the security industry and the intelligence community. In addition to doing all of that I've spent a little time giving back to the intelligence community by being on various Boards and advisory groups and so on within DOD and the intelligence community. That's the short summary.

Brian Contos:                

Ha, that's the short summary of an incredible and continuing career. It's interesting, Bill. I've known you for over 15 years and every time I hear you talk about your past I always learn something else that you've left out from that list of accomplishments which is amazing. When you mentioned ArcSight, and that's where we met. And shortly thereafter, we wrote a book together, of course, Physical and Logical Security Convergence.

Brian Contos:                

During that same time period, we had a very small early podcast that we're doing at ArcSight. I remember bringing you on and we were talking about the threat landscape and how it was changing. I'm wondering if you could, let's not go back to the beginning of your career, but let's go back maybe to that time period at ArcSight, 15 years ago until today. What types of changes are you seeing in the threat landscape? How have things changed basically in the last 15 years?

Bill Crowell:                

Well, there have been massive changes in the threats and not so massive changes in the security industry and how it attempts to deal with those threats. So, let me kind of summarize: the biggest changes, in 2008, I think we saw for the first time advanced persistent threats. They actually were discovered at that time in the Department of Defense Networks, and these were networks that were not connected to the internet. So, the interesting thing is, how did they get delivered? The answer is, they were delivered by various means, most of which focused on getting people to connect things to the network that they were not supposed to.

Bill Crowell:                

Things like USB bombs, memory bombs, and a lot of other devices that contain the advanced persistent threat code. I refer to APTs as the "land and expand attack." Essentially, what advanced persistent threat does, or an APT does is, it deploys a small amount of code, penetrates the external perimeter. Usually subverting the firewall or getting around the firewall very often through subverting people who give up their credentials through various means, which I'll talk about as well, and once they've landed inside the network, then they begin to expand to all parts of the network and to put various kinds of resources in place to collect information, collect credentials, collect data, collect all kinds of information, and through a command and control capability or a beaconing capability, deliver all of that information back to the attacker.

Bill Crowell:                

So, that's been the biggest change in my mind. Some of the others have been DDoS attacks, distributed denial of service attacks, which have been particularly devastating to some of the kinds of industries that require continuous access to websites, things like online banking. Another has been the widespread and sophisticated use of what's called phishing attacks. A phishing attack is essentially an email or some other mechanism of delivery that tricks the recipient into clicking on my link that connects them to the attacker and allows the attacker to collect his credentials, in most cases, but sometimes other information as well.

Bill Crowell:                

Another big change, and I think the one that has caused such an enormous growth in the footprint of cybercrime has been the monetization of many or most of the cyber breaches that have occurred. Whether it's Home Depot or Target or the many, many others that occur almost weekly now, these breaches have resulted in the monetization of the attacks by collecting credit cards, bank account information, skimming bank ATMs as another broadly used technique. And even phishing people who are authorized to initiate wire transfers. That kind of thing has happened to almost all of the small and medium sized companies that use wire transfers as a day-to-day method of transferring money.

Bill Crowell:                

One of the more recent ways of monetizing attacks has been ransomware. Ransomware is where the attacker essentially seizes all of the data and backup data of the company and encrypts it, and then essentially exploits that by requesting payment through Bitcoin or other online currencies before they will release the encrypted data back to the owner. This has been a particularly bad attack because very often the victim pays the ransom and still doesn't get their data back, and that it's particularly [cumbersome] when that happens.

Bill Crowell:                

I won't go through all of the rest of them. I'll just mention some botnets where you essentially take over hundreds of thousands of computers, have not only persisted but they are now available for rent by almost anyone who wants to use them for denial of service attacks. There has been a lot of IP threat, intellectual property theft, and one of the newer things is what's called a drone, a drive-by download, and associated with it as malvertising, where you essentially click on an ad and it infects the computer that clicks on it. Supply chain manipulation which we could certainly talk about, and man-in-the-middle crypto attacks where they break the encryption by posing as somebody in the middle of the communication. And finally, the biggest one of all -- one that continues to plague everyone -- is unpatched software. If you leave the software, the operating system, and other pieces of your daily life and Data Domain unpatched, then those weaknesses become exploited by all manner of nation states, cyber criminals, and hacktivists. Well, that should just about summarize it!

Brian Contos:                

Ha-ha, summarizing 15 years in cybersecurity is not the easiest thing to do succinctly, but that's a great list. It's interesting as you're going through that, some of those key items were the prior 15 years as well. If you think about patching and looking for vulnerabilities on your systems and et cetera, et cetera. I think that was a very strong aggregate the last 15 years. You mentioned something early on, which was the industry. How do you feel the industry has evolved or maybe in some cases fail to evolve to address these newer threats?

Bill Crowell:                

Well, I'm one of the industry's biggest critics when it comes to shortcomings and being able to deliver solutions that serve the entire digital marketplace today. I think the industry has failed to evolve primarily because it's fostered too many point solutions. Point solutions that only solve a piece of the problem. For example, we talked about patching. There have been companies that have been created to essentially check all of your patching, but they aren't currently easy to use. They don't work well and they are used, and they haven't succeeded in getting people to actually patch on a timely basis because of other impediments.

Bill Crowell:                

In a nutshell, there are very few integrated approaches to modern day cyber threats. In fact, Brian, you and I had the opportunity to see a company ArcSight really grow and become a very sizable company, which was eventually sold to HP, primarily because it was an integrating force in the cyber domain. Essentially, it allowed people to look at the logs from all of their security devices and do correlation of events that were happening with the firewall, with the antivirus, with the applications in their network, all of these various elements. So, it was successful because it was an integrating force. Unfortunately, it was an integrating force and what I call a rearview mirror approach to security, which pretty much dominates our industry. That is, only being able to find something after it's happened and after the damage has already been done.

Bill Crowell:                

So, there's very little in the way of new basic defenses. I mean, essentially what we have, we still have firewalls, we still have encryption, we still have authentication, we still have antivirus, and these are all mainstay solutions. And what we are getting is just hundreds, literally hundreds of new companies with "novel approaches" to those basic capabilities. I mean, even the marketing is all about "next generation firewalls" or "next generation authentication," or "automated authentication" or "biometric authentication." So, they're all just variations on a theme in your will. The only thing that seems to be a little bit newer is the so-called MVR malware, hunting, and remediation. The real hope is that both machine learning and artificial intelligence are emerging as ways of automating some of the security products and also achieving a level of integration that we haven't been able to achieve up to now.

Bill Crowell:                

I know you remember me using this term, but the way I used to characterize it, Brian, was that the security industry is 1,000 points of light and no illumination.

Brian Contos:                

That's right. The incandescent light bulb, it creates a lot of heat and sometimes a byproduct happens to be a little bit of light. You know, Bill, you bring up some good points there. I think a lot of products in the security industry are something new but not necessarily something different. And all these next generation things. I mean, 100 years ago, what do we call cars? What do we call them today? Cars. We don't say it's a next generation car, even if it's electric car. So, there is a lot of me-too type solutions out there.

Brian Contos:                

We do things like this, but we do it in a new way. Do you think that's part of the problem when you're... You interact with CISOs, CEOs, Boards, all over the world all the time. And there's a consensus that people simply aren't getting value from their security tools. Whether it's endpoint or network or email or cloud or whatever the case might be. What do you think the reason for this is? Why is there so much waste? Waste in time and money and resources. Is it because there's simply are too many products out there, it's that the products don't work, they're too hard to configure. Are there are a handful of driving forces behind this inefficiency?

Bill Crowell:                

There are, and let's start with, there are too many products and the marketing of those products essentially always sounds the same. In fact, I have a very dear friend, Regis McKenna, who's kind of the marketing guru of Silicon Valley. We were recently talking and he had gone online to take a look at some of the security companies because I was asking them some questions about marketing in the security area. He said, "Bill, I just was totally and completely blown away at how I could read the marketing materials of 15 companies and it didn't matter what they did. They all sounded the same."

Bill Crowell:                

So, the first thing is we have too many products. The second problem we have is that we don't have enough training people to be able to use those products. I understand that the average tenure of a CISO is now less than 2.1 years. The staff that they have has a turnover rate of about 25% per year and sometimes more. So, if you're a company and you're marketing to CISOs and to their security experts on their staff, you have an ever-changing part of the audience, and by the time you get a proof of concept accepted, the person who was going to actually use their time to try it out is gone. And so, you have to start the process all over again.

Bill Crowell:                

Then the third notable thing is that companies, whether it's CEOs, or Boards, or heads of business units, very often are not focused on or involved in trying to respond with security solutions that serve their businesses. So, we see a lot of CIOs and CISOs being fired after a breach, but we're also seeing a lot of CEOs and Boards being fired after breaches, because they didn't pay enough attention.

Brian Contos:                

You know, we talked a lot about what CISOs and the CIOs and security directors and red teams and blue teams and groups like that should be concerned, with what they should be focusing on as it relates to security, and I think there's a lot of information out there about that, but you interact with a lot of CEOs and Boards, what is it that CEOs and Boards, folks that might not have more than a few minutes a day to think about cybersecurity? What are some of the things that they should be thinking about? What should they be focusing on at their levels?

Bill Crowell:                

I think they should be focusing on either having the right level of protective services in the company with measuring metrics and, that can actually point to trends and how well the company is able to resist breaches and threats. That would be an important piece of it. The second part of it, and I'm very involved in this now with one of my companies, a company called Security First, is that a lot of the security products in the past have been focused on protecting the perimeter. Essentially the moat. Building a moat around the network.

Bill Crowell:                

Well, the network is so connected and so interconnected that quite frankly, there are just too many cables that go under the moat. Communications that go under the moat. So, what we should be evolving into is a capability to protect the data because after all, what are the people who are attacking after? They're after the data. So, protecting the data through robust encryption, role-based authentication, segmentation of the network so that not everyone in the company has access to everything, the same way we do in physical security. You and I talked about that a lot when we were writing the book about the convergence of physical and logical security. There's a lot that the network people and the logical security people could learn from physical security. Namely, that there's a different lock on every door and not everyone in the company can access every space, every physical space in the company, and certainly not every file cabinet in the company. So, we need to start thinking about segmenting the network inside the company, protecting the data from general access and being much more explicit about who can access what.

Brian Contos:                

Yeah. It's funny you mentioned. We'll go back to your NSA days... There wasn't just one lock with one key, one file cabinet with a master key, and some of those very basic things and what I find and what I tell people is, "Yeah, in a lot of cases you probably do have some good products and you probably also have some buzzword bingo." You walk around NSA or any big security conference these days, everything's blockchain, IoT in the cloud, whatever, whatever, whatever. There's a lot of buzz words, and people feel compelled with that.

Bill Crowell:                

Security of the year.

Brian Contos:                

Right! What I tell folks is, in a lot of these cases, you probably have solutions that you just simply haven't optimized, you're just not getting the value out of it that it could provide. Maybe you're running a default configuration, or maybe it's a SIEM. We'll use the SIEM examples, again. A SIEM that's pulling in data or was supposed to be pulling in data from products that no longer exist or the parsing has changed or the time stamping's wrong and things start to rot. They start to decay, they start to drift, if you will. So, a lot of the times it's just making the stuff that you have actually do what you want, let alone going out and buying the next new shiny thing. Now, you might want the next new shiny thing, you might even need the next new shiny thing, but what about all the other stuff you probably already have in your infrastructure? Is that actually working, providing value? I think that's where we see a ton of waste these days.

Bill Crowell:                

But the other part of the customer industry, that is the end user, that is really not well served and that's the small and medium sized businesses. There's such a shortage of trained cybersecurity people in the country today that those companies actually cannot find and cannot afford to hire cybersecurity people. As a net result, in most cases their CIO, who's really just an advanced IT guy and not a C-level person, is the person who has to provide whatever security is going to be provided. And it's pretty basic. It's firewalls and antivirus, and maybe a little bit of anti-malware, some phishing training for their employees, but it's very unsophisticated and it's primarily unsophisticated because they just can't afford it.

Brian Contos:

Yeah. No, I think you're absolutely right. We tend to talk about government agencies and Fortune 500 than Global 2000s, but that's the tip of the pyramid. You look at that big middle and that's that mid-sized market that oftentimes they have the exact same issues that they're concerned with. They can't afford, however, to try out four or five different IPSs over the period of a couple years because they don't have the budget, they don't have the ability to go out and say, "Hey, we're going to invest in product A and if it fails we'll go ahead and buy product B." They have to get it right, I think, a lot more often because they simply don't have the breathing room or the budgets to be as, we'll say incorrect, or make mistakes some of these bigger organizations can.

Brian Contos:                

Bill, as we wrap up here, there's a question and we like to ask everyone that comes on the show. And that's, who's your favorite superhero or super villain and why?

Bill Crowell:                

I actually like superhero movies, but I have never thought about which one I really liked most. And I decided on Captain America.

Brian Contos:                

Oh, there you go.

Bill Crowell:                

The reasoning was that he has integrity, and that's probably the thing I value the most. He's not infallible, but he admits when he's wrong.

Brian Contos:                

Yeah. And you know what? He's a character that came out in the early 1940s. Yeah, just as almost as early, not as early as like people like Superman and Batman. But I agree with you. I think that integrity is one of the endearing factors of him that's probably made him a success for all these generations. That's an awesome pick. Thank you for sharing that.

Brian Contos:                

Well, thank you, Bill, and thanks to all listeners for joining us today and be sure to check out other Cybersecurity Effectiveness Podcasts, sponsored by Verodin.
