Q&A: ThreatTrack Chief Details Enterprise Security Plans
Julian Waits, the CEO of GFI's new spinoff ThreatTrack, discusses how his company intends to stand out in the growing federal and large-enterprise security space, especially in the new era of international cyber-attacks.
GFI Software this month said it has decided to spin out its enterprise security software technology business into a separate company called ThreatTrack Security. Backed by the same investors, Clearwater, Fla.-based ThreatTrack will target large government and defense agencies, as well as major enterprise businesses, including retailers and financial services firms.
Julian Waits, a veteran of the IT security industry and longtime friend of GFI CEO Walter Scott, will lead the newly formed company as its chief executive. In an interview with Redmond magazine editor Jeff Schwartz, Waits explained why GFI spun out its security business and how he sees using predictive analytics and big data to help customers anticipate advanced persistent threats before they strike.
J.S.: Why did GFI decide to spin out its security business?
Waits: GFI as a company is 100 percent focused on the needs of small and medium businesses, meaning business entities that have roughly 1,000 users or less. As we looked at our security business, a great part of the growth outside of what we're already doing with Vipre, which has been focused primarily around our SandBox technology, and what we're doing with our ThreatIQ product. Today, sandboxing and advanced business threats aren't as big an issue in SMBs as they are today in enterprises and federal agencies. So we decided as a business to spin off the security business unit so it can focus on that and optimize it, while GFI continues to focus on small and medium business. Of course, we still have a core competency and a strong commitment to small and medium businesses and the consumers, but we're expanding our footprint into the federal government and large enterprises.
Will GFI continue to own a stake in this new company or will it be a totally separate business?
It's a completely separate company, though we do have the same investors. You can think of it as sister-portfolio companies.
Are you sharing R&D or any other types of properties?
We have OEM arrangements across both entities. For instance, in Vipre today -- specifically in the premium offering, both on the consumer and business side -- we OEM components of GFI's LanGuard. And in many of GFI’s products, the MAX AV product and Vipre is included in the solutions. We'll continue to license technology from each other.
How much presence have you made into the enterprise?
What started all of this -- over the last six to nine months in the sandboxing side of the business, we've had over 100 percent growth year-over-year, and all of those customers have been federal and enterprise. Unfortunately, I'm not at liberty to share their names, but they're all household names. Think about it as large enterprises that are primarily concerned with targeted attacks and other forms of advanced malicious activity that concern them. From an industry perspective, you should assume large retailers, large oil and gas companies, and large financial institutions, which are all included in the customers that we've closed.
With so many security companies targeting that segment, how do you see ThreatTrack standing out?
When you look at all of the companies entering this space, they're all basically "detections-are-us." Now what's happening is they're moving from what's already known to the stuff that's new that you haven't seen before. The issue is no one is really focused on remediating these issues. From our standpoint, detecting it is only half the battle. The real thing is when you'll be able to remediate the issue. Like a lot of other players in this space, FireEye and Palo Alto Networks, where they have network-based systems that are designed to look for new malware, none of them are addressing the issue of remediation and we plan to do both. We don't want to be another one of the 27 security tools that a customer buys to help pinpoint that there was a malicious file that came to the network. I want to pinpoint and I want to resolve it.
How do you manage to get on the radar screens of CIOs and CSOs at large enterprises, given your heritage in the small- and medium-business market?
It's all word of mouth. We've done a small amount of marketing while we were under the GFI moniker, but it has primarily been word of mouth. At trade shows we'll sit there and one of the world's largest retailers comes in and says, "We need one of those because we get phishing attacks that are changing on us daily and there's no amount of AV or firewall or IP that we can buy that we can deal with this because they can only deal with what's known already."
What are the biggest threats you're dealing with?
You have to separate it between the ones that are enterprise customers and the federal government. We [GFI] were actually one of the vendors involved with discovering Flame from a federal government perspective. I've actually done a webinar on it. Again, under the GFI moniker, it wasn't a business we wanted to emphasize as not something we've made a lot of hay over but we were one of the vendors there. When you look at large enterprises, it just depends on the nature of their business. In the case of the retailer, it's people trying to come up with an interesting way to steal credit card numbers and other personal information that can be used to steal your money. With our oil and gas customers, it's primarily around malware created by environmentalists. By using our toolsets, we can help our customers more proactively get in front of them.
For those not familiar with your toolset, how does it address these threats?
There's no such thing as a standard signature from one AV product to the next but the truth is most things are signature based, whether it's IDS, IPS or AV. So by using our SandBox [marketed by the new company as ThreatAnalyzer], it gives a full behavioral analysis of what's going on in the particular file, and...you can use that to create your own customized signature that you can then create and basically put inside whatever perimeter tool that you're currently using. That's the way our customers have been currently using it. They capture the behavior, they create a signature that they then place inside of Qualys or Rapid7 or whatever the tool happens to be that they use or they use for correlation purposes in ArcSight.
To what extent are your tools being used to address threats coming from China, Iran, Russia and North Korea to address some of these large-scale attacks?
I can tell you today ThreatAnalyzer is used in over 60 percent of the U.S. cyber defense infrastructure with large three-letter defense agencies who were already involved in that fight. We're used. Pretty much [if] you name the agency, they're a customer.
These attacks are getting faster and wreaking more havoc than ever. Where do you see this going?
I wake up every morning terrified by what new things are going to come out, be it from a cyber-espionage or a warfare perspective. It's only going to get worse. It's not going to get better based on our own internal intelligence that we've done. And we cooperate very much with the federal government. There's information that we're privy to that most people don't get. Our goal is to make our solution smarter and smarter. We do believe that you have to not only cover the network but also cover the end points. There's a set of heuristics, especially using big data techniques such as genetic algorithms and machine algorithms and a plethora of things against a Hadoop database, that allow us to basically get a detection from what currently takes us three or four days to an hour or less. We call it ThreatNet.
Are enterprises becoming more proactive as these threats heat up?
Enterprises want to become more proactive. The big issue is they still think about it from [the perspective of] "How do we respond to a threat once it occurs?" So they look at tools like ours and others and it still becomes "How do you fit in the overall ecosystem of what we're using?" The way we're approaching the problem is to create a set of strategic relationships, which we already have around HP around ArcSight and companies like RSA with NetWitness. When we integrate into many of the tools, even to the point where our tools are embedded in the case of NetWitness Spectrum, they use our SandBox in the case of selling that. We're more proactive in the overall ecosystem because with the enterprise, 90 percent ask, "How are we going to respond to it?" While they desperately want to get in front of it, they know most of the time they're going to be reacting to it. The more tools they can put in place, not only to detect it but to help in the response process, like being able to create an auto-remediation as we're going to do.
What do you see as the next key advance in countering these threats?
I do think it's associated with big data. One of the biggest voids in the market is being able to get more and more data from a customer set. For instance, there's a large set of my customers that classify the data so they won't share, mainly in the federal and intelligence industries. Whereas on the enterprise side, they've shown a huge interest in being able to share with us if it means that we can remediate faster with things they haven't seen before. The more of that data we can collect, the more fancy analytics stuff we can use to do our job a lot faster. There's no way we'll be able to anticipate an APT before it's created. God knows they're becoming more and more sophisticated. All we can do is become more sophisticated about how rapidly we can respond to it and it's going to take a community to do that.
Has President Obama's executive order last month helped motivate companies to share information?
Tremendously. In our sales pipeline and our closures this quarter, we've seen an uptick that's directly related to the national address that he did.
To what extent has the BYOD movement created security issues that need to be addressed? Is that an area you've been addressing?
Absolutely. We have an Android SandBox today, which quite frankly we weren't sure about how we were going to market it late last year, so we went out and met with some of our customers in the Washington, D.C. area in New York. And we were blown away with the amount of interest that they have with the ATKs that have happened in the Android world. Of course if you see any of this data, there's more and more malware statistically on the Android platform than almost anything right now. It's a huge issue. We'll see what happens. Now we're hearing more things happening in the iOS world and the Apple world. There's not a huge concern over that but there's a huge concern as it relates to Android.
How are you leveraging the GFI partnerships, including with Microsoft, or are you establishing your own?
As a division, we just took those partnerships with us. Microsoft is a very strategic partner to us. I'm not at liberty to say everything that we do with them but suffice to say, our tools are used on their network every day.
Given your long tenure in the IT security industry, how would you characterize the current state of affairs?
I think this is one of the most exciting times to be involved. The last couple of years has been stagnant in terms of security vendors providing new technologies to address a lot of these more complex problems. But I think based on, quite frankly, a lot of the marketing of FireEye and Palo Alto, and more specifically the Mandiant report that came out where it finger-pointed China as being very much involved in cyber offenses on their part and corporate espionage, it just brought to life everything that's going on. So the industry is going through a renaissance from a security perspective. Everyone is understanding it's not just what we know, we have to deal with the stuff that's coming out every day faster.
Can that be done or are we all toast no matter what we do?
The thing that bothers me about all of this is I still believe 80 percent of security problems are risk management problems. What you have to focus on first are the systems and the applications that are most critical to your environment. Many enterprises approach security almost the same way they approach compliance. It's more about "Let's make sure we don't get caught this way because this became big news and if it happens to us, we're in The Wall Street Journal and we'll all lose our jobs," and it's less about true risk mitigation.
I think it all starts around a process completely built around people and the processes they use in their environment and technology should be used third. Are there a set of perimeter defenses and AV technologies that everybody should have? Absolutely. It comes down to what's the most critical. If I'm an operating entity, my financial systems are absolutely critical. If I can't send out a bill, I go out of business. If I'm a software company, I have to make sure my development systems are protected. If I'm taking a sales view of my Web site and I've done things proactively, again from a risk mitigation perspective, be assured I can do business no matter what happens. The DDoS attacks, what's our response to that? What we're doing is going after advanced, persistent threats added to what's known. The key thing is to really start with a risk mitigation strategy for your enterprise.
How do you see addressing cloud computing in terms of protecting data, as well as providing your technology as a SaaS offering?
Today at GFI, one of the products they have that they OEM'd from us using their own cloud-based infrastructure is called GFI Cloud. That's for those who want all the protection of AV on their endpoints from a business perspective but not have to deal with all of the administration associated with doing so. We used to call it a micro SMB market but what we've found is even larger enterprises are considering it just as larger enterprises are considering outsourcing all their e-mail, just like Office 365 and Google are moving forward. We have a two-pronged strategy. The first component is to provide our AV technology through a cloud-based infrastructure today through GFI [and that] in the near future will be offered by us directly. The second component on that is to utilize [and] to build these next-gen solutions like ThreatNet. In the past, ThreatNet has been used on a small scale by us to protect files from our customers to do some form of correlations, primarily for building remediation for files we haven't seen before. Our next generation of ThreatNet customers will have to opt out rather than opt in. In some industries they'd never opt in. Again, whether it's federal or intelligence, we'll have to have a specialized network, but we plan to take everything we possibly can, put it in a cloud-based offering again, utilizing Hadoop with analytics to just really unleash the data that we're getting about what's going on in the environment.
Speaking of Hadoop, how many experts have you brought on board to advance the use of big data analytics to predict future threats?
What we're advocating is whether you're involved in the project or not, our entire engineering department is being educated on Hadoop and the associated systems. In our case, it happens to be Cloudera we're using to implement this. I really do think it's where security is going.