Straight out of Austin, Texas, TK Keanini landed in London recently for a whistle-stop stay. Infosecurity's Mike Hine caught up with him to get some security insight from the front line...
To start off, tell us a little bit about your current role and what that involves
I’m a CTO in charge of advanced research and product strategy for Lancope. We ship a product that essentially allows enterprises to have the type of visibility on their network that is required. We make it difficult to impossible for adversaries to hide.
Why is that important?
Back when I started in the industry it was all about getting into [the] network and a lot of the defensive measures were focused on making your network impenetrable. That is pretty much over. There are just too many access vectors both technically and socially. The game today, particularly from the adversary side, is to remain hidden. In essence they have to carry out multiple series of operations to accomplish their task and we basically make it impossible for them to carry this out. Prior to exfiltration you want to detect them and shut them down.
Could you delve a little more into the specifics of how this technology works?
The feasibility of this visibility comes from turning the actual network into a sensor grid. Instead of having to deploy a bunch of sensors, routers and switches can actually exhibit an accounting format called Netflow. The IETF has a standard called IPFIX. In essence, it’s all the transaction information from the routers and switches. The interesting thing about that data set is no one can encrypt it – it has to be in the clear because the routers and switches have to use it. It is essentially the general ledger to the entire network and it’s very affordable to collect. So we basically turn the entire network into that sensor grid and analyze that data set. From the algorithms we have we can tell whether something is anomalous, whether credentials have been stolen, and whether data has been hoarded.
How do you perceive the general state of the security industry?
Human behavior doesn’t necessarily change until something really bad happens. As much as you want to tell someone they should do something, it’s how we all behave. The good news about retail getting run over as badly as it did this year is that it’s going to force a change in behavior. In particular, the retail industry that was hit the hardest is going to evolve – they’re going to be working security into their business continuity plans. The same could be said of the individual that got CryptoLocker; they will probably start getting a back-up plan. I think we’re behind, but the good news is that we are making it a little harder for adversaries to operate.
So do you think public awareness of cybersecurity matters is improving?
The topic is certainly easier to talk about. Back in the day I’d be at dinner parties and I’d have to go into a long explanation about what I do – but nowadays I have someone’s grandmother down the street wanting to talk to me about Anonymous. I think through the media everyone has a different understanding. Whether they have an understanding that enables them to be actionable is questionable. I think that is still driven by personal experience.
What are the most significant challenges facing security professionals at the moment?
People are only starting to realize that the whole security effort is everyone’s problem. It is really difficult today to say that it’s a retail problem, or a consumer problem, or a supply chain problem. You and I are so interconnected in ways we don’t even imagine. So much personal data is being stored in somebody else’s custody, and when that’s violated it’s still the individual’s problem. It’s getting harder and harder to understand how to manage that risk. I think it’s going to get a lot worse before it gets better.
So it’s an issue of how we can effectively ascribe responsibility?
I think about how industries have stabilized over time. Particularly at scale, there’s always an entity that is given the trust because no individual can actually be an expert in so many domains. Everything is so interconnected that it’s incredibly difficult for me to be able to secure everything. On an individual basis, we’re looking at homes, wearables, everything becoming more interconnected. Even this problem set we have today will probably multiply by 100. We are then looking at systems, not necessarily individual components. So much trust is being delegated by necessity, but there is so little assurance around that.
On that note, what types of threat does the internet of things raise?
Human cognition has its limits and we’re well beyond that limitation. There’s only so much we can store in our memories. Both defenders and attackers have the same limitation. But who is going to have the toolset to run the algorithms? To analyze from a certain attack vector how something can be compromised? These pathways are, I think, well beyond cognition. So we need something to compute or calculate these things, much like modern supply chains do a lot of their management. There are too many systems connected to systems and we can’t comprehend it at the component level. My role is to look at some of these disruptors and develop advanced research to these problems. The whole reason why certain retailers were attacked from the supply chain side, or are being attacked from their employee or customer side, is because the walls around the firm actually have gotten higher – so attackers just find a different access vector.
And finally, what do you make of the encryption technology that has drawn criticism from law enforcement recently?
I think that most encryption technology, while technically sound, is too technical for the common person to use. There is just too much key management that only the experts can do correctly. That’s a problem because wherever there’s a weakness, the adversaries are able to trick the non-experts into using it in ways that defeat the security of the technology. In terms of the privacy angle, it is the expert criminal that is always going to be able to use the technology in ways that the real people that fight crime are going to have a hard time finding. The only people law enforcement will be able to catch are the dumb criminals. What we should be worried about is the smart people, the people we haven’t caught.