As Vice President, CTO Office at Fortinet, Darren Turnbull is responsible for ensuring that the development of Fortinet’s solutions align to both the functional and performance requirements across a range of technologies and network environments. Turnbull has rich experience in developing Fortinet’s various security solutions that are deployed across more than 2,18,000 customer sites globally.
On his recent India visit he spoke at length about threat landscape, new OEM vendors, CISO’s priorities and other aspects affecting the security posture of organizations.
How deadly is the threat landscape today and why should CIOs/ CISOs be worried about the security posture at their organization?
Deadly sounds a bit of an emotional word. But there is certainly an increased attention given to what should companies do in the event of breach. There is emergent acceptance that while you can protect yourselves against most threats, you can’t protect yourselves against everything. Something will go wrong and you can’t do anything to pretend that it will not happen to you.
If you haven’t been hacked, it is probably that you have not been looked into hard enough. Everyone is a bit nervous in cyberspace wanting as much protection either as they can afford or they can deploy as per requirements. It is all about managing the risk - what you need to protect, how much protection should be given for a particular asset and implementing the appropriate strategy.
We are now integrating Fortinet’s wide product range across the board for additional protection with FortiGATE coupled with sandbox technology. This gives extra percentage points for protection for the organizations and the ability to know what’s coming in and going out of the network.
Most vendors claim ‘best-in-breed’ Sand box technology, global threat intelligence centers etcetera. But breaches have increased in number and become sophisticated.
If you build a bigger defense, one needs a more sophisticated weapon to attack it. The danger lies in the fact that organizations reach a point where they believe they have complete protection but actually they don’t. And that opens a risk for something to happen.
Security companies obviously don’t have tons of supplies of money to throw at all threats. They have to manage budgets, manage costs and they have to look at what they are doing. And how far and how high they can build that wall - at what cost - remains a challenge.
What about the challenge from Palo Alto Networks, FireEye making noises in the market and claiming to be ‘next-gen layer 7, APT blocker’ security companies?
Fortinet has always prided itself on its engineering capability and technology. To counter the noise from the competitors, we prove our edge. We are very supportive of organizations like NSS who have the ability to prove the same. We don’t pay for the tests. We don’t always come out with ‘best in the test’. But we are very supportive of that approach because the worst thing can be thinking you are secure because of the marketing hype but you are not.
Through internal testing at our end with our competitors, the catch rates are vastly different in the organization’s network compared to what they can detect. False security is no security. And that’s where marketing and security don’t make a comfortable bet for us.
You mean APT and next-gen firewall are mere marketing jargons in the security industry.
They are convenient marketing labels to an extent. But we need labels as a useful hook to hang a conversation with the customer. But we shouldn’t let the labels define our work. For instance, the threat bit in APT (Advanced Persistent Threats) is obvious. But how does one gauge if it’s an advanced threat and to what degree?
The definition of the next-gen firewall (introduced few years ago) becomes a legacy firewall for today’s times. Could the new product from a company like ours be termed ‘new next-gen firewall’? We are now losing out on the language and it is not making much sense. The main objective is ensuring what you want to protect in the emerging threat landscape with a competent security solution.
Fortinet is one of the largest security appliance vendor globally. Will greater acceptance of software or virtual based security appliances lead to the death of hardware based ones?
No. A range of problems can be addressed with hardware appliances. At last count Fortinet had 60+ types of hardware appliances and we have more hypervisors than anyone else in the market.
We don’t align ourselves with false marketing around ‘this plus this’ for the customers. We look at securing what people do and not dictate what people should do. We are not married to the whole notion of hardware or nothing. We are married to flexibility through our operations (with huge number of features) and offering as many form factors as necessary. There is hypervisor support in high performance firewall, rugged SCADA industry of control firewall, and we have the entire breadth in the market. It is not only that we are known only for hardware or the fastest firewall in the world.
Fortinet’s story with end-point security and DLP is not strong (compared to other vendors) as its dominance in network security space.
We have an end point security product for over twelve years now and our growing revenue indicates the market uptake. We integrated the end point product with FortiGATE a couple of years ago. For bigger setups of hundreds of thousands of desktops, we have enterprise manager to manage those clients with similar security policies as the main firewall to keep it unified and uniform.
We have DLP as a feature within FortiOS but it is not the best product in its class. As we fight other battles, we would be fighting this one as and when ready. Internally we have a wheel of protection that does application detection, URL filtering, DLP, APT and other things and then there’s dark space. Our job is take all these things and make dark space as small as possible. In our next release there would be more controllers to cloud applications which will apply to DLP too. I don’t want to over commit on DLP capability but it continues to be an important part of our solution.
CIOs in India in general are keener to protect the laptops and desktops in the network than their employees’ mobile devices. Isn’t that dangerous?
People are changing organizations rather than the age-old ‘organization changes people' phenomenon. Employees have access to not only their personal space but they can work from anywhere. The ‘flexibility’ option of ‘work-from-home’ is good for companies but it is about securing the data - data in transit or rest. You can’t disconnect the employees from the security story.
More and more applications linking to Facebook, messenger chat etcetera (and accessed through mobiles) form the part of social engineering landscape and they also could be a way in to the network. The freedom people get when connected however does lower your guard. Everyone – consumers and enterprise users- are connected to the internet but they should always remember ‘Internet is connected to them’.
Why do hackers stay a step or two ahead of security vendors ?
It is a classic argument that hackers have to be lucky once. Vendors and our customers have to be lucky every day. You don’t hear about the attacks that failed because you don’t know about that attempt and secondly it makes no news. You only hear about successful attacks. There are high profile incidents happening and there are probably others which do not get reported.
A list of Dos and Don’ts for CIOs in 2015 and beyond.
The key thing is don’t think you have solved the problem. Don’t be comfortable and also don’t panic. Don’t listen too much to the marketing hype which exists for awareness raising. Understand your environment and related risks under the norm of normal discipline at your workplace.
As we understand the landscape better and talk more about it, it has not changed much fundamentally. There will always be bad guys and there will always be good guys. Some good guys will accidentally become bad guys because they get socially engineered. But there are also bad guys inside and outside. What has always changed over the years are the tools that we have to protect and the tools for attack.
More number of attacks by bad guys means good money for the security companies like Fortinet.
That’s always the temptation to believe so. If we knew what was coming next we would be quickly protecting organizations from that threat but that’s not the case. In case of breach, our team figures out whether it’s a new feature, a new signature, or a new way of looking at the threat. We are from time to time put on the back foot by these threats framed by someone else. We research to understand the threat and build the expertise while collaborating with other agencies.
We don’t pretend that we know everything in the security world. If we knew what the next big threat was, we would be looking at lottery numbers.