Want CNET to notify you of price drops and the latest stories?

In the security hot seat

Symantec's network security chief, Tim Mather, talks about attacks on his company, the folly of regulations and why he'd never hire a hacker.

11 min read
Like most information security professionals, Tim Mather focuses on keeping hackers out of his company's network and ensuring all systems are updated with the latest patch.

And like most of his peers in the industry, he worries about the level of sophistication of the next security attack and looks at what his team needs to do to fend off the most vicious ones.

But the difference here is that Mather works for Symantec. As chief information security officer at a company known for its antivirus products, he faces challenges particular to his role.

In an interview with CNETAsia, Mather reveals that his company gets inundated with a barrage of hacking attacks simply because of what it is. Some of these attempts have gotten "pretty close," he says.

He also talks about how he copes with these challenges, why he would never hire former hackers, and why today's many compliance regulations are getting in the way of ensuring security.

Q: What is it like being in charge of security for Symantec, a company that depends on it for a living?
Mather: I have responsibilities for the security of our internal networks, all our extranets and our partner connections. Because we're a security company, we also run our security infrastructure based on our own products. My team gets heavily involved with beta testing and actual deployment of those products.

And because of who we are, we get an average of 20 to 30 solicitations, proposals or propositions--whatever you want to call it--from companies on a weekly basis asking us to buy their company, their technology and so on. After the business development people have had an initial look at it, I get called in to see if I would buy the technology as a customer. What's interesting about that is I get to see a lot of small companies, what they're working on. Many of these are very small and very new businesses. Some of them have quite cutting-edge technology.

The sheer number of regulations is actually weakening enterprises.

Another component is with regard to audit compliance, specifically security. So my team is at the forefront of security, the standards, the architecture, the policies and, on a limited basis, some operational aspects of product testing and audit compliance. This includes regulatory compliance, so things like Sarbanes-Oxley fall under my responsibility from the IT side. That is a major drain of my time.

The accounting scandals at the Enrons and WorldComs gave rise to regulations such as the Sarbanes-Oxley Act (SOX). Besides Symantec, has regulatory compliance become a big focus for other companies, too, in terms of security?
Mather: Absolutely. Regulatory compliance has become a huge issue. It is an enormous investment in time and resources (in terms of people), and the cost is not insignificant at all. Sarbanes-Oxley for Symantec alone is an eight-figure sum. It's an investment worth multiple millions in dollars.

The issue I have with regulations, while they're well-intended, is that you have a real proliferation of them. They've gone from being a good idea to being a distraction, to what it is now which is a diversion on security. The sheer number of them is actually weakening enterprises, many of which have to comply with multiple regulatory compliance guidelines. That's a huge burden on companies.

So what really needs to happen instead is a harmonization of those requirements...Very rarely do companies operate in a single location anymore. How many banks here in Singapore have to not only comply

SOX cheat sheet
with the (local) monetary authority's regulations, but also have operations overseas that are subject to Basel II, SOX in the United States, and probably the European Union Privacy Directive requirements if they operate in Europe? How many different regimes are they subjected to?

Making sure that Enron, WorldCom and all of these others don't happen again is a very good thing. But there's a better way to do that.

Speaking of compliance and security policies, are there any policies at Symantec that might be different from other nonsecurity companies? Anything that's unique to your company, simply because of who you are?
Mather: No, as far as scopewise, I'm sure we're very similar to other companies. As far as granularity, we're probably far tighter than other companies, because security is our business. The possibility of an incident for us is far more serious than it may be for other companies. A security breach for someone in the retail industry probably doesn't

have the same significance as far as it would for Symantec and the damage to our brand and the damage that it would do to our customers who are willing to trust us.

Does that mean you don't sleep at night?
Mather: No, I do sleep at night. It just means I have a lot to think about, before I go to sleep.

Does automation help lessen the worry?
Mather: Absolutely. Wherever possible, we do want to automate, and we do automate. The issue becomes about how you coordinate all that automation, especially with regard to reporting and the correlation of events. But if you have an opportunity, you always want to automate for a couple of reasons.

People like to take days off, like weekends and nights. Or they get sick occasionally or they go on vacations sometimes. That's good, but when you are trying to ensure consistency, you still need to be able to run (the network securely) regardless. And let's not kid ourselves?when do you think the most electronic break-ins occur at companies? Nights and weekends, of course.

Automation is a good thing, not only because of the timing, but also to ensure you're consistent in your testing and checks. Does my Stockholm office have the same configurations as what we're set here in Singapore? Do people at the two sites understand English to the same degree that they actually understand (how to carry out) the

Most businesses today don't even know who's on their network and can't tell you with any certainty if that user should be on that system.
same configurations and settings? And when I say to run at midnight GMT, what does that mean to everybody? Who did I drag in at 3 o'clock in the morning versus someone else's office hours?

So there're a number of reasons why you want to automate. It's more efficient, it's more consistent, and therefore the integrity of the testing is far higher.

Are there areas that you just don't feel comfortable automating?
Mather: Two common areas usually come up. One of which is automating the patching of servers. The technical capability exists. The issue, is with servers, particularly those running mission-critical applications, can you trust that you will be able to patch without actually breaking your application? And for most companies, unfortunately, the answer to that is still "no." In fact, it will probably be "no" for a while. So it's still a case of manually testing the patch first and then rolling it out.

Another area where there's still a reluctance to automate is with regard to response. My firewall and IDS (intrusion detection system) have detected an attack. Do I trust the fact that it has properly classified or categorized that attack, and it is not instead turning off legitimate traffic? Was it a false positive?

Everyone talks about false negatives, but people don't generally pay attention to false positives, with one exception to that, and that's spam. False positives become quite an issue, too, for people. They can take legitimate traffic and misclassify that as an attack.

One of the problems with security policies is that they can be tough to enforce. How do you then implement a system that is enforcement-free, so to speak? For example, tools that scan devices for the latest patches before giving them access to the network. Can they help do that?
Mather: Nobody's there yet. If you're leading to an analogy that Cisco Systems has with NAC (Network Admission Control) or Microsoft with Quarantine, these are on the right track. We're a participant in Cisco's NAC. We share that goal and are working with Cisco and other vendors to help make that a reality.

What tools like that will do initially is provide a big improvement over what we have today. But to be honest, from my perspective, it's still limited. Ideally, we would go much further than that. First of all, you need to have a way to detect all types of devices across the network. Due to basic infrastructure reasons, that's not always possible today. If you can do that, if you can detect all devices that are connecting, you then have to do two other things.

No. 1: to have universal authentication and authorization. Most businesses today don't even know who's on their network and can't tell you with any certainty--let alone can they determine--if that user should be on that system. That's very tough to do itself.

Second, you have to determine the state of the device. Those are tall orders. And remember, we're not just talking about desktops and laptops. These days, we're talking about PDAs and cell phones. Next year, we'll probably be talking about my watch authenticating into the network. The form factor will change. And these are running on how many operating systems, connecting over how many different media?

Zero-day attacks seem to be getting nearer to becoming a reality. How should we address this?
Mather: Oh, that's very real. And it's not just the fact that an attack is out, and there isn't a patch for it. It's the fact that the exploit already exists, and nobody knows the vulnerability was there.

If you look at the threat lifecycle here, there are two time lags. First, the time when a vulnerability is discovered and a patch made available. Second, the time the vulnerability is discovered--which may

not be the same as the time it's announced publicly--to when the exploit is available. And this is the one that is shrinking. A zero-day exploit is the exploit arrives before the vulnerability is even announced.

It used to be that the patch beat the exploit. The time difference between the two has shrunk substantially. And now in many cases, you're lucky if the patch actually beats the exploit, let alone the time it takes to apply the patch which, in an enterprise, can be considerable.

Personally, what are you most worried about? Not knowing what all the vulnerabilities are, or not being able to come up with a patch before the exploit is available?
Mather: No, my worry is actually something different. My worry is there'll be a sophisticated attack that combines different attack methods. Keep in mind that we, the security professionals, have for years preached defense in depth. And the whole idea of that is to buy time so that if something gets through one layer of defense, you're not completely wide open at that point. Something else will slow it or stop it, to buy you time until you can maybe apply a patch, for instance.

But if you get a combination attack, a one-two punch, that effectively gets through your defense, then your enterprise just got KOed (knocked out). That's my worry. It takes some sophistication to do, some coordination to actually pull something like that off. But that's coming.

Take worms, for example, which are no longer being used simply as worms. They're now used to spread into SMTP engines, which are then used to send spam. Think about this for a moment. Worms being

This idea that hackers have reformed themselves--I don't buy it, not in the least.
used to spread mail engines for spam purposes?it's kind of interesting, to be honest--too bad it's illegal.

In a perverse way, it actually shows some kind of business sense from the hackers. If I'm a spammer, I no longer have to worry about opening a Hotmail account and trying to jam 10 million e-mail messages through that account before Microsoft shuts me down. Now, I can walk over to a hacker, get him to write a virus that compromises 15,000 systems worldwide and use each of these compromised systems to send 1,000 e-mail messages an hour a day. Not only that, because it's compromised and I now own it or rent it from the virus writer, I can use it again and again. That's a perfect example of increasing sophistication in attacks.

Are you worried because there isn't a solution to this yet, or that it might just get too good or sophisticated?
Mather: I'm worried because I don't know what I don't know. I'm also worried because, due to the chair that I sit in, we're quite the target. We get huge amounts of electronic trash thrown at us just because of who we are.

Just how much trash would that be exactly?
Mather: The last time I checked, we stopped counting at 2,001 (attacks a day). Today, not all of those are highly sophisticated. A lot of those, quite honestly, are pretty unsophisticated, probably from some so-called script kiddies firing off a script at us. But it's enough for the logs and sensors to record it, and enough for there to be an alert on it. It's not so much that I'm going to act on, but it's more than just an event.

But some of them, we looked at and thought: 'Wow, that's interesting. This guy got pretty close. Think about what would have happened if this was changed to that?that probably would have worked.' That gets scary.

And sometimes you don't see it again, because they don't realize how close they are. Other times, it shows up again. We can see this happening, and it's not just us, various other sensing networks out there also see that. Virus writers will try a version of a virus and put it out there. At first try, it might not go anywhere nor spread very rapidly. Three weeks later, it's back as a new and improved version and one that spreads. They've corrected a problem, and they're getting better. That's not an unusual scenario at all.

What do you have in mind that could possibly fend off these so-called combination attacks? Is awareness the best defense?
Mather: Awareness is one, but defense in depth is what you have to do.

So really, how do you sleep at night?
Mather: Well, there's only so much you can do.

Will you hire hackers to join your team? You know, so you can get them off the streets?
Mather: No, absolutely not, absolutely not. Wouldn't even touch them with a 10-foot pole.

You don't think you can change them?
Mather: No, not even going there. Couldn't care less. Just get out of here. Not even the smart ones...not even going to talk to them. That's not the type of people we want. And this idea that they've reformed themselves--I don't buy it, not in the least.

Hackers will be hackers?
Mather: Yes, I think so, yes. There's not a whole lot of good talent out there, but honestly, I find no reason to hire those people. There's talent if you look for it, even though it may be expensive sometimes because, to be honest, there's not enough to go around.  

Eileen Yu of CNETAsia reported from Singapore.