Bit9 thinks you're fighting a new war using old weapons. The Waltham, MA-based company says traditional security products are no match against today's malware and advanced persistent threats, and that a new approach — one based on trust — is better suited than blacklists and other reactive solutions.
In this installment of the IDG Enterprise CEO Interview Series, Bit9 chief executive Patrick Morley explains how the company's security platform changes life for security pros, and he talks about Bit9's plans to make securing mobile devices easier. He also discusses the company's partnerships with network-based security solutions like FireEye and Palo Alto Networks, and explores the changing role of the CISO in corporate America.
John Gallant: Give me the background and history of Bit9. What problems did you set out to solve and what have you accomplished since you launched?
Patrick Morley: The original hypothesis behind Bit9 was that we were doing security the wrong way. For the last 20 years we've been focused on trying to find all the bad in the world and stopping the bad. What we've seen over the last few years is that that approach, that black-listing approach, trying to find and stop all the bad, does not work.
When the company was founded there was a vision that people would wake up one day and realize this, and that the right way to focus security was really a different type of model, one that was more proactive, one that was positive, and that was really based on the concept of trust, the same way we run our own lives. Essentially, I trust you or I trust someone that you trust. The general hypothesis behind the company and the vision was that we're going to build a technology that allows organizations to only allow software to run that's trustworthy.
How do you put that into action, this concept of trust and a network of trust?
Conceptually it's easy for people to get, but it actually is harder to do than you would think inside of a lot of enterprises. And I don't mean from a technology standpoint. I mean for people to actually realize that the right way to do security is to not be reactive. It's not to just slide a network device into the rack or deploy a piece of software on the endpoint, but to actually think through more holistically the strategy on how security should be architected inside of the enterprise.
One of the things that we ask organizations to do as part of our solution is that we ask them to think through who should be running what inside of an enterprise. Do you really need 7,000 employees to have access to anything that they want on the Internet? Do you want to have software arriving on your servers or at your data center that you may not know about? We actually have them think about how software arrives and propagates inside of the enterprise.
I've been here five years. Five years ago when you sat with people and had that discussion, in many cases it was a foreign discussion, having them think so proactively about security. But the world has changed in the last 24 or 36 months, and when you meet with organizations about this now, I think their heads are much more along this line — not just about my solution, but I think in general around security.
So our heritage, the company's heritage is focused on flipping them all the other way. Let's only allow trusted software to run inside of an enterprise. We do that with a pretty traditional three-tier model. We have a piece of software that sits on a machine, whether that's your laptop device or it's a server sitting in the data center, and then we have a central on-premises console that enables the IT organization, the security organization, to manage the solution.
Then we have a set of cloud-based services that help enable the technology. Our technology does two fundamental things. The first thing it does is it sits on that machine and watches everything, and it does it all in real time. It records everything that's happening on that machine. The second thing it does is it actually implements policies and only allows certain things to run. And you can run the product in either mode. If you run us with policies turned on, which means we're only going to allow certain software to run, that enables you to stop software, APTs [advanced persistent threats], that you've not seen before.
It's very easy to buy malware that organizations can use to get into your company or my company or others. There's a lot of that out there and available on the market. We say if we don't know what the software is we're not going to allow it to run, because we don't trust it and we don't know it. That's the policy-based engine, and that's enabled us to do some really interesting things over the last few years. We stopped Flame. We stopped Stuxnet. So in that mode we only allow trusted software to run. And we help enterprises that are highly targeted by the APT to protect their IP.
How does the cloud piece of that fit in?
There are two ways you can define trust. One way you can define trust is by allowing IT to decide what they want to allow or not allow inside the environment. So IT would say: "I'll trust anything that I push out or I'll trust Microsoft or IBM." That's easy for software that I push out, but many users pull software down from the Internet all the time.
In the cloud we have a number of services. One of the services that we have up there is a reputation service that allows the IT organization to essentially say to their user community: "You can download anything you want as long as Bit9's Reputation Service says it's trustworthy. You can download it and we won't interfere." That's oriented towards the stronger enforcement side around "I really want to stop that stuff from happening."
We have over 1,000 customers today. Many of them are in the global 5,000, tremendous brands across a lot of different verticals, very horizontal. We've seen a lot of oil and gas in the last 12 months, a lot of critical systems in the last 12 months. We have a lot of high-tech customers. For the last four and a half years we have built up a clientele of companies that needed to stop APTs and were using us to only allow trusted software to run. Last fall we had a set of customers come to us — three of them actually, two of which were tech companies in the Bay Area — and say: "We want to show you how we're using your product in a way that's different than the way you're positioning it today, and it's very, very powerful for us."
We record everything in real time and they were using all of that data, all the information that we provide, to do a lot of the core activities around response, responding to the malicious actor. Just to give you a few examples, one of the customers was taking all of that data, and any time anything happened inside the enterprise, they would use our data for their IR [incident response] team to figure out well, what happened on John's machine? I can see exactly what files executed, what registry changes were made. I can see if memory changes were made. I can track all that using the Bit9 data. They were using us from a response standpoint.
We had another customer who had built a set of threat indicators. They would take all that recording and they would look for anomalies that were indicators of APTs. Something gets executed out of the recycle bin. Adobe Acrobat drops an executable file. Why would you ever do that? That's a common approach. You've got extension names in files that are nonsensical. They had built a set of indicators looking for APTs that actually were quite successful. That same customer had also done some integration with their network products as well. So last fall we talked to these customers and we made the decision to productize a lot of these offerings — less around the enforcement side, which is the trust-based, only allow trusted software to run, and more around providing intelligence and response capabilities to these highly targeted organizations.
From a functionality standpoint, we've essentially said we provide four things for our customers in the Bit9 Security Platform. We provide them with visibility, we provide them with detection, we provide them with forensics, and we provide them with protection. So those four fundamental areas are where we can help highly targeted organizations deal with advanced persistent threats.
You mentioned that one of the things in the cloud is Reputation Services. What else is in the cloud?
Those indicators that I talked about, what we call ATIs, Advanced Threat Indicators, are in the cloud and get pushed down to customers. And as our threat team sees new things in the market, they develop new ATIs to get put up in the cloud and get pushed down to customers. Tremendously valuable because as a customer, as I consume these ATIs, they show me places where an APT is and they do it in real time and it's a great detection methodology.
In this mobile world we have lots of people like me who are downloading stuff to phones all the time. How does your solution provide protection in a mobile environment?
Today we offer our solution on Windows. We're announcing Mac GA [general availability] to customers. We've been in Mac LA [limited availability] since the fall of last year. We're going to have a similar announcement in Q3 on Linux. On the mobile side we've been underway with a mobile project internally since last year, and we haven't made any public announcements yet. But the basic idea on mobile, it will follow the model we're in right now, which is to provide organizations with real-time intelligence, visibility on the front end, and then protection if they want that as well. We're going to do the exact same thing on mobile. The same strategy holds true. And we'll make those announcements in the second half of this year.
When you make the Mac announcement, does that cover all the Apple operating systems or specifically operating systems for desktop?
It's the OS X stuff, the Mountain Lion, Snow Leopard, all those.
In terms of this reputation service, how do you decide that something is trustworthy?
We gather executable content of software that's being used out there. We have a number of indicators that go into our assessment. Who's using it out there right now within our customer base? Who published it? Do we know that publisher? Do we know where the software actually came from? What are others saying about that? In addition to our own information and our own research team, we also leverage other feeds. We use all of that to come up with a threat score as well as a trust score. That tells us how trustworthy that software is. We go in at the hash level.
One of the interesting things that we've seen is that the malicious actor out there is using software that's valid to embed files to get into organizations. One of the examples that I give is that we had a customer who had built a solution that incorporated Google Earth. When we installed our product, the first thing our reputation service said was Google Earth is not trustworthy. Why isn't Google Earth trustworthy? Because there was a file in there that was a malware dropper. They changed one file in Google Earth. What they were building was quite sensitive.
Are your products replacing other security products, or do they complement the kinds of security tools people already have in their environment?
The world has changed. Organizations recognize that. The current AV Suites out there are like low-end insurance. I want it there but they're really not that effective. There has to be a new paradigm. So in the data center we're a replacement. Customers will put us in as the primary protection mechanism in the data center on their servers. On the endpoint, certainly in some environments they'll use us as a replacement technology.
But increasingly what we see is they're laying us on top of their EPP Suite as another platform that's all around next-gen protection, but also around response and real-time intelligence. Over the last few years, companies have spent millions of dollars buying lots of new products on the network side to gain new visibility. I bought Xen technologies. I bought a network analysis product. I bought a malware analysis product like FireEye, next-gen firewalls like Palo Alto. On the endpoint I haven't done a lot of new things. I've been using the same stuff we've been using for 20 years. You've added all that functionality on the network, where I've really increased my visibility into what's happening. I have to do the same thing on the endpoint. We provide a great new mechanism to do that. I was out yesterday on the West Coast visiting a customer of ours who's a Fortune 50 customer. This is the exact discussion that we had. The fact is that by us providing this visibility and this intelligence on endpoints and servers, we really help provide, for the IT security organization, a much more holistic view of what's happening in their environment. That's why we announced these partnerships with FireEye and Palo Alto Networks with the goal of providing our customers and our joint customers with the full lifecycle from the network side all the way down to the endpoint and back, so that IT organizations can understand exactly what's happening.
From an IT or security person's point of view, how does this change their life? Where does it reduce work? What do they focus on differently?