


By John Gallant, IDG Enterprise Consulting Director

Bit9 CEO: Trust-based model the new weapon in war against malware

Jul 11, 2013 | 26 mins
Application Security, Cloud Security, Cybercrime


Bit9 thinks you're fighting a new war using old weapons. The Waltham, MA-based company says traditional security products are no match against today's malware and advanced persistent threats, and that a new approach -- one based on trust -- is better suited than blacklists and other reactive solutions.

In this installment of the IDG Enterprise CEO Interview Series, Bit9 chief executive Patrick Morley explains how the company’s security platform changes life for security pros and he talks about Bit9’s plans to make securing mobile devices easier. He also discussed the company’s partnerships with network-based security solutions like FireEye and Palo Alto Networks, and explored the changing role of the CISO in corporate America.

John Gallant: Give me the background and history of Bit9. What problems did you set out to solve and what have you accomplished since you launched?

Patrick Morley: The original hypothesis behind Bit9 was that we were doing security the wrong way. For the last 20 years we've been focused on trying to find all the bad in the world and stopping the bad. What we've seen over the last few years is that that approach, that black-listing approach, trying to find and stop all the bad, does not work.

When the company was founded there was a vision that people would wake up one day and realize this, and that the right way to focus security was really a different type of model, one that was more proactive, one that was positive, and that was really based on the concept of trust, the same way we run our own lives. Essentially, I trust you or I trust someone that you trust. The general hypothesis behind the company and the vision was that we're going to build a technology that allows organizations to only allow software to run that's trustworthy.

How do you put that into action, this concept of trust and a network of trust?

Conceptually it’s easy for people to get, but it actually is harder to do than you would think inside of a lot of enterprises. And I don’t mean from a technology standpoint. I mean for people to actually realize that the right way to do security is to not be reactive. It’s not to just slide a network device into the rack or deploy a piece of software on the endpoint, but to actually think through more holistically the strategy on how security should be architected inside of the enterprise.


One of the things that we ask organizations to do as part of our solution is that we ask them to think through who should be running what inside of an enterprise. Do you really need 7,000 employees to have access to anything that they want on the Internet? Do you want to have software arriving on your servers or at your data center that you may not know about? We actually have them think about how software arrives and propagates inside of the enterprise.

I’ve been here five years. Five years ago when you sat with people and had that discussion, in many cases it was a foreign discussion, having them think so proactively about security. But the world has changed in the last 24 or 36 months, and when you meet with organizations about this now, I think their heads are much more along this line -- not just about my solution, but I think in general around security.

So our heritage, the company’s heritage is focused on flipping them all the other way. Let’s only allow trusted software to run inside of an enterprise. We do that with a pretty traditional three-tier model. We have a piece of software that sits on a machine, whether that’s your laptop device or it’s a server sitting in the data center, and then we have a central on-premises console that enables the IT organization, the security organization, to manage the solution.

Then we have a set of cloud-based services that help enable the technology. Our technology does two fundamental things. The first thing it does is it sits on that machine and watches everything, and it does it all in real time. It records everything that's happening on that machine. The second thing it does is it actually implements policies and only allows certain things to run. And you can run the product in either mode. If you run us with policies turned on, which means we're only going to allow certain software to run, that enables you to stop software, APTs [advanced persistent threats], that you've not seen before.

It’s very easy to buy malware that organizations can use to get into your company or my company or others. There’s a lot of that out there and available on the market. We say if we don’t know what the software is we’re not going to allow it to run, because we don’t trust it and we don’t know it. That’s the policy-based engine, and that’s enabled us to do some really interesting things over the last few years. We stopped Flame. We stopped Stuxnet. So in that mode we only allow trusted software to run. And we help enterprises that are highly targeted by the APT to protect their IP.

How does the cloud piece of that fit in?

There are two ways you can define trust. One way you can define trust is by allowing IT to decide what they want to allow or not allow inside the environment. So IT would say: “I’ll trust anything that I push out or I’ll trust Microsoft or IBM.” That’s easy for software that I push out, but many users pull software down from the Internet all the time.

In the cloud we have a number of services. One of the services that we have up there is a reputation service that allows the IT organization to essentially say to their user community: "You can download anything you want as long as Bit9's Reputation Service says it's trustworthy. You can download it and we won't interfere." That's oriented towards the stronger enforcement side around "I really want to stop that stuff from happening."

We have over 1,000 customers today. Many of them are in the global 5,000, tremendous brands across a lot of different verticals, very horizontal. We’ve seen a lot of oil and gas in last 12 months, a lot of critical systems in the last 12 months. We have a lot of high-tech customers. For the last four and a half years we have built up a clientele of companies that needed to stop APTs and were using us to only allow trusted software to run. Last fall we had a set of customers come to us -- three of them actually, two of which were tech companies in the Bay Area -- and say: “We want to show you how we’re using your product in a way that’s different than the way you’re positioning it today, and it’s very, very powerful for us.”

We record everything in real time and they were using all of that data, all the information that we provide, to do a lot of the core activities around response, responding to the malicious actor. Just to give you a few examples, one of the customers was taking all of that data, and any time anything happened inside the enterprise, they would use our data for their IR [incident response] team to figure out well, what happened on John’s machine? I can see exactly what files executed, what registry changes were made. I can see if memory changes were made. I can track all that using the Bit9 data. They were using us from a response standpoint.

We had another customer who had built a set of threat indicators. They would take all that recording and they would look for anomalies that were indicators of APTs. Something gets executed out of the recycle bin. Adobe Acrobat drops an executable file. Why would you ever do that? That’s a common approach. You’ve got extension names in files that are nonsensical. They had built a set of indicators looking for APTs that actually were quite successful. That same customer had also done some integration with their network products as well. So last fall we talked to these customers and we made the decision to productize a lot of these offerings -- less around the enforcement side, which is the trust-based, only allow trusted software to run, and more around providing intelligence and response capabilities to these highly targeted organizations.

From a functionality standpoint, we’ve essentially said we provide four things for our customers in the Bit9 Security Platform. We provide them with visibility, we provide them with detection, we provide them with forensics, and we provide them with protection. So those four fundamental areas are where we can help highly targeted organizations deal with advanced persistent threats.

You mentioned that one of the things in the cloud is Reputation Services. What else is in the cloud?

Those indicators that I talked about, what we call ATIs, Advanced Threat Indicators, are in the cloud and get pushed down to customers. And as our threat team sees new things in the market, they develop new ATIs to get put up in the cloud and get pushed down to customers. Tremendously valuable because as a customer, as I consume these ATIs, they show me places where an APT is and they do it in real time and it’s a great detection methodology.

In this mobile world we have lots of people like me who are downloading stuff to phones all the time. How does your solution provide protection in a mobile environment?

Today we offer our solution on Windows. We’re announcing Mac GA [general availability] to customers. We’ve been in Mac LA [limited availability] since the fall of last year. We’re going to have a similar announcement in Q3 on Linux. On the mobile side we’ve been underway with a mobile project internally since last year, and we haven’t made any public announcements yet. But the basic idea on mobile, it will follow the model we’re in right now, which is to provide organizations with real-time intelligence, visibility on the front end, and then protection if they want that as well. We’re going to do the exact same thing on mobile. The same strategy holds true. And we’ll make those announcements in the second half of this year.

When you make the Mac announcement, does that cover all the Apple operating systems or specifically operating systems for desktop?

It’s the OS X stuff, the Mountain Lion, Snow Leopard, all those.

In terms of this reputation service, how do you decide that something is trustworthy?

We gather executable content of software that’s being used out there. We have a number of indicators that go into our assessment. Who’s using it out there right now within our customer base? Who published it? Do we know that publisher? Do we know where the software actually came from? What are others saying about that? In addition to our own information and our own research team, we also leverage other feeds. We use all of that to come up with a threat score as well as a trust score. That tells us how trustworthy that software is. We go in at the hash level.

One of the interesting things that we’ve seen is that the malicious actor out there is using software that’s valid to embed files to get into organizations. One of the examples that I give is that we had a customer who had built a solution that incorporated Google Earth. When we installed our product, the first thing our reputation service said was Google Earth is not trustworthy. Why isn’t Google Earth trustworthy? Because there was a file in there that was a malware dropper. They changed one file in Google Earth. What they were building was quite sensitive.

Are your products replacing other security products, or do they complement the kinds of security tools people already have in their environment?

The world has changed. Organizations recognize that. The current AV Suites out there are like low-end insurance. I want it there but they’re really not that effective. There has to be a new paradigm. So in the data center we’re a replacement. Customers will put us in as the primary protection mechanism in the data center on their servers. On the endpoint, certainly in some environments they’ll use us as a replacement technology.

But increasingly what we see is they're laying us on top of their EPP Suite as another platform that's all around next-gen protection, but also around response and real-time intelligence. Over the last few years, companies have spent millions of dollars buying lots of new products on the network side to gain new visibility. I bought Xen technologies. I bought a network analysis product. I bought a malware analysis product like FireEye, next-gen firewalls like Palo Alto. On the endpoint I haven't done a lot of new things. I've been using the same stuff we've been using for 20 years. You've added all that functionality on the network, where I've really increased my visibility into what's happening. I have to do the same thing on the endpoint. We provide a great new mechanism to do that. I was out yesterday on the West Coast visiting a customer of ours who's a Fortune 50 customer. This is the exact discussion that we had. The fact is that by us providing this visibility and this intelligence on endpoints and servers, we really help provide, for the IT security organization, a much more holistic view of what's happening in their environment. That's why we announced these partnerships with FireEye and Palo Alto Networks with the goal of providing our customers and our joint customers with the full lifecycle from the network side all the way down to the endpoint and back, so that IT organizations can understand exactly what's happening.

From an IT or security person’s point of view, how does this change their life? Where does it reduce work? What do they focus on differently?

We provide benefits in two major areas. On the network side, I now have technologies that are analyzing all the content that's coming into my enterprise and telling me if it's malware or not. So analysis or detonation products saw something go through on an email to John. I did an analysis of that and it was malware. When they see that that malware goes to your machine, what can't be seen from the network side is whether this actually gained a foothold on John's machine. There's an investigational process that organizations have. They look at your machine to see whether the malware actually executed. If it did, what did it lay down and what do I have to do about it?

By combining the network side with the endpoint piece, and doing all of that in real time, I can dramatically reduce my response times. For a SOC team or an IR team, I reduce the number of hours it takes me to figure out whether I have to worry about John’s machine or not. I can do it in seconds. Very, very powerful, and a very direct impact on their security posture. It makes them more secure. The real-time intelligence piece helps make SOC and IR teams more effective and reduces investigation times and response times.

If you run us in enforcement mode -- I only want to allow trusted software to run -- then we first put you in a better security posture. The second thing is I can reduce the number of malware outbreaks I have and my reimaging costs go way down. I was at a customer yesterday, 3,500 users in the company, and they are getting 850 malware hits on machines, 850 users a year are getting hit with malware, and 75 percent of those get reimaged. So that means that they’re reimaging 600+ machines a year.

That’s a huge amount of work.

You got it, especially for a small team.

Why would somebody not run the product in enforcement mode?

Increasingly, what we see organizations doing is running us in enforcement mode in the data center, running us in enforcement mode on critical users' machines and then for the whole community they'll run us in a visibility or a detection mode where we're just watching and recording everything. Then they'll actually leverage us in conjunction with their network devices to be able to respond very quickly.

Is that because this has a significant impact on the user experience?

No. It primarily goes back to where they are in their evolution as an IT security organization. If you’ve had strong operational oversight and understanding of who should be running what in the enterprise, and you understand where all your software is coming from and who’s running what, then to implement us in a high protection mode is relatively straightforward. Many companies out there allow their users to do anything they want at any endpoint and they’re in a state of transition: “We need to get to a point where we actually have a better understanding of what people are laying down on their machines. But I know I’m unprotected right now. I’m really scared about the APT. I’m getting hit all the time. So Bit9, I’m going to deploy you in the places where I have control. I’m going to deploy you there in enforcement level and in other places I’m just going to put you everywhere so that you can help me respond if an incident does happen.”

Typically when someone installs, what do they find out right away?

Every customer is shocked. Honestly, every customer is shocked at what they find. And usually what they're surprised at is what software is in their environment, and how software is arriving into their environment, especially from multinational companies. The pattern that we see again and again is where headquarters is in Europe, in Western Europe, in the U.S., in North America, their IT processes are pretty strong, but they'll have groups outside of the core headquarters that have set up an FTP site or set up a set of servers that are not even under IT control. They're downloading software from those and they're totally going around the normal processes inside the company, which really opens up big holes for the company from a risk standpoint.

What does it cost to deploy?

We’re a subscription-based product and we charge $20 an endpoint for a desktop, laptop machine, and we’re right around $200 per server. It depends really on size and scope.

With all this information you collect, do you do alerting to customers about things you're seeing in other environments?


How does that take shape?

Through those ATIs that I talked about. As those ATIs go down, those get updated very regularly and what they show customers, where they have a risky piece of software in their environment, and they’re instantly alerted when the ATIs run. The ATIs are all in real time, so if they see anything that happens across all of those machines in real time, they’ll alert the IT organization. By the way, I just said this, but there is no other technology today on the endpoint that in real time records all of those resources. There’s nothing else out there today that does that. If something hits your machine, the IT organization gets a call and then someone’s got to remote into your machine or they’ve got to come and visit you, and then they’ve got to spend a couple of hours and try and figure out: What did John get hit with? How bad is it? Do I have to reimage it? They’re kind of blind. So what happens is a lot of times they just end up going through the 12-hour exercise, or reimaging, or whatever it takes. The fact that we’re recording all that information is very, very powerful for the SOC teams and the response teams and even for IT ops to understand what the heck just happened.

In an environment where people are using more and more cloud services, how does it help protect against problems when you have people using SaaS or PaaS or other things like that?

The same way. From a malware standpoint, if I’m using cloud services and data is getting exfiltrated out and they’re using valid credentials, we would not help with that. But if you’re using a service that’s been compromised in some way and there’s an attempt to try and lay anything down on a machine, a piece of malware, anywhere inside the environment, we would see that and we would understand exactly what was happening and we would give you an assessment on is it good or bad and tell the IT security team what’s happened.


Who do you compete against?

Status quo.

So, the first thing is to get people to understand how you approach this differently. What’s the hurdle and what gets them over that hurdle? That has really changed in the last couple of years. Most CISOs I meet now are very regularly briefing the executive team. They may be a member of the executive team. They’re briefing the board. With all of that awareness comes, for us, the benefit that they recognize that their current solutions just don’t work and they need a new approach. From a product comparison standpoint, as the CEO I’m slightly biased, but I would tell you that for what we do today there is no other vendor out there that is doing what we’re doing on endpoints of service.

Understanding that the world has changed. One of the biggest changes that we’ve seen is that the CISO a few years ago never had access to the board, was not someone who carried a lot of power inside of organizations.

Are you seeing the traditional security vendors start to change their approach along the lines of what you’re doing?

Yes, and that's true with the large vendors out there, the Symantecs of the world, the McAfees of the world, where they're more focused on understanding what the trustworthiness is of software running inside of the enterprise. They're certainly more focused on that.

So what will keep them from catching up with you?

We’ve spent five years building out our IP in this area. It’s easier said than done to build a true trust-based model. There’s a lot of legacy inside their products coming from the black-listing side and the way they viewed the world. It really does take a big shift. Obviously we’re as paranoid as any company to make sure we’re staying ahead. But I think it’s going to take them a bit to catch up. I would also say that on the real-time intelligence and the visibility pieces that we’re offering, to do that in real time at scale across 100,000 machines takes a lot of work to get that IP right, and we’ve done that. We think that’s a real advantage.

You mentioned policies and people implementing these policies. Do you give them help on how to do that? How difficult is it for customers to determine what their stance is going to be if they’re going into enforcement mode?

Again, it depends. It depends on how organized they are. We certainly provide assistance on helping them think through how to implement the product. We’re not a service-intensive product -- 3000-5000 machines, we’re going to need to provide them with 5-10 days. It’s not a lot. Most of the consulting that we provide is actually advising them to think through: How do you want software to arrive inside your environment? Most companies will run our product in the visibility mode or the intelligence mode, where we’re just watching. They’ll watch, see how people are bringing software into the environment, and then they use that to build their policies.

Makes perfect sense. You had mentioned some partnerships. Talk about your ecosystem. Who are the people that you work with to enhance the product and get the product out to a wider audience?

There’s been over the last few years a set of security-focused vendors in North America and Europe and in Asia, the organizations that are very focused on selling the next generation of solutions in security. So we use security-focused, value-added resellers out there worldwide, and domestically companies like Yakima and Fishnet and Forsythe. Then we have a number of technology partners as well, organizations that we work with and we integrate with. We mentioned FireEye and Palo Alto on the networking side. We also have relationships with the SIM [security information management] vendors, HP and IBM, because we integrate with their products.

We’re a key component for a lot of SIMs out there. In addition, we also have a number of IR partners. When they’re responding to an incident they’ll typically go in, work with a customer on something that’s just happened, and then they’ll recommend us as a solution, both in the data center and on the endpoint.

Do you have any partnerships with service providers who offer managed security services? Because this seems like it would be a great approach for them to incorporate.

We don’t in an official capacity. We have some service providers out there who offer us. We actually will provide that service ourselves, so we have the capability to manage for customers our implementation. We started that just this year. We have a number of customers who do that, very small organizations, up to organizations that are very large, 60,000-70,000 users that we’re managing for them. So it’s a great offering for organizations that really like what we offer but want to outsource it.

What's next? How do you continue to develop the product and the technology?

We’re very focused right now on extending the platform in some of the areas I talked about, kind of closing the loop with the network side. We’re investing in partnerships that really provide our customers with a lot of value on understanding what’s happening inside their enterprise. All of that, that intelligence, the detection capabilities, the response capabilities, very focused on continuing to extend the platform that way. And then we talked a bit about other platforms. That’s the other big area we’re focused on. Mac and Linux and mobile, and making sure that we can give our customers a holistic view across all their different endpoints.

How does that work when you’re talking about smartphones and tablets where people are downloading lots of apps? It’s really an app world there. How do you envision it working in that environment?

Think about the model I just described. Take a step back and you say -- okay, what does Bit9 do? We really do two things. We're giving you intelligence about what's happening, and then we allow you to enforce policy around trusted stuff. Think about iOS. That's essentially what Apple has done with their phone, their whole community. It's all about: I have to vet this. I have to trust it. Android is more of the Wild West, so our basic premise is to do the exact same thing that we've been doing historically, where we're showing a lot of value for our customers, and do that in the mobile world. One of the big challenges right now is that our organizations lack visibility and understanding of what's on all those devices that their users are bringing in the environment every day. And that is where we can provide a lot of value.

So do you see that augmenting or replacing mobile device management?

Augment. MDMs today primarily fulfill on the vision where we thought the industry was going five years ago, where the IT operations and IT security platforms would all come together, and never quite got there on the traditional laptops and PCs and Macs. But on mobile, that’s what MDM is doing. It’s an operational product that also has security capabilities. For hardcore security teams that are investigating very serious attacks and very serious stuff, the MDMs do not provide the level of security intelligence that they need.

So would you know, for example, as part of your reputation services, that even if Google doesn’t know it, the things in the Play store are okay to download?

Yes. And then you have to combine that with the relevant data. If I have 10,000 users running 100,000 or 200,000 different applications on those devices, I want to know where my risk exists on those devices.

What should we expect from Bit9 in the next year?

We’ll continue to help our customers protect themselves, protect their IP and help their businesses do well in this new world order that we’re all sitting in from a security standpoint. That’s what we’re totally focused on, supporting those customers and making them successful from a security standpoint. Organizations today need to put themselves in the best possible security posture, and on the endpoint and the server side in the data center, Bit9 is a company that can help them do that by providing them real-time visibility and intelligence on what’s happening and by only allowing trusted software to run. So we can save money and make them secure.