The five-minute CIO: Greg Day, Palo Alto Networks

10 Jun 2016

Greg Day, VP and regional chief security officer EMEA, Palo Alto Networks

“The biggest challenge today is people. There are just not enough skilled IT security practitioners out there,” says Greg Day, VP and regional chief security officer (CSO) EMEA at Palo Alto Networks.

Greg Day has more than 30 years’ experience in dealing with IT security.

In his role at Palo Alto Networks, one of the fastest-growing IT security players in the world, he oversees the company’s regional security operations and is responsible for regional cybersecurity strategy and the development of threat intelligence, security best practices and thought leadership for Palo Alto Networks in EMEA.

Based in Santa Clara, California, Palo Alto Networks is a network and enterprise security company whose core products include advanced firewalls designed to provide security and granular control of network activity based on apps, users and content.

Founded in 2005 by Nir Zuk, a former engineer from Check Point, the company makes close to $1bn in revenues annually.

Day’s colleague Stuart Borgman, director of Cybersecurity Engineering at Palo Alto Networks, will be addressing a Cybersecurity Briefing taking place in the Aviva Stadium, Dublin, on 15 June next, organised by Magnet Networks.

Can you give a perspective on how the role of chief security officer has changed?

I guess the role of CSO has changed in the last few years from being the traditional defender of technology to now being somewhat more aligned to the business and the business enabler. I have a three-way divide between trying to keep pace with the digital transformation that the business is going through to understand what risks that creates.

The role has gone from mitigating all those risks to educating the business to what those risks are so we can make a collaborative decision.

That ties into the second bit, the risks themselves are changing. What are the threats that will impact the IT we are using?

And the third part of that is regulation, which continues to evolve and that really is the requirement against us to conform to.

The big thing in the pipeline is the reform of the General Data Protection Regulation and the EU Network and Information Security (NIS) directive that is coming out.

How does Palo Alto Networks tackle threats in a different way to its competitors?

I think Palo Alto has a clear goal: how do we enable confidence in today’s and the future digital world?

Our remit is how do we manage risk? How do we find, detect and prevent the cyber risks to the same level of confidence we apply to every other form of risk in life?

I’ve worked in the industry for over 30 years. We built out a very complex myriad of cybersecurity tools across the security industry but, actually, the biggest challenge today is people. There are just not enough skilled IT security practitioners out there.

How do you as an industry propose to get around the talent problem?

Why is it we are challenged to deal with the threats we face today? Because we historically solved each problem as it came along and, therefore, we find most organisations have a complex array of security products that all require humans to not only manage and make them function but also join together the dots to know what’s going on.

It’s a bit like the police looking for a photo fit, but I’ve got four policemen in four police stations and one is looking at eye colour, the next is looking at hair, the next is looking at facial shapes and the last one is looking for tattoos. How do you make an informed decision?

The remit of Palo Alto Networks is how do we build something that is fit for purpose? That means we need to build something that is designed for how we use the internet today rather than the theory of it.

A simple quick example of this – traditionally, the internet was built around this idea that every application would have its own communications channel and there are tens of thousands of those available, so we built traditional firewalls based around that concept.

The reality is everything goes around encrypted versions of those and so we have thousands of applications using only a few channels. So we have a tool designed decades ago around the theory and the practical reality of how we use the internet today is very different.

At Palo Alto, we have fundamentally built tools that are designed for the way we use the internet and we call that the Zero Trust Model.

How does the Zero Trust Model work?

We shouldn’t just trust the internet, but base it on business process and business activity.

The biggest thing for us was how do we make cybersecurity as digital and efficient as the technology it is designed to protect and the criminals we are defending against.

If we have fragmented tools that we are waiting for humans to come up with the answers for then we are always going to be behind the curve.

The next thing we needed to build was an architecture that is technically efficient that only does things once rather than duplicating them. And an architecture that through one single pass selectively does the bits of analysis and joins [the information] together into a consolidated answer – the big-picture view of the problem.

Then, of course, the big challenge is I have to scale that across the different ways we use technology – whether network, data centre, cloud services, mobile users, traditional users, you name it.

So what I need is a platform that lets me link those things together and that’s our focus.

Who is winning in cybersecurity:, the attackers or the defenders?

It is very easy for organisations today to feel they’ve lost the battle against cyber threats and therefore start getting into recovery mode, we see a lot of that. Incidents happen, sometimes we get better at responding, but actually that doesn’t mean we should give up the fight.

We have learnt a lot over the last 25 or 30 years but one of the biggest lessons is criminals are very efficient, very automated and very collaborative and organised. And in the protection and defensive space we haven’t made that transition as an industry.

We should be sharing our knowledge and experience. We should be collaborative on the intelligence.

As a security industry, we instigated this several years ago through the Cyber Threat Alliance, we should be sharing that knowledge and intelligence so that we can all deliver the most effective and intelligent security detection and prevention as possible to customers.

At a technology level, as an instigator of this in my own business and when I talk to other organisations, we have to realise the biggest shortcoming is people and we need to leverage them in the smartest and most efficient way.

We have developed a platform that automates this as much as possible to make sure that security is working at the same speed as the business and the technology it is based on.

Hackers appear to be attacking data and encrypting it in return for a ransom. How do organisations defend against this?

The core bit for every business is they need to stop and reflect on what it is they are relying on technology for to make their business profitable. That’s been a challenge because often they get caught up.

Businesses will say ‘here’s my annual threat report and we’ve seen Xpc increase in this and Y in that’. That’s all fine, but what is more important is how that impacts your organisation.

One of the real growth areas has been in ransomware and ransomware is a logical step where cyber-criminals realise that stealing credit card information has dropped in value – they ask themselves “how do I get something that really makes a better return? If I encrypt your data I can get anything from $250 up to tens of thousands of dollars to get it back.”

We have certainly seen a real growth in that space but when I come back to the business – what is your dependency on your data?

For us, that would be our source code, our client databases, right through to the updates we are getting out to customers. I need to look at where that information is, the resiliency of that data and the controls that I put around those bits of information to make sure they are not susceptible to ransomware.

Interestingly, I was just having a look at what has happened in Ireland since 1 January and it’s typical to what I see all over the world. There are peaks and troughs, there are days when, from the customers we work with and share intelligence with, we saw nothing, right through to, interestingly enough, around 25 May [where there was] a huge spike of up to 20,000 new incidents happening in that day focused around LOCKY and DRIDEX, two prolific bits of ransomware and other tools. Purely looking at the Ireland space, the attacks were focused on the professional services market. We see peaks and troughs as criminals go “it worked well here, let’s go over to a new geography or industry”.

For me there are a couple of things here: I need to have that on-going vigilance, if I am an organisation in Ireland or the UK to ask “what are the things that will impact me today, tomorrow or next week? What are the things I can do to filter down the 300 new threats generated every couple of minutes and the new vulnerabilities we see every day to the ones that are actually going to have impact on my organisation?”

And then I need to decide if I have the controls in place to detect and mitigate those.

Intelligence in many ways is one of the most valuable commodities we’ve got to help us focus in on the things that will give us the greatest resiliency for our businesses.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years