Tuesday, December 27, 2011

2012 – It Isn’t Going to Get Any Better

At this time of year, I am always thinking about the many events that have transpired both politically as well as in the field of security.  I will spare you my political views, but I will provide some thoughts on 2011 from a security perspective.   As I have said before, it really was the year of the hack.  Notable breaches include Sony, RSA, Epsilon, and dozens of others.  These breaches really put a punctuation mark on how vulnerable we are to any sort of competent adversary.    Some breaches transpired over many years and weren't all that sophisticated; however, the RSA breach gave new meaning to the word “persistent.”   What was particularly interesting were adversaries targeting the security supply chain in order to break into their ultimate targets - Lockheed Martin and other companies / governments that use RSA authentication.     While 2011 was a security disaster, what does 2012 hold?  I don’t have a crystal ball, but I will give you a few of my predictions:

#5.  Proposed cyber-legislation will take one step forward and two steps back

I do think that we will make some progress on more comprehensive cyber-legislation to help fight fraud, espionage, and intellectual property theft.  While taking one step forward, we will also be saddled with awful legislative efforts like H.R. 3261, better known as the Stop Online Piracy Act (SOPA), which will have us taking two steps back.  Tackling these hard issues and creating a modern cyber framework is not an easy task; however, one would hope our elected officials could put some focus on something as critical as cyber-security.  Hopefully some of the better-informed politicians will realize this is a layer 8 problem (people) and not solely a technology issue.

#4.  Mobile malware goes mainstream but the world doesn’t end

I know this is a softball prediction; however, I would be remiss not to include it.   We have seen a massive jump in mobile malware from a percentage perspective; however, the overall total is insignificant compared to traditional PC-based malware.  In particular, it was a busy year for Android with a host of malware released into multiple app stores.  While not malware, I particularly enjoyed the details on getting a root shell on an Android device just by using it the way it was designed. Even though iOS has a pretty darn good security model, I still think we will see some headlines next year.  In particular, I am surprised the self-updating mechanism using Lua scripting I talked about at the 2011 RSA conference this year has not been more widely abused.  I do think there will be a few notable security issues that hit iOS next year.

#3.  Mac is back

If I take the Warren Buffett approach to figuring out how well a company is doing by visiting their stores, there appears to be no recession going on in Cupertino.   I have also observed a large increase in executives who have switched over to MacBook Airs as more and more Macs continue to backdoor their way into corporate America.  With that backdrop and Apple’s market share above 15% in most developed countries (not world-wide), we are finally getting to a point where it makes financial sense for the bad guys to target the Mac platform.   In May 2011 we saw the telltale signs of interest in the Mac when Mac Defender was reported in the wild.   More recently we saw DevilRobber used to mine Bitcoin virtual currency.  However, the most troubling is Mac malware being disguised as a PDF document.   I think we have seen this movie before, and it isn’t pretty.  While it won’t be earth shattering, I think we will see some creative attacks against the Mac in 2012.  Most of them will spread via social networks and abuse people’s trusting nature, rather than being anything terribly sophisticated.

#2.  Stuxnet / Duqu: tip of the iceberg

With control systems blowing up, drones falling out of the sky, and general paranoia around embedded systems reaching a fever pitch, we are going to find more advanced versions of Stuxnet and Duqu in 2012.  I still believe Stuxnet was an early generation of what is out in the wild and that the level of sophistication associated with well-funded attacks will be awe-inspiring.   I think any person in security worth his/her salt has to find these advanced pieces of malware fascinating.  So be ready for more entertainment in 2012.

#1.  Calling a Spade a Spade

There is a lot of dancing that goes on when we hear about an APT.  I have worked with many companies that have had some form of APT, and the ones that didn’t just haven’t figured out that they really did.   By and large, many of the APTs appear to have originated in China.    I think this Bloomberg article does a pretty good job of spelling out that China hit 760 companies, and many more that haven’t become public.  Yes, there are the other likely suspects that have a well-organized machine of cyber warriors, but China has been pretty busy over the past few years.  So in 2012 I think we will start seeing more attribution of where these APTs are coming from and not just throwing the overused and politically correct “APT” label on every intrusion.  Being able to decipher the threat from one nation to another is helpful in thinking about how to better protect intellectual property and what resources should be spent on specific defenses.   Most importantly, we can begin to shape what kind of response is warranted in return by understanding “who” is targeting companies, not just “what” malware exists.

I know that it is easy to make predictions and that according to Jack Daniel there are Five Pentagrams of Prognostication.   While I enjoyed his post, I do hope I have given you a few things to think about. Will any of this come true next year?  Who knows, but I will be reporting back at the end of 2012 and grade my performance.   Let me know what you think.  You can reach me at george.kurtz at warburgpincus.com.

Tuesday, November 29, 2011

My New (ad)ventures

There was a lot of speculation last month about my departure from McAfee (now INTC), as reported by Jim Finkle at Reuters.   Well, I can finally confirm that I have left McAfee as part of a multi-month planned transition.   As many of you know, I spent the last seven years in various roles including GM of the Risk and Compliance Business Unit and most recently as McAfee’s Worldwide CTO.  After the acquisition of Foundstone by McAfee in 2004, I candidly didn’t think I would have stayed for as long as I had, but I am proud to be part of the executive team that put McAfee back on track and ultimately sold it to Intel in February 2011 for almost $8 billion.  I have been involved in acquiring many companies over the last decade, and I have been fortunate enough to be acquired twice in my career.   While most acquisitions are exciting, I believe it is always a good time to take stock of what a person wants to be doing long term.  To quote Steve Jobs:

“Your time is limited, so don't waste it living someone else's life. Don't be trapped by dogma - which is living with the results of other people's thinking. Don't let the noise of others' opinions drown out your own inner voice. And most important, have the courage to follow your heart and intuition. They somehow already know what you truly want to become. Everything else is secondary.”

You have to have the courage to follow your heart and be passionate about what you are doing, and for me passion is everything.   I am most passionate about being an entrepreneur and building companies, which is ultimately why I decided to leave McAfee.

So What’s Next?

I am delighted to announce that I have joined Warburg Pincus as an Executive in Residence.  Warburg Pincus is a leading private equity investment firm with over $30 billion in assets under management.  I have known several of the principals of the firm for almost a decade, and we always talked about doing the next big thing together.  I believe the time is right and that Warburg Pincus’ growth-oriented investment style is ideally suited for this space.  Given the highly fragmented security sector, where large players claim less than a 10% market share, there are unique opportunities to solve problems which are not being addressed with existing legacy technologies.  Blacklisting is a good example of a technology long past its prime.  However, most large companies’ main defenses center around technology that was invented during the VHS era.   How many people are still using VHS at home? Exactly.  So why do we cling to the old models of yesteryear to protect our most sensitive intellectual property?

That is a question I have asked myself for some time now and why I am excited to partner with Warburg Pincus.  We are working to assemble a world-class team and looking to acquire technologies that will allow us to build a company focused on solving the most demanding security problems of today – not 20 years ago.  Will it be hard?  Of course.  Will it be fun?  You bet! My mission will be to build an enduring company where people are motivated to solve really hard security problems.

If you think you have an interesting security idea or technology, I would love to hear about it.   If you are a university with technology that you would like to commercialize, I would love to hear about it.  Finally, if you are dying to be on a killer team looking to change security, I want to hear from you.   I can be reached at george.kurtz at warburgpincus.com.

Wednesday, October 5, 2011

This site will be active soon... keep checking back to get an update on my latest ventures.