The breaches and cyberattacks expected to increase in 2017 are bound to give security professionals more sleepless nights. CSOs are largely unsure how to plug the gaps on both sides of security, network and endpoint, in the IT infrastructure posture at their companies. Samu Konttinen, president and CEO of F-Secure, spoke with CSO India in a detailed conversation during an India visit about the threat landscape, competing vendors and the future of cybersecurity.
You have been at the helm of F-Secure since August 2016. What have been your top priorities in this role?
F-Secure is not a startup but compared to industry giants like Symantec, we are much smaller. We cannot pretend to be the cybersecurity supermarket where you get everything. Hence we are extremely focused on competing with ‘best in class’ solutions in the areas we operate.
In the B2B space, the end point is expanding from the traditional AV prevention and moving towards detection capabilities. Some vendors call it next generation, some call it EDR (Endpoint Detection and Response). There’s a paradigm shift in endpoint wherein one cannot rely on security solutions to stop everything. The bad guys are so skilled and so persistent that if they target your company, they will eventually get into the network. Your security solution should have the capabilities to detect the intruder ASAP as you cannot stop them. The expansion on the end point side is more about detecting behavior-based anomalies which traditional AV or ‘best in class’ firewalls can’t figure out.
Secondly, we are expanding into vulnerability management, which is an interesting area. F-Secure is currently the only vendor with a value proposition of a combination of end point and vulnerability management and patch management (part of the end point portfolio for a long time). End point protection, vulnerability management and patch management create a logical and holistic solution for CSOs and CISOs of organizations.
We are also exploring some of the new threat attack vectors in the cloud. A couple of months ago, we announced a tie-up with Salesforce.com as the only cybersecurity vendor to provide an additional layer of security for the Salesforce environment.
F-Secure is rapidly shifting its focus from consumer business to B2B. How’s the report card been so far?
The shift to B2B business began three years back. Today 50% plus of the company’s top line comes from B2B. The consumer market is becoming increasingly different as more consumers switch to free security solutions in today’s app economy. Some of our competition feel this model is fine. But if the free product actually digs into the consumer’s information and data then that security company is violating the consumers’ privacy. We are not tapping into this free ad-funded data-funded business model and hence we are shifting our investment away from B2C towards B2B.
We are in good shape and growing faster than the market rate. But we are extremely cautious and much focused as we cannot ignore the widespread competition from big security boys in the marketplace. We have to be ‘security specialist’ and elevate our endpoint security playfield.
Isn’t endpoint player F-Secure missing the bus with the ‘network security’ game?
Actually it’s the opposite. Three to four years ago, there was a big gold rush in the network security space around gateways, next-gen firewall etcetera. But the tables have turned. Endpoint is the new sexy again. Because people have realised that the targeted criminals want to breach the end points, which are always their ultimate target. The sole reason being that there are keys at the end point. Once they hack into the administrative keys from an end point of a company’s employee, they can hack the whole company. End point is always where there is the big issue now.
There is now the emergent trend of cloudification, including in countries like India as well. People are moving their IT to cloud including most of the applications. Organizations are gradually moving their workloads and apps to cloud but endpoints will never disappear. The network security, gateway layer for a company with no on-premise IT becomes limited or irrelevant to an extent.
Some big companies like banks might never go cloud route due to data privacy and other issues. However many companies are totally abandoning their Internal IT especially in the mid-market. Some super big organizations with the army size of IT teams show resistance to cloud for the real reason of the possible job loss of IT folks. Many mid-market companies understand the cloud option to manage IT and dedicate their main focus on their business. F-Secure would continue to be an endpoint centric security vendor.
What about network security companies buying endpoint ones (Palo Alto - Cyvera, FireEye - Mandiant as examples) and vice versa (Sophos buying Astaro and Cyberoam)? Does a holistic strategy mean more deals for security vendors?
It can, provided you are absolutely the best in both of the worlds. We launched rapid detection service (in managed detection space) around six months back. We now have a lot of cases where the customers have bought the machinery from Palo Alto, the sandboxing etcetera from FireEye but they still see attackers have come in. In many cases they have placed F-Secure rapid detection sensors on their end points. Through the Red teams, the attackers pass through Palo Alto and FireEye gear, but once the bad point hit the endpoint where the keys are - our technology flags it.
CSOs and IT managers appreciate the detection on the endpoint which FireEye and Palo Alto could not touch on the network level. This is a unique technology today in end point detection. And we always had good products in prevention space including traditional AV.
How ugly will the face of ransomware be in 2017 and what would be the probable triggers?
It will get worse. Many of the ransomware families are only getting started now though they have existed for years. There is a good chance of the first ransomware cases in the IoT space. Also more Mirai-type hijack cases can happen wherein IoT is harnessed for cybercrime. The IoT space remains vulnerable as IoT providers focus on user experience, cool interface etc and security is not top of mind. I wouldn’t be surprised if there are instances of connected cars forced to be locked. There might be more nation state cyber aggression between countries due to the new USA president.
The murkier threat landscape spells more headaches for CSOs and CIOs.
Many companies’ leadership haven’t figured out the clear path for CSOs though cybersecurity is on their agenda. CISOs often think of their role as a bigger budget to buy hardware equipment and software than in their earlier role as head of IT. Many CISOs get it all wrong, as if buying more stuff would mean no presence of monstrous cybersecurity problems, which is not the case.
CSOs should have a strategic approach and realize that cyber defense is much more of a process. They need to elevate themselves from the IT box to more of a strategic role. CISOs should be partners for the BUs by aligning with company objectives, enabling the business and managing the risks. It’s always the process or the people that mess up great technologies and this most CSOs don’t really comprehend. They don’t take their role holistically beyond an upgraded IT security role.
McAfee exiting multiple product lines including email security in 2015 must have benefited F-Secure with similar solutions.
We benefited a little bit, mainly across Europe. Another big benefit we see in the recent past is from a politics perspective. After the Edward Snowden revelation, more companies are approaching us than ever before as we are not an American company. They don’t want to work with a company with a cyber defense that might be forced to create a back door for the NSA. Organizations will not be relying for all their defense on F-Secure only. They will have a multi-vendor policy with maybe some bit of, for example, Symantec or Palo Alto Networks. This multi-vendor policy is good wherein we are one company with no strings attached to a powerful country’s national surveillance agency.
Being an independent company from Finland and not part of NATO makes them work comfortably with us. They like F-Secure’s good team, great products, well-etched vision and importantly our origin being a different country than America.
Lastly, why are cybercriminals and hackers always one step ahead of the R&D-intensive security industry?
First, the bad guys are not one step ahead…not always. A bad guy is like a striker in the soccer game while the security company is the goalie. Let’s assume we save nine shots out of the ten they aim at the net. But we don’t win as one miss makes them win the game by causing serious damage to the organization. That’s the challenge.
Also many organizations are easy targets for hackers because they haven’t run good vulnerability scanning solutions or the software is badly configured. A bad guy hence need not innovate but attempt the usual attacks with known vulnerabilities. Most companies unfortunately are a bit lazy, primarily due to the digitalization (everything online) environment, which is a new area for them.
Companies can quickly put an app in the online space but the security can be super clunky. Security is more often an afterthought and not in the DNA for most of the companies. However some of them are now understanding the true meaning of holistic cyber defense. And that’s a good sign for the industry.