When founder and CEO of A10 Networks, Lee Chen, flew into London recently, Enterprise Times (ET) got time to talk to him. Chen has grown A10 from a company that delivered hardware devices to a wider security company. It now has its own threat intelligence teams based in the US, Europe and Asia. This gives it an interesting view on what is happening in the cyber security space.
ET wanted to know what the challenges were that Chen was seeing in the market, especially for fellow CEOs. Chen gave us a long list, some of which you’d expect such as blockchain, AI, machine learning, IOT, 5G, DDoS and the wider cyber security landscape. He also highlighted the risk of cryptocurrencies and the security or rather the insecurity of digital wallets.
Cryptocurrencies, mining and cryptomining malware
While governments are struggling to understand cryptocurrencies, Chen said: “Bitcoin is here to stay.” The problem is that unlike fiat currencies, cryptocurrencies are unregulated. They simply rely on privacy rather than stability. The last two years has seen a number of enterprises buy into cryptocurrencies. This is partly as a reaction to ransomware and other attacks. Corporate finance teams are buying these currencies in the same way they would buy a stock of Dollars, Euros or Yen. An increasing number are considering accepting cryptocurrencies in exchange for goods.
This concerns Chen as he feels it makes them open to attack and manipulation. “You can do so many transactions in such a short time that you don’t know who’s doing what. You could attack the currency and really cause billions of dollars of damage.”
So far in 2018, over US$1 billion has been stolen from cryptocurrency exchanges and insecure wallets. Chen points out that: “..people are actually bankrupt because of attack on currency exchange.”
There has also been a consolidation of cryptocurrency mining. Chen said: “The Chinese own, I think, 25 percent of mining. If they go to 50 percent cryptocurrency mining, you could make a lot of money.” This is just the legal mining. A10, like other security companies has seen a rise in cryptojacking. This is where malware takes over a users browser and computer to mine cryptocurrencies.
It is not beginning to threaten corporate IT. There have been reports of cybercriminals using containers such as Kubernetes and Docker to run their mining operations. Chen commented that this type of attack is: “hard to detect from the outside.” He continued: “One thing about Kubernetes is it really allows scale.”
Cybercrime is increasingly consumerised
Chen believes we are seeing an increasing number of attacks because: “The security landscape is now becoming so consumerised. Recently there was an example of a person who is a game player. He went to a website, he has no computer background, and learned about the DDOS attack. He downloads and he attacks the games in a way that allowed him to win. Then he realized, ‘wow, this is so easy for me to do a DDOS attack’ so he started to threaten the government and ask for ransom.
“This young kid, he said, wow, this is so easy. So he actually built a website. He immediately attracted 300 members. Some wanted to pay him to attack. This is somebody with no background in computers. The internet is really powerful in this way. Now almost anybody could go to the internet and learn how to send an attack.”
Part of the problem as Chen sees it, is the proliferation of point solutions. He commented: “If you look at the security industry as a whole today, it’s very much fragmented. You have 300, 400 different point solutions. Longer term this is not really a scale solution. Security is not something you can just buy once, it’s going to work all the time.”
Enter machine learning and AI
To solve the problem we need to think ahead. One of the big cybersecurity challenges is the amount of data and complexity of the landscape. Chen said: “I think the only way in the longer term to really build something, is machine learning and using artificial intelligence.”
This is not just about security vendors. When talking about enterprise IT Chen commented: “It’s impossible for the majority of enterprises to learn all the point so they need machine learning. Intelligent information is what I call it. It’s not really traditional signature it’s about behaviour. You design something that can learn what is normal traffic and what isn’t.”
Chen is not the first person to talk about the need to separate normal and abnormal traffic. The challenge is not easy especially as we have a more mobile workforce with more flexible working hours. Collaboration with colleagues near and far as well as customers and suppliers also muddies the traffic waters.
When we put this to Chen he responded: “You need to be continuously adaptive. The tracking has to be really comprehensive. Not just like the police, who check maybe your ID, fingerprint, face. We have to track everything, any transaction. It takes time, but its sees the patterns that we are doing all the time and it also learns the time that they shift. It helps create policies about those patterns and usage.
“That definition will change over time. So you need to build your profile, so the more you can track, the better. The more sessions you can track, the more applications you can track, the better. So these are ongoing things.”
The challenge with what Chen is proposing is scale. Capturing the data from a few users and then analysing patterns is relatively easy. But what happens when you are dealing with a global organisation and complex systems?
Chen sees cloud as the solution for scaling. Importantly, as a company that started life selling hardware, Chen sees the key to scalability as being software saying: “You have to scale, and then you’ll capture data everywhere. When a breach happens you can go back and track. But that’s even more challenging already, because the size of the data is so massive. You have to do intelligent logging. You don’t log what you can see that’s normal traffic. Don’t log that, log what is abnormal.”
IOT and 5G bring consumerisation, cost issues and DDoS
Both IOT and 5G bring new challenges for security. We are putting IOT inside everything from white goods to security cameras and 5G will allow us to gather vast amounts of data from them. But one of the problems is cost and the lack of knowledge of those organisations making their devices Internet Ready. This means that many devices are insecure but will consumers and businesses pay more for a secure device?
Chen agrees that: “For most IOT devices, the price point could be so low and that means no security. The only way is to get a price point that incorporates security into a chip. When you build security into a chip, that means it’s very limited. I think IOT will be secure, bits that’s probably a dream for a long time. The price point is just not feasible. You can do it with tons of money bit it’s just not going to happen.”
We asked Chen if the French suggestion that device manufacturers should be responsible for devices until the day they are no longer on sale. Interestingly, Chen does not think this is feasible. He says: “This not only a vending issue. It’s a consumer issue. If you’re serving a 200 dollar device cyber security is just not possible.”
When we had the problem with routers 20 years ago, governments threatened regulation. The industry reacted and today routers come with multiple passwords and preconfigured. Chen agrees that it got better but points out that you can always break things. The problem he sees with IOT is scale. The ease with which traffic can be generated to break a network.
But what about the number of IOT devices being connected to corporate networks. These not only provide a risky gateway into the enterprise but they are connected to large Internet pipes. To solve this Chen believes we need better policies. He said: “Policy needs to be comprehensive in a way that because you don’t want your boss to go to office and realise the coffee maker’s been hacked and because its on the network the company has been hacked. The IOT device needs to be isolated from the corporate network. That will take some planning.”
What is the future for A10 Networks?
The majority of security vendors have no experience of hardware. They are software companies. Those with skills across both domains have almost all developed into managed security services providers (MSSP). ET wanted to know if A10 networks had any ambitions in that space?
Chen told is: “Our view is really, if we don’t have to, we probably don’t want to be the one manage the skill service. We want to be a partner. The way I look at it is whoever provides you the hardware they are the management one, the one managing customers. They’ve got all the customer data and are the natural one to manage the customer services. We sell our technology and work with our partners to manage the security service.”