Qualys is a rising company in the security world, but where many companies of its ilk have built their reputations on the back of high-profile CEOs, with Qualys the public face has more often been the young CTO Gerhard Eschelbeck.
A native of Austria, but a fluent speaker of everyday as well as technical “security” English, Eschelbeck started in business as the founder of remote control company IDS GmbH, later bought by McAfee. He then became an engineering vice president at McAfee and eventually for Network Associates, which bought the company in 2002. In the short time since then, he has made a name for himself, testifying to congress on the subject of computer security, as well as presenting at conferences such as RSA and Black Hat.
It’s still unusual for a techie to be let off the leash to wonder the world preaching the sort of complicated messages Eschelbeck loves to discuss. The technical set tends to be shut away or rolled out to back up only narrow marketing messages, so how has this one managed to escape?
The first clever move was to have something to say, which always helps. His work on what he terms the “laws of vulnerabilities” (tracking the prevalence, persistence, exploitation and “half-life” of security holes) has turned out to be an influential way of making sense of the data collected by the Qualys security auditing and scanning network.
The next innovation was not to sit in his office. Like all rising security figures, he seems to spend almost as much time in hotel rooms on the road as in the comp-any HQ. It was typical of him that when we put the questions to him for the following interview he answered them from an indeterminate location.
Techworld: After decades of being taking for granted, security has moved to the top of people’s list of issues. Does this herald an important change in IT or is it another technological fashion?
Over the past decade we became increasingly dependent on information technology in business and everyday life. The availability and reliability of these technologies was taken for granted until attacks have demonstrated vulnerability. The great benefits have demanded to make these technologies more secure, evolving security from a nuisance to a business enabler. Security is no longer a technological trend, but a serious business issue. This shift from thinking of “how to prevent the bad guys” to “how to enable the good guys” builds the foundation of this important change. Increasing revenues and reducing cost are the driving factors for today’s successful security architectures.
Some have said security systems are now being oversold by a greedy industry. Would you agree with that?
The security industry is in the midst of an important transition. Security awareness originated in a few enterprises with highly sensitive information, and has now shifted to mainstream business. When critical systems are unavailable and data is not accessible due to an attack, organisations are losing valuable business, and confidential customer information is at risk. Enterprises are increasingly aware about the inherent need for implementing security and are looking for ways to protect their business. No longer can individual technologies be presented as the ultimate solution – it is generally recognised that a holistic approach is required. These high demands from enterprises as well as consumers have triggered the growth of the security industry.
Does government and regulation have any role to play in moving the security forwards?
Like any evolving area, global connectivity requires a legal framework to operate successfully. While there is limited direct impact from regulatory requirements, they have forced organisations to put strong focus on data security (access, sharing, and confidentiality) and data permanence (protection, integrity, and retention). For end users, regulations build a stronger level of trust as organisations are required to put necessary controls in place for compliancy requirements. For many enterprises, however, regulations have triggered more questions than answers. To create an overall stronger impact it would be desirable to unify the multitude of requirements for regulatory compliance and to develop stronger legislative direction on the implementation of compliance frameworks.
Why do you think so many large, rich companies have tended to underestimate the importance of security until it embarrassed them?
With many innovations, companies are focused on functionality. The first thing the industry does, is try to make their solution work. Security questions appear later. Today’s network infrastructure is optimized to transport network traffic in a fast and reliable manner, but does not provide the necessary security enforcement capabilities, requiring each individual endpoint to protect itself. With major security incidents hitting the press, we have reached a tipping point where information security has evolved from a science of security gurus to a systematic practice. In the past we were very focused on securing infrastructure and applications at the time of installation and operation. Now we need to go back to the early stages, when systems and applications are being developed. Security has to cover the full lifecycle of an application or system and must become a quality measure. Involving security in the design will not only provide functionality but also the required trust.
Can you name the events, people and technologies that have most influenced your attitude to your chosen field?
When I joined the field of information security more than a decade ago, I saw an industry characterized by time-consuming, expensive manual efforts, and recognised an opportunity to apply automation to the security industry. Through history, automation has revolutionised industry and made technology much more accurate, more cost effective and widely available. My passion for automation in information security was greatly inspired by Prof. Joerg Muehlbacher at University Linz, Austria. In particular, some of the automation efforts in the antivirus and vulnerability management spaces, have created significant impact to the security industry. Security automation has not only improved the accuracy and strength of corporate security frameworks, it has allowed engineers to refocus their time and expertise on core IT activities. Automation frees individuals from repetitive tasks and allows us to focus on creativity and innovation.
It’s a truism that security systems are fallible. Why do you think this has been the case and can they ever be secured?
Taking an example from the aviation industry, we have learned from mistakes over the years and improved the design and architecture of aircrafts. We have reached a very high degree of safety, but it is unlikely we will reach 100 percent. Speaking from my experience, the same concept can be applied toward information security. Various security architectures for endpoint protection have been suggested with varying success due to lack of scalability and manageability. With the ongoing move of security into the core of the network infrastructure, endpoint devices will have less influence. Systems will be selectively permitted based on their individual security exposure and system health. Such measures decrease the level of exposure, and with ever changing technologies we will see new security approaches as well.
What security holes and vulnerabilities deserve to keep us awake at night?
The security research community as well as vendors identify and publish on average 40 new security vulnerabilities per week. These vulnerabilities provide a multitude of avenues for attack and originate from many different areas. Incorrectly configured systems, unchanged default passwords, product flaws, or missing security patches are among the most typical causes. Security vulnerabilities linger and consequently create a breeding ground for attacks, leading to security breaches. Improperly patched systems not only endanger themselves, but also put other users at risk. It is not the security holes and vulnerabilities we know about and can respond to that are the biggest concern – it is the security holes and vulnerabilities we do not know about and will be the target of tomorrow.
Does security simply come down in the end to rationally assessing risk?
Information security is indeed all about managing risk. Following the principle of “You can't manage what you can't measure,” enterprises need to apply principles of risk management to determine what it will take to achieve an acceptable level of risk. As security practices are maturing, enterprises look for ways to measure the effectiveness of their security programs. Defining meaningful security metrics is still a science in its early stage, and needs even greater attention as metrics convert subjectivity into objectivity. Creating relevant security metrics is the only effective way to assess risk and gain support for information security projects. Correlating vulnerability data and asset values to define security exposure metrics enables enterprises to measure and manage their security improvements over time. The recently released Common Vulnerability Scoring System (CVSS) is a good example of an effort to create universal and consistent scoring for security vulnerabilities. Such metrics and standards eliminate guesswork and create objective information.
Which technologies do you think have the least/greatest contribution to make in the next few years?
Technologies to stop worms and zero-day exploits in action are the most over-hyped promise today. Worms and automated attacks are aggressively exploiting the weaknesses in distributed computing architectures built over the past decade. Protecting an environment from such emerging threats is an exponential problem without an immediate solution. The shift to centralised security enforcement at the heart of the network infrastructure will make the problem manageable and significantly reduce the breeding ground for such viruses and worms. Based on the premise that every endpoint can be the catalyst to a significant security incident, systems have to be screened and validated before they are granted access to a network. Various network infrastructure vendors have announced initiatives and partnerships with security vendors to deliver integrated network admission management architecture. We will see some first validations of these security designs in 2006. This will have significant impact on preventing worm outbreaks, as well as the ability to dynamically control network traffic based on security exposure and health of individual endpoint systems.
You have presented on what you describe as the ‘laws of vulnerabilities’. Can you summarise these?
The Laws of Vulnerabilities are part of an ongoing research project to gain a better understanding of security vulnerabilities in the real world. Over the past three years, I have gathered and statistically analysed vulnerability information for more than 5 million critical vulnerabilities across hundreds of thousands of systems and networks of global organisations. This data is not identifiable to individual users or systems, however, it provides significant statistical data for research and objective analysis. It enabled me to define and publish the Laws of Vulnerabilities and the annual trend update.
Let me summarise the Laws of Vulnerabilities as follows:
• Half-Life: The half-life of critical vulnerabilities is 21 days on external systems and 62 days on internal systems, and doubles with lowering degrees of severity. In other words, for even the most dangerous vulnerabilities, it still takes organisations 21 days to patch half of their vulnerable external systems, and 62 days to patch half of their vulnerable internal systems, leaving the balance exposed for a significant period of time.
• Prevalence: Half of the most prevalent and critical vulnerabilities are being replaced by new vulnerabilities each year. The continuous discovery of the most dangerous and widespread vulnerabilities produces an ever-changing window of exposure to computers and networks.
• Persistence: The lifespan of some vulnerabilities and worms is unlimited. Old risks recur partly due to new deployment of systems and servers with faulty or un-patched software.
• Exploitation: The vulnerability-to-exploit cycle is shrinking faster than the remediation cycle and for 80 percent of worms and automated exploits are targeting the first two half-life periods of critical vulnerabilities. Such rapid availability of exploits creates a significant exposure for organisations until they patch all their vulnerable systems.
The results, such as information about vulnerability half-life provide valuable lessons for the security community at large on how to protect networks and systems from evolving threats. The significance of this unique research has been recognised internationally, providing insight into lifetime and prevalence of vulnerabilities to define accurate risk rating.