When security technology fails, you don’t want to be the guy walking in the door selling more of it.
George Kurtz, former chief technology officer of McAfee, was often in that position as he logged hundreds of thousands of miles a year traveling to big organizations to counsel them on their cyber security risks.
He said he left many meetings with the same sinking feeling. Even organizations that spent top dollar on security — loaded with antivirus software, firewalls and other anti-hacking weapons — still got hacked, knew nothing about who attacked them, and often didn’t care, Kurtz said.
So he sensed an opportunity when he left McAfee last year, following its acquisition by Intel. He teamed with Dmitri Alperovitch, McAfee’s former lead threat researcher, and another partner, Gregg Marston, to work on tackling one of the hardest problems in security: assigning blame for attacks.
Now their startup, CrowdStrike, has received $26 million in first-round funding from private equity firm Warburg Pincus and is planning to release technology later this year.
A key challenge will be convincing organizations that traditional security technologies are no match for the most hardened attackers, and that they need to spend more on newer technologies. CrowdStrike’s idea is that highly targeted organizations need to focus on the known strategies of their adversaries — which Kurtz says stay remarkably static over the years — more than the technical mechanics of their attacks. Even sophisticated attacks can begin with an unsophisticated ruse. For example, last year’s breach of security firm RSA began with a piece of junk e-mail spammed to low-level employees.
Jeff Moss, a member of the Homeland Security Department’s advisory council on cybersecurity matters, said that many organizations have realized they can’t stop hackers entirely from invading their networks. They are looking for creative ways to detect attacks in progress, which is made easier by attackers’ repeated use of known techniques, Moss said.
“Generally criminals are lazy — if it works, keep doing it,” Moss said. “If kicking in the door works, why invent an automatic lock-picker?”
Kurtz and Alperovitch are hoping to leverage their experience with McAfee’s headline-grabbing breach investigations. Security software is projected to be a $21 billion industry this year, according to Gartner Inc.
“There’s a lot of helplessness out there,” Kurtz said. “It’s not that they shouldn’t have antivirus or firewalls, but they need something additional.”
McAfee Chief Technology Officer Stuart McClure said in a statement that “there will always be ways around solutions put in place,” and that security requires a combination of products, process and people.
CrowdStrike’s genesis highlights the limitations of modern security technology. Advanced attackers are masters at impersonating legitimate computer users to steal sensitive data.
Kurtz says his technology uses public and private data to supply context around an attack. Knowing that Chinese espionage agents go after oilfield exploration documents in a certain way, while Russian spies hunt for intelligence data in a different way, can help organizations allocate scarce resources, Kurtz said. He is keeping other details of the technology secret.
Brendan Hannigan, general manager of IBM’s security systems division, said that his customers crave details about the origins of attacks against them. Surveillance technology allows for constant monitoring of all network traffic, which helps identify patterns in attackers’ behavior. It’s sometimes impossible to definitively identify attackers, but identifying their techniques can help protect intellectual property.
“The reality is, you can get an enormous amount of information about who’s coming in and where and why,” he said.
But John Pescatore, a Gartner security-industry analyst, said many businesses don’t care who hacked them. They have limited resources to do much with the information, he said.
“That takes resources away from the business, tracking down criminals,” Pescatore said. “In fact, it’s often taking you in the exact wrong direction. If I take care of a vulnerability, then nobody can exploit that vulnerability. It doesn’t matter if it’s Chinese government funded or Russian government funded or whatever.”
Instead, he points to another nagging headache with no clear solution.
“The hardest problem in security,” he added, “is getting rid of the reusable password.”
In those cases, who the culprits are is painfully clear.
(This post was updated with a statement from McAfee.)