Escaping the security equivalent of Groundhog Day

John E. McClurg is something of an old hand in the security world. Originally in academia, McClurg has worked at the FBI (where he helped establish a cyber-counterintelligence program with the Department of Energy), Lucent Technologies/Bell Laboratories, Honeywell, and until recently was the CSO at Dell. So why did he decide to abandon one of the biggest tech companies in the world just as it was entering a new phase? In short, he was tired of ‘after-the-fact’ security.

“I was living in what we called the world of the reactive,” he tells IDG Connect. “I was happy at Dell, but I was consigned to a world of the groundhog day. I felt very much that I was trapped in this cycle I could never break out of.”

Not if, but when

“Our security profession adopted this mantra ‘not if, but when’.” It’s a phrase he repeats often throughout the interview, occasionally adopting a zombie-like voice to emphasise how deeply it has been drummed into the industry.

“One of the things we learned in business school is you only make sure you manage the expectations of your leadership, right? And one of the things we [security professionals] did was to make sure they were aware of this mantra ‘not if but when’, so when the ‘when’ happened they didn't fire you.”

McClurg highlights the idea that success in this passive world isn’t whether you stopped an attack, but how quickly it was detected and contained, and the lessons you learned for the next time an attack was successful.

“So that was the world that had evolved and I had lived in for two and half decades basically; the world of the reactive.”

A whole new (heliocentric) world

Today he works as a VP & Ambassador at Large for California-based Cylance, one of the more well-known companies in the machine learning-based security space. The company provides proactive endpoint protection which it says can actively prevent even previously unknown viruses and malware from infecting computers.

“Suddenly I abandon my Dell community for this little obscure, hardly-known entity called Cylance,” he says, “and my peers are saying, “What has the kind of force to compel you to move towards them?””

“It's nothing less than an absolute new paradigm.”

What actually convinced him – and former Dell Distinguished Engineer Chad Skipper – to move, however, were the results they found from their own in-house testing.

“I was in the midst of a battle with APT, and at the same time our CTO had said “enough” to always having to offer up at least one device as the sacrificial lamb to be that patient zero in which the virus successfully executes so you can capture the signature.”

Skipper apparently identified 60 companies offering an Advanced Endpoint Protection solution and created his own test for them.

“He pulled together in a single pot probably the most evil collection of malware, ransomware, and zero days, and he launched that against these contenders.” According to McClurg, of the 4100-odd pieces of that nasty concoction, almost 400 were zero days previously unknown in the wild. Cylance’s capture rate of 99.7% is what led to Dell eventually partnering with the company.

“As the CSO of Dell, I have echoes of this going on but I’m too focused on the battle at hand. I got APT in my knickers,” he explains. “Besides I don't buy this 99.7% figure. I think that's the marketing group, they've gone off the reservation, they're puffing, I just don't believe it.”

So McClurg took his recently conquered APT, told his team to run Cylance against it, and ‘report back once it failed to capture it’ so he could dismiss it and get back to work on important things.

“They disappeared for a couple of days, and then they come back, they said, ‘Well boss, we don't know what to tell you, but we tested it, and if we had Cylance in place we would not have lost our Christmas holiday, we would not have spent all those late hours, we would not have to be spending all this money we're now spending, if we had it in place, we would not have been compromised.’”

“All of a sudden I have this downstream epiphany of what that would mean if indeed, at an endpoint, we never let those adversaries through in the first place: I can divert the cost, the money, the resources, to other critical challenges that we still have in the security world, for example insider threats.”

This realisation caused McClurg to take the plunge and move to what is a tiny company compared to the behemoth that is Dell, because he wanted to do the most good for the most people before he retires, something which he thinks can best be done with the Californian security startup.

“The idea or prospect of finally moving out of that realm into a realm where the capture deflection rate is as high as 99.7% and sometimes even better was a wakeup call for me. What we've developed now at Cylance is a part of that shift in paradigm, from the reactive to the proactively predictive.”

Proof of the pudding is in the eating

McClurg likens the shift from static antivirus signatures towards proactive security to that of Copernicus and Galileo championing the idea of a solar system that revolved around the Sun rather than the Earth.

“We empathised with Galileo, because we don't doubt for a minute we're up against a big challenge. That embedded paradigm, of the reactive detection, of signature-based AV, has been around for a long time and isn't just going to stand flat-footed while some young upstart comes along and starts spouting terms like artificial intelligence, machine learning, mathematical algorithms.”

And there has been scepticism (although no accusations of blasphemy) from incumbents. Cyber expert Eugene Kaspersky, founder of his eponymous security company, has written about the dangers of companies peddling wares that amount to AI snake oil. When IDG Connect spoke to Acuity President and Chief Executive Kris Lovejoy, she said companies in the machine learning-security space must “evolve to a place where we're validating the marketing hype with the actual practical lab testing results” in order to avoid any accusations of security alchemy. Both Sophos and Symantec have called out Cylance for not taking part in more open testing.

“What's interesting and challenging in that space, with a lot of those independent shops it’s sort of like pay to play,” McClurg replies in his company’s defence. “And their continued viability is dependent on their giving a positive return back.”

Skipper, now VP Product Testing & Certifications at Cylance, has blogged about his thoughts on these testing houses where he labelled the current model “fraud”.

“It also brought out awareness to us that a lot of those testing houses were steeped in the old paradigm, and that if you're going to adequately test a new paradigm, it may require you to change the test.”

“We're very much engaged and understand that our customer base want that independent third party, but what we say is, “Who are you going to trust even more than an independent third party?””

McClurg cites an old Latin phrase to outline Cylance’s approach to getting the company’s message out there: Res ipsa loquitur. The thing speaks for itself.

“I say, ‘Don't trust me, any more than I trusted my CTO. Test it yourself. The prowess of this solution speaks for itself.’ What are you going to trust more than your own personal experience?”

Dan Swinhoe

Dan is a journalist at CSO Online. Previously he was Senior Staff Writer at IDG Connect.