Sign up for my newsletter to see more interviews with the biggest names in cybersecurity.
This week I was lucky enough to talk to Tom Cross, the CTO of Drawbridge Networks. Tom has been in the security space for a long time. He has founded several companies and also worked at several large companies such as IBM and Lancope. He just recently left Lancope to become CTO of Drawbridge Networks, a stealth-mode cybersecurity company backed by VCs such as Queensbridge, Bowery Capital, Paladin and others. Tom frequently speaks at conferences such as Black Hat and Def Con and has written many papers on security. I was really excited to pick his brain over the phone earlier this week.
What convinced you to leave Lancope to be part of the Drawbridge team?
Lancope is making great contributions to network visibility and anomaly detection, but I left because I like doing startups. I like that environment. I like how I get to do a wide variety of things and be more of a generalist.
I know that Drawbridge is in stealth mode right now, but is there anything you can tell me about the problems you’re looking to address?
We’re rooted in the acknowledgement that hacks are going to get through regardless of your perimeter security, and that you have to start looking at the internal network and limiting the impact of the threats that successfully compromise it.
Similar to some of the newer endpoint players?
There is a big endpoint movement going on now. 5 years ago the CISO had no interest in any additional endpoint products because they had so many. Now enterprises are more open to the fact that they are going to need another endpoint agent.
There are a few different subclasses of the endpoint space: Bit9 provides application whitelisting, Carbon Black provides audit trails, Bromium tries to harden and segment the endpoint, Mandiant and CrowdStrike provide threat intelligence driven endpoint solutions.
At Drawbridge, we’re trying to bridge the gap between endpoint and perimeter security to give people more control over their network.
Before you left to join Drawbridge you were a security researcher for nearly 12 years at IBM and Lancope. How did the threat landscape change during that period of time?
For a long time people have had a perimeter focus to their information security efforts. The original purpose of the perimeter was to reduce the attack surface. In the 90’s, everyone was focused on firewalls and VPNs. The SQL slammer worm in 2002-03 changed that. It was able to get control of a machine despite perimeter protection. You still see it out on the internet. IPS helped to solve that problem and saw its heyday in 2004-2009. Microsoft also got way more aggressive in how they handle security at that point in time. They would push out updates monthly. At this point we shifted to an era of “drive-by downloads.”
Now we’re seeing nation-state attacks. You used to have to physically be in a country to be a spy. Now everyone has a phone with all of their information in it. Additionally, there are several major cybercrime organizations based in Eastern Europe who are making a lot of money on credit card fraud and scams. They’ve attacked major retailers such as Target. We’re also seeing hacktivism or people that hack for a cause. The progress that we’ve made on defense pales in comparison to the increase in offensive activity by these three groups. We’re treading water a lot of times just trying to protect against these attacks. I don’t see any sign that those three kinds of hacking groups are going to subside.
After going through your presentation on insider threats, my impression was that to mount a successful insider threat defense, you really need a few different tools. What do you think an effective insider threat defense looks like?
People think that they can simply buy a product that will solve this problem. It’s more complicated than that. Insider threats are about the relationships that you have with your employees. Most of the time, when insider threats occur, it’s not because someone got the job because they were looking to commit a crime, it’s a result of a regular employee making a bad decision. Some acute event occurs that causes them to do something wrong. With that understanding, it’s possible to build a framework to detect people at risk. You really need to develop a multi-faceted program that involves HR, IT and management.
Technology isn’t always great for detecting insider threats, but it’s great at investigating them. Organizations that have great cyber audit trails are the ones who can find these rogue insiders once they know an event occurred.
At Lancope we had tools to detect unusually large amounts of data exfiltration, but this activity isn’t always suspicious by itself. For instance, there was a specific instance where a company had identified someone who they suspected was likely to try and steal data. They then used Lancope’s tools to see that a lot of data was leaving from their workstation to a specific IP address which turned out to be a printer. They then investigated this further and realized that this guy really was trying to take a lot of data.
Securonix is an interesting company in the insider threat space. They really understand the problem very well and they’ve built an interesting product around that problem.
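The workflow Tom describes above (flag a workstation sending an unusual volume of data, then break that volume down by destination and identify what the destination is before deciding whether it is theft) can be sketched in a few dozen lines. The following is an added example written for this post; it is not Lancope's or Drawbridge's code. The flow records and the asset inventory are constructed, and the "10x the fleet median" threshold is an assumption chosen to keep the example deterministic, not a value from the interview.

```python
"""Baseline-based detection of unusually large outbound transfers per host,
enriched with an asset-inventory lookup so the analyst sees 'printer' rather
than a bare IP. Added example; the data below is constructed, not real."""
from collections import defaultdict
from statistics import median

# Constructed flow records: (source_host, destination_ip, bytes_out).
FLOWS = [
    ("ws-alice", "10.0.5.20", 120_000),
    ("ws-alice", "10.0.5.21", 95_000),
    ("ws-bob",   "10.0.5.20", 110_000),
    ("ws-bob",   "10.0.7.9",  80_000),
    ("ws-carol", "10.0.5.20", 130_000),
    ("ws-dave",  "10.0.9.40", 4_800_000_000),  # 4.8 GB to one destination
    ("ws-erin",  "10.0.5.21", 100_000),
]

# Constructed asset inventory; in practice this would come from a CMDB.
ASSET_INVENTORY = {
    "10.0.5.20": "file-server",
    "10.0.5.21": "file-server",
    "10.0.7.9":  "mail-relay",
    "10.0.9.40": "printer",
}


def bytes_per_host(flows):
    """Sum outbound bytes per source host: the audit-trail view an analyst starts from."""
    totals = defaultdict(int)
    for src, _dst, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def flag_large_senders(totals, multiplier=10):
    """Flag hosts whose outbound total exceeds `multiplier` x the fleet median.
    The median is used instead of the mean so one huge sender cannot drag the
    baseline up and hide itself. Returns (flagged_hosts, threshold)."""
    baseline = median(totals.values())
    threshold = baseline * multiplier
    flagged = {host: total for host, total in totals.items() if total > threshold}
    return flagged, threshold


def enrich(flows, flagged, inventory):
    """For each flagged host, break the volume down per destination and label the
    destination from the inventory. A label such as 'printer' is context for the
    investigation, not a reason to auto-dismiss: in the case above the printer
    turned out to be the exfiltration channel."""
    findings = []
    for host, total in flagged.items():
        per_dst = defaultdict(int)
        for src, dst, nbytes in flows:
            if src == host:
                per_dst[dst] += nbytes
        destinations = [
            {"ip": dst, "asset": inventory.get(dst, "unknown"), "bytes": n}
            for dst, n in sorted(per_dst.items(), key=lambda kv: -kv[1])
        ]
        findings.append({"host": host, "bytes": total, "destinations": destinations})
    return findings


def investigate(flows=FLOWS, inventory=ASSET_INVENTORY):
    """Run the full pipeline: aggregate, flag against the baseline, enrich."""
    totals = bytes_per_host(flows)
    flagged, _threshold = flag_large_senders(totals)
    return enrich(flows, flagged, inventory)


if __name__ == "__main__":
    for finding in investigate():
        print(f"{finding['host']}: {finding['bytes']:,} bytes outbound")
        for d in finding["destinations"]:
            print(f"  -> {d['ip']} ({d['asset']}): {d['bytes']:,} bytes")
```

Run as a script it reports only ws-dave, with its 4.8 GB attributed to the IP the inventory labels as a printer. The point of the enrichment step is the one Tom makes: the volume alone is a prompt to look, and the destination label tells the investigator what they are looking at.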
You’re a very active part of the security community, are there other people in the space working on what you think are really interesting problems or technologies?
There’s an interesting thing happening with wireless. We’re seeing smart cities initiatives in which wireless sensors are being deployed in cities throughout the world. These devices have very poor security and I think there’s a lot of opportunity there.
Additionally, we’ve seen a renaissance in the kinds of tools people can use to access radio networks. One example is HackRF One. There’s a lot of important security work that needs to be done in this space.
I also think the shift from preventative security to incident response capabilities is an interesting trend. Look at the example of firefighters; they aren’t expected to prevent all fires, they stop them once they occur. Tools like Lancope and Carbon Black that provide audit trails and logs are the tools that are necessary for incident response. Over the next five years there will be a shift in thinking from the “we need a product to keep us secure” mentality, to the mindset of “we’re prepared to investigate breaches when they occur and we want to build an organization that is resilient in the face of security threats.” At Drawbridge, we want to be a part of that change, by helping people take control of their networks and contain the incidents that are happening there.
- Veracode, Digital Guardian, iSight, AlienVault, Dell’s SecureWorks (spinout), MimeCast, LogRhythm, Bit9 + Carbon Black.
- The company is looking to raise $100M as a bridge to a 2016 IPO, in which they hope to raise $1 Billion!
- The round was led by IVP with participation from KPCB, Trident and GGV. AlienVault makes 75% of its revenue through direct sales of its threat products and the rest from partnerships with MSPs.
- The technology, started by a programmer at Rockstar Games, allows users to use mainstream sharing tools such as Dropbox in a completely anonymous way (i.e. neither Dropbox nor anyone else would be able to track the user). Apparently he’s working with John McAfee (McAfee founder) to help create the product.
- Self-destructing emails, cloud-based malware analysis, easy email encryption, graymail detection and more.
- There’s a bunch of sites that allow you to search by email to see if that email was associated with an account, but be careful, apparently a few of those sites are spam sites just trying to steal emails.
- Some names on here that I didn’t recognize (Barkly, FinalCode, Soha). Also see the earlier post, 10 young security companies to watch in 2015, also with some new names.
P.S. If you didn’t get the chance last week, check out my report on 2014-15 Cybersecurity Venture Funding and M&A!