After sitting down with Hal Lonas to get a deeper look at the inner workings of Webroot, there was no questioning why he’s uniquely qualified to serve as the company’s CTO. And with machine learning getting thrown around as the hot new buzzword, it was refreshing to hear Hal’s down-to-earth perspective on motivations, ideas, solutions and what drives Webroot to continue innovating in the world of threat intelligence.
Tell me about your background. What led you to create BrightCloud?
I have been developing software products for years and got into the security software space as Director of Development with Websense in 2000. At the time, websites were being classified manually, even though the number of sites and security breaches were already increasing exponentially. It just seemed like the wrong way to solve the problem.
A few of us saw the trends of cloud computing, machine learning advances, and threat escalation as an opportunity to do things differently. So we dropped out of Websense and started BrightCloud, which was founded and architected on the belief that automated classification using machine learning and the scalability of the cloud was the only way to go.
BrightCloud technology does a great job in combatting today’s threats; dynamic ones that appear, damage, and disappear. Was it built with polymorphism in mind?
We actually didn’t build BrightCloud tech with polymorphic or transitory malware in mind. We built it to bring incredible speed, scale, and flexibility to finding threats. So when polymorphism came to the forefront several years ago and started overwhelming traditional signature-based solutions, we were at the right place at the right time. There are many other security problems that BrightCloud technology solves based on the architecture and platform we’ve built, for example finding phishing and fraudulent sites in real time.
You also have to credit Webroot’s vision in combining cloud-based endpoint security with Webroot threat intelligence. Webroot endpoint technology was designed from the ground up to be cloud-based and globally scalable, to minimize the time from threat detection to global protection. Additionally, Webroot had the guts to transform the product and the company from a traditional antivirus offering to a platform-based service approach. That’s a key aspect to the entire ecosystem we protect.
How is your approach to threat intelligence different from most?
Well for one thing, we don’t generate white lists, black lists, or static feeds of data. You could use our data in that way, but the threat landscape is way too big and dynamic for that, and we offer so much more. As soon as you publish a list, it’s out of date. Security professionals need a service where they can ask questions and get security advice at the moment of truth, which is just before you click on a website, before your firewall accepts a connection from an unknown IP, or before you run that downloaded file or mobile app. That’s what we do with the BrightCloud system at Webroot. And that’s what gives our products and partners protection no one else can provide.
The way our technology works, everything on the internet has a reputation score somewhere between totally trustworthy—so a score of 100—down to clear and present danger scores of single digits. That allows our customers to set a risk threshold for activity they want to allow or block, and decide when to warn users. That’s a very different approach than others in the field are taking. When we say ‘actionable threat intelligence’, that’s what we mean; we inform critical decisions at the moment of truth billions of times every day.
What approaches do you think cybercriminals will be using in the future?
Ransomware has been very successful, so I think we’re going to see more of that. The bad guys are going to find areas where we are lazy in protecting ourselves and they’re going to exploit those weaknesses. We might find things like demands of payments simply not to attack us, almost like extortion for so-called protection.
Besides security, we might also find other business areas where we’ll be forced to improve, like getting rid of passwords for authentication, and making data backups easier and testing them to see if they work.
Also, as legacy operating systems from Microsoft, Apple, and Google get more secure, attacking them will become less easy and profitable. That means the bad guys are going to look at other areas to attack, like newer home and business devices connected to the internet. We describe this as the new and expanding attack surface area.
As more new products and devices get added to networks, it seems as if those products are being rushed to market and that security is an afterthought. In a lot of cases, many times not in the product at all when it’s released.
We observed in our quarterly threat brief that malware attacks have actually gone down in the past few months. Does that mean that the overall threat level is decreasing?
There may be a number of contributing factors here. Based on what we’ve observed, our impression is that even if there are fewer attacks, they’re more impactful. For example, a single organization hit by ransomware may struggle for days or weeks trying to recover or decide whether they should pay. Additionally, cybercriminals are taking time to regroup as security solutions get smarter and as more threats are stopped earlier by machine learning and automation. As the bad guys figure out their next move, we’ll see threats take off again, most likely in new areas.
Can machine learning help combat the threats that are keeping you up at night?
Absolutely. Not only can it help, but we believe it’s the only way to solve the growing threat problem, which is why our next quarterly threat brief will focus specifically on machine learning. Of course you have to be smart about it, and threat researchers and analysts are still key parts of the puzzle, but we’ve figured out how to leverage and amplify their knowledge and productivity a thousand-fold. As threats become more transitory and harder to find, humans are going to be even more overwhelmed and won’t be able to keep up without automation.