Dell’s Global VP and CSO, John McClurg
From working as a special agent for the FBI specialising in cyber and terrorism, Dell vice-president and chief security officer, John McClurg, has spent his career shaking old security assumptions out of clients, partners and his own bosses – modern security is just as reliant on ‘wetware’ as it is hardware and software.
McClurg is particularly focused on an area of security that is only now getting serious scrutiny, the disappearing division between the physical and virtual worlds.
“The traditional lines of delineated interests are now more porous,” he said.
This has already led to big problems with ‘wetware’ (namely: humans) when cybersecurity and real world security can no longer be looked at as independent problems – they are now one and the same. Obvious examples are phishing and spear phishing, but increasingly it has become more serious.
His work at the FBI’s counterterrorism task force gave him great experience as a ‘spycatcher’, and he found more and more that these nationstate actors, or criminals were blending their physical world crime with cyber.
He was twice-decorated in the FBI, has worked in cyber-counterintelligence, assisting in the establishment of the FBI’s Computer Investigations and Infrastructure Threat Assessment Center (now a part of Homeland Security), and has also worked on one of the USA’s first Joint Terrorism Task Forces.
An early case was phone phreaker Dark Dante – better known as Kevin Poulsen, which McClurg helped take down in 1995. Poulsen had ‘hacked’ into the telephone control centre in Los Angeles, literally breaking into exchanges and stealing technical equipment and manuals and taking control of phone lines. He used these skills to ensure he won a Porsche on a radio show by guaranteeing he would be the 102nd caller, amongst other crimes. Despite his technical prowess online, it was still the real world crime (breaking and entering) that made it possible.
After McClurg’s time at the FBI (where he was twice decorated for his efforts), he worked for Bell Labs and Honeywell, where he worked on some of the early Advanced Persistent Threat programmes. Honeywell froze his programme and Michael Dell approached him in 2011. It was an offer too good to refuse. Since he’s been there, Dell has boosted its security and analytics capabilities via acquisition with Sonicwall, Secureworks, Quest, and Credint giving him a vast portfolio to work with.
McClurg would not be drawn on the EMC purchase, which will gain him access to further security tools, such as RSA.
“All I’ll say is, we’ll have a security juggernaut.”
Like many security experts in his field, McClurg said the days of security via obscurity are over – here, there or anywhere.
“Australia may be a long way away geographically, but in cyber terms its just a single click.”
The question routine he runs past his clients is simple.
Are you international? Are you competing with an SOE from another country? Is your IP competitive?
“If they’re not [in your systems] now, they will be. Start looking. Be proactive.”
The problem with our porous interconnected world, is that it makes our physical world porous and interconnected too. In order to get at your core assets, your attackers will look outside your core.
“This is the lesson learned from Kmart. They didn’t go through the front door. They chose to do the HVAC [heating, ventilation and air conditioning] company. Your delineated interests become ever more porous,” he said.
“Where did Target’s [technical] interests begin, and where did the HVAC company’s start? It’s all so porous. The bad guys know that. They’re looking for those.”
He addressed the need for every company to push for the full suite of identity and access management.
“You really need to push for total privilege account management.”
While he estimates there to be only about 200-300 malwares used worldwide, these are tinkered and morphed with constantly to suit the target. This is where the whole security package has to morph with predictive data analytics, an idea he pursued working with US Federal Government programmes.
The analysis of the problem before and after, and a constant awareness of who has access where and why, makes it easier to spot outliers. McClurg says he has seen incredibly patient cybercriminals sitting on networks benignly for years, waiting for their time to strike. During that time, the malware lies dormant, acting like a completely normal program to avoid raising suspicion.
The US federal government has already passed requirements for its corporate partners to adhere to at the end of this year. Similar to his earlier spy programmes, this is to track threats inside businesses, alongside the external hacks.
“[Corporations] now need to demonstrate that they have up and in place a ‘viable insider threat programme’. What the heck do they mean by viable? I don’t think they even know yet.
“I had a notion of what they meant by viable. Analytics. We launched a pilot last year, just in our federal enclave, and actually validated that we could do it.
“We stuck it in there, the team didn’t know about it, we ran the analytics algorithm… Later on, the staff came over to me and they didn’t look too well.
“They said we’ve run the algorithm, and according to it, our biggest concern is our boss - the executive director of the programme.”
This new area gave McClurg a new breath of life.
“I didn’t know much longer I could do the reactive game. It was like whack-a-mole. I wasn’t having fun, I didn’t know if I could keep doing it. But being proactively predictive, that’s but a new spin on the game.”
He claimed using combinations of technology, with predictive and real time analytics is where the intersection between real world crime and IT will lead.
“Back when we were battling the cartels in Mexico, we used GPS embedded in our supply chain. The bad guys would hijack it and run off smiling, because they think they’re in for a big take, but the GPS would let us know where they were. We swooped down with the police.
“What then happened was the cartels had enough money to build their own IT systems, and they actually invested in GPS suppression. So we had to develop a reverse GPS suppressor. It’s a constant dance,” he said.
This constant battle of one upmanship isn’t always necessarily sophisticated at the physical end, but technology again, can help even the score.
“There was another puzzle when I was in Europe. The drivers of our shipments were stopping for dinner, or for the bathroom, and they were getting ripped off.
“The new rules their boss made was that they were never to stop. So, they would make the pick up from a factory and drive all the way to the drop off point. They’d open up the back door, and their load would be empty.”
The criminals had adapted their techniques.
“The drivers swore up and down they had never stopped. And we knew they hadn’t. We GPS tracked them. But we were still scratching our heads, trying to figure out what happened.
“What we were finding was it was a gang of Romanian acrobats. I have to hand it to them. They were coming up behind the moving trucks in the dead of night with their lights off. One of them would jump on the hood of the car, get close enough up to get on the back of the truck, cut the lock, open the doors just enough so the driver couldn’t see anything, then they’d start tossing the packages out.
“Fortunately we caught all this on infrared camera, which combined with the GPS, meant we caught them. They weren’t quite as resourceful as the cartels.
“That constant play between technologies is going to be an interesting play. We’re going to have predictive analytics; the bad guys are going to be able to afford predictive analytics. Their predictive analytics is going to predict our predictive analytics. So then we’ll have predictive analytics that can predict their predictive analytics that we can predict. Its going to get very interesting,” he said.
The problem with anything predictive is privacy and cultural concerns. East German survivors of the Stasi are less likely to welcome such trends than, say, the average Australian.
“The ability to identify proactively people’s propensities, is a good thing. You can find a propensity and move to mitigate and inderdict before it does a bad thing. But you’ve got to realise that in a lot of cultures, just being tagged as ‘having a propensity’ can be prejudicial. So this is where you weave in anonymising the data, keeping it discrete from names for as long as possible – until some sort of threshold is triggered. You need to have very close protections and controls in place.”
McClurg says the new programme will be rolled out in America sometime in the next year, followed by A/NZ and then “battle the cultural forces of Europe”, he said.
As another disturbing example of ‘meatspace’ interacting with cyberspace for criminal activity, McClurg told a story about one of his own staff members. He had a big project due on Monday, and had to work through the weekend. His daughter had a soccer game on the Saturday morning. His daughter hadn’t scored a goal all year long, so he told his wife to take his daughter to the game so he could finish his work, thinking he wouldn’t miss anything.
“Two hours later, the house breaks into chaos. Not only did she score the goal, she scored the winning goal. The first thing she does when she gets home is she runs straight up stairs and posts her accomplishment on Facebook. This Facebook account hasn’t been protected in any way, shape or form. He’s never talked to her about that,” he said.
No drama right? But Dad feels terribly guilty about missing his daughter's big day.
“He delivered the project on time Monday, and I give him the kudos he deserves. But for him it rings hollow. Because he knows for eternity he’s missed a singular event in his daughter’s life. He feel like he’s a terrible father.
“Even though he’s been trained, and by me personally, about awareness, and to not click on unsolicited emails, the first thing he sees when he goes back and sits down at his desk is an email saying ‘hey, I happened to catch this action shot of your daughter kicking the winning goal. Thought you might like it’.”
The cybercriminal had tailed his daughter on Facebook, and used it as leverage in a beautifully clean spear-phishing attack. Hardware and software doesn’t mean a thing when human weakness is exposed.
“Like I said – it’s the 'wetware'. First of all, he’s a guilt ridden father. Second, Facebook. He still knows what I told him, but he clicked anyway,” he said.
“That’s why I always say, its not about if I’m going to get compromised, its when.”
