There is no such thing as a 100% secure network, especially if it is attached to the internet. So begins an interview with Sean Duca, VP, Regional Chief Security Officer - Asia Pacific at Palo Alto Networks.
Duca is regarded as a guru in the security space, having joined McAfee back in 2000 and becoming Chief Technology Officer in 2013 (at Intel Security as it had become) before joining Palo Alto Networks in April 2015. He was also a member of the Australian Government’s Online Safety Consultative Working Group. He combines a strong leadership style with a highly technical base and good communication skills.
Duca says 90% of his role as VP, Regional Chief Security Officer - Asia Pacific is about raising awareness of security best practice because the bad guys are getting smarter and more persistent. “These days we all know what the vulnerabilities are and anything that is known can be prevented although the adversaries are always finding new ways to get around patches and new security technologies,” he said.
“Most people tend to think that they are safe and secure if they use antivirus and have a firewall sitting at the front door of their organisation. That may have worked once upon a time but unfortunately, the hackers of the world have become a lot smarter than that,” he said.
Duca says that he was attracted to Palo Alto Networks, based in Santa Clara, California, because its take on security was focused on the network (and that includes the WAN cloud and internet), it was a disrupter, and because of its contextual approach. He also could see the mission, purpose and passion for challenging the security status quo, and it was exhilarating.
The remainder of the interview is in his words.
Palo Alto Networks' core products are a platform that includes advanced firewalls designed to provide network security, visibility and granular control of network activity based on application, user, and content identification, and cloud-based offerings that extend those firewalls to cover other aspects of security like advanced endpoint protection.
Its founder Nir Zuk was a member of the famed Israeli Defence Force Unit 8200 and is credited in 2005 as the inventor of the first stateful inspection (SPI) firewall and intrusion prevention system. He wanted to use the firewall to identify network traffic like applications, ports used, users (and method of access), to protect against bad behaviour (e.g. not known good), and provide fine-grained visibility and policy control over application access/functionality. Hence Palo Alto Networks is credited with the first Next Generation Firewall.
It now is more important to place these attacks into a context and begin to understand the big picture – why are you using an unknown mobile phone from Russia at midnight to access corporate networks and run an app? The context is all wrong and it can be stopped at network level until it is investigated.
The bigger question is how to ensure security does not cripple line-of-business apps. You can lock down a network and pretend it's 100% secure but it will cripple the user experience. There needs to be a better way – how can we safely enable those apps?
Palo Alto Networks can perform a single pass deep packet inspection without slowing the network or WAN down and through whitelisting it identifies good behaviour and lets it past. Then if you find something odd you can inspect it and upload it to us for bare-metal (on a computer) testing and analysis – and have a response within a few minutes.
Cyber criminals, hackers, are very well organised and funded. They are using tools like machine learning and AI equal in sophistication to the best protection companies.
We use tools too but we have over 37,000 customers to help us and once we find an issue it protects all of them instantly. Palo Alto Networks has been successful – we are not a huge company but we are achieving 30% year on year growth and adding about 2000 customers a quarter.
We discussed the emergence of MSSPs (managed security service providers) and Duca was definite that we needed more, or at least more companies needed to use them! Few companies, especially those below 200 seats, have the in-house expertise to adequately secure their systems. If you don’t, you should go to an MSSP that, like us, can leverage all their clients’ experiences and focus on prevention rather than detection and response – which is often too late. Palo Alto Networks will prevent say, 80% of all issues leaving 20% to focus on.
When asked about MSSPs his response was that organisations like Telstra and Optus that provide internet gateway services are a good place to start. You should be able to assume that traffic from the internet has been cleaned and is harmless. But look for MSSPs that use Palo Alto Networks equipment.
Duca was emphatic – we need to have the same attitude to security as we have to wearing a seatbelt – it is an automatic priority. Security needs a seat at the company board table. It is not just an IT matter, it is about assessing risk, explaining what it is to other C-levels, and reducing the attack surface. No more “she’ll be right, mate”!
Final messages to iTWire readers
- Security is all our responsibility – “she will never be right again mate”
- The world has changed and the bad guys have as many resources as the good guys
- Be prepared to ask hard questions and accept the bitter challenges
- Cyber-crime and breaches are a matter of when, not if – you will be challenged every day
- Consider security on a risk-based factor – what risk will you face if you are hacked, what will it cost to reinstate (if you can) and will you remain in business? What are the crown jewels to be protected at all costs?
- Boards need to look at security as the top priority and not hesitate to spend what is needed
- Don’t accept fear, uncertainty and deception (FUD) propagated by many security vendors – call it out for what it is – BS.
- Focus on how you make the company resilient for tomorrow – yesterday has already happened