Marc Maiffret has been around the block when it comes to security. Aged just 16, his hacking activities attracted the attention of the FBI; aged 17, he founded his first company, eEye Digital Security. Now, via stints at FireEye and BeyondTrust, which acquired eEye in 2012, Maiffret is embarking on a completely new project, setting out to self-fund his second original security venture.
Not bad for someone who’s still five years from his 40th birthday. Unsurprisingly, Maiffret’s varied trajectory from hacker to CTO to entrepreneur has given him a detailed insight into the state of the security industry. I met him at RSA Conference 2015, where he gave me his take on what the sector gets right, but also where it falls short.
“For most of the companies that do well at preventing attacks and protecting their networks, it really comes down to whether they have the right people who know how to properly architect the environment,” he asserts.
Sounds simple, right? In theory yes, but Maiffret believes that the fundamentals of security are an underappreciated, and under-practiced, art.
“Attacks evolve every year, but the foundations of networking and protocols stay the same. Most people are now trained on the higher level tools. Tools have their place, but how you tailor things to your environment [is more important].”
Fundamentally, Maiffret takes a skeptical approach to some of the themes and trends that the security industry creates year on year. He highlights ‘lateral movement’ as one such buzz-phrase that’s getting a lot of coverage at the moment. This, of course, refers to attackers moving throughout an environment once they have gained access, as in many of the now-famous major breaches of yesteryear.
“A lot of people look at it by saying, what is the product or tool that I should buy that’s going to find those attackers inside my network? But one of the best things you can do is leveraging some of the technologies that you already own and just locking things down in the right way.”
To do this, Maiffret argues, it is once again a matter of understanding the core fundamentals of network security.
“I am a former hacker. It’s funny saying that now because people associate all hacking with financial data theft and crime. It’s not that I wasn’t committing crimes or something! But this was the late 90s; hacking was much more about exploring, seeing what systems you could get into and learning about technology and what was happening.”
Learning all the fundamentals of different technologies was completely normal for people in Maiffret’s position, who started in the industry over 15 years ago, something advantageous to this day. “That gives you an awesome foundation,” he insists, “But most people that are new in security don’t know what the fundamentals are.”
This deficiency Maiffret ascribes to a lack of “great educational programs for security,” particularly in his native US. Moreover, he argues, security is a product-obsessed industry: “It’s the perimeter one year, the endpoint the next – and all these things have their place, but there is an educational gap. The problem is that some of the stuff that works is just not the sexy stuff.”
Maiffret sees a trend at university level to teach the more general scripting languages, such as Java and Python, rather than foundational languages like C or C++ or. “It’s definitely counter to what’s needed in security.” he suggests, “But then, there are also a million and one job vacancies looking for Python, web and all that stuff.”
“Most people that are new in security don’t know what the fundamentals are”
Despite some of the resource and educational shortcomings across the industry, Maiffret’s strongly believes that there are some strands of the industry where positive progress is being made, and at a rapid rate.
“Information security is such a young field and the reality is that a lot of things have gotten better; it doesn’t seem like it if you look at the last year, because everybody’s getting breached. But if you look at exploiting and attacking Microsoft vulnerabilities now, versus what it was even five years ago, it’s staggeringly different and much more complicated.”
Even though a high volume of vulnerabilities are still being discovered, he explains, the picture is not necessarily as bad as it sometimes seems. It used to be that, when a researcher discovered a vulnerability, they didn’t have to prove its value: “If you find a giant Microsoft web server or Apache vulnerability, that just speaks for itself.”
Now, he says, many people resort to scanning the entire internet: “You may find 3000 systems on the internet that have a certain vulnerability, and so it seems really bad. And it’s not that it’s not bad, but I think that it’s a sign of progress that people have to go through so much to package up vulnerabilities; they don’t speak for themselves anymore.”
As far as vulnerabilities go, Maiffret believes that certain aspects of the mobile world are leading the way.
“If tomorrow the world ran on iPads, none of these [security] technologies would be needed. The real model is essentially what iOS and some of the app stores are doing. It’s how controlled it is; the apps are so limited. Even if an app has some sort of a vulnerability you can’t really get beyond it.”
The next step, Maiffret believes, is to take some of these practices and apply them more widely to the desktop world. He says: “Microsoft introduced that with Windows 8 but nobody adopted it. So I think in the next five years using apps on your desktop computer will be much more like what happens on your phone. Vulnerabilities and security risks are going to be reflective of that, which is to say there are going to be a lot less.”
As for the man himself, Maiffret regards himself as being in a lucky spot. Given that he’s an entrepreneur with the ability to self-fund his next company’s founding, he doesn’t have to go down the VC route and “give the whole company away.”
There’s not a lot of detail he wants to give right now, other than his new venture will be based out of Orange County and based on the belief that increasing success against attackers requires a combination of intelligent people backed up with intelligent machines.
“It’s a good time to be an entrepreneur in security,” he muses. “It’s not necessarily about finding the money, it’s about having the choice to work with the right people. But it seems like there might be a bubble, so much money is being thrown around. Half the companies [at RSA] won’t be here in two years. I’m kind of just in a unique position where I really want to just help create something that helps people become more secure.”