Cracks in the US Cybersecurity Walls: Q&A With NetWitness CEO Amit Yoran

Cybersecurity is a shambles in the U.S., but nobody seems able to do anything about it, and things appear to be going from bad to worse. Both Presidents George W. Bush and Obama have promised to appoint a cybersecurity czar — or “cybersecurity coordinator,” as the current administration calls the position — but still there is none.

Early in August, White House cybersecurity adviser Melissa Hathaway — who was at the helm in an “acting” capacity — resigned, saying the president was taking too long to make a permanent appointment and bemoaning her inability to drive any real change.

The reasons behind her resignation were eerily familiar: In 2004, Amit Yoran, who was then holding what essentially was Hathaway’s post in the Bush administration, stepped down after just one year, citing much the same reasons. He became the third official to quit the post in two years.

Yoran had made his mark in the private sector by founding network security firm Riptech, which was acquired by Symantec for US$145 million in 2002.

After leaving the White House, Yoran founded another company, NetWitness, a provider of distributed, real-time enterprise security solutions based on full packet capture and deep session analysis from the network to the application layers. NetWitness serves customers in the U.S. defense, national law enforcement and intelligence sectors, as well as critical infrastructure organizations and Global 1,000 companies.

Yoran, who is still ticked off at the state of U.S. national cybersecurity and says its existing “defense in depth” approach is outdated, discussed the issue with TechNewsWorld in an exclusive interview.

TechNewsWorld: You say existing defense-in-depth approaches predominantly rely on antiquated security technologies such as firewalls and intrusion-detection systems. Can you elaborate on defense in depth?

Amit Yoran: Defense in depth means implementing multiple security countermeasures to deal with the same problem. So, to stop a nation-sponsored or criminal attacker, you might employ several technologies. Unfortunately, many of these have not kept pace with current threats.

TechNewsWorld: What is the aim of defense-in-depth systems?


Yoran: Defense in depth is not a system; it is a strategy for implementing security technologies. It is a “layering” of technologies to provide additional depth. One technology is not enough, so you add more technologies to provide additional defenses, hoping the combination will work. Defense-in-depth systems include firewalls, antivirus, intrusion-detection systems, network behavioral analysis systems, and data-loss protection systems.

TNW: Why do you say the government’s defense in depth systems are antiquated?


Yoran: Many are based on the concept of “signatures,” which assume that you have foreknowledge of an attack. This approach is unrealistic in a world where attackers are creating designer malware and zero-day exploits crafted to circumvent the signatures understood by existing security countermeasures. A next-generation approach does not rely on signatures or statistical modeling.

TNW: As a former director of US-CERT and the National Cyber Security Division of DHS, what flaws in the federal cybersecurity model did you note?


Yoran: There were gaps in the network visibility with existing security products (i.e., defense in depth). Organizations needed a way to view network events more deeply and accurately using full packet capture technologies.

TNW: Didn’t CSIS’ recommendations to then-incoming president Obama in November address that threat and recommend action to resolve the cybersecurity shortcomings of the federal cybersecurity model?


Yoran: Sure, and this will happen eventually, but we just had the 60-day review, and we are waiting to see how the cyberczar position shakes out. The president said good things. Agencies need to keep moving forward and plan new and improved security defenses. But better White House strategy and coordination also will help. There needs to be better clarity with regard to how threat data is shared both within the government and to and from the private sector.

TNW: What are the top federal CISOs doing to remedy cybersecurity gaps in their organizations?


Yoran: Over 60 percent of federal CISOs have moved to adopt new types of security-monitoring solutions to close the defense-in-depth gaps I mentioned during the last two years. All of them have based their solution on NetWitness NextGen full packet capture.

TNW: Is anyone coordinating all these efforts from the top to create a federal government-wide model, or are these actions of CISOs going to result again in islands of cybersecurity at different levels of capability?


Yoran: Not yet, but the president has committed to appoint someone.

TNW: Won’t it be difficult to have one uniform approach, given the different security requirements of different federal organizations and the specific additional requirements of sensitive agencies such as DHS, NSA, FBI and CIA?


Yoran: Yes. Different agencies have different priorities and goals. Some have data that are more sensitive than others. There can be high-level standards, but each agency must protect its data in accordance with its sensitivity and criticality. And they must consider the issue I mentioned of the problems with defense in depth and moving to a new level of network visibility.

TNW: You have, of course, an ax to grind, as you are CEO of NetWitness. Notwithstanding that, how will the technology help improve cybersecurity?


Yoran: Organizations have very clear gaps in network visibility due to the limitations of current network-monitoring technologies. Since NetWitness is based upon full packet capture and session analysis, the technology sees and records everything and can provide the kind of detailed content and context to network actions and behaviors that let security operations staff work faster, smarter and with more certainty. That’s why over 60 percent of the federal government has implemented NetWitness.

TNW: Deep packet inspection and rendition of the results in English instead of hex representations notwithstanding, the results must be reflected in real-time and tied in to some sort of alarm that alerts IT admin immediately. Also, there must be some sort of process set up to ensure that the right action is taken immediately on receipt of the alarm. Please comment.


Yoran: Correct. That’s exactly what we do. Unlike other products that are simply large packet file stores or PCAP libraries, we’ve actually built an infrastructure that serves three real-time missions for some of the largest federal networks: 1) continuous augmented awareness — that is, making existing defense-in-depth tools smarter and faster; 2) optimization of incident response, providing new and better information on new kinds of alerts to incident responders and giving them context to alerts they receive from other technologies; and 3) cyberthreat intelligence: providing real-time fusion with third-party data sources regarding botnets, dynamic DNS, malware, warez and other traffic with bad reputations flowing across networks, allowing organizations to build short- and long-term intelligence profiles.

TNW: Also, NetWitness tackles only a small part of the overall problem. It would be better to use it in conjunction with policy administration and governance and provisioning/deprovisioning systems that are activated immediately any change occurs in users’ roles or access rights, yes? Please comment.


Yoran: I agree that NetWitness is not a silver bullet and should be used in conjunction with other technologies for maximum effect.
