
Innovation Must Solve a Real Customer Problem

Innovators@Symantec series

Mark Gentile is a distinguished engineer and one of the chief architects for Symantec Enterprise Division, creating the architecture to support Symantec’s various security solutions. Mark was the founder and CEO of Odyssey Software, a mobile device management and security company acquired by Symantec in 2012.

Mark, how did things change when Odyssey Software was acquired by Symantec?

I'm an engineer at heart, so when I came to Symantec, I wanted to go back to the things that I loved doing. I enjoy product engineering and innovating, and I had the opportunity to do what I love with a bunch of really smart people. It impressed me how passionate and intelligent all of the people in the engineering org were at Symantec. I loved being around the people I was working with and the mission to build products, technology, and solutions that help protect our customers from bad actors.

How has Symantec focused on innovating after the Broadcom acquisition?

Previously, we were structured in a way that didn't support our ability to realize our true vision and potential. Before Broadcom, we had different leaders running endpoint security, information security, and network security. There wasn't any common prioritization or alignment across them, so what was important to one group may not have been so important to another.

Now that everything is all under a single General Manager for the division, along with a single Engineering executive, and single Product Management executive, we are realizing and delivering on our vision. For example, we’ve always had a vision for a single agent with configurable feature blades that support our broad product portfolio. Since the Broadcom acquisition, we have started delivering on this vision, with continued expansion and feature extensibility in each subsequent agent release. That's something that would've never happened without changing the executive organization so that we can align and execute on that vision.

What are some examples of innovations that you’ve been involved with?

I’d have to say Adaptive Protection, Adaptive Isolation, IPS and Threat Defense for Active Directory (TDAD).

Adaptive Protection came about because we tracked a significant rise in attacks that leverage “living off the land” (LOTL) attack techniques. To explain this a bit more, attack operators explore target systems for existing tools and software (“the land”), such as operating system features or installed applications. They then leverage what they find to conduct the attack, often without leaving any artifacts - hence “living off the land”. Typically, this starts out with a phishing email with an attached document containing active content (macros), or an attached application shortcut file. In the document example, attackers use the active content in the document to execute and chain together various tools and OS features into a well-orchestrated LOTL attack. Many of these tools and OS features that attackers leverage are normally unused in customer environments, yet serve as open “doors and windows” for attackers. We needed to provide a way for our customers to automatically lock the “appropriate” doors and windows they weren’t using to protect their organization. Adaptive Protection delivers on this.

Our IPS technology provides network protection directly on the endpoint stack. IPS will look at inbound and outbound network behaviors and content and convict malicious activity. This protection often occurs even before a file reaches a machine, or if the file is already on the machine and it attempts to reach out to a command and control server.

Threat Defense for Active Directory (TDAD) has also been a game changer. Every targeted attack involves lateral movement in the target environment. In a typical attack, once the attacker lands, they begin to leverage Active Directory (AD) to explore the environment looking for target machines, users, and resources. By design, Active Directory is an open database, which holds a wealth of information about an environment. Any valid user on a domain-joined machine is able to query AD for information about the environment. Attackers leverage this once they land to find the most interesting targets, then attempt to move laterally to these targets to progress the attack. Symantec’s TDAD uses innovative techniques to deceive, identify and isolate the attackers when they try to leverage AD for malicious purposes.

I can go into these further if you want to have a follow-up blog.

Thanks, Mark, we just might do that! Is there anything else Symantec has done to help foster innovation?

There are two other things that we've done that are top of mind.

First, an innovation must solve a real customer problem. And to understand the problem, it's very important to have a relationship with the customer. In many cases, before we give early adopter customers code to test, we meet with them. We explain what we are thinking and why we are thinking this. For example, we met with customers and described the Adaptive Protection features in detail before we built them. We needed to hear what was most important and what was keeping them up at night, i.e., their biggest challenges around security. So, listening to the customer and engaging with them allows us to deliver the best solution.

The other thing that is key is how you execute and deliver on innovations. To accelerate the pace at which we innovate, we need to do real world experimentation; and in order to actually do experimentation in the field without disrupting customers, we need to be able to release code silently, in a very controlled, safe manner. We do this with "feature flags". With feature flags, we can turn "on" a feature for a select set of customer participants rapidly and iterate. This shrinks the time it takes us to cycle and get feedback on its efficacy, performance, reliability, failure rate, etc. It's important to measure and understand these metrics. Since we're doing it silently, we would be silently blocking, not actually blocking, but we would return telemetry to help us analyze and iterate until we get it right.
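To make the two ideas above concrete, here is an added example that is not Symantec's code and does not reflect how Symantec Endpoint Security actually implements Adaptive Protection or feature flags. It combines the earlier answer's point (block the "living off the land" tools an organisation is not using, with extra scrutiny for tools spawned by document handlers) with this answer's silent rollout: a per-tenant flag selects off, silent or enforce mode, and in silent mode the same verdict is computed but only reported as a "would have blocked" telemetry record. The tool lists, tenant names, usage baselines and process events are all constructed for illustration.

```python
"""Added example, not Symantec's code: an endpoint-style policy check that
flags "living off the land" process chains, blocks only LOTL tools the
organisation has never been seen using, and gates enforcement behind a
per-tenant feature flag with a silent mode that reports what would have
been blocked instead of blocking. Tool lists, tenants, usage baselines
and events are all constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum

# Constructed list of OS tools commonly chained from documents in LOTL attacks.
LOTL_TOOLS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
              "certutil.exe", "regsvr32.exe", "rundll32.exe", "bitsadmin.exe"}
# Constructed list of document handlers whose child processes deserve scrutiny.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


class Mode(Enum):
    OFF = "off"          # feature not delivered to this tenant
    SILENT = "silent"    # evaluate and emit telemetry, never block
    ENFORCE = "enforce"  # evaluate and block


@dataclass
class ProcessEvent:
    tenant: str
    parent: str   # image name of the parent process
    child: str    # image name of the process being launched


@dataclass
class Verdict:
    blocked: bool
    reason: str
    telemetry: dict = field(default_factory=dict)


class AdaptivePolicy:
    def __init__(self, flags: dict, observed_usage: dict):
        self.flags = flags                  # tenant -> Mode
        self.observed = observed_usage      # tenant -> tools seen in normal use

    def _classify(self, ev: ProcessEvent):
        """Return why the launch looks like LOTL abuse, or None if it does not."""
        parent, child = ev.parent.lower(), ev.child.lower()
        if child not in LOTL_TOOLS:
            return None
        if parent in OFFICE_APPS:
            return f"{parent} spawned LOTL tool {child}"
        if child not in self.observed.get(ev.tenant, set()):
            return f"{child} is not used in tenant {ev.tenant}"
        return None   # a LOTL tool this tenant legitimately uses: leave that door open

    def evaluate(self, ev: ProcessEvent) -> Verdict:
        mode = self.flags.get(ev.tenant, Mode.OFF)
        if mode is Mode.OFF:
            return Verdict(False, "feature off", {})
        reason = self._classify(ev)
        if reason is None:
            return Verdict(False, "allowed", {})
        tele = {"tenant": ev.tenant, "parent": ev.parent, "child": ev.child,
                "rule": reason, "mode": mode.value}
        if mode is Mode.ENFORCE:
            return Verdict(True, reason, {**tele, "action": "blocked"})
        # SILENT: the same verdict is computed, but only reported, never enforced.
        return Verdict(False, reason, {**tele, "action": "would_block"})


def run_sample():
    """Run constructed events through the policy; returns (event, verdict) pairs."""
    policy = AdaptivePolicy(
        flags={"acme": Mode.SILENT, "globex": Mode.ENFORCE, "initech": Mode.OFF},
        observed_usage={"acme": {"powershell.exe"}, "globex": {"certutil.exe"}},
    )
    events = [
        ProcessEvent("acme", "WINWORD.EXE", "powershell.exe"),   # macro chain
        ProcessEvent("acme", "explorer.exe", "powershell.exe"),  # admin's normal use
        ProcessEvent("acme", "explorer.exe", "mshta.exe"),       # never used at acme
        ProcessEvent("globex", "excel.exe", "certutil.exe"),     # macro chain
        ProcessEvent("globex", "services.exe", "certutil.exe"),  # normal use
        ProcessEvent("globex", "explorer.exe", "notepad.exe"),   # not a LOTL tool
        ProcessEvent("initech", "winword.exe", "wscript.exe"),   # feature off
    ]
    return [(ev, policy.evaluate(ev)) for ev in events]


def summarize(results):
    """Count outcomes per tenant: the numbers a silent rollout would report back."""
    counts = {}
    for ev, v in results:
        action = v.telemetry.get("action", "allowed")
        counts.setdefault(ev.tenant, {}).setdefault(action, 0)
        counts[ev.tenant][action] += 1
    return counts


if __name__ == "__main__":
    results = run_sample()
    for ev, v in results:
        print(ev.tenant, ev.parent, "->", ev.child, "|", v.reason, v.telemetry.get("action", ""))
    print(summarize(results))
```

The point of the silent tenant ("acme") is that the `would_block` counts can be compared against what the tenant actually runs before the flag is flipped to enforce; a high `would_block` rate on a tool the tenant turns out to need (here, `powershell.exe` used from Explorer) shows up as a false positive in telemetry rather than as a broken customer.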

About the Author

Mark Gentile

Chief Architect, Enterprise Endpoint Security Solutions

Mark is Chief Architect for Enterprise Endpoint Security Solutions, with overall technical responsibility for Symantec's flagship Endpoint Security offerings. He is the former CEO and founder of Odyssey Software, acquired by Symantec.
