For Innovation Look Back

Liam O’Murchu is a Director in the Security Response group

Can you share a little of your background.

I come from a reverse engineering background. I looked at incidents, analyzed a lot of threats including Stuxnet - the first cyber weapon.  And I was analyzing APTs; all the really sort of crazy APTs that came out about 10 years ago when everything was starting out fresh and new and we weren't tracking 200 of them like we are now.

I've got all that experience and am now applying that to a product environment where we can take my esoteric knowledge, match that with a product, and then make it easy for a customer to point and click, use the information that we have, to protect themselves.

What trends have you seen among customers in that time?

Security jobs have evolved over the last 10, 15 years. The SOC has become a core part of not just the response, but also the day-to-day job of protecting the environment.

Our largest customers are now very knowledgeable about security, and the mitigations or protections that they want to put in place. We can have a conversation at a high technical level where they completely understand the security problem.  They're able to describe precisely what it is that they're dealing with.   What’s interesting is that there is often a solution that we have available in a product they own.  They're just not aware of it.

Do you have a good example of that, when a customer sees a feature they didn’t know about and has a "wow" moment?

TDAD. Threat Defense for AD. We do a lot of analysis of the attack chain. As we look through that attack chain, we're always looking for common points that come up in every attack chain. The common point that comes up in every attack chain is that they need to get credentials in order to spread laterally. They need to move through the network.

TDAD sits at the perfect spot to be able to cut that off. It is very difficult for an attacker to understand what are real credentials and what are fake credentials. TDAD shows the attacker fake credentials.  Then as soon as the attacker uses a fake credential, alarm bells go off. It's very powerful because then it doesn't matter if they change the payload or they come up with a new attack technique, they still need to get those credentials. They still need to move laterally.  And you've got a perfect choke point to stop them.

What is the innovation at Symantec that you are most proud of?

It’s Adaptive Protection right now.   One way to view Adaptive Protection is as a look back system, where customers can look back at the activity that has occurred on their machines for the last year and use that to guide decisions for increased prevention.  The innovation here is that we tell you what techniques attackers are doing right now, and you have a one-year history see if you do similar things in your organization.    If you have not in the last year taken an activity that attackers currently are taking, you just block that.  You don't need to do a full lockdown, you don’t need to risk false positives, but you can cut off a path that attackers are currently using.

Sure, you can do this manually. But it's very difficult to configure those things. It's very painful for customers and a lot of work. The system that we've come up with is point and click. We do all the work for you. The innovative part for me is that customers can take action straight away. You don't need to do months and months of analysis. We present the data to you in a visual way and you can very quickly reduce your attack surface, related to what attacker's doing right now.

What does being an Innovator mean to you?

Anyone can solve a customer’s problem that is clearly visible.  What I find more interesting, truly innovative, is something where the customer doesn't even really see that there could be a better way of working. That's the spirit for true innovation, where you recognize there's a different way of doing things that is revolutionary in some way that other people don't see. That's kind of the breakthrough that we’re looking for.

We are going to innovate, but we're not just going to throw random ideas against the wall and see what sticks. We're going to go talk to customers. We're going to survey their security needs. We're going to see how we can change things for the better.

At Symantec we're not going to be doing tons of different projects, we're going to focus on a small number of innovations, rally the team around those innovations and get those projects across the finish line quickly and successfully. That's been really refreshing about the transition to Broadcom. Once you get buy-in on an idea, you get the support, you get the resources, and you have a clear timeline. You know exactly how you need to execute. That focus around executing quickly on innovation is very exciting.