Q&A with Zone Labs: Building security software a "mistake" for Microsoft
San Francisco (CA) - If the firewall has indeed become a permanent part of every computer user’s portfolio, along with her word processor, Web browser, virus scanner, and popup blocker, then Gregor Freund, the CEO of Zone Labs, is the man responsible. We had an opportunity to chat with Freund about the new ZoneAlarm 6.0, and about how the threats facing corporate networks have evolved.
Sixty seconds spent with Freund will alter your definition of a CEO. He provides a charismatic public face for his company; he’s not one to lead from behind the barricade of an executive suite. And Freund usually refrains from the paranoid language indicative of most security companies, and instead provides a picture of a threatening, though manageable, Internet-oriented work environment.
THG : With regard to ZoneAlarm 6.0, you’re talking about "triple protection" on the firewall, and you’re adding one layer having to do with the operating system kernel?
Freund : Five years ago, people who were writing viruses were more or less hacking for glory. Now the whole "malware industry" - if you’ll pardon the term - is moving to hacking for dollars. It means everybody is trying to make money off of Trojan horses, spyware, and so on. That caused an enormous shift in the kind of attacks we see, and in the intensity of new technologies for [not only] breaking into your computer, but becoming sticky. If you look at spyware [just] a year ago, it was relatively easy to remove. So the approach of the anti-spyware software - which was to scan your computer once a day or once a week and remove the stuff - worked reasonably well. Now the stuff becomes so hard to remove because [the writers are] using all kinds of old virus tricks. They’re using "rootkit" [the Hacktool.rootkit backdoor "suite"], they’re using polymorphism, they’re doing rapid new releases, all of which defeats the conventional way of dealing with [spyware].
So we added a third layer to our protection: The first layer was always the network firewall, the second was the firewall that sits between an application and a network to make sure that specific application has network access. Now we added a third firewall, which sits between the application and the operating system, monitoring what an application does. Malicious code does specific kinds of things: For example, it often tries to add itself to autostart mechanisms, so they run every time the operating system boots. Or maybe more dangerous, it tries to install a device driver, or to listen into your keyboard and mouse events. These are things that we can actually detect. We then ask our centralized database, "Do you know about this application? Is it either on our whitelist or our blacklist?" We count about 95 percent of all known, good applications. If it’s on the list, we automatically do the right thing; if it’s not on the list, the user gets a popup that says, "Do you trust this application to do these kinds of things?"
THG : Something that astonishes me in researching the behavior of spyware is a category that uses some of the methodologies you talked about - "rootkit" and - chief purpose is to sit there and do nothing, not to particularly report anything whatsoever. The people who write this "nothingware," I call it, do it as what they call a "proof-of-concept" - something to show that it can be done, that they could spy on you if they wanted to. But since they’re so nice, they’re not going to. It’s like somebody leaving graffiti on your system.
Freund : And the problem is, even if it’s just a couple of guys who do it as a proof-of-concept, that spreads to the guys who might have much, much different kinds of motivation. Frankly, if you have a piece of malicious code running in the kernel, you’ve already lost the battle. Once in the kernel, there’s no security model any more. If it’s running as a device driver in the core of the operating system, at least in theory, it might become almost impossible to remove those unless you resort to [methods] beyond the reach of most users. That’s exactly why we find it so critical to actually prevent these things from happening in the first place, and stop them when they try to get a foothold on your computer.
THG : Last May, you suggested the formation of a kind of shared database across the industry, to help companies that combat malware behaviors to share common information among themselves, and perhaps, be able to respond to it faster. What is the status of this idea?
Freund : We are in constant conversation with other companies, to potentially create a consortium of companies... Right now, there’s no other company that has the infrastructure to actually take advantage of that information. Because we’re not just building databases that we then download onto the client, but we actually create an infrastructure that, when something happens on the computer, asks the centralized database. We’re now seeing about 30 million requests per day, and 95 percent of those we can actually answer - positive or negative - [with] a 0.3 second turnaround time. We’re a full generation ahead of everybody else in terms of building this infrastructure, so I don’t think that other vendors could use this data as effectively as we can right now, simply because we built that infrastructure over the last 18 months.
THG : What about Microsoft? Where are they in terms of a generation behind or two generations behind Zone Labs?
Freund : I really don’t know, frankly. They have an anti-spyware product that’s so-so, from what we hear... The company that you mention is not necessarily known for technical innovation, although they’ve been pretty good at copying other people’s stuff.
I was in Germany recently, and my mother is running Word 97 on Windows 95, never upgraded her machine, works just fine, and you know what? Word looks exactly like Word looks today; that eight-year-old version does just fine. Security doesn’t work that way. In security, your "customer" - and I’m saying that tongue-in-cheek - is really the hacker. They’re using the latest state-of-the-art, best-of-breed hacking tools to break into your computer, so if what you’re doing is a generation or two behind, you’re really only doing a very partial job. It’s equivalent to locking your cars, but only locking three out of four doors. That doesn’t mean your car is 75 percent less likely to be stolen, because every competent thief would try all four doors. The same with security: If you’re 75 percent protected, if you protect 75 percent of all the different ways of breaking into your PC, it doesn’t mean the user is 75 percent more secure. It might be 10% more secure, because a competent hacker would try five, six, seven different ways of breaking in.
THG : Back at Comdex Chicago in 2001, we were talking about what architectural issues Microsoft needs to address in order to fix the ongoing watershed security problem. Since that time, has Microsoft done what you think they need to have done to fully address that problem?
Freund : No, I don’t think so. I think to some extent, I think it’s a mistake [for Microsoft] to focus on building security software, because that’s really done very well by independent companies. I really wish they’d focus on the core of their applications, and the core of the operating system. Still, every month, I’m getting this long list of vulnerabilities, and we’ve seen quicker and quicker exploits of these vulnerabilities, often within days. This is a long list of things they need to worry about before they try to compete.
Don’t forget that cyber-security and, quote/unquote, "real-world security" aren’t all that different. We know that very secure countries tend to spend a lot more on security. If you go to Switzerland, the trains are well lit, they’re making a lot of things very secure, and still, they’re spending a lot more on police than other countries. So normally, a secure environment creates more of an awareness. I firmly believe there’s a need for an industry that focuses on creating a layer on top of everything else, of the operating system, of applications; and at the same time, there’s just as much need of securing the applications, and the operating system, and frankly writing better code to avoid a lot of these security holes. I don’t really think that the one thing is going to replace the other.
THG : In this new industry that you’re talking about, does Microsoft play a leadership role, or does it play a membership role?
Freund : We’ll see what role Microsoft plays. I think that it’s very, very hard to do both at the same time. On the one hand, you’ve got an inherent conflict. There’s a reason why, in the real world, we separate police and security guard functions from productivity functions. Think about it: You could come up with [a plan] to save some money here by having all the cab drivers all be cops. Then you can decide, are they going to pick up the fare or are they going to chase down the bad guy? You run into a lot of inherent conflict if you try to do both at the same time.
A good example was a couple of weeks ago, when Microsoft decided to look at buying one of the largest spyware companies, Claria. Within days, the spyware from that company disappeared from, or was reclassified in, the Microsoft anti-spyware product, because now, while they’re talking and sitting around the table and thinking about buying this guy, they can’t at the same time classify them as malicious. So you see that, very quickly, your resolve to provide good security gets compromised by conflicting business goals.
THG : In your opinion, are the users of corporate networks, and the people who administer them, more mindful of security measures and proper policies and procedures than they were five years ago?
Freund : Yes, I think the consciousness has changed. Particularly, companies understand much, much more where their weak link is. About five years ago, when we were talking about endpoint security, we were, in most cases, getting somewhat puzzled stares. Everybody understands now that the individual PCs are a big threat. I still don’t think the consciousness is there [about] exactly what is the right methodology, because it’s not as straightforward as, let’s say, coming up with a new secure protocol or coming up with a new authentication method where you can phrase a lot of these things in computer science terms. A lot of the new threats we see deal with quite sophisticated human engineering, taking advantage of people’s behaviors, and that’s a lot harder to manage. Frankly, you want to have an environment that’s open, where you take advantage of PCs, where people can do their own things with the PCs; and at the same time, you want to make sure that nothing bad happens.