ProtectWise's Scott Chasin Reveals His No. 1 Email Security Rule

By Dan Costa Features PCmag

Welcome to Fast Forward, where we have conversations about living in the future. Today we're talking about internet security with Scott Chasin, CEO and co-founder of ProtectWise. WannaCry is on the agenda, but we'll also discuss a new approach to security and protection that involves visualization. The idea is to make security understandable to you, to me, and the many people who don't understand how to navigate a command line. Read and watch our chat below.


Dan Costa: We live in particularly scary times. It seems like there are more security threats now than ever before. What should we be worried about? Is it cyber criminals? Is it nation state actors? I remember a time when people just wrote viruses for fun, but now it seems like everybody wants to get paid.

Scott Chasin: Yeah, that's very true, and I think the answer is all of the above. I think you should be concerned with not only [hackers who] want to get paid but other nation states that are causing a lot of disruption around the world. It's not an easy solution to a very complex problem. It seems like the attack surface continues to widen and the threat climate is only getting worse.

What do you think is the one thing that most consumers aren't afraid of but probably should be?

Their email. When you think about how targeted attacks happen or even just the casual drive-by phishing attack, it generally starts with their inbox. We've got to get out of this mode of clicking on links in your email. That's really a bad thing to do and it often times gets you into trouble.

That's an interesting thing too because we've all adopted email. I have a policy that I try to enforce where I don't send an email that I wouldn't want everybody to read. You have to assume that it's going to get forwarded to everybody in your company under some circumstances. It can certainly be subpoenaed. Then if it's hacked, it's all going to get out to the public anyway.


There's a huge privacy concern, but there's also a trust concern here because oftentimes you'll find that phishing attacks mask themselves as from a sender that's trusted. That's really where the problem comes into play. It amplifies the fact that you really just can't trust email. Headers can be forged. Obviously targeting websites or phishing websites, they look legitimate. They look like they're trusted so you have to be very vigilant, very careful as to what you actually click on and how you interact with the open web.

Recently, Google Docs was hit by a phishing attack. It was the first time that I'd seen a virus hit our company and our security team send out notes saying don't click on these links. At the same time, I was seeing reports all across the web and on Twitter. It hit a lot of people.

Yeah, email is obviously a mass medium communication channel and it's more and more being integrated into the application layer. It's a natural lily pad starting point for getting back to the app, and so you just have to be really, really careful.

So never click on links in email. I think also don't send as many links in email. That creates the culture.

You certainly don't want to be sending links in email. Then I would also say update your machine, right? It's one of those convenience things where 'oh, I'm going to do this tomorrow, I'll put it off.' You gotta update your machine because the malicious software that's out there takes advantage of old software that generally contains a lot of vulnerabilities. Unfortunately, these vulnerabilities are being used by criminal organizations to make money now.

WannaCry just hit, we're still feeling the reverberations of it. The thing that was not mentioned in a lot of those initial headlines was that if you're running Windows 10 and you have a patched machine, this is not going to affect you.

I think a lot of folks were bit by this that didn't have the updates: Windows 7, Windows 8, Windows XP. Microsoft patched this back in March and so we didn't start seeing the impact until the last couple of weeks. The reality is that you gotta update. Patch management is critical. Those that had updated patches, those that had vulnerability management solutions from a corporate or enterprise perspective fared okay.

So there are individual users who have to develop that habit of just applying by default all the updates that get pushed out. Then there's the business side where doing those patches and applying those updates could cost the business money, and they're the ones that tend to kick these things down the road.

That's right. The reality is that this is most likely not the last [time we'll] see these kinds of vulnerabilities in the widespread nature that we saw with WannaCry. In the first 48 hours, you had 150 countries that were impacted. The reality is that you're going to see a wave of new vulnerabilities that are released. Specifically by this particular group, The Shadow Brokers, which released a number of zero-day vulnerabilities. You can expect, I'm afraid, in the next couple of weeks and months, even more of these types of attacks.

So this is one particular group, what do those people look like? Are they kids in their basement that are just sort of glommed together and wreaking havoc or trying to get paid? What motivates a group like the Shadow Brokers?

There are a lot of folks that are forensically trying to determine exactly who they are. There's obviously some links that go to a number of different nation states, so we'll leave it at that. The investigation continues.

It's non-trivial to find out exactly who is doing this.

That's right...this is a complex threat surface with a lot of hidden vulnerabilities being exposed as we kind of move forward.

Let's talk about how to deal with the complexity of that landscape. Your company has a unique but intuitive approach. In layman's terms, you take a security environment and create a visual interface for it. It can be navigated and doesn't require a command line to understand what's going on.

ProtectWise is all about creating a memory for the network. It is very similar to physical cameras that record. We've created a virtual camera that can record everything that happens on the network and we store that recording in the cloud. Now that's really important because a lot of companies are hacked and they don't know it, and they're not actually recording what happens on their network. So we provide that forensic breadcrumb trail that allows analysts to go in and answer the questions of how did they get in and what did they take? So what we've done is we've taken this memory for the network, we've put it in the cloud so we can have a really long retention window, as most hacks go undetected for months.

This is really important for organizations because now they have a record of what happened and then we actually use that memory to go back in time. WannaCry as an example, or new Heartbleeds, we go back and we replay that memory. It was actually an idea that we borrowed, I should say modeled, from the International Olympic Committee, which has been testing athletes when they train and when they compete for many years. When they learn about new signatures or masking agents for performance enhancing drugs, they go back in time and they retest those samples. We did the same thing for cyber security. That was really the foundation of our product, but then we created this really advanced UI on top of it. If you're going to have all of this data in a memory for a network, you better have a really cool way to visualize all that data.

It's intuitive in that it creates a very efficient analytical response. That's exactly what we did. One of the first folks that we brought onto the team is somebody by the name of Jake Sargeant. Jake did all the CGI, or a lot of the CGI, for the movie Tron: Legacy, as well as Oblivion with Tom Cruise, if you remember that movie, and Terminator Salvation. We've been working with Jake for the last three years to really visualize all of this data.

The reason why we're so passionate about a security presentation layer is that one of the biggest challenges that we face in security isn't necessarily a technological one, it's a human resources challenge. We simply don't have enough advanced humans to connect the dots forensically and so part of the challenge within that talent acquisition is the tool sets that we use don't scale. They're command lines, they're terminal windows, they're python scripts, right?

We looked at that and we said, well, the Minecraft generation is growing up. They understand virtual worlds, they understand how to collaborate virtually.

When you look at the interface that you've created and you look at the metaverse you built, you see a lot of Tron influences. Most people are going to think that's ornamentation or it's just for visual effect, but all the images, shapes, and the entire environment mean something.

That's right. We've created something we call the immersive grid. Obviously the grid was built in the movies; we're building the grid in real life. The idea is that we're taking a network and representing all of the assets on that network. Whether it's an iPhone or a database or a laptop or a desktop, we represent those as buildings. The result is that you get a cityscape in a virtual world that allows you to basically see your security posture and all of your endpoints and PCs and assets. You can be inside of the network, you can be flying around and targeting different assets.

It's not gamification. We do have a high-end gaming engine, the Unity Engine that we use, but it's all about using gaming mechanics like targeting and way points and inventory management. Things that the next generation really understand and grasp.

Right now, a network administrator would see all those in a list but that's not as actionable as seeing an actual landscape of exposure.

The reality is that with security today, security is largely managed through log files, which is a text file of time stamps and a string of text, right? So we can search those and we can correlate them, but it's not visual, it's cumbersome, and it doesn't scale. What we're trying to do is challenge the status quo by looking at the next generation. We are looking at their capabilities around collaboration and want to use the leverage of gaming mechanics. We think that cyber security is the perfect model to be able to go in and not only respond more efficiently, but to hunt and patrol. Just like a beat cop would on the streets of New York.

Let's take some questions from our live audience. What do we got?

Speaker: Does your software do reverse lookups on IPs that are trying to do port scans?

Oh, of course. So we do a lot on network security. As far as scanning, detection, that's the first layer of what we call the kill chain. So we manage a heuristic engine that we've built that goes through all the stages of the kill chain. A kill chain is basically the stages of an attack and reconnaissance is the first stage.

'Kill chain' sounds pretty severe.

That's a military term.

Sounds like it. Talk to me about who this product is for. You've got some pretty highbrow clients.

We do, our first customer was actually Netflix. We've built this platform to deliver to the enterprise and very large organizations that have very complex networks or fragmented offices or have a lot of distribution in their IT assets. This is built specifically for those larger organizations, their incident response teams. The teams that they've put together to manage security across the network. They go out and do the investigation. They need forensic tool sets to be able to answer those key questions.

We've got the interface up here running. First of all, looks gorgeous. I feel like I could understand this if I knew what all these widgets were doing.

We wanted to put as much information as we could on what we call the heads-up display. This is designed to be up on a security operation center jumbotron, right? The idea is that it provides glanceable pattern recognition and so [you] very quickly see the number of connections going in and out of your company. You can see it zoned by geography, colored by threat severity. So everything you would see here, blue would be clean, red would be pretty bad. Now this is a demo loop of traffic and so we're constantly running bad traffic through it so yeah, there's a lot of red there.

So this may have been setting off alerts in the background while we were talking?

It's a demo, but here you can see the kill chain. We call this the attack spiral and so as you go deeper into this nautilus, the more problems you have. It starts with reconnaissance, [which] could be somebody scanning your IP range, to delivery. Delivery could be somebody sending you an email with a link in it that's malicious, to exploit, well, you've clicked on that link and now you're infected. To beaconing, now that infection is calling home saying 'hey I'm alive', to command and control, where now that botnet or whoever it's talking to is coming back sending commands and taking control of your PC.

Then ultimately to fortification and data theft, which is generally the objective here. So we manage all of that and we come up with events that allow for an incident responder to come in and very quickly understand what was the impact. We do all of the heavy lifting using machine learning, using some advanced heuristics and a massive state engine, we do all of the heavy lifting to allow the incident responders to very quickly come in and start to remediate.

This is in real time, but you've got the memory effect as well.

Our threat detection engine actually combines real-time analytics with back-in-time analytics. We like to call it a time machine. In fact when we were building this company and we were in stealth mode somebody asked me, 'What are you doing next?' And I was like, 'Well I'm building a time machine in my buddy's basement,' which isn't far from the truth. The idea here is that we go back in time thousands of times a day for our customers. Taking new intelligence that we learn about and going back and replaying that memory to determine whether or not they were breached in the past.

At the moment, people would have to filter through log files.

It is a lot of manual work to do it, so we use the power of the cloud, the elasticity of the cloud to not only store the data for a really long period of time but to continuously process it.

What does your personal sort of security process and protocol look like? What do you do? You open up your laptop, what browser do you use and what kind of protections do you have on there?

I use Chrome and 1Password. I don't click on links. That's about it. I have a couple of laptops and a home desktop. One laptop is a Mac, the other is Windows and I try to manage them the same from a security posture. Yes, I have AV, I won't mention which engine I do have.

You used to work at McAfee, though.

I did, I was a CTO at McAfee for a few years. It's kind of the easy stuff. Where we get into problems as consumers is the ease of use. The convenience that we all want so we cut corners, right? It used to be that we would write down our passwords, now we just use the same password.

There are a lot of people in this company with post-its and passwords on their laptops.

You got it and so now we have to think about again, clicking on links or updating the software. Even though it's an inconvenience, we have to be vigilant.

What about connecting to a public Wi-Fi network? I've done it.

IoT is another very large attack surface that's emerging, so public Wi-Fi is tricky. There's not a lot of authentication in determining [whether that's] really the AT&T Wi-Fi [or if] somebody is masking [it] as this particular public Wi-Fi. You gotta be careful. When you go beyond Wi-Fi and you get into the realm of everything connected, now you can really start to see the attack surface blossom.

I can tell you that we're not too far off in the distant future where we have ransomware like WannaCry that's locking up...your refrigerator. Perhaps they are icing you down with your climate control system. Think about the connected world and think about the challenges that we're going to face from a security perspective.

There are so many interesting things going on in the Internet of Things. So many great interesting products that are being built and they're being connected to the internet because we can do that now and it's relatively cheap. But very few of these companies have a Chief Security Officer. We find it very difficult to test the security of IoT products because there are just no standards, there's no process for it.

I think that's changing. Cyber security is a board-level concern. It's not that you're just going to get hacked, it's a business disruption thing. So a lot of companies at the board level are quite paranoid and so I think it's changing. I think that if you look at the budgets that most organizations are adopting, they're obviously trending upwards on IT security spend.

What are your thoughts on virtual private networks? We've seen a tremendous interest over the last three months, traffic to our VPN coverage has spiked. A lot of people feel like this is something that they just need to have. There's a lot of reasons for getting a VPN, but do people need them?

I think VPNs are extremely useful, especially in a corporate environment or a business setting. Again, it comes back to convenience. Clicking on the VPN, getting a connection, maybe having a little slower connection. These are all concerns that you have to understand are a part of the VPN life. My hope is that a lot of that technology becomes simply invisible and the goal of a lot of security should be to become invisible. Where we cannot inconvenience the user, but behind the scenes really create a utility model for security.

You are based in Denver; what's the tech scene like there?

Denver's fantastic and the city itself is booming. Software engineering is, I think, our number one job that we're attracting talent to. It's an amazing place for startups and we certainly have a lot of security startups in Denver. I think we have at least 80-plus in Colorado. It is kind of a cyber security headquarters for the West to a degree. It's a great town and certainly going through a growth stage right now, where a lot of the tech talent is downtown, and so you get that energy and that vibe that normally you would feel on the West Coast.

You've built this virtual environment that identifies threats, it is very cyber-spacey. I gotta ask. In terms of virtual worlds and the metaverse, who do you prefer, William Gibson or Neal Stephenson?

That's a hard one, but Snow Crash all the way. So Neal and maybe, later—just visually—the Wachowskis with what they did with The Matrix.

I would go with you on that. Although I think that Gibson has a broader, more integrated view of how technology blends into our culture. But for pure visualization of cyber space, I think Stephenson has it.

I think Stephenson nailed it.

We talk about the future on this show, what are you most excited about?

Well for me it's gotta be augmented reality. AR is going to have a massive impact. Even to what we do. Imagine being immersed inside of your network, but what if you could actually physically walk around your network? That's going back to Snow Crash, a pretty cool blended idea. I think AR is going to have a really big impact on a lot of industries commercially. There are some things that we gotta figure out on the hardware side, but overall I'm really excited about what I would call the new lenses. Whether that's virtual reality or augmented reality.

We talk a lot about virtual reality, we talk about the gaming impact and sort of that completely immersed environment. But I've always thought that augmented reality and blended reality would be bigger. There are just so many more opportunities for utility and usefulness and for businesses.

It's amazing, and if you've seen some of the early implementations, whether it's from architecture to engineering to cyber security, you can see it is really game changing technology.

What are you most concerned about and most worried about? What technological trend keeps you up at night?

I think there are a lot of them. I don't want to be locked out of my fridge, that's one of them. I think that overall, the attack surface isn't slowing down. I want a connected world, I want everything connected, but how we manage that not only inside of our businesses, but in our personal lives, is probably the biggest challenge.

We're not going to be able to do things the way we did them before.

That's exactly right and the adversaries that are out there, they're not going away, and so with that attack surface growing, the demand for disruption and extortion and to make money as a big motivator, it's there and it's constant.

One of the things that we've covered a lot on PCMag is that this went from a situation where there were some bad actors and then there was the security industry fighting them, to this is a criminal enterprise that makes a lot of money and there's tremendous incentives. Now because of bitcoin we have a payment system that can be pretty anonymous.

That's right.

This is the world that we live in and we need to have a totally different type of approach.

That's exactly right and we're hopefully onto a new approach that can enable an entirely new generation of cyber security analysts and responders and hunters and patrollers. We think that's really key. We gotta solve the human capital issue that's associated with all these jobs that are going unfilled. Some studies suggest 2 million jobs in the next four years are going to go unfilled in cyber security.

We were talking before we started filming that this is a counterpoint to that idea that automation is going to replace all human labor. But this is a case where we need the automation, but we also need the humans.

I don't think you can take humans out of the equation here. It's going to be some time before we can replicate human intuition in an algorithm, even an AI algorithm. Unless there's an awakening at some point, but humans are going to be a constant here. I don't think that you can completely leverage AI. Machine-guided intelligence in context of cyberspace is really good, but I don't think you'll be able to get away from humans in the equation.

What is the one product or service that has changed your life the most? Could be a gadget, could be an app?

Oh, that's a great question. Well obviously it would have to be the super computer that I keep in my pocket, which is my iPhone. With that, I can pretty much get anything on demand and so whether it's Uber or groceries, you name it, and I think that connected life is probably the one thing that's changed the most, right?

It's important not to take it for granted.

No, absolutely.

This episode of Fast Forward is brought to you by Lenovo, where different analyzes better. If you want to hear past episodes you can find them on iTunes, Google Play, SoundCloud and wherever fine podcasts are given away for free. Again, big thanks to Lenovo for making this show possible and thank you for listening.

For more Fast Forward with Dan Costa, subscribe to the podcast. On iOS, download Apple's Podcasts app, search for "Fast Forward" and subscribe. On Android, download the Stitcher Radio for Podcasts app via Google Play.

This article originally appeared on PCMag.com.