In an exclusive interview with Brian Pereira, Content Director, Digital Creed, Bill McGee, SVP, Hybrid Cloud Security, Trend Micro talks about the adaptive way to develop security products through a culture of DevSecOps.
Bill McGee joined Trend Micro through its acquisition of Third Brigade, where he was co-founder and VP of Products and Technology. He is now the SVP & General Manager Cloud and Data Centre Security at Trend Micro. Prior to co-founding Third Brigade, Mr. McGee was SVP of Product Development at Entrust, where he was also a member of the founding team that formed Entrust from within Nortel Networks. As a member of the cryptographic systems group at Nortel Networks, he conducted pioneering work applying public-key technologies to multiple communication systems.
Q. Gartner says security cannot be static and there is a need to adapt security infrastructure on a continual basis. Can you explain how Trend Micro is responding?
Bill McGee: There are well developed aspects of security policy and security defense which we put in the white and black category of protection. White is defining what is allowed on systems, whether it is a firewall policy or what applications can run. Black is malicious. Gartner is saying that it is not sufficient, because there is a set of grey out there too; sometimes it is unclear whether it is bad or good. Sometimes the targeted attacks fall in the grey category.
Organizations are requesting for our products to provide better visibility into potential issues. They can then make risk-based assumptions on whether they should be investigating further or not. These new methods can have a higher false positive rate because they are not blocking technologies; it is not certain whether it is a security incident or not. However, this can be confirmed once they see the issue on multiple systems. And then they can investigate further.
We are making changes to our products to provide this additional visibility, with the ability to do incident investigation better.
Q. Enterprise IT infrastructure is becoming more hybrid. Users are asking for simplicity and automation to manage this infrastructure. Does the security threat vector change in hybrid and cloud environments?
Bill McGee: Threats on the hybrid cloud have not changed significantly yet. The same methods that are used to attack on-premise datacenters are used to attack clouds. Our customers who use our solutions for protection feel better protected on the cloud. It’s not really the nature of the cloud; they have simplified their architecture, modernized their security defenses and automated a lot.
Q. What should an organization keep in mind when selecting a security product or going with a vendor?
Bill McGee: The threat landscape is not static. The product itself is changing and so is the threat. So, one needs to have an information relationship. Good trusted interaction with the vendor is key.
Another key criterion is the openness of the technology, so that I can bring the additional insights the customer has and use those in the product. Or is it a closed system where the customer is completely dependent on the vendor? This about customization and the ability to use APIs for integration with other applications that a customer uses. It is also about additional threat feeds. Trend Micro has massive amounts of information that we provide to our customers. Some of our customers have their own threat information. Our products accept that information and deploy it so that our customers can get additional insights.
Q. How can a DevSecOps culture help in strengthening security?
Bill McGee: DevSecOps is something on the horizon and very few organizations are there today. Many organizations have a strong DevOps culture in place, and they need to learn how to do security on top of this. The security group must be involved in the CICD (Continuous Integration Continuous Delivery) pipeline or application development pipeline. Historically, security has been involved after product development, on top of production environments – without much insight into all the steps that led to the occurrence. Now we recognize that security can work better when you go back earlier into the development pipeline.
We are really figuring out how our products need to change to allow the security sponsor in the organization to intersect successfully with that DevOps cycle.