Meeting the Challenge of Mobile Security: The Perspective of Matthew Wilson, CEO of Penten
When visiting Australia, a key point of entry into the security and defense modernization process is the way the Aussies are reshaping their defense industrial base. They are a country the size of the United States with a population of just under 30 million people, with an economy the size of Texas but almost as large as Russia’s.
They are investing in a significant modernization effort, but one key question looking forward: how will Australian cyber, security and defense industries play in the future of Australia, with allies and the global technology business?
One impression I have is that Australia is clearly fostering a number of innovative technology companies at the SME level, augmenting the global capability being delivered by large international primes.
A key problem facing modern militaries is clearly how to build secure networks on the go?
Indeed, there is a clear disconnect between the security procedures of what seems the Jurassic Age and the networks correlated with those procedures and what a mobile security and military force needs for flexible, agile operations.
I don’t think a T-Rex jumps out as one as a flexible, agile animal; after all it is dead. This clearly is what needs to happen with the Cold War security mentality and the very heavy structure of very heavy and structured IT pipes that are integrated into the support of yesterday’s approach to security.
During my visit to Australia in August 2018, I had a chance to visit a company, which is pioneering very innovative ways to provide for security for mobile systems.
Winning contracts with the Australia’s Defence Innovation Hub and being nationally awarded for its technology, Penten is one of the new breed of Australian SMEs challenging traditional defense thinking.
I had a chance to sit down and talk with the CEO of Penten, Matthew Wilson, while visiting Canberra in August 2018 and to discuss their approach and the way ahead from his point of view.
Wilson started by laying out the general context within which Penten has been launched and works.
Our focus is genuinely about trying to solve problems in the cyber security space that haven’t been solved anywhere else in the world.
Of course, we use the term cyber security but really, we are talking about information security. We are looking at enabling how people work and want to work, rather than just focusing upon how to protect the enterprise systems housed in large facilities.
Penten’s only been around three years, but the founders have worked together for around 20 years.
Traditionally, in Australia we look to find a solution overseas then forklift and integrate it into the Australian context – usually many years after it was needed.
At Penten, we have taken a different approach – we look at the Australian need and seek to create new technologies to solve problems in Australia first, not wait for something to be delivered to us.
For example, IT is quite different in Australia from the US, in terms of scale, quantity of data and size of market. It is also much richer in terms of investments, so we needed to focus on approaches, which fit the scale of Australia but also provided better data assurance for a highly mobile society.
In the discussion with Wilson, it was clear that there was a very dynamic interaction between the technology they shaped and are shaping and the concepts of operations, which that technology could allow his Australian customers to be able to utilize.
At the heart of the intersection is a priority on mobile security that is an ability to provide security for working from classified or secure networks but to do so while working in a variety of locations.
Wilson went on to highlight some of their key work and technology areas of effort.
A key area where we have focused our attention is upon secure mobility.
That is how do we make classified information more mobile? And that mobility is not just outside of a secure facility. It can sometimes be in the secured facility itself.
A second key area of work is with regard to automating some cyber deception capabilities within a defense construct.
What do we mean by that?
If an intruder gets on a network and they communicate with a server they will ask the machine, “who are you,” the machine will tell them, “I am a Windows server version 2013 running this particular version, running these particular services.” The current paradigm is- if I ask a question of a server, I get an answer and I know I can trust the answer.
Because of this I know what tool to use to be able to move from that machine to the next target. This paradigm makes the job of the attacker simple. But what if we start to send back information that isn’t true, we do two things.
One, if the use of cyber deception is known to the attacker, we’re actually raising the cost of the way that they need move through a network because they can’t trust their usual methods.
And secondly, they have to be a lot more careful which gives us more time to find them.
But the challenge of creating effective cyber deception campaigns is really difficult.
Crafting ways one can go about making that tool more automated has been a real challenge and we have been focused on using machine learning to create decoy information to be able to trick and trap someone on a network. We are focused on creating as realistic decoys as we can.
Today’s cyber adversary is primarily an insider who is tip toeing around areas and information that they shouldn’t or we’re talking about an outsider who has stolen credentials and looks like an insider. That is, we’re looking at users on a network that look and act real because in most senses, they are.
This new adversary turns traditional behavioural and permissions-based protections into a sea of alerts. Automated cyber deceptions create very few but very high value targeted alerts for analysts to focus upon.
The mobile security piece really is central to the con-ops/technology dynamic. Users are operating in very mobile settings; but how to leverage information in ways that security is not only not compromised but that information can be brought to the appropriate use area?
If data is simply protected behind a firewall and not useable by the mobile users, whether military on the go or doers (doers as the Exxon add highlights) then the data may be secure but also useless.
Wilson described this challenge as follows:
I had a customer come to us and say, “we’re building and spending millions and millions of dollars on these beautiful buildings and we’re making lovely breakout rooms and secure cafes and really trying to create a work environment that is modern and conducive to the way people want to work.
We’re out there trying to recruit against the Googles and the Microsofts and the next great startup, the Twitters, for the next generation of talent” and what I’m actually doing is saying, “when you join us and get into this office, you’ll sit at that desk, you’ll have that desktop which you’re chained to, that is where your information will reside.
And when you want to engage with others, your mobility will come from a printer and your memory.
This is not the way the next generation has been trained to think, learn or work.
They are always connected, they are collaborative and they expect to add value with information at their finger tips.”
This creates a significant recruitment problem even before we get to the security problem.
In the enterprise world we have moved away from the hub and spoke approach some time ago. The focus now is upon how we both enable the user and protect the information they need access to?
He then went on to describe the shift for the classified community from moving from briefcases to secure data to what Penten now offers which is a secure USB enabling device – the AltoCrypt Stik.
The briefcase approach was built around the notion of providing mobility in terms of taking the entire architecture from a headquarters and sizing it in a smaller form factor.
What was being created was a mini-networking node. It wasn’t about enabling an individual.
We focused on the process quite differently. Rather than thinking about crypto being in the cupboard or in the computer rack, we’ll bring it right up to the device itself.
What we’ve essentially done is to take a heavy flyaway kit which was a network extension node and simply replace with a small USB device that enables the user’s laptop or tablet directly.
Through the use of the USB device and the authentication process, your mobile device is a peer network device on whatever network you are working on.
We have been focused to date primarily on two situations or con-ops. The first is working with the various secure buildings to be able to bring the information to the work situation in which they are engaged with others in the organization.
For example, we are working with the ADF on enabling a brigade headquarters to go wireless within a mobile HQ.
The second is mobility outside of a secure facility. And this gets to the larger question of how to build the pipes within which data flows to enable the user, regardless of classification.
An individual will require a pane of glass that engages with very different networks, whether it be a strategic network, whether it be a mission network, whether it be a coalition network, whether it be an even higher side network.
We can start to think about methods of engaging those networks that are all about enabling the device itself and not necessarily running separate infrastructure, either to that location or even from the cupboard perhaps of the device itself.
We can start to think about a real efficiency in the way that we’re looking at some of those larger pipes and the transmission of data. This allows us to start to think about the way that we’re pushing large chunks of data around the network.
Obviously, the approach being developed here is very relevant to handling the twin demands of mobile forces and at the same time how to handle larger data sets being generated by sensors on various platforms.