Guy Rosefelt, Sangfor Technologies: “endpoint security is necessary but not sufficient”
As cybercrime accelerates, more businesses are looking for novel tools to counter the technology used by malicious actors.
From two-factor authentication (2FA) and VPNs to AI-powered solutions, both individual users and large institutions are looking for ways to protect their sensitive data. Luckily, new technologies are coming out every day with more to offer than ever before.
Guy Rosefelt, Security Chief Marketing Officer at Sangfor Technologies, talked us through a variety of security products the company offers, and discussed innovations in the spheres of cybersecurity and computing.
Since your start in 2000, how has the company evolved? What were the major milestones for Sangfor?
We released our first product, IPSEC VPN, in 2001. That was hugely successful, reaching over US$4M revenue in two years and becoming the de facto market leader. From there, we released new infrastructure or security products every two years until 2011, when we started releasing new products annually. In that time, we also expanded throughout APAC and then into EMEA in 2018. We reached over US$700M revenue in 2020.
You often stress the advantages of the Next-Generation Firewall. What are those benefits, and how is it different from a traditional firewall?
The industry standard today is the “next-generation firewall” (NGFW). Gartner defines that as a “deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.” Long before Gartner, Cheswick and Bellovin defined what an application firewall was in 1994. Ironically, I was selling and supporting Raptor firewalls, the first commercially successful full application proxy firewall, 30 years ago.
It was NGFW before there was NGFW, and it had a built-in IPSEC VPN. And it was not the only one; there was Sidewinder, Gauntlet, and a few others. But back in the day, application proxy firewalls were slow, and firewalls like Check Point took over the market because they made the case that stateful inspection was good enough protection. Fast forward 15 years, and that was no longer the case as successful application attacks started to emerge, mostly against web applications. Stateful firewalls were no longer good enough. So, the web application firewall (WAF) was born. I sold those too.
Sangfor does not talk about NGFW because that category has become disadvantaged. Sure, the best NGFWs have a lot of application intelligence and can process at wire speeds, but they are still limited in what they can see and block in a world with AI-enabled APTs. You cannot protect the network unless you can see potential threats to the network, not just monitor the traffic passing through it.
Sangfor has sold the Next-Generation Application Firewall (NGAF) for over 10 years. First, it is the only solution to seamlessly integrate NGFW and WAF in the same product, so application intelligence is more robust. Second, it has our Engine Zero malware detection engine built in to scan files as they are transferred through. Finally, the NGAF directly manages our Endpoint Secure product, which creates a closed-loop synergy between network and endpoint, telling the firewall how to respond when an endpoint is known to be infected.
Did you notice any new threats arise as a result of the pandemic?
We saw several threat trends that were common globally:
- With the move to Work from Home (WFH), there was an increase in reported insider threat activity, especially data exfiltration. Many cases were linked to employees downloading confidential company data while at home and passing it to prospective employers while job hunting.
- An increase in successful ransomware and other APT attacks that originated in the employee's home and then spread through the VPN into the corporate environment. Many computers used for WFH early on were personal computers before corporate laptops were provided (if at all) with the corporate VPN installed. Those systems or other systems in the home had, at best, basic (free) consumer AV installed, so not great on protection. Then the VPNs had no way of identifying and blocking malicious traffic coming down the pipe and directly onto the corporate network.
- Purchases of new security solutions slowed significantly in areas with extended or ongoing lockdowns. Many projects were going into the POC (proof-of-concept) before lockdowns, then got put on hold. Organizations did not want to test products on the organizational network while everyone was remote in the event operational systems were impacted and could not be restarted remotely. As lockdowns eased, POCs started to increase, then stopped when lockdowns were imposed again.
As the rates of cybercrime are on the rise, what measures can companies implement to protect their operations?
Assessment and prevention are the first steps. Find the gaps in your security (vulnerabilities, security policies and procedures, unpatched systems, etc.) and fix them. Run assessments regularly. This is not new to anyone, but it is surprising how many organizations still do not do this. Most organizations have had to move to WFH but have not done a thorough assessment of the risks posed to the organization by these WFH users. How many infected systems at home can infiltrate down the VPN?
The next issue is that most organizations are in the “be able to detect everything” mindset. They are so focused on finding and blocking everything that they cannot conceive of what to do if something gets through and causes a breach. They need to plan for something getting through undetected and how to mitigate that. AV-Test sees 350K new malware variants every day. On average, NGAV/EDR/etc. is 99.5% effective at blocking; that means 1750 variants have a chance of breaching every day… something will eventually get through. Do they have a process to hunt for that?
Even though there are so many security options and providers out there, why do you think certain companies and private users still hesitate to upgrade their security defenses?
Cost is the biggest issue; no matter what security managers say, the people that write the checks do not want to pay for security unless they are forced to. There are a lot of organizations where top management does not believe they are a target.
This happened some years ago when I was a principal architect. I was scheduled to do a product installation and attempted to contact the customer a week before to work out logistics. I received no response from any of my customer contacts during that week. Finally, the Friday before I was supposed to travel, I was able to reach the CFO. Turns out, the entire security group I was supposed to work with was laid off the week before I was called as part of budget cuts. That group was considered a cost sink and did not provide the value to justify the cost. That group was the security operations & response team; their job was to investigate potential breaches and mitigate them. They averaged 50 incidents a day and were very good at what they did. I was going to upgrade part of their security infrastructure to improve detection and response. However, during the budgeting process a few weeks prior, someone decided that the team was not necessary; the company had never been breached so there was no need to maintain the expensive operations and response team and hundreds of thousands of dollars could be saved. Management had no clue how many breaches were stopped every day so, in their mind, there was no value. Six weeks later, they suffered a major breach and lost many critical systems.
I will say the mistake the operations team made was not providing metrics to upper management to show their value. At the same time, management never asked for any reporting or status.
This stuck with me, so I have made it my mission to make sure that all stakeholders can see the risks and the potential impacts. Today, things are much better as most organizations’ management now understand cyber threats and risks, or at least must meet some compliance requirement to quantify the risk. But a recent survey we supported shows that 50% of security groups still lack budget.
More enterprises than ever seek to switch to cloud solutions, but choosing between the private, public, and hybrid cloud can be overwhelming. Can you tell us a little about each of them and what type of user they suit best?
Let’s start with some definitions:
Public cloud - essentially, cloud services that offer the best high-volume workloads at the best price in the marketplace. However, public clouds are at risk of multiple security threats due to multi-tenancy. Hence, there will be organizations reluctant to engage those cloud services and delegate security responsibility for the infrastructure while retaining full responsibility for workload security. A typical customer for the public cloud would be one who wants to leverage a more economical solution for running less critical applications within this cloud platform.
Private cloud - cloud services/platforms that have high-security protection and are more expensive than other cloud services. Private cloud customers tend to be extremely security conscious, like government or financial organizations that need granular control with access to best-of-breed protection and are willing to pay for it.
Hybrid cloud - this scenario strikes the balance of both public and private cloud services to create custom environments with high levels of security. Cloud providers and customers work to minimize the exposure of data by moving data and workloads between the public (less critical applications) and private cloud (mission-critical applications). Hybrid cloud gives customers the choice of opting for sustainable operating experiences that scale out or capital expenditures to scale up.
At the end of the day, organizations need to understand the risks and ROI of each option in relation to the services they need to implement. Do I want to host a complex and critical banking application on a less expensive, less secure public cloud? Do I need to host an information-only web application on an expensive, very secure private cloud? Should I host (and sacrifice) the web front end on a public cloud for the banking application backend hosted on the more secure private cloud?
Nearly half of the workforce at Sangfor is working on research and development. What was the idea behind this business approach? Can you tell us about some of your recent discoveries?
Sangfor has been about innovation since the very first day, so it is no surprise that we dedicate a significant portion of manpower and revenue to R&D. We worked hard for CMMI Level 5 and CC Level 4 certifications to verify and validate that our processes are world-class, repeatable, reliable, and secure. Sangfor has over 1000 patents, and we apply for new ones every year. We are the only firewall vendor with an integrated NGFW and WAF. We are the only endpoint protection vendor with the first-of-its-kind ransomware honeypot built in the endpoint agent.
We have actually been delivering in China for years what is, at best, marketed as XDR internationally, before we had even heard of XDR. We call it our XDDR (eXtended detection, defense, and response) Security Framework. With XDDR, we have delivered true threat hunting and coordinated response using our Cyber Command threat analysis platform, NDR sensors, NGAF (next-generation application firewall), and Endpoint Secure.
Our Application Containment solution identifies and blocks anti-proxy or proxy avoidance applications, both on the endpoint and on the network in a single policy. We have released Sangfor Access, our SASE product which integrates with our new consolidated endpoint protection architecture that will be released shortly. We deployed XaaS (Anything as a Service) this year, including our new Desk-as-a-Service (DaaS). And we have more innovations in the pipeline to come.
It is evident that online learning is going to become the new norm. With so many remote devices, how can institutions achieve and maintain top security for the upcoming school year?
Endpoint security is necessary but not sufficient. Endpoint security should be an indicator of risk that cloud services and network infrastructure use to determine what level of access to resources, if any at all, will be available to users. Access controls must be based on user authorization and not the IP address of the system. Network detection and response (NDR) should be enabled at all remote access points (such as VPN servers) to detect and mitigate attacks from infected or breached remote systems. And all of that is for naught if there are no ongoing assessments of the infrastructure looking for vulnerabilities and security gaps and remediating them. Patching is your friend.
Lastly, everyone has some type of compliance requirement they have to meet, so robust and comprehensive reporting with metrics is a must.
And finally, what’s next for Sangfor?
Sangfor is one of the largest and most successful security and infrastructure companies in Asia. We have accelerated expansion into EMEA and are being recognized not as an Asian vendor but as a global leader in IT infrastructure, security, and cloud. A significant portion of the Fortune Global 500 are our customers. With increasing innovation in solutions and services, we plan to double that soon.