2018 TAG Cyber Security Interview with Industry Luminary: John Viega

September 7, 2017

By Dr. Ed Amoroso, Chief Executive Officer of TAG Cyber LLC

Interviewing the cyber security luminaries included in the 2018 TAG Cyber Security Annual was a thrill for me on par with what a political scientist might experience interviewing world leaders. My hope is that the pure joy of learning afforded by these capable and successful cyber security experts comes through in the narrative and transcripts. As any interviewer will attest, the goal is for you the reader to feel like you were seated right there during the interview, learning from the insights and views of these fine security experts….

An Interview with John Viega, CEO of Capsule8

Container-Aware, Real-Time Security for Linux

Advanced threat protection for Linux has been underserved, which is an issue given its pervasive deployment

Cyber security companies emerge from stealth every week, but few were more welcome to see than the recent unveiling of Capsule8, a Brooklyn-based cyber tech firm working hard to help us protect our Linux deployments. It is a well-kept secret that most server infrastructure, including in public clouds, depends on Linux for computing support. While this is good news for expert administrators with strong Linux backgrounds, it has the odd and unexpected implication that many of the commercially available tools to protect servers are not applicable. John Viega, CEO of Capsule8, helped us understand this situation, and explained the technical underpinnings of his team’s container-aware security solution for Linux.

EA: John, what are the statistics around Linux use in the data center and cloud?
JV: According to The Cloud Market, more than 92% of Amazon EC2 instances run Linux. About 18 months ago, Microsoft announced that about 1 in 3 Azure instances runs on Linux, and we’ve heard people claim that this number is now close to 1 in 2. With such widespread adoption of Linux in production environments, it’s surprising that the best practice for attack protection for enterprise Linux is stuck in the early 2000’s. Our team at Capsule8 is focused on bridging that gap.

EA: What problems do most people face with Linux security?
JV: People tell us that it’s difficult to collect and analyze the right data efficiently and easily, without risking bottlenecks or reliability. This is even more true when deployments leverage micro-services. Most people find out about breaches hours or days later, if at all. The world we’re enabling allows detecting attacks in progress, and automatically shutting them down as they’re happening, without negatively impacting production systems.

EA: Does the approach work differently for legacy Linux deployments than for ones newly deployed using your technology?
JV: Our data collection doesn’t much care if you’re running in a cloud-native environment or a legacy environment. The analytics and automatic attack response can be done a bit better in a more modern environment. For instance, in a modern environment, some pieces of an environment are typically “stateless,” meaning they can go up and down without impacting the application. We can leverage that knowledge to provide more accurate protection, because we have more information on the types of things that shouldn’t happen. But we can also be a lot more liberal about automated response in a stateless environment (if you’re worried a container might be compromised, then often you can just kill it and spin up another one). In a stateful workload, you must be more careful, but can still do things like kill risky connections and alert an investigator. The key here is acting in real time, before any damage is done.

EA: Give us a summary of how security solutions such as yours might prevent unknown threats from occurring.
JV: While there are shockingly many software vulnerabilities, there are far fewer exploitation techniques. We focus on detecting attempts at exploitation, and then, as a fallback, evidence of compromise. For instance, memory-based exploits often involve making non-executable parts of application memory executable. Detecting such things can be highly effective. But if an attack is truly pioneering, we may still notice, for instance, an interactive shell being spawned by a web server, which is a sure sign of exploitation in most places.

EA: You’ve been at this security game for some time. What are some offensive and defensive trends you are seeing?
JV: One of the most important trends is common to both sides: Automation. Attackers seem to be better at the automation, but the security industry is getting the message. The current number of experienced cybersecurity professionals is not nearly enough to satisfy our cybersecurity needs in the public or private sectors. In fact, ISACA predicts that there will be a global shortage of two million cyber security professionals by 2019. So, the industry can’t rely on human expertise alone for protection; we need automation. We are starting to see some leading-edge organizations automate at least part of their response process wherever possible. Capsule8 is designed to not only automate attack response, but to integrate via API to any incident response automation companies have deployed (e.g., Demisto or Phantom). Automation is a huge focus for us because without it, we can’t possibly keep up with the growing pressure from our adversaries.