Xceedium Chief Strategy Officer Ken Ammon has gained reputation as a renowned security expert in issues related to the federal government. He previously testified before the House Government Reform Committee on dramatic security vulnerabilities affecting sensitive government information and infrastructure. Ammon also previously served as an adjunct faculty member at the National Cryptologic School, where he was recognized with the Scientific Achievement Award. Here, he talks to The New New Internet about some of the threats facing the federal government, preventing leaks, and what an average executive should understand about cybersecurity.
The New New Internet: You recently joined Xceedium as the chief strategy officer, what was it that drew you to the company?
Ken Ammon: It was probably three things. I spent the last three years or so looking at the security market, trying to find opportunities that offered next-generation security solutions. Xceedium represents that; it is different than existing security solutions that have been offered for the last 10 years and it solves a critical security weakness. Secondly, Xceedium is a venture-backed company that has the financial commitment and partnership of a venture team that I previously worked with at my last company, NetSec. Lastly, I’ve worked with the management team before. It is a great management team, a solid investor and an exciting market opportunity.
The New New Internet: What are some of your current duties?
Ken Ammon: I ensure market alignment with overall security requirements that are coming from the field, particularly those in the government market. I’ve been working in information security for almost 25 years now, and over that time I have developed relationships with security experts that are now security decision makers and risk managers. Those relationships help Xceedium align correctly with the compliance, as well as the security technical requirements that are represented by risks, such as insider threat. I am sort of a technical conduit to management compliance requirements. I also work with the selling side of the house as well making sure that we’re talking to the right audience.
The New New Internet: What are some of the solutions Xceedium offers to the federal government and agencies and businesses?
Ken Ammon: The Xceedium GateKeeper appliance addresses privileged user access control, containment and auditing, which historically has been a very difficult goal to accomplish. In short, we address risk presented by the most powerful IT role inside the organization – the system administrator. If you talk to people that actually do penetration testing – or red teams, as they will call them in the government – their biggest concern is a system administrator or privileged user gone bad. That’s because they can erase their tracks and in many cases they have unfettered access. Historically, this has been a very difficult thing to remedy. Xceedium in a single platform offers a heterogeneous and consolidated point of access control on privileged users. More importantly, I think as we provide a detailed level of logging, Xceedium’s ability to enforce written policy both will change behavior, as well as provide a tool to go back historically and find out exactly what happened at any given moment. This both meets compliance requirements and provides a proactive control for privileged users. The GateKeeper alerts on security policy violations by sending alerts to your security operation center, which triggers the appropriate investigation. More stringent policy both alarms and prevents the unauthorized privileged user action. We view this as proactive policy enforcement and actionable log generation. In short, Xceedium can both meet the compliance requirements and stop the threat.
The New New Internet: You mentioned the insider threat – in your opinion, what are some of the biggest threats facing the federal government in terms of security?
Ken Ammon: The recent WikiLeaks loss shed new light on the long-standing challenge of the insider threat. And while advanced persistent threats continue to grab mindshare, many organizations haven’t invested in adequate technology aimed at managing the insider threat. As a matter of fact, most government organizations rely upon both written policy and trust as tools to manage insider threat. As such, the insider threat represents the greatest opportunity for investment.
The 2010 Verizon/United States Secret Service loss report contains compelling statistics showing that 90 percent of loss by insider agents is deliberate in nature. The report also highlights the failure of intrusion detection technology as a tool to manage insider threat. IDS, which is used for both insider and outsider threat, is only credited with breach detection 2 percent of the time. Post-breach investigation shows that log data contains the necessary information to detect a breach over 85 percent of the time. The challenge in leveraging log data is the lack of context and centralization. If you could just find a way of overlaying written policy with automated log data you greatly increase your odds of detecting a breach… and that’s exactly what Xceedium is doing for privileged users.
The New New Internet: Going back to the WikiLeaks disclosures, what are some of the ways the federal government can prevent these leaks from happening?
Ken Ammon: At the core of insider threat is the discipline of access control. Least privilege and role-based access control are critical requirements necessary to manage the risk of loss such as WikiLeaks. In addition, improved logging and policy enforcement technology will increase the odds of detecting the early stages of malicious insider actions.
The New New Internet: From a security standpoint and with reference to whistle-blower organizations, how does the government balance national security with the public’s right to know?
Ken Ammon: I don’t think I have a good answer for this one. As far as classification of government information is concerned, I believe it should be harder to classify documents than declassify. Currently, the inverse is true and we suffer from a gross over-classification of data. This complicates the ability to create effective information sharing and protection strategies.
The New New Internet: As both an entrepreneur and a security expert, what are some of the best ways for smaller businesses to invest in security to get the most value for their dollars?
Ken Ammon: In general, smaller firms’ security needs are best served through utilizing quality outsourced solutions for services such as mail and Web. For the most part, smaller firms do not have the resources to do a solid job themselves and benefit from the relatively more mature controls and processes of a cloud provider.
The New New Internet: What is something that an average executive should understand in terms of cybersecurity impacting their businesses and their daily lives?
Ken Ammon: Reassess your threats. All too often your security staff can get wound up with projects aimed at building a better mousetrap to catch the most sophisticated outside threat while all but ignoring the insider threat. This can result in security solutions we like to refer to as a grass-hut steel-door. You must take a holistic approach and be pragmatic. Adopt a ‘zero trust’ model for external, internal and partner threat vectors.
Enforce your written security policy with manageable and centralized technical platforms. Documenting security controls in policy doesn’t make them so. The past decade focused on external threats while today’s threat landscape requires expansion for insider threat. IT security best practice continues to evolve and adopt technical solutions over security policy. Both availability and affordability of technical solutions ease the move to technical controls. In addition, government compliance mandates show movement to continuous monitoring and ‘on-demand’ reports.
Say goodbye to the concept of a security boundary. Cloud computing, supply chain automation and mobility punch major holes through traditional security boundaries. Access control must evolve beyond traditional firewalls and incorporate least privilege enforcement and role-based access controls.
The New New Internet: Should private companies invest in offensive cyber capabilities or defensive ones?
Ken Ammon: Defensive. In my opinion, there is too much liability surrounding any sort of offensive activity for commercial organizations. You can be proactive, which doesn’t cross the ‘offensive operations’ line, but I believe that any action that represents retribution is best left in the hands of national defense and government operations.
The New New Internet: Where do you see cybersecurity headed in the next couple of years?
Ken Ammon: Highly publicized sensitive information disclosure cases such as WikiLeaks and mounting financial losses will elevate attention to the issue of insider threat management. Complicating the issue will be the continued erosion of the security boundary and a greater adoption of mobility and cloud computing. The market will respond to these issues with advancements in access control and auditing solutions that are capable of extending beyond the security boundary and managing granularity to include third-party access and controls.
The New New Internet: Cloud computing seems to be the buzzword this year. Do you see any problems with more companies moving their data to the cloud?
Ken Ammon: Yes. A successful cloud deployment should afford visibility and management of access controls to the information owner. Currently, you must extend an equal level of trust to a cloud provider as you do to your inside administration resources. I advocate a zero trust model for insider privileged users and recommend the same for third-party privileged access.
The New New Internet: What are some professional goals you have set for yourself for 2011 in your new role?
Ken Ammon: Bring a greater level of awareness to the zero trust security model. Xceedium GateKeeper is a vital component in the enablement of a zero trust model and our company’s government and commercial enterprise customer platform affords me an excellent opportunity from which to deliver our message. I also plan for continued involvement with fielding next-generation security solutions designed to enable the secure adoption of cost-saving solutions such as data center consolidation and cloud computing.