Ross Wilkers
Tony Cole serves as vice president and global government chief technology officer at FireEye, where he works with public sector agencies and other systems integrators to gain knowledge of the global cyber threat landscape and adapt enterprise approaches to address the threats.
The former U.S. Army officer and Symantec business development leader addresses security conferences in the U.S. and has contributed to publications and classes run by the SANS Institute.
Cole recently caught up with ExecutiveBiz to discuss how his Army experience helped prepare him for his current executive role and how mobile devices have changed how leaders approach cybersecurity. He also highlights how FireEye sought to add new end-point offerings through its acquisition of Mandiant.
—
ExecutiveBiz: When did you join FireEye, and how have your priorities evolved since then?
 Tony Cole: I joined FireEye back in April of 2013, so last year. I’ve been here just headed towards 10 months now. It’s an interesting question, because I would say they’ve been pretty clear right from the start coming over to FireEye. One of the biggest priorities that I have is helping governments around the globe that are aligned and allied with the United States to understand the changing threat landscape out there, how it impacts them and why they’re continuously a target from nation-states, cyber terrorists, and organized crime, so they can actually protect themselves.
There are a number of things that attracted me to FireEye. I had previously spent a long time at some other cybersecurity companies, including the two biggest ones on the planet, Symantec and McAfee. I was at McAfee for four years and Symantec for over seven years and it was very interesting to see customers spend an enormous amount of money on cybersecurity technology trying to protect their data and their enterprises and still get compromised. As things have evolved over the last 10 years or so, we’ve seen a dramatic shift in how the attacks are successfully taking place and it’s been kind of frustrating to work with customers that have made a huge investment in cyber security and yet they’re repeatedly compromised.
FireEye really attracted me with some of the cutting‑edge technology they were doing, the management team they created when they brought Dave Dewalt in, and a number of other senior executives that are all rock stars in the industry. The technology that was right for the threat at this time, as well as the management team that was here truly excited me about a new opportunity to really have an impact for customers in a positive fashion stopping some of these threats that were compromising their systems continuously.
The previous experiences I draw on most include an understanding of what the customers go through. I’m a retired Army guy, was in operational security, and helped started a number of CERTs for them in the past. A lot of that helped me really empathize with the senior executive sitting in the chair across from me that are actually trying to protect an environment. I can actually kind of feel for him or her. I know the pain they go through and the suffering when they think they’re doing their best and still get compromised. That helps me a lot and helps me get them to a place where they’re a little bit more comfortable, that even if they do get compromised, very, very, quickly we can turn around and identify how that attack took place and fix their infrastructure so they don’t get compromised again or if they do, minimize the impact.
ExecutiveBiz: What are some of the most frequent needs you’re seeing from FireEye’s customers, and how do you see the acquisition of Mandiant helping to meet those needs?
Tony Cole: When you look at FireEye’s customers versus FireEye’s potential customers, there’s definitely a distinct difference. A lot of our potential customers have a sense of comfort that they’ve not been compromised based on the dollars spent on cyber. Typically, when we go out and meet with these customers, that feeling of comfort quickly goes away as they do a proof of value, which entails testing our products on their live network with us, and see that they’re compromised.
That’s a challenge that we have on that side, to get them to understand that, even though they might feel that they’re comfortable with the current infrastructure they have in place, that more than likely, they’ve been compromised and simply are not aware of it, because they’re using old technology that’s signature‑based. Some cyber defenders today don’t understand the criticality of the impact of a cyber attack. Signatures offer defenses against known threats which provide some value however most of those widespread attacks have less impact than a targeted attack based on a zero day or unknown vulnerability which renders signature based threat defenses useless when really needed. The reason I make that distinction is FireEye customers will buy one piece of our platform and then one of the quickest needs that we hear from them is, ‘All right, how do I go protect other vectors now?’ When they see they’ve been compromised via spearfishing attack with a weaponized attachment or a malicious URL that’s sent to one of their executives in a email, they may actually say, ‘All right, great, now, how do I take this same technology and move it across all vectors in my enterprise?’
They may start in one area, and as soon as they see the vulnerabilities across the enterprise, they want to protect all the different vectors that they have. This relates directly to the Mandiant acquisition, because the one area we did not cover in the past was the end point. We heard that repeatedly from customers – ‘when are you going to move to the end point and take your solutions there?’ The Mandiant acquisition now gives us that presence at the end point so that customers actually will be protected across all their vectors.
We were already covering e‑mail, Web, file, mobility and the BYOD area, and now we actually are touching end point, as well. Besides that, it also gives us a great capability around incident response moving us even closer to the breach, and also gives a deeper capability around assessments, so customers that think they’re doing pretty well can still call us, and we can bring in a team that actually can do an assessment and tell them, ‘No, actually you’ve been compromised’, or, ‘Hey you are in a pretty good stance; you’ve got a pretty good infrastructure setup. You have pretty good policies in place and you’ve got the buy‑in from senior executives to stop an attack or react to an attack if one actually takes place.’
ExecutiveBiz: How have mobile devices and the proliferation of that technology changed how industry and government address cyber issues?
Tony Cole: That’s a growing area of concern around the world for a lot of CEOs, CIOs, and CISOs, especially in the open android platform where many organizations are at least testing and piloting the BYOD challenge. It’s interesting to see those CIOs and CEOs that have tried to keep personal devices out are starting to also understand the risks, because you can’t keep them out. If you decide that you’re not going to allow anything to connect, it doesn’t mean that somebody isn’t sitting there with a personal device in their hand and texting John over in the other portion of the IT engineering team about some challenge that they have. So now what you’ve done is you’ve actually got your corporate or government information going from personal device to personal device with you not having any control over it. You can’t keep those devices out so you had better put a system in place to try and control what’s being done with them.
There are so many ways to communicate today that the best thing we can do is actually bring in as much capability as we can, but control that capability, test that capability, and understand what challenges we could potentially have around it. What we’re doing at FireEye around that based on the feedback we’ve gotten from many different government agencies around the globe, is to test those applications to see if they are doing suspicious things or outright malicious activity or to see if it’s doing some nefarious actions that we might not want to allow in our environment.
We can actually go through and based on our threat scale that we have for applications, tell a customer that ‘Hey, maybe these eight applications you want to ban and not allow in your environment, but these other 23 based on that threat score, are pretty good, and you can allow them to actually operate.’ We’re obviously going to be tweaking that further down the line as we get more feedback from customers as the BYOD adoption continues, however, we’ve had a great response from industry and government around providing this set of capabilities to them.
ExecutiveBiz: What are some areas that you’ve seen companies like FireEye and federal agencies best collaborating in cybersecurity?
Tony Cole: There’s a lot of different areas where we currently collaborate. Policy and regulation is one area. We have a lot of conversations with organizations like the Department of Homeland Security, NIST and many others around the globe that have asked us for feedback numerous times on draft guidance, policy and even regulations on cyber security. We provided recommendations to them when they did the latest update for 800‑53, mobility, incident response, and many other areas. NIST is a great place for industry and government to collaborate and some of the programs that the Department of Homeland Security, under the NPPD, are also great places to collaborate, to have those conversations around how industry can help the government better protect their organizations. We’re also focusing on helping other governments around the globe provide stronger security recommendations to their own organizations to stop these advanced attacks.
With the changing threat landscape, DHS is doing a lot of work in that area, and we think that’s critically important, because we need to share indicators of compromise with governments, and they need to share them with industry as well to ensure that a threat they see is automatically rolled into commercial products. Those same organizations rely on commercial products so an indicator of compromise automatically shared with commercial security companies will be able to more quickly protect other government organizations and also companies. Automation is the key to success.
DHS and NIST are probably the two best places today to share information back and forth, where industry is very comfortable getting in there with them. It’s been interesting to see the government make some rapid changes to NIST 800‑53, to seek input on the security framework and other policies. It’s very, very encouraging. The one other thing that we we’d like to see as well is a change in how procurements are actually done.
One of the big challenges that government is going to continue to have, as long as they have information they want to protect – and obviously every government has information they want to protect – is they’re going to need to be very agile in how they do procurements and how they actually roll out new technologies.
The adversaries aren’t going to slow down. They’re going to continue to look for holes in the government’s infrastructure as well as corporate infrastructure so they can steal national secrets and intellectual property. The government needs to start thinking in that fashion and be very agile, much as they do on the Department of Defense side, when they’re planning any type of activity in a war zone around the globe. They stay agile, they look, they do after‑action reports. The same thing needs to happen in government around cybersecurity to continuously improve, so that they can actually thwart future attacks.
