Megabuyte, April 2016.
The Megabuyte Interview: Greg Day, VP and Chief Security Officer of EMEA at Palo Alto Networks
Greg Day is a “security lifetimer”, it says in his Twitter bio, next to “part time golfer”. You’ll have to go elsewhere to confirm Day’s skills on the green, but when it comes to security, Day has certainly earned his stripes: he’s spent over 25 years in the security big leagues (Symantec, McAfee, FireEye) before joining Silicon Valley security superstar Palo Alto Networks last August.
We’re sitting in Day’s sparsely decorated office at Palo Alto Networks in London, where the VP and Chief Security Officer of EMEA is just back from a skiing trip with his kids. Day looks like any other Palo Alto employee in his lanyard and company logo pin, but you don’t have to listen to him talk for long before you realise there’s nothing average about his approach – nor that of next-generation security platform expert Palo Alto Networks.
Fighting the good fight
This was also one of the reasons why Day chose Palo Alto: “I’ve always made sure I’m engaged where I think the industry is really evolving. The company is called Palo Alto Networks, but we do a whole lot more than just network security. I think the biggest challenge we have now in this market space is human resources. I’ll explain why,” says Day, drawing breath. This is a multibillion industry, he explains, and there are hundreds of vendors: “It amazes me – you could deploy so much technology, in theory, that you could just about stop any bad guy getting in. But what we lack is people, because most technologies require humans to drive them.”
Criminals are good at collaborating, says Day: “So we see thousands of [automated] attacks every single day. Then we have this defensive capability that’s generally high touch.” This is a problem, says Day, because there’s a significant shortage of security practitioners to actually keep businesses safe. Which brings us back to why Day chose Palo Alto: “The first [reason] was, in a wild way, how we seem to be getting to this point where the industry’s giving up!” He means how we seem to be accepting that crooks will get in, so we should just focus on how to recover. “Palo Alto Networks is very much focused on [how we] shouldn’t give up – we should build better preventative measures.”
The other attraction for Day is how Palo Alto takes a next-generation approach. “When I started in security, the problem was viruses – we needed anti-virus. Before that, it was the internet – we needed a firewall. Then later, it was hackers, so we needed an IPS solution. We built all these layers of security, where each have solved a unique problem. But none of them really worked together!” This is why organisations need so many people to manage security systems, says Day, and also, this is what Palo Alto does differently:
“The remit behind Palo Alto Networks is to build security solutions that are inherently built off the same platform, that share a common architecture that functions together. … People [currently] put different attacks into different buckets but the reality is, all of them communicate and collaborate with each other.” The good fight has been hampered because the crooks are better at sharing information, says Day, who admires Palo Alto CEO Mark McLaughlin for setting up the Cyber Threat Alliance, bringing in peers Fortinet, Symantec and Intel Security to not just share basic threat samples, but also the rich, actionable intelligence. This led to key insights about the CryptoWall ransomware associated with $325 million in payments, but the point is how this approach changes the economics of how the market works: “What you start to do, is crowdsourcing the security industry.”
The case for streamlining
Talk of this level of openness and collaboration is unusual for companies of Palo Alto’s heft – but despite the $17bn market cap, the Silicon Valley original is just 11 years old. I ask Day, who’s spent the bulk of his career at McAfee and Symantec, if he feels like he’s joined a California startup? He laughs: “It’s an interesting transition, between a start-up and a mature company.” One drawback to the flexible early-days mentality is how you can lose focus by trying to do too many things, says Day: “What I really like about this company is, rather than trying to do lots of different things, we focus on doing what we do very well, and then, extend off that.”
This contrasts with how companies often approach their acquisitive growth, says Day: you end up with products that don’t speak the same language. “Palo Alto Networks has a grown-up mind-set where generally, what we’ve developed, we’ve done ourselves. It’s only really in the last couple of years we’ve made acquisitions to move into adjacent markets, but we’ve done it in a different way.” What Palo Alto did after the 2014 acquisition of Cyvera, says Day, was to take it off the market for the best part of a year: “The reason was to take that core capability and recode it in the same language. … What you now have is two products that talk the same language, natively integrated into the same platform.”
Customers are always talking about consolidation, says Day, and this means saving cash: “But what it really means is, ‘We want to be more operationally efficient.’ Most of the spending on security is using it, not buying it! So if I have two technologies that now natively work together, I don’t need the human [translating].” So yes, says Day, coming back round to the question, Palo Alto is definitely growing up: “But we’re doing it in what I would consider a mature, industry-leading way. As we extend into different areas of security, we’re doing it in a way that truly leverages the strengths we already have.”
From the first viruses
Day started his security career in 1991, working at Dr Solomon’s, the predominant antivirus company in Europe at the time. This was before there really was such a thing as computer viruses, though: “I remember some of the very first virus outbreaks! We once had a BBC TV van knocking on the door going, ‘Hey, we’ve heard of this thing called a computer virus. Could you connect us to somebody this has happened to?’” The TV crew had to wait six hours, but eventually, the new-fangled virus struck somewhere up north. “When I first started, we used to update antivirus every six months. Then it was every three months, then monthly, and then weekly. I remember thinking, ‘Wow, daily. Can we increase it any more?’ … When I started, there was less than 200 viruses in the world. Now, there’s probably more than 200 created every second.”
Day grew up in Hertfordshire, where his father worked for ICL Computers: “I think I was about five when he brought home one of the first BBC Micros. … I’m a tinkerer and played some games, but I was more interested in programming.” Day remembers writing his own version of Pac-Man. It didn’t do anything different, he says, but that wasn’t the point – it was about figuring out how to make it work.
Later, Day got into the snow racing ski circuit, representing Britain as a professional amateur, which meant he didn’t get paid. “I started working at Dr Solomon’s as a temp to fund my skiing career. … I will always remember, Susan Solomon – she and Alan ran the company – kept saying to me, ‘Look, you’re obviously into computers and you’re gifted. What are you going to do after you finish with this skiing malarkey?’” The company ended up funding Day’s computer sciences degree at Portsmouth. “I wrote my own basic antivirus there, what we would call a behavioural blocker. That was in the days of DOS, before Windows really existed.” Then Day goes on to explain how it worked – he does that often, but the security lifetimer has a knack for making it seem fascinating. Like when he talks about how he sees security like “a three-dimensional chess game with no rules”:
“Every time you think you know what’s going on, there’s another piece added in. Take social media, which is usually used for reconnaissance, to understand people, and for social engineering. And, it’s used by malware authors as a command and control mechanism for sending instructions in a way that wouldn’t be recognised as straightforward code – it’s embedded within those things.”
At the security frontier
Palo Alto has a threat research team called Unit 42 that looks into this kind of stuff, and Day laughs when I ask about the name: “You’ll get the answer if you’re a bit of a geek!” It’s a reference to the Hitchhiker’s Guide to the Galaxy, where 42 is the answer to the ultimate question of life, the universe and everything. “Unit 42 is answering the unanswerable questions: ‘Let’s understand more about the bad guys, what they’re doing, and how they function.’”
We talk for a bit about what’s happening now in the industry – how security is increasingly becoming a core business function, and how changing regulation will make disclosing certain security breaches mandatory. “Most companies are still using security products well over 10 years old. I think we treat them like a comfort blanket: once they’ve saved us once, we don’t want to let them go,” says Day. Having said that, customers are increasingly realising they need a different approach to security. “Europe is maybe a year or two behind, because we want it just working and done. Whereas [among US customers] I think there’s more that start-up mind-set that says, ‘Let’s finish the development together.’”
Speaking of things that have been doing a great job for decades, there’s currently a big debate in the security industry: is antivirus still the right baseline for defence? “I’ve been very close to anti-virus, and it’s a brilliant capability. But the question is, are there new capabilities coming out now that are more effective?” Day lists a number of contenders – maybe sandboxing, or behavioural monitoring blocking. In any case, Day seems genuinely excited about the prospect. “One of the reasons I love working in this industry is, no two days are the same. … Just when you think you have a handle on the cyber security industry, new technology comes out. New threats come out. It’s an amazing space that’s only limited by people’s imagination.”