Integrating Endpoint, Network, and Cloud into a Secure Ecosystem: An Interview with Hugh Thomson of Symantec

First, some advice: If you fear APTs, then make sure you block or interrogate outbound web connections from your organization to uncategorized sites. If you are not doing this, then contact your proxy vendor today and request help implementing this vital feature. For many of you, Symantec will be the company providing that help – and my great friend, Hugh Thompson is one of their fine executives. You might know Hugh from his important role at the RSA Conference each year, but I’ve known him since the early 2000’s, having worked together on a live technology show called the Hugh Thompson Show that he hosted, and that I produced. We did the show in Maury Povich’s studio in Manhattan, replete with a live audience and even a cool band led by Steve Poltz. You can watch clips from those amazing episodes today on the AT&T Tech Channel (, including an early interview with the founders of Twitter. I was privileged recently to catch up with my old friend as part of the on-going research for my TAG Cyber Security Annual, and he was kind enough to share his perspectives on endpoint security, networking trends, and secure use of cloud service in the enterprise ecosystem. Here is what I learned from Hugh:

EA: Hugh, how do you see the corporate network evolving in the next few years?

HT: Network connectivity is just fundamental now. We’ve all witnessed the increase in the mobility of workers, exemplified by WiFi in offices, coffee shops, and at home. And the usage of 4G/LTE networks – which results in connectivity everywhere – will only accelerate more with 5G wireless services and the associated increases in data capacity and speed. In this new environment, employees will untether from corporate WiFi more often, and billions of new devices will be constantly connecting. As network access continues to evolve and improve, deeper network security will be more tightly bound to that access onramp.

EA: Are you seeing an acceleration to cloud? Larger businesses, especially the banks, have seemed more cautious. What’s been your experience?

HT: The caution from certain sectors is understandable, if you consider the compliance and regulatory requirements that many of these organizations must deal with. We’ve often seen companies start by working to gain an understanding of cloud usage and risk within their organization – that is, understanding the non-sanctioned cloud use by individual employees or departments. The conversation then quickly turns to controlling that unsanctioned cloud – usually by blocking the riskiest applications, and by forcing inspection by DLP and threat protection tools. All of this is motivated by the need to mitigate compliance risks. And the challenges are even greater on the cloud apps that organizations are sanctioning. Additionally, we’ve seen data residency issues from the European GDPR and Asian data sovereignty laws impacting global rollouts of large cloud initiatives. We’ve worked with CISOs trying to understand how to integrate cloud activity into their incident response processes. We’ve worked to highlight the potential compliance risk of content and permissions in cloud applications where we’ve seen how our content inspection and sandboxing capabilities can identify advanced threats stored in cloud content or transiting via email. Overall, enterprises are quickly learning what needs to be done to extend governance and security processes to cloud. That’s why we’ve aggressively acquired and built solutions into our platform to help them achieve their goals and bring a defense-in-depth approach to securing the transition to cloud applications and services.

EA: Will it be easy to virtualize proxy-based security? Where does it go with cloud-based architectures?

HT: Proxies are already virtualized today, as well as being delivered as a cloud service, and there are some important distinctions. Virtualization allows organizations to deploy proxies in any part of a private cloud or in IaaS architecture where they want to create a security control point, usually as a micro-perimeter. Furthermore, proxies as a cloud service allow any type of device, at any location, to gain that proxy-based protection, making it that much easier. Enterprises use a proxy cloud service to enable safe branch office access to the Internet, protecting mobile devices that have no agent-based solution. We’ve seen use by automobile manufacturers to protect Internet-connected vehicles, demonstrating a security model for consumer devices, industrial controls, and the next generation devices often referred to as the Internet of Things (IoT). Virtualized and cloud-delivered proxies make it easier to architect that protection into any device or application model.

EA: How do you see the cloud access security broker playing in enterprise security? Is this the new perimeter?

HT: I think we’ve already moved away from a concept of a single perimeter. Cloud access security broker capabilities are critical components to extending security and governance to cloud applications, but it’s an additive problem. Cloud apps present whole new sets of use cases related to many different areas of IT and security. These include discovery and access control of shadow IT; activity logging for compliance, breach detection, forensics, and incident response; data compliance issues around data residency laws; access rights for documents stored in the cloud; protection of documents with PII, PHI and other compliance sensitive information; and granular policy enforcement to prevent theft of data and identity. But, even as some applications, data, and content have shifted to the cloud, others remain within the enterprise domain. Enterprises need to figure out how to solve for the new problems, and make the solution consistent, integrating it with their existing security and governance infrastructure.

EA: With so much complexity in modern networks, how does a CISO team find ways to simplify? Everything seems so complicated nowadays.

HT: The challenge of the CISO is definitely more complicated. It’s a tough job, calling for the best people to navigate problems, technology, processes, and partners. The approaches we’ve seen start with an immediate need – a pain point, so to speak – but to also draw in strategic and long term considerations. CISOs understand that if their teams spend all their time stitching together narrowly focused technologies from different vendors, they’ll never achieve the operational effectiveness that they need. The smartest CISO’s choose their partners strategically, but also insist that those partners and platforms remain flexible and open to accommodating changes in requirements. In our experience, this seems like the optimal approach.

EA: Any thoughts on whether the defense ever catches up the offense in the cyber security game?

HT: We all hope for that to happen, but we must plan differently. We have no choice but to expect that the criminal offense will continue to advance and evolve. And, of course, the defense will also continue to innovate to improve security. For that reason, Symantec fundamentally believes that the best approach to improving one’s defense is to maintain an open architecture. This allows enterprise security teams to quickly integrate innovation to improve their defense posture, and it simplifies the ongoing operation that streamlines security and governance processes. The proxy serves a critical role to enable Web and cloud governance, threat protection, data protection and incident response. We view our open platform architecture as a way for our customers to continuously extend and adapt their security posture in the face of evolving threats.