Dell security chief on the "three Cs"

John McClurg, VP and chief security officer, Dell Inc.
John McClurg, VP and chief security officer, Dell Inc.

Very few IT interviews begin with a discussion of hermeneutics, but Dell’s chief security officer is not your average corporate officer. A onetime student of arts, philosophy, chemistry, business and the law, former FBI agent and security lead at Honeywell and Lucent Technologies, John McClurg is able to direct a wealth of contextual interpretation — and anecdotal illustration — to matters of IT security. McClurg was a key player in the capture and prosecution of ‘Dark Dante’, a phreaker who penetrated the Pacific Bell phone systems, but he is equally at home applying a philosophical world view to the threat landscape and drawing out sound principles of IT security management.

McClurg’s vision of the security landscape is one that is "chaotic, complex and laden with conundrum." As it has transitioned to an end-to-end solutions provider in this scenario, Dell’s goal has been to "optimally position a global company to do battle against the threats aligned against it… by taking security to an entirely new level."  To do battle with the "three Cs", McClurg has worked at Dell to evolve a security model that encompasses additional ‘C’ concepts: convergence, the essential security core, and connected capabilities.

Convergence of the physical and logical security worlds

Describing the capture of Dark Dante (Kevin Lee Poulsen), McClurg outlined sophisticated techniques used by the FBI to image Dante’s hard drive and to locate the password needed to decrypt three layers of encryption on the phreaker’s machine. In this work, McClurg came across photos that Polson had taken of himself using his grandfather’s pick set to pick an old lock on the door of the central office of the telephone company — the repository for employee passwords, manuals and equipment that Polson studied and used to mount an even more advanced cyber-attack. For McClurg, this "thirty-year old, rusty lock was the beginning of a new model, where a physical world vulnerability undermined a cyber-interest." At the same time, he had ample evidence — from Iranian attacks on nuclear programs, for example — that the flip side of the coin was also true, that cyber threats could compromise the physical assets. "In the 21st century, given the way that the traditional boundaries of delineated interests that make up our world are becoming ever more porous — and this includes interdependencies between the physical and logical worlds — I started championing a ‘converged’ model that would help ensure companies did not overlook interdependencies and could develop security in a coordinated way."

Importance of people and processes — "the insider threat"

McClurg’s fascination with the "trusted insider gone bad" also emerged from adventures with the FBI trying to locate a spy within the CIA organization — Harold Nicolson, who was sentenced in 2008 for conspiracy and for acting as an agent of a foreign [Russian] government. For McClurg, this experience provided further validation of the interdependencies of the physical and logical worlds: while the CIA had good physical and cyber security, because "digital rights management was perhaps not what it should have been" Nicolson was able to print documents and photograph them for ultimate hand over to the Russians.

According to McClurg, the insider threat is also a huge issue for corporations because security focus is typically placed on "fixing the perimeter," but the trusted employee has been empowered to skate past this defence strategy, since the technology is designed to prevent attacks from the outside. To underscore the seriousness of this problem, McClurg noted that from 2015, businesses that want to do business with the US government will have to demonstrate that they have a viable insider threat program in place. In anticipation of this requirement and to address this problem as it emerges across the broader community, McClurg added that Dell is currently developing a robust approach that will allow it to demonstrate this capability.

Surging beyond the "minimally essential core"

While at Bell Labs, McClurg worked with the converged model to reduce the concept to a lean, but efficient "minimally essential security core" that was acceptable to strained CIO security budgets and ultimately implemented at Honeywell. Working with the Dell security team, McClurg been able to expand on the concept to address the current threat landscape by leveraging acquired IP. Through Dell’s acquisition of critically positioned security organizations, McClurg’s strategy was to access "a constellation of partners around this idea of the minimally essential core that I can surge to as needed, while keeping my costs contained and leveraging the expertise offered by partners." The first star in this constellation was SecureWorks, a specialist in advanced persistent threat detection, which in addition to firewall monitoring capabilities, maintains a critical threat unit that McClurg explained is currently following the morph of 200 malware families.  A second key acquisition was SonicWall, which provided the Aventail Secure Remote Access platform with SSL VPN, deep packet inspection and next gen firewalls, followed by the acquisition of Quest identity and access management and Credant data encryption capabilities.

Through experience with the internal implementation of these offerings, Dell engineers have worked to combine both the competencies and rich data stores in formerly siloed offerings, building in scale capability to evolve a "Connected Security" solution. According to McClurg, these connections provide "a contextual richness — say around an incident at the firewall — that you never had before because you wouldn’t have had the identity and access management adding the information that it contains." The richer the better apparently, as he asked rhetorically "how rich can you make that context when you go to interpret the significance of it?" In another example, McClurg pointed to the case where an employee dispatches, contrary to company policy, de-encrypted messaging. Through integration of information from the firewall and the encryption solution, these technologies combine to work together as a data loss prevention solution. And when capabilities from beyond the security portfolio are incorporated — analytics from a solution such as Kitenga — connected security is able to harness the power of Big Data analytics in identifying and managing the threats in the security environment.

Interestingly, McClurg also referred to ‘connectedness’ as the interconnection of all businesses in the supply chain, which might be at risk regardless of their size. Even for the ‘mom and pop’ shops, he added, "security by obscurity" is a less than winning tactic, as vulnerable small organizations are often targeted by cyber criminals as the weakest link in a chain leading to larger suppliers or customers. For companies in this segment, he advised a modular approach to adoption of security technology that might begin with accessible SonicWall and Credent solutions. In McClurg’s view, "it doesn’t matter if you are small or large, it’s not a matter of ‘if’ you are going to be compromised, it’s ‘when’. The new standard of success is how agile you are when it happens, how well you have enclaved what is truly valuable to you, how quickly you move, and how you have positioned yourself so that when the bad guy takes a bite, he gets the bad taste of a heavily encrypted solution."

Four layer security

Ultimately, Dell’s Connected Security is designed to mitigate risk that hails from a complex interplay of threats from people, processes and technology vulnerabilities. Through integration of security capabilities and data from across its growing security portfolio, Dell is looking to provide the context needed to address risks that only grow with our increasing connectedness. While customers may start with the "minimally essential core," Dell now enables "surging" to additional capabilities to produce four layers security: at the perimeter through firewalls and intrusion protection for data in motion, which is informed by threat monitoring reporting; for the data through prioritization, isolation and heavy encryption of core information that is critical to the business; security related to process and policy through access and identity management that can help manage risks  associated with the convergence of physical and logical threats; and managed security services to address cloud scenarios. Dell has made significant investment to acquire these capabilities, and the software group has worked hard to develop the software integration required to connect them. Asked where the remaining holes are and what’s next on the acquisition list, McClurg put on his agent hat again: "The hole is always the trusted insider and it will always be that part of his/her attenuated being that the adversary will exploit because everything else is too hard to get to." But he declined to offer detail on bolstering the Dell portfolio: "the adversaries are out there and I’m not going to give them a roadmap."

The principles of good IT security management according to John McClurg

  1. Focus on the data — identify which data is critical and who needs access to it; separate/isolate key information repositories, and tie encryption to data at rest and in motion.
  2. Don’t underestimate the porousness of traditional boundaries between delineated interests and security technologies; work in a collaborative fashion with integrated solutions.
  3. Pay attention to employees — to their presence as an extended being that may be engaged in multiple channels, as either the employee or his/her activities in a specific context may represent a threat source.