Ken Ammon, chief strategy officer at Xceedium, recently discussed the future of cybersecurity with WashingtonExec. He also talked about infrastructure integrity and how the government responds to insider threats.
Xceedium operates its corporate headquarters in Herndon, Va.
Ammon also talked about what CDM Phase II means for cybersecurity, new security trends and which security issues companies most often overlook.
WashingtonExec: What processes and technologies is the government utilizing to prioritize and respond to insider threats and infrastructure integrity?
Ken Ammon: The government’s goal is to achieve a desired secure state for federal infrastructure and to automate alerting and reporting of any deficiencies. Automation is the key to success and automated security tools must be applied to effectively enforce system boundaries, control desired behavior and manage enterprise privileges. This is of the utmost importance for all privileged users who pose the greatest insider threat risk.
WashingtonExec: What does CDM Phase II mean for the future of cybersecurity? Why is it expected to look different than it ever has before?
Ken Ammon: With CDM the government looks to achieve the desired state of ensuring trustworthiness of users and credentials by employing an approach that is referred to as “least privilege.” Least privilege targets users (subjects) and infrastructure/applications (objects) and applies an automated approach for enforcing the minimum privileges necessary for an individual to perform their job.
CDM Phase II represents a second step in a transformative progression, which ultimately integrates security tools as opposed to “bolt-on” security applications. Legacy security compliance tools have empowered security managers to report deficiencies rather than enforce a suite of security controls and automatically remediate and report breaches. Security experts have a long and well-documented history of criticizing the IT industry practice of applying security at the end of the development process, and the end goal must be to eliminate this practice.
WashingtonExec: What security issues do companies most often overlook when it comes to protecting their resources from cyber threats?
Ken Ammon: Many companies still believe they maintain an effective IT security boundary and sustain an acceptable level of risk through written policy and training. Cloud, mobility, and virtualization have turned identity into the new security perimeter. The public need look no further than the Edward Snowden incident to realize the danger of subscribing to written policy over mandated and automated security controls.
WashingtonExec: Who has most influenced you in your career and why?
Ken Ammon: The special project teammates I worked with while I was on my USAF assignment to NSA during the early 1990s have had a tremendous impact on my career. I could tell you who and why, but then I would have to kill you.
WashingtonExec: What new security trends and technologies are most affecting corporations and private equity funds?
Ken Ammon: Cloud computing is the most disruptive and interesting development in IT since the development of internetworking à la TCP/IP. While enterprise organizations are dipping their toes into the cloud, companies such as Netflix have bet their entire business model on the cloud. What I find most exciting about cloud computing is the removal of upfront financial investment as a barrier to innovation. Our history of bolt-on security applied as an afterthought must be overcome if we are to maintain trust in mobility and cloud computing.
WashingtonExec: From your perspective, what’s on the horizon for Xceedium? What challenges exist?
Ken Ammon: Some define luck as opportunity meeting preparation. Edward Snowden’s actions have shined a spotlight on the need for Xceedium’s Xsuite product. What I find equally exciting though, is the value Xsuite brings to the fight against advanced persistent threat and malware. There are only two steps to all attacks – gaining access and elevating rights/privileges – and Xsuite takes a huge bite out of the attack surface of both steps. This is my third security start-up and the challenge is always the same – attracting and maintaining talent and preserving our laser focus on our customers.