Carlos Solari is Vice President of Cybersecurity Services at Comodo. A cybersecurity veteran, Solari’s career has included stints as the CIO for the White House as well as IT positions at the US Army and the FBI. He sat down with SafetyDetective’s Aviva Zacks to discuss Comodo’s founding and the modern cybersecurity challenges the company is helping face down.
SD: Carlos, thanks for taking the time to speak with SafetyDetective.com. Can you tell me a little about Comodo’s history?
CS: Of course! Here are some of the highlights. It started about 20 years ago in the UK. The company was founded by Melih Abdulhayoğlu. Comodo’s first foray into the industry was developing methods and technologies for encrypting web traffic, what the industry calls “CAs” – which stands for Certificate Authorities. Certificate Authorities help validate that the person or company that is seeking to establish their credentials is really who they say they are. So that was the initial business model. Many years ago, the company moved to New Jersey. And a little over a year ago, the CA part of the business was mostly sold to a private investment firm. But Melih is a serial entrepreneur and he’s continuously developing new technical capabilities – innovations – and putting them into operation at Comodo. The Comodo engineering team has developed an endpoint solution that essentially solves the malware problem by containing unknown files. While endpoint security has been around for a long time, there are major flaws in most of the solutions today. And many of these companies that sell flawed cybersecurity technologies are now making a living on remediation services!
SD: Comodo is well known for focusing on looking at cybersecurity in terms of “security stacks.” Can you explain what that means?
CS: The term “security stack” is used here analogous to “defense in depth,” which is a well-established military doctrine also applied in cybersecurity practice. It’s the idea that no single line of defense is sufficient and multiple layers are necessary. It is a reinforcing means of protection needed to protect against an advanced adversary.
In the cybersecurity domain, we could be talking about a website that lives inside of a DMZ “demilitarized zone” on a computer network protected by two firewalls. The security stack would employ other security technologies and methods to protect the internal network and the database.
The security stack also implies information that flows both up and down that stack:
- At the base layer, the security architect would employ technologies and methods such as network segmentation, software assurance, asset control, and configuration management.
- In the next layer, the notion of a security stack would employ what is commonly called “bolt on security,” which is the firewall and other protections layered on top of a network to protect it from intrusion or data loss.
- And then we have the third layer, which is the analytical component, by example, to detect if a password has been attempted too many times, brute force attacks, or possibly if an authorized credential is trying to connect outside the normal profile such as from a foreign country. In this layer, you correlate and develop situational awareness from all this security data and then apply the appropriate response such as blocking IP addresses or making internal network protections, adjustments, changes to the lower protection layers.
And all of this to say that Comodo provides the technologies and methods that work at all the layers as described here. For example, we provide consumer antivirus protection at the lower layer, advanced endpoint protection for the next layer and a service called cWatch MDR (Managed Detection and Response) at the third layer which probes for, and coordinates responses to, the advanced cyberattacks.
SD: The massive cyberattack in Atlanta last year has left many trying to figure out how something so disruptive could even be possible. How was it possible?
CS: That was certainly an attack of great consequence, hitting home in ways that everyone can understand such as shutting down city services and airports. It was good to see the Department of Justice thankfully making headway in the investigation.
What distinguished the attack on Atlanta’s critical infrastructure and other organizations mentioned in the press is the degree of sophistication conducted by just two individuals. It involved detailed reconnaissance on the network before the actual payload was executed. They were able to stage the attack. It was not some random virus. It was humans executing an attack sequence aware of the in-place defenses and exploiting the weaknesses in the network for maximum damage at maximum speed. These attacks emphasize the point that it does not take the resources of a nation-state organization to cripple the operation of a major city.
The solution is to have defense-in-depth. Part of that defensive layering must include something we call “containment.” Just like in the physical world, containment works to allow a response time, the attack contained until we can make a determination. In the Atlanta cyberattack there was no containment so there was no response time, the attack happening faster than the security could react. Containment operates by the principle of default denying all unknown executables until the determination is made. Comodo calls this determination process “verdicting.” It is an innovation brought to market with the idea that unknown executable files (possibly containing malware code) are held in virtualized containment until we ascertain whether they’re “good” or “bad” actors, the underlying file and operating system not affected; white-listing those that are found to be benign and blacklisting those that we verdict as a new malware. This combination is called TTP in the industry – for techniques, tactics, and procedures, and it – containment – works in real life. We know this from the hundreds of thousands of deployments that are in place.
SD: What can average consumers to do keep their systems clean of viruses and malware?
CS: I would first qualify the question to say that the trend of blended use continues. Consumer and business use of compute devices, laptops, tablets, smart phones are mixed, the same device or devices used interchangeably for work and for personal use.
The understanding we take away from this trend is to treat all our devices with enterprise-level of protection but at an affordable price. All devices need to be protected—smartphones, laptops, or desktops—no matter what OS they are running.
Comodo makes it affordable by providing tiers of protection, free antivirus software, as an example for strictly consumer levels of use, and working with partners such as Managed Service Providers (MSPs) to provide these partners with the more advanced security TTP. The MSPs serve small and mid-market businesses where there is more of a blended/mixed use of computer devices. Our technology also works for the large enterprise, organizations that may have tens of thousands of endpoint devices. At Comodo, we help the full range from individuals (consumers) to the large enterprise and the security stack of affordable defense-in-depth.
SD: Where do you see cybersecurity in five years?
I see more and more consumers and enterprises requiring the services of professional cybersecurity organizations to adequately protect against the complex threat landscape we face today. It will include defense-in-depth protection for industrial IoT systems.
We’re also seeing stricter compliance requirements and greater operational complexity—in addition to a skills shortage in IT. This is the challenge now and one that will continue to grow in the coming years.
In response, more businesses are starting to turn the whole job of managing cybersecurity to the experts so that they can focus on what they actually do. That is what I see happening in 5 years. Our offer to this market demand is called cWatch MDR. cWatch is our brand name. MDR is the industry recognized acronym for Managed Detection and Response. That means we handle things like systems integration, supplying the manpower, compliance reports, and tackling the actual threats. So, I see more businesses wanting managed end-to-end protection solutions and relying on external experts and companies to make that happen. That is the essence of cWatch MDR.