Above: An attention-grabbing robot at RSA.
GamesBeat: Do they tend to be any different as customers? Do they recognize more about game theory and design?
Roberts: I think so. Some industries, like the financial industry, they recognize some of those ways of thinking. The health care industry doesn’t have that knowledge. The gaming industry definitely does. “Oh, you’re telling a story.” Yeah, we’re telling a story. They get it. It’s a much easier conversation to help people understand how the Wonderland we’re building is protecting their system. There’s some fun stuff out there.
GamesBeat: If they’re coming in to attack, what do you find they’re doing? Do they simply want to hack a player’s account and take their virtual currency, or hack their cryptocurrency?
Roberts: That’s actually pretty big. As an individual attacker they’re not likely to do that, but if they can build a bot architecture, if they can go out and deploy against that, that’s huge. I build once and attack many. We’re seeing a ton of that. There’s a lot of that across all industries. If you look at the Steam architecture, which is more of a GUI on a web browser, that’s becoming much more of an attack vector. If we can put up a deceptive architecture and start capturing those patterns, we can build a defensive strategy against those, and when one or two get hit, we can get protection in place on everybody else.
The flip side is, obviously you have those targeted attacks. I want to go after your 2020 game, your 2021 game. Where is your road map going? Is it following the movies? Is it following a different theory? Where are you building your architectures? There are some interesting strategies.
GamesBeat: Does your customer base include game companies?
Roberts: I know that Acalvio is talking to a number of them. I’ve talked to many of them over the years at different organizations. We’re in a bunch of different verticals.
GamesBeat: It seems like if you can simply waste a hacker’s time, you’ve accomplished some good. You have more opportunity to learn where they’re coming from.
Roberts: It’s the tactics. It’s the methods. It’s the attack vectors. It’s the entry points. All of that helps an organization learn. “We were focused over here. We need to focus over there now.” The wasting of time is a tough one, because a lot of engagement — again, gaming systems — there are automated architectures out there that will perform a lot of the basic to mid-level attacks. If they get in, it just runs and runs. There’s no human behind a keyboard. Until something is found or discovered and a human comes in, really you’re looking at wasting system cycles. That’s a tougher one.
The mean time to breach at the moment depends on who you listen to, but it’s between 100 and 200 days. I break into your computer and for 100 to 200 days I’ll walk around with nobody knowing I’m there. Our job is to bring that down, if we can, to a matter of hours or minutes, whatever we can do, so that now you’re not waiting for the Feds to call. “Congratulations. You’ve become a point of compromise. Here’s what you lost.”
GamesBeat: How much investment does a company want to put into that deception? How elaborate should the ruse be?
Roberts: It can be huge. It comes down to the data. What are you trying to protect? If all you want to know is that somebody is creeping around your environment, there’s a limited amount. If you want the Wonderland, from our side, it’s actually a minimal amount of additional effort. We already have the data generated that you can use. It doesn’t matter what vertical you’re in. We can plug that data in. We already have deceptions built. All you have to do is hook up the engine. “You have 50 computers or 500 computers, we recommend that you put this out.”
If you want to go from just feeding breadcrumbs into the full Wonderland, that’s not much more investment. A lot of it comes down to the company. What are they comfortable doing? Do they just want to know there’s an attacker and kick them out? Or do they want to play a game with the attacker?
Above: Gamers actually make good security professionals, and this is one way to lure them to work for you.
GamesBeat: How do you position this? If you know they’re going to get in, you want to be there to catch them. How do you anticipate their way in?
Roberts: The numbers in the industry bear it out. We don’t have to put out any kind of fake entry point. You have humans sitting at keyboards that we, the industry, have not educated. Not sufficiently. We haven’t explained to everybody, “It’s January. It’s tax fraud month. Don’t click these things.” We haven’t done that continual education and invested in humans. As an attacker I always have an easy way in. It’s unfortunate, but it’s true.
As someone who’s worked in the security space, we’ve failed. As an industry we’ve managed to lose more than 10 billion records since we started keeping count. We’ve not won. This is not good. In a gaming analogy, we keep taking headshots. We’re not learning.
GamesBeat: As far as catching attackers and getting them to law enforcement, is that something you can do?
Roberts: We can bring the evidence. The challenge with any of that — this is one of the biggest issues in the industry — we have people saying that companies should be allowed to hack back. But if I’m breaking into him, I’ll take your computer over, and have your computer launch an attack against John. Now John’s going to say, “You bastard, you hacked me,” and he’ll break your computer. A few things happen. If you’re in another country, international barriers have been broken. Second, he’s hacked the wrong person. Third, I’m just laughing. It’s a huge issue. Attribution is a huge issue in this industry.
GamesBeat: So it’s up to your customers about what to turn over to authorities.
Roberts: Absolutely. We’ll learn the tactics and have the understanding as to what’s going on. We can provide the intelligence. But it’s definitely a customer-focused issue.
GamesBeat: Do companies ever tell a hacker, “We know who you are. Get out of here”?
Roberts: Rarely, if ever. At that point you’re just annoying them. They’re going to come in six different ways. They’ll do as much damage as they can. The whole idea is to just watch them, cut them off, and get everything cleaned up so they can’t come back in again. Or at least they can’t come back in the same way.
