
Simon Edwards (SE Labs): “Protecting an enterprise is much more than plugging holes in computer technology”



I met Simon Edwards in January 2007 at the first AMTSO meeting in Bilbao (Spain). For many years Simon devoted himself to testing security products for Dennis Publishing, and at that time he was also the technical director of Dennis Technology Labs. Over the years he has become a recognized authority in his field. Less than a year ago he started a new chapter in his career by opening his own business, SE Labs. Today's interview is with him.

Luis Corrons (LC): Since you became the editor of Computer Shopper magazine, your life has been firmly connected with computer security. What has your experience been in such a dynamic and innovative industry?

Simon Edwards (SE): I have always approached the security business from an ethical point of view, because we sincerely wanted to make a bad situation better. We do much more than just anti-malware testing. We provide threat information to very large enterprises, and in the UK insurance companies use our information to make very important decisions. This is a new direction in our activity that has grown out of testing, but we are still testing security products, which is what gives us the threat information we then provide. Although from the very first day we did not set out to create a security testing business.

When I was first asked to write a group test of antivirus products, I thought about how to do it on my own, without the participation of other testers or even of the companies that produce antivirus programs. In complete isolation from the experts, I came up with a testing method and discovered that some well-known threats could bypass antivirus, especially those that resembled Trojans and hacker utilities rather than standard self-replicating "viruses". It was interesting.

The readers' response was simply fantastic, and each time we published such a test we sold more issues of the magazine than in normal months. But it was not so pleasant for the antivirus industry, and I received aggressive calls from some people whom today, in fact, I consider my very good friends. We just had to get to know each other and develop trust between us.

I think some security vendors took a completely standard position with respect to a new person who gave them unpleasant results: attack. "We don't know this guy, and he says our product sucks? He must be an idiot or simply bribed!" Nothing has changed on this front. But now at least people know SE Labs, which creates useful tests and works ethically. Well, many people know. There are some companies, especially new ones, who are still working out what's what. They assume that if you do not support their marketing message, then you are their enemy with a biased attitude towards them.

The standard position taken by security vendors when faced with unpleasant results from a newcomer is to attack.

One big change is that vendors have begun to see the usefulness of testers actually attacking the system, as opposed to simply scanning the usual malicious programs that exist on the Internet. We recently carried out hacker attacks during testing using Back Orifice 2000, and we also used other tools that the "bad guys" had access to. At the time this was a very controversial approach, because security players generally believed that creating threats was taboo. Many still hold that view, but since then we have developed targeted attacks for testing purposes, and this seems right given how many products claim to prevent such things.

LC: What is it like being an entrepreneur? Are you still able to do the tests yourself, or have management issues become a major part of your daily work?

SE: I personally review each data set for the tests we publish, and I also develop the testing methods used by the talented testers who sit in front of the systems. Running tests and the basic office tasks are managed by the SE Labs team in London. Once a test is launched and running, I trust my team and spend most of my time on solving a million other tasks. What is really great about creating a company from scratch is that there are so many creative tasks to solve. But, as we will see, there is also a huge amount of routine that has to be dealt with too.

When you create your own company, you make decisions on virtually every issue. For example, on one day I may negotiate deals worth six figures, and right after that resolve a question about teaspoons. I literally spent half a day in Ikea discussing with my colleagues which dining sets to buy for the office.

There is too much emotion and immaturity in this emerging "next generation" industry.

Returning to testing, I have spent a tremendous amount of time trying to work with new companies in our industry. Some of them do it reluctantly, and I understand why. Startups are vulnerable, and poor results can kill their business before it has even started. We have seen a lot of aggressive marketing and very sharp statements trying to challenge test results. There is too much emotion and immaturity in this emerging "next generation" industry. This needs to stop, because it does not benefit consumers.

LC: As the director of SE Labs, does your work continue to amaze you every day? Are you forced to adapt your tests to the types of attacks that keep appearing?

SE: The fundamental part of what we do is to find and use the prevailing threats. In theory, every product should score 100% in our tests, because we do not use rare threats collected from the fringes of the Internet, or zero-day threats. So it always surprises me that many vendors do not score 100%. It is commonly said in the security world that a test in which everyone scores 100% is useless. I do not think that is true, as long as the test comes with a clear explanation of what it is trying to achieve.

And yet, if I throw 100 well-known threats at the leading anti-virus products, I know there will be slip-ups. That still surprises me. We work with many vendors to help them resolve these incidents.

LC: In addition to traditional security solutions, over the past few years some new solutions have appeared on the market with loud slogans like "next generation antivirus", using a different approach to protecting businesses. Have you had the opportunity to try such solutions? What is your experience?

SE: We have managed to get access to some of the so-called "next generation" products, and I know what you expect to hear from me! But they are not "snake oil" at all, whatever their crazy marketing might suggest. They turn out to be competent solutions. I do not think I would want to run many of them on my systems without some other form of anti-virus protection, but they are not some kind of fake solution, as many people might think. They are not perfect, but they are not outright trash either.

It always surprises me that many vendors do not score 100%.

LC: There are also solutions from "traditional" manufacturers in the EDR (Endpoint Detection and Response) category. Have you had the opportunity to try any of them?

SE: Yes, we have such solutions, and we even run one of these products alongside a so-called "traditional" antivirus on our own systems. Being able to track whether and when a security breach occurs can be very helpful. And although we are a relatively small company, it would be naive to believe that no one in the world would want to harm us. We take security very seriously, especially given the nature of some of our customers (we not only test anti-malware products, but also provide security recommendations to some of the world's largest companies). Our influence goes beyond the world of "antivirus testing", and therefore we must be very careful.

LC: You have been involved in the management of AMTSO since the very beginning, and you are a member of the Board of Directors. In your opinion, what are AMTSO's main achievements since its inception?

SE: Relations between anti-malware testers and the developers of such products have become a million times better than before. This is very important, because good relationships influence the development cycle of the software we use to protect our computers. It used to be that vendors hated testers and tried to somehow get around their results instead of improving their products. I think AMTSO has largely solved this problem.

LC: What difficulties in the field of product testing will AMTSO have to face in the near future?

SE: Next-generation companies are against testing. They may argue otherwise, but I think they do not want to be challenged. Their focus is investment and growth. AMTSO should bring these companies into its ranks and help them understand that there is something more important than just attracting investment funds. Customers should at least be protected. And in this respect testing actually plays a key role. They cannot count on success if they operate in a vacuum.

LC: In your opinion, what is the biggest problem in terms of information security that enterprises and organizations face today? Is there really a time lag between the introduction of new technologies in enterprises and the application of appropriate security measures?

SE: I think the biggest difficulty is that protecting an enterprise is much more than just plugging holes in computer technology. Users are potentially the strongest link in the chain, although they are often called the weakest link. Training can help a lot here. A return to the basics and a real understanding of what security is can help. It is much easier to spend several million on some new type of firewall, but that will not do the whole job. Heads of information security in enterprises should understand this.

Article author: Luis Corrons

Source: https://habr.com/ru/post/311682/

