Timothy Liu of Hillstone Networks: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

Published in Authority Magazine
13 min read · Apr 3, 2022


As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Timothy Liu.

Timothy Liu is co-founder and chief technology officer of Hillstone Networks. In his role, Mr. Liu is responsible for the company’s product strategy and technology direction, as well as global marketing and sales. Mr. Liu is a veteran of the technology and security industry with over 25 years of experience.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

The security industry is ever-changing, so that means I am hyperaware of security activity 24/7, and the most interesting story will be the most relevant one, which is the one dominating the current cybersecurity climate. There have been many incidents that have captivated my attention, but the one I’d like to discuss is an exploit that happens when using Apache HTTP servers, a recently discovered vulnerability.

This vulnerability occurs in Apache Log4j2 and is very easy to execute by hackers. Log4j is a common logging library used across most Java applications. It allows for remote code execution, meaning that hackers can take control of log messages to load and execute malicious code into the network. The vulnerability has an extremely wide range of impact and can result in serious consequences. This has been by far the most serious vulnerability of my career — it is a far-reaching internet vulnerability that affects millions of systems because it pertains to a very prevalent software code that is typically bundled with other software and hardware to isolate. Already there have been millions of attempts to exploit the vulnerability. And while there is a resolution, there is no cookie cutter way or one approach to resolving or patching the vulnerability — everything is dependent on the software environment.

This and similar types of incidents make me realize that my job as a CTO is a continuous and essential one — not only do we need to help our customers and every individual and business become resilient, but we also need to be able to identify and resolve random yet far-reaching security incidents that put the entire world at risk. The security solutions my team brings to market need to be immediately relevant. They must identify risk, pain points, and vulnerabilities in IT environments in order to protect critical assets.

Are you working on any exciting new projects now? How do you think that will help people?

Most of the projects that I work on are exciting to me! Currently, we have delivered an SD-WAN solution to the market that has security integrated from the onset. Exacerbated by the global pandemic, enterprises are now lacking the necessary connectivity capabilities and are discovering various gaps in coverage and protection, partially because of existing gaps in infrastructure and solutions. By merging connectivity and security priorities, the SD-WAN is a cornerstone that not only can connect global enterprises with thousands of sites, but can get enterprises ready for the next stage of the cybersecurity process. Beyond the solution, we took a design-first approach to the user interface, delivering the full range of SD-WAN capabilities in a simple-to-use dashboard for our users.

There is an increasing need in the market for more bandwidth, as well as improved network availability and quality requirements to better serve latency-sensitive apps as well as Tier 1 customers. Beyond QoS, the workforce today remains hybrid or remote, and they need a secure networking infrastructure to remain productive and competitive. The hybrid workforce is here to stay, and therefore, remote and mobile workers demand a quality user experience. Moreover, edge computing workloads are accelerating, and are the primary drivers for a secure SD-WAN solution. Now, organizations don’t have to struggle to balance supporting and securing a hybrid workforce against an increasing potential of cyberattacks. We designed the Hillstone SD-WAN solution with fully integrated security to address the critical pain points triggered by today’s business needs and market trends, and to ensure that IT teams can reliably and efficiently secure their networks and apps, while delivering a great experience for their end-users. Effectively, the SD-WAN solution can deliver both connectivity and security.

To learn more about Hillstone SD-WAN protection you can go to the Hillstone website and see the library of white papers.

What advice would you give to your colleagues to help them to thrive and not “burn out?”

Both life and work are marathons, not sprints. The character Nathan from the film Ex-Machina says, “after a long day of Turing tests, you gotta unwind.” Beyond that, I am a big proponent of taking regular breaks — in many cases it improves productivity. Not only do you come back refreshed, but you might just break the ensuing tunnel vision associated with burnout by gaining a new perspective on solving problems.

Also, it is very important to build a strong professional network, and in my case with other CTOs and CISOs. In this industry, being highly collaborative with peers can be rewarding and a force multiplier in ideation. Keeping an open mind about technology provides a fresh approach to solving problems as an industry, as well as leveraging existing technology in creative ways to provide different outlooks and solutions on new and unknown problems.

Let’s now shift to the main focus of our interview. The cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the cybersecurity industry? Can you explain?

  1. It’s a field that is constantly changing, and therefore, mentally stimulating — and this keeps a CTO on his or her toes. New technologies and new attacks bring about new challenges: cloud, work from home, ransomware, etc. We can also see IoT security challenges emerging as well.
  2. In many cases, hacking is about exploiting unintended vulnerabilities or weaker features in products and software. As an industry, we all need to be conscientious in delivering and deploying security products that can’t be compromised or exploited easily by hackers. In other words, to build the impenetrable shield, we need to assess the vulnerability of the shield from all angles and vectors, including a hacker’s mindset.
  3. Development of AI technology is coming of age and its potential in security is recognized, but still in the very early stage. Its use on both sides of security could lead to spear vs. shield strategies and scenarios. I am fascinated with how we, as an industry, can augment AI/ML technologies to deliver greater, more effective solutions.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

While data leaks and ransomware are serious problems already, emerging technology points to a larger set of problems such as how to secure OT (Operational Technology) and auto system security. These potentially can bring about more than property or monetary loss: they can affect people’s lives.

As systems get more complicated, we may not fully grasp how these systems can fail and what damages those failures can bring about.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

We have more than 20,000 global customers, but one incident that stands out to me is an incident that K3 Cloud Services in the UK faced. A number of perimeter and internal security technologies and solutions were put in place in this customer environment, but hackers were increasingly using lateral attacks (between VMs) to carry out data exfiltration and other exploits. The Cloud team at K3 understood that they needed to segment their virtual environments to fully protect their customer applications and data. In general, security in virtualized environments and in cloud deployments are top of mind, and this customer case really brought it home for me. We had a real-life example of exploitation in a virtualized environment where lack of visibility of all traffic between dynamic virtual machines tends to be a critical gap for security administrators. And we delivered a solution that addressed all of their gaps and needs: granular visibility into east-west traffic to defend against lateral attacks, which is easily scalable, is transparent to users and network devices, and enforces Zero Trust across environments. Our solution allows security policies to be bound to every VM and to remain in place even if the VM is moved — without impacting security or application performance. This capability in our solution is of high importance in data centers like the K3 Cloud where customers might place multiple orders in short stints. What’s more is that our solution can be easily scaled up or down as needed to address the dynamic data center environment, allowing for a right-sized solution.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers, can you briefly explain what they do?

There are many tools out there and some primary categories include monitoring tools for network security, encryption tools, vulnerability scanning tools, sniffers, network defense tools, antivirus software, your run-of-the-mill firewalls, penetration testing, among other detection services. A lot of these tools are staples in IT environments.

One in particular that is relevant to IT — especially in today’s hybrid workforce and expanding network edge — is SD-WAN. We have our own standalone solution that delivers security at the edge. SD-WAN is the next-generation WAN edge solution for enterprises. Its key capability is to route traffic through wide-area links, including multiple internet connections, MPLS, and even mobile data networks like 3G/4G/5G LTE. This kind of tool to secure networks and the network edge is absolutely critical to today’s enterprises. The solution offers not only the visibility to see into network traffic, but also the ability to understand traffic context, as well as the ability to take action to protect traffic at the network edge. Centralized management, zero-touch provisioning, and superior QoS with active link monitoring is essential for fast, simplified and protected SD-WAN networking. And our solution delivers this.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

First off, we’re in an accelerated digital world. And cybersecurity is here to stay, impacting enterprises as well as individuals a lot faster and a lot more significantly than ever before.

Over-the-counter solutions or point products may mitigate security risks, but the cybersecurity landscape today is not that simple or cut and dry. And depending on the organization or industry, contracting out services may not be compliant from a regulatory perspective nor financially or operationally sound.

I think it really depends on the value of assets you want to protect. Security teams, software, CISOs are all investments. You need to figure out how the investment matches the value of assets you want to protect. In other words, look at the possible damage that a breach can cause and determine the security investment against what you can afford to lose if a breach occurs.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

Today’s security reality is not a question of if, but when. And yes, there is a large percentage of malware that is sitting dormant, latent in networks, waiting for the right opportunity.

  • If you do not have visibility or a solid understanding of what is going on in your system or your security posture, chances are you have already been hacked. Ignorance is bliss… or is it?
  • If someone finds your company data on the internet, you have likely been hacked/breached.
  • Also, some abnormal behavior may be easy to observe: unusually heavy network traffic, unusually slow systems, unresponsive servers — all these are signs that something is wrong in the network.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

  • The first is to take account of the most important things that will be affected by the breach. Maybe it’s the customer; maybe it’s the business-critical application. Find the best way to remediate. If it is the customer, businesses need to communicate to the customer what the breach means to them, what actions they need to take to protect themselves, and enlist some internal or external help for them.
  • Less urgent, but equally important is to find out why and how the breach occurred in the first place. Getting to the bottom of things will make sure the same mistakes are not made again.
  • It is better to come up with a response plan to a list of likely breach scenarios beforehand. This way, the team will not be overwhelmed by devising responses on the fly and having to worry about not getting every base covered.

How have recent privacy measures like the California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

We need to be compliant with these laws. For example, many laws ask for data generated in each region to be kept locally, and we need to make sure our cloud services are compliant — we need to keep the data from each region separate. The other element is user data. We have marketing data and customer data, and we need to give people control and visibility over how their data is used. Opt-in, opt-out, delete, etc. — these are required by law now and ultimately affect individuals as well as businesses.

From a technology perspective, it challenges and forces security vendors to be more stringent and disciplined in delivering effective solutions.

From a business and marketing perspective, it requires that we respect our customers’ privacy and the integrity of their confidential data. And while it may add additional steps in how we communicate with our partners, customers and prospects, these rules benefit all of us in the long run.

What are the most common data security and cybersecurity mistakes you have seen companies make?

I think a lot of companies have taken some measures to protect their digital assets, from buying firewalls to installing antivirus solutions, among others. But few have taken the extra step to identify their important assets and consider the potential breach scenarios they will most likely face, and draw up prevention and response plans to address those assets and scenarios. Throwing a bunch of security tools together is not particularly effective or cost-efficient. Having a security strategy based on assets and risks is much more important. Having a holistic security strategy with solutions that can help tie everything together and deliver effective protection is more important. This is where having a member of your staff that is focused on security strategy and execution is important.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

A couple of issues have been brought forward by the work-from-home mandate: a lack of control of employee endpoints — they typically use the same endpoint for work and leisure. We rely heavily on VPN without physical presence. So proper authentication and authorization is an issue.

Secondly, we are seeing an uptick in malware activities, but it is not clear what percentage of remote workers is contributing to this. The WFH mandate is a general trend and will not go away after the pandemic. We expect more attacks appearing in this environment in the next few years.

Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

  1. Maintain cyber hygiene. Follow best practices for basic security measures in your environment. Antivirus, firewall/access control, network segmentation, identity management and control. These best practices will greatly reduce the exposure to drive-by cyberattacks.
  2. Identify data assets. Classify the critical levels of data by sensitivity, value, importance, among other criteria — and review and implement proper protection for each category of data sensitivity accordingly. For instance, a customer’s personal information such as social security or credit card details should be of utmost sensitivity and protected as such.
  3. Review the access controls and propagation of data, especially confidential data. It not only safeguards against external threats, but also helps with insider leaks. For access to critical data, it is usually a good practice to log and audit user access. Mishandling of sensitive data can be massive and have irreparable ramifications, especially in the age of cloud. A recent example is when the personal information of almost 200 million registered U.S. voters was accidentally exposed online due to an improperly configured security setting by an analytics firm. This type of mishandling of data is unconscionable.
  4. Emphasize proper backups to safeguard against ransomware damages. It can greatly reduce the damage caused by data loss. Maintain a full backup and implement more frequent incremental backups. It is also important to periodically test backups to make sure backups are not already corrupted data. Recently a Kansas City organization was able to thwart a ransomware attack because they had followed a double data backup protocol. Data was saved to a storage device attached to the network, which was attacked by the hacker and rendered useless, but the IT team had additionally set up backup on a tape machine, which was air-gapped, meaning without network access. Air-gapped backups cannot be corrupted by malware.
  5. Conduct proper security training of staff and partners since social engineering is still one of the most important attack vectors. Phishing email, seemingly legitimate web links, file downloads — all of these are weak chains in the internal networks of corporations. The only way to address this weak chain is proper awareness and training.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger.

I would like to eliminate all threat vectors within the enterprise by 2050. If the industry comes together, we can achieve this. Imagine a world without cyberattacks. If we all come together as an industry to address these problems, we can possibly achieve this and ensure that we live in a digitally protected and safe world. And we can’t do this alone. We need to work together with machines, because together, we are better, stronger and faster. So, imagine a world where AI and human intelligence work in harmony to combat and eliminate continuous threat vectors. Because, let’s face it: we are and will be a digital and digitized society.

This was very inspiring. Thank you so much for joining us!
