Shawn Henry, CrowdStrike: The cybercrime buster

11 June 2014 | Guy Matthews

Telcos are uniquely positioned to play a key part in the global battle against cybercrime, says former FBI man Shawn Henry. Capacity hears about his tireless battle against a relentless tide of “adversaries”.

When Shawn Henry stepped down from his senior role at the US Federal Bureau of Investigation (FBI) at the beginning of 2012, it would have been understandable if he had opted to luxuriate in well-earned retirement.

After all, he had just devoted 24 years of his life to upholding the law, much of it spent battling computer crime in far-flung parts of the world as executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch. Instead he moved over to the private sector in the form of California-based CrowdStrike, a provider of security solutions and services.

Henry is president of CrowdStrike’s professional services subsidiary, as well as chief security officer for the parent company. CrowdStrike’s approach differs from most other operators in the field of data and network security. Rather than target its efforts towards detecting and thwarting malware, it focuses instead on the organisations that perpetrate it – “adversaries”, in its own jargon.

In other words it goes directly after the bad guys, collecting data on them and harnessing this information for the benefit of organisations in a variety of sectors, such as healthcare, financial services, defence, retail and, naturally enough, telecoms.

“Our clients are international businesses of various kinds, and our job is to make them more secure,” he explains. “Our primary business is protecting sensitive data from attack.”

CrowdStrike has developed proprietary technology that sits at the customer end point detecting threats. It also has an intelligence programme which Henry describes as “not dissimilar to government intelligence apparatus”.

“We want to know who these adversaries are and what they are targeting, in order to put the customer in a stronger position,” he says.

Animal instincts
When Henry talks of adversaries, he does not mean disaffected Bulgarian teenagers developing amateur viruses in their bedrooms. He means organised criminal groups, of which CrowdStrike keeps tabs on around 60, based in places like China, Russia, Syria and Iran. It has its own system for classifying these groups, giving them intriguing monikers like Numbered Panda, Magic Kitten, Energetic Bear and Deadeye Jackal.

Lest this should sound like something out of an entertaining but lightweight pulp novel, Henry warns that the danger these organisations pose is very real, clear and present.

“These adversaries are sometimes backed by governments that want to steal data and supply it to organisations in their own country, perhaps to give them a competitive edge,” he explains. “They are after intellectual property, research and development information, details of corporate strategy, personal ID.”

Henry says CrowdStrike works with many of the major network operator names around the world, helping to defend them against those who would target and exploit their infrastructure.

“When it is telecoms companies being targeted, the attacker might be looking to disrupt their business and degrade communications,” he explains. “Telecoms infrastructure is critical, and if you are looking to make an impact on a country or a region then by degrading the traffic into and out of it, you can either affect its economy or gain notoriety fairly easily.”

Plausible deniability
Whole networks, or large parts thereof, have recently taken severe denial of service hits in places like South Korea and the Middle East, inflicting, he says, the kind of damage that affects society at a fundamental level if sustained and protracted.

“I stress, though, that this is a global problem that we’re dealing with here, and certainly not limited to one or two parts of the world,” he adds. “In some places it’s a fast-growing problem. In Africa, for example, there was not until recently much infrastructure to attack, as most of the continent lacked connectivity. That has now changed, and along with it the potential threat. Basically, anyone connected to the superhighway is in harm’s way. It’s an issue for all telcos regardless of geography.”

Does he perceive the telecoms sector as being on top of threats, or behind the curve compared to other verticals?

“There are many industries that I would like to see become a lot more aware of the threats their infrastructure faces – but telecoms is certainly not one of them,” he reassures. “Telcos may be well aware of the threat, but they don’t always have the expertise in-house to deal with it. Intelligence is at all points critical. Identifying what’s going on with your network is limited by the extent of your intelligence. You can know you are being attacked, but not by whom.”

He knows that for much of the past decade, telecoms organisations have been implementing defensive measures, and adding levels of security to make attacks difficult.

“That might be in the form of firewalls or intrusion detection,” he says. “This is fine, but not proof against the more sophisticated adversary. Telcos need to look harder now at detection. They need to detect quickly who is making an attack, then there’s a lot they can do about it. You don’t want to be waiting for a month or so to find out.”

Are carriers doing enough to protect data?
Along with denial of service attacks, telcos are facing more and more intrusions aimed less at their infrastructure and more at the data it carries, he believes.

“It’s becoming more and more about data loss,” he says. “It’s the handling of data on these networks that needs to be looked at. Telecoms organisations should pay more attention to that.”

Henry does not believe that the communications sector should be left to manage the problem on its own, and calls for proactive top-level collaboration.

“In my 24 years in the FBI, I worked with many different governments,” he says. “These governments often, in my view, have information that they should be sharing with the private sector that they are not sharing, for a variety of reasons.”

He also thinks that the telecoms sector could help itself with better cross-referencing on security issues between players, even though they may be deadly competitors in the commercial sphere.

“Telcos have a unique ability to develop insights and intelligence into the tactics of some of these adversaries,” he claims. “They should probably be doing more to share this with each other and with other organisations. This would put everyone in a better position to control the problem. For competitive purposes, they are probably not sharing much. This could end up putting all of us in a dire predicament.”

Non-stop action
The one certainty in Henry’s mind is that attacks on networks and data will keep on coming.

“They can’t be stopped,” he fears. “The attackers know that there’s pretty well no chance they will get caught. Their risk is low and there’s not much chance of preventing them altogether. As a society we are stronger together, so I’d call on ISPs and telcos to work as one.”

Although plainly some way off any kind of retirement, Henry has at least been garlanded for his efforts on behalf of global security. He received the Presidential Rank Award for Meritorious Executive in 2009 for his FBI work. Given this career-long immersion in the tense and murky world of adversaries and malicious attacks, what does Henry do to unwind out of hours? Knowing what he knows, is clearing his mind for off-duty R&R even possible?

“In my time working for the government, I regularly did 70-hour weeks,” he muses ruefully. “Now I’m in the private sector I’m doing 80-hour weeks. That doesn’t leave a lot of time for out of work activities or downtime. You could say that my work-life balance is not quite what it should be – even though I give a lot of advice to other people on that subject.”