Zuly, tell us about what kinds of experiences led you to start Light Point security.
My career originally started at the NSA. There I was mostly working on the defensive side, so basically protecting our computer systems and networks from hackers, bad guys coming in and infiltrating us. So it was interesting. I actually started Light Point Security with my co-founder, also former NSA, but he was on the offensive side. So he was the guys that we were protecting our computers from – he did that. He was on the offensive side and attacking other networks.So we kind of got together and melded both skill sets, defensive and offensive, to really start the company. And for me, we really believed in the mission, and still do believe in the mission, protecting our nation’s security, all that stuff. But it’s sometimes hard to get things done in a big, gigantic organization. It can be kind of bureaucratic. So it was nice to be able to go off on our own and be able to know that we were doing something that really was going to have an impact, and we could see it ourselves, that what we did impacted this directly, and we could see that happen.
Really, the idea for the products came about from us sitting down and looking at the security landscape, seeing where vulnerabilities were, seeing how easy it was for bad guys to get into networks, and looking at the defensive solutions in place in the marketplace, and really looking at the flaws and vulnerabilities.
So when we looked at the security industry, we saw that most traditional security products are all based on detection, and the idea is that you’ve got an algorithm that could be signatures, it could be a database, it could be behavioral analysis, but at the end of the day, that solution uses some algorithm that they’ve developed to look at what’s coming into your computer, into your network, and then make a determination – “Hey, this is good,” or “This is bad,” based on this algorithm that I’ve developed, right?
The problem with that approach is that it’s more reactive than proactive. So it can only stop things that it knows about. If I know that this is bad, then I can prevent that bad thing from happening. But it’s not a viable solution for preventing these unknown attacks. I don’t know that this is bad, so I’m just going to let it through. Turns out to be bad, and well, it’s too late.
That was the security landscape, and we saw that there had to be a better way to do it. So that’s where we came up with our solution, and really, it boiled down to us sitting and thinking, and asking ourselves, “What would it take to basically stop the attacker’s side?” Stop him from infecting a computer, infecting a network. And that’s where we developed this concept of remote browser isolation. Isolation existed, but it was the adding the remote aspect of it that was something that we invented and created, based on our knowledge and what we saw in the marketplace.
So there’s a broad spectrum of use cases, potentially, from corporate to law enforcement to government and then wherever else?
Yeah, yeah. That’s kind of the neat thing for the product – there’s just so many use cases and so many ways it can be used, in so many different target markets. We’re today focused mostly on the commercial side, but the product can be used by large organizations too… our largest organization has 200,000 employees worldwide. So it can be used by really enormous organisations and enterprises. But we also have home users using our product. So a huge spectrum – small businesses and medium-size businesses can use the product. And pretty much anybody, from our perspective, anybody that browses the web and has data they want to protect should be using our product.
When we initially started, it was mostly designed with malware protection in mind – so providing that ability to prevent malware from infecting your network through web browsing. And we picked web browsing, by the way, because malware today comes through your web browsers. So 85% of malware comes through your web browser. You hear a lot about emails, but that’s… an email that contains a malicious link, you click on that link, that’s really a browser exploit, a browser attack.
So most malware comes through your browser – we felt like if we could attack that area, that piece of the bigger puzzle, then we’re doing a really good job.
So there are a lot of use cases. Malware protection is where we started, but as a side benefit of how the product was designed, anonymous browsing is something else that we’re able to provide as a use case.
And one interesting use case too is the ability to provide network segmentation or segregation. So organizations that have a network that’s got all their valuable data, a lot of times, sometimes, depending on regulations, policies, whatever it may be, can’t have direct access to the internet, that network can’t have direct access to the internet. So our product allows them to meet that requirement, because the network won’t have direct access to the internet. But it gives police the nice benefit of… from the user’s perspective, it looks like they’re still browsing from that same network… on the same machine, browsing as well as having access to their data.
In your presentation you started to talk a little bit about people that have malicious websites, that they’re either trying to restrict who gets to see the content or otherwise protect what they’re doing maliciously in some way. So that was actually very interesting to me, because I’m used to thinking in terms of the bad guys who want to protect their own identities, but the sites that they’re trying to get to are actually looking at that and going, “This is suspicious, and you have to give me some of your data,” right?
Can you go into a little more detail about how that works? On behalf of the malicious service providers.
So you mean like I’m a bad guy, I’ve got my site, and I’m… say, for example, a forum on the dark web. So I want to know who’s on my site, because I don’t want law enforcement on the site, right? So they put a lot of thought into making sure that they know, as much as they can know – because at the end of the day they can’t always know 100 per cent – but know who’s going to their site, what they’re doing, and get a good sense of are they legitimate or are they really on my site because they’re law enforcement and they’re trying to figure out how to get me.
Actually, that’s one of the things Brian Krebs does. He goes to these forums, pretends to be a bad guy, and he’s got to make his way in. So sometimes it’s just a matter of you can’t get in unless you get an invitation from somebody that’s already been vetted. So I’m vetted, so I’m going to vet you, so then they allow you to come in. So that’s one aspect of it.
But looking at it from the website perspective, they can do a lot of different things. And usually it boils down to maybe not on the first or second time you visit the site, them being able to say, “Hey, this could be law enforcement.” But as I was talking about, building that bigger profile, and seeing what all activity is happening, put that all together to get a better sense of what’s really happening.
So they can easily see how people arrive to their site. Are they searching for something? Was it a direct link? Where did that come from? If they searched for something, what were the keywords that they searched for? That can lead to certain information. Looking at what pages within their site they look at, how much time they spend on that site. Even the flow of information – so if they look at this page first, then look at this one, then they look at that one…
Then, also, being able to see if they can get information like an IP address or location. Not everybody knows how to hide their identity as well as they should. They may think they’re being protected, but as I talked about in the presentation, their IP address is being leaked. And so they see that.
They can do different things – once they determine that they don’t want somebody on the site, they could block them, but they don’t necessarily have to. They could just keep an eye on them and see what they’re doing. They could serve them different information to trick them into thinking something else. They can do a lot of stuff. But we’re always looking for, finding ways to try to get the bad guys. But those bad guys are always looking to see what it is that we’re doing, and they’re usually one step ahead, unfortunately, trying to think of new ways of protecting themselves.
They also have fewer rules that they have to abide by.
Exactly, yeah. That was something… right before my presentation I was going through the exhibits, and was talking to some folks, and we hit on that exactly. Bad guys don’t have any rules. Whatever they want to do, they can do. We, especially law enforcement, a lot of times our hands are tied and there are certain things we can’t do. And unfortunately, that means that we can’t always get the data we need or can’t get it as fast as we need to. And it’s just unfortunate… that balance of people’s privacy and being able to get the information you need to protect people.
So how have online, covert investigations evolved over time to the point where it’s gotten to this point… have you noticed any particular trends in that evolution or the challenges that the investigators have faced?
It’s evolved as technology has evolved. So initially, when you looked at it from the early days, it was always having two separate networks. So I’ve got this network over here, I’m doing, let’s say, my Secret Service browsing, and it’s tied to Secret Service’s network. And then I’ve got this other network over here, which is my covert network, where I do all my covert stuff, and it has absolutely no ties to my network.
So that’s really how it initially started. As you can imagine, it’s resource-intensive, it’s very costly and expensive. You have to set up this whole network, lots of hardware, then you have to maintain the network. And one of the disadvantages is if something goes wrong, where inadvertently this covert network is now no longer covert, and it’s tied to, for example, a Secret Service, having to tear that out is very costly. Redoing the whole thing is very expensive.
So that’s how it started, and as technology has evolved and made things easier, things have sort of evolved along the line, and… so people started using proxies and VPNs, and those are software solutions which make it a lot easier, a lot more cost-effective for organizations and folks to do their anonymous browsing. But then they have those drawbacks that we talked about, where they’re not 100% foolproof.
For example, VPN. VPN wasn’t necessarily designed for anonymous browsing. It was designed as a way for somebody that’s outside of the network to be able to get into the network securely; basically, we’re creating an encrypted tunnel there. But the technology existed, and it was leveraged to do anonymous browsing.
So technology has evolved and been leveraged from other areas to provide the information and the security that they need. But again, as I mentioned, there’s things you need to look out for and just know about. And then, from there, if we look at the evolution, the next step from my perspective is the remote browsing aspect of it, where that is a solution where it doesn’t now have those potential leaks, because instead of it being a concept of “You’re browsing from this location and I’m going to make it look like you’re browsing from over here,” now it’s a concept of “You really are browsing over here.” So there’s no way for it to come back to you, because you’re not browsing from your local…
So I think that’s where the industry is headed. From I guess the market perspective, things have always evolved from… starting like a hardware implementation to now software-based, so that’s kind of where I see it evolving and gong to.
And what about for mobile devices? Is there a mobile application for that as well, or for that matter, maintaining privacy with some of the new devices, like Alexa or any of those sort of IoT-connected devices.
Yeah, so I think that IoT generally is kind of interesting, because these devices have access to a lot of information, but they’re not yet designed with security in mind. It’s a lot cheaper to build a solution that it’s not super secure, that’s more consumer-facing from a cost perspective. So people – it’s just nature – people cut corners to make it more of a mass appeal type of solution.
That’s what we’ve been doing with apps for years!
Right. Exactly right. So unfortunately, a lot of these devices have access to a lot of this data, and just aren’t being protected. And I see IoT taking the same path that mobile devices have taken. So initially, way back when, it was mostly all computers, and over time that’s evolved to more and more mobile device usage, and users use more mobile devices, more data is on those devices. Initially, on the mobile device side, people weren’t too concerned with security there, and now, today, people are. Because there’s just so much – it’s sometimes even more than on your desktop.
So I see IoT taking that same path, where initially, security is really not that big of a deal, but as things evolve, as they become more commonplace, as more data gets stored on these devices, security is going to start playing a bigger and bigger role in the devices. Now, for example, some people say, “Well, I’m going to buy Apple because I believe that it’s more secure than the Android.” That’s legitimate reason for wanting Apple versus Android, and I kind of see that evolving to IoT as well.
What advice would you give to other women and/or women of color trying to make it in this industry and be successful?
I’d say that if you want to do it, just do it. That’s kind of the best advice that I can give. And sometimes people want to do something but they’re just afraid, or they’re uncomfortable, insecure, not confident in their abilities.
Or they’re worried they don’t have the support, right?
Right. So I would say just – if it’s something you really want to do, just do it. There’s no better time like today. The worst thing you could have in life is regret. So don’t look back 20, 10 years from now and say, “I wish I had done that.”
So really, just do it. That’s the best advice that I can give. I’ve been in engineering all my life, and so for me, I never… I don’t really look at it in terms of gender and color. If I want to do something I just do it, and I don’t really focus on, “Well, there aren’t too many women doing it.” Well, too bad. I’m just going to do it anyway. Right?
Yeah. Well, you love it, right?
And that’s enough to kind of keep it going.
Yeah. So the second piece of advice is: just ignore the surroundings. It doesn’t do you any good to worry about things that you can’t control. So just ignore it. Focus on what you want to do, and just do it. And don’t worry about the fact that hey, there aren’t that many women, or have concerns that you don’t even know if they really exist, but you think maybe, so… for example, you may think, “Well, I want to do it, but I don’t think I’m going to have the support. It’s going to be a whole bunch of guys and nobody’s going to want to help me.” You don’t know that. You’re guessing. But you don’t know that. So don’t make a decision, an important decision like what you’re going to do with your career, based on a potential, could-be kind of thing.
So yeah, just ignore everybody, just do what you want to do, and go for it, really.
Zuly Gonzalez is the Co-founder and CEO of Light Point Security. Light Point Security invented the concept of remote browser isolation to truly prevent ransomware and other web-based malware from infecting an organization. Their product also provides anonymous web browsing for online researchers. Prior to Light Point Security, Zuly spent over a decade serving the nation as a cybersecurity leader at the National Security Agency (NSA) where she protected national security interests. Zuly is a frequent speaker at technical and cybersecurity forums, and has written for, and been cited in national and international technology publications. Zuly was named one of Maryland’s 40 Under 40 and is a board member of the Maryland Cybersecurity Council.
Forensic Focus interviewed Zuly Gonzalez at the Techno Security & Digital Forensics Conference in Myrtle Beach, SC. For more details and to find out about next year's event, visit the official website.