Interview: Mike Murray, Director of Cyber Security at GE Healthcare

So today, we have with us Mike Murray. He's the director of Cyber Security Assessment and Consulting at GE Healthcare. Prior to GE, Mike spent 15 years working from companies across all range - startups that built security products, consulting companies, and even a large financial services firm.

In 2008, He partnered with a couple of other like-minded individuals and built the Hacker Academy, and then, in 2010 we co-founded MAD Security which subsumed The Hacker Academy as part of a security consulting, resale and system integration firm.

Mike has a diverse background of technical skills, business and management skills and I discuss with him why he tries to spend his time doing incredibly cool projects with passionate and interesting people. We talk about Mike's interest and involvement in the Internet of things, how we get developers to do their own security, and why he views security as one of the "hardest careers out there." Mike also shares his thoughts on why he choose to work in healthcare security and what security means to the future of the healthcare.

The following is a brief excerpt of our interview.

Jeff Williams: I have this vision of the future where everything is constantly testing itself for security in operation. There is no real difference, right? The same sensors run in Dev, test, staging prod, all over the place. And they're always monitoring for potential security vulnerabilities and security attacks. Both sides of the equation.

And developers just get incredible feedback immediately on how their software is being used and where the securities weaknesses and attacks are in it.

Mike Murray: Completely. That's the kind of pie in the sky vision - I actually paused there. I'm like "That would be really nice. I don't know that that's going to happen--"

Jeff Williams: I think we have to get there actually. I think we can't not get there. If we don't get there, then we're just going to continue to have things like JPMorgan and Home Depot and so on.

Mike Murray: Yeah. And I think we are going to continue to have those things. It's funny. I see those as a symptom of the changing world and frankly, as a symptom of things getting better. That we're finding more of those kind of breaches, to me, is a positive.

Jeff Williams: That's interesting. At some point, you have to recognize the problem before you can make a fix. And right now, I don't think organizations are really taking, particularly application security seriously. When the Verizon DBIR says 36% of the attacks of coming through application vulnerabilities.

And then you look at the analysts saying that only 1.7% of security spending goes towards application security. Something has got to be wrong.

Mike Murray: I don't know that I would say that that's necessarily something wrong. I think a lot of security is playing whack-a-mole. So, if you think about, if there's only 1.7% being spent on application security and there's 37% of the attacks - that means that that's going to be a priority for spending over the next few years.

If we went back and undid the other 97% of spending, there's a lot of old vulnerabilities that would show back up. Because that other 97% of spending has been built over the last 20 years to address each problem as it goes along. 

Jeff Williams: Except that it's all firewalls and IDS's and antivirus...

Mike Murray: You bet.

Jeff Williams: ...which for the most part, the perimeter protections aren't working anymore.

Mike Murray: But I'll tell you - this is the funniest thing - we security people are such negative Nancys. We are so doom and gloom all the time.

The security industry as a whole are the old guys in "The Muppets." You know the guys that sit up on the side and just grumble about everything? Because if you think about it, everyone complains about how none of those technologies work. "They're terrible, SIMs are terrible." I was just on a call - "SIMs are terrible and I'm going to make fun of them."

But I will tell you, if you went to a JPMorgan Chase and they had no firewalls, no IDS', no SIM, no identity management and they got breached with application security, you'd go "Why did they get breached with application security? Why didn't they just walk in and take everything?"

Those technologies - we all complain about all of them, and I'm no stranger to complaining about the same things. I complain about all the same stuff that you guys do, but the thing about it is if we didn't have those things, security would be so much worse. Because I remember, and this is the disadvantage of getting old or I guess the advantage in some ways.

I remember when we didn't have those things. I remember Code Red - and SQL Slammer is my JFK moment. My grandmother and my parents' generation, they all remember exactly where they were when JFK got shot. I have a vivid pinpoint perfect resolution memory of exactly where I was when I found out about SQL Slammer.

It was world changing. That was...there are no firewalls and SQL servers all came with a blank password, 1434 to the Internet was wide open, UDP everywhere. UDP spread like wildfire.

These things are all fixed now. We don't have those problems anymore. But we complain about all the things that we did to fix them and "Why are we spending money on this crappy technology?" But holy crap, if we took that stuff out - if we took that stuff back out, it would be like 1999 again. And 1999 was not a good time to be a good security professional unless you were a pentester. I was a pentester in 1999, it was a blast.

It was whatever network you were looking at, look at the OS's you came up with and the category and the ports. Like "Did you have a Web server?" If I had a Web server, pick my Apache exploit of choice because I probably had three that worked and just whatever box was around.

Pentesting is not like that anymore. Pentesting is hard now. But back in 1999, it was easy and it was easy for the attackers, too. And we all forget that. We tend to forget that we've done a really good job over the last 20 years. That's not saying that there's not a lot of work to do.

But given where we were even ten years ago from a security perspective, I think we complain far too much.

Jeff Williams: That's a fair point. I guess from my perspective, I see application security not getting much better. And a lot of it is because software development is rocketing ahead so fast with new architectures, new platforms, new protocols. And we haven't stamped out anything. We haven't stamped out SQL Injection or cross-site scripting or really anything.

Mike Murray: I would say SQL Injection is a lot better now than it was in 2007.

Jeff Williams: It's definitely on the way out, but it's not because of application security. It's not because of OOS. It's not because of anything like that. It's because people started moving to ORM frameworks that aren't susceptible.

Mike Murray: Right, absolutely. But that in itself is a mitigation. Here's the funny thing. This is the problem with security. I did a talk at RSA last year which was framed as a career talk. I called it "Security, the Hardest Career."

But it actually fundamentally rotated around a concept that Chris Nickerson and I came up with many years ago over drinks one day. And it was the idea of a vulnerability cycle that basically, as technology evolves, there's patterns within the types of vulnerabilities that come out.

But one of the points that we came up with that was really important is that if you think about security, security actually has a really difficult characteristic in that all security problems are front-loaded. Almost always in the technology life cycle, in the life cycle of any given technology, the security problems are in the majority discovered...80% of the security problems are discovered in the first 20% of the product's life cycle.

And because of that front load, every new technology is going to be the place where all the security problems are. So whatever the new technology is today, it's going to have more security problems than the previous technology. The previous technology will just be getting all of its crap worked out and all of the old security issues worked out as it's supplanted by a newer technology.

The broader scale version of this is IPB 6 versus IPB 4, but you just described the perfect example. As we start to work out the stuff...the issues in the old technology, some new thing comes along that's full of security holes and we have to deal with that. And it makes security a really difficult career and it's part of what contributes to us all turning into old, curmudgeonly Muppet guys up in the corner in the room just grumbling about everything, is that it always feels like the sky is falling.

Because just as soon as we manage to fix one problem, the problem completely shifts. And you can see this completely. The best example of this is 2004. 2004 comes along, Microsoft has done its trustworthy computing thing. They have literally fixed the worm problem. There is actually a date. And the date is the date of the release of Windows XP Service Pack 2.

And if you look at that date as a de-mark in history...before that date, there's a mass-spreading worm every month. And that date happens and there's only two or three more ever. There's only two or three more really significant worms in history after that date.

And literally, we fixed that problem. And if you actually look at that same date, that's the same date that everybody starts pushing everything to be over HTTP because they get tired of the firewalls. And OOS starts the next year.

So we fixed this one problem and all of a sudden, we're on to this Web app stuff and all we're talking about is Web app stuff. It's that kind of life cycle problem that just makes it feel like it's always going to be an issue and it's always going to be horrible.

But really, it's that we are front-loaded. And so, security is always going to be a really hard career. It's going to be a really hard thing for us to deal with because we always have to be at the front.

If I was some SQL developer, if I was a database administrator, yeah, I might have had to learn to move from Oracle to SQL Server to MySQL and whatever the new cool database things are.

But as a security professional in the last ten years, I've had to be an expert on vulnerability research, phishing and social engineering and security development life cycle and the Internet of Things. The security pro has to be at the front end of the technology life cycle. So it's a constant whipsaw of new lessons, new learning and new problems. That just make it always seem like it's going to be horrible.

To listen to the rest of my interview with Mike, click here.