“You can’t stop the device from getting hacked, you have to defend your data” – A Primer with Kevin Mahaffey
Kevin Mahaffey is an entrepreneur, investor and engineer with a background in cybersecurity, mobile and machine intelligence. He is CTO and Founder of Lookout, a cybersecurity company dedicated to making the world more secure and trustworthy as it becomes more connected, starting with smartphones and tablets. He started building software when he was 8 years old and it has been a love affair ever since. Mahaffey is a frequent speaker on security, privacy, mobile and other topics.
Tell us a little bit about yourself and about Lookout
I am Kevin Mahaffey, I’m the founder and CTO of Lookout. We are a cyber security company focused on mobile.
I like fixing problems. The company started in 2007 and actually myself and the other two co-founders were doing research into mobile phone security and we got our hands on a Nokia 6310i, you know, black and white screen, had Snake the game on it, and this phone was notable to us because it had Bluetooth on it. We found actually some pretty bad security vulnerabilities on that device. You could hack into it and reboot it. And we looked on a whole bunch of other devices and we found similar vulnerabilities in almost every phone we ever touched. And we tried to work with all the different manufacturers, everyone from Blackberry to LG to Nokia in this case and nobody really took security very seriously because the question was why would anyone wanna hack a phone? This is in 2004, mind you. And one of the other excuses was, well, the range of Bluetooth is only 10 meters so you had to be really close to someone.
And so Bluesniper was created to extend the range of Bluetooth to 1.2 miles away. And in doing so we proved that you could actually hack a phone from really far away. We thought that this is maybe something we’d talk about at some technical security conference but we were surprised to be on the front page of the business section of the Wall Street Journal of the NY Times, so we thought “this is a big problem that we can solve”. So we said ok let’s start a company to solve the problem and in 2007 we started Lookout to build software to protect both individuals and businesses from cyber threats on their mobile phone.
What makes you want to hack things?
Hacking is not like we see in the movies. The way a system does work is different than the way it was designed to work. And they surface that. Good hackers, people who want to make things better, when they find a way to manipulate a system in a way that wasn’t intended they try to get it fixed.
Where is the company’s HQ located and why?
We are based in California, San Francisco, and we have offices in Europe and Asia. The reason we are all over the world is because this is a global problem. Mobile security doesn’t affect only one country but every person on the planet. From individuals who’re using their phones for online purchases to large companies who’re using mobiles to run their businesses to manufacturers.
We started in LA and in 2009 we moved to San Francisco because Google and Apple became big in mobile.
Are you going to stick to phones? Or do you have plans for other devices, such as cars?
We don’t have any products in that space, [car security etc], I’m not sure if we will ever have a product for cars but the passion of everyone in the company is [understanding] how to make the world a safer place and sometimes that means releasing a product, sometimes it means doing and publishing research. And if there is a product that is needed, we go build it. IoT security needs to be taken very seriously. However, we are focused on mobile right now. We’re focused on one problem at a time.
Can you also hack an offline network?
Most people are focused on how to secure a network. How to stop bad things from happening. But if you think of your body, your immune system doesn’t work that way. And most networks are architected to assume you can block those things. But nowadays you can’t control what’s in your network anymore. So a lot of companies are getting breached every day, and usually by someone inside their network, they use some valid credentials to access the data that they shouldn’t, and that’s a really big problem. So we advocate for this concept of the immune system where you gather data, preferably no personally identifiable data to know how things are working, everything from your smartphones to laptops, then you process that data and analyse it to find indicators of a threat and sometimes you can automatically respond, or sometimes you need to escalate to some smart human in a security team to think about it some more and decide what to do. But this is very different than stumbling upon a hack because they take out your internet connection for taking so much data from the company, sometimes that’s how you discover a hack.
What kind of advancements do you see happening in the future for your company and in the world?
So right now a lot of individuals use Lookout. The big course for us right now is helping large companies and governments secure their mobile devices because 3-4 years ago people could get email (if that) on their phones. Basically everything you can do on your PC most organisations started to be able to access from a smartphone or tablet. But the organisations don’t have any idea what’s going on on these devices right now. So we see a lot of demand on that. How to secure these devices. We look at a modern way to stop advanced threats that’s not just signature based to stop attacks on mobile.
And do you see this happening in general?
Everyone is moving towards data security. Some companies are building their own software and they’re very far down on that road, other companies are just starting to get there. But it’s not the device, it’s the data. You can’t stop the device from getting hacked, you have to defend your data and you have to respond to threats and hope they never happen. Those two principles are really coming forward. Unfortunately it means a lot of organisations have to rip out some things and replace some things but I think it’ll make companies and people more secure because when companies are more secure, as an individual your data will be breached less often.
What are some key hurdles in the industry that you’re experiencing and how do you see data science applications solving this problem?
The hurdle is there’s too much data in security or not enough data. In the case of not enough data, many security organisations apply. You can ask any given system, what is the data that will show the hacker gets in. And if you don’t have data coming from that system, then you’re never gonna know that the hacker gets in. Other times you have so much data that it is not very useful and you don’t know what to do with it. So you have to set the security teams that are drowning in alerts. They’re so busy that they can’t focus on the really important threats. And what I have to see is machine learning emerging to actually help with these issues.
First there are organisations stitching together the data. So instead of a bunch of isolated data streams we use the phrase joined-in and analyse it. Joined-in is where you take your source code data and mash it with your vacation data so if an engineer checks in for threat indications that’s actually something you wanna look at. But if you only look at source data you’ll never be able to make that conclusion. And analyse it means to look deeper and extract more information. And then, using machine learning to take that huge volume of information and funnel it down to a simple message which says, okay, here are the things that humans need to look at and here are the things that humans don’t need to look at and we know how to deal with it. We can automate responses, cut the device from the network etc. Ultimately humans can only make so many decisions per hour and we have more and more connected things in the world and so if we try to add those things and do the security the same way we did in the past, we’re gonna lose.
What are the possibilities and benefits of using data science in cyber security?
[Using data science] I think security teams will get more sleep, companies will be more secure, hacked less frequently, and individuals will see their data be more protected.
When did you notice that things started to take off?
When we started the company we were securing Windows Mobile smartphones. And projections for how many smartphones there will be in 2017 were very few. So when we went to investors they were like ‘oh yeah the smartphone market is not very big one’. And now there’s billion smartphones shipped every year and what changed was iPhone and Android launched and that made smartphones easy and fun to use and then at the same time you had 3G and now 4G networks and made the data connection very fast. And the growth of Android and iPhone helped business to grow because it turns out everyone is using smartphones personally. And more recently they started to use them more for work and we’re using things for data, for shopping and for sensitive business data that attract hackers.
So if you could tackle any technology that exists today to solve a challenge, which would it be?
I think there’s still a lot of misinformation around machine learning and big data systems, I think a lot of people believe that you can just apply machine learning to data and magic happens and problem solved. It’s not true. Machine learning is something that can be a good classifier, can detect anomalies in some cases; it’s not just machine learning, it’s what we call a cyborg. It’s machines doing one thing and humans doing another and find the right handoffs approach so that they can operate together.
Image: James Case, CC BY 2.0