Stuart McClure, a serial entrepreneur and innovator within the infosec world is renowned for his extensive knowledge of AI, decision tree processing, and threat modeling. We spoke with him about his career in infosec, what motivated him to start Cylance, and why AI is so important in security today. Our conversation has been condensed and edited for clarity.
Stuart, you've worked at so many different companies and in different industries. Are there unique lessons that you've learned in the trenches as a practitioner that informed your experiences as a vendor?
Well, I've had a blessed career in the sense that I've been able to wear a lot of hats. I’ve been a senior leader in private and public companies, and I've also started companies, some that finished small and some that finished big. I've also been on the operator's side building security programs for companies like Kaiser Permanente and Ernst & Young. I think all of this experience lends to my belief that it's all about the journey, and it's really not about the finish line. All of us think about getting to a certain place in life or in a career, chasing promotions or assignments or achieving a goal. And all those are great, but they really are steps in the journey of life. To me, the most exciting part is to meet a challenge straight on and never give up until you've achieved your goal. So no matter if you're a practitioner, a builder of companies, an executive running them, or an individual contributor it's all about working every day to achieve something that you genuinely care about.
Your book, Hacking Exposed, is very interesting. What was your experience writing it, and how did you go about doing that?
For me, like most people, I dreamed of writing a book and thought it was the coolest thing ever. Becoming a published expert and bringing a book to market, especially back then when more people read printed books, felt like the pinnacle of success. But the key reason I was interested in writing this book is that I was writing for InfoWorld in their Test Center. It was quite a popular publication for things like technical evaluations, comparisons, and feature write-ups. I’d written probably hundreds, maybe even thousands of articles and op-eds. They're actually archived now on Google—just search for them under InfoWorld and then my name.
During my time I covered a lot of different technologies, and gravitated initially towards things like networking, databases, and cybersecurity. Cybersecurity was where I really found my drive and passion. Hackers seemed like brilliant people to me. How could they figure this stuff out? How did they know how to break into a U.S. Air Force computer system or network? I used to just think, "Gosh, there's got to be an underground education system that teaches folks like this, or these folks are so incredibly smart that their IQs are off the charts.” And when I started to really dive into the full scope of every technique out there, I realized that all of what I believed was wrong. The people that were doing the hacking were not 200 IQ folks. They had simply learned techniques that were either already built into the software, operating system and the network firmware or they just figured it out largely by trial and error. Probably 99% of all the cyberattacks that have ever occurred, quite honestly, are committed by folks who have nothing better to do than to try again and again to bypass security controls.
“I really wanted to provide a comprehensive source, almost like an encyclopedia of how these users pull off their hacks.”
I was really keen on exposing this realization to the world because I got very frustrated reading a lot of newspaper articles like one about a "genius" 13 year old living in his mom's basement who hacked in the Air Force computers. When I peeled the onion and started interviewing folks, they’d tell me "The password for the admin user was the word password." That's not smart! You don't have to be a rocket scientist to figure that out. It was then that I started to categorize, collect, and really detail all the techniques of hacking. After the first year or two, I realized I absolutely needed to expose the fact that anybody can do this. There's no skill prerequisite. Anybody can hack, and the defenders need to know how these hacks occur so that they know how to defend their systems and networks.
Through my articles and op-eds I would feed these ideas to my audience. But I really wanted to provide a comprehensive source, almost like an encyclopedia of how these users pull off their hacks. I just wanted to show the world that it didn't take much at all to hack into these systems and networks. Of course once the book came out, I honestly had no idea it would be so successful. I was just like any first-time author. You think, "Hey, I'm just super excited the thing's in print. I can brag at Thanksgiving dinner next year.” But after the first two weeks, it had sold out of its first print run of 15,000 copies and from there it absolutely exploded. Over the years, I think it's sold almost a million copies, if not more, and translated into 20+ languages. I was just happy that the book was a great resource for people to build their careers and defend their networks by understanding how hackers really worked.
That's really awesome. A lot of people over the last two decades have been craving content that realistically describes this world of hacking because a lot of depictions of hacking are very outlandish.
Very sensationalistic. Yeah. Almost Hollywood-ish, and I think that was probably the key differentiator for the book. When we came up with Hacking Exposed, there were only three other cybersecurity books out there in the market. People often ask me, "Why do you think it was so much more successful than the other three?" I just attribute it to the way we delivered the content. I'm such a kinetic learner. I could sit in a college or university class, and only retain 1/100th of what that professor says if I'm lucky or really attentive that day. If you give me a book to read, I might pick up 5/100ths. But if I kinetically exercise the elements and do it, like in physics class, I'll get 99/100ths. That’s why I loved physics in high school. Anyway, I was truly passionate about bringing that content into our recipe-driven formulaic approach that anybody can follow: One cup of port scanning and two and a half cups of footprinting. It was just easy to read, and that's what made it successful.
It's funny that you brought up your university classes, because we'd like to ask you about your background in philosophy, psychology, and computer science. How have these disciplines shaped your experience?
Well, for pretty much my whole career, I had no idea how they were going to shape my experience. I went into college undeclared and didn't really know what I wanted to do. I naturally gravitated towards psychology because I wanted to figure out what made me tick and why my family was the way it was. Some of that interest migrated into philosophy, which is, of course, explaining the meaning of life. Around my junior year, I started asking myself what I should do for a career. This was in the early 1990s, where we were in a pretty serious recession and I decided against getting a master's or Ph.D.
That's when I realized I enjoyed the computer science classes that I had taken just for fun. I thought this newfangled thing, computers, was interesting and worth my focus. In my final two years of college I took as many computer science classes as I could and ended up getting a minor, or what they called an emphasis, in computer science. Those classes gave me enough coding knowledge that I could program at will. I built a lot of cool tools and products. One of my most fun projects was a challenge from an administrator in the lab where I worked as a teacher’s assistant. He challenged me to break into his computer. I ended up getting in by writing a brute forcer to crack the password file. It was simple because I knew how to approach it. I just took a dictionary and mutated, morphed, and encrypted it until it matched. That was the thing that really got me hooked on computer science and cybersecurity.
“What I believed is that you could predict a big part of the decision making on a computer system—something very few people thought at the time.”
Early on, I knew that there may not be a security career for me yet, but there was certainly an IT and programming career. From there I started my first company right after college. My majors eventually came together in Cylance. My work here is the culmination of those three disciplines into one because now I’ve finally applied decision tree processing, logic, data, computer technology, and preventive predictive capabilities on computers, and it’s being done with AI and machine learning.
In life, very few things are truly predictive. You can predict that the sun is going to come up at a certain time tomorrow, but there's not much more in terms of predictability. What I believed is that you could predict a big part of the decision making on a computer system—something very few people thought at the time. To be able to do that in such a positive way, to prevent bad stuff from happening, has been very edifying and meaningful for me.
Can you go into more detail about what drove you to create Cylance and what challenges you faced in scaling the company?
At that point, I'd spent about 20 years in the cybersecurity field. I felt absolutely defeated because nobody believed you could prevent cyberattacks. It was depressing that the best you could do is detect and respond. It's like saying, "Well, I can't prevent a burglar from coming in the house. If it's going to happen, I just want to have cameras and a phone handy so when it does, I can at least try to catch their image if they’re not wearing hoodies or masks." But I knew in my heart, and with my background in computer science, programming and decision tree logic, there had to be a way around this. I wanted to program a computer to think like a human being and prevent these cyberattacks, because that's what I was doing. I did a lot of live hacking and security demonstrations, showing people how to hack. Almost every time, I was asked the same question at the end: "Hey Stuart, what do you run on your computer that prevents hackers from getting into your system?"
That was easy to answer when I was at Foundstone, one of my earliest startups, because we didn't really have a technology that prevented anything. When Foundstone got acquired by McAfee, that question came up again at my hacking demonstration at the Rochester Institute of Technology. This time, the head of worldwide sales of McAfee in the front row waiting for my answer. I knew in that moment that if I had the same response as every other time, I would be the shortest lived executive at McAfee. I also realized, I couldn't lie to a room full of students either. They were there to learn. So I told them, "Look, I don't have to show you. I'll tell you, I don't run anything. Except maybe a firewall. But I know what to open and what to avoid because I know the indicators and telltale elements of a cyberattack. But most people don't, and those people need a way to prevent hackers from breaking into their systems.”
As I kept sharing that idea and explaining it the same way each time, I kept asking myself why couldn't we train a computer to think like my brain, and recognize the characteristics of what they're about to open? That was the true beginning of Cylance and applying a programmatic way to make that decision-making in real time.
Can you talk more about your work on adversarial AI at Cylance and how breaking your own AI helped you build better types of responses?
Definitely. So adversarial AI, sometimes called offensive AI, is the practice of taking the math model you built based on all the learned and trained data and using another model to break that original model. Early on at Cylance we knew we had to build a team to do this. That team was three or four folks that spent pretty much all their time trying to break the original AI model with the new model. It would learn what sort of branch of technique would be successful. Then it would exploit that technique in all of its combinations to find the most exhaustive ways around the original model. We used those learnings to retrain the original model.
It became this incredible AI trains AI modeling process. It was very powerful and impactful for us because we could rapidly release new models that were far greater in a very short period of time. It took about two years to get the very first production model working at 80% effectiveness and with about 10% false positive rate. But within six months, we were up at the 98th percentile of detection and the 0.01% of false positive. We knew that an iterative model could be incredibly powerful to get the accuracy we needed to productionalize the model.
Were you building generative adversarial networks (GAN)?
Well, it's related to the GAN concept but that came out a couple of years after we started building our models. We almost did it in a "semi-automated process" where we had our original model, but then we built a whole new learning sub-system that would test the model with each variant or variable that could be changed. The new model learned and continually reiterated.
What are other unknown and misunderstood threats in cloud security that experts should be preparing for, and what advice would you have for teams trying to stay a step ahead of these threats?
With everybody working from home everywhere around the world, the natural focus is on the cloud-based tools that orgs and people are using. I also think data is a big issue because data can be so transitive and fluid. It's very hard to even know where your data starts and ends. Those elements, to me, are the meta problems of cybersecurity. We’ve figured out how to troubleshoot the “plumbing” of information security. Questions like: "Is the network router insecure and is there a default password or an easy password to guess?" have all been answered because we've been dealing with them over the past 20 years.
But I think that the questions are now on how tech and data will interact in the cloud. Following where the data now lives. Insider threats and things of this nature are going to be very important. Even embedded security will be a big issue down the road. Talk about edge compute and things like that, I think are all interesting elements of cybersecurity going forward for sure, but at the end of the day it really is about the data because that's what the user and corporations own.
Speaking of cloud and these new types of risk, is this what made you find Nightfall compelling? What aspects of Nightfall do you think are driving your decision to get involved?
It's really all of these things. The cloud is becoming the de facto new plumbing. Regardless of what older companies are saying, they are moving to the cloud, however reluctantly. They might not admit it, but I see it all the time. When you move to the cloud, naturally, your users move to the cloud as well. And when your users move to the cloud, so does your data. The DLP solutions that have been out for the past 20 years have been grossly negligent. I'll go on the record to say I've been associated with a few of them. So I have to take some of the blame.
The problem is that they have largely missed the ability to understand and label data in any semi-intelligent way. The best you could do is based on a rule set of "if then, else." That's it. The application of AI into this space makes perfect sense. I'd love to see AI be successful in the cloud because that's where everything is.
What lessons or advice do you have for up-and-coming infosec leaders, based on your career and experiences?
Infosec leaders have to do all the blocking and tackling work. You have to know where your vulnerabilities are, where the threats are, and where your exposure is, all while constantly maintaining that knowledge. You really can't do that at the expense of prevention. I think most infosec professionals, even to this day, believe that you cannot prevent cyberattacks. But once you can realize that AI is the true enabler of prevention, you can embrace that technology, implement it, and see its power.
But even if you do all that, build a strong prevention platform inside the organization and utilize a traditional detect and respond platform, you face the problem of third party risk as well. You can control and monitor as much as you want but you probably have hundreds if not thousands suppliers and each of those entities get access into your data and your networks. Who's to say hackers aren't already in those vendors that can then ride in through the coattails of their access into your networks and expose you? So I think third party risk is going to be a big issue. It really just goes back to this data problem. We need to know where the data is going, what's happening to it, who has access, and who's controlling it.
One final question. Is there anything that you're currently reading that you would recommend to others, either an infosec or just a good book in general?
There's a few books I'm in the middle of. I'm famous for reading multiple books at the same time and taking forever to get through them. I would recommend Who by Geoff Smart. He’s one of the first people I've seen build a quantitative approach to hiring talent. Honestly, the biggest problem that every single CEO in the world faces is people. Every goal they want to achieve and every accomplishment they want to obtain is dependent on the people they hire and work with. Hiring is an art form, and hiring is probably one of the biggest areas where companies go wrong. Not just big companies, which is pretty obvious, but smaller companies too. You'd think it'd be easy to find 10 rock stars for a 10 person company, right? But you'd be surprised. This book enables entrepreneurs and good leaders to know that there is a quantitative way to prevent churn in their staff. This book can be a really powerful, additive contribution for any entrepreneur or organization.