Interview with Eddy Willems of G DATA CyberDefense: “We would be much worse off if we hadn’t set up AMTSO”

In the first interview of our new interview series, we spoke with Maik Morgenstern at AV-Test about how AV-Test makes sure their tests are transparent, the challenges he sees in testing, and the importance of AMTSO for fair testing. AMTSO consists of tester and vendor members, and to assure balanced contributions from both sides, today we will interview a representative of the vendor side, Eddy Willems of G DATA, also a founding member of our organization.

Eddy Willems

Eddy Willems is Security Evangelist at German computer security company G DATA, and a true veteran of the cybersecurity industry. Eddy encountered what can be considered an early version of ransomware in 1989, and figuring out how to resolve the issue of a locked down system triggered his interest in anti-malware. He is a founding father of the European Institute for Computer Anti-Virus Research (EICAR), and has been an AMTSO member for many years, joining its board in May 2012. We’re excited to interview him today for our blog.

Eddy, thanks for taking your time for this interview. First, we would like to hear why tests of your products are important to you, and what’s your expectation of a good test?

Product tests are important for two reasons: marketing, and product improvements. Tests serve as a marketing tool for our company, by providing us with a relatively independent way to prove our claims, and giving customers an indication of how good a product fits into their needs. Also, via tests only the important differences between products are indicated, helping the users with their product choice.

Tests also allow us to improve our products, by making sure that the product is working properly. Tests also help us to identify how good we are at blocking ITW threats and to find gaps that we yet need to cover. Moreover, a test can point out weak areas of a product and give hints to improve it.

A good test should comply to the AMTSO Testing Protocol Standards and AMTSO’s Fundamental Principles of Testing. It should deliver relevant results for the research issue (which itself should be clearly stated). The methods should be clearly described, so results are reproduceable, and measurements should be set in relation to human perception and experience. There is no point in overinterpreting differences that are merely measurable, but are not relevant in the everyday experience of a product. Also, feedback opportunities for us as a vendor are a plus. Ideally, a test’s results indicate how products can be improved and contribute to making the world a better place. A good result for us is full detection and removal of all threats along with good performance and usability scores.

It’s great to hear that the AMTSO Standard is so important to you when it comes to testing of your products. Overall, what do you think of AMTSO, and why are you and your company an AMTSO member?

It assembles a huge community comprising the most relevant AV companies and the world-leading Testing Institutes for Anti-Malware products. It has a proven history of productive cooperation (despite the friction that came with it). We always believed that testing could be improved – especially the absolutely unrealistic tests that were around by the time AMTSO was founded. We still believe that AMTSO can play a positive and effective regulative role in the improvement of worldwide testing of security products and services. As an early AMTSO member we helped setting up the organization since the beginning and I tried to contribute to this progress as a board member for over eight years.

We enjoy contributing to AMTSO’s projects – Real Time Threat List (RTTL)  and the Unwanted Software Criteria (USC) program.

In fact, GData is the member that contributes the most to the operational planning of RTTL, which is a program that feeds testers with threat intelligence, including high-quality, prevalent, and real-world samples. The goal of the USC program is to discuss different criteria vendors are using to determine what unwanted software, or potentially unwanted programs (PUPs) are, and to find some common ground, which isn’t always clear as PUPs are in the grey zone and not malicious per se. What is your motivation in contributing to both projects?

The RTTL provides us with yet another good sample source, the participation in USC allows us to shape the future industry’s response to the fast-growing and steadily evolving PUP problem.

How do you see the evolution of testing since AMTSO has been created?

We would be much worse off if we hadn’t set up AMTSO. Testing has evolved in a positive, much more realistic and independent way since AMTSO was involved in the scene. There was a huge task to be solved and AMTSO did a good job. Fair testing rules have been created. Testers became more open and fair, they even got a parity with non-testers in the board. The pre- and post-test information exchange works better. So, over the course of time most of the fundamental challenges were solved and became more specialized. But there is still enough to work out.

What types of problems does your company (and software) try to mitigate?

Our business has changed substantially over the last decade. Back then, the goal of an AV product was to identify malicious files and their activities. That used to be considered a technical problem, which can be solved with software (as a technical means). Today, we try to protect companies against attacks of cyber criminals, that threaten their business. A new field is detecting, containing and mitigating attacks. But it is also about preventing users from making cardinal errors (e.g. awareness training for several user groups or avoiding unsecure configuration of software and services). In order to solve this task all aspects of organisations and their members need to be considered. This is no longer a technical issue; it is about humans and changing their behavior and attitudes. While we are working in these directions, we sometimes encounter the misconception that our company only deals with anti-virus software.

And what types of problems are keeping you and your company busy at the moment?

We are constantly evaluating new types of security related problems ranging from the typical malware to Mobile, IoT, Automotive and Industrial related security threats. Moreover, we are working out Detection (check systems for indicators of compromise and indicators of attack) and Response (how to automatically contain and remove the consequences of attacks) and a big amount of Awareness and Education training.

There is one particular type of threat that is keeping us busy – PUP software aiming to make money from fooled customers by showing them fake “problems” or promising to “fix” hardware and performance problems. Some of those PUP providers are hiring law firms and advocates to deal with AV vendors who detect them. They also try to fool certification authorities by giving them specially-crafted software for certification. In addition, they pollute search engines so that people, who search for the info to solve problems with their computers, are redirected to the webpages that advertise junk software that fixes nothing.

What is most concerning in the industry to you at the moment?

The constantly decreasing diversity of the market, accelerated through acquisitions of competing EU AV companies by US corporations. The decreasing number of independent AV companies will lead to a less robust industry. Moreover, we still see marketing in the cybersecurity industry as a problem. Marketing professionals still have no clue what our solutions are about and keep getting things wrong. But that’s probably a consequence of the generally insufficient knowledge about (cyber) security. We also still see too much lethargy about setting up protection. Too many people in responsible positions underestimate the threats they are exposed to, and there is too little exchange about the attacks and possible mitigations. Usually, the first thing that happens when a company is hit by ransomware (or other malware), is that communication is suspended. This only helps the attackers to continue their business. Another concern is that the security industry works together in some ways by sharing samples and research but this isn’t enough, it could be improved in a better way.

Which improvements do you have in mind to improve collaboration in the cybersecurity industry?

Why not create a unified centralized organization who could organize better exchange about attacks, malware and possible mitigations ASAP when they become available. I think we all are too careful to protect our own research. We are waiting too long to share it in many occasions. That approach could have stopped much more cyber problems.

As a final question, is there anything you’d like to plug or announce for you or your company?

SMEs are easy bait at the moment. They are particularly exposed to current threats and have ineffective defense in place.

Our Security Awareness Trainings and Phishing Simulation tests became a very important part in the layered construction of security solutions protecting companies and organizations, especially within SMEs this part (the security trained human) is often forgotten.

Thank you very much for taking your time for this interview.