Interview: Gavin Lowth, VP, Norton talks about car hacks, free AV and more

Read on to find out Norton's take on new threats on the horizon.

By Siddharth Parwatay Published Date
08 - Oct - 2015
| Last Updated
17 - Nov - 2015
Interview: Gavin Lowth, VP, Norton talks about car hacks, free AV...

Digit: So Gavin tell us what’s new at Symantec?
Gavin: So with Mike Brown being in the CEO position, he has made some big calls around the future course of Symantec as an organisation. One his first decisions when he came in as CEO was he split the Norton business into its own business unit. That’s been massively  different for us in terms of employees working in the Norton Business Unit, our partners, and our customers as well. We’re trying to become very clear in terms of how we communicate to them for our protection technologies. 

Digit: Speaking of effective communication you have any big name brand ambassadors in india and is it an effective way to communicate with prospective customers?
Gavin: In Australia we had a big sponsorship around V8 and Nissan. We kind of did that for a while, it worked for us at time when we needed it and then it ran its course and we stopped doing it about a year ago. But it’s something that we are looking at and it's going to be within the security landscape. You know Norton is a huge brand already, we don’t need ambassadors to build the brand, it more of whether the ambassador have core security, family type protection values that we share.

Digit: Kaspersky had Sachin Tendulkar as their brand ambassador for a long time. They had some association with Ferrari as well. If we remember correctly, they provided internal IT security for their manufacturing systems. No plans of going that way?
Gavin: Look I think as a new entrant to the market, you got nothing to lose. You got no brand presence, you got no history in the market. Norton has had association with Indian customers for over 25 years and we still maintain that our core value is around best protection. Customers feel super confident when they see the Norton logo or the tick and that's something you know we won't compromise on. You will get best protection from us all the time as we don't want to compromise on the protection technology. 

Digit: We used to also do large scale antivirus tests a long time ago. We’d use virus database samples from VirusSign. We also had a Linux guy who’d do real time penetration using Kali. But what we quickly noticed was that all the participants in the group test – the antivirus companies – were unhappy with our test process. These possibility of a particular antivirus database being biased towards one particular AV engine always existed. Besides there was little we could do to rate against zero day viruses. Now we only sort of do a comparison based on features that are offered.
Gavin: Look, we still use file based signatures but it's just a tiny part of our protection technologies. That’s where we’ve come from because that's how we used to do it, that's how the industry started, but you know we have award winning intrusion prevention system technologies. If we look at the AV security industry today, as I said signature base is a very small part. RPS gets to a next level. But this, what we call reputation based is huge for us. Because of the scale, because Norton is so big, we see things quicker. So you talk about your zero day attacks, with a reputation and heuristics based technology that we have, we are the first to see threats.

With the amount of data that we have, we see in seconds what our competitors see in a week. We very rapidly are updating the security technologies. The latest product we have shifted a lot of protection technologies into the cloud, so we can get it down to the consumer devices, whether it be android or PCs, very very quickly. The amount of work they have put in, over the last 18 months (whilst we have been quiet externally) they’ve spending a lot of time, and a lot of effort in upgrading the protection technology. Anybody I’ve said “Hey, take it home, install it on your PC, your android or iOS device,” the feedback is super positive. 


Digit: You guys started with multi device licences too a while ago right?
Gavin: Yes we have. 

Digit: We're guessing that strategy would have worked out pretty well in this market?
Gavin: Very very well. The awareness around PC security, is very high. Three or four years ago, as mobiles started to proliferate, the awareness is still very low on mobiles. And what's starting to happen now, as people start to realize the amount of data, and the value of information on a `3000 or a `10,000  phone, is becoming more and more relevant. So people are understanding how to protect the phone itself by installing top products. These industry springing up all over the place around securing the mobile device. But the multi device, as i said we were the first to use it, and it's worked out very well, people who used to typically have a PC, would start to use the same licence, or the same access of same licence into their androids and other platforms. So it’s worked well for us and we are starting to see a big uptake as the awareness increases. 

Digit: You spoke about positioning Norton not just as an antivirus company, what does that mean exactly?
Gravin: If you look at any antivirus technology, even the technologies around the Norton security product today as I see it, the antivirus piece is less than 20% of the technology pie. You got a two way firewall, you got intrusion prevention systems, you got this reputation based scanning which is very quick, that can see the behavior of certain files. This can actually warn you very quickly and say, “Hey! This kind of looks like a threat. It kind of smells like a bad threat, it’s behaving like a bad threat. It's much probably a bad threat.” Even without the signature to match. It takes years and years and scale to built that sort of reputation, that sort of database. 

Digit: So as far as the PC version is concerned, the kind of the feedback that we get from our readers, is that they want an antivirus that just runs in the background, doesn't bother them too much, and is very light, shouldn’t be very resource hungry. Are there any steps towards achieving that which you guys are taking?
Gavin: Buy Norton Security! (laughs) Without a doubt! 
I mean, I can honestly say – despite the PR people’s misgivings – that in 2004-2005, our product was sub optimal. We had some issues in 2006, with the heaviness of our product. We did a lot of work in 2007, and beyond in terms of getting out technology quick, getting it smaller, and getting it quicker to update, and these are the technologies we’ve revamped. Anytime I give somebody a copy of the latest version of the product, the installation time, the memory it hogs, how quiet it is on the PC, exceeds expectations. Have a look yourself. 

Digit: We have used the NIS quite bit. So another a very recent thing that everyone in the media has been talking about – and it is related to the security on the IoT front – is the recent news of two hackers successfully managing to remotely hack a Jeep Cherokee.  
Gavin: Did you see it?
Digit: We Did! 
Gavin: Amazing don’t you think? But the whole thing was scary. 

Digit: From your perspective, what are your thoughts on that? Does Norton have a play in the IoT space?
Gavin: What's happening, as you just said, is more and more devices are connecting to the internet. It used to be a PC, it’s been your phone for the past couple of years but now you look at advanced households where IoT is more prevalent in certain markets, you would see the fridge is connected, the TV is connected, the kettle is connected, the alarm system’s connected, your front door key is connected, your thermostat is connected. All sometimes it's using protocols that are not found in PCs and mobiles today. It’s new types of protocols that have these kind of connectivity. 

Digit: Yes many of them are embedded systems, so they are non x86.
Gavin: Exactly! Protecting these devices and protecting these communication channels is a huge issue. There are of course dumb devices that are not gonna have any effect whether they get hacked or not like a bulb. But then you have other pieces… like your alarm system, your car – that’s a big issue. How organizations or individuals protect all of those devices is becoming super important. So there is some work that we have been doing over the last eight to 12 months, I think that the market is right for solutions to come in.

You look at the enterprise – it’s pretty secure: there is policy, there is process, you have IT systems in place, you have CIOs and the ability to respond is good. The consumers with a personal devices, that is becoming, I think there awareness is low today. If you look it like say home, the amount of devices that can potentially be internet connected, is massive. I think that’s the next space where there is a huge market opportunity. 

Digit: On your R&D side, do you work with government agencies, to protect say critical infrastructure, like say dam pressure valves or the electricity grids... those kind of things? 
Gavin: To answer your question directly, yes, we have solutions that cover across all of enterprise whether it be government, whether it be large enterprise, banking or finance. The Norton side of the business is very much focused on consumers and the low end of small and medium enterprise. My type of business is around that. There is a lot of technologies that we have today and with the split, we will start to become lot more focus in the development of roadmap around those technologies that we have today. It's not just hackers as much, there is state sponsored, there is underground criminal groups – this is how they make their money. 

Digit: Funny that you mentioned state sponsored, because we had a question about state sponsored cyber terrorism. What are your thoughts on that? 
Gavin: It’s is a concern, across whole of governments, you know all of the security in general.  The ISTR – The Symantec Internet Security Threat Report that comes out has some information on that. I don’t have it off hand but I can point you in the right direction. 

Digit: From the consumers point of view, what according to you is biggest threat to information security right now?
Gavin: You know from a consumer perspective the way that the people that go about their daily lives today there is an intrinsic understanding that “I’m safe”. What's happening now is that there is increased awareness around, as I said, the value of information that is swinging around in your purse or back pocket. That’s becoming a concern. So anyones looking around thinking “so is my personal information safe, credit card information safe”. So one of the first things I’d say in answering your question is educate yourself. Whether it's technology, whether is a process, or whether it's communication – having a conversation with your family, your kids, your mother and father – it's important to start understanding the threats that are out there.

Digit: For a long time, people use to think that Macintosh systems are unhackable, but in reality it was just that the hackers had not turned their attention to that platform yet. There just weren’t enough people on it and in turn just not enough money.
Gavin: Correct. And it funny right but it’s really not the OS, now it could be the ecosystem around it that you could have your personal information, credit card details, social security number.

Digit: Is security mostly a reactionary market? What are some of the proactive techniques that security companies are engaged in? 
Gavin: We spent a lot of time in the last 12 to 18 months researching our protection technologies and really improving them. We want to be as the best security. We don't wanna compromise there. That's an important part of at least keeping yourself in terms of making yourself aware around the information that you have, where your information resides etc. So I dont think its reactionary, I think you can lower the risk. There’s always a risk being on the internet but I think people who use good security protection technologies, feel confident and go about their online lives in a much more confident manner. 

Digit: One of the talking points you had was research from the quantified self, what was that about?
Gavin: In that respect we go back to connected devices. Any of those fitness devices that you wear on your person are IoT devices. I think it'll become more important as it becomes more common in people's lives.

Digit: But aren’t those wearables just gathering harmless data. How does it matter if a sensor monitoring your heart rate gets compromised? 
Gavin: If it's your credit card details, your social security number, your date of birth, that's information you don't want anyone to know, but if information like you run 5 miles a day or, maybe your fitness levels, perhaps it's important to someone, maybe a health insurance company. 

Digit: So we are at the end of my questions, is there anything from your end you would want to tell our readers?
Gavin: Yes, you know we have done some great work researching our protection technologies.  We feel have a great product, a great service offering – something that we would be coming out with later on in the year. It's been a lot of change over some time in Symantec, but we feel that decision you see that Mike Brown’s made we’re in super super good shape to execute our plans. 

Digit: When we speak to our readers they of course recall Norton. McAfee to for some reason.  But the free ones are very popular here – AVG and Avast mainly.
Gavin: In my opinion, if you are not going to use anything, then use something. But typically what happened over the course of the last three or four years, is that a lot of new players entered this market, thinking that this is an easy market. But what you realize very quickly, is that if you don't have the scale, or you don't have the support system, when people are in trouble, they need to go to phone somebody, you can't do that with the free stuff. There is no way for these players to put in place those systems, there’s no revenue to do that.

Eventually, they do end up selling you something. At this point consumers think that particular brand is free why should I pay for it? When you want support from them, you can't get it. So that’s become very prevalent. They enter business thinking they’ll make a lot of money. But that didn’t happen. Only one of them made any money. And even that player is being bought out by Private Equity. I’d just say once again if you are not going to use anything, use something. But if you want best protection, use a paid option.


Siddharth ParwataySiddharth Parwatay

Siddharth a.k.a. staticsid is a bigger geek than he'd like to admit. Sometimes even to himself.