






















The strength of the cybersecurity community lies in how openly we all share what we learn. Threats constantly evolve. The best way to stay ahead is through the collective intelligence of experts who’ve seen it all and are generous enough to pass their knowledge on.
Few share intel like Mark Kennedy, a Distinguished Engineer at Broadcom and, as he jovially calls himself, “the old man” of Security Threat Analysis and Response (STAR)—Broadcom’s cybersecurity SWAT team whose insights have helped give rise to countless groundbreaking protections. Mark is the longest-tenured employee at Symantec, his 35-year career spanning nearly the entire history of modern cybersecurity. In that time he’s mentored up-and-coming analysts, dismantled emerging threats, and helped shape the very industry he’s served.
I sat down with Mark to talk about the sparks of innovation that led to the development of
Adaptive Protection, a unique defense against living-off-the-land (LOTL) and other attacks, and his reflections on his early career, meaningful innovations, and the tests that prove it.
When I was in high school, my cohorts sort of assumed that I knew computers, just because I was kind of mathematical, but I didn’t. But then, as I hit my senior year, I thought it would be irresponsible for me to go to college not knowing what I was going to do. That bothered me.
“And I thought, ‘You know, this computer thing? This might turn into something.’ This was 1977.”
The weird thing about computers at that time was that the colleges were actually lagging. The professors had just come through the early days of computing (50s and 60s) and didn’t quite reflect the reality of the world. All the advancements were out there happening in the real world.
While I was in college, I had jobs programming, so I knew what was happening with cutting-edge stuff and techniques in the real world. In some of those early courses, the languages they were teaching weren’t really in operation anymore. It’s always funny when later in my career I’d use something I learned in college. It was very rare.
My first job coming out of college was working for Mattel Electronics writing video games for the Intellivision console. I thought, “I’m going to be working at such a highly sought-after position. I’m going to be working with the best of the best.” It was a lot of fun until the video game industry as we knew it crashed in 1984…which is when I knew I had to get a real job.
I then moved through a number of startups. In my first nine years I worked for five and a half companies before I joined Symantec. It’s sort of been the norm for engineering—people move around, get some expertise, market it, and move on to the next one.
“It’s meaningful work, you know? We’re fighting bad guys, we’re doing good. We have a great team of engineers, and it’s always been fun—and continues to be.”
I told my kids when they were growing up that there’s what you’re good at, what you enjoy, and what you get paid for. I’ve been fortunate that I have all three. And that’s why I’m still doing it. It’s like a perpetual hobby that I’m getting paid for.
In the early 2000s, cybersecurity was dealing with the transition from files being infected to machines being infected. We came up with a fundamental change in the way that security should be handled. We’re only now beginning to realize the system we envisioned 20 years ago—we were pretty ahead of our time. It’s one of those interesting what-ifs that make you appreciate the innovation that started it all.
Much as it chagrins me, Adaptive Protection sort of came out of the open seating arrangement that Symantec had adopted—which I was very opposed to.
I was sitting at my desk, and some people were talking. Something clicked in my head about what they said. I was like, “Wait a minute. What if we could learn what behaviors were used in an organization and make the policy adapt to those normal behaviors, and block abnormal behaviors that could be signs of malicious activity?”
That’s when I realized we needed to break the one-size-fits-all paradigm of traditional security. Since we couldn’t block these actions for everyone, we needed to mold protection to reflect how each organization actually behaved. The idea is if a behavior is unused in the organization, or has specific patterns, our default is that we don’t allow that behavior, or we limit that behavior using exceptions. It all just came together.
A computer system is like a toolbox. It's got all these tools that do good things, but they can also be used for bad things (such as with LOTL attacks). Our goal was to kick things out of the toolbox that you didn't need. Like, if your house only has screws, then you don’t need a hammer. There’s nothing wrong with a hammer, but a hammer can break a window.
If you don’t need it, let’s take it off the table.
“Those 4 seconds could be the difference between a protected machine and total destruction.”
In that time, how much critical data could be exfiltrated? How many files could be destroyed? And could the threat escape to another machine before it can be stopped. Adaptive Protection breaks traditional security testing because it’s designed to adjust to an organization’s unique configurations.
Testing has to reflect real-world environments. If you just run a file against one configuration, you’re missing the point. Malware behaves differently across setups, and Adaptive Protection is built for that reality.
Testing isn’t just about internal validation. It has industry-wide implications, which is why testing standards are so important. Being able to influence stuff like testing standards is… something I feel I made a real contribution to not only the company, but also to the industry.
If I could fast-forward to the end of where we would be, we would not be needing to write proactive signatures. We would have a system that takes all of these disparate events from everything, with an engine that quickly starts contributing to it. We want to make it as difficult as possible for attackers to circumvent. This is what drives innovation.
In cybersecurity, no one has all the answers. Progress happens when we pool our knowledge, challenge our assumptions, and look out for one another. With Broadcom’s R&D engine (the company spent over $11,000 a minute on R&D in fiscal 2025), Symantec and Carbon Black strive to ask the important questions and share what we’ve learned—across teams, companies, and the community at large.
After decades in the trenches, experts like Mark remind us that protection must evolve as quickly as the threats do. Breakthroughs like Adaptive Protection embody years of insight, collaboration, and innovation across Symantec’s legendary team.
Read the Putting Adaptive Protection to the Test whitepaper to see how Adaptive Protection stops LOTL attacks and other threats without disrupting day-to-day operations for end-users.


Dan Mellinger
Head of Communications, Enterprise Security Group
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。