Interview extracts from the first volume of an oral history of cybersecurity practitioners.
Government cybersecurity efforts are a study in contrast. It was the government that essentially invented most cybersecurity principles and practices, but it is also the source of epic failures. Brian Concannon helped to investigate cybersecurity failures both for the government and in the private sector. Having worked the same types of problems from both sides of the fence gives him both perspective and a very clear sense of what it takes to make a difference.
Brian Concannon: Being an entrepreneur, every week is a little different. This week has been all coding. I’m actually making a pivot, which is another common thing in the life of an entrepreneur. Doing some exploration on a product idea; trying to put it out there in front of people as soon as possible to get some market validation. The next few weeks are probably going to be more sitting down with potential customers and getting feedback, trying to sort of validate the concept of the product prior to spending the time and effort to build the whole thing. So, yeah, coding and talking to people.
What was it that drove you to make the decision to go with this product?
I would say it was a heart and gut check. The product I was building was almost too big for what my vision was for the company right now. The requirement to sell it and support it at the enterprises that would really make the most use of it was really more fitting for a funded start-up. Part of my vision is to bootstrap as long as possible. I realize I actually need a tool that I can sell that’s a little more right-sized for how I want to operate now.
The original product is more of a detection/hunting platform that’s going to be a big piece along with the data analytics that I do for this new tool, but the new tool is going to be a lot easier for a small team to support and maintain for a long period of time. It’s going to be basically a search engine where you can search and get analytics about what’s happening on endpoint data in the wild. Endpoint data like, say, Windows hosts. So, it’s really using the whole data pipeline that I’ve built, but instead of doing detection for customers, I’m actually aggregating data, doing analytics and acquiring insights that they then can use inside their already existing detection programs, and I’m more excited, because this is something I’ve wanted to build for a long time.
You’re working in the threat-hunting space; can you define what threat hunting is for me?
I think, for me, it is all about taking a proactive approach, using all the analytics and data at your disposal to proactively go out and find adversaries in your network. You know there’s so many detection tools and passive monitoring tools and all this stuff that plays a part in defense. It all works pretty well, but if you just sit and wait for those things to throw an alert, you’re definitely missing a lot. You know, especially when you’re talking about state-sponsored attackers, who could be hanging out in your network for months. This is something I watched a lot of when I was in the Bureau and at CrowdStrike.
At CrowdStrike we had a Security Operations Center, and we just kind of decided to take a different approach than was standard at the time. A lot of that was driven by my colleague, Kris Merritt, based on his experience running SOCs. We found that by taking a more proactive approach, we could find so many advanced attackers that other methods just let by or couldn’t find. So, I don’t think we necessarily defined the term hunting; I think everyone else took a similar approach at the same time, but we eventually said, “Hey, what we’re doing is kind of like hunting.” That’s how we got into it with the team at CrowdStrike. It’s called Overwatch now, but the team I led enabled them, with the tools we built, to allow those analysts to go hunting in different ways.
When most people in cybersecurity think about the FBI, they’re thinking about the “going dark” argument and back-dooring encryption, which in the security space is a very big no-no, but the Bureau is doing a lot of good things in the security space unrelated to that discussion. What are some things that people in security might not know about where they would find themselves in agreement with what the Bureau is doing?
The bureau is spending a lot of time investigating, tracking down these advanced attackers, and collecting intelligence. You know, I think it’s hard because any time you’re talking about the government, you’re going to have issues of classification, but I think the bureau could make an effort to share more of what they’re doing, as much as they can, with other people outside the Bureau. The Bureau is one of the few organizations that has real power to do something about this activity.
Yet, I also felt that at the Bureau it was a little painful because we can track an adversary group, collect all sorts of evidence, have really good intelligence (some of which we could share, and we did share), but we couldn’t always go arrest these people because of the countries they were in. So even with our capability and authority, there were some limitations to what we could do to counter the threat.
That’s one of the big reasons, especially as I got more into tool development, that I left the Bureau. In the private sector you can collect the same information as we did, the same intelligence, but you can also build products, and you can share all of that to actually help protect people. I could take the skills and the tools, and I could build something and actually go tell companies not to worry about classification issues and so on.
There is an argument that the standard law enforcement model or approach to crime fighting online isn’t that effective because it doesn’t scale the same way bad activity does. For every Silk Road that it gets taken down, there’s a dozen imitators out there that continue to operate unimpeded. You kind of spoke to this with the issue of jurisdiction. The things that you can do require a lot of coordination, and it takes time before something can happen. Does law enforcement have to change to be effective in the information age, and what does that look like?
So, I started off my career in the Bureau on a counterterrorism squad. If you look at their history, the FBI is more about gangs and drugs and white-collar crime and that kind of stuff. And they obviously got pretty good at counterterrorism after 9/11, when they realized they had to get good at it. But then cybersecurity comes along, and it’s something new they’re not good at. When I joined, they were looking for engineers because they knew they would need them, which was smart. But they were behind, and they’ll always lag behind to some extent. Some of it is just that there is so much red tape that they have to navigate. They can’t move quickly and leverage technology as quickly as the private sector can.
But I think they do need to continue to evolve and work more closely with the private sector like I talked about before, kind of a team effort. I think they need to make better use of the private sector in terms of not only the technology and tools that have been developed, which are arguably better than what they can develop on their own, but also in information sharing too. The classified aspects of the work make it really difficult to share information and to leverage tools in the private sector. So, I think that’s where they’re going to continue to evolve. You don’t want to have to grow the FBI so big that they can handle all of this. That would be ridiculous, so they need to do what they’re good at, but better leverage the private sector.
To read the full interview, and learn more about the working lives of a range of security practitioners, order Working in Cybersecurity at Amazon.com.