Dr. Chuvakin: But you will have some kind of balancing act. You cannot just be about, "I know how to hack Kubernetes," but you also can't be, "I've studied FAIR and the risk assessment methodologies." To me, you will have to live in both worlds. You live in a tech world, and you live in a risk world.
Caroline: From Cobalt at home, this is "Humans of InfoSec," a show about real people, their work, and its impact on the information security industry. My guest today is Dr. Anton Chuvakin. He is a member of the office of the CISO at Google Cloud as a recognized security expert in the field of SIEM, log management, and PCI DSS Compliance. He has held some very impressive positions, including Director of PCI Compliance Solutions at Qualys and Research Vice President and Distinguished Analyst at Gartner. At Gartner, Anton covered a broad range of security operations and detection and response topics and is credited with inventing the term EDR. In addition, Anton taught classes, including his own SANS SEC434 class on log management, has presented at many security conferences around the world, has authored several books, and is, overall, just an awesome human being that I truly admire. Anton, thank you so much for joining me today.
Dr. Chuvakin: Perfect. Thank you for inviting me. This is fun.
Caroline: Yes. Anton, to say that your resume is impressive would be a severe understatement. But before we get into that specifically, I wanna know, how did it all start? What is it that got you into the world of technology and security?
Dr. Chuvakin: So, you know what, the funny thing is before this podcast, I was actually looking for how I answered this question in the past because I assumed somebody asked me that question in the past, and I know what I would say, but it's interesting that there's no canonical story about how it all started. But I was a physics grad student at the time and I was, you know, quietly studying physics. And in parallel, I kind of started getting interested in, well, Linux, and, you know, IT, computers. But just as I was getting interested in that, because my physics involved a lot of computation, some of the computers got hacked by somebody. And sort of almost my first exposure to information security back in the 1990s was around investigating a compromised machine.
So it's interesting how this whole IR forensics angle was my starting point. It wasn't anything else. And then it was... I started to become even more interested in the computers and less in physics, and over time, I realized I don't even wanna be a physicist, I wanna graduate and then, perhaps, try my luck in the...well, it wasn't the cyber security, in the information security realm, and the rest is history.
Caroline: Incredible. You heard it here, folks, the canonical story of Anton Chuvakin. Anton, I have a follow-up question for you, why do you prefer computer science to physics?
Dr. Chuvakin: Ooh. Well, I'm gonna hide behind a quote. While some of you may think that quantum physics is really like a brainy area of human endeavor, I'm gonna misquote slightly where he said that information security or cybersecurity, I don't recall how he said it, was probably the most intellectually challenging profession on the planet. And I feel like physics was too easy for me. Okay, I'm joking. It wasn't too easy. It just, the whole, you know, blue team, red team, or the good guy, bad guy, investigating, figuring out the traces, it just became more exciting to me than physics. It's not the intellectual challenge, it was just that excitement of dealing with a threat, you know, investigating, countering, mitigating, like, somehow, that excited me a lot more than, well, using computers for what computers are used for.
Caroline: That is so cool. I agree that in cybersecurity, we have some very, very challenging problems to solve at the end of the day... And perhaps this is my oversimplification of the way that I see physics, but at the end of the day, cybersecurity is certainly not just about math. Actually, the involvement of all these pesky humans creates some very interesting challenges. Thank you so much for sharing that with us. Anton, if someone had told you in the first couple years of your career that you would be the Research Vice President and Distinguished Analyst at Gartner, how would you have reacted?
Dr. Chuvakin: Well, here's the thing. A good number of years before I joined Gartner as an analyst, somebody told me that I'm kind of already an analyst, I just don't know it yet. So, perhaps, at the very beginning, I would be surprised, but throughout the later years, I almost felt like I'm doing the analyst job without being at the analyst's firm. I did a fair bit of competitive analysis. I was always involved with use cases, with how people use technologies, you know, how people procure technologies, how do they decide build or buy, how to tell good technology from bad. So in that sense, I don't recall who that was who told me that, "Anton, you should really go apply at an analyst firm because you're kind of already doing all that stuff."
And when I joined Gartner in 2011, I kind of realized that that person was right, and I was kind of a natural analyst. And yes, you can probably say, "Was it your physics education that prepared you for this?" And I have no idea. I think that physics education did prepare me to apply an analytical approach to things, whether it's the pesky humans or computers. So maybe that did the trick, but ultimately, I would've been surprised at the very beginning, but probably not later on.
Caroline: Very cool. I think that I've only known you since you've already had that type of role, and what I know about you is, of course, a very good fit for that type of work. Anton, we have folks listening to the podcast at all different stages of their security careers. Do you have any advice for folks that are up and coming and maybe for folks that are just getting started?
Dr. Chuvakin: Okay, so I'm gonna give... I'm pretty sure everybody who is like "seasoned in security" wants to give advice to newcomers. But I was reading one of my favorite security mailing lists, Daily Dave, that goes way back many, many, many years to the age of security mailing lists. And just a few days ago, there was a discussion about how some of the people have attended 30 DEFCONs or something. The point is that some of the people in security started in a very different era. And I, my first security job was in the year 2000. And my kind of security as a hobby was in the late '90s. So, think about it, my "formative" years were in a very different environment compared to today. So I've seen a lot of people who've been doing security for 10 years, 20 years, I don't know, maybe half a century for a few people, they give advice, and the advice is kind of about cloning themselves. And I'm not entirely sure that reliving anybody's career over the course of 20 years is the best approach.
So I'm nervous to give this advice because I know that a lot of people give advice and they tell their experience, and they say, "See, I ended up great. Do what I did." I'm not sure that's good advice. I would, for example, highlight the need to learn technology. But today's technology, you don't wanna start... Well, you probably do wanna know Linux. Funny enough, my first exposure to security was in Linux. And guess what's really important to security today, say, for cloud security? Linux. So there are a few common threads, yes, but many other things are just different. For example, study networking. There was a bit of a discussion/fight on Twitter as to whether you need to know networking to be a good security professional. My gut feel is the answer is yes. And I don't think it's gatekeeping. I think it's kind of, well, to be a physicist, you need to know math. It's not gatekeeping, it's kind of a foundational brick or one of the foundational layers.
So there are certain elements like Linux, foundation of modern cloud infrastructure, containers, networking, they're all useful things to pursue, study, and, of course, experiment with. One bit of advice that everybody gives is that you have to, you know, play with stuff in the lab. And I think that's kind of still very solid, robust, good advice, whether you're starting in the '90s or in 2030s. What you have in the lab would, of course, be different, actually, except for Linux. Perhaps, Linux would still be in the 1990s lab and in 2020s lab, but you would be experimenting with things.
Now, this is one angle, there would be some technical background. In the early days, a lot of good security people came from being system admins. Today, probably a lot of good security people came from studying security in college. That wasn't an option in the '90s. So mixing the technical with non-technical is another pillar of advice that I would pursue because I've met people who study technology and they have absolutely no appreciation for the human side of a threat. But I've also met people who study, you know, the GRC, the governance, high-level policy, humans, but they don't understand the tech. Frankly, both types are...well, not ideal as security professionals.
So you would have some kind of balancing act in studying tech, modern tech, you know, future, emergent tech, whatever, and kind of risks to business, human side, and how you balance it, I have no idea. I have no idea how I balanced it, but you will have some kind of balancing act. You cannot just be about, "I know how to hack Kubernetes," but you also can't be, "I've studied FAIR and the risk assessment methodologies." To me, you, you will have to live in both worlds. You live in a tech world and you live in a risk world.
Caroline: Anton, you have had a very storied career in security, and it is still going strong. I think that already listening to this podcast episode, our listeners can tell a little bit, are learning a little bit about the way that you think, and many of your roles have centered on consultative thought-leadership-y, forward-thinking outlook. When you think about your career, what are some of the favorite predictions that you've had? And then naturally, my follow-up question will be, do you have any current predictions for what you think may lie ahead for us in the security industry?
Dr. Chuvakin: I'm gonna start from a very quick rant connected to this. One thing I wanna basically caution people against doing is predicting threats. And I hate it when people ask each other, well, myself and others, questions about, "Hey, can you predict what threats would matter?" Because the reason why I hate predicting threats, and I sort of try not to go into the threat prediction business, is because, ultimately, for a lot of companies, the threats they would face in 2022 would be the threats they faced in 1998. Like a lot of the threat landscape is kind of the same because if you never really improved security beyond the level of 1998, why would a threat actor do anything different? If you can be attacked with the default password, circa probably not 1998, probably more like a 1988-style attack, why change? You know, a password used to be in a Telnet server, look it up, but now this password is in the cloud servers or an API, but it's still the same attack.
So for many threats, the challenge isn't predicting threats. The challenge is why are you so negligent to threats from 5, 10, 15, 20, 30 years ago? So leaving threat predictions aside, one thing that I've mentioned a few times is I'm gonna go in this direction and then hit my favorite single prediction piece. So one thing I've been using a lot in predicting the future is not what people would call a talent shortage or whatever, but it's really the fact that the amount of stuff we have to secure does grow faster than we can grow people who know how to secure it. And it may be cloud, it may be IoT, it may be just people doing more digital things at companies. But just as many, many years ago, people obsessed about, you know, the system admin to server ratio, right now, we can think of some form of assets-to-secure to security-professional ratio.
And to me, this is kind of a runaway train because we have much faster growth in what we need to secure compared to growth in people who know what to do securing stuff. And, yes, some of you with self-serving motives would say, "Yeah, the answer is automation." But right now, it's not about the answer. Right now, it's kind of about acknowledging the fact that stuff to secure grows faster than people. And that's a prediction of sorts that I don't think is changing. I think that these are still gonna be tricky and still gonna be very hard to deal with. Now, the other prediction is that you have to change...we have to change what we are doing. And, of course, at Google, we do have a lot of answers around this area, like how we use automation, as discussed in my own podcast and in other places. But that's not the point. The point is that it's still a runaway train.
So a specific prediction piece I wanted to highlight, there's one particular piece of writing that I've written back in 2009. The blog post is dated January 1st, 2010. So it's like 12 years ago at this point. It's kind of my, admittedly, somewhat pathetic attempt to predict security 10 years into the future. So I was writing this piece in 2010 and I was trying to predict what things would look like in 2020. And to do a bit of a spoiler, in January 2020, I kind of checked my predictions, and I said, "Hey, was that really off?" But the interesting bit about this piece is not because I was right, I was wrong. It was kind of a mixed bag. But the main gist of it is that I felt like in 10 years, security would affect the real world, the physical world, a lot more.
So if you look at 2010, you'd think about people hacking, you know, websites and stealing card numbers, and, you know, PCI DSS this and PCI DSS that. But a lot of this was kind of about digital and nobody really seriously thought about people dying. Well, maybe in 2010 they started thinking about it, but ultimately, the security effect in the physical world was not really a big deal in the 2000s. Now, my prediction was that it would change, and in all honesty, I must be wrong in this regard, but I feel like I wasn't "wrong" wrong. I feel like I was early. So it's almost like I probably should have written a piece predicting security 10 years in the future again in 2020 for 2030, and I would've predicted some of the same things because, ultimately, today, we don't just work in digital security or computer security.
We kind of work in...well, if you hate cyber, cover your ears, cyber security, to cover not just digital systems and information processing, but covering control systems, covering things that ultimately affect the physical world. And to me, that's still my main, maybe not my main scare, but my main suspicion is that security will change that. Right now, we talk about securing elections, we talk about securing democracy, we could talk about securing connected cars. And so, things happen in this area, but I'm just afraid that they would be scarier. And those of my friends and colleagues who deal with OT security or control systems, I have no idea how they sleep at night. Whenever I talk to them at a conference, I have no idea how I sleep at night. So I keep thinking that digital security would barge into the physical world even more in 10 years.
Caroline: You know, I think that to predict the future accurately is a hard thing to do. I think that to predict the future accurately and with a correct timescale is even harder. And so I have to say that, on one hand, I'm intrigued about how spot-on your predictions are. I'm also sort of simultaneously terrified and also relieved that it is not so bad so soon, which, frankly, would not surprise me either.
Anton, there are so many topics that I would like to discuss with you. Unfortunately, time is finite. So I'll pick one, which is threat detection. There may be a lot of anxiety around the threats that we don't know about yet, but I'm gonna make a statement, and I wonder if you'll agree with me or if you'll disagree. It is usually the low-risk, very well-known threats that can cause a lot of damage. What do you think?
Dr. Chuvakin: I think that your question has a bit of a logical flaw because if they're low-risk, and if you subscribe to a traditional thinking of risk as, you know, chance of a loss and the amount of loss, then low-risk, by definition, cannot cause a lot of damage. So if it's low risk, by definition, it's not a lot of damage. But I think what you're trying to say is that these are mundane threats. It's not the esoteric that gets you, but more basic. It's not the fancy container escape, but it's more, you know, the forgotten password that gets you. Is this close to what you had in mind? Because to me the low-risk issue is, by definition, low-risk. You should not pay attention to it.
Caroline: I think that's a really good point, Anton.
Dr. Chuvakin: More like low complexity, well-known threat. Yeah, that's the thing.
Caroline: I think if I were clever, I might say to you that I did it on purpose as a trick question and that you discovered my trick. But, in fact, I think that your interpretation is a very good one. And that is, in fact, the case. You know, today we happen to be recording this podcast in August of 2020. It may be a little bit of time before it's released to the public. And today, I happened to watch an interview of Mudge, who was recently in a security role at Twitter. You know, and, of course, the news does not write about Mudge without also showing a picture of Mudge in 1998 at his Senate testimony. And while his hairstyle is different, there are many things, unfortunately, that are the same with regards to the types of cybersecurity vulnerabilities that get exploited today as 20 years ago, which is sort of fascinating and infuriating at the same time.
Dr. Chuvakin: Yes, I think that a lot of organizations, a lot of kind of real damage, a lot of things that go boom in the night, they happen over things that we sort of know about. Like back in the Gartner days, a lot of analysts, a lot of my colleagues like to quote the statistic that 99% of damage, or...I don't recall how exactly it was phrased, but basically, 99% of badness happens from known vulnerabilities. Now, it's a cool thing to say to shock your audience who maybe assume something different, but ultimately, it's also kind of a bad thing to say because that means that organizations haven't dealt with the stuff that they've known about, right? And, of course, a large enterprise would have a lot of stuff they know about they can't fix, right?
And keeping a large, complex environment secure is really hard. And moreover, if your company has like a layer cake of IT from like mainframes to containers, 1970s tech, 1980s tech, 1990s tech, 2000s tech, all layered together, connected in some way, I have no idea how to keep it secure. So in that sense, I think that known low-risk issues cause damage, but they're also really hard to eliminate at scale. Again, one of my areas of coverage at Gartner was vulnerability management, and I realized very quickly that the only problem worth solving in VM is prioritization.
How do you risk-prioritize things to fix? Patching at scale, sure, that's important, but, ultimately, you can never win at that game. You can never fix everything. Like your IT and your business just won't work. So you are prioritizing. So in that sense, you can always find some "low-risk issue" and say, "Yo, you didn't fix this one," but like, if you scan your environment and you have, you know, 7 million findings, of course, you won't fix all 7 million. So again, with this rambly answer, I think that I'm trying to get to a point that sometimes the so-called low complexity stuff is actually really complex at scale.
Caroline: Yeah, well said. I began my cybersecurity work at eBay and had a perspective during that experience of how truly complicated it can be even to solve a low complexity problem if there are so many instances of that problem, if there is so much legacy software, if the number of assets to secure is exploding, and if you do not have, or if it's not even possible to get a clear picture of ownership of these assets, of course, this remains for me one of the reasons why this field is endlessly interesting. Anton, I expect that our listeners would love to hear more from you. You host the "Cloud Security" Podcast with Timothy Peacock, and I'm curious, what kickstarted your collaboration, and what is your favorite part of working on your podcast?
Dr. Chuvakin: I really wanted to do a podcast to have kind of a more informal, less bureaucratic channel for expression, a discussion forum about cloud security that isn't under strict, you know, rules about what you can say. Because, like, podcasts are a lot more fluid and a lot more agile than, say, you know, longer-form writing or even blogs. But I was also kind of deathly afraid of doing a podcast alone. I felt like the banter in the beginning or interviewing people together is kind of a critical part. So it's almost like I had a bit of a casting call. I don't know, maybe that's not the right term. So I really needed a co-founder, and I found the perfect, perfect person when I found Tim at Google. Tim is also notable for one particular thing, and it kind of blew my mind a little bit. Tim is a second-generation security professional. Think about it.
Caroline: That is so cool. That is super cool. I hope one day that my daughter will be second-generation, but that might be not for another 10 years. That's pretty cool.
Dr. Chuvakin: Yes, exactly. But, to me, to continue on your point about the podcast, that's the origin story, that is part of the origin story. And I think the favorite part is that sometimes we highlight things that are about how Google does something. Some of the more popular episodes are connected to something that Google does that's just so far, so much better than what people expect that it's kind of almost mind-blowing. It's like seeing a glimpse of the future. And, of course, that future is not always portable. Like, you can't just say, "Oh, yeah, I'm gonna do the same." But revealing some of the "Google secrets," it's not really secrets, about how we do things and trying to make it actionable to others is really fun. And also, now that I've worked for the Office of the CISO, highlighting some of the thinking behind who I consider to be the best minds in security kind of on the planet. People like Phil Venables, for example, I feel like sharing their wisdom in our venue is really awesome. So, to me, this is great.
Caroline: Phenomenal. Well, Anton, thank you so much for spending this time with me today, for sharing with us about your story, and for the impact of your work. I'm so glad to know you, I'm so glad that you're working at Google, which makes stuff that I use like every minute of every day. Thank you. Thank you.
Dr. Chuvakin: Thank you very much for inviting me. Hopefully, we can motivate people to go pursue the career we have been pursuing for a good number of years.
Caroline: "Humans of InfoSec" is brought to you by Cobalt, a Pentest as a Service company. You can find us on Twitter @humansofinfosec.