Hi folks, Ed Amoroso here. And I'm sitting with my good friend, Roger Thornton, who serves as the Chief Technical Officer for AlienVault, which is one of the cooler names of a cyber security company.

>> There's a little story behind that name. Maybe we'll get to tell you today but thanks.

>> Tell us. Well, tell us. Where did that AlienVault, that really is a cool image.

>> The AlienVault was started by a couple of gentlemen in Madrid, Spain and there's a point in time, I don't know exactly when it was, probably in the mid-1990s, when all the cool names were taken, and so this is when you had to kind of invent names. And they decided they wanted their name to be serious and playful. So they created a list of playful names. Alien was in that list.

>> [LAUGH]

>> They created a list of serious names. Vault was in that list and they wrote a computer algorithm that went through it. And it got to Alien and it got all the way down to Vault, and the algorithm would go search the trademark registrations, the corporation database, the Internet registrations, and that was the first one.

>> That's fantastic. I wonder if people name their kids that way. Like first, the middle. Your first and your middle name. You're stuck with your last name but it's a great idea.

>> There's a similar story how my son became Alexander but I'm going to leave that.

>> [LAUGH] We'll do that in a subsequent video. So tell us about yourself. How did you get interested in computing and ultimately in computer security?

>> Great, well, computers and, I would say, engineering more in general is easy. I grew up on an Air Force base in the 1960s. And the first time I saw a jet take off and I definitely remember the first time seeing some of the NASA gear, the rockets and stuff. I was probably three or four years old and I didn't know what an engineer was but I knew and I wanted to make that stuff. Right? So fast forward to I went to school in the 1980s.
We weren't doing a lot with spacecraft anymore and I lived at that time right in the middle of the Silicon Valley so the big thing was computers. Kind of locked into it was the local industry. And so I started off as a semiconductor manufacturing engineer. How do you go from that to security is a strange story but one of the great things about the Silicon Valley is it constantly changes itself to meet the needs of whatever the next new thing is. So the place I lived in, we went from semiconductors to computers to software, and then Internet became the big rage and I worked in that arena. But when I did work in the Internet, I worked for an online brokerage firm called e-Trade.

>> Did work for eBay and at that time was the first time that I'd ever experienced crime against the products that I made. And I also made some egregious errors. At that point, I was a development manager. Years later, I would learn that some of the mistakes that we made in the authentication system, how that system works, would be used to compromise the system. When all of that hit me, a friend got me really interested in security. And he got me there, actually a friend that you know, Ted. We were having,

>> A venture capitalist.

>> Yeah, so we were having lunch and talking about ideas for startups [INAUDIBLE] and he over a period of time, [INAUDIBLE] on this issue. And his perspective, as a person that had spent most of his career in computer security and then as an investor, had invested in numerous security companies, he felt this sense of guys like you, software people, you're building this stuff. And then guys like us, the security guys, are trying to protect it. And we're talking 1999, 2000.

>> Right.

>> And he was reaching the point where he was starting to think that the stuff you're building just can't be protected. We've tried and tried and tried. No matter what we do, we can't seem to do it.
So let's talk about what are you guys doing when you're building it and I didn't get him the first few times he brought that up. But he asked me a question that I became obsessed with. And he said, tell me, what is a firewall made out of? And I said, well, it's a piece of software. And he had this, aha. Why is it that the firewall can be on the open Internet and suffer the ravages of everything thrown against it, but heaven forbid, if the word processor or the banking system or any other piece of software, why does this one software need to protect the other? Why can't the other be built in the same way? And as technical guys often do, I gave him some answer that was not correct but just [INAUDIBLE] and I started to think and think and think and, of course, I learned that firewalls are compromised every so often.

>> Right.

>> But that ultimately, every break-in to a computer system for the most part, now qualify this, can be driven back to either a design or coding mistake in a piece of software. You might say, well, wait a minute, there's end users and they do stupid things, but we're designing software systems and users are part of the system. Right.

>> So software should compensate for that. So, my first foray into computer security was a company called Fortify Software, my first customer was AT&T.

>> Right.

>> And in that company, like any good engineer, and this is some advice I would love to give to folks that are taking this class. As an engineer, when you first approach security, you're going to think about solving the problem, right?

>> That's right.

>> The problem, if I understand the requirements and can interact with the problem enough, I'll fix it. And if you're fortunate like myself to, early in that endeavor, meet somebody with a law enforcement background, they will tell you and teach you that computer security is not a problem like most engineering problems, it's crime. And, for the most part, no place on earth have we solved the problem of crime.
Crime exists. Where human beings endeavor to commit crime, and they apply their intellect and their vigor and energy, they'll prevail to some degree. So crime is something we manage. We manage it to an acceptable level. We never really solve it, because the cost of solving it is infinite, right? So when I first went into computer security, I didn't know that, and so I went about how do we solve this and the idea at Fortify was, well, if we simply just build the software pattern from a design and coding point of view, we would anticipate the behavior of bad actors. We would build code that didn't have things like buffer overflows and SQL injections and all these very common patterns that allow people intrusion. And so we set off to do that and we made an impact but, as you can imagine, not every piece of code in the world is built to be resilient from a security point of view.

>> Right.

>> Right.

>> Even though it may end up being critical in what it's deployed to do. So we're at a state today where every major bank in the world is building code that's pretty well tested and rigorously designed and built. The telephone infrastructure is that way, a lot of DOD systems are that way. But that might be 10% of all the systems on Earth. And a company like, I don't want to pick on somebody, but the next social networking company to come out of the Silicon Valley or virtual gaming company that comes out of Silicon Valley will build something that doesn't seem to need the rigor that a banking system or a communications infrastructure needs. And it probably won't be built to withstand every form of attack that you can envision.

>> And then, it'll become critical.

>> Yeah.

>> And once it becomes critical, we have the same problems. So once I really got my head around that, which was we can build software better but we're never going to build it perfect. And a lot of the software is just simply not going to be built with an eye toward security.
I moved my interest in the security problem in managing that problem to the area of detection and response. And I don't know if you guys have covered, I'm sure you have or will.

>> We will.

>> The NIST framework protection, try to protect your systems.

>> Right.

>> But if that-

>> NIST is the US National Institute of Standards and Technology. And the framework you reference is a set of requirements to help companies improve their security, right?

>> Right.

>> Sorry to interrupt.

>> No, thanks for clarifying that. And the model that they have is protection, detection, response. I think one of the most important models out there to get your head around if you're really into building a security program.

>> Yeah, I agree.

>> And so, spent that time in protection. And proved to myself that things that people like yourself know, 15 years before I got involved in security, there was no way we were going to protect these systems completely. If that's the case, then what's another model that we can apply to security? And frankly, it's the same one banks have used for years. So if you think about your favorite bank and the branch in your neighborhood, but don't try this at home.

>> You could rob that bank and then chances are you're going to get away with the act of going in and taking money. In fact, the banks can help you do it. They're going to facilitate and get you out of there. Now the probability that three weeks later, you're enjoying that money at home is pretty close to zero. And the reason for that is the banks have looked at that and concluded it is impossible for me to protect the branch to the point where it can't be robbed. And when they describe this to you, they say that could be done, it would no longer be a bank branch. The primary function of a bank branch is to move money in and out to the local community that it serves.
And if you really secured it, if you protected it to the point where it couldn't be robbed, it would no longer be serving that function. So as crazy as it sounds, the better approach is to put the protections in place so that it's not being robbed on a regular basis but the detection capabilities put by the banks and law enforcement with the help of telephone companies and computer makers and everybody else involved. It's such that were you to commit that crime, the detection capabilities of knowing who you are, where you went afterwards are such that that's adequate in terms of keeping the bank safe. And so it's funny that that model's right there in front of all of us. It's one of the oldest ones there was. The person who explained all that to me was an executive at a bank, who told me banks have been around for about 3,000 years, that are being robbed for 2,999 or some odd years and this is really a group that we can learn a lot from in terms of combatting crime. So this idea of fine, you're going to get in but if I can detect you and respond before any real damage has happened, basically, I'm safe.

>> That's really fascinating. Hey, we're going to let everyone take a little break here. Will you come back and do a second video with us and continue on those themes?

>> I might. You bet.

>> That's great. I hope you've enjoyed that part one with my friend Roger Thornton. I hope you'll come back and watch our second part. Enjoy.