The word ‘journey’ is over-used in the context of things that do not include taking oneself from one place to another. But considering the career of Jack Daniel, the word seems apposite, writes Joe O’Halloran
This journey – from college dropout to car mechanic, co-founder of a worldwide security community, and strategist at a leading security vendor – is a less-travelled one. But it’s one taken with great gusto and accomplishment by
Jack Daniel. Inducted into the Infosecurity Europe Hall of Fame in June 2015, Daniel now stands alongside luminaries such as Eugene Kaspersky, Phil Zimmerman, Mikko Hypponen, Professor Fred Piper, and Dan Kaminsky.
His journey got into gear, almost literally, when, after dropping out of college, Daniel took on a job in a car dealership as a mechanic: an unorthodox, accidental, but ultimately rather logical first step into security. By starting out as an auto mechanic, Daniel’s experience fixing problems with cars set him on a path to diagnosing and solving technological issues that would eventually lead him into computer security.
“I was a mechanic, I was one of the few true Renault experts in the US; it’s possible that the masochism of being a Renault expert set me up for a career in security – it certainly set me up to solve problems,” he reminisces at Infosecurity Europe before his Hall of Fame induction.
“Like a lot of people I stumbled into security, especially from a network and admin side. [In the dealership] I had systems that I was responsible for running, and bad things happened to them. People attacked some of the systems and I had to fix it. People attacked the systems again and then I had to figure out how to stop them from doing the same thing.”
Learning and Unlearning
Proving rather adept at this, his work at the dealership soon led to responsibilities for administering the company’s computer systems: “From there it was learning everything I could, because I really liked the challenge of solving the security problem without sacrificing usability.”
A career in security consulting followed, before, eight years ago, he moved into the vendor space with German firewall company Astaro, now owned by Sophos. While there, Daniel feels that he learned a lot about the outward-facing side of industry, assisting customers and end-users in trying to secure their environments.
“There were a lot of things I had to unlearn,” he says, comparing his experiences in the new sector with the automotive industry. He cites the latter’s poor customer relations as something simply incompatible with the culture of security.
One of the key lessons he most definitely did not unlearn was dealing with finance and the mindset of the security arena: “We can’t solve problems without money... [The security mindset] is often about doing the best with resources available. For many, often it is a choice between paying employees and renewing firewall defenses.”
The lesson of prioritizing resources is key to anyone seeking to move into a management role within security, he argues. In his experience dealing with more senior officials, he adds: “You can tell the people who have come from the trench position, writing code and doing admin… [there are those] who hang onto the absolutism you have when configuring switches or deploying machines – but if you don’t temper that you hit a wall. Those who communicate and compromise tend to move forward and be more effective and satisfied in their job.”
The View From The Top Of The Ladder
Daniel can certainly be considered one of the latter. When he looks back at his career, the word ‘learn’ constantly crops up, and not accidently: “There’s a very steep learning curve and you have to enjoy learning to continue to climbing the security ladder.”
It’s more than fair to say that Daniel is now perched at the top of the ladder, where he is adequately qualified to offer compelling and insightful perspective on all aspects of the market and community. He has had the rare privilege of being a security technology end-user, developer and vendor. Given this, what does he feel is the state of the community right now? The good news, says Daniel, is that the community is in a position of strength – but it has more work to do.
"You have to enjoy learning to continue climbing the security ladder"Jack Daniel, Tenable Security
“The community is very strong but I think we could do a better job of being a community across more lines – we have a lot of silos and we don’t always break down the walls between military, government, education, etc. We have a very strong community in that the people that are in it are very diverse.”
It’s only in the past few years, Daniel adds, that people have entered information security as a career: “It’s not like automotive engineering or civil architecture or medicine where there are years of doing these things and where you follow a path. Only in the past few years has this path been defined as a collegiate curriculum [for security].”
The vast majority of security pros, Daniel says, come from somewhere else: “I think that gives us diversity. It may be a challenge to maturity, but it certainly gives us perspective. If we work together we can really leverage that broad set of knowledge.”
Indeed, another achievement Daniel can be proud of is creating BSides, the community-driven events that act as a forum for sharing knowledge. The idea spawned from the community’s complaints about conference papers that had been rejected by Black Hat: “Some of the rejections were valid, but some of the rejected papers were great and simply didn't have a home.”
The event was a success, and there was demand for the same model to be replicated across the United States, and eventually worldwide.
Getting The Basics Right
As well as being a font of knowledge, Daniel has been a repository of great quotes from his years in the industry (see above). One classic from a few years ago said the industry tends to forget about its fundamentals and is too focused on creating problems and then building security. How true would this statement be today, and how could it be affecting the industry?
“We get excited about what’s newsworthy and we forget the fundamentals,” Daniel muses. “It’s easy to get excited about Heartbleed, Shellshock, or whatever the latest thing is. But whatever it is, it isn’t important if we haven’t addressed [what will happen] to all the systems or environments, or if we haven’t done risk or an inventory of systems and assessed what really impacts our ability to do the mission of our organization.
“Then [you can] worry about whatever makes the news next week. Rather than worry about the latest news, there are things we should be doing better. Are all the archives protected? Can I back-up and restore reliably, so that every time an event comes up we have a plan to respond?”
Security events will increasingly arise from the growing vectors of point-of-sale and the internet of things (IoT). We need to get used to this, Daniel warns.
“IoT just means that a lot more devices are going to be connected to the network, and that means if there are weakness in those systems they are going to exploited. One specific example is DDoS. We have seen more and more of this. I have seen a lot of reflection attacks using DNS and NTP and those attacks were against systems that were poorly configured on systems run generally by systems administrators.
“One of the [new] attacks is from using a UPnP probe called SSDP – which is in a lot of consumer devices and not managed by professionals. We could fix DNS and NTP but nobody is going to fix SSDP. That sort of protocol is in a lot of these simple devices so that they can communicate and I fear that those are going to be leveraged for this sort of reflection attack.”
Setting Out On A New Road – Or Two
But what of the next part of Daniel’s journey? Where will the security road lead him? Intriguingly he believes than he will be travelling in two directions at once. He explains: “As my role evolves at Tenable and I spend more time speaking to executives and senior management, it’s really helping me grasp even more the challenges of enterprise. Yet coming from small to mid-sized businesses, those guys need a lot of help because they don’t have resources.”
One thing that has become clear to Daniel over the last several years of working in enterprises is that the challenges we face scale much more effectively than the solutions: “If it’s a problem for the coffee shop down the street, the Fortune 500 company is probably struggling with the same problem. It’s interesting to be in a role where I can share what I know which hopefully drives security forward.
“In the opposite direction, I started about a year ago looking into the history of information security and assurance, and then sharing that information with a younger generation, because no matter when you come into this industry, just trying to keep up keeps us at a dead run. The idea of looking back really isn’t an option for most of us. I have the luxury of stopping and looking back and summarizing that and sharing that knowledge with the younger generations so they know how we got to where we are now.”
In studying the journey that Daniel has taken, they are in for some ride.