“I’m not a narcissist, but I can play along.” These are Tom Kellerman’s first words to me once I’ve explained why I’ve booked so much time with him to do this interview.
We’re at the Mandalay Bay, Las Vegas, in August. There is a loud cloak of noise that is unavoidable whilst sat in a casino that never sleeps, surrounded by giddy Black Hat attendees. Tom, or TK to his friends, picks his chair carefully, and it takes a while for him to settle into the surroundings. Throughout the interview his eyes flit less, his guard drops slightly, but I can say with confidence that his situational awareness never dwindles. This is very obviously a man obsessed with physical security.
His next words immediately shed light on why. “I’m the son of a US diplomat and my mother is from Switzerland. I grew up in West Africa and Guatemala. As a child, we were evacuated for the fundamentalist revolution in Mauritania.” That, Tom reflects, was the first time he truly experienced the importance of security. “I may look like your typical American cracker, but I’m not,” laughs Tom.
I pull him up on his visible paranoia and he nods, almost guiltily. “You’re right, I’m ultra-paranoid,” he admits. “I’m very aware, to a point where I wish I wasn’t. Maybe that’s why I like red wine,” he ponders. Perhaps unsurprising given his upbringing, Tom has a situational awareness that transcends the physical world into cybersecurity. He considers the similarities between cyber and physical security to be significant though. “I was a bouncer and a DJ back in college. Being a bouncer at a nightclub is very similar to doing cybersecurity: you have to look for behavioral anomalies in both.”
He remembers his youth in Guatemala as “dark years” – presumably referring to both the country’s political situation and his own experience. “The civil war, the mass atrocities, the numerous attempts to assassinate my family, the coup d’états that occurred all contributed – and acted as a provocative catalyst – for my obsession with security”.
Poignant Words of Wisdom
The interest in physical security started to evolve into a passion for information security when someone from the Embassy, who was trying to date his older sister, taught Tom how to use the DOS prompt when he was around the age of 11. That, he recalls, was the beginning of his grey hat explorative phase. “There was no cable TV and I couldn’t do team sports because of kidnapping risks, so my outlets were fantasy novels by the likes of Tolkien, computing and video games.” He talks about kidnapping risks the same way that the average person would talk about chilly winter days.
Despite spending six weeks every summer back in the US, Tom didn’t move to the States permanently until he was 16. By then, his technical skills were clearly substantial, although Tom is too humble to admit that. His college professor advised him to use his skills for good.
The professor, Professor Kenneth Organski, told Tom to “add a Master’s or a PhD in international affairs, because he said the two would converge someday, and that they were fundamentally important to the future of the world.” A memorable and notable piece of advice in its own right, but certainly more poignant given that Professor Organski sadly passed away 10 days later. “[The advice] stuck,” says Tom.
I can’t help but pry into why Professor Organski felt it necessary to caution Tom. “Were you playing around on the dark side?” I cautiously ask. “I was on the edge of righteous behavior,” smiles Tom. “It was a time in my life when I was messing around with my tech skills, rather than applying them.” Read into that what you will.
“I was on the edge of righteous behavior”
A Proud ‘Father’ of 76
Tom’s Bachelor degree was in political science and psychology with a minor in computer science at the University of Michigan. There was no cybersecurity degree back then, remembers Tom, but he connects his favorite part of his course, abnormal psychology, with what he does today.
He later attended the American University in Washington D.C. to study for his Master’s and his PhD was grandfathered in after he authored – and the World Bank published and defended – his book, Electronic Safety and Soundness – we’ll come back to this later. “I wrote my thesis on the illicit trans-national corporation, which is a discussion of the use of technology by organized crime to undermine regimes, specifically focusing on the Russian mafia’s collaboration with drug cartels to undermine the Peruvian economy and governments, in exchange for cocaine for use in Europe post-Glasnost.” He says it almost without taking a breath and is seemingly unaware of my wide eyes. Tom then goes on to give me a more in-depth insight into this topic, which in all honesty, could make a dedicated article in its own right.
That wasn’t the end of Tom’s time at the American University as he later returned to teach there for eight years. He recently took a sabbatical working for Alvarez and Marsal as an MD creating a risk matrix for cyber insurance and teaching at AU.
Tom loves teaching and considers his students ‘his children.’ He started teaching around the turn of his 30th birthday. “I don’t have my own children, but I consider the 76 students that have graduated from my class and are now cybersecurity analysts around the world my children.” He also considers them his greatest achievement. “Changing the career path of international affairs or law candidates who go on to become leaders in cybersecurity is the most rewarding thing I’ve been a part of in my career,” he tells me.
“I like teaching, but more importantly, I learn more from my students than they do from me. They force me to think differently, and when they ask a question I don’t know the answer to, I tell them to go away and research it for me. It’s amazing,” he laughs. Joking aside, he considers teaching the number one thing he has given back to the community.
The Guy That Wrote Checks
His career hasn’t been exclusively dedicated to ‘giving back’ though and TK applies a similar darkness to his reflection on his years as an investor as he does his childhood in war-torn Guatemala.
“This billionaire in New York gave me $100m to invest in technology,” he recalls, almost ashamedly. “I was in charge of a venture capital fund that was specifically investing in cybersecurity and technology transfer from the US intelligence community and the Israeli intelligence community.”
Tom soon became tired of the business of investing. “The used car salesman feeling, the snake oil, the one great meeting for every 30 or 40 I attended…” he remembers, listing all the reasons he regretted his time as an investor. “I was tired of being considered the guy that just wrote checks, and I wanted to get back into the fight, especially when I could see the state of cybersecurity was essentially going down the toilet.”
He candidly tells me that he regrets this part of his career. “I wasted a couple of years not being in the fight, but all things happen for a reason, I truly believe that.”
Tom believes that the greater universe offers different paths, the high road and the low road, the hard road and the easy road. “They lead you to similar destinations, but based on different tasks,” he explains. The venture capital path led him to Carbon Black (I’ll come back to that later), so he seems more than happy with his destination, but less so with the journey. “Now that I’m in Colorado enjoying hiking and biking, I understand the point about the route less travelled and the longer, harder journey having the greatest reward.”
From one metaphor to another, Tom compares the security industry to a Northeastern city of Syria.
American cyberspace, according to Tom, looks more like Raqqa in Syria than Honolulu. I don’t think anyone would argue with that. “Part of the problem is that the hackers are better organized, cooperate better and have a better sense of community than even the White House.” This, says Tom, is perhaps why the economy of scale on the dark web is approximately a trillion dollars, when comparatively, the cybersecurity industry’s is $100bn.
“Changing the career path of international affairs or law candidates who go on to become leaders in cybersecurity is the most rewarding thing I’ve been a part of in my career”
Getting Back In the Fight
Tom’s passion for making the world more secure radiates from him. It’s no surprise to me that venture capital investing was not for him, and even less surprising that the security industry welcomed him back with the widest of open arms. “At the time, I realized there was only one company that effectively transferred the technology from the intelligence community, and that was Carbon Black.”
Tom had a pre-existing relationship with Mike Viscuso (Carbon Black’s then co-founder and CEO, now vice-president of strategy), so he called him up and landed a job. “This is actually going to be the last job in my career and I mean that in an amazing way,” he tells me, completely committed to this statement.
“Unless I get fired, this is it,” smiles Tom. So what’s so special about this particular vendor, I probe? The culture, for one, argues Tom. “I’ve never known anything like it during my 21 years in the game,” he says.
“Carbon Black is one of the few cybersecurity companies that has an open API that connects to over 140 other security vendors and even allows competitors to plug into it. That is awesome,” explains Tom. “We don’t provide professional services, because we think it’s ethically wrong to sell you the bulletproof vest and also the gravedigger on the back side, metaphorically speaking.
“So we partner with over 120 incident response and MDR firms that use our capability for free in their investigations.” This informs Carbon Black analytics, giving the firm greater situational awareness, and at the same time enables Carbon Black to give back to the community as a whole.
Tom also applauds the company’s Women in Cybersecurity initiative which has the objective of reaching 50% female employees by 2021. “It’s awesome,” he says. “Women are inherently more proactive than men, whereas men are physically more reactive. Cybersecurity is now really about understanding the adversaries, and looking for behavioral anomalies, which again, women are better at than men.”
Carbon Black has also given Tom the platform to create a group called ‘The Howlers’ – based on a science fiction series called Red Rising, which he tells me is (excellent) mandatory reading material for all CIA agents during training. ‘The Howlers’ is made up of employees who have raised their hands to say they want to join the fight above and beyond their normal job description. “These are the Top Guns, the Navy Seals, the Army Rangers or the MI6 of Carbon Black.” It was Tom’s idea and is perhaps an indication of the next chapter of his career. His ability to rally people behind positive ideology is really admirable and I’m sure makes him an excellent teacher as well as leader of ‘The Howlers.’
Filling In the Gaps
His career years in between the highs (teaching and Carbon Black) and lows (venture capital investment) are given little more than a nod during our conversation, but allow me to fill in the gaps. After he graduated, Tom went to the World Bank as the deputy head of cybersecurity in the IMF treasury security team.
He then worked at Core Security where he trained red teams on how to do binary vulnerability exploit development and deep dive penetration testing, which is where he met Mike Viscuso. Following his tenure at Core Security, he became CSO of Trend Micro. “My career is pretty stupid,” he comments as I try to piece together his roles somewhat chronologically.
Tom and I are joined by one of his colleagues, Ryan Murphy, for this interview and their friendship is apparent. “Tom could have easily rested on his resume and made a lot of money investing in firms, but to instead say ‘I want to contribute to solving this problem’ demonstrated the passion he has for empowering the good guys,” says Ryan.
“He wants to win for the good guys because that’s the right thing to do to improve the human condition,” continues Ryan. “You don’t find that in a lot of people. It’s one of the reasons I personally love him, and why he is a major asset to Carbon Black.”
It’s not only Ryan who is impressed by Tom. He’s an impressive man with notable presence. Despite his sense of humor and his modest nature, there’s something about Tom which means you take him completely seriously. Even when he’s saying something like: “I wrote a boring book, an incredibly boring book. Like if you can’t sleep at night, this will solve your problem, kind of book.”
Challenged to write the book (titled Electronic Safety and Soundness: Securing Finance in a New Age) by the World Bank, Tom claims it was the first book ever written specific to financial sector security. “It was the beginning of the true conversation of how we need to create defense in depth around electronic finance that goes beyond encryption. Frankly, if encryption was the answer, we probably wouldn’t be sitting here at Black Hat,” he says, acknowledging the book’s necessity but still rolling his eyes about its sleep provoking qualities.
I ask him whether he’s tempted to write a ‘non-boring book’ and he grins. “I’d like to, perhaps in the style of Tina Fey’s Bossypants. It’s arrogant to think that anyone would be interested in that story though, so I’ve decided I might do stand-up instead,” he laughs.
“The United States is going to enter 2020, arguably one of the most important elections in our history, completely blind to what may occur when it comes to the election”
Standing Among Giants
Something that Tom is understandably proud of is holding a seat in the Commission on Cyber Security for President Barack Obama, where he served as an advisor to the International Cyber Security Protection Alliance. “After Titan Rain, the government said they were going to produce a mission on cybersecurity for the incoming President.” Experts from the private sector and within government were brought together to create a strategy to deal with the cyber-crisis.
“It was right before President Obama was elected, so we had McCain’s, Clinton’s and Obama’s people there,” recalls Tom. “When Obama won, we were then transferred to consult in Congress for two years, but we met once a month for an entire day. We were not paid, we were created by Congress to serve the incoming President, and we did.”
I can’t help myself, I have to ask about working with President Obama. “He is down to earth, highly intelligent and very eloquent,” says Tom. He reflects on the recommendations created and is visibly disheartened. “To this day, only 60% of the great recommendations have been implemented and two were even reversed by the Trump administration.”
How Tom feels about the recommendations that were either ignored or reversed is written all over his face, but I decide to ask the question anyway. “I’m not going to say why, but it pissed me off. This is not a political issue, this is a patriotic issue. Actually, this isn’t even a patriotic issue, this is a civility issue. Cyberspace is not a civil place. We had to civilize cyberspace, and frankly there’s no leadership. The only country showing true leadership in cyberspace is China, and it’s not in our best interests.”
His candid denouncement is completely justified and I appreciate his honesty. I want to hear more. “Carbon Black doesn’t sell to China, Russia, Korea or Iran, or any entity that is actively targeting democracy,” he insists. “That’s where we draw the line geopolitically when it comes to doing business. Yes, that may inhibit our capacity to grow faster by eliminating those markets, but that’s irrelevant to us.” It’s another nod to what he loves about Carbon Black and why he is intent on making it his final career stop.
“It’s a major concern for me personally, but certainly for the industry too, that cybersecurity is becoming a partisan political issue, and that’s how we approach it. The United States is going to enter 2020, arguably one of the most important elections in our history, completely blind to what may occur when it comes to the election.
“Democracy, not only in the United States, but around the world, is at risk at worst, and at the very best, in doubt. People are doubting the integrity of what makes them part of a democracy in an election and that’s a very scary thought.”
The Future is Black
According to Tom, his path is set in stone. His future is firmly rooted in Carbon Black and he knows nowhere else he’d rather spend the remaining years of his career.
That doesn’t mean he’s giving up on teaching all together though. “I still want to help educate children, and I’d still like to be an adjunct professor, maybe in Colorado.” Of course, if he wins the lottery, the path may open up to expose a new potential direction. “In that case, I’d become a philanthropist. I’m very passionate about our National parks.”
Colorado suits him well: he hikes, mountain bikes and swims, and more recently he has been trying to meditate too.
He makes sure he balances the healthy with the indulgent, however: “My happy place is great music (he loves hip hop), good friends, a good glass of red wine (pinot noir, specifically) and a good piece of cheese.” In fact, he considers that “if I was going to get executed tomorrow, by the Chinese or Russian government, I would have a nice piece of cheese and a glass of red wine first.” Not that he’s paranoid or anything. Tom Kellerman, thank you for all that you do for our industry.