Meet the IAM Disruptors: David Ross
Last week, we announced the appointment of David Ross to SecureAuth’s executive leadership team. David joins SecureAuth as vice president of research, where he will drive innovation and continue to bring to market new capabilities around adaptive authentication, secure passwordless authentication and identity-based threat detection.
David is a remarkable industry expert with 20 years of experience in computer security, having previously worked for organizations like FireEye, Mandiant and the Department of State for Diplomatic Security. He was the progenitor of the OpenIOC Framework and his early work at Mandiant revolutionized endpoint compromise detection methods.
To get to know SecureAuth’s new VP better, here are David’s thoughts on the cybersecurity industry, technology and on his personal career motivations.
You’ve spent 20 years working in cybersecurity. What are your thoughts on the industry’s next transformation?
The cybersecurity industry is currently being commoditized as more companies try to sell security as a service. I don’t see anything new or innovative, and the focus is on selling what they have at a larger scale. Identity and access management has been around for a long time, but it’s often not considered to be a cybersecurity asset – and I’d like to change that. SecureAuth is transforming the industry with a fundamentally different approach that both enables organizations and acts as a third pillar of cybersecurity right next to the network sensors and endpoint agents. This is an exciting time to be with SecureAuth!
What is the greatest transformation in cybersecurity you've witnessed?
The greatest transformation I’ve witnessed is public awareness and the understanding that compromises are inevitable. When I started in this industry, nobody wanted to admit or discuss security breaches; security was an afterthought line item on the IT budget. Companies today better understand that security breaches will happen and not only do you need to plan for them, but you need to actively seek them out.
What security challenges are businesses facing today?
What to do with all the malware we now find. Most security companies are security ‘monitor’ companies. Unfortunately, they can only tell you when there is a compromise. Forward-thinking organizations are employing threat detection tools that gives IT teams visibility into exactly what is happening at the front door of their enterprise – risks, threats and all, adapting identity authentication requirements based on risk behaviors observed, enabling organizations to better safeguard themselves while providing a frictionless user experience to employees, customers and partners.
Previously you worked on endpoint compromise detection methods. How has this practice changed since your time at Mandiant and where do you see it heading?
Fifteen years ago, no one had dedicated endpoint investigation software. We walked computer to computer to run PERL scripts from USB pens and we liked it. Twelve years ago, Mandiant was the only company to have an agent dedicated to incident response and it changed the game. Data that would take days or weeks to collect now took hours.
I took that to the next level when I started using our product not only to investigate the endpoint to scope the extent of the compromise across the enterprise. The process of scoping resulted in developing OpenIOC, an XML schema to build and share Indicators of Compromise (IOC). OpenIOC allowed teams to quickly search their enterprises for malware seen at other places. It was a force multiplier, which took tactical intelligence sharing from months to minutes. This also enabled us for the first time to proactively look for and find compromises within customers not exhibiting symptoms.
Improving enterprise endpoint data collection led to what we call today “hunting”. We take a sampling of data from every system and process it on the back end to find anomalies leading to compromised systems our IOCs didn’t find. It’s all the rage today; everyone hunts. The direction has always been to reduce the amount of time attackers have inside your network (alert to fix). Modern agents collect more data, react to real-time events and can even take commanded actions against the attackers. The next step is better integrating intelligence sources with an orchestration layer that can take the human out of the loop until truly needed. Analysts today have way too many alerts to deal with.
What is your favorite personal gadget?
This may sound odd but I’m not a gadget guy. I have an iPhone but I refuse to give up my analog watch. I’m a tool guy and my favorite tool is a 12-ounce riveting hammer my wife’s father gave me twenty years ago. From airplanes to automobiles, kayak building, motorcycles or home repair, that little hammer is my go-to whack bonk. Sometimes it’s the old and familiar that enables the new and creative.
What was the first piece of technology you got really excited about?
Tenth grade high school, I was introduced to CADD software that pre-dated AutoCAD. It was all command line and arcane by today’s standards but I could layout and modify an idea without having to throw away days of work and grab a new sheet of paper! I remember how liberating it felt to be able to quickly iterate through my mistakes to find the solution I wanted. The best thing about computers is how quickly we can iterate over failures.
What device improves your life most at work?
I don’t own it yet but a few of my co-workers do: An Apple pencil. I work best with a whiteboard or a stack of plain paper and a pen. The problem has always been the iteration of the idea on paper (grab more paper) or the whiteboard isn’t big enough and then moving the ideas to a digital form (photo). Until now, the stylus hasn’t been a good enough solution for me but after using a friend’s apple pencil – it’s time to buy a new tool.
What drew you to a career in cybersecurity and how has your experience working in the U.S. Navy influenced your career path overall?
In 1997, a friend insisted on loaning me money to build a home computer. At the time, I was stationed in Naples, Italy and all my money was going into either motorcycles or sailboats, but my friend insisted that I have my own computer ‘to break and fix’. With that, I taught myself enough to become the company system administrator where subsequent behaviors prompted my chief get me assigned to the Fleet Information Warfare Center (FIWC), where I helped build the Navy’s first cyber red team. Experiences and connections made at FIWC later opened an opportunity with the State Department’s Diplomatic Security Service where my “evil finding” career really kicked off.
What advice would you give someone just beginning their career in cybersecurity?
Don’t limit yourself to one aspect of the problem. Most people focus on either endpoint or network data. This prevents you from imagining larger, more creative solutions. It hamstrung a few of my projects over the years. Always take time to step back and ask, “What is the real problem we’re trying to solve?”
What is the most important lesson you’ve learned in your career to date?
My greatest lesson learned is the importance of a good culture to the success of a company. Go the extra mile for your employees and they will go ten extra miles for your customers. Leadership’s number one responsibility is their employees by creating a positive environment for them to do great work for your customers.
Want to learn more about David? Check out the announcement on his appointment at SecureAuth here!