Matt Jonkman is a frequent speaker and author, as well as founder of Bleeding Edge Threats, (formerly Bleeding Snort). He’s worked in security in the financial and telecommunications sectors for the last 10+ years, and now consults doing vulnerability assessment, threat research and signature writing. Matt’s recent writing projects include a regular article in Hakin9 Magazine, the Snort IDS and IPS Toolkit and How to Cheat at Configuring Open Source Security Tools.
————————————————————————————————
Matt was recently generous enough to give us some time to talk about his time in Australia, the IT Security industry here, his thoughts on the industry in general, business and some good products…
BorB: You recently moved to Australia. Why the move? (Aside from the obvious move to a great country.)
MJ: Mostly a desired change of scenery for the family. Work of late has allowed me to be wherever we wanted to be, and Sydney is definitely a place to experience! I have young daughters and the beaches have most definitely agreed with them.
BorB: How have you settled in?
MJ: We’ve really enjoyed the places and the people. Did the obligatory campervan trek recently to Uluru and related places as well as the local sights. We’ve truly enjoyed everything here. This is a beautiful country with a very global outlook. It’s been both enjoyable and a necessary change of point of view. And learning the local language (aussie-english) has been great fun, although sometimes perplexing.
Unfortunately immigration is proving more of a challenge than anticipated in order to stay as an independent contractor, so our days here are limited. Certainly no regrets though!
BorB: What are your impressions of the IT security industry here in Australia? Is it much different to the US?
MJ: I like the folks I’ve met in the local security positions in the major companies here in Sydney. I get the impression that they’re more free to pursue ideas vs their American counterparts. That may be a result of a lessened ‘fear’ of regulatory issues. In fact I’m very interested by recent news that some companies are de-listing from US exchanges in order to avoid SOX compliance.
I don’t have anything against SOX in general; it’s a good idea. But the amount of FUD and misunderstanding as to what it actually requires is muddying the waters in more places than it’s helping, I think. That doesn’t seem to be as much of an issue in the Australian regulatory community.
I also sense that Australian companies feel as though they get treated as a secondary market by larger distributors and vendors, US-based ones especially. I don’t know if that’s true or not, but I can certainly say that the general US mentality of only looking within rather than globally may be to blame for this. I hope that changes soon, because there is a large and, in some verticals, underserved market down under. Global companies, I think, need to realize that a guy based in Europe or the US with the task of being Asia-Pacific Sales Manager just isn’t going to cut it. They need people on the ground that understand the Aussie mentality, market and competition.
BorB: As a well known and respected security researcher, what are your thoughts on where the industry is today?
MJ: I think we’re at a crossroads. Research is being done many times over in parallel in many different places, and a lot of the resulting data is not being acted upon.
Additionally, law enforcement is at a critical mass. Storm is a good example of a skilled group of criminals operating completely without fear of prosecution, right out in the daylight. Identity theft, spam and all the other badness we experience each day is individually too small a crime for any enforcement agency to pursue. Then we have international jurisdiction and cooperation issues. The Russian Business Network is the perfect example. They make money in places where the economy is in peril, so they’re tolerated. It doesn’t hurt the local police; there’s no local crime being committed.
Frankly, in countries where the majority of these crimes originate, the law enforcement agencies have far more important local issues to deal with; kidnapping, revolutionary groups, terrorism, etc. How can we expect them to give a darn about some rich westerner that lost 500 dollars when they get phished? Especially when that $500 is being spent locally…
How it’ll be dealt with: I’ve always thought the only meaningful way forward is real UN leadership, and countries that are willing to cede their local jurisdiction in international cybercrime and resources to work together. It’s a global issue. It needs a global task force to deal with it in any meaningful way. But of course, more chefs will/may cripple a group like this in just trying to govern itself…
BorB: What in your opinion are the biggest IT security challenges facing business today?
MJ: The insider threat. We have solutions for the perimeter, IDS, blacklists, etc. Not to say that there won’t be a compromise from the outside. There surely will be, and as long as a company recognizes this and has a plan to both detect and handle the intrusion, they’ll be fine.
We’re back to the days where it is often easier to compromise a company locally in a social engineering manner. And as long as companies fail to realize the incredible value of the data they possess about their customers, insiders will continue to be able to walk out the front door with it in their pocket, and turn that into cash in 20 minutes on a carder forum.
BorB: If you had the chance to present to a roomful of CEOs, what would you say to them about our industry?
MJ: I have many times, and will again say: Security is the CEO’s problem. The security engineers are the tools the CEO should be employing. CEOs should be directly involved in the risk decisions far more than I see on average.
They need to know not exactly what technically is going on, but exactly what risk is being introduced or mitigated. It’s security 101. They should be involved from the ground all the way to incident response. It is NOT the security engineer’s decision whether to spend money to mitigate a risk based on what the impact might be. It’s the CEO that should know what that impact would mean in dollars, and how many dollars are available to be expended.
I think these things are far too often delegated from officers of a company to managers without the proper oversight and long term involvement.
BorB: We all whinge about how senior “business” management does not want to listen to IT Security people, and we all know that most organisations around the world should be managing security better, but what do you think IT security people could be doing better to assist the business?
MJ: Communication. We are generally geeks at heart, and our eyes light up when we talk about that new 4-way snort sensor we’re deploying and the traffic it’ll handle. I don’t know if everyone realizes, but no one else gives a crap.
Not even if you had a 4-way dual core sensor with 10G of ram. They STILL don’t care. (I know, it’s amazing, but they just don’t care!)
Talking about those things in the presence of non-technical folks makes their eyes glaze over. We all know this, but we forget.
We as security professionals need to INSIST that we get regular time with our upper management to keep them apprised of what we’re doing, what we need, and where our risk lies – then help them make the decisions on what risk we can accept, what it’ll cost to handle other risks, and what could happen if we don’t.
We need to do this all in a manner they’ll understand. This is a fine line to walk. If you speak to a professional manager as a geek, they’ll tune out. If you speak to them as you would a child, they’ll think you an idiot (then start accepting CVs for your position). You’ve got to keep it down the middle, use intelligent analogies, and make SURE they understand. And make sure they understand you NEED them to understand – that it’s important to you personally.
BorB: I’ll put you on the spot. Name some of the vendors and products you trust.
MJ: Haha! Tough to generalize. I must say I trust all of the sponsors of Bleeding Edge Threats.
But, for research I have to say the Shadowserver.org guys are spectacular, Arbor’s Atlas interface, ISC and SANS of course.
For products, Endace has a great new accelerated snort appliance coming up that looks great. (I’ve been able to play with it.) Sourcefire’s 3D stuff looks great. For MSSPs, Arbor and Secureworks have always been very helpful and reliable partners of Bleeding Threats.
BorB: Tell us a bit about Bleeding Edge Threats. (http://www.bleedingthreats.net/)
MJ: Bleeding started out about 5 years ago as just a place to collect the snort rules that crossed the many lists out there when vulnerabilities were discussed. We’ve turned into far more than that, with a great deal of intelligence gathering going on behind the scenes, and involvement in some spectacular research and law enforcement communities. I’ve been invited to speak all over the world, which has been a great pleasure in itself. It’s been a very exciting ride.
We’re at a crossroad at the moment, and are looking to expand the project into something that might be self-sustaining and even more effective for the long term. If you or your company is interested in being part of what the future may hold please contact me, but either way keep an eye out for what’s coming next!
BorB: If you could turn back time, knowing what you know now, what advice / tips would you give some of the pioneers of the Internet (assuming we could beam you straight into their offices and labs)?
MJ: SECURITY!!! All of the founding engineers have said they’d not considered security and wish they had. I wish they had as well.
Really though, at some point in the development of arpanet, had we realized even a tenth of the potential of this thing, we should have re-engineered it before it went ‘live’. But alas, we’re far too deep to do that. And even IP6 isn’t going to help out. I’m afraid we’re stuck with the problems we have for a few generations at the very least.
BorB: Matt, thank you very much for your time. We hope you do stay in Australia.

He uses interesting catchwords we love in the industry today. Unfortunately I think he misses the point somewhat.
“Risk”, “impact”, “oversight”… all missing in today’s infrastructures and organisations at a meaningful and measurable level.
Valuation of information, and the economics thereof. Let’s think about the lack of scarcity inherent in a digital treasure trove of loosely secured and weak data.
As for managers of anything; IT is intrinsic in almost every organisation and facilitates practically everything. The old guard need to brush up! I’m not saying I understand the chip in my car, but I can evaluate the cost for failure, loss of integrity etc.
“Professional managers”, in my opinion, must understand geek speak. It is the new maths, a universal language. If they don’t, the kids biting at their heels will take over and they will obsolete themselves. They just can’t afford to resist the pace of change in an organisation that is run on IT infrastructure.
“But, for research I have to say the Shadowserver.org guys are spectacular, Arbor’s Atlas interface, ISC and SANS of course.” Ack. Kudos.
“UN leadership”. Ack. Kudos. ( My version is a FIRST CDC )
In my opinion the macro issues are being missed here. Data, and subsequently information, has value. It’s about economics and risk being understood on a playing field whose physics are still not well understood, whose borders are ever changing, whose players are human or created by humans, and whose goal is total interconnectedness facilitating messages and transactions to occur.
I believe that with some reductionist thought, we can start to apply discrete and aggregate values to atomic entities and super-organisms.
@ D2
I see what you mean… unfortunately humankind hasn’t evolved to the next level yet. And consequently IT security professionals and corporations also.
Therefore we are forced to tackle today’s problems using yesterday’s tools and techniques.
Until we (society and the industry) move to a new security model, we will continue to do things the way we have been, because this is the only way that ‘works’ in the eyes of CEOs and CIOs.
Change will eventually come about though… once a critical mass of people (CEOs) have been converted over. Then we shall celebrate the birth of ‘Security 2.0’.
D2,
Your stuff, as usual, I like because it is “out there”, but I had Matt in a certain defined “scope”, so to speak, by way of the questions I threw at him. If I gave Matt a free audience to answer questions from the crowd, I think you would find you guys may be on the same wavelength.
You know I will not hold back on my thoughts here… but there was nothing I disagreed with in what Matt said.
I know Matt reads BorB so if you have questions about his responses, hit him up with them here.
DD