GTCF #10: Trinity Cyber - Steve Ryan & Tom Bossert - Intrusion Prevention On Steroids
March 17 2021 Filed in: Gula Tech Cyber Fiction Show | Cyber Policy | Portfolio Interviews | Threat Intelligence
Steve Ryan and Tom Bossert discuss Trinity Cyber's advanced and proven ability to prevent cyber attacks with Ron Gula. We discuss how Trinity Cyber is taking a fundamentally new approach to rapidly remove exploits in documents and interdict botnet command and control for large and small organizations. We also discuss cybersecurity policy since Tom was the former Homeland Security Advisor to President Trump and Steve was the National Security Agency's Threat Operations Center Deputy Director.
Ron Gula: [00:00:00] Hi there. This is Ron Gula with the Gula Tech Cyber Fiction Show. Today we have guests from Trinity Cyber. We have CEO Steve Ryan and president S- Tom Bossert. I didn't screw up your guys's names did I?
Steve Ryan: [00:00:14] Not yet. [laughs]
Ron Gula: [00:00:15] Oh my gosh. We've only been, investing and working on this for a while. Steve, how's it going?
Steve Ryan: [00:00:19] It's going great, Ron. Thanks for having us here.
Ron Gula: [00:00:21] Thanks so much for coming.
Steve Ryan: [00:00:22] Yeah.
Ron Gula: [00:00:22] Tom doing well?
Tom Bossert: [00:00:23] Doing great. This is my first three-person podcast.
Ron Gula: [00:00:26] Oh, really good.
Steve Ryan: [00:00:27] This is my second, yeah.
Ron Gula: [00:00:28] Excellent.
Steve Ryan: [00:00:28] Yeah. [laughs]
Ron Gula: [00:00:28] We're gonna get a little bit about your backgrounds. We're gonna talk a lot about Trinity Cyber. And then we're gonna actually talk a little bit about national cyber policy and whatnot, right?
Steve Ryan: [00:00:38] Cool.
Ron Gula: [00:00:39] So Steve, how'd you get here?
Steve Ryan: [00:00:40] I started at National Security Agency right out of college, 32 years there. I thought I was joining NASA. What kid my age didn't watch Neil Armstrong land on the moon and not want to be an astronaut. And on the bulletin board in the engineering school, there was a little thing that said NASA was coming to interview. I'm like, "Oh, how cool is that." I walk in the door all ready to talk moon landings, and there's a poster with a eagle holding a key. And it said National Security Agency, and I thought I was gonna work for a security, like a security guard company. And I-
Ron Gula: [00:01:13] [laughs]
Steve Ryan: [00:01:13] ... said I'm here. I'll do the interview." It was an awesome interview, and I just loved it. And and I had the chance to go to Fort Meade and interview with some great folks. And I worked in or led a special projects organization for my entire 32-year career. So it was really cool, got to work with some really hard problems with absolutely no red tape. And I thought that's the way life was supposed to be.
Tom Bossert: [00:01:35] Blind squirrel finds the nut, huh?
Steve Ryan: [00:01:37] Yeah.
Ron Gula: [00:01:37] That's right. That's right. Yeah, usually special projects is not, does not make one's career. But you ended up pretty much, building most of the NSA's hush-hush kind of funny stuff that we can't talk about a whole lot right?
Steve Ryan: [00:01:47] I did, yeah.
I did 15 years of special chip designs. These are special chips that had unique purposes that went in communication gear in-
Ron Gula: [00:01:56] Special s-, chips for special projects. ...
Steve Ryan: [00:01:59] very unique parts of the world.
Ron Gula: [00:02:00] But you were also instrumental in setting up the Threat Operations Center, right?
Steve Ryan: [00:02:04] [affirmative]. Yeah, I was. I I ended up getting into a development program, saw the writing on the wall. Most of the chips I designed were for point-to-point communication systems. And, in the late '90s, that was shifting over to network systems. And so I wanted to learn more about the underlying, ecosystem of networking products. And so I went into this three-year development program. I got to do a year as an intern at PSINet back when they were like, when they ha-, when they had their name on the stadium, when they were really hot. Learned a lot about working in a fast-paced, private-sector mentality. And I took that to NSA. And my third tour, I started in this brand new organization doing network defense for DoD. And defense at the time was watching a whole bunch of stuff and putting a whole bunch of bodies on that, and writing reports. And and I thought maybe we could do better. [laughs]
Ron Gula: [00:03:00] I like doing better. Some things certainly never change though, right? I think there's plenty of people out there hunting and writing reports these days.
Steve Ryan: [00:03:06] Th- that's true.
Ron Gula: [00:03:07] That's awesome. And you also won a couple you were awarded some interesting awards. What is the Exceptional Civilian Service Award?
Steve Ryan: [00:03:13] It's it's a, it's an award given to any, anybody at NSA. Some awards are only given to, senior executives, but when you do something pretty profound I, somehow somebody thought I did but a lot of that work, a lot of it, the award I got there was largely for the work in the, in building and and eventually running the NSA Threat Operations Center.
Ron Gula: [00:03:35] Excellent. I appreciate you sharing that. A lot of people put the NSA as this big thi-, organization they don't really get a lot of looks into. And there's people that have careers there such as yourself. And people, do great things for the country, and it's hard to get them to talk about that. I appreciate you you sharing that. Tom, how, as a political science and economics major, do you end up as president of Trinity Cyber?
Tom Bossert: [00:04:00] Yeah, it's a long but short story.
Steve Ryan: [00:04:03] Yeah, how Tom?
Tom Bossert: [00:04:03] Yeah.
Steve Ryan: [00:04:03] [laughs]
Tom Bossert: [00:04:04] I'm surrounded by two national assets here that both worked at the NSA. And at some point or another, I got asked as a junior level, but I guess senior title holding White House policy director to see if I could figure out how to tackle the cybersecurity problem. And I started meeting a lot of really smart people, to include Steve Ryan, at the time, and this was, in 2004. There, this was prior to the NSA's Threat Operations Center. This was when we were trying to figure out the problem, and somebody needed to put it together in a policy, push a lot of money together. What you did was fun and you got to work for it, but somebody had to pay for it and figure out the budget. And so I started to learn it from the policy side. And I had to do it in a hurry because we had a lot of problems, a lot of growing risk, and we had a President at the time that wasn't really, keen on process. He was a little bit more about results. And we briefed him a few times, and I know at the time it seemed very important. But if you flash forward years later, same people around the table, it was a young Steve Ryan with more hair on his head-
Steve Ryan: [00:05:06] A lot more hair.
Tom Bossert: [00:05:07] ... it was a young General Alexander with one star, not four. It was a, it was probably a young Ron Gula still out there, taking over the world and, and-
Ron Gula: [00:05:15] Less gray hair.
Tom Bossert: [00:05:15] ... and less gray hair-
Ron Gula: [00:05:16] Yeah.
Tom Bossert: [00:05:16] ... and developing Dragon at the time. But, all of that was happening, and I was supposed to synthesize smart people into something that made sense. That's what I did. And I came to realize in the 10 to 12 years in between now and then, and I've had the d-, the chance to do this for another President that there's not a lot changing out there and innovation's hard to come by. And when you find something that works, you grasp onto it and you r-, and you really, marry yourself to it. There's a lot of doubters, there's a lot of people that don't understand how innovation's not gonna break things. But if you don't innovate, you don't get anywhere.
How did I get here? I got here by hard work, luck, circumstance, and because I raised my hand and said, "Let me take on this problem." And I brought a lot of smart people around me, like you guys, to help me get there. And when I left the White House last time, I found the same thing when I left it the first time, I found that there's not a lot of innovation, "Maybe I ought to call Steve Ryan and see what he's up to." And sure enough, he's up to something new and good and hot. I begged him for a job. He gave it to me. He built the tech. He's got the vision. I know how to implement it and hopefully sell it.
Ron Gula: [00:06:14] That's excellent. That's excellent. Let's start talking about Trinity Cyber. Very excited that, as Gula Tech Adventures, we got to invest and,
Steve Ryan: [00:06:22] We're excited too, Ron.
Ron Gula: [00:06:23] It's a lot of excitement.
Steve Ryan: [00:06:24] Yeah.
Ron Gula: [00:06:25] But, y- coming from the network intrusion detection and kind of prevention thing, this was the first technology that I've really seen that's a big leap frog. No disrespect to a lot of the cool forensics, packet-
Steve Ryan: [00:06:37] Yeah.
Ron Gula: [00:06:38] ... packet vaults out there. There's been a lot of people looking at packets to find things. But, Steve, why don't you tell us a bit more. What does Trinity Cyber do? What problem does it solve?
Steve Ryan: [00:06:46] It solves a few problems, Ron. Where we are today in, in, in cybersecurity, it's largely about getting your arms around all the things that are happening and then getting that information to the right people so they can do something about it. We take a different twist, and that is how do the bad guys do what they do, and what can we do about that in flight? We're not talking about it after the fact, we're talking about it before it happens or while it's happening. It goes back to my genesis back at the fort. We had this idea that what if we understood the techniques that the adversaries used and found a way to get in the middle of those techniques to cause them not to work?
Ron Gula: [00:07:31] W-
Steve Ryan: [00:07:31] It's powerful stuff.
Ron Gula: [00:07:33] We talk about a technique.
Steve Ryan: [00:07:35] Yeah.
Ron Gula: [00:07:35] I've got my social engineering exploit kit. I'm gonna make a PDF. I'm gonna email it to Tom, and it's gonna have four different CDE exploits. I might even zip that in a file and have a b- bu-, a buffer overflow, some other attack in that zip file. How does Trinity handle something like that?
Steve Ryan: [00:07:51] Yeah, that's a great question. That, that is our sweet spot. That's our wheelhouse, right? And so when you think about how that's delivered some people will say, all office documents with equations are bad because there's this vulnerability that allows a bad guy to create an overflow condition to cause something to happen. What we're doing is looking for those conditions, right? And for us, it's about building the session as though it were coming to an endpoint, so the kind of things that you'd want to be able to do post-incident, like a real forensics deep-dive into the session. You're not looking at a bunch of ones and zeros, you're looking at contextual, built content. And so we build that in flight before it gets to you. And now were not looking at a bunch of ones and zeros, but we're looking at a zip file. Perhaps it has multiple zip files in it. And then we're burrowing through those zip files to find the Office document. Modern Office documents are zip files, right? You've got to get down in there.
And then, inside an Office document, a lot of people think an Office document is like what on the screen, a bunch of letters on a page. And hon-, it's a really complex file system, and it has file systems inside the file system. And you've got to be able to parse that all the way down to its native components and its native objects. And when you do, things jump out at you. A lot of people don't because it takes too much time. And so that's the key that Trinity Cyber was able to invent was being able to do that fast enough where we can examine a the, a full session with its content, with its files, and get to the conditions that your bad guy... And you've got a kit and your kit relies on taking advantage of certain conditions. If I know that, I'll make sure that those conditions never manifest.
Ron Gula: [00:09:46] And then, what does this mean for the users of Trinity? Do they have to wait for their documents to get scanned? Is it, you say it's instant. I mean what does that mean?
Tom Bossert: [00:09:55] That's what I was just writing down here. All of that's really impressive. But to somebody listening, they're thinking, "That's great if you've got all day." But what we cracked, what the team that Steve, the innovative tech team that Steve's led has cracked is speed. That's why I was so attracted to it. Others have tried this before, but nobody's been able to get anywhere near the speed that we've been able to produce. You get two things, you get speed, and with speed comes maneuverability.
If Steve does everything that he just described, fully opens something down to the, OLE and CFB and the sub-object level, sees the conditions all stripped away of the obfuscation that are gonna let's say you called it a buffer overflow, they're gonna create that buffer overflow conditions that says let's change those conditions. Let's remove that buffer overflow. Let's not look for indicators of that, let's actually find its presence, wherever it is in the response body every time, everywhere." if you do that fast enough, now what do you do? One of the things we do when we interview new technicians is we ask them that questions. And the ones that wash out say, "I would send an alert."
Steve Ryan: [00:10:56] Yeah.
Tom Bossert: [00:10:57] And the ones that get hired say-
Steve Ryan: [00:10:58] I would review the logs and send an incident report.
Tom Bossert: [00:11:00] And send an incident report.
Steve Ryan: [00:11:01] Yeah.
Tom Bossert: [00:11:01] The ones that get hired are the ones that say geez, if I've got it at rest in front of me and I can write a formulaic action and marry it with this detected formula, why wouldn't I change a, an 08 to an 07 so it doesn't, you know-
Steve Ryan: [00:11:13] Yeah.
Tom Bossert: [00:11:13] ... register it as [inaudible 00:12:24]
Steve Ryan: [00:11:13] Yeah.
Tom Bossert: [00:11:14] Why wouldn't I make that thing away so that we don't have all of these people, good, talented people chasing down tickets and doing this kind of incident response when they could instead focus on more important matters?
Steve Ryan: [00:11:26] It's a really powerful thing too because what you get is you get a broader application, right? Whereas a lot of folks will say, "I know that file is bad because we've seen it before or we've seen ones just like it before or we've seen bad files hosted on the same place or coming from the same IP." those are all important things but, somebody has to be first there to, to, for something to get on that list. And what we do is we make sure that you're not first.
Tom Bossert: [00:11:58] [crosstalk 00:13:13]-
Steve Ryan: [00:11:58] We take the whole technique right off the board.
Tom Bossert: [00:11:59] Who's asking, Ron? This is the hardest thing for me. Now, you say, "What's in it for the customer?" I always have to ask, "Who's the customer?" If it's the CEO, reduce risk, and if it's the CSO, I'm gonna buy him time, I'm gonna buy him space, I'm gonna g-, buy him a relaxed patch management cycle, I'm gonna reduce their SOC expenditures, all of these different... But I have to know who I'm talking to make a persuasive pitch. And what blows me away more than anything is that the market's so saturated with claims. I understand it, right? Some are legitimate claims. Others are not. And we'll have compete in that space. But it's so saturated with these claims that we've essentially conditioned an entire generation of CSOs to say, "I don't want innovation. I don't buy it. I don't believe in it. And if you are gonna tell me that you buy me let's say 60%, 80% more security or reduced risk I don't know, do I want that?" And it blows me away that we would have to have that-
Ron Gula: [00:12:49] I see this a lot across our portfolio where, if you have a technology that's 5% better, that sort of non-believer CSO-
Tom Bossert: [00:12:56] Yeah.
Ron Gula: [00:12:56] ... considers it's not worth replacing." But if you said, "I've got this leap, this quantum leap in technology"...
Tom Bossert: [00:13:02] Yep.
Ron Gula: [00:13:03] I don't know, that's a big, that's a big risk."
Tom Bossert: [00:13:04] yep.
Ron Gula: [00:13:05] I actually do think Trinity is a big leap in technology. When we had intrusion detection, we didn't have context, right? We had regular expressions and pattern matching.
Tom Bossert: [00:13:14] [affirmative].
Ron Gula: [00:13:14] And then the big innovation was intrusion prevention, right? If you can detect something and you can prevent something. But then, of course, people started flipping that stuff on, and they started preventing real work. Everybody bought intrusion prevention and then never really turned it on.
Now, Gartner was a big driver of this, and they gave you a Cool Vendor Award. What why did they award you that? And what'd you do with all that?
Steve Ryan: [00:13:35] It's it's, it is this innovation of being able to have this, as Tom de-, was describing, we can do this deep inspection, all the way down to the DNA of an internet session with this incredible precision that others just can't attain, but being able to add this maneuverability to it. We're not just blocking, somebody like, "Oh, this is bad, just block it." again, what we do is we'll remove the conditions that make it bad, right? You asked about what about the user? For the user, it's invisible, right? For the user, you're pulling a file down, you get a file. It just happens to be a clean one. Or you go into a website that's got something malicious on it, for you, your experience doesn't change. You get to do whatever you were doing. You just don't get the malicious part.
So we got this Cool Vendor in network and endpoint security. And I remember at first thinking, "Yeah, but, they're pooling us together with network and endpoint." But when you stop and think about what we're doing, we're almost doing endpoint-level security but in the network, right? In flight. We're pulling it all the way down to the endpoint or almost mimicking like what would happen on the en-, what would happen on the endpoint but we're doing that in the network.
Tom Bossert: [00:14:44] 20,
Steve Ryan: [00:14:45] We're really giving the best of both.
Tom Bossert: [00:14:46] 20 of the 25, most frequently used exploits by the Chinese, the NSA put out a great paper. I'm loving what the NSA's doing. They're getting better and better and-
Steve Ryan: [00:14:54] Yep.
Tom Bossert: [00:14:54] ... the quality of the work there or help to craft policy to help them operate better to secure the country. And they put out a great report that said, "Here's what we're seeing real time." This is what we've all been trying to get from them for a long time. And we looked through it as a company, and we said, "This is great." As patriots, as people that used to work in government, good policy, good outcome. So check for General Nakasone, if you're listening good work. It, it's outstanding. We look at it and say, "We can take 20 of those 25." 23 of the 25 were network obse- observable in network trafficking.
Steve Ryan: [00:15:23] 20 of the 25 were network observable, yeah.
Tom Bossert: [00:15:23] The fact that we can take them off the table for a customer, right? You asked, "Wh, what does the customer get?" They don't just get an elegant solution. That's cool, but a lot of times customers say I'll take a cheap blocking solution over an elegant, cool solution any day." no you won't. If our solution works 100% of the time because we find the actual presence of the bad thing, that's meaningful. And the competitor isn't a bad thing. We don't replace them. We say it's all an additive, complementary environment. You want to block things that come from a known bad IP address. You want to block things that come from a known bad country code. But the problem is you miss the things that are coming from a not previously known bad place or without hash values that have been built into the system. We're gonna catch it each time.
It's really, I don't know, not as profound to the listener as it is to us and to you guys, the practitioners, because you know what it means to do this. Most of the buyers and al- almost all of the policy makers in our country have no clue how profound that is. And I don't want disparage any of them but I've, you work for presidents of companies, CEOs, you work for presidents of the United States, and they really don't, you have sympathy for them, don't have the ability or the time to internalize the technical, trade-offs right? We tried to brief President Bush on botnet attacks, and he said, "Are you telling me little robots run around the internet? I don't know what you're all telling me you want me to do. If you need more money or authority, you let me know."
And we and he, it was the right, it was the right, response from his perspective. "If you need more money or authority, you let me know. How does that strategically position me to better defend the country or, to gain advantage over an adversary?" Great. Good questions for a President. The right answer, it turns out, is not to go and tell him how the CFB and the OLE sub,
Steve Ryan: [00:17:02] That's right.
Tom Bossert: [00:17:02] ... objects inside a o-
Steve Ryan: [00:17:03] "At [inaudible 00:18:46] 1,024-
Ron Gula: [00:17:03] Yeah.
Steve Ryan: [00:17:04] ... is where the buffer o- o-- occurs, Mr. President." [laughs]
Tom Bossert: [00:17:05] Yeah.
Ron Gula: [00:17:07] What you want to say is, "We just make it go away."
Tom Bossert: [00:17:08] Y- yeah. And so that's the answer. It sounds hard to believe. But you get a series of executives that say, "Listen, I just want it to go away."
Ron Gula: [00:17:14] Yeah.
Tom Bossert: [00:17:15] And we've got an elegant way of making more things go away, more persistently.
Ron Gula: [00:17:18] So let's play I'm the doubting CSO here.
Tom Bossert: [00:17:21] Yeah.
Ron Gula: [00:17:21] I say, "Okay, hey, I've got sandboxes. I've got a next-generation firewall. I've got five XTAO members on my hunt team. I've got DNS. Why do I need Trinity?"
Tom Bossert: [00:17:34] I got two answers.
Ron Gula: [00:17:35] Yeah.
Tom Bossert: [00:17:35] One, we're gonna reduce the noise. We're gonna reduce the false positives, so we're gonna increase your security. And, two, we're gonna give you rich contextual data and information that's gonna make all those really smart people better able to do their job.
Steve Ryan: [00:17:47] That's right.
Tom Bossert: [00:17:48] Period.
Steve Ryan: [00:17:48] Great example on that. When you think about, piece of malware that beacons out, what a lot of people do is say that's okay. I can just block the beacons," right? And you can. And a lot of people do, and that's not necessarily a bad thing. But you still got a, an infected box or infected boxes in your network. And good luck finding them, right? Behind nets, your, you've got all you can see out at your edge is, a whole bunch of beacons. And you don't know where they are. So what if you could intercept those beacons and reply back to them right from the network, right? What if a box, it's calling out saying, "I'm here. What do you want me to do?"
Instead of blocking that communication, why not grab the communication and answer back as though or get the answer back and change the answer to something like, "I have an idea. How about you uninstall yourself," right? Or if you can't do that, at least do something that makes it really apparent, where you are. Set yourself on a loop-back where you keep trying to connect to yourself. That'll get your hunter's attention. And then, so you can put the adversary's energy and use it against him, right? So that you can take these techniques that they're using and use them to benefit yourself from a defensive standpoint.
Tom Bossert: [00:18:57] I'm so glad Steve just said that because we're not a treat to the existing, marketplace, marketplace. We're here to complement them. Endpoint solutions increasingly are excited to work with Trinity because they say, "Geez, y- you remove the threat, bought us a little bit of time and a little bit of maneuverability, right? But you changed that traffic in some way that put a little canary in there for us, right? We're making it easier for the endpoint solutions to do their job. We're making it easier for the SOC team to do their job. We're not trying to claim that we solve everything. But if you solve the things that take all their time, you buy them more time, you buy the... If you've got former guys that were TAO guys, God bless you, you're already in a good spot. Most customers don't. And the problem there is, w- we want to help the county-
Steve Ryan: [00:19:42] There aren't enough of them.
Tom Bossert: [00:19:43] ... That we're sitting in.
Ron Gula: [00:19:43] That, that's where I was gonna go. Now let's I'm the CSO of the Buffalo Municipal School System which recently got locked out for ransomware.
Tom Bossert: [00:19:51] Yep.
Ron Gula: [00:19:51] Now these school systems, they have IT people. They've got budgets. They usually don't have five people from TAO on a hunt team. What does Trinity do in so-... Is this another box? Like how would a municipality deploy something like this?
Tom Bossert: [00:20:03] Yeah.
Steve Ryan: [00:20:03] Yeah, the way this works is the traffic has to go through us, right? We are an inline solution. And we're not, and we don't shy away from that, right? In order to do the kinds of things that we do, in order to d-, to do the deep inspection of the sessions, you have to build it. And you build it in both directions 'cause you see the requests and the response simultaneously when you do that. And that's when you get the real power. And the only way to do that is to live in the path. We live in the path. And so you get a municipality, and so you work with their providers. And you move their traffic through us, right? We're into the biggest data centers around the country. All of the internet traffic goes through these data centers anyway, right? And so all we do is make sure that, as the traffic's going through that data center, it makes a little detour through us and back. And so that municipality gets the same level of protection, this notion of looking at state-sponsored tradecraft, real high-end stuff, find it, take it out of the session, make it clean, right? And do that with a whole team of people that are former operators for the National Security Age- Agency protecting the DoD and the [crosstalk 00:23:13].
Tom Bossert: [00:21:12] Y- you kind of tee, you teed us up for a softball there, right? That's a great pitch. What does a small municipality that has important traffic do to get their hands on TAO-level, former NSA executives and operators, analysts and engineering? That's what we do. This is the short way of saying what Steve just said is that's a private cloud offering. And the cloud is everything and nothing to a lot of people. But it means that, to that county, our Trinity service on their traffic is as, as close as a millisecond away.
Steve Ryan: [00:21:38] And from that point of view, from a resources thing, they don't have to buy multiple boxes. They don't have to do that. And it just goes through the cloud which is great.
Tom Bossert: [00:21:46] And they get the bodies.
And on top of that-
Steve Ryan: [00:21:47] And they get that. And-
Tom Bossert: [00:21:48] ... you think about how expensive these, the, finding good talent is hard. And you have to pay for it. And you have to pay a lot of money for it. And you think about being able to apply this talent to your problem across the board, it's pretty powerful.
Steve Ryan: [00:22:01] And cyber products in many ways are like free puppies. Once you get them, you've got to care for them. You've got to get people trained on it. You get stuff like... With this, unless there's an attack, there's no alerts.
Tom Bossert: [00:22:14] There's notifications, right?
Steve Ryan: [00:22:16] Yeah.
Tom Bossert: [00:22:16] And so that's think of that, it's a historic notification. It might be a millisecond in history.
Steve Ryan: [00:22:21] [affirmative].
Tom Bossert: [00:22:21] But you get a notification that something was just removed from your network traffic, not that something's in it that you have to go track down. But I think maybe the best way to say it is y- it's, the training of those puppies is uneven at best, right? We've all... I had good friends with dogs that aren't well trained, the idea here is that our capabilities on expert mode, on expert settings, being run by experts for you. We sell it as a service. Not to disparage the model, but what you and we have all seen over the last decade, a lot of next-gen firewalls, IPS, they require a customer to go through training and do a lot of things to maintain those settings in a way that are best and most conducive to the best outcome. That's great.
We still encourage that. We don't want to replace a next-gen firewall. But we don't let you do that because to get in the middle, as we're describing this flagship service of inline, sub-millisecond engineering, right? The engineering that goes into to m-, looking at traffic that deeply and modifying it in flight, you have to know what you're doing. And you have to be good at it. And that's why, yeah, we're f-, we're, [inaudible 00:25:36] been in business for four years. We're disruptive. We're getting a lot of traction. But it's because we've kept people that have been doing that kind of work for 15 years in the largest organization in the world.
Steve Ryan: [00:23:32] Yeah.
Ron Gula: [00:23:32] Let's make this a little bit more realistic. We just had this exchange vulnerability where people are still running Exchange on-prem.
Steve Ryan: [00:23:38] [affirmative].
Ron Gula: [00:23:38] The patch was out for a long time.
Steve Ryan: [00:23:40] Yeah.
Ron Gula: [00:23:40] However, people still aren't applying it. Is this the kind of vulnerability you would clean-
Steve Ryan: [00:23:45] Yeah.
Ron Gula: [00:23:45] ... And protect?
Steve Ryan: [00:23:46] You just take it right off the board. Honestly, we just take it off the board. It's an- and can't explain that enough. And it goes, a- again it's like all the way down to our roots. We look for these techniques. We look for the fact that somebody's trying to take advantage of this vulnerability. And we c-, you can see that in the network traffic. And you quite literally remove it. And now it's-
Tom Bossert: [00:24:07] Then it makes this-
Steve Ryan: [00:24:07] ... what the result is you don't get hit, so that, that's really powerful. The view from the bad guys is you patched, right? Even though you haven't, right? That's a really important thing. We make the view for the bad guy appear as though you've patched. You haven't patched. And so this telemetry that you get is not only, "Hey, we just took this bad thing out of your network traffic," but we can tell you that somebody was just going after this server using this exploit. You don't want to patch, if you can't patch, w- we got you. That's a really powerful thing. There's a lot of folks will say you should just patch." There are a lot of good reasons why you can't patch.
Ron Gula: [00:24:45] I think the reason the NSA puts out a list of 25 vulnerabilities the Chinese are exploiting because if they were all patched the Chinese wouldn't be exploiting them, right? Clearly there's targets out there that, that-
Steve Ryan: [00:24:55] There are.
Ron Gula: [00:24:55] ... are ongoing here. What's the most obscure kind of vulnerability that you prevent being exploited? Is there something in there? We're all talking about Exchange right now. And where I'm coming from, so I used to run Tenable network security.
Steve Ryan: [00:25:08] Yeah.
Ron Gula: [00:25:08] We would audit 100,000 vulnerabilities. Lot- lots of vulnerabilities. And then people would say you just got to patch your highs." And every now and then a pen tester would come and be like there's this low vulnerability if you have this low and this medium. I can chain these two things together and then, boom I'm [inaudible 00:27:47] on your domain controller."
Steve Ryan: [00:25:25] Oh, wow.
Ron Gula: [00:25:26] Stumped, I stumped Steve.
Tom Bossert: [00:25:27] Yeah, you stumped Steve.
Ron Gula: [00:25:27] I stumped Steve.
Steve Ryan: [00:25:28] No, there's one of the ones that that the team had a lot of fun with, I think it's on the obscure side. But I'll say that it's also on the fun side was a bot that communicated over raw TCP.
Ron Gula: [00:25:43] [affirmative].
Steve Ryan: [00:25:43] And so you think about, the firewall settings or the secure web gateway, and so on and so forth, all looking for, protocols and communications within those protocols and the vulnerabilities that may or may not be apparent there. And this thing was just communicating over encoded data right in straight TCP. And it gets right past everything. And but it doesn't get past us. And what's really, this is where the team had the most fun here was being able to get in the middle of the command and control of this botnet and on, on one side clean the bot from the machine. The, a machine calls in and says, "Hey." It checks into the controller. We tell the machine to uninstall it, to, the bot to uninstall itself off the machine. Awesome. But to the controller we're telling the controller that the mach-, that the machines, the bots still live.
Tom Bossert: [00:26:37] Send an [inaudible 00:29:15] code and say, "Send me back second stage command."
Now, we're in between. We'll, the technology's important. And we'll sell it to clean files. We have different products, right? But if you do it, if you deploy it the way we're describing, that's the kind of, that's the flagship, right? That's the service. You know-
Steve Ryan: [00:26:51] That's more fun than anybody should be allowed to have.
Ron Gula: [00:26:53] [laughs]
Tom Bossert: [00:26:53] ... it re-, it, so it's you don't want to use marketing terms. But man in the middle has become this negative, right? And it is. It's what bad guys do to take over, good people's networks. But we're intentionally designing ourselves here to be a good guy man in the middle. And I think that's what's so pround, profound about it. What?, 90% of traffic is HTTP, HTTPS, right? It's this web traffic. Ask the average person what's the difference between internet and web, and they say, "I don't know."
Steve Ryan: [00:27:16] It's all in the cloud.
Tom Bossert: [00:27:17] It's all in the cloud, right?
Ron Gula: [00:27:18] It's all in the could.
Tom Bossert: [00:27:18] But, it's, th-, that other 10% is pretty important stuff. And the fact that we're looking at protocol fields and that we're looking for, bad things and raw, UDP and TCP an- and that we're able to look at SMTP-
Steve Ryan: [00:27:29] Yeah.
Tom Bossert: [00:27:30] ... and things that are not HTTPS and HTTP makes us an internet solution not a web solution. And it's pretty cool. You get into that, and then you think that we can start sending invalid responses to scanning requests, and it starts to get cooler-
Steve Ryan: [00:27:43] Yeah.
Tom Bossert: [00:27:43] ... And cooler.
Steve Ryan: [00:27:43] And you find the executables being sent to your IoT devices, and you take them off the wire.
Tom Bossert: [00:27:48] Yeah.
Steve Ryan: [00:27:48] That's pretty powerful too.
Tom Bossert: [00:27:49] Yeah.
Ron Gula: [00:27:49] Excellent. The go to market is pretty unique for what I call you guys's intrusion prevention company from the future, right?
Steve Ryan: [00:27:57] Yeah.
Ron Gula: [00:27:58] You can do it with ISPs.
Tom Bossert: [00:27:59] We like it when you say intrusion prevention on steroids. [laughs]
Ron Gula: [00:28:01] From the future? Yeah, or ster- steroid, it's steroid-induced future coolness, right?
Steve Ryan: [00:28:05] Yeah, we love it.
Tom Bossert: [00:28:07] Oh yeah.
Ron Gula: [00:28:07] You partner with MSSPs?
Tom Bossert: [00:28:08] We do.
Ron Gula: [00:28:09] You can really... And the thing I like about the MSSP is, I mean I've been working with MSSPs for the past 20 years, I haven't seen a technology like this change the analyst to customer or analyst to event ratio. This is a really good type of very positive. And then you can also sell direct to governments, to counties, to enterprises, small business. It's, that, that's a really good combination.
Tom Bossert: [00:28:32] What's so cool is that the MSSPs they're all good. I mean I really have not run into a bad MSSP, right? They're all in business for the right reason. The first thing they say is, "Do you add value to our customer?" Yeah, we do that. We go through that. We prove that.
Ron Gula: [00:28:43] Check.
Tom Bossert: [00:28:43] Then they say, "Wait a minute, how do you improve our business?" And we say we stop more, and you don't have to put more money and effort into it." And they go, "Great. Less effort on our part, more efficient results." the business model, checks off all their needs. Their customers are happy. They're doing less work. We're providing more deep contextual information. But then you get into the higher-end MSSPs that are doing the incident response and the investigatory work, they really love what we're doing because we're sitting there giving them the opportunity to control that command and control back and forth while they're investigating. You don't put the network at risk.
Steve Ryan: [00:29:13] [crosstalk 00:32:04] canaries in files, yeah.
Tom Bossert: [00:29:14] Yeah the kind of things you can do to make, the big MSSPs happy is exciting. But the business model, our sweet spot right now, getting the cloud service providers as partners, getting the MSSPs as partners, and getting volume adoption, it's great. It's like we're gonna actually make a difference.
Ron Gula: [00:29:31] That's one of the big reasons I was exciting about investing. I think this is the type of technology that if you had in the ISP fabric if you had access to this at MSSP level, it's a level up. And it's been an arms race for the last 20, 25 years.
Tom Bossert: [00:29:43] It has.
Ron Gula: [00:29:43] But this is a big leap in, in this type of thing. I think the last thing I wanted to ask about on the tech side is, a lot of people think about malware analysis, file-base analysis with sandboxes. And you've basically done what sandboxes do in less than a second, milliseconds.
Tom Bossert: [00:29:58] [affirmative].
Ron Gula: [00:29:58] What are your thoughts on just state of the art with sandboxes? There's evasion techniques, there's, there's some executables you wait a week until, there's a mouse movement, then it leaps into action, right?
You think you've gotten around all those kind of, of techniques?
Steve Ryan: [00:30:11] Yeah, I'll never say we got around all of them, right?
Ron Gula: [00:30:13] [affirmative].
Steve Ryan: [00:30:13] But the idea is that as you start stacking those techniques up... I don't want, again, it sounds simple and it's easy for those of us who don't have to do it.
Tom Bossert: [00:30:22] Yeah,
Steve Ryan: [00:30:22] but it-
Tom Bossert: [00:30:23] That's a common saying in our company.
Steve Ryan: [00:30:24] It is. [laughs]
Tom Bossert: [00:30:24] For Steve, yeah.
Steve Ryan: [00:30:25] But if you have the ability to look for those techniques, that's when it's really powerful. And, again, not looking for the standard kind of IOC things which, again, is important. But when you can look at, look w-, deep within the file or the delivery of the file... Sometimes it's not the file you're looking for, it's how it's being delivered, right? The technique that's being used to tuck it in a corner, right?
Tom Bossert: [00:30:50] I can't help but be the business guy here, right? I know that was a technical answer. But we don't want to fight the market. If you want to take a copy of your traffic, you don't like an inline solution, you want to send it to a sandbox, that's cool. W- we add our capability to your, sandbox, to your favorite service, and it just makes it better and faster. It makes it deeper and more accurate. It's, e- eventually people will become more and more, those that are skeptical will become more and more comfortable with what we deliver. And they say, "Okay, we'll go inline with you." But for today, you want to sandbox all of your traffic and run it run it through a 30-minute or three-hour delay, cool. Maybe you recommend to your sandbox service or company that they add our engine, and we can reduce that timeframe considerably. And-
Steve Ryan: [00:31:30] And increase your accuracy performance.
Tom Bossert: [00:31:32] Split the money all the way around.
Steve Ryan: [00:31:33] Yeah.
Ron Gula: [00:31:34] All right, I want to awkwardly transition out of the Trinity sort of technol- technology and go-to market review. And just y- you both come from a wealth of I'll just call it nation state, leadership-
Steve Ryan: [00:31:46] [affirmative].
Ron Gula: [00:31:46] ... For everything from national defense in cyber. So let's just pivot right to that. Your ex-NSA. You're ex-DHS, ex- White House. And, so I want to ask some kind of, I think they're controversial questions, but they're really top of mind right now, especially if you look at the transition from the Trump administration to the Biden administration and all this new investment in cybersecurity, right? So could you frame for our viewers maybe I'll start with Tom, when we talk about defend forward, when we talk about defending the nation in cyberspace, what does that mean for the person who's got a Comcast internet connection at a pizza shop?
Tom Bossert: [00:32:23] Noth-, not much. [laughs] Not much, right? And boy, you just asked me a really important question. Let me see if I can back up and maybe establish my role in creating that, that policy. The idea of defend forward really starting the 2004 and '05 timeframe when we were having debates in the White House. And I have to look back on this, I was told I'm the only guy that's held every policy rank in our National Security Council staff model, right? You started you started at a assistant secretary level by rank protocol, and you end up as a cabinet member by rank protocol, and you do all the jobs in between. You coordinate all these, smart cats and dogs. And you realize that they have the same arguments over and over again.
On one macro level you end up with a, a- any meeting a President attends, they can pretty much guess that OMB doesn't want to pay for it and DoD wants to shoot it. The State Department wants to talk to it, and the CIA wants to spy on it, and so on. You have some roles that are predictable. But what I found was there was a predictable reoccurring fight in the cy-, in the national cyber debate about the appropriate role of the federal government. This highly distributed problem that we've just talked about from the bottom end of the customer and the target but now you got this kind of federal government that wants to provide some centralized solution to a distributed problem. They constantly struggle with what their role is and how they can help. And, in our country, we've got a distrust of centralized government for a lot of good reasons. We don't really have a lot of latitude there.
And we had this debate over whether we would, when it's in our lawful, clearly authorized right to do it and within our national interest to do it, should we, as a country, gain access to someone else's, let's say a foreign country, an adversary's system. The debate rages as to when you shouldn't, what techniques you should or should not use, and how much you should share. What I found was, back then and all the way through to today, the argument centers on the human relationships not on the technology. And the questions becomes I don't mind if I offend an adversary, but I don't want to offend an ally." it gets a little bit hard, as you both know, in the technological space, to draw those human lines.
Steve Ryan: [00:34:32] There's allies and then there's allies.
Ron Gula: [00:34:34] Yeah, that's right.
Tom Bossert: [00:34:34] There's allies and then there's allies that, that spy on you, and so on. And not everybody plays by the same rules. And so one of the debates that raged was this question, and I'll say it in a way it's not classified, right? But it was this question of whether you want to essentially hack into another person, another country's networks. And in so doing perhaps do something that would be offensive to or against the standard rules, norms, or laws of an allied nation. Do you want to take down a terrorist network and, in so doing, infringe on some German infrastructure? You had to trade that, have a trade-off conversation. Almost every other country reached the conclusion that they're gonna do what's in their interests first and foremost and then beg forgiveness from their ally, provided that you don't shut down the German internet a- and you're just taking a small step that might offend or might step on their toes. You gain forgiveness, you work with your closest allies to coordinate when you can, but you do what's in what's right for the country.
And I was always moved by that debate because the US was slow to adopt that mentality. And when I got into the Trump administration and began to push that conversation forward we had this kind of series of conversations that led to, "Hey, this is like defense forward. If you got to do something that steps on the toes of an ally, as long as it's not out of bounds, and we'll define that, in the fine print, let's do it. Because it's for the greater good. You want to bring down the terrorist network, you want to spy on the country that's gonna build a nuclear weapon and deploy it to kill your people, then do it. That's absolutely right and just. And if, in the meantime, you might burn a chip or break some trust with an allied country manage that." And what it turns out to be is a good policy. Because every other country came through my office and came through to talk to the President in the Oval and said, "Yeah, we were already there. We're not all that offended that you've taken that view.
But what we don't want you to do as the United States is to go so far as to give up the moral center and the leadership role that you've got." for me, the important part is constant management of that policy. I need somebody there that's gonna say, "Wait a minute, the US is the sheriff. We stand for good and right. We don't stand for just breaking up and causing disruption to corporate networks around the world for our own selfish interests. It's got to be high standards. It's got to be a really responsible leader that's in charge, but it's also got to be a lot of smart people that know how to tailor the use of our capabilities like you two to make sure that there's not any disproportional effect around the world."
And then I'll get off my long answer here by saying contrast that with what you saw Russia do with NotPetya. They took a known vulnerability. They created an exploit. They went after Ukraine and any company doing business there. And they launched it without any kind of constraint, any kind of technological ability to stop its propagation. North of $10 billion of indiscriminate damage across the country ensues, across the world ensues, and even affecting their own people. And they don't really care. The US doesn't act that way, right? And so what's really important is that we take a defend forward mentality but with a lot of caution.
Ron Gula: [00:37:39] And for the pizza shop owner?
Tom Bossert: [00:37:42] They're all sitting around as I started saying, "What does all that mean to me?"
Ron Gula: [00:37:45] Yeah.
Tom Bossert: [00:37:45] And it's the dis- distributed problem. It doesn't mean much to them unless that defense forward mentality goes after the bad guys that's going, that are going after them. And, and/or, if we can really get to the Shangri-La, we get enough agreement among foreign leaders that they stop doing things that will indiscriminately hurt the pizza shop owner for no good reason. NotPetya shut down things that were anywhere near the target, right? They weren't, they were ancillary, they weren't conceived of by the targeted designers, by the weaponeers. And, so some pizza shot guy got hit by that, right? Some hospital got hit by that. And he's sitting around, or she is sitting around looking at their government saying, "What are you gonna do about it?" And I think we have to do something about it that's bigger than ones and zeros. But, at the same time, we have to behave in the ones and zeros in a way we want everyone to, follow our lead and behave as. It's a golden rule.
Ron Gula: [00:38:35] S- Steve the NSA, without going into classified stuff because, the classified segment of the Gula Tech Cyber Fiction Show will be up after this, right?
Steve Ryan: [00:38:42] [laughs]
Ron Gula: [00:38:42] The NSA has a defensive mission to protect the DoD.
Steve Ryan: [00:38:46] [affirmative].
Ron Gula: [00:38:46] Protect communications-
Steve Ryan: [00:38:47] Yes, it does.
Ron Gula: [00:38:47] ... ensure things there. And I don't think the general public really understands that. Can you talk about that, talk about the Cybersecurity Directorate and just kind of-
Steve Ryan: [00:38:56] Yeah.
Ron Gula: [00:38:56] ... that, that stuff?
Steve Ryan: [00:38:57] No that's really cool. I think most people look at NSA as, from the movies, right? Spying on everybody and, doing these evil things zip lining out of Black Hawks and, right?
Ron Gula: [00:39:07] Oh, we all did that.
Steve Ryan: [00:39:07] Yeah, we all did that.
Ron Gula: [00:39:08] Yeah.
Steve Ryan: [00:39:08] But that's not what it's like. And and so much it, of it, a-, is about defending the nation in general. And then, on the cyber s- side, there's a s-, explicit authority to protect Defartment, Department of Defense networks actively to protect. That was my role when I was there. And so what makes that really powerful is the ability to use the intelligence that's gathered about what foreign bad guys are planning to do and being able to use that actively. And I'll tell you there's, nobody has that nailed better, right? There, there isn't any better contextual threat intelligence that comes than, that what comes out of the NSA.
Ron Gula: [00:39:47] And it's funny 'cause we invested in Flashpoint. I got friends at Recorded Futures a bunch of different threat companies out there, threat intelligence companies. And they all are full of smart people. I'm like, "Yeah, but you don't have reconnaissance satellites. You don't have informants walking into your embassies. You don't have active deception ops. I think the NSA is in a much better place to understand threats than anybody else.
Steve Ryan: [00:40:07] Yeah. Yeah, for sure. They they understand not only the technology behind them like how they work what this particular exploit does and how it gets its payload, but they understand the mindset of the adversaries, the motivation who these people are and what they're all about.
Tom Bossert: [00:40:27] I think the Biden team is standing on, as all of us have done in our government service, the shoulders of those that have come before us. Not to bastardize that, that phrase, right? It's [inaudible 00:44:30]. But the idea that they've got an opportunity now, with I think a more trusting public, more frustrated with the threat and the recurring kind of nature of all these intrusion to now share contextualized information, basically share threat intelligence that they get through, lawful but by only nation state level means with the private industry that's out here trying to protect the guy in the pizza shop and the county that, that's running the water treatment facility.
Ron Gula: [00:41:05] [crosstalk 00:45:00].
Tom Bossert: [00:41:05] They've got an opportunity to do that and I think they're gonna. And I honestly believe in the leadership team. Anne Neuberger and Rob Joyce and Chris DeRusha is a very promising guy that's, that our CSO here for the country. All of them seem to be on the right path. And we'll see what they do. But I think they're gonna now have to figure out how to change the nature of what has always been a little bit of a tired thing, information sharing. That's a really tiresome, boring, repeated talking point. I think they can change the relationship between private industry and government. And I think there's a, the timing's right, right? I think there's a condition for it.
Steve Ryan: [00:41:38] It is.
Ron Gula: [00:41:39] Let's talk about this a little bit. Anne is joining the National Security Council.
Tom Bossert: [00:41:43] Yep.
Ron Gula: [00:41:43] And she comes from the NSA's Computer Cybersecurity Directorate.
Steve Ryan: [00:41:49] Yes, she does.
Ron Gula: [00:41:50] Which is not Cyber Command. I've already seen it reported incorrectly that she came from cy-... C-, walk us through what's the difference between Cyber Command and the Directorate.
Steve Ryan: [00:41:58] Yeah, so they're, these are two organizations that are inexorably linked, right? I was on the team that crated Cyber Command back in in 2010. And the idea was to create an organization that would have more of an operational view of cyber for the nation. Again, specifically for the DoD but then broader for the nation. The National Security Agency is largely about the intelligence that is gathered to fuel operations, right? Some say NSA doesn't do operations but the two of them together are, are super powerful. You got the National Security Agency driving and the delivery of the intelligence about the adversary. And you've got the Command being able to do something about the adversary.
Tom Bossert: [00:42:45] I'll tell you, this might not sound right, and I always have to struggle with the words so that the listener doesn't misunderstand me. But this nation needs more, better defense than offense. I'm not saying we shouldn't reserve the right to do what we have to in the interest of our national security. I'm all for that. I've got a record of it. At some points in time you have to do what you have to do. But, by and large, the problem we have is a policy set, a large line or lineage of policy makers that don't understand the weaponeering. Imagine if you were to put a kid in a tank or give him a gun in the military you teach him the weaponeering of their weapon, you teach them how fast the bullet comes out of the muzzle. You teach them all sorts of things. Here's the bug splatter. Here's what'll happen if you fire this ordnance or this missile, how far it'll go, how many people it'll hurt. Among other reasons, you don't want them to hurt someone that's not their target or some innocent bystanders.
If you think about that, there's been a couple of good pieces. I'll give Andy Greenberg a shout-out here, Wired Magazine, he wrote about the double-edge sword. I don't know if you saw that article recently. Great article. Go read that. It paints the picture of the dilemma here in the cyber world. You release, a, an exploit and therefore the vulnerability, into the wild. You go after a target, and it's like that scene from Hunt for Red October where, the missile comes back around 'cause they took the fail-safe off the thing. The torpedo comes back around to blow up the boat that fired it. And there's, I forget the exact quote, but it's you arrogant bastard, you blew us up."
An- and that's the whole point. We've been so focused on offense and defense, and you two both know this, but I think, the general public think of it as a football game, black and white, offense and defense. And you know it's a little bit more complicated. This is a I think, the moment and the timing is right for them to not be in that black and white mode. I think Anne comes from the nuanced side of Cyber Command. That's the best way to describe it to the listener. And that nuance is important because she's got an opportunity to increase our collective defenses. I'm all for it. I know a lot of people are out talking about collective defenses. It's not a sales pitch. It's important for the country. We're a complement to the other services i- in the market kind of talk that we've covered.
But in a policy world, if we don't have a collective capability and a mentality of, "Get this country in a better place," we're gonna be on the losing side of an asymmetric war-
Ron Gula: [00:45:00] Yeah, w-
Tom Bossert: [00:45:00] ... which is really odd because we're the big ones.
Ron Gula: [00:45:03] We have the resources and we have the talent and they're not being put in to the right use at a national level. And they can be.
Tom Bossert: [00:45:10] I got in a-, I got in a-, I got in a lot of trouble, Ron, f- for saying this. And I'll tell you why. I don't regret saying it but I, I said it, artfully. And I suggested that we were gonna change our policy in a way that would put some of my colleagues and former TAO types in physical harm's way. But, I explained to a group of people, large industry leaders, CEOs, Fortune 1,000 companies, that if you really look at the number of smart guys, the Ron Gulas and Steve Ryans of the world but the ones that, that live and work for other countries, if you look at the number of people that are really able to develop the elegant tools, the real exploits that are really problematic, that make it onto the front pages, there's not that many of them, right? The guys that design and built the Patriot missile-
Ron Gula: [00:45:51] You ha-, you have a list of these people?
Tom Bossert: [00:45:52] I think it's a small enough list that I'm, I got in trouble for saying we should get out hands around their throats or their wallets. But the idea here is that we've got human beings behind these keyboards. That's what led Steve to develop our capability. You don't go after just the ones and zeros, you go after the methodology of the bad guy. And you can create a massive difference. But-
Ron Gula: [00:46:11] Y- you're talking like a spy novel, right? There used to be like MI6 programs that went out and assassinated people who had multiple PhDs-
Tom Bossert: [00:46:18] Yeah.
Ron Gula: [00:46:18] ... 'cause that's where innovation came from, right?
Tom Bossert: [00:46:19] Yeah, I don't want to assassinate people with PhDs.
Ron Gula: [00:46:21] [laughs]
Tom Bossert: [00:46:21] But you do want to keep track of the people that take the- these super powers and use them for evil.
Steve Ryan: [00:46:27] Yeah, and there is hierarchy, right? When you really look at all the bad things that have happened and you roll it up. And they ride on the shoulders of perhaps a whole bunch of vulnerabilities. And they ride on the shoulders of a who-, of a smaller number of exploits that ride on the shoulders of a-
Ron Gula: [00:46:43] Well-
Steve Ryan: [00:46:43] ... handful of techniques written by a few people.
Tom Bossert: [00:46:46] Yeah.
Ron Gula: [00:46:46] [inaudible 00:51:07]-
Steve Ryan: [00:46:47] The further you up are you are on the stack here the more broad the application.
Ron Gula: [00:46:52] Yeah. And it's funny 'cause if you go back to the '90s, if you were a hacker-
Tom Bossert: [00:46:56] Back before we called it cyber.
Ron Gula: [00:46:58] Before we called... Exactly.
Tom Bossert: [00:46:58] For those of us who are resisting the term. [laughs]
Ron Gula: [00:47:01] ... If I met another hacker, I might exchange one tool for another tool.
Tom Bossert: [00:47:07] Yeah.
Ron Gula: [00:47:07] But, holy cow, if I could write my own tools-
Tom Bossert: [00:47:10] Yeah.
Ron Gula: [00:47:10] ... I didn't, I wasn't dependent upon that. And that, that was kinda how things happened. And then somewhere around like the late '90s or so, it became cool to drop zero-days, drop the zero-day tools and put those things out there. And we still kinda haven't really recovered from that. So-
Steve Ryan: [00:47:25] Yeah, we haven't. Look at the difference between, when I got into this business, I said I was a chip guy and I, I walked in the door of this organization that was doing defensive operations, defensive network operations, and I walked in the door like a week before the ILOVEYOU virus hit, right? And that was like, that was a holy cow moment, right? Across the world. C- compare and contrast ILOVEYOU virus with WannaCry, right? Not a whole lot of difference, in terms of vulnerability and how it was exploited and how it spread and the damage that it caused. And not a whole lot of difference in the response. But 17 years between one and the other, right? Not a lot of changed. [laughs]
Ron Gula: [00:48:10] I want to go from that to SolarWinds. 'Cause SolarWinds was a different kind of technique. How do you guys react to SolarWinds, the way that was a supply chain attack?
Tom Bossert: [00:48:19] One of the things, I want to jump in on that one, that I should make clear because, now we're in this company, we don't put our hands around the necks or the wallets of the bad guys in a private industry, and nor should we. That's a government policy. That's from my old days in government, right?
Steve Ryan: [00:48:30] But we do make it harder.
Tom Bossert: [00:48:31] But what we do is we put our hands around the ones and zeros that they're using as a weapon, right? And so a ton of terrible analogies I don't want to get into them, right? But the idea of attacking the methodology as a Patriot missile here. You're not sh-, you're not firing at the archer, right? You're really going after the arrow in flight. You've heard this analogy before from General Alexander. At this point, when you ask about SolarWind, you get a lot of people thinking, "Man, maybe Trinity is an offensive company." No not the case. But the idea of being able to see the techniques for hide and command and control traffic, and then stopping, altering or messing with that command and control traffic so that the bad guy doesn't get the desired outcome is key.
And it's key for one really misunderstood reason: people are focused on the supply chain, the Trojan horse of SolarWinds. How did all the bad guys get in? They got in to this, Trojan horse, and they were accepted in the front door with a digitally trusted software update on the Orion software. They got inside your network, then they all climbed out of the belly of the Trojan horse. And for six to nine months, they established other means of beaconing out and communicating back home and getting administrative level controls laterally of the network that w-, that was infected. What does Trinity Cyber do? We see, catch and stop, and hopefully shorten the discovery period substantially from six to nine months to six to nine days that command and control traffic that all of those that all of those, bad guys inside the network were establishing for that period of time.
You don't always have to prevent everything to stop the bad outcome. And it's important that people don't think that we're then going so far as to, hacking their chip sets and damaging them.
Steve Ryan: [00:50:11] Yeah.
Tom Bossert: [00:50:11] That's not for, that's not for private industry to do.
Steve Ryan: [00:50:13] No, I'll tell you, we have this really cool technique that we use where we can find malicious stuff, code, command and control, exfiltration, bolted onto the back of image files. And I remember when we first started doing-
Ron Gula: [00:50:28] Now wait a second. For, the listeners here-
Steve Ryan: [00:50:30] ... pictures. Yeah.
Ron Gula: [00:50:31] ... I'm sending images of my family vacation, stuff like that.
Steve Ryan: [00:50:34] That's right. That's right.
Ron Gula: [00:50:34] And you're saying we, we can use that for command and control?
Steve Ryan: [00:50:36] Absolutely.
Ron Gula: [00:50:37] All right.
Steve Ryan: [00:50:37] Absolutely. The, there's no checks for compliance, right? At the end of the day you're looking at this beautiful photograph. But on a computer it's a bunch of ones and zeros. And those ones and zeros come to an end. And there's a little section that says, "This is the end." but if there's stuff after that nothing checks. [laughs] This is, it's true. And so I remember we were giving demonstrations of this. Like we could show "Watch. I'm gonna, I'm gonna go to this website and I'm gonna pull down this picture that has this known maliciousness on the back of it. We're gonna pull it down. And then, after it goes through Trinity Cyber, you'll see there's no maliciousness. How awesome." and it was, looks like a cool little parlor trick. And I think people think this is kinda neat." but lately I've read two articles in the last two weeks of these novel methods of injecting command and control and exfiltrating content through the use of image files.
Tom Bossert: [00:51:33] Steganography.
Steve Ryan: [00:51:33] And we've had this as a counter technique for years. It doesn't matter. I don't care what the picture is. I don't care what format it is. I don't care whether it's on a website or being sent through an upload or a download. It doesn't matter. We just take it right out.
Ron Gula: [00:51:50] Trick question, so we had the ILOVEYOU virus, we had WannaCry, we had NotPetya.
Steve Ryan: [00:51:55] Yeah.
Ron Gula: [00:51:56] Even this Exchange hack was the, so-, had some other name. I forget the name of it. But it wasn't the Exchange hack. It was this name. Why was SolarWinds named the SolarWinds hack?
Tom Bossert: [00:52:06] Oh, it drives me crazy.
Steve Ryan: [00:52:07] Because of the company.
Tom Bossert: [00:52:08] Yeah, but, but-
Ron Gula: [00:52:09] Of course. But why was it named SolarWinds?
Tom Bossert: [00:52:11] Why do-, why-
Steve Ryan: [00:52:11] Oh yeah.
Ron Gula: [00:52:11] Meltdown wasn't called the Intel thing.
Steve Ryan: [00:52:14] That's true.
Ron Gula: [00:52:14] You know why? 'Cause Microsoft named it. And Microsoft does a lot, right?
Tom Bossert: [00:52:21] That's great.
Ron Gula: [00:52:21] But I think they, they kinda had some help in naming that-
Tom Bossert: [00:52:24] Yeah.
Ron Gula: [00:52:24] ... We'll see about that. We'll get flame for that one.
Tom Bossert: [00:52:26] Yeah.
Steve Ryan: [00:52:26] Oh yeah. What do you say? You're like, "Nothing to see here." [laughs]
Tom Bossert: [00:52:29] Yeah.
Steve Ryan: [00:52:29] "Hey, it wasn't a Microsoft problem."
Tom Bossert: [00:52:30] Here, we'll do a little damage control. Microsoft, Brad Smith put out a great a great blog post after SolarWinds.
Steve Ryan: [00:52:37] He sure did, yeah.
Tom Bossert: [00:52:37] And I associate myself with every word in it.
Steve Ryan: [00:52:40] Yeah.
Ron Gula: [00:52:40] Yeah, and Mi- Microsoft does so much to help security.
Tom Bossert: [00:52:42] Oh!
Ron Gula: [00:52:42] But they're the target.
Tom Bossert: [00:52:43] But they're also the target. And they're also the, beneficiary of a lot of our dumb, government decisions and good government and bad government around the world. But on that note, it's really upsetting when the hack is named after the victim. And if we can change the mentality around-
Steve Ryan: [00:52:57] Yeah, I'm-
Tom Bossert: [00:52:57] ... to name it after the bad guy I'm all for it.
Ron Gula: [00:52:59] Yeah. Yeah, I'm not a fan of calling it the SolarWinds hack. We should've had a cool logo and stuff like that. All right two more questions. We'll talk about science fiction and I will thank you guys for a great interview so far. All right, so the Solarium. We had the Solarium which was an effort by Congress with a lot of different help from different parts of the government to come up with recommendations for cybersecurity, 85 different recommendations. One of them is we need a White House cybersecurity czar, a cybersecurity coordinator, a cybersecurity, whatever. I'm just gonna ask Tom, how is that gonna help the Biden administration if we get one of those?
Tom Bossert: [00:53:35] You're the first guy to get me on air to answer this question.
Ron Gula: [00:53:37] Wow.
Tom Bossert: [00:53:37] An- and I'll tell you, I've been ducking it for a lot of good reasons. I've answered the members of Congress, senators and others that have asked me Biden administration officials. But because it's difficult to answer, I want to be careful. H- here's my view. For any organizational structure to work, you've got to have somebody in charge. You've got to have that person trusted by the President, and trusted by his cabinet to implement change. They've got to have experience. Access, experience, responsibility, all of that stuff is really common, basic management. But, right now, I think there's a misunderstanding in this town. You have to align incentives, authorities and budget. And so if we have a new person, a czar or a director, it's gonna, it's gonna really matter more whether that person is good, can lead with knowledge more than rank, and whether that person can galvanize a kind of unity of effort. Because, otherwise, all the departments and agencies and all their jurisdictions and all their congressional committees will slow roll.
Ron Gula: [00:54:34] They'll do what they want, yeah.
Tom Bossert: [00:54:35] And I honestly think that the current team, regardless of the good work in the Solarium Commission, is more poised for success than in the past. Not because of those recommendations but because I think at this stage we finally have Congress willing to listen to somebody who stands up that knows what they're talking about and says, "This is the direction we're gonna go." They don't even have to get it 100% right. As long as we all follow that person, we'll make a tremendous amount of progress.
Steve Ryan: [00:55:01] Agreed.
Ron Gula: [00:55:01] Czar might not be the best name for this?
If we're gonna be fighting the Russians in cyberspace.
Steve Ryan: [00:55:05]
Ron Gula: [00:55:05] Da, yeah. Will this person become the Dr. Fauci of cybersecurity?
Tom Bossert: [00:55:11] You know what? I can also speak to this 'cause I got a lot of b- a lot of time spent planning for a pandemic. And I don't think Tony Fauci will be upset to hear me say this. I'm friends with him. I've known him for a long time. He's not infallible. He made his share of mistakes through this pandemic. He's humble enough, hopefully, to know and admit that. And I think the same thing's gonna happen in the cybersecurity realm. Whoever we follow is gonna make some mistakes. But not having anyone in charge is gonna get us nowhere. I hope the new cyber director becomes the Tony Fauci of cybersecurity even with the mistakes that are gonna come with that. But what I don't want that person to become is a political hot button that's perceived as a kind of threat to our distributed authority system in this country. Nobody wants the federal government knocking on the door saying, "I'm here to help, and I'm gonna take over your corporate network." what we need to do is have someone knocking on the door to say, "How can I help you? What tools, services and products can I produce? What advice can I give? What kind of government resources can I marshal to help you?," not to tell you what to do and how to do it.
Ron Gula: [00:56:16] Very cool. Steve, any comments on all that?
Steve Ryan: [00:56:18] I've always thought that that to do this right at a national level, we, as a nation, have to have the right controls in place, just, baked into the internet fabric, right? Looking for looking for the bad guys and looking for the things that the bad guys do, not to violate privacy, not run by the government. But there's certainly plenty of the private sector that delivers, the ones and zeros to our businesses and to our homes. And and it's open, and the bad guys know that, right? So any of that infrastructure-
Ron Gula: [00:56:55] And Trinity can close it. You can say it, right? [laughs]
Steve Ryan: [00:56:56] Oh yeah. You bet it can. You bet it can.
Tom Bossert: [00:56:59] You know what? You know what? Is it, do we have time for a little plug here? You know what's cool? We talked about the supply chain risk of Orion. And people are out there thinking, "How in the world do you have Trinity sitting at your network edge looking at all your traffic in a, terminating SSL traffic?" the answer is Steve and the team had the, and not surprisingly, presence to build a company that built a technology without ever plugging it in to the open internet. It's a completely, outside the defended network, but out-of-band capability. It's important.
Ron Gula: [00:57:26] Yeah.
Tom Bossert: [00:57:26] And I don't think people realize that. I throw it out there.
Ron Gula: [00:57:28] [crosstalk 01:02:58].
Tom Bossert: [00:57:28] You don't get third-party supply chain risk with our capability, our solution operating out of band. And if you don't understand what that means, call me, and I'll let you know.
Ron Gula: [00:57:35] Yeah I'm starting to see that in pitches. People who are soliciting us for investment, they're trying to show how secure their development system is, their software distribution system.
Steve Ryan: [00:57:44] It's really important.
Ron Gula: [00:57:45] And, I'm like, "Do you have an air gap network?" "Do you do background checks on your employees?" All right, let's start with the basics,
Tom Bossert: [00:57:50] that's right.
Steve Ryan: [00:57:53] That's right.
Ron Gula: [00:57:54] All right, so let's, Gula Tech Cyber Fiction-
Steve Ryan: [00:57:54] Yes.
Ron Gula: [00:57:54] ... let's talk about some science fiction.
Tom Bossert: [00:57:56] Yeah.
Ron Gula: [00:57:56] So Steve-
Steve Ryan: [00:57:56] Yeah.
Ron Gula: [00:57:57] ... what science fiction influences you, influences Trinity? Where do you think we're going here? What's how's it all influence in us?
Steve Ryan: [00:58:04] Couple I'll hit you with a couple. I couldn't answer this question without tipping my hat to The Matrix, right? I have this belief as we do our thing that if you're looking at network traffic, if you change a one to a zero, that ma-, cou-, y- you can change the contents of a packet which means you can change the outcome of the session which means there is no spoon.
Ron Gula: [00:58:27] There you go.
Tom Bossert: [00:58:27] There you go, yeah yeah.
Steve Ryan: [00:58:28] Right so gotta love The Matrix. And then from a s- science fiction books big fan of Daniel Suarez Daemon, that, that whole notion of the-
Ron Gula: [00:58:38] I haven't read that series.
Steve Ryan: [00:58:39] Oh.
Ron Gula: [00:58:39] A lot of people rave about it.
Steve Ryan: [00:58:40] Yeah.
Ron Gula: [00:58:40] They love it.
Steve Ryan: [00:58:40] Really cool. Stephenson, Cryptonomicon. and Read- Read-, Reamde, always want to say Readme Reamde Doug Richards Amped, those kinds of things. I just come from this I think it was my special projects training and the stuff I, I dappled with before I came to NSA that I just don't look at things for what they are but what they could be or what I could turn them into. And I love the books that follow that same mentality.
Ron Gula: [00:59:05] Excellent. Yeah I spoke with Chris Klaus a couple times.
Steve Ryan: [00:59:07] Yeah.
Ron Gula: [00:59:08] He was the founder of ISS. And he was inspired by Neuromancer.
Steve Ryan: [00:59:11] [affirmative].
Ron Gula: [00:59:11] And that really, th- there's a scene where the guy's parachuting in. And he's got some sort of [inaudible 01:05:04] vehicle. But that inspired him to write like ISS Scanner which I thought was pretty good.
Steve Ryan: [00:59:19] That's cool.
Ron Gula: [00:59:20] Tom, how about you? Science fiction, any-
Tom Bossert: [00:59:21] I th-
Ron Gula: [00:59:21] ... any time to watch science fiction in the White House? [laughs]
Tom Bossert: [00:59:23] No, not in the White House. But, fortunately, y- you spend some time, being a normal human being. And, it's it dawned on me, I was thinking about this, the science fiction I'm drawn to all has an underlying morality play to it. Yeah, it's really cool to see what the future might look like, and there's, the St-, the Star Trek originals. They're, always, capture us because now we can look at it and it's the communicator is our flip phones. And it's already antiquated.
But every single sci-fi episode storyline, franchise that I like ends up really, if I look at it closely, having a morality play in it, right? Really the original Star Trek series was a bunch of Westerns played out in space. And, to me, that's what this whole thing comes down to. Steve and the team give me and our customers the ability to change ones and zeros and affect outcomes in a technological space. But how you use that power has to come down to your view of humanity and what you're trying to do and who you're trying to help. And it's a right and wrong thing for me.
Ron Gula: [01:00:16] Are you saying that there are good guys and then there are bad guys, and then there's this third thing in the middle-
Tom Bossert: [01:00:21] It's a-
Ron Gula: [01:00:21] ... that could be the Trinity?
Tom Bossert: [01:00:23] It's kind of-
... It's kinda time for the good guys to have the cool skills and abilities to take back and level that playing field.
Steve Ryan: [01:00:29] yeah, you bet.
Ron Gula: [01:00:30] Awesome. How do people get ahold of you? And how would they, if they want to learn more about Trinity where we can we sent them?
Tom Bossert: [01:00:37] Trinitycyber.com, Ron. And from there, you can get ahold of Steve and I directly in about 20 minutes.
Ron Gula: [01:00:45] Anything else there, Steve?
Steve Ryan: [01:00:45] No, that's it. Go to the website, trinitycyber.com.
Tom Bossert: [01:00:49] There you go.
Ron Gula: [01:00:49] Awesome.
Steve Ryan: [01:00:49] Yeah.
Ron Gula: [01:00:49] I want to thank Steve and Tom for coming on the Gula Tech Cyber Fiction Show. I've really enjoyed learning some of the stories here and digging in a bit more about about Trinity Cyber. And once again, thanks for our listeners and our watchers here. This is Ron Gula. I'm at Gula Tech Cyber Fiction Show.
Steve Ryan: [01:01:05] Thank you.
Tom Bossert: [01:01:06] Thanks, Ron.