Sophia D’Antoine of Trail of Bits: Nick’s Newsletter No. 30

Sign up for my newsletter to see more interviews with the biggest names in cybersecurity.

This week I spoke to Sophia D’Antoine, a security engineer at Trail of Bits which is a high end security consulting firm. Sophia recently completed her masters in computer science from Rensselaer Polytechnic Institute where she focused her studies on malicious applications of hardware side channels in virtualized environments. As a security consultant, Sophia provided an interesting perspective that’s very different from many of the entrepreneurs and investors that I’ve interviewed.

You were working for a bunch of large operating companies before you left for Trail of Bits which is more of a consulting and incident response firm. How was the day to day these operating companies different from your day to day at Trail of Bits?

I think that computer science is turning into two separate fields; there’s the more high level and less technical parts such as web programming or user interface design, and then there’s the much more technical side which includes things like security. I worked for two very large organizations with lots of bureaucracy and a lot of non-technical people. I also worked for an earlier stage operating company that doesn’t really have the bureaucracy, but it’s still not very technical and it’s not a security-focused company. I moved to Trail of Bits because I wanted to be around a lot of highly technical people and to feel like I was the stupid one in the room. I’m more of a researcher at heart so I wanted to be in an environment where I’m able to learn something new every day.

At Trail of Bits I’m sure you have a great window into how organizations are struggling in their security efforts; where in these security efforts do they need the most help?

That depends on the type of company. Small companies for instance, don’t have security teams so the most secure thing they can do is to contract out their security work. The worst thing they can do is just blindly download security products because they’re only as secure as the commercial products they buy. Larger companies can do a lot in-house, but they should still bring in a 3rd party security team to review their products and check the security of their networks.

Nowadays we’re starting to hear that medium-sized companies are oftentimes better off trusting their data with a major cloud storage provider, than storing all of their data in-house. Do you agree with this idea?

Yes, when you have a small company, you don’t have a security team so you better have 3rd party products. AWS is the most secure. They recognize the need for things like side channel protection. They have a team that is constantly reading about the evolving threat landscape so they are able to stay on top of it.

Given that organizations are going to be storing some portion of their data in the cloud, what are some of the cloud security technologies or policies that these organizations should be adopting? I know in your thesis that you say that anomaly, signature-based and pattern recognition technologies for detecting malware may be effective, but are there currently tools out there that provide this protection for cloud environments?

These tools don’t currently exist but we’re working with Amazon right now to develop them. There are plenty of tools out there for network security and there are a lot of pen – testing companies that can run those tools on your network. However from a hardware standpoint, there aren’t any tools that run anomaly detection. The solutions that work in the network don’t translate over into the hardware.

What’s the research or technology out there in the security space that’s really interesting to you right now?

At Trail of Bits, we do a lot of work with Darpa’s CGC (cyber grand challenge) on using methods to automatically find problems in software. I’m really interested in looking at tools in that space and incorporating those tools into compilers to automatically harden applications. Developers would write their code and then compile it, and the code would automatically be obfuscated so that potential hackers couldn’t easily understand the code when they try to reverse engineer it. I want to make security easy for a tech developer.

Similar to companies like Checkmarx who scan source code as developers are writing it to search for common vulnerabilities?

I know developers who have used these tools and they’re not super effective at finding those vulnerabilities. First of all, these tools can only find vulnerabilities that are previously known about. Second, they do this at the source code level, not the binary level–where security flaws truly originate.  Checking the security posture of code after it has already been compiled is much more effective. Darpa is doing a lot of work in this space.

The tool that I’m working on is less about finding vulnerabilities in code and more about protecting your code from people (hackers or competitors) who are trying to steal your IP or user credentials.

The News:

Intelligence Start-Up Goes Behind Enemy Lines to Get Ahead of Hackers

  • An interesting look into the operations of threat intelligence provider iSight Partners. iSight analysts dig through the underground web to infiltrate networks of cybercriminals and understand what they’re plotting before they do it. They then provide this information to organizations and help them prioritize their threats. iSight makes most of its money through subscriptions to their six intelligence streams. Also see this WSJ profile of Israeli threat intelligence firm Black Cube.

Helping Banks Spot Vulnerable Servers … in Seconds

  • Explains how Tanium is able to instantly provide information into the security status of endpoints.

Cisco routers attacked by hackers in four countries

  • Previously commercial routers such as these had only been subject to DDoS attacks, not outright takeover. When taken over however, routers provide access to the data of any organization that sits behind it. FireEye’s David DeWalt called these routers the “ultimate spying tool.”

Top 10 Keys To Security Sales Success

  • George Muldoon, a sales rep at Bromium, recommends going higher up in the organization. Nowadays, security is a board-level concern, so sell to the C-suite.

Cyberthreat Posed by China and Iran Confounds White House

  • The U.S. is trying to figure out how to let China and Iran know that their actions, which have been consequence-free, will now start to carry repercussions.

IronNet Cybersecurity raises $7.5 million

  • The company is led by former director of the NSA, Keith Alexander and aims to detect anomalous network activity. The round was led by Trident.

As Security Booms, Onapsis Gets Cash to Stop Corporate Cyber Attacks

  • The company raised a $17 million Series B from Evolution Equity Partners and others. The company aims to protect business critical applications, like the ERP systems provided by Oracle or SAP.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s