Monday, October 24, 2016

The "oral history" of GIAC

A couple of days ago press@sans received a note asking for some information. Apparently, a professor is writing a book about the origins of cybersecurity and wanted an oral history. Apparently, some of them get added to the Charles Babbage Institute; here is an example with Lance Hoffman. So, I took a crack at it as shown below.

In 1981 I graduated from Mary Washington with a BA in Geography, (cartography and air photo interpretation), and was hired by Defense Mapping Agency, DMATC, (now NGA). They were just converting from manual processes to Computer Aided Design, (CAD). The terminals were powered by DEC PDP 11/70s. I was working the evening shift, essentially 4 - 11 PM. The facility was on the Potomac river gorge, (Brookmont, (Bethesda), Maryland), and in June, we had a thunderstorm almost every day and we were required to shut the systems down and unplug them; they even had a thunderstorm code to charge our time to. There was no IT department for technical support in the evenings, so during the thunderstorms I started reading the manuals and even started coding in RSX-11M. The path to being a technical GS-12 involved getting a masters degree in geodetic engineering from Virginia Tech. So I started taking courses at Telestar Court in Falls Church. One of the required courses was data structures in Fortran, my first computer course with punch cards on an IBM 360 mainframe. I loved it. I quickly took all the computer courses. When I signed up for one as my elective, the topography department head denied it. He said, "You have taken enough computer courses". I updated my resume, (forget what they called the form back then), and got an appointment with the computer department head. He read my paperwork, looked up and said, "Do you have any experience with small computers?" "Well sir, I am the president of the Fredericksburg Commodore 64 club", I replied. I was hired; I became a computer guy and have never looked back. Who would want to do anything else?

In 1997, my primary security focus was network intrusion detection. Fred Kerby, cybersecurity manager at NSWC Dahlgren, had arranged for me to speak at a conference, but the event was canceled. He called Alan and asked if I could give a talk at SANS Network Security in New Orleans.

Michele Crabb, (now Michele Guell), assigned me a topic, "Making the most of your opportunities with management". I was stumped. I was terrible at working with management. So, I chose the angle of talking about all the mistakes that I had made. I didn't think anyone would come to the talk, it was the last time slot on the last day; hundreds of people showed up and it turned out to be the highest performing short talk at a SANS event.

After the scores came in, Alan Paller found me and asked me if I could speak on a technical topic, so we talked about intrusion detection that night. They put flyers all over the hotel and brought in a wooden canoe with local beers on ice. The Q&A went in the direction of searching a database of network information looking for patterns. A couple of years later, the notes from that discussion led John Green to create Dark Shadow. It was interesting to see how many organizations were toying with the concept that would later be known as SIEM.

In the center of the room was Marcus Ranum, with his famous red cowboy boots. I was a bit intimidated. Marcus didn't slaughter me and later, when Marcus was with NFR, I helped Kent Landfield extend the NFR N language to support intrusion detection patterns. Now I was writing for two different IDSes and was beginning to realize that if you knew cybersecurity from an architecture perspective, you could apply it to multiple implementations.

In 1999, I agreed to write a book on cyber security intrusion detection, (link is 3rd edition, couldn't find first). I worked on it on the commuter train up to the Pentagon from Fredericksburg VA and then on the way home. After supper, I would retire into my office and write till about 10 PM. Every couple of weeks, I received a call from Alan Paller. He wanted to do something to “prove people could do the job” in cybersecurity. I was pounding on the keyboard and he would tell me he hired this famous person and they could do it, then a few weeks later, he would call and say it did not work out. I liked Alan and would have loved to help him, but that wasn’t my mission, the book was my mission . . . until two things happened.

First, even though I had moved to the Pentagon for missile defense, I was still working with the Navy Laboratory at Dahlgren Virginia. I used some of my training dollars to send two of the Shadow IDS team members to the USENIX 99 conference in Monterey. I was there as well. The talk I had chosen was boring, so I drifted into some of the other talks. I did not see my people. I wandered through the Portola, (then Doubletree) hotel and conference center, did not see them. Finally, I ended up on a deck overlooking the bay and saw them. They were in sea kayaks. That hurt; I had limited training resources. And it hit me. Mr. Paller’s idea could also tell an employer that spent training money on someone whether they actually mastered the subject matter. I still was not totally invested, but was becoming interested in the idea of proving someone could “do the job”.
NOTE: this conference was also what got me thinking about the flawed structure of "technical conferences", 1- and 2-hour talks leading to more depth at ShadowCon and later the track system at SANS.

Second, back at work at the Pentagon, I found out my IDS contractor had resigned to be part of a startup with the Enterasys Dragon IDS. Our prime contractor handed me a stack of resumes. One looked really good, lots of experience, remarkable, because in 1999 intrusion detection was in its infancy. So, I told the prime to bring him on board. His first day on the job, I wanted to bring up a RealSecure IDS on one of our new facilities. So, I handed him the disk and told him to load the maximum signature set. I came back a few hours later and it was not running. All you had to do was load the disk, agree with the Microsoft install wizard, next, next, next, choose the signature set and you should be up and running. Long story short, his resume was bogus, I don’t even know how he managed to write it. Mr. Paller’s vision was starting to make a lot of sense to me at this point; I called Alan and told him I was in.

Alan came down to visit the Shadow team at Dahlgren and we spent some time on the whiteboard. Security was getting more complex; even in 1999 there wasn’t such a thing as a “security guy”. Instead, there was a firewall/perimeter expert, IDS expert, Windows OS, Unix OS, forensicator and so forth. To prove someone could “do the job”, we would have to define the job. Then break it down into knowledge elements, knowledge, skills and abilities, (KSAs).
NOTE: as GIAC came to be, KSAs morphed into ICF, (important, critical and frequent) values.

As 1999 drew to a close, the White House security council requested my participation in Y2K in the event cyber attacks were going to happen. My boss at the Pentagon didn’t like it, but couldn’t really say no, so I reported to the Gerald Ford House Office Building to set up shop. It was a terrible experience. The FBI wanted to be in charge, the US CERT wanted to be in charge, the GSA point of contact was really mean. I was just a techie, unprepared for the worst of government politics and turf battles. Mr. Paller was kind enough to take over on site and I did all the work remotely, including setting up multiple global response centers counting on Richard Bejtlich, Arrigo Triulzi and other analysts. I had been a happy government employee till that event, but I was done and SANS was kind enough to hire me. I resigned from missile defense January 5, 2000.

For the next year, I focused on gathering knowledge about the security skills and figuring out how to teach and test it. Eventually we settled on the name and idea of GIAC, (we had created the brand earlier as the Global Incident Analysis Center, later, incidents.org, now known as the Internet Storm Center), and rebranded as the Global Information Assurance Certification. The early days were rather crude, essentially two guys and a dog writing test questions, but we focused on continuous process improvement.

We all know the events of 9/11/2001, but what most people don’t know is that it spilled over into cybersecurity, probably in part due to the Code Red worm two months earlier. All of a sudden, we were facing enormous demand for our training and attempts at certification; every class was sold out. Capacity was maxed out. A SANS employee, Zoe Dias, spent weeks figuring out how to increase capacity by a factor of 10; she would wake up in the middle of the night as ideas came to her and she continued to chip away at the logistics problems. Her work resulted in the distribution system we depend on today.

In 2002, the industry was realizing there was a lack of provable security skills. Steve Katz, CISO of CitiCorp, had done a briefing on the topic that got picked up by the press. Eventually, GIAC was lucky enough to hire an engineer named Jeff Frisk, and he cared enough and was detail oriented enough to help GIAC become what it is today.
