Welcome to Defender Spotlight! In this monthly blog series, we interview cybersecurity defenders of all varieties about their experience working in security operations. We’ll inquire about their favorite tools, and ask for advice on security topics, trends, and other know-how.

In this edition, we spoke with Mike Arpaia, the Co-Founder and CSO of Kolide.

Mike is the original creator of osquery, which he built, open-sourced, and widely deployed while working at Facebook. He then went on to lead the company's intrusion detection efforts, where he was responsible for all infrastructure and network instrumentation.

Before his time at Facebook, Mike worked at Etsy, on a custom host intrusion detection product, which he deployed and managed across Etsy's corporate infrastructure. Mike is excited to continue working on open source technologies in the operating system instrumentation and analytics domain, which continues to be a passion area for him.

Let's see what he had to say. :)


Tell us about yourself, and your history working in security operations.

My name is Mike Arpaia and I’m currently the CSO at a startup that I co-founded called Kolide. Before Kolide, I worked at Facebook, first as a Software Engineer primarily focused on host intrusion detection, then as an Engineering Manager, where I was responsible for all intrusion detection infrastructure at Facebook. As an Engineer at Facebook, I created and open sourced a piece of software called osquery. As a Manager at Facebook, I grew the osquery effort as well as many other intrusion detection efforts including network and application instrumentation.

Before Facebook, I was a Senior Software Engineer on the Security Team at Etsy, where I also worked on host instrumentation and intrusion detection. Before Etsy, I spent several years as an offensive security consultant, performing penetration tests and helping numerous organizations with various aspects of their security posture.

What are you working on these days?

When I was at Facebook, we released osquery as an open-source operating system instrumentation agent. Osquery has been incredibly well received, but osquery only solves a single part of the larger host intrusion detection problem space.

At Kolide, we’re working on building a suite of open technologies and products on top of the osquery platform to help solve the entire host intrusion detection problem space.

Kolide is taking the principles of openness and transparency that I fostered at Facebook by giving talks and authoring blog articles on the topic and expanding on them. This is not an approach typically taken by security product companies, so I’m really excited about how we’re approaching the domain.

Specifically, my day-to-day mostly consists of writing Go and JavaScript code. At the moment, we’re hard at work building the Kolide product. We'll be releasing an early open source version of the product as soon as we have something that we think would be a stable, useful addition to the community. Stay tuned for more updates.

Can you tell us about a moment in your career when you were proud to be a defender?

I’ve been proud to be a defender all throughout my career as a defender. While working at Facebook, my team was deeply involved in handling incidents and it was always great to be able to work on such high impact events that had the ability to negatively affect so many people, but didn’t because we had things under control.

I was proud to be working on defensive approaches to operating system security when we released osquery to the community and received such a warm reception.

I still consider myself a defender, so I’m also proud that the Kolide team is growing and building something which will truly help people make the internet a safer place.

In your opinion, what are the most important elements of implementing a successful security operations center capability? What do companies struggle with the most?

When I was a consultant, I got to see how hundreds of companies approached different aspects of maintaining the security posture of their organization. I got to see what worked, what didn’t work, what could have been done better, etc. All of this was great experience and ultimately drove me to take that experience and put it to good use as a defender myself.

If we’re talking about a SOC specifically, I think that it’s important to define a small, consistent toolset that analysts can use which maintains a low cognitive footprint. Oftentimes companies have too many tools across too many environments and analysts struggle to keep up with what they need to know to be productive.

This was one of the key motivating factors behind the creation of osquery. Oftentimes, you’ll use one tool for instrumenting your production environment, another tool for instrumenting your corporate environment, another tool for keeping track of what apps your employees have installed on their workstations, etc.

All of these tools require a different way of reasoning about the domain and a different set of skills and knowledge. With osquery, all of these problems can be solved with a single tool, using knowledge that analysts already have: writing SQL queries.

I’m not saying that osquery specifically is the answer to everyone’s SOC problems, but I think that companies should focus on those core principles of maintaining a robust, yet simple toolset which takes advantage of analysts’ skills instead of requiring them to learn new ones.

What are some of your favorite products, software, or tools that you use on a daily basis? How do they make your job easier?

Obviously I’m a big fan of osquery! It’s definitely one of my favorite pieces of software, for sure. I am a wee bit biased on this topic though :)

Aside from osquery, I’m a relatively recent Docker convert. I can be a bit of a curmudgeon when it comes to adopting new infrastructure technologies, so I kept Docker at arm’s length for a long time, but over the past few months I’ve been using Docker extensively to assist with creating development environments, segmenting production infrastructure, isolating dependent components of applications, etc.

Containers are really awesome and the ecosystem that Docker has created on top of container technologies is just incredible.

What are some of the trends in the security industry that you find encouraging?

I spent a lot of time and effort over the last several years giving talks and writing blog articles about why it’s important for us to embrace openness in information security. My opinions on the topic are laid out in my Velocity 2015 talk. People have been receptive to these ideas and I think the industry is starting to see the value of open, high-quality, foundational software that we build our industry on top of. I plan on continuing these approaches with Kolide and I hope that people continue to be receptive.

What are the top 3 things defenders should be worrying about today? What worries you the most personally?

I think defenders should spend the most time reasoning about the most critical attack surface they expose and what they’re doing to defend it. We should constantly be maintaining insight into our attack surface (our infrastructure, our networks, etc) and ensuring that we understand the risks presented by that attack surface.

Once we understand the risk and can think through how attacks are likely to occur given the risk, we can do things to make those attacks more expensive and, if possible, mitigate the risks.

I don’t like the term “worrying”, because it implies a certain level of sensationalism to an approach which should be more tactical.

What advice would you give to someone getting started in security?

I would emphasize the fact that, as practitioners of information security, we have a huge level of responsibility. There are a lot of people in the world who use the internet and digital products every day of their lives and it’s our responsibility to make sure that they can do so without fear or consequence.

The internet is a scary place and nobody knows that better than we do. Sometimes I think that our industry loses sight of the fact that our most important role is to keep people safe. Always remember that there are real people that suffer in real life due to the problems that our industry has failed to solve thus far.

I like to think that organizations that use osquery to protect the infrastructure are able to offer a slightly more secure experience for the people that use their services. This has been my attempt to scale my personal ability to influence the security posture of the internet as a whole.

Make sure the world and the people who occupy it are better off because of the things that you do with your career. That may sound really grandiose, but I believe that the industry can have tremendous impact if our work is properly focused.

What do successful security processes look like? For daily workflows, but also from a strategic standpoint?

I think that successful security processes at an organization include some kind of insertion into the pipeline of creation. As an infrastructure team builds new infrastructure to accommodate the new products that the product engineering team is building, the mature security organization will be inserted all throughout this pipeline both technically (via automated code review systems like Herald) and culturally (by establishing friendly relationships throughout the organization).

Maintaining insight into the state of your organization is an absolutely crucial step to effectively defending it.

What does a good team structure look like when setting up a security operations center? What qualities and skills do the ideal team members have?

I’ve worked on a security team of 4 people and we were all one team. I’ve also worked in a security organization of over 150 people where there were over a dozen security sub-teams. When I was a consultant, I got to observe numerous established security teams and understand how they work with each other.

The group of people that make up a security team, which includes but is not limited to its leadership, will define the most effective structure for the team given the personalities involved. What’s important is that everyone on the team understands that they must ruthlessly prioritize defending the infrastructure which presents the most significant risk to the organization.

What are some of the best industry events to attend and why?

If you asked me this several years ago, I would have probably rattled off a list of large industry security conferences, but my mind has changed a bit more recently. I think more security professionals should be spending time at industry events and conferences that are put on by other computer science disciplines.

If you are a defender responsible for securing infrastructure, go to infrastructure conferences like Velocity, DevOpsDays, Surge, etc. If you’re responsible for defending application codebases, go to Programming Languages conferences (like Strange Loop) to understand different approaches to PL, static analyzers, compiler design, etc.

All of this will give you insight into the population who creates the things which you must secure and probably will make you a better computer scientist. Use static analyzers to find vulnerabilities in code, write middlewares for your distributed systems message routing framework to identify injection in message bodies, etc. Learn from your peers in other branches of computer science and apply it to information security.


Have any questions that we didn't get to? Want to tell him how great osquery is? Connect with him on Twitter!
