Marc Maiffret, CTO of BeyondTrust, recently sat down with Joel Beasley, the author of ModernCTO and host of the ModernCTO podcast, to discuss eventful career beginnings, hacking, technology leadership strategies, and company security cultures, new and old.
Marc and Joel share similar career origin stories, making big splashes in the technology world from an early age. For Marc, that meant getting raided by the FBI in his teens for hacking into government systems—purely out of curiosity. Having built an impressive cybersecurity career since, including leadership stints at FireEye and SpaceX, Marc recently rejoined BeyondTrust as its CTO.
As a security researcher Marc was an early pioneer in Microsoft vulnerability research, including co-discovering and naming Code Red, the first Microsoft computer worm. Marc has presented at numerous security conferences and has testified before Congress on matters of national security. As an entrepreneur, Marc helped design and build some of the first products for Vulnerability Management, Web Application Firewalling, Endpoint Security, and Malware Detonation.
Listen to the podcast or read the transcript below to gain security insights and a historical cybersecurity perspective.
- Marc Maiffret, CTO of BeyondTrust
- Joel Beasley, Author and Host of ModernCTO
Moderator: Hello, my friends. Today, Joel is talking to Marc, CTO of BeyondTrust. They discuss how Marc's career in cybersecurity started after he got raided by the FBI, Marc's co-discovery of the infamous Microsoft vulnerability Code Red, and how the culture of a company has to fundamentally change in order to make meaningful changes to security. All of this right here, right now on the ModernCTO podcast.
Joel: Do you see yourself as more of an entrepreneur or a technologist? How do you view yourself?
Marc: It depends on the day; I mean, probably both in a sense. I oscillate between everything from hacking around on code and getting in the weeds on things, to doing the Chief Technology Officer business role and everything in between. So, I think definitely the moniker a friend gave me when I was very young. He coined the term Chief Hacking Officer, so I think that's pretty representative.
Joel: Have you been hacking a while?
Marc: Yeah, since I was about 13.
Joel: How'd you get into that?
Marc: For me, it was really just an escape from a crazy home life and crazy upbringing. Getting my first computer and access to it was just this entire world of learning the programs, learning how things work. I mean, there was definitely that aspect where you had control over it, so I think anybody who's grown up as a child in a chaotic household turns into something where having your escape — sometimes escapes end up being bad ones that are detrimental. Luckily mine was nerding out with computers and getting into hacking and things of that nature. So, it was a world I could control in the sense that I could control that virtual space in the way that the real world was uncontrollable for me at that point.
Joel: I connected with that a lot. Like around age 11, 12, my parents got divorced, and it was more so of, they were just focusing on other things. So I had a ridiculous amount of free time, I was self-governing, I could completely autonomous, and that's not what you see for most 13-year-olds, right? And so, I look back on it now, I'm 34 now and I have two kids and a third on the way, and I look back at it and I say, "Man, I was so lucky that some of the worst stuff I was doing was just things on the computer and I wasn't out there smoking meth and all this other stuff."
Marc: Yeah. I mean, it's like what you were saying at the start, that overcoming things, I mean, it definitely can make you stronger, but I consider myself lucky in a lot of ways because I think it also... There's plenty of people where you end up broken and you might not ever get out of it, so I was lucky that my escape and addiction, if you will, was computers and hacking and learning about that sort of thing versus... Sure, it could have gone a lot of other ways for me.
Joel: Yeah. I remember one day I went to Best Buy and then I went to like Books-A-Million and I found this book my dad let me buy, and it was called HackThisSite. a I went home and I started playing around with it and I performed a couple of the hacks, went through the courses. And then almost immediately, I figured out that I could make money writing code on ScriptLance, and then my focus completely shifted and I barely had like maybe six months of my life where I spent it interested in the security and the hacking before I realized that businesses would pay me money to write business logic code and I was like, "I'll go do that."
Marc: Yeah. No, it's an interesting thing. I think everybody's got the like, “what was that first book or exposure.” I don't remember what store we were at; we were at some sort of used computer store and I think I was like 12 or something like that, and the only programming book that they had was a language that's not very popular anymore called Visual Basic. And so, the first thing I got exposed to was not the prime language that I would've wanted to be learning at the time. And stuff like that as far as the value to using it in the hacking space and security and stuff, but it was definitely a fun exposure and jumping off point just to learn programming in general. My friends will tease me of course on Visual Basic being the first language, so it's out there now.
Joel: I think it was Visual Basic Studio, was like IDE for that, right?
Marc: There you go. You end up drawing all your interfaces first and then figure out what's the code actually going to do versus pretty much everything doesn't work that way anymore.
Joel: Yeah. The closest thing I found to that was when I got into a little bit of the Apple development from... That's how they do a lot of their interface work.
Marc: I still prefer it as a thing, get an as real as possible UX/UI prototype so you get that full experience and then fill in the blanks. I don't know if that's just a preference or I've been poisoned by Visual Basic early on.
Joel: I think it's because it's the way you develop the best products. That's what I have found to be true. So how did you go from hacking, raided by the FBI, how did you not go to jail, and how did you end up making a career out of it?
Marc: It's funny you asked that. A lot of people don't ask the, you were raided, did you get in trouble or go to jail or any of that? So, at the point that I was raided, I'd been hacking all sorts of companies, government sites, things of that nature. I should clarify, different than a lot of things you hear about hacking today where it's like ransomware, cybercrime-driven. This was hacking at a time when it was much more about the ability to just go explore systems in the way that you would go learn about new computer environments and things of that nature, would be to go break in the companies that had those sort of computer systems, because you couldn't... All the magical stuff you can do these days of setting up your own home hacking lab just wasn't quite a thing. So, your lab was other companies, universities, stuff like that.
Marc: And so, that hacking eventually caught up with me. But yeah, I was never actually charged or arrested or no record or anything of that nature. The wakeup call was very real though, I'd say. As far as what did I do at that point, I was definitely scared enough into doing the right things and I think I'd been trying to find the path of how I take this passion that I had… I was writing a lot of security hacking tools at the time. And I very much knew as best as a 17-year-old could know what they wanted to do with their career. I knew I wanted to do something in my life with that. But this was at a time that the security industry was more in its infancy. There was a couple of big consumer antivirus companies, but the modern security market that we know today really didn't exist so there wasn't as clear of a path as there would be right now.
Joel: And did you have an influence in your life that was entrepreneurial that caused you to not just go work for another security company, but actually start eEye — I think that was your first company?
Marc: Yeah. So, it was an interesting path. At the time that I got raided, I was working for a website development type of firm and the founder of it, Firas Bushnaq, a friend of mine. I basically told him, "Hey, I got raided by the FBI." That didn't end up spooking him and so, I told him, "Hey, I have all these ideas of security technology and stuff that I actually want to try to of productize, basically." And that was the initial seed and we started the first company together, eEye Digital Security. And really, the first product that we built was to take all the different automated hacking tools that I had been building and turn that into what we now call vulnerability management — where you can essentially scan a company's environment, figure out all the weaknesses and ways that a hacker could break in, and how to fix those things.
Joel: Oh, nice. Is that when you got involved with the whole Code Red Microsoft thing?
Marc: Yeah. So, in parallel to building a lot of security tools and starting my first company, eEye, I was also heavily involved in some of the early Microsoft security research. So, in the late '90s, early 2000s timeframe, I helped pioneer a lot of the early vulnerabilities of Microsoft software. And so, in doing that, we were also trying to figure out software that could be defensive in trying to prevent attacks against Microsoft systems. And throughout that work, we eventually found the first Microsoft computer worm called Code Red — which is an interesting story within itself.
Joel: We were doing the prep meeting and I made a joke, I was like, "Yeah, he's sponsored by Mountain Dew." And then Adam stood up and he's like, "Hey, there's actually something there, ask him about it."
Marc: No, that's a true thing. So, the start of Code Red was essentially: it was a Friday afternoon and I was hanging out with a good friend of mine, Ryan Permeh, who went on to go co-found the company called Cylance. We got an email from a customer who was seeing something weird happening with their web server. We started to do some research and started to unravel and figure out that there was this worm code that existed. Jump to two days later on Monday morning. We were putting out our research and we got a call from somebody who claimed to be in the Situation Room in the White House, and the worm itself was supposed to eventually flood and attack one of the White House web servers.
Marc: And so, we thought it was probably a prank call or something and called a friend at the FBI to find out it was actually somebody at the White House that was trying to figure out what was going on. And so, then a couple of days after that, it's all over the news. There hadn't been this sort of worm for Microsoft up until that point. I got a call from the head of marketing for Pepsi, which was making Code Red Mountain Dew at the time, and it was supposed to just be a soft drink that was out for a limited offering. I guess because of the worm and all the press surrounding it, a lot of IT people were buying Code Red — and so we got this awkward call from the head of marketing saying, "Hey, it's weird to be associated with something bad, but pretty cool what you guys found, and we just want to send free Mountain Dew."
Marc: And so, the distribution plant shipped to our old office. Up until we finally told them after probably like a year or two that we were so sick of getting shipments of Code Red and stuff like that. We were like, "Stop sending it." So, that's always the fun joke at conferences when people try to hand me a bottle of that; I'm not quite the fan of it as I was back then.
Joel: Man, I’ve drank way too much Code Red and Surge. And I think people underestimate how popular those drinks were. They were incredibly popular.
Marc: Absolutely. And that was our joke in naming that, we were like, "We appreciate this soft drink" as a couple of hacker programmers at the time, and we ended up naming it after it. And it was like a tongue-in-cheek like, maybe they'll stay around, and they very much did. And it's essentially why there's Code Red on shelves still.
Joel: I would've named the second virus like Cool Ranch.
Marc: We had that, we were like, "Why didn't we call it the BMW worm or something better — something with better sponsorship."
Joel: There you go. Yeah, just the steady stream of Beamers showing up year after year, that'd be great.
Joel: I definitely had a ton of fun in the prep meeting. I do a lot of these, but there was one thing in there, a bullet point in there, that somebody at Microsoft in the security team… I guess I'll back up.
One of my producers explained it to me like this. They said, "Marc's really brilliant at security. He sort of bullied Microsoft into being better at security and then one of their heads of security called him up and cursed him out." I don't know if we can talk about that…
Marc: Yeah, I'll do that. You guys went deep, that's fantastic. Yeah, so totally nice guy;put that disclaimer up front, the person from Microsoft. I won't name them. But we had this interesting aspect in that we were both a security and software company. And so, at the time that this incident that you're describing happened, from security vulnerability management software, we had the two largest deployments in the world. So, we were deployed across the entire Department of Defense and then across the largest—I won't name the company—but the largest commercial deployment. And so, we were both trying to navigate as a startup selling software and all the normal business trajectory there. But we were also very active in security research and very passionate about doing something larger than just the products we were selling.
So, we were trying to improve the security of Microsoft. Microsoft back in that early 2000s timeframe very much treated security as more of a marketing problem to be solved for than a technical one. And so, there are things that people take for granted today. For example, Patch Tuesday is a once a month patch release cycle for Microsoft, and it's changed over the years. But the reason that came about—and this phone call where I got cursed out—is that we were trying to make it painful enough from a vulnerability research perspective for Microsoft to start fundamentally changing how they approach things. And so, we had a couple of months period where we found a very critical Microsoft vulnerability, we would report it to them, and a few weeks later they would come out with a patch. Then we would send them another one.
We would keep doing that over and over. As soon as they would fix one, we would send another. Obviously, we could have sent them all at once, but we were trying to do is optimize for constant hits in the headlines of these issues to draw awareness and to fundamentally get them to change. And so, jumping ahead from that. Not just because of us, there was plenty of other security researchers active at the time that were doing their own version of what I'm describing. Bill Gates eventually sent out his Trustworthy Computing memo to basically refocus the company’s security as a number one priority. But in the process of that, I think it was on one of those fourth iterations of back to back vulnerabilities, and they clearly understood we were holding onto these things and using it as a pressure campaign. And so that led to the cursing out.
And we also started, at the time, to publicly list, not the details of the vulnerabilities, but we were one of the first companies to list all the vulnerabilities that we'd reported to Microsoft that they're working on so that we could make public a vulnerability had been sitting there for eight months to get fixed and is unpatched by Microsoft — and essentially draw more awareness to get them to change. And since then they've changed dramatically and for the better.
Joel: No, that's great. And it was coming either way; if it wasn't you, it's other people.
Marc: Yeah, and like I said, it was... in some ways hate describing it because I don't want to make it sound too much about me and my team at the time, because there were so many other people working hard from a security research perspective to try to make change happen there. Plenty of people within Microsoft themselves that were trying to fight the good fight and change the culture, and eventually it changed.
Joel: So, you stayed with the hacking. I just did a brief detour there; so, you've gotten to see the whole evolution of the past 20 years. Has hacking changed over time, or is it similar?
Marc: Yeah. I probably boil down hacking or the personality of a hacker… like I've met everybody from myself that's a high school dropout, self-taught and everything I do, to somebody who's a PhD onother end of the spectrum. But the common thread is just the insatiable curiosity, just wanting to understand how things work. And then also that ability to maybe think about systems and try to get them to work in a way that maybe the people that created them didn't intend. And that, to me, is more of the core to hacking; that curiosity, not hacking in the sense of like the person behind doing cybercrime ransomware.
Marc: The nefarious movie hacker is not how I would classify; that's more that curiosity and creativity. So, it's definitely changed a lot over the last 20 years of going from that exploration culture to just a major source of revenue in crime and everything else.
Joel: You got to love that cinematic command line thing that happens every cringe— like the first movie I ever saw got it right or it was doing something legitimate was the Facebook, The Social Network movie where he was using commands. I was like, "Oh, he's actually typing something, it's not..."
Marc: Yeah, I know. Well, and then you had Mr. Robot that did a great job, and they showed that you could show the real thing and it could be compelling and interesting. There's a million and one bad versions of course of flying through magical 3D worlds and everything else that is not quite it, but yeah.
Joel: You could be doing anything super bright; you've been in this industry forever — what are you doing right now? How are you spending your time?
Marc: I spend my time in, I'd say two ways. You mentioned having kids; I have my daughter, so when I'm not working, I spend the time with her. But from a professional perspective, I'm the Chief Technology Officer of BeyondTrust. And really, my primary interest is that , as you see the headlines every day coming out about different hacking events, there's always different hacker techniques that are malware or attack campaigns that exist. But everything's usually centered around having the right level of identities that you've compromised and the right level of access between systems. So, I spend a lot of time researching: what are those threats, what are those kind of themes, how does that work and then, what can we do from a product perspective to try to fix some of that and give our customers the visibility and control needed.
Joel: Nice. And so, how long have you been doing that?
Marc: I'm actually back to BeyondTrust about six months now, so I was previously also CTO at BeyondTrust five-ish years ago. I'm horrible with timelines so, don’t quote me on that.
Joel: And so, what was that? How did you get involved with them originally?
Marc: BeyondTrust actually acquired my first company, eEye Digital Security years back. So, that's how I ended up there originally. And it was a great team. I think one of the things in security is that there's a lot of security companies that are always chasing the surface level threats, and there's always something new and different there. But I like to think about a lot of what we try to focus on, and my appeal to the company is that we try to focus on the core physics of… Let's say, probably one of the most important security concepts is limiting and lessening your attack surface, versus a lot of security threat prevention type of products that are much more about, “You have this sprawling attack surface, and we're going to hopefully see the right kind of attacker behavior.” Versus removing things in the first place that don't need to be there.
Joel: So, entrepreneur. I want to talk a little bit about leadership. A large part of our audience is leaders, or people that want to become leaders in technology. You've done the difficult thing, you're a leader as a CTO, you've gone through, as Elon Musk calls it, staring into the abyss and eating glass — the difficulty of starting a company. What are your thoughts when you hear the word leadership. I know it's super broad but what pops into your mind when you hear that?
Marc: I think the main thing when I hear leadership is that there's a million and one recipes out there on what the right way to lead is. But it's really about finding yourself, knowing yourself, and your own style of leadership. There's not like a set template that works, it really is much more about understanding what works for you. And I think one of the struggles that's common for folks, and I know I certainly deal with it myself and I've dealt with it myself, is trying to transition into leadership type of roles.
Marc: It could be hard, I think, for people to make that jump and have that belief in themselves. There’s first knowing yourself enough, but then there's the voices in your head that are trying to tell you “Maybe you're not capable, or you're not deserving” in some sense. That sort of imposter syndrome that I think sometimes people go through. And again, I think it varies case by case.
Joel: How do you deal with that? I call it imposter syndrome and I say it's a synonym for self-doubt. But how do you deal with it? Do you listen to, like, Tony Robbins? Do you surround yourself with people? How do you actually deal with it yourself?
Marc: That's a good question. I don't think I have one way. I think having a good network of friends, not just in a way that your friends just tell you,” Oh, you're great, everything's good.” They challenge you when you should be challenged, they say, ”Yes, maybe you did do the wrong thing there,” when they should say that. So, I think definitely having the right peers, and that's always what I say to people especially when they're earlier in their career. You definitely want to be paid well and those things, but it's much more about what sort of growth are you having. And it's not just growth in the titles that you're collecting, or the ladder climbing in that sense, but the growth in character that you're having and the growth in skills that you're having. And I think the worst thing is if you find yourself in a job where you can be making great money but you're not actually growing in those sort of ways. To me, that's a death trap that I don't want to find myself in.
Joel: Yes. I have found increasingly as I've gotten older, the people I get to spend my time with have like a premium. If I'm on a project and I'm with really, really great people, that to me is more important than money. Obviously, money's incredibly important and I never want to devalue that.
Marc: Yeah, exactly. Because there's equally that, where I've had people that I've known where, because of some of that self-doubt and stuff, they allow themselves to not speak up and get everything they deserve. So, from a money perspective, it's the given of some level of baseline there, but I think revolving around money is a horrible thing to do.
Not just in business, but in life in general.
Joel: 100%. It's important though. I think you sparked an interesting thought. So, as you're progressing through your career, you typically start pretty narrow. Let's say as a software engineer on a team, you become team lead, but as you expand out, your compensation, I would argue, is correlated to your understanding of the business as a whole.
Marc: Yeah, that's exactly it. You asked me earlier, what my day-in-the-life entails, and it's really being able to translate. I think if I have my core value, it's translating deeply technical things at a level that others can understand. And I think there's another aspect to that where I got advice earlier in my career, after I had left my first company eEye for a little bit. I was debating taking a job as the Chief Security Architect for a company called FireEye. And at the time, I had been mostly focused on vulnerabilities, vulnerability research, and vulnerability management, and FireEye was in an early stage at the time; a startup doing malware zero-day threat detection. And I got great advice from someone that I have a ton of respect for named Dan Geer.
Marc: And I was talking to him about, “How do I make this switch between these two worlds; I haven't really done anything with malware.” And he was super encouraging in the sense of, that's actually a great thing that you haven't done it. He's like, "You have the intelligence to think through these problems and you're going to bring a totally different mindset." So, I think the other thing career-wise that you just made me think of, is talking about that exposure and learning is part of the way that you broaden your horizon in some of the different roles that you take. And that doesn't have to be dramatic, where you like start in development and you go do something like sales— something totally different.
Marc: But even within development, maybe switching between front-end and back-end or something just to have a broader perspective, so that you can think for that larger picture, as you're eventually getting into the position of leading and trying to steer the ship.
Joel: Yeah. You've mentioned a couple of people like Dan just now and I think somebody—Firas.
How have relationships played into like your progression in your career and your life?
Marc: It's interesting. Lately— definitely with having kids—relationships are just harder because time is harder. But no, I think the main thing is life is limited. We hopefully have some level of awesome memories at the end of it, but even that's not guaranteed given different things in the world. But it's really about the, to me, the memories you're creating, and that all comes down to what people you're surrounding yourself with. And I think you need to be extremely picky and extremely thoughtful on who you're spending time with, but everybody's got different versions of that for themselves. That's more what works for me.
Joel: Yeah. Well, there's 1000 ways to cook a steak, right?
Joel: Do you ever put in your calendar time for relationship building or networking at all?-
Marc: No, not specifically. I mean, I probably could do a better job, if I'm speaking honestly, on networking and stuff like that. I kind of oscillate between that aspect of business, and then the staying up until 4:00 AM mad scientist in the lab. Those two things are kind of counter to each other in some sense. And so, I definitely select much more time for the mad scientist in the lab, because I find that some of the other network building and other things takes care of itself if you're working on stuff that you're passionate about, and if you're creating some impact in the world. That's not to say you're just trying to do awesome things so everybody comes to you or something like that.
Marc: But I think there's a balance of how much time do you spend talking about all the things that you want to be doing in life and you're aspiring to, versus, “Can you name the three things you did in the last week to get to your goal,” —right?
Marc: And so, I think on the balance of that, I again, try to stay in the lab, try to work on the next record and then get out there, tell everybody what the new record is, play it a few times, and then try to quickly get back into the lab until I have something worthwhile to say or do again.
Joel: My brother-in-law's a music producer, so that's exactly how he operates. He goes away, does a bunch of music, comes out for the premieres and the shows, and then goes back away for a year.
Marc: The reason I use that example is I was explaining to a friend once. He is in music also, and he's like, "Oh yeah, it's like you're working on your next record. You want to go tour on it and then you want to like... But you don't want to tour on the same record for 20 years or whatever." I really appreciate the thoughtfulness of questions, because the getting raided part —I love telling that story, because if I can inspire some other young person that's going through a trying time in their life, to give them an example that there is hope or a path or go. Fight the fight and try to get out the other end. But it's always good to have progress.
Joel: We try to do deeper prep when people have more well-known stories simply because— like I've traveled the world and given the same talk 50 times in interviews. People will often fixate that I got hit by a car when I was a kid and I was in a wheelchair and that taught me discipline. So, I just go on the autopilot and someone's like, "We can maybe lightly touch on the FBI thing, but let's try to find some better questions around that.”
Marc: No, it's cool, man.
Joel: You mentioned translating deeply technical things as a large part of your job at BeyondTrust. Do you get to do anything that's really geeky cool, like run a team of people that are searching for vulnerabilities? Or, what's the geekiest, coolest thing that you can talk about publicly?
Marc: Yeah, we do plenty of that. Just this morning actually, like a few hours before getting on here, I was hands-on working with three of the people on my team. We are essentially doing a simulated attack of, essentially compromising a Kubernetes environment. Getting code execution within one of the containers and then gaming out different versions of what lateral movement looks like with plenty of known techniques and things in that space. But that stuff's cool; if you start with a vulnerable web app and now, all of a sudden, you have account access to AWS. What does that look like from the attacker's perspective of how that actually plays out? Very hands on is what that actually is.
And then the important translation part for me, is that it's easy for me to go describe that attack and give that sort of an example or something, and there's people doing that.
But how do I go take the complexity out of trying to defend against something like that? The tailored nature of security, where security needs to be tailored from company to company as much as possible. And how do you try to put that into something that's productized, where so many companies don't have the people and expertise— or the time, frankly—even if they do have the expertise, to really go learn all these nuances. So, how do you try to understand that threat at a deep enough level; understand what the solution might look like so that you could try to give something to help out?
Joel: No, it's definitely… It's hard. I've programmed for the past 17 years, pretty much until this show got really popular, so it's been about three years since I was doing it full time. But everything got so deep so quick, and to be able to keep up with all the different ways you can get in trouble with security, even just being a developer. You have to accomplish the business goal, but you also have to make sure that it's secure. But it's like, how deep can you go? Because you could build out a whole security team…
Marc: Absolutely. No, it's a great point that you brought up. Maybe another way to answer the question you asked, of how things have changed in the last 20 years. So, security 20 years ago, you could be a domain expert in everything to do with malware, everything to do with vulnerabilities, everything to do with like web attack, SQL injection, et cetera. Like you could really be across multiple disciplines in that way. You still can today to an extent. For example, take something I just mentioned like security involving Kubernetes and those sort of environments —there are people that that's all they do. And they go super deep and do some super, super amazing work. But it's hard to think that you're both going to be excellent at that level of focus and four other domain areas of security.
Marc: So, I think in security, kind of going from a professional perspective, getting exposure to these different types of environments, and working on both offense and defense and getting the different perspectives becomes very, very helpful when you start thinking about how you're going to improve things — especially as you start thinking about leadership and what are the physics and core principles of what matters from a security perspective.
Joel: Yeah. And one of the beautiful things about that is —and tell me if you've seen this —but I saw the sort of egotistical, “I can do everything,” gatekeeper, nerd persona become really unpopular, really fast. Because we all have to rely on each other and it has to be a team thing now.
Marc: It's all community-driven. I mean, just be a good person. That should be the default for any professional thing, but particularly in security. I mean, it's a complete community-driven effort. There's plenty of security companies that try to do the right things, but there are so many independent security researchers, there are so many amazingly hardworking people at different companies working on the individual security teams. Those are some of the people that I think of most often; like the human impact of what it is to be on the IT security team of a company that's responding to ransomware — that's a heavy load. And you could characterize that for most people working in security, depending on the role, there's just this sense of looming.
Marc: The sense that it’s not the “if,” but “when” you're going to get breached. And so, you always just have this uncertainty and sense of looming that something's around the corner and something's about to happen, and you hope you're doing everything right. You have a million and one people trying to tell you what the next right thing is — there’s a lot of noise out there. And so, I have just a lot of empathy for people that work at different companies that are trying to get security to where it needs to be, and especially in the context of security as this race without a finish line. You're never going to be done, like in software. In some sense, you're also never done; you're always iterating new version. But there's at least little bit clearer milestones.
Marc: And so, we think of that in terms of security, milestones in different projects or improvements we're doing. But again, with that sense of looming disaster of who's out there that's potentially starting to target you, or what's going on in that sense.
Joel: And earlier, you gave a brief overview of BeyondTrust and what they do, but I'm going to ask you — can you make it more concrete? I'm going to give you hypothetical: let's say we're a company, we have 100 employees. We're a technology company, and we make a SaaS application. And we just got some funding and we're expanding and security's becoming a bigger and bigger topic as we grow and bring on more important customers and larger accounts. How could I interface or what's the problem you solve for them? How would you interact with that company? Or are they too small or…?
Marc: No, we have companies of all size from the largest enterprise to small. And so, really for us, the central focus is around what you just described — you're going to have a variety of different users and identities from a cloud perspective, and you have a lot of machine-based identities where there is no human attached. And so, one of the most important things to do is to understand: what are those different identities, what are the different privileges of who has access to what and how, what are the different points of how you're controlling access into systems. And so, we really try to put a lot of the guardrails and safeguards around identity access controls. And there are other types of security products and technology out there, but I think our core focus around identity and access is really one that is, again, central to every breach.
Marc: It gets back to what I was talking about with first principles. You typically need to compromise someone's identity at a company to then try to move laterally to the systems and information that you care about. So, we're really focused on that kind of problem space.
Joel: And so, one thing that I remember about seven years or so-ish ago: GitHub. People were writing code to scan GitHub for AWS keys and things like that, and then they would just be fully privileged AWS keys. Because you saw Amazon's IAM, that whole rollout became so much more granular. It started out with like, “Here's a key and it can do everything.” And you could either check an admin key or just another key, and then it became incredibly granular. Are you actually a system that you'll have…? Like, I'll put my employee into it, and then I'll manage what access they have? And does it API into Amazon so I can create keys and do all of that, or am I missing it?
Marc: No. Yeah, it's across a few things. So, it's everything from… Say you are a company, you have your 1000 employees with laptops working remote, especially in this post-COVID world where that's much more common. So, there's both being able to control what level of access do people have on their systems. Do they have full blown administrator access, which makes the impact of if they were hit with malware. The ability for malware to spread and have more impact is greatly reduced by removing administrative rights and better controlling those rights. So, there's that from the workstation server’s perspective, but the same concepts of things like least privilege; making sure people only have access to exactly what they need to. We have solutions that work with that from a cloud perspective to trying to reel it in. So, it's really from the client server all the way to cloud and everything in between.
Joel: Are people writing BeyondTrust policies that work with your system or is it mostly just all done through an interface?
Marc: Yeah, it’s definitely policy-driven. I'd say in the balance of things, especially for large enterprises, they typically have people and resources where they really — like if it's a Fortune 100 bank, they have teams dedicated to writing very tailored policies on who can do what and how, what's the request and authorization mechanism. And we just do some awesome stuff there.
Marc: That stuff gets me excited. When you look at, for a smaller company that's more cloud native in the sense where they're not trying to run on-prem or traditional servers, in that sense it's more like SaaS cloud infrastructure. There's definitely how do we help do least privilege and things of that nature. And then of course, just the ability for people to be able to have secure remote access to systems and managing the different privileged accounts. It's not always just the company and your own employers at the company — it could be, I need a vendor to be able to get a third party remote access to some critical infrastructure type of system that is like a, I don't know, water filtration pump management.
Marc: There are weird scenarios like that come up. And so, how do you provide them secure access that's audited, recorded, you know exactly what's happening, and it's limited to only what they're allowed to do. So, there are a variety of scenarios that we help with.
Joel: Yeah, there was an interesting issue in Florida where I think somebody left some sort of TeamViewer up at a utility company and they got in through that and I was like, "Oh man."
Marc: Yeah. I'm bad with dates and timelines, but I think it was the first or second time that I testified before Congress, it was about critical infrastructure. And one of the things I was specifically calling out when I testified was about the fact that a lot of water filtration and other utility companies, they were starting to switch and just use every day off-the-shelf software like you mentioned, as a way to control role and manage. And so, there was an example where I was doing a penetration test of a large utility company in California, and I was able to get control of the water filtration system. And so, of course I'm not a water filtration expert, so I was asking one of the employees there, "Hey, this system that I have control to the filtering process, what could you do then?"
Marc: You could obviously at that point do all sorts of nefarious things that would cause people to have to boil water for a period of time and stuff of that nature. And so, jumping to now, I think that was like 10 or 15 years ago when I was both testifying about that before Congress. Pretty much what I was explaining was that sort of scenario that you just described, that happened in a real way in Florida. And I think that highlights one of the challenges: is that it's easy to point a lot of these things out, but again, how do you not just give the right technological solutions. Especially from a leadership perspective, the hardest thing in security is not so much the technical security controls, it's changing culture, right? It's changing business culture, it's changing how businesses operate, how people think about it.
Marc: I know of the things I always highlight is, if you are looking to move into a position of security leadership, you really want to focus on your storytelling abilities. And how do you make the technical controls that you know in your heart is the absolute thing you need to protect the business, but how do you translate that in a way that the business understands, cares, and most importantly, that you're not just being some giant security team roadblock — that you're actually figuring out what the business is trying to accomplish and then, “How do we give them the right safeguards to do what they need to do as a business, but securely,” versus just saying, “Can't do that, can't do this, take this away, take that away,” right?
Joel: That's hard when at first you fall in love with the technology, and then you want to protect it.
Marc: It's the question I ask so many people when they're aspiring to different security leadership roles.Like, all right, but you might be stepping beyond the bounds of some of the technology leadership and into some of the culture, people, change agent type of stuff. And that's one of those, again, you got to know yourself first. Is that the sort of thing you want to be doing? And not to say that you can't be doing both, but there is a level of... You get to a point where it becomes much more about how to change culture and behavior, and less about figuring out some technical security controls.
Joel: Oh yeah. I had an interesting conversation a few years ago with Bryson, he's the CTO at Equifax. He came in after the whole breach thing and his responsibility was to change everything. And he explained to me, he told me all of this. Bryson had to change the entire culture in engineering, because it was a large company, and switch it from just being vendor led and each department buying their own thing and bolting it on, to it being built into the culture at the lowest level.
Marc: That's absolutely it. And the way that it was... That you just described it is the way they go about it. There is no magic five things that you bolt on and you get security, like even as somebody at a security product company. I mean, we're offering a great series of different tools and technologies that you could use as a part of your process and what you're doing, but you still have to have the right processes, the right ideas around how you're going to tailor these things to your business in specific ways. So, absolutely.
Joel: I don't envy him at all having to make that change. I'm just going to find a company that is good at it.
Marc: Some people live for it. Some people are like, "Oh, the culture's this, and it needs to be that." And they live for that sort of change. And again, that's where you just got to be... You got to know yourself and know at what stage you are in your career and what your interests are. Because I think some of those people who get caught up in wanting the next title, or they just feel that they like have to grow up into some different leadership role. I had a good friend of mine that was a SOC manager on a security operations team and wasn't really looking to do other stuff or move into CSO-type work and some of the policy aspects and everything else. He just loves threat hunting and getting into that. And I was just like, "Yeah, you should feel zero pressure on trying to go make that your own. That's the thing you love doing, keep doing it."
Joel: That was a mistake I made many times. Like I would think that people were like me, like anthropomorphism, and I would excite them with things I thought would be exciting. But to them it was stressful. I was like, "You're going to have your own team and the company's going to grow." And then they resign and I'm like, "Oh man. I just stressed this person out who has a kid at home, who's trying like..." At that point in time, that's where their focus is.
Marc: It's a funny thing with leadership where sometimes it's just like, “Well, it's a given, I've given this person new growth...” But is that actually what they want? It seems obvious because everybody wants to grow in this way or that, there's the stereotypes to it all. But I think always asking the first question of:is that actually their interest, and where are they trying to go? And trying to be the sort of leader that's like a good mirror, in the sense that you can hold up a mirror and hopefully reflect back to people. I mean, I could count numerous people that I've hired and gave them their first job in security, and they've gone on to do amazing things.
Marc: And that's not because of me and because I hired them; most of the time it was because I saw something awesome in them, and I just needed to hold up enough of a mirror so that they could see it in themselves and believe in themselves and go down that path, right?
Joel: 100%. We have to identify the next generation, those sparks in people, and then help fuel that fire.
Marc: Yeah, absolutely.
Joel: How did you get the opportunities to testify in front of Congress?
Marc: Good question. So, the first time I testified, it was in relation to Code Red, and so it was very much computer worms — particularly in the Microsoft sense. There had been previously the Robert Morris Worm, many years prior. So I believe that was the first time. And then at the same time, I mentioned from a vulnerability research and vulnerability management perspective we had at the time the largest deployment in the world. Every DOD system was essentially mandated to use my company's software. So, if it was a Humvee driving through the desert somewhere with a server rack on it, it was running our software, Navy ships out at sea, and so on and so forth. And some of the vulnerability research we were doing led to some of the conversations, and I believe the second time I testified specifically on critical infrastructure itself and the risk to the country from that perspective.
Joel: That's pretty cool.
Marc: Yeah. It was a lot of fun. I was actually talking to a friend, awesome author, journalist, et cetera, extraordinaire, Kim Zetter. She did a write up about some of the previous pen test I had done on the water filtration plant, and I was catching up with her at one point and when the Florida hack happened, she was like, "Hey, didn't you say something about something like this? And it was like pretty on the point to description and I think we can always do more to educate and get the word out.”
Joel: Yes. Man, this is great. I want to make sure... Do you have like a book that we can plug? I mean, I know we can say go to BeyondTrust.com, that's the website, right? Hopefully.
Marc: Yeah, BeyondTrust.com.
Joel: For your identity management needs, is that how we describe it?
Marc: Yeah, identity and access security. That's what we do.
Joel: Thank you so much for listening. And if you found this episode useful, please share it with a friend or a colleague who you think would get value from it. And if you have topics that you would like to hear discussed on the podcast, either add me on LinkedIn or send me an email, firstname.lastname@example.org. Every time I get an email or LinkedIn message, it absolutely makes my day and inspires me to keep going.
Jackson Pitts, Content Marketing Manager
Jackson Pitts is a Content Marketing Manager at BeyondTrust, bringing with him several years of content experience within enterprise technology. He holds a BSBA in Business Administration and Marketing. Prior to BeyondTrust, he held various content marketing positions covering topics including cloud, cybersecurity, data center technology, and ITSM. Outside of work you can find him exploring New England and playing the drums.