[00:00:00] CM: Today on Cyber Work, Jason Meller of Kolide and I talk about his time as chief security strategist at FireEye. His early days in one of the best help desk jobs I’ve ever heard of and blue screening his friends in the wild west days of the Internet. That’s all today on Cyber Work. Also, I want to tell you about a new hands-on training series called Cyber Work Applied. Tune in as expert infosec instructors and industry practitioners teach you new security skills and show you how those skills apply to real world scenarios. You’ll learn how to carry out different cyberattacks, practice using common cyber security tools, follow along with walkthroughs of how major breaches occurred and more. Best part is it’s free. Go to infosecinstitute.com/learn or check out the link in the description and get started with hands-on training in a fun environment. It’s a new way to learn crucial cyber security skills and keep the skills you have relevant. That’s infosecinstitute.com/learn. And now let’s begin the show.
[00:01:00] CM: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of infosec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity industry.
Jason Meller is the CEO and founder of Kolide. Jason has dedicated his career to building projects and tools that enable security experts to successfully defend western interests from sophisticated and organized global cyber threats. He started his cyber security and product career at GE’s elite computer incident response team led by Richard Bejtlich, father of modern network security monitoring.
From there, Jason moved to the legendary Mandiant Corporation acquired by FireEye quickly returned working his way up from an entry-level analyst position to becoming chief security strategist. As chief security strategist at FireEye, Jason was responsible for rapidly building products and services with an engineering strike team to facilitate and grow high profile partnerships with key strategic initiatives. So as you know, our MO here at Cyber Work is talk about the career types, all the careers that there are to be had in the cybersecurity world. And Jason has generously agreed to talk with us about some of the different types of positions he held while in FireEye and the ways in which those positions and responsibilities helped to add up to the skills and expertise that prepared him to start his own company.
Jason, welcome to Cyber Work.
[00:02:22] JM: Thanks for having me.
[00:02:23] CM: So how did you first get interested in cybersecurity? Because it seems like it goes at least all the way back to college when you were still working in helpdesk.
[00:02:31] JM: Yeah, keep going back. Keep going back.
[00:02:32] CM: You were working helpdesk while you were still in school. Is that right? What was the initial draw for you even further back than that?
[00:02:39] JM: Well, I don’t know. Have you seen the Pixar movie Soul? That just came out a few weeks ago.
[00:02:44] CM: No. No.
[00:02:45] JM: The whole premise of the movie is really about folks or new souls that are about to be born into the world and they kind of have to get all this education before they actually go out to planet earth. And one of the last things that they need is something called a spark. And for me, computing has always been that spark. Like I go all the way back to like when I was just a really little kid. Like my dad tells me stories that like right before you went to bed, Jason, every night you were always asking, “Dad, when are we going to get a computer? And when are we going to be able to do this with technology and that and technology?” And he’s like, “How did you even know anything about that stuff? Like you were just a little kid.”
And so eventually after asking for years and years and years, cost of a personal computer went down. We ended up buying one. And then I was just hooked, man. I was hooked from day one. I remember just being excited about – And I was really born at a really good time. So I was born in 1985 and that meant right when we were starting to get like personal computers in the homes, that was really the birth of the modern – Well not the modern web, but the early web. ISPs were starting to become more of a commonplace thing. Everybody was on AOL. And then when I hit high school, that was around the same time major events happened like peer-to-peer file sharing. Like Napster happened when I was a freshman in high school.
And then all the way in college, I started college and Facebook started the same year that I started college. And then just as I was leaving out of college, that was when Apple introduced the iPhone, which was a huge paradigm shift for us. So what does an impressionable teen want to do with all this technology to impress their friends? They want to break it, right? And that’s what I devoted my entire like childhood to trying to figure out. I was like trying to do really cool stuff.
And back then that was really easy to do. I mean I don’t know if you remember like the ping of death like. Going all the way back to like the 90s. You could just send someone an ICMP thing and you’d end up actually blue screening their computer. And that’s all you had to do, is just do something malicious like that, or send like a multi-byte character through AOL instant messenger and it would punt them offline or something like that.
So I got my start like really being interested in the fact that even as someone who is just like a kid, I could actually impact these systems. At that time, it was in a very negative way, but it felt cool. Like it felt very powerful in the sense that I had that level of influence just as somebody was just learning, and that was very addictive for me. So I would say all the way right up until I got to university, I spent a lot of my free time just kind of playing around online and learning more and joining IRC channels and meeting other people that were in that position. So that –
[00:05:23] CM: Okay. Go ahead. Go ahead.
[00:05:26] JM: I was just going to say that –
[00:05:27] CM: I was going to say, so were you were you reading books a lot? Or it sounds like you were finding lots. There was a lot of resources even in the early internet there of sort of answering the questions that you were asking.
[00:05:38] JM: Right, exactly. And what was so interesting about these communities of hackers is that they actually built their own training grounds in many ways. Like I remember coming across something called Crack Me’s. And Crack Me’s were like these little programs that were almost educational sense that you were supposed to learn how to circumvent the serial number portion of it. And the goal was to actually teach you how to build cracks for actual commercial software. And I ended up learning a lot of reverse engineering skills like dusting off my knowledge of like debuggers and IDA Pro and learning all those techniques before I even knew what like malware reverse engineering was or anything like that. I was just kind of trying to learn as much as possible.
So yeah, I grew up in a kind of a sleepy cul-de-sac in the southwestern portion of Connecticut, and there weren’t a lot of like resources physically close to me. But on the Internet, there was a ton of stuff. So yeah.
[00:06:36] CM: Yeah. So I mean it sounds like you were you were learning the sort of like attack moves even before like the idea of security is around. Like you said, it was so easy to blue screen a friend’s computer or whatever like that. So can you sort of talk about what the security landscape was like at the time versus how it is now? Obviously there’s a million more sort of resources and defenses to stop pranks and tricks like that and so forth. But like I mean it sounds like it was kind of like the Wild West at the time. Like it was all sort of attacks and no defense or something.
[00:07:11] JM: It really was the Wild West. I mean I ended up later in my career meeting some of the teams that were trying to thwart some of the stupid things that I was doing as a kid. But, ultimately, back then, like it was pretty rare to have any sort of dedicated security function at your organization. And the technology just wasn’t there yet.
I mean going a little bit forward, like going into like the first foray of wireless technology. Remember when Wi-Fi came out. Well, the best encryption that we had at the time was WEP, and that was cracked within I don’t know a few months of it coming out, and you just didn’t have this expectation that you could keep really anything secure from even someone who was mildly motivated to take it down. And that really was the trend up until I left university.
But when I started university, that’s when things really changed for me. It was during this time period very much the Wild West where malware really started to impact the Windows computing platform significantly. This is really when you saw a lot of spyware that was ad written and you’d get these computers that had like 800 toolbars on them and they were slowed down. And that’s sort of when I started university. It was right around the time Windows XP was starting to become a little bit more mature and they just introduced like a security center and things like that. But ultimately we just had all these students just coming on campus and their computers were just loaded to the gills with viruses.
And I had always found a lot of joy in fixing things. So I signed up to be the student for the student help desk. And they just threw me right into the fire of, “Okay, everybody’s coming on campus. Let’s get their computers in a position where they can connect to the network and we’ll go from there.” And it was a really crazy time, because for whatever reason, our shop really was trying to push like an educational component to this. It wasn’t like a normal IT shop where you get the computers in and then you just reformat them. You would actually get the computers in. And our job was to figure out what was going on with the device and see if we can like manually remove the malware, which takes like 10, 20 times longer, but I loved it. It was great trying to figure out, “Okay, does this device have a root kit? How is this device being remotely controlled by another party?” And we got to figure all that stuff out.
And I was joined by a ton of really smart people that showed me all sorts of tools that I had missed in my own sort of earlier self-education and really became passionate about that. And it was great practice because it was a time period where malware was just all over the place. You were more likely to find a Windows machine with malware than without, and it was just a great place to sharpen my knife so to speak and then get some real I would say good, like practical expertise that ended up paying major dividends once I decided to really take the jump from a career perspective later on in my life at GE.
[00:10:07] CM: That’s interesting. Yeah. I was going to say that when we hear a lot of people say I’m stuck in a help desk position or I don’t know how to get out of help desk into something more substantial or whatever. But it sounds like such an anomalous version of the I’m in help desk story in that so many the sort of the stereotype, that IT crowd stereotype, is have you tried turning off, turning on again? But like rather than – Or like you said, just like completely scraping it clean and starting over or whatever. But it’s interesting that they – Why do you think they specifically were so dedicated to saying like, “We’re going to do this right. We’re going to sort of like tweeze out all of the malware that’s in here and we’re going to sort of preserve the integrity of the computer.” Rather than just saying, “Well, you screwed up. We’re starting over.”
[00:10:51] JM: You know, I’ve thought about that a lot and I really have no idea, because –
[00:10:56] CM: Okay. So you’re just lucky. Yeah.
[00:10:57] JM: Is this perspective? It makes no sense. We’re going to spend 30 times longer to resolve this computer just so that the student doesn’t have to reformat. When reformatting was likely the best way to move forward from there. It really made no sense.
[00:11:12] CM: It’s pretty easy too. It was easy and fast at that point. Yeah.
[00:11:15] JM: Yeah, a lot easier, a lot faster. So I really don’t know why. I imagine that they felt maybe some level of obligation because we were students. We were going to the university. And it was sort of there was an educational component to it, but that’s just me speculating. It really makes no sense at the end of the day, but it was a lot of fun. And I ended up learning so much. And it was at that time period, like that very perfect time period where the malware just wasn’t sophisticated enough where someone coming in with no skills at all was just going to be totally lost. Like I would imagine might be the case today. But there was enough sophistication there where it really grabbed me from a perspective of, “Oh man! I got to spend all night figuring this out, because this is really cool.” Like there’s an IRC channel that’s controlling all these devices and I can see all the other computers that are infected. Like these are the types of things that like I was just like crazy for like I’d never wanted to leave work because I just found it so fascinating.
[00:12:13] CM: Now, my next question was going to be how you made the transition from help desk to cyber threat analyst for GE. But it sounds like my idea of what this was going to be was, well, I was stuck in help desk, but I studied in the evenings or I crammed and learned things on the side. But it sounds like you really had your entire sort of like education. So like how much harder was it to transition from this unique help desk position to cyber threat analysts for GE? Were there still things you needed to learn and sort of get caught up on?
[00:12:43] JM: Well, it was interesting because I didn’t go to school for technology or engineering or anything. My dad was pretty staunch at you’re going to school for business just like me. And I ended up graduating with the most technical business degree that I got, which was like management information systems and business administration.
And for whatever reason, University of Connecticut, because GE was headquartered in Connecticut at the time. They had a really good relationship. And so they had a pretty large recruiting program and they quickly identified me as someone who should join their information management leadership program, IMLP.
And that program is very much – It really had nothing to do with security. And I didn’t really have the sense that I could do this for a job. This was 2006, 2007. And while, yes, I was aware that there were IT/security jobs out there, I didn’t really know if that was really a career that I could pursue. So I started on more of like a project management business administration type of track and started at GE. And I did the entire program there. So it’s two years, six-month rotations. I ended up going all over the country. I ended up going to China for a little bit. And they really just kind of throw you in in terms of, “Okay, you’re going to move here. You’re going to go to Cincinnati, Ohio. This is where we build the jet engines.” “Okay, now you’re going to Alpharetta, Georgia. This is where our data center is. You need to do a project to shore up our whole backup system.” “Okay, we’re going to the Fairfield headquarters.” “Okay, we’re going to spend three months in China to learn a little bit about the research and development areas there.” So they really just throw you in. They try to get you as much experience as possible and try to turn you into what they call like a future GE executive. So it’s kind of like getting your MBA without actually going to a school. It’s like really getting it tailored to a specific executive track in the organization.
So I was finishing that program up, and the last rotation I had was with a group called HR Systems. And they ran all the HR products inside the company and all the technology to support the really large HR team at GE, because at the time it’s like 300,000 employees total, like it was a pretty big function within the company. And I remember the director was really trying to convince me to take a full time like off – Now I was leaving this program and they really wanted me to stay on as a project manager.
And I remember just thinking to myself, “Man! I don’t know if I really want to do this.” So I ended up kind of just poking around internally. And this was right towards the end of 2009, early 2010. The financial crisis is now like starting to rear its ugly head. And what GE had done was they had actually bought some buildings from a Ford supplier out in Michigan and what they were trying to do is build like a technology hub out there. And one of the folks that was really looking to build up a team was this guy named Richard Bejtlich. And what I didn’t know at the time was that GE was going through a pretty significant incident where they were being essentially attacked by what we now call today like APT1.
And, essentially, Richard, who was hired a few years prior to that was trying to build a computer incident response team in the organization. And this Michigan opportunity allowed him to really expand the team. So I didn’t really know anything about the stuff. I didn’t know about like advanced threat actors. I didn’t know about nation states trying to exfiltrate like intellectual property.
So I ended up meeting with someone who connected me with Richard, and he was really just looking for people who just had like network security monitoring experience and folks who knew a little bit about security. So all like the work I did at school formally, all up to that point just pooped right out the window and I just ended up interviewing with him and just talking about all these things that I did at this help desk. And he had other people on the team who were really smart, who knew a lot about like malware reverse engineering and they were like quizzing me like, “Okay, what port does this map to?” And like, “Okay, what tools did you use for this?” And I had all the answers because it was just a part of me. And I ended up doing really well.
And one of the things that I realized they wanted me for was I was sort of this weird hybrid person where I had sort of the polish of the executive GE program and I could guide them because they were just sort of foreigners in a foreign land. They were these like really high-end security experts, but they had no idea how to navigate the politics within the organization. And so they saw me as sort of like this hybrid breed of, “Oh, this person gets it from a technology perspective, but he also can help be an advocate for us at like the leadership level so that we are really putting our best face on this whole thing.”
Because a big part of computer incident response isn’t just the technology. It’s about positioning it within these large organizations. It’s going to the leadership team who’s obviously very interested in terms of what their exposure is and really talking about that competently in a way that they want to hear it. And that was something that I realized I could provide for them. And then I joined the team. So I moved over to Michigan, and that’s when I really started I would say like the formal part of my security career.
[00:18:02] CM: Yeah, that’s something we bring up a lot on the show, is the importance of all the soft skills around cybersecurity. And the big one is advocacy and communication and the ability to – And I guess for non-tech people, there’s not always this understanding. But for a lot of people who are that deep into cybersecurity, like your head is so far up into this machine and this problem or whatever that it’s hard to sort of like pull out and sort of explain it to the rest of us. Like what are you actually doing? Why do you need this much more money? Why do you need this much more access and things like that? So do you think that was part of the MBS program that you did that gave you that soft skill and that competency or was it just something naturally part of you or some combination?
[00:18:48] JM: Yeah. I think that – Well, first of all, Richard who I mentioned earlier who led the team, who’s the director of the computer incident response team. He really – The thing that I was really fortunate with having him as a leader is that he was very opinionated and I think he had a lot of opinions that back then seemed very contrarian, but now are now considered the default perspectives that you should have, like compromise is inevitable so you should prepare for it. That was like a huge one that I learned from him and later on from Kevin Mandia, the president of Mandiant.
And then really trying to reframe discussions, because when you get hacked, especially if you – Because we were talking with like the CEO of GE, Jeff Immelt at the time, or Gary Reiner, who is the CIO, and these are people that are incredibly intelligent, yet I’m here. I’m like in my early 20s and I’m trying to like brief these people on something that could potentially totally disrupt their business, could become a headline if it goes out of control.
And so what’s interesting though is that Richard had like really good expertise when it came to, “All right, going to ask these types of questions. Like I’m going to anticipate,” that they’re going to really care about the who versus the what and the actual metrics associated with this. So let’s like really point them in that. Because when someone hacks you and you don’t have a lot of experience being hacked, your first reaction is you want to know everything about the person or the group that does that, and that’s not always should be your top priority. It’s really actually containing the hack before you really dive into the threat intelligence aspects of it. And so I learned a lot about just sort of reframing discussions in that way, and then they got it right away. And what was really cool at GE was Gary Reiner, who I mentioned earlier, the CIO, he heard us and he was like, “All right, metrics are really important here,” and GE was a very metrics-driven organization when I was there. It’s like we are going to commit to every severity one incident. We’re going to go from detection to containment in one hour and we need to build a whole system. And that’s fine. Like if anyone violates that, if you detect the SEV1 incident and we can’t get containment on that asset within an hour, then that’s going to actually filter up all the way to me and I’m going to have to talk to that group that wasn’t able to attain that. So that was huge that he was able to get that. And big reason we were able to even arrive at that edict was the leaders and the mentors that I had there helping us all of us working together to guide them towards that.
[00:21:22] CM: So I want to jump from there to one of the superstar companies you worked for. A lot of people are excited to hear about your time, your three years with FireEye. You moved up pretty quickly to chief security strategist. And want to eventually talk about the steps you took along the way to get there. But first of all, what did you do as a chief security strategist? We want to know about interesting job titles that people are aspiring to. What was your day-to-day work like as a chief security strategist? What were your tasks, responsibilities?
[00:21:53] JM: Yeah. So I made my whole career at Mandiant and then FireEye, because Mandiant ended up actually being acquired by FireEye through just being able to combine really quick engineering iterations and being able to push out products with a very small set of resources.
So the reason why I rose so quickly within the organization was that I could come up with a new idea or a thing that we really needed an existing department. And Mandiant is a company that sells software. So if we were able to come up with a new product or an existing enhancement, an existing product and build it with very limited resources, sometimes it was just me, and then that would net out a new product line, new source of revenue. Then that’s something that the company is going to reward over and over again.
And I was so good at that that we ended up really building like an engineering strike team around me. So I would get like three or four people that I hand-picked and we would sit down and we would be the team that you would call upon if let’s say we had a huge partnership and we needed to – There was a technology component to it and, okay, we’re going to be doing the whole press event three months from now, “Jason, you’re starting from zero. Let’s get it done.” And so that would be my job, it’s like, “Okay, we’re going to figure out what this partnership means from a technological perspective. We’re going to get all that technology done and we’re going to be able to do it faster than anyone else in the organization can do it.”
So my whole thing was like trying to be as nimble as possible, apply agile methodology because a lot of the things that I learned in tandem with my cybersecurity skills was software engineering. I really loved building web applications and things like that, and those were skills combined with my love for security, combined with some of the executive training that I had. Those are all assets that I was able to leverage together where I didn’t need like a lot of people around me to be able to build something that really moved the needle within the company. And they were able to see that and then they kept throwing opportunities at me and we kept on delivering and that was really where I ended up finally reaching chief security strategist at the organization.
So it’s interesting because they gave me that title because it was a cool title to have, but they really didn’t know what to do with me in terms of like layering me into an existing department. I really wanted to be independent and focus on problems that I knew I could really move the needle on. And they afforded me that opportunity, because obviously there was a huge benefit for them. But over time I realized that I’m doing a lot of the work here. I think I could probably do this on my own. And that’s when I really started thinking about striking off on my own and founding Kolide and things like that. But that’s why I was in that role specifically.
[00:24:39] CM: Yeah. Can you talk about how your working methods in a solo situation versus in a team like that? Like how did you sort of find out that being independent sort of afforded you more freedom? And what were the sort of like benefits and disadvantages of sort of like a team function versus a solo function like this?
[00:24:57] JM: Yeah. So what’s really nice when you’re working independently is that you have control over really the vision, how that vision actually plays out in terms of how it’s implemented from a technology perspective. And then if you’re good at coding, you have the ability to actually make that thing come to life. So I’m not perfect at all those things, but I knew enough of them where I could get an idea from my head down to paper. Do a formal presentation in front of leadership and then actually say, “All right, I don’t need any resources to actually get this to the next level. I don’t need anything.” And like that’s so low risk for them, like they’ll let me really kind of go after any R&D project and then boom! We have something that is probably 80% of the way there in terms of is this shippable to a customer? And then we would just call upon two or three additional engineers, take it to the final 20%. But that’s really was a culmination of my entire life skills like all coming together.
And that’s the thing that I would say to folks who are trying to make sense out of my story like, “How does this apply to me?” Is that when you enter a burgeoning field like cybersecurity, it’s really important that you try to draw upon unrelated talents that may not be exactly the right fit for being a security analyst. And can you actually add a new superpower to the organization they have because you have this extra skill? And because even today I would agree this is true, like cybersecurity and infosec, they’re still burgeoning fields. There’s probably a lot that you can do by bringing in another skillset, whether that’s graphic design, whether that’s marketing. Whatever it is, you can be a support person to take the folks that really want to get their hands dirty every day and make them smarter and better. And that’s why I really gravitated towards building products, because while I did this stuff as a kid and I really liked reverse engineering malware, there was always someone better than me at it. They would be able to do it 10 times as fast or they were even more passionate than me. And I realized that I got more out of it building tools for them to make them more powerful and smarter and better than for me to try to compete with them or assist them. Like that was my superpower that I could add, and that’s what naturally led me to joining companies like Mandiant that have a whole product organization. I knew I would do well there. And that would be my advice to the folks out there, is think about the things that really make you special and that you’re passionate about and can you come up with a way of combining that plus infosec together and really be a unique character in the organization?
[00:27:31] CM: That’s awesome advice. I hope everyone double underlined their transcript or put this particular section into highlight, because yeah I think this is the breakthrough. You hear a lot of people say, “Well, I don’t know how to sort of break through to the next step or whatever.” And most of us have some other thing that we’re good at or interested in that’s not necessarily security related that can be applied. And you made some really good examples there, graphic design, or marketing, or speaking, or mediation or what have you. And I think those are all – And do you have any sort of advice for sort of if you maybe have kind of a calcified department who isn’t necessarily looking for new and exciting changes of sort of pitching them on, “Hey, there’s this extra thing I can do and I can make the team better for it.” Do you have any thoughts on that?
[00:28:20] JM: Yeah, and it may be a little bit hard to swallow, but leave if they’re calcified. Leave. And that’s easy for me to say because it worked out, and I know that’s scary right now for folks who are thinking about their careers and they’re just grateful that they have a job in COVID-19. And that can be challenging. But ultimately that’s going to net you the most career momentum is moving jobs regularly. And it’s hard because you want to be loyal to the organization that believes in you, that’s giving you this opportunity. But at the end of the day, it’s on you to seek out the right leadership teams and the folks of who’ve ever been not satisfied with a role. And it’s time to look. And you’ll find that all the anxiety that you might have about that change ends up just melting away as soon as you land that interview and you nail that interview and you end up landing that job and you meet the new leadership team.
But there’s been – Like if I had stayed at GE, which it felt crazy to me that I was going to leave GE for just – At the time, Mandiant was like a little bitty startup. They had less than 100 people. They had just gotten like their first round of VC funding. That was a huge risk. I was moving from Michigan to D.C., and it ended up being the right move. And then I actually didn’t stay at Mandiant full time. I had like a little foray and like my own startup before Kolide, and that didn’t end up working out.
[00:29:41] CM: Is that Threat Stack?
[00:29:43] JM: Yeah, that was Threat Stack, which I learned a lot from that. But ultimately I ended up coming right back and then seven months later I believe. And then I was at Mandiant and then they got acquired by FireEye. So it’s important that you explore. And then if it doesn’t work out, if you’ve done a good job, organizations are pretty good about it. If you were a real talent, a real resource, they’ll take you back.
Yeah, I mean the other thing I want to acknowledge is that I was also very lucky and fortunate. I was fortunate that I had parents that were supportive of me and really having me be focused on technology, like they bought me that computer. They would encourage me to spend more time on it. So that was huge. And getting lucky with my university, that help desk. Like that’s my luck. And the fact that I kind of look like a lot of the folks that are in this industry right now is also helpful. And I can understand that if you feel like you’re not in that same realm from a luck perspective, it can be tricky. But ultimately it’s on you to prepare yourself to meet the opportunity when it arises.
So if you are passionate about the stuff and you do take the time to learn as much as possible, that was my moment with Richard on that call where he was interviewing me. None of my actual university skill set really mattered there. It was all about my passion for the space and the things that I have taken the time to learn myself. And that is really what opened the door for me. If I had failed in that moment, I would have had a completely different life.
[00:31:09] CM: Yeah. I want to sort of put a framework around your sort of obsession with learning and so forth, because maybe not everyone is, as you said, inclined to think about this 24 hours a day and stuff like that. And, again, because the landscape has changed so much and there’s so much more sort of such a larger bedrock of knowledge that you need to have to sort of even enter the security space now and there’s the whole sort of churn of every six months half of it becomes irrelevant as technology updates. Do you have any combination of projects or independent learning or focus study or certifications that you recommend to people who are just getting started in the industry now? I mean obviously we can say follow your obsession and so forth. But are there any sort of like practical signposts that you think are especially good for people in this area?
[00:32:00] JM: So I think that there’s a whole segment of cybersecurity that has not even been explored at all. It’s completely greenfield and it’s really the psychology of cybersecurity as it relates to the end users. And this is what we’re exploring at Kolide today is this idea of honesty and security and can we build great relationships between the end users that are actually using the technology and the security team that’s designed – They’re there to defend the organization.
Right now they have a terrible relationship and it’s because the tools that they’re utilizing, they feel a lot like going all the way back to like that Spyware. They do a lot of the same things that Spyware does, like these endpoint detection and response or remediation capabilities. And the thing is that that relationship is actually really, really important. You’re not going to be able to automate all the things that you want to do from a compliance and security perspective just using technology. You need to educate end users.
I think a perfect example of why – A perfect signal at least that this is sort of a problem right now in the industry is I don’t know if you saw that GoDaddy phishing thing that happened at the end of last year.
[00:33:13] CM: Yeah. Yeah.
[00:33:14] JM: So this is an example where you have a security team within the organization and they’re mandated to let’s do our best to defend the company.
[00:33:24] CM: Yeah. Get the real most realistic attack possible. Yeah.
[00:33:28] JM: Right. Exactly. And so for the folks who didn’t see that news article, they sent out a phishing campaign that really was about, “Hey, we can’t meet this year because of COVID-19. But just as like a thank you for all the work that you did this year, here’s like a $600 bonus. If you click this link you’ll get the bonus and you just fill out your information.”
And so folks click the link and as soon as they did that, like maybe a week or so later, they got an email letting them know that there was no bonus. Actually now they fell for some internal spear phishing training simulation and now they need to take additional training because clearly they can be tricked into clicking any link. Now this is a perfect example for me of like just not getting the whole empathy aspect of reaching out to end users.
Now, are these folks really going to be like, “Thank you, security team. We really appreciate the fact that we’re stressed out financially and now I’ve clicked this link and now I feel great about taking the spear phishing training.” Absolutely not. You’ve now taken that person and made them fearful of the security team. They don’t trust them anymore. And they wonder really what benefit are they really adding to my day other than humiliating me in front of my peers.
And then when this article came out, there was thankfully a good pushback from I would say the community that said, “No, this is wrong.” But there were a few people out there that were saying, “You know what? Actually this is the good thing to do because the attacker can do this as well.” And I just fundamentally disagree yeah with that notion.
So getting back to my earlier point, because there are no really good rules of engagement between end users and the cybersecurity team in terms of dealing with things that are really private or asking for informed consent before accessing certain data on the device, I think there’s a whole area to explore there. And if you’re someone out there that really feels like you’re an empathetic person, you understand how people feel because you are an end user yourself. I think that there’s going to be opportunities to really explore that, because, in my mind, the end users are one of the biggest untapped resources for the security team. They are the eyes and ears of the organization. They can be the ones that can tell you where the real risks actually lie. We’re not talking about these boutique nation state threat actors. We’re talking about the things that they do every day that put the company at risk. But because they don’t have a good relation with the security team, they don’t feel compelled to raise them because nothing is going to be done. I think that that problem can be solved. We’re going to create a whole new avenue for securing an organization that just wasn’t possible before.
So if you’re good at psychology, if you’re good at – You’re just empathetic. If you understand like the human component of this really well. These are the folks that I think can really benefit from really exploring these avenues, publishing articles and stories. And because I think this is going to be a thing, and it’s certainly something that we’re pushing at Kolide.
[00:36:31] CM: Okay. So I want to talk about now that you’re a business owner and you’re doing the things you want to do in the world, can you talk a little bit about what role maybe that veteran cyber security professionals can or should take in helping aspiring new startups or security professionals? Because we talk a lot about the skills gap on the show and we talk about a lot of solutions coming from HR. Not looking for unicorn candidates or security departments, looking for diversity and things from the tech sector. Do you think there’s anything that security veterans can provide in terms of direct action or example that could tamp down the talent shortage?
[00:37:12] JM: Yeah. I definitely agree that there’s always been a talent shortage in our industry and it doesn’t feel like it’s getting any better despite the amount of investment in education. And I’m not sure why that’s the case. Part of me feels as though we have built such a closed technological ecosystem that when people are in the prime years of their ability to learn and grasp new information, and I’m talking before high school. Instead of dealing with systems that are wide open and you’re encouraged to really look under and really understand how they work, these things are like your iPhone, right? They’re totally closed and they don’t break, but you don’t really know anything about them. And that I think stymies that early learning opportunity.
So like as a parent, as a new parent, as someone who’s thinking about this as well. How can we you know build the next generation of folks who are passionate about this? I think back to my own experiences, how can we create systems and opportunities like the Raspberry Pi? Open systems like that where people who are passionate about building real things and bring them into the world, they have opportunities to do that. So I’m a huge supporter of early intervention education. Like going all the way starting from elementary school, middle school, magnet schools that really kind of push. I taught a couple of years of hacker high school in a magnet school in Hartford, Connecticut. And these are just really bright kids. And as long as you have a program there that can really inspire them to really take those first steps, then I feel like we’ll be okay.
Going back to like as a business owner, what are the things that we look for? Well, we’re looking for folks who haven’t lost that spark that I talked about earlier. We see a lot of veterans in the industry. And I see a lot of cynicism and I see a lot of folks who just feel like they feel stuck because they’re doing the same things that they’ve been doing. I encourage folks out there that feel like they’re in that rut to not feel compelled to move into like a leadership role if they really don’t think that that’s good for them but they feel like they need to have this upward momentum. Continue to explore your domain and just find newer areas in that domain that I think can maybe reignite that spark and maybe diminish some of that cynicism. Because when I’m hiring folks, I’m looking for people just as passionate as I am. And we can sense that maybe this is someone who has had too many times that an organization where they just – As you said, that it’s like a calcified leadership team or they’ve been told like they’ve done something really good and they ended up like trying to bury it because it’s like not a good PR moment for them because they found a security incident. Those are things that are good examples of like toxic organizations that it’s good to get out of there before you lose that spark within you. And I encourage you to try to do whatever you can and there was a reason why you entered this field. Continue to look for it and find it. And I know as we all get older, we have more responsibilities. We have children, we have family, but always carve out a little bit of time because it’s important to keep sharpening that knife.
[00:40:24] CM: Fantastic. That’s a great way to wrap up. I want to ask you as we wrap up today about Kolide itself. Tell me about your products. What you do? What you’re proud of? What projects you have on the horizon that you’re excited about?
[00:40:38] JM: Yeah. So Kolide was founded on a principle of bringing this idea of honest security to teams that are really looking to build up that relationship between the end user and the security team. So we’re a completely new product. Like it doesn’t exist out there. We’re not a category that you can map on the Gartner chart or anything like that. So for folks who are interested about honest security, I wrote a little – I would call it almost like if books were albums, this would be like an extended play. Not a total LP. It’s called honest.security. That’s the whole domain. And it really explores some of the things I was talking about earlier around having good empathy for end users and things like that. So that’s the North Star of our company, is honest security.
And so from there, the goal was can we build a product that allows organizations that don’t have the time to build the tools necessary, to build up this relationship? And that’s what Kolide is. So Kolide is right now for teams that Slack. And we basically use an open source endpoint agent called Osquery. It installs on Mac, Windows and Linux. And then from there, we build up an inventory about the device and then we help companies check that device for compliance and security issues. Instead of fixing them for them, we actually reach out to end users on your behalf and teach them about the aspects of the computer that aren’t set up properly and actually walk them through it step-by-step. And this is all happening within Slack and they can click a button and verify that they did it right.
And the goal here is twofold. Number one is to give folks the ability to have a little bit more agency over the devices that they have. So instead of locking them down in this secured state. Can we give them the agency to make better choices for themselves, but educate them at the same time so that they can do that? And if you’re someone who’s maybe been a little bit I would say burned or maybe a little bit cynical from an IT help desk perspective and you’re like, “Users aren’t going to be able to do that.” I would say you’d be surprised in terms of how well that they can actually make good decisions for themselves if you invest the time in educating them. So that’s part one.
Part two is really all about actually helping teams figure out their whole compliance, I would say program. So the idea here is, again, can we get folks to fix these problems? And then if they can’t fix those problems, let’s lock them out of the systems and then give them a real good opportunity to understand why they’re locked out and then maybe even opt in some additional device management. Like if you’re really bad at installing your own updates and you’ve shown that over time, well, let’s give you an opportunity to opt in for some additional updates. And that’s a person now who’s not like cursing out the IT and security team. They know that they have the opportunity to manage their own device, but they just don’t have the time or they don’t want to. And now they’re the one that’s making the decision to opt in to additional management. And that’s a lot different than pushing all this management and all these security agents down there.
And the thing that we practice is transparency and really thinking through privacy. So all of our customers and our end users that are using our agent, they can see exactly what we’re collecting on the device. They can object to certain information that’s being collected. They can put their device in private mode. And this is I think the next generation of security technology for a post-COVID-19 world where we’re all now taking our technology at home. We’re surrounded by our family. We feel a little bit different now than we did working in that cubicle in the office for a device that was provisioned to us. Like just the terms of engagement have changed. So let’s build technology to really I would say respond to the culture changes that we’re seeing in society due to the pandemic.
[00:44:25] CM: Yeah. I mean that almost opens up a whole other conversation. But yeah, I know there’s so much sort of anxiety around having your sort of work stuff in your home life and the sort of like porous work-life wall between the two and so forth like that. So I think that sounds really great. I was going to ask you a little bit about that helicoptered security where the company appears to sort of be sort of watching your every move without your knowledge. But it sounds like this is a sort of thing that is trying to directly address that issue, which a lot of people I think are just taking for granted. Is that right?
[00:45:00] JM: Yeah. And we’re seeing a lot of I would say popular solutions out there. I won’t name specifics, but they’re out there and they’re now struggling where they weren’t struggling before to actually get their endpoint agents deployed across their company, because people just feel differently about it. It doesn’t feel the same when you’re now using the company’s computer to do everything. Like you open up – If it’s a Mac for instance. Like you open up iPhoto on your company’s computer. Your kids show up. Like that feels different, because you’re using this computer for everything and it just doesn’t feel like, “Oh, I’m going to give just blanket access to this. Like I feel like I might have some rights here. What are they?” And the reality is that this is a whole area that has not been explored at all. And it harkens back to the thing I was talking about with GoDaddy and all this other stuff. Like we just have to figure this out as a community and as an industry, and Kolide is there to try to figure this out. It’s like one of the first commercial products that’s really trying to take endpoint security and bringing it within the honest security space.
[00:46:06] CM: This has been a blast, Jason. And this hour has blown by. But I’ll just wrap up here with one last very, very important question. If our listeners want to know more about Jason Meller and Kolide, where can they go online?
[00:46:18] JM: Yeah. So you can follow me on Twitter @JMeller. I would encourage everybody listening to this today, if you’re going to do one thing, look at honest security and that’s honest.security. That’s the whole domain. Give that a read. And if you’re interested in learning more about Kolide, just visit our website at kolide.com, Kolide. And you can follow us on Twitter under the same name.
[00:46:41] CM: Awesome, Jason. Thank you for joining me today on Cyber Work. This is a blast.
[00:46:44] JM: Thank you for having me.
[00:46:46] CM: And thank you all as always for listening and watching. New episodes of the Cyber Work podcast are available every Monday at 1 p.m. central both on video at our YouTube page and on audio wherever fine podcasts are downloaded. And don’t forget to check out our hands-on training series titled Cyber Work Applied. Tune in as expert infosec instructors teach you a new cybersecurity skill and show you how that skill applies to real world scenarios. Go to infosecinstitute.com/learn to stay up-to-date on all things Cyber Work.
Thank you once again to Jason Meller, and thank you all for watching and listening. We’ll speak to you next week.