General security

Interview: Dr. Engin Kirda

June 17, 2015 by

Dr. Engin Kirda is the Co-Founder & Chief Architect of LastLine and research professor at Northeastern University and the director of the Northeastern Information Assurance Institute. Before this he has held faculty positions at Institute Eurecom in the French Riviera and the Technical University of Vienna where he co-founded the Secure Systems Lab that is now distributed over five institutions in Europe and the U.S.

Dr. Kirda's research has focused on malware analysis and detection, web application security and social networking security. He has co-authored more than 90 peer-reviewed scholarly publications and has served as program chair of RAID, Eurosec, USENIX and other leading security conferences. He consulted the EC on emerging threats and gave a U.S. congressional briefing on advanced malware.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Dr. Engin Kirda1. You're considered an IT thought leader with a particular interest in cyber security. Why is the cyber security space an area of interest for you?

A: I like working in cyber security for a couple of reasons. First, it is an area that has a lot of potential for impact for a researcher. That is, if you come out with smart solutions, you can see them be deployed pretty quickly. For example, the Anubis malware analysis system that I was involved in building became very popular in a short period of time, and also led us to found Lastline. Second, the problems in the space are real. Hence, the research work we do is simply more fun because we know that we are working on important issues. Third, I like the intellectual challenge in this space. The attackers evolve and they are smart. So we constantly need to adapt our solutions and always keep the adversarial thinking in mind.

2. In your opinion, are businesses as knowledgeable about cyber security issues as they should be?

A: No. Unfortunately, we are not there yet. I would say that the situation is better in terms of awareness compared to, say, a decade ago. But the threats are more widespread and hard to stop than they were a decade - or even a year - go. Right now the biggest challenge we face is a shortage of cyber security professionals. Despite the broader awareness of enterprise security issues, we need more talented and knowledgeable employees in the industry who understand the current threats, and can effectively deal with them.

3. What actionable steps can you recommend for businesses that want to build a corporate culture that includes cyber security awareness?

A: I think training and workshops are helpful. Many of the attacks we see today are based on software vulnerabilities, often in combination with some sort of social engineering. Some of these attacks are complicated, but studies (including some of the ones that I've conducted) show that many of these attacks and vulnerabilities are actually simple in nature and can be avoided with awareness.

I also think that it is important to assess the solutions that are currently being used in a company. For example, antivirus solutions are still useful today, but not as effective as they used to be in the past. Nearly all businesses need to go beyond a "set it and forget it" signature-based security system to include a layered set of defenses and security professionals whether they are in-house our outsourced.

4. What are some of the negative consequences that can arise if companies find themselves on the receiving end of a cyberattack?

There are many negative consequences. Probably too many to list. The most common ones are financial damage, loss of face and reputation, liability problems, and loss of customers. Of greatest concern are companies where a cyber attack might cause physical harm to people or damage to critical infrastructure like energy, water or transportation. Thus far, the vast majority of attacks result in significant financial losses -- both directly and indirectly.

5. In addition to being the chief architect at Lastline, you're also a cofounder of the company. What was your rationale for starting up Lastline?

As a researcher and a professor, I had had quite a bit of impact with my research. We had built security tools that many people were using, and we wanted to make these tools accessible to more people to have even more impact. Lastline has allowed us to build and bring to market novel and unique technology, and has allowed us to focus on some of the very interesting cybersecurity problems out there today. We're now applying our research in a business environment, and creating a sustainable source of security innovation that quickly transfers to real world applications. It's like we're working with the wildlife instead of mainly observing it.

6. What specific hard and soft skills do you need to be successful at your job?

I am a computer scientist. This involves understanding technology, decent coding skills (at my level), and understanding the problem space really well. Understanding current attacks and knowing what the attackers are doing requires some experience. However, it is definitely not black magic, and most of the attacks and tricks we are seeing out there are not super surprising. In terms of soft skills, I need to be able to manage people too. And that requires some understanding of what motivates people, and how to manage projects, time and human resources effectively over the long-haul.

7. What does your position as a research professor at Northeastern University entail?

I am a computer science professor. I do research in cyber security, mentor and graduate Ph.D. students, and I teach graduate and undergraduate courses on computer security. In these courses, I teach students "hacking" skills so that they know how most vulnerabilities happen and so that they can protect themselves -- and eventually protect others.

8. Somehow, you also find the time to serve as the director of the Northeastern Information Assurance Institute. Why is it important for you to occupy this position?

I have an academic background. The institute allows us to promote cybersecurity research and education. I find both of these areas critical in the fight for making the Internet a safer place in the future. Hence, I'm happy to do my share.

9. In the past, you've served as a consultant to the EC on emerging threats and delivered a U.S. congressional briefing on advanced malware. What cybersecurity threats should businesses be particularly wary of?

I think industrial espionage using advanced malware will continue to become a bigger problem in the near future. I think governments and businesses need to be wary of this possibility.

10. What sort of advice would you give a college or university student who wants to get into the IT space?

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Code. Code. Code. Coding and systems skills are critical if they want to work in the security field.