Ep66 – ft. Alex Ionescu
[00:00:01] Announcer: You’re listening to Cyber Security Inside, a podcast, focused on getting you up to speed on issues in cyber security with engaging experts and stimulating conversations. To learn more, visit us at intel.com/cybersecurityinside.
[00:00:40] Tom Garrison: Hi and welcome to the Cyber Security Inside podcast. I’m your host, Tom Garrison. And with me is my co-host Camille Morhardt. How are you doing?
[00:00:49] Camille Morhardt: Hi, Tom, I’m doing well today.
[00:00:51] Tom Garrison: Well, we have a very interesting topic today because as we were talking, we started discussing how our view of what is important information, how it changes over time. And we have a guest today who formerly worked at CrowdStrike. He’s now moved on and we’ll introduce him in a minute; but he’s got a great set of stories and experiences that help us understand how the way we think about personal information today, or privacy today, may look very, very outdated in just a few years from now. I thought it was fascinating.
[00:01:32] Camille Morhardt: Yeah, I did too. You kind of brought up the point that when you were in school, you used your social security number as your student ID. We all laughed and then, you know, he mentioned that actually, that wasn’t a problem maybe back then, but you couldn’t do much with the social security, but now the world has changed. And so he got us starting to think about what are the kinds of personal information that we may put out there or make available because today it’s not a problem. Nobody can do anything with it. But what about in 20 or 30 years, you know, and really building that threat model, looking forward to future use cases when we think about privacy today.
[00:02:12] Tom Garrison: Yeah, it was definitely one of those moments where we were just sort of talking and not really expecting to get our eyes open to a brand new subject, but it happened to both of us. And I think everyone listening here will probably have the same sort of experience. It starts to make you think, well, maybe what I’m doing today seems really innocent and there’s no problem with it, but will I regret this years down the road?
So what do you say we get right to it? Camille
[00:02:39] Camille Morhardt: I’d love to.
[00:02:44] Tom Garrison: Our guest today is Alex Ionescu. Alex is a founder of Winsider Seminars and Solutions Incorporated and the previous VP of Endpoint Engineering at CrowdStrike. He is an experienced executive, author and computer security expert with two decades of experience in OS development, Windows internals, and kernel programming, and five years of experience in ARM embedded hardware architecture and kernel development as part of the iOS team. So welcome to the podcast, Alex.
[00:03:16] Alex Ionescu: Thanks for having me.
[00:03:17] Tom Garrison: So that is quite a background. Spend a few minutes and tell us a little bit about yourself and the kind of things that you’re working on now.
[00:03:28] Alex Ionescu: Yeah, I’d love to. I grew up as a stereotypical hacker in the 90s, spending a lot of time taking apart various operating systems, writing viruses for fun and trying to figure out how things work inside and out, following various folks in the industry and keeping up with Black Hat and DEF CON talks, and all of that got me an amazing opportunity to work at Apple for four or five years during the first versions of the iPhone and all of that. And then I joined up with Dmitri Alperovitch and George Kurtz at CrowdStrike since Day 1, building the company, the product, the teams. And on the side, I continue to do all this reverse engineering, Windows internals, working with Mark Russinovich and others on books, tools, trainings, and yeah, living and breathing cyber security. So I’m still doing that part, even though I’m taking some time off from the day-to-day of running a company and a team.
[00:04:26] Tom Garrison: Well, we’re certainly happy to have you here on the podcast. Your perspective should be really interesting given your time at these companies, and specifically around CrowdStrike, without talking about CrowdStrike directly. But just how has the security landscape evolved and changed over your tenure?
[00:04:44] Alex Ionescu: It’s been really wild. The last 10 years in cyber security, I think, from at least my vantage point, have been a paradigm shift. So when I started at CrowdStrike, one of the ideas was, nation states are going after companies, are stealing data. Um, they’re getting competitive advantages. They’re figuring out mergers and acquisitions. And this was widely believed to be fantasy by the average folks or, you know, one-off governmental things that happen every three years. And, you know, the NSA and China are fighting, not Mom and Pop’s movie theater is getting hacked into and people’s records are being stolen.
And companies were afraid to name countries; the McAfees and Symantecs and all the anti-virus companies back then were not really talking about nation states and naming. To where today, you know, Mandiant and FireEye and CrowdStrike are naming companies, are naming countries, you know, doing reports on here’s activity out of China, out of Iran, out of Korea.
Everybody’s aware this is happening. The Sony hack with North Korea was one of the most famous ones and known by the public, and many others, obviously DNC and so on, so forth. So this has become a reality. So I can talk to friends that are not in the industry and this is something they’re aware of. 10 years ago it was science fiction for most folks. So a lot of little things have changed, but I think that societal change is the one that marks me the most.
[00:06:13] Tom Garrison: The element that you mentioned, which is people thought it was like the boogeyman, people would talk about it, but it didn’t really exist. It really didn’t impact you or, you know, your company. I think that’s gone. I’d love to get your perspective, though, on: do you think it’s changing behavior?
[00:06:35] Alex Ionescu: I think in some ways behavior is changing, but a related question would be, is the change in behavior amounting to anything? Are we changing outcomes? And I’d say behavior is probably changing. Folks are more careful; companies are thinking about this in terms of budget and risk and spending money on these things, training their workforce to make sure they’re not clicking on spear phishing links, and people in general, I think, are more aware. At the same time, the attackers have adapted to that and are doing other things now that people are not training for and thinking of. So it may sound pessimistic, but I’m not sure that the outcomes have significantly changed in the last 10 years. I’m not saying we’re fighting a losing battle, but I do think we’re swimming against the current, so to speak. And there’s a lot more swimming that needs to be done.
[00:07:28] Camille Morhardt: Do you think the increase and huge boom in IoT has played out the way you expected it to? Has it changed endpoint security notably? Is there no going back, or was it overhyped?
[00:07:44] Alex Ionescu: I actually personally think that IoT has not had the impact I thought it would. I thought things would get a lot worse. I don’t see, you know, outside of security conferences, toasters getting hacked and hackers really getting into companies through their fridge. But I don’t think that’s because IoT isn’t, I’ll say, a disaster from a security perspective. I think it’s because it’s still so easy to go in through the endpoint. It’s almost sad to me that IoT hasn’t become how hackers get in, because the endpoint is still not where it needs to be. Um, and that started to change. Windows 11 has a bunch of security features, companies like CrowdStrike and others are making a difference.
So hopefully we’ll harden up the endpoint, where they need to use the toasters and the fridges. But I think that IoT hasn’t quite caught up with that in most cases. I don’t see people breaking into hotel rooms with stolen cards or things like that, or hacking networks through email servers; some exceptions aside, it’s still so much easier to do on that machine today.
[00:08:44] Tom Garrison: What are those major vulnerabilities that you think still exist in the endpoint? And you said, you know, “it’s too bad we haven’t hardened the endpoint more;” where could we be doing better?
[00:08:57] Alex Ionescu: So I think the biggest thing I’ve seen, including with CrowdStrike, is there is a huge, huge compatibility issue, especially in enterprise systems. Right. You know, the recent PrintNightmare print spooler bugs on Windows, for example. Months and months to patch that correctly because here’s one more feature used by enterprise for 20 years to make it easy to install a printer. So there’s a large amount of behaviors and features and functionality that exists on, take the PC for example, that don’t make sense in today’s security landscape, but are hard to get rid of because then you would be completely breaking down an enterprise’s ability to get their job done.
There’s, you know, people joke about who still sends faxes. There’s entire departments in very large companies that if they couldn’t send a fax using the Windows machine, things would break down. Excel macros, right? I know entire CFOs that run their public company out of Excel macros and a thousand spreadsheets. So how to get people away from those insecure environments, configurations and settings without causing millions of dollars of lost productivity? There’s not an easy solution to that. And these components are very old.
You know, the print spooler in Windows is, I think, a 35-year-old code base at this point; obviously it’s going to have issues and you can’t spend time and go rewrite that component. And I think that those problems on the endpoint are not intractable, but have a very long shelf life.
[00:10:28] Tom Garrison: Well, and I know that you’re an optimist and so I’m sure you have a brighter view of the future looking forward. So where do you think some of those advancements are going to happen on the client endpoint?
[00:10:42] Alex Ionescu: Yeah. So I think going forward there’s a number of things that are pointing in a good direction. A lot more work these days is now in the cloud, right? So a lot of new companies, a lot of startups, a lot of the departments are moving to doing everything in the cloud, for example, whether it’s GSuite or Office 365 or whatever their preferred mechanism is. That automatically removes a lot of complexity off the endpoint. Now the cloud is not a panacea. It’s obviously got its own issues as well, but it’s a more modern set of systems that can be secured a little bit better than the average endpoint.
So I think the shift to virtualization and cloud environments is helping as well. The operating systems are getting hardened; hardware is getting better, so today’s PCs and Macs have all sorts of security features built in. Even though the attacks can still happen, the vulnerabilities are still there, the ability to weaponize those attacks to actually have an outcome that’s beneficial to the attacker is getting a lot harder; and with, you know, the new version of Windows coming out, even more so.
Today’s PCs, for example, aren’t necessarily being sold as just faster. They’re also being sold as faster, better and more secure. Right? So it’s kind of become part of the marketing lingo. “Here’s the new version of an Intel processor. Here’s a new version of Microsoft Windows or less, and you should upgrade because it’s more secure.” That’s an amazing message that we didn’t have 10 years ago; 10 years ago, “there’s two more cores! And one more gigahertz!” which, you know, is meaningless in this battle.
[00:12:11] Camille Morhardt: Can you talk a little bit about the evolution of the word “security” to include privacy and even ethics, if you think it extends that far?
[00:12:21] Alex Ionescu: Yeah, I think when people think of security in real life, they think about privacy and integrity and then safety and all those things. I think the behaviors we do online mimic what we think of in security. So before people started doing banking online, for example, I don’t think necessarily fraud was included in security. And then as we started doing that. Now with social networks, I think that had a big part in privacy being part of security as well. So I think the word, to your point, is adapting as we’re doing more things on our computers, on these platforms, where we want to feel secure, be secure, um, you know, honesty, authenticity, integrity, all these things to me are part of security as well. Yeah. I think it’s our users that kind of define what keeps being added into the bucket.
[00:13:10] Tom Garrison: You know, it’s interesting that we talk about privacy now and it’s sort of… you don’t have to be a technology geek to think about privacy. But if I think back just to my college days, which unfortunately was a little further back than I’d like to think now, my student ID was my social security number, and that was, you know, almost 30 years ago. Now that’s a lot of change, behavioral change, societal change that’s happened in a relatively short time.
When we think about how open we were just about data and information, to now where there’s a hypersensitivity. But obviously when you’re talking about people and behaviors, there’s always weakness, right? And people can be tricked to give away information. And that’s, I think, still the world we live in today; even though we’ve made huge leaps, there’s still a lot more to go.
[00:14:06] Alex Ionescu: Yeah, what’s interesting to me is I think that with the social security example, there are two ways of looking at it, right? One is, all those situations where we were misusing a number and they weren’t being secure about it. They weren’t keeping it private like they should. But a counterpoint might be, what could you do with someone’s social security number 25, 30 years ago? Probably not that much, versus today. Today with a social security number, you can open credit cards, you can do a lot more things, probably because of automation, because of systems that do fewer checks. I think 30 years ago, if you wanted to open a credit card, you pretty much had to walk in person into a bank and know someone.
I mean, I wasn’t in the US back then, but generally I feel we consume so much more now that systems are more easily set up to intake our information, and the power of having someone’s information is increasing. So maybe 30 years ago, it was fine for your social to be your student ID#. Who cares. Today, with that information you can destroy someone’s life, you can swap them, you can do all these things you weren’t able to do before. So.
And as we build systems today, people insistence feels or should be thinking, what type of data am I using as input that today isn’t as important, but in the future it could be, right? And genetic code is, I think, one example. Everyone is uploading all these things into 23andMe and all these other websites that obviously have a nice benefit, but who knows in 50 years what somebody could do with your genetic code. We go Sci-Fi, maybe they could build a clone out of you. Right. And it’s not in the threat model today, but 50 years from now it might be, and we might be laughing: “Can you believe people uploaded their genetic code on websites back in the day?” Interesting thing to think about.
[00:15:47] Camille Morhardt: Do you yourself do online banking?
[00:15:50] Alex Ionescu: I do online banking. I do 23andMe. I do all the things that we need to be careful of, and I think the best you can do is just mitigate your risks, right? Check your balances, check your log in, check your audit history. But, you know, if one day something gets compromised, we’re all in the same bucket. Nobody’s immune from getting owned, so to speak.
[00:16:14] Tom Garrison: With your perspective in the industry, who do you think would be a company that maybe our listeners who are trying to say, who’s doing it well, or who should I maybe contact to understand the sort of security journey, to work with them because they’ve got a great set of offerings or solutions or whatnot? Who do you think is on the forefront?
[00:16:37] Alex Ionescu: So, you know, obviously I’m selfish, I’m going to throw my old company name into the mix and say CrowdStrike is definitely a player in there.
Tom Garrison: I would expect you to say that.
Alex Ionescu: Microsoft obviously is taking security very seriously. I’ve seen Satya pour billions into it and really try to make this part of Microsoft’s DNA as well. And then beyond that, you know, there’s lots of consulting companies and resellers and others that’ll take a whole holistic approach to everything. So I don’t know the names of all the companies, but in general, I’d say it’s about the vibe that you get when you interact with a salesperson or doing a proof of value: are they trying to sell you a product, or are they trying to sell you a partner and a story?
And that, I think, is where we’ve seen successful partnerships built, where they’re not just trying to get you to install something and then never talk to you again. But, you know, they ask questions about “how do you handle your email? How do firewalls work at your company? How do employees log into the systems?” And when you see a security company ask those questions, they are thinking about more than just “how do we get you to install this thing?” and how do they play into your security ecosystem. Those are good signs that you’re having a good conversation with someone who wants to be your partner and not just make another sale.
[00:17:57] Camille Morhardt: I just watched this Tom Cruise movie called Knight and Day, and he’s telling the hostage, well, we’ll just call her hostage, he says, “if they come in and they start telling you, we’re going to make you safe and secure; we’re gonna stabilize the situation.” And he’s like, “those are the buzzwords that mean you’re in trouble and they don’t have anything good in mind.”
So I’m wondering, are there buzzwords that you hear, that people bring up in this context, that you say “Run! They don’t know what they’re talking about. They’re throwing something in.”
[00:18:25] Alex Ionescu: Artificial Intelligence.
[00:18:28] Camille Morhardt: I was thinking you might say that.
[00:18:32] Alex Ionescu: If you hear those two words, it’s time to run away. And I think if you hear machine learning, ask some questions, right? I think those are two words that I hear all the time. And the reality is we, as a society, have not yet invented artificial intelligence. You know, we have machine learning, we have some pretty good models and approximations, but anybody that tells you there’s some sort of product that’s AI driven and you just put it on and then never think about it again... I mean, you know, we don’t even have self-driving cars yet. Right. And it’s been 10 years, I think, Elon is promising those. So it’s a journey until you get systems that manage themselves or operate themselves. And all these vendors are trying to obviously reduce friction.
But in security you’ve got to have a human element. We’re just not at the point where you don’t need someone double-checking the log, doing the audit trail. We can minimize it as much as possible. We still need humans for now. Um, maybe one day we won’t.
[00:19:28] Camille Morhardt: What is a reasonable application of artificial intelligence in cyber security?
[00:19:34] Alex Ionescu: Alert reduction, for example, right? Risk scoring, things that help you navigate the 20,000 alerts of 20,000 employees, 20,000 binaries: which ones are more likely than not to be malicious, insider threats, misconfigurations. I see AI today as a prioritization of what’s more important and less important. But to me, the final determination needs to come from a human, outside of very, very basic examples. Right. We all know that if it’s mimikatz.exe and it’s the exact binary off the Mimikatz GitHub repo, it’s Mimikatz, but that’s not even artificial intelligence anymore. Right? A lot of companies use string matching and regular expressions as artificial intelligence and obviously that doesn’t count.
[00:20:22] Tom Garrison: Yeah, there’s no doubt that there is a lot of overuse of these buzz terms. Artificial intelligence is one of them. It’s not that it’s not a really cool technology and that it won’t have value, but I think people are definitely over-promising where we’re at today. So Alex, this has been great. And I think it’d be a shame if we missed out on the most fun segment of our podcast, which is fun facts. So I wonder if you have a fun fact that you’d like to share.
[00:20:53] Alex Ionescu: Yeah, I’ve always been a reverse engineer at heart, and more than just computers. And, um, I like to build these very gigantic Lego sets: the Star Wars Imperial destroyers, and the Millennium Falcon, the 6-7,000 piece Hogwarts castle. And I’ve always been amazed at how Lego gets all the pieces there, that there’s nothing missing.
But I had a particular set where once we were done building, we had a piece missing, and I was told this could never happen. And then I called up Lego and I said, “how is there a piece missing? I thought you guys measure everything and weigh it and have these whole systems.” And they asked me, “do you have an extra piece by chance?” I said, “yeah, there’s one extra piece that I can’t figure out where it goes.”
And apparently their system is based on light, it’s based on weight, based on shape. And there’s an insane corner case where a piece might be missing in your set, and a different one might’ve fallen in from a different bucket. And if it just has the right shape, size and color, it’ll trick it into thinking that the set is complete. And it happens in something like one in a million sets; but it was fascinating to me in terms of making the relationship between how this works. Not a lot of our security products work as well, right? To me, it was kind of fun to find flaws in systems like that, even something as simple as Lego bricks.
[00:22:12] Tom Garrison: Well, that’s great. That is really cool. So, Camille.
[00:22:16] Camille Morhardt: Yeah, you lucked out with the missing Lego piece too. So I, uh, I’ve been interested in frogs. My son is trying to get me to get him a salamander, and it’s been like years that he’s wanted a salamander. So I just thought, you know, he’s not the best with. So how long can a frog survive without water? So I was Googling that and I found out there’s a frog in Australia that can store water in its gills and its tissue, and even its bladder. And it can store double its weight in water, and it can live for up to five years without drinking after that.
[00:22:50] Tom Garrison: Wow. Geez.
[00:22:52] Camille Morhardt: So, if salamanders are anything like that, I may not get out of this one. (Tom laughs)
[00:22:58] Tom Garrison: That’s pretty incredible. I bet you salamanders don’t live anywhere near that long without water. But anyway, um, and Alex, by the way, on the Lego thing, I figured they would ask you, “do you have a cat or something that ate the piece?” before they started asking about extra pieces.
[00:23:17] Alex Ionescu: There was a very long set of troubleshooting steps for the issue, that I was making a mistake, before it got to the Level 1 support that knew what was happening.
[00:23:27] Camille Morhardt: You’re like “you don’t understand who I am. I have not made a mistake.” (all laugh)
Alex Ionescu: That sounds like me.
[00:23:28] Tom Garrison: All right. So yeah, so my fun fact has to do with airplanes, and it’s because I am one of those people who’s really looking forward to going out and starting to see customers again and visit. We’re not there yet. Um, but hopefully not too long; it’d be good to get out there. So I started looking up how fuel efficient jets are, specifically in this case, I just happened to look up 737s because it’s kind of the workhorse, at least domestically here in the U.S., and it turns out that all in rough numbers, just rough numbers, a 737 burns about 5,000 pounds of fuel an hour. And that translates to about 750 gallons. And so I did a little bit more research, and specifically for the 737-800, if you calculate a hundred nautical mile trip and you assume the passenger load is 162 passengers, it’s about 96 miles per gallon per passenger, which equates to 0.593 miles per gallon for the entire airplane. Not the most fuel-efficient.
Camille Morhardt: Half a gallon per hour? Or per kilometer?
Tom Garrison: Miles per gallon. You get half of a mile per gallon. Not the most fuel efficient, but I thought pretty fascinating, especially when you think about flying across the country or something like that. It’s a lot of fuel there.
[00:25:17] Camille Morhardt: Well, you picked a short haul flight.
[00:25:18] Tom Garrison: That’s true. I did pick a short haul.
[00:25:20] Alex Ionescu: We should think about somebody. If all this passengers are driving the car to see distance claimants to the wind,
[00:25:29] Tom Garrison: That’s true. Maybe they must have been driving Teslas or something, but yes,
[00:25:33] Alex Ionescu: 200 people in a Tesla at one time.
[00:25:37] Tom Garrison: It’s been great having you on the podcast. Thanks for sharing your background and your insights. And I look forward to talking to you in the future.
[00:25:42] Alex Ionescu: Thank you. Likewise, thanks a lot for having me. This was great.
Stay tuned for the next episode of Cyber Security Inside. Follow @TomMGarrison and Camille @Morhardt on Twitter to continue the conversation. Thanks for listening.
The views and opinions expressed are those of the guests and author, and do not necessarily reflect the official policy or position of Intel Corporation.