New In-Person Event locations added! Choose your event, and join us for practical cyber security training.

Thought Leaders

Table of Contents

Daniel B. Cid, Sucuri

Stephen Northcutt - November 21st, 2013

Daniel B. Cid from Sucuri has agreed to a thought leadership interview. We hope that you will enjoy his thoughts and impressions and we certainly thank him for his time.

Daniel is the CTO of Sucuri and the founder of the open source OSSEC HIDS. He is very passionate about information security, especially in the areas of intrusion detection, log analysis and server security and monitoring.

He is an active member of the open source community, especially known for creating the OSSEC HIDS (Intrusion detection system) and writing the Host-Based Intrusion Detection book. In 2008, he sold his open source project, OSSEC, to Trend Micro, and joined the company as the lead of OSSEC development.

In the past, Daniel worked at Trend Micro, Q1Labs (now IBM), Sourcefire, and on his own ventures.

You can find a bit more about Daniel on his web site: or on Twitter: @danielcid

Please list URLs of papers or presentations you have written that are available on the web:

I write so often that I don't even know where to start. You can find all my new research and writing at the Sucuri blog:

And all my old posts and studies on intrusion detection and OSSEC at my site:

One that I really like, and was the basis for most of my OSSEC (log analysis work), is the log analysis for intrusion detection (very old):

How did you become interested in the field of information security?

Since I started working (well, most playing) with computers I always had that "what if" attitude to test systems and see how they would respond. So I've always been drawn to reading and learning about hacking, exploitation and offensive security.

But that was very early on, before I ever had a real job.

When I really became interested in security and the defensive side was on my first job as linux system admin. One of our servers got hacked and it was a big mess for a few days and that really changed my mindset. I became very paranoid and passionate about security and started to read and study as much as I could about it. And that's the area I have been focusing on my whole career (defensive security).

Have you worked on security products before the product you are working on today? If so, please list them and describe the highlights of some of these products.

Oh yes. I think the first security product (tool) that I really learned and used actively was Snort. After that I worked with all types of honeypots, IDS's, firewalls and SIM products that I can't even list or remember them all.

I worked at Sourcefire, so I was very active with Snort and worked at Q1Labs, so I was very active on their SIEM (Qradar) as well. And during these years, I created the OSSEC HIDS, out of my need to monitor and watch all my logs from a centralized location. That end up becoming a full blown HIDS with integrity monitoring, rootkit detection and active response.

What product are you working on today? What are some of its unique characteristics? What differentiates it from the competition?

I work at Sucuri and I lead the Product, Research and Security team. And what we have is what I would call the early days of an AV (anti virus) for web sites.

We monitor web sites and look for signs of compromise, like malware or spam injections or even if the site is being blacklisted. If we detect that a site is indeed compromised, we have another part of our product, that in conjunction with our remediation team, responds to the incident and tries to clean up the infection for our clients.

And our main differentiator is that we don't look for vulnerabilities, like most security scanners. We actually look for signs of compromise, like malware or spam, and respond to them.

What do you think the security products in your space will look like in two years, what will they be able to do?

Our space is very new. If you look back a few years, you wouldn't see the same amount of attacks focused on web sites. Yes, sites were getting hacked, but not in the way it is now, with large botnets, exploit kits and crime groups targeting them.

And based on what we are building and innovating on that space, there will be a lot more security options available for all types of sites. Most of the options right now are just too expensive for the day-to-say web site owners. And that's one category of user that we really want to help. Everyone with a web site has to be aware of the security issues there and be able to properly protect themselves.

Please share your impression of the defensive information community. Are we making progress against the bad guys? Are we losing ground?

I don't think anyone is really winning, but both sides are getting better and making the other improve to stay competitive. When one end innovates, the other has to respond or lose ground. And the best proof of that is how the attack landscaping is changing.

Developers are becoming more security aware, products are being shipped with better security options and prevention technologies are also widely used. Which company doesn't have a firewall or an IPS now?

It is even hard to imagine the old days of servers coming with telnet and FTP enabled by default.

And what I find fascinating is that all public APT cases, that I can remember, started with a phishing email. That shows how much harder it is becoming to getting in. There are still web-based attacks like SQL injections, but those are also becoming harder to exploit.

But at the same time, our detection is not improving as much as it should. We are good at prevention/attack blocking technologies, but when they fail, the battle is lost for most companies. And that's an area that we really need to improve.

Please share your thoughts concerning the most dangerous threats information security professionals will be facing in the next year to eighteen months.

I would say it is the human factor. Users are still choosing bad passwords or clicking on phishing emails or visiting sites without protection. And that's a very hard problem to solve specially for non technical people. And we see that with web site owners every day at Sucuri when trying to help them when their sites get hacked (and note that people with web sites are theoretically supposed to be more technical). Millions of people own web sites without knowing the basics of information security. And as we move to an even more digital/online world, that will continue to be an issue.

What is your biggest source of frustration as a member of the defensive information community?

Oh, there are so many of them. The first one is the lack of interest in that area. Most of the conferences are always about offensive security. The media only cares about "cool" hacks and new exploits and never about interesting and new ways to protect servers and users.

The second biggest issue is the lack of passion I see in so many defenders. Relying too much on checkbox lists and tools and very little on analysis and research. To give an example, a firewall now is a very common product on most companies. But very few of them actually look at the firewall logs. Even fewer actually even have logging enabled.

And that goes for IDS's, WAF's and many other products. They install and think the job is done and they can mark a checkbox. That's very scary.

And the other big issue in our security community is that we don't share and help each other as much as we should. I see more participation on the blackhat side, than on the defenders' side. I personally try to share as much as I can, specially on the Sucuri Labs:, but we still have a long way to go.

We like to give our interview candidates a bully pulpit, a chance to share what is on their mind, what makes their heart burn, even if it is totally unrelated to the rest of the interview. Please share the core message you want people to know.

I assume most people reading this interview will be security professionals. So my biggest advice and something that has been on my mind lately is regarding signature-based detection of malicious activities. It is so ingrained into our culture and so common on most security products, that it is easy to just take it as the right way and stick to it.

But we need to start changing our mentality a bit and whenever possible start doing the opposite. Instead of signatures of bad activities, start building signatures of good activities and block everything else. I know it is nothing new, but very few security solutions actually rely on it. I am glad that at least on firewalls, we accept that as the right away, even though very few really do it.

And that's the model I am taking on the new WAF (cloud-based IDS) that we are building for web sites. For example, instead of looking for SQL injections and blocking those, we are actually blocking every request and only allowing in what was previously white listed. So we have been building profiles for all types of web sites and CMS's (like WordPress, Joomla, etc), and only allowing requests that pass our white list.

It is still in its infancy, but you can read more about it here:

Please tell us something about yourself, what do you do when you are not in front of a computer?

I am always on (just ask my wife), but most of my breaks are for BJJ (Brazilian jiu jitsu) , which I love and have been doing for many years already.