Don't Miss Pen Test Hackfest Summit & Training, November 2-9 near DC!

Thought Leaders

Table of Contents

Joel Yonts, CISO

Stephen Northcutt - February 12th, 2010

Joel Yonts is a true thought leader in information security, those of us at the Security Leadership Lab were really excited when he agreed to participate and hope you will enjoy his interview. And, as always, we thank him for his time!

Joel, can you start by sharing the short version of your bio please, that seems to be the fastest way to introduce you to the community.

Certainly Stephen, here is my published bio: Joel Yonts is a seasoned security executive with a passion for information security research. He has over 20 years of IT experience with certifications in the areas of Security Leadership, Computer Forensics, Malware Analysis, Incident Handling, and Reverse Engineering. His research interests include malware analysis and defense, computer forensics, and enterprise security. His information security contributions include the published work, Mac OS X Malware Analysis, and is a frequent conference speaker on topics such as Rootkit Techniques, Battle Against Malware, and Protecting your Teen in a Highly Connected Society. In addition to his research, Joel is currently serving as CISO of a Fortune 500 retailer.

Thank you, Joel, and I know you are published; would you kindly list three URLs of papers or presentations you have written that are available on the web:

I think you did an incredible job on the rootkit paper, thank you for that. Can we also ask you to list your top three “must read” papers that are available on the web that you did not write:

Reverse-Engineering Malware by Lenny Zeltser

Reverse Engineering by Crayon by Danny Quist and Lorie Liebrock

2009 Data Breach Investigations Report by Verizon Business

Thank you for the tips, Joel, let's get started with the interview; how did you become interested in the field of information security?

I have always had a passion for scientific research. I was a chemistry major in college and was involved in many research projects in the “Hard Sciences”. On a parallel track, I had a love of computers and spent many hours developing programs and exploring the technology world. Information Security merged these passions for me into a single thread. I can think of very few areas where the pace and need for technology research is greater. The other thing that grabbed my attention was the computer virus. I had just finished a “Hard Sciences” project to classify and map the behaviors of native fish in the local streams of Virginia when I was reintroduced to the computer virus. I immediately recognized the similarity in capturing, analyzing, and classifying these tiny “cyber” life forms as a strong parallel to my recent native fish project. I was hooked, no pun intended.

What happened after you met that virus? Did you jump straight into reverse engineering to figure out how it worked? Also, do you remember the time frame, I always find it interesting to learn when people heard the "song" of security?

I have dealt with malware throughout my 20 year IT career but my reintroduction occurred in 2006. The culprit was a SQL worm with an IRC Bot payload. There was a good bit of adrenaline associated with the incident but I was captivated by how the specimen propagated through the network and the function of the payload. I did attempt to pull an isolated sample apart using basic IT tools, but my technique was far too crude to call it reverse engineering. It is amazing how much information you can get by examining strings embedded in a binary. I pulled out enough info to give me the gist of the malware and a desire to learn how the pros pull these things apart.

Thanks for sharing that! What project or product are you working on today? What are some of its unique characteristics? What differentiates it from the competition?

I am currently working on an automated Malware Analysis Zoo. The intent is to automate the mundane aspects of malware analysis and provide a framework for organizing samples and supporting analysis artifacts. As part of this project, I am developing a white paper on the topic of building a malware zoo. The intent is to equip a wide audience with the ability to build their own malware storage and analysis system. The paper is part of my GIAC GREM Gold certification with an anticipated completion of mid-2010. I have a functioning malware zoo in my lab environment today but I have a long list of enhancements planned. At some point, I hope to solidify a release and potentially release it to the public under a GPL license.

Joel, you seem to gravitate towards some pretty specialized SANS courses *grin*. Other than reversing malware, is there a course you have particularly enjoyed, and if so, what was special or unique about it?

Hands down, SANS709 Developing Exploits for Penetration Testers and Security Researchers. My original intent for taking the course was to fill a few gaps in my reversing skills, particularly in the identification and mapping of exploits embedded in malware. What I hadn’t counted on was how much I would use my new knowledge of exploit mechanics in day-to-day security decisions. My eyes were opened to see how simple OS configuration decisions and application development choices could influence an environment’s susceptibility to various memory exploitation techniques. The other benefit I discovered was the ability to find zero day flaws in legacy and homegrown applications. Most of us have them, in some form or fashion, sitting on our networks with potential zero-day vulnerabilities. These flaws would never be discovered by vulnerability scanner signatures and there are no patches forthcoming to remediate. The skills taught in the class would give a corporate security engineer the ability to find these opportunities before they were exploited by someone with malicious intent.

Additionally, it was the first security course where I felt like we were really breaking new ground. We were actually discovering new software vulnerabilities and developing custom exploits right in the class. I enjoyed the sense of empowerment. In the past I had to leave the heavy lifting of exploit discovery to the software vendors or, heaven forbid, the attackers. Hats off to Stephen Sims for putting together such a ground breaking and widely applicable course.

What do you think the security products in your space will look like in two years, what will they be able to do?

I think we will continue to see new technology and techniques added to our automated defenses, followed by attacker techniques that will defeat them. In other cases, the attackers may be the first to innovate, with the defensive counter following close behind. This cycle will not end anytime soon. To supplement this I think we will see resurgence in Incident Response (IR) technology, techniques, and training. I think there will be a greater understanding that even if I do everything I can as a defender, things can and will go wrong, and that IR is critical to plug the gap. (In this IR umbrella I am also including monitoring and other detective controls). IR can mean the difference between an attacker gaining a toehold into your systems and a full data breach.

If I may ask a favor, we ask the security products question on most of the interviews, would you be willing to look at a couple of other recent interviews and choose a prediction and comment on why you agree or disagree with the asserted trend?

I thoroughly enjoyed the interview with Chris Wysopal, CTO at Veracode. I believe he is dead-on with the need and direction for clean code. In his interview he talked about future compilers having built in security validation and cloud computing based holistic program analyzers. I definitely see the need and probability that future compilers will have the capability he outlined, but I am not sure about the cloud computing solution. Developer systems passing potentially sensitive source code to the Internet for some reason gives me an uneasy feeling. Regardless of the specifics, though, I believe Chris is hitting at the root of the problem.

Please share your impression of the defensive information community. Are we making progress against the bad guys? Are we losing ground?

We have made tremendous progress in securing our systems and networks. Generally I would say our systems have better patch management, more secure configuration, and greater adoption of defensive technology than ever before. Unfortunately, this is not a level playing field. We have seen a nearly exponential explosion in malware growth, and attackers have become very organized. Attackers have become skilled in taking the smallest holes and quickly turning them into avenues of intrusion. Both sides are advancing this battle, but if I had to weigh the number of corporate intrusions/data breaches vs. the number of cyber criminal arrests, it doesn’t feel like we are winning. This is not a defeatist statement. We need to understand this fact and use it to increase our determination to win this battle in the long run.

Joel, I would love to hear your thoughts concerning the most dangerous threats information security professionals will be facing in the next year to eighteen months. What is coming down the pipe?

Targeted attacks! Specially crafted exploits and malware combined with laser focused social engineering. This will be the downfall of many huge targets (i.e., Operation Aurora – Google)

For the not so huge targets such as home users and smaller companies, the market is ripening for attacks on emerging platforms, specifically mobile devices and Mac OS X. These platforms have been on the security watch list for some time and, at some point, the scales will tip and there will be an onslaught against these platforms.

What is your biggest source of frustration as a member of the defensive information community?

Lack of information sharing. There are many groups that hold pieces to the cyber crime puzzle. I would like to see the various law enforcement, credit brands (VISA, MasterCard), banks, merchants, security vendors, and corporate security groups come together in some way to collectively document attack patterns and track criminal activity. I think such collaboration could help us build better protection and bring more cyber criminals to justice.

Yes, we are all concerned about the lack of information sharing in security. That was the problem the ISACs (example, ) were created to help with. That was the problem InfraGard was created to solve. If you could give one actionable piece of advice to Howard Schmidt on this topic, what would it be?

Mr. Schmidt is in an unbelievably demanding position. My first general comment to him would be that we want you to be successful, leverage the talent in the information security community to help you shoulder the load. With that said, we need to change our definition of success in the information security community. Too often we are content with saying we are winning this war when we are simply diverting the attacks at the gates. To win, bad people must go to jail! To facilitate this focus on the cyber criminal I believe Mr. Schmidt could institute a Cyber Crime Most Wanted similar to the FBI program. The information shared would, of course, be tailored to information security and contain attack specific details. I believe the information security community working together could build a more complete profile of the cyber criminal groups and pin more crimes to the groups. This enhanced definition and increased allegations would be a natural stepping-stone to more arrests.

We like to give our interview candidates a bully pulpit, a chance to share what is on their mind, what makes their heart burn, even if it is totally unrelated to the rest of the interview. Please share the core message you want people to know.

Technology has impacted every age group in our society but none are more at risk than our teenagers. A whole new world has been presented to every teen that can access a computer or wireless device. Images and text pass between peers at a blinding rate with little or no forethought or supervision by adults. Teens have no idea the digital trail this activity can leave that follows them the rest of their lives. Also, as if being a teenager wasn’t hard enough in the past, new issues have arisen such as sexting, cyber bullying, and cyber stalking. There have been very disturbing cases of social networking being used by pedophiles to stake out a target. Also, most teens don’t realize that taking a partially nude photo of their 17-year-old girlfriend and then sending it to their buddy is production, possession, and distribution of child pornography! It is a very serious crime that could result in jail time and a spot on the sex offender’s registry. I believe there are two keys in protecting our young people in this highly connected society: education and empowerment of parents. First, we need to make teens and parents aware of the problem and how bad things could be. Second, we need to empower parents with the ability to monitor and control the teen's use of mobile devices and the Internet. Many new solutions exist that can help parents be dialed into what is going on in their teen's cyber life.

And it is not just teens! I was visiting a friend's house when his nine year old suddenly got quiet, which is not normal for this kid, so the dad went to check on him and he was using Google images to search for "breasts". Would you kindly suggest either a few products that can help parent manage their kid's Internet use or a place to get further information. And, at my house we *still* have all the computers in a public room and my son is 25 and no longer lives in Hawaii; it is just too easy to run into trouble if you think no one can see what you are doing!

I love the idea of using public areas for family computers. We follow a similar model in our house. In regards to products, I have been impressed with Safe Eyes by This product combines traditional content & keyword filtering with monitoring of social networking sites. Safe Eyes even has an iPhone product. Internet usage is not the only potential land mine for our teens (or pre-teen) though; monitoring who is calling your child’s cell phone and what is being sent through text and images can be equally as important. For monitoring phone and mobile messaging I would recommend a product called MyMobileWatchDog. There are many good Internet Safety sites out there to help with education. Two that stand out in my mind are National Center for Missing and Exploited Children and Focus on the Family.

Almost done! I notice you are a CISO. You are clearly very well versed in the technical aspects of security, what do you think got you selected for the CISO position and what tips would you have for a newly selected CISO?

I believe the CISO role is truly unique. Having a grasp of the technical aspects of security is important so you can make good security decisions and focus on the true problems in the weeds. Also, in the CISO position you are interfacing with senior management. If you can project the sense that you are dialed into what matters in the security space and that you have an understanding of the dynamics of security, it will inspire confidence in your recommendations and lend to good senior management support. At the same time, you must be able to speak the language of the business. Understanding the key initiatives of the business and how the security team can support those initiatives is important. This balancing act of technical depth with the ability to speak the language of the business is a must for a CISO. I believe this balanced path is what led me to the role.

For someone new to the role, I would warn against becoming a security dictator. A CISO can have a considerable amount of control within an organization. Don’t use this control to “police” the organization. You will be absolutely hated and your effectiveness as a security leader will be diminished. Instead, build an atmosphere of cooperation where together you build controls and make decisions that help the organization stay safe with minimal pain. At times you may still need to play the security trump card but, hopefully, this is the exception.

Please tell us something about yourself, what do you do when you are not in front of a computer?

At this stage in my life, I would call myself a family man. I have two beautiful young children and a lovely wife that I enjoy spending time with. I still have time though to enjoy a little mountain biking and I am involved with my local Church.