Register now for SANS Cyber Defense Initiative 2016 and save $400.

Thought Leaders

Table of Contents


John Kanen Flowers

Stephen Northcutt - May 26th, 2010

John “Kanen” Flowers is the founder of nCircle Network Security. Flowers designed and developed the nCircle Ontology, IP360 – the original holistic network security solution – “Block on Exposure” and “Intrusion Prevention.” Flowers was the inventor of interoperability between discovery and detection systems in network security. He has agreed to a Thought Leadership interview and we certainly thank him for his time!


John, were did you get your start? What was life before Hiverworld/nCircle?


Prior to nCircle, I worked for Microsoft Corporation and was the Chief Architect of an early news delivery and filtering system, called Farcast (later InQuisit), which was purchased by Ask Jeeves (now Ask). After that, I went on to create technologies in natural language and search, video, color correction, social networking, benchmarking and now, once again, network security.


Amazing, can you cook as well? I am amazed at the number of security thought leaders I meet that are chef level cooks.

I wouldn't call myself "Chef Level" -- but, I do cook. I trained in Thailand and I am moderately skilled at creating quite a few Thai dishes, including Tom Yam Kung nam Khan (prawn soup in coconut milk), Plathu (mackerel), Phat Thai kung (which I learned to cook in Chiang Mai) and Panang Gai (not technically Thai... more a Malaysian dish). I make a decent Mi Krop (or Mi Khrob) and I'm learning Pla Nueng Manao -- a fish dish that I consider quite difficult. When I'm not stinking up the kitchen, my wife tends to cook most meals and is amazing at it.


Can you tell me just a bit more about what you have done and what you are working on?

Stephen, I am an inventor on over a dozen patents, almost all of which are in the network security and algorithmic and natural language search fields. My personal blog and full resume can be found at www.LifeZero.org, where I discuss life, technology, video, search, network security, programming and, most recently, the advanced network security tool and platform, カネ|box.


I went to your website, it is quite interesting, I was a bit slow on the uptake for navigation, but found the kane|box paper, love the network history section, what a blast from the past. By the way, Kane (Kah Nay) means male in Hawaiian. What are some “must read” papers that you recommend other people read?

I'll add the Hawaiian meaning to the paper. I love how many different meanings I can pull out of a single word (I'm a bit of a word nerd), so that makes my day! As for papers -- "Insertion, Evasion and Denial of Service" (the classic paper). Everything at http://techbuddha.wordpress.com (Amrit Williams). Most of the papers from Owasp.org are worth reading.

Lately, I've been trying to wade through the Metasploit documentation.


That is a great reading list, thank you for that. How did you become interested in the field of information security?


As a kid, I read the Legion of Doom technical journals ( http://www.textfiles.com/magazines/LOD/ ) and watched Three Days of the Condor way too many times. By the time the movie Sneakers came out, I was working for Microsoft and thought, “I could start a company that does that.” So, eventually, I did.


Three Days of the Condor, wow, it has been a long time, I wonder if Netflix has that on watch instantly (it does, I may rewatch that tonight)? What product are you working on today? What are some of its unique characteristics? What differentiates it from the competition?

I stepped out of network security for a while and created a search engine that did natural language queries and results. It wasn't much of a commercial success, but it was purchased by the co-founder of Ask Jeeves. We did some really interesting things with language and math, but my first (and true) love remained network security.

nCircle was a decade ago and times have changed. The stuff that worked then doesn't really work as well today. I used to refer to IDS as “Network False-Positive Recorders” and I still think that's true, but there's a more insidious side, which is false-negatives and – in the case of Intrusion Prevention – that is a really bad deal.

I was really inspired by Gibson's concepts of personality constructs and I decided to apply that knowledge.


Whoa, let me stop you right there; I found this paper, is this the right Gibson, is there a better paper to point to?

I was thinking more, William Gibson, the author of Neuromancer and -- my personal favorites -- Count Zero and Mona Lisa Overdrive. But, yeah, that Gibson is a great example. I've read him and find his work very interesting. I'm also highly interested in virtual economies and how they mimic real-world economies. When you dig into most things, you'll find personality at the root of decision-making. That is a big lesson and one I try to always consider (and remember) with everything I do.


Awesome, thank you for that, so back to your idea what are you going to apply the knowledge of personality constructs to, what are you trying to do?

At kozoru (my last company), I wanted to create a system where we indexed and understood the language of the Internet. But, more than that, I was interested in the idea of authority, time-based information and bias. This took me down a path of understanding the interconnectedness of concepts and language, from a statistical perspective. I wanted to apply that knowledge to the network security field. The idea being that both search and network security can be better understood from a heuristic and a statistical perspective. Turns out, there are some really great things you can do once you stop building dumb security products with rules telling them what they should do and how to find problems.

To that end, I'm working on an Open Source platform, called カネ|box (or kane|box), which does a number of new and (hopefully) interesting things in the network security field. It isn't like other tools and it's a bit hard to describe briefly, but the overall theme is this -- there's an Engine which understands protocols and traffic. That Engine gets trained on your network, because it is unique and different than other networks. When the Engine is trained, it can tell you what is happening in a meaningful way. kane|box does discovery, detection, deflection and packet scrubbing... but it does more than that too.


I am intrigued, what more does it do?

You've read the kane|box White Paper and Documentation, so you've seen either hints toward functionality or flat-out examples of some of the functionality. The four big areas I am focusing on over the next year are: Exposure Inferencing, Scrub on Exposure, Geo-targeting and what I call "Elite Ninja Skills."

And, since you asked...

Exposure Inferencing means the platform looks at traffic on your network, compares that traffic with a huge set of known acceptable traffic, adds to that a huge set of known suspicious traffic. All this traffic goes into the Engine, which determines what is acceptable for your unique environment and infers a set of edge cases -- things that probably shouldn't be on your network. As you gather traffic, kane|box starts creating exception reports for anything that shouldn't be happening on your network, which includes what I call the "Damage over Time" attacks (an idea taken from certain online role-playing games).

Scrub on Exposure is a way of doing something with this information. While kane|box can make different decisions about the threats it has modeled, one choice I am excited about is the idea of literally scrubbing the packets going into and out of your network to remove anything considered hostile. The paper you mention talks more about this functionality.

Geo-targeting is exciting because -- as far as I know -- kane|box is the first technology to model threats and apply geo-location information to those threats. This means, among other things, kane|box knows whether an attack originated in Germany, France, Africa or wherever. If you combine geo-location with Damage over Time and Exposure Inferencing, you can create a historical view of something valuable; when and how the exposure was created and what kind of leverage is being applied to your environment.

"Elite Ninja Skills" is a fun way of talking about how the platform can absorb exposures then use Training Sets to actively test your environment for vulnerabilities and exposures. Or, put more simply, you can run an existing tool against kane|box and then kane|box will be able to test for the same vulnerabilities as that tool. And, because kane|box isn't one tool with only one function, those newly discovered ways of testing are compared with a large dataset. In this way, kane|box can create compound vulnerability and exposure conditions, based on a huge number of possibilities. In theory, this should allow kane|box to find new, not-yet-discovered vulnerabilities and exposures, some of which would be unique to your environment.


What do you think the security products in your space will look like in two years, what will they be able to do?

Hopefully they will get smarter. Network security products are really, really dumb right now, but they are forgiven because companies spend hundreds of thousands of dollars creating a pretty interface that management can see and understand. This is a problem. Reports are important, yes, but if the product just ignores or doesn't understand anything it's reporting on, then the reports are useless and giving a false sense of security (pun intended).


Sadly, I agree that network security products are pretty dumb, I was interested in the meta rules from the failed SIEM company Hightower and I am very interested in speaking with some customers of LogMatrix. Of the products that are out there, who do you feel has some significant potential?

I've taken a look at the work being done by White Hat Security, largely because of my interest in Web Application Firewalling and protection. Jeremiah Grossman is well-informed. I read his blog regularly and I remain convinced there will eventually be a decent solution for preventing web attacks. The White Hat Security guys seem to be going down an interesting path with their managed solutions. I've also taken a hard look at Qualys and Cenzic and I am convinced they are very good at advertising and marketing. There's a decent paper called The Security Treadmill, aimed at Executives, which talks about some of the concerns I have.

I like Amrit and the work they are doing at BigFix has some real potential. It doesn't solve all the problems I am discussing, but it is a great solution for what it does solve.

I'm also very happy with the work being done at CAPEC.mitre.org. It is very exciting to see someone thinking about exposures in a holistic way, rather than just trying to play the counting game and enumerate as many different micro-threats as possible. I think vendors could learn a lot about the big picture just by reading through the CAPEC Methods of Attack View.

Obviously, I am hoping kane|box can address some of the issues we have discussed here, but -- as the platform is not finished -- time will eventually determine whether this is the case.


Please share your impression of the defensive information community. Are we making progress against the bad guys? Are we losing ground?


Right now we are. The bad guys have gone underground. They aren't openly sharing exposures anymore. They are obfuscating their attacks in so many ways, it is just impossible to predict with anything rules-based. I say rules-based, knowing there are people who will wave their hands and talk about how they're doing something different. But, they aren't. Everything right now is based on the same, old, broken ideas from ten years ago. And, remember the Matrix... a system built on rules is fundamentally brittle and can be circumvented. Until we learn this, we're going to keep getting compromised and our reports are going to keep showing how many “threats” were “prevented” by the technology.

And, the bad guys will keep winning.


I agree the bad guys are winning. Please share your thoughts concerning the most dangerous threats information security professionals will be facing in the next year to eighteen months.

The threat right now is social. We're all connected to these networks and we give them all our private information and they largely believe – as evidenced by Zuckerberg's recent announcements – that they are the Internet and the Internet is insecure and open. Because of this, and technologies like Open Graph (and others), we're just handing our personal information to the bad guys. I've already seen Bad Gadgets (the 2007 Black Hat presentation, co-presented by my friend and long-time collaborator Tom Stracener) and “Ass of Fire” YoVille Awards, both of which are scary... but it's the stuff you don't see that is even more frightening.


Yes, I have followed the work of Kevin Johnson on exploiting Social Media information as well. Why do you think the bad guys are winning?

I think we have largely given up on solving security, probably because everything is costly and nothing truly works properly. That's very sad to me and I believe it will take years to recover from such an attitude. But, my hope is we do recover. I saw this same behavior in the mid-nineties and we got through it, we'll get through it again.


Glad to hear you think there is a tunnel at the end of the light! What is your biggest source of frustration as a member of the defensive information community?

I've already discussed this, but in a single phrase, it's the idea of perfuming the pig. Many companies are completely disillusioned with security – and they should be. We have to start giving the good guys tools that work and do what they say, but that requires a fundamental change in the design and creation of those tools. It's going to be hard to solve this problem, because enough companies are still spending big dollars on products with fundamental flaws in their architecture and design.


We like to give our interview candidates a bully pulpit, a chance to share what is on their mind, what makes their heart burn, even if it is totally unrelated to the rest of the interview. Please share the core message you want people to know.


I've probably already ranted enough.


Oh no, you are only a six out of ten on my rant-o-meter, please continue.

As you can likely tell, I'm that guy that won't shut up and gets really frustrated when someone creates a product or technology that does not work or is not well designed or has a foundation with glaring flaws in it. Because of this, unfortunately, I've made a few non-friends in the space. But, I feel like, if someone calls themselves “good guys” or “white hat” – they have a responsibility to do something meaningful and try to protect people from the bad guys. Otherwise, why bother saying you're on the right side?

I also find it disturbing that, after a decade of hard work, products are incapable of properly handling either simple obfuscation techniques or large networks. Data correlation in network security is in the dark ages. Reporting is single-minded and not based on conditions or changes over time. We are still counting attacks and ranking them based on arbitrary scoring systems. Like I said, security products are quite dumb.

My wake-up call to the security industry would be to stop trying to imitate everyone else, because what they are doing is broken. We need new foundations, new mindsets and we need to not be afraid to apply other technologies to the network security field. Something has to seriously change for us to succeed.


And the personal side of your life? Please tell us something about yourself, what do you do when you are not in front of a computer?

I love traveling and spend half my time outside the country each year (if possible). Learning new languages is a kind of hobby for me, I'm into Japanese again, but spent a lot of time learning Thai and Mandarin and some Spanish -- as I just spent 9 month traveling throughout Latin America, I sort of osmotically learned enough to get around.

Mostly, though, I just enjoy doing whatever I can with my wife, whether it's seeing a movie, going out to eat or just hanging out. Those are always the great days.