
Thought Leaders



Dominique Karg, AlienVault

David Dede - November 20th, 2013

Dominique Karg from AlienVault has agreed to a thought leadership interview. We hope that you will enjoy his thoughts and impressions and we certainly thank him for his time.

Dominique started fiddling with computers when his father gave him his first Atari 2600 and Commodore 64, followed shortly thereafter by his first IBM PC in 1990. An avid gamer and true hacker, he had more fun "creating" extra ammo, getting more units and constructing different appearances than he did actually playing the games.

Very early on, he was hooked on hacking and programming, which led to a passion for computer languages and especially computer security. Long nights learning through hands-on exploration of the computer trumped long days listening to lectures on Chemistry, Computer Science and Psychology, so Dominique decided to leave school early and take his first job at IP6 Seguridad in the late 90's as a security auditor. This led to the founding of one of the first ethical hacking teams in Spain within IP6 Seguridad, with Dominique as a core leader who specialized in advanced application testing techniques.

In 2002 Dominique started coding OSSIM, and later published it in 2003 on Sourceforge.net. Dominique has led the project since its beginning to today, first as security architect and coder, then as manager of the development team, and later in 2007, as co-founder and CTO of AlienVault.

As the OSSIM project evolved, Dominique discovered his passion and his belief in the power of the open source community. The realities of helping to run a business and meet payroll at the end of the month, however, forced him to spend less time doing what he loved. Now, in 2012, he is finally able to take on the role of Chief Hacking Officer at AlienVault and combine his two computer-related passions: security and the power of open communities.


Please list URLs of papers or presentations you have written that are available on the web:


http://www.alienvault.com/docs/correlation_engine_explained_rpc_dcom_example.pdf
http://www.ossim.net/docs/correlation-engine-explained-worm-example.pdf
http://www.alienvault.com/c-suite-blog/of-dragons-elephants-aliens-a-decade-of-ossim
http://maikel.galeon.com/netsearch/ns001.html
http://www.huffingtonpost.com/dominique-karg/
http://www.alienvault.com/open-threat-exchange/blog/author/dkarg
http://www.slideshare.net/BSides/dominique-karg-advanced-attack-detection-using-opensource-tools


Please list your top three "must read" papers that are available on the web that you did not write:


1. "Smashing the stack for fun and profit" Not only is it a big part of my own motivation, I still think it's one of the most innovative papers that was ever written on the concept of information security.

2. "The Loginataka" Haven't found anything that better describes the attitude of a thinker in terms of modern computers in my 20 years playing with them.

3. The US Constitution (or the relevant one for your country if it has one). It's being used as toilet paper too much lately.


How did you become interested in the field of information security?


When my love for gaming jumped over to the x86 platform, two problems soon arose: the need for cracks and the need for more "resources" in-game. Learning that brought me in contact with a thing called "Linux" which in turn enabled me to go online. My search for more information on the subject of security brought me in touch with the Bugtraq mailing list and the first few months of reading it were horrific: I didn't understand anything, and I considered myself a "master" of the subject (15 years old with little to no "outside of my hometown" knowledge). After that the humbling experiences came one after another and through reading books, articles, talking to smart people and exploring further, my passion for security grew deeper and deeper.


Have you worked on security products before the product you are working on today? If so, please list them and describe the highlights of some of these products.


Apart from having worked on OSSIM for the past 10 years I wrote some minor code and programs before that. The only one worth mentioning would be arp-fun: http://packetstormsecurity.com/files/10854/arpfun.tar.gz.html. If I recall correctly, I coded this in a week - with way too much beer inside me. I was very saddened by Richard Stevens' death, since his 3 TCP/IP Illustrated books were the most exciting stuff I had read in years, and wanted to apply some of the theory that he presented into practice, while learning libnet and libpcap.

As a funny note - I tried to make sense out of some parts of the code months later, and it took me years to get to a regular level of coding like that again.


What product are you working on today? What are some of its unique characteristics? What differentiates it from the competition?


I am working on a product called "Open Source Security Information Management", or in short, OSSIM. It started as a front end and correlation engine for the most well known open source security products available around 2002 and has turned into a full blown SIEM platform through the last 10 years. The part of it I am most excited about right now is the Open Threat Exchange, where users contribute attack information to each other in what I believe is one of the future strong points for security.


What do you think the security products in your space will look like in two years, what will they be able to do?


People will realize that the illusion of network and security isolation is just that, an illusion, and will more openly be able to share some of their security information in an attempt to increase their own awareness. More and more sources are pulled in to correlate information and I can see products like OSSIM being used to correlate "emotion" events drawn from a Google Glass device, for example, with health and financial information from other databases. I don't like the prospect, but I can see how it is hardly avoidable.


Please share your impression of the defensive information community. Are we making progress against the bad guys? Are we losing ground?


It is the "we" part of the question that is ambiguous for me. As an individual or representative of a security vendor I am certain we are losing ground; that is because the bad guys are not only more aware of our technology, and the potential for making money, but also of the potential for harvesting information and putting that through computers to detect potential "annoying guys", rather than bad guys. With this I mean that I do not know what is worse, my government reading my emails and listening into my phone calls without a court order or a foreign-government backed group of people DDoSing my site or stealing my payroll spreadsheet ;-)


Please share your thoughts concerning the most dangerous threats information security professionals will be facing in the next year to eighteen months.


Won't be very different from the past. I still believe the most dangerous threat is believing we are "ahead" of anyone or "doing well" (not to talk about those that "have the solution to all your security problems"). We have been living in a 20-year bubble of trust where "bad guys" only did bad things that harmed IP or public presence. I believe that we will be surprised by just how many things bad guys on both sides of the glass panel know that we don't, like broken encryption codes, deliberate backdoors, or computer systems in cars, for example, that can expose life threatening vulnerabilities to anyone driving by with a computer.


What is your biggest source of frustration as a member of the defensive information community?


The lack of support from the government for efforts that are not war or espionage related. Using a Middle Ages comparison, it is as if our king is sending people to war without swords or horses, unable to fight back or flee; and we, the blacksmiths, not being allowed to build horse armor or better weapons.


We like to give our interview candidates a bully pulpit, a chance to share what is on their mind, what makes their heart burn, even if it is totally unrelated to the rest of the interview. Please share the core message you want people to know.


History has taught us that life doesn't work out really well when entire societies just think about themselves. Open Source is one way of sharing the "love" so to say, but so are things every one of us can do in their day-to-day lives. I'm astonished when seeing how suspicious people are when I do things for them for free. Looking out for your neighbor goes a long way, both in the information security world as well as the real world.


Please tell us something about yourself, what do you do when you are not in front of a computer?


My passion for RPGs (NSA intern: I'm not talking about rocket launchers, it's ok, calm down) made me always want to pick up Blacksmithing, which I enjoy in my free time now. Fast cars are always high on my passion list. And, I'm trying to make my father's dream come true and get one of his pictures (or my own, since I started shooting 18 months ago) published in a major magazine.

I am also enjoying a lot learning Paul Ekman's theories and applications of facial expression recognition and the emotional intelligence gained from it, so different from the type of intelligence required for infosec coding :-)