When I asked Dr. Giovanni Vigna what some of the most important lessons he has learned during his 25+ years in computer security were, his answer was simple: always learn by doing and always innovate.
“Reading about security is never enough. Getting one’s hands ‘dirty’ by actually writing code or setting up systems is the only way to really appreciate how difficult it is to create reliable, effective attack/defense systems,” he says.
Learn by doing
One of the ways to learn by doing is to participate in CTF competitions, and Dr. Vigna knows a lot about that. He founded and still runs the Shellphish hacker group, and has been organizing one of the world’s largest attack-defense hacking competitions for many years now.
Founding Shellphish was a natural consequence of participating in these competitions, he tells me, and since its inception in 2005, it has become the team that has participated in more DEF CON CTF competitions than any other team in the world. The International Capture The Flag (iCTF) competition he started in 2003 is also the longest-running educational attack/defense CTF competition in the world.
“My experience in organizing and participating in many CTF competitions has taught me that students and researchers love to be challenged. This drive to win results in better preparation and more commitment to achieve,” he says.
“In fact, these competitions are very similar to athletic events, in which the event performance is important but the actual training that precedes it is crucial. Preparing for a CTF by designing and implementing attack and defense tools is the most important learning phase, in which a student/researcher actually learns and tests the capability of different tools and techniques. The actual competition then puts the acquired knowledge to the test, but it’s the preparation that contributes the most to the improvement of security skills.”
These competitions are a great way to train and recruit students and employees.
“In a competitive environment, students and researchers tend to go well beyond the call of duty, coming up with interesting, creative attack/defense solutions. In addition, doing this under severe time pressure can really shape one’s view of security and improve the appreciation for teamwork,” he adds.
Dr. Vigna’s background in academia (he’s been a Professor of Computer Science at the University of California in Santa Barbara since 2000) and security research forced him to always think about what’s “novel”.
The security field moves at a fast pace, and tools and approaches quickly become obsolete, so trying new approaches is the only way to move forward. And, according to him, there is always a way to make a security mechanism or technique better, faster, or more effective.
He transferred this approach to Lastline, where he serves as the company’s CTO.
“At Lastline we have a very in-depth view of what the active threats are. This inspires us to find novel approaches to combat them, since it’s obvious that current approaches are not effective. So, even though Lastline and the university are two different worlds, they share many aspects,” he adds.
Infosec and the future
There are many new and not-so-new technologies that are being tried out in the computer and information security field, and Dr. Vigna is very excited about new ways of doing security analysis.
“So far, the model has been to have a human analyst explore a problem (e.g., finding a vulnerability in a piece of software) by using various tools and composing their results. I think that in the future it will be an automated system that drives the discovery process and uses humans as ‘tools,’ asking the human analyst for help when certain tasks cannot be solved automatically,” he says.
“It’s a sort of Copernican revolution of how we do things. While the research is in its infancy, the prospects are great since an automated approach can scale better than humans (and, no, we will not become slaves of the machines).”
Another thing that will shape the way in which we do security is machine learning.
“As we are able to collect more data, we can extract more meaning and automate more tasks, by using machine learning in the right way,” he notes.
“However, in this case, ‘right’ is the keyword. Doing machine learning in an adversarial environment (i.e., when the data from which you are trying to learn is ‘fighting back’) is not your standard machine learning gig. We will need to innovate the machine learning field in order to be able to learn, classify, and cluster threats in the presence of an opponent that is well aware of the techniques that are being used.”
It will not be easy, he says. “The emerging threats understand which machine learning techniques are being used, what models have been learned, and use this knowledge to fly ‘under the radar.’ It might not be common now, but it will be the battlefield in five to ten years,” he predicts.