Trust nothing: A life in infosec is a life of suspicion

Like many before him, Amit Serper started his cybersecurity career in one of Israel’s intelligence agencies. Nine years later, he left for the private sector: he joined Cybereason, a cyber security company started by former colleagues which specializes in endpoint (EDR) and managed detection and response (MDR).

When he started there as a senior security researcher, then progressed to different research roles. Today, he’s the company’s head of security research, leading Nocturnus, its advanced global research team.

“I’ve been a security researcher for the past 15 years. In my career I’ve done anything from exploitation, low level operating system research and malware analysis and reverse engineering,” he told Help Net Security.

The main lesson he learned throughout all those years is that, in the infosecurity field, one must always doubt everything.

“Everything is a matter of effort and nothing is really impossible. Whether it’s a purportedly ‘unhackable’ device or a very sophisticated piece of malware – code can be subverted to do things that it wasn’t meant to do. Something that was engineered to be tamper-proof can be reverse engineered and hacked,” he notes.

The state of (in)security

There’s no doubt about it: many software solutions out there are insecure. Hardly a day passes without hearing news about breaches and new software vulnerabilities.

“Just because a company tells you that their product is secure or they promise that there are no security vulnerabilities in their products it doesn’t mean that they know what they’re doing,” he opines. “If you care about information security, you should always doubt everything and do your best to determine what the risks are and configure your devices and system accordingly and protect them if necessary.”

While security issues may arise because of a variety of reasons, shoddy and lax development skills is among the main ones, he believes.

“When I was doing vulnerability research on IoT devices, I was shocked to discover how little thought went into security – all the developers cared about was ‘making stuff compile’ and shipping out products as quickly as possible. Seeing all of those (oftentimes plainly ridiculous) vulnerabilities made me embark on a mission to make people in our company – from finance employees to software engineers – care about security.”

Serper sees plenty of malicious activities on large companies’ networks every day and, he says, there are plenty of very talented attackers out there. Also, their job is easier than that of the defenders: they have to be right just once, while defenders have to be right 100% of the time.

“Defense requires a lot of skill, experience and, of course, the right technology. Good visibility of the organization’s network – endpoints, firewalls, proxies – is essential. And once you got that covered, you also have to be able to tell apart malicious activity from regular admin activity,” he notes.

But while being a defender in today’s world is not easy, doing that job well is just as satisfying as hacking a company, in his opinion.

He also waxes lyrical about bug bounty programs, which are, he believes, one of the best things that happened in the industry, for both companies and researchers.

“For years, security researchers would find bugs, report them and would, in most cases, be ignored. They would write about the vulnerabilities, create exploits and give talks about them at conferences, but that was it. Bug bounties allow all those researchers to get paid for the valuable time they are investing in finding those bugs and, because the pay-out to the researchers comes from the companies themselves, it helps create accountability and a win-win situation for everyone,” he says, and recommends to all product companies to have a bug bounty policy.

Getting into information security

For those wanting to get into information security, Serper advises choosing a discipline that they are excited about or will get them working on issues they care about.

Whichever discipline they pick, the technical knowledge and skills they will have to amass are all over the board, he says, but they also must not forget about learning communication skills.

“Security is all about telling other people what it is that they are doing wrong. It’s easy for security-doers to be sarcastic and condescending and to think that if the problem or solution is easy for them to understand, it should also be the same for others. Unfortunately, it’s not, and communicating our message in the right way is key to successfully working with other people and making sure that our advice is taken seriously,” he opines.