There are two parallel threads.
The first thread was learning how analysis breaks down. Scientists use analysis all the time to explain natural phenomena. This works out great because the laws of physics don’t change. (Not that we know of, at least.) Analysis techniques like signal detection and hypothesis testing worked so well in the physical sciences, people started applying them to other fields. Fields like natural language processing, hedge fund trading, and eventually cybersecurity. The problem was that the analysis techniques always depended on an underlying model… and the models changed. Fields of study that involve humans always seemed to have models that changed on a regular basis. People are unpredictable — go figure! So when we wonder why our security methods don’t work, it’s because our adversaries work very hard to break our models of security.
The second thread was military operations. I have a military background and learned fairly quickly that plans, while a good exercise for preparation, do not hold up under contact with the enemy. The funny thing — the enemy wants your plans to fail. Better yet, the enemy is constantly trying to trick you. Simple analysis, while a good tool, never is enough when facing a determined adversary.
Mixing these two threads together gives us an “interactive defense” that allows us to “change the battlefield,” “influence and expose malicious intent and intruder” and “expel malicious actors.”
That is, we can deploy information technology tools that actively deceive attackers. Things like this have been around for a while and have been used by experts in the field of cybersecurity. The problem is that these kinds of solutions are a lot of work to set up and maintain, and the solutions are usually very fragile.
I wanted a platform that would let me easily and quickly (in 5 minutes or less) deploy a massive armada of phantoms, and I did not want to have to configure or maintain this stuff. I wanted to overwhelm any adversary with the push of a button. Ridgeback was the answer to my problem.
Ridgeback is a unique and innovative Enterprise Security Platform that allows me to deploy any sort of interactive defense at an incredibly large scale. I can now completely overwhelm even the most sophisticated adversary by simply typing “start-ridgeback.” Better still, I can even run it on my laptop.
Going from zero visibility in our layer 2 networks to full visibility is always very eye opening. We have installed Ridgeback at a number of customers, and every time we bring up the console for the first time and begin seeing data we always hear "WOW, what is that traffic?" Much of the time the customer does not believe what Ridgeback is showing, but in every instance, after analysis, Ridgeback is always shown to be correct.
This was the biggest surprise for me with this technology - showing me what is really happening on every VLAN where there is an rcore sensor configured. In the first network we installed it in, we saw traffic from segments that we should not have seen - upon further investigation we found a switch configuration error that allowed traffic to bypass our firewall if the attacker knew the network. This alone was enough for the customer to move forward with the purchase.
I initially saw this technology as one to fill the huge hole that is in every network - a software tool capable of providing visibility and protection on layer 2 segments, where the only current option to protect these networks is NAC. In my experience (multiple NAC implementations) it is difficult and time-consuming to set up and maintain, and it does not show inter-system traffic within the VLAN. Once a system is permitted onto the network, the NAC no longer provides any protection. With Ridgeback, we have full visibility, and if desired, full protection, with the Ridgeback rcore assigning itself every unused IP address in the layer 2 segment. In protect mode it is impossible for any hostile user or program that is exploring the network to do so undetected. This is our canary in the coal mine - if it triggers, there is activity that needs to be investigated. However, instead of waiting for analysis and people to do something to prevent the activity, Ridgeback immediately responds to the intruder, tying their system in knots, while at the same time providing time to make decisions based on facts, not analysis.
The software is simple to install and simple to use. We use it first to clean up all the unwanted traffic, then we use it to enforce good behavior. Then we generate reports that validate what we expect to see. This is a technology that, in every instance, has provided more benefits for our customers than we expected when we first deployed it.
This is one of the best technologies I have seen in decades. Nobody else does anything like this. The existing AI-based analysis tools cannot match the fact-based detections that Ridgeback provides - and when customers combine Ridgeback's fact/truth-based detections and protections with AI-based analysis, it becomes a truly winning combination for the defensive team. Remember - the bad guys only have to be right once. We have to be right every time.
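To make the "claim every unused address" idea above concrete, here is an added illustration, not Ridgeback's own code and not a description of how rcore actually works internally: a toy sensor computes the phantom addresses of a segment, answers ARP for them as if it owned them, and flags any host that asks about several phantoms. The segment, the allocated addresses, the ARP log lines, the sensor MAC and the threshold are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a /28 segment where only four addresses are legitimately in use.
SEGMENT = ipaddress.ip_network("192.0.2.0/28")
ALLOCATED = {"192.0.2.1", "192.0.2.10", "192.0.2.11", "192.0.2.12"}

# Constructed ARP request log, one "who-has <target> tell <sender>" line per request.
# 192.0.2.12 walks through addresses nobody uses; 192.0.2.10 only asks about real hosts.
ARP_LOG = """\
who-has 192.0.2.1 tell 192.0.2.10
who-has 192.0.2.12 tell 192.0.2.11
who-has 192.0.2.2 tell 192.0.2.12
who-has 192.0.2.3 tell 192.0.2.12
who-has 192.0.2.4 tell 192.0.2.12
who-has 192.0.2.5 tell 192.0.2.12
who-has 192.0.2.11 tell 192.0.2.10
"""

def phantom_addresses(segment, allocated):
    """Every host address of the segment that is not legitimately in use."""
    return {str(h) for h in segment.hosts()} - set(allocated)

def parse_arp(log):
    """Yield (sender, target) pairs from the constructed who-has log format."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "who-has" and parts[2] == "tell":
            yield parts[3], parts[1]

def phantom_reply(target, phantoms, sensor_mac="02:00:00:00:00:01"):
    """Answer a who-has for a phantom address as if the sensor owned it; None otherwise."""
    return f"is-at {sensor_mac} for {target}" if target in phantoms else None

def detect_probes(log, segment, allocated, threshold=3):
    """Return {sender: [phantoms asked about]} for senders touching >= threshold phantoms."""
    phantoms = phantom_addresses(segment, allocated)
    hits = defaultdict(set)
    for sender, target in parse_arp(log):
        if target in phantoms:
            hits[sender].add(target)
    return {s: sorted(t) for s, t in hits.items() if len(t) >= threshold}
```

Legitimate hosts rarely ask about addresses nobody uses, so even a low threshold gives a high-signal alert; the reply path is what turns the unused space into the "knots" the text describes.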