Let’s Hear from OISF Board Member Christian Kreibich

As many of you already know, OISF’s Board of Directors is made up of seven security industry experts and thought leaders. We are fortunate to have their expertise guiding us through this exciting year for OISF and Suricata.

But you may be wondering why they wanted to become members of the OISF board, what their vision for OISF is, what they think about security tools, and so on. We thought it best to hear directly from them.

This month, we would like to thank Christian Kreibich, Director of Research at Lastline and Senior Researcher in the Networking Group at the International Computer Science Institute, for sharing his thoughts with us.

Tell us a little about you – your work in security, how you arrived in security, the organization you work for, etc.

I came to security via networking, which had always fascinated me. So many cool things you could do in that space! Back in 2000, while a student at TUM in Munich, I had an opportunity to intern with researchers in the Networking Group at the International Computer Science Institute (ICSI) at Berkeley. We explored solutions that would make it harder for attackers to evade NIDSs. I had a blast, and after an absolutely terrible software engineering internship in industry back in Munich decided that a Ph.D. would be a much better idea.

From 2003 onward I then got to spend four years researching network security ideas in Cambridge. It was quite the ride: automatic signature generation, protocol learners, anomaly detectors, the emergence of botnets — a lot of really cool stuff happened during that time. (Cambridge’s amazing pubs were an additional bonus, but that’s another story.)

Freshly graduated I returned to the US for a post-doc, building botfarm technology back at ICSI. We ended up doing some incredibly cool work measuring the financial angle of the emerging underground economy, enabled by botnet infiltration. (I also had to adapt to ridiculously hoppy US IPAs, but I digress again.)

These days, I wear two hats — I’m a senior researcher in ICSI’s Networking Group, and finally found my way into industry as the director of research at Lastline, an anti-malware company founded by close friends and colleagues at UCSB.

What inspired you to want to become a board member of OISF?

Open-source software is everywhere these days, and its users often don’t appreciate the commitment and demanding environment of its developers. Organizations such as OISF are key for steering these projects successfully, and OISF’s main product, Suricata, is close to many things I work on every day. Board membership was a natural idea, and I’m very glad to be serving today. I’ve not yet managed to meet all members, but we sure had a blast in Copenhagen!

What is your opinion about having security tools, such as Suricata, managed by a non-profit vs. for-profit organization?

It is a key advantage for open-source security software to be managed by an organization that is not primarily profit-oriented. It establishes a degree of independence that otherwise remains hard to maintain. The challenge, of course, is funding, but organizations like OISF demonstrate that a combination of major backers (such as DHS in the early days of OISF, or NSF in the case of Bro), revenue from training events, and industrial sponsorship can make it work.

What is your role in the security community?

As an OISF board member, I’m trying to help the development of Suricata as well as OISF. More broadly, I try to advance the state of the art in network security both as an academic researcher and via Lastline’s products — two outlets that sometimes overlap and always keep me on my toes. The security community has a wealth of incredibly smart and fun people, and it’s a thrill to be part of it.

What does your crystal ball tell you about the future of IDS, IPS, and Suricata?

Scalability will remain a key challenge in this space. Clustering processors behind smart load balancers currently offers one way out. You can take this further, though, for example via out-of-path, nearly real-time flow-level analysis via Hadoop-style architectures. It’s going to be exciting.

On the open-source side of things, we still haven’t found the ideal toolchain for building network monitoring solutions. I wish the solutions that exist were more modular and reusable. Take, for example, protocol parsers and TCP reassemblers. Far too many implementations of these exist. The good news is that improvements are emerging, such as the HILTI high-level language for expressing protocols, and will hopefully see broad adoption. Suricata is right in the middle of the action, and can thus both contribute and benefit.
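The “smart load balancer” in the scalability answer above has to be flow-aware: if the two directions of a TCP connection are handed to different sensors, neither sensor can reassemble the stream, and the TCP reassembler mentioned later never sees a complete conversation. The following is an added example written for this page, not code from the interview, OISF or Suricata. It builds a direction-independent 5-tuple key, hashes it to one of N workers, and contrasts it with a naive direction-dependent key. The sample packets, worker count and helper names are all constructed for illustration.

```python
import hashlib
import ipaddress
import struct
from collections import defaultdict


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent 5-tuple: A->B and B->A yield identical bytes."""
    a = (ipaddress.ip_address(src_ip).packed, src_port)
    b = (ipaddress.ip_address(dst_ip).packed, dst_port)
    lo, hi = sorted((a, b))  # canonical endpoint order
    return (lo[0] + struct.pack(">H", lo[1])
            + hi[0] + struct.pack(">H", hi[1])
            + bytes([proto]))


def naive_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-dependent tuple: the mistake a non-flow-aware balancer makes."""
    return (ipaddress.ip_address(src_ip).packed + struct.pack(">H", src_port)
            + ipaddress.ip_address(dst_ip).packed + struct.pack(">H", dst_port)
            + bytes([proto]))


def worker_for(key, n_workers):
    """Map a key to one of n_workers sensors via a fixed-length hash."""
    digest = hashlib.blake2b(key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_workers


def assign(packets, n_workers, keyfn=flow_key):
    """Return {worker: [packet, ...]} for (src, sport, dst, dport, proto) tuples."""
    buckets = defaultdict(list)
    for pkt in packets:
        buckets[worker_for(keyfn(*pkt), n_workers)].append(pkt)
    return dict(buckets)


def flows_colocated(packets, n_workers, keyfn=flow_key):
    """True if every packet of every connection reached the same worker."""
    seen = {}
    for pkt in packets:
        canon = flow_key(*pkt)  # canonical identity, regardless of keyfn under test
        w = worker_for(keyfn(*pkt), n_workers)
        if seen.setdefault(canon, w) != w:
            return False
    return True


# Constructed sample traffic: each HTTP connection appears in both directions.
PACKETS = []
for i in range(1, 9):
    client = f"10.0.0.{i}"
    PACKETS.append((client, 40000 + i, "192.0.2.10", 80, 6))   # client -> server
    PACKETS.append(("192.0.2.10", 80, client, 40000 + i, 6))   # server -> client

if __name__ == "__main__":
    n = 4  # hypothetical sensor cluster size
    for name, fn in (("symmetric", flow_key), ("naive", naive_key)):
        buckets = assign(PACKETS, n, fn)
        print(name, {w: len(p) for w, p in sorted(buckets.items())},
              "colocated" if flows_colocated(PACKETS, n, fn) else "SPLIT")
```

The symmetric key always keeps both halves of a connection on one worker; the naive key may or may not, depending on where the two hashes happen to land, which is exactly the kind of non-determinism that turns a scaling tool into an evasion opportunity.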

What should we be telling people about Suricata that makes it different from other IDS/IPS technologies out there?

It’s important to acknowledge the continuing importance of signatures in the NIDS toolbox. People, particularly academics, are quick to dismiss the approach, but like any technology you can use it cleverly or poorly. This gives Suricata a unique focus that is important to keep.

Suricata also has the benefit of support from a great, growing, and supportive community. This is something that everybody involved can truly be proud of.

Any final thoughts?

I’d simply like to say “thank you” — to everyone in the community, not just OISF and Suricata. Our space evolves so fast, and it’s such a thrill to be part of it.