What an interesting interview Aviva Zacks of Safety Detective had with Jason Crabtree, CEO and Co-Founder of QOMPLX! He told her about how his military experience influenced his decision to start his company.
Safety Detective: How did you get involved in cybersecurity?
Jason Crabtree: I got into cybersecurity, in part, because I grew up around some of the old school infosec community members in the Seattle region. When I went to West Point, I studied engineering because of my love for machines and demanding technical problems. I kept getting pulled into security because of my love for combining those two things. After a tour in Afghanistan as an infantry officer, I ended up getting an opportunity to leverage my technical expertise for Cyber Command and worked with the defense community on issues associated with cybersecurity, industrial control systems, and risk management. I was fortunate to see several sides of the security and risk management community as a result.
SD: What motivated you to start QOMPLX?
JC: I started QOMPLX with my co-founder Andrew Sellers. We met at grad school at Oxford, and we started working on modeling, analysis, and data science work. I did a lot of work on the optimization of complex systems and he specialized in massive unstructured data. He eventually did a lot of chief architecture work for the Air Force, and I ended up at the Army Cyber Command for part of the same period. We found that the same challenges we were having in the federal government, especially within the military and intelligence community, were the same issues faced by large, sophisticated corporate organizations. We also found that there were numerous opportunities to avoid major negative events via superior defensive tools and processes which we felt were not being addressed adequately.
One of the most damaging issues that we saw was authentication problems like Active Directory security. Since Andrew had run some of the large Active Directory consolidation and collapse programs within the military, we had first-hand knowledge of the issues prevalent in extraordinarily complex production Active Directory environments. We realized that the technology to secure these problems, as we wanted, didn’t exist, and we decided that we wanted to go out and build what we couldn’t buy.
We had a belief that building a group of operators, together with technologists and risk specialists, was needed. We brought together people with deep cyber operations experience, insurance experience, and large-scale distributed systems backgrounds and combined those skill sets into a unique entity. And as a result, we built a team with varying experience from the military, intelligence community, and private sector. The strategy was key to ensure we could service diverse groups including large financial organizations, healthcare providers, manufacturers, and government entities. We developed a team that can synthesize this totality of experience and leverage that composite experience to improve outcomes when working with various clients.
SD: What would you say is QOMPLX’s flagship product?
JC: We’re best known for providing the world’s largest companies with real-time validation of the Kerberos protocol. Our Identity Assurance suite protects against a number of the nastiest attacks on the street today—including Golden Tickets, Silver Tickets, DCSync, DCShadow, NTDS.dit extraction, Kerberoasting, Pass-the-Ticket—and improves organizations’ security posture. These types of post-exploitation attacks enable lateral movement and support stealthy, long-lasting breaches as well as rapid deployment of ransomware. At least some elements of these are a common part of the attack chain for most of the major breaches you’ve read about—including Marriott, Merck, Maersk, Finastra, and Travelex.
Security leaders have to start addressing some of the fundamental security issues in enterprise authentication. These issues are a fundamental challenge for top CISOs, and hardening Active Directory is often one of the core security goals, especially in 2020, for the premier financial institutions, manufacturing and healthcare companies who have actually engaged with competent red-teams and learned how easy it is to bypass major endpoint vendors, privileged access management solutions, and SIEM tools that don’t have sufficient visibility to address this challenge. A lot of folks mistakenly believe that top-tier EDR vendors will reliably catch tools like Mimikatz—but very simple techniques will reliably evade that kind of detection—so we focus on the network signals and validate the protocol instead.
In addition to stateful validation of the Kerberos protocol and broader streaming analytics on complementary Windows Event Log and Sysmon data, we also pull data from Active Directory and map how different users, groups, and Active Directory objects relate to one another. We’re able to help folks build that into their operations to improve both prevention and response measures—leveraging our blast radius calculations to highlight entity-specific risk.
Those two product modules [Identity Assurance and Privilege Assurance] are part of the QOMPLX cyber, or Q:CYBER, platform. We typically start with mapping organizations’ Active Directory environments before moving into advanced use cases so that teams can build appropriate business cases for these fundamental security controls. And while some folks use our tools in standalone configurations, others will also use some plugins that allow them to import into existing SIEM (security information and event management) workflows like QRadar or Splunk that may already be present in their SOC workflows.
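The stateful protocol validation Crabtree describes can be illustrated with a small added example; this is not QOMPLX's code. It replays constructed Windows Security log records (event 4768 is a TGT issued by the KDC, 4769 is a service-ticket request; encryption type 0x12 is AES256, 0x17 is RC4) and flags service-ticket requests the KDC's own issuance history cannot explain, which is the signal a forged ticket leaves behind. The ten-hour TGT lifetime and the (account, client) keying are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events, reduced to the fields this check needs.
SAMPLE_EVENTS = [
    {"ts": "2020-06-01T09:00:00", "id": 4768, "account": "alice", "client": "10.0.0.5", "enc": "0x12"},
    {"ts": "2020-06-01T09:00:05", "id": 4769, "account": "alice", "client": "10.0.0.5",
     "service": "cifs/fs01", "enc": "0x12"},
    # No 4768 was ever logged for this account/client pair: the KDC never issued the TGT.
    {"ts": "2020-06-01T09:30:00", "id": 4769, "account": "admin", "client": "10.0.0.77",
     "service": "ldap/dc01", "enc": "0x17"},
    {"ts": "2020-06-01T08:00:00", "id": 4768, "account": "bob", "client": "10.0.0.9", "enc": "0x12"},
    # Service ticket requested long after the TGT's assumed maximum lifetime.
    {"ts": "2020-06-01T21:00:00", "id": 4769, "account": "bob", "client": "10.0.0.9",
     "service": "host/ws02", "enc": "0x12"},
]

# Assumed maximum TGT lifetime for the example (default domain policy is 10 hours).
TGT_LIFETIME = timedelta(hours=10)
RC4_HMAC = "0x17"


def validate_kerberos(events, tgt_lifetime=TGT_LIFETIME):
    """Replay events in time order, remember which TGTs the KDC actually issued,
    and return (reason, event) findings for service-ticket requests that the
    KDC's own history does not account for."""
    issued = {}  # (account, client) -> timestamp of the most recent observed 4768
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["account"], ev["client"])
        if ev["id"] == 4768:
            issued[key] = ts
        elif ev["id"] == 4769:
            tgt_ts = issued.get(key)
            if tgt_ts is None:
                # Golden-Ticket indicator: a TGS request backed by a TGT this KDC never logged.
                findings.append(("tgs_without_observed_tgt", ev))
            elif ts - tgt_ts > tgt_lifetime:
                # Renewals would extend this; a real deployment tracks renewal events too.
                findings.append(("tgs_after_tgt_lifetime", ev))
            if ev["enc"] == RC4_HMAC:
                # Encryption downgrade: RC4 service ticket in an AES domain.
                findings.append(("rc4_service_ticket", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in validate_kerberos(SAMPLE_EVENTS):
        print(reason, ev["account"], ev["client"], ev.get("service"))
```

Keying on (account, client) assumes every client talks to the same DC the log came from; across multiple DCs the 4768/4769 streams have to be merged first, and NAT or roaming clients argue for keying on account alone.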
SD: What verticals or industries do you think would be interested in your company’s products?
JC: We work pretty extensively with financial services and large technology companies but we’re growing quickly in healthcare and manufacturing as they’ve experienced more of these events. The thing about our products is that if you use Active Directory or are a Windows-based network, which is the majority of enterprises, we have some things that you’re probably not doing today that are cost-effective and important to addressing critical infrastructure security inside your organization.
SD: Where do you think cybersecurity is headed in the next few years or so?
JC: I think when we look at where things are heading, folks will want to focus more on the basics. Active Directory controls are now a fundamental control capability—right alongside firewalls and endpoint devices. This is the critical infrastructure of every organization. When we look at risk management, we always try and encourage people to look at their core assumptions—what must remain true to avoid disruption. The first core assumption in enterprise security of any type, regardless if you’re a big organization, or small organization, is that authentication is valid. Everything else depends on it.
That doesn’t just mean using a tool like ours to help secure critical protocols like Kerberos. It also means working with the CIO to do things like working towards turning off NTLM (the Microsoft NT LAN Manager security protocols), which are outdated and should not be enabled in an organization. NTLM is provably fundamentally insecure, which means it is not something that you can overcome. You just have to transition away from it. We still see snake-oil vendor salesmen duping uninformed defenders into believing that they can secure NTLM, but researchers in MIT’s Athena project invented Kerberos as a response to NTLM’s inability to meet enterprise authentication security needs decades ago.
In the end, tools alone don’t make you secure. Integrating quality tools into the SOC makes you secure. But if you don’t have visibility—especially around fundamental things like authentication—you are not going to be in a position to trust the alerts and monitoring sources that you’ve got. And so, I think what we’re going to see people adopt much more aggressively is a smaller number of tools that are better integrated and that have the ability to match up datasets from multiple different types of entities. We’ve held that thesis for a long time now and remain fixated on democratizing access to this kind of data fusion capability.
At QOMPLX, we use information from everything from LDAP to DRS to Kerberos to WEL/Sysmon and traditional logs from other security appliances. We take diverse data sets and then mix and match them with additional context from other data inside the organization. Our goal is to help clients better leverage existing sensors they may already have, fill key gaps around authentication with our own visibility and analytic tools, and then leverage a lot of streaming and graph analytics to support defenders’ work.
This type of experience—including the ability to use built-in scratchpads for ad hoc data science on security data—is increasingly required for folks to get ongoing value from tools. And I think we’re going to see continued pressure on security teams to not just ask for more resources, but specifically to demonstrate how those controls and those security programs and practices link to helping the organization remain operational despite adverse circumstances or being under duress.
SD: How do you think the pandemic will change the face of cybersecurity for the future?
JC: Well, COVID is representative of how interconnected and interdependent our society has become. You can no longer unplug and isolate yourself from the Internet and connected business is here to stay. These disruptive events are helping drive a realization that business continuity planning is needed to support the reliable operation of companies.
Unfortunately, we seem to require going through painful experiences like this to internalize these principles, which in many cases were probably things that we might have just agreed to adhere to in advance given a careful analysis. Post-COVID, organizations will remember that they need to have a security architecture that can flexibly reallocate people across offices, regions, or the globe for remote work. My work in multidisciplinary optimization and risk management always points to the need to be efficient on the right timescale—many organizations found that they had created efficiencies that only applied to very narrow expectations of the economic and work environment.
Resilience is still about being efficient—but about being efficient across a wider range of prospective scenarios.
In terms of information security, the fundamentals haven’t changed because of COVID. It’s the same threat actors. It’s just a different challenge with defenders and organizations struggling a bit more around attaining visibility and operationalizing those sources of visibility to provide a comprehensive picture of the business they support.
The best antidote to poor risk management is shining a bright light on the underlying issues. Solid risk management practices will encourage organizations to do a better job of exercising the care that their customers ultimately expect of them; it drives security organizations to work with their committed partners to align with a long-term vision and with activities supported by the CISO. The reliable attainment of key business outcomes, underpinned by information technology that preserves operational integrity despite inevitable challenges from real-world disruptions—be they hackers, hurricanes or viruses—must remain the goal.