This year there was a lot of discussion in the Galleria Bar relating to exploit development (a big change from the past decade’s worth of vulnerability disclosure debate) – mostly due to the media attention garnered by the HB Gary Federal and Endgame Systems (Endgames) disclosures/revelations over recent months.
Each evening I’d inevitably get pulled into (new) discussions as folks I hardly knew (or had only just been introduced to) tried to pump me for insider information about Endgames – somehow assuming I’m involved with that company. Let’s be clear – I have nothing to do with the Endgames business! It’s important that people understand that. The fact that both Endgames and Damballa (where I work) are in the same building in Atlanta is a reflection of shared Georgia Tech heritage and talent recruitment – not to mention $$$ per-square-foot office space rental costs – and is not a conspiracy seeking new enlightenment. And no, I don’t (and never have) worked for Endgames.
By way of preempting the next recycled batch of grilling from security nuts, weirdos and conspiracy theorists, here are some facts…
- Back in 2005 I was enticed to leave NGS Software and London, and assume the role of Director of X-Force in Atlanta after Chris Rouland (the former Director of X-Force – and current CEO of Endgames) took on the role of CTO at Internet Security Systems, after Christopher Klaus (an ISS founder) vacated that particular position. As it happened, I took over responsibility for X-Force just after the Blackhat/Defcon events of 2005 – immediately after the Mike Lynn/Ciscogate affair (so that wasn’t anything to do with me). So, yes, Chris and I have both held the same titles at ISS, and no, Ciscogate was not my fault.
- While I was the Director of X-Force, the X-Force group (which consisted of R&D, threat research, detection/protection engineering teams, signature development teams, etc.) reported up through the VP of Engineering. The professional services teams (some of which were/are commonly tagged as “X-Force”) were regionally focused and organized, and so tended to report up through the regional sales organizations (i.e. not my responsibility). This is an important distinction, because ISS wasn’t unfamiliar with some of the professional services that would eventually transfer with the people that kicked off Endgames. So, no, I was not responsible for things labeled as “X-Force” within the professional services division in the US, and yes, the professional services group(s) did have access at the time to all the latest vulnerabilities and 0-days uncovered by the X-Force R&D teams.
- When IBM acquired ISS in October 2006, there were a lot of changes. ISS became IBM ISS and an “Office of the CTO” was established. Given integration challenges and the hope that a center of excellence could be created within IBM to bring together all the great security research done throughout IBM globally – and the hope that the derivative technologies would make it into products within IBM ISS – the responsibilities for X-Force were divided and I took on the role of Chief Security Strategist – reporting into the new “Office of the CTO” – working with Chris Rouland and another founder of Endgames. So, yes, Chris and I (and several of the eventual founders of Endgames) worked together for a couple of years in the same “office” at IBM ISS.
- Some of the (PSS) services ISS had previously provided were not well suited to a company such as IBM and needed to be shut down, or were left to passively wilt while contract renewals weren’t pursued. Several of these services (derivatives and extensions) are directly related to how Endgames came to exist – after the ISS professionals familiar with their delivery, and with a belief in their commercial viability, struck out from IBM ISS to create Endgames and satisfy those customer needs. I was never part of that side of the IBM ISS business. For one thing, I’m a foreigner and didn’t have the appropriate security clearances to get involved. For another, I find some aspects of that particular business model unsavory. So, no, I never had a hand in that side of the ISS/IBM ISS business.
- You can’t swing a stick in Atlanta without hitting an ex-ISSer. The number of security professionals that have passed through ISS over the last decade-and-a-half and gone on to establish and populate new security startups in Atlanta is amazing. This is why you’ll find so many ex-ISSers working at both Endgames and Damballa – and at dozens of other security companies in the area! So, yes, we all know and respect each other and tend to get on well. Endgames is in the same building, one floor below Damballa, and there are several bars within spitting distance of our respective offices.
- In the early days of Damballa (which is a startup that sprang out of Georgia Tech), Chris Rouland was on the company’s Technical Advisory Board. For its first few years of existence Damballa was focused on tracking botnets, enumerating the bot-infected victims, and providing that insight as commercial intelligence feeds. Shortly after I joined Damballa in 2009, Damballa stopped providing commercial threat intelligence feeds and focused on appliance-based threat detection solutions. Chris Rouland elected to leave the Damballa Technical Advisory Board shortly before Endgames launched their IPTrust brand/service. So, yes, in the past there was a relationship between Damballa and Chris Rouland (after all, he created the original X-Force and has been a thought leader in the security community for quite some time) – just not what some people have assumed.
There is no commercial relationship between Endgames and Damballa. Damballa and Endgames are separate commercial entities – doing completely different things in totally different ways, with different objectives, customers and employees. The histories of several folks working at both companies are entwined with the history of ISS and IBM ISS – but that’s it.
And so on to the last of the conspiracy theory questions: no, I know of no cases of ISS selling vulnerabilities to any foreign entities. And yes, I’m still an opponent of middle-man financial models relating to the buying and selling of 0-day vulnerabilities.