May 8, 2019 Security operations
Brian Donohue Todd Gaiser

Meet Todd Gaiser: detection engineering extraordinaire

Todd Gaiser is a longtime anti-malware enthusiast, a vintner (in a manner of speaking), and the new director of detection engineering at Red Canary. Since much of the funding round we announced last week will be dedicated to growing the team here at Red Canary, we’re going to do our best to post introductions of anyone that could significantly impact the direction of this blog.

Considering that the Cyber Incident Response Team (CIRT) produces much of the content here, and that the director of detection engineering will play a sizable role in guiding the direction of the CIRT, Todd has the dubious honor of being the subject of our very first Canary introduction.

We sent Todd questions about his career and his interests, and he sent us back the following answers.

What interests you about security?

I’ve always been fascinated by malware, and I’ve spent a good part of my career learning about the anti-malware industry, techniques, and the ever-escalating arms race between offense and defense. Back in the day, I had a collection of DOS viruses that I would run on an old test box and (attempt to) read the source code to understand what was happening—Cascade was an old favorite. Within a few weeks of starting at Microsoft, I found myself a participant in the MS Blaster incident, volunteering at night to man the phones and help consumers navigate the outbreak.

After a few years, I was fortunate enough to be an early member of the Microsoft Malware Protection Center (MMPC), where I worked with some of the top folks in the anti-malware industry and watched as malware became more and more sophisticated and, frankly, evil.

How did you get into security?

My first “job” in information security was in early 1992 when I downloaded a cleaning tool for the Michelangelo virus from a bulletin board system (BBS) over a screaming fast 1200 baud connection. Media attention around the virus had reached a frenzied pitch with the impending activation date of March 6th, so I rode my bike around the neighborhood and offered scanning and cleaning services for a dollar. From that point on, security was a passion. I’ve always been fascinated by the evolution of both attackers and defenders as connectivity moved from bulletin boards to the internet and intent moved from curiosity and pranks to global criminal operations and espionage.

Why Red Canary?

Having gained some experience building out a threat detection service, the alignment to my role in Red Canary was the initial draw. However, after a few interviews and my first few weeks at the company, I can say that the people really set the company apart. We have a group of insanely smart people united in a common goal of helping our customers detect and respond to threats in their environments. While the technology is awesome and constantly (and quickly) evolving, it’s the people at Red Canary that make the biggest impact. I consider myself lucky to be a part of this team.

Can you tell us any good security stories?

I can’t get into too many details here, but I have seen some pretty crazy things in the security space. Big malware outbreaks come to mind first. From the MS Blaster story I shared above, to watching one of the first variants of Conficker utterly dominate a production datacenter in the span of a few minutes, to being “in the room” and watching as teams from all over Microsoft came together to help customers deal with the WannaCry outbreak.

We had a lot of exposure to advanced actors, and it was always interesting to see how they would get caught. Many years ago there was a company with a remote developer who had a less than reliable power source. His box got popped and the adversary had tarballed up a ton of source code and other data. By mere coincidence, the developer’s power went out immediately after the tarball was created but immediately before the actor could hide the file. When his machine came back up he saw the archive sitting on his desktop and called in the cavalry. A lot of times we would be involved with incidents early on, and it was always very interesting to see how the media portrayed these incidents days, weeks, or even months later.

Endpoint- or network-based security?

I’m a bit biased given that most of my focus and career has been on the endpoint, but I would go with endpoint expertise every time. It’s built into the name: everything begins and ends with the endpoint. From a network perspective, you might be able to observe what data are traveling between endpoints and to where, but that is becoming more and more difficult with on-the-wire encryption, anonymous proxies, TOR, VPNs, and so on. However, by examining the endpoint, you can determine who is sending the data and you often get a good idea of the content from file reads, writes, and more by profiling the host processes. From a network-only perspective, you might be able to see the delivery of malware, but from the endpoint you can observe how that malware is affecting the system.

MacOS, Windows, or Linux?

I used to be a big Linux user back in the ’90s. After moving from DOS 6.22 with WFW 3.11 to OS/2 for a hot minute, I migrated completely over to Linux, running mostly Slackware distributions and dabbling with the “Linux From Scratch” project. When I accepted my job offer from Microsoft, I guessed I needed to figure out this whole Windows “thing” and installed XP about 3 weeks before I started. I have a lot of respect for Windows after spending so many years on the inside and watching some super smart people make some awesome progress in securing the platform. On my first day at Red Canary, I was handed a MacBook. I assumed it was some strange hazing ritual, and, since then, my search history has been littered with colorful variations of “how to do XYZ on a Mac.”

What’s ahead for the Red Canary CIRT?

It’s on the first page of our website because it’s the reason we were founded and the reason we work so hard for our customers: we are your security ally. And at the center of that partnership are the insanely talented detection engineers who are monitoring, analyzing, designing, tuning, and innovating on a daily basis to help protect our customers. We hire the best and our core job description goes well beyond that of a traditional analyst.

Our detection engineers are continually looking for ways to improve our system end-to-end, whether that means adding new detectors to find the latest threats, creating innovative suppression rules to help accurately reduce noise, or building tools, processes, and workflows to ensure we deliver the highest quality product and service possible.

So my vision of the CIRT isn’t revolutionary… I foresee a future where we’re doing everything we’re doing now, but better, faster, more accurately, at scale, and with the highest quality you’ve come to expect from Red Canary as your security ally. We will get there by leveraging the talents of our amazing people, building on cutting edge technology, and a laser focus on improving every day.

I’m excited to be a part of it.

Todd’s been in security for nearly two decades, specializing in endpoint threat detection and anti-malware. In 15 years at Microsoft, he worked in security product development, built Windows platform integrity features, contributed to the Microsoft Malware Protection Center, and helped build its enterprise threat detection service. Outside of work, Todd helps run a winery with his dad and brothers, watches rugby, does outdoorsy stuff in Colorado, and spends time with his wife and son.
