Career Notes 12.5.21
Ep 78 | 12.5.21

Ryan Kovar: Everyday, assume compromise. [Strategy]


Ryan Kovar: My name is Ryan Kovar and I'm a Distinguished Security Strategist at Splunk. 

Ryan Kovar: I think when I was growing up, what I wanted to do was be a history teacher, primarily. Computers were really something that I just did video games of and ended up getting into because I joined the Navy. 

Ryan Kovar: I tried to join the Air Force and they said, you're not very good at math, so no thank you. And I tried to join the Army and I said, well, I really just want to drive a tank, that seems fun. And they said, no, you have to be in military intelligence or chemical warfare. And I said, neither of those sound appealing. And then I went to the Marines and they said, you'd be a rifleman. I said, well, that doesn't sound fun. So finally I went to the Navy and they said, sure, you can either do photography or work with radios and computers. I said, well, radios and computers might be fun. So I ended up joining the Navy and then focused on computers while I was there.

Ryan Kovar: I was actually a system administrator on an aircraft carrier. So I was on the USS Kitty Hawk out of Yokosuka, Japan. I really cut my teeth as a Windows NT 4.0, Unix 5.5, and Exchange 5.5 system administrator. And that's where I really got into computers. I was also in charge of the cyber warfare defense for the Fifth and Seventh Fleet during the invasion of Iraq in 2003, which mostly meant I put ACLs into a firewall. And that's kind of my first taste of cybersecurity.

Ryan Kovar: At 22, you know, I had 20-plus, 20-ish people working for me, um, you know, multiple millions of dollars of equipment, thousands of users, and not something that most 22-year-olds have. I left the Navy and then I actually worked at a defense contractor in San Diego doing a very similar job. And they said, Hey, we have this one-week opportunity in London supporting the UK Home Office, at the time called NCIS, which was National Criminal Investigative Service, which was very confusing being in the Navy. So I went out there for a week to help them actually with Exchange 5.5, and securing that system, and they ended up giving me a work visa and I stayed for another four years.

Ryan Kovar: It's been a very interesting journey. I feel like it's fairly unique when I talk to folks. I moved back to America and I completely left the public sector and got a job working at KPMG. They were doing big data before we had the word big data. I started working for them as a sysadmin and doing basic security work. While I was there, I really got into security and decided that I was really interested in this idea of an active adversary doing malicious things, and I wanted to focus my career on that. I started working with the compliance team. While we were doing that, I realized that, Hey, we really needed to boost our security. So I helped build out the first SOC that they had, and also simultaneously built out one of the first NOCs and learned how just to do enterprise monitoring. And oddly enough, uh, I tried to actually buy Splunk at the time, but they were too expensive for our budget. My wife was accepted to a PhD program in the UK. So we actually moved back to the UK. While I was there, I found out that master's programs in the United Kingdom don't have an undergraduate requirement if you can show professional development over the course of your career. So I was actually able to get a master's degree in cybersecurity while I lived in the UK without a bachelor's degree.

Ryan Kovar: My best friend from the Navy called me and said, Hey, I'm starting up a nation-state hunting team at DARPA. And would you like to help run that with me? So we moved back to the US and I worked at DARPA for four years running a nation-state hunting team. We did a lot of research and development, and that was wonderful. When my wife finished her PhD program, she said, Hey, I need more flexibility than working in DC. We basically said, where can we go? And I've been using Splunk at the time. And Splunk said, Hey, we'd love to have you come on. Since COVID happened, obviously I've been at home a lot more. And based on our experience around SolarWinds, we kind of realized that there was a need for a team of researchers to really focus on solving what we affectionately call blue collar for the blue team problems. So that kind of led to the security research team called SURGe here at Splunk.

Ryan Kovar: Now our days are really spent around finding research projects that we think will help the every person of security and I'm trying to create it in a consumable way. To be perfectly honest, we're really inspired by CyberWire for a lot of that. Just how the, the short sweet notes that you guys put out every day and every week, and trying to look at how we can do similar things to help folks and get them on their way for their security journey. 

Ryan Kovar: One thing about being in the military is you got a lot of leadership training. I personally find that I think it could probably be described most generously as a benevolent dictatorship. I like to take a lot of input, but I do believe that at the end of the day, someone has to make a decision and someone has to lead an organization. We do things that are, uh, we really need to find a better word for it, but affectionately called "murder boards" where people bring up ideas and we kind of really work the devil's advocate side of every aspect of it, and it's not intended to be criticism. The idea is that every day, you can do better. And there's a motto that we have on our team of fail less, which is not intentionally negative. It actually comes from our background in blue team, which was assume compromise. Every day, assume compromise, and that your job is to find that compromise. The only failure that I believe in is not sharing your failure. I've given whole presentations on my failed research and the idea being that I've done this, I've used the scientific method. This is my approach. This is what the outcome was. You don't need to go down this route. We can use this to build, to go a different direction.

Ryan Kovar: The other aspect that we work very hard on is diversity of thought. We have a variety of different people, variety of genders and all different things coming in there to make sure that we're getting a diversity of thought and output before we kind of pull together as a team and execute.

Ryan Kovar: I've been doing cybersecurity or IT now for over 20 years and of that 20 years of knowledge, only about five years of that knowledge is really relevant. You can't sit on your laurels in this industry. Like what you knew yesterday can be completely extinct tomorrow.

Ryan Kovar: The biggest thing that I take pride in now is less the work that I've done than the people I've helped influence. I think the most rewarding aspect of my career in the last five years has been one mentoring and working with people new to the industry. What I do try to do is do a lot of advocating where I look at it more of, I think you're phenomenal and I'm going to make sure that the doors open for you and provide that feedback and make sure that people are taking you seriously and giving you any advice I can. That has been more rewarding to me than probably any of the ephemeral, uh, technological victories that I've had over the last 20 years.