Tribe of Hackers
From an interview with Marcus Carey & Jennifer Jin for Tribe of Hackers, 2018:
Dug Song is the co-founder and CEO of Duo Security, the leading provider of unified access security and multi-factor authentication delivered through the cloud. Duo protects more than 12,000 customers globally, including Dresser-Rand, Etsy, Facebook, K-Swiss, Random House, Yelp, Zillow, Paramount Pictures, and more. Founded in Michigan, Duo has offices in Ann Arbor and Detroit, as well as growing hubs in Austin, Texas; San Mateo, California; and London.
Prior to launching Duo, Dug spent seven years as founding Chief Security Architect at Arbor Networks, protecting 80 percent of the world’s Internet service providers, and helping to grow the company to $120M+ annual revenue before its acquisition by Danaher. Dug also built the first commercial network anomaly detection system, acquired by Check Point Software Technologies.
Dug’s contributions to the security community include popular projects on open source security, distributed file systems, and operating systems as well as co-founding the USENIX Workshop on Offensive Technologies.
If there is one myth that you could debunk in cybersecurity, what would it be?
That security is so hopelessly complex. Unfortunately, the security industry tends to admire threats and problems as much as actually solve them. You find that folks focus on the wrong things; most security conferences are really sensationalistic with all the stunt hacking and hype. In reality, when you look at how most organizations fail at security, it’s always from the same fundamental and basic things that were highly preventable. There are always fancy zero-day attacks, zero-day threats, and super-capable nation-state attackers, but that’s not what most security actually is, or where the real problems are. With Duo, we’ve begun to help change the perception that security has to be so hopelessly complicated.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve their cybersecurity posture?
Hygiene. Since we focus on the wrong things like the “super-sexy attacks,” we end up in a situation where we basically fail at the fundamentals. We overlook the most basic things we should be doing, and we end up doing dentistry via root canal. There have been other organizations that have taken a stab at coming up with a very basic security program; for instance, CIS’ Critical Controls. But looking at the organization, do you have a security program? The quality of that stuff is pretty simple.
There’s actually a tweet from Alex Stamos (@alexstamos), former CISO of Facebook, where he summarizes pretty well all the things a company should do. It starts with reducing your attack scope by putting everything you need to protect behind single sign-on. Then comes defending that with systems like Duo to understand who your users are, making sure you have a full inventory of all the devices used in your environment and that they’re updated and safe, as well as awareness of what’s happening in your environment and the ability to audit that activity. Lastly, add some controls to understand what to do when things go wrong.
How is it that cybersecurity spending is increasing but breaches are still happening?
Most security products don’t actually protect organizations from the threats they face. In security, a vendor can make money by selling you a box that sits there and does nothing, and the vendor will say, “See? You’re more secure, nothing’s happening.” And the customer will say, “Well, jeez, nothing was happening before I bought this dumb box.” The reality is, security is a lemon market where people don’t or can’t understand the effectiveness of the tools and products they buy.
Breaches are definitely still happening, and they’re escalating because of the digital transformation of businesses—every organization is bringing their ecosystem into their world. Everybody has a lot more of their customers’ data than they ever did. That concentrated risk of data loss is something that’s driving it on one side. But on the other side, computing is getting much safer. The consumer IT products we use today are much safer than they ever were and much more capable.
Consider an iPhone. The iPhone is about the safest computing platform out there today. There is no antivirus market for the iPhone and there never will be; Apple makes sure of that. It’s kind of the “Holy Grail” of trusted computing. This exists now today not only for iOS devices, but Android devices and even Chromebooks. It’s amazing to me to think that the nation’s schoolkids are in safer computing environments than most businesses. Safer options do exist now, we just have to be able to recognize that and make better choices about what we use.
Another aspect is that security never kept up with the consumerization of IT. It used to be that almost all great technology was developed first by the government, then it would go to business, and finally it would get to consumers. Today, it’s exactly the opposite. My 8-year-old kid has an iPad before anyone at my office does, before the government allows them to be used. This inversion of control means that every user is basically a CIO, and if I don’t like your security program—and if I don’t want to jump through the corporate firewall and the corporate VPN to get to the corporate file server to share a file with a colleague—I’m just going to use Dropbox. Organizations have very little real ability to tell people what to do anymore. They have to design security IT workflows that people actually want to adopt.
The other piece driving this is that every enterprise today is an ecosystem. The Internet has not only hyper-connected all of us individually, but all of our business as well. You look at any modern organization and it’s an ecosystem of partners and contractors and vendors, and the degree of third-party risk for all of our organizations in a hyper-connected world is much greater than it used to be, and that’s why you see all these breaches happen that way. Someone gets hacked as sort of a second-order effect of another organization getting breached. That exposed attack surface of users and devices, and all the data applications that have left the four walls of your building, that’s been a wonderful thing for productivity and users in terms of a better experience, but I think security has just failed to keep up. Security still thinks it can enforce unnatural behaviors on people, and that’s just not possible anymore.
You used to have to put an agent on an endpoint in order to keep it from running the wrong software, but now all that stuff is evolving. There are app stores that prevent bad software from getting on my device. There’s a natural segmentation within the cloud: Salespeople can only go to Salesforce, HR people go to Workday. There’s no crossing of streams within a single shared environment anymore. Computing has gotten much safer, but insecurity today exists at the intersection of people and technology. Hackers have that figured out. Today, they don’t go after systems anymore; they go after people.
Do you need a college degree or certification to be a cybersecurity professional?
Hell no. What you’re trying to solve when designing security for people is the same thing as user experience design, in a manner of speaking. For a long time, people have said, “Security and usability are diametrically opposed.” Security is about saying “no,” and usability is about saying “yes.” I don’t think that’s true at all. If you’re really thinking from a design perspective, security and usability are both actually about the same thing: making sure only the right thing is happening. Until now, security folks never really had to think this much about users. When building a bridge in traditional engineering, you have to think about how to prevent things from failing. However, security engineering means thinking about how things can be made to fail. Increasingly today, security and design are about understanding how you defend against attackers who find ways that people can fail. It’s a more holistic sort of problem to solve with a broader set of solutions than just technology.
For instance, at Duo, I would say only 20% of our people have prior experience in security, and everybody else comes from a whole bunch of different backgrounds. Even outside of our security team, we have just as large a design team, and our design team also has user research as a function. This team is led by a former journalist, who actually spends their time conducting hundreds of user interviews so we can understand our users’ experiences living with security every day. We have to solve for their needs.
For instance, we handle most of the healthcare exchanges in the state of New York, covering hundreds of hospitals and clinics. We think about what doctors or clinicians have to deal with in the course of their daily work, dealing with federal E-Prescription requirements as they write prescriptions using technology. What are the issues? What are the incentives? What are the constraints keeping them from operating more safely? We have to design workflows for them that meet their needs.
That doesn’t require a college degree necessarily. In many cases, we’re doing things that aren’t taught traditionally in undergraduate programs. What we’re looking for are smart people who’ve learned how to learn and have the good kindergarten skills to work well with each other, and with our customers, so we can jointly solve for their needs. Ultimately, I think about security for organizations as a public health strategy. How do we ensure that we align user incentives to produce the right organizational outcomes? You can’t just tell people to stop smoking or eat healthy foods. You have to figure out how to build the right programs around the behaviors you want to see a population comply with, and they need to do it of their own accord. At Duo, we think of security as much more people-centric and people-focused when it comes to solving problems, and not strictly in terms of the technology. The technology has been there for many years; it just hasn’t been deployed because no one’s ever made it usable.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I’m not a good example, unfortunately, because I grew up in a very different time and age when we just didn’t have access to the things we needed to learn. You learned how to do things in an environment that you didn’t have legitimate access to. Today is very different; you have computers everywhere. The barriers are extremely low. In fact, both of my kids, a 12-year-old boy and an 8-year-old daughter, have their own Raspberry Pis. They both have been doing programming since they were very little, and not because I’m pushing them, but because their friends are programming and their schools are teaching them. I’m excited that the joy of creation in technology is becoming much more mainstream. It’s not just computers; it’s “making” as a culture. I’m happy to see science, technology, engineering, math, and also the arts intersecting much more from an early education perspective than they had before. I have great hope there will be many more folks who will have the skill sets and the mindsets for this kind of work in the future. Right now there is a labor gap in terms of these skills.
I got started by just messing around, and I think that’s how anybody learns anything, ever. You can sit there and have somebody tell you how to do something, but until you’ve had the joy and frustration of trying to do it on your own and make that progress yourself, you don’t really learn. For example, I love skateboarding as my primary hobby because, one, you have a super-strong feedback loop, and two, you can’t really fool anybody. You either are able to do something or you aren’t, and you figure it out quickly because concrete is pretty unforgiving. It’s also the kind of thing where you have no other choice but to maintain a beginner’s mindset, which is what you have to have in security, particularly. In other disciplines, you can master something over twenty years and then all of a sudden you know everything you need to know about a discipline. Security is just constantly evolving, and the landscape is shifting, because again, security is about how things can be made to fail. That’s why I think hobbies like hacking and skateboarding are similar, because no matter how much you know or how far you get, you’re just one pebble or one zero-day exploit away from falling on your face.
My suggestion to anyone looking to get into security is to find a community to join. For me, security wasn’t about just the subject matter alone. It was the socialization of that learning as part of a community and becoming friends. I had to find those friends and network online before the Internet with bulletin board systems (BBSs), X.25, etc. In this day and age, there are so many options, and that’s what’s so wonderful about the democratization of all this knowledge and access via the Internet. If you want to run an OS, you can download a free virtualization environment; download images for defunct operating systems; and learn the past, present, and future of everything you need to know, many times, completely for free, and often with other communities of interest. Having fun with it is how you get into it, in my opinion. It is a very wide industry, and there are many ways in which people can pivot from different existing careers or mindsets.
One of my favorite articles on this was from my friend Cory Scott, the CISO of LinkedIn. He contributed an interview to Decipher, an editorially-independent news site of Duo. He talks about the four categories of security minds that he likes to hire and includes folks that he basically describes as being actuaries, like accountants. In a certain respect, a lot of security is about getting the fundamentals right. How do you ensure proper hygiene? Folks who are used to building and reviewing checklists, or building reliable processes, can ensure organizational outcomes. There’s a wide variety of things to do in security, so there are many more paths into it than just what I was doing.
What is your specialty in cybersecurity? How can others gain expertise in your specialty?
I’m not sure I have a specialty, and I think that’s one of the fun things about security. No matter how much you learn, there’s always something more to get into. I’ve done everything from authentication and network protocol stuff to operating systems and application security; I’ve kind of done a little bit of everything. That’s the joy in it. I also enjoy being on the people side of it, too. It’s not only security design and usability stuff, but thinking about how innovation in security actually happens from open source communities and networks, to how security becomes or is introduced as a basic capability on every team, or how you create more successful and diverse security startups. My interests in security persist in ways that are not strictly technical anymore; it’s more about trying to contribute to the community that I grew up in that supported me, and now I, in turn, have an obligation to help support and pay it forward. I would like to see more diversity of opinions, thoughts, ideas, experiences, and people in this industry. That’s presently what my interest and focus is in.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
I don’t think success is very linear. Some people are born knowing exactly what they want to be in life and those people scare me. I have a friend who’s a public company CEO, and he said, “I knew I was going to be a public company CEO when I was eight,” and that’s… scary. I think there are many routes to the top, and it’s not just ladder-climbing. You can enter a field and find a profession and work your way up the levels; for some people, that works, but that’s not me. My interests growing up have been pretty broad—from skateboarding and graffiti to punk rock and hacking—but for me, it’s really the exploration. If you’re like me, you have the voracious appetite to experience the world from a bunch of different perspectives and incorporate that into your learning. Fundamentally, I just like to create, and I think that’s what creativity is. It’s not necessarily that you have some crazy, wild ideas no one’s ever seen before, but that you can draw from a background of many different ideas that you can combine. Many of my best ideas have simply been taking ideas from one domain and applying them to another.
For instance, Dr. Jose Nazario is a fellow I brought into Arbor Networks, a company I started back in 2000. We were trying to solve the Internet worm problem, where malware would infect a network and self-propagate and infect everyone else like the flu. Jose was a microbiologist with a PhD from Case Western Reserve University, and what better person to work on how you deal with digital pathogens than someone who’s actually modeled and thought about how you defend against real ones? We applied a bunch of epidemiological models and solved for the viral K-coefficient of infection and designed autonomous systems for quarantine.
Many lessons are drawn from the sciences and nature and liberal arts, showing us how to do different things in the field of technology. But you only realize that’s possible if you’ve been exposed to a lot of it. When I was at the University of Michigan, I studied computer science (CS), but I barely even went to those classes. What I really enjoyed was studying philosophy and liberal arts and honing my skills in graphic design, which turned out to be really useful later, especially when you’re starting a company and you need to do sales, engineering, product management, and marketing. It’s just useful to have a wide skill set. I think my path, and the paths that we’re trying to enable at Duo, is building a platform of opportunity for everyone and their careers, so long as they align with our mission as an organization.
It is kind of a path of rock climbing, not ladder climbing. You go sideways, you exercise different muscles. There are many paths to the top. We had an office manager who became one of our top-performing inside sales reps, who went on to become one of our top-performing recruiters, and now helps us throw corporate parties and then DJs them. Explore and try lots of things; there’s a very good chance you’ll find your way into some opportunity, and you can always pivot from there.
What qualities do you believe all highly successful cybersecurity professionals share?
There are many ways that people achieve success, and not all of them are good. In security, there’s probably more opportunity for folks to be successful without actually contributing very much. That’s not to say that the majority of the industry is bad; I just mean to say that sometimes incentives aren’t really there and people can get away with a lot. It can be discouraging to see the wrong things happen, or people being rewarded for less than the best behavior. Likewise, some security companies are creating problems as much as they’re solving them.
There’s one thing everyone at Duo has in common: We’re self-aware. We test this in our behavioral interviews. We’re looking for people who can step outside of themselves and not only understand the impact and effect they have on others, but also someone else’s point of view. That’s super important because, in security, you’re trying to solve for the ways in which technology fails, often because someone had a different mindset or didn’t have the same understanding. Empathy is our number one trait and condition at Duo, and that’s not just about caring for others (a lot of people care about others); it’s also about understanding their point of view. Because, at the end of the day, without fundamental understanding, we can’t really authentically and successfully solve for their challenges.
Secondly, you have to have a fundamental optimism about technology. In the service of solving these problems, you have to build more technology. The answer is not to get rid of all technology. Sometimes people think, “Well, if this stuff is so unsafe, we should just not use any of it.” I remember in 2006, a trojan turned some of the banks upside down in Brazil, and the American Bankers Association and executive arm of the FDIC said that no one should be using a computer that they use for email or the web for online banking, and that you need to use a separate device. That’s just a fail. We can’t have security nihilism where people are giving up on the problems. I see an industry that says, “Oh, it’s not a matter of if but when.” It breeds a fatalism about this stuff, where organizations and people say, “Well then, if we’re gonna be hacked anyways, what can I do about it? Nothing.” We’re left with making decisions from fear instead of actually understanding that in fact, systems can be made safe. Cars used to not have seatbelts, now they do. Computers used to not have security, now they do. There are things that you can do to make yourself safe, but you can’t give up on the problem.
Lastly, technology is actually a people business and a team sport. Nobody ever accomplishes anything in this industry alone, except offensively. You can be a very successful offensive hacker on your own, but even then, you’re standing on the shoulders of giants, leveraging what came before you. The best teams I see out there, and the thing that I find that is non-negotiable at Duo, all have this in common: good kindergarten skills. What are the three core values? To engineer the business, learn together, and be kinder than necessary. It’s about going out of our way to help each other be successful. At the end of the day, we win as a team or lose as a team, and nothing else matters. We have to work well together, and often shoulder-to-shoulder with our customers, in solving these problems. You can’t blame others for these problems. Your job is to solve them with them. All the time, I hear folks in the industry say, “Well, if it weren’t for these stupid users…” You see that kind of victim-blaming all the time. It’s not constructive, nor is it effective in helping move the industry forward. We have to be good partners.
That’s where I hate this notion of security gurus, or security rockstars. I think that stuff is just obnoxious. At Duo, we’re proud to be the roadies, not the rockstars; we’re proud to be mission control, not the astronauts. Our role is to protect and serve, and ultimately, our mission is to ensure the safety of their mission. We don’t exist in a vacuum; we exist in the context of helping others. As a purposeful organization, we prevent others from harm. Our mission as a company is to democratize security by making it easy and effective for all. You can only do that if you have the basic humility to understand how you have to operate to get that done with these folks.
There are many examples of other companies that have different values and approaches, and they’ve managed to be successful because they’re able to go drop in a box and say, “Give me your money please.” I hope all of that changes.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
One is The Checklist Manifesto by Atul Gawande. It’s basically an explanation of why it’s so important to get basics right and why checklists do matter. In our industry, there are a lot of folks saying compliance is just security by accountants, not real security. I think that’s wrong. Getting those basics right matters, and how you actually build operationally—the kind of discipline to make sure that the right things happen—is super important.
My second recommendation is also not about security but about the challenge of the hyper-connectedness of our systems and our world, and the kind of butterfly effect that arises from that: A Demon of Our Own Design by Richard Bookstaber. It’s actually about our financial collapse in the last decade, looking at the ways in which complex systems fail. A lot of it is simple. The warning lights, like at Three Mile Island, didn’t work, and then there’s a cascade of other lapses in controls that leads quite literally to a nuclear meltdown. If you’re looking for examples of how security fails, it’s helpful to look at other disciplines.
What is your favorite hacker movie?
Sneakers. I really like WarGames but Sneakers is by far the best hacker movie that ever existed. Everyone likes Hackers, but Sneakers was great. Duo made an edit of WarGames that basically summarized the entire movie in one minute. You can watch it on YouTube.
What are your favorite books for motivation, personal development, or enjoyment?
I actually called this out in Inc. Magazine, but I hate business books. I think most are just one idea spread out over 300 pages, super tedious, and not that interesting. One of the more inspiring books, for me, in terms of how I conduct my life and career is The Wu-Tang Manual by The RZA. I wrote about it on LinkedIn (there’s an article on my profile that you can check out), but I like the way that The RZA thought about how they created not only a rap dynasty, but also a platform of opportunity for everyone involved with the clan, while also considering where they did it—Staten Island (Shaolin). The notion is that being somewhere outside of all the hustle and hype can be a real strategic advantage. Everyone chasing after each other’s ideas and dollars sometimes doesn’t produce the best results. If you really wanna do something well creatively, you’ve gotta have the space to stretch out, and do that with people you really care about and respect.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Make sure you actually have an access point for your house that has a firewall. Some people think all they need is a passthrough bridge, but you should actually have a real access point with a real firewall so you can block things inbound. You can also use that access point to configure things like OpenDNS, which is useful as just a basic preliminary control.
Make safe choices about computing. Use a Chromebook or an iOS device or iPad. Use the cloud. I guarantee you that hundreds of Google’s security engineers are going to do a better job of protecting your email and storage in their cloud (Gmail and GDrive) than you ever will.
Pick and choose your battles. Thankfully, most of that is pretty easy to solve in the consumer context.
What is a life hack that you’d like to share?
This isn’t so much of a life hack as it is a principle, but it does have quite a bit of bearing on how I conduct myself. My dad was a Buddhist monk, and it’s quite a long story of how he got to working at a liquor store. He told me that reputation takes a lifetime to build, but it can go away in a second. The meaning of life, he said, is to live a life of meaning. What does that mean? A life of meaning is to have an impact and help others. At the end of the day, we’re not going to take it with us. No one has ambitions to die rich. What is the legacy that you’re going to leave behind? If you’re a good person and do right by others, the universe won’t let you starve. That’s how I conduct my life and career and the models of leadership that I have for myself, my company, and community.
I started something eight years ago called the Ann Arbor New Tech Meetup. It’s a startup showcase of five new companies presenting every month, so we’ve had hundreds of companies and thousands of founders. What makes this event great is not that you’ve met a lot of people, but that you’ve introduced a lot of people. Being useful is the greatest hack of all. People think of hacks as shortcuts, but I think of them as strategies. A good hack is an interesting strategy that people overlook, and sometimes the simplest things are standing right before us. I try to be useful and make sure that I’m doing the right things in life.
What is the biggest mistake you’ve ever made, and how did you recover from it?
Life is a series of intentional mistakes. You intend to do something else, but you know that there’s a very high probability of being wrong. At least in my life, I’ve never had a job that I’ve done before. Even at this job, every day, I’m just figuring out what my job should be. I think about my daily work, and everything that sits before me, as either having the potential to be a great success or a great failure. But as I like to say, we either win or we learn. The only real failure you have is to not reflect and learn. When people operate on autopilot and aren’t thoughtful about their actions and behaviors, and the impact it has on themselves or others, it’s a failure to learn.
This probably isn’t a single mistake, but it took a long time to learn: My success isn’t entirely my own. It does take a village, not just to raise a family or a child or a company, but even on my personal journey, I would need help along the way, and I’d have to ask for that. I think one of the hardest things to do in life is to know when or how or whom to ask for help. Over time, and also through the course of many relationships, being well-flanked by different perspectives has helped me realize who I can go to, and for what kind of advice, and then actually reach out to them. Sometimes I think people are too proud or don’t want to be embarrassed, but the most successful people I know in life (conventionally successful)—who have changed the world and had a huge impact—they’re also some of the most humble. They’ve always kept that beginner’s mindset and never really lost that. It’s like in skateboarding; you can go pretty far and think there are a few things you’ve gotten lucky by, but now you’ve done it all and know everything, and what else is there? I could just be parking myself on the beach right now. I think that’s a real danger, and that, to me, is death. For me, not learning and growing is just slowly dying in a very boring way.
It took time for me to learn how to be vulnerable in a professional context, but it allowed me to reach out and not be afraid or scared or embarrassed.