#1 Could you define the role of a security researcher?

I see researchers as people who have way more time than me to drive deep into the morass and try to make a living doing it. Their qualifications/value are varied.

#2 How do you [or your company] define a meaningful, useful tool?

Something that generates more value than the money it cost to buy, solves more issues than it causes, and requires only reasonable care and feeding.

#3 What are your technical needs at the moment? What kind of tools do you [or your company] would like to see.

That will vary from shop to shop but in my day job I need a “tool of tools”…something that will help me manage and get the full value out of the stuff I already have in place.

#4 What are your current limitation about this? How do you feel with existing tools.

I don’t think it exists right now. eIQNetworks is the closest I’ve seen but it’s still not fully there, IMHO.

#5 How do you feel with you daily job — Are you frustrated to waste time to do meaningless things because of your stupid colleagues or stupid tools?

Of course – that’s what CSIRT Managers do! :)

#6 Do you think Security Industry is a failure by default?

No. Too many folks assume that anytime the bad guys get any exploit to work the Security Industry has failed. If we used that same logic nobody would be interested in buying locks for doors…

The problem is not getting pwned – it’s what you do and how quickly you do it after getting pwned.

#7 What’s the kind of company do you [or your company] would like to deal with? For what kind of purposes ?

Tough question. In general I want to work with folks who don’t BS me, don’t waste my time, and are proud of their product. I want to work with people who want a conversation – not just a target for a interminable monologue.

I hope that helps.

CSO : — Please.
Consultant : — Thank-you sir, we are here today to present us our latest security products.
CSO : — Well, I don’t need any more security products, I have already plenty.
Consultant : — Allow me to show you a new kind of attacks (show some scary stuff).
CSO : Woah, this is scary, the bad guys are sure pretty good and coding horrors.
Consultant : — No, no, Sir. It’s a security tool developed by a security researcher ; he’s a white-hat you see ?
CSO : — oh that’s cool then.
Consultant : — Well, he gave his tools away on the internet so now the bad guys are using it.
CSO : — so what you are trying to telle me is that you are looking to sell me a tool to protect me from a bad guy that got his tool from a supposed good guy ?
Consultant : Yes, yes, sir. You see, it’s always like this ; bad guys don’t have to research anything, the good guys are making the breakthrough, they just have to wait for the tool being released.
CSO : But, but, why are they doing it ?
Consultant : For the fame and for the free planes tickets to various security meetings around the world. But if they weren’t do this, the bad guys would win.
CSO : — Oh, so the bad guys can code after all ?
Consultant : — We don’t know, the good-guys are making all the breakthrough so it’s quite hard to say…
CSO : — So what you are trying to sell me is a security tool that will protect me from bad guys using tools from good guys that used money from this kind of security tools sales for their research ?
Consultant : — Yes.
CSO : — Get out!

This conversation could’ve happened.

ps: I don’t think the security industry is a failure as a whole. However, I do think security community is.

ps2: of course nothing I’ve juste said is as simple as that. There are many shades of grey between success and failure.

#1 Could you define the role of a security researcher?

Someone who expands the limits of knowledge for him or herself, their team, and the industry. Like you! ;-)

#2 How do you [or your company] define a meaningful, useful tool?

Something that opens up an entirely new vista (no pun intended) for information discovery…much like SandMan. Sorry, but that’s a great example…just as Volatility is, as well.

#3 What are your technical needs at the moment? What kind of tools do you [or your company] would like to see.

In some ways, the list is far too expansive. However, as I really think about priority needs at this point, my primary need isn’t a tool, but instead a process or method whereby I can engage customers *before* they have an incident and help them prepare, and train them to react appropriately when an incident does occur.

As far as a tool, though…I’d suggest that an alternate means (besides EnCase) for searching an acquired image for credit card data (and possibly other sensitive data) quickly and accurately (enough so to reduce false positives) would be very helpful to anyone performing PCI work.

#4 What are your current limitation about this? How do you feel with existing tools.

With respect to the PCI tool, that’s probably best left to another forum.

#5 How do you feel with you daily job — Are you frustrated to waste time to do meaningless things because of your stupid colleagues or stupid tools?

In some ways, yes. But in some capacity, it’s not because of the tool or colleagues, as much as it is business models. Our business model, for example, restricts us from training our staff so that everyone has and shares knowledge. Our customer’s business models prevent them from reacting appropriately to an incident, thereby limiting what we can do once we’re on-site.

#6 Do you think Security Industry is a failure by default?

As a whole, no. With respect to reactive incident response, from a customer needs perspective, no…but from an industry perspective and what’s really THE RIGHT THING for customers, yes. The industry is many times driven by the wrong forces…for example, sales. A customer calls and has no real knowledge of what they need, so sales will sell them just about anything…b/c all sales cares about is the signature and the commission. The customer only wants a reactive service, which is good for sales and can be leveraged to develop a relationship, but often it isn’t…the potential for the relationship is soured due to the inability of the responders to answer all of the questions, not due to any lacking in their ability, but due to the lack of available and viable data.

#7 What’s the kind of company do you [or your company] would like to deal with? For what kind of purposes ?

Depends on what you mean by “deal with”. From a customer and from an employment perspective, some of the things I look for and would like to see are similar…the need/desire for a technical lead to provide expert advisory services, training to staff, as well as conducting research and development. From a customer perspective, I’d like to work with an organization to help them prepare for incidents, because *they* recognize that doing so is much less expensive than dealing with an incident after it’s already happened.