The Honeynet Project is a 501(c)3 non-profit security research organization dedicated to investigating the latest attacks and developing open-source security tools to improve internet security.Board of Directors 2018-Present, Member 2001-Present

Providing expertise and leadership in a variety of Information Security topics including research and development, prototyping and developing new products and services, vulnerability research, software development, threat hunting, penetration testing, reverse engineering, and alternative analysis. Select contracts:Mellanox (now NVIDIA)Co-developed a virtual machine introspection prototype that, after rapidly acquiring physical memory, made possible the detection of security events on virtualized operating systems without any software running on the virtual systems (written in C and Python), running on a programmable NIC (Patent 10802982). Bloomberg CIRTDeveloped a custom-built flow-based anomaly detection system (written in C and Python), applying statistical and data science methods for identifying hosts requiring further investigation – a project funded by Bloomberg’s CISO.

Accountable for global threat research and thought leadership efforts. Grew external researcher community interaction through collaboration with six additional companies and collaborated on threat hunting and combatting brand abuse, cryptocurrency, and other types of scams. Global SME for decision making and communicating with the public for Marketing, PR, and operational security teams.Represented the company to journalists, members of government, and industry analysts. Co-led work on mobile vaccine passports that informed millions of people worldwide of their shortcomings while simultaneously reverse engineering passports from Canada and proving they could be falsified.

Studied privileged insider cryptocurrency mining and authored a whitepaper on shadow mining. Researched multiple problem domains for expanding detection capabilities including Industrial Control Systems (ICS) and container and container orchestration attacks. Gathered customer data and authored measurement studies to identify and predict trends. Co-developed Zoom detection capabilities (in Python) as pandemic-driven remote work emerged. Co-developed an agnostic mechanism to identify attempts to extract windows credentials from memory and identify LSASS attacks. Built Exabeam’s automated detection lab for gathering various telemetry and developing new detection content.As technical lead of the research team mentored other researchers helping them approach research into electronic health records and financial systems. Also mentored many detection content developers and customer success team members through an informal program that led to authoring a formal detection triage program. As a thought leader helped shape the research roadmap, provided security expertise to Exabeam's data science, marketing, and PR teams and gave media interviews. Received the most valuable Exabeamer award for Q1 2020.

Integrated Phantom into Symantec’s Splunk environment by developing custom playbooks in Python. Developed automation tools to manage accounts for 200 internal AWS customers and supported peers to bring AWS security and network logs into Symantec’s Splunk infrastructure.

Subject matter expert for developing SMB and DCERPC detection capabilities in concert with platform engineering and data science teams – research further leveraged to develop ransomware detection ML models. Principal researcher and subject matter expert focused on improving outbound (D)DoS, outbound Spam, and DGA detection ML models and unique host identification heuristics. Gathered and analyzed data to develop Vectra’s 2014 Post Breach Industry Report and 2016 Post Intrusion Report in collaboration with the company’s marketing team. Co-led outbound efforts to assist customers in understanding and contextualize Vectra’s ML detections – work that directly led to Vectra closing its second largest deal in 2015.

Following a reorganization to reengineer the entire product, co-created the APIs that enabled writing log-based detection content including asynchronous I/O, parsing, enriching log data, measuring performance and extensively documented them. Additionally, co-led the effort to productize the reimagined product including continuous integration, packaging, and operating system automation. Developed log-based detection content based on analyzing malware campaigns and attack tools.

Business owner of Trustwave’s managed security services (MSS) defining product vision over 24 months enabling 148% growth over the previous 12 months.

Developed threat hunting tools using C, Python, Java, Hadoop, and PostgreSQL operating on sampled network flow data with an ingestion rate exceeding 12 terabytes/day. Additionally, regularly briefed Verizon’s CISO and investigated significant security incidents.

Originally accountable for software testing of Arbor's Peakflow X platform and building testing tools, went on to found Arbor’s Security Engineering and Response Team (ASERT) and co-create Arbor’s threat intelligence service (ATLAS). Additionally, developed dozens of behavioral security policies, trained key customers to defend against burgeoning threats, and honed a growing software engineering skillset in writing kernel and user space code.

Developed network-based detection capabilities based on vulnerability research.

Worked with startups, primarily Sourcefire, as a software developer and technical expert during due diligence meetings with key SF Bay Area customers.

Investigated security incidents as the final escalation point, developed enterprise-wide intrusion detection and log-based detection capabilities, and evaluated third-party security products.

Consulted on pen tests and vulnerability assessments and developed internal tools. Additionally, one of a select group of consultants who led long-term customer funded research projects; co-discovered the vulnerability in CVE-2001-0895.

Developed vulnerability scanner and intrusion detection signatures and developed the company’s hardware platform and operating system customization.

As a contractor to Motorola, Inc.: accountable for developing tools to automate patching dozens of commercial Unix systems running AIX, Solaris, and HP-UX in preparation for Y2K using Perl and ExpectAs a contractor to Encyclopedia Britannica managed commercial Unix systems and helped replaced aging infrastructure.

Developed a web front-end for Arizona State's problem management and change control systems built upon Remedy and Sybase (Perl, C and shell scripts).

Managed commercial Unix systems

Accountable for software testing.