Monday, June 16, 2008

Welcome to Greg Hoglund's new Blog

Welcome to my new blog, Fast Horizon. I have retired my old blog on rootkit.com and opened up shop here at blogger. I am the CEO of HBGary, Inc. (http://www.hbgary.com/) – a new company in the computer security industry. We released our first product this year (Responder, www.hbgary.com/responder_pro.html). HBGary is actually about five years old, but until now we have been a services company working primarily for the U.S. Dept. of Defense and Intelligence Community. I am excited to be part of the shift toward product development. This is my third startup. I am the author of three books and have been educating people about security threats – especially rootkits – for almost 10 years. I have a great foresight for trends – thinking of ideas about 5 years too soon for the market - and an almost cynical edge to my observations. Most people know me as a hacker, but in truth I probably know more about business and product development than hacking at this point. All of my startups have been in software development. I have probably experienced every management nightmare that can be listed, and dealt with it. I like to take big bites - so HBGary is tackling the biggest threat in computer security today – malware. Unlike most companies however, we aren’t selling snake-oil. Instead, our philosophy is that it’s IMPOSSIBLE to keep the bad guys out. The billions of dollars spent on security since the millennium has been a complete waste. Instead, we assume the bad guys will succeed – and it’s our job to catch them once they get in.

I could describe our solution as a platform for analyzing physical memory. You see, if there truly is a cyberspace in the Enterprise, it’s represented by the ones and zeroes in physical RAM.

There are only three kinds of data in the enterprise:
- Data at rest, on hard drives
- Data in motion, over the network
- Data in execution, in RAM

For any data to be used, it has to exist in RAM. Everything that matters must exist in RAM. By being in RAM, you are the center of the universe. Yet for all its power, until now nobody has a platform to analyze RAM. There are host-based IDS products, and AV, but all of these depend on the OS to query things about the OS – age old rootkit problem. The system is subverted and it’s game over. Our solution steps aside the OS and analyzes the physical RAM snapshot –offline-, thus avoiding any malware trickery.

There is a high barrier to entry to this work. We open the RAM, look inside, and extract objects. We reverse engineered every version and service pack of Microsoft Windows to be able to do this. We can find every process, every driver, and every line of assembly code of every software component. And, we do it without using the operating system – we do it without executing the environment we analyze.

In my grand vision we will build a picture of the true enterprise cyberspace. We have radical new technologies, like Digital DNA, that can be used to identify fragments of documents, strains of malware, intellectual property, fingerprints of email attachments, etc. Although we are tackling malware, our platform is generic and could be used for many other markets (IP asset tracking, E-Discovery, etc). As a company, we couldn’t ask to be in a better place in a market. We are set to explode.