Daniel Cid Interview – Defending 250,000 Websites From Hackers Every Month
Daniel Cid has spent well over a decade securing people’s websites, so they don’t have to. The Founder/CTO of Sucuri specializes in intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.
He’s known for creating the free, open-source OSSEC HIDS (host-based intrusion detection system) and founding Sucuri. He’s also the co-writer of the Host-Based Intrusion Detection book.
Here’s Why You Should Listen to Daniel:
- Sucuri defends against 33M+ monthly attacks.
- Protects 250k+ of his clients’ websites per month.
- He’s fixed several security holes for IncomeDiary and monitors our sites.
What are the most common rookie mistakes website owners make when it comes to keeping their sites secure?
The most common mistake is that they underestimate their risk and the importance of security. In fact, security is the last thing on their mind when pushing a new site live.
We hear this all the time:
“Why would anyone try to hack me?”
“That would never happen to me.”
This lack of appreciation and understanding of their risk when they put something online leads to bad security practices that only change when they actually get hacked or attacked in some way.
Before we used Sucuri, some of our sites had a lot of downtime due to viruses/malware/hackers etc. Then we got Sucuri and it stopped happening. What is it that Sucuri does that works so well, that other software and plugins don’t do?
Security is the core of what we do as a business. We think, live, and breathe it daily. When you pour that much energy into any one thing you have the opportunity to identify and address a number of problems.
We invest heavily in security; this includes hiring some of the brightest minds around the world to build out our research, response and remediation teams. We’re united in the one ideal that website owners should be able to operate online safely against those trying to destroy what they’ve built. This level of focus allows us to stay ahead of the threats. It’s the devotion to being the best at website security that is our biggest differentiator, and in my opinion what makes us so effective.
We are a company owned and operated by security professionals first and foremost, not by marketing, sales or even developers. This keeps us true to our values and ensures that everything we build is addressing a real website security problem.
Your company is a leader in website security. When people are told they can’t do something, they want to do it even more. How often do hackers take on the challenge of taking your site down and what measures do you have in place to prevent it?
We are attacked very often and I won’t go into technical details around what we do to protect ourselves.
However, I can talk about our thought process when thinking about security: it comes down to keeping things simple. Complexity is security’s worst enemy; complex things break in complex ways. We always break our systems down into simple, manageable solutions that are isolated and work independently (a concept known as Functional Isolation).
We also operate under these assumptions:
- That someone else is reading our emails.
- That our private content will be shared publicly someday.
- That our data will be lost.
- That our servers will be compromised.
- That our software has security bugs that we do not know about, yet.
- That someone is trying to hack us right now.
- That someone, smarter than us, is trying to hack us.
It may sound paranoid, but it guides our security decisions.
Once you think about them, you will understand why we encrypt and back up our data. Why we remove old content that is not in use anymore. Why we use multiple layers of security (Defense in Depth). Why we use a WAF to protect our sites. Why we monitor our logs. Why we restrict our employees’ access to internal systems. Why we set up honey traps for attackers. Why none of our servers talk to each other. Why we use multiple hosting providers. The biggest thing we do is place security first before convenience; it’s often the very opposite for most organizations: convenience often trumps security.
It is all about reducing our risk and increasing the chances of us detecting and blocking an attack before it can do any damage.
Most of the time sites go offline it’s because they have been hacked. Every second your website is offline, it’s losing money. What is the very first thing you should do to get your site back online if this happens?
Breathe. Calm yourself down. Don’t panic or do something crazy.
Once you’re calm, it’s amazing how much clearer things become. I honestly recommend talking to an expert in the security field to help you out. My company, Sucuri, focuses on website remediation and cleanup, but there are other people that can help as well. Unless you are a hard-core developer or a security professional, do not try to do it yourself. This isn’t meant to be a shameless plug, but the reality. Security, contrary to popular belief, is not a Do It Yourself (DIY) project; we have to learn to leverage professionals in their respective fields, there is a reason they exist.
A business owner wants nothing to do with their security issues; they want to focus on running their business. A website that is infected can cost you a lot, a website that stays infected or continues to get reinfected can be catastrophic.
Brazilian Jiu Jitsu with some of the team at the Sucuri 2014 Team Meeting. Exercising the mind & body.
Time machines are real, you travel 5 years into the future. What new website security problems do you see happening?
The core security problems will still be the same: Someone will still be trying to hack you, profit from your work or take you down.
That has been the constant for years and won’t change. What also won’t change is that the bad guys will keep trying to exploit the easiest path. If your application is secure against SQL injection (SQLi), they will move on to Cross Site Scripting (XSS). Once the website is safe from XSS vulnerabilities, they will move to brute forcing or phishing. If all that fails, they may try to take you down via a Distributed Denial of Service (DDoS).
You use live chat on your site. So do we. How has it affected sales and support? Does it provide a positive return on investment?
One of our big focuses these days is trying to humanize security. How can we humanize if we don’t have real people engaging directly with website owners? That’s where things like chat and phone come into play. It provides a mechanism for our new and existing clients to engage with us.
It also allows us to touch and hear directly from our clients, in the moment they are the most vulnerable: hacked, infected or under attack. That gives them assurance that we are here for them and working on a solution. And it also allows us to listen to their needs and make sure we are addressing their needs.
What has been your biggest setback and what did you learn from it?
So many setbacks, that it is hard to pick one.
In fact, I think that running a business is like a rollercoaster; it has many ups and downs. You have to keep going though, you can’t allow yourself to be distracted from your focus. Some clients will be upset some days, sometimes most days. It’s hard to ignore the squeaky wheel.
Employees will mess things up; growing pains are a natural piece of the puzzle. Yes, your servers will crash; your networks will get congested. You’ll likely underestimate the impact of social media, and its impacts; all of a sudden everyone has an opinion. Remember though, the fact that you have these problems is a good thing; I’d be more concerned if you didn’t.
The key to all of this, though, is to continue to learn and push your own boundaries. Improve and don’t allow yourself to make the same mistakes over and over. Repeated mistakes will kill your company.
Sucuri is one of the most important services we rely on. What are the 3 most important services & tools that your business relies on?
We are a remote and distributed company, with employees in over 19 countries; communication and tracking services are the ones we rely on the most. I would say HipChat, Bitbucket and Jira are the three most critical for us in our day to day operations.
What advice would you give to other developers thinking about creating their own SaaS business?
You have to be able to solve at least one problem that your users (clients) are having. People will buy from you to get that problem solved. That’s how we started. People needed to get their site cleaned from malware and that’s all we did. That allowed us to learn our customers and their needs, before expanding our services and offerings.
If you try to do too much to start at once, you will likely not do any of them well. It is better to start with a bicycle, than with half of a car that won’t start.
What’s the best advice you have ever been given?
Never stop learning. Work Hard. Do more than what is expected from you. Persist.
Thanks a lot for the brilliant insights Daniel…
If your website gets hacked, it will cost you a lot more than Sucuri will. Time, energy, and emotions are expended when your websites are compromised; we’re not just talking about finances. Great security means more profits and peace of mind.