Vinnie Liu Has a Mission: Keeping People Safe Online and Offline – DARKReading

Posted: January 9, 2022 at 3:57 pm

Vinnie Liu was only 17 years old when he landed his first job at the National Security Agency (NSA). The year was 1999, and he worked on signals intelligence gathering.

It was a formidable but typical start for Liu, now Bishop Fox CEO and co-founder. The NSA was looking for promising high school graduates with proven fluency in hacking and programming languages. Liu, then an incoming computer science major with a psychology minor at the University of Pennsylvania, spent two years commuting from Philadelphia to the NSA satellite office in Baltimore. His first year was focused on red-team hacking and the second on specialized tool development.

"Working at the NSA really opened my eyes into how deep you can get, into how deep this rabbit hole can go," Liu says. "I had grown up with bulletin-board systems on the Internet. Cybersecurity wasn't even a term people used."

That's about all he will say about his work at the NSA, except that it involved nation-state actors. But the experience left a lasting imprint.

"It gave me a huge sense of being mission-driven," Liu says. "We're missionaries, not mercenaries. Our mission, fundamentally, is to keep people safe both online and offline."

That mission ultimately manifested itself as Bishop Fox, an offensive security firm whose team of hackers pretend to be villains. In other words, they try every possible way to penetrate a client's security defenses, including adversary simulations and purple teaming (red teaming and advising the client's blue team at the same time).

But for all the criminal cunning that Bishop Fox staff need to employ, Liu thinks of the company's work in medical terms. Bishop Fox, he says, is "the doctor's doctor."

"There are so many similarities between good health practice and security," he tells Dark Reading. "You don't just prescribe pills and that's it. You don't eat healthy and exercise once and that's it."

This approach is a view into the two personal qualities underlying Liu's success: his sense of purpose (missionaries, not mercenaries) and his palpable scorn for complacency. Liu's brand of optimism is hard, even austere.

"People in the industry have too pessimistic a view," he says. "I don't even like the joke, 'It's not if you get hacked, but when.' Our whole philosophy is defending forward."

Career Path

Like many successful tech firms, Bishop Fox has humble origins: the living room of a bachelor pad.

Liu had graduated from Penn in 2003, having focused on network security and adaptive intrusion detection services. He then joined Ernst & Young as a security consultant, performing penetration testing for Fortune 500 clients. Liu calls Ernst & Young's Advanced Security Center "a kind of NSA for the private sector."

Working with Liu at Ernst & Young was Francis Brown, now on Bishop Fox's board. Brown and Liu had lived on the same hall as freshmen at Penn, and both studied computer science. They were the only first-year students in their program who did not drop out within the year, Liu says. The two friends lived as housemates in Arizona, where "as long as we could afford pizza and Internet, we were good to go."

Honeywell would eventually poach both men from Ernst & Young; Liu would lead Honeywell's global penetration testing team, plus the teams of Honeywell's various subsidiaries. The chance to build up Honeywell's team was an exciting prospect, but it turned out to be a limited opportunity: Once the team was built, the slower pace of work left Liu (and Brown) restless. Liu had outgrown the role; by 2005 he was speaking at conferences like Black Hat on how to bypass anti-forensic tools, a skill he had been developing since his teens. Both Liu and Brown started moonlighting as independent security professionals.

Then one day, in 2006, Liu, Brown, and a third contributor sat in the living room and toyed with the idea of launching a security services startup.

"We said, 'Why not?'" Liu remembers. "We were really enjoying this."

"From 2006 to 2009, we were a lifestyle company," says Liu, referring to the fact that the company was still kind of a hobby for them. In 2009 they switched to a professional mindset, and Bishop Fox was born. Liu and his partners set about recruiting the best talent they could find and attracting bigger and bigger-name clients. Their revenue rose, despite launching during the Great Recession.

It was also the Titan Rain era, when a string of attacks believed to be the work of Chinese state-sponsored actors compromised a number of government agencies in the United States and United Kingdom, and companies and government agencies were beginning to realize how vulnerable they really were. Binary analysis and incident-response forensics were suddenly in high demand. Liu was one of only a few hundred people in the United States who had any experience with both of these functions, and most of his peers had only worked with disk forensics.

"We sucked at it back then!" he laughs. "Everyone did. We were playing catch-up with the people writing the viruses."

Fast-Forward to Now

These days Bishop Fox offers various assessment tests, including the comprehensive 4+1 methodology, in which several assessments and simulations are built around a central tabletop exercise. But all of the company's services involve continuous work with a client's developers, architects, and teams, rather than the waterfall style of performing one test here and another test there. Sometimes an assessment alone can take two months to complete.

"This is not a 'let me just kick the tires' kind of scan," Liu says. "We look at code. We look at business logic issues. We like to find the hard problems, we always exploit, and we're going to chase it down all the way."

Liu doesn't let clients rest on their brand-new tools or infrastructure either. "You've got to get the basics right," he says. "We teach them how to take a punch and keep going."

Twelve years later, the threats have grown, attackers have become more sophisticated, and defenders are changing how they approach security. Liu has observed security teams shift away from compliance-based security and toward ongoing, developmental security operations.

What does that mean for Bishop Fox?

"We've been very discreet," says Liu. "I think it's time to come out of our shell. We've done good work with big-name clients. It's time to go out into the world and talk, to bring good work to more people."

The landscape may have changed, but Liu's mission hasn't: keeping people safe, online and off.

PERSONALITY BYTES

What is Vinnie Liu's greatest success? "This sounds terrible, but I'm really proud of the people who have come through Bishop Fox. Some of our alumni have become CISOs at publicly traded companies. Recruiters will just hang up if they hear you work at Bishop Fox [because they know how hard it is to hire people away]."

One thing his colleagues would never guess about him? "I dance goofy, I sing loudly, roll on the ground, make faces. I'll do anything to make my kids laugh and smile."

His dream job if he worked in a different industry? "Definitely something where I make things with my hands: food for people, construction, etc."

Favorite thing to do in his spare time? "My pandemic skill has been failing to grow things in my garden. The universe has somehow blighted the 32 square feet of backyard where my garden lies."

Favorite book? "I'm a huge sci-fi/fantasy book nerd. The more space battles, wizards, and aliens, the better."
