Build Beyond: Security at the Forefront

A conversation with Deputy CISO of Mysten Labs Christian Thompson on developing the best defenses for a blockchain ecosystem

Build Beyond: Security at the Forefront

Last week we sat down with Christian Thompson, Deputy CISO at Mysten Labs, to get his insights and comments on the interconnected nature of security practices and his observations about Sui’s security practices for developers.

What are the responsibilities of a tech company CISO?

CISOs, or Chief Information Security Officers, have a wide range of responsibilities that play a crucial role in keeping our digital environment secure. One of their key tasks is threat intelligence. This involves delving into the minds of potential attackers: who they are, why they might target us, when they could strike, what's driving their actions, and how skilled they are in their methods.

By gaining a clear picture of our potential adversaries and understanding their capabilities, we can take proactive steps to safeguard our systems. Think of it like a puzzle—if we know who the puzzle players are and how they operate, we can fit the pieces together more effectively. For example, we can align their known tactics with the areas of our systems that could be most vulnerable to their approaches. It's like setting up a defense system that's primed to raise the alarm if anyone tries to breach our digital boundaries.

And just like how an alarm system alerts us when someone tries to break into our home, this defensive setup gives us real-time alerts if there's any suspicious activity. This means we can swiftly respond to potential threats and take appropriate actions to neutralize them.

The areas of concern encompass a wide range of areas including, cybersecurity, data management, risks in various areas, architecture, compliance, governance, resiliency, and reporting.

Part of a CISO’s role extends to safeguarding the internal team. We dedicate substantial efforts to grasp the risk profiles of our team members. These profiles can undergo substantial changes, especially when team members travel to regions prone to violence or other concerning issues.

How do security concerns change when you think about an L1 blockchain like Sui?

A multitude of functions and services must be combined to create a cohesive defensive strategy for a blockchain like Sui. The strategy must hone in on areas identified as vulnerable. But it doesn't stop there—the Sui community has a vested interest in safeguarding the entire ecosystem, which includes both the network and developers building on the Sui platform. Excelling in security is a costly and challenging endeavor, particularly for fledgling companies. To address this, the Sui Foundation is developing a product that extends security measures to the larger ecosystem. Essentially, the Sui Foundation will provide smaller companies access to security tools and services typically only available to larger organizations. This empowers them to build in a safer environment, boosting confidence among end-users and regulators alike. The goal is to ensure that when people build on Sui, they're doing so in a manner that's not only effective but secure.

What tools and services are used as part of the process of maintaining a secure blockchain?

Here is a look at the kinds of services and tooling that captures the essence of what I currently regard as an adept security team. These elements represent the diverse array of services integral to establishing a robust security framework. It's important to recognize that the true efficacy lies not merely in the individual presence of each service, but rather in the intricate interplay between them. This involves understanding their interconnectedness, the sequencing of their implementation, and the synergies they create.

For each of these delineated services (the discrete items listed on the chart), the Sui network leverages specific tools or relies on service providers to deploy them. The Sui Foundation intends to package these components in a manner that offers meaningful utility to any enterprise seeking to adopt them. Hence, the segmented compartments in the illustration symbolize well-structured repositories awaiting exploration by entities in pursuit of a fortified security posture.

There are so many elements in that diagram. Are they all equal and intertwined? Or is there a prioritization mechanism?

Certainly, there's a thoughtful rationale behind the diagram. It's like starting from square one and figuring out what requires immediate attention—the fundamental building blocks of security, if you will. Think of it as a foundational security toolkit. This toolkit might encompass what we call 'brand defense,' which entails having a pulse on any harm that could impact a company's reputation. It involves gathering intelligence to monitor and mitigate any negative brand effects. Additionally, a key part is 'integrity,' which means having the capability to probe into and address elements that might be tarnishing the brand.

Now, a toolkit wouldn't be one-size-fits-all. Different organizations might need distinct toolkits tailored to their unique purposes. Let's say a company is heavily involved in coding—they might prioritize developing a 'vulnerability capability.' This involves closely examining their systems for potential bugs and conducting tasks like 'fuzzing' to stress-test their code. On the other hand, consider a DeFi company versus a gaming company. A DeFi company might lean towards toolkits that focus on regulatory risk, governance, and compliance. In contrast, a gaming company might have a more concentrated interest in operations, intelligence, and a specific level of security engineering.

In essence, the diagram encapsulates the notion of catering security strategies to the distinct personalities and priorities of different types of companies.

Is that how companies think about security generally, “Here's all the risks I have, how do I mitigate them”? Is that the starting point or is there another lens?

That’s exactly right.

Kits seem like a key way of keeping a whole blockchain ecosystem secure. Given the whole point of a public blockchain is that it's decentralized and permissionless, how do you think about keeping a network secure, even though technically anyone can access and participate in it?

Absolutely, the concept of a toolkit plays a pivotal role in upholding the security of an entire ecosystem. The beauty of a public blockchain lies in its decentralized and permissionless nature, which brings in a multitude of eyes to scrutinize its various aspects. The crux here involves two key factors: building the necessary tools and capabilities, and fostering education.

Consider this: people within an ecosystem need to not only understand what's happening but also be aware of the available tools and how to effectively utilize them. It's worth noting that many factors influencing the ecosystem extend beyond the blockchain itself. Elements like social media chatter, fear, uncertainty, and doubt (FUD), and potential scams can have an impact. This underlines the significance of comprehensive awareness.

A crucial third aspect is the exchange of information within a community. When individuals can communicate and collaborate, they enhance their collective knowledge base. So, it's a three-pronged approach. Education empowers with knowledge, information empowers with actionable insights, and the tools empower with the means to take action. This combination provides the community with the capability to not just understand but actively influence the various dynamics at play.

How does the Sui ecosystem currently communicate?

Sui's ecosystem communication is multifaceted. The recent Validator Summit provided a valuable platform for individuals to forge connections and exchange insights. The same principle applies to the Builder Houses initiative. Additionally, I understand that the Sui Foundation is planning to publish a series of papers focusing on Sui's security aspects in the near future.

Communication channels span platforms like Discord and Telegram, fostering interaction among validators, node operators, and other stakeholders. These forums not only heighten awareness but also expand organically as time progresses, creating an evolving hub for discussions and knowledge-sharing.

Move was designed to be inherently more secure than other blockchain programming languages. How does that impact the way security is handled on Sui?

There's no doubt that Move is more secure than some of the other programming languages out there. I would say on top of that, much of the team that initially worked on Sui is security focused. So it isn't just the language, it's also how the various components of Sui are constructed that make it more resilient, more difficult to exploit. That is not to say that the business of security isn't full of very smart people on the other side too. And given enough reward, they will work very hard to find exploits. So it is important for experts to understand who, what, when, why, and where that is going to happen. That's the focus.

How should news of exploits elsewhere in Web3 impact the work being done for Sui?

Regrettably, when incidents of exploitation occur within the Web3 realm, it's undoubtedly concerning. However, these situations also serve as valuable learning experiences. They prompt security professionals to delve into the mechanics behind the exploit—the 'how,' 'what,’ ‘when,' 'who,' and 'why.' Such insights provide an additional layer of insight into the broader landscape.

The Sui Foundation team has dedicated a significant portion of their security resources to understanding the identities and capabilities of these threat actors, focusing on deciphering their preferred attack vectors and motivations.

These exploits carry two distinct takeaways. Firstly, there's a sense of unfortunate empathy for those affected, as these occurrences impact real people. Secondly, there’s an opportunity to enhance Sui’s strategies. These incidents are lessons, allowing Sui to hone and fortify its positions to safeguard against similar risks.

What do you see in the future for security in Web3?

We're truly standing at the threshold of a new era, one that's marked by the emergence of Web3 and the remarkable technologies it ushers in—artificial intelligence, machine learning, augmented reality, virtual reality, and the like. What excites me about this is the incredible potential it holds. We're on the cusp of experiencing incredibly immersive interfaces and accessing information in ways that were previously unimaginable, all at an unprecedented pace.

This transformation extends to the realm of security as well. Imagine having an artificial intelligence partner that comprehends the moves of our potential threats, possibly even an AI versus AI scenario. This is the direction we're headed towards, no doubt about it. And I would expect Sui to be at the forefront of these advancements.