Gerhard Eschelbeck, Google’s vice president of security engineering, details at the RSA Conference how his company does security at scale.
SAN FRANCISCO—Gerhard Eschelbeck, vice president of security engineering at Google, has one of the toughest jobs in IT security: He has to keep Google secure.
In a session at the RSA Conference here March 1 titled “My Life as Chief Security Officer at Google,” Eschelbeck gave attendees insight into how he spends his days working and his nights worrying about IT security.

“Delivering at our scale and securing at scale is a very interesting challenge,” Eschelbeck said. “We all have to assume we’re always under attack. That’s not news, but what really matters is how we react, how we respond and take action.”

Given that scale, Eschelbeck noted that not only is it important to see the forest for the trees, but also the trees for the forest. That is, while Google scrutinizes individual processes and platforms, it also has to be aware of the big picture of the entire environment.

With that context in mind, Eschelbeck said that his days are very full, typically beginning at 7 a.m. in the office.
A typical day is largely consumed by anywhere from nine to 15 meetings of different sorts with his direct team as well as other leaders from across Google’s business.
Beyond the usual meetings, Eschelbeck has a weekly “brown bag” lunch with his team to have a more informal discussion of issues.
At last week’s brown bag meeting, he met with the Google Safe Browsing team to talk about what Google needs to do in 2016 to stay ahead of threats.
In addition to all the meetings, Eschelbeck typically finds time in his day to talk to his own management, as well as look at engineering projects in development.

That said, when it comes to working in security, the reality is that there are a lot of non-typical days, he said.

A recent example was when Google discovered the glibc vulnerability, which was a risk to Google’s platform.
After the discovery, Eschelbeck and his team spent their days looking at all the different variants and potential risks, as well as exploit vectors.
Then, wide-scale remediation across Google’s infrastructure took place.
It was a proud moment for Eschelbeck, he said, when he realized at the end of the day that all of Google was patched and protected, and in relatively short order.

Night Worries

“Every day finishes with a night, and there are things that keep me awake at night,” Eschelbeck said. “One thing that worries me is the supply chain.”

Given the myriad vendors and components that are often involved in producing modern technology, Eschelbeck worries about all the components being properly validated so that everyone is safe and secure and so that no single weak link will lead to disaster.

Another area that worries him is how small businesses and those without security teams deal with the modern threat landscape.

“How do they survive without having the scale of security like Google?” he said. “I believe cloud has some of the answers for this question, but not all of them.”

Google has a security team of approximately 600 people worldwide, with half in engineering-related roles and the other half split between security review and operations, according to Eschelbeck.

“The single biggest constraint on the team is our capacity to hire. It’s a big challenge that we as an industry are facing,” he said.

While staffing does worry Eschelbeck, the Google security team has processes in place to minimize that challenge, with automation being the primary solution.

“What the security team does is whenever it identifies a pattern, it builds a tool, so in the future you don’t have to have a human involved,” Eschelbeck said. “So it’s essentially constantly trying to automate yourself out of a job, and that has helped us to scale up the security organization.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.
Follow him on Twitter @TechJournalist.