Chris Jordan of Fluency Security: “Security is a changing environment”

It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?

As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Chris Jordan.

Fluency CEO and Founder Chris Jordan founded Endeavor Security, a cutting-edge threat hunting and streaming analytics solution focused on helping enterprises and governments protect their most sensitive networks. Prior to Fluency, his company Endeavor Security was acquired by McAfee in 2009, where he was Vice President of Threat Intelligence. Well known for establishing some of the largest government security operation centers, Chris changed his career, starting a security service company in 2003 and a research & development company in 2004. Both companies have since been acquired, and after retiring from McAfee in 2012 he founded Fluency® with longtime friend and coworker Kun Luo.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I come from a blue-collar middle-class family. My father dropped out of high school back in the 40’s to take care of his family. He is self-educated, and my role model. We moved a number of times, following work opportunities. My parents did an excellent job of never allowing us to know when we were struggling. We went to in-state schools and I got my masters at night while working during the day. Coding was more than a job — it was a hobby. Going out on the weekends cost money, coding didn’t. I was fortunate to be in a company of other young coders. Strangely, I remember renting a beach house one year with three other co-workers. We would all bring our laptops and LAN up on the patio overlooking the beach.

The transition to security was by chance. Being lower middle-class, we always fixed things instead of replacing them. I have a habit of taking things apart and then putting them back together. That habit extends into reading code and reversing communications. One day, I was asked by a manager if I could break into an optical lock that was read by an Apple Newton. I wrote a report on all the ways that I could break into the Newton and fool the readers of the device. The report was read by a security company, and they recruited me. My job changed from missile testing to information security. This changed a side hobby of hacking into a career. The company taught me regulations. More importantly, the company was mostly older people who focused on policies, procedures and architecture. This left all the technical work for me. I was encouraged to hack everything: optical routers, UNIX servers, Banyan VINES networks, and the newest technology — firewalls.

Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.

For a short period of my early career, I was doing what are now called penetration tests, and I felt I was very good at breaking into systems and had a mastery of the craft. When I was asked in ’95 to start up the Army computer emergency response team (ACERT), I felt that it was going to be boring, an unwinnable game of cleaning up and patching systems.

Luckily, Lawrence Livermore National Labs had a prototype of a new technology called “network intrusion detection” that allowed on-the-wire intercept of system communications for security. This tool gave me a chance to watch first-hand the activity of some very talented hackers. I watched not only exploitation, but how hackers hid themselves from detection and moved within the system. These years provided me a humbling education in the gap between what was known and what was really happening. I learned to check my ego at the door and pay attention.

Can you share the most interesting story that happened to you since you began your career?

Kris Kaspersky was an amazing individual. He was the best hacker I have ever known, and he loved photography. While I think my business partner Kun Luo is the smartest man I know, Kris was the most talented.

One afternoon at McAfee, we got a message from Dmitri Alperovitch that a massive attack was occurring, exposing companies like Adobe and Northrop Grumman. The attack was being referred to as Operation Aurora, a reference to a directory name that appeared in the exploit code. How the exploit worked was not really known. It was in a packed JavaScript file. The code was complicated and had obfuscation that the Atlanta McAfee people could not get around even though they had had the code for more than a week. Kris got the file around 11 pm that night. Within a couple of hours, he had the code reversed, and by 6 am that morning he had written a script that could unpack any obfuscated JavaScript. His mind kept working the problem, even after he solved it. He won an internal McAfee award for his work, but like the government stories I can’t tell, no one outside of McAfee knew who really did the work. Later, Kris would die in a parachute accident, and it left a void in my life. I found a picture of the two of us on the Internet after he passed away. It was of the two of us meeting for the first time in San Francisco. He had captioned it, “I finally got to meet my best friend”.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

There are many people that helped shape who I am today. One friendship that stands out the most is Peiter “Mudge” Zatko, a.k.a. Mudge. I was doing some speeches for NFR Security. At the Gold Club in Paris, the two speakers were Mudge and me. I remember sitting in the back of the theater listening to Mudge describe what he called the “Physical Laws of the Internet.” My wife, also in information security, asked me if he was making any sense. I told her: it is genius. I just think it’s too obvious to him, and incomprehensible to the audience. Mudge was trying to explain to network people what we would now call network behavioral analytics. He was just twenty years too soon.

I would have to get up on stage and follow Mudge. I was talking about AI log analysis, something my 2003 company had just received funding for. My slides were made before the trip, and I didn’t know that Mudge was going to be there. The second-to-last slide was a quote from Mudge: “You will never pay me to review logs.” It was a very surreal moment to quote an idol you look up to and be able to see them in the audience. Since then, he has always been there for me. Some people are more amazing after you know them.

Are you working on any exciting new projects now? How do you think that will help people?

The most awesome thing about starting your own business is that you get to decide what project you spend your time developing. We are working on streaming analytics. This involves analyzing data as it comes into the system to determine when a behavior is detected. Scaling analytics involves writing code. I make this distinction of writing code, versus integrating libraries and then placing a script on top of them. Most companies do not write their own code. But in writing code from scratch, it can be written directly against the problem, removing bloat. Bloat occurs when the library or tool needs to consider options or platforms that are not in play. The result is that you can implement new concepts. So, we have built a system that performs analytics on streaming data. Think of it as the difference between a data lake and a data river. Audit events are a river; they require a different approach than marketing data.

Helping people is an interesting aspect when asked, “What are you doing?” While we are doing streaming analytics, the “Why” is not the same as the “How.” Why do people need streaming analytics? Streaming analytics answers the real-time question of “When.” With a data lake we can say there is water and there is ice. Streaming analysis answers the question of the moment when water turns to ice. Sometimes it is important that you know there is ice, yet it’s also important to know the moment ice is seen. Or in other words, it’s good that a SIEM can detect a bad event, but it is more important that it can tell you the moment it occurs. People think they want big data analytics; what they really want is big river analytics.
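The lake-versus-river distinction above is easiest to see in code. The following is an added example, not code from the interview or from Fluency's product: a small stateful detector consumes constructed authentication events one at a time and reports the exact event at which a rule (five failed logins for one user inside a 60-second window) fires, beside a batch count over the same events that can only say, after the fact, that the threshold was exceeded. The event list, the rule and the threshold are assumptions chosen for illustration.

```python
from collections import deque

# Constructed sample authentication events (not from the interview):
# (epoch seconds, user, outcome)
SAMPLE_EVENTS = [
    (1000, "alice", "fail"),
    (1005, "alice", "fail"),
    (1010, "alice", "fail"),
    (1012, "bob", "success"),
    (1015, "alice", "fail"),
    (1018, "alice", "fail"),     # fifth failure within 60 s: the rule fires here
    (1020, "alice", "success"),  # a success resets the user's window
    (1200, "alice", "fail"),
]


class FailedLoginStreamDetector:
    """'River' detector: consumes one event at a time and reports the exact
    event at which N failures for one user fall inside a sliding time window."""

    def __init__(self, threshold=5, window_seconds=60):
        self.threshold = threshold
        self.window_seconds = window_seconds
        self._failures = {}   # user -> deque of failure timestamps inside the window
        self._fired = set()   # users already alerted for the current burst

    def process(self, ts, user, outcome):
        """Return ts if the rule fires on this event, otherwise None."""
        if outcome == "success":
            self._failures.pop(user, None)
            self._fired.discard(user)
            return None
        window = self._failures.setdefault(user, deque())
        window.append(ts)
        # Drop failures that have aged out of the window.
        while window and ts - window[0] > self.window_seconds:
            window.popleft()
        if len(window) >= self.threshold and user not in self._fired:
            self._fired.add(user)
            return ts
        return None


def run_stream(events, threshold=5, window_seconds=60):
    """Streaming answer: (user, timestamp) for the moment each alert should fire."""
    detector = FailedLoginStreamDetector(threshold, window_seconds)
    alerts = []
    for ts, user, outcome in events:
        fired_at = detector.process(ts, user, outcome)
        if fired_at is not None:
            alerts.append((user, fired_at))
    return alerts


def run_batch(events, threshold=5):
    """'Lake' answer: after the fact, which users exceeded the failure count.
    It tells you there is ice, not when the water froze."""
    counts = {}
    for _, user, outcome in events:
        if outcome == "fail":
            counts[user] = counts.get(user, 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("stream:", run_stream(SAMPLE_EVENTS))   # [('alice', 1018)]
    print("batch: ", run_batch(SAMPLE_EVENTS))    # {'alice': 6}
```

The streaming detector carries only per-user state bounded by the window, so it scales with the number of active users rather than with the volume of history; the batch count needs every event before it can say anything, and even then it cannot place the burst in time.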

What advice would you give to your colleagues to help them to thrive and not “burn out”?

I have had burnout a number of times. You get into an easy rhythm of working and deadlines. To me, burnout occurs when I am chasing a long-term goal. Soon I am working long hours and investing weekends to have a feeling of making progress. The combination I find that works for me is time management, hobbies and friends. Time management is simply having a consistent start and stop time with defined times for hobbies and dinner. Every hacker I knew had hobbies: Johnny Long had a yoyo, Kris did photography, and I am learning guitar. Obviously, we hopefully have more than one hobby. Dinner is important for family, and I will try to have lunch with a friend once a week. Lastly, it’s about recognizing the small steps and progress. If the same pattern occurs and you do not see progress, it feels endless and meaningless. I am bad at this last step of celebrating the small successes. But when I do, it helps. Many people play video games because gamification often creates recognition for small steps and progress, like a boss fight. A boss fight in a game would seem empty if there was no reward or recognition on its completion. True, even if it’s just Mario sending a flag up a pole.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc., about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?

As you dig deeper into this question, you will find a range of legal requirements first driven by nations and individual states, from the European Union with GDPR to Canada with PIPEDA and California with CCPA. Many countries and states have laws on their books today working to protect private information known as PII (personally identifiable information) or PHI (personal health information). PHI protection, for example, is defined by law within the USA with HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) dealing with electronic health records. Another law is SOX (the Sarbanes–Oxley Act of 2002) dealing with public accounting and investor protection.

Secondly, various vertical industries have compliance regulations in place such as for credit card usage referred to as PCI-DSS. NY state has a finance industry regulation known as 23 NYCRR-500 that puts specific requirements in place for any financially related business that has activity in NY.

Now you need to dig into the actual legal wording of these laws/regulations. For example, CCPA is geared to protect the consumer and how their data is used. CCPA doesn’t really impact typical SMBs. The bottom line: It doesn’t protect the digital rights of the individual.

Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?

It depends on various factors. For example, does an individual prefer to receive marketing for only items that interest them, or not at all? Another might be: if you travel, do you want your hotel to know your preferences and prepare them for you in advance of your arrival? These examples can go on and on, but in the end it is a matter of individual choice that should prevail; however, that’s not likely to happen any time soon globally. Consider the latest pandemic: Phone companies, Google, and Apple are able to track your location, enabling them to do a public service when it comes to exposure contact mapping. A missing family member can be tracked by their cell phone geolocation. Are the results of these scenarios more important than individual digital rights? The answer is “it always depends.”

In our opinion, a best practice is to provide an individual with the option to opt out of data being collected on them.

At a global level, the option to individually opt out is complex — given all the unique laws and regulations.

In the face of this changing landscape, how has your data retention policy evolved over the years?

We’ve always maintained a position of storing data for a full year to meet the minimum compliance regulation for PCI-DSS. In many instances, this has helped authorities in doing research on potential issues that may have occurred up to a year in the past. Additionally, we support our clients by making available optional extended years of storage to satisfy requirements for financial and health storage.

Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?

We make every effort not to record any sensitive information from our customers. We don’t request and track email addresses and phone numbers unless the customer asks to be contacted. We don’t particularly need this information to run our business. We know what we store, and it’s extremely important for other businesses to know what they store. As a policy, we don’t allow for any shadow drives. Cookies are not run on our website. As a company, we retain information through Microsoft — one platform via the auto log. We maintain the encrypted auto log for 365 days.

Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?

By default, we store all client log data for a full year with optional years available as required. This data is stored in the AWS cloud and utilizes key protections provided by AWS.

It was critical for us to build in support for the toughest laws, which are the European Union GDPR regulations. Any data that is fed to us with PII or PHI content can be pseudonymized per the model GDPR defines. Additionally, since we’ve been operating in the cloud for years, we’re able to utilize the AWS regional locations that allow us to adhere to local data regulations, such as in Germany. This also ensures our international and multinational clients are able to meet privacy laws. We believe these capabilities will enable us to easily adopt any near-future privacy regulations.
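To make the GDPR pseudonymization model concrete, here is an added example (not Fluency's code, and not from the interview) of what pseudonymizing identifier fields in a log record looks like. It replaces direct identifiers with a keyed HMAC token so that records about the same user still correlate for analytics, and keeps the token-to-original mapping in a separate store, which is the "additional information kept separately" that GDPR Article 4(5) requires. The record layout, the field names treated as PII, the key and the truncation length are all assumptions chosen for illustration.

```python
import hashlib
import hmac

# Constructed sample log records (not from the interview or any product).
SAMPLE_RECORDS = [
    {"ts": "2021-05-01T10:00:00Z", "user": "alice@example.com",
     "src_ip": "203.0.113.7", "action": "login", "result": "ok"},
    {"ts": "2021-05-01T10:00:05Z", "user": "alice@example.com",
     "src_ip": "203.0.113.7", "action": "download", "object": "report.pdf"},
    {"ts": "2021-05-01T10:01:00Z", "user": "bob@example.com",
     "src_ip": "198.51.100.9", "action": "login", "result": "fail"},
]

# Fields treated as direct identifiers (assumption for this example).
PII_FIELDS = ("user", "src_ip")


def pseudonymize_value(value, key):
    """Deterministic keyed token for one identifier.

    HMAC-SHA256 rather than a plain hash: without the key, a token can neither be
    reversed nor recomputed from a guessed input (e.g. a known e-mail address).
    The hex digest is truncated only for readability of the resulting logs."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseud:" + mac[:24]


def pseudonymize_record(record, key, fields=PII_FIELDS):
    """Return a copy of the record with the identifier fields replaced by tokens."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = pseudonymize_value(str(out[field]), key)
    return out


class ReidentificationVault:
    """token -> original mapping, the 'additional information' GDPR says must be
    kept separately. In a real deployment this is a separate, access-controlled
    store, never written next to the pseudonymized logs."""

    def __init__(self):
        self._map = {}

    def record(self, token, original):
        self._map[token] = original

    def lookup(self, token):
        return self._map.get(token)


def pseudonymize_stream(records, key, vault=None, fields=PII_FIELDS):
    """Pseudonymize records as they arrive; optionally feed the vault."""
    result = []
    for record in records:
        pseudonymized = pseudonymize_record(record, key, fields)
        if vault is not None:
            for field in fields:
                if record.get(field) is not None:
                    vault.record(pseudonymized[field], record[field])
        result.append(pseudonymized)
    return result


if __name__ == "__main__":
    tenant_key = b"example-tenant-key"   # constructed; a real key comes from a KMS
    vault = ReidentificationVault()
    for rec in pseudonymize_stream(SAMPLE_RECORDS, tenant_key, vault):
        print(rec)
```

Two properties matter operationally: the same identifier yields the same token under the same key, so behavioral rules such as "N failures for one user" still work on pseudonymized data; and a different key (for example one per tenant) yields unrelated tokens, so records from different clients cannot be linked even if the stores are combined.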

In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?

The way that we have stored data has changed. First of all, MSFT doesn’t even create alerts. It’s all done in the cloud. For example, you must tell Microsoft Office 365 to retain data longer if needed, and still, it’s not done centrally. If an organization is running AWS, Oracle Cloud, Dropbox or Salesforce, it’s not centralized. The new requirement is that you must store data in a central location. MSFT doesn’t provide for that. Out-of-date tools can’t just be fixed by putting a new interface on them. Unless the tools for retaining data are Fluency tools, which were born in the cloud, they are badly suited.

There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?

Let’s first define the difference between breach and incident. An incident is unauthorized access to an infrastructure environment, whereas a breach is actual theft of protected data. Most attacks are not hacking, but rather logging on to someone’s systems. This is due to the sophisticated, targeted phishing attacks that continue to prove fruitful for hackers. Humans are the weakest link in the cybersecurity chain.

We’ve designed our tool to react quickly to newly published indicators of compromise or other new techniques used to gain access. To this end we’ve created a GUI approach to adding new behavioral rules within minutes, whereas many similar products require script-writing capability that takes much longer to implement. Our proprietary streaming database allowed us to search all of our clients’ data within minutes to determine if they were impacted by the latest national attack; none were.

We believe in continuous improvement. Our development approach is a highly adaptive, flexible model that protects against new and evolving threats, ensuring our clients have the latest capabilities. Cybersecurity is an ever-changing model, and you must be able to “turn on a dime” to respond properly. Without exception, Fluency delivers on maximum visibility, detection and response.

Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)

Security is a changing environment. We have to learn and adapt. We change the way we operate because of what we find.

#1 — Someone must be in charge of this effort, such as the DPO (Chief Compliance Officer or CISO), etc. [Example: A man without a plan is not a man — this cannot be done by committee. This is a position of business (not security). That may sound odd, but this is not a technical position. PII and PHI (personal healthcare information) need to be defined. The CCO is trying to manage the problem, not SOLVE the problem.]

  • Learn the corporate data requirements.
  • Understand the laws/regulations that demand compliance.
  • Document how data is shared/accessed.

#2 — Maintain a centralized data repository. You can’t have a decentralized structure where data is everywhere. That creates way too much difficulty. [Example: Keep it simple, stupid. The reason non-centralized data is a non-starter is that it serves as a single point of failure. All paths to and from data must be encrypted.]

  • Define role access.
  • Partition your data.
  • Proceed with an organized approach.

#3 — Institute a well-tested disaster recovery plan. [Example: All your eggs are in one basket, and you need to make sure you’ve brought durability to your system. Durable, immutable storage. RPO (Recovery Point Objective) and RTO (Real-Time Objective). Data storage should be redundant geographically. SaaS recovery.]

  • Ransomware is an example.

#4 — Define WHO has access to what and why. [Example: Not only do I want to have MFA, I want to be able to audit everything that person does. I want to validate every user.]

  • Two-factor authentication is required (MFA).

#5 — Deploy EDR. It’s not only important to protect data; you must also control and monitor WHO has access to the data itself. [Example: Remote workers accessing data means that the information is going to end up on local machines.]

  • Audit definitions needed.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

Understand how to perform your job correctly and take into account all the ways you may be vulnerable to cybersecurity attacks. Don’t center your cybersecurity efforts on a checklist. Checking off boxes is not the way to go. Checklists mean nothing unless you know what you’re doing. Perhaps we should add a residency requirement to cybersecurity certifications so that REAL WORLD experience/exposure is garnered. We have too many cybersecurity experts on “paper.”

How can our readers further follow your work online?

Visit the Fluency Security website, or follow us on LinkedIn or Twitter.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
