Randy Marchany, Chief Information Security Officer, Virginia Tech

Randy Marchany is one of those rare individuals who has spent his entire career with the same employer. His time with Virginia Tech started four decades ago as a student, and he has worked his way up to CISO since then. And along the way, he earned his bachelors and master’s degrees in computer science and electrical engineering from the university.

Marchany began working at Virginia Tech at the age of 22. “I started off as an IBM systems programmer, then moved on to working with ‘microcomputers and instrumentation’. Today we call that the Internet of Things,” he says “Then I became a system administrator for DEC VAX systems and Unix systems. I was a UNIX system administrator for probably 10 or 15 years.”

Necessity forced Marchany to learn about IT security. “I got into the IT security aspect of computers in 1991 when one of my servers was hacked. My colleague and I spent probably two to three months to recover from that attack. We said to each other, ‘Let’s figure out how this guy got in so that we don’t ever have to go this lengthy recovery process again.’ We started digging around and couldn’t find many materials on IT security. Then we stumbled onto this outfit that was just starting up at the time. It was called the SANS Institute.”

Not long after that, the SANS Institute held a conference in Washington, D.C. Marchany and his colleague wanted to go but couldn’t afford the registration expense. They discovered they could attend the conference for free if they agreed to be speakers, so they proposed to talk about their hacking experience. Following the conference, Alan Paller from SANS approached them about working on some projects together. That’s how Marchany became instructor number two for the SANS Institute, and he has been a part of the teaching team since 1992.

Working at the university is exciting

Marchany really loves the vibrant atmosphere of working at a university. “We get a lot of the leading-edge technology way before the rest of the world does, so that makes it rather exciting,” he says. He recalls a project from 1991-1994 called the Blacksburg Electronic Village that involved Bell Atlantic (now Verizon), the town of Blacksburg, Virginia, and Virginia Tech. “We wired the town of Blacksburg to the Internet and created arguably one of the earliest electronic commercial villages,” says Marchany. “We had grocery stores, florist shops and other businesses that advertised a primitive web presence. With a Mosaic browser, you could visit a shop and order flowers or other goods. This was all a test, but we were on the forefront of digital commerce. It was pretty exciting.”

In the last decade, Marchany oversaw the development of a lab that is used by the operational analysts. “As the CISO, I’m responsible for the cyber defense of the university,” he says. “On the operational side, we monitor all the intrusion detection devices and data, and we’re the core incident response team for the university. We have a lab that the analysts use to build and test tools. Some years ago, we opened the lab to any students, undergraduate or graduate, who have an interest in doing cybersecurity research. The students can work on real world problems using real data that we collect on the operational side, and they get practical hands-on experience with the tools and how to use them in an enterprise. It’s been a very good program for us and the students all around.”

A few patents to his name

Marchany is a co-holder of two cybersecurity patents. He and three others were awarded a patent in 2004, when the first handheld computers were coming out. At that time, the handheld devices weren’t capable of doing any real network analysis. “You couldn’t look at packets, because the operating systems at that time didn’t have the capability to do so,” says Marchany. “We came up with a way to use power consumption on the batteries as an indicator of somebody attacking the device. For example, think about your smartphone just sitting there on your desk and nothing’s happening. Your battery power consumption is at a certain level, but the moment somebody tries to connect to the device, it starts to consume slightly more power simply because it’s processing whatever information is coming into your phone. So, what we developed was a way to use that spike in power consumption as an indicator that something might be off, that somebody might be attacking you.”

His second patent is more current and has potential commercial viability today. “Virginia Tech is one of the few institutions in the country that is running a full IPv6 network today,” explains Marchany. “Suppose you and I are exchanging data and you get hit with a massive denial of service attack. How can we defend against that attack to keep our traffic flowing? Our idea is to jump to a new IP address, and now the attackers have to find us. This works because of the massive addressing space of IPv6. One of our IPv6 networks has 1019 addresses in it available, whereas the entire IPv4 network worldwide only has 1010 addresses. The technique is similar to radio frequency hopping but by hopping IP addresses instead.”

With orders of magnitude more addresses, it’s possible to jump around and make it more difficult for attackers to find the good traffic. Marchany says there is some interest in commercial use of his technique in the Internet of Things world.

On the lighter side

Marchany played in a band called No String Attached for nearly four decades. The band just recently retired after achieving what Marchany calls “minor success.” “We played sort of a Celtic style of music, and there’s not a huge market for that style, but we actually have nine CDs out and we were nominated for an independent record label award called an Indie that is akin to a Grammy. We were nominated for Best Album in string categories for six or seven of our albums, and one of them won the award for an Indie a few years ago.”

He toured all over North America and Europe as part of the band. Their music can still be heard often on National Public Radio. In fact, Marchany wrote the original theme song for an NPR show called “World Café.” His instrument is called a hammer dulcimer, and he says it’s just a tremendous amount of fun to play this music.

Marchany and his wife enjoy riding motorcycles in the beautiful Virginia countryside.