
Dr. Johannes Ullrich

Dean of Research at SANS Institute

Prior to his two decades at SANS, Johannes worked as a lead support engineer for a web development company and as a research physicist. Johannes has always been attracted to the fast pace of information security and curious to understand and measure the intricate dependencies of attacks and countermeasures. While the fast pace of the field can be overwhelming at times, it does offer constant opportunities for learning, and any change and impact is quickly measurable.

Johannes’s first network was a lab network used to remote control physics experiments. When he first got his hands on an "early" cable modem, which allowed him to control experiments from home, he overlooked the fact that the router (which he built himself from a Linux distribution) was also an open mail relay. Of course, it didn't take long for a spammer to find and abuse it, which led to an angry call from his ISP. Like most of us who start to worry about security after an incident, that was when he started learning about firewalls and security. In the process, he discovered his interest in collecting data about the attackers scanning for systems like his own. This led to the development of DShield.org, a website that still today collects logs from users worldwide to better understand these attacks.

Johannes’s daily work revolves around the Internet Storm Center. Leading this group brings him in direct contact with packets, web applications, and malware on a day-to-day basis. This work keeps his skills sharp and relevant while informing the material he presents in class. Johannes enjoys working for SANS because it lets him disseminate what he has learned from researching current attacks and puts him in contact with students who are working in the trenches of information security. This back-and-forth sharing and learning with others drives his passion for information security.

It can be exhausting to have to deal with "yet another attack" day in and day out, but being part of the great team at the Internet Storm Center allows Johannes to affect how networks are defended. It is rewarding for him to hear from former students, readers of the Internet Storm Center, or listeners to the podcast how they applied what they learned and how it helped them. Teaching technology "from the ground up" can be challenging at times, yet crafting even a dry topic like packet analysis into something exciting and seeing students light up as they grasp new concepts makes even hex conversion and counting offsets more exciting than a good movie for Johannes.

Johannes has found that students starting out in the field often question why they need to know the background and protocol details that are taught. His ability to link these topics to practical examples where that detail made the difference wins them over. His approach to teaching is to convey an understanding of the underlying principles so that students are ready for what comes next, since information security is developing too fast to focus on specific techniques and tools.

Johannes is a partner of the Cyberwire Podcast, a member of the Board of Advisors for Threatstop, Inc, earned a PhD in physics from SUNY Albany, and holds multiple security-related certifications, including the GIAC GMON, GNFA, GWEB, GCIA and GSIP. Over the years, Johannes has been honored with a variety of awards, as well:
- ISSA President's Award for Public Service - 2018 from ISSA
- Best Security Podcast - Mar 2014 from Security Bloggers Network
- Historic Preservation Award Mobile Web Application for Historic Springfield – from City of Jacksonville, FL
- Best Technical Security Blog - 2009 & 2010 from Security Bloggers Network
- Best Paper Award - 2008 from Usenix
- Top 5 Influential Security Thinkers - Dec 2005 from SC Magazine
- Top 50 Most Powerful People in Networking - 2004 from Network World

  • Microsoft's Honeypots: A New Era for Deception-Based Security?
    Dr. Ullrich explains that deception tools like honeypots detect attacks by luring cybercriminals. While effective, they pose risks if not properly managed. Microsoft's move highlights the need for such tactics amidst a "cyber storm" of 600 million daily attacks. Compliance issues arise as honeypots may violate regulations if misconfigured. Deception should complement, not replace, other security measures.