Craft tailor-made solutions.
I view information security as more of a business function than just a technology function, primarily because there’s no one-size-fits-all security solution. While the number of security solution providers has grown exponentially, the solution themes and approaches tend to remain the same. Each industry has its own set of challenges and regulatory requirements, but more importantly, you need to understand your specific business model to design a security program that mitigates threats uniquely impacting your organization. This unique business-specific security program development requires a complex skill set spanning information technology, risk management, legal, audit, business function operations, and a real-time understanding of the threat landscape in the market; that’s why the CISO role is one of the most complicated in a company.
Keep an eye out for blind spots.
The focus on cybersecurity has increased over the past couple of years, with a burst of sophisticated, targeted attacks against companies of all sizes. The most common problem organizations face, in spite of having a structured security program, is the lack of visibility and consistency in actionable security intelligence. In other words, you can only protect what you see and manage well. Hackers exploit the gap between what you see and what you don’t in a systematic manner.
Recognize pattern disruptions.
We had developed a security incident and events management platform yielding our first generation of actionable intelligence, but we still had all of these log events sitting untapped in this massive database. So, we sought to figure out how best to use this information while carefully filtering noise to stay focused. The business does it—for example, with pricing: you run contextual queries against the market, looking at consumption models, what products are in demand. I decided to take this approach with our security analytics and build the foundations for big data security analytics.
I said, “What if we start looking at all these logs and create a pattern baseline of the network? Then, if there’s a deviation from that pattern, we know there’s something interesting in the network.” It’s a simple thought process, but to develop it we had to build a custom security-analytics data model. We then pumped processed information from all our log sources into it, and layered contextual business knowledge on top of it, creating a custom signature for the organization. So, on any given day, the idea is to predict the indicators of attack based on how the business consumes information. You know the expected traffic patterns, and if you see something anomalous, you zero in on it.
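The pattern-baseline idea above can be illustrated with a small detector. This is an added example, not the author's analytics model or any code from the organization described: it assumes one simple realization of a baseline (per host-and-port channel, the mean and standard deviation of daily outbound bytes over a learning window) and flags a day under review when a channel's volume deviates beyond a z-score threshold or when a channel appears that was never seen during the baseline. The flow records are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow summaries (not real data).
# Fields: day index, source host, destination port, bytes sent out.
FLOW_LOGS = [
    # Baseline days 1-5: "fileserver" uses HTTPS (443) at a steady volume;
    # "workstation" uses HTTPS (443) and SMB (445) at steady volumes.
    (1, "fileserver", 443, 1_000_000), (1, "workstation", 443, 200_000), (1, "workstation", 445, 50_000),
    (2, "fileserver", 443, 1_050_000), (2, "workstation", 443, 210_000), (2, "workstation", 445, 48_000),
    (3, "fileserver", 443,   980_000), (3, "workstation", 443, 190_000), (3, "workstation", 445, 52_000),
    (4, "fileserver", 443, 1_020_000), (4, "workstation", 443, 205_000), (4, "workstation", 445, 49_000),
    (5, "fileserver", 443, 1_010_000), (5, "workstation", 443, 195_000), (5, "workstation", 445, 51_000),
    # Day 6 under review: fileserver volume jumps roughly 20x, and workstation
    # opens a port it never used during the baseline window.
    (6, "fileserver", 443, 20_000_000), (6, "workstation", 443, 200_000), (6, "workstation", 445, 50_000),
    (6, "workstation", 22, 5_000),
]


def daily_totals(logs):
    """Sum bytes per (day, host, port) so each day yields one measurement per channel."""
    totals = defaultdict(int)
    for day, host, port, nbytes in logs:
        totals[(day, host, port)] += nbytes
    return totals


def build_baseline(logs, baseline_days):
    """For each (host, port) channel, learn the mean and population stdev of
    daily bytes over the baseline window. This is the 'pattern baseline'."""
    series = defaultdict(list)
    for (day, host, port), nbytes in daily_totals(logs).items():
        if day in baseline_days:
            series[(host, port)].append(nbytes)
    return {chan: (mean(v), pstdev(v)) for chan, v in series.items()}


def detect_anomalies(logs, baseline, review_day, z_threshold=3.0):
    """Return (host, port, kind, detail) findings for the review day:
    'new_channel' for a channel absent from the baseline, or
    'volume_deviation' with the z-score when volume leaves the learned band."""
    findings = []
    for (day, host, port), nbytes in sorted(daily_totals(logs).items()):
        if day != review_day:
            continue
        chan = (host, port)
        if chan not in baseline:
            findings.append((host, port, "new_channel", nbytes))
            continue
        mu, sigma = baseline[chan]
        # A perfectly flat baseline (sigma == 0) makes any change a deviation.
        if sigma > 0:
            z = (nbytes - mu) / sigma
        else:
            z = float("inf") if nbytes != mu else 0.0
        if abs(z) > z_threshold:
            findings.append((host, port, "volume_deviation", round(z, 1)))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(FLOW_LOGS, baseline_days={1, 2, 3, 4, 5})
    for finding in detect_anomalies(FLOW_LOGS, baseline, review_day=6):
        print(finding)
```

Run stand-alone, the script reports the fileserver's volume spike and the workstation's never-before-seen channel, while the two channels that stayed within their learned band produce no finding. The contextual business knowledge the author layers on top would live in the choice of channels and thresholds per business unit; here a single global z-threshold stands in for it.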
There’s no “I” in Army.
Security is not just about the CISO; it’s about the CISO’s tactical team. It’s taken me a long time to build a well-balanced group of security professionals within the organization, but I now have a robust and versatile staff, ranging from fresh college graduates, to veterans, to professionals with decades of industry experience.
It’s not all Fun and WarGames.
You have to give security professionals a controlled environment in which they feel comfortable exploring. I’ve been fortunate enough to recruit some bright candidates who already established themselves by winning regional and national hacking competitions even before they graduated.
But most security practitioners just out of school don’t have the opportunity to try out some of the cooler aspects of the job. I’m trying to create a platform on which they can do that. I bring them in and give them the opportunity to be a part of what I call my Red Team. The Red Team is the offense team; they try to hack into our own security controls and break our solutions. In doing so, they come to understand how the technology works. Working against them is the Blue Team, which is the defense. They keep strengthening our controls based on the Red Team’s exploits.
If you see something, share something.
Sharing information has required a big shift in thinking. A few years ago, the mentality about security was that you didn’t want to share what you were doing. That’s a good point; you don’t want bad guys to know your security model. But then a handful of industry pioneers decided to get out there and start sharing information. It became clear, with a steady increase in cyberattacks and data breaches, that sharing best practices should evolve.
Back in 2007, I started reaching out to my industry peers to create an intelligence network. Initially it was informal, but it grew, and now operates as a powerful peer roundtable sharing timely and invaluable intelligence. This collaboration extends to both government and private sectors. When one of my industry peers experiences a security incident, technical intelligence helps others implement preventive controls. It’s security crowdsourcing in action.