It’s been about two months since the end of RSA 2018, and about a month since the end of the avalanche of emails and phone calls (for what it is worth, I apologize).  I think we have all had a chance to mostly recover.

I have been digging around the web to see what different people have taken away from RSA this year. Of course their published opinions differ as a lot of the data is from vendors pushing their own stories or takes.  <Spoiler: This will end no differently, but then I hope you expected that>. Below is one attendee’s take on RSA this year that I thought was fairly original. I found it on the twitter webs and I won’t point directly to it but in brief:

RSA 2018 Vendors:

Yup, we are all barking basically the same thing.

While at RSA I took a bit of time to catch up with some old friends and see what they are up to at their current gigs, but in large I was anchored to our booth running demos and talking to people passing by.  So my overall floor exposure was a little more limited than I wanted.

What I did pick up and collect on the general themes of the show, a translation of the seal barking if you would allow, is around Machine Learning, Automation, and AI.  Yet another year of advances in replacing human intuition, thought, and adaptability in the quest of faster response times to security issues and attempts at being truly predictive.

Not that there’s anything wrong with any of the above.  But it is the basically the same theme as the last couple of years.  Let the machines save us from ourselves.

We saw a lot of vendors touting new algorithms and new advances in machine learning around data flows, or user behavioral analytics, social network monitoring, traffic profiling, etc. etc. etc. In short we saw a lot of modifications on the same ways to do the same things.  Improvements on existing protocols and procedures. Nothing that I would call really new or enlightening.

The other thing that I was hoping to hear coming out of RSA was clarification around the pieces of the security market and what they are responsible for.  That didn’t happen. Threats are still wide ranging, nebulous things that are dangerous, ‘cyber’ and IOT are all encompassing, and every vendor is doing a little bit of everything buzzword wise to expand their messaging to literally anyone who would listen.

We are just as guilty as everyone else.

That being said, I am proud to be part of this company and the new product we announced at RSA.  Why I am proud is that as a company we continue to focus on empowering the human element, and with this latest product we push even more or the humans in the security loop.

It is interesting to think that putting humans back in the security loop could be considered new or different.  I mean humans haven’t gone anywhere, so why focus on this? To answer that I will point at the trends and the known realities we are facing in security.

One reality we are facing is a known and documented shortage of qualified people in security.  We have people using this shortage to move around quickly and advance their careers and titles.  These actions are leaving vacuums at companies around the world that vendors and universities are scrambling to fill as quickly as they possibly can.

I’ll point to a recent acquisition as an example of this:

From Oliver Fredericks’ Phantom blog post: Feb 27th 2018

“Enterprises faced a massive shortage in the number of security professionals, dozens of independent point products, a suffocating volume of security events, and rising costs.  SOC teams were simply at a loss as to what to do next.”

Phantom saw this vacuum forming and developed a tool that targeted a very specific need.  They went after Security Operation Centers and asked them simple questions:

• Is there a task that you perform over and over again?
• How often do you get the same result from that task?
• Once you complete the task are there follow-on tasks that are dependent on the first result?

A targeted tool for a targeted need.  A job well done from the vendor stance.

Other vendors are working in the same augmentation-based way.  MSSPs are the classic example of team augmentation. Other vendors in the risk and compliance, vulnerability, endpoint, user behavioral analytics, and many other fields are all attempting to do more analysis and detection with fewer people involved.  It is the nature of the beast and the core of the security problem.

This is why you hear the same barking from all the vendors.  It’s AI, machine learning, and automation simply because we don’t have enough people.

So now that we have identified a core need, more people, how does a focus on empowering people in the security loop help?

The help, or value, comes from focus at the team level.  A focus on the coordination and collaboration that is possible between between the members of a team and between separate teams or groups themselves.

Think back to the large breaches that occurred in the recent past.  Equifax, Anthem and in particular Target, all are use cases where there were alerts from point tools that one team saw that another team or group didn’t.  Not saying that spreading a single alert to the larger teams would have prevented the breaches, but they might have had a better chance.

Here’s the way I see it.  Continued efforts in automation and orchestration are important.  But as that process continues we will find more and more problems and tasks to be automated.  We won’t be able to see the larger picture because users are focusing on the next issue or result.  We getting back more time, but we are being sucked into the details. It’s the classic “forest for the trees” scenario.

We need to think higher when possible, we need to take a 30 thousand foot view of our security program.  Usually this rarified air is reserved for the CISO or the Chief Information Security Officer.

After reading that particular definition, what I take away from it is a CISO’s focus on Strategy, Vision, and Process Control.  At no point do I see the words Tactical, Operations, and Response in that definition.

In general a CISO’s role is to set the strategy around how things are to be protected.  The controls or tools to be utilized and the correct process(es) in how tools are to be used and reported upon.  They aren’t day to day users of security tools, they don’t live in logs and alerts, and they aren’t familiar with critical asset locations, or standard company traffic profiles.  These points are all in general, as certainly there are CISOs out there that are still hands on in their technical fields. But normally CISO’s are managing day to day operations and in the weeds with those operations.

So who is involved with these detail based tasks?  The security team leaders and managers. They are responsible for their team’s operation, determination of issues and scope based on the data available to them.

To me there is gap there.  There is a head of Security that is responsible for the strategy, the procedures, and vision of how to protect a company from a wide range of threats.  We have teams and team managers that are responsible for their tools and areas of responsibility. But we have no one that is directly charged with understanding the company security posture in the terms of an operational and tactical whole.  In military terms we have a General guiding the campaign, some company commanders in charge of specific sectors, but we don’t have a Brigade or Division Commander to determine how each group should be support each other or the organization of the sectors to accomplish the mission assigned.

We are fighting campaigns to defend our companies in a bit of a vacuum.  There has to be a better way.

One way may be a senior level role who is a liaison between all the security teams.  Someone charged with the identification and the tactical or coordinated response to issues that roll across the desks of multiple teams.

What would this role look like?  What would their responsibilities be?

Cyber Advisor or Cyber Director:

Key Responsibilities:

• Manage the daily operation and implementation of the IT security strategy
• Devise team protocols and implement IT solutions to minimize the risk of cyber-attacks
• Conduct a continuous evaluation of current IT security practices and systems and identify areas for improvement
• Oversee the management of the IT security operations by giving tactical and cross-team support to the security organization

Day-to-Day:

• Communicate with key stakeholders about IT security threats
• Create and manage adherence to an effective process for mitigating and reporting security incidents
• Foster an environment of collaboration across IT security functions: Incident Response, Threat Intelligence, Patch and Vulnerability Management, IT Security Compliance, and Security Architecture
• Manage collaborative investigations of security incidents
• Perform IT security risk assessments and report on ways to minimize risk profile
• Articulate IT security issues within a business context

Key Skills:

• Analytical mind capable of managing numerous information sources and providing data analysis reports to senior management
• Solid people management skills – providing direction, monitoring performance, motivating staff and building a positive working environment
• A passion for technology and security safeguarding with a desire to deliver
• Flexible and adaptable – capable of changing direction where required and showing flexibility to meet new demands
• An Ability to move between different Security Tools and Domains while understanding the details and how those may relate to a larger security picture
• Knowing who to ask for what to identify, scope, triage and mitigate potential Security, Risk and Compliance issues.

So now that we have an overlay that could matter, and a job description, how would you fill this position?  Well, here is the secret: Someone in your company is already fulfilling this role. It may be the IR team lead or manager, it may be 1st shift SOC manager or the Intel Team lead.  There may be two or three people within the organization that could help put the pieces of an issue together across multiple teams or data streams. All this role is meant to do is to elevate that person(s) and to give them a title and power to get things done.  Being clear,I don’t see this as a managerial role, but more of a security architect or advisor role. This person works only for the CISO, they aren’t beholden to a single security team, and aren’t judged on the performance of a single group or toolset or project.  They are judged on how much the security program is improved.

In order to show you how this roll can improve a security program we will turn to ThreatQ and what we could call the advisor’s workbench in my next blog.  

I told you how this blog would end in the beginning….