When I was asked by Rackspace in 2015 to build and staff a security operations center that could deliver effective cybersecurity services to our customers, I knew it would be a challenge.
After all, breaches of large organizations such as the U.S. Office of Personnel Management, Anthem Inc., Ashley Madison and multiple financial institutions were adorning the 6 o’clock news on an almost daily basis. My thought was, if these organizations, with significant budgets and the ability to attract some of the most experienced talent in the industry, were unable to defend against cyberattacks, how would we be able to succeed?
The answer came not from technology alone, but from a far more familiar asset: people.
When my team and I took on the challenge, we understood that we needed to reassess what it was we were solving for. We had to understand why so many cybersecurity programs were failing and what a successful security operation would need to do differently.
In order to understand the capabilities we would need to defend our customers, it was critical to understand the threat and how, in detail, that threat had evolved in a way that was rendering tried and true security strategies obsolete.
Two things stood out.
First, business had changed. By 2015, we were no longer talking about whether companies would move to the cloud — that ship had sailed. Customers expected businesses employing new cloud-enabled technologies to deliver greater value and more efficiency, yet remain secure. We also saw the beginning of organizations using multiple clouds, increasing exposure to risk.
If we believe, as we should, that the role of a security team is to enable the business, it’s clear that a modern security strategy must work across multiple platforms, reducing risk enough to allow businesses to go where they need to go and do what they need to do to deliver the outcomes customers demand.
Back in 2015, that meant whatever we set out to build had to reduce complexity by providing a consistent set of capabilities across all of the platforms utilized by our customers’ businesses.
The second thing that stood out: the infamous Advanced Persistent Threat (APT). The internet is full of articles and opinions declaring APTs to be a game-changing enemy. My team agreed, but in order to build capabilities that could mitigate such a threat, we had to understand what it was APTs were doing differently.
This is a complex question, with a complex answer that could fill another entire blog post, but think of it this way: malicious organizations that have succeeded in using APTs invested in PEOPLE — and they did it long before our companies’ security teams did. They trained, equipped and organized people in a way that enabled them to share information, cooperate and coordinate far more effectively than their defensive counterparts.
This collaboration accelerated the development of tools and tactics, and their more organized approach ensured they were lying in wait to take advantage when an unsuspecting employee inevitably clicked on a phishing email or used “PASSWORD” for a password. It’s more complicated than that of course, but the upshot was, security teams were still relying on the latest tool, then handing it over to well-meaning, but under-prepared IT professionals. And as we’ve seen with breach after breach, a well-trained, well-equipped hacker will always prove far more innovative than a tool. This isn’t a war technology alone can win.
As we continued to build out capabilities for Rackspace security, we understood that to mitigate the threat APTs and APT-style attacks bring to the fight, we needed to significantly enhance two capabilities within our team: detection and rapid response.
Thousands of tools claim to identify and block cyberattacks, and to a certain extent, this claim is valid. These tools are effective against many thousands of attacks deployed against organizations every day. Some use complex algorithms, innovative machine learning and artificial intelligence. I’m not here to decry the inadequacies of the security technology industry; these tools are critical.
But sophisticated attackers, with legitimate credentials that have been phished or obtained through some other technique, operate below this threshold.
Proactive analysis, or cyber hunting, extends detection capabilities below this threshold to enable us to seek out and identify sophisticated attackers. Cyber hunting means different things to different people and there are multiple approaches, but the bottom line is, if done correctly, it means using security analysts who are highly trained, up-to-date and well equipped.
Beyond accepting that sophisticated attackers will circumvent our perimeter tooling, and developing the capability to hunt them down on our networks, modern security operations also require the ability to stop these attacks before they develop enough to impact the business.
Incident response must protect the business before it is impacted, rather than pursuing a graduated response that deals with the consequences of an attack. Without a rapid and active response capability, security teams are little more than the ineffective “security monitor” in that well-known commercial, happily “monitoring” the bank, while robbers relieve it of its valuables.
The bottom line is, effective detection and rapid response both require high levels of expertise. In the last 18 months, my team and I have interviewed more than 300 cybersecurity analysts, yet we’ve hired 32. Why so few? Because the role has changed.
Many cybersecurity analysts have earned the title by manipulating a tool as part of a security team, but not much beyond that. When we pushed during interviews, too many candidates lacked the analytical thinking and practical experience to operate within a modern cybersecurity team. Even well-trained, highly experienced “traditional” analysts often lack the experience needed to take active and real-time measures and deal with an attack BEFORE it’s able to impact the business. It is this proactive response capability we believe is needed in today’s battle space.
In the past, the role of analyst has largely been post-event analysis: dissecting attacks, reverse engineering them, understanding the weaknesses that enabled them and perhaps making recommendations about how to avoid them in the future. This is valuable, but it’s an outdated expectation of what an analyst needs to be.
As hackers have “up-skilled,” evolving to evade the tooling we set around our perimeter and within our networks, we need analysts who not only have the ability to hunt these sophisticated attackers but can also engage in hand-to-hand combat — and win.
A security team must have the ability and the capability to identify an attack, understand how it happened in real time, predict what is going to happen next and then take the necessary action to contain that attack, or at least make it as difficult and as expensive as possible for our adversaries, before they’re able to move through the attack life cycle and achieve their objectives.
Analysis is no longer a passive skill; it’s very much an active one.
These skills are hard to find in a single analyst. The role today requires elements not only of a traditional cybersecurity analyst but also that of a threat researcher and an incident responder. Given the new demands, I’m not even sure what to call it anymore.
The team we’ve built at Rackspace is rightfully proud of the technical and analytical skills we bring to bear, because we demand significantly more than considered analysis. Our team includes active cyber warfighters. As I said, this is a war technology alone won’t win, so when we built our team, we did what hackers had done before us, and invested in PEOPLE.