IT Life: Security Needs Analytics
James Stevenson was nearly a policeman, but ended up in Blue Coat – using analytics to stop cyber-crime
He nearly became a policeman, but James Stevenson ended up fighting cyber-crime at Blue Coat’s advanced threat protection group. What’s his secret? Well, it all seems to hang on security analytics.
What has been your favourite project so far?
I discovered a zero-day malware exploit on a customer network within two days using pro-active breach discovery methodology. It was eight months before the customer’s previous anti-virus provider was able to detect this same malware.
What tech were you involved with ten years ago?
I was heavily involved in security operations centre (SOC) work, integrating and leveraging traditional tools such as security information and event management (SIEM), firewalls (FW), intrusion detection systems (IDS), intrusion prevention systems (IPS), anti-virus (AV) and vulnerability scanners.
Stand by for Big Data security
What tech do you expect to be using in ten years’ time?
Security analytic “Big Data” platforms fully integrated with traditional best-of-breed security solutions for rapid detection and remediation against advanced threats. The current point solutions with separate data silos are not good enough as intelligence sharing is key.
I still think traditional tools such as firewalls, IDS and SIEM technologies play a vital role in a defence strategy, but with attacks circumventing signature capabilities and taking months (or years) to uncover, it is clearly not enough.
All decent security operations centres are starting to see the value of implementing a best-of-breed SIEM for centralizing (not necessarily correlating) logs and integrating with a security analytics platform to get the context and content of the associated traffic and conduct rapid investigations.
This pro-active breach discovery methodology has a significantly better detection rate against unseen threats compared to a team of security analysts sitting at their screens waiting for a signature-based alert to trigger. It doesn’t cut it in today’s threat landscape and I know this after spending five years as a SOC analyst team lead in a decommissioned nuclear bunker.
Today, large enterprises are starting to shift from a preventative/reactive strategy to pro-active breach discovery. Although it requires more of a human element to investigations, the majority of the process can be automated, such as the blocking of known threats and automatically sandboxing the unknown artefacts bypassing traditional technologies.
Who is your tech hero?
Jeff Moss (AKA Dark Tangent). A hacker may seem like an odd choice at first glance, but he founded Black Hat and DEF CON, where previously unknown security exploits are revealed, ultimately making the world more secure. He was sworn into the Homeland Security Advisory Council and now forms part of a task force to increase the pipeline of cyber security experts required to meet the increasing demand against today’s cyber threat environment. He’s also served as chief security officer at ICANN.
Who is your tech villain?
None that I would like to specifically call out. Let’s just say I would like to avoid any entanglements.
Did I mention security analytics?
What’s your favourite technology ever made? Which do you use most?
As a security analyst, I was frustrated with the lack of content (payloads) and context before and after alerts generated from traditional security technologies. I started to heavily rely on security analytic solutions five years ago to get complete network visibility for situational awareness and pro-active breach discovery.
I would now feel blind without it if someone pulled the plug. It would feel similar to leaving my mobile phone at home for a week while traveling on business. If I was joining a SOC team and they didn’t have a security analytics platform, I know I couldn’t do my job properly.
What is your budget outlook going forward? Flat? Growing?
The emerging space of advanced threat detection is growing rapidly. Gartner says that 10 percent of budgets in 2012 were assigned to rapid detection and resolution, and predicts it will increase to 75 percent by 2020 as we adapt to the changing threat landscape.
Apart from your own, which company do you admire most and why?
Most recently, I’ve been excited about the arrival of Google-backed start-up Shape and its concept of the “botwall”. For years I’ve been working hard to detect polymorphic malware bypassing traditional detection tools, and to see a company attempting to leverage the same polymorphic techniques against the attacker by obfuscating the website’s code on every page view is a very interesting concept which will confuse automated bots.
The attacker will no doubt find a way to work around the current iteration, but I’m sure the Shape team has anticipated this and hopefully has a good roadmap up its sleeve. It is shaping up to be an interesting arms race and concept.
What’s the greatest challenge for an IT company/department today?
I’ve spent a lot of time with SOC and incident response teams across EMEA and have seen a common theme: a shortage of human resources armed with the appropriate analysis skills, training and technology required for today’s threat landscape. This is why there is so much demand for the consultancy-based security firms that take over after an incident to understand the scope and root cause.
There is also far too much focus on security budgets being driven by compliance and just ticking the boxes. Being compliant does not mean being secure. Although many companies are increasingly aware of the inadequacies in traditional security technologies, they are typically reluctant to invest in new security solutions until it’s too late. They typically deploy security solutions as part of a knee-jerk reaction to their stolen intellectual property and/or customer data hitting the media. It is the same as buying an alarm system for your house after you’ve been burgled.
Take the cloud carefully
To Cloud or not to Cloud?
Despite the security and privacy concerns of the cloud you can’t ignore the financial and operational benefits for SMEs and large enterprises. There are different risks that need to be addressed no matter your decision. If, for example, you are concerned about your sensitive data in Salesforce, you could invest in a solution that ‘tokenises’ the data in transit before resting in the cloud. That way if someone gets direct access to your cloud data they can only see jargon. Bottom line, mitigate identified risks and embrace the Cloud.
What did you want to be when you were a child?
Being an armed forces brat I was intent on joining the military, but my family convinced me from a young age to join the police instead. I walked into a police station at 18 and they encouraged me to get some life experience. After applying a few years later, they lost my application during a small recruitment window. They eventually found it between two desks but I had missed the window, so I decided it wasn’t meant to be.
I finished my degree in business information technology, got my first break at Symantec (thanks Graeme Pinkney) and never looked back.
OK, sometimes I wonder “what if” now and again.