Security Analysts Becoming ‘Data-Mining Gurus’? Q&A With Bay Dynamics’ Ryan Stolte
Insight On Red Teaming, Analyst Challenges & More
As 2018 progresses, we have seen more data breaches, a widening of the proverbial threat “landscape,” and cyber security headlines dominating media coverage. Vulnerable organizations are being exploited at alarming rates, through ransomware attacks, open-source vulnerabilities, malware strains, social engineering schemes and more.
Oftentimes, it’s hard to navigate the space. Or better yet, it’s tough to prognosticate. What does the future of cyber security hold? Will the space “plateau”? Further, as workloads migrate and data analytics explode in the enterprise, who will be there to pick up the security slack? To get his take on these topics, we spoke with Bay Dynamics Co-Founder and Chief Technology Officer (CTO), Ryan Stolte.
Cyber Security Hub: Can you tell me a bit about your time in the cyber security space? Perhaps a bit about your experience “threat-hunting”?
Ryan Stolte: One big observation (I find is that with) every breach that occurs, very rarely, if ever, do we run into a situation where we throw our hands up and say “We have no idea what happened!” There’s data there, the fingerprints exist. Why can’t we get ahead of it, and stop that stuff before the breach occurs? (You can) use data to get out (in front) of it and stop it. That’s really the essence of disrupting the kill-chain. The opportunity for us is: before cyber security, we were focused on web-based analytics – all the stuff you take for granted, or expect in the consumer experience … (The) same techniques are directly applicable to cyber security. The difference is understanding what people are trying to do. In this case, (it’s about) understanding what the bad actor is going after – (feeling) encouraged to get to the target, (wondering whether they’ll be) stopped. The process is the same for a practitioner on the other end … Luckily, we’re able to bring to bear decades of experience in that regard.
CSHub: How can analysts hunt threats more effectively?
Stolte: There are challenges with how we’re hunting threats today. We have a situation – we don’t have enough experienced threat hunters and cyber professionals at all to cover the scope of what we need to defend ourselves. There are not enough good guys to stop the bad guys, to win the battle … There’s too much data – a huge amount of (it) in cyber security software. It captures data, logs everything, but it’s logging far more than human analysts can consume themselves. We can’t throw more analysts at the problem. (There must be) creative ways to turn information into insights that security practitioners can take advantage of, without staring at it line by line. The data is too granular. As they say, a picture is worth a thousand words … (So, if we) back up and look at the picture…we use human reason and do not stare at individual pixels, or the logs that come through. We can’t see what’s “really” going on. (We should) use technology to paint that picture, and humans do what they’re good at: passing judgment on the situation, and not trying to piece together alerts/events.
One problem is that the adversaries are out there and they’re changing tactics. (If the business is) set in its ways, and there’s too much data – a high volume – and it goes with what worked before, by nature they’re going to miss a lot of stuff. They’ll catch some bad guys, but there will be a huge, gaping hole. The problem is not because we don’t know how to do the jobs, (it’s that we) can’t watch every door at the same time. There’s a community of great people, who (also) understand how to do investigations. (But we) need to incorporate technology to provide “hot leads.” How? Through analytics, machine learning and AI…
Regrettably, we’ll never have enough humans to do this (data analysis work) without leveraging AI. We have to use that, and train people better. The more experienced people out there can pore through data and start looking at hot leads. Let them be good investigators. I think that’s one of the failings of the last few years. Security analysts are being turned into data-mining gurus. This has bypassed human capabilities entirely. (We must rely on) human subject matter expertise to pass judgment, not rely on intuition to find things. Let the machine find things… Intuition is going to get us in trouble.
CSHub: What are some challenges analysts face when threat hunting?
Stolte: There’s too much data out there. (We must) get hot leads faster. (What I’m) advocating is: let AI find those things and present them to investigators… There’s a strong connection between people in (similar) backgrounds in the physical world, (those who are) doing investigations – former police officers, those out of the military. But they’re not looking at the digital footprint, they’re looking at the analog footprint. And they’re experienced in that; they’re not necessarily computer experts and don’t have the background. There’s a strong pipeline of folks taking investigative roles in private organizations. But it’s a bad idea to turn them into programmers. They’ll do their job, but (conversely), programmers and data analysts are not necessarily good at performing human-level investigations.
They’re qualified to pass judgment. That means saying, “What do we do with this person?” Or, “Is it an HR violation?” But, they don’t (necessarily) know how to find a pattern. So, let technology get them a complete package. (This means information on) investigating a person and evidence to support that. It’s an important pipeline into the security of an organization. (We must) “tech-enable” these folks, not turn them into technologists.
There’s too much data coming out to understand what we’re missing. In having a good understanding of your security posture, (you’ll likely need to) use analytics to find the threats, and put them into context in the value of the target. You can use analytics to find the gaps.
Imagine the digital world as a building: You’re sitting in the command center; you don’t know where the doors and windows are. How can I protect them? (So, for the) crown jewels, how can I protect them? (You may) figure it out, but you don’t have a camera on them, watching them (at all times). You can’t; you’ll still have blind spots. We find a lot of organizations saying they have a good security posture – with defense in depth, a vulnerability management system, data from firewalls, a web proxy, intrusion prevention systems (etc.). On paper, the CISO (might) say, “Good!” (But, if you) bring that in, you may have a vulnerability over here, and endpoint protection in some other group. They’re not the same assets. The one camera, or one angle, is on different groups of the estate. That’s a big problem organizations have: they don’t know that they’re missing controls on important parts of the organization. If it’s missing, and you don’t know, you can’t fix it. You’ll never catch the bad guys, because you don’t have evidence to support it in the first place.
This leads people back to using intuition. (Here, there exist) problems: people may not understand – (or controls) haven’t been deployed uniformly. Then, you don’t have evidence for the human or AI entity to figure out what’s going on. You’re not collecting the right stuff in the first place. That’s a major, overlooked opportunity. (One should) take data, find threats where they can, and (ultimately) paint a realistic picture… This can be used as a list to make progress…
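The coverage-gap analysis Stolte describes above (controls deployed on different slices of the estate, so nobody knows which important assets go unwatched) can be made concrete by joining each control's asset list against the asset inventory. This is example code added for this article, not Bay Dynamics' software; the tool inventories, host names and CMDB criticality tiers are all constructed.

```python
"""Control-coverage gap analysis: which assets each security control
actually observes, with the gaps ranked crown jewels first.
Added example; every inventory below is constructed sample data."""
from collections import defaultdict

# Constructed export from each control. Tools name the same host
# differently (case, FQDN vs. short name), so the lists do not line up
# until they are normalised; that is the "not the same assets" problem.
VULN_SCANNER = ["db01.corp.example", "web01.corp.example", "hr-files"]
ENDPOINT_PROTECTION = ["WEB01", "laptop-17", "HR-FILES.corp.example"]
WEB_PROXY_LOGS = ["laptop-17", "web01", "ldap01", "dev-box-9"]
CONTROLS = {
    "vuln_scan": VULN_SCANNER,
    "endpoint_protection": ENDPOINT_PROTECTION,
    "web_proxy": WEB_PROXY_LOGS,
}
# Constructed CMDB: criticality tier per asset (1 = crown jewels).
CMDB = {"db01": 1, "web01": 2, "hr-files": 1, "laptop-17": 3,
        "ldap01": 1, "backup01": 1}

def normalize(host: str) -> str:
    """Reduce 'WEB01.corp.example' and 'web01' to one asset key."""
    return host.strip().lower().split(".")[0]

def coverage_matrix(controls, cmdb):
    """Map every CMDB asset to the set of controls that see it."""
    seen = defaultdict(set)
    for control, hosts in controls.items():
        for host in hosts:
            seen[normalize(host)].add(control)
    # An asset in the CMDB but in no tool at all is a total blind spot.
    return {asset: seen.get(asset, set()) for asset in cmdb}

def coverage_gaps(controls, cmdb):
    """(asset, tier, missing_controls), most critical and least covered first."""
    gaps = []
    for asset, present in coverage_matrix(controls, cmdb).items():
        missing = sorted(set(controls) - present)
        if missing:
            gaps.append((asset, cmdb[asset], missing))
    return sorted(gaps, key=lambda g: (g[1], -len(g[2]), g[0]))

def unmanaged_assets(controls, cmdb):
    """Hosts a tool reports that the CMDB does not know about."""
    return {normalize(h) for hosts in controls.values() for h in hosts} - set(cmdb)

if __name__ == "__main__":
    for asset, tier, missing in coverage_gaps(CONTROLS, CMDB):
        print(f"tier {tier} {asset:10s} missing: {', '.join(missing)}")
    print("not in CMDB:", sorted(unmanaged_assets(CONTROLS, CMDB)))
```

Running it lists backup01 first (tier 1, seen by nothing), then the other tier-1 hosts with partial coverage, and flags dev-box-9 as a host the proxy sees but the inventory does not.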
CSHub: Where do you see the security space three to five years from now? This could be in any regard – AI, IAM, firewalls, etc.
Stolte: There are a couple of major themes. Cyber security will be a major pillar of corporate risk management. Everyone is realizing that they’re under attack all the time – and if you don’t secure (the enterprise), you’re going to get in trouble. Five years from now, there will be a (holistic) risk-based approach to cyber security. This demands visibility into how we’re doing (security). Are the controls in the right places? That’s very important. (This will be at the) board level and trickle down. Organizations will be able to answer how we’re doing from a cyber security perspective. A risk-based approach will be a huge factor in the industry.
We’re going to continue to move toward our identities, and access around identities. (This entails) much more real-time protection for our assets, in a similar way that credit cards have become a real-time protected asset. There are more parallels and analogies to observe with what credit card companies are doing today and how we’re going to expect user accounts to be treated in the future.
(It will be) more pervasive on the inside of an organization as well, and more behavior-based. (If you detect problems, you must be) able to produce a second factor of authentication. But, we’ll also watch behavior, and if you don’t act like yourself, we’re going to stop you. A direct analogy to that is what we have seen with credit cards… We’ll see that inside organizations… People will realize these accounts they have are as sensitive as personal credit cards… This won’t be a business inhibitor, but will deter a lot of bad behavior of prospectors or “door-jigglers” (within the enterprise)… A behavior-based approach to how our credentials are used inside and outside of an organization (will be present) five years from now. Maybe it will be longer than five years, but it will be accepted as a standard. That will touch every facet of security.