Cloud provider FireHost's security chief brings lessons from the front lines

Chief Security Officer Jeff Schilling ran security at the US Army and Department of Defense

Jeff Schilling joined secure cloud provider FireHost as chief security officer this week.

Jeff Schilling, who joined cloud hosting startup FireHost this week as chief security officer, knows a thing or two about cybersecurity.

As director of the U.S. Army's Global Network Operations and Security Center, he oversaw security operations and incident response for more than 1 million computers on 350 wide-area networks in 2,500-plus locations around the world. He went on to direct the global security operations center for the entire U.S. Department of Defense. During his 24-year military career, he was deployed to Saudi Arabia, Kuwait, Haiti and Afghanistan to work on communications and information security.

Schilling retired from the Army in 2012 to run the Global Incident Response practice for Dell SecureWorks. His new company, Dallas-based FireHost, operates a managed cloud IaaS (infrastructure as a service) to securely host enterprise data, including regulated data such as payment and health-care information.

The IDG News Service talked to Schilling about his experiences securing military operations and what they taught him about enterprise security. This is an edited transcript of that conversation.

IDG News Service: What kinds of cybersecurity threats did you face?

Schilling: There are three categories of threat: criminal actors, nation-state actors and insider threats. Categories of threat will tell you what capability they have.

When you start to look at motives, there are three main motives. One is hacktivism, or destructive activity. That could be a nation-state actor, that could be a criminal actor, or that could be an insider who's trying to disrupt, deny, or destroy inside your network. The other category is strictly criminal, trying to take intellectual property; putting malware on your system that locks up your system and then making you pay ransom; and credit-card and other breaches.

The other type of motive I see out there is national-level espionage. I think there are over 190 countries that have active cybercollection programs ... to try to gain advantage in national policy. That's how you would best characterize the type of operations that the U.S. government does: basically, foreign intelligence gathering to help inform national policy decision-making.

The other type of nation-state activity that we're seeing, although it's hard to give attribution to, is what would probably be termed as cyberwarfare: Deny, disrupt, destroy, and keeping people from getting access to their infrastructure.

IDGNS: Who's winning?

Schilling: Clearly, threat actors have the advantage. When I was in the Army about three years ago, I was doing a public speaking event, and someone asked me, 'What is the game-changer that would bring the initiative back to the defense?' Our legacy networks are not defendable the way we have them set up now. If we created a cloud infrastructure with a blank sheet of paper that was defendable, then we could get the initiative back. That's one of the things that drew me to FireHost.

IDGNS: How did the situation change over the time you were working on security within the DoD?

Schilling: The threat actors' technologies and capabilities are not really changing that much in the last five years. We're seeing a lot of the same tools being reused and changed to meet a specific purpose.

Where the threat actors have really upped their game and improved is their operational processes. It is incredible how quickly criminal gangs are operationalized. When a zero-day exploit is announced, within 18 to 24 hours criminal actors are building or modifying tools to be able to exploit those critical vulnerabilities. I wish that I could study the software development programs of the criminal gangs, because they are very, very quick.

The second point I'll talk about is the nation-state actors. The nation-state cyberwarfare activity really was not in the forefront of the news and didn't get a lot of scrutiny in the past. No matter what country you're in today, there just seems to be a lot more national attention and international attention on these types of activities, and a lot of policy discussions on 'Should we be doing it or shouldn't we be doing it?' Those nation-state actors are putting a lot more investment in, and I think we'll see a technology leap ... improving their security processes to make sure that it's harder to detect their activities.

IDGNS: How are things going to change in the future?

Schilling: I think that we're going to get better at defending our networks. So the threat actors are going to have to up their game in the technology that they're using against us. As network security, both in the retail industry and other verticals, gets tighter, you may see some of these criminal actors start going to ... physical access operations where they try to actually penetrate the physical security boundaries of companies. So going forward, I think that we really have to get better at detecting the insider threat as well as with our physical security programs.

IDGNS: What did you learn in the military that may be useful to enterprises?

Schilling: Yesterday I was driving down the road. I saw a guy riding down the sidewalk. He was wearing a bike helmet, but he didn't have it strapped on. So what happens when this guy hits something and goes flying over his handlebars? That helmet is going to come flying off. I've seen a lot of companies that have that same problem with their security. I think you've seen some of the retailers that had bought a lot of security appliances and security technology but really hadn't trained their people to be able to understand and leverage that technology and also didn't have the processes in place in escalating some of the alerts that you get from that technology.

Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service. Follow Stephen on Twitter at @sdlawsonmedia. Stephen's e-mail address is
