Automation key to defeating new adversaries

The Office of Personnel Management in the United States is responsible for vast volumes of personal information. It holds the data relating to potential, current and past employees of the government. IT Security Operations Director Jeff Wagner is responsible for protecting this data against a constantly changing threat landscape. He’s taken a non-traditional approach that not only responds to threats in seconds with fewer resources, but also uncovers previously hidden threats that were lurking on the network.

“A lot of people are realising that the current security architecture we’ve grown up with is pretty well dead. We need to take an entirely new approach towards defeating adversaries,” he says. Wagner sees attackers taking a far more targeted approach to breaching organisations. Rather than hammering at the boundaries, they are using stolen credentials to simply walk in through the front door. This is disconnected from how many organisations approach security. Typically, they invest heavily in perimeter security that is largely ineffective once someone has access to a user’s account. Many people see two-factor authentication as a potential solution, but Wagner sees issues with this approach.

“From a corporate perspective, or a federal government perspective, it’s very difficult issuing out all these two-factor credentials and then trying to manage them. At the same time, if a card or token breaks I have to swap it out. Do these people stop doing business while I swap them out? There’s the management overhead of deploying this. Doing two-factor authentication is very difficult for an enterprise.”

That means there needs to be a move from securing the perimeter to watching what happens inside the perimeter.

“I consider every user an insider threat. I look through everything we do and use behaviour analytics for everyone. I want to know when that good user turns into a bad user,” Wagner says.

“When I log in, I verify my log-in,” he quipped.

The good news is that the security industry is starting to evolve, with the pace picking up. Peter Clay, the Chief Information Security Officer at Invotas, says over 1200 new security companies received venture capital funding last year, with the investment continuing to increase.

Wagner sees some significant changes occurring on the defensive side of the cybersecurity war. “We’ve reached the point where, unless we develop full-on AI capability, there’s really not a whole lot new in the IT world. What we need to realise is once we’ve set all these tools running and something goes wrong – no one stops what they’re doing.”

However, the news is far more positive. He sees the ability to use better analytics to detect malicious behaviour, whether it’s intentional or accidental, as a major game-changer, along with orchestration – the ability to take the data relating to a detected incident and automatically initiate the response.

When looking at most of the recent mega breaches, the forensic investigation after the incident has revealed log entries that were either missed, or noticed but not reacted to quickly enough or at all. Once the initial log entry was seen, it was lost in the noise of subsequent entries until the attacker launched their attack, often months after the initial breach.

These tools allow Wagner to operate a very efficient team. With a small budget of just $211M USD, he says OPM is the “biggest little agency” of the US government. With just eight engineers to run his network, he needs to maintain a laser focus on what’s important.

“Many people say we only have 8500 users – which is totally true. However, I have 13000 federal investigators out around the world with laptops all remotely connecting back to the network. I get over a trillion terabytes of data passing through the sensors. I don’t have enough engineers to react to them. Orchestration is a game-changer.”

Part of his approach has been to do away with written procedures and replace them with flowcharts so that they can be used more readily – much like the pictographs airlines use for emergency procedures. This makes procedures easier for users to follow and results in fewer errors. It also means repeatable processes are highlighted clearly, which makes it simpler to identify which of them can be automated.

The result of the automation is that staff can be relieved of simple tasks and allowed to focus on higher-value and more complex issue resolution. This produces better-skilled workers who are better equipped to deal with serious breaches. The automation also reduces the time it takes to react to an issue and initiate a response.

While moving to this kind of automation seems difficult, Wagner says it’s really about finding which problems can be most easily automated and deliver value. Rather than trying to do everything all at the same time, the secret is to target your efforts and approach it as a long-term program rather than a finite project.

Stories by Anthony Caruana