Chris Coryea comes from Leidos – a major MSSP in the United States which is comprised of about 33000 employees that come from the original Leidos MSSP business and Lockheed Martin's cyber security team. That brought together the MSSP capability with advanced analytics and Lockheed Martin's famed Cyber Security Kill Chain approach.
Based in London, American born Coryea began his presentation at AusCERT 2017 quoting UK Prime Minister Sir Winston Churchill who said, "You will never reach your destination if you stop and throw stones at every dog that barks".
"In this world we live in, the theme of distractions and focus couldn’t be more true. We have so many distractions, it's really limiting our ability to focus on what it takes to create a really mature cybersecurity program," said Coryea.
The recent WannaCry attack is a case in point. While a serious threat, professionals were inundated with calls from management, boards and vendors that potentially distracted them for doing their jobs.
One of the ways to avoid this distraction was to empower people to do their jobs by giving them the right technology and supporting them with a framework.
Coryea walked the audience through three case studies where Leidos guided organisations through a journey that took his company a decade to complete. Through these stories, Coryea highlighted the myths that stopped those businesses from moving forward, the truths that debunk the myths that were limiting them, and then what steps they took to mature in their cybersecurity organisation.
While there are many different frameworks, said Coryea, the key is that everyone is "working from the same sheet of music".
One of the myths Coryea encountered came from a Fortune 500 financial institution. Being well resourced, they could recruit some of the top cybersecurity talent that was available. But they believed that having smart people, who were empowered, they didn't require a formal framework or processes.
The problem was that there was a lack of focus. As a result, they had an idea of what they should focus on, but no way of understanding what they must focus on.
"You can outpace your adversaries if you all focus on the right things," said Coryea.
The path to enlightenment was to choose a framework and to employee the employees and leadership in the framework so they could look beyond a specific incident and focus on the company's broader needs.
Looking at how technology could help, Coryea discussed the journey taken by a large utility. But the problem was the exiting staff were faced with even more log data and alerts than they could cope with. As a result, they were unable to focus and there was an overdependence on "out of the box" configurations that diminished the focus on the specific domain knowledge of their own people.
The enlightenment, said Coryea, came by getting a better understanding of the entire technology portfolio, evaluating its effectiveness is defending against real attacks and increasing the visibility of real problems.
The third case study came from the pharmaceuticals industry. The company operated three SOCs that they wanted to staff with 30 analysts over an 18-month period. However, the myth they were caught with was that all network defenders are "cut from the same cloth" sad Coryea.
"They had the Mr Robot mindset," he said. "The one thing that we, as defenders, have is that analytical mind. That hunger and built-in ability to solve those tough problems".
Once that myth was dispelled the company could cast a much wider net when recruiting and it also helped cultivate talent from within the business. Those internal people have a lot of other benefits as they understand how the business works and "where the bodies are buried" said Coryea.
For each case study, Coryea said it was critical that there was an agreed measurement system in process to measure the effectiveness of the chosen solutions and mitigations against the different threats and risks.
That measurement is critical as it helps focus management attention on the right thing and proves the value of the investment to boards and other senior company officials.