IT Security Teams: Changing Stripes

Brian Wood Blog

For large firms with the resources to deploy a team of people focused on IT security, the members of said team are a changin’.

No longer is security experience a strict requirement; indeed diversity of experience is valued — as long as an extremely high degree of specialization is part of the package.

While such luxuries are rare for any small or medium-sized business, it’s interesting to note the changes taking place at large companies.

Article by Kelly Jackson Higgins in Dark Reading.

Emphasis in red added by me.

Brian Wood, VP Marketing


The Changing Face Of The IT Security Team

For a peek at the IT security team of the future, consider the team at Cisco Systems or at OpenDNS: in both firms, the security team includes not only malware experts and researchers, but also data scientists with no security expertise whatsoever.

The surge in “big data” resources for vendors and large enterprises, a growing trend toward gathering internal event logs and external threat-intelligence feeds, has pressured some organizations to rethink the type of expertise they need in in their IT security department. Enter the math majors, most of whom weren’t schooled in Stuxnet or botnet traffic.

When Dan Hubbard, CTO at OpenDNS, started at his post two years ago, one of his goals was to rethink what a security research team should be. “One of the goals was to rethink if you could restart a security research team, what would be the absolute things you have to have to be competitive?” Hubbard says.

OpenDNS built on the existing team that was in place, but added a whole new generation of members. “Instead of hiring [more] reverse-engineers or malware researchers, we decided to augment [those experts] … [with] data scientists who understood massive amounts of data,” Hubbard says. That also meant adding algorithmic experts with PHDs in machinery, graph theory, some of whom had worked in genome research or fields unrelated to cybersecurity, he says.

The first-fruit of OpenDNS’s new-age team was its Security Graph, a free service for security researchers that provides them with access to OpenDNS’s Internet and DNS traffic data and analysis. The idea is to provide researchers with a more global view of malware, botnets, and advanced threats rather than just a snapshot or slice of the activity.

Today, one-third of OpenDNS’s security team are traditional “security geeks” or experts, and one-third are data scientists who work on math problems to analyze all of the data, Hubbard says.

Cisco also has expanded its security team with algorithmic experts in its Threat Research, Analysis, and Communications (TRAC) group. “We have a whole side of the team comprised of data scientists … They have no backgrounds in security,” says Levi Gundert, technical lead of the Cisco TRAC team. “Data is data to them. At the end of the day, we’re driving use case for them but they are managing the models and tools to quickly pull back data for analysis in an automated fashion.”

Gundert says the gap between the cultures–mainly how the two worlds can speak different languages in the context of security — is a work in progress. “When we increase communication and the opportunities to communicate, we’re seeing a lot more success. Without that, a lot gets lost in translation when shooting emails back and forth.”

He says the teams hold weekly phone calls to ensure both sides are understanding one another.

Times are changing for security geeks as big data and threat intel-sharing become part of the picture. The teams can’t work in isolation anymore: “The days of siloing teams has to go away. Even within research teams, you find a Web team, a vulnerability team, and an email team — they all need to come together,” OpenDNS’s Hubbard says.

Much of security research leads to protection when a new threat is discovered. Data scientists take a different approach: “A lot of the data scientists we have hired are looking at a problem before the attack happens,” he says.

Pairing together the security researcher and the data scientist is a powerful combination. “You’ve got someone who knows a ton about the security space and how threats work, and then you’ve got the math/data science person” working on crunching the data and they “feed off each other,” Hubbard says.

When OpenDNS teamed up with Kaspersky Lab to study the Red October attacks targeting diplomatic entities mainly in Eastern Europe and Central Asia, Kaspersky Lab had malware samples that they had reverse-engineered. “They are really good at that kind of stuff–they had recompiled the binary, but didn’t have the data or breadth of the network … so we helped build that.”

That hunger for security intelligence from internal logs and external threat-gathering services goes hand-in-hand with what many experts consider the Holy Grail of security — continuous monitoring — where organizations watch each and every move that goes on in and out of their networks in hopes of catching the bad stuff before it does real damage.

Tenable CEO and CTO Ron Gula says this need for big data gathering and crunching expertise has a lot to do with the evolution toward continuous monitoring. “I only see data scientists with bigger companies –with 10,000 and up or 5,000 and up employees — not at SMBs,” Gula says. “Big Fortune 500s and government agencies can measure their network in real-time and measure patch rates, for example, or tell you the number of systems patched within the last five days for the past 90 days.”

That’s what data scientists do, he says. “In my opinion, the reason they [organizations] are doing [data science] is because they are moving toward continuous monitoring,” Gula says.

OpenDNS’s Hubbard sees large enterprises gradually moving toward data scientists in their security teams as well, but to solve somewhat different problems than OpenDNS, Cisco, and other vendors are solving. A large enterprise security operations center typically has experienced cyberattacks for more than a decade, and in the process, purchased all different types of security tools to defend their environment. “In many cases, they have not deployed it right, and many of these solutions are disparate systems and there’s an information gap between all of them,” Hubbard says.

So some use tools like Splunk, for example, but many are struggling to apply context to the data they’re gathering. “Even with all of those pulling data into one central data store, it’s hard to understand that the receptionist’s computer is infected or the CEO’s computer” has been compromised, he says.

“The attacks are not identified and correct context isn’t applied to them,” he says. “Companies are hiring a big data scientist due to the business intelligence” they need to correlate, he says.

It’s about turning data into information. Getting access to data is not hard. Applying the appropriate context to it is really important,” Hubbard says.