I have had the honor of working with first-rate security operations teams around the world. Whether I was in the CISO role at one of the top 5 companies in the Fortune 500, running Security Operations Centers in the frenetic world of financial exchanges, or responding to threats against the critical infrastructure industry, there are a number of challenges that have been universal:
- There is never enough time
- It is tough to deliver security consistently and effectively
- Repeatable processes are elusive
- Shutting down a threat or attack takes longer than it should
Lack of time and resources as well as having a “target on one’s back” are challenges that every IT security professional faces. As they say, “you’re only as good as your last security event response.” Just ask the CISOs who have lost their jobs to security lapses.
Paul brings more than 20 years of experience working with security operations teams and solving security challenges at some of the largest organizations in the world.
So what is needed to overcome these challenges?
Consistency – it takes time
It’s sad, but true. Despite the glamorous portrayal of hackers and security response teams in the movies, a monotonous but important reality is that security teams need to document what they do. We need to track it, we need to be coordinated, and we need to be agile. We are forced to do it with increased pressure from the growing number of threats impacting our organizations. Our work needs to be standardized and repeated every day, without a drop in service quality.
I’ve built a number of security programs. One concept that has always served me well is the playbook. In all situations, whether the security team was small or large, there has been a need for consistency, for common nomenclature, standard deliverables, and predictable paths. At the very least, this approach ensures that the shift handover will be smooth. Geographically dispersed groups are going to be able to respond more effectively, and the public face of the IT security team will look professional and reliable.
The benefits are worth it. A consistent approach drives team pride, fast action (e.g. like building a SOC with full 24×7 operations in 2 months), and metrics that demonstrate the value of the security team.
To ensure consistency from the start, I’ve used playbooks with graphical diagrams supplemented by an arduous manual documenting each and every step of the process. When the inevitable happens, the team could use a well documented playbook to ensure that we were following a consistent process.
Still, there was something that always bothered me. Lack of automation. I call it a “click-fest”. Cut and paste this information into another application, or even worse, re-type the information. I challenge anybody to get excited about entering a SHA256 manually. This “click-fest” was often repeated multiple times a day. Human error, boredom, and even missed security events occurred. When I lead a security team, I want to exercise their critical thinking, challenge them to use their instincts and IT security chops versus treating them like a group of unskilled data entry dupes.
So what has changed?
The industry has evolved. Products have APIs that allow you to extract information and enable response. But you still need something to bring the data together and go beyond a prioritized list of events to review, which otherwise invokes once again the cursed “click-fest”.
After two decades in the security industry, I started working with some of the most forward thinking security institutions, building threat intelligence platform architectures. These architectures were designed to consume data in the form of events and threat intelligence, and then validate if the event reached a risk threshold. These systems were being built in-house and they required a lot of maintenance. This changed some of the members of the team from being security analysts to developers. It’s not ideal, but you need people who not only understand how to build robust solutions, but also understand the mission and parameters that affect a security operations team, or a threat intelligence team, or an incident response team.
Are you in security or system integration?
The systems were built. They weren’t ‘pretty’, but they worked. It wasn’t a system which allowed people to easily codify their processes into playbooks. It required systems integration. I remember meeting a CISO in Australia, and he asked if I could help him get out of the system integration business since most of his security engineers were focused on integration instead of optimizing security response.
But I want efficiencies, I want automation
When I started to design those threat intelligence platforms, many customers wanted complete automation. I had to explain to them that you could only expect to automate a portion of the operations – maybe 60% of the threats. I had to explain that their security response needed to leverage all of the organization’s infrastructure. There is a cost associated with implementing security controls. The closer the threat gets to the processor, the higher the cost. If I can block an attack at the network level, then I’m not going to affect the performance of that critical database. I talked about an agile response model with “micro rules” that could be applied according to whether you were monitoring for a threat IOC inside the infrastructure versus responding to an active threat inside their environment.
A system is needed that provides automation to enable speedy, standardized, and effective response. This same system also needs to support the triage process of investigating an event, bringing all relevant information to the analyst from multiple sources, enabling them to determine the level of risk and to perform deeper analysis of the situation. It should also enable active response across multiple solutions.
Phantom has built what security operations teams and incident responders need: a platform that empowers security teams to integrate and develop standardized processes and procedures. All the concepts that I’ve dreamed of and spoken about during the past few years are realized in a product that enables integration, automation, and efficiency in a security operations environment. It supports an agile model that can leverage the power of automation and the human brain.
Phantom provides automation, consistently: a powerful platform that ensures SOC and IR teams focus on the interesting aspects of investigation and response, leveraging their skills and passion for security. Phantom is the solution that can proactively gather all the information that analysts need to assess risk and execute an effective response, at scale.
I’m really excited to be joining Phantom, since it is the realization of the dreams I had as a security professional. I look forward to helping our customers, our partners, and the IT security community find success. I look forward to working with a great skilled team to build relationships that will help advance the capabilities of the IT security industry, from vendors to the people protecting organizations on the electronic frontline.
VP of Delivery
Paul is a seasoned IT Security Executive with a global reputation for building organizations and delivering services. He has more than 20 years of experience working with security operations teams and solving security challenges at top companies including EDS, General Motors, GE, Cisco, Dow Chemical, The Washington Post, The United Nations, MCI, Prudential, and Mitsui.
Prior to joining Phantom, Paul held a number of senior leadership roles including EDS’ Chief Information Security Officer at General Motors, Chief Security Officer at Dow Chemical, and Director of Security Operations for a major financial exchange. Paul earned a CISSP certification, and is a member of ISSA, IACs, and the MIT Enterprise Forum of Cambridge.