Welcome to Defender Spotlight! In this blog series, we interview cybersecurity defenders of all varieties about their experience working in security operations. We inquire about their favorite tools, and ask advice on security topics, trends, and other know-how.
Brian Castagna is a senior information security leader in the Boston, Massachusetts area. He's built information security programs for several Boston technology companies. His focus is on a collaborative cyber defense strategy between employees, customers, security vendors, cloud providers, and law enforcement.
Brian’s areas of expertise include security incident response, threat intelligence, risk, controls, compliance, vulnerability management, third party vendor due diligence, and security contract negotiation. He has expert knowledge of security compliance standards including SOC 1, SOC 2, PCI DSS, HIPAA, FedRAMP, ISO 27001.
Tell us about yourself, and your history working in security operations.
I started my career in public accounting as an auditor. No, I wasn’t wearing a pocket protector and itching to do your taxes. I was a slightly ‘cooler’ auditor, an information technology auditor at PwC and KPMG in the early 2000’s. I audited information technology security controls around access and authentication, change control, and that’s right - security event logging and monitoring.
Security event logging and monitoring in the mid-2000’s included an RSA Envision SIEM that nobody in the company knew how to configure, let alone the resources to actually monitor, investigate, and respond to alerts. But in fairness, the volume, complexity, and relevance of cyber attacks were not anywhere near today's levels.
I reached a point in my career as an auditor when I was tired of finding problems I couldn’t fix. I wanted to stay in the companies and fix them. I joined EMC in 2011, and got to hang out in the RSA Critical Incident Response Center - their SOC. The timing of my employment here coincided right after the RSA Breach, and I got to experience first hand fighting APT’s in a mature incident response function - security event monitoring, security event responders, threat intelligence, malware analysis - the whole enchilada.
Can you tell us about a moment in your career when you were proud to be a defender?
My incident response team during some hunting activities found a customer's code base publically accessible in an S3 bucket. We immediately called the customer, and he changed the permissions on the bucket to limit the exposure. He was so happy that we were proactively looking out for his company’s security.
Cyber security is so nebulous for most people; there is just an assumption that it’s being taken care of. But when you can proactively notify a customer of a cyber threat or incident that you stopped, they respond like you just brought home their lost puppy. “Oh my god, I’m glad Spike is safe, something awful could have happened to him,” but you prevented that from happening. They are really thankful.
In your opinion, what are the most important elements of implementing a successful security operations center capability? What do companies struggle with the most?
People, Process, Technology. In that order.
People: Having the right skill sets are critical to building a successful SOC. And the skill sets required are going to be varied: hunters, incident responders, content analysts, junior analysts to monitor the queue, threat intelligence or malware expertise, project focused resources vs. queue focused resources, vulnerability management expertise, etc.
Process: The people on your security incident response team need the right workflows, runbooks, shift schedules, and policies to build and maintain an IR function. Prioritize alerts P1, P2, and P3, because you will never get to all of them.
Technology: Security incident response does not scale without technology and automation. Having a well-tuned SIEM with the right log data is the first step.
Having a security incident response orchestration platform like Komand is critical to scale your IR function. For example, the ability to automate your run book with Komand allowing an analyst to only spend 5 minutes per alert instead of 20 minutes makes your IR team 300% more efficient. Next you have your tools - IP reputation, threat intelligence, vulnerability assessment, etc.
Companies struggle most with the People. There is such an unbelievable talent deficit in cyber security right now; particular in security engineering, architecture, and incident response. And if you get the right talent, you need to cultivate that talent to build the team, and keep them happy and well paid enough to stick around.
What are the top 3 things defenders should be worrying about today? What worries you the most personally?
Vulnerability Management: Cloudbleed, Dirty Cow, Image Tragic, Poodle, Heartbleed, Dirty Calf (I made that one up). It’s like there is a super scary Linux Kernel vulnerability every other week. How do our security incident responders fit into vulnerability management? Most of them want to focus on IR, not vulnerability management, and often vulnerability management is left flapping in the wind in organizations. There needs to be clear roles and responsibilities for vulnerability management within an organization, and defenders should be focused on detecting the attempts or exploitation of vulnerabilities within their environment.
Rapid Adoption of Cloud SaaS Products: In many organizations, the corporate server room is disappearing faster than blockbuster video stores did in the early 2000’s. It means that Tom in sales or Sally in finance might be procuring the latest and greatest new SaaS cloud tool. And they might be working outside of procurement. What does that mean for our defenders? There could be all types of corporate sensitive data, PII, cardholder data, or customer data in the Cloud, and you have no visibility in your monitoring tools. This is a macro problem greater than adding more log data to your SIEM. How can you defend against attacks on your company outside of your company or outside of your visibility? Certain tools like CloudLock are useful here, but half the challenge is just figuring out what your company is using in the Cloud, before even thinking about monitoring of the activity. This is where your risk, controls and compliance team comes in handy to regard certain gates for third party vendor due diligence, and should engage our defenders as part of this.
It’s the Data Stupid: Often, defenders can lose sight of what we are really trying to protect: the data. Yes, it might be about the availability of the data, or confidentiality of the data, or integrity of the data. But it’s about the data. When developing a plan to defend with an security IR orchestration platform like Komand or SIEM tools like SumoLogic, Splunk, or ELK remember what’s ultimately important: protecting the data.
What advice would you give to someone getting started in security?
Don’t specialize too early. There are emerging roles in information security incident response, threat intelligence, security engineering, security architecture, risk and compliance, and vulnerability management. Get exposure to as many of these disciplines as you can, because they are different enough on their own, and important enough together for you to focus your attention.
For example the success of a security IR program, could be completely dependent on business processes or customer driven requirements. Information Security is still raw in a company’s business plan - it’s not like Finance, or Sales or Marketing that have been around forever. And you need to develop a skill set that has the right mixture of technical aptitude, business awareness, communication skills, and friend making.
What do successful security processes look like? For daily workflows, but also from a strategic standpoint?
A successful security process is one that is operating in concert with the business, recorded, and resolved timely.
A strategically successful security process is where there is a clear alignment between security, the business, and executives on the level of security investment required for the risks presented at the organization.
In sum, Brian teaches us to never settle, and to gain experience in as many areas as possible.
If you enjoyed this interview, you can check out other inspirational thoughts from fellow defenders: