Working: Cyber Secur1ty Ch1ef Locks It Down
Imagine a nationwide crime wave occurred overnight. Suddenly every single business needs metal shutters, razor wire, motion activated lights, security cameras and an off-leash Doberman.
That's basically what has happened in the e-commerce world over the last 25 years. Now that every business is dependent on networked computers the threat of invasion is total and permanent.
A whole cyber security industry has grown up to protect businesses (and government) from attacks on their servers, and it's only getting bigger and more complicated.
Verizon, Sony, Equifax, Capital One...Every big data breach is a wake-up call to the public, but it's just another day the office for someone like Sean Ventura. He's the Chief Information Security Officer at Atmosera, a managed services company which specializes in Microsoft's Azure cloud. Azure and Amazon Web Services are the Pepsi and Coke of cloud computing. GCP (Google Cloud Computing) is the other platform, perhaps the Red Bull. There's also Alibaba Cloud in China, owned by Alibaba, but that's another story.
Ventura has the double role of being a cyber security expert for Atmosera's clients, and for the company he works for. He has to watch networks around the world, and the one around his cubicle.
Businesses have stopped having their own tech teams to manage machines in their server closet. More and more they are outsourcing them to cloud management companies such as Atmosera. (Atmosera offers Azure, Private Cloud and Hybrid Cloud, but let's just call it cloud.)
He estimates 65% of his time is spent on worrying about his clients' networks, the rest on Atmosera's. Standing at his workstation, which is stripped down to a ThinkPad and a monitor, Ventura looks at a dashboard that shows threat levels as a real time point graph, or he can switch to a map of the world. There he sees pie charts above certain cities. A dark sector shows someone has unsuccessfully tried to log on to a network. A light sector means they were successful. He points to the dark circle over Moscow.
He knows they have no clients in Russia or China.
"What we're looking for is where they're coming from. So, here's a failed (login) from Russia.... Failures we are less concerned with. If we suddenly saw a success from Russia, different conversation. At that point, we're like, 'Hey, let's go talk to the user.'"
(Also, two or three fails is nothing. It could be just someone having a hard time remembering their password. Thirty or forty means it's a concerted attack. In any case, the computer logs every keystroke.)
This means someone is trying to log in when they shouldn't.
The likely explanation? An executive is
traveling, or someone has shared their user name and password. In another case, a user logged in in Indiana and then five minutes later in India. Again, it was probably password sharing.
The datasphere has created "log fatigue."
The tools he uses include vulnerability scanning, patching solutions and machine learning analytics. Machine learning drives the user behavior analytics engine, in order to analyze all of the data. It logs 700 million such actions per month - more than any human could ever sort through. But the software can see anomalies like the Indiana user's apparent time travel and flag them.
"Humans are data hoarders by nature. And so, in the security field, one of the things that we struggle with is how do we parse that data?"
Hard NOC life
That's when a human sees them in the NOC (pronounced NOCK). The network operations center is room where network analysts sit at high desks managing traffic and fixing anomalies. They are pretty much entry-level workers here, most coming out of Computer Science degrees. In ascending order, the hierarchy goes: security analyst (looking at data); security engineer (implementing tools); security architect (the bigger picture) and chief information security officer (the strategic visionary).
Risk is on a continuum. Heavily regulated companies and those under strict compliance, such as banks and merchants that take credit cards (under the Payment Card Industry Data Security Standard), spend the most on cyber security.
"To a non-regulated company that might have three people because they're they have intellectual property that they want to protect, it tends to be a business decision. What kind of risk do you want to take?...I've seen companies where they have systems engineers who are very security focused, and so they don't necessarily need it, or feel they need us again in person. It may be you have someone come in, you know, once a quarter or every year and kind of a checkup, let's see how you're doing."
He adds, "Security is not a yes-no. It's not a binary choice. It's really about a risk analysis. Everything we do is about what is the risk to your data? What's the risk to your organization? And then it becomes a business decision. You can make a decision to be a little bit more risky."
As is common in customer service, they use a ticketing system to perform investigations and fix problems. "Hot" events are happening right away, such as a compromised account or data leaving the organization. That takes a phone call to the client from their 24/365 operation.
"Even though machines can recognize patterns, sometimes it takes a human to delve a little bit deeper to provide context around that."
They try to avoid alert fatigue too, "That's where you produce so much alerting and so much noise that people stop paying attention. We don't do robocalls."
"In the ultimate security world, you'd have a computer that's locked in a room that nobody can touch. Completely useless. So it's a balance of active security versus usability."
Ransomware is hot and growing. That's where a hacker locks up your computer unless you pay a ransom. If you don't pay, they move on and you lose your files. They're not stealing your data to sell, they're just kidnapping it.
"Ransomware is a very low cost, high return. A couple of years ago, the FBI put out a notice that said it's probably better to pay the ransom. And if you think about it, it's usually not a lot of money, in the business world."
For a big company or a municipality, it might be tens of thousands of dollars. For a mom and pop or an individual it might be $300. He's seen some as low as $120.
"Is it worth the time to try to recover your backups? Or just pay the $120 bucks and you're off?"
"I was reading that ransomware operations have some of the best customer service in the world because they're available all the time. They want to make it easy for you to give them money. They don't want grandma to have to figure out how to operate a Bitcoin. They've got an 800 number and walk you through it that way they get theirs and they're done."
The best defense against ransomware is having good backups that are not connected to another system.
"Sixty percent of companies that lose their primary data are out of business. Sometimes it's just as easy as, take your files and copy them off onto a little external hard drive and lock them in a drawer."
The building is in an office park in Beaverton, all beige cement and dark windows. The company started out as a regional ISP called Easy Street. Eventually they were asked to host servers, colocation, and then private cloud services. Walking around the building, there are servers behind glass that are under the highest security, and include clients such as government agencies that store tax information. Then there are colocation racks, divided into hot and cold (literally) and where people can come in and attend to their own machines.
Ventura says it common now for a software startup to come to him and say they want to outsource all the IT work, so they can use laptops and focus on making their product. They're paying for Atmosera to manage the hardware, the operating systems, the virtual machines, and the risk. He reminds them that security is always shared: They have to change their password and use screensavers. (His own kicks in about every five minutes.)
The company achieved an expert status with Microsoft and Azure after a long auditing process, and became one of their top 50 partners.
"The reason that we are one of them is because Microsoft doesn't want egg on their face, right? We really showed that we could take it to the next level for the company."
Microsoft supplies leads, but Ventura's team also makes a lot of cold calls. "People are just out there calling companies, 'Hey, what, what are you looking at in cloud? How can we help?'"
They sell them on managing the shift to the cloud, which is complex and changes systems engineering, security, and the way you manage your resources.
He says it's usually the CEO or CTO who makes the call to switch to the cloud. He notes that CEOs tend to listen to outsiders more than their own staff, simply because they are paying them. Ventura likes explaining to non-technical CEOs in plain English. "There's a lot of talk about castles," he says with a chuckle.
"'Castle' is a good analogy that we've used, and houses. You want to lock your doors, lock your windows. You lock your valuables in a safe, you don't leave your jewels sitting out in front of your bay window, and then leave the window open. So it becomes more of a business risk conversation than a technical risk."
He says the Capital One hack hurt the reputation of Capital One, more so than Amazon's, which just provided the cloud servers. The hacker herself seemed like she was "making a cry for help," because she bragged about it online.
The hacker took data (breached, but not exposed) after she had left Amazon. It was encrypted but she had the keys to decrypt it as part of her unauthorized access. She could have sold it but didn't do anything with it. Cloud providers and hosts want the data owner to encrypt everything and keep the keys. They don't want to see it, to reduce risk.There's a shift from protecting the computer to protecting the identity of the person using it.
"Fingerprints, eyeballs, typing patterns, heart rate patterns, biometrics that watch how people walk...." Whatever it takes to minimize human error. "We joke about lick pads," he chuckles. "If I have to do a 10-minute mediation to reach the right heart rate before I can log into my computer, I can handle that."
Ventura is on a CISO Alliance, where they meet quarterly and swap war stories, and collaborate. "Even with competitors. If I was developing a security product, I would probably be a little bit more cautious about what I what I provided. But I'm a consumer of tools. So there's very little that I would give away that would be considered a competitive differentiator."
His basic desk tools are Slack and Outlook. The more technical tools, such as Incident Detection Response (IDR), are more like dashboards. On this day there are 11 investigations going on. Russia and China are easily the most trouble. He worked at a steel company and Chinese hackers were always trying to get their metallurgical formulae. "It was more economic for them to hire out people away." In Russia it's more ransomware.
His day begins checking up on investigations and answering client emails. He manages one person here, compared to 27 in the metalwork job.
"In the security space it's just about how do you reach that balance of the security and the business, and then from a personal side, letting things go? Because from a security perspective, I could sit up all night worrying about stuff right now."
WHAT'S A CISO?
A chief information security officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.
Managed service provider, cloud and security
Ownership: Private equity
FTE: 70 (58 in Beaverton, 1 in Hawaii, 1 in Texas, and 10 at a data center downtown)
Where: 9705 S.W. Sunshine Ct., Beaverton
Reporter, The Business Tribune
Follow us on Twitter, Facebook and Instagram
Subscribe to our E-News
You count on us to stay informed and we depend on you to fund our efforts. Quality local journalism takes time and money. Please support us to protect the future of community journalism.