Threat Intelligence

4/28/2017
12:30 PM
Paula Greve
Commentary

A Day in the Life of a Security Avenger

Behind the scenes with a security researcher as we follow her through a typical day defending the world against seemingly boundless cyberthreats and attacks

Some days it can seem like cybersecurity is an endless line of attacks and breaches, wrought by powerful adversaries from down the street or around the globe, not unlike a superhero movie. Security teams are kept busy dealing with the latest threats, disclosures, and patches, aided by increasingly powerful tools to detect threats, remediate compromised systems, and generally protect the organization.

For me and my researcher colleagues in the industry, defense is a boundless task, fighting against more than 600 million pieces of malware, ransomware, and other cyberattacks. But like other professions, my day typically starts with a meeting.

Image Source: Grigoriy Pil via Shutterstock

7:00 – 9:00 AM: Morning Sync-up with Team
The team that I lead is largely remote, so first thing in the morning is an online sync-up with them. What is going on, what have they seen? Sometimes the meetings are 15 minutes, other times they can take a whole hour – it depends on what is going on and what needs to be addressed.

We use machine learning and other analytics to flag changes in traffic patterns, pull in threat intelligence from a range of sources, and look for correlated events in our customer traffic. These morning meetings focus on uncovering the reasons behind those changes and other interesting anomalies, as well as identifying and classifying new threats.

There is too much for any one person to keep track of, so collaboration is vital as threats appear, grow, and evolve. It enables the team to identify which areas are of concern, what we should dig into, and what we need to escalate to other teams for further action and investigation. I generally collaborate with other internal researchers; there are dedicated URL researchers, file researchers, and threat intel researchers. At McAfee, however, the spheres of collaboration have grown beyond our internal team to encompass customers, external threat researchers, other security vendors, law enforcement organizations, and government agencies.

Threat intelligence sharing, which began with academic researchers and high-threat industries such as finance and information technology, today has expanded into most major industries. In the U.S., the National Council of Information Sharing and Analysis Centers (ISACs) has 24 members who collect, analyze, and disseminate actionable threat information to their members and provide tools to mitigate risks and enhance resiliency. More recently, we helped found the Cyber Threat Alliance, a group of cybersecurity practitioners working together to share threat information and improve defenses. Intelligence sharing and collaboration across boundaries are now essential components of cybersecurity.

9:00 – 9:30 AM: Catch-up on the Latest Security News
Unless there is a major security breach, massive new threat, or other emergency, I spend some time reviewing the latest internal and external news from security researchers. I am also interested in understanding what our research teams are seeing, responding to questions from our customers, reviewing new security exploits as they are posted, and hearing updates on the ongoing battle with ransomware and how it impacts our customers.

Over the course of the day I do my own investigations into how this new information changes the overall picture, and how new tools, techniques, or procedures affect our existing models. This is not something I take on by myself; I partner with members of my team and other researchers. But I definitely get hands-on, which means diving into the data, analyzing an attack to find out where the intruders were going, how they got in, and what additional data we need to answer questions about where our protection strategies fell short. My research also examines the geographic range of a threat to see whether it is limited to just a few customers or is more widespread.

9:30 AM – 4:00 PM: Collaboration & Planning
The bulk of my workday is spent with other researchers around the company. This is a mix of meetings, less formal discussions, and in-person or online collaboration. We typically discuss whether product features and capabilities are adequate to the job at hand, and whether we have the technical skills to meet the evolving challenges. This is also when we plan for the future, answering questions such as: how do we scale the system to handle the volume of data we now need, how do we ensure that our data is protected and meets customers' privacy expectations, and what missing data do we need to collect from our point products or from our threat intelligence sharing activities?

Daily Challenges & Rewards
The most frustrating part of my day is knowing that when we miss something, someone else will have a very bad day. Every hour we are protecting people worldwide from over 600 million pieces of malware, seven million types of ransomware, and a wide range of other attack types. Still, every day I think about how I can do better, how my department can do better, and how we can help our customers do better. And then I get to apply my skills and experience, keeping the world safe from hackers!

Paula Greve has over 20 years of experience within the field of cybersecurity. She has extensive knowledge of web threats and how they are used to infiltrate systems at the workplace, in the home, and on mobile devices. She is currently leading the data science team ...

Comments
jacobarch02 (User Rank: Apprentice), 5/3/2017 2:35:23 AM
Great Post
Nice work, I really appreciate your work. Thanks for posting this article.
L2k4fc (User Rank: Apprentice), 5/2/2017 2:21:04 AM
Nice article
This doesn't sound like work to me [of course it is though], it sounds like a very fun and rewarding way to spend your day.