Threat Intelligence

4/28/2017
12:30 PM
Paula Greve
Paula Greve
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

A Day in the Life of a Security Avenger

Behind the scenes with a security researcher as we follow her through a typical day defending the world against seemingly boundless cyberthreats and attacks

Some days it can seem like cybersecurity is an endless line of attacks and breaches, wrought by powerful adversaries from down the street or around the globe, not unlike a superhero movie. Security teams are kept busy dealing with the latest threats, disclosures, and patches, aided by increasingly powerful tools to detect threats, correct compromised systems, and generally protect the organization.  

For me and my researcher colleagues in the industry, defense is a boundless task, fighting against more than 600 million pieces of malware, ransomware, and other cyberattacks. But like other professions, my day typically starts with a meeting.

Image Source: Grigoriy Pil via Shutterstock
Image Source: Grigoriy Pil via Shutterstock

7:00 – 9:00 AM: Morning Sync-up with Team
The team that I lead is largely remote, so first thing in the morning is an online sync-up with them. What is going on, what have they seen? Sometimes the meetings are 15 minutes, other times they can take a whole hour – it depends on what is going on and what needs to be addressed.

We work with machine learning and other analytics to identify changes in traffic patterns, pulling in various threat intelligence data and identifying any correlating events in our customer traffic. These morning meetings are focused on uncovering reasons for changes and interesting anomalies, as well as identifying and classifying new threats.

There is too much for any one person to keep track of, so collaboration is vital as threats appear, grow, and evolve. This enables the team to identify which areas are of concern, what we should dig into, and what we need to escalate to other teams for further action and investigation. I generally collaborate with other internal researchers – there are dedicated URL researchers, file researchers, threat intel researchers. However, for McAfee, the spheres of collaboration have grown from our internal team to encompass customers, external threat researchers, other security vendors, law enforcement organizations, and government agencies.

Threat intelligence sharing, which began with academic researchers and high-threat industries such as finance and information technology, today has expanded into most major industries. In the U.S., the National Council of Information Sharing and Analysis Centers (ISACs) has 24 members who collect, analyze, and disseminate actionable threat information to their members and provide tools to mitigate risks and enhance resiliency. More recently, we helped found the Cyber Threat Alliance, a group of cybersecurity practitioners working together to share threat information and improve defenses. Intelligence sharing and collaboration across boundaries are now essential components of cybersecurity.

9:00 – 9:30 AM: Catchup on the latest Security News
Unless there is a major security breach, massive new threat or other emergency, I spend some time reviewing the latest internal and external news from security researchers. I’m also interested in understanding what our research teams are seeing, responding to questions from our customers, reviewing new security exploits being posted, and hearing updates on the ongoing battle with ransomware and how this impact our customers.

I will do my own investigations over the course of the day into how this new information changes how we look at the overall picture, and how new tools, techniques or procedures impact our existing models. This is not something I just take on by myself; I partner with members of my team and other researchers. But I definitely get hands-on, which means diving into the data, analyzing an attack to find out where intruders were going, how they got in, and what additional data we need to answer questions about where our protection strategies fell short. My research also examines the geographic range of the threat to see if it is limited to just a few customers or is more widespread.

9:30 AM – 4:00 PM Collaboration & Planning
The bulk of my workday is spent with other researchers around the company. This is a mix of meetings, less formal discussions, and in-person or online collaboration. We typically discuss whether product features and capabilities are adequate to the job at hand, and whether we have the technical skills to meet the evolving challenges. This is also when we plan for the future, answering questions such as how do we scale the system to handle the new amount of data that we need, how do we ensure that our data is protected and meets customers’ privacy expectations, and what missing data do we need to collect from our point products, or from our threat intelligence sharing activities?

Daily Challenges & Rewards
The most frustrating part of my day is knowing that when we miss something, someone else will have a very bad day. Every hour we are protecting people worldwide from over 600 million pieces of malware, seven million types of ransomware, and a wide range of other attack types. Still, every day I think about how I can do better, how my department can do better, and how we can help our customers do better. And then I get to apply my skills and experience, keeping the world safe from hackers!

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Related Content:

 

Paula Greve has over 20 years of experience within the field of cybersecurity. She has extensive knowledge of web threats and how they are used to infiltrate systems at the workplace, in the home, and on the mobile devices. She is currently leading the data science team ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jacobarch02
100%
0%
jacobarch02,
User Rank: Apprentice
5/3/2017 | 2:35:23 AM
Great Post
NIce work I really appreciate your work. Thanks for posting this article.
L2k4fc
50%
50%
L2k4fc,
User Rank: Apprentice
5/2/2017 | 2:21:04 AM
Nice article
This doesn't sound like work to me [of course it is though], it sounds like a very fun and rewarding way to spend your day.  
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15380
PUBLISHED: 2019-02-20
A vulnerability in the cluster service manager of Cisco HyperFlex Software could allow an unauthenticated, adjacent attacker to execute commands as the root user. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by connecting to the cluster serv...
CVE-2019-3474
PUBLISHED: 2019-02-20
A path traversal vulnerability in the web application component of Micro Focus Filr 3.x allows a remote attacker authenticated as a low privilege user to download arbitrary files from the Filr server. This vulnerability affects all versions of Filr 3.x prior to Security Update 6.
CVE-2019-3475
PUBLISHED: 2019-02-20
A local privilege escalation vulnerability in the famtd component of Micro Focus Filr 3.0 allows a local attacker authenticated as a low privilege user to escalate to root. This vulnerability affects all versions of Filr 3.x prior to Security Update 6.
CVE-2019-10030
PUBLISHED: 2019-02-20
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
CVE-2019-10030
PUBLISHED: 2019-02-20
A exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through anoth...