Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:53 PM
Connect Directly

The Changing Face Of The IT Security Team

Big data means big changes in the makeup of IT security teams at large vendors and enterprises

For a peek at the IT security team of the future, consider the team at Cisco Systems or at OpenDNS: In both firms, the security team includes not only malware experts and researchers, but also data scientists who lack any security expertise whatsoever.

The surge in "big data" resources for vendors and large enterprises -- a growing trend toward gathering internal event logs and external threat-intelligence feeds -- has pressured some organizations to rethink the type of expertise they need in their IT security departments. Enter the math majors, most of whom weren't schooled in Stuxnet or botnet traffic.

When Dan Hubbard, CTO at OpenDNS, started at his post two years ago, one of his goals was to rethink the composition of a security research team. "One of the goals was to rethink if you could restart a security research team, what would be the absolute things you have to have to be competitive?" Hubbard says.

OpenDNS built on the existing team that was in place, but added a new generation of members. "Instead of hiring [more] reverse engineers or malware researchers, we decided to augment [those experts] ... [with] data scientists who understood massive amounts of data," Hubbard says. That also meant adding algorithmic experts with Ph.D.s in machinery and graph theory, as well as some who have worked in genome research or fields unrelated to cybersecurity, he says.

The first fruit of OpenDNS's new-age team was its Security Graph, a service for security researchers that provides them with access to OpenDNS's Internet and DNS traffic data and analysis. The idea is to provide researchers with a more global view of malware, botnets, and advanced threats rather than just a snapshot or slice of the activity.

[Red October, PayPal phishing campaign connection discovered via new OpenDNS service for researchers. See OpenDNS Offers Security Researchers Free Service For Tracking Cybercrime, Cyberespionage.]

Today, one-third of OpenDNS's security team are traditional "security geeks" or experts, and one-third are data scientists who work on math problems to analyze all of the data, Hubbard says.

Cisco also has expanded its security team with algorithmic experts in its Threat Research, Analysis, and Communications (TRAC) group. "We have a whole side of the team comprised of data scientists ... They have no backgrounds in security," says Levi Gundert, technical lead of the Cisco TRAC team. "Data is data to them. At the end of the day, we're driving the use case for them, but they are managing the models and tools to quickly pull back data for analysis in an automated fashion."

Gundert says the gap between the cultures -- mainly how the two worlds can speak different languages in the context of security -- is a work in progress. "When we increase communication and the opportunities to communicate, we're seeing a lot more success," he says. "Without that, a lot gets lost in translation when shooting emails back and forth."

He says the teams hold weekly phone calls to ensure both sides are understanding one another.

Times are changing for security geeks as big data and threat intel-sharing become part of the picture. No longer can the teams work in isolation: "The days of siloing teams has to go away. Even within research teams, you find a Web team, a vulnerability team, and an email team -- they all need to come together," OpenDNS's Hubbard says.

Much of security research leads to protection when a new threat is discovered. Data scientists take a different approach: "A lot of the data scientists we have hired are looking at a problem before the attack happens," he says.

Pairing the security researcher and the data scientist is a powerful combination. "You've got someone who knows a ton about the security space and how threats work, and then you've got the math/data science person" working on crunching the data and they "feed off each other," Hubbard says.

When OpenDNS teamed up with Kaspersky Lab to study the Red October attacks targeting diplomatic entities mainly in Eastern Europe and Central Asia, Kaspersky Lab had malware samples that they had reverse-engineered. "They are really good at that kind of stuff -- they had recompiled the binary, but didn't have the data or breadth of the network ... so we helped build that."

That hunger for security intelligence from internal logs and external threat-gathering services goes hand-in-hand with what many experts consider the Holy Grail of security: continuous monitoring, where organizations watch each and every move that goes on in and out of their networks in hopes of catching the bad stuff before it does real damage.

Tenable CEO and CTO Ron Gula says this need for big data gathering and crunching expertise has a lot to do with the evolution toward continuous monitoring. "I only see data scientists with bigger companies -- with 10,000 and up or 5,000 and up employees -- not at SMBs," Gula says. "Big Fortune 500s and government agencies can measure their networks in real time and measure patch rates, for example, or tell you the number of systems patched within the last five days for the past 90 days."

That's what data scientists do, he says. "In my opinion, the reason [organizations] are doing [data science] is because they are moving toward continuous monitoring," Gula says.

OpenDNS's Hubbard sees large enterprises gradually moving toward data scientists in their security teams as well, but to solve somewhat different problems than OpenDNS, Cisco, and other vendors are solving. A large enterprise security operations center typically has experienced cyberattacks for more than a decade and, in the process, purchased all different types of security tools to defend its environment. "In many cases, they have not deployed it right, and many of these solutions are disparate systems, and there's an information gap between all of them," Hubbard says.

So some use tools like Splunk, for example, but many are struggling to apply context to the data they're gathering. "Even with all of those pulling data into one central data store, it's hard to understand that the receptionist's computer is infected or the CEO's computer" has been compromised, he says.

"The attacks are not identified and correct context isn't applied to them," he says. "Companies are hiring a big data scientist due to the business intelligence" they need to correlate, he says.

"It's about turning data into information. Getting access to data is not hard. Applying the appropriate context to it is really important," Hubbard says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...