Some days it can seem like cybersecurity is an endless line of attacks and breaches, wrought by powerful adversaries from down the street or around the globe, not unlike a superhero movie. Security teams are kept busy dealing with the latest threats, disclosures, and patches, aided by increasingly powerful tools to detect threats, correct compromised systems, and generally protect the organization.
For me and my researcher colleagues in the industry, defense is a boundless task, fighting against more than 600 million pieces of malware, ransomware, and other cyberattacks. But like other professions, my day typically starts with a meeting.
7:00 – 9:00 AM: Morning Sync-up with Team
The team that I lead is largely remote, so first thing in the morning is an online sync-up with them. What is going on, what have they seen? Sometimes the meetings are 15 minutes, other times they can take a whole hour – it depends on what is going on and what needs to be addressed.
We work with machine learning and other analytics to identify changes in traffic patterns, pulling in various threat intelligence data and identifying any correlating events in our customer traffic. These morning meetings are focused on uncovering reasons for changes and interesting anomalies, as well as identifying and classifying new threats.
There is too much for any one person to keep track of, so collaboration is vital as threats appear, grow, and evolve. This enables the team to identify which areas are of concern, what we should dig into, and what we need to escalate to other teams for further action and investigation. I generally collaborate with other internal researchers – there are dedicated URL researchers, file researchers, threat intel researchers. However, for McAfee, the spheres of collaboration have grown from our internal team to encompass customers, external threat researchers, other security vendors, law enforcement organizations, and government agencies.
Threat intelligence sharing, which began with academic researchers and high-threat industries such as finance and information technology, today has expanded into most major industries. In the U.S., the National Council of Information Sharing and Analysis Centers (ISACs) has 24 members who collect, analyze, and disseminate actionable threat information to their members and provide tools to mitigate risks and enhance resiliency. More recently, we helped found the Cyber Threat Alliance, a group of cybersecurity practitioners working together to share threat information and improve defenses. Intelligence sharing and collaboration across boundaries are now essential components of cybersecurity.
9:00 – 9:30 AM: Catch-up on the Latest Security News
Unless there is a major security breach, massive new threat or other emergency, I spend some time reviewing the latest internal and external news from security researchers. I’m also interested in understanding what our research teams are seeing, responding to questions from our customers, reviewing new security exploits being posted, and hearing updates on the ongoing battle with ransomware and how this impacts our customers.
I will do my own investigations over the course of the day into how this new information changes how we look at the overall picture, and how new tools, techniques or procedures impact our existing models. This is not something I just take on by myself; I partner with members of my team and other researchers. But I definitely get hands-on, which means diving into the data, analyzing an attack to find out where intruders were going, how they got in, and what additional data we need to answer questions about where our protection strategies fell short. My research also examines the geographic range of the threat to see if it is limited to just a few customers or is more widespread.
9:30 AM – 4:00 PM: Collaboration & Planning
The bulk of my workday is spent with other researchers around the company. This is a mix of meetings, less formal discussions, and in-person or online collaboration. We typically discuss whether product features and capabilities are adequate to the job at hand, and whether we have the technical skills to meet the evolving challenges. This is also when we plan for the future, answering questions such as how do we scale the system to handle the new amount of data that we need, how do we ensure that our data is protected and meets customers’ privacy expectations, and what missing data do we need to collect from our point products, or from our threat intelligence sharing activities?
Daily Challenges & Rewards
The most frustrating part of my day is knowing that when we miss something, someone else will have a very bad day. Every hour we are protecting people worldwide from over 600 million pieces of malware, seven million types of ransomware, and a wide range of other attack types. Still, every day I think about how I can do better, how my department can do better, and how we can help our customers do better. And then I get to apply my skills and experience, keeping the world safe from hackers!