Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/28/2017
12:30 PM
Paula Greve
Paula Greve
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

A Day in the Life of a Security Avenger

Behind the scenes with a security researcher as we follow her through a typical day defending the world against seemingly boundless cyberthreats and attacks

Some days it can seem like cybersecurity is an endless line of attacks and breaches, wrought by powerful adversaries from down the street or around the globe, not unlike a superhero movie. Security teams are kept busy dealing with the latest threats, disclosures, and patches, aided by increasingly powerful tools to detect threats, correct compromised systems, and generally protect the organization.  

For me and my researcher colleagues in the industry, defense is a boundless task, fighting against more than 600 million pieces of malware, ransomware, and other cyberattacks. But like other professions, my day typically starts with a meeting.

7:00 – 9:00 AM: Morning Sync-up with Team
The team that I lead is largely remote, so first thing in the morning is an online sync-up with them. What is going on, what have they seen? Sometimes the meetings are 15 minutes, other times they can take a whole hour – it depends on what is going on and what needs to be addressed.

We work with machine learning and other analytics to identify changes in traffic patterns, pulling in various threat intelligence data and identifying any correlating events in our customer traffic. These morning meetings are focused on uncovering reasons for changes and interesting anomalies, as well as identifying and classifying new threats.

There is too much for any one person to keep track of, so collaboration is vital as threats appear, grow, and evolve. This enables the team to identify which areas are of concern, what we should dig into, and what we need to escalate to other teams for further action and investigation. I generally collaborate with other internal researchers – there are dedicated URL researchers, file researchers, threat intel researchers. However, for McAfee, the spheres of collaboration have grown from our internal team to encompass customers, external threat researchers, other security vendors, law enforcement organizations, and government agencies.

Threat intelligence sharing, which began with academic researchers and high-threat industries such as finance and information technology, today has expanded into most major industries. In the U.S., the National Council of Information Sharing and Analysis Centers (ISACs) has 24 members who collect, analyze, and disseminate actionable threat information to their members and provide tools to mitigate risks and enhance resiliency. More recently, we helped found the Cyber Threat Alliance, a group of cybersecurity practitioners working together to share threat information and improve defenses. Intelligence sharing and collaboration across boundaries are now essential components of cybersecurity.

9:00 – 9:30 AM: Catchup on the latest Security News
Unless there is a major security breach, massive new threat or other emergency, I spend some time reviewing the latest internal and external news from security researchers. I’m also interested in understanding what our research teams are seeing, responding to questions from our customers, reviewing new security exploits being posted, and hearing updates on the ongoing battle with ransomware and how this impact our customers.

I will do my own investigations over the course of the day into how this new information changes how we look at the overall picture, and how new tools, techniques or procedures impact our existing models. This is not something I just take on by myself; I partner with members of my team and other researchers. But I definitely get hands-on, which means diving into the data, analyzing an attack to find out where intruders were going, how they got in, and what additional data we need to answer questions about where our protection strategies fell short. My research also examines the geographic range of the threat to see if it is limited to just a few customers or is more widespread.

9:30 AM – 4:00 PM Collaboration & Planning
The bulk of my workday is spent with other researchers around the company. This is a mix of meetings, less formal discussions, and in-person or online collaboration. We typically discuss whether product features and capabilities are adequate to the job at hand, and whether we have the technical skills to meet the evolving challenges. This is also when we plan for the future, answering questions such as how do we scale the system to handle the new amount of data that we need, how do we ensure that our data is protected and meets customers’ privacy expectations, and what missing data do we need to collect from our point products, or from our threat intelligence sharing activities?

Daily Challenges & Rewards
The most frustrating part of my day is knowing that when we miss something, someone else will have a very bad day. Every hour we are protecting people worldwide from over 600 million pieces of malware, seven million types of ransomware, and a wide range of other attack types. Still, every day I think about how I can do better, how my department can do better, and how we can help our customers do better. And then I get to apply my skills and experience, keeping the world safe from hackers!

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Related Content:

 

Paula Greve has over 20 years of experience within the field of cybersecurity. She has extensive knowledge of web threats and how they are used to infiltrate systems at the workplace, in the home, and on the mobile devices. She is currently leading the data science team ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
L2k4fc
50%
50%
L2k4fc,
User Rank: Apprentice
5/2/2017 | 2:21:04 AM
Nice article
This doesn't sound like work to me [of course it is though], it sounds like a very fun and rewarding way to spend your day.  
jacobarch02
100%
0%
jacobarch02,
User Rank: Apprentice
5/3/2017 | 2:35:23 AM
Great Post
NIce work I really appreciate your work. Thanks for posting this article.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15001
PUBLISHED: 2020-07-09
An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when u...
CVE-2020-15092
PUBLISHED: 2020-07-09
In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Most T...
CVE-2020-15093
PUBLISHED: 2020-07-09
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A ...
CVE-2020-15299
PUBLISHED: 2020-07-09
A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is execu...
CVE-2020-4173
PUBLISHED: 2020-07-09
IBM Guardium Activity Insights 10.6 and 11.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure l...