Garrett Gross Director, Field Enablement at AlienVault. We interviewed Garrett to get a sneak preview of his Keynote talk at BSides Chicago July 15. If you haven't yet, register to attend!
Question: You work with a lot of different customers on a daily basis. How would you describe the consensus of how people are feeling about InfoSec in business right now? Are you seeing any signs of battle fatigue, with all this recent Ransomware activity?
Much like fashion and pop culture, InfoSec goes in cycles. We’ve seen trends like this before, with viruses, worms, and RATs. Ransomware and Ransomware-as-a-Service are just the next new trend. Veteran InfoSec pros are accustomed to this pressure to learn and adapt quickly. Now, IT generalists are a different story. Especially in mid-size businesses and businesses that have very limited or no dedicated InfoSec staff, IT generalists are having a terrible time dealing with the stress of Ransomware prevention and incident response. It is becoming overwhelming.
Question: The defender does have some disadvantages against the attacker in most situations, including companies defending their infrastructure and business. What advice would you give to Blue Teamers?
This is a huge hurdle. The defender must be successful 1000/1000 times and the attacker only must be successful 1/1000 times. I urge Blue Team defenders to be constantly vigilant in their jobs and focusing on the basics. Use the right technology for prevention, detection and incident response, focus on process, embracing security advocacy and leveraging the InfoSec community for help and support.
Question: How critical is emerging technology, such as Machine Learning, for the typical business trying to maintain a robust security posture?
ML/AI is definitely compelling and, in the right hands, can be a very powerful tool for correlating data. However, for the ‘typical business’ (small IT/security team), it usually ends up being a distraction. Whats important for most IT teams are the basics – threat detection, endpoint protection, user training, and security advocacy.
Question: The InfoSec community is pretty helpful to new folks. What advice would you give to InfoSec newbies?
Don’t be afraid to ask questions. Most tenured security pros love nothing more than empowering and educating the next generation. There is a robust InfoSec community that includes Twitter, LinkedIn groups, Open Threat Exchange (OTX), various vendor forums and even Reddit as resources. There are also inexpensive regional conferences like BSides, as well as the bigger cons like RSA, DefCon and Black Hat. Get out there an engage with the community!
Question: Tell me a little about information sharing methods and strategies in InfoSec.
Historically in InfoSec, especially in financial and defense industries, there’s been an extreme reluctance in sharing telemetry on attacks; some folks would even see this an “admission of guilt”. However, we now feel that the pros outweigh the cons in sharing threat information, as the value of the shared information coupled with a unified front of defenders is a game-changer. In addition, open source offerings and technologies like TAXII, STIX and CybOX are opening the door for more effective threat information sharing by standardizing the data.
Question: What are the most significant problems you are seeing in the customers you work with on implementing and upgrading their security posture?
So many problems… First, there’s the proclivity to think that security is “set and forget”. It isn’t. And - relying on technology alone as an indicator of compromise is terrible. You need data and qualified InfoSec professionals – not just products. If you don’t have qualified InfoSec pros – consider a Managed Security Service Provider (MSSP). Second, is the mentality of “I haven’t been attacked yet, I must not be a target, so I don’t need to invest in information security.” This is usually reinforced by the perception that security is too expensive and supported by those that control the pocket books. Unfortunately, we find time and time again that the financial repercussions of a successful breach (stolen data, consumer confidence, regulatory fines, etc) heavily outweight the cost of investing in the right people and technology.
Question: In your opinion, what’s the best career path to get into InfoSec?
I see two basic paths. One applies to security operations. You start out as a sys admin or network engineer, learn the underlying technology, and become active in the InfoSec community as you go. Then, transition into a full time role as a jr analyst or something similar. The other path, if you’re more interested in studying the code behind these attacks, is to get a computer science degree and find a job on a research and development team at a SOC, MSSP, or even an intelligence vendor.
If you haven’t registered for BSides Chicago yet, it’s not too late! Register now!!
