February 26, 2014, 4:17 PM — In our post-Snowden world, with daily headlines about domestic spying and wholesale surveillance by U.S. intelligence agencies, the job of 'intelligence officer' has lost a bit of its shine. Unless you work in the cyber security industry, that is, where time as a computer operations expert for one of the government's "three letter" agencies is burnishing resumes and prospectuses like never before.
Mike Rothman, analyst, Securosis, via a panel discussion focused on incident response at RSA Conference, 2014
At the RSA Security Conference this week, companies large and small are trumpeting the spy-agency connections of their senior staff. Startups in areas like 'threat intelligence' and endpoint protection tout their executives' experience at three-letter agencies as a precursor to conversations about the scourge of advanced threats and attacks.
But the bigger story about cyber talent, at RSA and elsewhere, is one of scarcity rather than abundance. Finding experts with experience identifying and analyzing sophisticated cyber threats is a herculean task. Hiring them is even harder, and few organizations can afford an internal team of cyber forensic experts to stand at the ready.
In its Annual Security Report for 2014 (reg required), Cisco Systems found that the problem of sophisticated and stealthy compromises is exacerbated by a shortage of more than one million security professionals worldwide. "Most organizations do not have the people or the systems to continuously monitor extended networks and detect infiltrations, and then apply protections, in a timely and effective manner," according to the report.
"The number one issue I hear is 'we can't find the people,'" said Mike Rothman, an analyst at the firm Securosis. "And I'm talking about guys who can configure IPS (intrusion prevention system) boxes, not malware analysis," Rothman said. He was speaking on a panel discussion focused on incident response at an event hosted by the investment-banking firm Americas Growth Capital on Monday.
The answer, increasingly, is to turn to the cloud for help. Recent years have seen the rise of companies like CrowdStrike, which marry endpoint- and network-behavior monitoring for 'indicators of compromise' with data analytics services hosted in the cloud.
That approach has merits, especially as IT environments have become more open and user activity is no longer confined to a limited set of endpoints deployed behind a corporate firewall. But threat intelligence services have their limits, particularly when it comes to threat mitigation. Security pros note that meaningful mitigation recommendations demand context about the environment being protected: an indicator of compromise says that something was seen, not what it means for a given network or what to do about it.
"There's a lot of interesting innovation of what's going on with threat intelligence," said Ted Julian, the Chief Marketing Officer at Co3 Systems. "But all of that only matters if you can act on it. This is complicated stuff, and it requires a very different set of skills."
Co3 offers a web-based software platform that allows companies to take threat intelligence and inputs from other security tools, such as security information management tools, and create a detailed incident response plan that is specific to that company.
This week's RSA Security Conference is highlighting offerings from a number of other security firms that address different parts of what's generally termed 'incident response.' These new offerings – think of them as 'spooks as a service' – typically combine some degree of network and endpoint monitoring with a cloud-based management platform to gather and analyze data against data aggregated from other customers and third-party threat intelligence. Advocates see the new services as one way to address an acute shortage of cyber talent.
The security firm FireEye is one of the most prominent players to pursue the 'spooks as a service' model. It made headlines when it tapped some of the equity from its recent public offering to snap up the incident response firm Mandiant for roughly $1 billion. Mandiant made a name for itself pursuing so-called "advanced persistent threat" (or APT) actors on behalf of government agencies and high-profile companies.
FireEye recently unveiled a hosted security service, the FireEye Security Platform, which combines endpoint- and network-based protection with cloud-based "monitoring and protection services" in which security analysts from FireEye will "actively hunt for adversaries to find and stop attacks as they begin to unfold."
Smaller startups are getting into the business as well.
J.J. Thompson of the IT risk management firm Rook Consulting, based in Indianapolis, said he has seen his company's business expand rapidly in recent months from tailored consulting engagements to more standardized endpoint monitoring for malicious activity and hands-on incident response.
Rook's customers – many of them large companies – simply don't have the staff or expertise to be able to conduct sophisticated investigations of malicious software on their networks, Thompson said.
Cybereason, a Cambridge, MA-based startup, is another company promising help with threats that slip past so-called 'border defenses' and can lurk undetected for days, weeks or months on compromised networks.
The company launched earlier this month and is headed by Lior Div, a former Israeli intelligence agent. He says that most current cyber security products are focused on addressing either the early stages of an attack – as attackers try to penetrate a company's defenses – or the final stages of an attack: as hackers attempt to make off with sensitive data.
In contrast, Cybereason attempts to understand the entire 'malop' (malicious operation) using lightweight endpoint agents that continuously monitor endpoints. The data that is collected is channeled back to Cybereason's cloud-based platform where, Div says, the company analyzes it using proprietary data analytics and the insight of high-caliber malware experts and reverse engineers, many (like Div himself) trained in the Israel Defense Forces (IDF).
Another, Cyphort, launched on February 18 and is being marketed as a tool to combine multi-platform threat detection with machine learning technology and other correlation tools to help security teams identify attacks and help fix them. CTO Ali Golshan said most of Cyphort's existing customers already own FireEye's technology, but are hungry for more context about an attack – is it nuisance adware or a data stealing Trojan – as well as specific instructions on how to remove the threat.
The appearance of hosted cyber forensics and incident response is another phase of an ongoing migration of security intelligence to the cloud, says Wendy Nather, an analyst at The 451 Group.
In some cases, the services are just an expansion of existing managed security services, or a formalization of the kinds of ad-hoc engagements that cloud providers would have with their customers. "Companies like Rackspace have been doing incident response for their customers forever," Nather said. "It wasn't part of their contract, but they did it because customers couldn't do it themselves."
Nather said that hosted incident response services definitely have an audience, but that challenges remain. The services can be difficult to scale. And, while pretty much every company that's hacked is looking for help identifying and removing the threat, not all companies are as keen to do the kind of extensive root-cause analysis that cyber forensic experts might prefer. "You need to figure out how far the customer is willing to go to deal with it," she said.
But Julian of Co3 said that even small firms need tools to help them fully understand the ripple effects of security incidents and how they can impact a company. "Our industry tends to focus on endpoints and malware, but even small organizations need to understand that that's not the beginning and end of the threat," Julian said.