At this week’s Exabeam Spotlight 2018 conference, its inaugural user conference, Steve Moore, chief security strategist, spoke with us about the latest issues facing security operations centers (SOCs), the changing definition of insider threat, and whether there’s any light at the end of the tunnel in terms of winning the cybersecurity war.
Moore spent the last two-and-a-half years building health care provider Anthem’s cybersecurity program post-breach. He also wrote Exabeam’s recent State of the SOC report.
In terms of insider threats, the definition has expanded beyond someone who works for you and means you harm, Moore said.
“The insider threat is, to me, somebody who means you harm or someone who is also compromised and is ignorant to that fact,” he said. “So Steve Moore means you no harm, but my credentials are stolen or I have malware on my machine, and now my electronic self is zipping about and being party to a potential breach. So the issue is that most organizations don’t understand internal attribution, so most are ignorant to the fact that if they have a compromised person who as a human soul means them no harm, but as an electronic entity that’s been compromised, that is an issue. You’re almost having to reteach … if there [are] innocent people involved.”
For his report, Moore spoke with SOC professionals across CISO, CIO, analyst and management roles, and found three key issues: too many alerts, a shortage of talent and a lack of technology.
“They have alert fatigue, which is not only overwhelming them, but causing them to miss what is important,” he said. “Fatigue leads to lack of prioritization, which is just sort of this muddled mess, which then leads to never really running down one thing completely. You’re just sort of halfway done with lots of things.”
And beyond the talent shortage, many respondents said the people they work with aren’t qualified enough, “so it’s not the fact that there’s an empty seat, but I’m in that seat and I’m not good enough to do the job,” Moore said.
“The next is technical debt … so the technology that we have is aged to the point where it is ineffective,” he said. “So we have this perfect storm that has arrived on our doorstep of too many alerts, not enough people, not enough qualified people, and we’re doing it with old tech. I can’t think of something that’s much worse.”
Moore’s advice: Do fewer things better. Pay attention to fewer alerts and identify current tech deficiencies, he said.
“And I’m going to tell all the executives this because right now, the state we’re in, we’re ineffective right out of the gate,” he said. “We’re garbage right now and we’re OK with it. We’re going to continue for a period of time being garbage, but out of that we’re going to do a few things very well. We need to work on prioritizing our work, prioritizing on the events and the triaging better, and then we’re going to collapse the time it takes us to perform those tasks.”
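The two points above, spotting the “compromised but innocent” insider by what the account does rather than who holds it, and collapsing a flood of alerts into a short, prioritized list, can be illustrated with a small behavioral-scoring script. The following is an added example written for this page; it is not Exabeam’s product logic or anything Moore described, and every detail in it is assumed: the event tuples are constructed sample logins (not real data), the field names, the scoring weights in `WEIGHTS`, and the 07:00–19:59 working window in `WORK_HOURS` are all arbitrary choices for illustration. It builds a per-user baseline of hosts, countries and resources from a history window, scores each new event only on deviations from that baseline, and then sums scores per user so the analyst triages a ranked handful of entities instead of every raw event.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real logs:
# (user, ISO-8601 timestamp, source host, country, resource accessed)
HISTORY = [
    ("smoore", "2018-05-01T09:12:00", "wks-smoore", "US", "mail"),
    ("smoore", "2018-05-02T10:03:00", "wks-smoore", "US", "wiki"),
    ("smoore", "2018-05-03T14:45:00", "wks-smoore", "US", "mail"),
    ("smoore", "2018-05-04T08:30:00", "wks-smoore", "US", "wiki"),
    ("jdoe", "2018-05-01T11:00:00", "wks-jdoe", "US", "crm"),
    ("jdoe", "2018-05-02T15:20:00", "wks-jdoe", "US", "crm"),
    ("jdoe", "2018-05-03T13:05:00", "lt-jdoe", "US", "mail"),
    ("jdoe", "2018-05-04T09:40:00", "wks-jdoe", "US", "crm"),
]

RECENT = [
    # smoore's credentials used from an unfamiliar host and country, at 03:00,
    # against resources the account never touched before (constructed).
    ("smoore", "2018-05-07T03:10:00", "vps-77", "RO", "hr-db"),
    ("smoore", "2018-05-07T03:25:00", "vps-77", "RO", "hr-db"),
    ("smoore", "2018-05-07T03:40:00", "vps-77", "RO", "finance-share"),
    # jdoe behaves exactly as the baseline predicts.
    ("jdoe", "2018-05-07T10:15:00", "wks-jdoe", "US", "crm"),
    ("jdoe", "2018-05-07T16:05:00", "lt-jdoe", "US", "mail"),
]

# Assumed weights: how much each kind of deviation from baseline contributes.
WEIGHTS = {"new_host": 30, "new_country": 40, "off_hours": 20, "new_resource": 25}
# Assumed working window (hours 07..19 inclusive).
WORK_HOURS = range(7, 20)

EMPTY = {"hosts": frozenset(), "countries": frozenset(), "resources": frozenset()}


def build_baseline(events):
    """Per-user sets of hosts, countries and resources seen in the history window."""
    base = defaultdict(lambda: {"hosts": set(), "countries": set(), "resources": set()})
    for user, _ts, host, country, resource in events:
        base[user]["hosts"].add(host)
        base[user]["countries"].add(country)
        base[user]["resources"].add(resource)
    return base


def score_event(baseline, event):
    """Return (score, reasons) for one event; only deviations from baseline score.

    A user with no baseline at all is treated as deviating on every dimension.
    """
    user, ts, host, country, resource = event
    b = baseline.get(user, EMPTY)
    reasons = []
    if host not in b["hosts"]:
        reasons.append("new_host")
    if country not in b["countries"]:
        reasons.append("new_country")
    if datetime.fromisoformat(ts).hour not in WORK_HOURS:
        reasons.append("off_hours")
    if resource not in b["resources"]:
        reasons.append("new_resource")
    return sum(WEIGHTS[r] for r in reasons), reasons


def rank_users(history, recent, top=3):
    """Aggregate event scores per user and return the top-N entities to triage.

    The baseline is deliberately not updated with `recent`, so a sustained
    anomaly keeps scoring instead of becoming the new normal within the window.
    """
    baseline = build_baseline(history)
    risk = defaultdict(int)
    why = defaultdict(set)
    for ev in recent:
        score, reasons = score_event(baseline, ev)
        risk[ev[0]] += score
        why[ev[0]].update(reasons)
    ranked = sorted(risk.items(), key=lambda kv: kv[1], reverse=True)[:top]
    return [(user, score, sorted(why[user])) for user, score in ranked]


if __name__ == "__main__":
    print(f"{len(RECENT)} raw events collapsed to {len(rank_users(HISTORY, RECENT))} entities:")
    for user, score, reasons in rank_users(HISTORY, RECENT):
        print(f"  {user:8} risk={score:4}  {', '.join(reasons) or 'no deviation'}")
```

Run as a script, it prints the five raw events collapsed into two entities, with `smoore` at the top because all three of his events deviate on every dimension and `jdoe` at zero. The point is the shape, not the numbers: an intent-free account can only be caught by comparing its activity to its own history, and summing per entity rather than emitting one alert per event is what turns a queue into a short list.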
Also, the most senior people are going to “stop being nerds and they’re going to start being mentors,” Moore said.
“So we’re going to take the people we have who aren’t up to snuff and we’re going to train them up and we’re going to do that by …