We chatted with Fred Thiele, a career security practitioner, consultant, and executive currently working in global financial services. Fred leads cyber defense capability at the Commonwealth Bank of Australia to ensure the organization is ready to detect and recover from cyber-related attacks. Fred has built, operated and maintained several security operations centers around the globe and co-founded a company in 2007 that specialized in SOC and SIEM services.
We wanted to get Fred’s expert perspective on the current state of operational security, necessary features he looks for in a monitoring platform and key focus areas for a bank’s operational security.
Can you briefly summarize the current state of operational security in your view?
The asymmetry of operational security has never been stronger. There have been many advancements in defensive technology and methodologies in the past 10 years. However, the technology that improves our defensive posture also improves the attackers’ offensive capabilities. To this end, organizations need to focus on the basics and get back to practicing good security hygiene (patch management, limiting admin privileges, understanding where your crown jewels live, and asset management). Whilst not sexy, basic security hygiene remedies 80% of the issues we see on a day-to-day basis.
What do you see as some of the key focus areas in providing operational security for a major bank?
Tight relationships with partner organizations that provide IT services – Enforcing controls across multiple vendors can be challenging.
Tabletop exercises – The testing of processes and procedures to ensure you know what to do when an incident occurs.
Asset management – Where are your critical assets and where is the most important data in your environment?
Good internal relationships – Good working relationships make security incidents less stressful.
In your considerable experience, what is the most important aspect of gaining value from a monitoring platform?
There are several key features I look for in a monitoring platform:
Accurate and timely events that indicate an incident has occurred (only escalate what almost certainly is a security incident). Most often, this is dependent on the quality of the content in the platform, which is becoming exponentially more difficult to manage.
Updated and maintained alerts/signatures/content in the monitoring platform. Operational teams benefit immensely from well-written rules that they do not need to maintain. Ideally, some of your vendor maintenance fees allow the vendor to provide you this content so that your analysts can focus on the job at hand.
What interested you in becoming a strategic advisor to Respond Software?
I want to help influence the next generation of defensive measures based on the current threat landscape. Vendors often lose focus on what matters to customers because vendors are not in the trenches fighting the adversary every day. Influencing a technology roadmap based on current, real-world experience is something that can help our industry.
Chris has over 30 years of experience in defensive information security: 14 years in the defense and intelligence community and 17 years in commercial industry. He has designed, built and managed global security operations centers and incident response teams for eight of the Global Fortune 50. As he often says, if you have complaints about today’s security operations model, you can partially blame him. It’s from his first-hand experience in learning the limitations of the man vs. data SecOps model that Chris leads product design and strategy for Respond Software.