Setting the Foundation for a Cyber Resilient Future: Q&A with Peter Schawacker of Blinktag Solutions
We recently sat down with Peter Schawacker, a leading consultant with in-demand expertise in both the business and technical domains of cybersecurity. With over two decades of experience in nearly every aspect of the field, Peter has served as an incident handler, a sales engineer, a product manager, a technology evangelist, and a senior business executive. He’s also spent time in the infosec trenches, with hands-on experience as a security operations center (SOC) analyst.
In Peter’s consulting practice, he’s helped build SOCs, professional services delivery teams, and managed security service businesses. His wide-ranging experiences give him a unique bird’s-eye view of today’s cybersecurity landscape. He shared his perspective on current events with us during an in-depth interview.
Q: What’s your assessment of the state of cybersecurity today? What’s it like out there right now?
It’s foggy. It’s really hard to tell how things look. The usual measures and standards that we employ to understand threats and assess what’s going on in the world just don’t seem to apply anymore. So everybody’s trying to figure out how to recalibrate—to find measures that can tell them what’s going on. At the same time, everybody’s trying to figure out where they need to be: in terms of their offensive position, their defensive position, finding out where growth is going to occur, and understanding what’s not going to come back in the near future. Planning today is really hard. As a result, “short-term everything” is where security is at right now.
Another thing that people are trying to figure out is what they’re not seeing. Everyone’s aware that there are a lot of unknowns, but nobody knows what’s coming next. We say we’re “mid-pandemic,” but this assumes that we’re not actually still really early in the process. It also assumes that there isn’t another one coming. I won’t even get started on the murder hornets.
Q: How is the threat landscape? Are more attacks happening?
It’s impossible to be certain, but we’re pretty sure that attacks are way up. There’s a lag between the time when the data is gathered in studies and when the results are published, so we don’t yet know for sure, and won’t for at least three months from now. Most of the data that we’ve got is still from last year.
But we do know that attackers are well aware of the challenges that businesses face, and the ways that IT is changing. We also know that anyone who was in IT security and lost their job—the so-called “good guys”—is susceptible to recruitment by the “bad guys.” We saw this phenomenon at the end of the Cold War, where former academic computer scientists or high-level employees in IT in the former Soviet Union found themselves out of work. They needed to eat, so they’d turn to working for organized crime. I think that advanced persistent threat (APT) actors are recruiting heavily right now. So they’ll have a lot more manpower, and that’s enough to explain an increase in incidents.
I don’t think there are necessarily more vulnerabilities. But it is the case that during the first month of the pandemic, it became more dangerous than usual to patch end user systems, and specifically desktops. If something broke during the patching process, there was no field service. And it wasn’t easy to obtain a replacement for the device. As a result, people were waiting longer to apply patches.
Q: How are CISOs handling this new and unpredictable world?
It’s different at different companies. Some got rid of internal staff, and are now trying to cope without having certain functions, like a SOC. They may be turning to project-based staffing or having to think about how to outsource. When it comes to partnering with external service providers, CISOs are looking for enhanced effectiveness and real value.
The move to remote work is in a cleanup phase now. That’s going to persist for some time, and I don’t know if it’ll ever really end. “Business as usual” has always included cleanup. But the type of threat management that’s necessary will change over time.
CISOs are also thinking about how to make work-from-home more successful and how to create social cohesion for their remote teams. Because stress levels are so high right now—and will continue to be, on an ongoing basis—that social cohesion is exceptionally important. A good SOC team will bind together and manage itself if you let it.
Everybody’s had to cut costs. Sometimes this can lead to more efficiency. It can lead to a tendency to value quality over quantity, as well as a desire to be more conservative. There’s more interest in investing in automation, which has become a more conservative approach than staffing. It used to be that if you were employing automation, you were a risk-taker. Now, it’s the other way around.
Q: What advice do you have for security leaders as they navigate the challenges that 2020 is bringing?
There’s a lot of uncertainty, so there are no absolute answers. But there are good ideas.
One good idea is to recognize that when you’re forced to live through a crisis, you might as well exploit the advantages that it brings. We’ve already paid the price for change. Normally, a leader decides that a change must be made, in order to derive some benefit, and then commits to the pain and risk that the change will bring. Covid, the civil unrest that arose in the wake of George Floyd’s murder, and all the rest—that’s the pain, upfront. So you can use that disruption and the adjustments to people’s thinking that it’s causing to make the changes that you need to make. You’ve already paid the bill, so don’t walk away from the table. That’s the most important recommendation I would make.
CISOs can use the current drive for cost-cutting to dump software that they don’t need. If you have software that you’re not using, you have unnecessary vulnerabilities that someone could attack. Make this time into an opportunity to get rid of those.
Another important idea is to take a good hard look at insider threats, especially from former employees. Make sure that access revocation is being handled in a timely manner. Many organizations struggle to keep track of who has access to what. In today’s climate, there are sure to be more cases of former employees wanting to walk out the door with a box of data to use elsewhere.
I’d also suggest that security leaders pay close attention to threat intelligence. The best sources, unfortunately, aren’t the open source or free ones. Besides the fact that criminal organizations are actively recruiting right now, hacktivism is back.
Finally, when it comes to outsourcing, managed detection and response (MDR) services are more effective and deliver more value than the old managed security service model. In the old model, the service provider would find alerts and send them over to the customer, and the customer was then tasked with figuring out what they meant, whether or not they were bad, and how to handle them. Then they had to provide feedback, usually through a ticketing system or via email. In MDR, there’s an ongoing partnership between the customer’s security team and the service provider. A dialogue takes place that’s highly collaborative, and this continuous dialogue enables situational awareness.
Few companies can keep incident handlers on staff, so it makes sense to outsource this function to someone who specializes in it, and is practicing this sort of work every day. You’ll get a higher quality of service if you do.
Q: Is there anything else that CISOs should be paying attention to right now?
It’s vital that they think about the effects of stress on their teams. Security is like exercise. If you rest between sets, and you schedule recovery days into your workout program, you’ll get stronger, faster and healthier. But if you spend your whole life in the gym, it’ll negatively impact your performance. You’ll end up sick, and weaker than ever. Because your body and mind will be flooded with cortisol all the time. And that’s what we’re seeing right now in SOCs.
We make small decisions all the time, and stress makes it harder to make good decisions. Bad decisions beget more stress, which makes it harder to make additional decisions. It’s a vicious cycle, and the problems just compound themselves.
If you assume that cyberattacks have increased by two- or even threefold, then teams are being asked to do two or three times as much work, in some cases using approaches that they’re not accustomed to, at the same time their capacities are diminished due to stress. At the same time, companies are conducting layoffs, so teams are smaller. It’s a really bad situation, and it’ll be a long time before we bounce back all the way.
One of the few potential solutions is automation: you’ve got to remove the little decisions that crowd people’s thinking. That makes it easier for them to be effective.
I’d also like to see researchers study the effects of stress on employees below the CISO level. Everyone’s contribution matters to the business, and how their jobs affect people needs to be taken seriously.
Q: What’s coming next? Is there any light at the end of the tunnel?
It’s become a cliché to say that we’re living in historic times, but the reality is that there’s a convergence of seismic events, the likes of which we don’t usually see in this country. When these kinds of things come together, it can be catalytic.
Look at what’s happening right now with COVID-19. The states that are doing well are the ones that have focused on data. If you pay attention to the most reliable and meaningful metrics, you can begin to think about re-opening the economy and enabling access to all sorts of things.
There’s a strong parallel with cybersecurity. If you have reliable and meaningful metrics, you don’t have to spend all your time thinking about the scope of the problem and how you are going to solve it. Instead you can concentrate on attack surface reduction.
And people’s attitudes towards all manner of things are changing for the better. The public has a much better understanding of the value and importance of data. When did you ever see people obsessing over predictive models before? There’s more interest in science and scientific thinking now.
I think the pandemic overall has given people a much better sense of what’s important in life. It’s possible to understand this in scientific and objective terms, but also in human ones. But I believe that over the long term this can contribute to positive social and political change.