Last time, I had the honor of speaking with Lesley Carhart, a security incident response team leader who also writes the tisiphone.net cybersecurity blog. She's a Circle City Con staff. I just so happen to be talking to one of the people who's presenting there later this year, Cheryl Biswas. Cheryl is currently a cybersecurity consultant for KPMG. She also writes an engaging blog, CyberWatch. Some of her work has been published here on The State of Security, as well! Unlike my other interview subjects, I've actually met Cheryl in person because we're both based in the Toronto area. She's just as sharp, warm, and enthusiastic in person as she is on the internet. I've also written about her previously on Medium. Kim Crawley: So, I was interviewing Lesley Carhart a few days ago. She's on staff for Circle City Con and this year you're giving a talk there! Cheryl Biswas: Yes I am! I'll be talking about disaster recovery. People really don't realize how little they care about it 'til it's too late. It's always been something near and dear to me. KC: Would you say that the majority of enterprises with data centers are poorly prepared? CB: Enterprises with data centers rely on their third-party providers, usually the data center, to ensure DR is in place. Lots of regulations and contractual obligations involved. But unless you check on the third parties they rely on, you really aren't secure. I don't think people realize just how much they need to plan for. And the scariest reality is the small and medium business level KC: Do you think enterprises sometimes hire third parties with little to no research? CB: No. Enterprises are big entities that are answerable to boards and regulations. It's the smaller guys. KC: Something I hear frequently is that corporate accountants get in the way of security hardening. CB: I haven't come across that. But when it comes to spending money on security, then it's always an uphill battle. Justification is harder than attribution, it would seem. KC: That's a huge problem. Cybersecurity seen as a "nonprofit generator." CB: Absolutely! The push is on for innovation. Money and resources go to getting products and services out. Business is the driver. Profits are lifeblood, right? And security takes time, money, manpower. It's no surprise, therefore, that boards tend to look at things through cost justification. What would an incident cost? Will our cyber insurance cover that? Then that's the risk we can accept. So insurance is a mitigator, taking the place of putting security in place. It meets an actual audit or regulatory requirement. Everything needs to be explained in terms of business risk. KC: Regulatory requirements are a must, but proper hardening goes beyond that. CB: Indeed. Insurance companies are aware of this and pushing back because they don't want to pay out. They aren't a safety cushion. It needs to be done right. It's a necessary investment. And it goes in better early. KC: Have you been able to persuade accountants and executives in the past? CB: It's really a give and take. So compromise happens. The end goal, in the case of a security audit, is for the company to establish its compliance. Some things get discovered, some things get fixed. In some cases, the client is open to suggestion, willing to learn, and accepts recommendations. That's a great scenario and very encouraging. We want to celebrate those wins. KC: I guess sometimes it helps to see a half full glass. Now, the topic of your talk at SecTor 2016 interests me. CB: Oh! Banking insecurities. SWIFT and the bank heists. KC: Those events make me wonder: do you think that network admins often focus on uptime to the detriment of everything else? CB: I can only surmise. If you need to be competitive, then availability is key. Uptime is what gets monitored and reported. It's measurable and paid for. It may be mistaken for security. KC: But there may be less immediate incentive with security-related metrics? CB: Hmm. Unless you can prove something earth-shattering. Take exploits, for example. I can say that when you explain in plain terms how a vulnerability will impact a business, it gets attention. That' s why pentests are so valuable. KC: Unfortunately, more and more malware attacks on datacenters are fileless. Overall, more and more attacks don't appear in the logs without good heuristics. CB: Yes! You find these in ways nobody expected. KC: And then there's log overload in SIEMs. CB: The fact is we need to progress to the next level of technology to capture the new stuff out there. But we aren't getting the basics in place yet. You can't run before you walk but we need to be able to "see" this stuff. We need to be going the machine learning route. The shiny blinky boxes will always be a problem if we expect them to do the work. They are our tool to get to the answers. We are the ones who actually process the data. Threat intel ultimately resides with the humans not the machines. KC: I've heard of vendors dropping machine learning in favor of technologies like network behavioral analytics. In my opinion, only time will tell if that's any good or not. Frankly, I haven't worked directly with SIEMs. CB: I think EUBA/UBA has lots to offer. Especially from an insider threat perspective. And I agree only time will tell. There is no silver bullet. KC: Maybe some antimalware systems can employ all of that together? KC: If we aren't prepared to accept we need to do the work and analyze what comes in, nothing we use really matters. CB: There are systems that do many things. I don't believe in having something do all the things. Because I don't believe you can do all the things well. There are strong recommendatons not to put all your eggs in one vendor's basket for good reason. KC: I've seen different vendors combine their patented technologies in security products and services lately. CB: Actually, what I've heard is that layering different products works to catch things. So two AV products, multiple intel feeds, etc. Yes, the combinations of vendors. I like that. KC: And that doesn't generate more false positives? Or there's little conflict otherwise? CB: The more you data you input, the more false positives you get proportionately. It takes time and effort to tweak. KC: It sounds very complicated. CB: So, you are looking at getting vendors to do that for you. Customized intelligence. We can't keep doing what we've been doing. The threat landscape has changed. There is so much more data out there. At risk. The attackers have had this time to up their game and skills. They know more about us than we know about ourselves. What we need is what's not in scope. That's where big data comes in-- data analytics, machine learning. KC: Cybersecurity, in all facets, is an endless cat-and-mouse game. CB: It's specialized skill sets and money. KC: As a woman in infosec, how can we attract more women and transgender people to our field? CB: I don't like focusing on those as our differences. People are quite sensitive to it. I'd like it to be that we're all on the same team, except maybe one side is red and the other is blue. KC: We all know that there's a lack of women in IT and computer science in general. CB: Indeed there is. The numbers aren't improving so far as I can tell. You know I am part of TiaraCon and our focus is on diversity. That's our message, to encourage people to come to infosec and tech. KC: TiaraCon sounds like something that's needed. Explain what you've been doing with TiaraCon. CB: Last year, we focused on women in tech. It was to address that need. To offer a space where everyone felt welcome, especially women, and to show both sexes how comfortable and easy working together could be. It was a huge success. People were so surprised and delighted, really. They want us back again for more. So we're talking diversity because there are many people with skills, passion, talent who belong here. KC: I hear some women drop out of computer science in school after the first year. I know first hand as you do that it's tough to be in a boy's club sometimes. I've heard of matters like students being directly misogynistic or sexual harassment not being taken seriously. CB: I've heard first-hand accounts of shameful behavior toward women, and we can expect that has happened to others. KC: Was anything like that discussed at TiaraCon? CB: We talked about that more one on one. This year, we hope to have workshops around it. It's a bigger issue than just women. We want to help offer constructive advice, approaches, where to get support. And there are men who have been hugely supportive in our careers. I know that for a fact. I owe so much to the guys who stand by me and teach me. They are my friends and colleagues. They've really gone the distance for me in some cases. KC: Fortunately, I have met many supportive men. One who writes for a publication that I also write for recently recommended me for a security analyst position. Fingers crossed! CB: Fingers crossed indeed! Yay! We're talking about allies at TiaraCon this year. KC: Yes, allies are crucial, in my opinion. I understand that you've written reports for corporate clients before. In my experience so far, it's even tougher than writing for magazines and blogs. But it's been really rewarding. Doing it well builds confidence. CB: Reports are very hard work! And they matter because it's about the client. KC: I find that there are even more guidelines involved. CB: Presentation. Wording. It's all about how you say things. But what you want to deliver, it needs to be presented in a way that the client will understand. KC: I was advised to not use the word "solutions" when writing a report on third party SIEMs. Oops! If a teenager, regardless of gender, asked you how to get into cybersecurity, what advice would you have for them? CB: Ahhh. Code! And try the CTFs online, like Over the Wire. There are more out there. KC: Are there any programming languages you would recommend for them? Python is useful and easier to learn. CB: Absolutely! Python to start. KC: Nah! Start with x86 assembly! Ha. CB: I would have them watch Hackers and Wargames and Sneakers. I would let them see what social engineering is. I would like them to look at mainframes, where we need people desperately. Or ICS-SCADA. KC: Social engineering is so overlooked by laypeople. As are other human factors, like bad UX design. CB: Ha ha! Yes! KC: Last time I met you, you recommended Mr. Robot because it features a more realistic portrayal of cybersecurity and "hacking." What does Mr. Robot get right, compared to Hackers or Law and Order? CB: Mr. Robot gets most things right. They had to deliberately make things wrong so that the exploits could not succeed if someone tried to do them in real life. KC: How considerate of them. Or perhaps legal liability is the factor. CB: The people with their anxiety and depression were very reflective of our community. Brilliance comes at a price and is so often misunderstood. The natural curiosity of hackers. That's why I think mentorship is hugely important here. And for those of us who are older to find ways to be nurturing and supportive if we can. KC: Do you spend time mentoring young tech professionals? CB: I do! It just happens. And I love it. KC: It's amazing, but by helping others, we often help ourselves. CB: We teach each other. We both grow. Exactly that! Mutually rewarding. I have a wonderful mentee just now. It's a privilege. KC: Before we finish, is there anything else you'd like to say? What do you think are some of the biggest problems in cybersecurity now? CB: I know our focus is on IoT and that's good. We have a lot of work to do there. It really illustrates what happens when security isn't baked in and isn't even a consideration. At the same time, we need to be looking beyond the usual suspects. There are up-and-coming cyber crime zones. Threats and attacks will continue to evolve, after all. The playing field is fluid and dynamic. KC: As in, types of targets? Methods of attack? CB: Yes. Shifts in targets. Cyberwarfare is a reality, and the geopolitics at play will bear that out. Different methods as we get better at detection, they get better at obfuscation KC: A lot of the stuff of science fiction novels is coming true. CB: You are so right about that! KC: The cat-and-mouse game again. Thanks for sharing your thoughts!
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
