Cyber Work Episode Recap: How is the open exchange of information affecting cybersecurity?
Cody Cornell, CEO of Swimlane, is a passionate advocate for the open exchange of security information. Infosec recently chatted with Cody about his rise to the cybersecurity challenge and how he sees the sharing of security information as an important movement across industry.
Cody summed up his stance in an interview for Cyberdefense Magazine in February 2019: “To transform cybersecurity from a source of consternation into an opportunity, everyone in the industry, not just collaborative SOCs and ISACs, must work together to share intelligence, best practices, and lessons learned, amongst a network of trusted peers.”
Becoming a security professional by knowing how technology works
“I am a systems security person.”
Cody’s career did not start with a technology background. However, once he started working with the Coast Guard, he was introduced to a more technical career. Here he was trained in electronics and began to work more on the IT side. It was during this time that Cody quickly realized there were great opportunities in the tech industry and especially in the security sector.
From there, Cody moved into security management. He admits that pentesting was not his passion; instead, he ended up on the blue team side of security. Here he discovered his love of collaboration.
Cody told Infosec that becoming a security professional and becoming a start-up founder were separate journeys for him. Early on, network and systems engineers were a great influence, because they understood the underpinnings of the technologies they had to secure.
To bolster his career, Cody worked on achieving certifications, including Cisco and Microsoft certifications. This taught him how infrastructures worked: “I would have struggled if I had not understood the underpinning of the system I was trying to secure.”
How do collaborative sharing initiatives work?
Previously, on CyberSpeak, Infosec spoke to Michael Figueroa about a yearly event, the Collaborative Defense Simulation. This is where security groups collaborate and share knowledge related to specific types of disasters, such as nation-state attacks.
Cody told us he wants to expand this type of collaborative sharing of security information and make it continuous rather than a yearly event. The threat intelligence community already shares data in this manner, but he wants to take it a step further: instead of sharing only indicators, share the mitigations that address the underlying threats those indicators point to.
He added that from an automation perspective we can now ask, “how do we share this data in real time and how do we react to this, again, in real-time?” Using a security-based defense model, the automation community can extend this from what you see to what you do.
Does anyone resist sharing security information?
We asked Cody whether some companies prefer not to share security data. He replied that some organizations feel uncomfortable uploading payloads or malicious samples because of issues around attribution. However, the STIX standard does define a way to share security information that includes actions: a Course of Action object that can be linked to the indicators it mitigates, so a recipient gets the recommended response alongside the data.
Sharing security information together with actions works well in trusted circles: for example, within an industry vertical such as government agencies or utilities. These organizations already have the infrastructure to form a trusted circle, which lets them accelerate collaborative sharing. Because of the wins seen in these circles, the wider industry is observing the benefits and the potential for broader, cross-industry collaboration.
What does a collaborative security-sharing body look like?
Cody discussed what collaboration across industry looks like and how it works. He told us that currently, it is very much word-of-mouth-based. However, Swimlane has created a not-for-profit to advance the movement. The company is exploring how this is best served; is it as a coalition of vendors, government and industry, or as an independent body?
Cody stated the importance of industry moving away from an asymmetric situation: “… so that the adversary to defender dynamic is not asymmetrical, where you have all the attackers collaborating in many capacities and they can use that effect against a single organization … organizations need to band together and be able to push back as a banded group.”
Industry sees that identifying threat actors and sharing threat hunting patterns is paying off. But it isn’t yet happening across the industry, other than occasionally, where organizations happen to use the same technology.
What can I share, how can I share it and is it easy to leverage?
Cody gave us some advice on how to begin sharing and collaborating around security. He suggested starting with a small example and with a group you already work with, for example your own industry vertical.
Security operations teams are typically very busy, so it’s hard to begin the process and to work out the best way to package the information. He suggested starting with the intelligence you already have and the telemetry you are already curating out of your organization.
The process is complicated by the lack of time to normalize, standardize and share security data. Automation can help a lot here: an automation platform, or even just a series of scripts, can capture that information, package it in a standard format and share it, so that another organization can act on it directly.
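To make that packaging step concrete, here is an added example written for this recap (not Swimlane’s code, and not from the podcast). It takes a few constructed firewall log lines, turns the repeatedly sighted destination into a STIX 2.1 Indicator with a linked Course of Action (the “actions” that STIX can carry, as discussed above), sanity-checks the bundle before it leaves the organization, and then derives an OpenC2 “deny” command (the OASIS standard mentioned in the Swimlane section below) from that Course of Action, which is the “from what you see to what you do” step Cody describes. The log format, addresses, names and the one-hour block duration are all assumptions; only the Python standard library is used, so it runs offline.

```python
"""Added example (not Swimlane code): turn constructed firewall telemetry into a
STIX 2.1 bundle with a Course of Action, check it, and derive an OpenC2 'deny'."""
import json, re, uuid
from datetime import datetime, timezone

# Constructed telemetry: repeated denied egress to one host, plus an unrelated line.
SAMPLE_LOG = """\
2019-02-11T10:01:03Z fw01 DENY src=10.20.3.14 dst=203.0.113.77 dport=4444 proto=tcp
2019-02-11T10:01:09Z fw01 DENY src=10.20.3.14 dst=203.0.113.77 dport=4444 proto=tcp
2019-02-11T10:02:41Z fw01 DENY src=10.20.7.2 dst=203.0.113.77 dport=4444 proto=tcp
2019-02-11T10:03:00Z fw01 heartbeat ok
"""
LINE_RE = re.compile(r"^(\S+) \S+ DENY src=\S+ dst=(\S+) dport=(\d+) proto=(\w+)$")
STIX_ID_RE = re.compile(r"[a-z0-9-]+--[0-9a-f-]{36}")  # STIX 2.1 id: <type>--<UUID>
PATTERN_RE = re.compile(r"dst_ref\.value = '([^']+)' AND network-traffic:dst_port = (\d+)"
                        r" AND network-traffic:protocols\[\*\] = '(\w+)'")
REQUIRED = {  # type-specific STIX 2.1 required properties for the objects emitted here
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "course-of-action": ("name",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}


def extract_sightings(log_text):
    """Group DENY lines by (dst_ip, dst_port, proto) -> timestamps; skip lines
    that do not match the assumed format instead of failing the whole batch."""
    sightings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, dst, dport, proto = m.groups()
            sightings.setdefault((dst, int(dport), proto), []).append(ts)
    return sightings


def stix_obj(obj_type, **props):
    """Common STIX 2.1 envelope: type, spec_version, id, created, modified (ms, UTC)."""
    dt = datetime.now(timezone.utc)
    ts = dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}


def build_bundle(sightings):
    """One Indicator per sighted destination, one Course of Action, and a
    'mitigates' Relationship from the CoA to each Indicator (the direction
    STIX 2.1 defines for course-of-action -> indicator)."""
    coa = stix_obj("course-of-action", name="Block egress to sighted C2 host",
                   description="Add a deny rule on the perimeter firewall.")  # assumed wording
    objects = [coa]
    for (dst, dport, proto), times in sightings.items():
        ind = stix_obj("indicator", name=f"Outbound {proto}/{dport} to {dst}",
                       indicator_types=["malicious-activity"], pattern_type="stix",
                       pattern=(f"[network-traffic:dst_ref.value = '{dst}' AND "
                                f"network-traffic:dst_port = {dport} AND "
                                f"network-traffic:protocols[*] = '{proto}']"),
                       valid_from=min(times))  # earliest sighting in the telemetry
        rel = stix_obj("relationship", relationship_type="mitigates",
                       source_ref=coa["id"], target_ref=ind["id"])
        objects += [ind, rel]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def check_bundle(bundle):
    """Pre-share sanity check: ids well-formed, required properties present,
    relationship refs resolve inside the bundle. Returns a list of problems."""
    problems, ids = [], {o.get("id") for o in bundle["objects"]}
    for o in bundle["objects"]:
        oid, otype = o.get("id", ""), o.get("type")
        if not STIX_ID_RE.fullmatch(oid):
            problems.append(f"malformed id {oid!r}")
        for prop in ("spec_version", "created", "modified") + REQUIRED.get(otype, ()):
            if prop not in o:
                problems.append(f"{oid} missing {prop}")
        if otype == "relationship":
            problems += [f"{oid} dangling {r}" for r in ("source_ref", "target_ref")
                         if o.get(r) not in ids]
    return problems


def openc2_deny_commands(bundle):
    """Translate each Indicator the CoA mitigates into an OpenC2 v1.0 'deny' on an
    ipv4_connection target. PATTERN_RE only understands patterns this script
    produced; a real producer would use a STIX pattern parser."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    commands = []
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "mitigates":
            m = PATTERN_RE.search(by_id[o["target_ref"]].get("pattern", ""))
            if m:  # duration is in milliseconds; one hour is an assumed policy choice
                commands.append({"action": "deny",
                                 "target": {"ipv4_connection": {"dst_addr": m.group(1),
                                            "dst_port": int(m.group(2)), "protocol": m.group(3)}},
                                 "args": {"response_requested": "complete", "duration": 3600000}})
    return commands


if __name__ == "__main__":
    b = build_bundle(extract_sightings(SAMPLE_LOG))
    print(json.dumps(b, indent=2), "\nproblems:", check_bundle(b))
    print(json.dumps(openc2_deny_commands(b), indent=2))
```

Two design points worth noting. The check runs before anything is shared, so a dangling reference or a missing required property is caught on the producer side rather than by the ISAC’s ingest. And the OpenC2 command is derived from the Relationship, not from the Indicator alone, so a recipient only acts on an indicator that the sender has explicitly paired with a Course of Action.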
Regional groups or consortia doing security sharing?
An Information Sharing and Analysis Center (ISAC) is a great place to start, as it is the path of least resistance.
Security operations teams typically have to wear many hats and perform multiple tasks, so time management is a key area of optimization for them. Security collaboration can help these teams manage their time and spend it on higher-value tasks.
If you use security collaboration to create an optimized landscape, what does it look like?
Security collaboration will facilitate a move away from a static infrastructure to a highly dynamic organic infrastructure that responds to cyber-threats. An organization will be able to move from buckets of people with point responsibilities to a less-siloed taskforce.
If the infrastructure is more secure, it is better for all. The business world is highly connected, and if everyone is more secure, we are all better off. Those who have the experts should share this intelligence across the entire landscape to improve security.
Cody stated: “The future is sharing, but it must be in an effective manner.”
Careers in cybersecurity industry around open sharing and security systems
“The key is to be active in the community.”
Cody offered some advice on building a career as a cybersecurity professional.
Security is a great profession; it pays well and is recession-resilient. You don’t need a Ph.D., master’s or even a degree. If you can prove you are proficient, you can get a great job.
Be practical and know how things work. Understand how to install the components of an infrastructure, such as Active Directory, NGINX or AWS. Create practical skills. Understand how data works. Understand how technology works. Build a lab; tear it up, break it down.
You don’t need to code. If you can’t, contribute documentation to a popular open-source project. This gets you in front of people who can help you become a great security professional.
Cody finished by saying: “This isn’t just a job for me, it’s a passion.”
Swimlane current projects
Swimlane is focused on some of the major pain points that organizations struggle with. Skilled staff shortages are causing real pain in industry. Alongside this, the sheer number of technologies that require securing causes issues: each new technology adds to the surface area that needs to be monitored and managed, and making them work together is hard. Surface area and security technology sprawl together make the problem complicated.
Swimlane aims to make the investments made in security technologies effective by making them interoperate, and to give the people responsible for managing the infrastructure and the alerts the bandwidth to work on the most valuable tasks. This lets an organization optimize its investment while also making its infrastructure more secure, improving the overall security posture.
Cody noted: “Our customers are using automation to contribute to their ISACs.”
Swimlane has contributed to the OASIS standards including Open Command and Control (OpenC2). Swimlane contributes to open-source work, which can be seen in the Swimlane GitHub page. They also contribute to the MITRE ATT&CK framework.
To see all of Cody’s answers and to watch the whole episode, watch the Cyber Work podcast here.
- How is the open exchange of information affecting cybersecurity?, Cyber Work Podcast (YouTube)
- Structured Threat Information eXpression (STIX™) 1.x Archive Website, STIX
- Member ISACs, National Council of ISACs
- OASIS Open Command and Control (OpenC2) TC, OASIS
- Swimlane, GitHub
- ATT&CK, MITRE