Strategy and Focus Protect New York City

Posted: 21st October 2019
Strategy and Focus Protect New York City

Our guest this week is Quiessence Phillips, deputy CISO and head of threat management for New York City Cyber Command. She’s one of the leaders of a team of cybersecurity professionals working to strengthen and coordinate the cyber defenses of one of the largest and most important cities in the world.

Quiessence joins us to share valuable insights into managing the scale of the responsibilities she and her team hold, the techniques she advocates for staying ahead of threats, as well as her thoughts on how best to prepare for a position in the industry.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 130 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Our guest this week is Quiessence Phillips. She's deputy CISO and head of threat management for New York City Cyber Command. As one of the leaders of a team of cybersecurity professionals working to strengthen and coordinate the cyber defenses of one of the largest and most important cities in the world, she shares valuable insights into managing the scale of the responsibilities she and her team hold, the techniques she advocates for staying ahead of the threats, as well as her thoughts on how best to prepare for a position in the industry. Stay with us.

Quiessence Phillips:

From undergraduate, I was a computer science major, always had an interest in reverse engineering, at the time it was not the hype at the moment, so I decided to do some research around cybersecurity, or information security, which at the time was how we referred to it. I think what made me gravitate towards it is I felt as though I can merge somewhat of this investigatory root cause analysis, looking to reverse engineering how things happened with a field that was looking to basically try to identify bad activity, bad actors, et cetera. I really thought that it could be applied very nicely with cybersecurity.

I spent about six years with the federal reserve working on our national incident response team. I worked for a startup providing threat intelligence to major financial institutions. Also spent about four years with Barclays, the financial firm, heading up the incident response team there. And then most recently, obviously, for about two years here with New York City Cyber Command.

Dave Bittner:

So can you give us some insights into what your day to day is like there at the New York City Cyber Command?

Quiessence Phillips:

Sure. I guess background on New York City's Cyber Command, we were newly formed about two years old, in July, and one of our missions is to basically centralize cybersecurity initiatives for the city. And when I say the city, that is over 8.6 million residents, and then also over 150 agencies and entities that we service.

On a day-to-day basis I head up our threat management function and that is pretty much encompassing our security operation center, our incident response team, our cyber threat intelligence team, and lastly, our counter threat automation team. So leading all of those initiatives all in effort to properly detect and respond to any type of adversary or anomalous activity within the city.

Dave Bittner:

Can you give us a sense for the scale of your organization and also the threats that you're dealing with?

Quiessence Phillips:

I would say the threats that we encounter are across the board. By nature, New York City is dealing with so many different verticals. So if you think about health care, education, financial health and safety, et cetera, we deal with it all. So obviously the threats that are imposed upon these different verticals, we see them all. One thing that we try to do is really understand all of the different verticals within our city, all of the different business processes, et cetera, so we can really try to do proper threat modeling, really understand the different adversaries that are targeting us. What type of actors, what type of activity we're seeing.

To answer your question, I think we see a plethora of activities and actors that are targeting us, whether it's actual targeting or just by way of larger campaigns and things that we're seeing. From a scalability perspective, we won't talk about numbers, but New York City Cyber Command is growing 100 percent year over year. And that is really to fulfill our mission, to be able to centralize all security initiatives within the city.

We're working with so many different agencies to change the culture and really thinking about full visibility across the city. So, one, that is a huge feat to be able to build the infrastructure to take in all of that telemetry. That's in the petabytes. And to be able to build out a program to effectively and efficiently, because resources are finite, to properly detect and respond to those threats in a meaningful time frame.

Dave Bittner:

I'm curious for you, as a leader, how do you approach a challenge that is this large in scale? New York City is, like you said, over 8 million people. It is a huge city. It is an important city, and so that's a big task that you have in front of you. How do you wrap your arms around that?

Quiessence Phillips:

Piece by piece, I would say, with a lot of strategy, with a lot of focus on what is our objective. We don't want to boil the ocean and we want to set meaningful targets year over year. Obviously, we want to protect the city from any type of threat, so that's why I mentioned earlier, we start with our threat modeling. We start with baselining our organization. We start with really trying to identify and understand our network and what we're protecting.

A huge piece of the puzzle is visibility. Because we can't detect or respond to what we can't see. The partner group that threat management works with, security sciences, we've been working together on somewhat of a log management work stream where we're trying to build the infrastructure, as I mentioned, to be able to scale to meet the demands.

Part of this effort is to really ensure that we have the environment that can take in all of this data, so we call it our data highway to really put in proper sensors. One, working with all the agencies and different types of environments, different types of technology stacks. So that's a huge feat. And then ensuring that once we do have that data in a secure fashion, that we can then put in all of the proper content engineering, and we can put in all of the proper metrics to be able to determine that we are moving at the pace that we think we are. We are identifying and detecting the things that we want to be able to see, how effective our use case is.

Internally, we have somewhat of a metric to measure ourselves and one of those things that we use for each fiscal year is objectives and key results, and we really try to key in on what we're trying to meet each fiscal year. And across the organization, we ensure that there are accountable executives and responsible executives to ensure that we're meeting each of these objectives. We try to ensure that across your organization we're all working towards the same mission instead of somewhat being decentralized as an organization.

Dave Bittner:

Yeah, I can imagine it must be really important, but also challenging, to have all of this happen in a collaborative way. I could imagine it would be very easy for different parts of the city, different organizations in the city to feel like they want to insulate themselves. But that's not going to work with this. You all have to be able to collaborate with each other, communicate, share information. You're all in this together.

Quiessence Phillips:

Yeah, absolutely. I think we look at things as though security is a we problem, down to the user, right? Everyone says that the user is the weakest link, but it takes a village somewhat. So it does take a fair amount of socializing to ensure that we are all on the same page with the mission that we're trying to fulfill.

And at the end of the day, no matter if you are an end user or if you are a commissioner in a specific agency, we all want to ensure that there is a certain amount of security in place and not to get in the way of any of the business processes or practices. But we want to ensure that security enables the business to continue to be productive. And as we've seen with the threat landscape, that security can be, or if there is a lack of security, it can disrupt the business. So we want to ensure that that doesn't happen. I think that is a shared goal between ourselves and all of the agencies that we're trying to protect.

Dave Bittner:

I want to talk specifically about threat intelligence and how you all use threat intelligence there. I know something that is important to you is this notion of operationalizing threat intelligence. Can you walk us through what are your views there?

Quiessence Phillips:

Sure. I think oftentimes we see intel as a small piece of a security program and although there is a lot of discussion around intelligence-led response, I find it, in many cases, not well exploited, in the positive sense of the word. When we think about operationalizing threat intel, we consider the entirety of the incident lifecycle, so from preparation to post-incident response and embedding intel into that lifecycle.

So what that means for us is pretty much ensuring that at each stage of our incident management process, intel is actively informed or informing. So being that we have a common structure for incident management, we are able to plug in how intel works at each of those stages, how it correlates with the work that incident responders are doing.

So for example, at the preparation phase, as I mentioned earlier, we conduct threat modeling. We baseline our network and business processes. We develop a common method to track incidents and categorize threats. Some of this is a byproduct of our incident management guidance in our incident response plan, but it's important for the success of the intel program.

Other things that are important are strong analysts notes. So what we've done is implemented a QA process to ensure that the analyst notes regarding the way an incident has been handled, any of the artifacts around it, any of the information around the user, the type of attacker, et cetera, all of those notes are very strong. So at the point when intel is then extracting that information to build out patterns and trends, et cetera, there is quality data coming into that collection process.

Dave Bittner:

Let's continue down that path. When we're talking about turning incident data into intelligence, how do you go about that?

Quiessence Phillips:

I think one is we review past attacks, so we want to identify what IoCs were involved, what steps did the adversary take, how many stages of the attacks were observed, where did we detect it? That's one piece that we focus on quite a bit because we're always looking to see how we could have detected something sooner. Obviously that is important, not only from a detection and response perspective, but also an intelligence perspective.

We want to uncover a systemic attack or identify any type of attacks. This is important also for the breadth of agencies that we service. We may be able to impart where specific attacks are seen within which vertical. A lot of times when you just have this data sitting within your incident management system and you're not looking at it over a specific or a longer period of time, you may miss out on some of those trends.

Dave Bittner:

And then it all has to feed back on itself, right? It's a circle, because when you get to the end of your analysis, that informs how you go back to the beginning.

Quiessence Phillips:

We think about it the same way. Whenever we're doing, let's say a post-incident response, we're looking at when do we detect this? Which of our technologies detected it? Did we see it across the board? What do we know about the attacker? What do we know about the activity or the user? Et cetera. And that, as you mentioned, goes right back into the collection process for intelligence, or even for honing our detection mechanisms, putting in new configurations, allowing us to create different content or more granular content.

Maybe this is telling intel the types of adversaries that we're seeing and they might be able to tie that to a specific strain of malware, et cetera. There's a lot that could be gleaned from any type of post-incident response and how that's fed into intelligence, and then what we can then also provide back to the community that may not be readily available.

Dave Bittner:

What are your recommendations for organizations who are just getting started with threat intelligence? How do you think they should approach that?

Quiessence Phillips:

Yeah, that's a great question. I would say one, they should want to try to identify what it is that they're trying to do. I think intel at a high level is very well understood. But applying intel to your program, to your organization is very different depending on where you are.

If you're looking to operationalize your intel the way we have thought about it, then I think it’s very useful to take a look at how intel can be embedded into your lifecycle. Where is it that it can actually be embedded? You don't want to boil the ocean, so let's say a lot of times people have a stream of data coming in that is considered to be intelligence. But these might come in your very well known forms of IP addresses and domains that are considered to be bad. That alone is helpful but doesn't provide a ton of context.

So if you now know that this IP is related to this type of attacker, but this type of attacker is part of this group and they typically target this type of organization, then that gives a little bit more to go off of.

I think one of the easiest ways for organizations just starting out is to one, have some type of platform, let's say where they can collect all of this threat intel information, so your typical threat intelligence platform or TIP. That is usually one thing that allows them to at least consume it into one place because, believe it or not, a lot of people are still using spreadsheets, or Google sheets, et cetera, whatever your platform is. And that, although helpful doesn't allow you to do this work at scale. So I think it's also helpful to build out some type of framework.

I would imagine that any type of organization that is just starting out with intel would hopefully have already spent some time thinking about their incident response plan, has already thought about detection mechanisms and how do they respond to different types of alerts, et cetera. And seeing how can intel at least inform any of those decisions. So that's pretty much where we started.

I think over time we really thought about this whole model of intelligence-led response and how it could truly be exploited or implemented within our incident life cycle. But you definitely have to start small because there's such a large data set out there for what is considered to be intel.

Dave Bittner:

You know, it strikes me that being in New York City, which is the largest city in the United States, one of, if not the most important city in the world, depending on how you measure it, what sort of lessons do you have, words of wisdom you have for those smaller cities around the nation and around the world who look to New York City as a mentor, as a place to draw inspiration from, to draw guidance from?

Quiessence Phillips:

I think everything we do, we're looking at somewhat of this public good mission. Whereas maybe because of the size and breadth of New York City and the size and breadth of our program, we want to be able to provide a lot back to the community. We want to be able to, wherever we've spent a lot of time coming up with a strategy, coming up with a framework or a motto, et cetera, we want to be able to put that out there and allow that to be somewhat of a blueprint for other cities to follow or other smaller municipalities.

Many municipalities share a lot of the same challenges. So we can absolutely build some of these models based on our infrastructure, based on the operationalizing of threat intelligence within our incident lifecycle. We can package a lot of this up and allow other municipalities to use it as a model even if they don't completely replicate it.

To answer your question in particular, what words of wisdom do we have is really understanding the business that you're in. I would say that the reason why a municipality is somewhat unique is that, at the end of the day, we have to provide a service to our residents, and how can we do that without securing the technology that they've grown to depend on? If we think about complete cyber resiliency, it's very helpful for municipalities to really think about where their critical services are, and what are the dependencies, and what are the residents completely reliant upon.

You’ve seen in the news where some destructive type of attack has crippled some cities for X amount of time. I feel as though if there was a fair amount of research around cyber resiliency in the services that are critical for the residents and really unpacking the applications that are reliant on some of the technologies, that would allow them to really have this risk-based model to determine. Just because resources are always a constraint, and whether that be financially or just because there's a finite number of people who can work on a specific project, that would allow us to really hone in and say, "Okay, we know that we have 20 critical services that absolutely cannot go down and how can we focus on protecting those?"

Not that the rest of the environment is not important, but at least that allows you to come up with some type of model to influence or inform your executives on how to make certain decisions based on the criticality of a service that your residents rely on because if we're not serving the residents, then we're not doing our jobs.

Dave Bittner:

I want to swing back around to where we started, which is some personal things about you. I'm looking particularly for words of wisdom you have for that student who's coming up, who's looking for a career perhaps in cybersecurity, who would look at someone like you as a mentor, as an inspiration. Do you have any guidance for someone in that position?

Quiessence Phillips:

Yeah, I think one of the things that I say probably often is POC your skills. We use POC pretty often in technology, and this is really just a term for proof of concept. The reason why I say that is because you can have all the education in the world, but what can you do?

So people, especially in this industry, especially because cybersecurity has transitioners, if you will, from other types of technological backgrounds. It's really important to see, or to show, what you've done. And I think that helps to, regardless of your educational background, that helps for any ... Let's say your interview or any organization that you're looking to go into, to see what you can actually do. How you've taken one problem and the solution maybe that you've come up with and how you've been able to add some value to the cybersecurity industry, if you will.

I think that is hugely beneficial and not only is it helpful for others to see what you've done, but it's helpful for you to continue to hone your skillset because everything seems like something until you get into it. And we all know that with any type of exercising, theory is theory, but in practice it’s very different. The stress level is very different. The learning curve is very different. So putting yourself in that position where you're ensuring that you can stand the test of time and you have what it takes to actually do this, or maybe you decide that this is actually something that you don't want to do. I think POCing your skills and working on those projects, and putting them out there for other people to critique, is a very helpful practice.

Dave Bittner:

Our thanks to Quiessence Phillips from New York City Cyber Command for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.