Security Wisdom From the FS-ISAC

February 17, 2020 • Monica Todros

Our guest this week is DK Lee. He’s an information sharing operations manager at FS-ISAC, the financial services information sharing and analysis center. They’re an industry consortium focused on reducing cyber risk in the global financial system, and count over seven thousand financial institutions as members.

DK joins us to share his insights on threat intelligence, along with his opinions on leadership, organizational maturity, and checking your ego at the door.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 146 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest this week is DK Lee. He’s an information sharing operations manager at FS-ISAC, the financial services information sharing and analysis center. They’re an industry consortium focused on reducing cyber risk in the global financial system, and count over seven thousand financial institutions as members.

DK joins us to share his insights on threat intelligence, along with his opinions on leadership, organizational maturity, and checking your ego at the door. Stay with us.

DK Lee:

Bit of an interesting road, I guess. I actually was a graphic designer for 12 years I think, went to college down in San Francisco. I was a graphic designer for various companies, skateboard companies, a lot of action sport companies and stuff, and moved back here to pay off my loans, because student loans and living in San Francisco is not exactly the most ideal thing. Worked for some consulting companies and stuff, doing some government work. I just really got bored with it and bought a house, and the 2008 market crash happened, so I needed something way more stable.

Before I moved to San Francisco, my best friend … He’s been involved with IT security since he was 16. I remember before I moved he said “You should come do this with me.” Whatever. I’m not interested. So he’s always said that I should give it a try because I’ll be good at it. So when that happened, we talked again and he gave me a bunch of books, got a cert, and he got me my first job as a monitoring analyst for a government contract. That’s how I got my start. It wasn’t something that I really … This is what I want to do. It’s just like I fell into it.

Dave Bittner:

Did you enjoy it at the outset? Was it something that struck an interest in you? Or was it still work?

DK Lee:

In the very beginning, I did, and I still do. It’s like a puzzle piece. You try to figure out how to put things together and how things … See where it happened? How did it happen? In that aspect, it’s very interesting. I think that’s one of the reasons that my friend always thought that I should give it a try. I guess I’m pretty decent at that. Coming from a completely different background than when I was at work and even when I first started, my thought process was much different than what people are brought up to do, so a lot of the outside-of-the-box thinking … It was interesting.

As I progressed, I pretty much dabbled in everything I could possibly do. Malware analyst, analysis, pen testing, and everything. It’s very interesting. It’s been a very interesting journey just because I always seem to just fall into things by chance. I’ve been involved with obviously the monitoring portion and SIEM content development, incident response, malware analysis, and now it’s just intel. I just fell into it all. I worked at iSIGHT for the internal security team and we got bought by FireEye. Like, well they have their own … And I got thrown into the internal … The intel division, and went from there.

Dave Bittner:

Is there any one aspect … As you look at the things that you’ve done, are there any in particular that are your favorite, that you have enjoyed the most?

DK Lee:

Malware analysis is super fun if you are getting really cool samples, but it’s also incredibly difficult because if you don’t understand programming, you’re not capable of really doing any parsing. It’s just not that fun. I’m just not that smart to get down that road. But intel’s been very fun. It’s been fascinating to see the trends and tracking of different patterns and different teams and different actors, so that’s been incredibly fun. It’s been really interesting.

Dave Bittner:

What is your day-to-day like these days?

DK Lee:

I’m more hands off these days. I’m more of a manager, so I have a group of smart guys. I make sure that all the things are getting handled. In FS-ISAC, we rely on what the members send us, so the team is responsible for ingesting, processing, and distributing out the information. That’s more of managing that and making sure that … Contextualizing all the information correctly and creating new reports based on that. So we recently started a biweekly trend report for what the members are sending, see the trends. Not particularly the trends of what’s going on, per se. It’s just because of what the members are saying. It’s not exactly a good picture, but it’s just more of a trend of what the members are interested in sending out, seeing the questions they’re asking.

It doesn’t always coincide with what’s going on. Sometimes literally one person brings up D-OFF, and that’s all they talk about for about a week. To watch that is also interesting.

Dave Bittner:

How would you describe your own leadership style as you’re guiding that team?

DK Lee:

Lead from the front, you know? I always have to. I guess a lot of people have been reading the Jocko book … Willink’s “Extreme Ownership.” I read the book and I agree with what he says. Throughout my history of having managers and directors, the best ones have always been the ones who don’t really just … They’re the ones taking all the hits. They’re the ones that are leading from the front. They’re the ones communicating properly to their team and probably up, you know? To their superiors. So, to me, that’s something that I always looked at and now I try to do every day, making sure that I’m communicating as clearly as humanly possible and not just to the people on my team but to the people that I answer to.

Dave Bittner:

What sort of attributes do you look for from your own team members?

DK Lee:

Curiosity, hard work ethic, people who really need to get answers. I don’t really enjoy people who are taking shortcuts to do things. I need to get people who really want to get the answers. It’s not just because so-and-so said this. I want people that really understand the … I guess the who, where, and why, all that kind of stuff. They want to know. It’s not that it’s their job to know, it’s that they want to know. I have a couple guys, younger guys and they’re just really thirsty about knowledge. They want to know why, constantly asking me questions, which I don’t mind, as long as they’re learning from it and they’re coming up with follow-up questions, no problem. Those are the kinds of guys I look for.

Obviously work is work. I totally get that. I’m not expecting everybody to spend all their time doing that, but while they’re there, I want them to be fully engaged and be passionate in what they’re doing.

Dave Bittner:

Have that innate curiosity.

DK Lee:

Yeah, they want to know. You always want to know. Even when I was a kid, you always wanted to know how the sun works and all that kind of stuff. Obviously, as you grow older, I still question things. And especially in our field, there’s a lot to question. Not just even intel but in security, there’s just so much to learn, to know. I look for the people who want to know. The people who are like, “I know everything,” or, “I don’t want to know” is not something that I want to deal with. Not because they’re bad people, but it’s hard for the team to grow.

Dave Bittner:

What part does threat intelligence play in the work that you all do at the FS-ISAC?

DK Lee:

Well everything, actually, just because that’s our main function. It’s the intelligence data that … IoCs and all the stuff that our members send. It’s our job to process that too, and distribute that out. We have another team, we have a sister team within FS-ISAC, they’re more of a strategic-based intelligence team. They also take what we send, what the members send, and they send out reports based on that. Everything that we do is based on quote-unquote intelligence.

What I think of security intelligence? I think, and I’m sure there are a lot of people who disagree with me because I’ve had disagreements about this conversation, I don’t buy into the whole intelligence driven security. I don’t buy into that, just because I’ve been to the other side of it, where I truly believe that intelligence is a very, very important support element of everything, is operations, engineers, monitoring, incident response, vulnerability management, red team, everything. But for that team to lead everything else, I don’t buy into that, just because intelligence is intelligence. But the growth of the operations has to be further along or equal to the intelligence.

Because the fact that if you have a very mature … A lot of companies spend a lot of money in intelligence. Fees and all that kind of stuff, but if you don’t have the operational team to ingest that, to operationalize it, it’s a waste of resources, and the other way, while they’re not getting a lot of data but they’ll still be able to function as a security operation without a lot of intelligence, would that hurt them? Yes. But they will have more resources to do other stuff within the operations. So, I feel like there are a lot of groups that spend a lot of money on intel data, intel feeds, intel vendors without really coinciding with their operational organization. To me, that’s a huge mistake and it’s a huge waste of resources.

I’ve been on the other side. I’ve been in companies where they have every vendor that you could think of. Every big vendor you can think of. But the only thing they’re really using from that is IoCs. That’s just low-hanging fruit, but what else are we really … Do we have the tools? The EDR tools or the security tools that could really capture what those analysts are writing about. TTPs, how they’re moving, how they’re moving laterally and all that kind of stuff. Do we even have logs? If you don’t, it’s a lot of waste.

Dave Bittner:

How does a company, or an organization, or even a team properly calibrate themselves to know?

DK Lee:

I think scoping from the beginning or even, let’s say, you’re an older organization that wants to change their program, you really need to scope your whole operations. Not just security but even networking operation. So what does your network look like? Do you have the segmentations? What tools do you have? Are they configured properly? Do we have the right egress points? You want to get a good foundation of a good network. Not perfect but at least a good network, some proper segmentations. Okay, do we have the proper security tools around there? Do the end points have the right tools that collect logs or even monitor?

After that you understand what you have now, then you think about what your organization is. So are you a finance organization? Okay, that should have different network segmentations than, let’s say, you’re in a hospital just because the crown jewels are much different. So you scope out how big you are, how many people you have and then you think about how much intel … other sources that you really want to bring in. Even then … Because I’ve had a lot of experience when people are like … Collect everything.

Scoping what you have and what your company is, even just looking at your company will help out with the collection requirement, because I’ve asked many people, “What’s your collection requirement?” They’re just like, “Everything.” It’s too hard to ask your intel vendors or even your internal team to say to collect everything. It’s just too hard, and it’s too hard for them to say, “Look for all that kind of stuff here.” So you need to prioritize everything. It’s the same thing as vulnerability management. There’s a lot of vulnerabilities but you can’t actually expect your team to look for everything and pass everything right off the bat. You need to prioritize that. So that prioritization is the collection requirement.

Dave Bittner:

Is there a formula for that or is that wisdom?

DK Lee:

I think it’s a little bit of both if you think about it. How big is your company? Okay. How many people do you have? What kind of stuff do you have? That is more of a formula. But then you have … Then you need to have the right people looking at your network and looking at your company, like a really good security architect and security operational manager, CISO, all coming together. Engineers, vulnerability management team if you’ve got a big enough organization, all coming together, then looking at that and saying, “Okay. What do we need?” Rather than …

Because I see a lot of people just like, “We’re going to just stack this. We’re going to just stack this. We’re going to just stack this to make this work.” But if this one piece doesn’t work, just putting this here normally doesn’t work. And don’t get me wrong, I’ve also seen some really good organizations where that happened, and it took a while, but when you look at them now, it’s like, “That is a well run organization. That’s a well run team.”

Dave Bittner:

But maybe they had fits and starts along the way.

DK Lee:

Oh sure. I know they did. I know they did, but it takes … I truly believe that it takes the right group of people that have come together, put all the egos aside and say, “Let’s all work together. I’m not bigger than you, you’re not bigger than me. Let’s just put this all together and make it work.” Because I’ve seen people … There are a lot of people selling that, in my opinion, a lot of these organizations they’re just not mature enough.

Dave Bittner:

They’re not ready.

DK Lee:

They’re not ready. There’s no point for them to have X, Y, and Z yet. They could, and when they’re mature, they should. It’s like a race car. You certainly know how to race, a lot of the pro drivers all learn from go karts. Just because you know how to drive a go kart at that age doesn’t mean that you should go into a Formula 1 car right now. Let’s grow into it. A lot of people need to look at themselves and see where they’re at. Some people think that they’re further ahead than they really are, and that’s a shame just because there’s a lot of good people within that small organization that want to do right. They really want to do right, and they’re the ones that are impacted by it.

Dave Bittner:

Do you think any of this is driven by compliance?

DK Lee:

There’s some.

Dave Bittner:

I think about, particularly FS-ISAC, your vertical has lots of compliance issues, requirements.

DK Lee:

I’m very lucky in that aspect, I guess. I don’t need to worry about it from what my team does. What we have to worry about is the TLPs and making sure that we’re abiding by our compliance of not sharing certain things, but that’s a very small, minute thing compared to everything else. For me, I don’t have to worry about that too much. Very limited on what we could do, what we could share to certain people, et cetera, et cetera, but that’s very small. But I understand where you’re coming from, where these people are forced by compliance to do things.

Dave Bittner:

I’ve got a box I can check.

DK Lee:

Yes. But that’s when, I guess, the right people need to think about … Their people need to really think about is that … Okay, is that box being checked more important than the rest of an organization? Know what I mean? And I think they could do both. You don’t have to just have something to just check a box. I think that checking a box could actually be very meaningful just done in the right way, not just buying something and plugging it in. Checking that box could also be just fixing what you have, configuring properly.

Yes, I see a lot of people being pressured by compliance and saying, “I need to have this to check a box,” but there are better ways to go by it than just buying something, then checking a box. It shouldn’t be about checking a box. It should be about improving your environment.

Dave Bittner:

What is your advice for organizations that are starting down this path, who I would imagine feel as though they’re at that moment of maturity when it’s time for them to engage with threat intelligence? Any tips for them to have a reality check?

DK Lee:

Don’t wait until you’re breached, publicly embarrassed. Don’t wait for that. Like I said, I don’t think all of them are bad. I think there are a lot of good ones, and there are a lot of good ones where there are a lot of people who want to do the right thing but they don’t have the right tools or finance or et cetera, et cetera. But I think where people really want to start is to look at your own organization to see how well it is functioning. It’s not just about, like you said, compliance and check box, but is your network really functioning as it should be? Is your network doing a proper pen test and putting a proper red team? Not just your network, but is your entire organization, even people … Is it properly done? Are they properly trained?

I’m not expecting everything to be perfect, but it’s a good start to always look inside yourself, and definitely have to check the ego. There really is a lot of ego in our industry. I think all of us have some, but it’s just that you have to be able to check that at the door just because if you don’t, there’s a lot of stuff that people just miss. And looking at yourself and just being self-aware is probably the best thing to do. It’s okay that you’re not at this super mature level, because a lot of people like to tout that, “We have the best security,” but you don’t have to think that way. It’s okay not to. It’s okay to be humble about it. Just because of the fact it will help you with your growth. And at the end of the day, you’re really trying to protect your own organization or your clients. Being cocky about it is not going to help that. Being humble about it, seeing where you need to improve within yourself every day is the best way to do it in my opinion.

Dave Bittner:

Our thanks to DK Lee from the FS-ISAC for joining us. We sat down at Recorded Future’s 2019 RFUN: Predict Conference in Washington, D.C.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
