Faster Decisions Through Automation

Posted: 20th April 2020
By: MONICA TODROS

Our guest this week is Bob Stasio, global cyber threat leader at DuPont, a global Fortune 500 company with around 35,000 employees. Bob shares his professional pathway beginning in the U.S. Army, with stops along the way at NSA and U.S. Cyber Command, and at private sector companies like Bloomberg and IBM.

In this episode, we get Bob’s take on threat intelligence and learn why he thinks automation is one of the key components to future success in securing organizations — both internally and online.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 155 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Our guest this week is Bob Stasio, global cyber threat leader at DuPont, a global Fortune 500 company with around 35,000 employees. Bob shares his professional pathway beginning in the U.S. Army, with stops along the way at NSA and U.S. Cyber Command, and at private sector companies like Bloomberg and IBM.

In this episode, we get Bob’s take on threat intelligence and learn why he thinks automation is one of the key components to future success in securing organizations — both internally and online. Stay with us.

Bob Stasio:

I got into cybersecurity by accident. I started my career in the military as a signals intelligence officer starting back in 2004. And I came up when the Iraq war was kicking off and I had a lot of focus and training in the intelligence community, mostly doing signals intelligence work, which was really rapidly, at that time, converting from your classic signals intelligence from a Cold War perspective into the more modern digital era.

So I was in the right place at the right time and that afforded me the opportunity to move from this community that was moving from a traditional signals intelligence paradigm into this cyber world. We didn't even have a term for it at the time, got plucked out of the tactical military after my deployment to Iraq, where I was in the surge and we did a lot of counter-terrorism signals intelligence work in the surge in Iraq.

And I got moved in to help build out Cyber Command, U.S. Cyber Command back in 2009. So yeah, around 2009 I got pulled out of the tactical army and got put into the NSA architecture to help set up what was now U.S. Cyber Command. We didn't even have a name for it at the time and I got to go from a very tactical level where I was boots on the ground working with infantry officers to help track down terrorists in Iraq to now working at a very strategic level. I got put on the commander's action group at NSA, National Security Agency, working with the director on the staff to help build out this very strategic vision of what Cyber Command was going to be. And it was a very interesting opportunity and I was the rare man on the totem pole.

I worked for some amazing officers that I worked with there. Actually, one of which is now the current director of the NSA, General Nakasone, who's an excellent person to work for. But I helped them out to produce the output we needed to stand up what became U.S. Cyber Command. So, that was my introduction. And then eventually, I got moved into what became the Army's cyber unit at NSA and I was a company commander for that unit, which was an amazing experience to see the tip of the spear for the military, for the Department of Defense and cyber intelligence collection. It was a very interesting job. The stuff that we would get, the intelligence we would gather would very rapidly go to the highest levels of the government. So it was a very important job and it was a really interesting perspective.

So, I did that for about the first 10 years of my career, the government service side. And then the last 10 years, I have been more in the private sector. So I initially left the government, went into the private sector and started my own company initially to help bring some of the methodologies that we saw in the government and from the intelligence community into the private sector. And that was initially called cyber intelligence or cyber threat intelligence. Again, there wasn't really a name for it at that point either. But I helped companies stand up the cyber threat intelligence units, stand up these particular programs. So did that for a couple of years and eventually was hired inside at Bloomberg in New York to stand up Bloomberg's cyber threat intelligence unit there, in that global team, which led me to work at IBM.

So, I decided to take a little change in my career track to go work at IBM as a product manager for an intelligence product, a product that I actually used when I was in the military. It was called IBM i2 Analyst's Notebook and it was an analytical platform that we used to find terrorist cell networks, but IBM wanted to transform it into something they could use to fight cyber threats. So IBM hired me as a product manager to help that transition, which was really interesting and I thought it was a great experience to learn how software is developed and also how to apply it to different use cases in the private sector. So I did that for a couple of years.

And then did a short transition into the investment community where I worked to help invest in new emerging cybersecurity startups, which then led me to my job now at DuPont. So, I've been at DuPont for about six months now, and I've stood up DuPont's internal security operation center and what we call the cyber threat management team, which is this new and interesting concept of what I would call incident response 2.0.

Dave Bittner:

Well, give us some insights, what is your day-to-day like at DuPont. What sort of challenges do you face there?

Bob Stasio:

My first challenge was to stand up a new team. I was pretty much the first person to come on and stand up the team internally. So I had to be a bit of a player/coach in the incident response world, which I think I still am. So, I started off doing a lot of the incident handling myself and also building out the team at the same time. But now we actually have a really great team that has been assembled and we're working through a lot of the different use cases. But day-to-day, it's essentially doing the level two network monitoring.

I think the term cyber threat management and what we're doing is this new concept where you have a little bit of the reverse in your setup of your personnel, where historically, you had a lot of level one responders, the majority were level one people and then you had very few level two, level three responders. We're the opposite. We have more level two and level three and very few level one and we outsource our level one.

And what we do is we triage the alerts. So we have a lot of artificial intelligence and algorithms in place and machine learning to triage the alerts that are coming in from this federated level one and only the really important things bubble up to my team. And they then look at those incidents and respond to them. And because we do a lot of this filtering and triage on the front-end, really everything we look at is important and there's very few false positives.

So, day-to-day, it's managing the team that's responding to these incidents and we do all types of incidents from business email compromise, to fraud, to data loss prevention, to your traditional cyber incidents. And it's just managing that process day-to-day along with the other administrative stuff that I do, keeping the vendors in line and things like that. So, that's a bit of the day-to-day.

Dave Bittner:

I mean it strikes me that with a company as large as DuPont and as many different things that that business touches, that's a lot to keep track of. How do you go about setting priorities?

Bob Stasio:

Very good question. Yeah, there's a lot to keep track of from the various locations we have around the world. We have offices and manufacturing facilities in Asia, and Europe, and the United States. We also have different PCN or SCADA networks that exist within our research centers and our plants, so it's very difficult to do that. And again, what we do to prioritize our interest in our day-to-day is using a lot of machine learning to do that. So we have quite a few systems in place that do what I would call alert triage and they prioritize things very simply into a low, medium, high. And, we have certain parameters where high alerts need to be looked at within a couple of hours, medium alerts need to be looked at within at least 12 hours, and low alerts are handled more in bulk or look for trends. So, we use a lot of automation, if you will, to do the prioritization. So, we only look at the most vetted and real alerts that come onto my team.

Dave Bittner:

And, what is your take on threat intelligence? I mean how does that play into the work that you do there?

Bob Stasio:

Yeah, threat intelligence is really vital. And I'll give you a little bit of an anecdote. When I first started, we had a pretty high meantime to respond, meaning when we had an alert come in, it took quite a bit of time to mitigate it or to remediate it. Once we started using threat intelligence to help us understand what the severity of the threat was, get a little more context around it, we reduced the meantime to respond by about a factor of 10 just from that alone and not even including automation or anything else.

I look at an incident when you respond to it in really three steps. The first step is confirm or deny there's an issue. The second step is determine scope and scale. And then the third step is remediate and get back to normal.

On the first step, to confirm or deny if it's a false positive, threat intelligence is absolutely vital. You can't do any of the other steps unless you confirm it really is an issue and also wrap some context around it. Is this just a random drive-by malware or is this an advanced persistent threat trying to get into my network? And that'll determine how you respond to it, how much time you spend on it, and how much effort you want to put against a particular alert. So, threat intelligence is really the linchpin that helps with that first step and subsequently allows you to do the other two steps.

Dave Bittner:

It's interesting to me that, particularly with folks that I speak with who have some background in the military, they really value that experience. They tend to say that experience has really brought them a lot of specific skills to the work that they're doing today. Is that also the case for you?

Bob Stasio:

Absolutely. Yeah. I think for a couple of reasons. One, as an officer in the military, it allows you to get leadership experience at a very early age. At the time, I didn't really appreciate how important that was. But when I was a 22-year-old second lieutenant graduating from college, I was put in charge of a nearly 20-person platoon of signals intelligence analysts, so you understand how to run an operation, run an operations center, deal with issues, prioritize, at a very early age, which you'll take with you later in your career. Sometimes, if you haven't been in the military, you don't get that experience until you're in your late 30s or early 40s for the first time. So, I really value that and also, there's just a discipline and process put in place.

But the other thing it provides is this ability to operate in an environment with very little information. And, I think you've had on your program before, Chris Crummey from X-Force Command. I actually used to work for him. That was my last role at IBM. I worked at the X-Force Center, the C-TOC Center. We used to say in that experience that people in the military or first responders understand how to operate in an environment with little information, so you can make decisions with very limited information and not wait. Whereas, if you look at some of the ways people are trained in the private sector, maybe somebody who had gotten an MBA, for example, they're trained ... Somebody who say works at BCG, Boston Consulting Group, they're trained to do this really deep introspective analysis on a topic and come back and write a 30-page report on their findings. Well, in the military environment where you're in a wartime setting or you're an intelligence operation, you don't have time to do that. You have to look for the early indicators and trends of something going on and extrapolate and make a decision very quickly.

And that's what we used to see when we were running simulations at the IBM threat center. But, I also find it's very useful in my day-to-day life, that's pretty much what I deal with every day. I have to see the little bits of information, little bits of puzzle pieces as an incident is forming and make very quick decisions. So, those were really the two areas that the military truly helped me with and I've taken to my career as it's gone forward.

Dave Bittner:

Now, does that also apply to the culture that you have, the culture that you set when it comes to things like accountability? Because I would imagine like you say, it's easy for folks to be paralyzed by indecision. And I suppose part of that comes from the fear that if they make the wrong decision then they're going to be punished for that. I would imagine in the military when you have to make those decisions and they could be life or death decisions if you make the right decision, if you make the wrong decision, there's a different framework for evaluating after the fact as to how those decisions played out. Is that something you bring to your team at DuPont as well?

Bob Stasio:

Accountability is important, but I think you touched on an interesting point as well. It's not so much the accountability for decisions, but it's giving people the leeway, the wherewithal to make decisions without guidance from higher. So a good example of this is in World War II. So, the invasion of Normandy, one of the reasons that we're credited for the United States being so successful, or the allies being so successful, is when we hit the shores of Normandy and we lost all communication with higher, there wasn't really a good way for those troops to get in contact with the chain of command, it was credited to the soldiers on the ground, the noncommissioned officers and the officers on the ground, the low-level people that made rapid decisions in this time of crisis without waiting for guidance. And they just pushed forward and they knew the intent and they accomplished the mission.

And if you contrast that with the German side, there's been a lot written on this, in the German side, they were frozen. They were a very hierarchical structure. They had to wait for guidance from Adolf Hitler and the chain of command and his high-level generals for them to do anything. And they delayed the movement of several reinforcement divisions to Normandy, which basically caused them to lose that battle and obviously, turned the tide of the war. I think it's not so much even the military, it's the American military. The American military empowers people at the lowest level to be leaders. There's a saying we use, lead, follow, or get out of the way. But it empowers even the lowest level NCOs to make a decision and to trust it and go with it, instead of, be frozen and wait for guidance from higher. So it's not so much, there is accountability, but it's almost there is an environment that allows you to trust your gut and trust the decisions that you need to make within your own group to be effective to move the operation down the road.

Dave Bittner:

For that person who's considering entering this career, maybe they're switching from a different line of work or coming up through school or their education, what sort of recommendations do you have in terms of the things that are going to best prepare them to enter the workforce?

Bob Stasio:

I would say if you can do any type of government service on the front-end of your career, I would try to do that. I was in the military, I was in the Army, I really value that experience. That's not the only place you can go. You can serve in a lot of different places in government or the intelligence community in a cybersecurity capacity. But working in that environment, it gives you so much on the front-end of your career, if only just to get training. One of the things I noticed in the difference between the government and the private sector is when you get hired in the private sector, you're expected to know your job day one. I'm not going to hire somebody just to put them through $50,000 worth of training. But in the government, and especially in the military, I was probably put through 500,000 to a million dollars worth of training in the beginning of my career. It's invaluable. I learned so much from doing that and it really sets you up for success later on in your career.

So I would say, you might sacrifice a little bit of pay on the front end. It may be slightly less pay in the government versus the Google or the Cisco recruiting you. But if you could sacrifice that for a few years and get that really valuable experience of training and leadership, that you can't get that later. You can't go back and do it again. So that would be one of my biggest recommendations to people looking for a career in this space.

Some of the challenges we deal with today in the private sector, we always have to be very cognizant of the budget that you're spending on cybersecurity. And in my particular space in incident response and security operations, it can be one of the more expensive areas because there's a lot of headcount or potentially a lot of headcount. And I think people in my field need to balance the number of people with automation. I think we've seen a start of a drive into automation and in playbooks in incident response, but I think we need a lot more of it. I think you need to balance the capability of your personnel with automation and things like threat intelligence to get to a decision sooner and faster and reduce your meantime to respond.

And I think people need to drive that a little bit more than relying on how we used to do things in the past where you have these big security operation centers with hundreds of people and round the clock monitoring. We have to move towards maybe having a very solid, excellent higher trained staff and automating areas where you can, and maybe even moving to an environment where you're not doing 24/7 monitoring. You're doing triaged alerting and treating it a little bit like the medical profession. Because in the medical profession, you have emergency rooms which are not necessarily manned by doctors or they're not manned by some of the higher value specialties.

So a cardiothoracic surgeon is not going to be sitting in the emergency room waiting for somebody to come in with a heart attack. The cardiac surgeon is going to be on-call, and if somebody does come in with a heart attack, there is a list of an on-call person and they'll be called in and they'll handle it. That's the attitude we have to get into. You have highly trained surgeons that are doing this work, that are working in more of a livable nine-to-five environment, what we all want to do, because they're more mature professionals later in their career. And then more of this monitoring automation and on-call for when they need to come in and handle alerts. So, I'd like to see people start to think about that and that's what we're doing. And I think it's been very effective so far.

Dave Bittner:

As you shift towards automation, as you embrace automation, how do you spot check it? How do you do regular audits to make sure that you're getting what you expect out of it?

Bob Stasio:

That's a really good question. I actually have a person full-time dedicated to doing the spot check. And I'm not even including my engineering team. So I have an engineering team that does the setup and maintenance of various tools, but I have an analyst that is pretty much full-time doing the optimization, the playbook development, and the spot checking of our automation. And it is a dedication to put one person on it, but you really need it and I've seen it become very effective over time.

Dave Bittner:

Our thanks to Bob Stasio from DuPont for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.