The Ultimate Job for a Network Defender

June 1, 2020 • Caitlin Mattingly

Our guest this week is Rick Howard, chief analyst and chief security officer at the CyberWire. Rick’s career included stops in the U.S. Army in signals intelligence, teaching computer science at West Point, and pioneering roles in threat intelligence for the military. He’s the former chief security officer for Palo Alto Networks, where he helped create and manage their Unit 42 threat intelligence team.

He shares his insights on his career as a network defender, his take on the essential role of threat intelligence, and what he looks for when hiring members of his team.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 161 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest this week is Rick Howard, chief analyst and chief security officer at the CyberWire. Rick’s career included stops in the U.S. Army in signals intelligence, teaching computer science at West Point, and pioneering roles in threat intelligence for the military. He’s the former chief security officer for Palo Alto Networks, where he helped create and manage their Unit 42 threat intelligence team.

He shares his insights on his career as a network defender, his take on the essential role of threat intelligence, and what he looks for when hiring members of his team.

Rick Howard:

I guess I got my start as a cybersecurity person from my training in the Army. I spent 23 years as a signal officer where I learned … Where I deployed communications in the early days, tactically. And then later on for garrison systems. And then I was right there when the internet was coming on board. So all that stuff essentially came over to the Army Signaleers to figure out how to do that for Army personnel. So that’s where I got my training.

So one of the last things I did was, well they introduced Unix into the Army’s communication system back in the early nineties. So it was right after I went to grad school and that’s where I got my start thinking about using computers for communication, and then how to secure them.

Dave Bittner:

And you spent some time at West Point as well, yes?

Rick Howard:

That was such a great job. I can’t believe they let me do that job. Imagine me teaching cadets how to be computer scientists. But it was fantastic. West Point is a beautiful place on the Hudson. We lived in this fantastic neighborhood. And you know in the Army they do everything by rank, so everybody with the same rank lived in the same neighborhood. So I was a captain and a major there, and everybody had two kids, a minivan, and a dog. And so every Friday night we would do these barbecues at the little park, across the street from my house. It was all fenced in, so everybody would bring their kids down. The parents would be up at the top where the gate was and kick the kids back into play. We would cook hamburgers and hotdogs every Friday. I mean, it was just a fabulous place. I taught computer science there for a number of years and just had a blast.

Dave Bittner:

And so when you wound up your career there with the Army, where did you head next?

Rick Howard:

Well, the interesting thing was, my last job in the Army was, I ran the Army Computer Emergency Response Team, which is essentially the CISO for the Army. We didn’t have CISOs back then, but that’s what essentially it was. My main function was to coordinate offensive and defensive operations for the Army so they wouldn’t step on each other. Because back in those days, the intelligence arm did all the cyber operations offensive and then another complete command did the defensive piece. And sometimes they didn’t like to talk to each other. So my job was to make sure —

Dave Bittner:

That sounds like, I’m just imagining you learning a whole lot about diplomacy from that assignment.

Rick Howard:

And I worked at this fantastic place. It was called the Army’s Information Dominance Center because we didn’t know what the internet was going to be back then. And the guy that built it was a “Star Trek” fan and he didn’t want it to be cubicle city. He knew that they were going to bring VIPs in to see what the Army was doing in this new thing called “cyber.” So he wanted it to look cool.

So he flies out to Paramount Studios and says, “Hey, we want to build the bridge of the Starship Enterprise for our Army Information Dominance Center.” And they let him do it. So for two and a half years, I got to work in this place, which had a captain’s chair that I sat in every day. Didn’t do anything in it, but I’m going to sit in it. Because, you know, because you have to. Had a big screen up front, had pods on the side. It had a raised platform, you know where Worf would normally stand.

And behind Worf, it had our conference room, where the doors opened and closed automatically. And I swear, I am not making this up, Dave, the doors had the sound effect that said “pshewit.” Just like —

Dave Bittner:

Get out. Really?

Rick Howard:

Yeah. And we walked through it all the time just because.

Dave Bittner:

Just for fun. Oh my God.

Rick Howard:

So that’s where I first started learning about cybersecurity at scale. The Army was just making it up as we were going along. And I remember the first case I had, was this guy, he owned the Army networks. He was all over us in every base camp and station around the world. And he was a conspiracy nut. He wasn’t doing anything like cyberespionage or cyberwarfare. But he was convinced that the Army, and by the way, all the services, he wasn’t just in the Army’s network, he was in everybody’s network, but he was convinced that we had the secrets for the alien invaders in our networks.

So his whole purpose was to find those secret documents. So we go through this big drill, and we coordinated with the British authorities because he’s a British citizen. They knock on his door, they arrest him, and then he’s out on the street the next day. And then spent the next 40 years fighting legal action to get him to the States for a trial. He has still not been tried for that.

Dave Bittner:

Huh. Is this just a case of somebody who has a bee in their bonnet and a whole lot of persistence and time?

Rick Howard:

Yeah. That’s the original persistent threat.

So that’s how I got started in all this. And then I did this thing that I wish I, if I had thought about it, I would have been a genius, but I just fell into it. When I retired from the Army, I went to work for a security firm that had nothing to do with the government. You know, people like me, old Army officers, would typically go work for one of the big systems integrators like Lockheed Martin or Raytheon. Because they’re military like, pseudo-military.

But I didn’t do that. I went to work for one of the original MSSPs. It was called Counterpane. It was the company that Bruce Schneier founded back in the day. And that was the smartest thing I ever did because I had to get out of the government mindset and I had to learn how to be a commercial business person. That was the smartest thing I ever did.

Dave Bittner:

What was that transition like for you? Is there a bit of a culture shock?

Rick Howard:

Oh my God. Yeah. I knew coming out of the military that I was going to have to tone my leadership style down, because in the service you say things and people do them.

So I, on purpose, was holding, really toning it down a lot. And after that first year, during my performance review, my boss said, “You know, you really need to tone down that Army leadership thing.”

Dave Bittner:

Wow.

Rick Howard:

Yeah. So that was a bit of a culture shock for me.

Dave Bittner:

So where did you go next?

Rick Howard:

I got the opportunity to go work in my, in the field that I love, which is cyber intelligence. Verisign, one of the original, big, important security firms. They had the small business unit called iDefense, which produced commercial cyber intelligence for their customers. And so they needed someone to run it and so I got to go do that.

It was fantastic because by this time I didn’t have any clearances from the government anymore. And one of the big things for iDefense back in the day was that they really had a HUMINT intelligence service. Meaning they put people on the ground in lots of weird places around the world just to see what was going on. So when I was in the Army, if I wanted to go talk to a Chinese hacker, that would take two years of planning, 17 generals would have to say yes, and then they would probably change their mind right before they went out the door because it’s too risky.

But in iDefense we had no government ties. So if I wanted to see what the Chinese hackers were doing, I’d just say, “Hey, go talk to the guy. Go have breakfast with him and see what he’s doing.” And they would tell us what they were doing. So it was a really interesting time.

Dave Bittner:

So you’re enjoying your experience there. What led you to being a CISO?

Rick Howard:

I’ve always thought that the CISO, or the CSO, was the ultimate job for a network defender. That’s the problem with the highest job you can get in our field in my mind. So I was constantly looking for an opportunity to take one of those jobs on. Because I learned all these things in the Army and working in the commercial sector, about how the adversaries work. I wanted to see if I could actually take an organization and actually do something meaningful.

And you know this from talking to a lot of CISOs and people that want to be CISOs, Dave. You can’t be a CISO unless you’ve been one, right? It’s this paradox. Nobody wants to hire a CISO unless you’ve been a CISO. So it’s really hard to break in. So I got the opportunity to go work for a company because my best friend, from the Army by the way, was in this organization that was looking for a new CISO. And I got to go do that for the first time. And it was a huge learning experience. It was a company called Task. They were a mini systems integrator. And I got to get my feet wet about what it means to be a CISO.

Dave Bittner:

And what was that transition like? I mean, what sort of things did you have to learn along the way?

Rick Howard:

Well, it was interesting because my predecessor had purchased all the toys. He had every tool that you’d ever have wanted. And he had them deployed. But he ran out of money when he started to hire the people to manage it. So he had world-class cybersecurity tools, but we had a sub-tier one list of folks. These were really motivated people, but they had no experience. And so the big thing I had to solve was how do we bring those people up to speed quickly, to manage all these high tech tools we had. And it was a lot more difficult than the way I just described it.

Dave Bittner:

And how long were you there?

Rick Howard:

It shows up on my resume like that, I was only there for a short time because I got this fantastic opportunity. My old boss at Verisign, the guy that was the CEO there, Mark McLaughlin, he left before I left Verisign to go to Palo Alto Networks and take the company public, which he did. After he left, I went over to Task to be the CISO, but Mark loved what iDefense could do when I was at Verisign. It never made any money, by the way. But it was just this unique capability that the company had and he loved it. So about a year after he went over to Palo Alto Networks, he called me and said, “All those things you were telling me that was going on in the cyber world, we’re doing them here. And you can help us get it done.” So I left my first CISO job at Task and went to be the Chief Security Officer for Palo Alto Networks.

Dave Bittner:

Now that strikes me as being an opportunity for scaling there. I mean, that’s a different size organization. Yes?

Rick Howard:

Yeah. It’s gigantic. And different in that Palo Alto Networks, when I joined, was one of the big security firms. But typical of most companies, they hadn’t applied everything they know to their own organization. So it was an opportunity to take their expertise, which they had a lot of, they had, when I first joined, it was only about 3,000 people. And most of those were security engineers, and they knew a lot about how the adversaries worked in cyberspace. But then the idea was to transition that knowledge into an operational arm of the internal company, which is fantastic.

The other thing I got to do was build their first intelligence program, which we named Unit 42. And it was designed to be a public facing cyber threat intelligence group. Because the company knew a lot about what was going on with cyber adversaries, but they didn’t have anybody dedicated to telling the world how smart they were. So one of my first tasks was to build this organization. And it was a blast because they said, “Make it the world-class cyber threat organization and then go hire some of the best people to run it.” Which I did. So it was fantastic.

Dave Bittner:

Yeah. And that’s where you and I first crossed paths. You were a regular guest on the CyberWire, explaining some of the things that … Some of the research that you and your team were doing at Unit 42?

Rick Howard:

Yeah. And it was wonderful because in my entire career, I’ve been doing cyber intelligence. Back when I was in the Army. When I first transitioned to the commercial world. But in every job I ever had, I always had one of two things happen. Fantastic analysts but crap data, or fantastic data and crap analysts. I didn’t have “fantastic” and “fantastic.” When I went to Palo Alto Networks, I was going to get fantastic data because everybody has a firewall and those firewalls are collecting intelligence, so lots of things to look at. And they gave me permission to go hire the smartest people I could. And I did. So for the first time in my career, I had the data that I needed to be good and I had the personnel that I needed to be good. And we found all kinds of interesting things.

Dave Bittner:

Well, give us some insights on your perspective when it comes to threat intelligence. What part does that play in an organization’s defensive posture?

Rick Howard:

Well, when I first started doing this, intelligence wasn’t a mandatory thing. It was always, in the early days it was considered to be extra. Only the most well-resourced organizations would have one. But that has definitely changed in the last 10 years. It’s become obvious to most network defenders that if they’re going to have any chance of preventing bad guys from breaching their networks, the first thing that’s going to happen is they have to have ways to inform how they’re going to defend their enterprise. And what happened back in 2010, the Lockheed Martin research team wrote this white paper about intrusion kill chains, which fundamentally changed how we all thought about defending our enterprise. In the old days, before that paper came out, we would do this passive defense in depth. Basically throwing defensive controls, general purpose defensive controls, into our network and hope that the bad guys would run into them.

Lockheed Martin’s big insight was that adversaries, regardless of their motivation, and regardless of the tools they use to accomplish their tasks, they all basically have to do the same seven things. And if you build prevention controls for each of those seven things, you could build a defensive posture for all the known adversaries at each of those spaces. And you can’t do that unless you have an intelligence team. So in the last 10 years, that’s where most intelligence organizations have focused their efforts.

Dave Bittner:

What sort of suggestions do you have for organizations who are shopping around for threat intelligence? So what sort of things should they keep in mind when they’re looking to source that sort of thing?

Rick Howard:

Yeah, that’s a really great question. There’s a difference between hiring a news service and hiring a threat intelligence service. The distinction is if you can’t do anything with the information that you were receiving from the service, that’s news. But if you are receiving intelligence that you can make decisions on, that’s an intelligence service. And there’s all kinds of different intelligence services. There’s kill chain intelligence services. There’s people that monitor the dark web, and everything in between. But the point is, for CISOs and intelligence groups, is if they can make a decision with the information they are getting, then that’s what they should be looking for.

Dave Bittner:

And that’s, in your estimation, that is a worthwhile investment these days?

Rick Howard:

It is essential. I mean in today’s current environments, we pretty much know about 95% of the active adversary campaigns running on the internet on any given day. That’s a lot. So since we know that, the idea that you would take that information and convert that into prevention controls down the intrusion kill chain for the security posture that you have, you can’t do that unless you have an intelligence team.

Dave Bittner:

I want to switch gears a little bit and get your take on advice for folks who are entering the business. When you’re mentoring people, what sort of advice do you give them for getting their start?

Rick Howard:

I get that question a lot. The thing that I’m looking for when I’m hiring somebody, you go through the list of requirements for the job and see if they’re in the ballpark. But what you really want from a cybersecurity person, a network defender, an intelligence operative, is this passion for learning. To learn it on their own. They don’t really have to know a bunch to be a cybersecurity professional. They need to understand operating systems a little bit. They need to understand networks a little bit. But what they really need to do, their real skill set that I am looking for, is their ability to solve problems on their own.

One of the original questions I have when I’m interviewing somebody is I’ll go through the list of job requirements. But my last question is always, what are you running at your house? Because if this potential employee is not running a Linux box, that he built himself, he’s not smart. He’s not smart enough to be on my team. So it’s not that you have to know Linux. It’s just that you have to be smart enough to tackle these strange problems and figure them out yourself, because I don’t know how to solve them. And I’m going to hand this big dripping bag of problems to this person and say, “Go solve it.” And they need to be able to do that on their own. So that would be the advice.

The way you do that is read as much as you can. Read all the technical material that you can get your hands on. Do stuff at home. Practice what you’re going to do. Read books. Read stuff out of our industry because that’s going to give you insight about how you might apply your craft to different things. Just consume as much material as you possibly can.

And I would give one more thing for them. They should practice writing and speaking. Because I’ve had some really smart people work for me in my career, but they couldn’t convey what they knew to people that didn’t know what they know. So you have to practice communicating what you know to people that are not as smart as you. And the way you do that is you write and you speak in public. So there you go. That’s the easy way to get into the cybersecurity world. Read as much as you can, write essays, and speak in public.

Dave Bittner:

And invest in a Linux box.

Rick Howard:

Yeah. And if you play Fortnite at home, you get an extra added bonus for coming to work for me.

Dave Bittner:

Really? Fair enough. Fair enough. Rick Howard, thanks for joining us.

Rick Howard:

Thank you.

Dave Bittner:

Our thanks to Rick Howard for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
