The Proliferation of Cyber Janitors

Friday, January 20, 2012


The Proliferation of Cyber Janitors (and the mentality behind this movement)

Over the past two years, the cyber security industry has seen a significant move by security professionals and organizations to create CSIRTs or Computer Security Incident Response Teams.

The staffing for these roles has been significantly higher than for other information security positions. The technology built for security operations centers (SOCs) has expanded equally quickly, with new log management and event correlation products coming online.

As you know, CSIRTs can have a wide range of functions that cover the gamut from response to proactive threat and vulnerability management. However, over the past couple of years we have seen a focus on response: an after-the-fact see, detect and arrest function. It is almost as if the hiring managers have given up.

Let us shift gears a bit here. Yesterday, Art Coviello, executive chairman of RSA, said:

“It’s not a matter of if and when, it’s how you are able to respond and shrink the window of opportunity so when you are breached you can respond timely enough to mitigate any damage.”

This statement indicates that he is beaten. He has thrown in the hat with the "not if but when" statement. All because they were breached. This is because RSA/EMC, like many other organizations, had built their security organization on a see, detect and arrest mentality.

It was inbred from the start of their global security program, based upon a cult of personality steeped in a law enforcement mentality. They have moved to the realm of cyber janitors. How much money did RSA/EMC spend (and are they still spending) to 'clean up' their mess beyond the initial $63M?

It took that incident to get RSA off the dime to 'innovate' a 30-year-old, static product. Much like all the others, it takes a spill.

So what is a Janitor?

The general responsibilities of most janitor positions involve routine cleanup tasks. These will often include removing trash from waste cans in offices, vacuuming carpets, sweeping floors, and in general keeping the space in an orderly fashion. In many cases, a janitor may also handle climate control functions with the building as well.

This may include keeping a furnace in proper working order, handling the function of thermostats, or keeping a boiler system in proper repair. A janitor often also troubleshoots with plumbing issues, handling maintenance tasks with hot and cold running water, replacing leaky pipes and faucets, and replacing sinks and toilets when necessary.

Along with basic cleaning responsibilities, janitors may handle other responsibilities, such as seeing that doors are locked after hours and that any electronic alarm systems are properly set before the building is closed for the evening. The head janitor may also oversee a cleaning crew, depending on the size of the facility.

While a janitor may work during the daylight hours, it is not unusual for many cleaning professionals to work during the evening. This is especially true with office buildings, where the janitor will be able to work without disturbing people who would prefer to work without a vacuum cleaner running or someone mopping or emptying trash receptacles.

The cyber janitors of today fill the CSIRTs expecting the worst to happen. They are skilled in after-the-fact clean-up functions. A whole cottage industry has sprung up around cyber janitors. They augment existing staff functions after a breach (or, better said, a data spill); they serve to examine where the breach came from; they are law enforcement or interface with law enforcement (arrest); and they charge very high rates.

They are vultures feeding on the misguided carcasses of breached entities, promising all sorts of help and assistance except one: the most important type of assistance that is needed across all security organizations today, a proactive, preventative approach to cyber security management.

Coviello also said:

“We believed we had a very strong security system in place before the breach and we redoubled our efforts across the entire spectrum, including our communication with employees.”

He said this because this is what he and all of EMC leadership were led to believe. The reality was internal deception and security staff way over their heads in understanding how to build a resilient organization.

RSA took their show on the road but they did not expose the true issues inherent in the internal security functions at EMC. Way too embarrassing to shed light on this. It is difficult to rebuild a program when it is steeped in the see, detect and arrest mentality. The cyber security industry hopes the redoubling of efforts at RSA/EMC does not mean doubling down on the same losing proposition.

Lucky for RSA that EMC was able to stifle criticism using the EMC marketing machine and legal group, by offering vocal critics a view at the breach (in exchange for signing an NDA that said you can’t say you signed an NDA).

If it takes a breach to stimulate innovation, then you have the wrong leadership since their main function should be innovation (not sales of outmoded products).

Most of the large security vendors still pitch and push reactive and signature-based solutions. They push their wares because the market is still in the billions and because consumers are led to believe these products work. They buy their way to keynotes at large security conferences where no one is allowed to sell during their talks, yet the talks they deliver are all about sales.

They talk innovation, but their type of innovation is still tied to see, detect and arrest. They may mouth the words 'proactive' and 'preventative', but the products indicate otherwise. They propagate the cyber janitor skillset. They push the need for cyber janitors, whether it is RSA, Symantec (lost source code), McAfee (penetrations), or others who have decided not to come forward.

What we really need in this industry is a complete shake up. We need true innovative thought that uses cyber intelligence, counterintelligence and active defense and offensive measures in our programs. No more sitting around waiting for the penetration. No more deception in security program communications. Full open kimono only.

If the product and/or solution does not prevent, if the foundational elements of IT and security are not of a proactive nature, if the sales pitch is still about after-the-fact investigations and forensics, then move on to the next vendor.

Companies can continue to expand their cyber janitorial staff, or they can focus on preventing spills and reduce the requirement for cyber janitors. Pay me now or pay me later ($63M outlays and a tarnished corporate image). (Could you imagine if you, the CISO, were given $63M to run your security program?)

About the Author: Jeff Bardin is currently Chief Intelligence Officer for Treadstone 71. In 2007 he was awarded the RSA Conference award for Excellence in the Field of Security Practices. The Bardin-led security team from Hanover Insurance also won the 2007 SC Magazine Award for Best Security Team, competing against such organizations as Barclays Global and the Department of State. Jeff sits on the Board of Directors of Boston Infragard, Content Raven and Wisegate; was a founding member of the Cloud Security Alliance; is a member of the Cyber Security Forum Initiative and the RSA Conference Submission Selection Committee; and formerly sat on the Customer Advisory Board for Chosen Security. Jeff published The Illusion of Due Diligence in 2010, was a co-author of the Computer and Information Security Handbook and Understanding Computers, and has published articles for magazines such as The Intelligencer, CSO, and SC Magazine. Jeff served in the USAF as a cryptologic linguist and in the USANG as an officer. He has a BA in Special Studies - Middle East Studies & Arabic Language from Trinity College as well as an MS in Information Assurance from Norwich University. He is also a professor in masters programs in cyber intelligence, counterintelligence, cybercrime and cyber terrorism at Utica College. Jeff also holds the CISSP, CISM, C|CISO and NSA-IAM certifications.

Kevin Lovegrove Sad to say, but sometimes you need a disaster to spur people into making changes.
Bob Johnson I am what one would consider a Cyber Janitor...I am an Information Security Officer for the federal government. My biggest issue as a Cyber Janitor is cleaning up the end-user's mess that was created by their stupidity and total disregard for cyber security...and it is generally the upper-higher management that cause the toxic spills...then they get angry when I attempt to do my job and explain to them what they did wrong...until there is 100% buy-in by all levels of the chain I will continue to be a cyber janitor...and NOT a cyber security professional.
Received a slam over at Securosis - Here is my response to Mike Rothman -

Cyber Janitors - RSA/EMC was provided a detailed get-healthy list in 2008, where it was summarily buried. Sometimes, Mike, you may wish to query someone before you shoot yourself in the foot.

As for innovation, there is plenty to be had with orgs such as Unveillance, CounterTack, Content Raven, and Trustifier. You just need to look beyond the large companies who pay for your services to find them.

Some of these orgs offer great attribution techniques and methods of C&C takeover. It is a reality if you want to look for it. Maybe your research just isn't that good. Maybe you are one of those who sells services based upon the phony concept of APT. Maybe you should read papers such as Mitigative Counterstriking from U of Illinois to gain a bit of a background.

Comments like yours are seen to be quite ridiculous since you have been out of the game for so long and not in the trenches fighting the battles. Research is one thing. Actually having to work for a living is another. You lose touch much like your comments demonstrate.