


The Proliferation of Cyber Janitors (and the mentality behind this movement)

Jan 23, 2012 | 6 mins
Topics: IT Jobs, IT Leadership, Technology Industry

Over the past two years, the cyber security industry has seen a significant move by security professionals and organizations to create CSIRTs or Computer Security Incident Response Teams.

The staffing for these roles has grown significantly faster than for other information security positions. The technology built for security operations centers (SOCs) has expanded just as quickly, with new log management and event correlation products coming on line. As you know, CSIRTs can have a wide range of functions that run the gamut from response to proactive threat and vulnerability management. However, over the past couple of years we have seen a focus on response: an after-the-fact see, detect and arrest function. It is almost as if the hiring managers have given up.

Let us shift gears a bit here. Yesterday, Art Coviello, executive chairman of RSA, said:

“It’s not a matter of if and when, it’s how you are able to respond and shrink the window of opportunity so when you are breached you can respond timely enough to mitigate any damage.”

This statement indicates that he is beaten. He has thrown in the towel with the "not if but when" statement. All because they were breached. This is because RSA/EMC, like many other organizations, had built its security organization on a see, detect and arrest mentality. It was inbred from the start of their global security program, based upon a cult of personality steeped in a law enforcement mentality. They have moved to the realm of cyber janitors. How much money did RSA/EMC spend (and are they still spending) to ‘clean up’ their mess beyond the initial $63M? It took that incident to get RSA off the dime to ‘innovate’ a 30 year old, static product. Much like all the others, it takes a spill.

So what is a Janitor?

The general responsibilities of most janitor positions involve routine cleanup tasks. These will often include removing trash from waste cans in offices, vacuuming carpets, sweeping floors, and in general keeping the space in an orderly fashion. In many cases, a janitor may also handle climate control functions within the building as well.

This may include keeping a furnace in proper working order, handling the thermostats, or keeping a boiler system in proper repair. A janitor often also troubleshoots plumbing issues, handling maintenance tasks with hot and cold running water, replacing leaky pipes and faucets, and replacing sinks and toilets when necessary. Along with basic cleaning responsibilities, janitors may handle other duties, such as seeing that doors are locked after hours and that any electronic alarm systems are properly set before the building is closed for the evening. The head janitor may also oversee a cleaning crew, depending on the size of the facility. While a janitor may work during the daylight hours, it is not unusual for many cleaning professionals to work during the evening. This is especially true in office buildings, where the janitor is able to work without disturbing people who would prefer not to have a vacuum cleaner running or someone mopping or emptying trash receptacles around them.

The cyber janitors of today fill the CSIRTs expecting the worst to happen. They are skilled in after-the-fact clean-up functions. A whole cottage industry has sprung up around cyber janitors. They augment existing staff functions after a breach (or better said, a data spill); they serve to examine where the breach came from; they are law enforcement or interface with law enforcement (arrest); and they charge very high rates. They are vultures feeding on the misguided carcasses of breached entities, promising all sorts of help and assistance except one: the most important type of assistance needed across all security organizations today, that being a proactive, preventative approach to cyber security management.

Coviello also said:

“We believed we had a very strong security system in place before the breach and we redoubled our efforts across the entire spectrum, including our communication with employees.”

He said this because this is what he and all of EMC leadership were led to believe. The reality was internal deception and security staff way over their heads in understanding how to build a resilient organization. RSA took their show on the road, but they did not expose the true issues inherent in the internal security functions at EMC. Way too embarrassing to shed light on this. It is difficult to rebuild a program when it is steeped in the see, detect and arrest mentality. The cyber security industry hopes the redoubling of efforts at RSA/EMC does not mean doubling down on the same losing proposition.

Lucky for RSA that EMC was able to stifle criticism using the EMC marketing machine and legal group, by offering vocal critics a view of the breach (in exchange for signing an NDA that said you can’t say you signed an NDA). If it takes a breach to stimulate innovation, then you have the wrong leadership, since their main function should be innovation (not sales of outmoded products).

Most of the large security vendors still pitch and push reactive, signature-based solutions. They push their wares because the market is still in the billions and consumers are led to believe these products work. They buy their way to keynotes at large security conferences where no one is allowed to sell during their talks, yet the talks they deliver are all about sales.

They talk innovation, but their type of innovation is still tied to see, detect and arrest. They may mouth the words ‘proactive’ and ‘preventative’, but the products indicate otherwise. They propagate the cyber janitor skillset. They push the need for cyber janitors, whether it is RSA, Symantec (lost source code), McAfee (penetrations), or others who have decided not to come forward. What we really need in this industry is a complete shake-up. We need true innovative thought that uses cyber intelligence, counterintelligence, and active defense and offensive measures in our programs. No more sitting around waiting for the penetration. No more deception in security program communications. Full open kimono only. If the product and/or solution does not prevent; if the foundational elements of IT and security are not of a proactive nature; if the sales pitch is still about after-the-fact investigations and forensics, then move on to the next vendor.

Companies can continue to expand their cyber janitorial staff, or they can focus on preventing spills and reducing the requirement for cyber janitors. Pay me now or pay me later ($63M outlays and a tarnished corporate image). (Could you imagine if you, the CISO, were given $63M to run your security program?)