In a recent article here at Data Center Spotlight, we examined the shortfall of IT security professionals and the increased risk to many organizations as a result. But in the opinion of Cris Daniluk of Rhythmic Technologies, “I don’t think that we need more people that are carrying around six security credentials with them and a master’s degree. There’s always going to be a shortage of people like that.”
Cris shares with us a different model for IT security that is beginning to gain traction in some areas of the tech world, bridging IT and security personnel similar to how developers and other IT staffers have been successfully integrated in their work roles.
Other security-centric thoughts shared include:
- How the gulf between IT and security functions in many organizations takes valuable time away from the core functions of vital IT staff.
- The problems with info security budgets diverting money from IT, only to see that money implement security technologies that can be in conflict with IT.
- The risk in putting too much trust in your perimeter tools.
- Common security strategy mistakes that he sees repeated over and over again in different organizations.
There is valuable insight here for those charged with limiting risk by keeping their applications and infrastructure secure. Listen to the podcast in the player or read the full transcript below the player.
Kevin O’Neill, Data Center Spotlight: This is Kevin O’Neill with Data Center Spotlight. Today we are talking about IT infrastructure security with Cris Daniluk of Rhythmic Technologies. Cris, thanks for joining us today.
Cris Daniluk, Rhythmic Technologies: Glad to be here, Kevin.
Data Center Spotlight: Cris, I think of you every time I hear bad things happening to your beloved Cleveland Browns, so I’ve been thinking about you a lot this season. I appreciate you coming out of your state of mourning to join us today.
Cris Daniluk: As a Browns fan, I know that ball security, like information security, is very important. Unfortunately the Browns players don’t also know that.
Data Center Spotlight: They’re young, they’re improving, you’ll be happy someday, possibly. You just launched a new website, Cris, at RhythmicTech.com – a lot of good content there. Congratulations on your website.
Cris Daniluk: Thank you. We spent a lot of time trying to tell stories about how we actually help our customers. A lot of people don’t understand what role a company like Rhythmic can have in their operations. More importantly, they don’t understand that there are options out there that they can take advantage of to improve their operations, so giving a customer-oriented message helped tell a lot of different stories about what we’ve been able to do for our customers.
Data Center Spotlight: That’s a great idea. Who came up with that idea for you?
Cris Daniluk: Oh, some guy who I’m talking to right now.
Data Center Spotlight: I just bring that up for full disclosure. I want people to know that I do some work for Cris and for Rhythmic, but that doesn’t mean he’s not a smart guy. In fact I do work for him because he is a smart guy and he’s got a lot to offer here, so let’s get to our interview.
First, Cris, tell us a little bit about Rhythmic. I want to let people know where you’re coming from and the services you provide.
Cris Daniluk: Sure. Rhythmic Technologies is an infrastructure management and DevOps company. We do secure cloud hosting, we provide outsourced operations, and we provide managed security for our customers. We typically support customers either in our data center on our cloud infrastructure or in the public cloud, or in theirs, depending on what works best for them. We work with their development and engineering teams to help improve their process and help them move more quickly.
Data Center Spotlight: A lot of what you do is pretty security oriented, so I’m glad to have you with us, talking about this today. There have been reports in recent months, Cris, and you see it repeated here and there that there are a million IT security jobs unfilled in the United States. You and I were talking about this recently, and that’s not your biggest concern. What’s your primary concern with IT security?
Cris Daniluk: The biggest concern I have is that companies have built walls between security and IT, because that was a sort of best-practice that developed over the last 20 years to ensure that you’ve got a team that’s solely focused on security and not distracted by the day-to-day “minutiae” of operations.
The problem with that is that it creates a disconnect where the InfoSec teams are creating policies that, then, IT isn’t staffed up to implement. It creates noise that doesn’t help. It takes IT away from the valuable functions that they perform on a daily basis that do improve security to go out and try and tackle policies and to tackle alerts flowing into their systems that they can’t keep up with.
On top of that, InfoSec is also starting to gain leverage as the security threat… I don’t want to say the security threat is growing, but rather, the perception of the threat is growing. People are understanding that they need to take this seriously and they’re pouring money into InfoSec and not into IT, and InfoSec is using that money and that power to install tools that run in parallel to IT tools, and often are in conflict with them.
So you’ve got this large group of people with a large amount of money and now political leverage inside a company that are coming up with policies, process, and tools, that actually take IT away from its core functions, and its core functions are the most important part of a good security foundation.
I think the idea of just hiring more people and funneling them into this broker process only makes the problem worse. We need to integrate the security and IT functions together in the same way that development and IT functions have been integrated through the DevOps model over the last few years. There’s no reason that that same productivity and capability that DevOps provides can’t be done in IT and security, as well.
Data Center Spotlight: Cris, let me ask you a question: Are there some leading edge practitioners and some like-minded people with you who are starting to implement this, or is it still a problem that there’s not a lot of momentum yet to solve?
Cris Daniluk: I think there are some people that definitely get it right, and they’re thinking this way, which helps me feel good about me thinking this way. There are a lot of companies that you read about that have security issues over and over again, big and small, but there are a lot of companies that you’d expect, that you don’t.
Amazon is running the biggest public cloud in the world and they have customers there that have vital corporate secrets stored and they’re keeping them safe every day. Google, similarly, has had virtually no meaningful security issues over the past 10, 15 years to speak of, and yet they’ve got a target on their back as big as anybody.
Google put out a zero borders security model – it’s actually their internal model that they quasi-open sourced – I think it was earlier this year. It talks about a lot of these same principles, that the important thing that you need to do is make sure that your security function is built into every IT function, rather than having this traditional security oversight model. It just doesn’t work. The problem is that it’s such a big departure from the way people typically think about security that it is slow to adopt.
Data Center Spotlight: Cris, if hiring more security professionals the way things are structured right now is not the answer, how can an organization do more to keep their corporate data, and applications, and their customer data secure?
Cris Daniluk: I think the important thing is to make sure that you have a good and honest relationship with how important the data you’re trying to protect is – how much time you should dedicate to protecting data versus, say, rolling out new functionality and capability in your products.
There’s friction between security and progress and you need to decide, honestly, how much friction you want there to be. A lot of companies don’t really do that. A lot of companies think they can take a shortcut and just buy a tool, drop it in, for any amount of money, and say, “I bought this tool so I didn’t have to have good process. The tool does it for me.” That doesn’t really work.
I think it’s important for companies to think about the tools in terms of teams. Who will use that tool? Who will consume the data produced by that tool and make good decisions based on what’s coming out of it? That requires a much more mature process, and a much more honest process, of thinking about this.
Target is a great example of this. It’s often been cited that FireEye detected the Target attack long before the FBI did, and before most of the data had been lost, but the other side of the story is that the FireEye tool was spitting out thousands of alerts a month, and they were 100% false-positives, so Target’s answer was, “It was producing bad data. We were ignoring it.”
In reality, there are tens of millions of events happening in Target’s network every month and it was only flagging 1,000 of them and saying, “These are ones you might want to take a look at.” There just weren’t people to take a look at them. I think that companies need to have a set of people, and they don’t have to be highly paid, highly credentialed security professionals, but they do need to be security-thinking, lightly trained people that can look at these tools, consume the information and make good human decisions about saying, “This is worth looking at. Let me flag this for attention.” That doesn’t happen in most companies right now, and that’s a serious deficiency.
Data Center Spotlight: I hear you say that, and you’re saying that they do need to hire people. We’re talking about – either there were reports that there was a shortage of IT security people, and you’re saying, “No, there’s not a shortage,” but in this instance you think they should have had more people.
Cris Daniluk: That’s a fair point. There’s something to be said for hiring, but not the type of people they’re trying to hire. I don’t think that we need more people that are carrying around six security credentials with them and a master’s degree. There’s always going to be a shortage of people like that, but what are they going to do for your organization at the end of the day?
I think what we really need is something to bridge from the noise and volume of data that our tools are producing into our decision-making process. There’s an increase in machine learning that can do some little bits of that for you, but there’s still a lot that even machine learning isn’t touching right now.
It requires people, it requires eyeballs, it requires people that are trained, but it doesn’t require people that have spent eight years trying to get their education and paperwork in order. I think if you were to orient your hiring around that thought process; all of a sudden there wouldn’t be a shortage. There’d be people that would love to have that job, and love to get into that field at the ground level.
Data Center Spotlight: What kind of professionals would we hire? Could you compare them to their currently existing jobs? Would these people be hard to hire?
Cris Daniluk: I don’t think so. I think there’s a lot of interest in IT industry for security. I think there are a lot of junior IT professionals that would love to get into security, but see high barriers to entry. I mentioned the credentials are very important to get in there, and it creates this artificial barrier.
The best thing that you can have in a typical security organization is just experience doing it. There’s a lot of demand from people with no or little experience to get into that field. If we can get them in there and get them trained, and get them learning, I think that real-world experience would be far more valuable. There’d be a downstream effect of that, too: you’d be creating a pipeline for your future high-value employees, as well.
Data Center Spotlight: It seems like what you’re saying also indicates the problem of having a firewall, so to speak, between the IT staff and the security staff. It seems like if they were more integrated, moving over from one side to the other, or sort of blending the two, would be a lot easier to do from a career development and skill development standpoint.
Cris Daniluk: Absolutely. They’ve been pitted against each other because one is creating policies that the other doesn’t have the time to fully implement, but it doesn’t mean they don’t want to. That’s sort of the missing piece, is that there’s no good feedback loop for IT to say, “I’d love to do this, guys, but here’s what I need.” Breaking down that wall will get communication going, and it’ll get problem solving going, and it’ll help people move back and forth more freely.
Data Center Spotlight: Are we talking about companies at the enterprise level, or are we talking about sort of corporate-sized companies, or small businesses, as well? For a smaller business would it be easier to just outsource the security and the infrastructure security to a company like Rhythmic?
Cris Daniluk: Larger enterprises have had isolated security departments for a long time now, and that’s trickled down into even large small-sized companies – a couple hundred people and larger. But smaller companies than that, they just don’t have the time and energy to even think about this. It’s typically an IT department that also owns security.
At the end of the day I’ve got to give those guys a lot of credit. They do a pretty good job without having the dedicated resources and tools that their larger competitors might have, but that doesn’t mean that it’s everything they need to be, or should be, doing. There is a lot of value in having companies that can insert the tools that they use across clients into companies that can’t necessarily afford them on their own.
Security is a blend of policies and tools, with people added on top of it. Those tools are very difficult to get your hands on as a small company, and so are the people that read the data coming out of them. There’s a lot of value for small companies that have valuable data they need to protect in using an outsource security company.
Data Center Spotlight: Cris, it seems to me that in the info security world, you and your colleagues do a good job exchanging information, even people you are ostensibly competing against. There’s obviously gargantuan opportunity in the IT security space, but to keep each other informed, you let each other know what’s going on to try to stay ahead of the threats, or at least only a half-step behind the threats, so you have visibility into a lot of what’s going on out there.
I would imagine you’ve got some opinions as to what are the two or three things that people should be doing that many organizations are not doing that would keep them more secure?
Cris Daniluk: I think the single biggest thing that organizations need to do is make sure that they’re using their, not their security tools, but their everyday business tools – their Microsoft Windows desktops, their mobile devices – in the ways that are recommended by their manufacturers and their vendors.
The Home Depot attack was a result of Windows XP machines being targeted. They should have never been using them. They should have been retired years ago, but they thought they were okay, because they were on an isolated network. It turns out the network wasn’t as isolated as they thought it was. Once somebody was able to get into that, they had access to everything.
People need to respect when tools are no longer supported. They need to keep them fully patched, they need to keep them configured the way that they’re supposed to be configured. That’s stuff that you do before you ever put your systems online and it’s a process that you should have in place whether you’re 5 people or 500,000 people. The nuts and bolts of daily operation are ground zero in fighting any of these security threats.
I would say that the next thing to do beyond that is to not put all of your trust in your perimeter tools. Don’t assume that because you put the best firewall in place, the best network intrusion detection in place, that you are somehow protected all the way inside. That’s hardly ever the case, and it almost creates a false sense of security, where in a lot of cases you’d be almost better off without it.
It’s important to think, “What if?” “What if that didn’t work? Then what would I do?” Those thought processes are valuable, and companies are robbing themselves of the outcome of it by not having the conversation, not asking the difficult questions internally, and not thinking about it.
You don’t necessarily need an outside high-valued security team to come in and assess your network to get the answer to some of these questions. In fact, if you haven’t had these conversations first, you won’t get the true value out of having an outside assessment like that.
So I think companies need to be properly using their tools and technology, and having conversations about where they’re at risk, and what they would do if that risk actually happened, and how much it would cost them, so that they can start making better, more informed decisions.
Data Center Spotlight: When you see a breach of some sort, a lot of times it comes down to some sort of phishing attack, or someone didn’t properly guard their credentials, or somehow didn’t follow policy and were sloppy. Are companies doing a better job of educating their employees and making their employees stick to the security protocols that help to keep their IT infrastructure secure, or is that a growing problem? What direction is that heading in?
Cris Daniluk: I don’t know that I’d describe it as a growing problem, so much as it is becoming an easier problem for hackers to take advantage of. Social engineering – it’s one of the oldest tools in the book. It predates the information part of information security by quite a few thousand years.
The tools and the ease with which somebody can generate a beautiful-looking email that looks as authentic as it can be, directing you to what ‘sure looks like it’s American Express’s homepage’ that you then type your password into, and then actually does the next step of logging you into the American Express website afterward so that you don’t get suspicious of what you’ve just done.
That can be done by 16-year-olds in Romania now, with relatively little effort, because they’ve packed all of their goods up into tools that they freely distribute out on the Internet. It’s not, necessarily, a growing problem, but it’s a more accessible tool that hackers can use to get into companies, especially those companies that are relying heavily on firewalls. It’s another way in. Once you get into that desktop you can go from there; even if the user doesn’t have administrative privileges on their desktop, it’s still a huge advantage to be on the inside looking in, rather than on the outside.
Data Center Spotlight: What’s another step that companies can take that they’re not doing, or at least not doing well enough?
Cris Daniluk: I think it touches on what you just said – they’re not doing enough to educate their employees on their role in security. Every major company now has mandatory security awareness training, usually because they’re required to and not because they actually want to. It’s something that people just sit their way through until it’s over. Or if it’s done online on an honor system, they just click their way through until they can say they’re done. It’s not the same as really making people understand what their role is in security and how their individual actions can have wide-ranging implications across the network.
If you look at what happened at MedStar with their ransomware attack – one person who had no administrative privileges whatsoever, but had access to a large number of patient files, clicked on a link and all of a sudden their files were encrypted on the network, because they had access to them as part of their job function.
That was a huge setback for them and it’s going to cost them a lot of money, and all it was was a person clicking on a link in an email. The impact of that shouldn’t be so severe, but it is, and people need to understand that.
Data Center Spotlight: Cris, an informative, and at times, frightening, interview with you today. What is the best way for people to get in touch with you if they would like to discuss info security with you?
Cris Daniluk: I’d love for people to take a look at our website, take a look at some of the content and the videos that we have out there that talks about some of the security problems we’ve solved for our customers. They can certainly reach out and get in touch with us to learn more.
Data Center Spotlight: That is RhythmicTech.com. It’s R-H-Y-T-H-M-I-C, T-E-C-H dot com. If they want to reach out to you on LinkedIn, Cris – can you spell your last name for them please?
Cris Daniluk: Sure, it’s D-A-N-I-L-U-K, and I should probably spell my first name, too, C-R-I-S.
Data Center Spotlight: H’s were wild in your house growing up, huh?
Cris Daniluk: They were nothing but trouble.
Data Center Spotlight: I assume you’re the only Cris Daniluk in IT, and cloud, and security in Northern Virginia, so people will know it’s not a phishing link, and it’s actually you.
Cris Daniluk: I am aware of only one me that meets that criteria.
Data Center Spotlight: Cris, good information. Enjoyed talking to you, as always, and I appreciate your time today.
Cris Daniluk: Thanks. Have a great day.