How SOCs Help in Training Security Professionals
How are McAfee's new SOCs mitigating cyber and physical risks and training future security leaders?
“My mission is simple: it is to protect McAfee and our customers,” says Grant Bourzikas, chief information security officer and vice president of Labs Operations at McAfee. “My team and I will test and use McAfee products and services before anyone in the world does, to ensure that they are secure and that they meet our customers’ expectations. Then, and only then, will McAfee launch them into the marketplace.”
Beyond Bourzikas’ personal mission is the McAfee corporate mission of “We’re all better working together.” McAfee CEO Chris Young launched the new mission statement when McAfee split from Intel Security in April 2017. Inside McAfee’s lobby in Plano, Tex., is a pledge wall where each employee has signed their name and, thus, their commitment to that mission statement.
The split from Intel also gave Bourzikas and his team the opportunity to create two security operations centers (SOCs): one in Plano and the other in Cork, Ireland.
“In a sense, the Intel split really made us the world’s biggest startup,” says Bourzikas, who has 19 years’ experience in cybersecurity strategy, architecture, engineering and operations. He is a four-time CISO, having expanded his experience at a Fortune 500 gaming company, a top financial services bank and brokerage organization and a Fortune 500 critical infrastructure utility company. He began his career in public accounting, during which he led cybersecurity strategy and assessment consulting teams.
The two new state-of-the-art cyber and physical SOCs, named the McAfee Security Fusion Centers, were designed last August and opened in January 2019.
Why Cork, Ireland for the second SOC? “It’s part of our continuity plan,” Bourzikas says. “Cork runs on a different electrical grid and is in a different time zone, so if our Plano SOC is hit with a major storm or power outage, we have an identical facility that is halfway around the world that should not be subject to those same issues.”
The purpose of the two centers is threefold: to protect McAfee, to identify new cybersecurity product needs and to act as a best practices blueprint for customers and partners.
Bill P. Woods, Senior Director of Security Intelligence for McAfee, who was hired by Bourzikas last year and who worked alongside Bourzikas on the design and layout of the centers, is charged with carrying out those tasks.
“A key theme when building the centers was physical and cybersecurity convergence,” Woods explains. “Past thinking in the security industry has been that the CSO and the CISO shouldn’t work closely together, that physical and logical security should never touch. A lot of my former colleagues are still working in those types of environments,” he says. “At McAfee, we believe that it’s inevitable that cyber and physical will work together. Consider the very basics of physical security: locks and cameras are all networked, thus cyber, so why not combine the two parties to better enable the business to function?”
Bourzikas adds, “It was an incredible opportunity to engineer what we wanted a SOC to be. Most SOC layouts are not conducive to collaboration, so we made sure that the layout would allow our cyber and physical security analysts to share information. We also had a goal of ensuring that the centers would help us to train the next generation of security analysts. We had our goals established and we had the infrastructure and support from the C-suite, so the entire process was seamless. People think that SOCs are difficult to build and extremely expensive, but this turned out very well.”
Physical and Cyber
There is one physical entrance to the center in Plano, and it can only be accessed through a secure mantrap equipped with a facial recognition system. Electrostatic windows are in place to ensure privacy. “Physically, we do not want people to get to our network, so we needed a good physical barrier,” Woods explains. “In a war, if your command post is overrun, it is all over but the crying. This is our command post, and we need to protect it.”
Once you are inside the Plano SOC, it’s easy to see how the placement of the analyst workstations is optimized to ensure collaboration between the security teams. The workstations also run on separate operating systems to ensure redundancy. “We want the analysts to hear what their colleagues are discussing,” Woods explains. “At the same time, they can alert their colleagues, via a status light, if they are deep into an investigation and aren’t available to collaborate.”
Woods stresses that collaboration is key to helping McAfee’s physical and cyber teams stay ahead of threats. More importantly, it allows them to be proactive rather than reactive. “You can’t have an effective SOC if you are only reacting to threats,” he says. “It’s much harder to employ a proactive threat hunting team, but it’s necessary in today’s threat environment.”
The data gathered on the cyber side of the center feeds weekly reports to Bourzikas and Woods on the number of attacks, blocks, false positives and other events that the analysts successfully mitigated.
One area of the center houses a malware lab, on a separate network isolated from the corporate McAfee network, where analysts can test new malware threats. Nothing that occurs in the malware lab leaves that area, and a film on the window prevents anyone outside from seeing what’s happening on the computer screens.
A final part of the Plano center is the physical corporate security component, where analysts monitor security at 67 McAfee offices in 54 countries. Woods says, “It is always business hours somewhere in the world for McAfee. The analysts feed data to security teams in each office and region. They monitor news feeds and employee travel.” Here again, the center’s layout allows physical security analysts to collaborate with the cyber team.
Training Future Security Leaders
One of the challenges with operating the center in Plano is talent, Bourzikas says. “We are very thorough in the training of our analysts, but we find it’s difficult to keep them in their roles long-term, as many suffer from burnout. One way we solve this is by offering our analysts different roles within McAfee, such as engineering or product development. In fact, many analysts are perfect for those future careers as they have experience testing those same McAfee products in our SOC.”
Bourzikas is passionate about finding solutions to the cybersecurity talent shortage, both at McAfee and across the industry. He regularly speaks at industry conferences such as RSA about the talent shortage, and he believes the industry is neglecting one key area: developing a diverse workforce. “We need to tap into hiring more diversity. The industry as a whole is not good about tapping into that area: women, people of diverse backgrounds and former military,” he says. “I am only successful if I have great people working for me. Bill was a great hire, but there are not many ‘Bills’ out there,” he notes. “The industry is not good about developing a pipeline of future security leaders. We do a great job of taking people from other companies, but that will never solve the talent gap.”
Woods has specific skills in mind when he hires new SOC analysts. “Of course, they need to have the core skills, but we also look at curiosity. When you are an analyst, you are an investigator, and what separates the good from the bad is curiosity. We also regularly hire retirees and former military who have analytical skills. I can teach you to build a firewall by the end of this week, but I cannot teach you an analytical mindset in a short period of time.”
“As an industry, we are too focused on hiring people with a CISSP,” Bourzikas adds. “Instead, I want to know how someone can securely design a server. That’s an awful thing to ask of a job candidate, because there are thousands of ways to do it, but I want to see their thought process. I’m also very open to working with millennials, who I believe are misunderstood. I do not share the notion that they are difficult to manage; you just have to get to know them. If you treat them as an equal and you empower them, they will be receptive to your leadership.”
In addition to researching new cybersecurity and physical security threats and mitigating risks to the McAfee organization and its employees, the security analysts at McAfee test each McAfee product before it is pushed out to the market. “We call ourselves ‘Customer Zero’ because we are the first organization to use McAfee’s new offerings and product updates, and because we share our learnings to help customers implement faster and more smoothly,” Bourzikas explains. “I’m providing a service by testing and using our products before our customers use them. I can see and provide direct feedback to our product development teams on how McAfee products can be improved.”
Bourzikas is also an advocate of sharing feedback with industry colleagues. “The ‘bad guys’ have so many advantages,” he notes. “They don’t have any rules to follow. They do not want to share their new hack or malware because if it becomes widely used, then companies will reverse engineer it to prevent it. We believe that all cybersecurity companies can and should share information on a regular basis. As an industry, we need to do better with sharing.”