Chris Hallenbeck: A Path of Security Leadership and Operational Insight
Chris Hallenbeck's path to information security, including his view of the CISO role and the value of metrics.
Chris Hallenbeck, Chief Information Security Officer (CISO) for the Americas at Tanium, says he got the “security bug” when he worked as a student consultant in the computer lab at Binghamton University in New York.
After a promotion to a Unix System Administrator, 40 computers were compromised in the school’s Engineering department. No one had a solution to the problem. “They were going to nuke the machines, reinstall them and move on, rather than try to dive into understanding how it occurred to prevent this from happening again,” he says.
Hallenbeck spent almost a month digging through the computers, understanding what happened, but also taking the extra step to send victim notifications to the other universities, government labs and other places that could be attacked due to the university’s compromised computers.
From there, Hallenbeck spent six years at AOL, Inc., where he led security operations and oversaw system administration. When the AOL-Time Warner merger was completed in 2001, the company needed to increase their incident response to provide coverage to all Time Warner divisions. This led to Hallenbeck’s formal transition into working in incident response for several years.
In late 2005, Hallenbeck began working for RSA Security, where he managed day-to-day functions for the Operations Security team. He then spent seven years in the government sector at US-CERT, where he built and oversaw its Incident Response Program. The program resulted in deploying teams for incidents of national security, including the private sector, critical infrastructure companies, State, local, territorial and tribal governments, or federal agencies that experienced security incidents. His experience at US-CERT honed his skills in IT operations, security operations, incident response, and crisis management, he says.
In 2016, Hallenbeck joined Tanium as Director of Technical Account Management. The company is a private, unified endpoint management and security company based in Emeryville, Calif. It works to empower large organizations and governments to manage and protect their mission-critical networks.
In that role, he engaged in endpoint detection and response (EDR)-focused support efforts to customers, helped shape the direction of the product and implemented intensive training with a number of security operations centers.
In August 2018, Hallenbeck was named CISO for the Americas. He reports to the global CISO. “It’s not rigidly hierarchical. It’s much more of a collaborative setup,” he notes.
A Sense of Mission
One of the most difficult challenges that Hallenbeck faced since leaving work with the government sector was finding a new sense of mission, something that fortunately he was able to find with Tanium. “At DHS, I was able to protect every imaginable sector within the U.S. and interface with comparable entities around the world,” he says. “So it was a very hard thing to step away from.”
Tanium, however, has the same customer base that Hallenbeck says he used to work with while in the government sector. His CISO role allows him to help shape and shepherd in solutions that address the cyber-hygiene issue, in addition to protecting all sectors in the U.S. and beyond.
Hallenbeck works with the global CISO, security architects and security operations and engineering teams. He also routinely works with a product security team, product managers and engineers who work on the company’s product platform, to help frame how data should be elevated to multiple decision makers.
One initiative he has undertaken is threat modeling, which encompasses understanding what threat actors might target in businesses and why, and what these threat actors might gain from breaching a company's systems.
“It’s not always about what attackers would gain from targeting these businesses – it’s more about what they might gain by getting to them, in order to get to someone else,” he explains. “We’ve seen that upon gaining access to a service provider, the attackers use the provider's infrastructure to hop from one target to another.” From there, attackers can gain access to myriad entities in government, healthcare, manufacturing, finance and more.
A publicized example of what Hallenbeck notes is a tactical campaign known as Operation Cloud Hopper – a global series of sustained attacks against managed service providers as a means to subsequently gain access to their clients.
At Tanium, Hallenbeck is examining different types of threats, modeling them out and then making decisions around better protective or detective controls to help them better mitigate those threats.
The Value of Metrics
Hallenbeck believes that the biggest single risk factor organizations struggle with is the unknown. “They can make reasonably informed decisions based on what they know about the systems they have, which provides them a snapshot of vulnerabilities within those systems,” he explains. “But organizations have no way to account for the unknowns.”
Accounting for these unknowns is where meaningful metrics can play a role, he says.
Tanium used to use typical metrics, such as patch levels, number of incidents and the meantime to resolve incidents. “The challenge with a lot of those metrics is they don’t necessarily convey what you think they might,” Hallenbeck notes.
Typically, organizations will pick patching as a benchmark, he says. “They’ll say, ‘We’re 95 percent patched across all known systems for all high vulnerabilities.’ Okay, that is great. But is that 95 percent of all systems that could be patched? Or is that only 95 percent of the systems you know about in your organization? The visibility gap is more often than not the thing that tends to skew the numbers and skews the risk of making uninformed decisions.”
He further explains that a round number of how many patches applied or the number of vulnerabilities mitigated in a month is not as valuable without context.
The same concept applies to the number of incidents, as well, he adds. “The number of incidents without context may leave me asking: so what? Are my incidents going up because we are getting better at detecting things, or because we are lacking in some of our protective measures? Or are we just being targeted more?”
A measure of just raw numbers tends not to be very useful without additional context. Trending, instead, is even more important, Hallenbeck contends. “Trending helps to show if we are headed in the right direction, if the money and investment that the Board is providing is going to the right things and if it’s moving the needle. Picking the right set of numbers to act as an input, and then showing the trending of that over time is more valuable to conveying risk.”
C-Suite and Stakeholders
The perception of the security team at Tanium is strong among the C-suite and external stakeholders, says Hallenbeck, but he is quick to point out that it’s important to understand what metrics they see as valuable. Traditionally, stakeholders will focus on a measurement based on a niche, narrow and focused approach, such as endpoint protection, he notes.
“Whereas if you look at us more holistically, and what we do across the entire organization, it’s a more clear way of measuring our performance,” he claims. “The organizations that understand the value of the security team and the operations team who work together tend to view us in the most positive light because we can deliver on that front. Neither team is operating in a vacuum, and the metrics should reflect that.”
CISO Trends and Topics
Hallenbeck's approach as CISO is heavily informed by his incident response roots. He’s even authored articles about the topic, including the concept of “incident response Groundhog Day” – which is a frustration as an incident responder, to witness organizations struggle with the same basic security weaknesses and make the same mistakes, repeatedly. “Those organizations have trouble getting to the root issues around hygiene and more systemic problems that enable the intrusion to happen in the first place,” he says.
He has witnessed a change that is occurring with the role. “CISOs are asking the question of how to best communicate with the Board of Directors and how to best convey the risks in a way that the Board can understand. Boards handle and evaluate risk all the time, but in the past, absent from that discussion has been cybersecurity – it has been more about broader business risk.”
Now more than ever, he suggests, is an opportunity for CISOs to educate Boards about cybersecurity risks. “In some cases, CISOs are briefing the audit committees. For the longest time, this would be unheard of. Now, it’s an ongoing and frequent collaboration, which is a good thing.”
The Next Six Months
In terms of the threats expected over the next six months, Hallenbeck says, “We are already observing those threats, especially with the coronavirus,” as is typical and happens with any major disruptive event in society.
“Whether it’s a massive storm, earthquakes or other societal disruption, almost immediately there will be an uptick in fraudulent schemes and phishing scams,” he notes. “Threat actors are acting in a typical way with the coronavirus pandemic, and taking advantage of the situation.”
In this challenging time, he suggests, “All employees should work harder to stay cyber secure, including financial business units, by confirming with their colleagues any requests to transfer money. We all need to come together to ensure that cybersecurity does not fail in this unprecedented time of our lives.”