Author: Amy Hunt

[Lost Bots] S03 E04 A Security Leader’s Playbook for the C-suite

In a special two-part “Lost Bots,” hosts Jeffrey Gardner and Stephen Davis talk about presenting cybersecurity results up the org chart. Both have handled C-suite and board communications and have lots of lessons learned.

Part 1 is about the style of a presentation: the point, the delivery, the storytelling. Gardner believes anyone can be great because he’s “an extreme introvert” himself. He shares a ton of wisdom about how to structure your presentation and really own the room with confidence. About halfway through, the ideas start coming fast and furious.

Part 2 brings it together with a deep dive into metrics (and an extraordinary bowtie on Mr. Davis, seriously). Metrics aren’t your story, but they do prove it true. The episode with one thing you must take away and remember: you’re not there to sell more security, you’re there to help stakeholders make well-informed business decisions. When that purpose is clear, some things get simpler.

[The Lost Bots] S03E03. The Rise of The Machines

Artificial Intelligence (AI) is both a profound topic and now, a practical one too: cybersecurity marketers in particular are loving the letters “A” an “I.” But exactly where are we?

Everybody knows an early version of Bing AI spawned a weird personality named “Sidney” and expressed the desire to be both human and destructive. Then there’s that “AI pause” letter almost everybody signed. And now this, from the New York Times: the godfather of AI, Geoffrey Hinton, 75, is leaving Google. He wants to speak freely about the grave dangers he predicts: “It is hard to see how you can prevent the bad actors from using it for bad things.”

A part of him, Hinton said, has come to regret his life’s work.

According to Wired, security researchers are “jailbreaking large language models to get around safety rules.” Our life’s work? Yours? It’s more important than ever. We just might save humanity. But that’s for later…

Separating real and hype about AI and cybersecurity

Rapid7 Detection and Response Practice Advisor Jeffrey Gardner and Stephen Davis, Lead Technical Customer Advisor for MDR may get profound in the future—but this episode is 100% practical and useful right now.

Around the 5:00 mark, they go through exactly how AI is being used in cybersecurity today (and not used, no matter what you hear).

And around the 7:00 mark, heed Gardner’s passionate warning about what you and all your company staff need to think about every time you engage with an AI tool. Every time. In any way. Seriously. Gardner and Stephen are funny, but this warning sure isn’t.

[The Lost Bots] S03E02: Finding unknowns, even spy balloons

When a balloon crossed through Canada and the United States, everyone lost their minds. The news was all-balloon, all-the-time. And the big, obvious, serious questions flew too: “why didn't we see the balloon sooner? Have there been other balloons?”

That sounded pretty familiar to Rapid7 Detection and Response Practice Advisor Jeffrey Gardner. When the U.S. Military responded to the visibility problem in the airspace, it discussed “adjusting filters.” And that sounded familiar too. Because that’s what security practitioners are expected to do every day: find things they don’t even know exist.

While this Lost Bots episode is packed with practical guidance (you’ll likely watch parts of it more than once) it’s delivered by the “Team America” avatars of Gardner and co-host Stephen Davis, Lead Technical Customer Advisor for MDR.

Anyone in cybersecurity is in it for the humans, but we can still be fun.

[The Lost Bots] S03E01: Tech stack consolidation and bacon

It’s 2023, and according to Gartner, ESG, and everybody else, the vendor consolidation trend continues. Throwing tools at the problem isn’t working well, and creates problems of its own.

So, this season of “Lost Bots” starts with Jeffrey Gardner, Detection and Response Practice Advisor and Stephen Davis, Lead D&R Sales Technical Advisor, talking the many upsides of consolidation—deals, integration, one throat to choke—and what they call the “gotchas” too.

At the 4:00 mark, there’s a good discussion of consolidation of layers vs. function. Pay attention: some consolidation decisions can actually increase your risk.  And because these guys are more than valuable fonts of free tips, the episode is packed with air quotes, bacon, and other surprises.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


XDR, the Beatles, and Blunt Instruments

Sometimes tools are blunt because there’s nothing else. Regarding economic controls for example, Fed Chair Jerome Powell said: “We have essentially interest rates, the balance sheet and forward guidance. They are famously blunt tools, they are not capable of surgical precision."

Others are blunt because they’re new and these things take time. For example: stereos in the 1960s shook the floors with unrestrained subwoofers. Yes, it was the Beatles and Ringo Star on the drums, but still. It took years to refine this new technology to enhance the music instead of assaulting our senses.

Taking off shoes at the airport? Blunt.

Years later, Real ID and TSA Pre-Check®? Better.

Coming soon: Facial recognition and biometric screening, better still—after privacy concerns are addressed.  

Cybersecurity has used blunt tools, followed by far too many “better ones.” The average security team is now managing 76 tools, and spending more than half their time manually producing reports. The way out is a sharp tool to replace all these better ones—a resource that will actually get the job done. Start with our newly released 2023 XDR Buyer’s Guide.

XDR consolidation and precision has arrived, just know what to look for

Security programs succeed when they have a library of curated, high-fidelity detections backed by threat intelligence that they can trust out-of-the-box. Anything else is low performance guesswork.

Huge numbers of alerts that teams must review and triage can lead to missing high profile threats. Extended Detection and Response (XDR) solutions deliver tailored security alerts that are quantified and scored to improve signal-to-noise ratio and help catch threats early in the attack chain. XDR also eliminates context switching and ensures you have high context, correlated investigation details, blending relevant data from across different event sources into one, coherent picture.

XDR delivered: MDR

With Rapid7, XDR security can also be delivered to you as an end-to-end, turnkey service. Managed detection and response (MDR) can be a game changer, with always-on threat detection, incident validation, and response (such as threat containment). Some providers offer features like threat intelligence, human-led threat hunting, behavior analytics, automation, and more to your capabilities.

A good MDR provider will be 100% end-to-end responsible, however, it should also be an extension of your in-house team. Look for a provider that will freely share the XDR technology with your in-house operation, and work transparently. Your team should be able to observe your environment exactly as the MDR team does, do their own threat hunting, and more—whatever level of collaboration you’d like to see.

2023 is the year of consolidation and XDR. But no change, however awesome or overdue, is easy. We hope this XDR Buyer’s Guide helps.

XDR, the Beatles, and Blunt Instruments
Dated, Vulnerable, Insecure Tech Is All Over the News. Hooray.

Save the links. Pass them around. And consider getting your copy of the new 2023 XDR Buyer’s Guide—because if this isn’t a time for reckoning and progress, what is?

The news: on Wednesday, the United States grounded all flights coast-to-coast for the first time since 9/11. The Federal Aviation Administration’s (FAA) Notice to Air Missions system (NOTAM) failed, leaving pilots without vital information they need to fly.

Separate from air traffic control systems, NOTAM ingests data from over 19,000 U.S. airports big and small. It then alerts specific pilots about specific anomalies to expect during 45,000 flights every day: the very latest runway closures, airspace restrictions, disruption of navigational signals, birds that can threaten a plane’s engines, anything.

Apparently, a corrupted file in the software was to blame for the system failure. This, from NBC News:

“...a government official said a corrupted file that affected both the primary and the backup NOTAM systems appeared to be the culprit. Investigators are working to determine if human error or malice is to blame for taking down the system, which eight contract employees had access to. At least one, perhaps two, of those contractors made the edit that corrupted the system, two government sources said Thursday.”

It will likely be a while before we know exactly what happened. But security practitioners might consider jumping to one conclusion today: your argument for investing in a detection and response solution which will provide visibility across your modern environment just got better. It’s important to have the right tools and systems in place, in all areas of your business from infrastructure to security, in order to have business continuity. Even with initiatives like legacy modernization, security teams need to have a view of their threat landscape as it expands.

Is anyone more responsible for business continuity than you?

Recently, CISOs have been named as defendants in several shareholder, civil, and criminal actions.  At the same time, CISOs are feeling less and less “personal responsibility” for security events, dropping from 71% to 57% in just one year. Security teams are spending more than half their time manually producing reports, pulling in data from multiple siloed tools. And silos present unacceptable risk. Something has to give.

While capabilities can vary across XDR vendors, the promise is to integrate and correlate data from numerous security tools — and from across varying environments — so you can see, prioritize, and eliminate threats, and move on quickly. The vendor evaluation process isn’t easy. But XDR is well worth it.

The 2023 XDR Buyer’s Guide includes:

  • Must-have requirements any real XDR offers
  • How XDR can be a staffing and efficiency game-changer
  • Key questions to ask as you evaluate options

The hidden lesson in the NOTAM outage? Less is more.

Patrick Kiley, Principal Security Consultant and Research Lead at Rapid7 has a long transportation background. He said that when organizations need to migrate off dated systems, it tends to be a “forklift upgrade, which typically requires significant resources.” That could include development, testing, cloud computing or hardware investment, and of course skilled cybersecurity personnel—who are in short supply these days.

“This kind of migration is a bear,” Kiley said, “so organizations tend to put them off.”

What’s not a bear?  Getting your copy of the 2023 XDR Buyer’s Guide.

Ditch The Duct Tape: Reduce Security Sprawl With XDR

The New Year’s Day edition of The Wall Street Journal asked a big question in a big headline: “Can Southwest Airlines Buy Back Its Customers’ Love?”

While other airlines rebounded from extreme winter weather and service disruptions, Southwest—always top-rated, with a famously loyal following—melted down. It canceled more than 2,300 flights, stranding passengers and their baggage around the country over the Christmas holidays. The U.S. Department of Transportation is putting the entire event “under a microscope.”

Most believe Southwest will, in fact, be loved again. Tickets were refunded, travel expenses were reimbursed, and approximately 25,000 frequent flyer miles were doled out to each stranded customer. Whatever. That’s not why you should pay attention to this tale.

The object lesson that matters? WSJ’s CIO Journal followed up, reporting that “balky crew scheduling technology” caused the disaster. Airline staff who used the system had been frustrated by it for some time, but couldn’t get executive attention. A scathing New York Times op-ed on December 31, "The Shameful Open Secret Behind Southwest’s Failure," blames the strong incentives to address problems by “adding a bit of duct tape and wire to what you already have.”

Balky tech that frustrates staff: Sound familiar?

Two years ago, ZDNet reported the average enterprise managed 45 different tools to secure their environment. A few weeks ago, the Silicon Valley Business Journal said the number has jumped to 76, with sprawl driven by a need to keep pace with cloud adoption and remote work. Security teams are spending more than half their time manually producing reports, and pulling in data from multiple siloed tools.

The cybersecurity skills gap isn’t going anywhere. And the most tech savvy generation in human history—Gen Z, the latest entrants to adulthood and the workforce—is unlikely to stick it out in a burnout job laden with clunky tools. They grew up with customer-obsessed brands like Apple and Amazon and Zappos. Expectations about technology and elegant simplicity are built into all corners of their lives—work included— and they instantly know the difference between good and shambolic. Younger workers led The Great Resignation of 2021.

The trend toward XDR adoption is part of a solution. While capabilities can vary, XDR should integrate and correlate data from across your environment, letting you prioritize and eliminate threats, automate repetitive tasks, and liberate people to do important work.

If 2023 is your year to consider XDR, start with this Buyer’s Guide

Our new XDR Buyer’s Guide is for all of you who want to consolidate, simplify, and attract top talent. In this guide, you’ll get:

  • Must-have requirements any real XDR offers
  • Ways XDR is a staffing and efficiency game-changer
  • Key questions to ask as you evaluate options

Last year, Southwest announced $2 billion in customer experience investments, including upgraded WiFi, in-seat power, and larger overhead bins, as well as a new multimedia brand campaign, “Go With Heart.”  

After taking very good care of stranded customers—and true  to form, the airline did—it announced a 10-year, $10 million plan to hit carbon reduction goals. The Wall Street Journal asked: “Could not the Southwest IT department have used another $10 million?”

…and you’ve surely heard about this

This morning at 7:20am, the FAA grounded all domestic departures when the NOTAM (Notice to Air Mission) system failed. This critical system ingests information about anomalies at 19,000 airports for 45,000 flights every day, and alerts the right pilots at the right time. We woke up hearing about “failure to modernize” and also possible compromise.

Thanks for reading and come back tomorrow, as we'll be following this developing story closely.

Cybersecurity Analysts: Job Stress Is Bad, but Boredom Is Kryptonite

Years ago, “airline pilot” used to be a high-stress profession. Imagine being in personal control of equipment worth millions hurtling through the sky on an irregular schedule with the lives of all the passengers in your hands.

But today on any given flight, autopilot is engaged almost 90% of the time. (The FAA requires it on long-haul flights or anytime the aircraft is over 28,000 feet.) There are vast stretches of time where the problem isn’t stress – it’s highly trained, intelligent people just waiting to perhaps be needed if something goes wrong.

Of course, automation has made air travel much safer. But over-reliance on it is now considered an emerging risk for pilots. The concerns? Loss of situational awareness, and difficulty taking over quickly and deftly when something fails. FAA scientist Kathy Abbott believes automation has made pilot error more likely if they “abdicate too much responsibility to the automated systems.” This year, the FAA rewrote its guidance, now encouraging pilots to spend more time actually flying and keeping their skills sharp.

What you want at any job is “flow”

Repetitive tasks can be a big part of a cybersecurity analyst’s day. But when you combine monotony (which often leads to boredom) with the need for attentiveness, it’s kryptonite. One neuroscientific study proved chronic boredom affects “judgment, goal-directed planning, risk assessment, attention focus, distraction suppression, and intentional control over emotional responses.”

The goal is total and happy immersion in a task that challenges you but is within your abilities. When you have that, you’re “in the zone.” And you’re not even tempted to multi-task (which isn’t really a thing).

Combine InsightConnect and InsightIDR, and you can find yourself “in the zone” for incident response:

  • Response playbooks are automatically triggered from InsightIDR investigations and alerts.
  • Alerts are prioritized, and false alerts are wiped away.
  • Alerts and investigations are automatically enriched: no more manually checking IP's, DNS names, hashes, etc.
  • Pathways to PagerDuty, Slack, Microsoft Teams, JIRA, and ServiceNow are already set up for you and tickets are created automatically for alerts.

According to Rapid7‘s Detection and Response Practice Advisor Jeffrey Gardner, the coolest example of InsightIDR’s automaticity is its baselining capability.

“Humans are built to notice patterns, but we can only process so much so quickly,” Gardner says. “Machine learning lets us take in infinitely more data than a human would ever be able to process and find interesting or anomalous activity that would otherwise be missed.” InsightIDR can look at user/system activity and immediately notify you when things appear awry.

The robots are not coming for your job – surely not yours. But humans and machines are already collaborating, and we need to be very thoughtful about exactly, precisely how.

Like inattentive commercial pilots, Tesla drivers using Autopilot don’t much look at the road even though they’re required to, and they remain wholly responsible for everything the vehicle does. Teslas are also being hacked, started, and driven off.  A 19-year-old took 25 Teslas. We’re designing our jobs – and life on earth, too.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


Are You in the 2.5% Who Meet This Cybersecurity Job Requirement?

Of course you’re special. (So are we.) But decades of research tells us humans believe they’re good multitaskers – and we are really, seriously not.

It seems a measly 2.5% of us can multitask well.

The rest of us are best when we focus on a single goal, allowing the left and right sides of our brains (specifically the prefrontal cortex) to work in harmony.

When we go for two goals at once, the brain splits duties, and we miss details, make mistakes. And it’s not a perfect 50/50 split: The work effort is more like 40/40, with an overhead charge just for the juggling. Trying to do three tasks? The brain’s information filters fizzle out. We don’t dismiss irrelevancies as quickly. There is guessing involved.

The truth is, multitasking isn’t a thing. The average security operations center (SOC) has 45 different cybersecurity technologies, according to an IBM study. What’s actually happening is task-switching and, even worse, context-switching.

The good news? Trends for 2022 point to change: a year of consolidation, greater detection and response capabilities on endpoints and in the cloud, and the integration of tools that simplifies and smooths the work.

It’s time to say goodbye to context-switching

You’ll never get ahead of attackers without the freedom to focus. And that fact has always inspired Rapid7’s continuous mission to accelerate detection and response with InsightIDR.

  • As a unified SIEM and XDR, InsightIDR automatically creates one cohesive picture from diverse telemetry, including endpoint, cloud, applications, logs, network, and users.
  • Alerts are highly correlated by our SOC experts, and high-context investigation details blend relevant data from different event sources for you.
  • No tab-hopping in and out of multiple tools: Embedded automation workflows powered by Rapid7’s InsightConnect let users focus on threats and decisions in real time.
  • Rather than asking you to do more, InsightIDR’s cloud-native, SaaS foundation ensures that users have the scale, agility, and power to keep up, no matter how their environments grow and change.

Technology that doesn’t understand how to really serve people can stress even the most sophisticated among us. Add to that the frustration that most C-suite executives don’t understand what life in SecOps is like either: Most don’t get that a breach is inevitable, and 97% of them believe security teams have big budgets and could improve on the value they deliver. Here’s ZDNet, reporting on IBM data that reveals security folks generally agree: “74% of [security practitioners] say their cybersecurity planning posture still leaves much to be desired, with no plans, ad-hoc plans, or inconsistency still a thorn in the side of IT staff.”

If the thorn is alert fatigue and context switching – and it probably is – the answer isn’t changing your personal attentiveness habits. When you seek out advice about how to stop all the multitasking, you’ll get suggestions that no CISO can take:

  • “Plan your day,” they say.
  • “Turn off your notifications.”
  • “Learn to say no,” they say.

The human factor is decisive in cybersecurity, so we task our technology to empower you – to give you the freedom to focus on what matters. Of course, it’s theoretically possible you’re in the 2.5% of people who qualify as “supertaskers.” (But as you may have noted from our first comic book we made for you, we think you’re superheroes, which is very, very different.)

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


Unsung Security Superheroes: You’re Now Sung
Unsung Security Superheroes: You’re Now Sung

Get your copy of Rapid7’s first comic: XDR vs. Exploito. Available now!

We’re all more connected than ever, and security practitioners keep everyone – governments, organizations, businesses, and 4.95 billion people – as safe as they can be.

“XDR vs Exploito” isn’t “Dr. Strange and the Multiverse of Madness” with a $200 million Marvel Comics budget – but it’s a laugh. And it puts security practitioners in the pantheon of greats like Spidey. Let’s be real, that’s the work you do (and we do too).

The effect the comic book had on us, as a thing we worked on, was refreshing. The Mayo Clinic says a little laugh enhances your intake of oxygen-rich air, reduces physical symptoms of stress, and increases the endorphins released by the brain. We say bring that on. You?

The story

Our CISO Adira Adama has tangled with the evil Exploito before, sometimes as her mild-mannered self, and sometimes as her superhero alter ego. Now, the two match wits again at Exploito’s next target – and Adira’s new job – where she plans to deploy InsightIDR, Rapid7’s unified SIEM and XDR.

But first, Adira confronts chaos: a hodgepodge of legacy tools, a burnt out SOC team, and nervous executives who’ll turn on her if she stumbles.

Get the whole story here.

Additional reading: