What keeps Mandiant Intelligence EVP Sandra Joyce up at night? The coming storm

The next wave of security maturity is measuring effectiveness, she told The Register


RSA Conference When Sandra Joyce, EVP of Mandiant Intelligence, describes the current threat landscape, it sounds like the perfect storm. 

The threat intelligence firm, which is being acquired by Google Cloud, publishes cybersecurity predictions for the year ahead every year. This year, Joyce said, they all materialized at once.

"We predicted supply-chain attacks four years ago," Joyce said, in an interview with The Register at the RSA Conference. "We predicted deployment of wipers during wartime. And now we're watching all of these things happen at the same time, and in amounts that are greater than ever and at frequencies of scale that are more than ever."

These days Mandiant tracks more threat actors and malware families than ever before, she added. "This problem is getting bigger."

But, she said, the security industry is also getting better at responding to increasing threats — even when they all hit at once. And organizations are doing a better job at recovering from attacks.

"If there's anything good about dealing with things like ransomware over the past few years, it's that it has instilled some know-how and resilience into our industry that we may not have had for years," she said.

Mandiant gets called in to assist with "thousands" of incident responses every year, Joyce said. "And what people forget is this: companies recover," she added. "The vast majority continue on. In fact, I can't think of one that didn't."

Resilience is top of mind, according to Joyce, echoing a theme from her earlier keynote.

Backing up data and systems means organizations can recover more quickly from a ransomware or data-wiping attack; those backups only help, though, if they are kept out of reach of the same intruder and are tested by actually restoring from them. Most companies understand this: they know what good hygiene looks like and what they are supposed to do to improve their security posture.

Of course, sometimes there remains a disconnect between knowing what should be done and actually doing it. But overall, enterprises are becoming more resilient because they realize the problem is not going away, Joyce said. 

And despite the billions of dollars still being lost to business email compromise, organizations are also improving their security training for employees, she added.

How to measure effectiveness?

"The evolution from here is getting to the point where we can measure effectiveness," Joyce said. "More boards are going to ask: What is my investment getting me? And how can you measure that? And I think that that's how we ultimately see how we become more efficient in the security space."

Mandiant's answer to this is its security validation service. It uses the firm's threat intel to measure how well an organization's security controls perform against real-life attacks and hacking techniques, and gives them a score based on their preparedness. 

"We run realistic scenarios through validation on things that we saw last week," Joyce said. "And we can say, we have these ransomware actions that we saw in an IR last week, so let's run that against all of the security controls that we have in place." 

The validation service reports whether the organization's controls detected and blocked the threat, and if a control didn't work, it also details why not. "It could be the technology works, but it's misconfigured," Joyce said. "Validation is sort of a niche offering, but I think we're going to see it in the next maturity wave."
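The workflow Joyce describes, replaying last week's attacker actions against the controls you already have and explaining each miss, as an added example written for this article (not Mandiant's code and not its product's API). It is a small Python harness: each scenario is the telemetry an attacker action would leave behind, each control declares which techniques it claims to cover and carries its own configuration, and the harness records whether a scenario was blocked, merely detected or missed, and why a covering control did not fire (disabled, versus enabled but misconfigured). The scenario names, technique labels, the three rule functions, the control names and all event data are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Callable


@dataclass
class Scenario:
    name: str
    technique: str       # label for the attacker action being replayed (constructed)
    events: tuple        # telemetry that action leaves behind (constructed)


@dataclass
class Control:
    name: str
    covers: frozenset    # techniques this control is supposed to catch
    enabled: bool
    action: str          # "block" or "alert"
    config: dict
    match: Callable[[tuple, dict], bool]   # (events, config) -> did the control fire?


@dataclass
class Result:
    scenario: str
    outcome: str         # "blocked", "detected" or "missed"
    fired: tuple         # names of controls that fired
    reasons: tuple       # why covering controls did not fire


# Three toy rules standing in for EDR, file-integrity and DLP/egress controls.
def cmdline_rule(events, cfg):
    return any(e["type"] == "process"
               and all(tok in e["cmdline"].lower() for tok in cfg["tokens"]) for e in events)


def rename_burst_rule(events, cfg):
    hits = sum(1 for e in events
               if e["type"] == "file_rename" and e["path"].endswith(tuple(cfg["extensions"])))
    return hits >= cfg["threshold"]


def egress_rule(events, cfg):
    return any(e["type"] == "net_out" and e["bytes"] >= cfg["min_bytes"]
               and e["dst"] not in cfg["allowlist"] for e in events)


# Constructed "seen last week" ransomware actions, in the order they are replayed.
SCENARIOS = (
    Scenario("shadow copy deletion", "inhibit-recovery",
             ({"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},)),
    Scenario("bulk file encryption", "data-encrypted-for-impact",
             tuple({"type": "file_rename", "path": f"C:\\share\\doc{i}.docx.locked"}
                   for i in range(800))),
    Scenario("staged exfiltration", "exfiltration",
             ({"type": "net_out", "dst": "203.0.113.7", "bytes": 2_400_000_000},)),
    Scenario("phishing lure", "phishing", ({"type": "mail", "attachment": "invoice.iso"},)),
)

# Constructed control set. Note the deliberately bad states: the rename rule's
# threshold is far above what the replayed action produces (misconfigured), and
# the blocking egress control is switched off.
CONTROLS = (
    Control("edr-shadow-delete", frozenset({"inhibit-recovery"}), True, "block",
            {"tokens": ["vssadmin", "delete shadows"]}, cmdline_rule),
    Control("fim-rename-burst", frozenset({"data-encrypted-for-impact"}), True, "alert",
            {"extensions": [".locked"], "threshold": 5000}, rename_burst_rule),
    Control("dlp-egress-alert", frozenset({"exfiltration"}), True, "alert",
            {"min_bytes": 100_000_000, "allowlist": ["198.51.100.10"]}, egress_rule),
    Control("proxy-egress-block", frozenset({"exfiltration"}), False, "block",
            {"min_bytes": 100_000_000, "allowlist": ["198.51.100.10"]}, egress_rule),
)


def evaluate(scenario, controls):
    """Replay one scenario against every control that claims to cover its technique."""
    relevant = [c for c in controls if scenario.technique in c.covers]
    if not relevant:
        return Result(scenario.name, "missed", (),
                      (f"no control covers technique '{scenario.technique}'",))
    fired, reasons = [], []
    for c in relevant:
        if not c.enabled:
            reasons.append(f"{c.name}: disabled")
        elif c.match(scenario.events, c.config):
            fired.append(c)
        else:   # the technology is present and on, yet it did not fire: look at its config
            reasons.append(f"{c.name}: enabled but did not fire; review configuration {c.config}")
    if any(c.action == "block" for c in fired):
        outcome = "blocked"
    elif fired:
        outcome = "detected"
    else:
        outcome = "missed"
    return Result(scenario.name, outcome, tuple(c.name for c in fired), tuple(reasons))


def run_validation(scenarios=SCENARIOS, controls=CONTROLS):
    return [evaluate(s, controls) for s in scenarios]


def scorecard(results):
    """Prevention counts only blocks; detection counts anything that fired."""
    total = len(results)
    counts = {k: sum(1 for r in results if r.outcome == k) for k in ("blocked", "detected", "missed")}
    counts["prevention_pct"] = round(100 * counts["blocked"] / total)
    counts["detection_pct"] = round(100 * (counts["blocked"] + counts["detected"]) / total)
    return counts


if __name__ == "__main__":
    results = run_validation()
    for r in results:
        print(f"{r.outcome:9} {r.scenario}")
        for why in r.reasons:
            print(f"          - {why}")
    print(scorecard(results))
    # Re-test after the operator lowers the rename threshold: the miss becomes a detection.
    fixed = tuple(replace(c, config={**c.config, "threshold": 500})
                  if c.name == "fim-rename-burst" else c for c in CONTROLS)
    print("after fix:", evaluate(SCENARIOS[1], fixed).outcome)
```

The useful output is not the percentage but the reasons column: "enabled but did not fire" is the case Joyce singles out, where the technology works and the configuration is what needs fixing, and re-running the same scenario after the change is how you prove the fix. In a real validation run the events would come from actually executing the technique in a lab and pulling the resulting telemetry from the EDR or SIEM, not from a static tuple.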

Oh, and the answer to the cybersecurity skills gap isn't simply hiring more people, according to Joyce. "We don't have enough people to solve this problem, so let's put that to the side," she said. "What we really need is the automation of repeatable tasks."

This doesn't mean buying the latest, shiny security tool that uses AI. 

"Everybody thinks about automating the cyber problem from the outside in," Joyce added. "It's within your organization. We need to automate repeatable tasks of the actual cybersecurity work." ®

Biting the hand that feeds IT © 1998–2022