Global CISO Forum Podcast – Awards Series: Preston Werntz

In this Podcast:
Welcome to a special series of the Global CISO Forum Podcast honoring the EC-Council Foundation Infosec Tech & Exec Awards Finalists! For the next three weeks we will be interviewing the best and brightest in infosec who have been named finalists for the CISO of the Year, Certified CISO of the Year, Most Improved Security Program of the Year, and Most Innovative Security Project of the Year. Learn more about our finalists here.

Transcript

Amber:
Welcome to a special series of the Global CISO Forum podcasts, honoring the EC-Council Foundation info-sec tech and exec awards finalists. For the next three weeks we will be interviewing the best and brightest in info-sec who have been named finalists for the CISO of the year, certified CISO of the year, most improved security program of the year, and most innovative security project of the year.

Announcer:
Welcome to the Global CISO Forum. The podcast for information security executives.

Amber:
With us today is Preston Werntz. He is the chief, Technology Services Section, US Department of Homeland Security, Office of Cybersecurity and Communications, but more importantly he is a finalist for the most improved security program of the year. Welcome to the podcast, Preston.

Preston:
Thank you very much Amber.

Amber:
Congratulations again on being a finalist it’s very exciting to have you on our list.

Preston:
Thank you, it’s really quite an honor especially when I’ve looked at some of the previous years of winners and nominees it’s quite a list.

Amber:
Well thanks, we like to think so. It seems like your nomination really revolves around the project, the automated indicator sharing project.

Preston:
Yes.

Amber:
Tell us a little bit about that.

Preston:
Okay, so for the past couple of years DHS overall we share a lot of cyber threat data, we’ve traditionally shared it in very manual ways and that delay it’s tough to share information manually at a fast enough pace. Where recipients can use it to help protect themselves in a fast way, and the longer it takes us to share that data the more time an adversary has to exploit the same bad infrastructure. They can sit on infrastructure for a long repeated time because organizations take a long time potentially to look for this malicious activity on their networks and take action. For the past couple of years DHS we’ve been moving towards more automated sharing through a number of pilot projects. Recently the Cybersecurity Information Sharing Act of 2015, when Congress passed that they laid out some specific requirements of DHS and some specific timelines.

Out of that was really the automated indicator sharing initiative to kind of meet the requirements and the legislation for DHS to be able to ingest cyber threat data at machine speed, machine format, do a lot of automated processing, as much as we can. Then re-share that cyber threat data as far as we can to all the different federal and nonfederal entities that will be connected to our server to let them use these cyber threat indicators and defensive measures for network defense purposes.

Amber:
I know that information sharing among agencies in the government has been a topic of conversation for quite some time, and what the committee actually, their feedback and why you’re a finalist, was it’s an innovative blend of automated and manual processes that really seems to make it function better. Whatever it was you had in place before or other systems that are like it, how did you decide where to add in the manual and what to keep automated?

Preston:
Well you know it’s very important for us especially if you’re looking as we’re sharing the cyber threat data, this was something we looked at even before the legislation. The legislation highlights as well, it’s very important as we’re sharing this cyber threat data to make sure we’re kind of protecting any personal information that we don’t want shared unless it’s really related to the cyber threat. This is where some of the manual processing comes in. There’s an expectation as DHS is receiving this data in from other companies, from other federal partners that DHS is going to do a number of different privacy reviews of that data to make sure before we re-share it, that we’ve removed any personal information that should not be in there.

The first way we do that is via some automated processes as the data comes in we run a bunch of scripts and tools on it to pull it through and say okay. I see what looks like a name, does it belong here? No, this indicator is supposed to be about IP address but it’s not. There’s different ways we look at it to try and make sure it conforms to what we’re expecting and if there’s any personal data we find but we’re not expecting or it shouldn’t be. Then it fails that automated check, if it fails that automated check and that’s when we push it to some of our DHS analysts for that manual review. It velopes into a queue where our analysts then look at that cyber threat indicator and determine okay look there’s some personal information here, that personal information actually may need to be in there to really understand the cyber threat.

If it’s not we need to strip it out and publish an update as fast as we can to get that data back out there. The key for us is everything, there’s first an automated check, anything that fails the automated check goes to a human, at the same time though we still share as much of the data automatically as we can. My example, always is if we get a cyber threat indicator, let’s say it’s about a spear phishing email. It contains a number of different data elements in that indicator, if two of those data elements fail our automated checks, that indicator goes into the human review queue. At the same time we’re going to share those 11 other data elements, near real time and there’s no to near basically when share back out, and say, “Oh there’s a number of other data elements currently under DHS review.”

Let’s say we’re still sharing it as fast as we can, you know at an automated standpoint, anything that’s failed those automated checks then go into the human review. As a human analyst look at them and make determinations and decisions we then publish an update so organizations would get an indicator from DHS, some parts of that indicator might say, “under DHS review.” This depends on the number of indicators in the human review queue within hours, or days, or potentially weeks they’ll get an update, saying, “Yep that has been fully reviewed by DHS analysts and the data now can be used as is.” Potentially we’ve left that personal information in there if it’s related to a cyber threat and it’s necessary.

Or we’ve taken it out and no one will see it, so that is kind of the automated steps and how it flows into our manual processes, to really primarily protect on the privacy and civil liberty side. Also we do some technical checks in there too.

Amber:
It seems like the project would be impressive enough if it was just information sharing about threats, but then with all of the protections for like you said, “Privacy, civil liberties, compliance that kind of thing.” It adds some complexity there, and another thing that your nomination has that maybe some of the others don’t. You know I’m not picking favors so I have no say, is the emphasis on national security. The projects that DHS undertakes their impact, of course, could be a lot bigger than a company checking for cyber threats although that’s important too. Just everything that you do in your role at DHS is a little bit heightened, do you feel that pressure? I bet you do.

Preston:
We certainly do and we’re really trying to explain to folks, we talk about trust environments and DHS being like a trust broker in between the commercial kind of world and if you look at legislation, legislation really wants those nonfederal entities, private sector companies. They really want them sharing amongst each other too, and the same time share with DHS and then we can be their broker to get from the commercial entities into the federal government. This is where we want to make sure we’ve done that privacy review scrub so we’re not re-sharing data to our federal partners unless it’s gone through that DHS review. We want companies to be aware of that and feel that DHS is filling that trusted broker role, as soon as they mess up a little bit and don’t send us the right stuff we’re going to take the extra step to review it before it goes on further.

At the same time one of the things we’re really with our federal partners is there’s a lot of unclassified federal data that we don’t really share well, sometimes back out that can help private sector companies protect themselves. Through the system we’re really working with our federal partners as well, hey get DHS more unclassified data so we can actually share it back out to the private sector. I think that also it makes the value proposition much better for private sector companies. Why do they want to share with us because they’re seeing a lot more data hopefully over time higher quality data and much faster, that we think will make them want to share more ink because they see the value. Especially for getting more federal data that’s sometimes tough for them to get or maybe they didn’t know where to get it from or they had to pull it down in some PDF web portal.

If we can get it to you automated, get it into your security products and your tools, so you can take action on it faster that is just better for everyone.

Amber:
I did see that part in the nomination. Receiving and sanitizing data from public and private sector partners that seems like a big portion of it as well. Obviously you’re the chief of a section in DHS you’re very distinguished, you’re among our finalists. How did you get into security?

Preston:
You know I always tell folks actually I’m a Poly Sci major, I was not a technology guy. You know after college I got into a number of different jobs and I really actually gravitated towards the technology, I’ve always kind of loved. I was doing a lot of programming and when I look back at some of the programming I did back in the 90’s probably not the most security smart stuff I’ve ever done. I look back now and go, oh my goodness what was I doing, but over time especially that I moved over to supporting some different agencies in the intelligence community. You start really learning very quickly about, hey I’ve got this capability they want, in order to deploy it here’s this whole world of security that needs to take place before we’re delivering capabilities and solutions on these different classified systems.

It really opens your eyes, and once you’re in that world it’s really fast and it’s a lot of work, but you really learn much faster about the importance of security and how to weave it into the whole lifecycle. We always say it can’t be the last thing you think about, you’ve got to be thinking about security way up front even in the design stage it makes everything flow so much nicer. Once you get into that world it’s tough to get out.

Amber:
I see it was just kind of built into technology in the government, in the military?

Preston:
Yes.

Amber:
Well very cool. You’re kind of CISO, you’re a CISO level, you don’t have that title but have you seen changes in the industry and the executive management of information security during your time in the security industry?

Preston:
Yeah, I think I’ve seen much more understanding of the importance, like I said especially upfront in the process really getting the security folks involved. I think at a management level there’s much more understanding of where that fits in the importance early on in projects, in life cycles, and having security teams like I said, be involved from day one. I think that’s been a really good trend over the years, I think some of the other big changes obviously is we move into a world more cloud based. Big data that introduces some newer security challenges which are good. It’s always good to be doing these things and learning these things even if new challenges come with it. I think that will be something that will be part of us really going forward in the future.

Amber:
What do you see coming up if you could look into your magic crystal ball and tell us, what changes you think the industry’s going to have to be dealing with over the coming years? The next 10 years any predictions there?

Preston:
Boy, I’m never really good at predictions, but what I’ll say is that, and some parts of the industry are much better than the others, this I think, but like I said is that cloud adoption and implications for security which I think are really positive but it’s very tough to mess with that sometimes. That’s going to be a big piece as we move more and more to cloud, as we move more and more to automation understanding where security fits. It’s tough enough to have people understand the importance of security and probably be filing processes, how do you code that in at the machine level, and especially on the federal side. How do I prove to my orders and security folks that security is built in and baked in, and I can trust that the machines are taking care of the security where they need to take care of it. Obviously more data, cloud moving big data, insider threat becomes a larger and larger thing that everyone has to look at. I assume it’s already here now, I think that it’s just a new part of the future as well.

Amber:
Yeah it’s been really a trending focus for reasons we can all understand. Well very good I can’t wait to meet you at the awards gala. You are attending correct or are you not?

Preston:
Unfortunately I cannot.

Amber:
Oh you cannot, oh okay.

Preston:
You’ve hit me back to school, travel, hockey season so I’m already booked up unfortunately.

Amber:
Okay, well you’ll be mentioned, there will be clapping, and possibly we’ll be mailing you a trophy. Congrats again on being a finalist and thank you so much for taking the time.

Preston:
Thank you very much, really honored to be nominated and really excellent and a lot of fun talking to you.

Amber:
Awesome, thanks Preston.

Preston:
Thank you Amber.

Amber:
That’ll do it for this episode of the Global CISO Forum podcast, the show is produced by Saba Mohammed, edited by Shandiin Tome. You can help the show by subscribing on iTunes or Stitcher and if you would leave a review for us that would help other people find the show. Until next time this is Amber Pedroncelli.

Announcer:
Thank you for tuning in to another edition of the Global CISO Forum. The podcast for information security executives.
