5 Questions-with Daniel Schwalbe: Director of Engineering and Deputy CISO, Farsight Security, Inc.

schwalbe_CISO-director-5que.jpgDaniel Schwalbe
Director of Engineering and Deputy CISO, Farsight Security

1) Prior to joining Farsight Security as Director of Engineering and Deputy CISO, you served as Associate CISO for the University of Washington. What are the top 3 challenges for today's CISO?

The speed at which technology evolves is a big challenge for those of us who are charged with defending networks and the information for which they provide access. As security professionals, we must keep track of every new and emerging technology, and analyze almost in real-time how it could potentially affect the security of the enterprise. We have to be “right” all the time -- all it takes is one mistake or oversight for the bad guys to make their move. Effective user education is another huge challenge. As we fortify networks and systems, the users remain the soft underbelly of the enterprise. Phishing attacks are becoming more and more prevalent, and their level of sophistication has increased significantly. Just a few years ago, we were telling users to look for obvious misspellings or grammatical errors, but nowadays phishing emails often look nearly indistinguishable from the real thing.

A related challenge to user education is the ongoing battle between security and convenience. Users want convenience. They just want to get their job done, and not be held back by what is often perceived as overly burdensome security measures. So, they either find ways around them, or demand that security controls be dialed back -- until they get harmed personally, of course. Over the years, I have worked with many victims of cybercrime, and most of them ended up wishing they had used even stronger security measures to begin with.


2) What can CISOs do to attract and retain experienced cybersecurity staff?

This is a tough question to answer comprehensively. Even though we’ve been around as a dedicated industry for about 25 years now, Cybersecurity is still very much an up-and-coming field. In the Seattle area, where I am based, we often talk about Cybersecurity as a “zero percent unemployment” sector. For several years now, there have not been enough qualified candidates available to fill all the open positions.

This means that competitive salaries are an important retention tool. Very few qualified employees will stick around for the long haul if they can literally double their salary by just switching employers across town. Aside from compensation, work-life balance is becoming more important. If possible, giving employees the flexibility to set their own schedules can help. And if you can offer them the freedom to work on areas of their professional interest, in addition to their day-to-day responsibilities, that tends to help with retention as well. Of course, the prospect of working for a large enterprise with lots of interesting security challenges also can be very appealing.


3) What methods are attackers using to remain persistent in today's enterprises?

I have worked in the security field for nearly 20 years now. I started in the trenches as a front-line incident responder, and those days seem almost quaint now. We have definitely seen an evolution in the level of sophistication that attackers are capable of deploying. This is especially true when we look at certain groups of nation-state actors.

Unlike some “smash and grab” cybercriminals, the advanced persistent threat actors still like to play the “low and slow” game. They will quietly compromise systems and build up war-time reserves, all the while being very careful to keep associated “noise” to a minimum in order to avoid detection. Sometimes they will even patch the vulnerability they exploited to gain access, in order to keep out other intruders. So-called “fileless malware” has become somewhat popular as well in recent times. It is extremely difficult to detect these types of sophisticated attacks with traditional controls.


4) How can Passive DNS help organizations better respond to and protect against cyberattacks?

Passive DNS provides important context to the information you are likely already collecting from the networks and systems you are charged with protecting as a cybersecurity professional. Malware relies increasingly on DNS to diversify and hide its command and control mechanisms in the general “noise” of the network. Only passive DNS lets you pivot from one type of activity you might be observing in your netflow data or access logs to another. Without passive DNS data, you are only skimming the surface of what’s really going on on your network. Passive DNS allows you to add that context and lead to a complete new set of indicators of compromise you may have otherwise missed.


5) What do you enjoy most about being a CISO?

One of my favorite things about being a CISO is that no two days are ever exactly the same. You constantly have to think on your feet, and while years of experience can help guide your responses, you still have to chart new territory on a regular basis. I also enjoy working with really smart people. No CISO can be truly effective without a team of smart, skilled professionals who do a lot of the heavy lifting when it comes to incident response and defending the network and systems of the enterprise. And last, but not least, I like being able to help people in times of personal or professional crisis. Over the years, I have led many incident response efforts, and it usually starts out with the affected parties being extremely distraught because they just suffered a compromise, and they feel awful about it. In most cases, we were able to help people through the process, clean up the mess, and let them get back to their business. That’s very rewarding.

Stay in touch, subscribe to the Farsight Security Newsletter