What I Learned in the FBI About the Need for Security Automation 


Life comes at you fast.  When you are in the business of cybersecurity it feels like you are sitting in the cockpit of the Millennium Falcon while traveling through hyperspace.  Please excuse the Star Wars reference, but I suspect my fellow nerds can relate.

I have been a lifelong security and risk professional.  I spent 22 years of my career in the FBI, with the first half in FBI training and executing on some of the most advanced tactical training available to law enforcement professionals.  In the second half of my FBI career, I was first exposed to a cyber-related investigation as a counterterrorism (CT) investigator.  Not every CT case is a high-profile examination of kinetic activities.  I stumbled my way into a complex cyber-related CT investigation because the FBI was exploring the many ways the Internet was being used to exchange intelligence and build virtual networks within the hundreds of known terrorism groups.

This first foray opened a new world for me as I played catch-up with some of my peers who had been deeply involved in cybersecurity for many years.  The terms and concepts were not completely foreign to me, but it required me to level-up my skills specific to all things cyber.

Flash forward several years; I was an executive at the FBI leading one of its largest cybersecurity investigative teams. The powers that be, back at FBI headquarters, asked me if I would consider leading the FBI Enterprise Security Operations Center (ESOC), which was a combination of traditional SOC components and other tools you might imagine being used in the world’s foremost law enforcement and intelligence agency.

Oddly enough, SOC leadership was not a high-profile position within the FBI.  In fact, it was at least a grade lower than my executive position within a field office.  But I did not view the challenge in light of its position or status; I viewed the challenge in light of the education I might glean from leading a SOC for one of the most complex organizations within the U.S. federal government, even if only for a period of several months.

Having been schooled in the academics of cybersecurity management and leadership, I knew what questions to ask the experts as I was dropped into this highly technical team within the enterprise. What struck me was that I was not prepared for some of the answers they provided and what would persist to be challenges that nearly every SOC experiences.

After my first full briefing on ESOC operations I was left with more than a few overriding questions. How do we know if we have complete visibility? How are we acting on the numerous alerts that occupied the screen time of our small cadre of analysts? What dashboards and case management could we use to explain these events to upper management?  Are we using the best tools available to do the job? The list goes on.

What I needed were assurances my team was never able to offer me during this brief engagement.  What we needed was a tool or platform that could offer me complete visibility throughout the enterprise on all of the available enclaves, specifically: a case management system that allowed for analysts to share their research and a Security Orchestration, Automation and Response (SOAR) product that could replicate those rudimentary common steps which take place around any security event or incident.

Today, halfway through my second year in the private sector at Palo Alto Networks, a company  that vows to revolutionize security operations, I long for the ability to share these new capabilities with any enterprise that encounters the difficulty of wrapping their hands around security operations for the large-scale enterprise.

Innovation creates excitement.  The excitement for business leaders comes from the enhancement of capabilities or the transformation of processes that increase efficiency and increase fidelity of the signal-to-noise ratio.

The argument for the automated SOC makes sense for most SOC practitioners — as long as the automation actually works and accomplishes what it claims.  Automation and machine learning are two often overused buzzwords in the cybersecurity industry, which diminishes the impact of their actual meaning. What would you give for something that can truly optimize automation?

To again tap into my nerd self, what if these automated products could act as sort of a R2 unit that has the ability to respond based on what your numerous previous responses dictates? Or, provide you with a proven ability to respond in an automated fashion to something you have seen a thousand times before, but just don’t have the hours it would take to engage.  It can be a game changer and the difference between mitigating a potentially serious event to spending several days forensically trying to understand what exactly crippled your enterprise.


End Points

  • The excitement for business leaders comes from the enhancement of capabilities or the transformation of processes that dramatically increase efficiency.
  • The argument for the automated SOC makes sense -- as long as the automation actually works well.
  • What would you give for something that can truly optimize automation?