In the second segment of our two part blog series, Shaun Vlassis talks about Illuminate Security's approach to protecting organizational data and Shaun's thoughts on where the Threat Detection industry is headed!
Vaughan: All right, so just to clarify, to engage with Illuminate Security, I simply send my logs, and then anonymous individuals start sifting through them, crafting detection rules to uncover any malicious activity. What could possibly go wrong? But seriously, how do you ensure that sensitive information remains safeguarded?
Shaun: Indeed, it's a critical question, and I'll answer it while also offering corrections. Firstly, while logs are integral, they aren't the only consideration. It's crucial to understand that our platform prioritizes security and privacy at every step. Each customer is allocated a dedicated enclave on AWS, where our patented anonymization process kicks in. We meticulously redact sensitive details like passwords and other identifiable information specific to your organization. Furthermore, we tokenize every username, system name, and hostname, ensuring a layer of anonymity. By the end of this preparation, the logs retain their security value while obscuring the identity of the company.
As for the analysts, they aren't exactly unknown. When setting up a detection bounty program, you have full control over who participates. Whether you opt for an open-access program, say, with DNS logs, go for it. You can do that. Or if you prefer a more curated approach, it's entirely customizable. If you want to be anonymous, as in you don't know who the company is, you can do that. But then further to that, you can then say, I only want citizens from country X. So basically you can specify criteria such as citizenship, background checks, NDA agreements, and expertise levels. This tailored approach ensures that only vetted individuals, aligned with your risk tolerance, engage with your data. So, with defanged data, carefully selected analysts, and clear risk management strategies in place, the potential risks are mitigated.
Vaughan: I'm assuming you're also logging who has accessed which data. So you have insights into which of your hunters have reviewed specific information.
Shaun: Absolutely, and that tracking serves multiple purposes. It helps us calculate and demonstrate your threat coverage. For instance, if I excel at detecting DNS tunneling and have been analyzing your DNS logs, submitting findings to other organizations but not yours, it highlights gaps in your coverage. After all, I only earn rewards when I submit findings based on the work I've done. That's why we meticulously track who accesses what, right down to the log line.
To expand on this, we offer various distribution mechanisms for the program itself. It spans from data residing in an S3 bucket to a closed-off, customer-specific AWS account where analysts are invited into your enclave to run their logic. Whether they're using their own systems within your enclave or leveraging our platform for analytics, the level of data access can be tailored based on your organization's risk tolerance.
We do see quite a range of concerns, on one end there's companies that would not ever want to be public and only allow background checked citizens from Australia, through to a crypto company where the majority of their data is on the blockchain anyway so they don't even care if the cloud trail logs are anonymized because what difference does it make to them. At the end of the day, they'd rather get the benefit from it. So it'll be interesting to observe over time which combination of controls—people, process, and tech—becomes the norm for delivering a detection bounty program.
Vaughan: Awesome. I mean, it sounds like an amazing platform. I'm actually quite tempted to sign up for an account. The idea of getting paid to write regex sounds like a fun side hustle. But on a more serious note, you're discussing a lot about threat detection, an area you clearly have experience in. What, in your opinion, are the key qualities needed to excel as a detection engineer in 2024?
Shaun: That's a great question. I would say it is problem solving. A constant desire to learn and keep pace with the changing threat landscape and environment. You do need to have, in my opinion, the fundamentals of computer science and understanding how things work. Coding, scripting is a definite superpower. And I joke I've been a dirty Perl coder my entire career, mainly for its efficiency in log processing. Well, and to be fair, this isn't because I've been in the detection and response space. Perl is great for log processing. Why would I need to do anything else? At scale, it's very efficient and I can do everything I've ever wanted to and thankfully it still works. But I would say, having an agile mind and a passion for problem-solving is crucial. It's a challenging yet rewarding field. With these qualities and technical acumen, one can achieve remarkable success.
What's exciting now is the democratization of skill-building and reputation-building in threat detection. Gone are the days when your opportunities were confined to the organizations you worked for. Nowadays, you can hone your skills, build your reputation, and make a substantial income without being tied to a single employer. I envision a future where aspiring security professionals, even those still in university, can dive into Threat Hunting and make it a lucrative career path. It's something I'm personally invested in—supporting and nurturing the next generation of security experts.
Vaughan: Nice. The red team shouldn't have all the fun.
Shaun: Exactly. We need to leave some excitement for the blue team. It would be fantastic to have something like CVEs for common threats that can be detected. It's a fascinating area. We already have initiatives like MITRE ATT&CK and others, but the landscape is still crowded with various threat intelligence sources, making standardization a challenge. However, I believe we'll see improvements in threat detection over time. What intrigues me the most is the economic aspect. Just as bug bounties evolved over time, I'm curious to see the value assigned to detecting different classes of threats. Imagine the cost associated with identifying a ransomware operator before they strike or detecting malware installation in your environment. It's uncharted territory, and it will certainly impact security budgets and the perceived value of different security solutions. It's going to be fascinating to witness this evolution unfold.
Vaughan: What steps can individuals take to sharpen their threat detection skills? Let's say someone is working in security and wants to enhance their threat detection abilities, perhaps delve into Threat Hunting. What's the best approach to refine those skills?
Shaun: There are several paths you can pursue. Start by formulating hypotheses or delve into intelligence reports about specific threat actor groups. Understand their tactics, techniques, and procedures (TTPs), analyze malware they use, and study sandbox reports. Then, translate this knowledge into actionable detection logic for relevant logs. Experiment with your hypotheses on platforms like Bluehat. This way, you can validate your logic and refine it based on real-world scenarios. Unlike traditional settings where you're limited to testing within your organization, platforms like ours offer the opportunity to test and potentially earn rewards for your findings. It's a practical way to enhance your skills while contributing to the security community.
Vaughan: Sounds like a win-win. And finally, I'd like to hear your thoughts on the evolution of threat detection. We've discussed its progression from using IDs at the network edge to centralized log management platforms, and now to encompassing various environments, including SaaS platforms. What do you foresee as the broad trends shaping the landscape of threat detection in the next five years?
Shaun: It's a fascinating question. My perspective might be a tad biased, given our involvement with Illuminate Security, but I believe the democratization of threat detection expertise and the maturation of rule set management will continue to progress. Our platform provides a real-world evidence-based approach, which challenges conventional wisdom and offers tangible results. Instead of relying solely on vendor hype, organizations can now evaluate effectiveness based on validated techniques and approaches.
The other end is as the AI, ML, whatever it gets called over the next couple of years, will continue to increase in maturity and it will get better as the data that it relies upon gets more and more curated over time as to what is or is not considered a specific threat, what is a true positive, what isn't. However, I still firmly believe that, unless, (and I kind of come back to that point around what you need to be an effective threat hunter or detection engineer, or a pen tester, or a red teamer) is creativity and an ability to problem solve. Without that, the ML-AI stuff of the world will only be as good as what it has been trained and the data it's been trained upon, minus people keeping up to date with the latest vendor or their logging patterns, or their use cases and approaches, will still need experts.
I think we're going to get smarter as to how we use technology to support us and do things more quickly and at more scale. But if you were to tell me that in ten years time, an LLM will replace a threat hunter, I just don't see it. And I'll gladly be proven wrong in ten years time. And I'm glad this is recorded so we can look back at it. But we don't understand how the human brain works exactly just yet. And so anyone who says they're going to literally build artificial intelligence that can do what I am doing right now while I'm thinking about something else and solving a problem at the same time, just personally, I don't see it just yet. I'll gladly be proven wrong.
Vaughan: Very insightful. Thank you for your time, Shaun. It's been a pleasure having you on, and I look forward to seeing where Illuminate goes from here.
Shaun: Thank you, Vaughan. I appreciate the opportunity to share our insights. Until next time.
Vaughan: Awesome, thanks.