CISO of the Week, Robert Schuetter, CISO for Valvoline
Robert Schuetter brings more than 25 years of IT and 12 years of IT security experience to Valvoline as CISO and head of enterprise architecture. In 2013, he joined Ashland Inc. (the parent company of Valvoline) as CSO overseeing cyber, physical security and GRC. Prior to that, he was CISO for GE Aviation.
In addition to his responsibilities at Valvoline, Mr. Schuetter is co-founder of Integral Defense, a managed detection, threat intelligence and response services company that brings the lessons learned from protecting the largest companies in the world within reach of small- and medium-sized businesses. The team has open sourced much of its custom platform in an effort to shift the security industry's focus away from which tool you have and toward how you enable your security staff to be as effective as they can be.
What is your overall approach to information security?
I came over to Ashland/Valvoline during a time when company breaches were hitting the front page of the news. The primary concern of many boards at that time was ensuring that your company wasn’t the next big story. A significant portion of my focus as a business leader has been determining which events have actual impact on the image and financial viability of the company.
When breaches went public, the standard statement at the time was something to the effect of “This was such a sophisticated attack that it was not able to be detected by commercial security products.” We focused our cyber team on detecting those attacks that get by our commercial products. We focused on reverse engineering any attack that was not able to be detected by our commercial products and generating intelligence on the attacker, the attack patterns, and why specifically our commercial products failed us.
At the end of the day, we needed to utilize our commercial products differently. We pulled the raw logs and events from those platforms. We created our own platforms when needed. We automated everything we possibly could for the analysts to do their job efficiently. And we now generate more useful intelligence about who is attacking than we consume from outside sources. In one company we saw approximately 450 attacks a month to a population of 10,000 that were not detected by our commercial products but were by our own platform.
At every company I have run security for, this concept of using open source and custom platforms has beaten out the commercial offerings every time. I am certainly not saying that you get rid of your commercial products; they have a tremendous place in prevention, but for complete coverage, you need something more. Threat intelligence in the commercial products has become commoditized. In one company we went to having multiple commercial vendors in each space; however, the number of attacks detected by our custom platforms didn’t go down. So the question needs to be “How do you detect attacks that slip by?” That is significantly different than the “Assume you are compromised and you just need to respond fast” mindset.
How do you communicate information security issues to the board?
Visibility is key. Visibility into your environment gives you the data you need to communicate effectively to the board. Everyone is struggling with how to quantify risk. How impactful will an event be? How likely is it to happen? What happens when the event takes place?
When you get to a point where you can generate your own threat intelligence on who your persistent threats are, what they are going to do with the information they want access to, what exposure you have to non-targeted, widespread incidents, what the population of insiders with access to your data is, and who the market competitors are that could benefit, the conversation gets a whole lot simpler. One part of the equation is already answered.
I have found that consistently between companies, when I show the leadership and board metrics of how many more attacks we have caught than previously, everyone says “Thanks, keep it up.” When I can show persistent targeting, who is behind it, how they will benefit, and what the impact will be to the viability of the business, the leadership and the board can see and understand the actual risk.
I very rarely try to spend any time focusing on metrics or even a risk chart. We have those tools to run the team efficiently internally. However, outside of the team, we tell stories. A CISO needs to be a professional storyteller in my opinion. We place people into the mind of the attacker: what their lives are like in the current geopolitical environment, how they are making money and infiltrating companies and, just as importantly, as we shift our defenses, what we predict their next move will be.
Almost everybody agrees that organizations need a culture of security. How can security leaders help facilitate that type of culture?
Transparency. Complete transparency whenever you can. Share the attack patterns, share the intelligence on how organized crime is making money, and openly share when you were not successful preventing an issue.
When it comes to training, use real examples. Don’t rely on the generic examples third parties will provide for canned training or phishing exercises. Every phishing exercise we do is from an actual attack attempt we have seen. Then share your threat intelligence with the business on what would have happened, how people are getting fooled, etc.
I disagree, however, that awareness should be 50% of your strategy. In our experience, even when we replay real attacks in the phishing exercise and we can get the response rate on exercises down to single-digit percentages, the phishing detection capability of the end user against real events is still only about 20% accurate. The attacker is able to change their strategy so quickly that when you finally get to release tips and tricks for detection to your user population, the attacker has already learned and shifted their strategy. So while you must create the culture of awareness, great intelligence and detection will trump a trained user in effectiveness every time. Invest in your team and your people first and foremost.
Threats are everywhere and always changing. How do you address this difficult reality?
I will go back to the point of analyzing every attack that gets by your systems. It is highly beneficial to be able to reverse engineer your own malware. Then after each detection, even if you detected and stopped the attack successfully, you do a full investigation into how the attack happened, what the entry point was, what tools did not detect the attack and why, what the malware did or would have done, and whether other systems would have caught the attack further down the line. If you can answer these questions, you can very quickly figure out how the attackers are changing and what they are doing to evade detection.
This also starts to point to any limitations in your visibility. This is where appropriate risk decisions can also be made. Do you really need yet another tool? Is there any tool you have where the logs indicate the tool saw the event but couldn’t determine it was malicious? This is what a number of our open source tools do. They pull information out of commercial security platforms to give you the visibility to detect what they miss. We have a team that does nothing but this endless cycle of discovery. We could justify it because we had full visibility into what was missed and could calculate the impact. We then pushed as many tools as possible to detect early in the attack. It is nice to detect attacks upon exfil, and it is critical to have a safety net, but when you do this you had better have a large 24×7 security operations center because you have no time at all to react. It is much better to detect early and buy yourself some more time to react and more opportunities to detect.
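One concrete form of the check described above (a tool whose logs show it saw the event but never called it malicious), written as an added example over constructed data; it is not code from the interviewee or from Integral Defense's platform, and the tool names, indicators and verdict strings are assumptions:

```python
"""Post-incident coverage check for one confirmed attack: which tools logged the
attack's indicators, which of those actually alerted, and which never saw it.
Added example with constructed data; not the interviewee's or Integral Defense's code."""
from collections import defaultdict

# Constructed raw records pulled from hypothetical tools, in the shape
# (tool, indicator the tool observed, verdict the tool assigned at the time).
RAW_EVENTS = [
    ("proxy", "update-cdn.example", "allowed"),
    ("proxy", "intranet.corp.example", "allowed"),
    ("edr", "svchost-helper.exe", "benign"),
    ("email_gw", "invoice-2291.doc", "delivered"),
    ("email_gw", "invoice-2291.doc", "quarantined"),  # later re-scan caught it
]
# Indicators tied to the attack by the post-incident investigation (constructed).
CONFIRMED_IOCS = {"update-cdn.example", "svchost-helper.exe", "invoice-2291.doc"}
TOOLS = ["proxy", "edr", "email_gw", "dns"]  # dns logged nothing: a blind spot
ALERTING_VERDICTS = {"blocked", "quarantined", "alert", "malicious"}

def coverage_report(raw_events, confirmed_iocs, tools):
    """Return {tool: status}. 'detected' = alerted on a confirmed indicator;
    'saw_but_missed' = logged one but never alerted (tune this tool);
    'blind' = logged none of them (a visibility gap, not a tuning problem)."""
    seen, alerted = defaultdict(set), defaultdict(set)
    for tool, indicator, verdict in raw_events:
        if indicator not in confirmed_iocs:
            continue  # unrelated traffic, ignore
        seen[tool].add(indicator)
        if verdict in ALERTING_VERDICTS:
            alerted[tool].add(indicator)
    report = {}
    for tool in tools:
        if alerted[tool]:
            report[tool] = "detected"
        elif seen[tool]:
            report[tool] = "saw_but_missed"
        else:
            report[tool] = "blind"
    return report

def tuning_candidates(report):
    """Tools worth tuning before buying anything new: they had the data and
    simply did not call it malicious."""
    return sorted(t for t, s in report.items() if s == "saw_but_missed")

if __name__ == "__main__":
    rep = coverage_report(RAW_EVENTS, CONFIRMED_IOCS, TOOLS)
    print(rep, "tune first:", tuning_candidates(rep))
```

Run it over the raw exports of each tool after every confirmed incident; a tool that keeps landing in `saw_but_missed` is a tuning job, while `blind` is the only result that argues for new visibility.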
Why do some CISOs use technology for its cool factor instead of for securing or enabling business?
When I was a LEAN Six Sigma Black Belt at GE, the single hardest step in solving any issue was defining the problem appropriately. Oftentimes a new green belt candidate would come forward with a solution and try to fit their Six Sigma project to whatever solution they already had instead of first defining the actual problem they were trying to solve.
The same is true for many CISOs. We have never really been able to quantify the problem we are trying to solve. So we rely upon marketing and tools to tell us what we are solving by buying their tool. The paradigm is completely backwards. If you don’t have visibility, get that first. Sit with the business and understand their value creation proposition. Understand the business continuity plan and understand what types of impacts they can absorb. Understand the market in which your company competes and what you have of value that could slingshot your competition past you if they knew how your company did things. This sets you up to identify the kinds of capabilities you will need, and then you can map solutions to that need.
All too often we get caught up in cool marketing terms. Our open source platform does handle big data, AI, and automation. But we didn’t put these things in because of the marketing capability. They solved an issue we had. We have well-compensated employees and they were spending the majority of their time doing simple tasks like pulling logs. I could get to the determination of whether an alert was a false positive or not faster, I could make my team more efficient, and I could let my well-compensated employees do the most valuable work by automating everything that they would naturally do with an alert. Everything they need is on the screen in front of them to make the determination of whether to sound the alarm or not. Yes, we use AI and automation, but it is a means to get to the high-value work faster.
How has industry cooperation made an impact on cybersecurity?
My team and I were lucky enough to be a part of the defense space when the idea of industry sharing was first tried out. We were just a bunch of people trying to solve a problem where you couldn’t just open a book or Google the answer. We knew the problem was bigger than us. Hence the Defense Security Information Exchange (DSIE) was born. I can honestly say that without the expertise shared with us by the likes of Lockheed Martin and Raytheon, we would never have become as good as we were.
It is industry sharing where I want to continue to focus. The bad guys all learn from each other. They are quick and nimble. They share malware and tools. Now that I am at a smaller company I have seen firsthand that utilizing the tools and techniques that we created at the larger companies absolutely works. Beyond that, the threats we saw at the world’s largest companies with highly sensitive, targeted data are absolutely the same types of activity we saw in the manufacturing space, the chemical space, and the retail space.
That is one of the things we got wrong. It was great to understand what others in your industry are seeing but it is just as valuable to see what companies in other industries are seeing. At the end of the day, the big companies really protected themselves by developing their own technologies and then sharing the threat intelligence. Some have gone commercial. We have taken a different approach.
We are giving the technology away in open source. Start spending the money you would put towards a product on your people instead. Because in the end, we are not fighting robots and malware; we are up against another person. AI and automation do not replace intelligent people; they amplify their capability. We talk a lot in this industry about the lack of people and talent. I disagree. We have a lack of the ability to quantify the value in our people. If companies understand the risks that are mitigated by our people, we can pay appropriate salaries and challenge our teams with difficult problems to solve, and in the end you will find it isn’t that hard to attract talent to you. That is why we believe in open source so much. The value isn’t in the tool but in the people that fight the battle each day.
When we first got into security having to deal with true nation-state APT, I really fell into a dream job. We were given unlimited resources and unlimited funds to become the best cyber defense team in the world. We split into two teams, one that would purchase every major commercial product at the time and one that would try to think about the problem differently and create their own platform just in case there actually wasn’t any commercial product that would catch the threat actor at the time.
I am not ashamed to say that the custom development teams beat us to the punch every time. The code that was developed caught APT activity day one. This really shaped the way we think about the issue and we realized that the bad guys are using how we were thinking about the problem against us.
It is time to start thinking about the problem of security with a fresh set of eyes. We have to stop thinking about security in the normal constructs of traditional IT management terms. We tend to think in terms of a build competition where you are given a set of tools and construction materials and you see what you can build out of it. Instead we need to think of security in terms of a chess match. Your objective is to beat your opponent. It is time to get creative, learn your opponent’s thought processes, and then go print your own chess pieces and change the rules of the game.