With a background in counter intelligence followed by practitioner stints at McAfee, Sony and Hewlett Packard Enterprise (HPE), Brett Wahlin has an impressive career behind him.
Now three months into the HPE era, he carries the title of Global CISO well. After all, he explained that his experience at one of the most notorious incidents put him in good stead.
“I came into Sony after their PlayStation breach and they got me to fix it,” he said. “The Pictures breach was nothing to do with me. I fixed it and got out and they had another one.
“If you know the inside of Sony and how they work, it was inevitable that it was going to happen as they pushed the security into each one of the businesses and the particular person in charge of Sony Pictures had a different approach from the rest of us. The funny thing is that I would love to go back and say ‘I told you so’ as I insisted that we firewalled the networks between Pictures and the Sony network.”
He said that he had a hunch about the state of security across Sony, and he decided to segment the network so when the Pictures breach happened, his successor thanked him for putting the firewalls in as it was protected while systems were detonating.
While the concept of HPE is relatively new, Wahlin has been with the company for three years and as global CISO, he works with HPE to help them understand how the various technologies fit together in what is effectively an advisory role.
In recent months HPE has sold its IPS technology Tipping Point to Trend Micro while Voltage Security and Aruba Networks were acquired in 2015.
“Operations are evolving quite significantly to the point that we are creating things internally, that bolt on to what we sell and that gives our product teams an idea of what is next,” he said.
“Average CISO runs 50 different apps, so as we only sell three to four there is stuff we run together so there’s a dilemma on how you get them to all run together.”
We moved the discussion on to the role of the CISO within such an organization, and Wahlin explained that he has presented high-level strategies to the board and uses a specific format to get his message across. He called it “four P’s and the penguin”.
He went into further detail. The first “P” is “protect”. He said: “If you know it is protected it is very common, but it is hard to do. Do you know what is valuable? Do you know where to find it? Do you know what a critical asset is? The traditional tools for protection are encryption or asset protection, or identity management and these are all old things that we have been doing forever.
“The thing is we don’t know what to protect and businesses don’t know what is valuable to them. Part of our Enterprise Security Data Warehouse is that as we collect so much data and actually see what assets get used in the enterprise, so we know as we actually see what is used.”
The next “P” is “Prevent”. Wahlin said that if you know it is bad then you prevent it, and this is really easy to say but actually hard to do. “As there is a whole bunch of stuff coming at you, most traditional security tools do a good job of preventing a percentage of that,” he said.
“All of them are good at preventing known bad things and for some you have to do defense-in-depth for, but firewalls will prevent some things. The trick is in prevent; everything is a transaction so if you see something you stop something, and they have to take action and fix it. So what we try to do with machine learning is learn what people do in transactions and I can pull the people out and save the cost in that area.”
The third “P” is “prepare” which he explained is a new concept, and is not necessarily about getting ready for the inevitable breach. “This is making sure that you know what to do, and I called it breach preparedness at Sony so you mitigate the impact,” he said.
“Now you can take steps to prepare for destructive malware and there is nothing you can do. You can prepare and mitigate a breach, so if you can get in front of it either have an arsenal of protective machines, or have a significant effort in preparing.”
The penultimate “P” was “Pre-empt”, which Wahlin explained was his favorite, as this is where the machine system is repurposed to help the user understand anomalies.
“With predictive analytics you have a problem of false positives and we have different areas with statistical analysis and advanced to further provide fidelity on what it is we are seeing,” he said. “It gives us the ability to see something odd in the network, and more rapidly if I should do something about it.”
He explained that it is about using machine intelligence, combined with a more advanced level of analytics, to get a higher level of knowing what to deal with.
The final “P” is penguin. Not Linux he said, but rather towards an awareness campaign. He said: “On the TV show Brain Games there was a scene where you count how many times one set of dancers step into a circle. I was trained in counter-intelligence and I’m a smart guy, and I watched it for 30-60 seconds and the announcer says “did you see the penguin”. It rewinds and during the dance a six foot man dressed in a penguin suit did a slow walk and waved at the camera!”
A similar concept was used for a road safety campaign several years ago. Wahlin said that there is a phenomenon in the brain where you only find what you want to find.
“With the new level of analyst we refer to them as ‘penguin hunters’ because of this, and the concept is we don’t tell them what to look for and let them interact with the machines,” he said. “It is all about pattern recognition without knowing the pattern or what to look for. So it takes a person and the machine capability to find the unknown.”
Explaining security to the board and the wider business is not a simple task, and Wahlin has built one which seems to work. Getting the 1.5 million connected devices under control, even the penguins would struggle with that.