Today, data compromises and cyber attacks are almost everyday occurrences. The majority of businesses are trying to protect themselves against complex and ever-evolving adversaries. These hacking efforts are occurring minute by minute, and companies cannot defend themselves effectively or proactively. Automated internal and external security operations are now essential to combating cybercrime.
CyberSponse debuted its technology in late 2014 to enhance the current security operations centers (SOCs) used by most large companies with velocity and automation through API-driven orchestration. Most SOCs today operate manually, relying heavily on human capital (it’s important to note that due to soaring demand in the marketplace, accomplished analysts are hard to come by – and increasingly expensive) and immature processes which are often unable to respond to the number of alerts the organization’s security tools are throwing off. We at CyberSponse believe that security automation technology, when done right, has the ability to revolutionize an enterprise’s cybersecurity posture.
The market demand for automated incident response has taken off recently as more companies shift their focus from prevention to remediation speed. CyberSponse’s success and influence in this category have been embraced and welcomed by the security industry with open arms.
SO HOW DID IT ALL START?
In 2012, the idea came to me from my growing up in fire services and having an appreciation for fast and effective incident response. Since I had a background in cybercrime, I knew that the evolution of security was going to take place in the next year or two. While researching to see if incident response platforms existed, I was surprised to find that this market hardly existed. The only solutions I could find were legacy and clunky case management modules within existing yet dated SIEM technologies – this didn’t make any sense.
One of the very first presentations for CyberSponse was to incident response legend Kevin Mandia, Founder/CEO of powerhouse Mandiant. I reached out to Kevin because I wanted his opinion on what I was creating, and his encouragement motivated me even more. After more than a year of testing the market with our initial SaaS platform, I discovered that most organizations were unprepared or unable to find ways to innovate and implement incident response into their cybersecurity practices. We also found that no one wanted to use a SaaS-based technology either. Timing is everything, and I learned a very important lesson about being the first to market with a good idea.
Over the next two years, I was fortunate enough to build an ecosystem of top-notch advisors, mentors, and investors who have helped me achieve my vision. Building this company was never something I did just for the money. I did it because I wanted to help others, just like my father had as a local fire chief for more than 20 years.
The vision for CyberSponse is that automation will be the future of cyber security. Without it, it’s going to continue to be a repetitive cycle of more tools and no one to use them. The big buzzwords for RSA 2016 were automation and orchestration. Everyone finally gets it and understands that without interconnectivity between security tools, the current failures of the status quo will never be cured.
So how did we figure out that interconnectivity would be the future? 15 months into building the CyberSponse incident response platform, I was walking the floor of an NYC cyber security conference checking out all the latest and greatest tools; I remember the day explicitly. I started to ponder what a CISO would do if he or she wanted to build an enterprise security perimeter, yet by doing so, merely added more consoles and data screens to look at. It didn’t seem to make sense that security tools really didn’t speak well to each other. In 2013, no one talked about APIs and integrations; it was all about preventing and eliminating risk. I think we all now recognize that avoiding compromises isn’t possible, and an organization’s ability to detect, respond, and recover is much more critical.
The problem with integrations was also the carnage of bad experiences that large services companies put the market through. To create connectivity between legacy tools, it would cost a customer a small fortune to make custom, one-off solutions. This also did not make sense.
The concept of interconnectivity was expensive and time-consuming; no wonder the industry was hesitant about the idea of connectivity in the first place. Now that the industry is past professional service hours getting in the way, the road looks promising for building cyborg security operations centers. This is what I think when the human and the machines work as one — part human, part machine.
Today’s market demand from government, law enforcement & commercial sectors couldn’t be better. Organizations finally realize that committing bodies to the problem isn’t the answer, further exacerbated by the reality that even with approved budgets, finding capable staff and keeping them for more than six months proved impossible. Setting up a repeatable, measurable, and manageable environment was much more appealing than conventional thinking.
Security automation around incident response will be the new standard for organizations in the coming years. The CyberSponse team is already contributing our knowledge and expertise around this topic with standardization bodies so that we can clearly define and educate the market on this new area of cyber security. If the world is building widgets, cars, and everything else through automation and orchestration, isn’t it time to embrace it for cyber security?
Little did I know that building CyberSponse would be one of my life’s most challenging and rewarding experiences. I look back and see how our technology has progressed since our original idea rap session with Kevin Mandia from Mandiant [Now CEO of FireEye]. It’s like we went from building the first Model T to now racing Ferraris against other vendors/competitors in less than three years. I feel like the luckiest guy in the world, and it’s been an honor working with such a dedicated and determined team as we continue to build, scale, and differentiate in the market with CyberSponse. Many people shared their doubts, bet against me and the team, and were happier to see us struggle than succeed. I think few realize that the more people reject you, the more it motivates a guy like me, who is willing to do anything, and I mean literally anything, to create a healthy, functional, profitable, and unique business opportunity for our team, investors, and customers.
THE INCIDENT RESPONSE CONSORTIUM (IRC)
Early into my journey with CyberSponse, I obtained the domain name www.IncidentResponse.com and parked it, knowing one day I would use it as the central hub of all cyber incident response information, articles, news, playbooks, and more. Finally, in 2017, with the encouragement and support of our team, I mustered the will and courage to put together the first free, non-profit 501(c)(3) educational organization primarily focused on offering training and support for security operators by security operators. In short, I wanted to develop a fully comprehensive support community where security operation teams and members alike could go for access to playbooks, training, support, and mentorship to arm the next-generation security operations soldier. So in late 2017, the Incident Response Consortium, Inc. was born, and our inaugural event, Incident Response ’17 Convention (IR17), took place on September 11 & 12, 2017, at the Ritz-Carlton in Arlington, Virginia. IR17 allowed me to bring the centralized resources of incidentresponse.com to life, with over 40 workshops and over 400 attendees, all in the same location, with the same goal in mind: Becoming the preeminent and most effective cyber soldiers this nation offers.
Following the event, I was overwhelmed and humbled by the breadth of positive feedback and support received from the community about the event itself, with many demanding more events in the future. As it was a new organization holding its inaugural event, I also couldn’t believe that the Governor, Terry McAuliffe, came to our event, delivering a keynote address expressing his support for Cybersecurity Operations and also the importance of cybersecurity for our democracy. The future of the IRC looks strong, with a serious agenda planned for 2018; I hope that its purpose and mission of helping security operators come together as a community lives on well after CyberSponse is under the banner of a future acquirer.