Know Your Enemy Know Yourself — You need to understand your business, what supports operations, who may want to compromise your users or systems and how they might look to accomplish it. Let that be the basis for your security program.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Andrew Maloney.
Andrew Maloney, CISSP, is the co-founder and chief operations officer at Query.AI where he is responsible for establishing and delivering on Query.AI’s go-to-market & business operations strategy. Andrew has over 20 years of diverse leadership experience, most recently serving as a founding executive and SVP of field operations at Jask (acquired by Sumo Logic). His experience also includes other high-level positions in companies that include Niara (acquired by HPE), Hewlett Packard (ESP), and ArcSight (acquired by HP). Andrew is also a decorated veteran of the U.S. Air Force.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in a blue-collar family outside Washington, DC in Maryland, and my relatives were farmers and tradesmen. I spent a lot of time exploring the outdoors on the farm, tinkering with engines, building things in our garage, and doing home renovation projects with my dad. I still enjoy these activities as a way to decompress from the constant plugged-in state of the cybersecurity industry.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
My venture into cyber isn’t so much a story of inspiration as it is one of happenstance. When I was pretty young, my dad would occasionally bring home old IBM machines that I would inquisitively mess around with. Later we had what was considered state of the art at the time — a Compaq computer running Windows 95 with a 1GB hard drive and a 56k dial-up modem. When I was graduating, I knew I wanted to serve in the military, so I enlisted in the Air Force right out of high school and began studying computer operations at 17.
In the Air Force, I learned about computer and networking concepts, scripting, the OSI model (Please Do Not Throw Sausage Pizza Away), TCP/IP and really took an interest in it. The pivot to security actually came from my deployment to Oman in 2003. The concept of having a dedicated security function was not yet commonplace, so when I got to Oman, there was a need for someone to pick up and manage the firewalls and proxies for our forward-deployed base. I volunteered to take on the challenge and it turned out to be a really fortuitous opportunity for me. Having that experience when I returned to my primary duty station led to the leadership asking me to join the security team. Having previous experience from the helpdesk, network and systems administration prepared me well for the transition. From there onward I was hooked.
Can you share the most interesting story that happened to you since you began this fascinating career?
I’ve seen a lot, done a lot, and learned a lot, but if I had to pick one that stands out, I will say that one of the most special moments in my career was being part of the team standing up the FBI ESOC in the early 2000s, just after Robert Hanssen — a very notorious spy — was discovered. He did a lot of damage to our country, and it really drove home the criticality of the security mission. The movie “Breach” was actually based on him, and Ryan Phillippe plays the agent who brings him down. Fun fact: it was filmed during my time there. What a mess that was.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Truer words have never been spoken. No one gets there alone. I’ve been fortunate to have some great mentors and friends help me along the way, from my early days in the military to the OG team at ArcSight. These were really impactful people in my cyber journey, but the one that stands out the most is W. Todd Parker. Todd saw something in me that no one else did and took a chance on me by pulling me from a technical-leaning delivery role and teaching me the soft skills of consulting as well as leadership, business, and sales. Meeting Todd changed the direction and trajectory of my career and we’re still very close today. I think he’d agree that I’ve come a long way in the last 10–15 years, but there is always more to learn and more to do. Now I look to pay it forward. I love engaging with others to help them find their path and mentor where I can.
Are you working on any exciting new projects now? How do you think that will help people?
Query.AI is my company, project, and focus, and being in the driver’s seat of a rapidly growing, innovative startup, the excitement never ends. My co-founder, Dhiraj Sharan, and I launched Query.AI to help people in a number of ways, including:
- Lowering the barriers to entry for security for our customers and amplifying human potential through the use of assistive AI in our technology.
- Pushing boundaries by challenging our teams to strive for excellence while empowering them to get outside their comfort zones. This is how they can truly grow and maximize their potential.
- Giving back to the cyber community. I’m excited that our first initiative in this area is a partnership with Neal Bridges, an industry thought leader who has spent a significant amount of time building the Cyber_Insecurity stream. The Cyber_Insecurity stream helps those who want to enter the exciting and rapidly expanding cybersecurity field get their start by delivering the knowledge and experience to land their first role. We will start by sponsoring a premium annual training pass to INE.com that will be raffled off each month to a member of the stream to help shepherd in the next generation of cyber professionals. I believe we should all find ways to give back to the industry because the more dependent we become on technology as a society, the more relevant this field will remain.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
It’s important to remember that we work to live, not live to work. As simple as that sounds — and perhaps cliché — we have a very unhealthy culture in the US that glorifies working until all hours of the night, always being available, spending 300 nights a year in a hotel room, working weekends and holidays, and not taking vacations at the expense of all else. It’s not beneficial or sustainable.
I’m building a startup, and the truth is, 40-hour weeks are non-existent and schedules are highly unpredictable. I also have a young family and I will not neglect my wife or miss my kids growing up because of it. It may be hard, but you can find balance. If you don’t, your physical and mental health will deteriorate and you will end up less productive and burnt out as a result. We all need a break, and more often than not taking time for yourself will help you find clarity both personally and professionally. If you’re at the right company, working with the right people who care about you as a person, and you’re all working towards a common goal, it will be easier to find balance. As business leaders, we must instill a culture of trust and communication to ensure team members are still hitting milestones and achieving goals while taking care of each other. You’ll have a more productive and happier team.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
- Changing Landscape — Cybersecurity is driven by technology and innovation, therefore it is never static. When I got into cyber 20 years ago, there was already so much to learn and I had many moments where I felt like the more I learned, the less I actually knew. This remains a constant two decades later as new capabilities are created and new technologies are adopted. We must continue to adapt, which can be exhausting but it’s also exciting and keeps things fresh.
- Technical Advancements — It’s amazing and exciting to see and experience what has happened across the cyber and technology ecosystem in the last 20 years. We’ve evolved significantly from the days of syslog servers, IDS, and the beginning of SIEMs running on relational databases, to the cloud native, multi-tenant, auto scaling technologies we have at our disposal today. I’m very much looking forward to seeing and being part of what comes next.
- Impact on Our World — Cybersecurity is hot right now and not necessarily in a good way. It seems that there is a new, high-profile compromise dominating the news cycle every day. Going beyond the big-name breaches, indiscriminate ransomware attacks over the past several years have brought cybersecurity awareness into our homes and truly elevated the appreciation. I’ve always believed in the importance of cybersecurity, so while the exposure has come from some not so positive activity on the part of our adversaries, I’m encouraged that people are paying attention because the more dependent we are on technology, the more important our cyber mission becomes. When we become so reliant on technology that we can no longer function without it, ignoring the inherent risks and failing to plan accordingly is a recipe for disaster.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Critical threats are constantly emerging, and I think recent events have shown that nothing is off limits and we need to be prepared for anything. Adversaries attacked hospitals in the middle of a pandemic, shut down critical gas pipelines, and compromised drinking water supplies. The best way for companies to protect themselves is to follow The Art of War and, “Know the enemy and know yourself.” This ensures you’re properly implementing and securing critical systems that support your business operations and of course keeping software updated and patched. Companies should also follow least privilege models and enforce them by blindly trusting no one — not even software manufacturers. As simple as this all may seem, most security issues come from bad hygiene and fast-paced operational tempos, and it’s so easy to lose track of what systems are in use, what accounts are still active, and what suppliers have access to. The combination of all these vulnerabilities creates risk for you and opportunities for adversaries.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Breach is a strong term. Companies face hundreds, if not thousands, of suspected threats every day and very few of them turn out to be actual breaches. However, they still have to weed through these threats to identify which are indeed relevant (a potential breach), and quickly understand the scope and impact. That part of the process — the “investigation” of threats to find those that are relevant and identify the scope and impact — is exactly where Query.AI focuses. As an analyst you need to quickly gain context to understand and decide with high confidence which things are most important.
An example of this happened recently when a customer’s security team was notified of a suspicious file on a user’s system. The security team had limited information and needed to quickly identify if this was a relevant threat or some benign oddity. We were able to provide simple Access Investigation and Response capabilities to determine the source of the file, in this case a malicious email, which was indeed confirmed malicious from threat intelligence providers. The scope was determined to be not just the reporting user, but several other systems and a dozen or so email addresses. We were able to not only access the data and provide the above context of “bad” and the scope of systems and users affected to support the investigation, but also provide quick response actions to delete the emails from inboxes, quarantine affected systems and reset affected user accounts before any damage could be done. All of these things are critical pieces of investigations that are traditionally done through very manual, resource intensive pivots and data collection efforts. This type of investigation happens daily across the enterprise landscape and the proven ability of our single Security Investigations Control Plane is an exciting look at how we really make an impact to the industry going forward.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Ironically enough, as the COO of a startup I’m arguably closer to a security practitioner today than I have been in years because I’ve taken on the responsibility of a CISO and put in place many of the controls for our company. I engage regularly with our endpoint detection and response platform, which runs on all our corporate assets and protects them from unauthorized or malicious software. We have various corporate directory technologies, such as Google and Office 365, a single sign on provider that helps manage account access and credentials with two-factor controls, and of course our Query.AI platform — which serves as the connective tissue and central interface to bring all of our data and cybersecurity tools together.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
The market is quite diverse in terms of security needs and maturity, and there’s no one-size-fits-all approach. I’ve seen Fortune 50 organizations with tremendous budgets and large teams that are as immature in their security posture as you’d imagine a two-person IT shop at a small business. In contrast, I’ve seen some small but very advanced security teams that run mostly open-source technologies and have the expertise to extend and stitch together their technologies based on their experience.
It’s important to understand that technology alone is never the answer. There is no amount of “over the counter” software that will solve the problem of providing total security. You need the people and the process to align the technology to your business. There are some very capable security professionals in our industry, and depending on your mission and scope, starting with someone who has the hands-on experience in a security team (or running one) with the right drive and aptitude could be a great fit to onboard. Allowing that person to roll up their sleeves, build a team and grow into the CISO role could be a viable option for those just starting out, as opposed to trying to hire a CISO outright.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Aside from ransomware, which notifies you immediately that you’re in trouble, most adversaries try and stay below the detection threshold. They understand that high-profile alarms will draw attention and will attempt to infiltrate and methodically move around under the radar, but this doesn’t mean they are invisible — there is always a trail. There are several indications of a bad actor, such as a new user accessing critical systems, strange upload activity, a spiked CPU or full hard drive, access points, and activity to OT/IOT systems. It’s difficult to pinpoint because there are so many things security analysts have to look for. Many of these could lead to false alarms without context, which is why it’s important to “know yourself” so you can identify the critical access, who should have access, what standard operations look like, and identify outliers.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
It’s important to consider the context and variables associated with each organization and breach. How did they become aware? If they were notified, they need to immediately confirm the details of the notification. If they’ve made the detection, they will already be in flight on the incident response process. The simple answer is to identify the scope as quickly as possible. This means the impacted systems, users, and capabilities, so you can contain and prevent further expansion. The remediation begins with isolating hosts, users, servers, network segments, and whatever is necessary to stop the bleeding. Depending on how bad the compromise is and how persistent the adversary is, the company should look to contact a professional Incident Response firm that can confirm their findings and ensure the compromise is truly contained. During that process, the company will need to start collecting available information and notifying their customers and partners. I believe in transparency, and while no one wants to see a breach notification from a supplier, it’s always better to get in front of it. We’ve seen attempted cover-ups in recent years and we’re starting to see stiffer penalties and fines for companies who don’t do things above board.
Our platform is data-less and provides privacy-by-design. We alleviate privacy and governance concerns about enterprise data by giving customers access to their data in its native locations. Query.AI doesn’t store, process, or require vendor access to data. That is relevant because it minimizes the amount and type of data we need from customers to operate our business. It works in the customer’s favor because we’re not an additional risk of another vendor with their data to protect.
These measures have helped our business because many of the multinational corporations we work with have strict requirements to adhere to around data sovereignty. They benefit from our approach of accessing data where it lives through a security investigations control plane by receiving centralized visibility and insights across geo boundaries without persistence or violating their privacy agreements.
It certainly adds a new system of checks and balances for business in general. Ultimately, I think it’s for the greater good because our expectations as a society for online data privacy have been eroding for years and we needed some controls in place.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The most common mistake companies make is buying into marketing hype and looking to bolt on the next shiny thing. As I said before, technology alone is not enough and there are no silver bullets. There is a reason companies have an average of a dozen tools or more, and very little integration or understanding of how they’ll work together.
Security is an ecosystem and a continuous process. It starts with preparation and, “Know the enemy, know yourself.” Then you can lay out the foundation for systems, infrastructure, and the proper controls and safeguards to ensure you’re deploying securely. You MUST keep these controls and safeguards up to date, and a lack of patching remains one of the biggest mistakes we see organizations make. Since we know there are bad actors and the software itself can’t be trusted, organizations must have the capabilities to continually monitor and respond when things go wrong or look out of place. This requires an investment in the right tools and people to best support the systems and infrastructure that run the business. The process for how you will monitor and how you will respond is critical because incidents can happen any time of the day and any day of the year. There is one more step that is often overlooked — the feedback loop. You must continuously learn from incidents and investigations so you can feed this back into your preparation loop. Whether it’s better user training, adjustments in deployment infrastructure, or new policies and enforcement, we must always learn and adapt. Threats are constantly evolving and sticking to the status quo is another common mistake.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Query.AI has been a remote company from the start, so for us it has been business as usual. For a majority of companies that had to scramble and take their workforce remote, there was certainly a learning curve. In issuing new systems (when none were available) and granting remote access to resources that have always been in the office, the mindset was seemingly, “make it work, then we’ll make it right.” As terrible as that sounds, cybersecurity’s function is to support the business regardless of circumstance. If we can’t ensure that business operations can continue in a time of crisis then we won’t have a business left to secure. I wouldn’t classify those as errors as much as they are difficult executive decisions, and my hope is that in making those choices, companies kept a close eye on anything they did with a business-first mindset and quickly went to work adding new security controls and closing any loopholes they may have created.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
I hope this isn’t too redundant as we’ve covered a lot of this:
- Know Your Enemy Know Yourself — You need to understand your business, what supports operations, who may want to compromise your users or systems and how they might look to accomplish it. Let that be the basis for your security program.
- Make Security a Corporate Priority — It’s not up to the two resources in the IT closet to ensure the security of an organization. Everyone needs to be aware, have access to training, and be reminded and refreshed regularly to minimize the opportunity for compromise.
- Sometimes Less is More — When considering what data to collect for your business and security functions, it’s important to understand what data is actually needed, what you intend to use it for, and how long you’ll need to keep it.
- Security is Not Static — What you implemented when you deployed a new system or onboarded a new supply chain contractor or capability is not set it and forget it. You must continually review your business, systems, infrastructure, software, users, suppliers — everything — from top to bottom. Our world changes so fast and we have to continually adapt as conditions and environments change.
- No One is Immune — I’ve heard so many times, “We’re not big enough to be a real target.” Wrong! Most adversaries are opportunistic and will take advantage of any low hanging fruit they can find. There is no excuse to overlook security because you don’t believe you’re a target. We’re all targets, and we have to plan and act accordingly.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I would love to see a program that allows people to sign up and learn an old trade. We live in such a fast-paced, always-on, and interconnected world, and we all need an excuse to unplug from technology and appreciate where we came from. As I mentioned, I come from a blue-collar family and I find some of the best stress relief and most rewarding aspects of my life are in projects I can work on with my hands. So many great trades, such as woodworking, timber framing, blacksmithing, masonry, welding and even gardening or farming, are dying arts and it’s really disheartening. I love learning about how things used to be done and have tremendous respect for the craftsmen of the past and present. I challenge you to take up a trade and find your own project to tinker with. You’ll be amazed at what it can do for your mental health and sense of accomplishment.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!