As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Debby Briggs.
Debby has more than 20 years of experience in cybersecurity and has been with NETSCOUT for the last 15 years. Prior to joining NETSCOUT, Debby held various network administrator and IT infrastructure roles with leading companies, including RSA, Healthsource and GTE. She holds an MBA from Southern New Hampshire University, a CISSP, and a BS in computer science. Debby is also a patent owner for technology using trust profiles for network breach detection.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in a small town in Vermont and attended a local State College to obtain a BS in Computer Science. I was always interested in how people and things worked. I remember when I was twelve, I wanted to understand how the kitchen faucet worked so one day I took it apart, and I was always playing games like Stratego and Battleship. I loved to learn and problem solve from the very beginning.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I remember I loved the first computer class I had in high school. It was so interesting and came easily to me, so I stuck with it and continued to study technology which eventually led me to this career.
Can you share the most interesting story that happened to you since you began this fascinating career?
I came into security by working and learning about all other aspects of IT. I started in End-User Computing, moved into messaging, then System Administration, and finally Networking. When security became a full-time career, it allowed me to combine my fascination of how people worked, my technical skills, and my love of strategy.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Two people come to mind. The first is Mrs. Cram, who was my Physics and Computer Science teacher in High School. She was the person that introduced me to computers. The second person is my first boss, Peg McCarthy, at GTE. She allowed me the room to grow and taught me a lot about how computers and people work. She also gave me the best career advice: don’t ever put something in an email that you do not want to be repeated or on the front page of the newspaper. As this was my first job out of college, and working for the Government Systems part of GTE, I learned a lot about security and how secure facilities and networks operated.
Are you working on any exciting new projects now? How do you think that will help people?
I just started being a mentor to a college student studying to get a degree in cybersecurity. We usually hire a couple of college students during the summer months to give them some experience working in the IT Security field. This will be the first time that I will be mentoring a local college student that is not working for me. We meet for the first time this week to select a semester project. This program will be beneficial to the security industry because right now there is so much demand for employees with experience. We have students graduating with degrees and no experience. Everyone in the professional community needs to give students an opportunity or the experience to learn with you.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Don’t sweat the small things. There are only so many hours in the day. Figure out what is most important, and work on that first. There will be days when things go sideways, and you will need to drop everything and put out the fire. If all you do is fire-fighting, you need to pause and figure out how to plan, develop a response, or a process to delegate to others. IT and IT Security is a team sport; use your team!
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
1. The shift to the cloud — This is making the IT teams agile and able to turn up services in minutes. They no longer wait weeks to order and set up new services. This creates a unique, exciting challenge/opportunity for security. There is some comfort with seeing the hardware and the actual network cable in your data center.
2. Defending your network — You need to watch the news to hear about the latest cybersecurity breaches. These are happening to companies and governments of all sizes. I have always been interested in strategic games, like Stratego and Battleship, and I realize that the games I enjoyed playing as a kid taught me some of the skills that I use in my career. Some of the tools that IT already has in place today are some of your best security tools. For instance, network monitoring tools can see a spike in authentication requests to your authentication services, potentially indicating you are under a password spray or brute force attack.
3. People — You need to communicate to all employees, the leaders of the company, and your board. You need to be able to balance the business requirements with the security and risks and develop training programs that reach everyone.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
As most people have been working remotely for the past several months, there are some issues we should all be aware of.
- Where are your employees storing their data? What devices are they using to connect to your corporate network? Do you need to worry about the security of your employees’ home networks?
- Now that we are all remote and using the internet to connect to the corporate network, the VPN device has become an essential appliance. The bad guys have also figured out that a DDoS attack is very useful. There were 4.8 million DDoS attacks, up 15% YOY, and up 25% during the pandemic lockdown, and they targeted online platforms and essential services during the COVID-19 pandemic, such as e-commerce, educational, financial, and healthcare services.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
At my last job, I was responsible for the worldwide voice and data network. We had a Security Architect responsible for Security (this is pre-2000). The DNS for our corporate website got hijacked and was redirected to a fake web page that looked like our corporate website with graffiti spray-painted over it. This is when people hacked for fame and not money. During that event, it was decided that my team would take on the responsibility for Security. The main takeaway is prevention, detection, and remediation are all critical parts of your cybersecurity program. Know what you are responsible for and ensure that it is documented. Have network diagrams, data flow diagrams, and a full data inventory.
This inventory should include both systems and vendors. This list will aid you in determining the risk of all your vendors.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
(1) Arbor AED for DDoS and advanced threat detection and blocking. This tool stops DDoS attacks and known bad traffic using a threat feed. If we are under a volumetric attack that is approaching the size of our internet links, they redirect all our internet traffic to Arbor Cloud. They take over scrubbing the traffic and provide only clean traffic back to our enterprise internet links.
(2) Our Networking team has a network monitored using NETSCOUT’s ISNG platform. We are using the traffic data that they already have, install the ATA product and have a security dashboard.
(3) We use Tenable for internal scanning and a third party tool, RiskSense, for scanning externally and providing threat risk reports.
(4) We are presently evaluating a cloud security platform that will provide a single pane of glass for our multi-cloud environment.
(5) We recently selected and deployed VMware’s Carbon Black to protect our endpoints.
(6) We use Cisco for edge protection and VPN appliances.
(7) We use both Microsoft’s SCCM and Jamf to allow us to push out needed patches.
(8) Finally, all our tools report and send logs to our SIEM tool.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Several security-as-a-service companies can assist teams if they do not have the resources or size to have this on their own. Look for vendors that solve more than one problem or have partnerships with some of your other vendors. Security tools are getting easier to use, and over the counter would work for most companies. The best time to hire your CISO depends on what business you are in and the company’s risk appetite. What I can tell you is that one of the most important sources that I use is the strong CISO community.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
People are the weakest link in a security program. Ensure you have ongoing security awareness training and use tools to protect them from hackers. Be aware of accounts getting locked out or people using simple passwords. MFA is a must-have. Ensure that everyone knows that if they see something, they should say something. If they clicked on the wrong link, they need to report it immediately. Some signs to look out for are accounts getting locked out, a change from your regular network traffic patterns, people noticing emails missing from their inbox or messages in their sent folder that they did not send.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
You need to stop the data exfiltration, figure out how the data or security breach happened, and fix it. If you have cybersecurity insurance, you may have access to a breach coach that can help you through the process. Once you have the incident contained, you need to start the investigation and determine what devices, accounts and data were involved. This takes time, which is one of the reasons that when events make it to the news there is a length of time between when the event started and gets reported out. The best way to protect your customers is to only keep and collect the data you need, and limit access to the data to only those that need it.
Privacy is something we all need to be aware of. We should only collect the information that we need and get rid of it when it has expired. People want to keep everything; it is a struggle to get people to delete old data no longer needed. The process and technology to do this takes time and costs money.
What are the most common data security and cybersecurity mistakes you have seen companies make?
A common mistake is working on the most challenging problems and missing the basics — employee training and patching systems. Employees need to understand how their lax security practices, like re-using passwords or sharing passwords between work and personal accounts, can cost the company millions of dollars in damages. Many data and security events are caused by systems not being patched or running old unsupported applications or operating systems.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Everyone has seen an uptick in cybersecurity events, from password spray and brute force to DDoS attacks. Cybercriminals have more free time and cannot travel just like everyone else.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
Data privacy and cybersecurity are about taking a risk-based approach to protecting the data and your resources. It includes people, processes, and technology. You can focus on prevention, detection, or mitigation with the understanding that it is not a matter of if you will get breached, but when.
- Prevention — The human firewalls are your weakest link and a leading cause of data breaches. Ongoing security awareness is critical. You need to educate on password hygiene and utilize multifactor authentication. Email compromise is a leading cause of data breaches. This is another topic on which you need to have awareness training. In addition to awareness on phishing, you need technology to prevent these emails from making it to your employees’ inboxes.
- Patch your systems — Unpatched systems are still a leading cause of data breaches. This is where technology can assist in pushing patches out to end-user devices and servers. If you are in a cloud environment, make sure you understand if you are responsible for patching or if the cloud service provider does the patching.
- Keep only the data that you need and within your systems — With all the global privacy policies, it is vital to have a retention policy and ensure that people are sticking to it. Employees want to keep everything in case they need it someday. You must understand where your stale data is and remove it. Every year, we run a campaign with contests to remind employees to get rid of old files. A couple of years ago, the campaign was called “Let it Go.” This year, we have gone retro and it is called “Hasta La Vista BIG Data.” As people provide evidence that they have deleted files, they earn raffle tickets for that week’s prize drawing.
- The Security Department needs to enable the business, educate them on security risks, and develop a solution that works for the company and has taken security into account. If the Security team is always saying no, employees will work around you. If your systems are too difficult to get reports out of, employees will download the data to another location that is not protected to produce their reports.
- Pick your tools wisely! Start with the tools and information that you already have. If your team has network monitoring, can their devices tell you when something is above baseline? For example, the number of requests coming into your authentication servers could indicate a password spray or brute force attack. Find tools that partner with others you already have. Limiting the number of vendors may limit the number of dashboards your team is looking at.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Share your knowledge — it can be with a high school on career day, at a church meeting or local library teaching people about phishing and password safety. If you want to help solve the cybersecurity professional shortage, mentor a college student, hire interns over the summer and winter breaks. Help a local non-profit in your area and offer your security expertise to them.
How can our readers further follow your work online?
You can follow me on Twitter @DebBriggs.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!