My View from the Cybersecurity Frontlines

When I was a kid watching Star Trek, I used to imagine that someday in the future, life would be like that: People walking around with small computers, instant communication devices, on their chests that would give them access to any information they needed. I think a lot of us did. We’d fantasize about having devices that could obey our every command and, at any time, we could just ask them to give us any information we wanted. But in those episodes, there were few moments in which security threats arose — where the communication channels those devices used to retrieve that information were threatened. No one ever asked about the system’s firewall. We just took for granted that it was all secure. That might not have made exciting TV back then, but none of us would want to be on the Enterprise under a cyber attack.

My colleagues and I who work in Threat Intelligence for Palo Alto Networks are often thinking about the technology of the future, and we still get excited imagining all that’s possible. But it’s our job to understand that as we move closer to that space-age future of our imaginations, we also become more vulnerable to cyber threats. We are constantly working to anticipate the threats to come, understand how they operate, and share what we know with the cybersecurity community in order to make the digital world safer.

My Journey to Threat Intelligence

I wouldn’t say I was predestined to work in cybersecurity. I had been interested in technology and planned to begin a career in programming while I was in college. But in 2003, the National Security Administration established the National Centers of Academic Excellence in Cyber Defense to address the (correctly) anticipated shortfall of cybersecurity professionals that could present a serious global threat. Each of the designated schools offered a scholarship for service (SFS) program: If you agreed to work for the government for two years, the NSA would pay for two years of schooling to train you in cyber defense. At the time I was considering earning a master’s degree, and although for personal reasons I didn’t end up participating in that SFS program, I got excited about a career defending computer networks, so I eventually enrolled in a master’s degree program in security informatics at Johns Hopkins University.

When it was time for me to do my summer internship between the two years of the program, I was fortunate to find a great opportunity with a security intelligence company. I spent an entire summer learning malware analysis, which led me to my current career.

The Knowledge Leaders

Unit 42 was started in 2014 by Palo Alto Networks’ Chief Security Officer at the time, Rick Howard, and myself. Rick is one of the smartest people I know, but his greatest talent is his ability to boil complex ideas down into simple, understandable terms. The idea for Unit 42 was to take all of the data we were collecting from our platform, in particular the WildFire malware analysis system and use it to not just create new prevention controls for our customers, but to better understand how adversaries are targeting them. With a stronger understanding of the adversary, we can build better products but also expose threat actors in the public and educate the world about their tactics. Our team consists of malware and threat intelligence analysts who look at our collective data to understand how adversaries launch their attacks, what tools do they use and how do they change over time. Then we share this information through our blog, white papers and other channels. In some instances we can go from uncovering a threat to publishing information about it in less than 24 hours. We move as quickly as possible to capture the critical details of the threat and share them with those who can use it to defend themselves.

This runs counter to the way many companies do business, which is to hoard information so that competitors can’t get hold of it. For us, there’s obvious value in sharing this information because our primary goal is to make it harder for the bad guys to win. If a bad guy has been launching attacks for three years, he’s doing the same things repeatedly because it keeps working. But if we write a report about it and publish it for the entire world to see, it stops the cycle of the attack, making the world safer for all of us.

As part of our global efforts, we founded the Cyber Threat Alliance (CTA) several years ago. This consortium of 25 cybersecurity vendors operates under the idea that a rising tide floats all boats. We share important threat intelligence with each other explicitly so we can all translate it into protection controls in our various products. What I love most about my work is the astounding amount of cooperation that I get from other organizations. When we need help or we need to alert customers to a problem of some kind, everybody immediately jumps in because they want to go and help. We all realize that we’re on the same team, fighting the same fight.

But there’s additional value for Palo Alto Networks in publishing this information: It demonstrates to the world that we are knowledge leaders in cybersecurity, at the forefront of the industry. Unit 42 is one aspect of the careers available in our industry, and sharing information is a crucial part of our work. Although people may not immediately know our company name the way they do others in the technology space, we are the biggest enterprise security company in the world, with 60,000 customers globally. So I think it’s important to point out to anyone who is considering a career in technology that working for Palo Alto Networks really enables us to have an enormous impact on worldwide security, and that is incredibly rewarding.