How Trellix’s CISO keeps threat actors at bay

Harold Rivas, chief information security officer (CISO) of Trellix, a cyber security company that specialises in extended detection and response (XDR), believes in adopting best-of-breed security tools to achieve cyber security outcomes.

“With XDR, it’s about creating one key outcome – how do I contain risk in a mixed ecosystem of security technologies as fast as humanly possible? That’s how we have adopted our own technologies to get that kind of outcome,” he told Computer Weekly on a recent visit to Singapore.

This requires Rivas and his team to enrich the threat information they receive from Trellix’s XDR platform and ecosystem, leveraging threat intelligence and guided playbooks to help security analysts respond quickly to emerging threats, including ransomware attacks.

Rivas’s focus on incident response is predicated on the belief that CISOs everywhere will face cyber attacks, regardless of what they do, and that they are being measured on how well they respond to cyber incidents.

His team monitors more than 80 threat actors with an interest in Trellix, as well as the attacks launched across the company. But instead of focusing on mean time to recovery (MTTR) after an attack, Trellix prioritises mean time to contain (MTTC) as a security outcome.

“We focus on the notion that there might be many steps involved in recovery and fully responding to the threat. There may be a full investigation, but I want to immediately stop the bleeding in any scenario,” said Rivas, adding that this helps to mitigate further damage and provides security analysts with more time for investigations.

“I’m fortunate not to face cost containment pressures as it’s understood in our organisation that we need to continue investing. I would encourage CISOs to convey the risks, but also get very smart about justifying each dollar spent“

“When we focus on the entire response rather than limiting the blast radius of an incident, it can lead to extended timelines. That’s where I think CISOs can face jeopardy when they are asked why it took them two days to make the decision that it was time to isolate a device,” he added.

But this approach requires Rivas to gain the support of his senior management colleagues to isolate user accounts or devices during a security incident, even if it disrupts operations. Rivas stressed that those organisations willing to make trade-offs between operational availability and containment will be less impacted by cyber incidents.

Being a software company, Trellix is susceptible to supply chain attacks that are increasingly used by threat actors to compromise their targets, which is why Rivas dedicates a significant amount of time to work with Trellix’s engineering teams to understand who checks in code and the underlying software components to detect anomalies.

He also manages a programme to ensure Trellix’s compliance with the US president’s Executive Order 14028 – Improving the Nation’s Cybersecurity, which requires federal government contractors to provide a software bill of materials and adopt US National Institute for Standards and Technology (NIST) security standards when building software.

With the onslaught of cyber attacks, the way security analyst teams are organised is also changing. Rivas noted that some advanced organisations have analysts who resemble data scientists and programmers more than traditional security analysts.

Trellix’s security analysts delve into machine learning models and refine techniques to identify and respond to security issues. But such efforts are not unique to Trellix, as many in the industry recognise that information security is increasingly a data problem and a matter of scale, Rivas said.

“How do I bring the right kind of analytics techniques to find a needle in a haystack, or the needle in a stack of needles? Those require different skills and it’s an evolution,” he added.

Being the first customer of Trellix products, Rivas’s team has had the opportunity to test new offerings, address potential integration issues, and challenge the assumptions of the company’s product and engineering teams.

For example, security analysts today not only focus on threats, but also need access to application programming interfaces, machine learning models and Python interfaces, he explained. “Certainly, there may still be customers that require threat-focused capabilities, but I want to ensure that the voice of more advanced customers is heard.”

On how CISOs can navigate economic headwinds while fending off unrelenting cyber threats, Rivas advised organisations to benchmark themselves against their peers and vigorously defend the investments they are making.

“I’m fortunate not to face cost containment pressures as it’s understood in our organisation that we need to continue investing. I would encourage CISOs to convey the risks, but also get very smart about justifying each dollar spent,” he said.