The Brave New World of InfoSec

About this Blog:

A seasoned security pro's take on events around the world.

Jeff Bardin

The Proliferation of Cyber Janitors (and the mentality behind this movement)

Over the past two years, the cyber security industry has seen a significant move by security professionals and organizations to create CSIRTs or Computer Security Incident Response Teams.

The staffing for these roles has been significantly higher than for other information security positions. The technology built for security operations centers (SOCs) has expanded just as quickly, with new log management and event correlation products coming online. As you know, CSIRTs can have a wide range of functions that run the gamut from response to proactive threat and vulnerability management. However, over the past couple of years we have seen a focus on response: an after-the-fact, see, detect and arrest function. It is almost as if the hiring managers have given up.

Let us shift gears a bit here. Yesterday, Art Coviello, executive chairman of RSA, said:

“It’s not a matter of if and when, it’s how you are able to respond and shrink the window of opportunity so when you are breached you can respond timely enough to mitigate any damage.”

This statement indicates that he is beaten. He has thrown in the hat with the "not if but when" statement. All because they were breached. This is because RSA/EMC, like many other organizations, had built their security organizations on a see, detect and arrest mentality. It was inbred from the start of their global security program, based upon a cult of personality steeped in a law enforcement mentality. They have moved to the realm of cyber janitors. How much money did RSA/EMC spend (and are they still spending) to ‘clean up’ their mess outside the initial $63M? It took that incident to get RSA off the dime to ‘innovate’ a 30-year-old, static product. Much like all the others, it takes a spill.

So what is a Janitor?

The general responsibilities of most janitor positions involve routine cleanup tasks. These will often include removing trash from waste cans in offices, vacuuming carpets, sweeping floors, and in general keeping the space in an orderly fashion. In many cases, a janitor may also handle climate control functions within the building as well.

This may include keeping a furnace in proper working order, handling the function of thermostats, or keeping a boiler system in proper repair. A janitor often also troubleshoots plumbing issues, handling maintenance tasks with hot and cold running water, replacing leaky pipes and faucets, and replacing sinks and toilets when necessary. Along with basic cleaning responsibilities, janitors may handle other responsibilities, such as seeing that doors are locked after hours and that any electronic alarm systems are properly set before the building is closed for the evening. The head janitor may also oversee a cleaning crew, depending on the size of the facility. While a janitor may work during the daylight hours, it is not unusual for many cleaning professionals to work during the evening. This is especially true with office buildings, where the janitor will be able to work without disturbing people who would prefer to work without a vacuum cleaner running or someone mopping or emptying trash receptacles.

The cyber janitors of today fill the CSIRTs expecting the worst to happen. They are skilled in after-the-fact clean-up functions. A whole cottage industry has sprung up around cyber janitors. They augment existing staff functions after a breach (or better said, a data spill); they serve to examine where the breach came from; they are law enforcement or interface with law enforcement (arrest); and they charge very high rates. They are vultures feeding on the misguided carcasses of breached entities, promising all sorts of help and assistance except one: the most important type of assistance that is needed across all security organizations today, a proactive, preventative approach to cyber security management.

Coviello also said:

“We believed we had a very strong security system in place before the breach and we redoubled our efforts across the entire spectrum, including our communication with employees.”
