An Interview with Ben McGraw, Cybersecurity Manager at Digital Guardian Part II
In part two of our Q&A with Ben McGraw, we discuss how automation will change the industry, how to improve the cybersecurity skills gap, and who is Digital Guardian's best basketball player.
In case you missed the first half of our interview with Ben McGraw, Cybersecurity Manager of Digital Guardian's MDR (Managed Detection & Response) service, catch up here!
There's a lot of talk about automation. That it might reduce the need for threat hunters and security analysts. But in some ways, it could help analysts by reducing the number of mundane tasks. How do you see automation shaping the future of your team and role?
That's a great question. A lot of people fear automation. I do not; it can be a huge benefit. I don't think there'll be a point, at least in the near future, where automation takes over or reduces the capacity of threat hunters or analysts because machine learning is just not good enough yet. At some point, automation and machine learning will potentially get there. But I think there's always going to be a space for the skilled human mind to review data to make sure there’s not a false positive.
Make the key decision.
Absolutely. I think at some point in the future, far out, machines or machine learning will be able to make that decision in an intelligent way. But it's years and years away from taking those roles and diminishing what they offer or what is required. Now, automation and machine learning streamline the process quite a bit. If you're a threat hunter, and you have tons and tons of endpoints, and you just pulled data back from, let's say, 1000. Efficiently going through thousands of sets of data from a particular organization is tough if you don't have some type of automated way of parsing that data out, getting it to a format that you can review, and then being able to search across that data. So, automation is key to streamlining those efforts.
From an analyst perspective, if you can automate the response to a detection, either through alerting a customer, implementing controls or even pulling additional forensics, it can be extremely timesaving. So, there are various things that you could still automate, of course, but again, the ultimate alert or decision from the automation or ML should probably come from a human.
Any thoughts on the cybersecurity skills gap or other insights you'd like to share from leading a threat hunting team?
I think the skills gap is the biggest issue we face in cybersecurity hiring, but it's something that's getting better over time. There are skilled individuals in the pool, it's just that they get gobbled up pretty quick when they're free agents, so to speak.
I find that newer analysts, people who want to get into the business, they're the most intrigued and want to dig deeper, because they're trying to learn. Sometimes if you find someone who's been in the business for quite some time, they're a little set in their ways and not necessarily willing to take that extra step. But that's not always the case. You never know who or what you're going to get. What I’ve found in the recent months is that transitioning a DLP analyst to the EDR/MDR team makes a lot of sense and has worked quite well with team dynamics and expectations. Given they have had experience with endpoint data, we can focus on triage and investigating actual threats in the metadata. It’s a logical next step for a DLP analyst and has worked out pretty well for us.
We've been talking about some of the challenges in the industry. From your perspective, what's the biggest challenge that you see facing the infosec community? If you could wave the magic wand and change one thing, what would it be?
I can think of two things off the top, one was sort of initially already touched on, the skills gap. But I think that's getting better. As I mentioned, I started in software development and programming. I had to develop that analytical mindset, early and in a different way. I wasn't necessarily looking at metadata from an endpoint to review for threats. I was writing code and it was breaking and I was debugging it over and over and over. So, I developed that process early on. But there are tons of different fields and individuals who are developing skills that can easily convert.
The other would be that we, speaking about the industry as a whole, always seem to be behind the eight ball a little bit. For example, the Colonial Pipeline attack was ransomware. It feels like everyone is sort of playing catch up. Potentially more automation, more AI or machine learning - 24 hours a day, 365 days a year - looking for anomalies, might help close that gap in the ongoing cat and mouse game, a little bit. If I could snap my finger, that's what I would change. But, I don't know if I see that happening, unfortunately.
To add some color to this, what do you like doing in your free time? Hobbies, interests, talents, out of the office activities?
You know, I'm one of those people who find work appealing. I do find myself working even when I'm not working. It's one of those scenarios where I'm constantly deep diving into threats, trying to research malware and all. But, I like fishing, golfing, playing basketball, even though I recently retired from basketball after a game against Tim Bandos our CISO. He shredded me.
He's got a good jump shot or what? What's his game build around?
Everything (laughs). I hate to even say it right, this is being recorded. I'm sure he's going to love that. It was bad. But yeah, no, I like basketball. Just apparently, I'm not too good at it.
You already mentioned this when you discussed your passion for your work, but when the Monday alarm clock goes off, what gets you excited about working at DG?
It's the day-to-day challenges. Whether it's a customer request - maybe they have some anomaly in their environment, or they're looking to solve a very specific use-case. Perhaps it's memory dump analysis, or maybe they want to parse a very specific forensic artifact. There are tons of different types of requests that come in, but it's wanting to solve the unknown.
As I mentioned, what got me to come to DG was the technology. The visibility that the technology offers, to me, can't be replicated in the industry. I really love that. I also love working with the people, my team's good. The DLP team is really good. I love working for Tim. He's been a great boss. Everyone else that I interact with here at DG has been great as well. So that's really what keeps me coming back. It's the tech and the people.
Thanks for sitting down with us today!