Say Goodbye to the Black Box: Improving Security Begins with Data Transparency

Michael Darling
Senior Director of Information Security at Venable LLP

I got into information security backward. I come from a physical security and operational background—think warzones and military base access control policies, and you start to understand how I’ve spent a decent amount of my time. The thing about physical security, though, is it’s fairly boring (until it’s not, and then it’s really not).

Life got much more interesting when I moved into cybersecurity strategy and policy roles at the White House and the Department of Homeland Security. Working on things that you read about in the newspaper is super interesting but also very stressful. Eventually I left government, worked as a security consultant at PwC, and landed at Venable LLP in 2018. Based in Washington, DC, Venable is more than a law firm. It’s a place with a wonderful culture that is made up of more than 850 legal, cybersecurity, and policy advisors whose unique expertise helps steer our clients through an increasingly complex world. In many ways, we make opaque systems more transparent for our clients.

The key to any good security strategy isn’t more tools—it’s transparency.

As Senior Director of Information Security, I’m responsible for all information security and risk initiatives and align security with the Firm’s broader IT and business goals. I think I look at security through a different lens than most people in this space and have come to a seemingly shocking conclusion: the key to any good security strategy isn’t more tools—it’s transparency.

Our Big-Name Vendor Didn’t Share My Vision

I’m a big believer in data. Data is the basis of the scientific method, a process that’s defined our knowledge acquisition for hundreds of years. You can’t protect weak spots if you don’t know where they are, and you can’t form a hypothesis about problems without collecting information first. Yet that’s exactly what many organizations expect security teams to do: answer questions without first being able to observe and analyze.

Many people believe the sole responsibility of security professionals is the maintenance and protection of the systems that everyone uses daily. But I see security professionals as enablers. We have a greater goal than just protecting the business against threats. If we do security right, we make everyone else successful at their jobs, enabling the Firm to excel. This point can get lost in security conversations, and maintaining that ruthless bias toward enabling people makes it easier to focus on what matters. But without seeing the data and increasing visibility into the business’s threat landscape, providing that enablement and security is impossible.

That was the case when I arrived here. We used a big-name managed security service provider (MSSP), but we received alerts with little context or supporting data. Basically, the method they used to identify threats was a black box. The vendor didn’t share those insights or context, nor did they explain what actions they were taking to address threats. The lack of information bothered me. It was like they wanted to keep us in the dark so they could continue selling subscription services without addressing our real security issues.

As security professionals, we are enablers: Do security right, and you make someone else successful at their job.

I didn’t feel we were getting value from the service, so I chased the vendor for weeks, requesting a sit-down conversation and more information about how they actually operate. All I ever got was a meeting with a sales rep, who gave me a generic presentation. I came out of the interaction feeling unimportant to them, and I still didn’t have the answers I wanted. Transparency clearly wasn’t a priority for them, and that led to a lack of trust in their efforts and their ability to deliver on their promises. We needed to change course.

Sorting Through the Noise to Find an Evidence-Based Analysis

I have been in security my entire adult life, but until I arrived at Venable, I’d never been in a CISO role. Suddenly, instead of the expert advisor, I was the buyer and receiving nonstop propositions—I typically receive 24,000 emails a year in vendor spam. It was challenging to filter through the noise of constant solicitation.

Luckily, we had a brilliant security engineer who suggested I speak to the team at Expel. I came away from those initial conversations very impressed with their Managed Detection and Response (MDR) solution and their genuine interest in me as a potential customer. Even though I went on to compare three different vendors, Expel won out for several reasons.

  • Whenever I engage a new vendor, I start with employee reviews. A company with a bad culture is more likely to cut corners. Expel had good reviews, so I kept going.
  • I always ask, “How do you know your product works?” You’d think security companies could answer that easily, but it throws people for a loop. Expel led the conversation with honesty. They said nothing in this business is 100% guaranteed, but then went deep into their quality control processes and how they constantly use rigorous analytics to reassess how well their processes are working to provide the best security outcomes. Honesty is the foundation for any solid relationship, and that gave me the sense that this partnership would be very different than what we had with our previous vendor.
  • I liked what I saw in Expel Workbench™, the company’s security operations platform. It allows security analysts to follow investigations in real time, see every action taken, and communicate seamlessly with the Expel team. Shared information makes us all better, and the platform facilitates that in a way I never saw before.
  • Nothing was more complicated than necessary. Expel’s straightforward, API-based process allowed us to onboard in just four hours. Compare that to the companies that make their product more complex than necessary, making it harder for customers to get rid of them. I’d rather be with a company that is hard to get rid of because they’re great at what they do and are a valuable asset to my team.
  • It would help us reduce alert fatigue. Numerous alerts are seen as a benefit, but those alerts come with a lot of false positives. With Expel MDR, we could reduce the alert noise and focus on those alerts that would reduce our risk and improve our security posture.

The overall customer experience mattered, too. Through all the years that Expel has been our security partner, every interaction with the Expel team has shown that they are invested in their clients and client security in a way other companies are not.

How a Hybrid SOC Helps Us Do More

There are real benefits to using a hybrid approach versus an entirely in-house SOC or a fully outsourced one. My security team consists of four people, and it would be difficult, if not impossible, for us to do alone what we do with Expel. I calculate it would cost about $1 million more than our current investment to bring everything in house and get minimal 24/7 coverage—and that does not include the opportunity cost of the proactive projects my analysts engage in to improve our security, which wouldn’t be possible if they were focused exclusively on network monitoring and response. I’d have to spend between $100k and $150k in additional consulting to get what I get from my analysts.

Let’s be honest: Spending every day investigating routine security alerts and suspicious emails is a sucky job, and high SOC analyst turnover costs the business. Our SOC analyst attrition would probably be higher without Expel because they would be working on less exciting things. The disruption of staffing gaps and retraining analysts would further undermine our SOC. We attract great people, which I partly attribute to giving analysts interesting projects outside traditional SOC functions. This is all in addition to my team’s improved resiliency and continuity with Expel backstopping us.

The measure of a technology’s success is whether it empowers humans and gives them capabilities we wouldn’t have otherwise. And the value of a successful security platform is it turns analysts into super analysts. Using a hybrid SOC model extends the reach of our team and gives us a deeper bench, and working alongside Expel gives my team a depth of knowledge that would be very hard to replicate otherwise.

Delivering Operational Excellence and Saving Us Nearly $1m Each Year

We now use Expel in two ways, one broad and one narrow:

  • They are our first line of defense when sorting through the huge amount of information we receive. Expel helps us filter out the noise and surface incidents that matter.
  • They help us pinpoint specific concerns faster. My team has search criteria that trigger our own alerts, and the Expel team has their own methodology. Sometimes we’ll see something and ask them to investigate, and sometimes it’s the other way around. In a recent example, they were the ones to alert us when one of our employees went to a credential harvesting site. My team might’ve seen it, but in that instance, they got there first.

When an incident occurs, we turn to Expel Workbench to collaborate on incident resolution. The real-time information in Workbench offers visibility we didn’t have before, making it easy for everyone to see progress and next steps.

Expel has processed more than 2 million alerts on our behalf. From those alerts, they identified 114 actionable items—removing the need to investigate, triage, and action those remaining 1,999,886 alerts. If the alert turns out to be a credible threat, I follow the log of actions Expel takes to close the incident. I see the proof that Expel works.

Since we’ve been customers, they’ve added integrations to existing tools and AI bots for prioritizing customer interactions. They’re adding a detections tab to Workbench and continue to standardize how they surface insights across their customer base. Discussing these insights and other trends during our quarterly reviews helps us stay on the right track and ensure we’re focusing on the right things.

I think about how we paid that big-name MSSP for dedicated services and support, only for the vendor to be evasive about those services. Instead of prioritizing our needs, they wanted us to bend to how they operated. The funny thing is, the collaborative relationship I wanted could have potentially surfaced insights to benefit their other customers, too.

With Expel, there is no black box. For several years after our implementation, we made a habit of looking at Expel’s activity as a quality control measure. I could finally see all the actions that kept our company safe, and that visibility allowed me to rest easy. Instead of being concerned that our partner was missing critical vulnerabilities, I saw that Expel delivered on their promises, which has translated to operational excellence for our teams and our business.

A Smarter Approach to Digital Security

The lack of empiricism in cybersecurity is shocking. When I worked in physical security, I couldn’t definitively say whether a building compound would be attacked, but I could accurately assess the threat and consequences: X amount of explosives from Y distance will result in Z damage. That certainty doesn’t exist in digital security because there’s often an economic incentive for security companies to keep information to themselves. Instead, most security measures stem from collective opinion (some of it right, some of it not).

The lack of empiricism in cybersecurity is shocking. It doesn’t exist, because we don’t have good data.

But collective opinion isn’t good enough. We didn’t design the digital realm with today’s robust ecosystem of malicious actors in mind—all the more reason why the security community needs more rigorous, evidence-based analysis, greater transparency, and increased avenues for sharing data. When we take this approach and work alongside strong partners, we can collectively determine the best defense.

Transparency is a big part of a great customer experience, and it’s great to have a partner with a shared commitment to that. It’s only through complete visibility and committing to sharing information that we can transform how we think about—and action—cybersecurity.