We recently interviewed Anthony Edwards, Director of Security Operations for Hilltop Holdings, who shared problem-solving insights for today's evolving security landscape. Read on for what he had to say:
Q: What makes securing your sector unique?
A: The financial services sector is constantly targeted for malicious attacks. There’s nothing really more difficult about securing an organization like that—you just have to focus on different types of information, different regulatory compliance requirements. Our ultimate goal is to protect not only the organization that we work for, but also our customers and our customer data.
Q: Can you tell us about your security program today?
A: We definitely take a layered approach. We’re currently using an array of different technologies from a security perspective: malware sandboxing, both NetFlow or flow-based sandboxing as well as file-based. We’ve deployed several different utilities. We’re using Rapid7 InsightIDR for our log collection and SIEM, but we also subscribe to the MDR service for incident response. We also use InsightConnect in order to automate certain kinds of processes or functions for response to certain types of threats. Right now, we’ve automated the phishing email triage process using InsightConnect. We also use InsightVM for our vulnerability management functions.
Q: When did you start adopting Rapid7 products?
A: We started with InsightVM (Nexpose at the time). About a year after I took over security operations, I started looking at how we could increase our visibility to the organization, see what’s actually going on in the environment, and increase our ability to respond. I started looking at the InsightIDR solution because I was starting to see a trend where user behavioral analytics was no longer just nice-to-have—it became a requirement. I’ve been an InsightIDR customer since last October. Along with InsightIDR, I purchased the InsightConnect solution as well so we could begin to automate those functions. So over the last couple years we’ve invested heavily in Rapid7.
Q: As a customer, what is the value of having multiple products on one platform?
A: In a space like security operations, it’s incredibly valuable to have that “single pane of glass.” You waste time trying to navigate multiple platforms in order to administer or respond to threats or gain insight into what’s going on within the environment. It reduces your time to respond, and it reduces your time to detect or contain. And all of those solutions integrate into each other so that you can see a more holistic view of what’s going on if you’re using a single platform.
Q: Since you’ve been with Hilltop, how have you seen your environment change?
A: We’ve gone through a consolidation of four different lines of business with three separate IT organizations consolidating into one organization with our shared services model. We’ve gone down from seven data centers to two data centers. So the types of assets or types of applications, or just systems in general, that I was responsible for initially have evolved tremendously. Deploying solutions that give in-depth visibility into what’s going on is critical.
Q: How has the introduction of Rapid7 solutions improved your detection response process?
A: We were using InsightVM to do remote scanning using the scan engine functionality. But as we transitioned to the InsightIDR solution, we started deploying agents. The functionality and the level of visibility you get with the Insight Agent has increased our awareness of our vulnerabilities across the board because you’re getting root-level access from the agent itself. And then we just use the scan engines to check for those remote vulnerabilities. The agent functionality was a very beneficial aspect that we were able to leverage.
To gain the level of visibility we get with InsightIDR, we would have had to deploy multiple log collection agents or different types of solutions across the environment. But leveraging the InsightIDR agent served multiple purposes—for one, it supports the InsightVM product as well so we’re getting root-level visibility with vulnerability data. But it also complements incident response efforts we execute on a day-to-day basis through InsightIDR, giving us the security-level visibility from file activity, user activity, lateral movement, and infiltration. So it has greatly enhanced our visibility and our capability to respond.
Q: Which attack vectors are of particular concern to you?
A: I’m primarily concerned with fileless attacks—you know, malvertising, phishing emails. The end user is the most vulnerable aspect of any organization, so I’m constantly trying to figure out ways to try to gain a deeper or more enhanced level of visibility into what the user is actually doing.
Q: How does InsightConnect align with your security program’s future?
A: I would like to leverage InsightConnect in the future to integrate or bridge the gap between our firewalls and our detection solution, or our monitoring solution, or our endpoint security solution, to be able to share threat intelligence and IoCs across multiple platforms. Each security solution that has a threat intelligence feed is pulling from a different data source. For example, Palo Alto has a threat intel solution. Proofpoint email security has a threat intel database as well. Endpoint security solutions have threat intel feeds that update their endpoint agents. But they might not all share threat intelligence with each other. So if we can bridge that gap using InsightConnect, we can get into a more proactive state by sharing those threat intel IoCs across all of those different solutions to enrich their ability to prevent threats.
Q: About how much time have you saved doing phishing triage since deploying InsightConnect?
A: Before, we were spending approximately 77 hours a week doing phishing triage in response. We’ve automated that entire workflow. We’ve reduced the time to about three minutes total. The only time we spend is digesting the data that has come out of the reporting solution in order to make a determination on whether it’s malicious spam or legitimate. And then it’s just a decision point within the workflow.
Q: In a cloud-based environment, are there any unique challenges you’re discovering as a security professional?
A: There’s nothing really unique about it—it just adds a different degree of complexity. You have less control over a cloud solution than you would over an on-premises, internally hosted solution. So you just have to be creative and think outside the box. You could potentially have to purchase another solution or something like that. As we start using more cloud-based solutions, we just have to be mindful of what systems are accessing those solutions, how they’re accessing them, who’s accessing them, what data they’re ingesting, and where that data goes.
Q: Are there any Rapid7 products or features within products that help you keep better tabs on cloud-based assets?
A: InsightIDR has a cloud, sort of shadow-IT, detection functionality. As we’re forwarding logs to InsightIDR from our firewalls, we’re seeing all those cloud applications that are being accessed or utilized by our customer base. It’s brought some things to our attention that we weren’t necessarily aware of at the beginning, which is great. That way we’re able to address it from a business perspective.
Q: Tell us about the value the Rapid7 team brings to your security program.
A: My relationship so far with Rapid7 has become more of a partnership than just a customer/vendor-type relationship. If I run into a challenge, or if a product is not functioning the way I thought it was going to function, Rapid7 has been very proactive in trying to make sure that I have everything that I need.