Taking the Fight to a New Enemy
Eventually, Wilson sought more stability than a life in the military provides (he and wife Lynn have four children – ages 6, 8, 13 and 14) and longed for the familiarity of being back in Colorado. But a transition to the private sector didn’t signify a step back in his career – in fact, it was quite the opposite.
At Trustwave, even though he isn’t building classic offensive capabilities, Wilson is helping to spearhead a transformative way of confronting the enemy through advanced monitoring, detection and response. When he first joined the company, this end-to-end approach wasn’t feasible. The furthest these capabilities went was to generate alerts and send them to a centralized location, where a threat analyst would either determine it to be a false positive or issue an incident notification to the customer. No eradication occurred. Imagine knowing an intruder is in your home, but having no ability to force them out for days, weeks or even months.
This approach didn’t truly solve the problem for overstretched organizations trying to battle a foe who was likely several steps ahead of them, Wilson said. “Once we told the customer we detected a threat on their network, they’d have to figure out what to do about it.”
Enter Managed Detection and Response (MDR), which allows Wilson’s team – which relies on real-time threat intelligence – to remotely help organizations anywhere in the world kill malicious processes and seal holes, especially those businesses that lack the in-house competencies to perform such tasks themselves.
“We have so many resources at our disposal,” he said. “It’s very expensive for an organization to run a security operations center themselves, to build it and staff it, especially when you need to find people who are capable of doing incident response. For a fraction of the cost of setting up your own SOC, you can outsource it and transfer that risk and responsibility to someone else.”
MDR focuses on the endpoint, which is where a disproportionately large share of today’s attacks are aimed.
“If I’m monitoring the network, I might see some network activity that tells me someone is breaking into a computer,” Wilson explained. “But when they’ve got that initial foothold, they can start laterally moving behind the IDS (intrusion detection system), and we wouldn’t even see that from a network perspective. But you can follow it across endpoints.”
Ransomware, a high-visibility threat that flummoxes even the most mature businesses and filches billions of dollars from them, is a notable example of where MDR can step in and curtail the menace. “If you detect ransomware and stop it before it gets very far encrypting your files, it’s not a threat anymore,” Wilson said.
He recently leaned on the teaching methods he used during a four-year stint as an Air Force cyber warfare instructor in Biloxi, Miss. to help a Trustwave customer understand how a robust defensive posture, one that puts detection and response front and center, can flag and impede a real-life hack.
Through a “cyber range” exercise, Wilson illustrated a mock scenario in which a SQL injection attack attempts to infiltrate a web server, but is identified by the web application firewall as it dumps usernames and credentials. Next, an alert sounds as the attackers attempt to use the credentials to access an endpoint located behind the firewall. A SIEM solution then correlates the alert, which initiates the MDR service to quarantine the compromised endpoint.
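The correlation step in that scenario, written out as an added example so the chain from WAF alert to endpoint quarantine is concrete. This is not Trustwave’s code or anything from the article: the event fields, the 30-minute reuse window, the sample events and the quarantine action name are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article). A WAF alert records which
# accounts the blocked SQL injection exposed; EDR logon events record who
# authenticated to which endpoint, from where.
EVENTS = [
    {"ts": "2024-05-01T10:00:05", "source": "waf", "kind": "sqli_blocked",
     "src_ip": "203.0.113.7", "target": "web01",
     "accounts_exposed": ["svc_backup", "jdoe"]},
    {"ts": "2024-05-01T10:03:40", "source": "edr", "kind": "logon",
     "src_ip": "203.0.113.7", "host": "fs02", "user": "svc_backup",
     "outcome": "success"},
    {"ts": "2024-05-01T10:04:10", "source": "edr", "kind": "logon",
     "src_ip": "10.0.0.55", "host": "ws17", "user": "asmith",
     "outcome": "success"},
    {"ts": "2024-05-01T13:30:00", "source": "edr", "kind": "logon",
     "src_ip": "198.51.100.9", "host": "fs02", "user": "jdoe",
     "outcome": "success"},
]

# Assumed policy: a successful logon with an account exposed by a SQLi dump
# within this window is treated as credential reuse by the attacker.
REUSE_WINDOW = timedelta(minutes=30)


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate(events, window=REUSE_WINDOW):
    """Correlate WAF credential-dump alerts with later endpoint logons.

    Returns a list of quarantine actions, one per affected host. A logon is
    flagged only when the account was exposed by an earlier WAF alert and the
    logon happens within `window` of that alert; later reuse (for example the
    jdoe logon hours afterwards) is outside the window and is not acted on.
    """
    ordered = sorted(events, key=lambda e: _parse(e["ts"]))

    # Index of exposed accounts: account -> list of (alert time, attacker IP)
    exposures = {}
    for e in ordered:
        if e["source"] == "waf" and e["kind"] == "sqli_blocked":
            for acct in e["accounts_exposed"]:
                exposures.setdefault(acct, []).append((_parse(e["ts"]), e["src_ip"]))

    actions = []
    quarantined = set()
    for e in ordered:
        if not (e["source"] == "edr" and e["kind"] == "logon"
                and e["outcome"] == "success"):
            continue
        t = _parse(e["ts"])
        for alert_time, attacker_ip in exposures.get(e["user"], []):
            if timedelta(0) <= t - alert_time <= window and e["host"] not in quarantined:
                quarantined.add(e["host"])
                actions.append({
                    "action": "quarantine_host",   # assumed MDR action name
                    "host": e["host"],
                    "user": e["user"],
                    # Same source IP as the WAF alert is a stronger signal.
                    "severity": "high" if e["src_ip"] == attacker_ip else "medium",
                    "reason": f"logon with account exposed by SQLi at {alert_time.isoformat()}",
                })
    return actions


if __name__ == "__main__":
    for action in correlate(EVENTS):
        print(action)
```

The window is the part to tune in practice: too short and a patient attacker slips through, too long and every routine logon by an exposed account becomes a quarantine, which is exactly the kind of decision the article says a staffed response team is there to make.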
Wilson (center) stands with students from one of the Air Force cyber warfare classes he taught in Biloxi, Miss.
Trustwave planted its roots in compliance, but over the last decade has steadily grown its security portfolio, quickly filling voids to meet the needs of security professionals as the threat and data breach landscape has shifted to a general acceptance that compromise is a matter of when, not if.
Charles Arnett, director of product management at Trustwave, said someone like Wilson is perfectly emblematic of a culture that continues to thrive by answering the biggest challenges customers face.
“When we first started endpoint detection and response, he and his team were willing to step up and look at the technologies we were considering and spend time with those and give us guidance of how we should craft a service around it,” Arnett recalled. “His concept of how to do that service was the blueprint of how we went to market with it.”
Arnett credits Wilson’s military background with supplying him with poise and character, while instilling a certain panache that is necessary in a role where you must be willing to stop at nothing to disrupt the bad guys.
“His background was not compliance, his background is keeping organizations secure,” Arnett said. “When you’re trying to create a world-class security organization, you need somebody who has been in the trenches. You tell him we have to take the hill, and he takes the hill.”
As Wilson grows the threat intelligence and machine learning proficiencies of the service he oversees, he also will tap into the soft skills he developed through his exposure to superiors in the Air Force, including motivation and inspiration. That is evidenced by his desire to make cybersecurity as much about the people as it is about the technology. For detection and response to work, humans are needed to hunt for threats, orchestrate the reaction and integrate the many moving parts.
“Being a nerd is sexier than it was 10 years ago,” Wilson said. “To get the best people, you have to make it seem cool, because it is. And it doesn’t hurt to let them know there are great career opportunities in it.”