Trustwave Stories

The Nerve Center

An ultramodern mission control for cybersecurity in the heart of Chicago is changing the way businesses confront threats.

Written by: Dan Kaplan

When the Great Chicago Fire tore through the city in 1871, claiming some 300 lives, decimating thousands of buildings and devouring 1.5 million acres of land, the Midwestern metropolis learned in a relative heartbeat how stunningly frenetic and uncontrollable – from barn fire to citywide conflagration – an unplanned event can become.

Chris Harlan Chris Harlan, a Trustwave senior security engineer, monitors network traffic flows for a customer.

Perhaps it is somewhat fitting, then, that the same city where one of history's most ruinous infernos occurred now houses the Trustwave SpiderLabs Fusion Center, which recently opened to help coordinate, control and mitigate disasters that can also bring businesses to their knees – only the crises being handled here are of the digital variety.

Such a mission makes sense in a day and age when organizations, from mom-and-pop to Fortune 100, are experiencing unremitting raids by malicious hackers, ascending cyberattacks to a top business worry among owners and chief executives. And while thankfully loss of life – at least so far – is rarely an outcome of these compromises, they do share many of the same characteristics with physical emergencies, and require the same tenets of prevention, detection and response.

All the capabilities that constitute those core security principles can be found inside the fusion center. And that, according to Jesse Emerson, Trustwave vice president of managed security services, is its secret sauce.

"The clients that have our services benefit by having multiple tiers of expertise across multiple competencies co-located and operationally integrated in the same room," he said. "Say something suspicious appears in a security log. A threat analyst can tap an incident responder and a security researcher on the shoulders and have them collaborate in analysis and decision-making. It's priceless because there is so much more brainpower and visibility going into our services."

***

Not even the elegance and style of Trustwave's newly renovated downtown Chicago headquarters can prepare one for the impression a visit to the fusion center brings. It is a 6,000-square-foot, dimly lit command center – protected by multiple levels of physical access control – that at first glance appears to be straight out of central casting for the latest blockbuster cyber thriller. But no mistake, no Hollywood screenwriters are necessary to bring this facility to life.

"All of the teams here represent the lifecycle of a threat," said Pat Tobin, an information security advisor who is part of Trustwave's client success team and is stationed in the fusion center. He is responsible for serving the interests of a major customer – from plotting big-picture product roadmaps to monitoring the client's threat environment and helping coordinate various Trustwave stakeholders if a major event unfolds.

When you're all in the same room, you see what issues [the client] is facing and you're all right there to help them solve it.

— Jeremy Batterman, global leader of the threat intelligence fusion team at Trustwave

On any given day, dozens of ethical hackers, advanced researchers, threat hunters and incident responders – known as "strike teams" – are working or collaborating inside the state-of-the-art fusion center, which functions as the central hub of Trustwave's global Advanced Security Operations Centers, or ASOCs, which stretch from Sydney to Canada and beyond.

These partnerships not only lead to a speedier and stronger outcome for the customer, but also help avoid unproductive turf battles among the problem solvers, said Jeremy Batterman, global leader of the threat intelligence fusion team at Trustwave.

"We're really just working side by side," he said. "Siloes fall apart because we're here face to face. The teams interact as a handoff, but it's not from a give-and-take perspective. When you're all in the same room, you see what issues [the client] is facing and you're all right there to help them solve it."

Information security advisors Melissa Koch and Patrick Tobin Information security advisors Melissa Koch and Patrick Tobin join forces to resolve a client issue. The fusion center was designed to be collaborative as team members hunt for threats, respond to and contain attacks and perform forensic investigations and reverse engineering.

For example, Tobin recalls a recent event involving his client that began with some Trustwave researchers proactively discovering credentials belonging to the company's staff available on the dark web. These email and password combinations were stolen in compromises unrelated to the client but were being used as part of widespread "credential stuffing" attacks, in which cybercrooks attempt to use stolen information to access various platforms, in this case a popular file-sharing system. The exercise resulted in multiple Trustwave groups becoming involved to triage the situation, ensuring it did not devolve into something more disquieting.

And the fusion center served as the staging ground for all of it.

***

The cybersecurity industry's notoriously problematic skills shortage – which reportedly grew worse in 2018, according to research from the Enterprise Strategy Group (ESG) – is preventing organizations from adequately staffing their internal security teams. This talent dearth is particularly pronounced when it comes to a company's ability to detect and respond to threats, disciplines that have morphed into a security program imperative as digital menaces become exponentially more difficult to ward off, necessitating advanced technology and adept professionals.

To help bridge the skills gap, resource-strapped organizations are becoming more comfortable with turning to outside providers for help, something ESG Senior Principal Analyst Jon Oltsik describes as a "portfolio management approach to cybersecurity workloads."

Enrico Rodriguez Enrico Rodriguez, Trustwave security engineer, studies data within the 6,000-square-foot state-of-the-art facility.

The fusion center, Emerson said, acts as a soup-to-nuts capsulation of this offloading strategy – with the ability to help clients identify major issues, understand how an attack functions (including diagnosing actors, motivations and campaigns), mitigate and eradicate the threat, recover from an incident and, finally, erect a stronger architecture that will help keep the same or similar attackers out of the network in the future.

That is all, of course, well and good for a customer being directly impacted by an intrusion, but the process also comes full circle to bolster the resiliency of other Trustwave customer environments.

"We take things one step further by operationalizing threat intelligence so that it feeds into everything, from prevention controls to detection and analysis and onto incident response and digital forensics," Emerson said. "That data helps to create better products, including Managed Threat Detection services."

The Cool Factor

What Makes the Facility So Stylish in its Practicality?

The Trustwave SpiderLabs Fusion Center was designed to maximize collaboration. Modern features include:

  • A more than 30-foot-wide configurable video wall used to display a variety of operational and contextual information, as well as enable incident collaboration. Between incidents, the video wall contains real-time threat and vulnerability data, hacker-related social media feeds and cable and weather news, as well as live video feeds from the global Trustwave Advanced Security Operations Centers.
  • Each desk is replete with 55-inch, curved 4K monitors to more visually display data analytics. Any workstation can also project onto the video wall, instead of staff huddling around someone's individual computer.
  • Noise-canceling layout with acoustic panels in the ceiling to help isolate sound so conversations are more effective.
  • Advanced audio-visual configurations for room-to-room and ASOC-to-ASOC collaboration.
  • Multi-factor, biometric authentication for access control to the room through a mantrap.
  • Attached “war room” with video conferencing capabilities for major incidents and breakout discussions.
  • Multiple white-board collaboration spaces throughout the space.
  • Light bars are located around the 50-seat training facility and are useful in cyber range exercises, where different colors can denote red, blue and purple teams. The training center also contains video conferencing and is separated from the fusion center with glass that can transition from transparent to translucent depending on sensitivity levels.

Batterman added that if the Trustwave digital forensics and incident response teams uncover something interesting during an engagement, they'll push that information downstream, and it will lead to an indicator of compromise useful for GTO (global threat operations) or intel teams conducting threat hunts.

"The other piece is we can create mitigations for the client to keep that threat away," he said. For example, this may include IP address blocking or automated patching.

***

Keeping with its second, but equal, goal of involving the greater community around security, the fusion center also serves as a premier education and training center for security practitioners, ranging from entry-level IT pros to accomplished CISOs running large enterprise operations.

Adjacent to the central command post is a large auditorium for delivering on-premises and remote training curricula, taught by renowned security experts. Participants learn cutting-edge techniques for detecting threats and defending networks and can earn industry-recognized certifications and accreditation in fields like penetration testing, data forensics and incident response. The auditorium also hosts regular industry gatherings and think-tank events that are helping to pave the path of the future, welcoming debates on practical and theoretical applications of new technologies and approaches in relation to the constantly evolving security threat landscape.

"The way we built out the fusion center, we really did focus on how we are going to use this to drive better value and interaction for customers," Emerson said. "And a big part of our vision has been to create a space where we can bring in the broader Chicago community, so they can participate in and present on specific topics."

So, for as much as cybercrime is a global pandemic and cybersecurity a global mission inside the fusion center, the facility will always have a local, neighborly feel to it.

"Our location is right in the heart of Chicago and within a couple-mile radius of some of the largest enterprises in the world," Emerson said. "It gives a taste of our values and sense of community, and we want to give back."

Recent Trustwave Stories

Feb 12, 2019

The Nerve Center

Oct 30, 2018

Knowledge is Power

Sep 06, 2018

The Incident Responder