
Building Resilient Cybersecurity Programs: Insights on AI and Threat Response with Kelly McCracken


About This Episode

Our hosts Vince Spina and Rachael Lyon are thrilled to welcome Kelly McCracken, Senior Vice President of Detection and Response at Salesforce. With over two decades of experience in cybersecurity and technology, Kelly dives deep into the evolving landscape of AI and its pivotal role in security operations.

We’ll explore how AI enhances detection and response capabilities, especially against phishing threats, and discuss the critical integration of threat intelligence in security programs. Kelly will shed light on the importance of tailored incident response playbooks and the necessity of training stakeholders for effective decision-making during security incidents.


      Rachael Lyon:
      Welcome to To The Point cybersecurity podcast. Each week, join Vince Spina and Rachael Lyon to explore the latest in global cybersecurity news, trending topics, and cyber industry initiatives impacting businesses, governments, and our way of life. Now let's get to the point. Hello, everyone. Welcome to this week's episode of To the Point podcast. I'm Rachael Lyon here with my cohost, Vince Spina. Vince, are you coming back from some fabulous travels again this week?

      Vince Spina:
      I'm not. Since the last podcast, I'm home from Malaysia and took about 4 days to get the internal body clock

      Rachael Lyon:
      I bet.

      Vince Spina:
      Reset, and, happy to report, this is the first morning that I didn't get up at 3:30 AM because my body thought it was time to get up. So back to a normal schedule.

      Rachael Lyon:
      That's awesome. Yeah. It's hard. I never sleep when I go to Asia, but I get a lot of work done, you know, because I'm up, which is nice. So alright. So let me introduce today's guest. Really excited to welcome Kelly McCracken. She is senior vice president detection and response at Salesforce.

      Rachael Lyon:
      She's got 20 years in cybersecurity and technology and has been deep in incident response for much of that time. Among her many achievements, she's helped develop and lead implementation of national level cyber initiatives for the federal government, including development of the national cyber incident response plan and national cyber risk alert level. And we'll talk about some of her other achievements later in the podcast. Welcome, Kelly. Thank you for joining us.

      Kelly McCracken:
      Thank you so much for having me. I'm excited to be here.

      Rachael Lyon:
      Awesome. Well, Vince is gonna kick us off today.

      Vince Spina:
      Yeah. Kelly, super excited. This is kind of an area that we have passion for here at our brand, but, as Rachael said, you have just an immense background in a lot of things, setting up SOCs, incident response, etcetera. So I thought I'd just kinda maybe ask a question on security operation centers and where they've evolved. I work for a vendor today, but in a previous life, I worked on the customer side of the business and participated in NOCs and SOCs, but, boy, the environment has just really moved on. There's the rise of advanced persistent threats, sophisticated attacks, things like that. So my sense is, you know, setting up your operation centers has had to morph over, you know, a period of time. What can you tell us from, you know, the early days when you started to where you're at now? What are, you know, what are some of the big changes that you guys have had to do?

      Kelly McCracken:
      Yeah. So I think if you look back over, you know, at least my 20 years of being in the industry, we've really evolved for the better. I remember starting off, there was this, like, sense that you couldn't share. You couldn't share if you had an incident. You couldn't share your challenges that you had with trying to detect and respond. It was like, if you had an incident, that was really bad. Like, now I would say everyone's expecting people to have incidents, and it's more about how do you respond to that incident. How are you sharing about the incident? What are you sharing that you've learned from that incident so that the whole entire community can continue to learn from each other?

      Kelly McCracken:
      So, I remember being back as a government contractor in the early 2000s when FISMA first came out. And that's the Federal Information Security Management Act. And each department and agency had to report their incidents every quarter. And you'd have some departments and agencies saying they had one incident, and you'd have some departments and agencies saying they had hundreds of incidents because people were all reporting different things. There was no standardization as to what an incident really was, and people were scared, especially, you know, departments and agencies were afraid if they reported they had had an incident, maybe they wouldn't get the right grade for FISMA on their report card. 

      Whereas now, you know, I think if you looked at people with incidents, every big company out there, I think, has had some type of incident that's probably hit the news in one way or another. And I think if you looked over even just the past few years, how some companies have been scrutinized for not reporting their incidents or sharing about their incidents, it has caused a lot of us to move to be more transparent.

      [04:41] Interconnected Security Requires Strong Vendor Relationships

      Rachael Lyon:
      Yeah.

      Kelly McCracken:
      So, like, from a security operations center perspective, when we set those up, it takes a lot of how do you look at how we're connected. So, over the past few years, you know, maybe the last 10 years, companies have been becoming more interconnected with each other, and so you're only as strong as your weakest link. And so you have to really look at your vendors, because, you know, we saw with SolarWinds a few years ago, they had an incident, and then it impacted many other companies. And so you have to make sure that you're aware in the security operation centers where you have those connections and then build those relationships. 

      So I know at Salesforce, with a lot of our customers, I'm always trying to meet their security operations teams, their threat intelligence teams. So I can go ahead and build those relationships now, because a lot of our customers are our vendors as well. And so we're all in this together, and by establishing those relationships early before, you know, one of us has an issue, we can be better prepared to be able to detect and respond together. And there's a lot of information we can share because we're all dealing with the same or similar threat actors, and, I think, you know, it takes a village for us to respond effectively to today's threats.

      Rachael Lyon:
      Yeah. Truly does. And I think that's such a great point on transparency. You know, it's like the only way we're gonna try to get ahead of things is if we have all the information we need, right, to address this. You know, I'm curious too, though, you know, and we can't escape the AI conversation, Kelly. You know? And so I'd be really fascinated in kind of your perspective on how AI is reshaping the way SOCs operate. Because I imagine it's a pretty exciting opportunity here.

      Kelly McCracken:
      Yeah. So, I think everyone over the past few years has been focused on automation. And then within the last 18 months, a lot of people have started saying, how can we leverage AI in your operations centers? And many security vendors have built automation and AI into their products for many years before it was even called AI. And I think a lot of security operations centers are looking at how can you automate away a lot of the tier one type work. But as you do that, you need to make sure that you're upskilling those individuals that were at tier 1.

      Vince Spina:
      Right.

      Kelly McCracken:
      Because now they're gonna have to be handling more advanced things. So it's not necessarily hiring people to do the same job as they've always done because you got AI and automation helping them with that. But now how do you take those people that you had doing those jobs and upskill them? How do you help them grow in their careers? Because as I always say, like, I'm not trying to automate because I want to get rid of people. I didn't wanna automate because I wanna reduce our time to detect, and I wanna reduce our time to respond. 

      And that means I need more people being able to handle those more complex alerts and to be able to change and do more hunting in the environments and doing more in-depth analysis across the board and being able to see, you know, learning more about the threats that we're seeing externally and understanding those so that when we see them affecting our environment, we are prepared for them. But if you don't focus on upskilling those tier one analysts, you're losing out. You're not taking full advantage of the fact that you have invested in all this automation and AI.

      Vince Spina:
      Kelly, just a follow-up question around AI, and you said, hey. The way you really wanna use it is not to kinda retract the size of your team, but actually to use it for enhanced detection and response. Any key use cases? Like, you said, you know, you guys started looking at it about the last 18 months. Any key use cases that, you know, AI has significantly helped you guys kinda detect and then ultimately respond against?

      Kelly McCracken:
      Yeah. I mean, we use a lot of AI, from generative AI to help, you know, develop communications, to being able to analyze emails that come in from our employees to our security alias. We leverage that to then take that away because we get, you know, we're very much of a see something, say something type culture, and so we do get a lot of reports. Some of it's nothing. But, you know, people are very anxious, and we can leverage AI to help vet, you know, what are those things that need to have another set of eyes on it, and what are those that we can just, you know, say this is okay? Especially phishing. Phishing is a great way to leverage AI and automation. There's a lot of security vendors out there that can help you block, you know, phishing emails from getting into your end users, but they're not a 100% perfect. Nothing is a 100% perfect.

      Kelly McCracken:
      So you're always gonna have those phishing emails, especially because, you know, AI can be used for good, but it can also be used for bad. And those phishing emails are getting more and more well crafted by the threat actors. They no longer have misspellings. They can be in any different language. They can have your logo, and they have a lot of information about your company because it's very quick to do that now. So those phishing emails that get through get reported to your SOC. 

      And by leveraging AI and automation, you can more quickly turn around and automate that whole process end to end on responding to that phishing, making sure you're doing the right blocks, removing the emails, communicating out if needed. So that, I would say, is probably one of the number one use cases I see a lot of the security operations centers using today.

      Vince Spina:
      Fantastic. Thank you.

      Rachael Lyon:
      Yeah. Phishing is just crazy when you keep hearing about the sophistication too that AI has enabled, right, with these approaches and, you know, being able to replicate, you know, kind of languages in the Middle East and have them look credible. It's just mind blowing. Yeah.

      Vince Spina:
      I want a bumper sticker that says my AI can beat up your AI because I kinda feel like that's where we're at.

      Kelly McCracken:
      So That's

      Rachael Lyon:
      right. You need AI to detect AI. That's right. Okay. So one final question, as we talk about SOCs, how does a SOC integrate threat intelligence into its operations?

      Kelly McCracken:
      So that's a great question. I like to say that you need to leverage your threat intelligence to help drive your whole security program. So, you need to identify, leveraging your external threat intelligence, the threat intelligence you get from your own environment, the intelligence you can pull from your incidents that you've had, from risk assessments that you've done, any type of testing you've done. Pull all that together and really assess what are your top threats to your organization. You can try to boil the ocean as a security operations center. It's not gonna be effective. So you have to really prioritize what logs you're onboarding because you can't onboard every single log. It's way too expensive.


      [12:00] Prioritize Threats, Respond with Intelligence

      Kelly McCracken:
      And a lot of logs you'll never need. You need to prioritize your detections, and you need to prioritize which playbooks you have. So if you take that information that you've collected and identify your top threats, you then can prioritize as to, number 1, do I have the protections in place to be able to protect against that threat? Because you often need to have those protections in place to be able to have the needed logs to detect against that top threat. So identifying where you have your gaps in your protections and then identifying where you have your gaps in the logging that you currently have. Do you need to onboard new logs to your SIEM? And then once you have those logs, what detections can you do on those logs? And then prioritize those. And then from that, alright, you now are detecting, but how do you respond?

       Or do you have the playbooks in place to respond? And then does the team know how to respond? Do they know, you know, like I said, it takes a village to respond even internally. Do you know the right teams you have to reach out to to help you be able to respond end to end for that incident? So leveraging threat intelligence, I think, like, if you try to do security operations without leveraging threat intelligence, you're probably overwhelmed, and you're probably not focusing on the right things. And the threat intelligence definitely allows you to do that.

      Kelly McCracken:
      In addition to that, like, threat intelligence having the ability to help you during an incident with the attribution and how a threat actor is working, their typical TTPs, can definitely help an incident response team drive their response to an incident.

      Vince Spina:
      Yeah. Kelly, let's maybe kinda start moving down that value chain because you were talking about it. You know? So as you kinda get stronger at threat intelligence, then you have to move to incident response. And you talked just a minute ago about, you know, building out strong playbooks. And you intimated a few things, but, you know, in your opinion, what are some of the key elements to creating a successful incident response playbook? Like, what are the things that you and your teams are looking for? Yeah.

      Kelly McCracken:
      So, first, you need to, you know, hopefully, have an incident response plan that you follow, no matter what the type of incident is. And then the specifics of, like, the investigation piece is where the playbook comes into play. I, a few years ago, wrote a blog on how to write an incident response plan, and a lot of it is, you know, first, making sure you identify what are those types of incidents that you could have, because that will detail what playbook you need for each incident. You also need to determine, you know, what is the potential impact that that type of incident can have, and that can drive your playbook as well. 

      You know, if you have your low severity incidents, you know, phishing incidents that aren't really successful in, you know, compromising a system, those are probably a low severity incident for you. But, you know, a ransomware type of incident has a totally different playbook. I would say, you know, ransomware, we could go on probably for an hour just about how to respond to ransomware attacks. But ransomware incidents have a very unique playbook compared to any other security incident I think any security operation center would respond to.

      Kelly McCracken:
      So, you need to identify, you know, what are those types of incidents that need playbooks, and then what type of severity would those incidents have? You know, data exposure would be a higher severity incident. Developing who are the stakeholders you bring in to respond to that type of incident? What are the different containment actions you need to take for that specific type of incident? Because they're all going to be different. And then, you know, what is your eradication strategy if it's a threat actor? Are you okay keeping, waiting to, sorry. I said eradication, but it's also containment. What is your containment and eradication strategy if you have a threat actor in your environment? Are you going to go ahead and contain, or are you going to wait and see until you fully scope the incident?

      Rachael Lyon:
      You have to have

      Kelly McCracken:
      those discussions beforehand because if you're trying to do it during an incident, everyone's at high stress levels. It makes it very difficult. Business leaders may not, they need to be trained as well because they're going to be the ultimate ones that say yes or no. Do you pull the plug or push the big red button? They need to be trained on having some of those discussions now before the actual incident. So going through the whole incident response life cycle inside that playbook and having those discussions and detailing it out, those decisions that are made prior to the incident help the incident move more smoothly during the actual incident.

      Rachael Lyon:
      It's interesting. I'm curious about your perspective here too because I think a lot of people, and you mentioned this in the blog that you were talking about, you know, kinda treat these incident response plans as kind of like a tick box. Like, we gotta get one. Set it and forget it. We're good. You know? It's a matter of if something happens, and that's just not reality. Right? I mean, it's when something's going to happen. So I'd be kinda curious, like, what mistakes or, you know, kinda oversights organizations are making when designing their incident response plans, and are they following through on addressing those?


      [17:37] Customize Incident Plans for Organizational Alignment

      Kelly McCracken:
      I think you hit it right on the nail. Like, if you write an incident response plan just so that you're doing the compliance checkbox, you're wasting your time. You can download one off the Internet and change the brand and have that. But if you write your incident response plan that is unique to your organization, number 1, it helps bring everyone together. And, you know, we try to, at Salesforce, run incidents very similar across, whether it's a security incident or availability incident, because the stakeholders are all the same. Like, you're bringing in your legal teams, your public relations teams, your business leaders, your engineers. And if they have to be like, I have to do this for this security incident, and I have to do this for an availability incident or this for, you know, any other type of incident, it's very confusing. But if you standardize it across the company and then you can get a little bit more detailed as you go down into the different levels of teams, it helps align so people aren't scrambling and trying to figure out what they're supposed to do during an incident.

      Kelly McCracken:
      I always say, when we do our retrospectives for incidents, that there's no incident that is handled a 100% perfectly. I don't know that I've ever heard anybody say, you know what? At any company, that we did that, there were no mistakes. That was, like, super clean. There's always going to be something. And it's often because the threat landscape is changing. We're handling different incidents. You never know what's going to get thrown at you. And so there are going to be mistakes, but it's how do you learn from those mistakes? And it goes back to what I said at the beginning.

      Kelly McCracken:
      It's not, you know, companies saying that they have no incidents. It's when they have those incidents, how they respond is, I think, how you build trust across the industry. And by coming out and saying, like, number 1, we had an incident. This is what we did, and here's what we learned from it. I think it's definitely important because those learnings are how we all get better. The problem is if you don't take those learnings and apply them, then I would say that that's a big mistake companies make.

      Vince Spina:
      Yeah. Kelly, I'm curious. You guys are a SaaS based company, and a lot of customers now are adopting a cloud first or a cloud also type adoption strategy. You know, in the old days, when I was a customer, all of our apps and our data sat in our personal data centers, and, you know, that was a little bit easier to kinda manage and contain because, you know, it was a bordered environment. The world of cloud today, I mean, it's borderless. Data is everywhere. It can be accessed by anyone, anywhere. You know, how's that kinda changed, you know, how you guys look at incident response planning today?

      Kelly McCracken:
      Yeah. So I think we've seen the world move exponentially to cloud. And often that is decisions that are being made by the CIO office, the IT team. And sometimes they are including their security team, and other times they're not including their security team. And often security teams don't understand sometimes the risks of going to a SaaS vendor and or what's available from that SaaS vendor from a security perspective.

      Vince Spina:
      Mhmm.

      Kelly McCracken:
      So I think, you know, as companies do move to the cloud, they need to make sure that they're including their security team through the whole process. And it's not just a once and done. And I think that's where a lot of people run into problems is that they're not doing the continuous monitoring of their SaaS applications or even their infrastructure as a service. They need to make sure that they're doing that continuous monitoring because you can misconfigure. If you don't have MFA enabled for those services, you can have account compromises very easily, and that's on the customer side of the shared model that's with every SaaS solution out there. 

      So security teams need to make sure, like, that they understand which cloud solutions are out there that their company is using and then what is available to them. Is there a solution where they can ingest the logs from those vendors so that they can get the visibility into what's going on? Do you have a solution where you can monitor the configurations of those implementations, of those vendors, so that you can see if someone has accidentally, you know, toggled something that then allowed for more access than intended? You really need to have that oversight and not just, you know, send it to the cloud and assume it's all good, because it is a shared model.

      Kelly McCracken:
      From an incident response perspective, it can be a lot more costly to respond to an incident that's in the cloud than on prem. Because if you think about it, if you're not ingesting those logs directly into your SIEM, you now have to go request those logs. So now you're spending time to be able to fully scope the incident. You also may have to pay for those logs, and those logs can be very expensive. You're also at the mercy of that vendor being able to pull those logs in a timely manner. Like, depending on how they have those logs stored, it could take them a while. So, it's always good to understand what is available and then also exercise it. Do your tabletops.

      Kelly McCracken:
      Include your vendors in those tabletops because that's the way that, like, being over prepared will help save you in the end. And you're not gonna be scrambling as to, does anybody know anybody at this vendor that can help us get our, like, help desk ticket moved up in line? Because we really need our logs to respond to an incident, and then you're scouring LinkedIn. Like, understand who those contacts are and who you contact at the vendors to get that immediate help, because you don't have time during a security incident.

      Rachael Lyon:
      It's a really great point. And, you know, I think it's interesting too about, you know, the on premises. Right? A lot of folks are operating within hybrid environments, you know, because COVID kind of forced them to. Right? But, I'm just interested. Are there unique considerations, right, to incidents in the cloud versus on premises? I mean, are these kind of, like, separate playbooks, or how should people be thinking about these things?

      Kelly McCracken:
      I mean, I would say it's all in, depending on the company. They're most likely probably all integrated now. And that makes it so you can't have separate playbooks. But, yeah, you need to understand what tools you have, especially with, like, infrastructure as a service. Like, what security tools can you have available to help you detect and respond? And then you need to also look at, you know, how are they connected? If you have first party and cloud, how are they interconnected? And do your incident responders know how to respond in the cloud? 

      Like, you know, responding in AWS is different than GCP, which is different than Azure, which is then different than a SaaS vendor. Like, you know, do your incident response teams know how to respond in those environments? Are you training them on those solutions? So it's definitely a, you know, it's a journey that a company has to take when they start moving to the cloud because there are definitely different tools that are available and different skills that are needed.

      Vince Spina:
      Yeah. Kelly, I was gonna ask earlier when we were talking about, you know, SOCs and threat detection and things like that, what was the role that AI played, you know, on that side of the equation. You know, the other side of that equation is, you know, can you share how you guys are using AI and the value of that from the incident response side of the equation?

      Kelly McCracken:
      So we are on our AI journey. You know, at Salesforce, we've leveraged AI for years, but, as we get in, you know, with all the different AI kind of innovation that's coming out, I feel like daily, we're continuing to build that into our operations. So we use what we call a detection and response Copilot that helps guide our incident responders based on previous incidents that we've handled. They can ask questions. They can get summaries of incidents. They can understand. They can pull threat intelligence in. So that's one use case that we're using.

      Kelly McCracken:
      You know, we're continuing to build it out, though. One of the things that you have to think about, though, as you are implementing AI into your security operations, you're going back and you're assuming that you have handled every single alert and every single case and incident a 100% perfectly because that is what is going to be training your AI models. So even though you're leveraging AI, you still have to have that skilled analyst on the other end saying, yeah, that actually doesn't make sense. And being able to have the opportunity to flag it so we can fix it, because the AI is only gonna be as good as the data. And unless you have everything absolutely a 100% perfect in the data that it's taking, just like any use for AI, you could go down the wrong path. So it goes back to saying that you need to scale up those tier 1 analysts, including tier 2 and tier 3, so that they know to question the AI that you've implemented. We're also looking at leveraging AI for detection.

      Kelly McCracken:
      You know, if you're in the middle of an incident, you may need to create new detections. Well, I don't wanna have to have a 24 by 7 detection team that has to be on call to be able to create a detection for me. If I could have an incident responder that can be able to leverage AI to create that detection for us, that relieves me of having to pull someone in on a weekend that may not need to be pulled in where we can use that AI. So there's a lot of different use cases out there. We're continuing to explore like everybody else, but it's, you know, it's fun. It's interesting and a fun world to live in to see, like, how we can use this new technology that everyone is grasping onto.

      Vince Spina:
      Yeah. I actually just wanted maybe a follow-up rate, so I'm gonna turn it over to you. But you talked about the interaction of an analyst working with AI, but not fully trusting AI. But I was wondering, is there any kind of rote incidents out there that you fully trust AI just to respond to that doesn't need human interaction? Have we gotten to that point? Or is it still kind of a trust and verify kinda, you know, environment?

      Kelly McCracken:
      So I think it depends on what impact that incident could have. So if the containment action that the AI would take for that incident could be business impacting, no, I probably don't trust it to do it.

      Vince Spina:
      Okay.


      [29:23] AI is Useful for low-risk Tasks, but needs Oversight

      Kelly McCracken:
      If it's low impact and it's something that we can, you know, easily turn back, then, yeah, that would be something that I would consider AI to be able to fully handle. Ultimately, though, I think that you need to have someone looking over all of it. Maybe not every minute, but, you know, at the end of the day, let's see what all the AI handled. Let me just double check to make sure that makes sense and that we're not missing something or that the AI has mishandled it or we've caused a business impact that we didn't intend to. So you still need that oversight even though you have the AI handling it. But it really comes down to what is that level of risk you're willing to take on the impact that the AI could have in its response to your business.

      Rachael Lyon:
      Yeah. That's a tricky one, I imagine. Because there would be that, I think, desire. Right? You just wanna hand it off and say go take care of it so it'd free up my time to go focus on these other things. You know? But, that's, yeah, that's dangerous.

      Kelly McCracken:
      It is.

      Rachael Lyon:
We're shifting gears a little bit. I'd like to talk a little bit about cyber protocols. You know, when you're developing cyber protocols for an organization, where do you even start? And how do you ensure that what you're putting together is both comprehensive enough to mitigate risk, particularly looking forward, but also flexible enough to adapt to evolving threats, particularly when you don't know what's coming in the age of AI? It seems like a heady

      Kelly McCracken:
task. Yes. So number one, when you're thinking about protocols and you're trying to build your overall strategy for your company, I think you have to look at your culture. If you look at some of the most successful companies out there, most of them have security and trust at the forefront. At Salesforce, we have trust as our number one value, and that really drives our culture and how we put security at the forefront to make sure that we are building it into everything we do. You also need to then start figuring out how to build it into the innovation, you know, making sure that security is an enabler and not a blocker. And I think it's so important that as a security organization, you're not pushing things on the business and forcing it on them. You're coming in more as a collaborator.

      Kelly McCracken:
You're trying to enable them to do their job in the business, but do it securely. So you work with them to understand what their needs are and how you can address those needs while making sure that it's done in a secure manner. Often people want to do the right thing, but you need to understand their business needs to make sure that it is done in the right way. I think it's also implementing a continuous improvement process, I would say. You know, you can't set it and forget it. It's constantly looking and leveraging that threat intelligence, like I mentioned. Doing that threat intelligence assessment, from external and internal, and pulling the information together, that's a continuous process that you have to do to make sure you know where you need to focus your efforts. And it really helps you prioritize.

      Kelly McCracken:
And you need to make sure that you're working throughout the community, like leveraging bug bounty programs and doing industry-wide collaboration, working through the ISACs, and, you know, FIRST, working in the industry to help share and get that information back so you can then apply it to your organization. I always push my team, saying that we need to be out there in the industry trying to help the industry be better. Help them. I want people to be able to learn from what we're learning at Salesforce, because I believe if we're sharing, then we're making the entire community stronger. So you have to have, you know, that raising-the-bar type of attitude. And then, again, it just comes down to that continuous monitoring of the threat landscape. Because without that, you're going to be left behind, and you're not gonna be protecting against your top threats.

      Vince Spina:
Yeah. Kelly, I love that you use the term, you know, that you guys are always trying to be an enabler for the business, and trust is one of your core values. Your main mission is to keep your brand safe, right? But you always have to kind of balance that with the experience of your employees and your customers and letting the business flow. When you talk about some of these cyber hygiene type protocols, any you can share that through your experience have worked well, but also some that might not have worked so well and you had to course correct, to kind of keep that balance happening of safety versus experience?

      Kelly McCracken:
Yeah. I don't know that I have any specific protocol that I could share. But, you know, the ones that are the best are the ones that are reducing risk while they're also enabling the business. If you, as a security team, push out a protocol that does not enable the business, you're going to spend more of your time having those conversations, fighting it, and probably having to roll things back; you're gonna waste your resources. So go into rolling out a protocol having that partnership at the very beginning to understand the different environments, because I guarantee you, organizations' environments are not the same across the board. They probably have different variations of their environments, and each of them has various security controls. You need to look at those and say, okay, well, maybe this environment does not need this protocol at the most restrictive level.

      Kelly McCracken:
But this one does, because they don't have as much defense in depth, as many security controls in play. So if you try to spread peanut butter security protocols across the board, it's often not going to work. But if you sit there and be a good business partner with the business leadership, you can usually move further, faster together. I think that you can also have these times where the business, if you're not working closely together, they can go off and they think they're doing the right thing. But they're not the security experts, and that can cause some problems as well. So it really comes down to just partnership, making sure that you understand the business and the business understands what you're trying to accomplish, and then working together to get there. When it comes to a security operations center, you know, you'll hear sometimes that people don't see what the security operations center is handling. You probably do reports out to your leadership and to various stakeholders, but not everyone that works with the security operations center is seeing everything that's being sent.

      Kelly McCracken:
So if you push something onto a business, and they're like, "You know what, we had to do all that work to get that security protocol enabled. But what is it doing for me?" Because no news is good news, in my opinion. They don't see the benefit of having it there if it's impacting them, but from a security perspective, it is. So that's where you have to then start information sharing with them and explaining to them, you know, "Because I had this enabled, I was able to detect and respond to these threats that were within your environment," and then that helps bring them along. But if you don't do that information sharing with them and help them understand that it is doing something positive for them, they will often push back on you.

      Rachael Lyon:
It's funny too, right? I mean, there have been these surveys or articles on how you get more funding for cybersecurity after an incident versus, you know, trying to prepare. And it's hard to get executive leadership buy-in, right, for funding for these kinds of things. A lot of it is just how you translate the security speak into business terms that they understand, you know, dollars and cents. I'd be interested in some strategies you use to make that translation happen, to get a C-suite on board.


      [38:32] Learn from Incidents and Secure Funding Proactively

      Kelly McCracken:
Yeah. So you're right. You usually do get more funding after you have the incident, and it would be nice if you had it before. But it goes back to making sure that you are learning from other people's incidents. So when you see an incident hit the news and, like I said, more companies are being more transparent with what happened, how they responded, the challenges they had, take that information and bring it back into your organization and say, could this have happened here? And if it did, would we have been able to detect it? Would we have been able to respond to it? Would we have been able to stop it from happening in the first place? Leverage that and then take it to your executive leadership, because they all saw it in the news, and they're like, that was scary for that company. And then say, it was, and the exact same thing could happen here if we don't take these actions now, because the threat actor is still out there. I think that's a better way. That's one way that can be helpful.

      Kelly McCracken:
I recently saw a training, and in that training, they explained how to get something through Congress. And it's, you gotta relate to the congressperson. Like, find something that's personal to them. And so, you know, if you take that kind of approach, you can most likely sell it to them. So, yeah, finding a way to make it personal to the executive leadership team helps in getting the funding that you need.

      Vince Spina:
Yeah. Actually, Kelly, let's talk a little bit about training. So up till now, we've intimated that any incidents were happening from bad actors, but, you know, it's certainly our experience here at our company, and maybe you feel the same, that a lot of times, good people just do dumb things, right, or make mistakes. How do you kind of build that into training and awareness for your employee community, or maybe your customer community, as some of these incidents come in and you uncover some things where good people just did something they probably shouldn't have done?

      Kelly McCracken:
Yeah. So we get that data together and then figure out a way to do a campaign to help educate the employee base, through our training and awareness team. And that helps bring the awareness. And if it's something that's, like, immediate, we get it out to the company as quickly as possible so that they understand. People are going to make mistakes. You know, humans are probably the weakest link, unfortunately. And so you have to just understand that's gonna happen, but you have to build a culture where they feel okay saying "I made a mistake, and this is what happened," not trying to cover it up. And that they feel okay reporting it, because if they don't, trying to cover it up could make things worse.

      Kelly McCracken:
So having that culture where it's okay to report, you're not going to get in trouble for making that mistake. It's better that you tell us versus not tell us. I think as a parent, I use the same approach with my children. Like, it's better for you to just tell me what happened versus me trying to sit here and investigate. I think you build this culture where it is okay. If we start seeing a trend, it may be that people are just trying to do too much too fast. A few years ago, we had a chief trust officer who would go out at every company leadership meeting or company all hands to say, please slow down. You know, take a breath before you send that email.

      Kelly McCracken:
Take a breath before you push that code. Take a breath, like, just stop for a minute, because when you're going too fast, you can make those mistakes. And if you just slow down, you can prevent a lot of work from having to be done from a security operations perspective.

      Rachael Lyon:
Yes. I had something like that happen yesterday when I was trying to multitask, and I clicked on

      Vince Spina:
      Trying to share, Rachael? Or

      Rachael Lyon:
Something I shouldn't have. But luckily, I was able to rescind it and bring it back and correct it. So

      Kelly McCracken:
We've all been there.

      Vince Spina:
Was that my "Vince, please don't read email"? Was that

      Rachael Lyon:
Recall. Recall. Yeah. Oh, yeah. Good times. So I'm really curious. I mean, you've coauthored a NIST publication. I love these numbers too.

      Rachael Lyon:
SP 800-61, Computer Security Incident Handling Guide. That's so cool. You know? And I can imagine these are huge lists. They're not, you know, "I'm just gonna write this little thing." And so I'd be curious about researching standards. When you start putting a guide together, does that really kind of start reframing how you think about certain things or security approaches? Is there a causality impact in going through such an exercise?

      Kelly McCracken:
Yeah. I mean, putting one of those together, you have to do a ton of research. You have to talk to a lot of industry experts, listen to a lot of podcasts. But I think going through that experience was kind of foundational for the rest of my career. It really helped me learn how to do the whole process and the importance of planning and thinking things through prior to an incident. And I got to work with some really talented people while developing that guide. It was fun, but it was daunting. There's a lot of editing you go through, making sure that you're not forgetting something and that you're getting it perfectly right.

      Kelly McCracken:
But it is a great way to really get deep into a specific area of security. So I definitely recommend, if anybody has the opportunity, to help coauthor a NIST publication. It's a great way to learn and to meet some great people across the industry as you develop it.

      Vince Spina:
Awesome. Kelly, I've got one more question, in the interest of time here, because we want to respect that. Earlier, we talked about some of the considerations of data and applications moving off premises out into the cloud. My last question was, are there any different considerations when you're building out your security protocols as it pertains to employees? Like, it used to be we all came into the office five days a week, and now a lot of those people are working remote or hybrid. How has that changed things from a security protocol consideration perspective?

      Kelly McCracken:
I can't say that it changed significantly. You know, being a global company, people were already working remotely in some capacity prior to COVID, so it didn't really change how we work. I think that it just made sure that moving to things like zero trust is important, and teaching people how to work from home, keeping things secure, making sure that you don't have ears around you if you're talking about sensitive information, not working at the coffee shop if you're on a call, things like that. It's just general kind of hygiene that I think, whether you're in security or not, people needed to learn to follow. But there wasn't much that changed for us when it came to going remote from a security perspective. The same protocols applied across the board as they did prior to COVID.

      Vince Spina:
      Oh, interesting.

      Rachael Lyon:
Yeah. Just use a little bit of common sense sometimes too.

      Kelly McCracken:
Yes. Our security awareness training just got a little bit longer to explain how to work from home.

      Vince Spina:
      Yeah.

      Rachael Lyon:
Yeah. Well, Kelly, I do want to be mindful of time. Thank you so much for joining us today. This has been a wonderful conversation with so many insights. Thank you.

      Vince Spina:
Thank you.

      Kelly McCracken:
      Thank you very much for having me. It was a great time.

      Vince Spina:
Wonderful. Articulate. I was impressed because, I mean, just off the top of your head, we're throwing questions at you, and you know your environment.

      Rachael Lyon:
You know your stuff. Yes. Yeah. I bet.

      Kelly McCracken:
      Thank you.

      Rachael Lyon:
And it's so important too. So I love that we're covering this. I don't think we've had a podcast on this theme before, right? And it's just so critical. So thanks for kind of walking through all the various elements, too, that people need to be thinking of, because it is daunting. You know, but when you go through the effort and exercise, it's so worth it. So worth it.

      Kelly McCracken:
Yes. Yes. And it's an important topic. And I think the more you prepare, the better it will go for you.

      Rachael Lyon:
Absolutely. So again, thank you, Kelly, and to all of our listeners, thanks for joining us again this week. And, Vince, as always, what do we want them to do?

      Vince Spina:
      Smash that like button.

      Rachael Lyon:
That's right. Smash it. Smash the like button, the subscribe button, and the comments. We love feedback. Please give us feedback on this episode and what you enjoyed, or topics you'd like to hear in the future. We want to hear from you. So until next time, everybody. Stay safe.

      Rachael Lyon:
Thanks for joining us on the To the Point cybersecurity podcast brought to you by Forcepoint. For more information and show notes from today's episode, please visit www.forcepoint.com/podcast. And don't forget to subscribe and leave a review on Apple Podcasts or Google Podcasts.


      About Our Guest

      Kelly McCracken, Senior Vice President, Detection & Response, Salesforce

Kelly has more than 20 years of experience in the cybersecurity and technology industry, focusing specifically on the establishment and standardization of cybersecurity incident response programs and security operations centers (SOCs). She has helped develop and lead the implementation of many national-level cybersecurity initiatives for the federal government, including the development of the National Cyber Incident Response Plan and the National Cyber Risk Alert Level. Additionally, she co-authored the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, Computer Security Incident Handling Guide, rev. 1 (as Kelly Masone), the national standard and guidance for incident response.

Kelly is well-versed in developing strategic plans, concepts of operations (CONOPS), standard operating procedures (SOPs), workflows, and escalation matrices for the development or maturation of SOCs. Specific to incident response, she has assisted in the development and implementation of many national-level cybersecurity mitigation and outreach plans. She is well-versed in SOC and incident response technology and the correlation between people, process, and technology within an operational environment.

      View her LinkedIn