Rob Lee is the Chief Curriculum Director and Faculty Lead at SANS Institute. With over 20 years’ experience in the cybersecurity space, Lee has spent his career working in both offensive and defensive cyber operations, supporting organizations with his specialist knowledge in information security, digital forensics, threat hunting and incident response.
As well as his role at SANS Institute, Lee is Founder and CTO at Harbinger, a Denver-based provider of digital forensics and incident response services and consulting. Now, his expertise in these areas enables him to ensure that the SANS Institute provides its learners with the thorough understanding and fundamental cybersecurity skills required to secure their organizations against today’s most sophisticated cyberthreats.
At RSAC 2022, we spoke to Lee to discuss the importance of implementing human-centric security alongside technical solutions, and how organizations can make sure they’re choosing the best solution for their business amidst a changing threat landscape.
SANS is a leading provider in the security awareness training market. How has SANS kept its edge in such a competitive industry?
Security awareness training is basically an understanding of what the technologies are that people are using, and the hygiene every person needs to be aware of when using those technologies. And the technologies that individuals are using in the workplace are consistently changing.
Take a look what happened during the COVID-19 outbreak; everyone moved from—in most cases—office environments to home environments, and the platforms via which they might be susceptible to attacks shifted. People were dealing with a lot more home technologies, home integration systems, video conferencing tools and such, and security teams had to look at whether all those different technologies were protected.
So, whereas before, a lot of security awareness training focused in on email—which is still a very important avenue; phishing emails have increased—we’re now adapting our content to cover the threats users and businesses are facing in their new work environment and within the new technologies they’re using. For example, we’ve also seen a sufficient increase in phishing attacks targeting individuals through connection on social media accounts.
So, the real issue and the way in which we’ve adapted to keep providing strong training, is trying to keep up with the technologies that the normal everyday person is using, and making them aware of the different ways that a bad actor could try to take advantage of them.
How has your solution adapted in recent years to address changing customer needs such as educating users to identify more sophisticated threats, and meeting strict compliance requirements?
We’ve made our security awareness product highly configurable so businesses can use it for a lot of different utilizations. Every organization that signs into it could potentially have a different selection of modules that they’re providing their workforce. This means they’re also getting training that’s relevant to the problems they’re facing, rather than having one standard set of training that every organization undertakes.
So, we have different modules that are sent out and we’re expanding the amount of training that’s out there—not just in security awareness, but we’re also getting into basic IT practices that people learning now to use new technology platforms may find useful.
And we’re constantly updating our material on a monthly basis, generating new models because of technology changing that quickly.
How important is it for organizations to implement human-centric cybersecurity solutions, such as awareness training, alongside their technical solutions?
Oh, 100%, it’s incredibly important. Nothing is foolproof, no matter what you end up doing: attachment scanning, link scanning, trying to make sure that you’re scanning emails and all the different types of chat messages and videoconferencing meeting requests and post-meeting info that come in—it’s nearly impossible to cover everything.
And this is true especially of exposed devices. You might be able to cover a single platform like Windows or Macs, but when you have employees connecting a TV, a phone, even their AirPods to the corporate network, or even just to the same WiFi network that their work laptop is connected to, all of these things have the ability to potentially be exploited.
I’m not sure if you’ve ever been on a plane and someone’s dropped a picture on your phone because the network is open and you didn’t realize that, but if you use that phone for both personal and work, and someone says, “Hey, would you like to take a look at this picture?”, you might click to open it and they could then access your personal and business data. And that’s just one example of how someone might try to take advantage.
Now, I’m not saying a picture sent to you on a plane is really going to be devastating. I wouldn’t click on it, but you need that mentality to always be aware that all these different devices that you have on you can be exploited. And you can only protect a certain number of them through the automated applications but, even then, some things will slip through the gaps. And that human awareness can make someone stop and think when they get a message saying, “I need that file,” or “What’s the password?”, rather than just sending it straight over.
SANS’ SAT offering includes phishing simulations, which are a contentious topic amongst security experts. How can phishing simulations be beneficial, and how can businesses prevent them from being viewed as a test or punishment?
Honestly, simulations are more there to provide awareness for executives into how many people are likely to fall for an attack, so they can roll out more training where necessary to those who are most vulnerable. It goes back to the need to do ongoing training to keep reminding people of the threat.
Think of it this way: you have the TSA announcement as you’re going through security in the airport, telling you to make sure you have your water bottles out of your bag. But how many times have you still had a water bottle in your bag? It’s human nature to just relax a little bit and maybe forget something, and simulations can act as a reminder.
I think simulations are also helpful especially as new employees enter the business, to be able to see exactly where they are in their understanding.
But if the security team decides to escalate an action, that’s where the debate may occur. At Black Hat, for example, they have the wall of shame, where they display the names of people using unsecured WiFi networks. I think that takes it a step too far.
I think in general, simulations should be used as a training phase, to trigger refresher trainings for the user. There’s nothing bad about it. It’s just like realizing you forgot your water bottle at the TSA checkpoint—everyone’s embarrassed by it. And I don’t think we can get away from the embarrassment aspect of it, but it shouldn’t be public; simulation results should be kept private and used by management as a way to measure how often regular training needs to be done.
Finally, what are the most important features organizations should look for in an engaging, effective security awareness training platform?
Security awareness is something that you can drill into the people until you’re blue in the face, but if you want something really effective, I would definitely recommend looking for something that is configurable, modular, and can very specifically meet your organization’s goals.
There’s a lot of prescriptive stuff out there saying that organizations who do security awareness should cover X, Y and Z topics. Now, that may not be for everyone. You may have a company that says they’re really only worried about training people to spot phishing attacks, for example. But again, if you use Zoom or other communication platforms, satellite technology, or you have a large virtual workforce, all of these things potentially change the dynamic of what training you might need to solve the problem you’re having, and might increase the amount of modules that your organization needs.
That’s really why we want to make sure that organizations feel like they can get as much or as little training as they want, to be able to nail down the most effective and efficient training for their workforce. But at the same time, you as an organization also have to engage with your security awareness training provider and ask them what they think the right content may be. If you let us know that you went all virtual, for example, we can let you know about additional modules that may be useful for you.
Thank you to Rob Lee for taking part in this interview. You can find out more about the SANS Institute’s security awareness training solutions via their website.
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.