Charles Herring, WitFoo: Here's What It Takes for Effective and Sustainable SECOPS
Built by veterans of the military, law enforcement and cybersecurity, WitFoo Precinct is the world’s most intelligent SECOPS platform fueled by big data analytics.
What is WitFoo’s mission and what SECOPS challenges are you aiming to solve?
WitFoo creates tools and data to deliver sustainability in the craft of cybersecurity operations. Our driving hypothesis is the craft of SECOPS can become effective and sustainable by leveraging knowledge and craft philosophies from law enforcement. The tools and data we research and develop are intended to make conversations across the organization and craft sustainable and transformational.
To accomplish our mission, we focus on 7 unhealthy conversations:
1. Security analysts cannot comprehend the data coming from their security architecture. This is caused by diverse message formats, extreme data rates and lack of context. By working with more than 30 security operation centers (SOCs) over the last 5 years, we have endeavored to create a unit of work that makes sense throughout the business, reduces noise, and increases clarity for the investigator.
2. Security managers cannot effectively inventory the gaps in policy, personnel, and tools. By analyzing the characteristics of the standardized units of work, WitFoo Precinct delivers clarity that drives professional development and security architecture changes.
3. Security executives cannot communicate with the broader organization in terms the organization understands. By producing Generally Accepted Accounting Principles (GAAP) metrics from the Precinct units of work, Chief Information Security Officers (CISOs) and other security executives now speak in a language that their peers use to justify staffing and transformation projects.
4. Organizations are unable to safely share information with each other. As attackers launch new attack types using new sources, organizations can share that intelligence with each other to accelerate detection and reduce risk. The WitFoo Global Indicator of Compromise (IOC) feed allows organizations to anonymously share information concerning these attacks without exposing themselves to brand or legal risk or requiring labor hours to be expended. As IOC reports are received, participating organizations quickly search real-time and historical data to determine exposure.
5. Organizations lack the ability to hold security vendors accountable. Because of the complexity of security tools and the lack of accountability metrics, security teams have been unable to hold vendors accountable for pre-sales claims. With the GAAP metrics produced, every tool in the organization is rated on gap and overlap coverage, labor cost of false positive noise, current ROI metrics and potential savings if additional tuning is performed. These metrics enable organizations to maximize the value from their existing tools and make cost-effective decisions when purchasing new tools. Customers are currently able to share their efficiency metrics with their vendors through the WitFoo Library service. In 2022, WitFoo Library will make these performance metrics available to the public.
6. Organizations and law enforcement are not able to safely share information with each other. Organizations fear brand and legal risk when turning investigations over to law enforcement. Law enforcement is unable to utilize data coming from organizations because it lacks completeness or fails to meet requirements for legal prosecution. Precinct creates “digital affidavits” which allow organizations to share information with law enforcement to successfully prosecute cases without creating undue risk.
7. Law enforcement does not possess the evidence to successfully prosecute cybercriminals. In working to solve conversation 6, Precinct assists law enforcement in organizing reports from many organizations into a single case that is focused on prosecution.
What is your background? What makes you & your leadership passionate about your mission?
From 1995 to 2002, I was active duty in the US Navy forward deployed out of Japan. My primary job was managing the avionics technicians in keeping 12 F/A-18 Hornets fully mission capable. After 9/11, I was detailed to the US Naval Postgraduate School to create the Network Security Group (NSG) to protect against cyberattacks. I immediately noted that naval aviation and SECOPS were completely different in the regard of craft maturity. SECOPS lacked professional development, quality assurance and codified workflows.
To learn what was available in the SECOPS market, I began performing product testing for the InfoWorld Test Center on network and endpoint security products. The years I spent in this role helped me understand how products were made and how the hype differed from the substance.
Serving as the Network Security Officer from 2002 to 2005, I worked in the Security Directorate with base police and military intelligence. My experience of treating SECOPS as an extension of law enforcement and national security was a contrast to the norm of treating the craft as a component of IT. As we built tools and processes inside of the NSG, we modeled them on law enforcement and military models. These models allowed us to have meaningful conversations at Department meetings utilizing GAAP reporting.
From 2005 to 2012, I performed several consulting functions with the US Department of Defense and other government agencies. I built applications that assisted in sharing information in SECOPS and disaster recovery (including Hurricane Katrina and the Fukushima tsunami). These experiences reinforced that SECOPS work has less to do with IT and more to do with law enforcement craft models. IT is built on manufacturing models of building, combining, storing, and shipping products (most commonly data). SECOPS requires a different set of philosophies, tactics, and skills to be successful.
From 2012 to 2015, I worked as a pre-sales engineer and later as a sales manager for Lancope, a security vendor that I used while at NPS and reviewed while at InfoWorld. I believed in the technology and wanted to help organizations deploy it to increase visibility to improve decision making. Through the experience of selling to enterprise organizations, I learned the importance of having a strong go-to-market strategy that included sustainable relationships in reselling and distribution partners. I also learned that many of the problems that I observed in forming the NSG 10 years earlier in the US Navy were still plaguing corporate America.
When Cisco acquired Lancope, my co-founder, Tim Bradford, and I decided that we should form WitFoo to address the craft and market problems preventing success in SECOPS. We believed that combining the craft knowledge in SECOPS with the time-tested knowledge of law enforcement would deliver a strengthened alloy capable of making the world sustainably safer.
What are WitFoo’s differentiators? What sets you apart?
A good friend of mine once remarked to me “Going to RSA is like going to a transportation conference where all the attendees want to purchase cars, but all the vendors are selling car parts.” Because the mission of WitFoo is to deliver the tools and data needed to deliver sustainability in SECOPS, we have taken a holistic approach to what we build. We are not aiming to fill market gaps - we are equipping the craft with a turnkey solution that boots up and delivers value. While Precinct can deploy inside a legacy datacenter, in a public or private cloud or hosted by one of our partners, WitFoo Support receives more than 1,000 metrics an hour from each node on health and integrations. Our service-level agreement (SLA) includes keeping our software and services running without the customer needing to take on extra labor. It also includes maintaining parsers and integrations from every data source.
Precinct also delivers infinite scale on data ingestion, retention, and processing at a single cost-contained price. Precinct uniquely delivers object-oriented security orchestration automation and response (SOAR) and GAAP accounting business metrics derived from machine data. Precinct’s data processing model utilizes semantic framing from natural language processing to normalize and comprehend every message.
The metrics in Precinct empower organizations to find problems in security architecture that will lead to security incidents. Our customers use those diagnostics to proactively close security holes so that the units of work that investigators execute are close to zero each month.
Tell us about your latest partnership with SYNNEX. How does this help build your customer and partner ecosystem?
WitFoo believes in building sustainable and healthy practices into every area of our venture. SYNNEX provides us with extreme scale in sales operations while minimizing our cost of sale. The SYNNEX network of resellers provides WitFoo with access to hundreds of skilled reselling partners across the globe. We only sell through reselling partners because we believe that organizations that deploy Precinct and other tools with the guidance of skilled partners will quickly find sustainable success in SECOPS. These partners have deep knowledge of Precinct, the politics and policies of the organization and the skills to integrate Precinct with the other tools and processes already in place.
In building WitFoo’s go-to-market strategy, it was critical that we build a channel program that works for partners and delivers sustainable security. We utilize haggle-free pricing to protect the profit margins that effective partners need to maintain skilled engineers. SYNNEX is a great bridge to these skilled partners and a fantastic partner in maintaining those relationships. Making it easy for our partners and customers to procure Precinct is a critical component in accomplishing our mission.