Current attack techniques don’t allow companies to simply sit by and monitor the perimeter, explains Shawn Henry, an FBI veteran who is moving on to security startup CrowdStrike. Henry said his transition is based on the philosophy he shares with the fledgling company.
Attackers have become sophisticated enough that they can slip through outer defenses and invade a system, wreaking havoc from the inside, he said. In short, the adversaries are (or were) already in the network, so if companies aren’t monitoring the activity within their perimeters, they’re not doing enough.
Henry, who spent 24 years with the FBI, is joining CrowdStrike as its president of services. CrowdStrike’s goal, according to Henry, is to “see how [attackers are] working in the network and moving in the network and eradicate the threat that way.” Constant log monitoring, he said, would only be a start. Security staff needs to go deeper.
“People who built the network know what anomalous activity looks like,” he said, so they need to be constantly keeping an eye out.
In an interview with SearchSecurity.com, Henry said it’s no big surprise that this activity is occurring within networks on such a large scale.
“The threat is constantly increasing. We’re moving more data, ideas, intellectual property to the network,” he said. “The target set is increasing, so the threat is increasing.” Whether theft is happening at a bank or on a bank’s website makes no difference. Criminals follow their target wherever they can gain access to it, he said.
Henry highlighted common vulnerabilities within DNS, servers and applications as widely exploited issues. But those more complicated attacks are also joined by techniques that have been around for years, including targeting common vulnerabilities and the use of malicious email attachments to get into a corporate network. “The adversaries” are just so good at getting in that once they’re there, he said, they can move horizontally and vertically through a network without being detected.
In general, CrowdStrike hopes to help detect and eradicate the threat from the inside using the technology and intelligence services that it already offers. The third leg of the company, the services division, is what Henry will be heading.
As president of services, Henry will oversee CrowdStrike’s incident response and managed services teams, which currently include “Incident Response Services, Enterprise Adversary and Malware Assessment, and Response and Recovery,” according to Henry’s announcement on CrowdStrike’s blog.
His team will be responsible for coming in after a breach has occurred to provide computer forensics support and services in the aftermath. After leading thousands of employees and overseeing thousands of investigations with the FBI, he feels he’s well-equipped to handle the position.
According to Henry, the change to the private sector is just another phase in his life where he can apply his skill set.
“I served my tour, and then I retired,” he said, noting that he appreciated all the people he worked with in the public sector and that he hadn’t felt restricted by any particular person or thing.
“CrowdStrike provides me the opportunity to continue this fight, from ‘the other side,’ using intelligence and technology to get in front of the problem rather than merely reacting to it,” his announcement said.