In this first segment of our two-part interview series featuring Shaun Vlassis, Founder of Illuminate Security, we delve into the realm of Illuminate Security and explore Shaun's insights on the evolving landscape of Threat Detection.
Vaughan: Welcome to CydShow. I'm Vaughan Shanks, co-founder and CEO of Cydarm Technologies, and joining me today is Shaun Vlassis from Illuminate Security. How are you, Shaun?
Shaun: Doing well, Vaughan. Thank you.
Vaughan: Excellent. To start off, Shaun, could you give us an overview of Illuminate Security and delve into the core mission behind the Blue-hat threat detection bounty platform?
Shaun: Absolutely. Illuminate Security was founded in 2023 with a fundamental reimagining of how threat detection and hunting are approached within our industry. We observed the success of traditional bug bounty programs in enhancing penetration testing and red teaming capabilities for organizations worldwide. However, the blue team, responsible for defense, seemed constrained by the traditional model requiring dedicated detection teams, SIEM implementation, and ongoing maintenance. We recognized an opportunity to democratize threat detection by adopting a similar pay-per-result model, thus launching the Bluehat platform. Through this platform, organizations gain access to specialized experts who focus on specific threat categories. They are compensated only upon successful validation of detected threats. This approach enables businesses of all sizes, from SMEs to enterprises, to leverage a vast network of skilled hunters akin to platforms like Bugcrowd and HackerOne, but for defensive purposes. Our ultimate aim is to empower blue team professionals, envisioning a future where they earn commensurate rewards for their contributions, much like their counterparts in the offensive security space have done for years.
Vaughan: So, it seems like with bug bounty programs, there's this community of pen testers who are mostly engaged in consulting work and can utilize spare time or gaps between projects to participate. Since you're running a two-sided marketplace, it's essential to have a supply of skilled blue teamers on your platform. What kind of expertise are you attracting to work on the platform?
Shaun: Since our launch in September 2023, we've onboarded several hundred experienced threat hunters. On average, over 80% of them boast more than five years of experience, with some seasoned professionals having 15 to 20 years under their belts. What's intriguing is that the traditional blanket approach to threat hunting - "trying to detect everything" - doesn't cut it here. Our platform rewards specialists who excel in specific threat classes, techniques, procedures, or rule sets. For instance, if I were to rely solely on a Sigma rule set loaded into a basic Splunk instance, I'd detect some threats but with high false positives. I'd need to tune and maintain it, and by then, someone like Bob might have already detected a sophisticated threat like DNS tunneling using a simple, cost-effective script. They're the ones who get rewarded for being quick, accurate, and comprehensive in their findings. This mindset shift is significant for both blue teamers and businesses, who no longer have to compromise effectiveness for cost. Imagine the resources required to hire and equip a hunt team of ten to 20 people - it's astronomical.
Vaughan: Speaking of Sigma, while it offers rule sets for various operating systems, it falls short in today's complex, multi-SaaS cloud environments, doesn't it?
Shaun: Absolutely. Sigma is valuable for managing and documenting logic, filling a gap in Detection Engineering. We had actually done something similar at a company that I worked at in the past and the problem is that it provides a false sense of security. (I love that term!) Because rules are easy. Writing rules is just 2% of the work; the real challenge lies in maintaining and fine-tuning them to remain effective against evolving threats. Operational hurdles like log format changes or system outages can render rules ineffective without ongoing attention. Contrastingly, in a threat detection bounty program, you set criteria and wait for results, sparing yourself the toil of rule maintenance and false positive triage. It's a more agile and efficient approach compared to traditional methods reliant on large rule sets and cumbersome maintenance processes.
Vaughan: How have you witnessed the evolution of threat detection? We started with tools like Snort, believing we could detect all threats on the network. Then came YARA rules and other specialized approaches. It seems like the industry has become more tailored and specialized over time. How do you perceive this evolution in recent years?
Shaun: There are several facets to consider in this evolution. From a technological standpoint, the sheer volume of data has grown significantly, and the accessibility and maturity of logs required for threat detection and hunting have improved markedly by 2024. Most major platform providers or security technology vendors now offer robust solutions for log management. In the early days, this level of maturity and accessibility was lacking, along with the sophistication of the logging itself. As the industry has evolved, we've seen a shift away from chasing trendy technologies towards solutions that are pragmatic and effective. With the proliferation of SaaS applications, it's clear that traditional SIEMs aren't always the right fit for handling SaaS logs. Specialized providers like AppOmni and Obsidian Security have emerged to address this specific challenge. Similarly, in the realm of infrastructure and application logging, we're moving towards more bespoke analytical capabilities rather than trying to build all-encompassing solutions like Splunk. Amazing tool, but they're trying to beat everyone to everything. And when you do that, you have scaling issues, you'll have cost issues, you'll have a myriad of side effects that come from that, versus I'm going to write a DNS tunneling rule. By focusing on specific use cases, such as crafting a DNS tunneling rule, we can achieve scalability and cost-effectiveness without the overhead of trying to cover every possible scenario.
Operationally, the industry has matured significantly. We've transitioned from a time of tinkering and on-the-job learning to a more structured educational environment, thanks to organizations like SANS and a bunch of the other providers out there. However, much of the expertise still comes from hands-on experience and knowledge-sharing among practitioners. While the space has matured, it remains relatively niche, with only a small number of top-tier professionals in Threat Hunting and Detection Engineering. These experts are typically found in large organizations or are absorbed by leading security vendors like CrowdStrike, SentinelOne, and Palo Alto. Nonetheless, these seasoned professionals are open to engaging with platforms like ours, providing their expertise and insights beyond traditional consulting engagements.
Vaughan: So, in essence, we've moved from edge detection at the traditional firewall layer to centralized log detection, and now we're transitioning back towards a more federated model.
Shaun: I'd describe it as the federation of systems themselves. It's about selecting the best tool for the desired outcome. Why use complex AI techniques when a simple regex, account aggregation, or even a basic Perl script could achieve the same result?
Vaughan: Of course, always ensure to taint check your inputs for security!
Shaun: The future lies in technology supporting outcomes rather than an outcome in search of technology. There's a notion of federating security controls, where a single location can query different technology stacks, but the challenges of correlation, standardization of log naming conventions, and processing impacts can create unforeseen burdens. Imagine the strain on an Active Directory server scoped for 10,000 users when queried every five minutes by a SOC team. Expanding this to all security technologies and supporting reference data solutions risks overwhelming engineering and admin teams. While it sounds promising, practical implementation may prove challenging. Time will tell, but I have my suspicions.