Hi everyone, this is Jeff Crume. I am a security architect and distinguished engineer with IBM. I've been with IBM for 36 years and most of that has been spent in the security space. I've been interested in this particular topic all the way back to high school, where I spent most of my afternoons in the lab hacking and trying to figure out how systems worked, how they would break, how you could defend against attacks and all of those kinds of things. So it's been a fascinating topic for me for as long as I can remember, and I hope you'll find it to be so as well. So welcome to this course, and I hope you'll find it interesting. We're going to move on to the next slide, which refers to the challenges that we face currently in the cybersecurity space. The challenges are significant. In fact, most of these challenges have been true for a long time and I suspect will continue to be true for a long time moving forward, which is one of the things that makes this such an interesting space and such a good place to develop and spend your time developing skills in. So for instance, the threats continue to increase. That's been the case for as long as we've been interconnecting computers across the internet. The threats have continued to increase, and there's no reason to think that that's going to change. There's an increasing incentive for the bad guys to try to hack, and why is that? Well, because more and more we're putting important information, valuable information, resources that have actual monetary worth on IT systems. So when the famous or infamous bank robber Willie Sutton was asked, "Why do you keep robbing banks?", he said, "Because that's where the money is." Well, if Willie Sutton were robbing banks today he'd probably be on IT systems and be a hacker, because that's where the money is, and it will continue to be the case. 
So the threats continue to increase, systems get more complex, which also increases the threat space and increases the size of the target that we place on these systems. The alerts that we get continue to increase, in other words the notifications that people are attacking and doing certain techniques using different types of attack vectors; that continues to change and more. We have some general themes that continue, but the details of the attacks will continuously change. Unfortunately, those things are good for the bad guys; for the good guys, the number of analysts is down, and you see a statistic down at the bottom of this slide in particular that talks about a skill shortage, where we're projecting that by the year 2022 there will be 1.8 million unfilled cybersecurity jobs. Now that's a lot, but some people will argue and say, well, that number is exaggerated, so let's cut it in half. Let's say it's roughly a million just in terms of round numbers. That's still a huge number. That means if you have the job reqs to go out and get the skilled people, there are simply not enough skilled people, and we can't create cybersecurity experts fast enough to meet that demand. Now you may watch this course later; this is being recorded at one point in time, so any time you put statistics like this out there, there's always a risk that in the future the odds are that the dynamics will be somewhat different. I suspect this is going to be a problem for us going forward. So we're going to need a lot more cybersecurity experts in the field to accomplish what we need to be able to accomplish, and they're going to need more and more knowledge. The knowledge that's required in order to deal with more complex attacks continues to increase. Then, unfortunately, we have less and less time to work on these. 
Because literally time is money when it comes to these attacks: the longer it takes you to respond, the more it will cost, the more data gets leaked, the more damage is done, and in some cases, when we're talking about compliance regulations like the General Data Protection Regulation from Europe, GDPR, if you don't respond quickly enough and notify all the people that need to be notified of a breach, it will cost your company significant money as well in terms of fines. So all of those things taken together really come up to one inescapable conclusion: that we need more cybersecurity-skilled individuals to help deal with the threat. So what do these folks need to do on a regular basis? Well, if you're in a SOC, which by the way is a security operations center, that's the control center, the nerve center, where we receive the security information and event management information; that's the acronym you see there, SIEM. That refers to bringing in all the alarms and security information into one place. So we need to be able to see those events on a console, see the incidents, which ones of them are important and which ones of them aren't. That's a huge part of the triage that goes on here. In doing that triage we have to decide: is this something real or not? If it is, then I need to do more investigation. If it's not, well, then I could move on. Maybe I want to classify it so that I don't waste time on those similar types of information and alarms that come in in the future. So we're constantly wanting to tune this to our environment so that we don't waste time. We're productive with what we do. 
You want to be able to do the investigations, and in some cases that involves using all sorts of different security tools; you may have lots of different consoles, although we're more and more about trying to create an integrated whole so that we can bring in the information from the data layer, the operating system layer, the network layer, the application layer, the identity layer, and bring all of those together in an integrated way. But in many cases these indicators of compromise may occur on different systems, and we need to be able to bring them all together. So being able to be skilled at doing searches, doing investigations, having a curious mind that can go out and piece together all the different threads that we have into an integrated whole and start building a narrative around it: okay, this happened, and then that resulted in this, and then we had this happen, and now what we have is not a single incident but a large malware campaign, for instance, that is affecting lots of systems. The way we mitigate and orchestrate our response to that then becomes the next skill that we really have to focus on. So the first job is identifying the problem, then trying to discover the extent of that, the risk that's involved in it, for instance, how big of an impact does this have on the organization, and then ultimately what kind of response do we do with this? Can we automate some of the response for the future? Is this something we will have to deal with as a one-off? Are there individuals that we need to notify to get a response to this particular problem? Do we have to work with other partners whose systems may be connected to ours, an ISP upstream? Do we need to have them put blocks on the network to get rid of the bad stuff? Do we need to install new tools that can help us do mitigations in the future? So you can see there are a lot of different kinds of things, and I've only touched the tip of the iceberg. 
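As an added illustration of the triage and correlation workflow described above (example code written for this page, not part of the lecture or any IBM tool): it takes a handful of constructed alerts from different telemetry layers, drops the ones an analyst has already tuned out as known noise, and groups the rest by the indicator they share so that alerts across several hosts and layers surface as one higher-priority incident rather than as unrelated events. The alert fields, the suppression list and the priority formula are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample alerts as a SIEM might present them (not real telemetry).
ALERTS = [
    {"id": 1, "layer": "network", "host": "ws-17", "indicator": "203.0.113.9", "msg": "outbound to flagged IP"},
    {"id": 2, "layer": "endpoint", "host": "ws-17", "indicator": "203.0.113.9", "msg": "suspicious process beaconing"},
    {"id": 3, "layer": "identity", "host": "ws-42", "indicator": "203.0.113.9", "msg": "login from unusual IP"},
    {"id": 4, "layer": "network", "host": "ws-08", "indicator": "198.51.100.2", "msg": "outbound to flagged IP"},
    {"id": 5, "layer": "application", "host": "ws-08", "indicator": "198.51.100.2", "msg": "web app error burst"},
    {"id": 6, "layer": "network", "host": "srv-01", "indicator": "192.0.2.7", "msg": "port scan from internal host"},
]

# Tuning: (layer, indicator) pairs an analyst has classified as known-benign,
# e.g. the in-house vulnerability scanner. Assumed for the example.
SUPPRESS = {("network", "192.0.2.7")}


def triage(alerts, suppress):
    """Drop tuned-out noise, then correlate remaining alerts by shared indicator.

    Returns (incidents, dropped_ids). Each incident records which alerts, layers
    and hosts it spans; priority grows with both breadth of layers and number of
    hosts, and an indicator seen on more than one host is flagged as a campaign.
    """
    groups = defaultdict(list)
    dropped = []
    for alert in alerts:
        if (alert["layer"], alert["indicator"]) in suppress:
            dropped.append(alert["id"])  # classified noise: skip, don't investigate
            continue
        groups[alert["indicator"]].append(alert)

    incidents = []
    for indicator, items in groups.items():
        layers = sorted({a["layer"] for a in items})
        hosts = sorted({a["host"] for a in items})
        incidents.append({
            "indicator": indicator,
            "alert_ids": [a["id"] for a in items],
            "layers": layers,
            "hosts": hosts,
            "priority": len(layers) * len(hosts),
            "campaign": len(hosts) > 1,
        })
    # Highest-priority incident first, so the analyst's queue is ordered for them.
    incidents.sort(key=lambda inc: inc["priority"], reverse=True)
    return incidents, dropped


if __name__ == "__main__":
    for inc in triage(ALERTS, SUPPRESS)[0]:
        print(inc)
```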
But again, I'll say to you, I think this is a fascinating area; it's one that is constantly moving. If you like a challenge, if you like hard problems, this is a good place to work. I hope you find the information in this course useful.