July 14, 2020 Stories from the field
Suzanne Moore

How a successful security architect is modernizing defenses

Joshua Sitta is helping organizations move beyond the status quo to discover new solutions. His inspiration? An ancient blacksmith.

In every profession, there are people who follow the status quo, carefully emulating what has been done before, never questioning if there is a better way. And then, there are the others. They are the people who break the mold, ask questions, and look for new and better ways to solve old problems.

Joshua Sitta falls squarely in the latter camp. At first it’s a bit surprising. After all, much of his experience as an information security leader comes from working in what is arguably the world’s most highly regulated industry: finance and banking. Many would say that if anything can crush forward-thinking security programs, it’s compliance regulations. He recently told Red Canary:

“So often in cybersecurity, particularly in banking, you hear something can’t be done. A new idea is met with disapproval because people can’t get comfortable. Security becomes a stop sign department. I’ve always worked in heavily regulated environments: HIPAA, FISMA, FERPA, GLBA, PCI, you name it. Regulatory mandates are often very stagnant. All of them will set specific goals and ask you to compare solutions to meet often outdated guidelines.

As a result, it’s 2020 and you’re still answering questions like ‘What are you doing about the firewall or antivirus?’ Whatever’s left over in the budget at the end of the day is your little area to lead in security strategy, and that’s my favorite part. I’ve always been driven to solve hard problems and look for ways to do things differently.”

Joshua Sitta ponders the future of cybersecurity while visiting a college campus. He participates in a variety of programs to encourage IT students and at-risk kids to pursue careers in cyber.

Learning from historical changemakers

How does an enterprise security leader who spends his days navigating compliance and banking regulations develop a penchant for breaking the mold? It started in the unlikeliest places: the days of knights.

“My first love was medieval warfare. As a child, I would lose hours—days even—with my nose in an old history text. I remember diving deep into ancient weaponry, which no doubt inspired my affection for learning all I can about the TTPs of cybercriminals today. I’d daydream about whether I would rather hold a sword or spear defending my village. It wasn’t long before reality set in. I wasn’t a knight: I was the little guy in the corner holding a history book. No village looks to the scrawniest fifth grader as a battle champion.”

When Joshua realized he was unlikely to realize his dreams of knighthood, he quickly switched his attention from Sir Galahad to the nameless tradesmen who created the weapons he was so fascinated by. Unfortunately, his studies about blacksmiths proved to be far more boring. Most blacksmiths were not very bold or innovative, content to simply learn and emulate the tools and techniques used by their peers.

Then he stumbled upon a name that stood out amongst all the other historical fiction he was reading: Ulfberht.

“Swords created by Ulfberht seemed almost mythic, as they were lighter and stronger and sharper than everything else on the battlefield. Ulfberht was doing something different. One of the tales from my books describes the Vikings descending upon the blacksmith while he was still at work in his forge. This would have been certain doom for any other blacksmith, but not Ulfberht. Because he wasn’t held back by the practices of his peers, the Vikings stood in awe of his craftsmanship. Rather than taking his life and pillaging his storehouse, they declared him a master and invited him to live among them.

For me, the story of Ulfberht is much bigger than swords and swordsmiths. It’s about being driven to break through the status quo and solve challenges more effectively than The Next Guy.”

To this day, Joshua keeps an Ulfberht sword in his office to remind himself and his colleagues to keep striving to do things better.

Finding new solutions to old problems

Joshua has leveraged his experience as the Director of Enterprise Security Architecture at a thriving $35 billion financial institution to assist organizations of all sizes with cybersecurity needs.

“I started out as the Information Security Manager and made all the decisions related to business continuity and information security—from choosing the tools to training the talent. I was the one weaving the security fabric for the organization: the techniques we used to block bad guys, workflows, and what vendors we chose.”

As the bank grew, Joshua’s daily responsibilities shifted.

“I went from being the one who blocked threats and handled compromises, to talking with various business owners about response plans. Meeting with different departments and explaining why you need to bring a server offline or shut down a workstation can be very time-consuming distractions from incident response. I always looked at it as: I’m here to block and tackle conflicting perspectives so the rest of the team can focus on performing the technical work and go toe-to-toe with a compromise.”

Joshua compares the needs of a modern security program with those of an ancient blacksmith. There will always be constraints: availability of resources, effectiveness of tools, and skill of workers. Finding ways to best leverage the resources at your disposal to defend your organization is where the opportunity for innovation comes in. One step forward is looking beyond peer comparisons and prevention tools to build new strategies.

“When cybersecurity decision-makers build their security strategy, one of the first questions many of us ask is: What are my peers doing? It’s very similar to the way blacksmiths emulated their peers back in the Dark Ages.”

Joshua explains that, while peer comparisons are an important data point to consider, they should not be the most important thing—especially considering how much has changed since then.

“Back in the 1990s, antivirus and firewalls were our main focus in cybersecurity. These were the best tools we had. As organizations grew in maturity, they continued to ask about the security stack of their peers, creating a stale feedback loop. If you’re simply comparing brands of antivirus, you’re missing the mark. Antivirus and firewall are no longer the pillars of the security temple. We limit ourselves if we strive to meet that status quo.”

Sittadel: a new venture

It’s this quest for building new defense strategies that led Joshua to form Sittadel, an independent consulting group. The organization views itself as a cybersecurity servanthood that aims to beat the expectations on how valuable an IT firm can be.

“Business owners are used to cybersecurity folks that stand in the way of changes to business over time. At Sittadel, we try to avoid being in the approver or disapprover role, replacing ‘no’ with ‘In order to accomplish that…’ We want to empower business owners with a security strategy that’s as flexible as their business. If new business demands require a cybersecurity strategy that would exceed budget or scope, we’ll serve up that information as well. But we’re committed to helping organizations understand the different ways to solve their challenges so they can make an informed decision about what’s best for business.”

Flexible cybersecurity strategies proved to be critical during the global pandemic response to COVID-19. Organizations that previously enjoyed the protection of maintaining operations over the local area network (LAN) and retaining data on-premises were forced into cloud migrations, a critical move to assure continuity of operations.

“Among all the lessons COVID has taught us, we learned that we can’t rely on a central network appliance to inspect our traffic. We’re increasingly leveraging the cloud and business processes have already evolved beyond the scope of our traditional security perimeter. The modern village needs a modern strategy with modern tools.”

Joshua sees the shift from the “prevent breach” model toward the “assume breach” model as an important step forward. That includes moving beyond perimeter security and toward more modern approaches like endpoint detection and response (EDR) and managed detection and response (MDR).

“Perimeter security alone is antiquated. It’s an important cog in the machine, but reports show that it’s out the window when the employees you support routinely escort the attacker right into your ecosystem with phishing emails, drive-by downloads, or any other number of threat scenarios.

It’s up to us to reprioritize the security stack around today’s most effective tools. How would our programs be different if we designed our strategy around EDR and MDR? Where can we reallocate resources?”

In every generation, there are sparks of change. These sparks are created by people who break the mold and push to advance their craft, whether it’s with their hands, hearts, or minds. Yesterday, a blacksmith whose artistry startled his enemies so much they revered him. Today, a security architect who forges new paths where others see walls. Tomorrow? None of us can know.

But as Joshua Sitta works to empower businesses with new and innovative defense strategies, one thing is certain: Ulfberht would be proud.

 
