At this year’s Black Hat USA conference, Rohan Singla, ChargePoint’s Director of Cybersecurity and Privacy, sat down with us for a fireside chat. As a security executive with a breadth of experience, Rohan has been privy to the trends, changes, and ongoing struggles of the industry over the past several years. Now at ChargePoint, Rohan must navigate the security challenges that come from running a complex network of tens of thousands of charging stations, serving millions of electric vehicle owners worldwide.
Over the course of the conversation, he discussed his approaches, experiences, and challenges in security operations, both at ChargePoint and over his security career. Read on to learn our 5 key takeaways from the discussion.
Security Data Lakes are a game changer
Before deploying Hunters, Rohan had specifically searched for a solution that would run on top of ChargePoint’s data lake. With their previous SIEM, ChargePoint found that they had little control over the storage and retention of their data. When their security data was stored by the SIEM vendor, it was a challenge to take back ownership of the data, often involving high costs and red tape.
In Rohan’s words: “Some organizations have a good data retention or data disposal policy, but most don't and they end up retaining data forever, including customer data. This is a big pain point from both a cost perspective and a management perspective.”
Another advantage is the ease of ingesting data sources into the SOC Platform.
“Historically, if you’ve worked with SIEM tools, you've had to write a custom connector, but the industry has evolved so much and we are a cloud-first company... If you can find tools to ingest the data, that makes life easy for us. And we don't have to write custom connectors, or wait for the vendor to write a custom connector.”
When the integration with a data lake is built into the product, the burden of data ingestion, which is often needlessly complicated, is offloaded from the security team. Instead, analysts and engineers are free to focus on investigating the threats that are unique to your organization.
“When, not if” mentality is counterproductive
If you’re in the security industry, you’ve probably heard some version of the phrase, “it’s not a question of if, it’s a question of when,” when it comes to being breached. The intended implication is that every organization can expect to be breached at one point or another, so building an effective cybersecurity program is a worthwhile investment. But over time, some security teams have taken this concept to mean something very different - that there’s no use in trying to detect and prevent attacks, and all efforts should go towards response.
“The SOC is more of a detection monitoring tool for most organizations, but we are trying to use our SOC team more as a preventative control.”
At ChargePoint, they’ve adopted a proactive, rather than a reactive, approach to security operations. By using their SOC Platform as a threat hunting tool, the team has the ability to actively search for traces of past or present attacks in the environment. The SOC team is able to ingest security telemetry across the entire attack surface, and easily investigate it over a single pane of glass. This way, they can focus on preventing a breach from happening, rather than resorting immediately to forensic and remediation activities.
Automation is crucial in today’s employment landscape
It's no secret that there's a serious talent gap in cybersecurity. SOCs notoriously struggle with high turnover rates as analysts move to higher paying roles in large companies or more senior positions, with no one to replace them. Summer is an especially difficult time, with many employees on vacation at once often resulting in teams being understaffed and overworked.
“Say I have a three person SOC team, and two of them go on leave. Now I just have one person and so many alerts coming in… That is where automation needs to come in.”
In the security industry, automation is often discussed in terms of SOAR or incident response. But limiting the discussion to these topics prevents security teams from experiencing the full power of security automation. Introducing automation earlier on in the SOC workflow, whether in data ingestion and processing, threat detection, or alert triage, can ease the burden on human resources. For example, a platform that includes detection content out-of-the-box, which is continuously updated in response to new threats and vulnerabilities, will ease the strain on existing detection engineers, and prevent the need for any external detection services. Of course, every SOC needs humans to run. But automation is the safety net that allows the show to go on when your organization is understaffed, or having trouble hiring and retaining personnel.
Where automation falls short, the right experts can fill the gap
In a constantly evolving threat landscape, an effective SOC Platform relies on the people developing it to constantly adapt to new vulnerabilities. Whether it’s writing new threat detection rules or developing new machine learning models for more accurate alert prioritization, humans are the engine behind automation.
“We can't automate everything, which brings us back to our team: how good is the team to understand these alerts? And then look to our partners to help us reduce false positives, fine tune the platform and reduce the noise.”
But beyond the product itself, professional services can provide significant added value. One way is through providing rapid investigations of customer environments whenever a large-scale campaign or widespread vulnerability is discovered. Another is with on-demand investigations to individual customers in the event that an incident occurs. In the most critical and uncertain moments, it’s a huge relief to know there’s a team who’s got your back.
When evaluating security tools, look beyond the technology
No two environments are exactly the same, and this is especially true for ChargePoint. Running thousands of physical charging stations, ChargePoint must consider OT (operational technology) security as a critical part of their overall strategy. ChargePoint’s unique use case is one of the reasons why, for Singla, it’s important to work with a vendor that gives customers a voice, and works with them to mature the product in the right direction.
“It's about finding the right partner… One key thing for me when I choose a product is what their roadmap is, and I want to talk to their product team. How passionate are they? It's not all about just buying what you're buying today. If you look at the Gartner magic quadrant, the top right over there - some of those tools haven't evolved. They were big back then, but they haven't evolved.”
For the full conversation with Rohan Singla, view the recording here: