Chevron is driving data science and other “emerging technology” deeper into its IT security operations as it tries to mitigate threats that exploit growing automation in the resources sector.

But the oil giant’s security strategy and emerging technologies lead Gretchen Myers told the RSA Conference that “dynamic conversations” with security operations teams “around how to bring in those emerging technologies into their day-to-day operations” are “an ongoing battle”.
“We know that there’s a lot of innovation happening in the security space right now, particularly around things like cloud security, IoT and emerging threats coming at us,” Myers said.
“Security operations teams are so overwhelmed with alert fatigue and all the activities needed just to keep up with today’s reality.
“But we have to figure out [how to have] the conversation of getting emerging tech into the operations environment.”
Myers said it was important to convince operations to adopt new IT and infosec strategies in order to combat the severity of the threat posed by bad actors to Chevron’s critical infrastructure.
“The stakes keep getting higher,” she said.
“Ten or 15 years ago what we really cared about was whether somebody could get into the network and look around.
“But over the last decade the threats have evolved to data exfiltration and trying to do things that compromise our network.
“As we move into the future, particularly in industries that have a heavy automation component, [attackers will] be looking to have physical impacts. For example, an oil slick is representative of the type of cyber threat to the oil and gas industry where someone could cause an industrial accident.
“These are very real cyber threats that if they are not real today, are on the horizon of becoming real very soon.”
One way Myers’ team has been able to get operations to try emerging technologies has been to co-opt a process used by engineers to qualify operational technology (OT) for production deployments.
The technology qualification process (TQP) is “a licensed process that comes out of the oilfield engineering side” of the organisation, Myers said.
“We’ve taken the same process and brought it into the cyber and IT function. The fundamentals here still make sense.”
Using TQP to qualify the production readiness of IT as well as OT meant a “common language” for the adoption of technology was effectively established.
“The qualification plan isn’t going to test every aspect of the technology. It’s designed to test specific things that you have questions about: Does it work as anticipated? Does it work in my environment?” Myers said.
“[But] this process means a lot to operations.
“It gives you a way to say, ‘We’ve done everything we can. We’re ready to do some field testing, are you ready to give us the time to solve the problem?’
“It changes the dynamic of the conversation and gives you a way in.”
Myers said her team had used TQP successfully to get two major initiatives over the line with operations.
Turning logs over to data scientists
Though Chevron has about a decade of data science under its belt, Myers said there was an opportunity to bring data science into the company’s infosec operations to tackle the “incredible volumes of log data coming into the cybersecurity space”.
“We’ve spent the last few years taking what was interesting ideas in the research lab and turning them into a production data science environment,” she said.
“We actually have data scientists that are sitting in our security operations team [now] who are an active part of our response today.”
Myers said the introduction of data science to infosec was achieved with a “standard stepping through” of the TQP.
“Instead of it being simply about the maturity of the [data science] technology, it was also about the maturity of Chevron’s ability to take advantage of it,” Myers said.
Stepping through the TQP with Chevron’s engineers gave the team “a pretty good idea of what we thought” data science in infosec “should look like”. That in turn helped in architecting the data science and advanced analytics platform, “solidifying and operationalising” it, and developing internal skills.
The capability is live but still being refined.
“Have we had measurable results in the data science space where we detected an incident and responded appropriately? Yes and no,” Myers said.
“That aspect is still very much in the prototype stage.”
She predicted data science would lead in threat identification and response sometime in the next “12-18 months”.
In the meantime, the company is working to iron out any kinks that prevent them from achieving their full capability.
As others who have gone down the data science path have also observed, data quality can be an issue.
“A simple problem for us is that not all of our servers are configured to use UTC as their timezone, so when we’re trying to correlate logs across a global environment the data scientists have to spend a lot of time actually normalising that data simply for timezones to make sure they’re following the data sequentially,” Myers said.
“That’s a big bottleneck that takes time. Part of the reason why the data scientists are a little behind on the cyber learning curve is because they spend so much time on the data.”
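The timezone problem Myers describes, sketched as an added example that is not Chevron's code or part of the original article. The host names, UTC offsets and log lines are constructed, and a fixed-offset table stands in for a real host-to-timezone inventory.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory (assumption): UTC offset in hours that each host's
# clock is configured with. A real inventory would also have to track DST.
HOST_UTC_OFFSET = {"hou-web01": -6, "per-db02": 8, "lon-app03": 0}

# Constructed sample lines: "<local date> <local time> <host> <message>"
SAMPLE_LOGS = """\
2024-01-15 04:02:10 hou-web01 login failed user=svc_backup
2024-01-15 18:01:45 per-db02 bulk export started by svc_backup
2024-01-15 09:59:30 lon-app03 login ok user=svc_backup
2024-01-15 10:05:00 unk-host09 outbound transfer 4.2GB
""".splitlines()


def parse_line(line):
    """Split a line into (naive local datetime, host, message)."""
    date, clock, host, message = line.split(" ", 3)
    local = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return local, host, message


def normalise(lines, offsets=HOST_UTC_OFFSET):
    """Return (events sorted by UTC time, lines that could not be placed)."""
    timeline, unplaced = [], []
    for line in lines:
        local, host, message = parse_line(line)
        if host not in offsets:
            # Never guess a zone: a wrong offset silently reorders events.
            unplaced.append(line)
            continue
        tz = timezone(timedelta(hours=offsets[host]))
        utc = local.replace(tzinfo=tz).astimezone(timezone.utc)
        timeline.append((utc, host, message))
    timeline.sort(key=lambda event: event[0])
    return timeline, unplaced


def naive_order(lines):
    """Host order produced by sorting on the raw local timestamps."""
    return [parse_line(line)[1] for line in sorted(lines)]


if __name__ == "__main__":
    events, unplaced = normalise(SAMPLE_LOGS)
    for utc, host, message in events:
        print(utc.isoformat(), host, message)
    print("needs timezone before correlation:", unplaced)
```

Sorting the raw timestamps puts the failed login first, while the UTC timeline shows it happening after the successful login and the export; the host missing from the inventory is held back rather than slotted in at a guessed time.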
Cloud security
Myers also revealed Chevron had used TQP to introduce security policy enforcement over cloud services.
Like many other organisations, Chevron found its business units adopting cloud services and decided there needed to be some central oversight and policy enforcement to reduce risk exposure.
Myers said she used TQP to shortlist and eventually select a cloud access security broker (CASB) product – ultimately landing on Netskope – although the activity occurred “at a much faster pace” than the data science initiative.
The pace of the two projects was a by-product of their respective purposes.
“With cloud security we had a very specific problem - go find out what’s happening and tell me how bad it is,” Myers said.
“Advanced analytics was an opportunity. The emergence of thinking around data science we know will play a role in transforming how we think about security going forward. How will Chevron think about that going forward? How does Chevron take advantage of that?”
The urgency around the cloud security initiative allowed the company to act faster, which Myers sees as a benefit in her domain.
“When you’re moving that quickly through emerging technology, some decisions are going to be made on the fly and probably without all the information you’d like to have,” Myers noted.
“But that’s a good thing because in a company like Chevron we can have ‘analysis paralysis’ for long stretches of time.
“What’s important about that decision process is to make sure you’ve documented them so if you need to unwind them you know what the justification was [for them].”
Ry Crozier attended RSA Conference in San Francisco as a guest of RSA.