Ritchie Bros AI-driven cybersecurity SOC development journey

Guy Dulberger, CISO of RB Global, takes us on the company’s cybersecurity SOC development and AI integration journey, tackling staffing and mental health

How does one portray the importance of cybersecurity? Evidence recently puts the Chief Information Security Officer (CISO) role at the top of any organisation, but, back in the day, building trust in the need for cybersecurity professionals and teams was a matter of communicating and showcasing the problems in industry.

As we’ve seen in the employment landscape today, the market for cybersecurity professionals has grown significantly as the digital landscape evolves, but more and more pressing threats emerge. For a traditional group like RB Global, the considerations to be made are often foreign to a business, which can seem like a more significant shift than among later-founded companies.

RB Global, Inc. operates as the parent organisation to a long list of brands, namely, Ritchie Bros., IAA, SmartEquip, Rouse, VeriTread and Xcira. Talking on behalf of Ritchie Bros. specifically, and its cybersecurity transformation journey, is CISO Guy Dulberger who has been with the company for over six years now—he is responsible for all security functions of the entire brand of companies. This is not only a key role for business functions, but protects its near 8,000-strong workforces, who also represent a large portion of the company’s cyber entry points.

Assessing the digital landscape and workforce’s cyber capacity

When he joined the company, Ritchie Bros. was at a pivotal point, whereby the company saw a number of queries from its customers about hoax emails that were seemingly threatening their businesses. Having leapt into his role at the company, Dulberger quickly found himself in the deep end, managing real-life problems.

“I came in and figured out ‘this is the critical strategy point for us’. My strategy involved looking from the outside in at where the largest part of our attack footprint was. I started getting into the walls and figuring out from there what other controls were needed,” says Dulberger.

“But, at least if we start by tackling the larger threats, which are things like phishing, we are able to make sure that we have a proper endpoint detection response (EDR) tool to be able to isolate systems and respond in time—that will buy us a little bit of time to start looking into other areas.”

This is very much where the cybersecurity journey of Ritchie Bros. really began as Dulberger formed a strategy to tackle the most imminent threats to the company and its clients. In doing so, he was able to knock off some of the more challenging problems at the beginning leaving room to automate processes once the storm was settled.

“We’ve automated a lot of the analysts’ time now—with 90% of the automation just responding to phishing. We figured out how we can automate that, by bringing in an enterprise-grade tool that helps a lot without having to re-invent something or start building our own,” says Dulberger.

Turning attention to skills and leadership

The landscape for cybersecurity personnel is very sparse with a lot of demand for newly qualified professionals to come into the industry. Recognising the importance of expertise in security of the business’s operations, Ritchie Bros. focused on building a suitable team to manage its in-house security operations centre (SOC).

“As we were putting a proof of concept into place and building the solution or program, we then brought in the right people to be able to sustain and manage it. So, fast-forward to today we have about 30 people on our team, including contractors, which is pretty amazing,” says Dulberger.

“We just try to figure out how we can expand our model so that we continue to grow the team, but then also grow our portfolio. We manage everything. We don’t outsource any of our security tools.”

It’s safe to say he’s a man driven by the growth of the team and the success of the company as a result. Many of the ways in which he talks about growth are profoundly focused on the team that Dulberger has around him. More importantly, he has seen the team grow from strength to strength, many of them building their careers within the company. A testament to the leadership strategy of the business.

“My first security analyst is now a senior manager. It’s cool to see the progression of some people that have been with me since the beginning and also giving people career opportunities. I think it's great offering the ability to grow,” Dulberger explains.

“It's interesting because I think a security analyst coming into our environment today, within probably six months, can learn more than they would anywhere else because we try to keep an open structure where people have access to a lot of different things without necessarily being an expert in that field.”

Part of this is the way that Ritchie Bros. operates, providing its cybersecurity analysts with an openness to go beyond their roles.

“We give them the right type of access based on the trust level, but it doesn’t stop them from trying to understand something else. If they’re working on EDR, they can incorporate vulnerability management and see how that tool works. If they want to look into architecture, they can do that as well. We try to keep an open forum. Teams meet on a weekly basis and talk about everything transparently.”

Much of this is to credit for the success of the company’s cybersecurity transformation. Recognising the constant work involved in securing the business’s digital landscape, Dulberger and his team sustain their efforts to expand the capabilities of Ritchie Bros.’ infrastructure in line with business needs.

Working alongside consultants also gave the cyber team the edge it needed to think expertly about the way it solves problems. Having worked with one of the big four consultancies, the team’s outlook on cybersecurity has been further aligned with the business rather than aiming to build a ‘Fort Knox’.

Building an internal security operations centre

“Because we manage all of our security tools in house. Just because you worked somewhere else as a Tier One analyst doesn't mean that you have to get pigeonholed into one area and get stuck there,” says Dulberger.

The team at Ritchie Bros. is unique in that there is no formal tier system for managing cybersecurity threats. As explained by Dulberger, the team operates on a single tier with some members more experienced than others. The idea being that there is always someone within that group in the SOC that is capable of investigating and dealing with an incident.

Through the company’s strategic approach of enriching the skill sets of its employees, it is able to manage cybersecurity in this way and analysts are capable of dealing with problems from the point of interception to overcoming that challenge.

“We have some more senior analysts that can come in and support. I think that’s one of the advantages. I think understanding the business is probably key because there are certain technologies that have a higher rate of false positives where SIEM are probably going away at some point, but as of today, they’re still not perfect to fully rely on” says Dulberger.

Bringing AI to handle compliance

Of course it wouldn’t be a modern cybersecurity conversation without touching upon artificial intelligence (AI) and its input into a more reputable security network. One of the ways in which Ritchie Bros. leverages the technology allows for greater action in terms of compliance, but also supports machine learning (ML) in long-term functions.

“It's one of those necessary evils, right? Without compliance and regulation, there will be chaos. But I think there are certain regulations that hinder the business a bit. It's painful in some cases, and not everybody's doing a good job, from an auditing perspective, to understand your business and map the regulatory requirements to it,” Dulberger says.

“On the flip side, it helps drive projects and programs sometimes. I think that our company rarely says no to stuff when it comes to security, but I've talked to other CISOs when they're like, ‘oh, we have a hard time getting budgets’.”

Bringing AI and machine learning into the mix, Dulberger debunks the idea that AI is the silver bullet of cybersecurity, and in fact ML is the key technology for actioning likely causes of disruption. Working with ML means removing certain tasks from the hands of analysts and ensuring that anything recognisable is actioned much faster.

“A lot of the providers we use have baked in AI capabilities. Now, I'll be frank, some are better than others. A lot of the time people confuse machine learning with AI. In our industry, there's a lot more ML today that's more mature than the AI because ML studies patterns that happened and can detect it as such or it knows that, if something happened, you flag or action it.”

“Say you see an indication of compromise, you can then write a blocking rule that will send it to firewalls and other systems to be able to block it. That's just ML. To me, it's not really about AI. AI looks into things like if an analyst were to investigate something, can they make sense of it and can they write up a root cause summary of what happened with prescriptive action on remediation tasks.”

Bringing in the partner ecosystem, Dulberger divulges the role of Crowdstrike as part of its cybersecurity function. Leveraging the company’s technologies, including a portion of its EDR system, which he explains is a robust product that has integrated well with Ritchie Bros.’, and now RB Global’s SOC.

“It’s a really robust product in terms of power to detect, its response, and the ability to see anomalous activity. Crowdstrike supplies one of the first next-gen antivirus replacements moving away from signature-based to behaviour-based, as a result and adaptation to the newest attack threat actors and methodology.”

The problem of mental health among CISOs

To manage the evolution of a corporate SOC that brings the gap between two fast-paced environments, the stress is on to ensure that the business is safe, customer operations are protected, and in-house teams are supported. Such a large amount of pressure can take its toll on anyone, but, in this instance as the CISO, Dulberger cites mental health as a key concern of his. As he understands firsthand the impacts that trauma and challenge can have on an individual, mental health is close to his heart as a person, and as a leader.

Facilitating all of the changes, delivering an in-house SOC, around-the-clock cybersecurity coverage for the business, this can all be strenuous on personnel, especially the person leading such an endeavour.

“You should always stop when you feel almost at wit's end and be able to look back and say, ‘okay, what have I accomplished up until now? Have I made a difference? Is there anything positive I can look back to?’ That's what I tell my team too. They always have a tendency to look into things and say, ‘oh my God!, we have so much work to do . This is not secure. That is still a risk. What are we doing for this? We don’t have enough time’.”

What Dulberger is alluding to here is the overwhelming nature of cybersecurity, which can take its toll on team members that are unable to compartmentalise their work. Work-life balance is also key here to ensure that not only are analysts healthy and happy, but also are able to bring their best selves to the business environment.

Make sure you check out the latest edition of Cyber Magazine and also sign up to our global conference series - Tech & AI LIVE 2024

**************

Cyber Magazine is a BizClik brand