Monday, August 1, 2022

Researcher Spotlight: You should have been listening to Lurene Grenier years ago

The exploit researcher recently rejoined Talos after starting her career with the company’s predecessor 

By Jonathan Munshaw. 

Lurene Grenier says state-sponsored threat actors keep her up at night, even after years of studying and following them.  

She’s spent her security career warning people that this was going to be a problem. 

Today if someone is compromised by a well-funded, state-sponsored actor, she is concerned but doesn’t necessarily feel sorry. After all, she’s been warning the security community about this for years. 

“You think about the phrase ‘fool me once, shame on you...’ Five years ago if we had this discussion and you were hit with an attack, you’d think ‘shame on China,’” she said. “Today, if we have that discussion about why you were hit, it’s shame on us.” 

Grenier has spent her career looking at state-sponsored actor trends and writing detection content to block those actors.

She was one of the first members of the smaller research staff at the Sourcefire Vulnerability Research Team (VRT), which eventually merged with a few other teams to form Talos. Matt Watchinski, who is now the vice president of Talos, initially hired Grenier as a vulnerability exploit researcher, doing the job that more than a dozen people do today for Talos. 

Grenier looked at vulnerability details for regular patch cycles like Microsoft Patch Tuesday and wrote her own exploit code for the vulnerabilities, which eventually fed into detection content that would block attackers’ attempts to target these issues in the wild. She grew with VRT, eventually overseeing the Analyst Team, which today is the main producer of detection content for Cisco Secure products and Snort.  

She eventually took a few other paths on her security journey outside of Cisco and Talos, but recently rejoined Talos as a special advisor to Watchinski, studying state-sponsored actors and major attacker trends using Talos’ data and telemetry.  

“My main directive is to come up with plans for this mountain of data that we have,” Grenier said. “I look at the data that we do have and see what outcomes for customers we can achieve with it. Can we create something like a semi-autonomous mediation plan when there is a breach? Can we track actors in a more granular manner so we can match them with what we’ve seen in the past?” 

Even during her time away from Talos, Grenier never lost connection, speaking at two Talos Threat Research Summits that were a part of Cisco Live. In 2018, she even gave a presentation on how organizations were not taking threats from state-sponsored actors seriously enough and warned about the theft of intellectual property. Some of the same techniques and actors she warned about in that talk resurfaced earlier this year in a warning from federal agencies in the U.S. and the U.K., stating that Chinese state-sponsored actors were stealing important IP and creating fraudulent “tech transfer” agreements. 

While Grenier still tracks these same actors daily, she views their activity as more of an inevitability that's going to produce the worst-case scenario rather than anything that can be avoided at this point. 

“It’s like earthquakes or famine, it’s really just horrible,” she said. 

At this point, Grenier is focusing her work on how to make attacks as costly as possible for the adversary, rather than trying to avoid them altogether. If her research can help even slow down an actor for a bit or cost them more resources when they go to attack again, that’s a small victory to build off. 

“People have to see the cost of these breaches,” she said. “And they’re not going to see the inflection point for a while now, but it will eventually become very obvious.” 

Although she spent several years away from Talos, coming back to the organization (a few hundred more researchers later) was easy for Grenier because the company culture fostered at Sourcefire carries over today with leadership. Grenier said she most enjoys the “work smart, play hard” attitude, where she recognizes there will be some late nights and long days, but it will never be wasteful work. She also enjoys the work-life balance that her current remote role offers her and the flexibility to try new things and explore new research avenues.  

A lot of the security community, she said, is focused on selling solutions that are “plug and play” for the end user. But the difference with Talos is that our research informs users and administrators deploying Cisco Secure solutions so they understand the broader context of what our intelligence means. 

“We’re not just selling it to people who don’t understand what they’re doing in the first place,” she said. “The focus here is on doing real, impactful work, and not just thinking ‘Oh what can we do for this threat?’ At Talos, you’ll also be asked to engage your brain to do the useful thing, the thing that ought to happen.” 

Grenier tries to engage her brain in all sorts of ways even when she’s not at her desk. She enjoys playing music in her free time, specifically jazz-influenced blues music. The fast-paced, free-formed genre ties into the learning and reaction she must do in the moment as new state-sponsored actors develop new tactics and techniques. Just don’t expect her to be sharing any of these insights on Twitter any time soon. 

“Social media is the biggest mistake we have ever made,” she said.  

Fans will just have to look for Lurene at the next Talos Threat Research Summit for her next five-year prognostication, then.  
