by Mandatum 1508 days ago
Salesforce has been unable to attract or retain security talent. When they acquire a company, they close down the department that does security for that company - and then move everyone into the Salesforce Trust team. Unlike engineering who they typically leave alone (unless they're integrating or rebranding).

In doing so, they typically lose everyone who set up the SIEM and runs the SecOps center. Everything "security" ends up looking the same.

They don't pay well; executives have pulled talks and fired speakers who do things they disagree with (the same executives are promoted and remain there - no accountability); they've got a pretty bad rap within the industry.


Let's assume that prior to acquisition, Heroku sec had set up a very secure posture using such tech. Then they lost most of their experienced people after acquisition.

Some questions:

1) Are these technologies not enough to enable others - perhaps less experienced, or experienced but not on a particular product - to take over while maintaining the same posture?

2) What kind of additional (perhaps intangible) security does an experienced team add to the posture that gets lost when they leave?

3) As I understand them, things like risk frameworks, NIST CSF, security assessments are all supposed to anticipate people problems (resignations, malicious insiders, etc) and make the posture as independent of them as possible, probably relying on automated tools like XDR and SOAR to do their thing regardless of who's sitting at the console. Does it not work like that in reality?

Btw, thank you for your reply and insights (and to everyone else who replies)! Pardon my probably naive questions. I'm an outsider looking in and having trouble understanding this phenomenon of data breaches in the face of all the tech marketing.

Fundamentally, a security analyst authors detections, reviews surfaced alerts, or identifies hypotheses to investigate. In the case of reviewing surfaced alerts (the firing of a detection which may or may not be authored by the security team), differentiating true positives from false positives is subtle and often requires context or further digging. Of course, this requires time, which costs money, so you can imagine the tension there.

This process can often be subtle, and difficult to automate. In many cases, the issue is automating the economical delivery of enough context to the deciding function that a clean choice can be made. However, even with enough context, and enough documentation, escalating vs suppressing an alert can often be a judgment call. Humans are meat-based pattern matchers, and a decade's worth of "ML" and "AI" advancements are still not sufficiently precise (precision as opposed to recall) to filter out "things that look bad" from "things that are bad, for our specific environment"; that knowledge still lies with the security team.

Only the slides are available, but the presentation "AI is Not Magic: Machine Learning for Network Security" at CMU's FloCon in 2020 was about this: https://resources.sei.cmu.edu/library/asset-view.cfm?assetid...
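The precision-versus-recall tension described in the comment above, as an added example (not from the comment author or any vendor): a generic detection over constructed events, then the same rule suppressed by hypothetical environment context, scored against ground-truth labels that exist only in this constructed set.

```python
"""Constructed alert-triage example: context raises precision but can cost recall."""
from dataclasses import dataclass


@dataclass
class Event:
    user: str
    src_host: str
    action: str
    is_malicious: bool  # ground-truth label, known only for this constructed set


# Constructed sample events; the label column exists only to score the detections.
EVENTS = [
    Event("alice", "jump01", "sudo_root", False),        # routine admin work
    Event("bob", "jump02", "sudo_root", False),          # routine admin work
    Event("carol", "laptop-77", "sudo_root", True),      # escalation from a workstation
    Event("dave", "jump01", "read_file", False),
    Event("mallory", "ci-runner-3", "sudo_root", True),  # escalation on a build runner
    Event("mallory", "jump02", "sudo_root", True),       # attacker on a compromised jump host
    Event("erin", "laptop-12", "read_file", False),
]

# Hypothetical environment knowledge that lives with the security team:
# privileged shells from these hosts are expected.
ADMIN_JUMP_HOSTS = {"jump01", "jump02"}


def generic_detection(e: Event) -> bool:
    """Fires on anything that 'looks bad': every root escalation."""
    return e.action == "sudo_root"


def context_aware_detection(e: Event) -> bool:
    """Same rule, suppressed where the environment says it is normal."""
    return generic_detection(e) and e.src_host not in ADMIN_JUMP_HOSTS


def precision_recall(detect, events):
    """Score a detection: precision = TP / fired, recall = TP / all malicious."""
    fired = [e for e in events if detect(e)]
    tp = sum(e.is_malicious for e in fired)
    positives = sum(e.is_malicious for e in events)
    precision = tp / len(fired) if fired else 0.0
    recall = tp / positives if positives else 0.0
    return precision, recall


if __name__ == "__main__":
    for name, rule in (("generic", generic_detection), ("context-aware", context_aware_detection)):
        p, r = precision_recall(rule, EVENTS)
        print(f"{name}: precision={p:.2f} recall={r:.2f}")
```

The allowlist removes the two routine alerts but also hides the attacker on the compromised jump host, which is exactly the judgment call the comment describes.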
indeed, unpalatable
> fired speakers who do things they disagree with

Can you please give an example? I am genuinely curious about what things.

https://tech.slashdot.org/story/17/08/10/1919204/salesforce-.... is probably the most well-known incident. There have been others, though.
Hi Jim Alkove!
He has retired.