Afternoon Cyber Tea with Ann Johnson 5.3.22
Ep 51 | 5.3.22

The Criticality of Cyber Resilience
Ann Johnson: Welcome to "Afternoon Cyber Tea," where we speak with some of the biggest security influencers in the industry about what is shaping the cyber landscape and what should be top of mind for the C-suite and other key security decision-makers. I'm Ann Johnson. And today I'm joined by Tarun Sondhi, who is a principal with KPMG Managed Services, where he leads the cyber managed services across security operations, cyberdefense, strategy, governance and transformation offerings. It's great to have you here, Tarun.

Tarun Sondhi: Thanks, Ann. It's great to be here. 

Ann Johnson: You know, you have such deep expertise in security architecture and infrastructure, identity and access management, cyber ops, incident response, regulatory compliance, and you led the transformation and rebuilding of the security operations center for one of the largest financial services organizations in the world. Also, you've - I understand you've developed disciplined processes in the SOC, such as cyber hunting and user and entity behavioral analytics - what we call UEBA in the industry - monitoring, endpoint detection and response, and security orchestration and automation. You have this amazing breadth of experience, and I'm really excited to have you on the show. So as we think about these programs, then, Tarun, that you've designed, and you've integrated all this actionable threat intelligence and breach response within organizations - I know that several years ago, you also wrote an article for Forbes focused on the five ways to reinforce your company's cyber program. When you think about that article and you think about today's threat landscape, how has your guidance actually changed from then to now?

Tarun Sondhi: Ann, that's a great point. You know, what's interesting is that the spirit of what I wrote eight years ago now is still relevant today, but the problems we face have grown exponentially. The attack surface has become vast, as we see an increase in adoption of things like the Internet of Everything, which has put into motion this hoarding of vast amounts of data that we now store in the cloud all around the world. And our clients are putting a lot more emphasis on SaaS products to shorten their - the return on investments. We're not doing transformation like we used to in the past. Everything is now - not everything, but most things now are available in a SaaS format, which is also causing this constant reevaluation of regulations and compliance frameworks that are constantly evolving.

Tarun Sondhi: Now, our adversaries have kept up with this pace of disruption in the market. Their techniques are becoming a lot more sophisticated. They're super targeted against what they're trying to do, the mission that they have. And they've been able to evade those traditional controls and monitoring instruments that have been in place for a while. And then all the firms that are there attacking don't have the capacity to deal with the volume of threats. They just can't keep up with it. There aren't enough practitioners out there that are available to fill all those jobs. So now with the cloud expansion, as I call it - it's no longer cloud adoption. It's really expansion in the cloud itself. Crypto and blockchain, as the next wave of new innovations that's coming up, have actually deepened that crevasse for an already overworked cyber team.

Tarun Sondhi: So what's really changed in my mind are really kind of three core areas that I hear from our clients, our joint clients. One is that they're looking for greater utility of the smart systems that they're invested in, that share intelligence, with an effective strategy and a set of processes to use those tools that harden their security controls. The second would be they're looking for more native instrumentation that makes extracting heuristics out of these tools into a single apparatus that they can look down on, rather than stitching together 10 different tools, each with its own kind of this Frankenstein that gets built up at the end of the day and having to manage it. They want to spend more time analyzing and having a stronger conviction. When they see some anomalous behavior, they want to be able to react to it. And I think the third is really around driving more automation, making progress towards this - autonomic models that allow systems to self-heal, raise the defense mode, as you will, as they see different activities taking place, malicious activity taking place.

Tarun Sondhi: I'll use KPMG's MDR practice as an example. This issue around alert fatigue - it's still here. It's very prominent. It's a real problem that even I face in operations - and I've faced that throughout my career - is how do I reduce the alert fatigue of my practitioners that are constantly looking at different alerts and trying to manage through it? And I had a single objective. When we decided to introduce a very differentiated offering in the market, in the early stages of the design, where we worked very closely together with the Microsoft Sentinel team, the challenge was how can we use Microsoft Sentinel to deliver the outcomes to our clients in a way that our analysts are using their high cyber IQ and freely exercising their curiosity? Where's the threat? What can we know about the adversary? What do we know about the attributions of that adversary while the routine alerts are automatically convicted and the response actions are automated throughout? So I think the third area that I'm seeing that has changed is really around spending more time on the work that needs this experienced technician rather than spending time waiting to commodity threats, if you will.

Ann Johnson: Yeah, that makes sense. Look. Threats have increased, both the pace of threats and the sophistication of threats. And I think organizations are still struggling with things like automation. And how do they actually gear their really smart humans to be solving the hardest problems and then automate or remediate as much as possible that's below that layer? When you think about that, when you think about how attacks are evolving even right now - right? - what's the one thing that you notice that organizations should be thinking about but that they often overlook because it's just so hard for them to keep pace?

Tarun Sondhi: Most organizations today collect some of - you know, a vast amount of data, like I talked about earlier. And as you think about why they're collecting this information, they're trying to build a better experience for their customers. They're producing targeted goods just in time. They're producing better ads that are a lot more precise toward the audience that they're going after. What comes with that is a responsibility to not only safeguard their own IP but also the data of their customers, their vendors and, not to mention, their own employees.

Tarun Sondhi: So what I find one of the most overlooked items is the data. The data is no longer in one place. It's distributed across hundreds of applications, and it's spawned into new sets of information or even merged with other tools and other data. And probably the most important aspect is it is also shared with third parties. Getting a handle and an effective strategy around the controls and the recovery process is one of the pieces that I see as a high priority that most organizations overlook. They don't really understand or have enough discipline in place to know how this data is being used from the single repository that they assume it's in and where else within the organization it can be used. 

Tarun Sondhi: And I think the second priority is really around this disciplined structure, the approach to continuously test those applications or systems or networks that the data traverses. What are those vulnerabilities that exist in there? And they need to have a really good plan for how they surface these vulnerabilities to the top and then remediate them at the right time, not to mention getting in earlier during the development process of those applications so you make sure you have security as part of your design. This is one area where I've seen almost 300% growth, from the data that I have, in the demand that I'm seeing from my clients - being able to test those applications more continuously is one of the other areas that we see as most overlooked.

Ann Johnson: So as we think about that - right? - the pivot for organizations and their need to actually try to stay ahead of threats - I was reading just this morning, actually, that Jen Easterly made a comment that it's really hard and becoming harder to have a good defensive posture. And, really, what organizations also need to focus on is resilience and recovery, almost - not more so than detection, but almost in a way that's more meaningful and really investing because, as we found, organizations, by the way, are underinvested in operational resilience and maybe very invested in defense.

Ann Johnson: So when you think about that, when you think about the current landscape, when you think about this increase and what we expect to continue to increase in both cybercrime and nation-state effects, you think about a lack of people. You think about everything you just said about automation. Talk to me a little bit about, you know, the MDR service that you offer, the value that your customers see from not just the defense capability but from a response capability. And how does that help them build better operational resilience? 

Tarun Sondhi: Yeah. Look. I sat down with my clients. I've been offering MDR - like SIRs, it's a newly created term, I think about five years ago, known as MDR. But managed security services is something - I've been in the space for 24 years. And so about a year, year and a half ago, I started on this journey to discover, what are the new underserved, unmet market needs? And how are our clients struggling to keep and maintain this complexity of tools, the lack of nativeness that's available within the instruments that they have? They're stitching together, like I mentioned earlier, this Frankenstein of sets of tools to detect and respond. But they don't really talk to each other very well. So they're constantly trying to maintain that.

Tarun Sondhi: And with the new challenges of data sovereignty, the evolution of data boundary laws and data custody laws, we are seeing a heightened awareness and a need to come together. And that's what we went out on a journey to fix. So together with Microsoft, we decided to take on this challenge and look for ways that bring together the disciplines and the different methods our clients are trying to use to build better resiliency and defend their organization. Things like zero trust, digital identity, ATP, Defender for Endpoint - they have these amazing solutions that they have put in place. They've put a lot of money into it. The next step is to be able to get instrumentation out of it, to get insights out of it so that you can shift left. You can start to understand if there are primary indicators of compromise, if an - if adversaries are lurking in the environment.

Tarun Sondhi: This is where instrumentation is really important. Whether you're using the MITRE ATT&CK framework or you're using other types of frameworks to be able to come up with your own model of what shift left means, this is where engineering and management go into place and monitoring goes into place. So we spent that time cracking through this veneer. Detection and response is hard. You can't really bring it together. It still requires humans. We decided to spend energy to maximize the utility of the AI models and building these complex algorithms so you can harvest all that information and shrink it down to the single unit of measure that I am personally obsessed over, which is dwell time. The more we can shrink the dwell time, the better off we're going to be. All these other data points that we talk about - what is our mean time to respond, mean time to detect - those are great operational tools. But I still believe that the real unit of measure is dwell time, and we are obsessed around that dwell time.

Ann Johnson: You know what? I don't disagree with you. Look, the - and time to detection, as you know, varies by geography and varies by sector. But the less time you have someone in your environment, the less harm they can do. It's kind of intuitive, and I explain it to folks in this way: if someone breaks into your house and you're on vacation and you don't know they broke into your house, and they can spend a week in there harvesting whatever they want out of your, you know, out of your goods - that's really meaningful, as opposed to someone who breaks into your house in the middle of the day, the alarm goes off, and the police are there in three minutes. That's how I try to get people to actually conceptualize what dwell time means and the impact it could have in their environments.

Tarun Sondhi: You're spot on. You know, we want to be able to - I think the market is looking for how can we shift the attention of hiring and retaining our top analysts in the industry so that they have - they can use this disciplined structure, this obsession to find elusive threats, use techniques like - such as cyber hunting. But if we don't have the room, the breathing room to be able to do that, and you're stuck in day-to-day mundane tasks that you know you can use the tools for, it's very hard to retain that staff and be able to kind of manage through it.

Ann Johnson: Yeah, exactly. Let's switch for a second. Let's talk about, you know, the place where machine learning and artificial intelligence hopefully are going to help us have a really critical step up - right? - for cybersecurity, because they're going to allow us to look through the trillions of signals that folks get in a day, and they're going to allow us to make some better decisions and also empower automation. How critical do you think it is for companies to invest? And I have another question because, you know, just about - and I'll say this as a vendor - every vendor wants to bill their solutions as the latest in machine learning and AI. So how much should companies be investing, but also, how should they be determining if something is real? What are the key indicators they should be looking for to understand the solution actually works and will work in their environment?

Tarun Sondhi: You know what - when - in the past, when we heard words like AI, machine learning, automation, it sounded like very buzzwordy kind of stuff, right? We heard all kinds of objections, especially in the cybersecurity space, right? Cyber has no defined pattern. Each threat is unique. Each adversary constantly changes their technique and tries to evade normal - the data footprints or the digital footprint that they leave behind, the dust that they leave behind. While some of it is still kind of true, I think we've turned AI automation into reality by fusing together different sources of data that help us inform the AI algorithms much better than we ever did before.

Tarun Sondhi: We talked earlier about, like, this connected device, the Internet of Everything making - organizations are looking for ways to let their employees bring their devices to their firms, work remotely and so on. Let me just take my home as an example. Ten years ago, I had maybe four devices that were connected to my Wi-Fi system. Now, I'm a geek. I'm a technician at heart. I'm a product guy at heart. So I was looking at the data that's coming out of my Wi-Fi system to make sure I don't see any anomalous behavior. I have all kinds of controls put in place. Just this morning, right before our call, I logged on to my system just to kind of check in on it. I have 37 devices in my home that are connected to my Internet. And being able to look through that anomaly one device at a time is just not possible. This is the same challenge an organization has today.

Tarun Sondhi: Now, with their connected systems, if they're feeding the tool, the AI, and they build good algorithms, you want to be able to bring in digital identity information. You want to bring end users or end devices from end to edge, if you will - your cloud system, your SaaS systems, everything - into the machine, and start to hydrate the machine with this intelligence. This is where AI and machine learning will help. It helps you synthesize all this data so much faster than a human can. And we talked earlier about the lack of practitioners. We're not - never going to have enough people to look at this, so why not leverage the tools that have become so much better and can become smarter with more data? In my experience, focusing on, like, SLAs, like I mentioned earlier, those things go out the window. Using AI and machine learning, we can finally bring dwell time down from three-digit days, and I really believe that we can bring it down to two or one as we continue to expand into autonomous systems or autonomic systems that start to self-heal and repair things. And that all will come through the intelligence.

Ann Johnson: Look, it makes a lot of sense. The more we can do self-healing, if you want to call it that, or automated remediation, obviously the better enterprises are going to be, and then they can reduce those security alerts. Speaking of alerts, we went from this mostly-people-working-in-the-office model - not everyone, but mostly people working in the office - to a mostly-people-working-at-home model. And now we're going into this hybrid model. And a lot of organizations I'm talking to talk about how that's really changing the attack surface and their threat vectors. How do you think about making recommendations to organizations now that we're switching to, you know, people going back to the office part time?

Tarun Sondhi: It really is about trying to bring and stitch together all the information that you're getting from the tools, from edge to edge. The seamless work experience that we want our employees, our practitioners, our customers, our third parties to have when they access our data or when we're working with them is to be able to - as much as you can, use the native disciplines, use the native capabilities and drive that deep inspection of the jobs of our skilled technicians who are on a day-to-day basis trying to figure out all this anomalous behavior. How much can you automate? How much of it can you digitize? We used to be in a place where we would log in to four different applications four different ways; all of that, using the digital identity solutions, you can bring into a single place. You can manage it in one place. And you can make faster decisions on whether you want to onboard or offboard a particular user or their access to it. It's really kind of - thinking hard about what's core to your business and focusing on that will be one big kind of macro recommendation.

Tarun Sondhi: And I think the other area that I would highlight is to think really hard about what's core to your business in terms of domain expertise that you want to retain, and manage the critical few cyber practitioners that you have while out-tasking as much of the work of routine operations as possible to a service provider. That's one way that you can balance what you keep in-house and what you out-task. And I'm purposely using the term out-task, but this is - I don't think the idea of outsourcing really exists anymore, or that there's a need for it. It is: I have a function, an operation, and I have tools that are already in the cloud. I just don't want to perform these tasks on my behalf. And that's another area that I would recommend our clients consider.

Tarun Sondhi: I think the last thing I would say is really a measured risk approach. This idea that we had in the past that once we go through a development process, we'll test these applications, our network and our solutions that we have in place as a point-in-time thing is no longer valid. We are going through a rapid development cycle. Applications are coming out much faster because our clients are demanding it, our employees are demanding it. So testing that continuously, whether it's techniques such as ethical hacking, red teaming, pen testing, whatever those modes are that you need to have, there is a - put a continuous in front of it. That continuous part is going to be something that we see as a way for organizations to stay ahead of the risk and have a more measured approach so they know what the associated tolerances are to manage through those risks.

Ann Johnson: I think you hit on something that a lot of organizations are coming to realize, which is cybersecurity is always a risk decision. There are some organizations that are obviously, you know, ahead of the curve or on the more mature program end of the curve that know it's a risk decision, right? You could shut down everything and have perfect security, but you have to be able to do business. So whatever decision you make needs to enable your business while keeping your business secure.

Tarun Sondhi: That's right. 

Ann Johnson: So I love my job because I get to see the newest companies and innovations and I see them pretty early. I know you also have the opportunity to meet with a lot of companies and see innovations, whether it's in technology or people or process. What's one thing you've seen recently that you just really were impressed with and you think has a big future in cyber? 

Tarun Sondhi: Oh, wow. Bringing it down to just one thing - there are so many amazing things that are going on in our industry. If I could lump together blockchain, metaverse, this decentralized autonomous organization kind of business context, I think that would be one place where I see a massive disruption that's going to take place in the - there are billions of dollars being invested in the blockchain and metaverse space, if you will. And I think the innovation around cyber that I get super excited about is really, with this disruption and these kind of distributed applications, the new advancements in encryption that are taking place, the proxy re-encryption space - that's one area that I see is going to get a lot more notice. And I think we're going to see some really interesting things happen there, especially when we're thinking about private data being stored out in public, decentralized networks.

Tarun Sondhi: This idea around proxy re-encryption - or PRE, if you will - is something that I'm taking a very close look at and trying to get ahead of. And I think along with that is, with the speed, quantum computing becoming more mainstream. This is also being leveraged by the adversaries. They're using that to create more sophisticated brute-force attacks. They're becoming more efficient and more speedy. So quantum-resistant cryptography, these algorithms are becoming much more important for us to combat this rise in, you know, quantum computing and also the associated adversary use of it. We're going to see a lot more need for resistance around cryptography for that. And I think at last - and you said one area, but, you know, there are three subparts to it. And I think this new innovation that's going around, zero trust, I think it sits at the intersection of digital identity, SASE and micro-segmentation, where we can start to insulate our data, our business into smaller segments and reduce the radius of impact. That, I think, will be the last kind of area that I think about. And I'm getting really excited about what we're going to do here in the future.

Ann Johnson: I agree with you, by the way. And quantum-resistant cryptography, having spent so many years at RSA and with the crypto folks, it's exciting to me. I know (laughter) other people will be like, is cryptography exciting? But it is. It's really exciting. 

Tarun Sondhi: It is, yeah. 

Ann Johnson: So, you know, I really have appreciated you sharing your insights today. And I would love it if you could help us send off our listeners with one or two key takeaways - it's something we always want to do - things that you would recommend they do today to overcome cyber challenges, or things you're hopeful about for the future, or all of the above. And you definitely don't have to limit it to two. But we always try to leave with a little bit of practical guidance.

Tarun Sondhi: Ann, it was a pleasure speaking with you as well. I'll leave behind a couple of thoughts. One, we'll continue to see exponential growth in new innovations. I continue to believe that blockchain is going to evolve. It's in the early stages. Similarly, when you add metaverse on top of it, it is going to start to stress the edges of our security discipline. We're going to have to think differently. We today evolved from this era of having servers and machines that were sitting in data centers that were ours. We were very possessive of it. And then the idea of cloud started to disrupt. And we were still kind of possessive of it, weren't really sure if sending something to the cloud was safe and easy to do. And today, no one wants to keep any data in data centers. They want to put it all in the cloud. So we'll see that type of maturity happen and adoption happen around blockchain and metaverse. We're going to find new spaces to come together. So with that, again, it's going to stress our security. It's going to make us think a little bit differently. And I think we need to be ready for that. We talked about cryptography in the sense of quantum computing. We need to move at that speed going forward.

Tarun Sondhi: The second thing, I think, I will remind the audience of is don't be afraid to out-task services to service providers. Whether it's us or you go with someone else, you know, really think about where your business priorities are. What do you truly want to maintain within your business? And reserve those skilled practitioners that have been very difficult to get from the market - I think I read yesterday in one of the articles that there's a 30% year-over-year demand growth for security practitioners, and there are 600,000 security positions that are open. We're never going to be able to fill that. Let's accept the fact that there's always going to be a deficit of security practitioners in our space. So let's focus as much as we can during your early design, early strategy on how much do you want to - can you automate, use AI and machine learning - because I think they've really matured a lot over the years - and augment those jobs so you can reserve those security practitioners and preserve them to do things that are really important to your business. And they add value, rather than being deductive.

Ann Johnson: Thank you so much, Tarun. That's wonderful. It was really a pleasure. I know you're incredibly busy, so thank you for taking the time to join us today. 

Tarun Sondhi: Thanks, Ann. Glad to be here with you. 

Ann Johnson: And many thanks always to our audience for listening. Join us next time on "Afternoon Cyber Tea." 

Ann Johnson: We invited Tarun to join the podcast today because he's such an expert with a lot of knowledge and depth about how companies can actually automate their processes. With cybersecurity attacks proliferating, and with it still being really difficult to hire enough cybersecurity talent, one of the things we have to be able to do is automate the processing of the data that's coming into the organization, automate as much remediation as we can and really turn around actionable intelligence to our cyberdefenders so we put them in the best position for success. So this was a wonderful episode with Tarun leveraging his expertise, and I look forward to having everyone hear it.

Ann Johnson: This week on "Afternoon Cyber Tea," security researcher Tracy Maleeff joins me to discuss current issues infosec professionals will face in 2022. Be sure to listen and follow us at or wherever you get your favorite podcasts.