Bonus: CISO Insights. A Fortinet-sponsored webinar on convergence: reducing the number of tools in the security stack.
Rick Howard: Hey, everyone. Rick here. Early in 2022, the security vendor Fortinet asked me to moderate a panel at their convergence conference scheduled for August on the topic of reducing the complexity in our security stacks. Since that's a topic that's near and dear to my heart, I jumped at the opportunity. The panel I hosted covered many of my favorite pet-peeve topics, like why an orchestration platform is probably better at reducing risk than, say, a series of best-of-breed tools that you have to manage independently, or how SASE, secure access service edge, my favorite new security architecture, will help you do that or the impact that 5G will have on these new SASE environments and what it means for how your cyberthreat intelligence teams collect their information in the future. And finally, if we're all going to move to the SASE model eventually - and I think we will - then we'll want our SASE vendors to join the security vendor ISAC, the Cyber Threat Alliance. Like I said, we covered a lot of good material, so we thought we'd offer it in audio form as a special bonus episode for "CSO Perspectives" subscribers and CyberWire Pro members. Enjoy.
Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire's secret sanctum sanctorum studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Md., in the good old U.S. of A. And you're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. I was joined by Fortinet's Jim Richberg, the field CISO for the public sector, Aidan Walden, the CTO for their cloud practice, and Willi Nelson, their field CISO for operational technology.
Rick Howard: Today we're talking about convergence or integration, if you will. So before we get into any of the details, Jim, let's start with you. When you talk to your fellow CISOs out there and convergence comes up, what does that mean exactly? What do you talk about when those conversations come up?
Jim Richberg: Rick, that's a great question. And the reality is convergence means different things to different people in different organizations. And I'll give you three meanings that I find are coming up repeatedly. One is, of course, the convergence of working in security itself, the way that - powered by Moore's law and device consolidation - the way that new devices typically perform the functions of what were multiple legacy devices. Both on the networking and security devices, we're finding that you can now manage to do more with fewer devices. Convergence becomes your friend. And we're seeing that convergence between networking and security as well - the fact that something like a FortiGate can be both a multifunctional security product and do a lot on the networking side.
Jim Richberg: The second meaning of security that comes up repeatedly in my conversations is the convergence of platforms and the vectors of communication - the accelerated migration to the cloud and the adoption of 5G, the fact that COVID gave a kick in the seat of the pants to everyone to pivot the way they work, where they work from. And now, of course, we're dealing with work from anywhere as a new paradigm. And then the convergence of IT and OT networks - a decade ago, OT networks were typically isolated from the internet and from the corporate network. And now, for many organizations, that's not the case. So the reality is the digital surface, which many people call the attack surface, has become increasingly complicated. And the single top-of-mind issue that I'm hearing from organizations is, to your point Rick, how do you federate - how do you integrate security in that complicated environment, especially for an organization that may have geographically dispersed units and multiple functions to perform?
Rick Howard: When we first started doing all this, we used to - you know, this is talking about mid-2000s. The thing we used to buy all the time was best-of-breed tools. We needed to have the very best of the thing that we wanted. But now that we're in these multiple environments - you know, we got multi-cloud. We got SAS applications. We still have the data center. We still have office buildings around the world. And like you said, Jim, the mobile workforce now is fully in place. So, Aidan, let me bring it to you, OK? Is security in the hybrid cloud environments so fundamentally different that we have to use the cloud provider's security tools? Or is it better to reduce complexity and come up with some sort of security orchestration platform?
Aidan Walden: Yeah, I think the actual response to that question is more of the inverse. It's that the cloud provider's tools have a natural breakwater in terms of where they can be applied and where they're useful. Another way to look at what we've talked about so far - Jim was talking about convergence. The fact that we're abstracting the network layer, the SDNs - right? - so when we're in a hybrid environment, I have to run a network function - an application has to exist in multiple enclaves across the IT estate. And you're seeing this play out as cloud providers are pushing into the edge, into the data center with their own solutions.
Aidan Walden: But, you know, using those first-party tools from a cloud provider perspective typically doesn't meet the needs of an organization across that entire IT estate. So, you know, what we'd like to do is say, all right, based on where those assets exist and where those applications exist, it is a best practice to use those tools in those local environments and orchestrate those tools. But to drive policy contexts across the entire estate, you really need something much more capable and much more ubiquitous. And I - that's - you know, that's how you're going to provide consistent security across all of those - or that hybrid cloud environment.
Rick Howard: Well, I think that's an interesting point, too, Aidan, because you think about, you know, the relatively newness of cloud providers. There are new security vendors these days. You know, most of their security tools are 1 and 2 years old. They're beta versions. Whereas if you went to a orchestration platform, those vendors have been in business for a long time. They pretty much know what cybersecurity looks like. Am I wrong about that, or can you support that idea?
Aidan Walden: No, no, that's well-founded. The cloud providers, they're going to iterate quickly. That's what the cloud does. That's the benefit of cloud. It's very agile in all of its motions. What you typically are going to get from a cloud provider is something that is, at least initially, minimum viable product. And so really what you're trying to think through as a CISO or a technology leader is, all right, do I use the first-party services? They're definitely cloud-native. They're easy to consume. Or do I use third-party services, which typically integrate across my ecosystem very effectively? You know, in that hybrid environment, the pure play providers typically have depth of features.
Aidan Walden: And so, you know, the technology decision is oftentimes, do I choose the first party or third party? And, you know, third party can become very cloud-native, you know, in a way that I would define as easy to consume and a very, very good user experience, both for the security operator and for the end user who has to experience that security on the networks. You have to find ways not to have to compromise, is what I'm getting to, ultimately.
Rick Howard: Exactly.
Aidan Walden: Yeah.
Rick Howard: We'll talk about that in a second. But, Willi, I don't want to leave you out of this question. So it's the same question to you. Are the OT and IoT environments and other kinds of critical infrastructure environment - are those so different that you need a completely different security stack solution, or can the orchestration platforms handle that kind of thing?
Willi Nelson: I think the - excuse me - I believe the orchestration platforms are the way to go. It's very costly to have to have separate tools for IT, OT, IoT, et cetera. And you're normally running it with the same security team that's trying to manage that, right? So as those individuals are trying to get visibility into those environments, the fewer technologies we can add to their stack, the better. And I mean that in the sense of, like, the more that we can automate and bring everything to those individuals, it's going to - it's really going to make their lives easier. But also from an executive perspective, you have a - you know, you have a clearer understanding of what - where your problems are and where you should spend your time. And to me, that's where - it's all about that orchestration and automation piece of bringing it back to the SOC and your instant response teams.
Rick Howard: Gentlemen, I call these things data islands. You know, when we all started doing this, we just had a data center and a couple of headquarters buildings, and all the data resided behind this giant barrier. And back in those days, it was hard enough to defend our networks. But now that we've got them scattered across hybrid cloud environments and - even at the CyberWire, we're just a small startup. We have a hundred SaaS applications that make the business go. For big companies, imagine what that number is. I'm trying to make the point here that reducing complexity in your environment is a better defensive tool than having a bunch of different stacks where all those data islands reside. (Inaudible) this, or am I off-base?
Jim Richberg: One point to make is the typical organization that I deal with may have a presence in three or four public clouds - different providers. They may have a hybrid data center, to your point. They may still have private data center, as well. And while each of them may have a comparable capability, they're natively different. And different means often inconsistent. Inconsistency can create a gap. So having the ability to have standardization is really the problem because, especially when you're updating policy - security policy dynamically, if you then have to do it differently for six or seven different environments, that's when you get the lags. That's when you get things that are unevenly applied. That's what your potential attacker finds - that gap, that vulnerability - and that's where you get exploited.
Jim Richberg: So, yes, you can absolutely share responsibility. The cloud provider can do it. But if they're all doing it differently, different doesn't mean even. And that really - you're right, Rick. That really is the problem, that - either doing - either finding something that's in all of the cloud so you can configure once, roll it out universally, or just going with a third-party solution, to my mind, are better ways to reduce complexity. 'Cause that really - to this point, it's about trying to say, I don't want to have to solve this problem over and over again, especially (inaudible).
Aidan Walden: Yeah. And there's the efficacy part of it, too. So, you know, when you're applying - typically when you're applying cloud provider security, there's a question of efficacy, right? What is the level of security that I require? The - if you're - we get a lot of requests to protect ERP platforms, which have some of the more stringent requirements for effective security, right? So you typically want to do something more than minimum viable product there - right? - with the PII data, the financial data and so forth. So you have to look at each use case, right? Do I have a shadow IT workload - very simple? Can I protect it with something that's, you know, easy for that workflow, for that app developer who's using that cloud platform? Or do I have something that's business-critical? And in production, there needs to be a - something better applied, you know, some validation of the level of security, right? So it's - there's a difference between the tools and the quality of the tools, for sure.
Rick Howard: So, Willi, let's bring it back to risk. I mean, we've been talking very technical about, you know, convergence platforms and security stacks and all that kind of thing. But we're really talking about reducing the probability of material impact to your organization - right? - reducing the risk. I think what we're making the argument here is by a convergence platform, your risk goes down significantly because it's one policy distributed to all those data islands. Can you support that?
Willi Nelson: Absolutely. Yeah. I think it's a - that's a great point. And especially when you look at that - those multiple cloud platforms and the hybrid, et cetera - when you're looking at the situation where everyone, every cloud provider is different, you know, you may have somebody who is an expert in GCP. One's an expert in AWS. One's in Azure. To bring it all back in and be able to minimize my risk because I can repeat my processes - right? - and across those different platforms is - to me, that's the big savings that you're going to have from a convergence perspective.
Rick Howard: From the government CISO perspective, does risk come up as the main thing they're worried about or is it something else?
Jim Richberg: Well, at this point, government - especially if we're talking about the federal government - a lot of them are chasing implementation of the executive order President Biden signed last year that really said the federal government needed to accelerate movement on - it actually laid out over three dozen action items, but a lot of it was accelerate implementation of zero trust across the federal government, supply chain security and some things that related to public-private partnerships. So, yes, they care about risk, but at this point, they've got a lot of very aggressive deadlines that they've got to meet under this executive order.
Jim Richberg: You come from government, just like I do. We're used to seeing executive orders that can become shelfware. This is one where there's actually been full head of steam. So while risk is still part of it at this point, attention and money are being thrown, really, at moving forward materially on things that will help mitigate some of the risks, you know, SolarWinds, the things that we collectively said, what's the status quo ante? What's not working? Let's break this into bite-sized chunks and try to solve these problems.
Rick Howard: So let's change gears a second, right? We've been hearing about 5G as the new transport protocol that's going to completely change our lives. I don't know about you guys, but I thought this was going to happen a lot sooner than it has. But it's coming. It's on the horizon. So, Willi, what does that do to us in terms of convergence?
Willi Nelson: Well, I would like to think that it's going to make it, you know, simpler - right? - so much easier.
Rick Howard: I'm sure. I'm sure.
Willi Nelson: I'm sure it'll be simpler. Absolutely, right? Yeah. I'm sure it'll be harder before it's easier. You know, from an OT perspective, we have - we've spent the last - what? - 20 years going to the enterprise, right? We're bringing everything central. And we want to manage everything locally, or in a centralized fashion, as enterprise. And now with the pandemic and the fact that - with the 5G - that now we're able to really expand that footprint across, you know, the globe, to some extent, from a manufacturing perspective, I may still have all my data in one location, but the manufacturing site needs to have that fed back to them so they can make changes quickly. That's where 5G is going to absolutely provide us some real benefits.
Willi Nelson: However, there's the caveat - right? - that there - that if you configure incorrectly, you could end up leaving yourself with a ton of holes. And from my experience, we're just now starting to dip our toes into the SASE space. We thought, you know, we've got this covered. And now you're having to educate executives on, what is SASE? And not just executives - you're really educating your entire architecture engineering teams. What is SASE? How is it going to help you and how to deploy it so you can bring that data back and make those changes immediately - you know, real time, if you will - while still securing your network. And that's a - that brings up a whole nother - you know, from an education perspective, brings up a whole nother - it's probably a whole nother topic for another day.
Rick Howard: So, Aidan, let's - help us out here 'cause I've talked to a lot of CISOs. There's a lot of confusion about what SASE is. Can you give us a thumbnail about what SASE is and why 5G is probably going to play into that?
Aidan Walden: Well, let's talk about why 5G is going to play into these use cases. So 5G is the opportunity to move applications closer to the user so that users have a better experience. Obviously, that's facilitated by the network itself, but it's also really facilitated back to convergence, the convergence of the cloud data center with the edge location. So the cloud is moving into the edge because the traditional cloud data center doesn't really support the low-latency use cases that 5G can enable, right? So if I can get rid of that backhaul, I can move the application closer to the end user. I can enable real-time applications.
Aidan Walden: But SASE is a way to consume security in a more simplified way, have it delivered as a SAS, which is the directions that is - that the enterprise wants to go, right? They don't want to manage security platforms. They want to manage - they would rather consume it as a SAS. And SASE being able to deliver security functionality across a hybrid environment, wherever it may be required, consistently and then take advantage of that optimized user experience, the opportunity to ply zero trust from, you know, from remote workers can be a game changer. And those are the benefits that SASE will bring and how 5G will complement that.
Rick Howard: This is a complete flipping on its head of the old architecture that we all used to deploy. You know, and when I'm running organizations, it was build these big perimeters. All the network traffic comes to headquarters buildings and data centers, and we would deploy a security stack to protect all that stuff. But this completely flips it. It puts the security stack in a cloud environment and you can choose your vendor, then in whatever security stack they have from wherever you are, whether that's an employee out and about at Starbucks or it's an IoT device that's out in the middle of nowhere or it's the massive sales application that you have internally developed. The first hop to the internet is through the SASE vendor, it goes through the security stack and then it goes to wherever it needs to go. So it takes the burden off the security practitioner to manage all that, to keep the blinking lights going and allows them just to focus on the policy. And I think that's the future of how we do network defense.
Jim Richberg: I think it's a combination, Rick, of SASE and SD-WAN for government, especially for the federal government. Too often, you know, we have things like the Trusted Internet Connection initiative, which basically meant you ended up dealing with what we called the trombone effect. I'm in the field. I have to route back through headquarters, then to go back out to the internet and then to come back to the user. So you were introducing all this additional latency. And to your point, Rick, let's just make it so I go straight from wherever the user and the device are to the internet with security in the form of SASE built into it.
Jim Richberg: And because a lot of these organizations have to have a mobile workforce, DOD probably being the paradigm for something that has to be very agile in a physical sense, as well as (inaudible) sense, having the ability to have software defined networking on the fly with not only IoT battlefield (inaudible) highly ruggedized things. And this is the wave of the future. And we see this on the civilian side, as well, or a combination of being able to use something like SASE and deploy software-defined networking at scale with 5G, of course, being an important part of that. I think the government is increasingly recognizing that at the federal level and for state and local government. The fact that we're throwing under the Infrastructure Investment and Jobs Act over a trillion dollars into refreshing infrastructure. We're not going to do infrastructure the way we did before.
Jim Richberg: I'm telling state and local government that time and time again. You can't think of these in stovepipes. There is no such thing as an infrastructure that doesn't have a digital dimension to it. You can be expansive and say, if I'm doing a dozen different kinds of infrastructure, build the digital field of dreams. You know, how do I want wastewater and bridges to talk to each other? I don't know. If I did, I'd fund a startup. But some smart person is going to benefit from that. But at a minimum, you've got to build interoperability on the threat side because we already see threat activity move from one sector to another sector. Sometimes by design, sometimes, frankly, by accident. But it's coming and it's happening. So, yes, Rick, SASE is a part of this solution for government at all levels.
Rick Howard: So, Willi, let's bring it back to 5G. The reason we're connecting 5G to SASE is because before 5G gets into place, we have to provide that internet connection wherever our stuff is around the world. With 5G, though, that becomes a local connection. I'm not going to go through some backbone or through some T1 or through some internet provider. 5G is going to put me right at the edge to get on the internet. That's why SASE becomes important - right? - because everything is going to be direct to the internet.
Willi Nelson: Yes. And you may have to explain T1 to some of the younger viewers.
Willi Nelson: And then going to frac T1, et cetera. But, yeah, so I think that's exactly the point is that with the 5G that we're - you know, our world today is always connected, right? And - whether it is with your mobile device, it's with your laptop, it's with your tablet. And now we're monitoring all those environments, whether it is your smart building, your manufacturing process. You know, and I may be, at length, still monitoring that information. And it is going to be that - you know, that edge is going to be with me at all times. And to be able to use something like SASE that allows me to still be secure as I - you know, as I am able to monitor and make changes real-time is really going to be important for the industry and for - really, for so many industries. And I'm looking forward to really seeing it, you know, to take off, to some extent.
Aidan Walden: You know, access to the internet is one thing. But the actual application - so what I'm seeing as I work with cloud customers is the application itself is highly - more - is more distributed. So it's not just about having an application, you know, on the internet and being able to have a local breakout to the internet more quickly. That's important, but the application itself is going to be very close to the user. So the whole concept of the distributed application plays a big part in the user experience because, I mean, you can't have backhaul when you're talking about augmented reality and real-time - you know, automated driving and things like that. So, yeah, I - you got to think about how the applications are constructed now from a service-oriented architecture to now microservices proliferating. And that brings us back into the abstraction, right? So now I can Kubernetes or OpenShift as an abstraction...
Rick Howard: Yep.
Aidan Walden: ...Very local to my user.
Rick Howard: That's a good point. Yeah. I'm glad you brought that up because that went right by me. But, Jim, I want to come back to something you said 'cause I didn't want it to go by either without us talking about it. These complex environments really highlight the importance for being really good at threat intelligence. And I know that Fortinet was one of the founding members of the Cyber Threat Alliance. It was the first sort of ISAC for security vendor sharing. So I wanted you to talk a little bit about that, and what's your guys' support for that alliance?
Jim Richberg: So sure. We are - not only are we still very active in the Cyber Threat Alliance, but the World Economic Forum has actually got a lot - you know, people tend to think cybercriminals, for instance, are anonymous. They're - you know, we have the image of hoodies. You can't see them. But the reality is everybody's working from a place at a time, and there are footprints. There are findable footprints. So we're actually pioneering some work that we've done with Cyber Threat Alliance, World Economic Forum, a project - Cyber ATLAS. It's actually helping to literally map the members of different cybercriminal ecosystems. So we have over 200 information-sharing relationships as a company ranging from - with - over competitors. The bad guys share information. We can't sit there and state threat information is parochial. I can't tell you what I see. You need to share that.
Jim Richberg: We work with law enforcement. We work with cloud providers. We've really got to have a level playing field because I tell organizations, look, you are ultimately responsible for your own security. That doesn't mean you have to do everything yourself. And I can tell you, as the guy who, in his federal career, literally ran the U.S. intelligence community on cyber, the biggest three-letter agencies in this country don't have enough data, don't have enough analysts, don't have enough understanding of context to do it all by themselves. So why would any other organization think that they don't need help, partnership on cyberthreat intelligence. That is, Rick, the essence of a team sport that we've all got to play because we're all playing on the same side.
Aidan Walden: Well, Jim, I want to throw something out to you also. And this is coming from my practice where I see customers interested in - especially in cloud - localized threat intelligence. So obviously, we source and we partner for global threat intelligence. But within their own enclaves, you know, there's a lot of interest in understanding how attacks are being executed against them, the targeted type of attacks and being able to put together chains of events and contextualize, you know, how that attack pattern is executed and then using that as a feedback mechanism locally, right? So now, you know, when you look at - I'll even throw in an extra buzzword - machine learning. You know, machine learning is taking that localized TI and distilling it across, you know, a security environment. And so now I can, essentially in real time, with information that's very, very localized to my environment, raise my overall security posture in real time. So, you know, there's the global TI perspective, but there's also the localized - locally significant TI, I think, that's part of it as well.
Jim Richberg: I mean, what you're essentially saying, Aidan, is actionable threat intelligence.
Aidan Walden: Yeah.
Jim Richberg: And actionable threat intelligence is often tactical. It can be generated by a machine. But the challenge is, machines find the signatures. Humans have to make sense of them. If I'm trying to say, oh, this is orchestrated. This is part of a playbook. This is tactics, techniques and procedures. Computers don't need a threat board to respond. They do so in an automated fashion, but they do so absent a sense of context. And that's why a SOC has people who spend 55 to 59 minutes out of every hour simply trying to comprehend what is happening. So that, if you look at the math, that 1 to 5 minutes you have to do something about it better be highly lethal. And that's why we had...
Aidan Walden: Yeah.
Jim Richberg: ...These convergence (inaudible) that you can have meshes, platforms, ways to make the few minutes left to do something about it highly efficient.
Rick Howard: That was a lively discussion. I want to thank Fortinet for letting me host their panel, and I want to give special thanks to the panel members, Jim Richberg, the field CISO for the public sector, Aidan Walden, the CTO for their cloud practice, and Willi Nelson, their field CISO for operational technology. And as always, if you agree or disagree with anything I have said or anything the panel said, hit me up on LinkedIn or Twitter, and we can continue the conversation there. Or if you prefer email, drop a line to email@example.com. That's firstname.lastname@example.org. And if you have any questions you would like us to answer here at "CSO Perspectives," send a note to the same email address, and we will try to address them in the show. Thanks for listening to this special bonus episode.
Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I am Rick Howard. Thanks for listening.