Pt 2 – Orchestration as a first principle strategy.
Rick Howard: In the last episode, I made the case that as we are building our InfoSec barbecue pit in the backyard, you know, digging our foundation into the ground by reducing the probability of material impact and then placing four stones on top of the foundation for strength: zero trust, intrusion kill chain prevention, resilience, and risk forecasting.
Rick Howard: The next thing that we need to do is find a long slab of stone called orchestration to lay across those first four stones. This is controversial. Most security professionals don't have orchestration that high up in the priority queue. Many don't even have anything close to something that resembles orchestration. At best, they are still in manual mode when it comes to updating the devices in their security stack.
Rick Howard: And as I said last episode, that was fine 25 years ago, when all we had were a handful of security tools. But today with all the things that we have to get right to support the barbecue pit foundation, and do them at all the data islands in our architecture, manual doesn't cut it anymore. Anyway, that's my story. And I'm sticking to it. But I'm pretty sure that many will disagree with me on multiple levels. So it's time to see what those levels are.
Rick Howard: My name is Rick Howard. You are listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.
Rick Howard: On today's show, I've invited two really smart and experienced security executive veterans to the CyberWire Hash Table to challenge me on this orchestration idea. Kevin Magee is the Microsoft CSO for Canada, an old friend of mine and a former colleague when we were both working at Palo Alto Networks, and Bob Turner, the field CSO for education at Fortinet. Now, if Bob's name sounds familiar, you win the prize. He has been a regular visitor to the Hash Table since the beginning, and he just recently took this Fortinet job. He used to be the CISO for the University of Wisconsin at Madison. But now both he and Kevin are working on the Dark Side for a security vendor, as I have done numerous times in my career too.
Rick Howard: And I don't know if you've noticed this, but recently I would say in the last five years or so, most of the security vendors in the world today have built a cadre of former CISOs and security practitioners who have been in the trenches for years keeping their organization safe, have the scars on their backs to prove it, and have a highly developed soft skill of being able to explain security things to company executives. And this is the reason we want these two guys at the Hash Table today.
Rick Howard: As I started these conversations, I wanted to talk about the four potential technical approaches that you might use to implement an orchestration program that I laid out in the last episode, DevOps, or SOAR/SIEM as a bridge to DevOps, orchestration platforms from the big firewall vendors, and finally SASE or secure access service edge. But both Kevin and Bob were quick to point out that we shouldn't even start thinking about technical approaches until we got our entire organization going in the same direction, in terms of policy, around the idea of data governance.
Rick Howard: So Bob, now that you've gone to the Dark Side and are working for Fortinet, a security vendor that sells orchestration platforms, do you wish you would have had one of these Ferrari kinds of firewalls deployed in your university or did you?
Bob Turner: So we did, we had a platform, but it wasn't a complete platform. Let's talk about the, you know, the mechanics of building a platform, there's the simple, you know, boundary protection, the firewall and the rules and the context you can sit there. Even in, in higher ed, all of those rules and contexts are not going to be universal. You know, you can have your core basic set of rules, but then there's also the contexts that are going to get set up project by project, port by port. So when you're talking about orchestrating that, there's a manual intervention, an orchestration-by-committee aspect to it. And then again, that sometimes takes on the personality, not of the division or department, but sometimes the individual researcher.
Rick Howard: I mean, I could see that for, you know, let's say you're doing zero trust. The committee work that you're talking about would be identifying the people and what you would authorize them to have access to, the machines that they touch and what they would have access to, those kinds of things. But once that committee work was finished, using the orchestration platform to enforce all that, and to make changes as people change jobs or moved out of the university or new people come in, wouldn't that be just a push button update, or do you still need the committee for that?
Bob Turner: Well, you need the committee to meet periodically. And we actually have this construct, where I was, and they would meet periodically and say, what are the unique and different things and why are they unique and different? You still need to have that capability, but you are correct in the assumption that once you have it set, it does orchestrate itself.
Rick Howard: Right, so a big firewall, and I call them orchestration platforms, that you could place at every data island, we're talking about in the cloud, multiple cloud providers, in your own data centers, in university fiefdoms, separating everything. But whereas those fiefdoms could maintain the blinky lights of those orchestration platforms, there could be a university-wide agreed upon policy that would say this group can't get to this kind of data, whereas this machine can get to these other kinds of research projects. Is that what you think could happen?
Bob Turner: It can happen, but I'm going to throw another log on the fire in the fact that if you don't have good data governance, in other words, if you don't have a steward saying this is, for example, cybersecurity related data. So anything cybersecurity related data, here's the rules you follow. Here's how you get access. Here are the technologies you have to have in place. And then you change that cybersecurity to engineering, or you change it to liberal studies or you change it to the business school. There will be those little islands and the rules are, it's nuance. It's very fine nuance in a lot of cases, but you have to have that data governance so that everybody can agree and understand on the rules for the data itself. How do you access it? What are you allowed to do with it? Where do you put the product once you've played with the data a little bit? Where do you put that data product? How do you label it? Who has access? When they can have access? And all of those are more mechanical sometimes committee, but sometimes individual actors have to make those decisions.
Rick Howard: So once they have a governance plan, but though you could use an orchestration platform to implement is what I'm trying to say. Right?
Bob Turner: Yeah, I think that's, that's a possibility and you know, not to harp on the nuance too much. It's one of those, yeah. General rule. It's good enough, but "it depends" is always part of the answer.
Rick Howard: Okay. I know. And you've given me that answer in past interviews too, Bob. I just want you to know I'm keeping track of every time you throw that at me, right?
Bob Turner: Well, and it's because education is such a nuanced world. And I say world, not specifically business, because yes, it is the business of education, but the personalities that go with not only the institution, but sometimes down to the individual PI, are tremendously important. In order to get to the point where you have done what we call the sifting and winnowing and the relentless search for the truth.
Rick Howard: I totally get that, but there is a, there's a political layer at every CISO's gig, especially true for university CISOs. But what I'm getting at is once you've got all that figured out, what are the ways you can implement those policies that you have agreed to and orchestration platforms is one way.
Kevin Magee: I think a lot of the conversations I'm having to sort of reset expectations are with the boards of directors or the C-suite. And I look at their audit report somewhat not. I see protect the crown jewels. So let's, let's talk through first principles of that.
Rick Howard: That's Kevin Magee, the Microsoft CSO for Canada.
Kevin Magee: If you give an initiative, or a directive to IT and security to protect the crown jewels, well, they're not sure what the crown jewels are. They also may lock down to the crown jewels to the point where they're unusable. So then we see the emergence of shadow IT and whatnot. So again, stepping back and really thinking through the first principles of what, what we're trying to do, what our security posture is, and what the unintended consequences of directions from leadership can be. An initiative or a compensation package for a CEO based on growth is going to drive certain behaviors, which will probably prioritize availability over integrity and confidentiality. What are the unintended consequences of those? A lot of the strategic discussions I'm having around that and getting back to, you know, a first principles approach. So that's a page I've taken for me when I probably owe you some royalties on that. But,
Rick Howard: I want my monthly checks. Okay.
Kevin Magee: so what I'm recommending is an approach before we even discuss SOAR or any of these, these technologies is to step back leadership, identify the five, 10 most critical business processes or activities for the org. Then walk through the process from start to finish and document it. And then document all the associated technologies and data stores. Now this could be value stream mapping or whatever the organization's comfortable with, but you'll often find data stores, processes, or aspects of technology that you didn't realize were the crown jewels by doing this.
Kevin Magee: And then I asked three questions. What are the security solutions that you have in place and what are they protecting? And that's, that's an inventory exercise. We're generally doing this already, but then I asked the business, what are your most critical business processes and activities and what data stores do you have and what's protecting them? There's often a disconnect or they haven't explored that. And then the fun question is what are the gaps?
Kevin Magee: And then we start to see the differences in what IT security think is protected and the crown jewels are, and what the business thinks that the crown jewels are and how we're protecting them. And then we can have a real discussion about changing our approach to security, exchange in our posture security and automated. Because ultimately, as you know, the goal of security is to reduce the probability of a material impact to my organization due to a cyber event, um, not to take inventories of my tools and then figure out how to automate processes within them.
Rick Howard: Here's some trivia for you. Jackie Fenn, while she was working for Gartner created the concept of the Hype Cycle in 1995. She noticed that all tech products go through the same repeated pattern of consumer expectation attitudes. It starts with the "peak of inflated expectations" as consumers realize the potential of the new idea, and then moves through the "trough of disillusionment" as the same people begin to realize that the new tech is not quite ready for prime time, and then rises through a much gentler "slope of enlightenment" as the products get better, and finally, once the product has matured reaches the "plateau of productivity."
Rick Howard: Kevin, you're familiar with the Gartner Hype Cycle, and we've been talking about four different technical approaches to realizing automated orchestration for our security stacks. Let's start with just vanilla DevSecOps. Where would you put it on the Hype Cycle at the peak of expectations, in the trough of disillusionment, or maybe it has already passed through the trough?
Kevin Magee: I would love to see it in the trough of disillusionment too, so that we would have made some progress on it. I still think we're in the envisioning and the beginning of the Hype Cycle, unfortunately. That's unfortunate, but, I think there's a number of barriers that are still holding us back in that space. And most of them are cultural. They're not,
Rick Howard: Yeah, that's true. I totally agree with that. All right. What about SOAR? And we're not talking about just noise reduction in the SOC. I'm talking about orchestrating your security stack with this. That's really at the beginning of the Hype Cycle, I'm thinking, right?
Kevin Magee: I think in some more advanced customers are just over the peak where they're starting to implement it, and they're trying to bite off more than they can chew with first SOAR project. And maybe that's pushing them into the trough of disillusionment, but I think it's just in the early stages. We're trying to figure out what SOAR is, and how it will work. And we're often approaching it from a very technical answer.
Rick Howard: That's true.
Kevin Magee: to the question. And again, to be successful, we need to step back and really bring in the business aspect to make SOAR effective because you're orchestrating a process, you're not orchestrating technology. And ultimately that's the defining difference whether your SOAR project's going to be successful or not, is if you understand that.
Rick Howard: So how about the orchestration platforms? The Palo Alto Networks, the Checkpoints, the Ciscos, where do you put those on the chart on the Hype Cycle?
Kevin Magee: I think it's an evolving market. You really, we saw the move from stateful inspection to next generation firewall. And I remember talking to CISOs and security professionals at that time as you remember, and saying Layer Seven Security is the future. And everyone thought I was nuts, that we will never, ever secure the traffic at layer seven. And now it's reality. Now we're looking at a platform approach or cloud security and whatnot. And again, it's that sometimes resistance of this is the way we've always done it. I can't follow the packet. I'm not sure how do we tap the network? We tend to apply sort of the old paradigms onto the new platforms and they don't work. Best way you can solve for that is to bring younger people on your team who have never experienced having to install a physical wiretap on, to get traffic, to mirror it, to see what's happening or use Nmap and memorize all the switches or whatnot because they think about cloud, they think about platforms in a completely different way. So again, the human element, adding diversity to your team, adding some business folks to your team, adding younger folks to your team to round out those old guys like me who think of security of how do I trace the packet and how do I follow the packet to understand security, to break out of that mold, to break out of those norms is I think what's going to make these platforms really successful. So a very diverse POC team when you're taking on any of these projects will really ensure the success overall. If you staff it with 20-, 30-year veterans of the security industry who really try and jam the old paradigms into the new way of doing things, they're just not as successful.
Rick Howard: So if I was going to put orchestration platforms on the Hype chart, I would say they were closer to being on their rising expectations, I mean, they're, they're ready now. They, you could buy them now and they would work. They're expensive. Right. But if you needed to do orchestration project, now you could buy any of those big firewall vendors and they could do the job, right?
Kevin Magee: I think the technology for the platforms are there. We just need to catch up in terms of the cultural and human elements to make them work.
Rick Howard: All those other things you talked about understanding crown jewels and first principles, we have to figure all that out too, but yeah, I totally agree and that's really hard. The last bit is on SASE. Where would you put SASE on the Hype chart?
Kevin Magee: I think it's still in the Hype stage. I don't think we're seeing a real clear indication of what SASE is and where it's headed. And part of that is some of the vendors do have it figured out. But it's often clouded by just the mass amount of ambiguous marketing out there as well, too. So I think we'll need to continue to develop that. We'll have to see customers looking at it and gain success with some of these projects and then go through iterations of SASE to really understand the benefits and some of the, the failings of the approach as well. So the quicker we can go through those POC cycles or sort of those DevOps cycles of implementing these platforms, the quicker we'll get the learnings that we need to improve them.
Rick Howard: I think it's also unclear how much it's going to cost. Let's just say that a SASE vendor throws in a Checkpoint orchestration platform as their security stack, then the price of the service is going to be really expensive. So that immediately eliminates small and medium-sized companies. I do think that architecture is the best way going forward. Okay. But we have some problems to solve like you mentioned, they've got to see how it works in the real life.
Kevin Magee: Yeah, if the sales person from the vendor presents it as you know, the next greatest thing and does jazz hands when they say SASE that's their sales pitch, I don't think it's going to be super effective. I think really having a frank discussion about you know what you're trying to accomplish, what the costs are, frankly, not just the billable, what top, what they will be to operate, what the risks are, in adopting an approach like that for your security posture, what are you giving up as an organization, but what are you gaining as well too? Are some of those really hard discussions that need to be had up front in order for a project like SASE to be successful.
Rick Howard: One word of caution. I know the industry isn't racing to the orchestration idea right now, but when you do and you will eventually, make sure you take the time to really understand what you're trying to accomplish. Here's Bob with the last word.
Bob Turner: Don't automate it so much that you don't understand it. That is probably my key and it could be that's why change is so slow in some industries. It's having the skills, the talent, and the time to really understand what the opportunities are. And certainly, DevSecOps is the opportunity we should all be embracing.
Rick Howard: Bob and Kevin are just two opinions in this vast sea of security practitioners out there, but I think their views are spot on for most everybody in the industry. The bulk of us are still trying to determine where our data is and all of our data islands, and convince our leadership team to agree about who should have access to it. If that sounds familiar, it is. That's essentially what zero trust is all about. And if you haven't started down that path yet, then there isn't much use in discussing how to orchestrate it in conjunction with the other three first principle strategies.
Rick Howard: And that's a wrap. Next week, we're going to talk about my favorite subject: adversary playbooks. You don't want to miss that. But as always, if you agree or disagree with anything I've said or anything our guests have said on this episode, hit me up on LinkedIn or Twitter and we can continue the conversation.
Rick Howard: The CyberWire CSO Perspectives is edited by John Petrik, and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design, and original score. And I am Rick Howard. Thanks for listening.