CyberWire-X 8.7.22
Ep 35 | 8.7.22

Cybersecurity is a team sport.


Rick Howard: Hey, everyone. Welcome to “CyberWire-X”, a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the chief security officer, chief analyst and senior fellow at the CyberWire. And in today's episode, we are talking about how cybersecurity is a team sport. In other words, with a number of tools in the security stack deployed across multiple data islands exponentially growing, it requires a team across the entire business to orchestrate all of the change. A program note - each “CyberWire-X” special features two segments. In the first part, we'll hear from an industry expert on the topic at hand. And in the second part, we'll hear from our show sponsor for their point of view.

Rick Howard: I'm joined by Jenn Reed, the CISO at Aviatrix, and she's the newest member of the CyberWire Hash Table group. Jenn, thanks for coming on the show. 

Jenn Reed: Thank you for having me. 

Rick Howard: So before we get started, I noticed in your LinkedIn profile you are a former enlisted Marine. I'm a former enlisted Army guy. And here we are, CISOs of our own organizations - 20 years in your case after you started, 40 years in my case. And boy, I don't feel old for that. But - and we're having a discussion today about the state of cybersecurity today, right? And so how cool is that? And did you ever... 

Jenn Reed: Pretty awesome. 

Rick Howard: ...Yeah, did you ever think that when you enlisted in the Marines that you would end up here? 

Jenn Reed: I did not. But, you know, my dad is a tank commander in the Army, and so, you know, very much military background. And he said, do anything but the Army. 

Rick Howard: (Laughter). 

Jenn Reed: So, you know, I went into the Marine Corps instead. I showed him. 


Jenn Reed: But there I was doing intel work. So I was always going to be kind of in the programming sphere, you know? But yeah, seeing myself become a CISO at this point in time, no, not at all. You know, much more, I'm enlisted. I'm a doer, man. I'm a doer. 

Rick Howard: Yeah, I get that, right? So today we're talking about orchestrating the security stack. And here's what I mean by that. We have all these security tools that we deploy in our environments from firewalls and antivirus and intrusion detection to XDR. But we also operate several unique states. And I call them, you know, data islands. We have data and applications back in our own data centers and on our employees' mobile devices and in at least one cloud provider's network, probably more than one, and a host of SaaS applications here at the CyberWire. We're just a startup. And we have over 100 SaaS applications that we use to make all this stuff go. 

Jenn Reed: It's a complicated question, right? 

Rick Howard: Oh, yeah. 

Jenn Reed: Because just as you guys do, we have over a hundred different SaaS applications that feed the IT stack, as well as we have deployments in every single cloud. And, of course, we have to. We're multi-cloud. So if we're going to deploy multi-cloud software, we have to be multi-cloud at the same time. That's how we deliver. And having a security stack can be really complicated because I need to be able to see my posture across all those deployments both in a cloud data perspective but also, how do I get a good visibility into all those different SaaS applications we're using for supply chain? Can get a bit complicated, you know. 

Rick Howard: Well, it was complicated enough when we were just doing it in one place, you know? You know, when I started, we just had one security stack in the data center. And that was it. And it was hard to do then. Now, like you said, multiple cloud environments all over the place. So do you - what's your philosophy there? You just try to manage each of those separately? Like if I'm in one cloud, say Google Cloud, I'll use their security stack versus Microsoft. And then for our data center, we might use some hardware firewall or something. Or is there some other philosophy you have there? 

Jenn Reed: So it's a combination of things, really. So we're past... 

Rick Howard: It's never black and white, right? 

Jenn Reed: ...No, it can't be. All of the great things that were available to us for on-prem - right? - next-generation firewalls and IDSs - great. But they're not cloud native, right? And so they're really designed for that on-prem infrastructure. 

Rick Howard: Ted Wagner is the CISO for SAP National Security Services, an old Army buddy of mine and a regular visitor to the CyberWire Hash Table. He agrees with Jenn that the orchestration platforms are not quite ready for primetime when it comes to cloud deployments. 

Ted Wagner: Where we see older elements of data centers, and even with the innovation of software as a service and our islands of data, we're still consuming, ingesting data into a SIEM. Where we see innovation particularly is in SASE vendors where we can get infrastructure as a service like VPN as a service or identity as a service. So they really bring some innovative capabilities like continuous adaptive risk and trust assessment, or CARTA, for identity. These are great tools for the network defenders, but those orchestration platforms still lack key functions like threat intelligence platform, where we really rely on implementing our MITRE ATT&CK framework and adjusting well the threat intelligence to inform our security monitoring. So I think we're still in transition. Those core functions that we rely on - threat intelligence and applying analytics to large datasets - still remain with the SIEM. But we see SASE vendors as being disruptors and are curious to see how the story will play out. 

Jenn Reed: And so when you're talking cloud, where you have hundreds of accounts, you know, where you have your developers in their own sub-account to lower the blast radius of anything that they're experimenting with, that's not going to be a solution that works for that environment. So it's really about instrumenting those different cloud environments, then having alerting tell you when things change and being able to then leverage that and sending that to a centralized alerting for an SRE team to triage and bring in our security team when configurations change for having centralized alerting. But you have to instrument everywhere. 

Rick Howard: That's an interesting point, right? So I kind of bifurcated it into, you either have separate tools in each environment to adopting a security platform like you were talking about, but you have a middle ground there. Use tools for each environment designed for that, those environments instrumented. So the telemetry is coming back to a central location. 

Jenn Reed: We have software that we use ourselves that we developed ourselves for our secure networking platform, which of course then we use for our own production environments but actually gives us the ability to see what's happening and feed all of that telemetry data in to a centralized location so we can see what's happening across our data and control plane. But then we also have - from a monitoring perspective, our SRE team has instrumented and fed that same alerting data from multiple clouds into a Grafana and Prometheus framework so that they can actually act on that information and see it over time because we can't just have it in one single cloud. 

Rick Howard: For those that don't know, Grafana is an open-source visualization tool for ad hoc data, plus cloud environment telemetry from Google GCP, Microsoft Azure and others. Prometheus is an open-source monitoring system for machine-centric and highly dynamic, service-oriented architectures. 

Jenn Reed: Prometheus is really a framework so that we can actually pull in log and other type of event information over time. So you can get that both from a system level but also application level. And then, of course, Grafana actually shows the visualizations. 

Rick Howard: Would it be fair to say that your teams are kind of ahead of the game here and in the DevSecOps world where you're reaching out through APIs to collect telemetry off of these security products? Is that fair to say? 

Jenn Reed: I think so. You know, it's one of those things that we have to. We're a software company, so we're never going to have a gigantic operations team or security team. So we believe in instrumenting, and then we believe in automating. So automating the monitoring, alerting and triaging and remediation as much as possible. And a lot of that I learned from where I was at previously because they're helping Avis run their global IWC. I had a very small team, as well. And so automation was key. No console access, man. It's like if you can't automate it, you're not doing it. 

Rick Howard: Well, I'm - I totally believe in that philosophy. And - but I would say that you guys are ahead of the game. Everybody that I talked to on this show - not everybody, OK? Many of the folks I talked to on this show are still doing it the old-fashioned way, you know, logging console jockeys and updating things. They're trying to get there, but they're struggling. So any advice you can give them that will make this easier? Is there some piece of philosophy that you guys have adopted to make this easier for your organization? Or is it just something they started doing from the beginning? 

Jenn Reed: Well, it's something that they've had - they have started from the beginning. I mean, they - Aviatrix was started by software engineers, right? And so software engineers believe in coding and automation, right? They want to build the product, so they want everything else to be instrumented so that they can, you know, increase their speed to market, right. So you don't want to grow a huge IT organization and security organization. So it's been native to what they've done. And at the same time, it's why the software itself has an API to enable automation and a Terraform provider - right? - because we believe that teams really moving to the cloud or expanding their capabilities need to kind of adopt more automation. And one of the great things is, like, it is bringing on some of that coding to the security teams. Cross train, man. You know, give them something to start with, you know, bring them on the team. Get them exposed, you know, to the tools you're currently using and have them write a Terraform script that can automate that out of service tickets. 

Rick Howard: Amazing what automation will do to the security teams, right? So I'm glad that... 

Jenn Reed: I know. 

Rick Howard: Yeah, it's such an interesting idea. 

Jenn Reed: I know. People are like, how can I automate? I need a person to look at it. But you can 'cause you can actually have people become more versed in it, and they can learn to read the code, check the code and approve it before it goes to production. 

Rick Howard: I like what you described there - I mean, that you would actually have - you can collect all the telemetry off of it for whatever services you have. But you could also - right? - go the other way. If you decided that you're going to put new prevention controls to prevent, let's say, Panda Bear, you could send it that - with one push of a button, right? You could send it up to the firewall - right? - or to all the firewalls that you have, right? Yeah. Yeah. 

Jenn Reed: Via one script, right? 

Rick Howard: Yeah. So let me push back on you on - 'cause early on, you said that those big platforms, they're not cloud native. I think they would push back on you on that. 

Jenn Reed: (Laughter). 

Rick Howard: They're not - you know, so they think they can be in front of all your cloud deployments and do exactly what you're saying - OK? - but use the software and firewalls to do that kind of thing. What's your argument against that? 

Jenn Reed: Well, it's just that it starts to get a little bit more complicated because actually getting access to their underlying core to make those updates, the changes to actually feed the data into them and get it back out of them - because they're still tended to truly be designed to be a physical machine with, like, a separate control plane and a data plane... 

Rick Howard: Yeah, they are. 

Jenn Reed: ...Which is great if I'm in a data center. But, you know, when I'm sitting out on the cloud, it's a virtual machine, and I have a virtual NIC, right? And so you could say, well, I have my management Ethernet in my control plane. Ethernet - they're still virtual, man. I can't actually get to a completely separate management network. Like, that doesn't exist. So why am I turning myself in circles trying to force that, right? What logical separation should we be making here in place to really adapt to the cloud? And I think, like, that's a paradigm shift that's really hard for some of the on-prem providers to think about - is if I'm really going to be ready for the cloud, how do I change from a physical, hard, hardware mindset to really transform that into logical controls and multiple logical controls to ensure separations exist - right? - because you have to, right? But at the same time, understanding that these are all virtual networks - there isn't necessarily anything that prevents X, Y and Z from happening except for something that's logically in place. 

Rick Howard: You mentioned earlier that you have SREs, site reliability engineers, working for the company. Is there a set of SREs for security and a set for all the other things, or is it just one big group? 

Jenn Reed: Well, so we have support engineering function, which supports our customers. So we deploy virtual machines. And so customers are responsible for updating their - the machines that they have deployed. It's not SaaS, so we don't push anything on a customer. But when customers have issues or they need assistance, they call into our support engineering function. So that's separate, right? We have a separate function, which is our SRE function, and they function for both security - and they'll escalate to our security team, but they do have security training - but also for our operational support so that they kind of sit on both of those in their - it's 24 by seven for our site reliability engineering team. 

Rick Howard: You were talking about before how we need to set up a framework. Is that a requirements session? You say, here are the things we need to be able to do, and we hand it over to the SREs, and they build it for you? And then there's some testing and then deployment? Is that how it's done? 

Jenn Reed: There's a design phase for a requirements phase for what we need and how we need it to happen. And so part of that, we give them the requirements for that and questions back and forth. And then there's a development phase where we validate that it's working as appropriately, testing to - and then where you load testing and edge cases. And then it gets released to production. So all of those functions and processes but also any alerting that needs to be done, escalation procedures, then any triaging and anything that can be automated, we talk through so we can test that automation as well, you know, for certain types of things that might come in. 

Rick Howard: Like I said earlier, you're - you guys are well ahead of most organizations that I talked to. So is there one piece of advice that you could give folks who are starting down this path, and they could - if they just understood this one thing, it'd be a lot easier for them? 

Jenn Reed: Crawl, walk, run. Get started. Don't be afraid, you know. 

Rick Howard: Wait. That was seven things. All right. No, go ahead. 

Jenn Reed: Damn it. Sorry. Sorry. No, you know, it's - you know, but you have to get started. A lot of people have fear that they need to have it all planned. 

Rick Howard: That's a good point. Yeah. 

Jenn Reed: Yeah. 

Rick Howard: Get started, I guess, is what I'm hearing in all that. 

Jenn Reed: Yes. 

Rick Howard: Right? Yeah. Don't be afraid. I like that second one, too. All right. Well, this is all good stuff, Jenn, but we're going to have to leave it there. That's Jenn Reed, the CSO at Aviatrix. Thanks for coming on the show. 

Rick Howard: Next is Dave Bittner's conversation with ExtraHop's Chase Snyder and CrowdStrike's Janani Nagarajan. 

Dave Bittner: So today we are talking about this notion that cybersecurity is a team sport. Can we just start off with just some high-level stuff here, a little description of why each of you thinks that that is a good way to come at this? Janani, why don't I start with you? 

Janani Nagarajan: The team sport aspect comes in because right now, if you ask five different people what cybersecurity or even buzzwords like XDR or zero trust mean to them, you're going to get five different answers. So I want to make sure that everyone who's - especially our customers who are confused about what cybersecurity actually entails are brought together for this journey where we are trying to solve the problem by getting ahead of adversaries, who are actually getting increasingly sophisticated thanks to their tradecraft, employing artificial intelligence and machine learning. So all the customer wants to do is have a better way of staying ahead of these attacks, making sure they're able to stop threats, they are able to sleep better at night and really protect their environment, their users, their employees from any kind of damage that might happen. 

Dave Bittner: And Chase, do you agree here? Is this pretty much aligned with your thoughts? 

Chase Snyder: Yeah, that's spot on. I'd say there's competition in the cybersecurity technology market, so there are many different vendors coming at it from many different angles, but ultimately, the top priority has to be delivering on the needs of the buyers, the enterprise. And using that as a North Star, asking ourselves constantly, are we serving the need of the customer? - has positive results for the business. So it really is the right way to approach solving what is truly a multifactor and extremely complicated challenge of securing information systems. 

Dave Bittner: You know, Janani, if we're going to use team sports as sort of our analogy here, I mean, from a practical point of view, what does that mean for the folks who are organizing this? What sort of things can they use, you know, from that example to apply to the things they do every day? 

Janani Nagarajan: So first thing is to take a step back and actually look at the problem we're trying to solve. Right? It always starts with the customer requirements or the customer needs. When we walk through the trade show floor, we see a lot of buzzwords talking about XDR and zero trust and how we're trying to help the customers. But what does it actually boil down to for them in terms of their day-to-day activities, in terms of their corporate initiatives, their outcomes? So we need to actually take a step back and think about what is it that we are trying to solve based on the customer, and what is it that we're trying to protect? So we have actually run into customers who actually have legacy systems. They are still operating mainframe systems that they are not able to move out of, or they're actually trying to adopt containers and serverless because they are looking at digital transformation. So we need to have a solution that transcends across these technologies. 

Janani Nagarajan: And on one side, when you talk about technologies, you also have to look at the flip side as to what is it that we're trying to protect. You have these adversaries; you have these nation-state actors or e-crime actors who are really bent on wreaking havoc. And I think it came across when COVID-19 hit. People started working from home and really saw how the technologies couldn't keep up with some of the attacks that are out there. So we want to make sure that whatever we are trying to solve for, we are solving for existing environments but also for the future that we are looking at. So in terms of strategy itself, you need to make sure that we have the right people, the right expertise and the right technology to actually solve any problems that might happen in the market landscape, actually. 

Janani Nagarajan: So we want to make sure that we bring - come together as a cybersecurity community, we have this guidance and best practices as to what is it that we're trying to solve and find the best way to solve - stop that. So that's where the team sport comes into play because instead of being only on defense, we also want to make sure we have our offense, our technologies like prevention, to make sure that we stop these attacks from ever happening. 

Dave Bittner: You know, Chase, what does this mean for various vendors working together? I mean, is this - there's opportunities here - right? - to sort of - the whole is better than the sum of the parts. 

Chase Snyder: Yeah, 100%. Each of the different vendors in the space, each of the different types of technology has a different core competency. And so if we're going to extend the sports analogy, you've got goalies. Depending on the sport that you're playing, you've got forwards, or you've got, you know, linebackers, or you've got various different positions, and you wouldn't want to put someone from one position into the other position because that's not what they've practiced for. That's not what they are built for or perfectly skilled at. So you put together a team that fulfills all of those different requirements, and you try to make them work together, play together as a team effectively. So in the case of cybersecurity and particularly for the businesses that Janani and I represent, there are different signals, different sources of data that you can use for detecting and responding to cyberattacks. 

Chase Snyder: ExtraHop focuses on network data, observing - covertly observing network traffic in a way that the attacker can't actually tell that they're being watched. CrowdStrike focuses more on endpoint security but has a whole range of capabilities focusing on what is happening on the individual hosts or on the individual endpoints. So we have complementary types of visibility. We fill in gaps and support and complement each other's capabilities so that we're not letting the attacker, you know, get a zillion shots on goal and allow the, you know, rely - let the whole team rely on the goalie to stop every single one of those. We're stopping them a little bit ahead of time, but we're also able to, you know, stop them from getting into the goal if they get right up to the line. So that's kind of the key message here - is that no one technology solves every problem with perfect efficiency. If you can get several different technologies to work together really well as a team that solve each of the individual problems at the highest efficiency available, then you're better covered across the board, across the full range of tactics that attackers are bringing to bear against enterprises and the full range of tactics that attackers are constantly refining and innovating to make them better and more effective. 

Dave Bittner: Essentially, you're putting together an all-star team. 

Chase Snyder: Yes. Love that. We are putting together - we're the team from "Space Jam." It is the all-time - all-star team. 

Dave Bittner: That's right. Well, Janani, I'm curious. You know, at this year's RSA Conference, the hot topic was XDR, and I think that certainly keys into our conversation here. First of all, you know, for folks who may not be completely up to speed on this, how do you describe that to people? 

Janani Nagarajan: Yeah. So that's the million-dollar question now because like you said, 30 different vendors are talking about XDR, and depending on whom you ask, you probably get different answers. But again, I think one thing we all agree on is XDR means extended detection and response. That means we are extending to all the technology stack or all the multi-domains that are out there, and we are coming up with a unified way of protecting the environment across these extended domains. The detection piece is where the intelligence lies, where we are integrating threat intelligence with any kind of security telemetry that we have and correlating it across these domains to come up with detections. And the response is, what are the actions that we take in order to secure the environment and make sure that it doesn't happen again? 

Janani Nagarajan: So very simply put, the extended detection and response is looking at a bunch of data across different domains, seeing what is out there in terms of maybe endpoints, your cloud environments, your networks or even identity access management, email security, web security, making sense of it in terms of correlations and responding. So the response actions could be either we reimage the system - that is basically taking a hammer to a problem - or we actually do targeted mitigation. We remove selected malware files, or we stop certain processes from happening. So having this unified approach of taking into account all the data - so we have a data problem, so taking into account all the data, making sure we make sense out of it in terms of detections and responding to it in a meaningful fashion without impacting productivity - I think that's all the customer cares about. They want to make sure the problem goes away but without affecting their system, without affecting their environments. 

Dave Bittner: Chase, how, as a customer, do I properly calibrate my expectations in terms of my vendor's ability and willingness to actually collaborate and work together? 

Chase Snyder: One way to look at it is to look at what partnerships or what integrations any given technology that you're considering has and then how easy they are to deploy. So there's a big burden on the vendors, on folks like us at ExtraHop and on CrowdStrike, to make it as easy as possible for the customer, and you can tell how much a cybersecurity technology vendor has invested in that by how simple it actually is. So if it's plug-and-play and you just have to type in some API keys to a field and click go, that's a pretty good sign that the vendors have done a bunch of work on the back end to make sure that their data plays nice together, make sure that their APIs talk well together and make it easy for the customer. 

Chase Snyder: If you've got that across multiple vendors with any given technology that you're looking at, that's a really good sign that the business prioritizes this ecosystem approach of having the best player in each position. If it's a lot of work to deploy the integrations or you have to have professional programmers and, you know, people who know how to work APIs and write bespoke code to make these things plug together, that can be a signal that it's going to be more of a challenge for you to get what you need out of the technologies. And there are layers to this challenge, and each one of them requires kind of a different approach. So plugging two technologies together so they can share data is one thing. Making sure that that data is of a type that is compatible and is going to be meaningful for your security analysts and your security practice when it's pulled together is a whole other challenge that requires cybersecurity expertise. So looking at the cybersecurity bench, the expertise at the organization and ultimately testing the actual tools and testing the workflows to make sure that they solve your problems is going to be the most important way. 

Chase Snyder: So in the context of XDR, making sure that it is reducing the amount of manual effort that your analysts have to do to pull together the data points that they always need in order to make good decisions about how to respond to a threat that's been detected is the gold standard. There are pieces of data that live in different tools in most security operations centers that analysts are constantly having to pull together - the same things from different places - to decide how to respond. And if you find a tool that is pulling together those things automatically in a format that makes sense and presenting them to the analyst in a way that helps them make a faster, better and more precise decision about response, that's a good tool. And that's something that we're working on together with CrowdStrike to try to deliver. 

Dave Bittner: Janani, any thoughts there? 

Janani Nagarajan: Yeah, so I 100% agree with what Chase said. It ultimately boils down to the fact that we are trying to come together across platforms, and we like to use the word best of platforms, because we are no longer talking about point solutions. We're talking about best of breed solutions or platforms coming together, exchanging threat information or whatever we see out in the wild with each other so that we have a fortified defense across these - against these adversaries. So having that communication that Chase mentioned, having that bidirectional communication as to what it is that we're seeing in terms of attacks that are happening across the different attack surfaces and being able to seamlessly come together - I think the key word is, how do we make sure that these integrations work, as Chase mentioned, without any friction? 

Janani Nagarajan: And also, given the cybersecurity resource shortage that we keep hearing about, we want to make sure that these platforms are able to communicate with each other right from the get-go. If you have to require the customers to rearchitect their environment, make a bunch of changes, then that is not - it is actually slowing both our teams down. So making sure that we come together in a unified fashion, expediting our threat detection and response capabilities - I think that's where the biggest challenge lies, and that's where companies like ExtraHop and CrowdStrike are coming together to make sure that our focus is always on the adversaries out there. So we have something called the adversary-focused approach, where we are looking at automatically detecting these threats and making sure we have response capabilities without slowing our customer down. 

Rick Howard: We'd like to thank Ted Wagner, the CSO at SAP National Security Services, Jenn Reed, the CSO at Aviatrix, Janani Nagarajan, head of product marketing at CrowdStrike, and Chase Snyder, senior product marketing manager at ExtraHop, for helping us with this show. And we'd also like to thank ExtraHop for sponsoring it. “CyberWire-X” is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they are co-building the next generation of cybersecurity startups and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. And on behalf of my colleague Dave Bittner, this is Rick Howard signing off. Thanks for listening.