CyberWire Daily - Cybersecurity is a team sport. [CyberWire-X]
Episode Date: August 9, 2022
In order to run a successful SOC, security leaders rely on tools with different strengths to create layers of defense. This has led to a highly siloed industry with over 2,000 vendors, each with their own specific function and who very seldom work together. To gain an advantage on attackers, we need to start seeing cybersecurity as a team sport, united for a shared mission. In this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by two Hash Table members, Ted Wagner, CISO at SAP National Security Services, and Jenn Reed, CISO at Aviatrix. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor ExtraHop's Senior Product Marketing Manager, Chase Snyder, and CrowdStrike's Head of Product Marketing, Janani Nagarajan. They discuss why and how vendors should work together to enable better integrated security for their customers. They'll answer questions like "what is XDR?" and "how do I get my vendors to work together?".
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hey, everyone.
Welcome to CyberWire-X, a series of specials where we highlight important security topics affecting security professionals worldwide.
I'm Rick Howard, the Chief Security Officer, Chief Analyst, and Senior Fellow at the CyberWire.
And in today's episode, we're talking about how cybersecurity is a team sport.
In other words, with a number of tools in the security stack deployed across multiple data islands exponentially growing,
it requires a team across the entire business to orchestrate all of the change. A program note,
each CyberWire X special features two segments. In the first part, we'll hear from an industry
expert on the topic at hand. And in the second part, we'll hear from our show sponsor for their
point of view. And since I brought it up, here's a word from today's sponsor, ExtraHop. When it comes to enterprise compromise, we all know it's not a matter of if,
but when. Yet, 75% of security budgets go to preventing intrusion, and we're losing the battle. It's time for a new
approach. It's time to defend the win. Visit ExtraHop at Black Hat to learn how AI-based
network intelligence from ExtraHop stops the advanced threats that are already inside your
cloud, hybrid, and distributed environments. Intrusion is inevitable. Breaches don't have to be. Stop by booth 1540 or visit extrahop.com slash cyberwire. That's extrahop.com slash cyberwire to learn more. And we thank ExtraHop for sponsoring our show.
I'm joined by Jen Reed, the CISO at Aviatrix, and she's the newest member of the CyberWire's hash table group.
Jen, thanks for coming on the show.
Thank you for having me.
So before we get started, I noticed in your LinkedIn profile, you are a former enlisted Marine.
I'm a former enlisted Army guy, and here we are, CISOs of our own organizations,
20 years in your case, after you started, 40 years in my case. And boy, I don't feel old for that.
But, and we're having discussion today about the state of cybersecurity today, right? And so how cool is that? And did you ever, yeah, did you ever think that when you enlisted in the Marines that you would end up here?
I did not.
But, you know, my dad is a tank commander in the Army.
And so, you know, very much military background.
And he said, do anything but the Army.
So, you know, I went into the Marine Corps instead.
I showed him.
But there I was doing intel work.
So I was always going to be kind of in the programming sphere, you know.
But, yeah, seeing myself become a CISO at this point in time, no, not at all.
You know, much more, I'm enlisted. I'm a doer, man. I'm a doer.
Yeah, I get that, right?
So today we're talking about orchestrating the security stack. And here's what I mean by that. We have all these security tools that we deploy in our environments from firewalls and antivirus and
intrusion detection to XDR. But we also operate several unique states, and I call them, you know,
data islands. We have data and applications back in our own data centers and on our employees'
mobile devices and in at least one cloud provider's network, probably more than one.
And a host of SaaS applications here at the CyberWire.
We're just a startup and we have over 100 SaaS applications that we use to make all this stuff go.
It's a complicated question, right?
Oh, yeah.
Because just as you guys do, we have over 100 different SaaS applications that feed the IT
stack, as well as we have deployments in every single cloud. And of course, we have to, we're
multi-cloud. So if we're going to deploy multi-cloud software, we have to be multi-cloud at the same
time. That's how we deliver. And having a security stack can be really complicated because I need to be able to see my posture across all
those deployments, both in a cloud data perspective, but also how do I get a good visibility into all
those different SaaS applications we're using for supply chain? It can get a bit complicated,
you know? Well, it was complicated enough when we were just doing it in one place. You know,
when I started, we just had one security stack in the data center and that was it. And it was hard to do then. Now,
like you said, multiple cloud environments all over the place. So do you, what's your philosophy
there? You just try to manage each of those separately? Like if I'm in one cloud, say Google
Cloud, I'll use their security stack versus Microsoft. And then for our data center, we might use some hardware firewall or something.
Is there some other philosophy you have there?
So it's a combination of things, really.
So we're possibly...
It's never black and white, right?
No, it can't be.
All the great things that were available to us for on-prem, right?
Next generation firewalls and IDSs, great,
but they are not cloud native, right?
And so they're really designed for that on-prem infrastructure.
Ted Wagner is the CISO for SAP National Security Services,
an old Army buddy of mine,
and a regular visitor to the CyberWire hash table.
He agrees with Jen that the orchestration platforms
are not quite ready
for primetime when it comes to cloud deployments.
Where we see older elements of data centers and even with innovation of software as a service and our islands of data, we're still consuming,
ingesting data into a SIEM. Where we see innovation particularly is in SASE vendors
where we can get infrastructure as a service like VPN as a service
or identity as a service.
And they really bring some innovative capabilities
like continuous adaptive risk and trust assessment or CARTA for identity.
These are great tools for the network defenders.
But those orchestration platforms still lack key functions like threat intelligence platform,
where we really rely on implementing our MITRE ATT&CK framework and ingesting relevant
threat intelligence to inform our security monitoring.
So I think we're still in transition.
Those core functions that we rely on, threat intelligence and applying analytics to large
data sets, still remain with the SIEM.
But we see SASE vendors being disruptors.
And I'm curious to see how the story will play out.
And so when you're talking cloud, where you have hundreds of sub-accounts, you know,
where you have your developers in their own sub-account to lower the blast radius of anything
that they're experimenting with, that's not going to be a solution that works for that environment.
So it's really about instrumenting those different cloud environments,
then having alerting tell you when things change and being able to then leverage that and sending
that to a centralized alerting for an SRE team to triage and bring in our security team when
configurations change. But having centralized alerting, but you have to instrument everywhere.
That's an interesting point, right?
So I kind of bifurcated it into you either have separate tools in each environment to adopting a security platform like you were talking about,
but you have a middle ground there.
Use tools for each environment designed for that environment,
instrument it so the telemetry is coming back to a central location.
We have software that we use ourselves,
that we developed ourselves for our secure networking platform,
which of course then we use for our own production and QA environments,
but actually gives us the ability to see what's happening
and feed all of that telemetry data into a centralized location
so we can see what's happening across our data and control plane.
But then we also have, from a monitoring perspective, our SRE team has instrumented
and fed that same alerting data from multiple clouds into a Grafana and Prometheus framework
so that they can actually act on that information and see it over time.
Because we can't just have it in one single cloud.
For those that don't know, Grafana is an open-source visualization tool for ad hoc data
plus cloud environment telemetry from Google GCP, Microsoft Azure, and others.
Prometheus is an open-source monitoring system for machine-centric
and highly dynamic service-oriented architectures.
Prometheus is really a framework so that we can actually pull in log
and other type of event information over time.
So you can get that both from a system level, but also application level.
And then, of course, Grafana actually shows the visualizations.
Would it be fair to say that your teams are kind of ahead of the game here
in DevSecOps world, where you're reaching out through APIs
to collect telemetry off these security products?
Is that fair to say?
I think so.
You know, it's one of those things that we have to.
We're a software company.
So we're never going to have a gigantic operations team
or security team.
So we believe in instrumenting
and then we believe in automating.
So automating the monitoring, alerting and triaging and remediation as much as possible.
And a lot of that I learned from where I was at previously because they're, you know, helping
Avis run their global AWS. I had a very small team as well. And so automation was key.
No console access, man.
And so it's like, if you can't automate it, you're not doing it.
Well, I totally believe in that philosophy.
But I would say that you guys are ahead of the game.
Everybody that I talk to on this show, not everybody, okay?
Many of the folks I talk to on this show are still doing it the old-fashioned way.
You know, log in console jockeys and updating things. They're trying to get there, but they're struggling. So
any advice you can give them that will make this easier? Is there some piece of philosophy that
you guys have adopted to make this easier for your organization? Or is it just something they
started doing from the beginning? Well, it's something that they have started from the beginning.
I mean, Aviatrix was started by software engineers, right?
And so software engineers believe in coding and automation, right?
They want to build the product,
so they want everything else to be instrumented
so that they can, you know, increase their speed to market, right?
So you don't want to grow a huge IT organization
and security organization. And so it's been native to what they've done. And at the same time,
it's why the software itself has an API to enable automation and a Terraform provider,
right? Because I believe that teams really moving to the cloud or expanding their capabilities need to kind of adopt more automation.
And one of the great things is like, is bring on some of that coding to the security teams.
Cross train, man, you know, give them something to start with, bring them on the team,
get them exposed, you know, to your tools you're currently doing and have them write a provider Terraform script that actually replicates your Palo configuration or replicates your FortiGate, you know, and then let them show you how, you know, you can automate that out of service tickets.
Amazing what automation will do to the security teams, right?
So, yeah, it's such an interesting idea.
I know. People are like, how
can I automate? I need a person to look at it. But you can, because you can actually have people
become more versed in it, and they can learn to read the code, check the code, and approve it
before it goes to production. I like what you described there. I mean, that you would actually
have, so that means you can collect all the telemetry off of it for whatever services you
have.
But you could also, right, go the other way. If you decided that you're going to put new prevention controls to prevent, let's say, panda bear, you could send it that with one push of a button, right?
You could send it up to the firewall, right?
Or to all the firewalls that you have, right?
Yeah.
Yeah.
Via one script, right?
Yeah.
Yeah, yeah.
So let me push back on you on,
because early on you said that those big platforms,
they're not cloud native.
I think they would push back on you on that.
They're not, you know, so they think they can be in front
of all your cloud deployments
and do exactly what you're saying, okay,
but use the software firewalls to do that kind of thing. What's your
argument against that? Well, it's just that it starts to get a little bit more complicated
because actually getting access to their underlying core to make those updates, the changes
to actually feed the data into them and get it back out of them because they're still tended to really be designed to
be a physical machine with like a separate control plane and a data plane.
Yeah, they are.
Which is great if I'm in a data center, but you know, when I'm sitting out on the cloud,
it's a virtual machine and I have a virtual NIC, right? And so you could say, well, I have my management
ethernet and my control plane ethernet. They're still virtual, man. I can't actually get to a
completely separate management network. That guy doesn't exist. So why am I turning myself in
circles trying to force that, right? What logical separation should we be making or in place to really adapt to the cloud?
a physical, hard, hardware mindset to really transform that into logical controls and multiple logical controls to ensure separations exist, right? Because you have to, right? But at the
same time, understanding that these are all virtual networks, there isn't necessarily anything
that prevents X, Y, and Z from happening, except for something that's logically in place. You mentioned earlier that you have SREs, site reliability engineers,
working for the company. Is there a set of SREs for security and a set for all the other things,
or is it just one big group? Well, so we have a support engineering function, which supports our
customers. So we deploy virtual machines.
And so customers are responsible for updating the machines that they have deployed. It's not SaaS,
so we don't push anything on a customer. But when customers have issues or they need assistance,
they call into our support engineering function. So that's separate, right? We have a separate
function, which is our SRE function, and they function for both security, and they'll escalate to our security team.
But they do have security training, but also for our operational support.
So they kind of sit on both of those, and they're 24 by 7 for our site reliability engineering team.
You were talking about before how we need to set up a framework.
Is that a requirement session?
You'd say, here's the things we need to be able to do.
And we hand it over to the SREs and they build it for you.
And then there's some testing and then deployment.
Is that how it's done?
There's a design phase for requirements phase for what we need and how we need it to happen.
And so part of that,
we give them the requirements for that, questions back and forth. And then there's a development phase where we validate that it's working as appropriately, testing, and then where we do
load testing and edge cases, and then it gets released to production. So all of those functions and
processes, but also any alerting that needs to be done, escalation procedures, then any triaging,
anything that can be automated, we talk through so we can test that automation as well, you know,
for certain types of things that might come in. Like I said earlier, you guys are well ahead of
most organizations that I talk to.
So is there one piece of advice that you could give folks who are starting down this path,
if they misunderstood this one thing, it'd be a lot easier for them?
Crawl, walk, run, get started, don't be afraid.
Wait, that was seven things. All right, no, go ahead.
Damn it. Sorry, sorry.
You know, it's, you know, but you have to get started.
A lot of people have fear that they need to have it all planned.
That's a good point.
Yeah.
Yeah.
Get started, I guess, is what I'm hearing in all of that.
Right.
Yeah.
Don't be afraid.
I like that second one, too.
All right. Well, this is all good stuff, Jen, but we're going to have to leave it there.
That's Jen Reed, the CISO at Aviatrix. Thanks for coming on the show.
Next is Dave Bittner's conversation with ExtraHop's Chase Snyder and CrowdStrike's Janani Nagarajan.
So today we are talking about this notion that cybersecurity is a team sport.
Can we just start off with just some high-level stuff here,
a little description of why each of you thinks that that is a good way to come at this? Janani, why don't I start with you?
The team sport aspect comes in because right now,
if you ask five different people what cybersecurity or even buzzwords like XDR or trust mean to them, you're going to get five different answers.
So we want to make sure that everyone, especially our customers,
who are confused about what cybersecurity actually entails, are brought together for this journey where we are trying to solve the problem by getting ahead of adversaries.
We're actually getting increasingly sophisticated thanks to the art of craft, employing artificial intelligence and machine learning. So all the customer wants to do is have a better way of staying ahead of these attacks,
making sure they're able to stop threats, they're able to sleep better at night,
and really protect their environment, their users, their employees,
from any kind of damage that might happen.
And Chase, do you agree here? Is this pretty much aligned with your
thoughts? Yeah, that's spot on. I'd say there's competition in the cybersecurity technology market.
So there are many different vendors coming at it from many different angles, but ultimately the
top priority has to be delivering on the needs of the buyers, the enterprise.
And using that as a North Star, asking ourselves constantly,
are we serving the need of the customer, has positive results for the business.
So it really is the right way to approach solving what is truly a multi-factor
and extremely complicated challenge of securing information
systems. You know, Janani, if we're going to use team sports as sort of our analogy here,
I mean, from a practical point of view, what does that mean for the folks who are organizing this?
What sort of things can they use, you know, from that example to apply to the things they do every
day? So first thing is to take a step back and actually look at the problem we are trying to solve.
It always starts with the customer requirements or the customer needs.
When we walk the trade show floor, we see a lot of buzzwords talking about XDR and Zero Trust
and how we're trying to help the customers.
But what does it actually boil down to for them in terms of their day-to-day activities, in terms of their corporate
initiatives, their outcomes? So we need to actually take a step back and think about
what is it that we're trying to solve based on the customer and what is it that we're trying
to protect? So we have actually run into customers
who actually have legacy systems.
They are still operating mainframe systems
that they're not able to move out of.
Or they're actually trying to adopt containers
and serverless because they are looking
at digital transformation.
So we need to have a solution that transcends
across these technologies.
And on one side, when you talk about technologies,
you also have to look at the flip side as to what is it that we're trying to protect. You have these
adversaries, you have these nation state actors or e-crime actors who are really bent on wreaking
havoc. And I think it came across when COVID-19 hit, people started working from home. You really saw how the technologies couldn't keep up
with some of the attacks that are out there.
So you want to make sure that whatever we are trying to solve for,
we are solving for existing environments,
but also for the future that we are looking at.
So in terms of strategy itself,
we need to make sure that we have the right people,
the right expertise, and the right
technology to actually solve any problems that might happen in the market landscape, actually.
So you want to make sure that we come together as a cybersecurity community. We have this guidance
and best practices as to what is it that we're trying to solve and find the best way to stop attacks. So that's where the team sport comes into play because instead of being only on defense,
we also want to make sure we have our offense, our technologies like prevention to make sure
that we stop these attacks from ever happening.
You know, Chase, what does this mean for various vendors working together? I mean, there's opportunities here, right?
Sort of the whole is better than the sum of the parts.
Yeah, 100%.
Each of the different vendors in the space, each of the different types of technology has a different core competency.
And so if we're going to extend the sports analogy, you've got goalies, depending on the sport that you're playing, you've got forwards or you've got, you know, linebackers or you've got various different positions. And you wouldn't want to put someone from one position into the other position because that's not what they've practiced for.
That's not what they are built for or perfectly skilled at. So you put together a team that fulfills all of those different requirements,
and you try to make them work together, play together as a team effectively.
So in the case of cybersecurity, and particularly for the businesses that Janani and I represent,
there are different signals, different sources of data that you can use
for detecting and responding to cyber attacks. ExtraHop focuses
on network data, covertly observing network traffic in a way that the attacker can't actually
tell that they're being watched. CrowdStrike focuses more on endpoint security, but has a
whole range of capabilities focusing on what is happening on the individual hosts or on the individual endpoints.
So we have complementary types of visibility. We fill in gaps and support and complement each
other's capabilities so that we're not letting the attacker, you know, get a zillion shots on goal
and allow the, you know, let the whole team rely on the goalie to stop every single one of those. We're stopping
them a little bit ahead of time, but we're also able to stop them from getting into the goal if
they get right up to the line. So that's kind of the key message here is that no one technology
solves every problem with perfect efficiency. If you can get several different technologies to work together
really well as a team that solve each of the individual problems at the highest efficiency
available, then you're better covered across the board, across the full range of tactics
that attackers are bringing to bear against enterprises and the full range of tactics
that attackers are constantly refining and innovating to make them better and more effective.
Essentially, you're putting together an all-star team.
Yes. Love that. We are putting together. We're the team from Space Jam. It is the all-star team.
That's right.
Well, Janani, I'm curious, you know, at this year's RSA conference, the hot topic was XDR.
And I think that certainly keys into our conversation here.
First of all, you know, for folks who may not be completely up to speed on this, how do you describe that to people?
Yeah, so that's the million-dollar question now because, like you said, 30 different vendors are talking about XDR.
And depending on whom you ask,
you probably get different answers. But again, I think one thing we all agree on is XDR means
extended detection and response. That means we are extending to all the technology stack or all
the multi-domains that are out there. And we are coming up with a unified way of
protecting the environment across these extended domains. The detections piece is where the
intelligence lies, where we are integrating threat intelligence with any kind of security
telemetry that we have and correlating it across these domains to come up with detections.
The response is, what are the actions that we take in order to secure the environment
and make sure that it doesn't happen again?
So very simply put, the extended detection and response is looking at a bunch of data
across different domains, seeing what is out there in terms of endpoints, your cloud environments,
your networks, or even identity access management, email security, web security,
making sense of it in terms of correlations and responding. So the response actions could be
either we re-image the system that is basically taking a hammer to a problem,
or we actually do targeted mitigation. We remove selected malware files, or we stop certain
processes from happening. So having this unified approach of taking into account all the data,
so we have a data problem, so taking into account all the data, making sure we make
sense out of it in terms of detections and responding to it in a meaningful fashion
without impacting productivity. I think that's all the customer cares about. They want to make
sure the problem goes away, but without affecting their systems, without affecting their environments.
Chase, how as a customer do I properly calibrate my expectations in terms of
my vendor's ability and willingness to actually collaborate and work together?
One way to look at it is to look at what partnerships or what integrations any given
technology that you're considering has and then how easy they are to deploy. So there's a big burden on the vendors, on folks like us at ExtraHop and on CrowdStrike,
to make it as easy as possible for the customer.
And you can tell how much a cybersecurity technology vendor has invested in that by
how simple it actually is.
So if it's plug and play and you just have to
type in some API keys to a field and click go, that's a pretty good sign that the vendors have
done a bunch of work on the back end to make sure that their data plays nice together, make sure that
their APIs talk well together, and make it easy for the customer. If you've got that across multiple
vendors with any given technology that you're looking at,
that's a really good sign that the business prioritizes
this ecosystem approach of having the best player in each position.
If it's a lot of work to deploy the integrations
or you have to have professional programmers
and people who know how to work APIs
and write bespoke code to make these things plug
together, that can be a signal that it's going to be more of a challenge for you to get what you
need out of the technologies. And there are layers to this challenge, and each one of them requires
kind of a different approach. So plugging two technologies together so they can share data is one thing.
Making sure that that data is of a type that is relevant to your problems is going to be the most important way. The amount of manual effort that your analysts have to do to pull together the data points that
they always need in order to make good decisions about how to respond to a threat that's been
detected is the gold standard. There are pieces of data that live in different tools in most
security operation centers that analysts are constantly having to pull together the same
things from different places to decide how to respond.
And if you find a tool that is pulling together
those things automatically in a format that makes sense
and presenting them to the analyst
in a way that helps them make a faster,
better, and more precise decision about response,
that's a good tool.
And that's something that we're working on
together with CrowdStrike to try to deliver.
Janani, any thoughts there?
Yeah, so I 100% agree with what Chase said.
And ultimately, it boils down to the fact that we are trying to come together across platforms.
And we like to use the word best of platforms because we are no longer talking about point solutions. We're talking about best of breed solutions
or platforms coming together,
exchanging threat information
or whatever we see out in the wild with each other
so that we have a fortified defense
against these adversaries.
So having that communication that Chase mentioned,
having that bidirectional communication as to what it is that we're seeing in terms of attacks that are happening across the different attack surfaces and being able to seamlessly work together, as Chase mentioned, without any friction. And also given the cybersecurity resource shortage
that we keep hearing about, we want to make sure that these platforms are able to communicate with
each other right from the get-go. If you have to require the customers to re-architect their
environment, make a bunch of changes, then it is actually slowing our team sport down. So making sure that we come
together in a unified fashion, expediting our threat detection and response capabilities,
I think that's where the biggest challenge lies. And that's where companies like ExtraHop and
CrowdStrike are coming together to make sure that our focus is always on the adversaries out there.
So we have something called the adversary-focused approach, where we are looking at automatically detecting these threats and making sure we have response capabilities without slowing our customer down.
We'd like to thank Ted Wagner, the CISO at SAP National Security Services,
Jen Reed, the CISO at Aviatrix,
Janani Nagarajan, Head of Product Marketing at CrowdStrike,
and Chase Snyder, Senior Product Marketing Manager at ExtraHop,
for helping us with this topic.
And we'd also like to add a special thanks to ExtraHop for sponsoring the show.
CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe,
where they are co-building the next generation of cybersecurity startups and technologies.
Our senior producer is Jennifer Eiben.
Our executive editor is Peter Kilpe.
And on behalf of my colleague Dave Bittner, this is Rick Howard signing off.
Thanks for listening.