CyberWire Daily - Encore: Examining the current state of security orchestration. [CyberWire-X]

Episode Date: January 15, 2024

In this encore episode of CyberWire-X, N2K's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined by guest Rohit Dhamankar, Fortra's Vice President of Product Strategy, and Hash Table member Steve Winterfeld, Akamai's Advisory CISO, to discuss CISO initiatives such as vendor consolidation, automation, and attack surface management as a way to determine if it's possible to achieve both increased security maturity and decreased operational load. This session covers common mistakes when adopting security technologies, including the pros and cons of AI, and how to better collaborate together.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hey, everyone. Welcome to Cyber Wire X, a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, N2K's Chief Security Officer and the Cyber Wire's Chief Analyst and Senior Fellow. And today, we're talking about the current state of security orchestration. After the break, we'll take a deep dive look at CISO initiatives such as vendor consolidation, automation, attack surface management, and the hot topic of the moment, how machine learning and large language models might help to achieve both increased security maturity and decreased operational load. Come right back.
Starting point is 00:01:12 The cybersecurity landscape is full of single-solution providers, making it easy for unexpected cyber threats to sneak through the cracks. That's why Fortra is creating a stronger, simpler strategy for protection, one that increases your security maturity while decreasing the operational burden that comes with it. This is all possible thanks to Fortra's best-in-class portfolio and deep bench of expert problem solvers. Fortra's integrated, scalable solutions help customers face their toughest challenges with confidence. Learn more at fortra.com. I'm joined at the CyberWire hash table today by Rohit Dhamankar. He's the Vice President of Product Strategy at Fortra, and my best friend, Steve Winterfeld, the Advisory CISO at Akamai
Starting point is 00:02:03 and a repeat CyberWire hash table visitor. I started out by asking Rohit to describe what vendor consolidation is. I'm joined today by Rohit Dhamankar. He's the vice president of product strategy at Fortra, and Steve Winterfeld, the advisory CISO at Akamai. And we're here today to talk about recent developments in vendor consolidation, automation, and attack surface management to see if it's possible to achieve both increased security maturity
Starting point is 00:02:33 and decreased operational load. So in other words, is security orchestration getting any easier? So Rohit, let's start with you. Can you describe what this idea of vendor consolidation is? Well, I think to me, the saying that comes to mind is in security world, it's almost becoming like, are there too many cooks in the kitchen? Are too many cooks spoiling what is being delivered?
Starting point is 00:03:02 And by that, what I mean is the industry has been evolving in a way where we look at, I would say, each aspect of a dark surface, each new technology that comes through the picture. And the idea is, let's put a solution around it.
Starting point is 00:03:21 So sometimes, like for example, big evolutions happen, like cloud came up. So now there's a whole slew of acronym soup, in fact, of cloud products that's supposed to do cloud security. That's the status of that. For the same old problems that we have had, like malware has been around for, what, 20, 30 years? Now we have a lot of companies who are claiming on wonderful AI and next-generation and maybe the next generation to solve that problem. The question really is the amount of security happenings, breaches, stolen data that has not been stopping.
Starting point is 00:04:00 And people have sort of been led into saying, okay, for that problem, go and take that pill, go and install that solution. And I think now people are asking back saying, okay, I have like 40, 50 tools, a bigger enterprise sometimes when I speak to customers, have more than 100 tools and they're left with, I would say, a small staff that even can operate the tools and understand what the tools are producing. And so then they are taking a question back saying, have we done too many? Is it time for us to go and look for just a few of this and make sure that we can make more meaningful outcomes, meaningful security outcomes, that is actionable outcomes out of those. And I think that's what people are asking very loudly
Starting point is 00:04:50 and people are trying to gravitate more towards that. Well, we're all old timers here, right? Especially Winterfeld, okay? And when we started, you know, this is back in the 90s, right? We all only had like three tools. So we could manage it, you know, ourselves. You know, we had intrusion detection.
Starting point is 00:05:10 We had firewalls. Probably had some sort of antivirus on the endpoint. All right. But like you said, Rohit, the number of tools that people have managed over the years, that's slowly been creeping up. You said, what were you saying, 50 to 100 different tools? I've heard bigger numbers. Steve, I know you've talked about this, right? What are you seeing out there when you talk to other CISOs? Yeah, and I would start off with probably my favorite quote that ties right into
Starting point is 00:05:35 what he was saying. Complexity is the enemy of security. Bruce Schneier said that. A lot of people have said that. I've written an article on Security Boulevard. It is such a ground truth, but we're not operationalizing it. And when we look at things like, you know, Panaseer put out a report that the average company of, I think, 500 employees has 76 different tools growing at 19%. Last year, RSA had 599 speakers and 605 vendors. And so it's just, how am I as a CISO supposed to wade through this and figure out which is the right one for me, how to integrate these. You know, we've talked about this before, this shift away from best athlete to best teammate.
Starting point is 00:06:34 I love Michael Jordan's quote, talent wins games, but teamwork and intelligence win championships. Yeah, I'll tell a story, Rohit. Steve and I both worked at a company together a number of years ago where the predecessor CISO went out and bought all the tools. I mean, we had all the cool things. I mean, it was like a kid in a candy store, right? But he ran out of money before he ran out of resources to buy people with. So we all had, we had tier one analysts in the SOC and all those big Ferrari engines of security tool capability were sitting idle because we didn't know how to configure them and make them work for us. So it was so complex
Starting point is 00:07:14 that we didn't know how to solve the problem. And so, I don't know, Steve, what was your, do you remember any of that from back in the day? Yeah, and I remember quickly, we were like, we went into, you know, where do we have overlap? Where can we reduce tools? Where can we get rid of technical debt? We had so much technical debt. And just kind of shifted away from that because ultimately it does come down to both people, processes, and technology. And I think if you fail at any one of those, the whole thing falls apart.
Starting point is 00:07:48 Well, I think one of the reasons we're here, and Rohit, Steve mentioned this before, but I'm wondering what your thought is on this. We kind of creeped up on this situation where our environments are so complex. Because in the early days, we had this, I don't know, we always wanted to have the best of breed product, right? And some people, you know, they didn't have
Starting point is 00:08:06 one product in their networks. They had two or three doing the same thing because they were afraid they didn't have the best pieces. Is that how you see the industry going to? Is it we all just kind of crept up on it because we wanted the very best tool that was out there? Yeah, I think it's that whoever propagated
Starting point is 00:08:22 the best of breed, you know, I would say, set on words and security. And I think that's where a lot of this thing has begun because you're looking now for suddenly, you know, best 80. You're looking for best next generation firewall. You're looking for best whatever else out there, right?
Starting point is 00:08:40 And I think that's what is causing a disaster because the other tendency that our industry specifically has seen, and I think Mr. Winterfeld pointed that out very nicely. Mr. Winterfeld, let's be formal here. Yes, Mr. Winterfeld. Some people respect me, Rick. Some people actually respect me. Go ahead, Rohit. We interrupted you. Well, that's fine. When you had more speakers at RSA,
Starting point is 00:09:08 more companies than speakers at RSA, and I think that's kind of the evolution of it. And I have come from startups. I've come from small startups into this industry. And I always see that usually you end up having one small problem. That, okay, today EDRs are not solving this. Let me make a company around it now.
Starting point is 00:09:28 You know, let me go for the VC funding. And it's like one sort of attack vector out of 10 that you're wanting to make a company around. So you kind of hold all of that IP close to your chest, all that, whatever the threat intelligence, any algorithms very close to your chest, and you start competing saying, hey, I differentiate my product this way. And lo and behold, that product is gone. And sometimes it is the best of the breed
Starting point is 00:09:53 that it detects that particular attack vector very well. But then it doesn't work very well with the other tools that you have. It may not share the right data with other tools. It may not create that big picture. That's what many people are looking at. And that's how your tool proliferation starts. And then, of course, you have, there are people, there are CISOs who think,
Starting point is 00:10:14 sorry, you are a CISO, Mr. Winterfeld. It's okay. We're used to being disparaged. Go ahead. You're not the first one, Rohit. No, I think some of the best thought process is that they would consider themselves cool if they're using these cutting-edge technologies. Like right now, there's
Starting point is 00:10:36 a lot of hype around AI, for instance. They think that in order for them to be looking and forward-looking and all that, they need to have those best Ferraris out there. It doesn't matter if you don't have drivers. It doesn't matter if you don't have parking garages for it. It doesn't matter if you don't have fuel money for it.
Starting point is 00:10:54 Well, and I agree that there's a cool piece to this, right? But, you know, back in the day, there was a time when we wouldn't have even considered bringing in one vendor to solve most of our problems. So, we would never pick one security company and say, please do everything for us. But Steve, I wonder if you can talk about the shift in our thinking here is that you were mentioning complexity before. We are now choosing less complexity over that kind of trust model. Well, yeah. And, you know, as you're saying, transformation is driving a lot of this problem. We've transformed off of, you know, our networks to cloud networks. We've transferred off of servers
Starting point is 00:11:35 to serverless and containers. We've transferred, you know, deploying once a year to multiple times a day. This has required new skill sets. This has required new skill sets. This has required new technology. And so for a while there, it was like, oh, I need a security tool for this environment. I need a security tool for that.
Starting point is 00:11:57 And then at some point, I spent all of my time in vendor management and integration. And I literally was a vendor manager over a security leader. And so then I was like, okay, so how do I get back to being security first? And that was where I went back to that keep it simple, stupid principle, that KISS principle of how do I reduce this to a manageable number? And the way is by platforms. You know, Gartner came out with SASE for a while, and then it was SSE.
Starting point is 00:12:30 And I think those terms caught on for a little while because it followed the trend of we as leaders are trying to reduce the complexity, reduce the number of vendors. So I'm changing to a culture of simplicity. You know, for a while, I've worked in an organization that did not fear complexity.
Starting point is 00:12:51 And that has operational impacts. It has security impacts. It has cost impacts. Whereas if I focus on, do I have a current vendor can do that? Do I have a current tool that I can expand its capabilities and cover most of that risk? I think ultimately, I feel a better security posture with better integration
Starting point is 00:13:15 and fewer tools. So, Rohit, let me ask you this then, because we've seen the emergence or the transformation from the old firewall companies like Cisco and Check Point and Juniper and the like, and they just kept adding more services into the box, meaning it's a one-stop shop for everything. So it's one approach that we could do. So I wonder what you think about that, and is that something that you see your customers
Starting point is 00:13:44 looking at over and over again? So I think, first of all, Rick, we are sort of getting out of that box age to some extent, right? Because the box age was very much kind of pre-cloud days where people wanted to have their AV, their email security, their firewall, their application security, all in like one box, right? Effectively, I think the sort of that new box today,
Starting point is 00:14:09 I would say is platform where, you know, it's a cloud-based platform where people are bringing a lot of their wares together. And I would say that even from that perspective, I don't think there will be just like one vendor ruling everything in a customer's environment, but it will not be 50 or 100. It could be four or five, which are very specialized.
Starting point is 00:14:36 And to, again, Mr. Winterfeld laid it out nicely. At the end of the day, it's risk reduction, right? In your attack surface. Do you know what your attack surface looks like? Can you explain that risk to a layman as well as to a technical staff on your team well enough?
Starting point is 00:14:53 Do you have that ability either inherently yourself or through some of the dashboards that are provided? And then can you apply the appropriate set of vendors who are going to cover that for you? And you can choose strategy. There may be some overlaps, there are no overlaps,
Starting point is 00:15:08 depending on how you find the strength of those vendors. What have they been good at? And what do you need to kind of, you know, have a plan B in case they miss something? And if you do that well enough, you should be able to have,
Starting point is 00:15:21 I mean, at the end of the day, even today, the attack surface has like six components to it. You have your servers, you have your desktops, laptops, end of the endpoints. You may have your native cloud infrastructure, maybe more like
Starting point is 00:15:35 the function as a service or more the platform as a service. Then you have people who are going to lift and shift in the cloud. You have your network devices, IoT, stuff like that. So there is very finite thing, I mean, in terms of the category. And then you need to choose the right things and the right level. First of all, it all boils down to also your business side.
Starting point is 00:15:56 How much is your business ready to invest in the security? What's that budget look like? And then how do you optimize between what you want to spend on tools, what you want to spend on people, and how do you want to architect your processes? There's a book by Sounil Yu called Cyber Defense Matrix, and it kind of explains what you were talking about, Rohit, the complexity of the environments. And his thesis is that whatever your strategy is, and he uses the NIST cybersecurity framework as the overall strategy, and making sure that you have the right tool in all the buckets across the matrix, right?
Starting point is 00:16:32 But not too many tools, right? And make sure there's no overlap. And by the way, find where there's gaps, where you thought you had coverage and you didn't have coverage. Or five tools in one category. Right, right. And so there I have, you know,
Starting point is 00:16:48 I've over-calculated that risk. I need to, I can get rid of two or three of those. You and I have talked about using the MITRE ATT&CK frame, those, you know, ATT&CK sequences in a similar, you know, way to take advantage of that framework concept. I think either one of those work. It's a great analytical tool to say, do I have a broad and appropriate level of coverage?
Starting point is 00:17:15 The other thing that he mentioned there was risk. And you've talked a lot about reducing the probability of material impact due to a cyber event over the next three years. Pick your period of time. Pick your, you know, material impact. But I think if you come back to a couple core things like that and then tag on a goal of reducing complexity, I think that's enough to start to operationalize this. And that's when you start looking for the partners that can help you do those things. Well, Rohit, let me bring it back to
Starting point is 00:17:49 you because Steve mentioned SASE and SSE, kind of brothers and sisters of technology architecture. He and I may disagree about the importance of that. I think it's the thing that we're all going to move to at some point. However, it is now on its way down the trough of disillusionment. We were all very hyped about it in the first couple of years, but we found out how hard it is. But I expect that it will slowly move up the slope of enlightenment. These are all terms from Gartner and how they describe technology. I expect to see that in three or four years.
Starting point is 00:18:20 And what SASE and SSE are is, I don't know grammar, okay, that's, we'll just go from there, all right, but it's a complexity reduction engine, okay. We give all the complexity to some vendor, right, and all we do is manage the policy wherever our devices are. Are you thinking that's a good solution for us, Rohit? Yeah, I think, I mean, I will double down on the policy perspective because the SASE, SSE are, you know, tackling on, especially in a lot of the edge
Starting point is 00:18:53 devices and how they kind of come in, how can you apply like zero trust models, how can you apply a whole bunch of other cyber security hygiene to that. But where I would double down is this policy business, right? Like, in general, if the products that we are working with are well orchestrated,
Starting point is 00:19:14 where something happening in one product is able to trigger a policy in the other, like, for example, like I said for a second, you have a trained security product where somebody, you send a phishing email, a user gets phished, right? If you are able to then go out and say, okay, tell your staff that this user has gotten phished, I think this user is more risky, look at all his events or whatever coming out,
Starting point is 00:19:41 you have to be more careful, far more careful than you normally would do because he's at a chance of risk. If similar kind of policies automatically translate across products and they're easy to write, not complex, not geeky, you know, like JSON or XML or whatever other formats,
Starting point is 00:20:01 that's what I think will kind of tie everything together. So I think that common policy framework and a rich policy framework of that would be sort of cornerstone of whatever we are doing next in terms of consolidation. So Steve, let me go to you. So one idea here is a move to consolidation platforms of some form.
Starting point is 00:20:20 That's one way we could do it. The other way we could do it, Steve, is through automation, all right? Through an extended project to reduce the toil of all the technical debt that we have. I wonder if you could talk to that a little bit, you know, and what's the state of DevOps
Starting point is 00:20:37 and DevSecOps in our industry now? Certainly. And again, some of these, you know, we talked about SASE, and I think, you know, the disillusionment comes because of the buzzword bingo with vendors. And these are other terms that are so abused. You know, we have automation.
Starting point is 00:20:56 We have AI. And AI now, some people call large language models versus machine learning versus, you know, movement. And they treat it all the same. And what you just talked about, you know, DevOps versus DevSecOps, if the three of us defined DevSecOps, we'd have at least four definitions. So as we look at all of this, it is absolutely imperative because the skills and the speed and the scale can only
Starting point is 00:21:28 be met through leveraging the technology. Again, it goes back to most of this, I think, should support people. Most of this should be developed after we have our process to implement our process. But then it absolutely, you know, if there is two steps in my investigation in the security operations center, those should be automated. When the ticket pulls up, those should already be filled in. You know, if I'm doing an investigation
Starting point is 00:22:00 and we have a private large language model, you know, generative AI, to help me do, my threat intelligence team do rapid, you know, understanding of something or policy development based on our internal documentation. The machine learning and deep learning algorithms are critical to move at cyber speed. I think all of these are critical to our future
Starting point is 00:22:25 and need to be part of our skill set as leaders to understand when and how to leverage these. Well, you mentioned filling in our security podcast bingo card. It wouldn't be a podcast about cybersecurity if we didn't talk about artificial intelligence. So, Rohit, I think all of us agree that, you know, machine learning and large language models have all this potential to help us here. But, you know, we all have reservations. Our own
Starting point is 00:22:52 experience has been, you know, it's pretty good, but not quite good enough yet. So, I don't know. What do you think about that, Rohit? Well, I have always viewed, you know, AI or ML more as an aid for cybersecurity, a strong ally, a strong aid. And I am completely baffled when a lot of people end up saying, AI is going to solve all the problems of the world. And they say that. Yes, of course it is. Of course it's going to solve all the problems. No, no, no, let's be clear.
Starting point is 00:23:22 My AI, the AI I'm going to sell you is going to solve the problems. Yeah, yeah, that's true. My differentiated AI will solve all the problems, right? My differentiated AI, yeah. And you are seeing some of these effects, right? I mean, AI or ML, I mean, as I say, these days when I tell a six-grader learning equation of a line as y equals nx plus c,
Starting point is 00:23:46 that's the equation of a straight line. And I said, even that is AI these days. So everything is AI, statistically or whatever. If you did, if you computed just a standard deviation, now it's called machine learning, right? So if you don't take those definitions, where I have seen a lot of challenging problems, especially looking at anomalies and things like that, and ML has been great at it.
Starting point is 00:24:12 But again, all of those have to be dealt. And as, again, Ritrafer was saying about filling out steps in the process. So AI can generate something. And I'll give you an example. I see a lot of in these new EDR tools, it says this file is potentially malicious
Starting point is 00:24:31 and the risk rating is 70%. And if you happen to be a SOC of that company, or if you happen to be a general SOC provider, you don't know what to do with 70%. You are not going to
Starting point is 00:24:43 block all of it. You're not going to sort of say, okay, this file is bad and I'm going to delete it. You can't quantify that. So what you're trying to do, and that's where a lot of automation comes in, is saying, okay, what is the context I can build in that environment around this file?
Starting point is 00:24:59 Do I have more pointers? Do I have external pointers around this file? Does somebody else in the world know about it? And I would believe that all of that information we can get through various techniques, including Gen AI, for instance. And I think once you have all of that pulled together, you still will need, in some sense,
Starting point is 00:25:20 the human mind to kind of say, okay, this signal here is the most dominant, this is the least dominant, and make sure that I make a decision based on all of these factors. And maybe that can then further be codified into AI through channel. But it needs that process.
Starting point is 00:25:37 Just single, I would say, applications of AI in, again, in different areas of cybersecurity, I hope to just produce some more haphazard outcomes that are not, again, well correlated, well contextualized, and that just increases more noise and results in many further problems. That's my current state, too. You know, I just don't trust it yet.
Starting point is 00:26:00 I've had so many experiences just with the early models here that they give you a partial answer and then information that's not true at all, right? And so, you definitely can't turn it on and just let it go. So, we're not there yet. But Steve, I'm wondering if you want to put your, you know, look into your crystal ball. Do you see this being solved anytime soon? Or I won't make you talk about history, but we'll make you talk about future stuff. Well, I won't talk about history, but a recent example was the first generation of SIEMs,
Starting point is 00:26:30 you know, the security event management tools. Felt like it was a device to just let you watch incidents scroll off the screen. It was something we needed. It's something that took some time and maturity. I think we're in a similar process now. We're early days. I think the potential there is if we look at some of the pros and cons, you know, the pros are we need something to help us with the speed and scale of some of the tasks we're doing.
Starting point is 00:26:58 We need something to help our research become more effective and efficient, especially with big data where we're querying a lot of things. And we don't need a Google search, we need contextual search. And I think a lot of the private initial queries in generative AI are helping with that. We need responsive to malware
Starting point is 00:27:19 and some of the machine learning stuff is helping us to on the fly through learning help respond to malware. And so all of this is absolutely needed. It's early days. It's, you know, for the more mature shops, it's where we should be. The cons are real, too. I mean, we saw data spill of code on a large language model.
Starting point is 00:27:48 We've seen OWASP put out a large language model top 10 threats because there are attacks against the actual large language model itself. The auditability of both machine learning and large language models is scary. We have to be able to say how we got there. There are biases that could come through depending on how you're using it that are unacceptable. And finally, having the skill and the staffing to leverage you correctly. If you would have told me there was a title of prompt engineer a couple years ago, I wouldn't have believed you. And yet, there's a job out there now. So, I think we're early days, but actually we need to be engaged. We need to be, as leaders, figuring out when and how to leverage this.
Starting point is 00:28:29 The trick is how fast to go into this, how much to invest early. So I'm going to characterize what Steve just said as hopeful, which is, you know, not usually what he comes up with around here. So Rohit, I'm wondering if you agree with him or not. No, I think, I mean, I do agree from the standpoint. We do need something that covers, I would say, constantly evasive,
Starting point is 00:28:52 you know, tactics in the security industry. And again, as you can see, the cat and the mouse game continues, right? Like, so people were doing a lot of evasion. So now we said, okay, let's detect them through AI ML. And as Winterfeld said, I have seen now
Starting point is 00:29:06 lots of, in fact, even there were talks at RLC, for instance, on how to defeat the AI ML model. So the adversary is always thinking the next step.
Starting point is 00:29:14 So you probably have to then think of, you know, the counter to that. And so that's kind of, again, and you will see all, the funny part
Starting point is 00:29:23 about security, I think I would say, is that once something gets on the security track, it never leaves it. So you still have people who are probably running some version of Windows XP out there who are still vulnerable maybe to, you know, a lot of the pull runs from the past.
Starting point is 00:29:39 And it's not a joke. I have heard of some, you know, like production environments that are still running very old version of Windows. You can see that in airports still. The NT crashes. So all the different to today's world when somebody is trying to defeat a new AI
Starting point is 00:29:55 model for something else. So it's all there. So we're at the end of this. I'm going to come to both of you for last words about this topic. My summary of what we just talked about is we all agree that the environments we operate in are fairly complex. And instead of going for more tools to solve individual problems, we're looking for orchestration ideas that will reduce complexity and do a good enough job that will allow us to do our jobs for us. Steve, what's your last word there? Yeah, I think culture eats strategy for breakfast.
Starting point is 00:30:32 I think we need a culture of avoiding complexity, moving away from complexity. Rohit, last word to you, sir. Well, choose your vendors wisely, consolidate them, and automate the heck out of it for what you can. We'd like to thank Rohit Dhamankar, Fortra's VP of Product Strategy, and Steve Winterfeld, the Advisory CISO at Akamai, for helping us get our arms around these latest developments in security orchestration. And most importantly, we'd like to thank Fortra for sponsoring the show. This has been a production of the CyberWire and N2K, and we feel privileged that podcasts like CyberWireX are part of the daily intelligence routine of many of the most
Starting point is 00:31:22 influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben. Our sound engineer is Trey Hester, and I'm Rick Howard. Thanks for listening.