Ep 48 | 11.16.23

Examining the current state of security orchestration.

Transcript

Rick Howard: Hey, everyone. Welcome to "CyberWire-X," a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, N2K's Chief Security Officer, and the CyberWire's Chief Analyst and Senior Fellow. And today we're talking about the current state of security orchestration. After the break, we'll take a deep-dive look at CISO initiatives such as vendor consolidation, automation, attack surface management, and the hot topic of the moment -- how machine learning and large language models might help to achieve both increased security maturity and decreased operational load. Come right back. [ Music ] [ Music ] I'm joined at The CyberWire Hash Table today by Rohit Dhamankar -- he's the Vice President of Product Strategy at Fortra -- and my best friend, Steve Winterfeld, the Advisory CISO at Akamai and a repeat CyberWire Hash Table visitor. I started out by asking Rohit to describe what vendor consolidation is.

Rohit Dhamankar: Well, I think to me the saying that comes to mind is "insecurity world." It's almost becoming -- like, are there too many cooks in the kitchen? Are too many cooks spoiling what is being, you know, delivered? And by that, what I mean is the industry has been evolving in a way where we look at, I would say, each aspect of attack surface, each new technology that comes in the picture, and the idea is let's put a solution around it. So sometimes, like, for example, big evolutions happened when cloud came on. So now there's a whole slew of [inaudible 00:02:01] soup, in fact, of cloud products that are supposed to do cloud security. That's the status of that. Similarly, for the same old problems that we ever had, like, malware has been around for -- what? Twenty, thirty years? Now we have a lot of companies working on wonderful AI and next generation AI and maybe the next next generation to solve that problem. The question really is the amount of, you know, security happenings -- breaches, stolen data -- that has not been stopping. And people have sort of been led into saying, okay, for that problem, go and take that pill. Go and install that solution. And I think now people are asking back, saying, okay, I have, like, forty, fifty tools. A bigger enterprise sometimes when I speak to customers have more than hundred tools, and they're left with, I would say, a small staff that even can't operate the tools and understand what the tools are producing. And so then they are bringing a question back saying -- have we done too many? Is it time for us to go and look for just a few of these and make sure that we can make more meaningful outcomes? Meaningful security outcomes, that is -- actionable outcomes out of those. And I believe that's what people are asking very loudly and people are trying to gravitate more towards that.

Rick Howard: Well, we're all oldtimers here. Right? Especially Winterfeld. Okay? And when we started, you know -- this is back in the '90s, right -- we only -- we all only had three tools. So we could manage it, you know, ourselves. You know, we had intrusion detection. We had firewalls. Probably had some sort of antivirus on the endpoint. Right? But like you said, Rohit, the number of tools that people have managed over the years, that's slowly been creeping up. You said -- what were you saying? Fifty to a hundred different tools? I've heard bigger numbers. Steve, I know you've talked about this. Right? What are you seeing out there when you talk to other CISOs?

Steve Winterfeld: Yeah. And I would -- I would start off with probably my favorite quote that ties right into what he was saying. You know? "Complexity is the enemy of security." Bruce Schneier said that. A lot of people have said that. I've written an article on Security Boulevard. It is -- it is such a ground truth. But we're not operationalizing. And when we look at things like, you know, Panaseer put out a report that the average company of, I think, 500 employees has 76 different tools and growing at 19%. Last year, RSA had 599 speakers and 605 vendors. [ Laughter ] And so it's just -- how am I as a CISO supposed to wade through this and figure out -- which is the right one for me? How to integrate these. You know, we've talked about this before. This -- this shift away from best -- best athlete to best teammate. I love Michael Jordan's quote, "Talent wins a game, but teamwork and intelligence win championships."

Rick Howard: Yeah, the -- I -- I'll tell a story, Rohit. Steve and I both worked at a company together a number of years ago where the -- the predecessor CISO went out and bought all the tools. I mean we had all the cool things. I mean, it was like the kid in the candy store. Right? But he ran out of money before he ran out of resources to buy people with, so we all had -- we had tier I analysts in the SOC, and all those big Ferrari engines of security tool capability were sitting idle because we didn't know how to configure them and make them work for us. So it was so complex that we didn't know how to solve the problem. Right? So -- I don't know -- Steve, what was -- do you remember any of that from back in the day?

Steve Winterfeld: Yeah. And I remember, quickly, we were, like -- we went into, you know, where do we have overlap? Where can we reduce tools? Where can we get rid of technical debt? We had so much technical debt.

Rick Howard: Yeah.

Steve Winterfeld: And -- and just, kind of, shifted away from that because ultimately it does come down to both people, processes, and technology. And I think if you fail at any one of those, it -- the whole thing falls apart.

Rick Howard: Well, I think one of the reasons we're here, Rohit -- Steve mentioned this before, but I'm wondering what your thought is on this. We kind of creeped up on this situation where our environments are so complex. I -- because we -- in the early days, we had this -- this -- I don't know -- we always wanted to have the best of breed product. Right? And some people, you know, they didn't have one product in their networks. They had two or three doing the same thing because they were afraid they didn't have the best pieces. Is that how you see the industry going, too? Is it we all just kind of crept up on it because we wanted the very best tool that was out there?

Rohit Dhamankar: Yeah. I think it's -- it's that whoever propagated the best of breed, you know, I would say, set on words and security, and I think that's where a lot of this thing has begun because you're looking now for, suddenly, you know, best AV. You're looking for best next generation firewall. You're looking for best whatever else is out there. Right? And -- and I think that is what's causing the disaster because the other tendency that this -- our industry specifically has seen and I think Mr. Winterfeld pointed that out very nicely that --

Rick Howard: Mr. Winterfeld. Let's be formal here. Yes. Mr. Winterfeld.

Steve Winterfeld: Some people respect me, Rick. Some people actually respect me.

Rick Howard: Go ahead, Rohit. We interrupted you. Yeah.

Rohit Dhamankar: Oh, that's fine. When you had, like, most speakers around, I'd say -- no, like, more -- sorry, more companies than speakers at RSA, and I think that's kind of -- I mean the evolution of it. And I have come from start-ups. I've come from small start-ups into this industry. I always see that usually you end up having, like, one small problem that, okay, today EDRs are not solving this. Let me make a company around it now. You know? Let me go for the VC funding. And it's, like, one sort of attack vendor out of ten that you're wanting to make a company around, so you kind of hold all of that IP close to your chest, all that whatever the intelligence and the [inaudible 00:08:26] comes with it close to your chest. And you start competing, saying, hey, I differentiate, you know, my product this way. And, lo and behold, that product is born and sometimes it is the best of the breed, that it detects that particular attack vector very well. But then it doesn't work very well with the other tools that you have. It may not share the right data with other tools. It may not create that big picture. That's what many people are looking at and -- and that's how your tool proliferation starts. And then, of course, you have -- there are people -- there are CISOs who think -- sorry, you are a CISO, Mr. Winterfeld.

Rick Howard: It's okay. We're used to being disparaged. Go ahead.

Rohit Dhamankar: I do --

Rick Howard: You're not the first one, Rohit.

Rohit Dhamankar: No, I think that -- I think some of the -- the hard passes is that: a) they were considering themselves cool if they were using this cutting-edge technology. Like, right now there's a lot of hype around AI for instance. Right? So they -- they think that, in order for them to be, sort of, you know, looking and forward-looking and all that, they -- they need to have those best Ferraris out there. Doesn't matter if you don't have driver's. Doesn't matter if you don't have parking garage for it. Doesn't matter if you don't have fuel money for it.

Rick Howard: That's right. Well, and I -- I agree that there's a cool piece to this. But, you know, back in the day, there was a time when we wouldn't even consider bringing in one vendor to solve most of our problems. Right? So we would never pick one security company and say, "Please do everything for us." But, Steve, I wonder if you can talk about the shift in our thinking here is that -- you were mentioning complexity before. We are now choosing less complexity over that kind of trust model.

Steve Winterfeld: Well, yeah. And -- and, you know, as you say, it's -- transformation is driving a lot of this problem. We've transformed off of, you know, our networks, the cloud networks. We've transferred off of servers to serverless and containers. We transferred, you know -- deploying once a year to multiple times a day. This has required new skill sets. This has required new technology. And so, for a while there, it was, like, oh, I need a security tool for this environment.

Rick Howard: Mm-hmm.

Steve Winterfeld: Need a security tool for that. And then, at some point, I spent all of my time in vendor management and integration, and I -- I literally was a vendor manager over a security leader.

Rick Howard: Mm-hmm.

Steve Winterfeld: And so then I was, like, okay, so how do I -- I get back to being security first? And that was where I went back to that "Keep It Simple Stupid" principle -- that KISS principle of -- how do I reduce this to a manageable number? And the way is by platforms. You know, Bernard [assumed spelling] came out with SASE for a while. Then it was SSE and -- and I think those terms caught on for a little while because it followed the trend of we, as leaders, are trying to reduce the complexity, reduce the number of vendors. So I'm changing to a -- a culture of simplicity. You know, I -- for a while, I've worked an organization -- did not fear complexity. And -- and that has operational impacts. It has security impacts. It has cost impacts. Whereas if I focus on -- do I have a current vendor can do that? Do I have a current tool that I can expand its capabilities and cover most of that risk? I -- I think, ultimately, I feel a better security posture with better integration and fewer tools.

Rick Howard: So, Rohit, let me ask you this then because the -- we've seen the emergence or the transformation from the old firewall companies like Cisco and Checkpoint and Juniper and the like. And they just kept adding more services into the box, meaning it's a -- a -- you know, one-stop shop for everything. So it's one approach that we could do. And so I wonder what you think about that and -- and is that something that you see your customers looking at over and over again?

Rohit Dhamankar: So I think if we are, Rick, we are sort of getting out of that box age to some extent. Right? Because the boxes was very much kind of pre-cloud days where people wanted to have your -- beyond the AV, that email security, the firewall, that application security, all in, like, one box. Right? Effectively, I think the -- sort of that new box today, I would say, is platform, where, you know, it's a cloud-based platform where people are bringing a lot of their wares together. And I would say that, even from their -- that perspective, I -- I don't think there will be just, like, one vendor ruling everything in a customer's, you know, environment. But it will not be fifty or hundred. It could be four or five, which are very specialized, and -- and to, again, Mr. Winterfeld laid it out nicely -- at the end of the day for risk reduction. Right? In your attack surface -- do you know what your attack surface looks like? Can you explain that risk to a layman as well as a technical staffer on your team well enough? Is -- did you have that ability either inherently yourself or through some of the dashboards that are provided? And then can you find the appropriate set of vendors who are going to cover that for you? And -- and you can -- you can choose strategy where there -- there may be some overlaps, there are no overlaps, depending on how you find the strength of those vendors. What -- what -- what are they -- what have they been good at? And what do you need to, kind of, you know, have a Plan B in case they miss something. And if you do that well enough, you should be able to have -- I mean, at the end of the day, even to me, the attack surface is, like, six [inaudible 00:14:17] to it. You have your servers. You have your desktops, laptops. And at the end points, you may have, you know, your native cloud infrastructure. Maybe more like the function of a service or a more the platform as a service than you have people who are going to lift and shift in the cloud. You have your network devices, IOD, stuff like that. So there is very finite thing. It's -- I mean, in terms of the categories. And then you need to choose the right things and the right level. First of all, it all boils down to also a business side. How much is your business ready to invest in the security? What's that budget look like, and then how do you optimize between what do you want to spend on tools, what do you want to spend on people? And -- and, you know, how do you want to architect to your processes.

Rick Howard: There's a book by Sounil Yu called Cyber Defense Matrix and kind of explains what you were talking about Rohit, the complexity of the environment. And his thesis is that you -- whatever your strategy is, and he uses the NIST Cybersecurity Framework as the overall strategy, and making sure that you have the right tool in all of the buckets across the matrix. Right? But not too many tools. Right? And make sure there's no overlap. And by -- by the way, find where there's gaps, where you thought you had coverage and you didn't have coverage.

Steve Winterfeld: Or -- or five tools in one category.

Rick Howard: Right. Right.

Steve Winterfeld: Yeah.

Rick Howard: Okay.

Steve Winterfeld: And so there -- I have -- I have -- you know, I've -- I've overcalculated that risk. I need to -- I can get rid of two or three of those. You and I have talked about using the MITRE ATT&CK frame, those -- those, you know, attack sequence in a similar, you know, way to -- to take advantage of that framework concept. I think either one of those work. It's a great analytical tool to say -- do I have a broad and appropriate level of coverage? The other thing that he mentioned there was risk. And --

Rick Howard: Mm-hmm.

Steve Winterfeld: -- and, you know, you talked a lot about reducing the probability of material impact due to cyber event over the next three years. Pick your period of time. Pick your -- you know, material impact, but -- but I think if you come back to a couple core things like that and then tag on a goal of reducing complexity, I think that's enough to start to operationalize this --

Rick Howard: Yup.

Steve Winterfeld: -- and that's when you start looking for the partners that can help you do those things.

Rick Howard: Well, Rohit, let me bring it back to you, because Steve mentioned SASE and SSE, kind of brothers and sisters of technology architecture. He and I may disagree about the importance of that. I think it's -- I think it's the thing that we're all going to move to at some point. However, it is now on its way down the trough of disillusionment. We were all very hyped about it in the first couple of years, but we found out how hard it is, but I expect it will slowly move up the slope of enlightenment. This is all terms from Gartner and how they describe technology. I expect to see that in three or four years. And -- and what that -- what SASE and SSE is -- are -- is -- I don't know grammar. Okay? That's -- we'll just go from there. All right. But it's a complexity reduction engine. Okay? We give all the complexity to some vendor. Right? And all we do is manage the policy wherever our devices are. And I'm -- are you thinking that's a -- a good solution for us, Rohit?

Rohit Dhamankar: Yeah. I -- I think -- I -- I mean, I even double down on the policy perspective because the SASE, SSE, you know, tacking on -- especially, you know, a lot of the edge devices and how they kind of come in. How can you apply, like, zero trust models. How can you apply --

Rick Howard: Right.

Rohit Dhamankar: -- a whole bunch of other cybersecurity hygiene to that. But where I would double down is this -- is this policy business. Right? Like, in general, if the products that we are working with are well orchestrated, where something happening in one product is able to trigger a policy in the other, like, for example, let's say, for a second, you have a train security product where somebody was sending a phishing email, a user gets phished. Right? If you are able to then, you know, go out and say, okay, you know, tell your SOC that this user has gotten phished. I think this user is more risky. Look at all his emails or whatever coming out more carefully -- find more carefully than it normally would do because these are the kinds of risks. If -- if similar kind of policies are automatically transferred across products and they're easy to write, not complex, not geeky. You know, like, [inaudible 00:18:54] or XML or whatever the format, that's what, I think, will kind of tie everything together. So I -- I think that common policy framework and a rich policy framework of that would be, sort of, cornerstone of whatever we are doing next in terms of consolidation.

Rick Howard: So, Steve, I may go to you. That's -- so one -- one idea here is a move to consolidation platforms of some form. That's one way we could do it. The other way we could do it, Steve, is through automation. All right? Through an extended project to reduce the coil of all the -- the technical debt that we have. I wonder if you could talk to that a bit, you know, and what -- what's the state of dev ops and dev sec ops in our industry now?

Steve Winterfeld: Certainly. And, again, some of these -- you know, we talked about SASE and I think, you know, the disillusionment comes because of the buzzword bingo with vendors. And -- and these are other terms that are -- are so abused. You know, we have automation. We have AI. And AI now -- some people call, you know, large language models versus machine learning versus, you know, movement. And they treat it all the same. And -- and what you just talked about, you know, dev ops versus dev sec ops. If the three of us define dev sec ops, we'd have at least four definitions. So as we look at all this, it is absolutely imperative, 'cause the skills and the speed and the scale can only be met through leveraging the technology. Again, it goes back to most of this, I think, should support people. Most of this should be developed after we have our process to implement our process. But then it absolutely -- you know, if there is two steps in my doing an investigation in the security operations center, those should be automated. When the ticket pulls up, those should already be filled in. You know, if -- if I'm doing an investigation and we have a private large language model, you know, generative AI to -- to help me do -- my threat intelligence team do rapid, you know, understanding of something, or policy development based on our internal documentation, the machine learning and deep learning algorithms are critical to move at cyberspeed. I think all of these are critical to our future and need to be part of our skillset as leaders to understand when and how to leverage things.

Rick Howard: Well, you -- you mentioned filling in our security podcast bingo card. It wouldn't be a podcast about cybersecurity if we didn't talk about artificial intelligence. So, Rohit, I think all of us agree that, you know, machine learning and large language models have all this potential to help us here but, you know, we all have reservations. Our own experience has been, you know, it's pretty good but not quite good enough yet. So, I don't know, what do you think about that, Rohit?

Rohit Dhamankar: Well, I have always viewed, you know, AI or ML more as an aid for cybersecurity -- a strong ally, a strong aid. And I am completely baffled when a lot of people end up saying, "Well, AI is going to solve all the problems of the world." And they say that --

Rick Howard: Yes! Of course it is!

Rohit Dhamankar: Unfortunately --

Steve Winterfeld: No, no, no! Let's be clear. My AI -- the AI I'm going to sell to you is --

Rick Howard: Yeah. Yeah. That's true.

Rohit Dhamankar: -- differentiated AI will solve all the problems. Right?

Rick Howard: Yeah. My differentiated AI. Yeah.

Rohit Dhamankar: Well, so -- but I think that -- and -- and you're seeing some of these effects. Right? I mean, AI or ML -- I mean, as I say, these days when I -- a child -- a sixth-grader learning equation of a line as y equals mx plus c. That's the equation of a straight line. And it's -- even that is AI these days, statistically or whatever it is you did. You know, if your computer just a standard deviation now, it's called machine learning. Right?

Rick Howard: Yeah.

Rohit Dhamankar: Those definitions there, I have seen a lot of, you know, challenging problems, especially, you know, looking at anomalies and things like that. And ML has been great at it. But, again, all of those have to be dealt as, again, Winterfeld was saying about filling out steps in the process so AI can generate something. And I'll give you an example. Like, I see a lot on the news, these new EDR tools. It says this file is potentially malicious and the risk taking is 70%. And if you happen to be a SOC of that company, or if you happen to be a general SOC provider, you don't know what to do with 70%. You are not going to block all of it. You're not going to sort of say, okay, this file is bad and I'm going to delete it. And you can't -- you don't know -- you can't quantify that that's so bad, then you are trying to do, and that's how a lot of automation comes in. Right? Is saying, okay, what are the -- what is the context I can build in that environment around this file. You know? Do I have more pointers? Do I have external pointers around the file because somebody else in the world knows about it. And I believe that all of that information we can get through various techniques, including gen -- gen AI, for instance. You know? And I think once you have all of that pulled together, you still will need in some chance the human mind to kind of say, okay, this signal here is the most dominant. This is the least dominant and you have to make sure that I make a decision based on all of these factors, and maybe that can then further can be qualified into the AIs through channel. But it's -- it needs that process. Just single, I would say, applications of AI in -- in, again, in different areas of cybersecurity, algorithms produce some more haphazard outcomes that are not, again, well correlated. One can capsulize and that just increases more noise in terms of any further problems.

Rick Howard: That's my current state, too. I -- you know, I just don't trust it yet. You know, I've had so many experiences just with the early models here that they give you a partial answer and then -- and then information that's not true at all. All right? And so you definitely can't turn it on and just let it go. So we're not there yet. But, Steve, I'm wondering if you want to put your -- you know, look into your crystal ball, do you see this being solved anytime soon? Or -- I won't -- I won't make you talk about history, but we'll make you talk about future stuff.

Steve Winterfeld: Well, I won't talk about history, but a recent example was the first generation of SIMS. You know, the security net management tools. And that was just -- I felt like it was a device to just let you watch incidents scroll off the screen. You know? It -- it was something we needed. It's something that took some time and maturity. I think we're in a similar process now. We're early days. I think the potential there is if we look at some of the pros and cons, you know, the pros are we need something to help us with the speed and scale of -- of some of the tasks we're doing. We need something to help our research become more effective and efficient, especially with big data where we're querying a lot of things. And we need -- we don't need a Google search. We need contextual search. And I think a lot of the private initial queries into generative AI are helping with that. We need responsive to malware and some of the machine learning stuff is helping us to, on the fly through learning, help respond to malware. And so all of this is absolutely needed. It's early days. It's, you know, for the more mature shops, it's where we should be. The cons are real, too. I mean, we saw data still with code on a large language model. We've seen, you know, OWASP put out a -- a large language model top ten threats because there are attacks against the actual, you know, large language model itself. The audibility of both machine learning and large language models is scary. We have to be able to say how we got there. You know, there are biases that could come through depending on how you're using it that are unacceptable. And, finally, the -- having the skill and the staffing to leverage these correctly -- if you would have told me there was a title of Prompt Engineer a couple of years ago, I would have -- I wouldn't have believed you. And yet there's a job out there now. So I think we're early days, but actually we need to be engaged. We need to be, as leaders, figuring out when and how to leverage this. The trick is -- how fast to go into this. How much to invest early.

Rick Howard: So I'm going to characterize what Steve just said as hopeful which is, you know, not usual -- not usually what he comes up with around here. So, Rohit, I'm wondering if you -- you agree with him or not.

Rohit Dhamankar: No, I think -- I mean, I do agree from -- from the standpoint we do need something that covers, I would say constantly, evasive, you know, tactics in the security industry. And, again, as you can see, the cat and the mouse game continues. Right? Like -- so people were doing a lot of evasion, so now we said, okay, let's detect potential AI email. And as Winterfeld said, I have seen now lots of -- in fact, even there were talks about it, say for instance, on how defeat the AI email models. So the adversary is already thinking the next time. So you probably have to then think of, you know, the counter to that. And so that's kind of -- so, again, and you will see all the -- the funny part about security, I think, I would say is that once something gets on the security track, it never leaves it. So you still have people who are probably running some version of Windows XPR there [inaudible 00:28:48] -- -- and -- and -- and it's not a joke. It's -- I have heard of some -- you know, like, production environments that are still running very old version of Windows. From there, you have --

Rick Howard: You can see that in airports still. You know, the NT crashes that in -- You know, so -- so --

Rohit Dhamankar: -- so all the different, to, you know, -- in some ways trying to defeat a new AI model for something else. You know? So it's -- it's all that.

Rick Howard: So we're at the end of this. So I'm going to come to both of you for last words about this topic. My summary of what we just talked about is we all agree that the environments we operate in are fairly complex. Instead of going to more tools to solve individual problems, we're looking for orchestration ideas that will reduce complexity and -- and do a good enough job that will allow us to do our -- our jobs for us. Steve, what's your last word there?

Steve Winterfeld: Yeah. I think culture each strategy for breakfast. I think we need a culture of avoiding complexity, moving away from complexity.

Rick Howard: Rohit? Last word to you, sir.

Rohit Dhamankar: Well, choose your vendors wisely. Consolidate them and automate the heck out of it for what you can.

Rick Howard: We'd like to thank Rohit Dhamankar, Fortra's VP of Product Strategy, and Steve Winterfeld, the Advisory CISO at Akamai, for helping us get our arms around these latest developments in security orchestration. And, most importantly, we'd like to thank Fortra for sponsoring the show. This has been a production of the CyberWire and N2K, and we feel privileged that podcasts like "CyberWire-X" are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment -- people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben. Our sound engineer is Tre Hester. And I'm Rick Howard. Thanks for listening.