
Defense in Depth: Promises of Automation

Automation was supposed to make cybersecurity professionals’ lives simpler. And it was supposed to solve the talent shortage. Has any of that actually happened?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Brian Lozada (@brianl1775), CISO, HBOMax.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to this week’s sponsor, deepwatch

Increasing ransomware attacks and their evolving sophistication have been putting more pressure on security teams than ever before. Luckily, managed detection and response (or MDR) has emerged as a critical component for improving security operations, reducing ransomware risk, and minimizing the overall impact an attack can have. Visit deepwatch.com to see how we help to prevent breaches for our customers, by working together.

Full Transcript

David Spark

Automation was supposed to make cybersecurity professionals’ lives simpler. And it was supposed to solve the talent shortage. Has any of that actually happened?

Voiceover

You’re listening to Defense in Depth.

David Spark

Welcome to Defense in Depth, my name is David Spark, I’m the Producer of the CISO Series and joining me for this very episode is Geoff Belknap, the CISO of LinkedIn. And if you were to stumble into him just walking down the street, he might sound like this.

Geoff Belknap

Hey get out of my way, I’m walking here.

David Spark

That’s exactly what he would say.

Geoff Belknap

But also I might say, and this would be really strange if we ran into you on the street, welcome to another episode of Defense in Depth.

David Spark

Yes, that would be very bizarre if you said that. I’ll tell you a quick story. I may have mentioned this on the show before. I have a friend who I used to work with who’s a tech journalist himself by the name of Patrick Norton, worked at ZDTV which later became TechTV and he went on to do podcasts with Ziff Davis. I was literally listening to him in a podcast on my iPod, so that gives you an idea of how long ago it was, as I’m walking down the streets of San Francisco and I ran into him, while I was listening to him.

Geoff Belknap

That’s a very San Francisco story, I feel.

David Spark

Yes, very much so. Our sponsor for today’s episode is deepwatch, advanced managed detection and response to secure the distributed enterprise. More about that later in the show. Alright now, Geoff, former co-host of this very show, Allan Alford, who is the CISO at TrustMAPP and has his own show, the Cyber Ranch Podcast, started a discussion on the promises of automation. In essence, we were sold that this was going to reduce headcount and it would simplify our lives like the Jetsons. But as we’ve reported before on the CISO Series, it’s actually done the opposite. Companies that want to add automation need to increase headcount to get the right talent that knows how to set up automation. Geoff, are you disappointed with what automation has delivered or do you see automation in a very different light?

Geoff Belknap

I’m not disappointed by what automation has delivered, but I think I have taken a very realistic view of what automation could do. Which is make smart humans able to make faster decisions, make better decisions. I think the Jetsons view of the world is really unrealistic but would be great if we could get there.

David Spark

It would be awesome. I’d love to press a button and have everything happen.

Geoff Belknap

Yeah, I don’t think there’s a “find the bad guys” button and I don’t think that’s anytime in our existence. I don’t think that’s about to happen.

David Spark

Well our guest today, I don’t think he has the “find the bad guys” button, but hopefully…

Geoff Belknap

We’ll find out.

David Spark

…maybe by the end of the episode…

Geoff Belknap

Yeah.

David Spark

…we will have come up with one. He’s the CISO over at HBOMax, Brian Lozada. Brian, thank you so much for joining us.

Brian Lozada

Thank you for having me, greatly appreciate the opportunity to be here.

Can it be solved?

00:03:00:13

David Spark

Yaron Levi, CISO over at Dolby, said “Unfortunately many feel that almost every problem can be solved with technology, and as a result we have a lot of technology tools but we severely lack people and process.” And Chris Horner over at Select Bank and Trust Company said, “It feels like many times tools are viewed as magic bullets. However if the foundation is rocky to start with it’s impossible for these expensive tools to deliver on their promises.” So we hear this all the time, it’s people, process, and technology, but we mostly get sold technology, right, Geoff?

Geoff Belknap

Yeah, we’re mostly sold technology and I think the unfortunate thing is we forget sometimes that the people and process are the thing that we really need to focus on and while the technology can augment that, and augment the progress we’re making as we improve the process and we train up our people, it’s really easy to chase that shiny goodness of technology that might make all your problems go away. And in reality not so much.

David Spark

Brian, I just had a call with the vendor and one of the things that I hear from vendors when they pitch a lot, I’m sure you’ve heard this line, it goes “Only takes minutes to install,” or “Within a day you’ll be up and running,” and that kind of a thing. What could a vendor say, realistically, for you to understand and say “Oh, yes, I’ve got the people that this could work in my environment.”

Brian Lozada

Yeah, vendors are always going to try to sell you that, “Hey, we’re going to be able to fix your problem quickly and we’re going to be able to do something that you are not currently doing.” I think what we’re missing there is that the vendor candidly, no vendor knows your environment. No vendor truly knows your problem more than yourself and the problem solvers that you’re working with across the organization. So I think when it comes to selecting tools that are focused on automation to solve a problem, you have to be very cautious in what part of the critical passage of business you’re putting it in. I think if it’s more enterprise centric there might be some tools that could help, but if it’s something that is more service or customer driven that you are building, an experience, or maintaining an experience, the investment in automation needs to be done more with people, with builders, with folks that understand how you are delivering software, how you are looking at products and those problems that you’re trying to solve with developing those products, and incorporate that automation into that process. Think of a buzzword, here it comes, shift-left. Right? Everybody’s talking about shift-left. But the reality is to shift-left is security practitioners in automation to really work with those builders and be builders themselves.

David Spark

But I want to go back to my earlier question and I agree with everything, what could a vendor say, or maybe ask you, to make you realize, okay, I can get this to work in my environment and to realize the value of this tool?

Brian Lozada

I think the last part of your question is the best, what can a vendor ask? They should ask what my problem is. I think a lot of vendors come in and say, “This solves this problem that everybody has.” Again, it’s different in every single environment and I believe this, everybody is a snowflake, every single environment is different because people make it different. How people work that technology, use that technology is different. So I think the vendor needs to come in and say, “How can we use our unique technology or our IP to solve your unique problem?” Instead of saying, “This is an out-of-the-box, click on this, in three minutes I’ll tell you what’s wrong with your world.”

Geoff Belknap

Yeah, I feel like it’s a really tempting sales value prop to communicate, to like install this software, this problem goes away.

David Spark

And, by the way, we hear this a lot.

Geoff Belknap

A lot. And it’s because it’s a marketing trope that works, right? I think certainly if you’re a new CISO and I’ll say even me, today, and I’ve been doing this for a little while. I’ll get perked up and be like, “Oh, that’ll be great. I’d love to make that problem go away.” And the reality is as you dig in a lot of these products are good, like they are valuable, they have great technology, but they don’t make the problem go away. And if you approach them with eyes wide-open and you’re like, great, is this a time to value place that’s going to make the time until I have the solution in place, much, much faster by just spending money? Is this going to solve the problem, maybe more holistically than my own solution would be? Whatever it might be I think we always come down to the principle of you really shouldn’t be doing anything yourself that isn’t strategic and core to your business’s success. And I think Brian made this really clear up front, like great, for enterprise systems there’s a lot of stuff that you can automate away and just spend money on, so to speak, to make it go away. But if your business, especially as a consumer-facing business, a lot of that you need to be focused on yourself so the consumer experience is very positive, it’s very rewarding, it’s very trust-driven. And it’s tough to just buy that off the shelf.

How do I start?

00:06:47:02

David Spark

Peter Luo of DTonomy said, “Fixing foundations and adding automation are conducted in parallel. The process of adding automation is the process of re-evaluating what is missing in the tech stack.” And Keyaan Williams of Cyber Leadership and Strategy Solutions said “I think it is more about impact than automation for the sake of automation. How do you justify spending and represent value to the business if you don’t have documented evidence of the efficiency and effectiveness of automation in your controls environment?” And last thing, Brian Haugli of RealCISO.io is a fan of automation, but he warns, “If you automate bad ideas, incorrect tasks, or broken processes, you just do them faster and at scale.” So I’m going to go to you Brian, who’s smiling at that very last quote, you’ve got to know what you have and measure it to see if you’re doing any better, and if you don’t have things in good place, you’re just going to make a bad thing worse.

Brian Lozada

I totally agree, I love Brian’s quote. Automation could be good or it could be bad, again if you’re creating automation based on bad data or on bad expectations of results. So I think scoping out where automation makes sense for you in your business, looking at the critical path. You’re not going to automate everything, you can’t, that’s just not going to be realistic. Plus maintaining that automation and continuing to ideate on that, it doesn’t make sense to do it everywhere. Really focus on that critical path, what really makes sense so that you can use your resources more strategically. Think about us as CISOs, we’re all starving for talent and if we have our talent chasing ghosts and doing things like that, it’s bad for the team and it’s bad for retaining talent. But if you use that talent in those strategic areas to develop automation, really getting rid of those processes that are mundane and don’t really add any strategic value to the business, I think it helps. I think as thought leaders we need to be very cautious on where we’re going to invest on automation. Whether that’s a tool that we’re going to buy or building it ourselves. I’m more of a fan of building it ourselves or building it within your team, than actually buying off-the-shelf.

David Spark

And I must say it’s probably because you have a good slew of engineering talent and I’ve heard this from different CISOs, the ones who have the talent want to do exactly what you say and those who don’t, they don’t really have that option. Let me ask, within the past year or two, I’ll start with you, Geoff, can either of you speak to something simple that you automated that you saw, like, oh this doesn’t need to be done this way anymore?

Geoff Belknap

Oh yeah. I mean look everything Brian says is dead-on and I want to just pull this thread out. Which is we are talent-starved, it is a very tight talent market. Therefore you really have to focus on where is the key talent going to add value and then how can you build automation around them in a way that they can add more value, that they can do more and go further? And I think that you have to be smart about who you’re bringing on and what they do. You clearly need some talent around building software and automation. I’ll give an easy example here which is like in LinkedIn’s incident response program we have a specific focus which is we have incident responders and detection engineers that are looking for bad things, for lack of a better description, to happen in the environment, and when they see it they are immediately starting to build some automated detection rules around what they’ve seen, right? So now they’re extending, instead of adding more incident responders or detection engineers, they’re extending what we can detect in automated fashion so there’s less work to do to find the stuff that we know has already happened in the environment. That’s just one small example. Another one would be with the SOAR and SIEM tools, you can automate away phishing responses and phishing reporting and a lot of the stuff that would be manual toil for really expensive, hard to find engineers. You can turn that into automation. I think the key though is, like Brian mentioned, you have to also add skill on the team that could maintain and operate that automation infrastructure.

David Spark

Brian, in thirty seconds, do you have something that you’ve automated recently?

Brian Lozada

So within our AWS environment we leveraged a lot of the native logging that comes out of AWS, whether it’s CloudTrail, GuardDuty. We pump that, it’s kind of like EventBridge, and then from EventBridge we create our own security Lambdas for automation based on anything that we deem doesn’t match a standard or something that we would want into the environment. And it could be as simple as breaking the build and not letting the developer actually push that. Or automatically remediating it, it continues to go out but we’ll add the encryption after it’s out there, right? Something simple like that. So we focus a lot of time on that area.

Sponsor – deepwatch

00:12:35:08

Bill Bernard

Hi, I’m Bill Bernard, Senior Director of Solutions Architecture here at deepwatch.

Steve Prentice

Deepwatch offers a suite of managed security solutions including managed detection and response and end-point detection and response. Bill has been talking to me about how, over the past few years, we’ve had a number of things in cybersecurity that have simply become tougher to deal with.

Bill Bernard

Ransomware of course is the ultimate of late and the fact that ransomware is now able to not only steal your data but also the speed with which downloads of your own data can come to those malicious actors and they can go get a second helping, so to speak, from your data. While they’ve held it ransom from you they can also threaten to hand it out to other folks. And so the ability to have a full view of your environment, the ability to know what’s going on everywhere in the environment, to be able to take action on places like the endpoint and at the firewall and to make sure that you’re aware of your entire environment and all the vulnerabilities in that environment through a well-managed vulnerability management program, we believe are critical to combating these sorts of things.

Steve Prentice

He also mentions how hard it is for companies to hire security talent these days.

Bill Bernard

We have millions of jobs around the world available in information security that we just can’t seem to hire for. So instead of asking you to try to hire for those folks by offering you some sort of technology or platform that you have to figure out how to manage, deepwatch is going to bring a team of folks in to assist you with how we make these things happen and how we can provide value to you and your environment.

Steve Prentice

For more information go to deepwatch.com.

If you looked at the problem this way.

00:14:09:22

David Spark

Rachel Arnold over at Activision Blizzard said, “Automation has allowed the talent to develop rather than be buried under tedious soul sucking analysis.” And Brent Wilson of Extensha said, “Automation is to enhance a security pro’s ability to do more analysis, more discovery, and make better outcomes.” Actually referencing what you said at the beginning, Geoff. And Luis Valenzuela said, “Automation is rooted in much earlier concepts aimed to eliminate wasteful processes to enhance quality and value.” This speaks more to what automation has done rather than eliminate headcount and give us more hours in the day, hasn’t it, Brian?

Brian Lozada

I totally agree. I think that Rachel’s comment of “tedious soul sucking analysis” is painstaking towards our talent, right? New talent doesn’t feel there’s growth there. So when you focus the talent on giving them a problem to solve and saying you get to automate this, at the end of the day we’re all engineers, we want to be able to engineer something, be creative and think out of the box. And I think the opportunity to allow your talent to automate that is exciting. I think it helps retain talent and it helps them also look at let’s find areas that maybe we possibly weren’t looking at that I can do automation, that I know there’s a problem here and we didn’t have the time to do. I’m going to start tackling that. I think it keeps that talent engaged thoroughly throughout your problem solving.

David Spark

I like that comment you said, “it helps you retain talent”. Geoff, have you seen any sort of changes in implementing a new technology or process that the team is much happier and as a result they stick around a little longer?

Geoff Belknap

Yeah, look, Rachel’s quote here is the perfect quote of someone who has lived through doing that tedious soul sucking analysis. And I think both Rachel, Brent and Luis speak from a place that is very close to my heart because retaining talent is all about keeping them happy and not just happy, but engaged and feeling good about their work and that they’re adding value, and that there’s purpose in the work that they’re doing.

David Spark

And it’s more than just a “team building” exercise.

Geoff Belknap

Absolutely.

Brian Lozada

Yes.

Geoff Belknap

And nothing drains you of that feeling that the work you’re doing matters, than clicking a thousand different clicks to pull up another drive image to analyze it or to do some manual domain name generation algorithm analysis or something like that, when all that stuff can really be automated away so that analysts, incident responders or engineers, as they’re looking at an incident, they get all this enriched data now through automation to start making decisions. That’s the thing that makes them feel great, it’s actually solving that incident or solving the problem they’re looking at. Not doing the slide-rule level toil. So I think when you can take that away, you get people to stay in that flow space and stay focused on what you really hired them for. And that always is going to make them a happier, more engaged employee.

This is not just a security issue.

00:17:15:08

David Spark

Dan DeCloss over at PlexTrac said, “Context switching between multiple platforms, tools and work-flows wastes a lot of cycles.” And this by the way is a unique point, I like right here. And Chris Morales of Netenrich said, “What we can do is lower the barrier of entry into cyber security and adjust the way we staff SecOps. Bring in more junior analysts to perform Tier-1 work rather than asking for a security researcher to do that work.” So Chris sort of is an extension of what we were saying in that last segment of well if we’re taking away the tedium then we can actually level up lower people, hopefully, and have them doing more valuable work that would have more value to the organization. And then Dan just made an interesting comment saying, hey, you know, just the doing of the tasks and switching around is actually reducing our productivity in general. Geoff, agree?

Geoff Belknap

Yeah, look, launching the Apollo missions probably involved way more calculation, thought, toil and context switching than launching a SpaceX mission. I’m sure they’re both very, very complicated but SpaceX has automated away a lot of the tasks that an astronaut has to do in the capsule. Like that’s a great example of you now can focus the training on the things that you need to focus on and not the basics of all the fundamental physics involved. All that stuff can come but now somebody can be a productive astronaut or in my case, an incident responder or detection engineer, with way less training than they ever needed before.

David Spark

Brian, have you leveled up junior people thanks to tools that were automating away simple tasks?

Brian Lozada

I have. I think not only have I leveled them up but I’ve given them the opportunity to define a little bit more of their own career path and saying, hey, leverage this tool to understand where the problem set is, now let’s build something that is going to be more custom towards us. I’ve done that a lot within my team. And I think again it goes back to that retention of talent or letting your talent really dictate where they’re going to go in their career. When they’re coming in as junior engineers, you’ve got to give them the opportunity to define that themselves. And what Chris said earlier about junior analysts are looking at bringing in folks from other areas of the technology spectrum, not just saying hey you have to have a cybersecurity background, I think that helps. I think diversity of thought, bringing in problem solvers from other areas in technology into the cybersecurity realm, it helps. It absolutely helps dramatically and thinking of the problems differently so as a team you can come together and say, hey, I’m going to leverage this person’s experience from this part of the business to solve my problem here in the cyber realm. So I think it all plays with each other and I think we should, as thought leaders in security, we should broaden our horizon and think about what type of talent do we want. At the end of the day it’s problem-solving. Can they problem-solve whether they’ve been in security or not? And can they apply the right context to that particular problem to solve that business need?

David Spark

Right, I want to close with some advice from both of you on this. How am I looking for things to automate away, if you will? And what is the question you ask yourself and the question you ask your team and the advice you give our audience. How do we think about it? Because actually we’re thinking about this for just the CISO Series in general. We’re obsessed, I don’t know if people realize it, but we publish nine episodes a week and more than twenty pieces of content a week across all of our programming. We’re constantly in production mode. We’re always looking for ways to refine or automate tasks away and we have actually done some of those things already. How do you look at your process to be able to see what you can do? Geoff?

Geoff Belknap

I always like to think about my friends at Netflix who, I think if you talk to, some of them would tell you the secret of a company like Netflix or the secret of a company like HBO, is not the streaming platform. Streaming platforms are great, but it’s how fast and effectively can you produce as much content as possible that reaches the audiences you’re trying to reach? And I think if you talk to people at those kinds of organizations, they would tell you and I’m curious to see if Brian agrees with this, the secret is all their production tooling, all their infrastructure that automates a lot of that stuff that generally can take years, but is generally very toil intensive. I think about it the same way in security. The secret sauce of security is not just finding a bad guy, anybody can do that. But it’s how effectively can you execute those tasks? How quickly can we spin up new engineers? How much can each of those engineers touch effectively without getting to burnout? All of those things are the secret sauce of how effective your security program is. And I think when you’re thinking about automation, thinking about it through that lens is the key.

David Spark

And I will add into this and toss to you Brian in a second, when things look really, really simple, like the front end of HBOMax or the front end of Netflix, there is an amazing amount of complication that goes underneath to make it look that simple. Brian, you’re smiling, yes?

Brian Lozada

A thousand percent agree. There is so much that actually goes into it and just kudos to the organization, HBOMax and the talent that goes behind that. And Geoff, you’re absolutely right, there’s a lot that goes on to make it so that our customers can enjoy our content. So when they hit that “play” button, there’s a lot that goes into that. And I think, to my earlier point is, where do you want to focus your attention on automation? Look at the critical path of the business, for HBOMax, consumer data coming in, content going out. Those are two critical paths. Understanding those critical paths and saying, where do we have the most redundancy of talent, doing the same mundane task that is adding not much value there and saying this is where I’m going to focus my automation. And say, what tools can I remove and build on there or what resources do I put within that critical path to adjust so the automation can handle a lot of that, right? So I like to focus on those areas when I’m prioritizing where I’m going to put resources behind when it comes to automation.

David Spark

Excellent. Brian, we’re going to close it right there and thank you so much. And now I’m going to ask and I’ll start with you Geoff on this one, what was your favorite quote and why?

Geoff Belknap

Oh boy, I think Peter Luo’s from DTonomy’s quote really strikes a chord with me. “Fixing foundations and adding automation are conducted in parallel. The process of adding automation is the process to re-evaluate what you’re missing in the tech stack.” And I think what’s really important to me there is there is so much in security that we’re distracted by that’s like, oh I’m going to buy this widget or that widget and implement deep, dark web block chain thread automation or whatever it might be. When the reality is what most organizations need is just to focus on the fundamentals, just patching and asset management and risk management. But automation can really help focus on those fundamentals in parallel.

David Spark

Good point. Brian, your favorite quote and why?

Brian Lozada

My favorite quote is from Brian, I think when he says he’s a fan of automation but he warns if you automate bad ideas or incorrect paths. I think that’s crucial really before you put resources, funding, any attention towards any automation, make sure that you’ve done your diligence because you could be causing more of a problem than fixing. So I think that’s very, very, very crucial when it comes to focusing on automation.

David Spark

Excellent. Well, that brings us to the very end of our show. I want to thank my guests but first I want to thank our sponsor, that’s deepwatch. They are the advanced managed detection and response to secure the distributed enterprise. More about them at deepwatch.com. And I always ask my guests, are you hiring? I believe you probably are given how you’ve been talking all through this show. Brian, we’ll get to you in a second. Geoff, I know you’re always hiring and one can go onto LinkedIn.com to find them and not just jobs at LinkedIn, but other places as well.

Geoff Belknap

Mm. A very fine website and some very fine employment opportunities.

David Spark

Anything else you would like to say in our closing?

Geoff Belknap

No, I think the main thing that Brian and I have both said throughout the whole show is the important part, automation is not what saves you from having to hire people. It’s what makes the people that you’ve hired even better.

David Spark

That’s the line to say. Alright, Brian, any last thoughts on the topic and are you hiring and if someone is interested how do they find the jobs, get in contact with you or any of the above?

Brian Lozada

Absolutely. So last thoughts again, focusing automation is really focusing on the talent towards putting the right resources behind that automation or what you’re fixing. I think it’s important to think of automation that way instead of hey, buying it off the shelf and it’s going to fix a problem. It’s not going to happen. You’ve got to focus on the talent. And then HBOMax, we are absolutely hiring. I am hiring. You can go to Warnermediacareers.com/hbomax or you could hit me up on LinkedIn directly. We’re hiring across the security team, so across the cloud security team, AppSec, ProductSec so please reach out.

David Spark

Awesome. Alright, well thank you very much, Brian. Thank you very much, Geoff. And thank you to our audience. We always greatly appreciate your contributions and for listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.
