Gartner Creates Another Category for Everyone to Ignore

I have talked to vendors who get all excited about Gartner opening up a new category for them. All I can think is uggh, something new to confuse the security marketplace. I know there’s a need to label products in categories to simplify sales. But the complexity is driving buyers nuts.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is RJ Friedman, CISO, Buchanan Technologies.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Buchanan Technologies

Short staffed and overworked IT groups can be overwhelmed by the massive scope of a comprehensive cybersecurity program. Buchanan Technologies makes the complex simple with our twenty-four by seven, customized, vetted strategies that identify risks, detect threats, implement security controls, and protect the confidentiality, availability, and integrity of your data. Discover more.

Full transcription

[Voiceover] Biggest mistake I ever made in security. Go!

[RJ Friedman] The biggest mistake I’ve ever made in cyber security was assuming that everyone else cared as much as I did. It was a quick mistake and an easy lesson learned.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. And joining me as my cohost for this very episode, the one you’re listening to right now, that would be Andy Ellis. He’s the operating partner of YL Ventures. You may know him by this sound that he makes with his vocal cords.

[Andy Ellis] La, la, la, la, la.

[David Spark] Very nice, Andy. We’re available at CISOseries.com. Our sponsor for today’s episode is Buchanan Technologies. You can find them at Buchanan.com, and they are in the world of MSSPs. If you are needing help with your cyber security program and you’ve thought about an MSSP, or you’ve worked with them and been happy, not been happy, or are wondering what an MSSP should do, you should be interested in what they have to say. And in fact, they brought our guest for today. And so we will be talking about this very subject later in the show. But first, Andy, an enormous kudos to you and of which there will be a series of kudos to you.

[Andy Ellis] Thank you.

[David Spark] But you have finished the first draft of your book.

[Andy Ellis] I did.

[David Spark] And this is your first book.

[Andy Ellis] My first book.

[David Spark] Tell me, what is it about?

[Andy Ellis] So, it is titled “The One Percent Leadership.” It is about the small practices that make great leaders. Too many leadership books are basically autobiographies. You can go read Jack Welch’s book on leadership, and you would be an amazing leader if you could time travel back, kill Jack Welch, and assume his position, assuming you were a white dude. And that’s mostly…

[David Spark] And assuming that you’re okay with killing him.

[Andy Ellis] Yeah, that, too. But realistically leadership isn’t like, “Do this one practice religiously.” It’s about getting a little bit better about a lot of things continuously for yourself, for your team, and for your organization. And so it’s 55 chapters, each of which is a tip, a story, and a little practicum for how to think about being better at leadership.

[David Spark] I think this is great. And by the way, I’m going to throw kudos your way, Andy. Of the many things I’ve discussed about the practices that you’ve done over your many years being a leader yourself, being a CISO yourself, I have been surprised and shocked by the spectacular tips that you’ve imparted on this very show, and the fact that you can jam it all into a book is awesome.

[Andy Ellis] Well, my goal is to get it all in because I don’t want you to have to buy 55 books. Just buy one.

[David Spark] Buy one. Or listen to 55 episodes. Although I’m going to guess some of the tips you’ve mentioned on the show are in the book, yes?

[Andy Ellis] Some of them are in the book.

[David Spark] I am looking forward to it. So, the first draft, do you know when the publish date would be on this?

[Andy Ellis] Publish date is currently scheduled for April 18th, 2023. So, a full year out.

[David Spark] So, we have a full year of promoting this, don’t we?

[Andy Ellis] Yes.

[David Spark] [Laughs] Well, awesome. Congratulations. That’s awesome to hear. That’s why I say there’s going to be a series of congratulations for this as well. All right, let’s get to our guest, and I’m very excited to have this person on and also the topic of MSSPs because we’ve touched this a lot. And I love touching on this topic because there’s so many sort of nuances to this topic. It’s pretty spectacular. Anyways, thrilled to have him. He’s the CISO over at Buchanan Technologies. It is RJ Friedman. RJ, thank you so much for joining us.

[RJ Friedman] Thank you for having me, David.

How a security vendor helped me this week.

3:46.087

[David Spark] Do a search on the internet for EDR, XDR, and MDR, and you will find an endless stream of vendors offering definitions in an effort to direct you in what you should buy. Now, in addition I talk to vendors who get all excited about Gartner opening up a new category for them. And then on top of that, security vendors complain that they have a really difficult time keeping up with everything on top of their regular work. I know there’s a need to label products and categories to essentially simplify sales, but the complexity is driving buyers nuts. And that’s why I constantly hear CISOs say they are not looking for vendors, they’re looking for partners. I’m going to start with you on this, Andy. How can a vendor better demonstrate that they can become a partner and that they are a partner?

[Andy Ellis] I was hoping this question was going to be all about the whole industry, and the markets, and that.

[David Spark] Which by the way, we’ve discussed that. And by the way, that could eat up endless time.

[Andy Ellis] Yeah, so I have a really simple answer. Do you have a customer success team? And if you don’t know what a customer success team is, these are the people who after you sign a customer are dedicated to making sure that the customer sees value every single day in what you did. How do they make sure that they’re using the product well, that they’re getting all the security benefits? And you can think of the customer success team’s job as being making sure the renewal is a no brainer. That at the end of the year or two years, whatever the life of the contract is, no body should question and say, “Oh, yeah, why are we working with them?” That is what differentiates a vendor from a partner. It’s not… People talk about design partners and, “Oh, we’ll build this special thing for you.” No, no, it’s really simple. You have to be dedicated to making the customers’ use of your product successful. And it’s in your own interest. Because at the end of the day, they won’t let go of you if you have made them successful. But if you view this as a transaction… “Oh, I got my 50 grand. I’m moving onto the next thing. And if this sits on a shelf, I don’t care.” Well, welcome. You’re just a vendor.

[David Spark] That is a great point. RJ, I’m throwing this to you. Are you making sure that your customers see value in what the heck you’re doing?

[RJ Friedman] Absolutely. Yeah, we have a customer success team. And in the past, I’ve actually run a customer success team at a security company, a vendor, that creates products. And even beyond making sure they’re happy after the sale, I think that demonstrating that you’re not a vendor and you’re a partner comes even when it comes to marketing. Before they even talk to anybody at your company, when they’re just going and googling you, making sure that your marketing team understands the topics that they’re talking about, that they’re not saying that you do things that you really don’t. One of my biggest things was always when everyone would say, “Oh, we do AI. We do AI.” And you look into it, and sure enough they don’t.

[Laughter]

[RJ Friedman] And so it starts with marketing, and then it starts with sales after that. So, when you’re actually having conversations with people like Andy, you are not making these claims or talking about things that are irrelevant, or making it sound like your company has no idea what they’re doing. That all plays into the partnership even before a contract is signed.

[David Spark] So, one of the major concerns that we hear a lot from vendors is that getting their foot through the door, getting that initial meeting, getting that conversation… And I hear CISOs always firing back, “We’re looking for partners, not vendors.” So, in the initial meeting with a vendor, assuming you get some way to demonstrate it, how do you sort of explain in that opening conversation or maybe the research you do beforehand to say, “Hey, we’re more than just pushing our product on you. We’re going to be a partner with you.” RJ?

[RJ Friedman] I think one of the best ways to actually do that is to not explain anything and to listen.

[David Spark] Well, I understand. But you still need to get that first meeting. So, how is that…? Like there’s a lot of chicken and egg issues going on.

[RJ Friedman] For getting to the first meeting, absolutely. Yeah, for getting that first meeting as a salesperson, it is showing that ability to really diagnose the issues that the customer is having and show that you have a meaningful approach to actually solving their problems for them rather than trying to push one or two things that you might be getting a bigger bonus on that month. Really having a better idea of how to go into an account, how to go in and have a conversation with a CISO about the problems that they’re having and being a solution salesperson, not just being a features and functionality salesperson.

[David Spark] Andy, what did you want to add?

[Andy Ellis] Yeah, so I think it comes back to how RJ answered the first question, which is how do you make sure that your marketing all the way out to customer success is connected. Because at that point then your sales rep isn’t walking in trying to close a deal. They’re trying to solve a problem for customer success. They’re trying to set up customer success well, which means part of your sales cycle is talking about how you’re going to make the customer successful, and what metrics you’re going to use to demonstrate to yourself that you’re helping the customer.

Hey, you’re a CISO. What’s your take on this?

8:44.244

[David Spark] “If you were building a cyber threat intelligence program from scratch, what would you include or not include,” asked Drew Brown of the FAA on LinkedIn. Former CISO Series co-host and now CISO at TrustMAPP, Allan Alford, said the “correct” answer is “know your risks first before you do anything.” BUT he added that he and Gary Hayslip, CISO at Softbank Investment Advisers believe there’s a minimum viable security threshold. Something akin to the security poverty line coined by Wendy Nather of Duo Security. At bare minimum…and this is what they said…you need firewalls, email protection, end point protection, secure endpoint management, SASE/CASB. And if it’s very cloudy, a SIEM with UEBA. That seems a lot for minimum, but maybe that’s the state we’re in. I get the feeling that the “minimum” list just keeps growing. We see this in physical security as well. Security cameras are now a requirement right after locks on the doors. With the list constantly growing, do you believe more and more organizations are falling below the security poverty line? I’ll start with you, RJ.

[RJ Friedman] Well, first, I love that line – security poverty line.

[David Spark] Yeah, that was Wendy’s line. It is a great line.

[RJ Friedman] Yeah, absolutely. As far as the actual poverty line is concerned, we have a federal poverty line here in the US, but I think most people would agree that the real poverty line in Los Angeles is a lot different than the one in Detroit. And the same, I think, goes our industry. So, when you’re looking at let’s say a hospital where lives actually depend on the security of your organization compared to maybe a steel mill where only a few people in management have access to a computer that can reach out to the internet, the poverty line is going to look a heck of a lot different. That said, the right answer, as Allan points out, is one that’s frustrated me often because I’ll go, and I’ll tell customers, “Well, the right thing to do here is to assess where you are, assess the gaps, compare yourself to whatever security framework you’re adhering to or pick a security framework if you haven’t done that yet.” That’s the right way to approach it, but many people don’t have the patience for that. They say, “No, just give me a magic bullet.” And that’s something that’s frustrated me so much that I came up with a solution actually and built at Buchanan what we call the security essentials package, which is to try to address the bare minimums that really any company with a digital footprint can and should do in order to reduce risk. So, these are five things that I’ve picked out that I think just about every company with an internet connection will see a return on investment with.

[David Spark] Can you say what those five things are? Just as a quick list.

[RJ Friedman] The list of five would be email security, security awareness training, multifactor authentication, a good end point protection tool, so next gen AV at a minimum, and then of course we have patching and vulnerability management.

[David Spark] Okay, so that’s a good… And, again, we’re talking minimum. I know there’s a lot, lot more, but we’re talking minimum. Andy, I’m throwing this to you, but I’m going to go back to the original question I had, which was are more organizations falling below the poverty line because it’s just becoming too much?

[Andy Ellis] I think what’s really important is to understand what happens once you’re below the poverty line. Wendy and I actually did a talk on this the year she introduced the concept, and we talked about security subsistence syndrome, which is when you don’t feel like you can afford to do anything but the bare minimum. And so you’re so focused on that bare minimum because if you get popped and you don’t have AV, everybody will criticize you. But if you get popped and you didn’t have some Cloud based protection tool, everybody is not going to freak out as much. Even though like, oh, you’re moving to a Cloud first company, and maybe that’s more important than next gen AV on your endpoints. And so that’s, I think, the real problem is people who basically don’t see that they can get better by just leaping forward and saying, “Oh, why don’t we just get rid of our on premise systems, move everything to the Cloud and start over, don’t lift and shift.” But yeah, what if we got rid of active directory and just moved to Office 365 or Google, doesn’t matter which one, and stopped trying to secure active directory? So, there’s a lot of practices I think people could do that sometimes they’re hesitant to do. Now, my take is that companies that are really just starting now in the last few years that are Cloud native are much less likely to struggle with this idea because they don’t have this legacy technical debt architecture that’s sort of handcuffing them to this list of technologies.

It’s time to play, “What’s worse?”

13:26.466

[David Spark] RJ, are you familiar with how this game is played?

[RJ Friedman] I am not.

[David Spark] Okay, I think the title gives it away.

[RJ Friedman] I think the title does give it away.

[David Spark] So, what is going to happen is we have fans of the show who submit bad scenarios, two of them. At least two. Sometimes we get more than two. But two bad scenarios. You’re not going to like either one. But the game is it’s a risk management game. You have to determine which one is a worse scenario.

[Andy Ellis] And you don’t get to modify them. We don’t get to cheat and weasel out of them. They’re hells, and we’re trapped in one of these two hells. Pick the hell that you’re stuck in.

[David Spark] Yes, exactly. This comes from Jim Sheldon of CIP Centric. I always ask Andy to answer first. That gives you a little bit more time to answer. So, what is worse for an MSP…so, just a managed service provider, not specifically an MSSP…but what is worse for an MSP managed AV/EDR systems. Scenario number one – the MSP reports true positives that have been cleaned up, but no details are provided, so root cause analysis cannot be performed. That’s number one. Or two, the MSP reports true positives that may have been cleaned up, but this time details are provided, and root cause analysis can be performed. Andy, which one is worse?

[Andy Ellis] I think I need to reprocess this one. So, it’s scenario one is it reports true positives that have already been cleaned up.

[David Spark] But there’s no details of what…

[Crosstalk 00:15:10]

[Andy Ellis] But there’s no details about it whatsoever.

[David Spark] But the second is they may have been cleaned up. Who knows?

[Andy Ellis] Maybe, or maybe they haven’t been cleaned up, but I have details. So, I’ll know…

[David Spark] But you got some details.

[Andy Ellis] So, I’ll know whether or not they got cleaned up, so I can potentially then go clean them up?

[David Spark] Well, but you just know…

[Crosstalk 00:15:25]

[Andy Ellis] I’m trying to figure out who cleaned them up. Did my team them clean them up, or did the system clean them up?

[David Spark] I’m guessing the MSP cleaned them up.

[Andy Ellis] Oh, the MSSP is doing the cleanup for me?

[David Spark] The MSP. But they only may have been cleaned up, but you know the details of what’s happened.

[Andy Ellis] I see. So, the MSSP basically says, “Here’s a list of your incidents in the last 30 days.” And in one scenario they have fixed all of them, but I all I get is the list of names. So, it’ll be like RJ’s pet project 35. I have no clue what this is, but it got cleaned up. Or I’m going to get, “Oh, David Spark did this thing. Here was the compromise. And now, we’re not going to tell you whether or not we…” I’m going to make this harder. “We’re not going to tell you whether or not they cleaned it up.”

[David Spark] They may or may not. But you have all details of what…

[Crosstalk 00:16:06]

[Andy Ellis] All the details, so I got to go figure this out. This one is actually really interesting because these are both good situations. You usually have to pick between two awful ones, but I actually…

[David Spark] These are the awful in the sense… There are cleanups, which is good.

[Andy Ellis] Honestly they’re imperfect, but they’re both actually better than what you’re going to normally get. Sorry, RJ. You’re going to be like, “Oh, no, we totally do the synthesis of these.” Let’s be honest.

[RJ Friedman] [Laughs]

[David Spark] By the way, I should mention these are MSPs, not specifically…

[Crosstalk 00:16:33]

[Andy Ellis] Oh, MSPs. Right.

[David Spark] An MSP which does more.

[Andy Ellis] Most MSPs don’t have any idea what actually happened in your environment. They’re not actually giving you meaningful reports. They’re not actually telling you what went on in them, and they’re not actually remediating most of the stuff anyway. So, if I’m getting like three out of the four, and I just have to pick which one I don’t get, I’ll actually be honest, and the security half of me cringes when I say this. But what is worse is getting the root cause analysis. Because if they’re just going to clean everything up for me, my business can move more quickly. Like, “Oh, look. Whatever you screw up, we’re going to clean up for you. You’re not going to learn anything from it anyway, so don’t sweat it.” It’s kind of better than, “Oh, we’ll let you learn from this, but you have to keep doing work cleaning it up.” That’s what I have an MSP for. Let them clean it up. So, I’m going to actually…

[David Spark] You make a good point.

[Andy Ellis] The security engineer in me is like screaming at me saying, “No, you want to know what’s going on.” But I actually think that’s worse, and I think that’s a trap.

[David Spark] Okay. RJ, what do you say? Do you agree or disagree?

[RJ Friedman] I’ll play devil’s advocate with Andy. I’ll go the security route and say the root cause is more important to know. Because what if it’s indicative of amuch larger problem that now is not getting solved? And maybe they caught this one, but they don’t catch the next.

[Andy Ellis] Well, they’re certainly not going to catch the next one because they didn’t catch this one correctly. They didn’t clean it up. Certainly they’re going to get popped next time. My answer…

[Laughter]

[Andy Ellis] I don’t fix anything, but they just keep cleaning it up anyway.

[RJ Friedman] I could look at a building and see that it’s about to fall over without knowing how to fix it, right?

[Laughter]

[RJ Friedman] Maybe you need to hire a more advanced team to come and do that work.

[David Spark] But if you know it’s going to fall over, and you know how to prop it up to make it stay up, and you don’t tell us what actually happened…

[Andy Ellis] Yeah. No, no, but it’s baked in. They keep cleaning everything up. They report what happened, and then they fix them.

[David Spark] Yeah. Well, then I guess it’s the ideal world.

[Andy Ellis] Realistically if I take off my CISO hat and just have a CXO, everybody else in the business is going to pick that first one is what they absolutely want.

[David Spark] And you’re going to say, “This is nirvana. This is exactly what we’ve always wanted.”

[Andy Ellis] Yeah, right! “You just clean everything up for me and don’t pester me with details.”

[David Spark] All right. Well, by the way, but I like RJ’s answer here, too. This could be indicative of something way bigger.

[Andy Ellis] Both of these are actually good. Just to be clear, like, “Wait, I have an MSP that actually reports true positives instead of false positives?”

[Laughter]

[Andy Ellis] I will take that any day. This is a win.

Please, enough. No more.

18:58.172

[David Spark] Today’s topic are MSSPs and specifically using an MSSP to augment your security. Now, Andy, what have you heard enough about with MSSPs? And I’m sure you’ve heard a lot. But what would you like to hear also a lot more? So, I want an answer to both questions.

[Andy Ellis] I think what I’ve heard a lot about is just, “Oh, we’ll solve the cyber security skills gap because you can’t hire people, but we’ve got them.” And I hear a lot about that. But what I think I want to hear more about is really how the MSSP creates an upskilling path for the staff that I have that says, “Hey, I’ve got people who I’ve brought in, and maybe instead of having 20 people on my team it’s only 3. But how are my three people becoming more senior by interacting with the MSSP?”

[David Spark] I like it. RJ, I’m tossing to you. I want you to answer what have you heard enough about with MSSPs, and what would you like to hear a lot more?

[RJ Friedman] Yeah, I’ll start with what I’d like to hear a lot more. I’d like to hear a lot more about how MSSPs are going and investing in their staff, and selecting quality candidates, and making sure that they’re skilling up their own staff, and then teaching them ways to work with their customers.

[David Spark] That’s the first time I’ve heard that on this show. So, kudos to you on that. Go ahead.

[RJ Friedman] Rather than what I think we hear too much, which is that, “We’ve got the best, quickest, cheapest way to go and look at alerts and toss them over the fence to your guys. Good luck.”

[Laughter]

[David Spark] Which by the way, that’s another thing that we hear all the time. Not just from MSSPs but from vendors in general. Like we can discover all these things. I think the discovering thing, that problem has been solved by a lot of people. It’s the dealing with them is the issue. Yes, RJ?

[RJ Friedman] It’s the dealing with them, and it’s the communication. Communication is so essential for this that it’s almost more important than having a security skillset. [Laughs] It’s not obviously, but you need both. If you don’t have the ability, if your analysts don’t have the ability to communicate their findings and solutions around those findings, you may as well be throwing your money away in some cases.

[David Spark] RJ, what is it that you guys are doing at Buchanan Technologies to kind of address the main concerns that your customers have been having?

[RJ Friedman] That’s a big question. Because I think there is so many concerns based on the customer. I think we’re a little more broad than most of the MSSPS that we’ve run into. Most will focus really on just MDR – managed SIEM, that type of thing. We are a little bit more holistic in nature. We’re born out of an MSP. And so Buchanan Technologies is a 34-year-old MSP as well as an MSSP. And because of that, we’ve gotten very deep into many different clients’ environments, and we see their problems all the way from identity and access issues all the way through to disaster recovery. And so we as an MSSP needed to design our solutions to be able to address kind of that wider variety of issues.

[David Spark] What is the story you’re trying to tell now? And it’s so hard for MSSPs to differentiate themselves and to be seen as a unique player in how they can play into the space. What do you find is your most difficult struggle of doing just that?

[RJ Friedman] I think that the most difficult thing about differentiating in the market is that it’s just such a big market. There’s so many different players out there, so many big names, and so much money behind a lot of these new players and old players that it’s hard to really stand out and get attention unless you’re willing to invest quite a bit in marketing and sales.

[David Spark] And, Andy, have you found that it’s better to play with MSSPs that know certain verticals better?

[Andy Ellis] Yeah, I definitely think that the MSSPs often have a way that they tend to work, like their playbooks. And the more they focus the more likely it is that you’re going to have playbooks that match what you do rather than some generic playbook maybe that was developed for healthcare, and you’re an online retailer. And there’s some synergy, but then you’re like, “Yeah, those processes don’t quite fit me.” So, that is definitely helpful. I’m not saying you have to use a specialist MSSP. But generally there’s probably some benefit there.

[David Spark] Why do you think, RJ, customers do ultimately choose you? Because they’re looking at other MSSPs. What do you think gives you the chance to win?

[RJ Friedman] I really do think a holistic approach is helpful. There’s actually been a number of deals which we’ve won against some very large and very well known competitors. But they’ll only focus on one or two aspects of a security program. Kind of going back to that other question that we had around what the best way to kind of approach security is and Allan’s comments around finding out what risk is and then what to address. We may think that we have a SIEM or an EDR type deal, but upon conversation with a customer you realize they’re not doing security awareness training. They don’t have multifactor in place. Some of these really core basics. And you show them then the math of, “Look, this is a lot less of an investment and a lot more risk is being eliminated. Let’s start with this. Let’s start with manage multifactor authentication.” So, we have that ability to pivot into a lot of these other areas of security that a lot of companies just don’t touch.

[David Spark] What is sort of the security savviness level of your customers? Is it all around the gamut from they’re clueless to they’re extremely savvy, and we’re just augmenting? Where does it lie?

[RJ Friedman] [Laughs] Yeah, it does run the gamut.21 I think there’s a lot of customers out there that are smaller, that don’t have dedicated security teams. They’re in the 300 to 1,000 kind of employee range. But we also have some very large enterprise clients, tens of thousands of employees with large, robust, dedicated, some of them even 24/7 security teams already in place which we augment. And the approach is different for each. Some of the smaller ones will go in, and it’s definitely more consultative. Whereas a lot of the bigger players, they come to us knowing exactly what they want and asking us if we can handle it.

What works? What’s not working?

25:13.242

[David Spark] False positives or alerts that tell you that a security threat is present but isn’t are the bane of the security operation center or SOC. 90% say they’re having a negative impact on the security team according to a survey by the Enterprise Strategy Group. With nearly 45% of alerts as false positives, a lot of money is also being wasted. So, if you could reduce the false positives you could also save money and hopefully improve the security team’s morale. On CSOOnline, Jaikumar Vijayan offers a few tips to reduce false positives. One is focus on threats that actually infect your environment. Two, conduct red team exercises on critical app stacks. Three, keep records of investigations to reduce future efforts. And four, learn over time and tweak, which may seem obvious. I’m going to throw this to you first, Andy. Seems all like a good effort but also a lot of work, which will hopefully reduce future work. Does it actually?

[Andy Ellis] I think alert fatigue is a real problem that we need to address. It’s not just the cost. It is the morale. When you have people who they have to just click through half of the alerts, there’s a good chance they’re going to just click through a bunch of other alerts also and ignore things that might be trust positives. So, let’s acknowledge that that’s actually our biggest cost isn’t the time spent dealing with false positives. It’s the fact that true positives likely slipped through and become false negatives in our overarching process because the human in the SOC is part of the detection process. They’re not separate from it. So, some of these are really good. Some of these I’ve sort of questioned. I’m like, “Conduct red team exercises to reduce false positives?” That feels completely orthogonal. It’s interesting. It’s good. It’s valid. But that first one which is sort of focus on the threats that matter, one of the biggest challenges I think we have in a lot of our infrastructure is we don’t know how systems are connected.

So, you do vulnerability scans, and you find a thousand vulnerabilities on your systems. Technically they are all true positives. You got to go… And a thousand is a low bar, not a high bar here. You got to go fix all of them, but which ones are connected to your crown jewels. Which ones have an attack path from that system to a system with something else on it, to your database that has PII? And if you don’t know that because you can’t see your architecture in a dynamic fashion that’s hard. Because I think whether something is a true positive or a false positive is this unnecessary binary nature that instead think of it as this scale. Like this one is 99% bad, and this one is in the fourth percentile. And there’s a 50 percentile somewhere here. But go clean up all the 99 percentile alerts first. So, if you actually had that context to decide which are the things that really hurt you, that’s the thing to go after. But I also think this is a place where we should push more on our vendors. Because vendors have no incentive to reduce false positives. In fact they have a negative incentive.Because if you get breached, they want to be able to point at their tool and say, “Oh, there was an alert that you ignored. If you had only dealt with every alert, you wouldn’t have been breached,” is the vendor incentive. And that incentive causes them to not really care about reducing false positives.

[David Spark] Good point. All right, RJ, is the reducing false positive effort in this way or any way you can suggest a worthwhile effort to actually reduce future work?

[RJ Friedman] Oh, absolutely. Since Andy focused kind of on the first point there, I’ll focus on the last two. I would say those are a lot…very related to the SANS IR step of lessons learned – the last of the six incident response steps there. And as a reminder, I keep records of investigations to reduce efforts and then learn over time and tweak were the two that I’m referring to. During interviews for our managed security team, I’ll ask everyone that comes in and interviews what their favorite of the incident response steps is. It’s just kind of an opinion piece with no wrong answer. The real right answer though in my opinion at least is that it’s lessons learned. And actually we’ve gone and implemented that into our actual alert investigation process. So, we don’t just use it in incident response, but we use it in alerts and looking at alerts as well. And even if something is a false positive, we look and we question, “Well, what can we learn from this?” And maybe the answer is, well, something is tuned wrong, or we need to put in something in a whitelist. And on the other hand if it’s a true positive alert, still lessons learned, right? What can we go and tell our client and show them value and add? Back to the partnership conversation we were having earlier, what can we add to the client’s environment to help them reduce these types of true positives in the future as well?

[David Spark] Excellent. Excellent point. And excellent advice. I’m sorry, Andy, you wanted to add something?

[Andy Ellis] Yeah, I was just going to drop… You talked me into dropping pearls of wisdom from my book. One of my chapter titles is “If You Spend All of Your Time Fixing Current Crises, You Aren’t Averting Future Crises.” Right there is what RJ is suggesting.

Closing

30:24.575

[David Spark] We are closing on that. Thank you very much, Andy Ellis. And thank you very much, RJ Friedman. I want to thank your company, Buchanan Technologies. Buchanan.com for more. I’ll let you make a final plug. And by the way, I always ask, are you hiring. So, make sure you have an answer for that, too. So, thank you very much for sponsoring this episode and also just being a phenomenal sponsor of the CISO Series in General. Andy, any last words you’d like to make on today’s episode?

[Andy Ellis] In 11 months you’ll be able to buy a copy of my book on newsstands hopefully everywhere.

[David Spark] They’re getting in line right now. I can hear all… They’re doing it. All right, RJ, any final words? How can people reach you? If they want to know more about Buchanan Technologies… I know I mentioned the web address. And if you’re hiring, let me know.

[RJ Friedman] Absolutely. So, yes, we are hiring. We are currently looking for level two and three cyber defense analysts in the US and in Canada. We’re also hiring for other types of leadership positions within the company, so please reach out. You can reach us, of course, at Buchanan.com. you can find me on LinkedIn – RJ Friedman. And you can also email me at rjfriedman@buchanan.com.

[David Spark] Awesome. Thank you very much, RJ. Thank you very much, Andy. Thank you very much to Buchanan as well, and thank you to our audience, as always, for your great contributions and for listening to and subscribing to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to the CISO Series Podcast.