We Want a Solution to Remediate, Not Just Detect Problems

Discovery of security issues is important, but ultimately we need them remediated. So why do so many solutions seem to stop short?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Yaron Levi, CISO, Dolby. Joining us is our guest, Neil Watkins, SVP technology and cybersecurity services, i3 Verticals.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, GitGuardian

GitGuardian is a Code Security Platform that caters to the needs of the DevOps generation. It provides a wide range of code security solutions, including Secrets Detection, Infra as Code Security, and Honeytoken, all in one place. A leader in the market of secrets detection and remediation, its solutions are already used by hundreds of thousands of developers in all industries. Try it now at gitguardian.com

Full Transcript

Intro

0:00.000

[David Spark] Discovery of security issues is important, but ultimately we need them remediated. So, why do so many solutions seem to stop short?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me this time as a guest cohost is Yaron Levi, the CISO over at Dolby. Yaron, thank you so much for joining us.

[Yaron Levi] Thank you, David. Happy to be back. Always a pleasure to be here.

[David Spark] Our sponsor for today’s episode is GitGuardian. Keep secrets out of your source code. We are going to learn more about just that a little bit later in the show. But first, this topic is something that you brought up, Yaron. Discovery without remediation ultimately feels like passing the buck.

Yeah, you have a better understanding of the issue when you have discovery, but you still have to deal with it. Now, Yaron, you characterized this on LinkedIn as selling someone a smoke detector but saying they ultimately still have to find and fight the fire. Is it enough that a company says, “Well, we integrate with Jira so you can submit a ticket.” Does that do the trick?

[Yaron Levi] I don’t think so, because at the end of the day, Jira is just an extension of the smoke detector. So, the challenge is that what I hear from most vendors is, “We give the CISO visibility.” But what I really hear is, “This is where you start, and these are the actionable steps to take to drive to a better state.” So, they often leave it for us to figure out what needs to be done, and just opening the ticket is not enough.

[David Spark] Visibility, context, telling the story, yeah, we hear a lot of that, but guide me through a solution. Now, I would argue that some of the vendors would say, “Well, everybody is kind of a special flower, and they want to do their remediation differently.” But, heck, you got to help somebody, right?

[Yaron Levi] That’s true.

[David Spark] All right. Well, joining us for this conversation to help us discuss this very, very issue is a friend of yours. He is the senior vice president of technology and cyber security services over at i3 Verticals. None other than Neil Watkins. Neil, thank you so much for joining us.

[Neil Watkins] Thank you for having me today. It’s a pleasure to be here. Yaron, David, good to see you both.

What’s our visibility into this problem?

2:23.056

[David Spark] Byron Rashed said, “Visibility is to see the who, what, why, and where of an event, to give context to the threat analysis and understand various aspects that will help them to threat hunt or see if the event is real or not.” Clea Ostendorf, who’s a field CISO over at Code42, said, “If a tool elevates that exposure, I would say the visibility is valuable.

However, point made about visibility about fatigue. Visibility without filtering is noise.” I think most of them know to filter these days. Lastly, Frank Siepmann of Solvitur Systems said, “The last thing we need in cyber security is a cloudy, fuzzy picture of where to focus our time, money, and energy.” I think that last quote speaks to you, Yaron.

Yes?

[Yaron Levi] Yeah, absolutely. Because one of the things that we need to remember, it’s never just one tool. And we have multiple tools that are doing many different things. So, if most tools give you like floods of very rich data set… And the more tools you have, the more data you have. So, essentially it’s like playing 100 streams of music in full volume at the same time.

It’s very loud. It’s very noisy, and you cannot dance to that. That’s a problem that we have.

[David Spark] All right. What about you, in terms of this sort of frustration or experience of seeing all of these visibility tools that are out there, Neil?

[Neil Watkins] Yeah, there are just as many tools as there are things to look at. And that’s part of the challenge is how do they integrate, how do they work. I like Yaron’s conversation about music, for example. What we have today is a stadium full of people at a rock concert. Lots of noise, lots of things, limited context, limited understanding of what that context is.

So, visibility really is key, but do you really need visibility of everything? Or do you have design principles and capabilities that limit what you must watch and things out there that I would say are less valuable? Most people try to watch everything, and that causes the noise that causes the problem.

[Yaron Levi] I love what you said, Neil, because I think a lot of those tools are coming from the point of collect a bunch of information and take this bottom up approach as opposed to let’s take a top down approach. Let’s decide first of all what we care about and then decide what to collect, as opposed to flood me with everything and then figure out what to do.

[Neil Watkins] Yeah, I think you’re spot on. What I care about, right? Understanding your ecosystem, understanding your environment, understand the potential threats that live in that landscape are key. They’re organizationally correct, and they’re organizationally organic often times. So, you have to know where to apply the most visible and capable things because if you apply universally, you’ll end up with meaningless data.

I mean you really do. And David mentioned filters before. Well, filters today aren’t filters for tomorrow, and filters aren’t that smart. So, that becomes its own challenge. So, again, if you’re relying on collecting everything and trying to filter through it, you’re still going to miss it.

How are the vendors handling this?

5:38.153

[David Spark] Max Brunner of Salt Security said, “Most vendors struggle to distinguish the difference between a hot shower and a burning couch, but some do this accurately while also telling you the exact location of the couch, how and why it caught fire, as well as sharing with you how to prevent the fire from spreading and enabling you to text your kids with instructions, education of how to play safely going forward.

But most vendors are smoke detectors with a penchant for false alarms.” And this came up a lot, by the way. Eric Strassman of Red Canary said, “Not all visibility solutions are built the same. Some point directly to the source of a problem and leverage granular data from packets to get the right team in the right place to make a right call on where and how to put out the fire in a quick and efficient manner.” Which I think is what you are asking for, right?

So, Neil, I’ll start with you on this in that the complaint about the false alarms… And they all said, “Well, you can tune it and make it work for you.” But don’t you want a good percentage of this working pretty well out of the box?

[Neil Watkins] Right. So, every organization is different, as we talked about. Its mission, its vision, what it does. But users, ironically, we all kind of function the same way no matter where we work. So, there should be some tell-tale signs out there that we can all look for because the patterns are the same.

Even the criminals act the same way, as we’ve seen through all the conversations we’ve had about attack frameworks and everything else. There is a consistent pattern that should be consistently visible.

[David Spark] What is your level of frustration, Yaron, in terms of getting sort of these all seeing tools that require a lot of tuning to work properly in your environment? Have you had good experiences, bad experiences? Are they getting better, worse? What’s the situation?

[Yaron Levi] Yeah, I think by and large, there are very few tools that really give you actionable advice and step by step of what to do. So, the time to value, if you will, in many, many of the solutions is pretty long. I had a conversation with somebody the other day about it, and I liked the analogy they used.

They said it’s like buying a Lamborghini, but they ship the box with all the parts, and now it’s up to you to start putting that Lamborghini together. I mean I don’t know how to do that. I mean, yeah, by the end of the time, I’m going to put the Lamborghini, and it may be fabulous, and it’s going to look great.

But it may take you like 20 years to do that. And by that time, there can be a new car. So, it’s really, really hard. I mean to put that, if I want to get a Lamborghini, all I need is I need to get in the car, and I need to drive. I often times don’t have the time, and the people, and the process, and the resources to put that car together.

So, I think there is another thing that people are saying, that we’re seeing, is that I think a lot of the tools are coming more from a SIEM mindset. Right? So, you have a SIEM for data. They call it DSPM. There’s a SIEM for cloud infrastructure. They call CSPM. There’s a SIEM for SaaS. They call it SSPM.

I could go on, and on, and on, and on. But as Neil mentioned before, you just keep getting floods, and floods from all of those. And then when you ask them, like, “Okay, what…? I need to connect everything.” They say, “Oh, well, throw it to your SIEM.” Well, okay, now I amplified the problem even more.

So, what we need is something that we can get the information in the proper context and then we can take action on.

[David Spark] Neil, you had a follow up?

[Neil Watkins] Yeah, I just wanted to kind of say the evolution of security technology has been an interesting study over the last 20 years. Let’s just say for argument’s sake we all start out with four capabilities, and everybody that went out to create a new product said it was lacking this, whatever this was.

So, they went out and built yet another capability that said, “I addressed this.” And now we have 4,000 things that still don’t address the entire problem unless they’re aggregated together. So, that’s kind of how the industry has evolved, and that’s what’s left us so fragmented in this capability is that they… Somebody said, “Hey, it doesn’t do X,” and they went out and created a product that did it.

And they heartfelt believe it, and it has value. The problem is alone it has no value.

[Yaron Levi] In fairness, we’re dealing with a complex problem. So, I think the more simplicity we can inject into the problem as opposed to more complexity, I think that’s kind of the mind shift we need to take with that.

[David Spark] But the problem you’re trying to solve is pretty complex. That’s why the solutions become more complex, don’t they?

[Yaron Levi] Yes, they are, but I think also we need to get to some kind of a definition of something that Neil and I have been talking about for long time and we’re probably going to share some of that later on, pretty soon here – what is good enough? We have to get to some kind of a definition or some kind of an agreement.

I realize that this good enough is going to be different between organizations. But I think it’s starting with that end in mind. What do we care about? What are we looking for? What are we afraid of, and what is good enough? And then build to that as opposed to collect everything and try to make sense of it.

[Neil Watkins] To tack onto what Yaron is saying real quick, what keeps happening in our industry, I call it relatively still simple. So, it is complex, but we’re still getting beat by simple. So, to Yaron’s point, we should be getting a little bit more simple often, too.

Sponsor – GitGuardian

10:52.801

[David Spark] Before I go on any further, I do want to tell you about our awesome sponsor, and that is GitGuardian. Now, how confident are you that your company credentials have not leaked? Now, malicious actors are using leaked secrets for lateral movement, and GitGuardian’s mission is to help security stop them.

GitGuardian is the code security platform for the DevOps generation that facilitates a secure software development lifecycle for Dev, Sec, and Ops teams. Now, in the event of a hard coded credential, the GitGuardian platform promptly alerts security teams and helps fix the issue by directly involving the developer, improving your Mean-Time-To-Remediate and keeping your secrets a secret.

Aw, they’re speaking our language right here. So, for companies with multi cloud and multi-VCS environments, GitGuardian is the key to building software securely. Adding a layer of protection by securing your infrastructure as code files. Power innovative features like honeytokens to prioritize incident remediation.

Focus your efforts where they’re most needed. Go to gitguardian.com and start scanning all your repositories, Jira and Slack during their 14-day trial. You’ll discover where the hard coded credentials are in your organization, or use the community edition for your open source and personal projects completely free of charge.

Remember, it’s gitguardian.com.

What else is required?

12:32.907

[David Spark] Jenni Martin of Capstone IT said, “Visibility, action plan, and qualified people to execute the action plan. Nothing happens without people to do it.” James Berthoty of Latio Tech said, “The only fix I’ve ever seen is getting the alerts directly to the teams that are going to be fixing them and skipping the middleman.

Small security teams run out of batteries very quickly.” All right, so I’m going to go back to leaning on the Jira ticket does have some value here, Yaron. If we could just direct people to do the job, that’s what’s good, but that also speaks to what you said at the beginning. It’s like, “Just tell me how to start.

How do I get started on this?”

[Yaron Levi] Yeah, and the analogy I like to use with that is if you think about walking into a cockpit of a commercial airline or let’s say 30, 40 years ago, you had five people in the cockpit. You had all those buttons, and gauges, and clocks, and everything else. And you had five people in the cockpit.

You had the captain, the first officer, flight engineer, communication, and navigation. Now you walk into a cockpit, and you have four monitors. You have a captain and first officer, and that’s about it. And what can we say? Planes are safer now. I don’t know with the recent issues we had. But by and large, they’re probably safer than 30, 40, 50 years ago.

And the pilots only see what they need in order to take action. They don’t have to monitor everything all the time throughout the flight. I mean flights today are pretty complex. So, in a way, I kind of want to have something very similar. I want to be able to, when I get that Jira ticket, have it already enriched with the information and the action that we need to take, and only the one that is relevant based on risk, based on our priorities, based on the business.

We don’t need to get all the floods all the time.

[David Spark] Neil, how has the improvement of communicating your team to remediate improved or getting more difficult?

[Neil Watkins] It’s getting more difficult because the context and the breadth of it is getting louder because we are becoming more aware as a culture, and by that I mean a technology culture. Everybody now reports everything, and they don’t understand the context. But they report it with the same priority, so everything still has to be filtered through.

So, humans still are suffering from what I call the ability to triage fatigue. They just say, “Hey, it might be important. You go figure it out.” And so we spend a lot of time still trying to navigate through that to say, “What is important?” And ironically, because of that, the things that are important get missed.

[Yaron Levi] Yeah, and I think there is also an opportunity for us to challenge some common practices. So, for example, we talk a lot about vulnerability management. And every day, every week, every month, we scan the environment. We find more and more vulnerabilities. And we endlessly chase after for patching them.

In some areas and in some parts of the business or parts of the technology, if we can move let’s say to more ephemeral infrastructure and then recycle the infrastructure every day or every week. And every time we [Inaudible 00:15:45] a new server, it’s already patched and everything, the system or the problem cannot take care of itself.

So, it’s not always easy, but I think we need to start thinking about more and more opportunities like that where the systems are self-healing and self-protecting as opposed to we constantly, constantly babysit and take care of them, patch them, and so on.

[Neil Watkins] Yeah, I just have one last comment on that, Yaron, if you don’t mind. The bottom line is we are still suffering bad design principles in technology, and we’re still compensating for them. That’s creating all this noise. If we were able to reset the clock, and that’s not always possible, but to come back to some more modern capabilities and some more modern thought, and catch up with the evolution of those methodologies, security actually does get more simplistic.

What’s the next step?

16:34.147

[David Spark] Mark Graziano of Segment said, “I’d even argue that even if your tool tells you where the fire is, visibility and context, remediation is still the main bottleneck.” I’m going to agree here on this one. “If someone makes a new tool that can identify ten more vulnerabilities than the nearest competitor but my vuln management team still experiences inefficiency remediating vulnerabilities identified by an existing tool, is it really a betterment for security?

Tools that emphasize remediation efficiency will be the next frontier.” Yaron, this is what you’re screaming for right here. I mean this is what you want. The ones that lead not with detection, but we’re going to help you solve your problems faster. Which I’m saying I definitely see these companies out there.

[Yaron Levi] Yeah, they are, and I think we need to encourage and prioritize having more of that. As Neil said before, more visibility is not always better. I remember years and years ago in a company that will remain nameless, but we rolled out a vulnerability scanner, and we found a lot. I mean thousands, millions, more.

It was a lot. And then it was mostly infrastructure. And then like a year later, I had made a business case to purchase another tool to scan for software vulnerabilities. And I presented it to the COO, and he said, “You know, Yaron, last year we bought this tool that gave us all these vulnerabilities, and you told us how bad we are.

Now you want to buy another tool that will tell us how much worse we are when we’re still dealing with the problem from last year.” I was pissed at that time, but in retrospect I think he had a good point. But, yes, how can we accelerate, and how can we potentially simplify the way that we are remediating and taking more action as opposed to keep adding more and more visibility?

Because I think that’s a lot of what we’re seeing in many, many tools. And you see it also with analysts, for example, in the SOC. Almost the automatic reaction they have to an alert, “Oh, it’s a false positive.” And in many cases they are right, but not everything is that bad. Tools are getting better.

We’re improving over the years. But we need to always overcorrect towards action.

[David Spark] Neil, are you seeing a format of these companies who are getting into this more remediation phase of helping out security professionals…do you see a certain way that they’re approaching it that’s different than others?

[Neil Watkins] They’re trying to do some of the things we’ve seen other technologies do over the years, and it’s just called encapsulation, right? Segment it away, make it go through some other hurdle, take a different approach to remediating the threat by changing the way it flows, for example. We’ve seen that when firewalls were good enough, and all of a sudden now we have web application firewalls.

We didn’t make the code better. We just made something else check to make sure the process was working in a different way and then capture it there. So, the only way remediation tools can work without knowing how an organization is developing their technology is to use that kind of generic segmentation and encapsulation methodology to let the bad happen inside of something that is controlled.

[Yaron Levi] And for me, I think I’ve seen some tools that focus less and less on the specific findings but actually are doing more aggregation and providing you the context. And I think understanding the context, it’s much more actionable. When it’s aggregated, it’s put in the right context. Then it’s much easier for us to take action.

Because what I care mostly about is the systemic issues and less the individual findings.

[David Spark] And also, stressing one of the things that we’ve heard about vulnerability management in general is that of all the vulnerabilities that you find, it’s only between 20 and 40% that you need to deal with. These prioritization tools that are out there, that help you with that, that is definitely one step in the right direction.

And offering the ability to connect with Jira is definitely also one in the right direction as well. We’re all moving in the right direction there. And also the context things. These are all in the right direction. I think we just want to push even more in the right direction. Yes?

[Yaron Levi] Yeah, absolutely, and faster.

[David Spark] Faster, yes. Because the problems are coming faster and faster as well, and the vulnerabilities are increasing faster and faster. All right.

Closing

21:09.511

[David Spark] This brings us to the point of our recording where I ask our guest and cohost which quote was their favorite and why, and I will start with you, Neil. Which quote was your favorite and why?

[Neil Watkins] I believe Mark Graziano’s was the best, when he talks about the inability to remediate. That is one of the biggest pains that we have is the ability to timely remediate because of what it touches. It touches systems of revenue. It touches the ability to make new products. It is very sensitive, and therefore it is overlooked.

So, no matter what visibility we have, we still seem to hit that roadblock.

[David Spark] Very good point. And Yaron?

[Yaron Levi] Yeah, for me, it’s what Max from Salt Security said. I liked the analogy, with the kids, and the couch, and education, and everything else. You need to have that overall message, overall context, overall action to deal with the root cause as opposed to the symptoms. So, just telling me that there is smoke going on, yeah, it’s important, but I actually need to know where the fire is and how to turn it off.

[David Spark] Very good point. Well, I want to thank you, Yaron. I want to thank you, Neil, as well. And I want to thank our audience, too. I want to thank our sponsor. That would be GitGuardian. Remember gitguardian.com. Sign up for their 14-day trial, and they have a free service as well. And as we learned, they do help with the remediation process.

So, thank you, GitGuardian, for doing that as well. If you’ve got a great story or great conversation online, we love to turn those into episodes of Defense in Depth. Please let me know. Any last thoughts from either of you on this topic, or if there’s anything you would like to plug? Are you hiring, either one of you?

Let’s hear it. I’ll start with you, Yaron.

[Yaron Levi] Yeah, so, David, first of all, thank you. Always a pleasure to be back on the show. And, Neil, thank you for joining me. Always a pleasure for having conversations, banter, and discussions that you and I have. I think this is a topic that we need to communicate and we need to partner with our vendors within the community to make it better.

We can’t expect that only one side will solve it and throw it over to the fence to the other side. I mean this is a partnership. This is a partnership in that fight, and we definitely need each other to help with that. So, I welcome the collaboration. I welcome the ideas, the sharing. And, yeah, I think that’s always…that’s essentially how we are going to win the fight.

We are hiring. Always we’re hiring for like good people. Yeah, check our website at [email protected]. And if something pops up and you have an interest, let me know. I’m happy to connect you.

[David Spark] Neil?

[Neil Watkins] Thank you, both. I love talking on these topics, so thank you for giving me the opportunity to do so. We can’t win this fight alone. I say that because even outside of the core listener group, it takes a lot of other people not necessarily focused on this topic to help us win this fight.

So, please reach out to your peers left and right, encourage them to continue to learn more. As far as hiring, go to careers.i3verticals.com. We are always hiring good people. Come to us before you go to Dolby.

[David Spark] Excellent. Thank you so much. And thank you to our audience as well. We greatly appreciate your contributions and listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, cisoseries.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.