We’d Secure Our Data If We Knew Where It Was

Given the ease of sharing data, our sensitive information is going more places than we want it. We have means to secure data, but you really can’t do that if you don’t know where your data actually is.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Brian Vecci (@BrianTheVecci), field CTO, Varonis.

Special note: Andy Ellis’ book “1% Leadership” releases TODAY! Order it now!

HUGE thanks to our sponsor, Varonis

Every day, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren’t needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries.

Full transcript

[Voiceover] What I love about cybersecurity. Go!

[Brian Vecci] It’s always changing. Every day, every week, every month, every year is different. My year this year in my role is almost completely different than it was even six months ago, and what I like in life is getting to learn and do new things. I can’t imagine something to work in that changes as fast and requires as much learning as cybersecurity. That’s what I love about it.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. And here joining me, the ever-talented, the newly-published author – we’re going to get into that in a second – my co-host, Andy Ellis, the operating partner over at YL Ventures. Andy, make some noise of some sort.

[Andy Ellis] I’m a newly published author. It’s awesome!

[David Spark] We were going to get to that in just a moment, hold tight. We’re available at CISOseries.com. And our sponsor for today’s episode is the one, the only Varonis – effortless security outcomes powered by automation. We are going to talk about that very issue on today’s episode. But first, Andy, this is a huge day for you. There has been a lot of lead-up to this, there’s been a lot of talk about this. It is your book “1% Leadership.” For those of you just joining us, what the heck is this book about? And you can get in now, today, April 18th.

[Andy Ellis] In fact, right now, you can go buy it online while you’re listening at your favorite bookstore – “1% Leadership.” So, I wrote this book as an antidote to what I saw as the cult model of normal leadership trainings and books.

[David Spark] Of which there’s plenty of.

[Andy Ellis] There’s plenty, and it’s, “Do this one thing and you will be an amazing leader.” And this “one thing” is like the distillation of somebody’s biography. It’s like, “If you do this, you will be like Jack Welch. All you have to do is stack rank your employees and you will be successful.” Well, maybe that worked for Jack Welch, but he did a lot of other things as well. My book is 54 short practical lessons on leadership focused on leading yourself, focused on leading your people, and then focused on leading an organization. Each chapter is on average 762 words, so you can consume them very quickly. That short. And in fact, where most books try to hide their message from you, they’re really a tweet hidden in 400 words, every chapter starts with a tweet. That’s the chapter title is the summary of the lesson, we’re not hiding any lessons here. You can read the Table of Contents to remember what lessons you’ve already learned.

[David Spark] Right. And many of those lessons I know have been heard on this very show as well. In fact, you’ve referenced it on past episodes. So, anyways, we will provide an actual link to this, and I’m going to throw this out – do you know Dan Lyons’ book Lab Rats? Have you read it?

[Andy Ellis] Yes.

[David Spark] Because he goes after all these sort of management books out there, the slew. So, read Andy’s book first, then go get Lab Rats. Actually, a better book by Dan Lyons though is Disrupted, I like both of them.

[Andy Ellis] Yeah. And if you’re an HR professional who’s listening, I would love for you to take my book and use that as the foundation for the leadership training in your organization.

[David Spark] That would be huge! That would be huge. All right, let’s get to our show. Our guest, we’ve had him on Super Cyber Friday, we’ve had him on Defense in Depth, and now, our sponsor guest for CISO Series Podcast is one, the very talented, the visually stunning I should mention, none of you are getting to see this, but he’s got quite an impressive setup I’m always impressed by. In fact, he’s the one who turned me on to some lighting as well. It is Brian Vecci, the field CTO of Varonis. Brian, thank you so much for joining us.

[Brian Vecci] It is fantastic, as always, to be here. Thanks, David. Thanks, Andy.

Are we making this situation better or worse?

[David Spark] Are we creating more problems for ourselves by holding onto dark data? Now, dark data, which was a term I had never heard before, is information that’s generated and stored by the business but not really used for anything else. This is what Gartner said as reported by Apurva Venkat on CSO Online. Now, what is this generated yet unused data? That’s my first question to both of you. And is this the same as ROT data? Which would be redundant, obsolete, and trivial data. How can it be discovered, classified to determine what it is, and I assume we would ultimately want to delete it. Or what else would we want to do with it? So, my feeling is none of this happens because it’s too darn hard. A survey by the Cloud Security Alliance discovered that 76% of organizations rated tracking data as moderately to highly difficult, and we often avoid moderately to highly difficult, I’ve noticed. So, Andy, I start with you. What is this data, and why is it that we’re literally generating our own liability?

[Andy Ellis] There’s a lot of reasons you end up with dark data but probably the most prevalent one is you’re building a system and you build the system before you build the reporting and all of the APIs and everything that’s going to come out of it. And your developers reasonably have grandiose ideas about all of the information you would use, and so you capture everything. And from a debugging and diagnostic perspective, that’s often really powerful. When something goes wrong, we want to have really detailed logs.

But from a developer perspective, let’s say you’re tracking your consumers, you want everything because you don’t know what will be useful. And so later, you come in and you have a million points of data and you’re like, “Well, this 10,000 is useful but maybe the other 990,000 will be useful later,” and so it just sits there. I think that’s one of the biggest things of dark data that isn’t just redundant or that’s been stuck around for a long time, was this aspiration that you would use it, and then you never got around to using it.

[David Spark] Brian, I hear this a lot and the other thing is there’s this comfort in knowing that it’s there and what if it’s not there. I’m sure you run into this a lot.

[Brian Vecci] Well, there’s a flip side of that. A lot of the reason that we have dark data is that nobody wants to delete anything. Beyond, to Andy’s point, the logs and the stuff that we’re capturing as part of newly built applications, people create data. Think about what you use every single day. Think about the spreadsheet that we’re all looking at right now. This stuff just gets created and it never goes away because in IT and security, we never want to be the person that deletes something and then three months, six months, a year later, somebody in the business comes calling and says, “Wait. What happened to that?” So, we never delete anything, whether it’s being used or whether it’s not.

To your point, there’s maybe some comfort that it’s there but I’d argue there’s a lot of unease that, “Why am I keeping all of this stuff that still represents risk?” I’ve got the PII of all my customers in a thousand different places all over the enterprise and if any of that gets lost or stolen or misused or encrypted, I could be held – not me personally or maybe me personally – we can be held liable for that. I’d love to get rid of it. But we don’t want to be the person that deletes something that somebody comes and needs it.

[David Spark] So, how do you talk them down? That’s what I want to know. How do you talk them down from that, “I just want to hold on to it”? And you make that very convincing argument of the liability. Do you throw like a “What’s Worse?” case scenario like, “Okay, let’s think of something that you saw that you wanted from six years ago. How desperately did you really need it?” Does that ever come up?

[Brian Vecci] It can but I think that’s a little bit more tactical. I think you need to be a little bit more strategic about this. The reason that we, whether it’s IT or security or an enterprise as a whole, never delete anything is because you don’t really know what you have. You don’t know whether it’s being used or not. And there’s also a liability to deleting something or getting rid of something if there actually is organizational or business value to it.

So, the way to solve this is to do two things. One, it’s to agree on a policy. We’re going to talk about getting everybody in the same room and getting everybody to agree on something. That’s not trivial but it’s certainly achievable. What should our organizational policy be? For this kind of data, whatever it is. Whether it’s source code or customer data, what have you. Let’s decide how long we really need this stuff. Do you need it after six months maybe? Do you need it after 3 years, 7 years, 10 years, what have you? Once you decide on a policy, you need to be able to enact it, and we’re going to talk about automation a lot today, but the only way to enact a policy is to know what you’re enacting it on. The reason that we talk about dark data is it’s dark. We don’t know what it is. We don’t have any visibility.

[David Spark] Have you ever moved that line and gone, all right, let’s say five years. Five years. No one’s going to need this data in five years. And then you realize, “Okay, now can we move it to four? To three?” Have you been able to pull that trick off?

[Brian Vecci] Absolutely. But it also depends on what the data is. And there’s also a flip side of it. There’s some regulations, there’s some compliance regulations that say you have to keep this for 10 years. You have to keep these mortgage applications and these mortgage records in these PDFs for 10 or 15 or 20 years or for the length of the mortgage, a 30-year mortgage. You can’t get rid of a 30-year mortgage document two years into the mortgage, right?

[David Spark] [Laughter] No. Right.

[Brian Vecci] There is no one size fits all. But the broader point is we call it dark data and it’s a really good term because it’s dark. It’s like trying to clean your garage in the dark. You don’t know what it is and where it is and how it’s being used. And you can’t apply a policy to something if you don’t know what it is that you have. The real problem here is the darkness, it’s the lack of visibility. This analogy falls apart at some point, but we need to turn the lights on, we need to know what we have. And you need to know that these are mortgage documents and they’re used for this reason. Every PDF is not created equal, every JPEG is not created equal, every log is not created equal. You can’t apply a policy unless you know what it is you’re applying the policy to.

Can’t we all just get along?

[David Spark] How can we get more departments on the same page when it comes to data? So, it seems in some cases there are conflicting objectives. For example, marketing/customer information versus privacy. Or there’s different departments – security, privacy, and infrastructure – operating in silos yet they should be working together. And then there’s the situation of the sheer volume of data. Business believes it can do more and be more efficient with more data, and security just sees more data translating into more risk. And again, I’m putting broad strokes here as you just said, Brian. It’s not one grand classification; everything should be treated differently. But I’m going to start with you here, Andy. How do you get some type of happy medium for the business, security, and privacy?

[Andy Ellis] I think the first thing you have to do is stop decomposing your requirements. Privacy, security, and the business all are inheriting from one set of requirements. We want to safely and securely use data. And the problem is security says, “We want to prevent all insecure things,” privacy is, “We want to protect privacy,” and business is, “We want to use.” Now you have a conflict. Because it’s not that they’re coming together with stakeholders to say, “How do we do this in a safe and secure way that respects user privacy?” Instead, they’re fighting because the business is like, “I just have to launch the thing. I don’t care about security and safety. I don’t care about privacy.” We have to get people together saying these are the stakeholders who can represent one adjective or one adverb on this mission. But they’re just an adverb. Security’s incentive should not be, “Stop everything.” Which is actually what security gets incentivized to do. If your goal is to stop unsafe things, you don’t have a goal to let launches happen, so that makes you the Department of No. That creates the tension, so you’ve got to eliminate that tension by saying, “Your job is to help the business do things safely, not stop them from doing things unsafely.”

[David Spark] Good point. All right, Brian, I know this is a charge for you about the intersection of specifically privacy, security, and infrastructure, but I brought the whole darn business in here because it’s everybody’s concern. Where do you begin? And I love Andy’s take. Where do you begin, just how do we talk about finding that happy medium?

[Brian Vecci] I was in a meeting with a CISO recently and when somebody smart says something smart, I tend to steal it so that I can sound smart. This is a CISO who is, to Andy’s point, trying to protect his business, trying to make sure that they can work securely. But he didn’t think of himself as the Department of No. What he said, and this might be a little bit cute and maybe not mean all that much, but it sounded true to me. He said, “What I’m trying to do is let my business and let our business users and the business functions proceed at the speed of trust. There needs to be a level of trust.” And I think we’re actually kind of, to the point that Andy made, it used to be security was all about the Department of No, and privacy was all about putting restrictions in place, and the business wanted to, “Damn the torpedoes, I just want to work,” I think we’ve seen an evolution over the last few years of businesses now realize that if you don’t keep data private and you don’t keep data secure, it ends up costing the business money in the long term, it just will, like risk has an actual cost to it.

[David Spark] Sometimes you don’t need long term either.

[Brian Vecci] Yeah. Sometimes you don’t need it at all. But they don’t want to be put in a position where it’s difficult to actually accomplish what their business objectives are. So, you need to put guardrails in place, you need to let people collaborate, whether it’s internally or externally. You want to make the best use of the data that you’ve got, the infrastructure that you’ve got, but you need to do so in a way where data is kept private because there are serious costs to not keeping data that doesn’t belong to you private anymore. If you’re collecting the PII of European citizens and California consumers and Virginia residents, there are serious costs if you don’t keep that data private. Similarly, a lack of security can have massive operational costs. Not just compliance fines but a security company recently touted the average dwell time for an advanced threat has gone down from 180 days to 23 days. Varonis has a security research and incident response team. You give any single one of those people access to your network for 23 days, I can put you out of business, no problem whatsoever. That has real business costs. And you can’t keep data private unless it’s secure, but we need to do so in a way…

[David Spark] But Varonis’s new business is not to put someone out of business in 23 days. [Laughter]

[Brian Vecci] No, no, it’s not. I’m just talking about any advanced threat. Anybody that knows what they’re doing, 23 days. Twenty-three days? That’s a month of business days. Listen, we can absolutely put you out of business. We actually do purple team exercises where we do this.

[Andy Ellis] So, I want to move people away from guardrails, and Brian mentioned that, and everybody’s been saying, “Oh, we need to give the business guardrails.” We need to give them roads. The problem is we’re putting up guardrails on unsafe roads because the business is trying to move around some dangerous obstacle, and we need to figure out how to build a safe road for them so that they can actually go where they want to go. So, as security professionals and privacy professionals, you have to figure out what the business needs and give them a way to do it before they ask. Because once they ask, they’re already asking for the unsafe way because they’re just trying to avoid you, and you don’t want to have to deal with guardrails as they’re driving around the side of a mountain. Can you build them a tunnel through the mountain that gets them where they want to go and does it the right way?

Sponsor – Varonis

[David Spark] So, before we go on any further, everybody, I do want to tell you about Varonis. And actually, we’re going to get some more cool stuff, especially around security automation from Brian, but this you’ll be interested to hear. So, we know this, that so many security incidents are caused by attackers finding and exploiting excessive permissions. We’ve just been talking about this, like too much data. So, all it takes is one exposed folder, bucket, or API to cause a data breach crisis. The average organization has tens of millions of unique permissions and sharing links. Even if you could visualize your cloud data exposure, it would take an army of admins years to right-size privileges. With how quickly data is created and shared, it’s like painting the Golden Gate Bridge. Nobody wants to do that. That’s scary too, for that matter.

Varonis reduces data exposure while you sleep with the industry’s first fully autonomous data remediation. Varonis continually and intelligently removes unnecessary permissions, sharing links, and fixes misconfigurations without any human intervention. Because Varonis monitors who uses data, their free IR team, that’s their incident response team, will watch for alerts and call you if they see abnormal behavior like insider threats or compromised service accounts. To see how Varonis can reduce risk while removing work from your plate – that sounds nice – head on over to their site. This one’s going to be easy to remember – varonis.com/cisoseries – and start your free trial today.

It’s time to play “What’s Worse?”

[David Spark] Brian, you’re familiar with this game, yes?

[Brian Vecci] I believe I am.

[David Spark] Two horrible scenarios and you have to tell me which one is worse. I always make the co-host answer first, so I’ll ask Andy to answer first. I win if you disagree with Andy, just so you know.

[Andy Ellis] I win if you agree with me, just to be very clear.

[Brian Vecci] Is there a running tally? Like what’s the score so far?

[David Spark] Oh, no. That I don’t know.

[Andy Ellis] David does not like to see what the running tally is, so we stopped.

[David Spark] I would say the majority are agreements, I will say that. It’s always kind of nice when there are disagreements. Neil Saltman of Armis sends this in, so what’s worse? Knowing many of your devices are running unpatched software that can’t be updated and knowing that others have been breached recently with the same software/versions for their systems – that’s bad – or knowing that you are working with a vendor who has access to your systems that has just been breached. Andy?

[Andy Ellis] Ooh, this one’s a good one. I like this one, Neil. I will point out, Neil, while I’m thinking, I have your book right above mine on my bookshelf, so I expect my book to be on your bookshelf too.

[David Spark] He’s got a book about cybersecurity sales.

[Andy Ellis] He does. It’s fascinating reading. So, my scenarios are I’ve got unpatchable systems and there’s breaches happening based on these unpatchable systems. I’m not allowed to modify, I can’t get rid of them, I can’t ditch them. Or I’ve got a vendor I use who just got breached and so I’ve got a bad day going on. I’m probably actually going to say the first one is worse, but this one’s a hard call for me, so if Brian disagrees with me.

And the reason that I’m going with the first one, here’s where I try to get Brian to agree with me, is that, look. If I’ve got unpatchable systems that I rely on for business use, I’m going to have a lot of bad days in the future, and I can’t make them stop. But I’ve got a vendor who was recently breached, we can think about ones that have happened like SolarWinds or other folks in that ilk, I’ve got a bad day going on right now but it’s an impetus for change and presumably my vendor’s going to change. So, I’ve got a bad day but I’m going to get past that, and this one is one I can use to build on. If I have unpatchable systems that I can’t move forward on, I don’t have any way to build on that to improve my security program, so I say first one’s worse.

[David Spark] First one is worse. Okay.

[Andy Ellis] Yep.

[David Spark] Brian, where do you stand?

[Brian Vecci] I’m highly annoyed because you did a very good job of articulating exactly why I think the first one is worse as well. I was thinking of this in terms of what’s my path forward, and to your point, if I’ve got a vendor that’s been breached, to your point, it’s not a good day.

[David Spark] It’s not a good day but let me just throw this out. The second scenario, it’s a done deal, it’s been breached, it’s happening. Where the first scenario, nothing’s happened yet.

[Brian Vecci] Sure. But at least you have a way to fix the problem, right? You’re having a bad day but tomorrow can be better, I’ve got a path forward. A bunch of devices where I have no path to patching them? That means I just have an inherently insecure system with no path forward, like I’m going to have to change my business, and to me, that’s worse.

[David Spark] All right. So, we got agreement on this, with some slightly different reasoning on it but I like it. Excellent.

[Andy Ellis] But this is a great one, Neil. Even though we agreed, this was not an easy choice.

[David Spark] It wasn’t an easy choice.

[Brian Vecci] No, I went back and forth.

[Andy Ellis] Two very bad choices.

[Brian Vecci] I think they’re both defensible.

Please. Enough. No more.

[David Spark] Today’s topic is security automation. We have heard this, and I’ve heard a wide range of what this is and a lot of promises attached to it. So, Andy, what have you heard enough about when it comes to security automation, and what would you like to hear a lot more about?

[Andy Ellis] So, I think one of the things I hear a lot, and this is what comes out of vendors, is they talk about headcount reduction. First of all, pitching headcount reduction to a CISO who already doesn’t have enough headcount? Probably not a winning message, just to be very clear.

[David Spark] [Laughter]

[Andy Ellis] CFOs might love it, CISOs probably don’t.

[David Spark] That is a very good point.

[Andy Ellis] What I want to hear more about is really it’s headcount amplification. How do you take the existing headcount and amplify their effect through automation? So, take people from doing scut work and you’re leveling them up because we let automation do the scut work. And I really want to understand if you’re selling a product that does this, how are you helping educate my staff? Because it used to be that I’d bring in an analyst and they knew nothing, and you throw them in the deep end of scut work where they’re doing repetitive tasks, but they learn through those tasks, and they grow. And if I’m going to take and say, “Well, you don’t have to do that anymore,” but now they’re not learning in that, how is your tool helping them learn without that boredom and that awfulness that they used to go through in a way that’s highly efficient and effective? So, how does your tool sort of help my staff grow more quickly into senior analysts who can be more effective because the automation is dealing with the stuff that really wasn’t value for a human to do?

[David Spark] So, kind of an exoskeleton on your staff.

[Andy Ellis] Ooh, I really love that. And like Brian said earlier, I’m stealing somebody else’s clever thing. I’m using exoskeleton as my new security automation metaphor.

[David Spark] I like it. All right. Brian. Let’s start with what you have heard enough about with security automation and what you would like to hear a lot more about.

[Brian Vecci] I actually agree with Andy again. I think it’s ridiculous when people talk about headcount reduction with automation. If you’re reducing headcount with automation, your people are doing useless things. It’s just not the right way to think about it.

[David Spark] I used to hear that a lot. I don’t hear it nearly as much now, but I used to hear it a ton.

[Brian Vecci] Yeah. I used to hear a lot about headcount reduction. I don’t hear that anymore and nor should I because I think it’s a ridiculous approach to security automation. I’m actually going to tweak the exoskeleton analogy and I think good automation is really more like power armor. It’s not just an extension, it’s not just armor, it lets people do things that are impossible to do otherwise. One of the metaphors that I’ve used or one of the analogies that I’ve used with CISOs sometimes is I can automate all of your data security risk. We’ve been talking about dark data. I can get your risk to zero. I can do it in a day. I can do it by writing a PowerShell script that deletes everything. There’s no more data, there’s no more risk, it’s fantastic, you can sleep at night.

Of course, that’s ridiculous because the data, it’s like money in a bank account. If I empty it, that doesn’t mean you’re better off, right? I’ve reduced the risk to it but you’ve also eliminated all value that you’re getting from it. So, if I’m going to automate something, what’s critical isn’t the headcount that I’m going to reduce, it’s the outcome that we are going to achieve and the measurement of that outcome. Automation needs to be built on outcomes, it needs to be built on measurement, and security automation is really about doing it intelligently. If I break everything as I “fix it,” then I’m not accomplishing anything useful. But if I remediate things, if I fix things, if I’m a force multiplier, if I’m a power armor for your security analysts and your incident response team, if I make them better at their jobs, if I reduce the time it takes to detect a threat, and I reduce the time it takes to respond and investigate a threat, and I reduce the likelihood of a threat even getting to data in the first place, those are all measurable outcomes, and that’s power armor for your security team, and that’s what automation really needs to be based on.

[David Spark] Now this is where I want you to sort of explain exactly how Varonis is pulling this off because I know this is kind of your secret sauce, what you’re really pushing. What is Varonis doing? What is the power armor you’re providing?

[Brian Vecci] What we’re trying to do is measure and reduce risk and reduce the time it takes to detect and respond to threats. Compliance then becomes a byproduct of doing that. Here’s what Varonis does. Let’s start with the assumption that you’ve got data on premises, on file systems and NAS devices, you’ve got data in the cloud whether it’s in 365 or object stores like S3 or Azure Blob. And you don’t know what you’ve got, you don’t know where it is, you don’t know who’s using it, you don’t know who it belongs to, you don’t know where it’s exposed. And even if you could get a picture into any or all of those things, you don’t know what to do about it. Everybody’s got findings and findings fatigue. What do you actually do with it?

So, what Varonis does is we give you visibility. That’s outcome number one. We know not just what’s sensitive and where it is. We know who’s got access to it, we look at every entitlement and configuration and account, we monitor behavior, and we combine all that together, so you know what you’ve got, where it is, how it’s being used, and where it’s exposed, whether it’s through a configuration or a shared link or an entitlement, and then we use all of that to build automation. Because you can automate things when you understand not just where the risk is and where the exposure is, but how people are using data and how they’re getting access to it, and you’ve built an automation engine on top of all that to safely make changes, roll them back if you need to.

And when you’re doing all of that, well, when you’re locking things down so that users and applications can’t get access to data that they don’t need, and you’re monitoring the data – David, I’ve said this to you, I don’t know, half a dozen times – but nobody breaks into a bank to steal the pens. They’re after money. If somebody gets access to a device and account, your network server, you know what they’re going to grab? They’re going to grab data. They’re going to steal it. They’re going to encrypt it. They’re going to hold it for ransom or all of the above. So, we monitor the data, we monitor the target of an attack. Credit card companies are really good at detecting fraud with a credit card. You know why? Because they watch the money, and they know who you are and what you buy and where you live.

At Varonis, we watch your data, and we know what it is, whether it’s important, how people got access to it, how they use it, who their peers are. You combine all that together and you can reduce the time it takes to detect a threat to data, and you can reduce the time it takes to investigate and respond to it, and that’s why we’ve got an incident response team that’s just part of being a Varonis customer. You install us and now you’ve got a free IR team. I don’t want to call them free, it’s just part of being a customer with us. And we can do that because it doesn’t take a lot of time or energy to detect a threat or come to a conclusion about what happened. In a nutshell, that’s what we do.

Looking down the security roadmap.

[David Spark] Threat hunting gets better with time, but only if you’re tweaking the right measurements and pulling the right levers. I’m being very vague here, obviously. So, Andy, I’ll start with you. What are sort of the tactics you take to continually improve your threat hunting experience? Like who needs to talk to who? What are you looking at? What is the overall objective that we go from essentially a sort of a blank slate to this sort of well-oiled machine?

[Andy Ellis] So, I like to think of threat hunting as being the compensating control to everything else you’re doing. Which is as soon as you know how to find a threat, you should create a control that automates and finds things like that. So, I think earlier we talked about how dwell time has come down. Threat hunting is successful when dwell time comes down, not because your threat hunters are finding problems but because they’ve found a problem and you automated detection. And so threat hunting is really about learning all of the ways in which you’re currently blind and shining lights. If you have threat hunters who are doing the same thing today that they were doing last month, what are you doing wrong? You should instead be saying, “What don’t we find? What’s going on out there?” So, it’s an educational system, which makes it easy to keep people around when they’re like, “Ooh. I get to learn new stuff and try new ways to detect adversaries. And once I find something that works, we have an engineering team that automates it.” That’s the key piece to making threat hunting truly successful.

[David Spark] This kind of sounds like the formula of why you love cybersecurity as you said at the very beginning of the show, Brian.

[Brian Vecci] I was thinking the exact same thing. If you’re not changing, you are falling behind because I guarantee you the people that are trying to get access to your data and lock it down and steal it and use it, they’re changing. So, if you’re not and if your team isn’t learning new things, if you’re not filtering noise, if you’re not doing regular alert reviews, if you’re not adapting, then somebody else is adapting more quickly than you are.

[David Spark] Adding to what Andy said, what are different ways you look to iterate? Like give me some of the mechanics of how you do that.

[Brian Vecci] So, one of the things, and I can speak from our experience, one of the things that our incident response team does is in addition to being an extra set of hands, we have proactive incident response, so we look at our customers’ data. When we see an alert like, “Hey, an insider’s accessing a bunch of sensitive information that she’s never looked at before from a device she’s never used,” we’ll take a look and make sure that this isn’t noise. If we think it might be a true positive, we’ll reach out, give you a phone call, and say, “Hey, there’s probably something that you want to look at, and we’ll help with the investigation.” That gives us a lot of experience, and that’s how we continue to get better.

But one of the things that this team does with our customers is on a regular basis, it depends on the customer but at least once every few months, we want to sit down, and we do an ops process where we look at what’s triggering. We look at, you know what, are you looking at these alerts? Are you triaging them? Are you investigating them? If the answer’s no, why not? If it’s noisy, why? What can we tune out? Because it’s not just that your people need to adapt. The analysis and the automation that you have in place also needs to adapt. Because what’s true today might be noise tomorrow and you need to continue to filter that stuff out. And you need to make sure that, going back to the power armor analogy, that when your team sees something that it needs to respond to and needs to investigate, that they know that it’s real and that they’re not wasting time chasing ghosts.

There was an organization that I met with a couple of months ago, and they had an alert set up for every time anybody anywhere in their enterprise touched any type of PII. They were getting one-and-a-half million alerts a day. How useful is that? Nobody’s going to look at that. It’s absurd, right? They’re absolutely chasing ghosts. But, and this is a good example, you can alert on every time somebody accesses something sensitive, but it’s useless. But if we’re going to actually tune this, let’s start combining that. Well, okay, I only really want to know when they’re doing this from somebody else’s device, from a place they’ve never been, at a time of day that they don’t access. You start putting all of those things together, and any one of those things by themselves could be completely benign. But when you start combining risks together, like not just geolocation but geolocation and what they’re touching and what’s normal for them and who their peers are and the device that they’re using and the applications that they’re authenticating to, whether any of that’s normal, now you can get something that’s really actionable. Findings are useless unless they’re actionable and really, to Andy’s point, unless you can automate the response to them.

[David Spark] Excellent point.



[David Spark] Well, that brings us to the end of today’s episode. We kind of really honed this discussion on data and threat hunting and automation. I really kind of liked it, it’s a very sort of well-rounded conversation.

[Andy Ellis] We had a consistent theme for the whole time instead of rambling.

[David Spark] Well, it’s not rambling, Andy. We just like to have variety. But yeah, we stayed with a pretty consistent theme today, so that was pretty awesome. So, thank you very much, Brian. Thank you very much, Andy, as well. Brian, I’m going to let you have the very last word. Andy, I know there might be a book that you want to plug. Is that true?

[Andy Ellis] There is – 1% Leadership. You should buy it right now. And I’m going to be speaking next week at RSA on Monday morning, I have a wonderful Monday morning slot, and here’s my promise. If you bring your book to my talk, I will sign it for you. I’ll walk outside and I will do a signing right there, right outside the talk, if you bring the book. Especially if you mention CISO Series. You won’t just get my signature, I’ll even like put your name and a couple of fancy words in it too.

[David Spark] You’ll make a lipstick smear right on the book, right?

[Andy Ellis] Ooh. Maybe. But probably not.

[David Spark] Bring your lipstick. I’ll bring lipstick.

[Andy Ellis] Yeah, I guess I can bring lipstick and if somebody asks for a lipstick smear and they’ve got a copy of the book, maybe I’ll do it. Maybe.

[David Spark] Let me just say. If someone can capture that on video, put it online, that will go viral, for sure.

[Andy Ellis] Quite possibly.

[David Spark] Quite possibly. Be there. All right. Brian Vecci, I want to thank your company Varonis for sponsoring this and also just being a phenomenal supporter of the CISO Series as well. What do you want to offer to our audience or is there anything specific you can offer to our audience?

[Brian Vecci] Of course there is. So, I will also be speaking at RSA although I don’t have a time and location yet, but we do have a booth. It’s going to be in the North Expo Hall, I believe. So, if you’re at RSA, come and stop by. I will be there as much as I possibly can. If you look me up, find my speaking slot, if you bring Andy’s book, I will happily sign it. I’m not sure that that’ll add much value to it but I’m happy to smear lipstick on it and sign it. And that would be actually great. Come by and show me that you listened and listen to Andy’s book. If you’re not going to be at RSA but anything that I said today sounds interesting to you, one of the things we do is a no-cost risk assessment of data on premises and in the cloud, every place that Varonis looks.

[David Spark] Because it’s SaaS-based you’re doing this, right, it’s super easy to do.

[Brian Vecci] It’s super easy to spin up. We can do it in like half an hour. It takes a couple of weeks. There’s no financial commitment at all. We do ask for a little bit of your time to review what we found and obviously help us with the setup. I guarantee you it’s valuable. I have yet to have an enterprise do one of these and not get value out of it, so we’re happy to do that if you’d like. And if you’d like to learn more about that, come to our booth at RSA or go to varonis.com and you can learn a heck of a lot more. And if you’d like to see this amazing audio/video setup that I have that you heard mentioned, go to varonis.com and contact us and I’ll be happy to get on camera and we can talk through what is it that we do. I’d love to meet everybody that’s listening.

[David Spark] You can also contact Brian through LinkedIn; we’ll have his LinkedIn as well attached to the blog post for this very episode. Thank you very much, Brian. Thank you, Varonis. Thank you, Andy Ellis. Thank you to our listeners. We greatly, greatly appreciate your contributions and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.