Interviews | June 29, 2021

Software security success hinges on strong collaboration between sec and dev teams

FireMon | Varonis | Veracode

Jeff Styles
VP, Global Field Engineering


Q1. A recent study by FireMon showed that automation, zero-trust, and SASE have become top priorities for CISOs. What's driving the trend?

A CISO's priorities are driven out of necessity. This post-pandemic world has propelled the remote work movement and stress and complexity along with it. CISOs are facing more scrutiny about security posture and practices than ever before. This rapid expansion and shift to remote work has caused a massive surge in IT change in a short amount of time. If there is one thing I have learned over the years, it is that a lot of change with limited planning tends to cause a cascading set of problems. Change in IT is destructive—83% of all unplanned outages are caused by approved change. Now factor in this unprecedented shift to remote work and the acceleration to the cloud and what do you get? Amplified destruction.

Here are some things I'm seeing:

  • Volume, speed, and new tech—often cloud—are a breeding ground for human error
  • Misconfigurations are the leading cause for forming unintended breach avenues, compliance violations and unplanned outages. Gartner predicts through 2025, 99% of cloud security failures will be the customer's fault.
  • Trust relationships and data isolation policies are not being updated let alone monitored
  • These all are leading to an enormous spike in bad actors all trying to capitalize on bad change

Automation, zero-trust, and SASE are mechanisms, concepts, and architectures CISOs are leaning heavily on—amongst others—to get in front of and help neutralize the blast radius.

Q2. FireMon claims that it can help organizations achieve some $10.3 million in cost avoidance over five years. What are some examples of the kind of costs that FireMon helps organizations avoid?

The typical cost reduction/avoidance scenarios come from the following areas:

Being able to significantly reduce human error (i.e. policy misconfiguration)

  • Prevent policy compliance violations
  • Prevent policy breach avenues
  • Prevent unplanned outages due to bad change

Using policy automation

  • To increase security agility while lowering SLAs and associated fines
  • To increase operational efficiency while reducing operational and security costs
  • To stop the revolving door of mistakes by checking change proactively prior to implementation

Q3. What is FireMon's messaging at Black Hat USA 2021? What do you want security professionals to know about FireMon's strategy over the next few years?

Policy Management platforms will continue to evolve and will become even more critical in an organization's layered defense models. We will continue to push the limits of the security policy management space. Expect to see significant enhancements to policy misconfiguration defense, intent based automation and next generation policy support to include non-network based security policies.

Snir Ben Shimol
Executive Director, Global Cybersecurity


Q1. Varonis recently introduced DatAdvantage Cloud. What exactly is it, and what issue is it designed to help organizations address?

The adoption of cloud and SaaS skyrocketed during COVID and accelerated the digital transformation in ways we haven't seen before.

This adoption led companies to move their most critical assets into cloud repositories and applications, opening a massive new attack surface for external threats and insiders. One of the biggest challenges that organizations face is identifying sensitive data and visualizing who can access it across their cloud and SaaS repositories. Cloud applications add another dimension of risk for security teams, mainly due to CI/CD and the fact that DevOps and engineers have more power and many privileges. We see security teams struggling to track when SaaS applications, APIs, and services are used in an abnormal way.

Our security teams are seeing a new trend—threat actors exploiting cloud apps to gain initial access to unleash devastating ransomware attacks. Monitoring the interconnectivity between cloud applications and identifying when users are moving laterally from one application to another is critical to detect threats and malicious behaviors.

With DatAdvantage Cloud, our approach to protecting your critical data and fighting sophisticated insiders and APTs now extends into cloud repositories and SaaS apps. DatAdvantage Cloud addresses blind spots with data-centric security for your most important SaaS and cloud repositories like Salesforce, G-Drive, S3, and more.

DatAdvantage Cloud provides key capabilities to identify where your sensitive data is located, analyze cross-cloud permissions, and visualize who has access to what – making it possible to conduct fast cross-cloud investigations around user activities, admins, applications, and APIs covered by our detections on suspicious activities and policy violations.

DatAdvantage Cloud allows our customers to know exactly how sensitive data is shared cross-cloud to reduce their cloud blast radius. You can also leverage DatAdvantage Cloud to uncover shadow identities, risky SaaS privileges, enforce cross-cloud policies, and monitor risky admin activities.

Q2. Varonis has noted how threat actors have increasingly begun sidestepping endpoints in carrying out attacks. What are the implications of the trend for enterprise defenders? What should they be doing to address the threat?

I've met with many security executives who were completely blindsided by solely trusting their perimeter security. Those solutions are indeed an important part of the organization's ecosystem. However, most of the APTs we encountered this year, including the Darkside and REvil groups, sidestepped endpoints by simply targeting servers, VDIs, gateways, or by just using compromised contractors' credentials without executing code. Those attacks went undetected by many organizations that based their detection strategy on endpoint security.

Today, where supply-chain attacks, insiders, and sophisticated APTs are so common, we see organizations re-thinking their strategy. They are monitoring their crown jewels – their critical data. Threat actors are always after your data and will look for data to tamper, exfiltrate, or encrypt. Those facts call defenders to change their mindset. They need to monitor data activity and focus more on high-value data. The main challenge here is when an APT begins to act like a sophisticated insider. In those cases, IOC-based detection provides no value. To shorten the time to respond to threats, organizations should not rely on known indicators but on behavior-based profiles that can automatically detect abnormal activities that signal a possible attack.

Q3. What events has Varonis planned for Black Hat USA 2021? What can your customers and other security professionals expect to hear from you at the event?

Varonis has several in-person and virtual events planned at Black Hat this year. We will have presentations, demos, trivia, games, and some swag at our in-person booth. DatAdvantage Cloud, which was just launched in May, will be available to demo for all who stop by our booth. Throughout the week, we'll be discussing some of the most important topics our customers are facing today.

Our lunch & learn on Wednesday, August 4 from 12:05 - 1:30 PM PT, hosted by Bob Kryzsik (Field CTO) and Kilian Englert (Technical Marketing Manager), will focus on Big Game Ransomware. On the virtual side, you can request meetings with security experts, schedule 1:1 demos, and stay tuned for some other fun activities we'll be announcing closer to the conference. Also, make sure to stop by our on-demand zone within our virtual booth to watch Varonis' Security Researcher Kody Kinzie as he demonstrates how hackers breach Wi-Fi networks and unleash ransomware from miles away.

Chris Wysopal
Founder & CTO


Q1. You've recently been quoted as saying organizations should consider onboarding a chief product security officer (CPSO). What exactly would that role entail? Why do organizations need a CPSO?

As software increasingly runs our critical infrastructure – from our power and water supplies to agriculture – we need to add more rigor and structure into securing the software products we are creating. And the Biden administration's new cybersecurity executive order is forcing this issue, especially in the short term for those selling software to the federal government. I think a critical part of this effort is hiring a chief product security officer – someone who is closely tied to both security and development and whose responsibilities would span engineering, compliance, and supply management. While the CISO protects information in the enterprise, products need an equivalent level of security attention to enterprise information systems. This requires a role with a stronger engineering skill set than most CISOs typically have.

Q2. What are some of the essential components of a good application security program these days? What are some of your most mature/forward leaning customers doing with application security, that others should learn from/emulate?

We've been working with organizations in all industries to start and mature software security programs for 15 years, so we've got a good sense of what works, what doesn't, and what it takes to reduce your risk from software vulnerabilities. We've learned that the most successful software security programs are:

  • Integrated throughout the development lifecycle: There is no one-size-fits-all software security test; effective software security requires different testing types – static analysis, dynamic analysis, software composition analysis – at each stage of the development lifecycle, from coding to production.
  • Focused on fixing flaws, not just finding them: And that involves security training for developers. Most developers have never had security training, in school or on the job. Giving them guidance and training on how to identify and remediate vulnerabilities – including real-time feedback – is paramount.
  • Collaborative: Software security success hinges on strong collaboration and communication between security and development teams. The most effective software security programs we've seen include mechanisms, like a security champions program, that ensure that security and development teams are working together from the start.

Q3. What can security professionals expect from Veracode at Black Hat USA 2021? What are you planning on highlighting at the event?

We're excited to be back at Black Hat this year! We always have great conversations with the attendees of this conference. One of our most popular activities at Black Hat in recent years has been our secure coding challenge – which we'll be hosting again! Stop by our virtual booth for details on how to join, then put your coding skills to the test to win some really cool prizes. We'd also love to chat and answer questions in our booth – or feel free to just take a look around at our software security resources, including product demo videos and the new open source edition of our annual State of Software Security report. Finally, don't miss our Lunch and Learn session on Wednesday, August 4th with our customer Wallace Dalrymple from Advantasure. Healthcare has had quite a year; join this session to hear how this healthcare organization managed the pandemic, regulators, and cyberattackers this year. Looking forward to “seeing” everyone virtually at Black Hat this summer.