Interviews | July 22, 2020

COVID-19 Has Forced a Fundamental Shift for Most Organizations

Akamai | Chronicle/Google Cloud Security | Cisco | Palo Alto Networks | Splunk | Varonis

Andy Ellis
Senior Vice President, Chief Security Officer

Akamai
Q1. Why is zero-trust a good approach for addressing the new security challenges posed by the increase in remote work as a result of the COVID-19 pandemic?

The fundamental premise of Zero Trust is not relying on the security of the network layer, but moving security up into the applications themselves. That enables organizations to stop relying—dangerously—on the security of access to a corporate network or VPN, and instead tie into endpoint security capabilities before "trusting" a user's device. That's really helpful, because almost no one is actually on the corporate network today. Why invest in a VPN, which likely only slows down your users?

A good Zero Trust solution improves the user experience, because it gives them consistency wherever they are, rather than needing to think differently as they move from location to location (which, hopefully, they'll get to do again someday).

But the real advantage that Zero Trust brings is that although it really does help during "CoviDistancing", it's actually a good solution for many of the security challenges that enterprises have on an ongoing basis. So implementing Zero Trust to manage application access today is an investment that will continue to pay off even if we ever return to a "normal" office environment.

Q2. How should security leaders be using this opportunity to introduce zero-trust in their organizations? What's a good place to begin and what's a good strategy to garner broad support for it?

When we began implementing our Zero Trust capabilities at Akamai internally, we focused on two axes: where did we have the biggest security risks, and where did we have the most user pain? Sometimes we had to address those separately; but where we could find common ground to improve security and ease of use together, it was easy to gain momentum. For instance, focusing on the VPN elimination angle—because what employee hasn't had a problem with the VPN at some point—gave us support to drive application owners onto our Single-Sign-On platform, because that was needed to make them available without the VPN. Although now we can bring apps on by tunneling access across the SSO, we still prefer to help them do native HTTPS integrations.

So begin with understanding how you're going to bring all authentication together—for us, internally, it's X.509 certificates and push-MFA—and have a crisp, clear vision to sell. Zero Trust isn't about securing the enterprise of the past. It's about building the security framework that is enabling the enterprise of the future. And that's a way to market your own Zero Trust transformation to your peers in the language they're looking for—not about stopping the business, but about enabling it.

We should also recognize that employees in many industries are combining personal and work activities on their devices, and rather than chase the pipe dream of segregating those, Zero Trust solutions let us support safer models, especially as many of our employees become fully distributed 100% of the time.

Q3. What do you expect will be the top concern for CISOs at the Black Hat USA 2020 virtual event this year? What do you expect they will be most interested in hearing about from Akamai?

This is such an unusual year, that I hesitate to predict even a few weeks out what might be the top concern. Plague squirrels? Volcanic monsters? Even Skynet might be in the realm of possibility. But, discounting a massive change in the world again, I suspect that many CISOs will continue to look for opportunities to drive effective change. So much of the time and energy spent by security teams doesn't always end up making a structural difference; we often feel like we're trapped on the hamster wheel of putting out small fires, rather than clearing out the underbrush. How to put security solutions into practice, and make them work operationally, is going to be a critical concern, and one we think we've addressed.

And I hope that they hear that message as they engage with the product side of our business -- many of the solutions we've brought to market are those solutions that let me outsource the ongoing operational burden and upgrade challenge, which might be in well-established solutions like Zero Trust access, Bot Management, or Web Application Protection. Or it might be in looking into bleeding-edge solutions like Page Integrity Management, as so many modern web applications are built on multi-party JavaScript frameworks, and there are so few ways to extend defenses closer to the user without being overly intrusive. I suspect those are all areas that CISOs will be interested to dig in on. Because none of us feel like we have enough people to solve all of the problems on our plate, so any solution needs to address how we can use more of our limited time solving other problems.

Dr. Anton Chuvakin
Head of Solution Strategy

Chronicle/Google Cloud Security

Q1. What are some of the biggest challenges facing SOCs these days? Why has a big data analytics capability become such a key requirement?

Today, even mid-sized organizations may generate petabytes of security telemetry. Most security operations teams, however, are not skilled in managing big data and the underlying hyperscale infrastructure required to keep up with these volumes. On top of this, budgets have largely shifted from capex to opex which means budgets won't be spent on more hardware to support the ever-growing security telemetry.

CISOs want their security operations staff to perform security operations, not infrastructure management. This has boosted the case for using SaaS-based security analytics with unlimited data storage. But here is the trick: unlimited scale of SaaS-based analytics should not mean unlimited rise in costs. Because enterprises need to vastly scale their security data and perform security analytics on it, we predict that the use of cloud-based security technology will grow dramatically for the next couple of years.

Q2. What are some of the key requirements for threat hunting from a technology and a process standpoint? What do you need to do to be successful at it?

Effective threat hunting is supported by having the right technology and processes in place, but it truly relies on the right people. From a technology perspective, you need to be able to collect and store as much security telemetry as possible (such as endpoint, network and log data) all in one place. By having this data collected, but also enriched and cross-correlated, threat hunters can discover and investigate threats that have been hiding over long periods of time.

Threat intelligence is also central for threat hunting as it often—but not always—provides the initial thread for the analyst to pull. Also, threat intelligence helps understand the impact of a potential threat on your organization by associating the activity observed with the threat actor type.

From a process standpoint, it's critical to have incident response processes in place so that you can escalate any threats discovered during threat hunting. The first step is to review the activity and a system deemed suspicious during the hunt. For this, you need to check the context data that was added to enrich the alerts such as system name, system users, running processes, and threat intelligence feeds. From there, you can look at the history of similar suspicious events in this system and in other systems, focusing on the nature of the uncovered suspicious activity.

Your incident response process should include identifying your compromised systems, as well as the systems that have connected to and from them, and reviewing activities on those systems to find further affected resources (hunting pivot). Lastly, security teams need to remediate all affected systems at the same time to avoid an attacker persisting in the environment. Note however that cutting off attacker access before you are confident that you uncovered the true extent of a compromise is a mistake as it tips the attacker that you are onto them.
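The process just described, as an added worked example rather than anything from the interview or from Chronicle/Google: the connection records, threat-intel entry, hostnames, ports and process names below are all constructed for illustration. It enriches raw connection records with threat intel and host context, finds the same suspicious pattern across other systems, then performs the hunting pivot (systems that connected to or from the suspected hosts) with a configurable hop limit so the scope can be widened deliberately before any remediation starts.

```python
import ipaddress
from collections import deque

# Constructed sample telemetry (not real data): one record per TCP session,
# already normalized into (timestamp_utc, src_host, dst_host, dst_port, process).
SAMPLE_CONNECTIONS = [
    ("2020-07-10T01:02:03Z", "ws-017", "203.0.113.9", 443, "rundll32.exe"),
    ("2020-07-10T01:05:10Z", "ws-017", "fs-01", 445, "explorer.exe"),
    ("2020-07-10T01:09:41Z", "fs-01", "dc-01", 389, "lsass.exe"),
    ("2020-07-10T01:30:00Z", "ws-042", "ws-017", 3389, "mstsc.exe"),
    ("2020-07-11T09:00:00Z", "ws-042", "203.0.113.9", 443, "rundll32.exe"),
    ("2020-07-12T12:00:00Z", "ws-099", "fs-01", 445, "explorer.exe"),
    ("2020-07-12T12:30:00Z", "ws-099", "printer-03", 9100, "spoolsv.exe"),
]

# Constructed threat-intel feed: destination -> actor attribution.
THREAT_INTEL = {"203.0.113.9": {"actor": "constructed-actor-A", "confidence": "high"}}

# Constructed host context, standing in for what a CMDB/EDR lookup would add.
HOST_CONTEXT = {
    "ws-017": {"owner": "alice", "role": "workstation"},
    "ws-042": {"owner": "bob", "role": "workstation"},
    "fs-01": {"owner": "it-ops", "role": "file server"},
    "dc-01": {"owner": "it-ops", "role": "domain controller"},
}


def is_internal(host):
    """Assumption for this example: internal systems appear by hostname, external ones as IP literals."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return True
    return False


def enrich(conn):
    """Attach threat intel and host context to one raw record (the 'enrich' step)."""
    ts, src, dst, port, proc = conn
    return {"ts": ts, "src": src, "dst": dst, "port": port, "process": proc,
            "ti": THREAT_INTEL.get(dst), "src_context": HOST_CONTEXT.get(src, {})}


def initial_leads(connections):
    """Step 1: records whose destination matches threat intel are the first thread to pull."""
    return [enrich(c) for c in connections if c[2] in THREAT_INTEL]


def similar_events(connections, lead):
    """Step 2: hosts showing the same suspicious pattern (process + destination) as the lead."""
    return sorted({src for _, src, dst, _, proc in connections
                   if dst == lead["dst"] and proc == lead["process"]})


def pivot(connections, seeds, max_hops=1):
    """Step 3 (hunting pivot): breadth-first walk over systems that connected to or from
    the seeds, up to max_hops away. Returns {host: hop_distance}. External endpoints are
    already captured as IOC contacts by initial_leads and are not pivot nodes."""
    neighbours = {}
    for _, src, dst, _, _ in connections:
        if is_internal(src) and is_internal(dst):
            neighbours.setdefault(src, set()).add(dst)
            neighbours.setdefault(dst, set()).add(src)
    affected = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        host = queue.popleft()
        if affected[host] >= max_hops:
            continue
        for nxt in neighbours.get(host, ()):
            if nxt not in affected:
                affected[nxt] = affected[host] + 1
                queue.append(nxt)
    return affected


def hunt(connections, max_hops=1):
    """Run the three steps end to end and return the hosts to scope for remediation."""
    leads = initial_leads(connections)
    seeds = set()
    for lead in leads:
        seeds.update(similar_events(connections, lead))
    return {"leads": leads, "seeds": sorted(seeds),
            "affected": pivot(connections, seeds, max_hops)}


if __name__ == "__main__":
    result = hunt(SAMPLE_CONNECTIONS, max_hops=2)
    for host, hops in sorted(result["affected"].items(), key=lambda kv: kv[1]):
        print(f"{host:12} hop={hops} {HOST_CONTEXT.get(host, {})}")
```

Run with max_hops=1 first and widen only once the pivoted hosts have been reviewed; the hop limit is what keeps a file server's ordinary clients out of scope until their activity has actually been examined, and the full affected set is what the remediation has to cover in one pass.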

Q3. What does Chronicle Security plan on highlighting at the Black Hat 2020 virtual event this year? What can organizations expect to hear from Chronicle?

This year, we're excited to talk about how enterprises can take advantage of Extended Detection and Response (XDR) tools by rethinking the way they do security analytics. The XDR technology ecosystem promises a deeper level of visibility, improves detection and supports automated response against modern threats. It can be difficult, however, to realize the full value of XDR tools and platforms without rethinking the way security telemetry is stored, curated, and used to perform security investigation and remediation. For example, if your EDR or XDR data is stored for a week only, many security superpowers do not really manifest for you. Similarly, without fusing the data into a high quality, normalized and enriched set, XDR may misfire and not deliver the value. By learning more about the dimensions of modern security analytics, we believe that enterprises will be able to fully leverage their XDR investments.

Trey Boynton
Global Lead, Inclusion & Collaboration Strategy


Q1. What are some approaches business leaders can use to tackle structural bias organizationally? What's a good place for them to begin?

The first component for business leaders ready to dive into diversity and inclusion work is to understand the need to embed it into your overall strategy. This means your diversity plans should have a home, not only with a designated team that focuses on this area, but also in your strategic business plan, your mission statement, your vision as an organization and in the values you model for your employees.

Leaders will need to take an honest look at their organization and the culture and take inventory on how things really are in order to develop a "north star" strategy. With that baseline understanding, you can begin to target gaps, expose processes, and then make changes to embed inclusion at the point of decision-making. Once you know where you want to go, the next step is to build in success metrics to keep things trackable and accountable. The process is ongoing and constantly evolving. And if you don't accomplish all of your metrics, what do next steps look like? How do we mitigate the roadblock? It's critical that you are honest and transparent through this analysis process—it will ultimately help build trust.

An important note: you cannot execute on strategy if you do not have a good culture. You may have heard the well-known saying from educator and author Peter Drucker, "culture eats strategy for breakfast." I'd argue that if culture eats strategy for breakfast, then inclusion sets the table. Your company is built on people, not products. Drive from a place of inclusion, from the collective 'we', and watch the barriers to brilliance for your teams fall.

Care for your D&I efforts like you would the launch and care of a product. It's the same process and equally as critical. You need to do the research, create your quantitative goals, relentlessly disrupt, update and ultimately deliver to your customers.

Finally, let's debunk the myth that in order to bring inclusion in as part of the business strategy that some in the organization lose - this is what we call a scarcity mindset. This is not true. With inclusion you can have abundance; there is enough for everyone. We don't have to take away from some to give to others. It's not about giving out slices of the pie, it's about growing wheat and fruit trees for everyone. Build your culture around raising everyone up equitably and that's when you'll find your competitive advantage—the x-factor to success.

Q2. What is the most challenging, and the most rewarding, aspect of your work as an executive in charge of driving inclusion and equity at your organization? Why is it important for all organizations to hire individuals in similar roles?

For me, inclusion work is deeply personal. I consider it head and heart work centered on creating space so that employees and teams are valued, celebrated, and are able to define their own success. In short, my ultimate goal is to reduce barriers to brilliance—and that promise to employees is a beautiful thing.

As for greatest challenges, prioritization is my biggest nemesis. It would be the understatement of the year to say that there is a ton of work to do in addressing inequities in the workplace and communities we serve. It can be difficult to decide what is most important first, when thinking about an entire function that executes across the enterprise.

Why hire for inclusion? It's critical that organizations invest in this area because companies are not made up of products – we are made up of people. Companies are communities of people. When our employees come to work, they are hoping for the ability to thrive and contribute at their highest potential. Inclusion helps answer that call. When companies do not factor in experiences of all people, they miss that opportunity. When we link inclusion into the outcomes of the business, we can demonstrate the value.

Q3. What message do you have for those at the Black Hat USA 2020 virtual event around the need for diversity in the technology field?

If you read nothing else, remember this: when we operate inclusively, we unleash the potential of the collective that allows us to be innovative in ways that set us apart from our competitors and allows us to deliver unprecedented value to our customers and partners.

Hackers and inclusion workers have a deeply connected relationship. Think about it:

  • Focus on Education and Training: Cybersecurity uses education and training to change behavior. This is the foundation of a diversity and inclusion program.
  • Understanding the Customer: Security product teams have a desire to understand the experiences of the customer and end-user to help reduce barriers to their business goals. Inclusion teams seek to ensure all backgrounds and viewpoints are considered for people to do their highest and best work.
  • Protecting the Vulnerable: The spirit of cybersecurity is proactively thinking about potential risks and threats to people and organizations – keeping them safe. The idea of protecting the most vulnerable and bringing them to the center is the definition of social justice.
  • Security is Everyone's Job: Just as security awareness programs seek to educate and involve everyone in healthy security habits, diversity & inclusion teams seek to involve everyone in company goals around connectedness.
  • Holistic Approach: We can't do one specific thing to ensure security, we need levels and layers of security with diversity and depth. Similarly, we can't just do one thing and expect to experience inclusion. We need to have multiple manifestations of practices, processes and procedures.

This synergy is unmistakable. So, cybersecurity community, consider this your call to action. There is no industry or community better predisposed to do social justice and inclusion work. You are already thinking about the collective over the individual and looking at behaviors to keep people safe. You are on the front lines of protecting people, our democracy and our citizenship. You are doing public good by protecting those organizations—from the philanthropic non-profit to the innovation-driven enterprise.

When you protect everyone, the industry needs to look like EVERYONE. Let's be relentless in our pursuit of representation. A diverse team will help solve the ever evolving and diverse set of threats you manage on a daily basis. Make a commitment to inclusion and watch the magic happen.

Embrace your white hats, my friends.

MK Palmore
Vice President, Field CSO

Palo Alto Networks

Q1. How has the recent growth of the remote workforce complicated the cloud security challenge for organizations?

Securing our information in the cloud has always been challenging. Part of what we do, as vendors, is to try and educate our customers about the difficulty in assuming that security is on by default and then subsequently taking proactive steps to secure our digital footprint in the cloud. Palo Alto Networks made a significant investment in the concept of secure remote access with our Prisma Access and GlobalProtect solutions prior to the COVID-19 crisis. We realized in the new Secure Access Service Edge environment, that having secure access to your business information, regardless of your location, would be a large component of future business operations. We were both prepared and lucky that the investment allowed us to help our customers scale quickly to the challenges posed by the pandemic.

Q2. Based on your experience at the FBI, what are some key requirements for effective public-private partnership on cyber security issues? What can enterprise security leaders do to enable better partnerships?

Public-Private partnerships can be the difference between an underperforming cyber program and one that is marked by robustness and resilience. No single entity sees the entirety of the cyber threat landscape. It's important, in fact imperative, for InfoSec leaders to ensure they maintain connectivity to the public sector threat intelligence feeds and to make an attempt to develop personal relationships with their regional contacts within the public sector.

As the former leader of the FBI's cybersecurity effort in the Bay Area, I made a point to conduct proactive outreach with executives across business sectors so that we all knew one another prior to a significant event happening. That outreach paid off on more than one occasion. There are any number of ways to do this, through direct programs like the FBI's InfraGard, regional NCFTA and the various ISACs who all have some level of connectivity to threat intelligence from the public-sector. For those states lucky enough to have them, I would also link up with cyber threat analysts based in DHS sponsored fusion centers around the country. Every node represents a possible source of valuable and useful intelligence.

Q3. What technologies and services do you predict will garner the most interest from security professionals at the Black Hat USA 2020 virtual event this year?

Digital transformation waits for no one and given the crisis we're all experiencing, things have only sped up—so technologies and solutions that enable and accelerate digital transformation will be a draw.

For some people that will mean looking at AI and automation to augment the capabilities of their security teams. Innovation to drive SOC automation is something we at Palo Alto Networks have focused on because it's a need of many of our customers. For other people it's going to be about leveling up their secure remote access as remote work will continue for the foreseeable future. With so much uncertainty, technologies designed to support business continuity and resilience will also be a focal point.

Additionally, with teams going remote, the need for seamless cloud-based development from anywhere is vital—so platforms that enable fast, secure app development across clouds give companies a major advantage. Those organizations that were already leaders in this regard are benefiting from their early adoption. For those who were hesitant, they are now trying to figure out how to make a shift during these difficult times. So, cloud security tools and education around best practices becomes paramount.

Albert Biketi
VP Security Business

Splunk
Q1. Splunk has positioned itself as helping organizations bring data to every security challenge. What does that mean and what does it take—from a technology standpoint—to be able to do it effectively?

Bringing data to every security challenge breaks down into three groups--data to every question, every decision and every action.

For every question, we use our expertise in data to build tech that runs the best possible investigations and does the highest class monitoring. The goal is to reduce the mean detection and response times -- take down that dwell time and give the adversary less time to do bad things.

For every decision, we build analytics structures, pulling data from known and previously unknown sources of risk, and then correlate them to help make the best decision as quickly as possible. Too often, that's where the process stops. Not at Splunk. It is not enough to know, you have to take appropriate action on each decision. We offer high-quality remediation through effective collaboration across teams.

Most attacks today have a high level of automation. They are always on, never get tired and move to the next technique almost before they have exhausted the first. A human response simply cannot keep up with that, particularly at scale. Splunk harnesses that same kind of automation to stitch together a strong foundation of effective data analytics and a platform for action.

Q2. What do you perceive as some of the biggest market opportunities for Splunk in the security space over the next few years?

Splunk already works with 91 companies in the Fortune 100. I believe, however, that our market opportunity is still tremendous. It grows out of the persistent need to have the right people, processes, and technology in place that can get SOC teams ahead of the bad guys.

The first market opportunity stems from a scarcity of people. You are never going to have enough people to do everything you need to get done. That's true now. It'll be true in three, five and even ten years from now. The reality is that throwing more people at problems is not scalable, nor is it a successful security strategy. Splunk is working to solve workload problems and help more people make better decisions faster. That's why we've invested so heavily in analytics, machine learning, as well as security orchestration, automation and response (SOAR) capabilities. We use machine learning and highly scaled execution to solve the scarcity of people problem.

Second, we're seeing that companies are doubling down on their digital transformation effort—and so are we. As of late, we've seen enterprises rush to move everything to the cloud, a "transformation accelerator" if you will. Some companies are faced with remote work challenges, while some are realizing they need to do commerce in a new way. Either way, this presents infrastructure challenges, architectural challenges and service challenges. Sure, there's a significant opportunity for innovation, but this presents huge security risks and challenges in very compressed time.

Third, how to get rid of complexity. It's long been said that security teams are overwhelmed with tools and red flags, and it's unfortunately still the case today. Throwing security tools and point solutions at problems has led to uncoordinated responses and a loss of context as people navigate issues. Whether it's something as simple as phishing, malware, or ransomware, a consistent approach to security can turn a complicated web of processes into a smoothly integrated operations workflow, while reducing MTTR as the volume of attacks continues to grow.

Q3. If there's one thing you'd like security leaders at the Black Hat USA 2020 virtual event to know about Splunk, what would that be?

We've put a lot of distance between the days when we were a data-logging platform and what we are today. Splunk's journey for customers is extremely strong across Security, as well as IT Ops and DevOps. We bring together metrics, logs and traces to understand what's happening and why it's happening. Our use cases in security and fraud are ahead of the pack. Splunk is a true data platform for the enterprise and we've seen incredible cloud momentum. Our customers are moving with us.

Splunk's continuing evolution means that we are dedicated to leading the SOC transformation within the cloud. We've made a lot of progress, but we also have some big announcements coming up at our October users conference, .conf20, that really illustrate how our leadership maps back to accessibility and customer needs.

In fact, our overarching motivator right now -- that includes our evolution to a Data-to-Everything platform and a cloud-native posture -- is accessibility. We believe that data to everything means making data accessible to everyone. As we've grown and evolved, we've doubled down on accessibility. We recently changed our pricing model to make Splunk more affordable and sustainable for more people. We've also done a lot of work in education. After all, what is the use of all this data if no one understands how to read and use it?

Brian Vecci
Field CTO

Varonis
Q1. How has the increase in remote working as the result of the COVID-19 pandemic complicated the security challenge for organizations? What long-term changes do you see it having on enterprise cybersecurity strategies?

COVID forced a fundamental shift for most organizations almost overnight. Connectivity and access gains increased risks to sensitive corporate data. Companies were quick to get workers up and running, but collaboration platforms like Teams that were designed to help employees keep in touch left gaps that allowed authorized users to copy, save, and share sensitive data all too easily. Security teams are having a hard time keeping up with who has access to these new environments, what kind of data is being shared, and whether it's sensitive or not. Convenience took priority over security in a lot of situations.

Many employees found themselves fearful of losing their jobs and were without a manager watching them -- setting the stage for insider activity. Those lacking a fast, reliable connection at home turned to unsanctioned—and not necessarily secure—third-party apps and tools to get their work done. Taking away employee convenience is often a futile exercise—they'll find ways to get the job done with or without your help.

Looking ahead, companies that want their employees to stay remote or plan to bring them back on a part-time schedule must think about their long-term data security strategy. Fundamentals, like locking down access to least privilege, will help prepare your organization for an inevitable attack, breach, or privacy violation down the road. Employers need to make sure that they know where valuable data is, work diligently to ensure that it's not exposed to too many people, and monitor everything closely.

Making sure that privacy and security are built-in by design, from the beginning as new features and functionality are deployed, is critical to ensure that things don't get out of control.

Q2. What are the biggest challenges organizations have when it comes to implementing a data-centric security strategy? What does it take to move from a network-centric security model to one that is more focused on data?

Traditional cybersecurity strategies tend to focus on keeping external threats out of the enterprise network, but security and IT pros know that it's just a matter of time before an organization is compromised. Many companies are leaving themselves vulnerable to data breaches with poor internal practices. Unsecured folders that are open to global access groups—those set to Everyone, Domain Users, or Authenticated Users—are a major win for attackers once they breach a network, granting easy access to key data such as intellectual property and customer data. Poor access controls also increase the threat of a malicious insider abusing their position.

Employers need to ask themselves, "Do we have an accurate picture of our data risk? If we do, can we safely reduce risk without getting in the way of employees? Can we quickly detect if there's a threat to data or systems caused by unneeded sharing or access to data?" These are important security questions that often aren't being asked in the push to offer more collaboration options. Firms must audit all servers to identify all folders, mailboxes and SharePoint sites that have global access groups applied to their ACLs (access control lists). These global access groups need to be replaced with tightly managed security groups that ensure only appropriate users have access to sensitive and regulated data. Moving forward, a least privilege approach should be used for all access permissions, with users only accessing as much as they need to perform their roles.

Some of the most significant data breaches in recent years have been the result of bad practices around managing and securing data on the network – this should be a huge red flag to any executive team or board charged with securing a company's intellectual property, customer data, and other confidential and protected information.
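The audit step described above, as an added example that is neither Varonis code nor part of the interview: the input is a constructed CSV export of file-system ACEs, using the column names of a .NET FileSystemAccessRule as a PowerShell Get-Acl export would produce them (path, identity, rights, allow/deny, inherited flag); the share paths, group names and rights are all made up for the illustration. It flags every Allow entry granted to Everyone, Domain Users or Authenticated Users, then collapses those findings to the explicit ACE that introduced each exposure, since the inherited copies beneath it disappear once that one entry is replaced with a managed security group.

```python
import csv
import io

# Global access groups named in the interview, matched case-insensitively after the
# domain/authority prefix is stripped ("NT AUTHORITY\Authenticated Users" -> "authenticated users").
GLOBAL_GROUPS = {"everyone", "authenticated users", "domain users"}

# Constructed sample export (not a real environment): one row per ACE, with the
# property names of a FileSystemAccessRule as a Get-Acl CSV export would emit them.
SAMPLE_EXPORT = r"""Path,IdentityReference,FileSystemRights,AccessControlType,IsInherited
\\fs-01\Shares\Finance,CORP\Finance-RW,"Modify, Synchronize",Allow,False
\\fs-01\Shares\Finance,NT AUTHORITY\Authenticated Users,ReadAndExecute,Allow,False
\\fs-01\Shares\Finance\Payroll,NT AUTHORITY\Authenticated Users,ReadAndExecute,Allow,True
\\fs-01\Shares\Finance\Payroll,CORP\Payroll-Admins,FullControl,Allow,False
\\fs-01\Shares\HR,CORP\Domain Users,"Modify, Synchronize",Allow,False
\\fs-01\Shares\HR,Everyone,FullControl,Deny,False
\\fs-01\Shares\Engineering,CORP\Eng-RW,Modify,Allow,False
\\fs-01\Shares\Public,Everyone,ReadAndExecute,Allow,False
\\fs-01\Shares\Public\Templates,Everyone,ReadAndExecute,Allow,True
"""


def principal_name(identity):
    """Drop the 'DOMAIN\\' or 'NT AUTHORITY\\' prefix and normalise case for matching."""
    return identity.rsplit("\\", 1)[-1].strip().lower()


def parse_export(text):
    """Read the CSV export into plain dicts; quoted multi-value rights are handled by csv."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "path": row["Path"].strip(),
            "principal": row["IdentityReference"].strip(),
            "rights": row["FileSystemRights"].strip(),
            "type": row["AccessControlType"].strip(),
            "inherited": row["IsInherited"].strip().lower() == "true",
        })
    return rows


def global_access_findings(rows):
    """Every Allow ACE granted to a global access group. Deny ACEs are not exposure."""
    return [r for r in rows
            if r["type"].lower() == "allow" and principal_name(r["principal"]) in GLOBAL_GROUPS]


def exposure_roots(findings):
    """Collapse findings to the explicit (non-inherited) ACE that introduced each exposure,
    counting the inherited entries beneath it; replacing the root entry fixes its descendants."""
    report = []
    for root in (f for f in findings if not f["inherited"]):
        group = principal_name(root["principal"])
        prefix = root["path"].rstrip("\\") + "\\"
        children = sum(1 for f in findings
                       if f["inherited"] and principal_name(f["principal"]) == group
                       and f["path"].startswith(prefix))
        report.append({"path": root["path"], "principal": root["principal"],
                       "rights": root["rights"], "inherited_descendants": children})
    return sorted(report, key=lambda r: r["path"])


if __name__ == "__main__":
    findings = global_access_findings(parse_export(SAMPLE_EXPORT))
    for entry in exposure_roots(findings):
        print(f'{entry["path"]:32} {entry["principal"]:36} {entry["rights"]:20} '
              f'(+{entry["inherited_descendants"]} inherited below)')
```

Only the explicit entries need a replacement group; the inherited count tells you how much of the tree is exposed by each one, which is a reasonable way to order the cleanup when there are thousands of folders.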

Q3. What do you expect people participating in the Black Hat USA 2020 virtual event will be most interested in hearing about from Varonis?

Security and IT teams scrambled to adjust to today's new normal. Our latest Remote Work Update to the Varonis Data Security Platform was built with these challenges, including increased VPN activity, the Microsoft Teams explosion and Office 365 use, in mind. We added a new Edge dashboard highlighting risks to your remote workforce and to help security teams track and trend progress as they mitigate critical security gaps. We included new remote work threat hunting queries to highlight potential indicators of compromise that haven't yet progressed to a full-blown alert. There are myriad ways to share data via Teams and answering a simple question like "Which sensitive files are overexposed?" can be a huge challenge. Varonis takes the guesswork out of Teams permissions and shows you how each user can access your Office 365 data. For example, Varonis identifies if a user exists in Azure or if the user is granted access via a sharing link, right in the interface. You can see the impact Teams has on your threat surface and get a granular view of who can access data shared through Teams—even if the users are outside of the organization.

We help security teams see where their sensitive data is overexposed with new reports showing where data is shared with external users and even publicly. Further, we added new threat models that enable users to combat those new threats. For example, Varonis will detect if a compromised account creates a sharing link to sensitive data, or there is an active brute force attack directed at Azure.

When suspicious activity occurs, it's always helpful to have an additional pair of hands and a team you can count on. Varonis provides customers with complimentary, no-cost access to our Incident Response Team that can help you investigate unusual activity and potential threats. Please visit our website to learn more or contact us for a demo or a free Data Risk Assessment.
