Security faces many problems. Asset inventory, patching automation, config management, and device administration are all perennial challenges. But how many of them are related to security specifically?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap). Joining us is Sneha Parmar, information security officer, Lufthansa Group Digital Hangar.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Fenix24

Full Transcript
Intro
0:00.000
[David Spark] Security faces a lot of problems, but how many of them are actually related to security specifically?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. And joining me as my co-host for this episode, why, it’s none other than Geoff Belknap. Geoff, thank you for joining us.
[Geoff Belknap] Thank you for having me once again. I keep thinking you’re going to ban me from this podcast.
[David Spark] Not at all, Geoff. You’re one of the wonderful voices that we love hearing and people love hearing you over and over again. And in fact, you can hear many episodes of him. Just go to our site, CISOseries.com, type Geoff’s name in, spelled G-E-O-F-F. I’m assuming you have to spell that a lot for people because I don’t know where that ranks in the Geoff spelling list. Where does that rank?
[Geoff Belknap] I will tell you the authoritative source on that is an SNL skit that everyone and their brother has sent me. So, if you don’t know what I’m talking about, go ahead and Google that, we’re paying it, and you can get the answer for yourself.
[David Spark] I’ll have to look it up myself, I’m not familiar with it. Our sponsor for today’s episode is the Conversant Group, the world’s first civilian cybersecurity force. More on exactly that a little bit later in the show. But first, Geoff, you recently posted on LinkedIn that the hardest problems in security aren’t “security problems.” So, you listed asset inventory, patching automation, configuration management, and device administration as the biggest examples.
What brought you to this realization? And if that’s the case, shouldn’t we be hiring completely different people to handle what we’re calling cybersecurity?
[Geoff Belknap] No. I think the thing that always brings this to mind is the reminder that while we’re working in security on very complicated problems with active threat actors who are motivated to do wrong, we sometimes lose sight of some of the most important things we can do in security are the fundamentals.
Do we know everything that we have on the network? Do we know the current condition of it? Do we know who’s responsible for it? And those things aren’t traditionally “security problems,” but boy, are they some of the most impactful things you can do to improve security of your organization.
[David Spark] You are right. I don’t think you’re going to get any disagreement, but it’s sort of the eye-popping moment that a lot of security is not “security.” And the person that’s going to help us with this conversation, thrilled that she’s joining us for this, with a sort of a recently new group as part of Lufthansa, Lufthansa Group Digital Hangar.
It is the information security officer there, Sneha Parmar. Sneha, thank you so much for joining us.
[Sneha Parmar] Thank you for having me. Glad to be here.
This is not just a security issue.
2:45.919
[David Spark] Phillip Miller, CISO over at Qurple, said, “Since the early 2000s, we have known these to be the critical things to ‘get right.’ Nearly a quarter of a century later, the same problems persist, albeit with new complexity due to abstracted tech stacks. The real problem is security being treated as a discrete function instead of an embedded reality.
Solve the communications, partnership, prioritization, and policy missteps, and things will get better.” And Mark W. of MITRE said, “I worked with an organization for five years trying to get them through the number one thing they could do for security was configuration management. Configuration management was a prerequisite for everything else.
But you don’t go far enough. Bigger than those four is poor engineering. As Carl Landwehr stated years ago, the economic boom in cybersecurity is a consequence of poor engineering.” So, wow, both of these just say there are basic sort of structural issues that cause security failure. Geoff, what do you think of that?
[Geoff Belknap] I think that’s definitely very true, but I think what I was really trying to get at here is what Phillip dipped into, which is this is a team sport. Certainly, things start to break down when we think of security as security’s problem, and we don’t think about the other things that all of our peers and partners and colleagues are responsible for as well.
If you’re just an IT admin, you turn out to have an incredible impact on the cybersecurity stature of your organization. If you are managing your infrastructure, if you have your configurations logged, if you’re making sure all your things are logged, if you’re doing your patching, all the boring stuff nobody wants to give you money for or sell you a new toy for or give away to you, you are doing some of the most important cybersecurity work to do that there is, period.
And I think we sometimes get lost in the marketing ecosystem of all these new exotic threats, and certainly, those are very important and very challenging to deal with, but if you’re starting from a position of not understanding how defensible your infrastructure is or really not even understanding what your infrastructure is at all, you’re starting from a losing battle position.
[David Spark] All right. I throw this to you, Sneha. I guess, what has been your history on dealing with making security a team sport?
[Sneha Parmar] Painful one, I’d say. Because it’s just the entire history itself, security being seen as something which is bolted on, rather than an embedded key function within the organization. That itself creates a lot of silos, but also a lot of unrealistic expectations or not knowing who’s responsible for what.
So, a lot of times, you would go into the conversations with different parties from within the organization who would be like, “No, but security is responsible for this,” or “No, these people are responsible for this.” And that just constantly creates more friction, rather than us going in as a team, as an entire organization, to actually go for solving those problems.
And that is where that constant friction among different teams, from the responsibility point of view, kind of creates this huge pileup of backlog, operational, maintenance, or even just in general, technical debt. And until there is a clarity or a decision from the business on who is owning it, it just stays there.
And the worst part from security perspective is attackers don’t wait. So, we cannot afford any minute on just sitting on those information that, okay, we have these many problems and we should solve it. What security professionals would ideally do is jump in and be like, “Hey, it’s okay. Let us figure out how to get it done.” But in that position, then security goes in and focuses more on operational and maintenance work, and then we are losing time on the threat side.
So, it’s very difficult to balance.
[Geoff Belknap] Yeah, I like to think about it is if you aren’t owning your technical debt and your operational problems, your threat actors will. That is where they thrive.
What do most people think it is, and what’s the reality?
7:03.045
[David Spark] Yaron Levi, CISO over at Dolby Laboratory, said, “You can also summarize it as ‘lack of operational discipline.’” It’s a really nice way of summing it up. Erkang Zheng over at JupiterOne said, “These are spot on! They are the foundational, but they are so hard to do well at scale. I wish more of us in the industry would invest more time, resources, tools to doing better at the basics, and let’s accept that there really isn’t an ‘easy’ button for this.” And Sergei Rousakov of LinkedIn said, “Simply knowing what’s attached to your network and who to contact about it cannot be overappreciated.” So, all three of these are just saying the basics of running a business, running your operations, they get really, really tough as things get more complicated and as you grow. Sneha.
[Sneha Parmar] I actually do agree. We can see it as operational discipline. So, lack of operational discipline or operational or maintenance deficiencies ideally. And it gets difficult when you scale as a business because then it’s just a huge amount of operational load that you want to do. But from the management perspective or from the business perspective, operations or maintenance is seen secondary to moving fast or the road to innovation.
So, that always kind of like bogs down and slows down. Also, as Geoff also mentioned, it’s the boring stuff. Like, okay, nobody’s going and telling the IT or device admin that, “Hey, you have no idea how amazing it is that you’re with us and you’re doing all of these tasks, which are considered boring and not so sexy work, but it just creates a huge, huge difference.” So, from my perspective, we can call it operational deficiency or even an operational discipline.
And also, I’ve wondered a lot of times that from personal hygiene perspective, so if we own a house or a car, it’s by default, we accept that we are responsible to maintain it, but that is just not showcasing from the organizational standpoint. And when there is like budget or companies are struggling, they would ideally want to reduce the operational budget or the maintenance budget and want to make it more cost-efficient, but that is where the attackers get an upper hand.
[David Spark] Geoff, this is not the first time we’ve talked about you got to get the basics down, but why does this become so unbelievably complicated? And the “smartest” businesses still struggle with this.
[Geoff Belknap] I mean, there’s a myriad reason, right? I think one of the most primary reasons, especially in the tech sector, we are incentivized to get product and features out. If you’re in the consumer space, you want to focus on getting new products and shipping them faster and cheaper. And spending money on this stuff that nobody ever sees, that don’t really impact customers directly, is a hard decision.
I think Sneha’s analogy of a house is a great example. If you’ve got a little money and you’re looking for a new house, you want a pool or a hot tub or a really cool kitchen, and you’re not really asking questions about when was the last time the heating and cooling system was maintained? Or is it new?
If the house is 20 years old, is the heating and air conditioning system 20 years old? Because then it’s towards its end of life. How’s the water heater doing? Right? Those are not the questions you are asking on the first visit.
[David Spark] True. Not on the first visit, but you do ask them before you buy. [Laughter]
[Geoff Belknap] You do eventually, but you really don’t ask until you’re down to brass tacks of buying. And I guarantee you, the decisions are not really being made on whether the water heater needs to be replaced or not. And while this is sort of an absurd analogy, it’s not that far off. Like at the end of the day, a lot of people are sending around third-party security surveys.
Very few of them are asking the basic things of like do you have an inventory management system? Like how sure are you that everything in there is accurate? Do all of those things have owners? No, we’re asking like what’s your SOC 2? Do you have an ISO certificate? What are you doing for GDPR?
And while all of those things are very important in their own right, we really need to get focused on what really matters. And the couple of things that really matter in an organization are when was the last time you had an incident, and did you do anything to repair the things that caused the incident?
And do you just know everything and everyone that’s in your environment and who’s responsible for them? It sounds ridiculous, but it is an incredibly hard problem, and I think there are only a few people working on that problem. I think Erkang, who commented here, is one of them, but it’s just not where people get excited about.
They all want to add AI. Nobody wants to go make sure AI knows all of the things Sneha and Geoff are running in their environments.
Sponsor – Conversant Group
12:06.024
[David Spark] Who’s our sponsor this week? Well, didn’t I tell you at the beginning? It’s the Conversant Group. And let me tell you about them. Brand-new sponsor of the CISO Series. Let’s just face the facts that cyber-attacks happen. The question is, how quickly can your business recover? With Securitas Summa from the Conversant Group, recovery isn’t just possible, it’s assured.
So, Securitas Summa is a comprehensive cybersecurity program designed to keep your business secure and operational. It combines proactive defense, continuous protection, and assured recovery through Fenix24, the world’s leading recovery firm. Work begins in less than 60 days and recovery starts the moment you need it.
No delays, no excuses. With Securitas Summa, your organization has access to a fully managed recovery process that gets you back online faster than anyone else. Fifty percent faster than the industry average, to be exact. And downtime is minimized, risk is reduced, and your operations stay on track.
Cyber resilience starts with the right partner. So, go to their website, visit conversantgroup.com to learn how Securitas Summa delivers security and recovery you can count on. It’s conversantgroup.com.
Sometimes it’s really not that difficult.
13:30.859
[David Spark] Jerry Davis, Cybersecurity and Infrastructure Security Agency or CISA, said, “It’s IT lifecycle management that I maintain is one of the most glaring nemeses to good security.” Darren Desmond, who is a CISO, said, “If you were in a business that had a mobile workforce of some kind, you wouldn’t expect the vans and trucks to be bought, fitted out, and deployed, and then expect them to run without maintenance for 20 years.
Yet this is exactly what many companies do that act surprised when they are hit by a ‘sophisticated attack.’” And Simon Chapman of Conversec said, “The difference between mediocrity and excellence is simply doing the basics to a high standard. All the things you mention are basics – boring, unsexy, unexciting, and utterly critical.
The real issue is lack of communication and collaboration, but there’s no product for that.”
All right, Sneha, I’m going with you on this because you addressed many of these earlier, and these also reference things that were said, but they kind of bring them all together. We got a problem with dealing with the basics. I love the analogy that Darren said, which is very similar to yours about maintaining the vans and trucks that are built in your fleet.
But then the other thing, it’s communication and collaboration. So, how does the maintenance and the communication collaboration pieces go together, I guess, better and how do they fall apart?
[Sneha Parmar] I would go back to what Geoff mentioned, knowing what we have within our environment is the key, but also knowing who owns it or who is responsible for it is the key. And I feel like that is where you could either get most traction for things from security side, if you see an issue within your infrastructure or your environment.
Knowing who owns it, it gives you a very high chance of making sure that it gets fixed. Yes, it might take a little bit more time depending on the priorities, but there is a chance.
[David Spark] By the way, just quoting Sergei Rousakov, who we quoted earlier on LinkedIn, said exactly that as well. Just knowing who owns it and who to contact is key. Go on.
[Sneha Parmar] Exactly. And on the other side, when it falls apart, is not knowing what you have, definitely, then you’re at point zero or maybe even negative. But even if you know, you already also know that there are a lot of issues or vulnerabilities, but not knowing who owns it would get you into the friction with the business.
[David Spark] This is one level up because the whole asset management industry just lived off of this one line – you can’t protect what you don’t know. I mean, we’ve all heard this umpteen times, but this is the one level deeper. It’s not just knowing what you have; knowing who can deal with it.
[Sneha Parmar] Exactly. Who can fix it.
[David Spark] [Laughter] Exactly.
[Geoff Belknap] And making sure they do. That, I think, becomes the real problem. It turns out lots of people have Jira tickets and ADO tickets and ServiceNow tickets about things they need to fix, and they’ve got dashboards that show that they are hundreds, if not thousands, of days old. And they’re all just waiting for somebody to be like, “Hey, you going to take care of this?” And they go, “Oh, right.
Yes, of course I am.” Or more likely, it ends up in a postmortem after-action report from an incident. You go, “That might not have happened had we done the things we said we were going to do on a regular basis.” But I also think what Darren is saying here is really important. People need to understand that that regular maintenance is really important.
If we’re not holding ourselves accountable to that regular maintenance, then we’re not really running the business and we’re going to run into trouble. And at the end of the day, that’s the thing that really matters. That’s security work. That is security work for accounting. That is security work for engineering.
That is security work for sales. All of these teams that own systems, they all need to be doing these operational things. Like Sneha said before, it’s operational discipline and it’s not just security’s job.
[David Spark] By the way, I asked this question a long time ago for the security community, I said, “Is there any one thing in security which is set it and forget it?” And nobody could come up with a single answer. There’s nothing.
[Geoff Belknap] I mean, there is for pentesters. If you set and forget the thing, the pentesters will find it and prove to you that you set it and forget it.
[David Spark] [Laughter]
[Geoff Belknap] The bad guys of all sorts will notice.
What’s our visibility into this problem?
17:47.035
[David Spark] Dr. Joe Lewis, who’s the CISO over at the Centers for Disease Control and Prevention, said, “A long time ago, the Center for Internet Security stated categorically that you could reduce 80% of your cyber risk by having, one, good asset inventory, and two, good software inventory. Neither of those two things are specifically cyber, but are areas we consistently struggle with, especially with the ease and agility of cloud.” Oh, I would double down on that. Yes.
And Ramin Ettehad of Oomnitza said, “I’d argue that it’s crucial for the asset inventory to avoid becoming yet another data silo. It should instead be a living, integrated layer across your security business and IT system to create a 360-degree view of all your technology assets. This enables the orchestration of key workflows across the asset lifecycle from one place.
Without this, you’ll end up relying on manual tasks, which create blind spots and erode operational hygiene.” So, I will start with you, Geoff, on this. This is doubling down on just the asset inventory issue we talked about, but like, oh, this has got to be like everyone’s visibility, not just security or not just IT.
[Geoff Belknap] Yeah. And I think the key here is helping everyone see that if you, for example, are part of a push to improve security in any way, shape, or form, sometimes people forget that they can do security without having to work on a security project, right? That’s specific to adding Auth or 2FA or something like that.
Like security, a lot of times, is clearing out your backlog, understanding your asset inventory, and understanding how to use the things that you have. I think there’s, in some of the investing that I do, there’s a lot of companies that are very interesting in this space because they’re starting to bring this ethos into the security space.
And if I look at like JupiterOne or Reach Security, they’re really trying to take the boring stuff that nobody thinks about as security, like understanding what you have or understanding how to use what you have better, and bring it into the mainstream of security, and I’m really hopeful that that takes root.
[David Spark] All right. Your take on this? Which essentially is just make this inventory issue visible to everyone.
[Sneha Parmar] I’d also agree because I’ve seen a lot of times, even just in the security community space, that you might have a very good security tool, be it on the defense side, but the infrastructure or the application or whatsoever got compromised was not onboarded. So, then it’s like, okay, you invest a lot in the tools, but if you don’t know what you have in your environment, you would still be 1 step or even I would say 10 steps behind because you have a lot of investment, you have a great team, you have the visibility and most of the stuff, but because of lack of inventory, you might miss out a couple of things which is critical to the business, but nobody knows because, well, there’s no visibility.
And that leads to a disaster. So, all the efforts you put in, in securing a lot of stuff, it didn’t necessarily go in vain, but still you missed out and there’s this… It’s the invisibility cloak. [Laughter] You don’t know when it’s going to be like, “Okay. Hey, we’re here.” The attackers would be like, “Yep,” they hit a jackpot.
So, that is why the basics are just so important.
And the other thing which was mentioned was that make sure that it’s not another data silo. So, there might be so many times like once you did it and then you forget it. Okay. We have an inventory, but maybe you finished that project. Perhaps it was an initiative, which was very good, and it finished in 2022, for example, and then nobody maintained it.
Again, we run into the same things, especially focusing on cloud because now, one, there are positive sides of it because people are moving. Most organizations are moving to cloud. So, you have then a little bit of visibility more and more because they’re moving applications to the cloud. You can also see the cost optimization part.
So, business finds it also useful, not just for security or asset inventory. They could figure out, okay, where we are spending more costs. But on the other side, then it’s just moving too fast, that sometimes you just spun up a lot of things which are going in, and the configuration sides of things are not there.
So like maybe you would find an S3 bucket, which is public, and it’s just the balancing effect. It’s very crucial.
[David Spark] By the way, everything you described, our listeners have seen and heard again and again and again.
Closing
22:26.686
[David Spark] Well, we have come to the portion of the show where I’m going to ask you, Sneha, please take a look at all these wonderful quotes that I read from our incredibly bright audience and tell me, which one was your favorite and why?
[Sneha Parmar] I would say Yaron Levi. You can also summarize it as lack of operational discipline. I think it’s about time we all got more disciplined into understanding that maintenance is part of our job. Everybody’s. Not just security. And that is where the basics lie. And if you want your security team or even the organization and the resilience, the entire cyber resilience of your organization to improve, you need to make sure that we do the basics right.
[David Spark] Geoff, your favorite quote and why?
[Geoff Belknap] My favorite quote is all of these because they all came from my network because I posted this on LinkedIn.
[David Spark] Yes. [Laughter]
[Geoff Belknap] So, thank you, Yaron, Erkang, Sergei, Jerry, and everybody else, but I’m going to go with Darren here.
[David Spark] Yeah. He made the reference to the vans and the cars.
[Geoff Belknap] And he really hit it on the head here. I think the only missing part is the people doing the maintenance for those vans need to consider and be treated like they’re doing an essential service for that business. Your business that needs those trucks maintained cannot operate without those trucks.
If you’re an – just to pick something out of the top of my head – if you’re an airline, and you’re devaluing the people that maintain the airplanes and the aircraft, I think you’d have a pretty tough time running a sustainable airline. And yet this is sort of where we are when we look at our tech stacks.
I think in the tech world, we actually do a fairly good job relative to other industries in terms of making sure that our tech stack is well-known and maintained. But my exposure to some of my colleagues in other industries is it’s not so good. I think a lot of people sort of try to set it and forget it and are very surprised when problems and costs come up later.
So, I think it’s a great analogy. Great job, Derek.
[David Spark] Excellent. Well, thank you very much, Sneha. Thank you very much, Geoff. And I also want to thank our phenomenal sponsor, and that’d be the Conversant Group, the world’s first civilian cybersecurity force. Remember, you can go to their website, conversantgroup.com, to learn more about how they can keep you running when the inevitable happens, and sadly, we know the inevitable often does happen.
So, please check them out, conversantgroup.com. Well, Sneha, thank you so much for coming. Geoff, as well, thank you for posting this. This was a great, great conversation online, and I’m so thrilled everybody had it, and we were able to discuss it with everyone. And thank you to our audience. We greatly, greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.