Every vendor is quick to throw out the word visibility. But like AI, that term is loaded and can mean a lot of things. What is meant by visibility, and what is desired by the term visibility?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Bil Harmer, security advisor, Craft Ventures. Joining us is James Bruce, business security services director, WPP.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, ThreatLocker

Full Transcript
[David Spark] Every vendor is quick to throw out the word visibility, but like AI, that term is loaded and can mean a lot of things. So, what do we mean by visibility, and what is desired by the term visibility?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series. Joining me as my guest co-host is none other than Bil Harmer, who’s a security advisor over at Craft Ventures. Bil, thank you so much for joining us.
[Bil Harmer] Thanks for having me.
[David Spark] All right, that’s the sound of his voice. You’re going to hear more of that later in the show. Our sponsor for today’s episode is ThreatLocker, Zero Trust Endpoint Protection Platform, and they’ve got a lot of cool new services and tools, and we’ll be talking about that later in the show.
But first, Bil, let’s talk about the topic at hand. Ask a cybersecurity professional if they have visibility in their environment, and they’ll likely mention some combination of logs and dashboards. But as Rinki Sethi who’s the CISO over at Upwind Security points out, all that data is just noise without the right data at the right time with the right context.
We’ve heard this a lot. Visibility has the same problem as the term AI. It can mean so many different things, and if you’re not clear with what you’re delivering or desiring, so “We provide this kind of visibility,” or “I’m looking for this kind of visibility,” you may be very unhappy with the results.
Like that term is not synonymous to all or isn’t defined the same way to all. Have you run into this problem, Bil?
[Bil Harmer] 100%. The nomenclature is splattered across everything. I’ll go back and thank Wiz for this one because they provided visibility, and they blew up so fast that now everybody wants to provide visibility. As you said, it could mean actionable things, or it could mean simply dashboards.
And what I’ve also found is there are a lot of CISOs out there that do not want visibility. They want action because they look back at the lawsuits that are coming and the legal liability of having visibility without action, they’d rather not ring the bell.
[David Spark] All right. Well, we’re going to get into this discussion of visibility, what is meant by it often, what we want, where we can come to a communal understanding, or maybe we describe it in different ways. The person to help us with this very discussion is the business security services director over at WPP, none other than James Bruce.
James, thank you so much for joining us today.
[James Bruce] Great being here.
What’s our visibility into this problem?
3:32.982
[David Spark] So, Max Stevens of Upwind Security said, “A few years ago, the mindset shifted from ‘I want to see everything’ to ‘I want visibility and clear actionable steps.’” Ah. “Observability without action is just noise.” Oren Yaakobi of Alma Security said, “Visibility has turned into everything and nothing depending on who’s selling it.
Real visibility should mean understanding the state of your environment, the risk it creates, and the actions you can actually take, not just more dashboards to show pretty graphs.” Oh, I’ve heard lots of complaints on that. And lastly, Nivathan Athiganoor Somasundharam of Teleport said, “Visibility without context is just noise.
The real value comes when visibility leads to actionable insight, not just more data, but the correct data to make fast, informed decisions. In the age of alert fatigue and sprawling logs, clarity is the new currency in cybersecurity.” So, there’s a lot of echoing here, and I’ve heard this a lot, Bil.
Don’t just show me what my problems are, show me how to solve them, and give me the tools to do just that. That seems kind of like the Holy Grail, yes?
[Bil Harmer] Absolutely. It’s what everybody’s banking AI to be, that it’s one of the only things that can consume all of that data and not treat it as noise and find small patterns in huge haystacks.
[David Spark] Good point. All right. I throw this to you, James. Can we come to a quick agreement that visibility without action, it’s not so much noise, but it’s just like you don’t have any capability at that point, right?
[James Bruce] Absolutely. The thing about visibility, it isn’t about seeing everything. It’s about discovering what you’re not seeing. For example, lateral movement. Maybe a third-party vendor that’s sitting there, maybe they have a service account that has more privileges than you thought.
Maybe user accounts that you’re not aware of. It’s not so much, what can you show me? It’s kind of like, help me discover what I don’t know I’m missing. And it’s like going threat hunting. You go in, you don’t know exactly where you’re going to end up, but then you find all these corners, maybe the service account, maybe a registry setting, and you’re not really sure until you find it, and you never knew that that was the problem.
I look at M&S in the UK. They went into their service desk, and somebody impersonated an admin, and they gave them a password over the phone. And they were able to go in and lateral movement and basically ransomware, and they encrypted everything. So, these are the things that you think, “Well, service desk, social engineering, it was an ideal attack.” I mean, they’re not going to say anything.
Our ex-CIO is their CIO now, Rachel. We know that she went in trying to update their infrastructure, get them current as she did at WPP. Essentially, she knows all these legacy systems, they need to be updated. Unfortunately, they hit her hard with this ransomware attack and they’re still down, I believe.
They can’t take orders online. So, these are the things, kind of the unknown unknowns. It’s a defense term used in the ’60s, used by Donald Rumsfeld back in the ’80s…or ’90s.
Is anyone happy with this solution?
6:51.596
[David Spark] Lior Yaari of Grip Security said, “While we pride ourselves for actionable visibility in the product pitch, I do want to highlight the benefit of pure visibility for a short moment. There’s multiple reasons for why pure visibility is important for security resilience, even when there’s no immediate action.
For example, having software composition analysis context as to which open source packages are deployed is a visibility element. Still, even without any remediation action, knowing is key in order to be able to quickly respond if one of those third parties is breached.” So, that’s a good point.
Andrew Dutton of Sumitomo Chemical America said, “I disagree with the use of the term being overused. It is a core function of you can’t secure what you don’t know.” And also referring to the unknown unknowns or even known unknowns. “I think more to your point, vendors use the term as a blanket statement, and for each, you need to unpack those use cases.
In the end, we need full visibility, which does mean collecting data on multiple fronts.” So, Bil, going to Andrew’s last comment there, it’s like, well, you just can’t rely on one solution, can you?
[Bil Harmer] What Lior and Andrew are both talking about is an inventory. We can put a new name on it and call it visibility into assets if you want. I don’t care what you call it. We need inventory.
[David Spark] The whole category of asset management exploded not too long ago, I would say maybe seven years ago, maybe eight years ago. The line that every one of them used was you can’t secure what you can’t see. And everyone kind of agrees to that, yes?
[Bil Harmer] Absolutely. You can’t secure what you can’t see, but you also can’t secure everything. If you try to secure everything, you secure nothing. And I think what’s being missed in this tossing visibility in and all the different terms that we’re throwing around is that we have to have acceptable losses, and we have to have risk-based profiles attached to them.
So, yes, do an inventory, and I’ve been preaching inventory for years. And not just hardware inventory, but software inventory. So, your SBOMs, your third-party vendors, your data. And then categorizing all of them, putting value on them so that way you understand where you can put your risk, where you can accept your losses, and where you then put your actions.
But I think in the current term of the term visibility, I don’t think those guys are, like, I mean, they’re not hitting the same visibility term that everybody’s throwing around right now, which is simply highlighting all the garbage that’s floating around inside our environments.
[David Spark] Which, by the way, almost every single vendor will provide a free scan of your environment to pretty much show you how screwed you are. I always recommend, because most of our sponsors offer it, I always recommend they do it. Like, look, you kind of need to know.
It’s like not going to the doctor and not knowing that you’ve got a serious disease. You really kind of need to know. The taking the action afterwards is then a more difficult discussion.
[Bil Harmer] The fear becomes that you’re the next Tim Brown and that you have this visibility and then the SEC is suing you personally. That is what everybody’s afraid of right now.
[David Spark] Tim Brown from SolarWinds. All right. James, I throw this to you. There is just the value of having an inventory, right?
[James Bruce] Oh, absolutely. You have to track your assets. That’s one of my main priorities right now is making sure that we have as much visibility, and what do we have, and is it protected? WPP has 96 companies, over 100,000 employees. My remit is about 60,000 employees, so it’s a large remit in terms of what we need to see.
And we have a lot of devices and essentially, again, SolarWinds, M&S, looking after VMware vulnerabilities. We need to know anything that has VMware on it, we need to know what version of it it is and update those immediately. And that’s where asset tracking is crucial.
And of course, we need to know what our perimeter is, what’s out there. Everybody says you have to assume you’ve been breached and there’s somebody in your system, and that kind of holds true. It’s like you need to discover lateral movement. Asset tracking, lateral movement, you need to know what’s going on with your assets and obviously, know which ones are important.
[David Spark] Have you found that there have been some evolutionary steps you’ve been able to make? Because you have quite a difficult environment to manage. I mean, that is a lot of different users and endpoints. And I’m assuming, by the way, they’ve got such a mishmash of tools each one is using, calling out stuff, and storing data in different locations.
What was kind of a significant evolutionary step you had to take? And just pick a time, whether a year ago, two years ago, four years ago. I mean, what was a significant step for you?
[James Bruce] Bil mentioned earlier, it’s all about risk, and essentially getting down where is our crucial data and prioritizing the most crucial issues. Like Wiz provides a lot of noise, but it does have something called issues, which shows you kind of a toxic combination of things.
You have this system that needs to be patched now because it has a potential to be breached pretty quickly. It was going to a risk-based management system and focusing solely on that. Like Bil said, you can’t protect everything, you can’t close everything down.
You have to focus on what’s your most important asset, protect that regardless. And it saves a lot of time and energy in terms of chasing medium to low vulnerabilities. Like PCI says, you have to remediate low and medium vulnerabilities, and that’s crazy because you have to concentrate on the high criticals.
And what keeps the business running? Kind of minimum viability company, it’s kind of MVC. What do you need to run your business? That’s what you focus on.
Sponsor – ThreatLocker
12:50.711
[David Spark] Before we go on any further, let me tell you about our spectacular sponsor, and that would be ThreatLocker. Now, we know even the most reliable employees make mistakes. I know it’s going to be hard to believe, but I’ve made a few myself.
An unauthorized USB device or an accidental click can expose sensitive data and create serious risk. Traditional user-based access controls, they rely on trust, and trust isn’t security. So, ThreatLocker takes a different approach. By enforcing program-based policies, it ensures only approved applications can access, read, or copy data.
Sensitive files stay locked down while approved software continues to run without disruption. And when exceptions are necessary, it happens. Administrators can approve them in seconds, keeping productivity high without sacrificing protection.
Also with ThreatLocker, every action is logged in a detailed audit to capture the exact user, file application, and device serial number. This is zero trust in action. It’s what it actually looks like when you actually do it. It’s precise, enforceable, and the best part, simple to manage.
Discover how ThreatLocker can help you gain more control over your environment. Go to their website. You know it. It’s ThreatLocker.com but do me a favor. Go to ThreatLocker.com/CISO. If you add that /CISO, it’s the easiest way to let them know that you found out about them from the CISO Series.
Go check them out.
Does anyone understand what’s going on?
14:25.389
[David Spark] Mike Wilkes of Columbia University said, “Just as business intelligence implies that we have data and we distill intelligence from big data that matters, maybe there is room for a new term that I’d call business impact intelligence that delivers a similar distillation and filtering of data that helps prioritize data that is important to the business and not just data that InfoSec or IT or operations teams deem interesting/important.” This is very relevant to what you were just saying, James.
And Mike Towers, who’s the chief security and trust officer over at Veza said, “Every platform and every program must be able to answer the ‘so what’ question and translate whatever they see into actionable intelligence and demonstrate impact. The best security programs don’t just collect signals.
They translate them into measurable business outcomes. Visibility must be coupled with actionable intelligence.” This is literally hitting home to what you just said, James. Knowing your assets, knowing where the value is, how to connect this stuff all through.
Are there tools out there doing that or do you find you have to cobble it together yourself? What are you finding?
[James Bruce] The tools are useful, but it’s definitely being cautious with AI. You have to check each answer to prioritize, but it’s a cobbling. It’s intuition and it’s experience. It’s basic things, asking basic, what keeps the business running? What are the assets that we need to defend?
And go and just do that. Forget about the CVE, this score, this dashboard, no matter how green your dashboard is, it could be green, but if you’re not defending your assets, you’re not doing your work. And it actually makes things easier because that’s your primary task is knowing where your crown jewels are.
That’s your stock server, financial server, ERP, and then keeping those clean as much as possible. That’s a full-time job is just doing that. Of course, there are things, you could get attacked in so many different ways, but the data might not be valuable.
Obviously, our HR data is very valuable, and that’s what we do is concentrate on those assets. And I’ve had discussions where you have to protect things that have a medium vulnerability. You can spend days protecting something that has no value. So, it’s tricky.
It takes a lot of time.
[David Spark] It’s the $1,000 of camera equipment protecting $20 worth of Twinkies.
[Laughter]
[James Bruce] Exactly.
[David Spark] I’m throwing this to you, Bil. Everything we’re kind of saying here, we’ve said so many times on this show. First of all, are we moving in the right direction? Because we keep talking about context. We keep talking about business value, knowing your business value.
Are the tools helping us? Are they speaking to this kind of visibility, which is what this theme is about? What do you think, Bil?
[Bil Harmer] No.
[David Spark] Okay. So, that’s a sad response to all of us.
[Bil Harmer] Yeah, it’s a sad response.
[David Spark] [Laughter]
[Bil Harmer] I have probably looked at a couple of hundred startup companies over the last couple of years, and I can visually remember two that include financial data. Any startup that shows me a visibility portion to their tool, whatever their tool is, I ask them, “Can you integrate and take in my financial data?” and the question that comes back every time is, “Why?”
[David Spark] Why? [Laughter]
[Bil Harmer] Yes. [Laughter]
[David Spark] Because I’m running a business.
[Bil Harmer] Exactly.
[James Bruce] Exactly.
[Bil Harmer] We need to get out of this mentality of security for security’s sake. And this is the business. We are running the business. Others have said, “Yeah, we can. We’re just not sure how. We don’t understand.” That answers the context question because when you have the financials, when you understand what it means to the business, now you have context for why I might say, “That vulnerability to me is worthless, I’m going to forget about it.” And to James, he goes, “That is so critical to my world.” Because we might run two completely different businesses with two completely different models and two completely different risk profiles, but that’s not to say that the vulnerability itself is bad or good.
It’s an issue that needs to be addressed in context. And then I think once we start seeing that piece develop, we’ll start to see a lot more value coming out of the tools. I’m not saying the tools are not valuable. I’m just saying we’ll see them more business-like and of more value to the business, and we won’t be hit with those 20, 25% budget cuts at the end of the year.
[David Spark] And let me also echo the quote that we’ve said many times on all of our programs from our other co-host, who you know very well, Bil, Steve Zalewski, who used to be the CISO over at Levi Strauss, who said, “How does this help me sell jeans?” And it’s his sort of tongue-in-cheek way of saying, “Hey, just connect this to my business, fool.”
[James Bruce] Yes.
[David Spark] This is what you do, James. I’m assuming you’ve had this conversation with vendors.
[James Bruce] Absolutely.
[David Spark] Are they coming up to speed or are they still lagging behind?
[James Bruce] Unfortunately, still lagging. And of course, selling me AI where they don’t really know the issues that I have managing these companies and managing this large of a user base. And it seems that they’re selling the product, but they don’t really know security or what’s involved, so they’re not solving my problem.
They’re not giving me what I need. I don’t think anyone can give me what I need yet, but it’s getting better. Wiz provides a lot of noise, but it also provides a lot of value. Close. We’re not there yet.
We’ve seen this one before.
20:02.346
[David Spark] Nuri Rosen of Britive said, “The question is how do you leverage that visibility to help your business?” Exactly what we were talking about. Nuri goes on to say, “One main issue we see is that even if companies have general visibility into their user activities, they cannot detect misconfigured human and service user accounts, which leads to widespread privilege sprawl and static access.” Okay.
So, this is another kind of visibility that we have not mentioned here, which has nothing to do with the data. It just has to do with how well are we doing security, pretty much. How well are we managing IT? Bil, I ask you, do you ever have visibility into that?
And by the way, we know we’ve had vendors that do provide some visibility into this. What has been your experience into visibility and into that area of your organization?
[Bil Harmer] I’ll use this term euphemistically, I guess, tying the digital to the [Inaudible 00:21:06] is critical [Laughter] to this, and it is something that we do not do very well. And I don’t know why we don’t. Well, I have an idea why we don’t do it well because to do a true digital identity that has high fidelity in it, you lose privacy, and we are struggling with that as a society.
That’ll be something that we deal with as the years go on, but it becomes one of those things where we don’t do the hard work either, and we rely on the cool glittery tools and the new shiny thing.
We don’t do the hard work. The work is an inventory. The hard work is cleaning up when somebody leaves. Open communication. The number of times I’ve been at companies where they’ve said, “HR’s not telling anybody about the layoffs because it’s sensitive private information.” Okay, I get that, but unless you have a process to include your IT team so that you can close those accounts out, you’re not going to have a company because they’re going to get missed.
They’re going to get left behind. You’re going to have an angry employee do something horrible. So, it’s this misunderstanding of terms like privacy, of visibility, that people are not operating on the same dictionary. And I think that’s one of the things that you’ve got to have people come in when you start to talk about these things.
Before you have a meeting and pitch me a product, if you’re going to use some terms, define them for me before we get into it, so I understand what it is you’re doing.
[David Spark] That is the line. We’re not all using the same dictionary. Everyone has their own definition. The vendor has their definition coming in. You have yours when you’re being the receiver. Maybe before any products are defined. The thing is, the vendor may say, “We define visibility like this.” And you say, “That sounds good, but we want visibility like that.” Have you had those conversations, James?
[James Bruce] Absolutely. I like that term a lot. It’s agreeing on what we’re discussing and what it means. It’s hard because a vendor comes in not knowing very much about our environment. And there’s some vendors that do due diligence, and they research everything, and they tell me exactly, “Well, you need to know all your assets, you need to know what you have in these companies, and you need to know all the vulnerabilities that you have on everything.” It’s like, yes, exactly, and here’s a product that might help you track so you don’t get that kind of hacking or something happens kind of like that idle Tuesday.
It’s like, what? At four o’clock, something’s happening in Hong Kong? And those kind of things. I didn’t know we had assets in Hong Kong. That’s what you want to avoid.
Because we have companies all over, it’s just you need to have a general dashboard of every country, every vulnerability, every asset, in these 96 companies at the same time. And it’s nice when it’s green, but I know that we need to do threat hunting.
We need to look for lateral movement. Those things don’t stop. We need to look at service accounts. What Nuri said is those will bite you, is those service accounts with high privileges that you forgot about. And of course, the human aspect, you just can’t have one person clicking on something and have it destroy your infrastructure.
So, these are the things you have to look out for.
[David Spark] Yeah. I must say, you know, I think about this. Could our company fold like a house of cards with one mistake? In many cases, it can happen. Very much so.
[Bil Harmer] Look at MGM, right? Like one mistake.
[David Spark] That one came from a phone call.
[Bil Harmer] Yeah. Because somebody was trying to be helpful. That’s the other part. They were just trying to help.
[David Spark] Yeah.
[James Bruce] Yeah.
[David Spark] And this goes to the whole idea of blast radius of don’t want one mistake to take the whole kingdom down. Not at all. All right. Let me ask this one quick question because we kind of made references to dashboards here. I want to know, and totally be honest with me on this question, just quick response.
Have you ever had a false sense of security because you saw green color on your dashboard, Bil?
[Bil Harmer] A hundred percent yeah.
[David Spark] Yes.
[Bil Harmer] [Laughter] Absolutely.
[David Spark] James?
[James Bruce] Definitely.
[David Spark] Yeah. [Laughter] It’s completely false. Sure looks pretty.
[James Bruce] Yeah.
[Bil Harmer] At least take a screenshot, point back to it, go, “But it was green.”
[David Spark] “But it was green.”
[James Bruce] Yeah.
[David Spark] “I did my job. I made it green.”
[James Bruce] Today.
[David Spark] [Laughter]
[James Bruce] At this minute, at this second.
[David Spark] There you go.
Closing
25:07.343
[David Spark] That comes to the point of the show where I’m going to ask you which quote was your favorite and why. I’m going to start with you, James. Please take a look at the quotes. Tell me which quote was your favorite and why.
[James Bruce] I like Lior Yaari’s quote.
[David Spark] Oh, from Grip Security. He’s talking to say there’s value just to visibility itself because you know, and he specifically was talking about third parties, right?
[James Bruce] Absolutely. High risk, high probability, high-impact third parties. Something that we worry about with all the companies that we have.
[David Spark] Oh, yeah. You must have endless vendors with all those companies.
[James Bruce] Endless vendors. Exactly.
[David Spark] Wow.
[James Bruce] I think I’ve vetted probably a thousand vendors in my group.
[David Spark] Jeez. Can’t even count that high. That’s too much.
[James Bruce] It’s a lot. No, they all want privileges into our network.
[David Spark] Of course they do. All these vendors do. Of course they do. All right, Bil, I throw it to you. Which quote was your favorite and why?
[Bil Harmer] Mike Towers. Because if you can’t answer, “So what?” I don’t care.
[David Spark] Again, all going back to Steve’s comment about selling jeans. It’s just like I don’t need security for security’s sake. I need security to improve the business. And by the way, our listeners, the two of you, everybody’s on board with this.
Well, that brings us to the very, very end of the show. Huge thanks to our sponsor, and that would be ThreatLocker, delivering zero trust in action. Go to their website. See it for yourself. ThreatLocker.com/CISO. Add that /CISO. I’m asking you to do that for us because it’s the easiest way to let them know that you found out about them from the CISO Series.
ThreatLocker.com/CISO. Also thanks to James Bruce, who is with WPP and has more vendors than you’ve got to deal with.
[Laughter]
[David Spark] If anybody’s got more than a thousand, let us know.
[Laughter]
[David Spark] But he is a business security services director over at WPP. Also always awesome to have Bil Harmer, the security advisor over at Craft Ventures joining us as well. As always, to our audience, we greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.