How are threat actors getting around EDR? Every solution out there will show how well it does in benchmarks, but that doesn’t seem to match real-world situations. Is there something wrong with the tech, or does this come down to organizational issues?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest and winner of Season 2 of Capture the CISO, Russell Spitler, CEO and co-founder, Nudge Security.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, ThreatLocker

Full Transcript
Intro
0:00.000
[Voiceover] Ten-second security tip. Go!
[Russell Spitler] So, I always recommend…and this is for friends and family…to use a two-tiered banking system as they call it. A checking account and then where you keep all your savings. And the reason for that is as you think about interacting with the world, writing checks, using debit cards, you want to limit how much you could lose if you do fall prey to a skimmer or somebody stealing your checkbook. And so you always want to keep those separate and make sure money can’t automatically move between them.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, producer of the CISO Series. And joining me, my cohost for this very episode, it’s Andy Ellis, who is the operating partner over at YL Ventures. Andy, say hello to the audience.
[Andy Ellis] Hello, folks. Or depending on where you are in the world, good afternoon, good evening, or good night.
[David Spark] This is his sign on, everyone. We’re available at ciso-dev.davidspark.dcgws.com, where you can check out all of our wonderful programming, not just this show. Our sponsor for today’s episode is ThreatLocker – allow what you need, block everything else including ransomware. They’ve got a zero trust endpoint protection platform, that’s key. They’ve got a suite of amazing products. You’ll want to hear what I have to say a little bit later in the show, so stay tuned for just that. Andy, I have a question for you. You and I go to a lot of cyber security events, but you speak at non-cyber security events, correct?
[Andy Ellis] Yes, I do.
[David Spark] So, I’m going to mention one event that I think is in dire need of more cyber security content, and that would be the Dreamforce Conference, which is a speciosity [Phonetic 00:01:52] of cyber security content. And it was kind of shocking given that whole conference is about collecting a lot of personal data.
[Andy Ellis] Yep.
[David Spark] A lot. And they really push that. This is why I’ve always kind of argued the people who collect the data and the people who are trying to protect it or protect it from privacy issues are at sort of conflicting concerns, if you will. What events need a lot more cyber security content, do you believe?
[Andy Ellis] So, I think almost any event could do with more of it, but the challenge you actually run into is most of these events have basically three ways that they source speakers. So, one is are these their main stage-ish speakers. So, one way is they have their big vendors. Their big vendors get to buy keynotes, and so they get up on the big stage. And then they go get celebrities. There aren’t really that many good cyber security celebrities who actually will give you cyber security content instead of just, oh, random cool, “Hey, I hacked the thing,” content. Then they do the diversity speakers, honestly. They’ll hand select speakers. Quite often, because when you get a bunch of paid vendor keynotes you end up with a bunch of white men, and so they want to round that out. So, they say, “Who are the people within our industry that are luminaries that aren’t white men?” And put those up. You see that at RSA all the time. They’re high quality speakers, just to be very clear, when I say it’s sort of the diversity sourcing. It’s because they recognize they have a problem, and so they’re creating a venue to make sure that there is an avenue that isn’t become a C-level executive at a platinum sponsor.
[David Spark] So, you don’t want to call out an actual event like I did with Dreamforce?
[Andy Ellis] Yeah. Well, because mostly I would want them to hire me to come speak at those events. But if I call them out, probably they’re not going to come pick me up.
[David Spark] [Laughs] Dreamforce is never going to book me, so I’m not worried about it at all whatsoever.
[Andy Ellis] Right, but Dreamforce would be a great example of could use some great cyber security speakers, could definitely use practitioners who have been there, done that. But GDC could absolutely use more security content. CES, oh my goodness, could use security content.
[David Spark] Yes. They could. But I was just shocked at how little there was. But with Salesforce…or Dreamforce, which is the Salesforce conference, the little that I saw was depressingly bad, too. It’s a bad combination – little and bad.
[Andy Ellis] Well, because I suspect… I haven’t been in a while, but I suspect what you saw was actually vendors within the Salesforce ecosystem delivering talks. And the Salesforce security ecosystem…I’ve worked with a bunch of vendors in that space…is very early, very nascent, and you’re not going to get great thought leadership out of those folks.
[David Spark] We had a sponsor a while ago that did Salesforce security, so it exists. Let me just say it exists. [Laughs]
[Andy Ellis] Yep. I’ve worked with a bunch of those vendors, and it exists because the Salesforce configuration ecosystem makes AWS look easy to use. And so setting up security settings inside Salesforce is brutal, and so there’s a number of vendors that are basically just, “We will do the hygiene work for you.”
[David Spark] Enough dumping on Salesforce and Dreamforce. Let’s get to our guest at hand, who I’m very thrilled to have on. Because not only have they been a phenomenal sponsor of the CISO Series, but they entered the Capture the CISO competition, which we just ran the second season of it, and they won.
[Andy Ellis] How many CISOs did they capture, and did they give them back at the end?
[David Spark] The CISOs are back. They did have them locked up in their basement for a period of time, if I remember correctly. And they did release them after they won.
[Andy Ellis] Good.
[David Spark] I think that was the deal – “We win, we release you.”
[Andy Ellis] So, the ones who lost, any CISOs they captured, they’re just gone, and we have open CISO positions now?
[David Spark] No, they’re free roaming CISOs. They didn’t do any of this. I don’t want to get a lawsuit from our winner or anybody else for that matter. [Laughs] No, but they won. And what I want to say…and we’re going to talk about it a little bit later in the show is they completely wowed our CISOs and wowed our audience, because we did the final episode on a livestream. They were a huge, huge hit. Here’s how I will tease it to everyone – everyone saw it as an immediate return on investment. That’s your tease.
[Andy Ellis] Excellent. And I do like their logo.
[David Spark] Yes.
[Andy Ellis] It’s clever.
[David Spark] Let me introduce him. It is the cofounder and CEO of Nudge Security and the Capture the CISO season two winner, none other than Russell Spitler. Russell, thank you so much for joining us.
[Russell Spitler] Great to be here. Thank you.
It comes down to the basics.
6:25.960
[David Spark] How are threat actors bypassing EDR? Every EDR solution out there will tell you how well it does against synthetic tests, but real world attacks keep happening. A recent thread on the cyber security subreddit listed a few possibilities, from EDR just not being installed on a particular exposed server, to improper configuration, to being disabled by an attacker. Now, these are just pretty obvious ways it could fail. Andy, is this just a lack of proper cyber security hygiene, or is there something more systematic causing this that EDR is failing in classic attacks?
[Andy Ellis] I think this is embrace the power of and. It can be both. In many cases… You look at a lot of the entities who get breached by ransomware. Quite likely, they didn’t even have EDR in many of their systems or poorly configured, etc. But at the end of the day, there’s two different ways an EDR can possibly work. One is through allow listing, and one is through deny listing. You’re either looking to say, “Here’s the exact set of things my users can do, and I’ll allow that and absolutely nothing else.” And when you think about things like the enterprise browser that’s sort of a step in creating that box, it’s EDR similar, or it’s looking for things that only malware would do and stopping it. The challenge is there’s a huge gray space in between those two where both humans and malware operate. It’s one thing if you have a call center that you know exactly the clicks that your users do. Like EDR could run really tight on those. It’s very hard to have those machines compromised in lateral movement. But somebody like you, David, who’s always doing weird things… You’re off on random Reddits. You’re downloading PDFs from random people and opening them. The DBIR… Like you had to read the DBIR to prep this.
[David Spark] Mm-hmm.
[Andy Ellis] I’m literally just going through the list of things we do to prep for this are surprising, are unusual, and are all avenues for malware. And so it’s really hard for EDRs to ever outthink an adversary in a place where you have a human who does varied work. So, we can’t set the bar of just install the EDR, and it will perfectly work. It would be nice if people would just install the EDR and set it up reasonably so it would work at least 95% of the time.
[David Spark] We’re saying the EDR is not the silver bullet, of which we know there is nothing that’s the silver bullet in cyber security.
[Andy Ellis] But it’s a bullet if you use it right, and I don’t think most people are using it right.
[David Spark] So, it’s a copper plated bullet. There we go.
[Andy Ellis] Yeah.
[David Spark] All right, I am throwing this to you, Russell. Why do you think this still happens? And you can add/deny anything that Andy just said.
[Russell Spitler] I think Andy made a really good point about sort of the technical efficacy of EDR, and I think that’s all valid. But I think when you step back a little bit further, there’s another factor that comes into play. Ransomware by definition is a broad based attack. That means… And it’s becoming more vertically targeted, to be fair. You know, hospital based or etc. But they just need a few of those attacks to succeed in order to get the payout that they need. When you think about that, now you don’t need to just have EDR in place on all of your systems. You need to have it properly configured. But if it’s not in all the systems, there’s a nice way in. If it’s not as configured or you are configured better than the next retailer down the road, they’re going to go after the next retailer down the road.
And so when you think about the sum total challenge here is not only do we need to get everywhere in order for it to be an effective line of defense, but we need to have it effectively managed. And even about I think it’s just under a year ago, we started seeing ransomware start to target services that were outside of the traditional perimeter in places where you could protect it with EDR. And that just goes back to sort of that economic incentive that we’re seeing these attackers is, “Any way I can get money out of you, I’m going to do that.” And that attack, the Omega Group I think it was, started focusing on SharePoint online. You know, “Let me focus on the places where traditionally you can never put EDR and go ransom the data that I can extort out of that system.”
Surprising research just in.
10:42.609
[David Spark] Are enterprise patching programs keeping up with threat actors? Many enterprises stabilize patch management cycles around 30 to 60 days. Now, looking at that timeline, the Verizon DBIR shows, for CISA’s Known Exploited Vulnerabilities catalog, that 85% of vulnerabilities remain un-remediated after 30 days, while 47% are not fixed within 60 days, and 8% remain unpatched after 365 days. We have heard from experts that at most, 40% of your vulnerabilities need to be patched, but that’s all vulnerabilities. This report refers to known exploited vulnerabilities, which is probably a much higher percentage you need to actually pay attention to. So, I have to assume many of these companies reporting have a vulnerability management program whose function is to help you prioritize and patch these vulnerabilities. Russell, I’m starting with you here. So, if the tools are actually in place and people are actually patching, why are these numbers of unpatched exploited vulnerabilities still so darn high?
[Russell Spitler] It’s a tired path, but it’s change management process. The challenge that we have with this high number of vulnerabilities is there is a huge number of these systems that are still pets, not cattle. These are things that we have to manually roll the patches or have to be an exception of our traditional roll out process, or we don’t quite trust the automation to do it. And I think this is a hangover from the admin days of the ‘90s and 2000s. Eventually we’ll get to a point where enough of our infrastructure has rolled over to more of a continuous deployment model where we can more effectively get within that 30 to 60-day window. But when you’re dealing with tens of thousands of custom maps or home grown instances on AWS or even in your own data center, you have a real challenge with just the rate of change that you can keep up with. I don’t think that this is necessarily the fault of lazy admins but just a volume challenge that ultimately becomes a really difficult prioritization effort.
[David Spark] But the fact that like this vulnerability management industry is quite huge. We’ve had many of them as sponsors on this show. And they all are hoping to solve this problem, but everyone seems to be struggling here.
[Russell Spitler] Giving me a better list of what to go target doesn’t give me time to actually go target it, or it doesn’t change the business constraints and the fact that that’s a real server that I haven’t touched since 1984, and I don’t know who can actually log in.
[David Spark] Good point. All right, Andy, you’re chomping at the bit to jump in on this.
[Andy Ellis] So, I think that we, as an industry, have completely missed the boat on this. Vulnerability management is not a cyber security problem. It’s a developer problem. Full stop. The problem that we have is that development organizations, whether they’re in IT, just managing servers, or whether they’re engineering organizations building their own things do not fundamentally have the discipline to patch their software. And there’s two different types of patching they should be doing. One is you should be maintaining some form of currency to say, “I am never going to be more than N days out of date.” Which might be a large number. It could be 180 days. I don’t care what it is, but you should never get to a point that you’re like, “Oh, we finally have to move from Python 2 to Python 3, but the world is already on Python 4.”
You’ve screwed up if you’re in that world because you’re not even maintaining currency with sort of basic stability management. But you should also be responsible for, “Oh, there’s a high, important security flaw. I need to update this.” This should be a process that is inside engineering, inside development teams. The CISO at best is governing. Is just saying, “Hey, are they hitting their SLA more than 85% of the time? Yes or no?” That should be the only piece the CISO is involved in, is the risk management of is there a process, and is it effective. Instead, we have CISOs that are buying software to help them prioritize which patches should be fixed, so we’re spending more time arguing about the importance of patching specific things than it would take to just patch almost everything.
[David Spark] That is a really good point. I just want to… I realize there is certain things that I usually have team members fix.
[Andy Ellis] Yep.
[David Spark] But I realize that some of the things to fix are so simple and quick that the time it would take me to create like a ticket, put the information in, send it is maybe 15 seconds shorter than if I just did it myself.
[Andy Ellis] Right. But why isn’t there a process for your team to notice this needs to be fixed and go fix it? That’s what we’re missing.
[David Spark] Well, there is a process, but I could have just done it myself. I think a lot of times things can be…
[Andy Ellis] No, no, the fact that you have to notice is the problem.
[David Spark] Well, we all notice problems and mistakes.
[Andy Ellis] Unless it’s incident category vulnerabilities. There are maybe a dozen core libraries and a handful of vendors for whom remote compromises in those is all hands on deck. Right? OpenSSL has a flaw. We all need to care about that. But the number of things that are at that level is pretty small. If there is some random vulnerability in Python, everybody should just fix it. This should not require me to do any prioritization. It should pop up. An engineering team should be like, “Oh, my build system says that there’s a critical vulnerability in Python, and we’re going to take this and push it out. And by the way, we’ll tell the CISO through an API that this got fixed in six days.” Why are we not in that world? Because we think this is a security problem and not a development problem.
[Russell Spitler] I certainly far prefer that. I would much rather the security team be alerted when there’s a pinned dependency in the development pipeline as opposed to the inverse. “Here’s a vulnerable dependency,” as opposed to, “Here’s something that’s stuck.”
[Andy Ellis] Right. Once you get to a point where it’s like, “We can’t fix this because X…” Okay, now you’re outside the normal process. The security team can help you triage and get what you need done to go deal with weird, complicated problems, but security teams are really bad at process operations in other people’s domains because the other people throw up roadblocks. We shouldn’t be doing that.
Sponsor – ThreatLocker
17:08.725
[David Spark] Before I go on any further, I do want to tell you about our spectacular sponsor, and that is ThreatLocker. Do zero day exploits and supply chain attacks keep you up at night? Of course they do. You work in cyber security. That’s what they do. So, worry no more. You can actually harden your security with ThreatLocker. Now, listen to this. Imagine taking a proactive deny by default approach to cyber security. You’re blocking every action, process, and user unless specifically authorized by your team. ThreatLocker helps you do this and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation is fully supported by their US based support team. Now, stop the exploitation of trusted applications within your organization to keep you running efficiently and secure, protected from ransomware. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. To learn more about how ThreatLocker can mitigate unknown threats and ensure compliance for your organization, visit threatlocker.com. Go check it out.
It’s time to play, “What’s worse?”
18:33.755
[David Spark] All right, you know how this game is played, Russell, yes?
[Russell Spitler] I’ve heard it before.
[David Spark] Two bad scenarios. You’re not going to like either, but you have to pick one of them to be the worst. All right. We have two bad scenarios. It comes from a new submitter, Mustafa Hodzic of iBoss. And here are the two scenarios. Andy answers first. You agree or disagree with him. Scenario number one, you’re the new CISO at a mid-sized organization tasked with rapidly improving security. The network team lacks technical skills and relies on an external help desk contractor whose original contract and official website are unavailable. This contractor holds admin passwords to all systems, operates remotely, and always has its camera off. [Laughs] So, not easy to contact them.
[Andy Ellis] Okay.
[David Spark] But the team vouches for their legitimacy and have been not as honest to the CISO for how much they rely on him. He has served…this outside contractor…them well so far, but no one knows anything about him. Okay, so…
[Andy Ellis] It might not be a him. You don’t have video. It could be a her. It could be a them. You don’t know.
[David Spark] It could be a mouse on a wheel for all we know.
[Andy Ellis] It could be a whole team of people. It could be AI.
[Russell Spitler] It might be Alexa. Who knows.
[David Spark] It could be a whole team. Who knows. It’s the mysterious successful contractor, and that’s all you know. You know what? This is like Charlie from Charlie’s Angels.
[Andy Ellis] Yes.
[David Spark] We’ve never seen Charlie. This is scenario number two. As the new CISO for a midsized investment firm, your goal is to swiftly enhance security. The small team is heavily reliant on one sys admin who has full control over a custom network security setup. The sys admin abruptly quits when pressured to transition to a cloud based solution, leaving behind the complex server tunnel/data infrastructure, incomprehensible to others, halting access to executive users. So, what you have is scenario one that seems to be working, but you have no window into anything there. Zero. And scenario two, you’re out of luck is pretty much what’s happened. And your executives don’t have access.
[Andy Ellis] But in both cases, I just started?
[David Spark] You’re a new CISO in both cases. Yeah, you’re a new CISO in both cases.
[Andy Ellis] Okay. Oh, I would totally take number two.
[David Spark] Totally take number two is…?
[Andy Ellis] Is good. Sorry. So, the first one is worse. The second one where the guy just basically quit and nuked everything, for me, the CISO, way better.
[David Spark] He didn’t really nuke everything. He just left it all behind. Nothing has been nuked.
[Andy Ellis] He left it all behind, but it doesn’t quite work. It’s not being maintained. Everything is kind of ugly. I’d rather have that one.
[David Spark] But the executives have been shut out.
[Andy Ellis] Even better.
[David Spark] Okay. [Laughs]
[Andy Ellis] This sounds like as I showed up, the CIO was trying to move things over to a cloud solution, modernizing. And this guy basically walked off in a huff, and everything broke because of it, which meant that it wasn’t stable, wasn’t reliable. And now we get to replace everything, and I’ve got carte blanche to make the CIO do it right this time around. Like you get to design green field in a crisis. Painful, brutal, but it’s workable. That first scenario, we have no idea who this person is. If we confront them, we might end up in scenario two anyway. So, it’s certainly not any better than scenario two. But for all we know, our sys admin is a nation state adversary who’s like, “Oh, we’ll provide you with free sys admin services in exchange for owning all of your data.”
[David Spark] [Laughs]
[Andy Ellis] We don’t know…
[David Spark] “What a great deal.”
[Andy Ellis] “What a great deal.” Like this can’t possibly work for me. So, like number one is completely and utterly unacceptable. I need to remove the veil on who this person is.
[David Spark] Right, because number one literally could be the worst thing ever.
[Andy Ellis] It could be the worst thing ever, but not knowing who that entity is is completely and utterly unacceptable for a business. You cannot operate that way, period. That’s table stakes.
[David Spark] But… I understand, but this mysterious person could be like Charlie and could be a savior. Could be amazing.
[Andy Ellis] Could be. But as long as they want to stay mysterious, they’re not employed by me.
[David Spark] Okay. [Laughs] I throw this one to you, Russell. Are you going to agree or disagree with Andy here?
[Russell Spitler] As I was evaluating that, my first instinct was to reject the premise of it, which is what midsized business [Inaudible 00:23:18]
[David Spark] You can’t do that.
[Andy Ellis] We’re not allowed to do that.
[Russell Spitler] Totally fair. But you guys save yourself with transitioning to the cloud. Because what midsized business is running a network? I wholly agree with Andy. I would much rather be in scenario two. The idea that we’re already making that transition, that somebody walks out, it’s a mess, which proves the instincts of whoever is making that transition right. That means that we have probably a few months of pain. But on the other side, we get to sort of recreate things from the ground up in a way that we can all be comfortable with and maybe do some background on some of the people who are in the high priority situations.
[David Spark] And let me ask you about this – sort of the upgrading, a few months of pain. I’ve gone through a painful upgrade myself knowing I didn’t want to do it, but I just bit the bullet and did it. And when I came out on the other side, it was one of those moments of relief. You always have this thing of, “Why did I wait this long?”
[Andy Ellis] Right. It’s like going to the doctor.
[David Spark] Yeah. [Laughs] So, I’m assuming you’ve had these experiences, Andy, Russell?
[Andy Ellis] Oh, absolutely.
[Russell Spitler] That I feel like is startup life. You get to a challenge, and you’re like, “Oh, shoot, I should have solved that a month ago, because now I’m ten times more efficient on the far side of it.”
[Andy Ellis] And startup life is nothing but that realistically.
[Laughter]
[Russell Spitler] Exactly. It’s been my life for 20 years now. But on the other side, I don’t mean to be cavalier about a few months of pain. That is never a fun situation to be in, and the people who are stuck around end up working long hours and are often underappreciated getting through it. But you end up more efficient and more effective on the other end.
[Andy Ellis] Right. And odds are you will end up actually with the budget to not have a single person who’s the only one who has control of everything. You may be more efficient. It will probably cost you at least a little more on the, “Who are my core admin,” side, but that’s a good cost to pay.
[Russell Spitler] I think it will all come out in the wash if you have expensive networking gear that you’re keeping up to date.
[Andy Ellis] [Inaudible 00:25:09].
[Russell Spitler] Yeah.
Please, enough. No, more.
25:11.720
[David Spark] Today’s topic, Andy, is AI security. I think you may have heard this topic come up once or twice, I believe.
[Andy Ellis] What does AI mean?
[David Spark] It stands for artificial intelligence.
[Russell Spitler] I read that as Al. I’m going to have to review my notes.
[David Spark] [Laughs]
[Andy Ellis] Oh, Al. Al security, very important.
[David Spark] Yeah, Al needs security, too.
[Andy Ellis] Al needs a lot of security.
[David Spark] And AI. So, Andy, I’m going to ask you. Let’s just start. And this is… I know we could spend hours upon hours on this, but we’re not going to. But just briefly, give me the highlights. What have you heard enough about with AI security, and what would you like to hear a lot more?
[Andy Ellis] So, I am tired of hearing about AI security as like, “AI will make everything secure.” I think there’s a lot of benefits to AI. This is not me saying… I think the whole copilot, etc. model has some amazing opportunities down the road. I’m tired of hearing about that for a little bit. I’m kind of neutral on this. I hear a lot about it, but I need to hear a lot about is actual model security – how do you make sure that data isn’t leaking out through your models, etc. The thing I most want to hear more about is AI use safety and security. How do we know that the AI that we are using is not creating harm for our business like by telling a user something that isn’t true? But because it came from us, now we’re beholden to whatever our AI just told the user. Things around the safety of how we use AI in our business process I don’t think enough people are talking about.
[Russell Spitler] I’m going to pick up right in the middle of where you left off, which is I’m a little sick of talking about model security because the reality is the exposure that we have today is our employees using it, not some developers creating their own home grown model, regardless of the fact that our understanding and security concerns around those are probably a year to 18 months before they’re fully realized. But I 100% agree with you in terms of the more around the actual usage. That’s where obviously when you think about the usage of operational technology outside of the sort of traditional constraints of your environment, that is the traditional shadow IT nightmare, and that is the sort of traditional…
There’s something out there, but I think this put it into beautiful focus. Because as you remarked, people are now quickly able to consume AI tools in whatever form, integrate them into business processes for better or worse. And we really need to start focusing on understanding which employees are using these technologies, which ones are using it at scale, which ones are paying for it, which ones are using the fly by night shim on top of Anthropic that started up last month. And of course, that’s a huge part of what we do at Nudge and a big piece of why we created this company in the first place.
[David Spark] So, this is where I want to get you to tell the Nudge story. So, this is why they won the Capture the CISO competition. Nudge is just your awareness platform of what AI tools are being used in your environment and how you manage just that, which has a lot of vulnerability management, which we just talked about before and speaks to this essentially I’m going to say shadow IT 2.0 that we’re seeing today. So, explain, Russell.
[Russell Spitler] Yeah, exactly. So, Nudge Security helps you identify all the accounts that your employees created across the various SaaS applications out there in the world including all of the shadow AI that they’re leveraging. But what’s pretty markedly different about what we do is we don’t sit between the employee and the internet in order to observe it, which changes the sort of value dynamic because I can show you every app everybody signed up for in about an hour or so. Then the other challenge that comes into play is how do you get actionable granularity from that information. If we were looking at the sort of DNS logs, the network traffic, it’s very challenging to get even a single sign on or authenticated session from that level of telemetry.
We take the email approach where we actually analyze the communications from these providers in order to identify the accounts and get insight into their activity, and that allows us to give you that historical context, as well as ongoing actionable details like, “Hey, this user is actually paying for ChatGPT. This user has API keys that they’ve issued. This user lost their API keys on GitHub because they made a bad check in.” And those are the types of things that allow you to take it from a broad based sort of anxiety provoking concern down to, “Here’s the portion of my population I need to go engage with. These are the portions that I need to make sure that we retrain. Here’s the portion that I need to redirect away from whatever the fly by night tool is that they just signed up for and put them back on the safe path with technology that our company is comfortable with.”
[David Spark] And was this…? Because a lot of people were talking about the ROI benefits, about the cost savings of your tool. What is it that your customers are using it for that is…? Are they seeing that 20 people that have 20 separate OpenAI accounts, and you could have merged things together? What is it that you’re seeing?
[Russell Spitler] Well, the reality is with the AI world, we are in the [Inaudible 00:30:27] phase of that market where not a whole lot of these are major cost centers until you’re bringing your own model in house. But when you kind of zoom back out, shadow AI is a subset of sort of the sort of business led IT adoption or shadow IT that’s out there. What we find in a lot of our organizations is you got one happy set of employees over here using Monday.com and another happy set of employees using Asana, another happy set using Jira. And then all of a sudden, you’re paying three enterprise costs for largely the same software that could perform the same function or task, or you auto provision Salesforce accounts for half of your organization, and 30% haven’t logged in in the last 90 days. Those are the places where we find a big ROI in that sort of larger technology governance and giving you insight into what’s going on in your organization.
[David Spark] What has been the most shocking thing that you have seen when you’ve worked with a customer?
[Russell Spitler] So, the reality that we now live in is as we are there on our work laptops, our personal lives creep into our work worlds.
[David Spark] Oh, yes.
[Laughter]
[David Spark] I have a fear I know where this is going.
[Russell Spitler] That can be as sort of benign as, “Oh, here’s a doctor’s appointment,” or, “Here’s your Amazon account for whatever toothpaste that you’re trying to order.” But it also gets into places where people are trying to hide part of their personal lives from the rest of their world, and so we do find a whole lot of dating apps, and paid streaming services, and all sorts of other things. We found one employee for a large organization who was very clearly starting a marijuana growing business through the series of accounts that they were signing up for and websites that they were starting to engage with. I think overall when we start to think about the effective governance or the security of AI, we’ve got to start to focus on the governance of use. And very much front and center for our sort of ongoing concern, and we’d be happy to help on that front.
Are we creating more problems?
32:28.970
[David Spark] Is proprietary data putting our cyber security mission at risk? Using proprietary systems in the original SIEM/SOAR setup made sense in a pre-cloud era, argued Barrett Lyon in a Dark Reading piece. But in an age of pervasive cloud adoption, the complete lack of standardization makes achieving log data management out of reach for many organizations. How can we move away from this patchwork arrangement into something with more transparency and standardization, or is this the whole hope and the point of data lakes, Andy?
[Andy Ellis] Well, I think that this is what data lakes want to be. The challenge is that you can’t standardize the data because the data is describing different things. If you have a security event which is a provisioning event which you would like to say things like, “Who got provisioned to what?” That’s going to have very different data in it than an event from say a web application firewall that’s like, “Oh, here’s this web request I got, and I decided to block it for whatever reason. Which I want to tell you why I decided to block this.” So, there’s some core data that’s, yes, obviously going to be very similar, and we’ve pretty much standardized on things like timestamps, but the actual event data is not the same, and we’ve spent like 30 odd years fighting about this – of people trying to standardize like what is the reporting format for all this data. There isn’t one. You have to have a data lake of some format that’s going to bring in your data. It’s going to ingest it. It’s going to normalize it so that you can see it, but some of this data is not consistently structured with other data, and it always will be that way.
[David Spark] This is something we just flat out have to accept, Russell, and data lakes is our savior here?
[Russell Spitler] I’m not going to jump the shark and say data lakes are our savior.
[David Spark] [Laughs]
[Russell Spitler] There’s never going to be a savior on this particular front, but I 100% agree with Andy, which is, standardization means loss of granularity. You really want to embrace what data elements the original sources have to share with you because often, they’re pretty critical. I mean you look at the original AWS CloudTrail logs. There’s a whole slew of things that never would have fit into the standard SIEMs or data formats that were available back in 2014, ’12, whatever. ’10, whenever you adopted AWS. But to take a bit of a contrary approach, I do think this voluminous data collection into a data lake, and then we’re going to have magical threat hunters who are familiar with all the data and standardize it is a bit of a rich man’s dream perhaps is the best way to say it. There are few companies in the world who can afford that approach at scale. What I would advocate for is actually more distributed analysis of that.
You want to collect and distribute that analysis as far upstream as possible, just like we do with the network. We don’t capture network packets. We run it through a network IDS or whatever X network DR thing we’re talking about these things and then capture that analyzed information in a more traditional format. I think that same approach actually makes a lot of sense when you start to look at these cloud services, whether you’re dealing with SaaS services or public cloud infrastructure. Actually relying on some of the analysis within those environments and then standardizing and collecting more traditional alert type of notifications into your sort of centralized data store.
[David Spark] Andy?
[Andy Ellis] Actually we see a couple companies in the OT world starting to do things like this, which is you’re collecting massive amounts of data off of industrial systems. Moving that data is very expensive, but you kind of need to build models across that data to figure out, “Oh, I’ve got to do a Fourier transform so that I can protect when I’m going to need to do maintenance based on certain cycle times.” And so what some of them are starting to do is like you build your model off an initial data set. Then you shove the model down to the edge so that where you’re capturing the data, you filter it back through the model that says, “Oh, here’s the Fourier transform that I expect you to satisfy. As long as you do, I just basically am sending up a, ‘Yep, data is good.’ And as soon as I don’t, now I’m sending up new data as a way to sort of push it down.”
And we need to do more of that in the security world. Rather than looking for bad, we should unlook for the good. We should build models that say, “This is normal,” and shove that down to the edge and say, “Look, stop sending me normal traffic. Filter that out as much as we can. Keep that at the edge in case we do need to go look at it.” But I think we’ve gotten so enamored of machine learning that will find bad stuff that we should stop and use machine learning to find and get rid of the good stuff so that we’re not collecting massive amounts of data.
[David Spark] Excellent point.
[Russell Spitler] I couldn’t agree with you more on that one, and I think that pokes the one hole that I would make against my argument there, which is you need to kind of know what you’re looking for before you can effectively summarize data. And to your point, we can’t effectively know what bad behavior looks like, but we can more effectively summarize and filter out the good behavior. Move that noise floor a little bit closer to the edge, which is going to make some people’s hair stand on end because it’s like, “Well, it looks like good behavior, but who knows if it’s still good behavior tomorrow.” But I think that’s a bit of the cost we need to make if we can’t afford two billion dollars a year in data storage costs.
[Andy Ellis] Yeah, it really is.
Closing
38:03.397
[David Spark] And that brings us to the very end of this show. Thank you very much, Andy Ellis, and Russell Spitler. Russell, I’m going to let you have the very last word here. But first, let me thank our sponsor, ThreatLocker. You remember? Allow what you need, block everything else including ransomware. Yes, they’ve got a very interesting zero trust end point protection platform, very much designing all their tools to build that sort of zero trust model that is so desirable. Well, they started at a platform level. So, get a head start on your zero trust program. Check out what they’re doing over at ThreatLocker. Go to threatlocker.com. Russell, any last words? Any offer you want to make about Nudge Security to our audience? Are you hiring over at Nudge Security? Give us the lowdown.
[Russell Spitler] Absolutely. The premise of Nudge Security is, as we discussed earlier, help you find out what SaaS technology, the operational technology that your organization is using effectively. We do it in a way that not a lot of people have heard of before, and that’s why we offer a 14-day free trial on our website. Anybody can sign up and try it out. We’d love to get in firsthand with any of your listeners and help them through that process.
[David Spark] We will have a link to Russell’s LinkedIn profile, his page, so feel free to reach out to Russell directly. And you know what? Feel free to reach out to Andy directly. He’ll respond to your messages as well. Yes, Andy?
[Andy Ellis] Maybe. It depends on what the message is. I’m not going to blanket commit to respond. I get some crazy spam on LinkedIn.
[David Spark] He does not respond to spam. Thank you, everybody. We greatly appreciate your contributions and for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, ciso-dev.davidspark.dcgws.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cyber Security Headlines Week In Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to the CISO Series Podcast.