Episode Transcript
[00:00:00] Speaker A: In today's environment, where you can't have a conversation without saying machine learning or artificial intelligence, I think for security, the benefits of automation in so many of our security processes are really still untapped. And I would encourage folks to really start. It's a journey. Security is a journey. So is automation.
[00:00:24] Speaker B: This is KBCAT as a primary target for ransomware campaigns, security and testing and performance, scalability, risk and compliance. We can actually automate that, take that data and use it.
Joining me today is Mike Zachman, VP and Chief Security Officer from Zebra Technologies. And today we're discussing how the power of automation can improve data protection and enable seamless data driven security approaches. So Mike, thanks for joining and welcome.
[00:00:56] Speaker A: Well, thank you. I really appreciate you having me on.
[00:00:59] Speaker B: So Mike, I want to start with your view on the power of automation, which you say improves data protection and then subsequently enables data driven security approaches. So I know there's a lot going on in there, so talk me through it. Whatever comes to your mind, I'm keen to hear it.
[00:01:14] Speaker A: Yeah, so let me unpack that just a little bit. Automation is a big word, but for me, automation, it enhances our data protection because it reduces human error, which we know in a lot of our processes. Human error is often a big element. And then once things are automated, it allows faster threat detection, allows faster response. Consistency is better. When things are automated, it just works better and then it can scale up. When you think of automation, you're taking a manual process, you're getting it such that the computers are doing it. And if you need to do more, it's a lot easier to scale that up. And then really at the end of the day, it lets you use your people, your human resource, if you will, for more strategic thinking type tasks.
[00:02:09] Speaker B: Okay, so you said consistency when automated. So when you say consistency, what do you mean specifically when you say that?
[00:02:16] Speaker A: I go all the way back 20 years, when Sarbanes-Oxley came around and there were a lot of controls put in place, and there were manual controls and automated controls. Automated controls are ones that you program. Think of it that way. You program the computer to do a certain set of logic. Even the way the regulations worked was, if you could show that and test it once, everybody was comfortable that, okay, once you've tested an automated process, it's going to work the same way from then on.
So that's what I mean with consistency.
[00:02:55] Speaker B: Okay, so I have a question. Generally in the market, when people hear the word automation, I feel they start to get stressed, like, oh, I'm going to be automated, I'm going to not have a job. What's your view on that? Because I agree, if you're doing something, what is it, more than three times, it should be automated. But then I feel like there are people out there on social and online who start to freak out about it.
[00:03:17] Speaker A: Yeah. So I'd say automation means you're using technology without needing human intervention, but that doesn't mean humans don't have work to do. That's why when I was talking earlier, for me, a lot of the automation we see, especially in security, it's not replacing jobs, it's freeing up overworked, overloaded people to do more thinking, more rewarding, I would say less repetitive tasks.
[00:03:52] Speaker B: Absolutely. So then would you say it's a fair assumption that the more mundane tasks that are repetitive are being automated, as they should be, and then those people that are being freed up perhaps can do more strategic thinking rather than repeat stuff every day?
[00:04:08] Speaker A: No, that's exactly it. Now, is that always what happens? No, I can't say that. But if I use an example in the security space, security operations, that's often a 24x7, round-the-clock operation where people are involved, watching alerts, looking for bad events and then responding to those. The more we can automate the response to alerts such that those analysts never see them, the more we free them up to focus on the events where it's not clear, is this a problem or not? Or if it is a problem, it's not clear what action should be taken.
Those are the tasks that we want people to be engaged with. And if, for example, an email comes in and our systems see that there's a malicious attachment, I don't need a human involved. I can have our systems just automatically remove that attachment or even completely block the email, whatever we've previously decided to do.
[00:05:18] Speaker B: Okay, so all that makes sense. So why would you say people aren't doing this? Now, I know it's a bit of a hard question and it's probably a long-winded answer, but I'm just curious to know, from what you're seeing in your role, in your perspective, why aren't people at this level?
[00:05:34] Speaker A: So it's hard, it sounds easy, but it's a lot harder than what you think because it requires you to really understand what is the work you're doing, what are the processes involved, what are the inputs, what are the possible outputs?
That takes energy and thought.
And sometimes it's just that people are so busy they don't have time to stop and do the work to automate. My dad used to say, that guy's so busy walking to work, he'd no time to look for a car.
[00:06:13] Speaker B: That's the mentality, 100%. And I'm hearing you, and I do understand that. So let's go back. You said really understanding the processes. So just say someone's listening to this. How do you start really trying to understand? Because, I mean, look, I've worked in large enterprises before. Sometimes there are no processes, so you've got to invent them, you've got to create them, which could take weeks, months, et cetera.
[00:06:33] Speaker A: That's one process, I would say that. And if I use security operations as another example or as that same example, you don't always have to start from ground zero yourself. Talk to your peers, talk to your partners, vendors, talk to your professional colleagues. And what you might be able to do is leap over that process of saying, okay, I'm going to document and understand my processes. And you might be able to say, hey, look, I'm going to take advantage of processes that have already been defined and automated and I'm going to implement them and replace processes that I already have. So that's one way of jump starting this. Once you get past that, then you really do have to do some analysis, a Pareto analysis. Where are my analysts spending most of their time? Okay, let's focus on those processes that are in fact consuming the most resource or are the most critical or however you choose to prioritize. And then you just have to do the hard work. You have to attack them.
[00:07:46] Speaker B: Yeah, look, that definitely makes sense. And I know that these things are not as easy as you and I are talking today. Like, oh, just go and understand your processes and start that. Do you think, though, as well, how do you get this to the top of the list? I mean, I've spoken to security professionals right around the globe about so many different things. And when I'm talking to someone, like, wow, that's really important. But I've done 200 plus of these interviews. So it's like every person, what they're saying is really, really important. So how do you get this automation, et cetera, to the top of the list? How does that sort of climb? Because again, this was a really great interview, I'm really going to adopt what Mike says, but the next day rolls around and I've got to keep the lights on and stress starts happening. And then that automation thing in the back of my mind goes by the wayside. How do you sort of keep it front of mind?
[00:08:39] Speaker A: Once again, great question. I guess that's why you're doing this. You've got to prioritize, and so there must be recognition that you're trying to fix or improve something that needs to be fixed or improved. So I would say to my security peers and colleagues, if you've got all the staff you need, you've got all the budget you need, and all of your performance indicators are operating where they're supposed to be operating, then you're in a great place. And if you don't want to prioritize automating your processes, fine. Now, in the next breath, I'd tell them that they're leaving a lot of money and inefficiencies on the table and that they should still be looking at automation, but maybe it's not their priority. The reality is most of us struggle to have enough staff, we struggle to retain staff, and we struggle to have enough resource to deal with the mountain of alerts and just other security-related events that are happening in our organizations. So you've got to be able to stick your head up above the trench enough to say, okay, if we do this day in and day out, keep repeating what we're doing today, it's the definition of insanity to think that we're going to get better. So how do we get better? Well, automation is really a key element to do that. However, you have to prioritize that. That's kind of where it is.
[00:10:20] Speaker B: So if you look at what you're saying as more of a strategic, long-term solution rather than sort of a Band-Aid solution, because again, these things, it's not going to be a flick of a switch, okay, we're already there, it's all automated. Obviously, as you know, these things take time. You've got to win people over. You've got to understand the processes, you've got to get a process, you've got to even know what's going on to be able to map it all out. What is some interim sort of solution that you would employ to sort of tide people over, in terms of, hey, we've got this long-term solution of the automation, but maybe this will do, not instead of, but just one step ahead is better than no steps?
[00:10:54] Speaker A: Yeah. I would go back to a comment I made earlier about finding those use cases that have already been resolved broadly. For me, years ago, it was email protection, and we had people responding to phishing emails and malicious attachments, and we were just spinning our wheels with that. But there are solutions out there that have proven themselves to be able to really automate. And so you go for a quick win, you find one of those quick wins, you implement it, and that's how you, I would say, either win over your critics or silence the critics, but also build up some credibility for the process.
[00:11:41] Speaker B: When you say critics, do you mean critics internally? Are people saying, oh, we don't want to do it, it's all too hard, can't be bothered, those types of people?
[00:11:47] Speaker A: Well, critics can come from all over. They can come from the people that are doing the job today because, hey, this is how we do it, and I like how we do it. Critics could be from people who would rather get that resource allocated to them and their projects than to you. That's the type of critics I'm talking about.
[00:12:10] Speaker B: So when you said use cases, go out and find them, so how should someone go out and find them?
What would be your strategy on doing that?
[00:12:18] Speaker A: I would say that the first thing you really need to do is you do have to understand your business functions. And then within those business functions I mentioned before, whether you have a peer network or professional network, whether existing partners or even just research through various sources, look for examples of solutions that fit your functions. And I used email as one. Endpoint protection is another one, URL filtering.
If you're running this function, you're going to have a sense of what are these key widgets in my processes. And then you read the news, you talk to your peers, you do the research, and you run with it.
[00:13:12] Speaker B: So what do you think, Mike, people overlook when it comes to automation? Is there anything that comes to mind right now?
[00:13:20] Speaker A: A lot of the things that are being overlooked today, I believe, are in the security operations space. And that's because that is a very human-intensive place.
And although we have playbooks and there are certain things that are repetitive, a security operations center can seem like a pretty chaotic place. And so when you look at it, it may just seem too complex and complicated to try to invest in automation. But I would argue that there are some really good use cases in the security operations space.
[00:14:05] Speaker B: So I want to move forward now. Obviously, we've spoken a lot about automation, which is really important, and some of these nuanced things. Again, it's so easy for us to sit here and talk about, oh, just employ that. But at the end of the day, you've got to put rubber to the road. So as a result of doing that, how would you sort of describe all of this improving data protection, from your point of view?
[00:14:28] Speaker A: So one is the speed of response that can come from automation. Automation is going to respond to threats faster than humans. So let's say that you've got data that you recognize as sensitive data, and if you've got an automated control that either stops that data from going outside the company or automatically encrypts it and says, oh, this needs to be encrypted, I'm going to encrypt it and send it out there, you've actually just avoided a threat, let alone responded faster than the old days of, hey, you're on an exception report, why did you send this data out? We've got to go find it and get it back. So that's one example of where automation can improve data protection. And then there's the issue of consistency. We touched on this earlier: if you can program a control, you can have a high level of confidence that it's going to work the same way every time. Scalability comes into play. If I need to add three people to my security operations center, that takes a lot of work and a lot of time.
If I need to add compute capacity, in today's world of scalable cloud compute, scalability just happens automatically. And then finally, the last thing kind of goes back to consistency. Human error is a real issue, and so anytime you can automate, you can reduce the human error element. Those things together all add up to better data protection.
[00:16:21] Speaker B: Great points. So I'm going to ask the same old question that everyone asks around false positives. What are your thoughts on that? Because look, with automation, you're absolutely right, it still doesn't capture every single thing. However, it's probably a hell of a lot better than someone manually doing something, right?
[00:16:40] Speaker A: False positives, and then of course the other side, false negatives, are a true issue that we have to be aware of when automating security controls. We learn over time which kinds of data sources have higher fidelity than others.
Kind of part of that automation journey is that automation is best suited when you have high fidelity signals. If in fact you've got a noisy alert, you may not be getting anything advantageous by automating a response to a noisy bad alert. So it kind of goes to the old garbage in, garbage out. You need to ensure that you have good inputs to your automated processes and let your people filter through the noisy ones.
[00:17:38] Speaker B: Okay, so you said something before. I just want to go back a step. High fidelity signals, so talk to me a little bit more about that. What does that look like?
[00:17:45] Speaker A: So high fidelity signals are things that you can trust and that you have a high degree of confidence are accurate. And so, for example, we get telemetry from our endpoint protection on our desktops and laptops. We found that if we get an alert from our endpoint protection that says, hey, there's a malicious process trying to escalate privilege, we know that that's a high fidelity signal, so we're going to take action very quickly on it, as opposed to our spam filters, as an example.
A lot of false positives in the spam filters, so we tend to not respond to those as quickly, because more often than not, what you think might be malicious really isn't.
[00:18:47] Speaker B: Now I have a question. I'm going to use an example. This is a real example. So I was talking to an industry peer of mine the other day, working on a client, and a specific vendor did not pick up. So again, going back to the false negative side of things, the question that I have is, just hypothetically, you're in a company, X vendor didn't pick up whatever, they find out about it, what does that client then do? Do they take it back to the vendor and say, hey, you guys didn't detect this, in order for your product to get better? I asked this question to my peer. He's like, I have no idea. That is a really great question. Do you have any insight on that?
[00:19:23] Speaker A: It depends upon the product, but I would say the majority of partners that we have, we absolutely have a feedback loop with them.
And that's where these things, machine learning and AI and all that model training, those feedback loops are very important. And I would say most vendors support and want their customers to provide that feedback. And in many cases, it's an automated feedback loop. So even that is an automated process.
[00:19:58] Speaker B: And I don't know whether they were using another vendor that detects it. I don't know the specifics on that. It was just more so that. And I was like, that's really interesting, because that's how vendors, et cetera, get better at knowing those things.
Do you think that, look, not everyone's perfect, right? So I think that it's fair enough to say, hey, we missed it. But do people seem to be really rattled that one thing got missed? Because like I said before, it's very hard to capture everything and get everything right 100% of the time. No human, no machine can ever do that. So I think sometimes it can be unfair for people to say, oh, well, you missed one thing, and then people start getting really agitated by it. Now of course, if the one thing led to a massive data breach and all of that, that is a problem. But it's just sort of going back to being fair about sometimes things fail and things get missed.
[00:20:49] Speaker A: Right. Now, I know this is the worst answer to give, but it depends. But I'll say, generally speaking, when there's a false negative and we have an incident, most groups are going to do a root cause analysis and they're going to try and figure out, okay, which layers of controls failed and how do we plug that so it doesn't happen again. Right. So, to your point, no one's perfect. No process is perfect, no solution is perfect. Anytime we do a root cause analysis and the miss points to, oh, look, somebody escalated privilege on the endpoint, and I don't know why it didn't detect that, we are absolutely going to take that to our partner, but we're not necessarily going to take it to them with, oh, look what you did, and what are you going to pay us because you screwed up? I would say that's pretty rare. Usually it's in the spirit of, hey, have you seen this before? This may be a new technique. It's a new tactic being used. I guess I haven't had the experience of where something clearly obvious was missed. If I was put in that position, I guess I would be upset with the vendor if they failed to detect something that was a known, common approach.
[00:22:21] Speaker B: Okay, I want to talk about data sources now, straightforwardly, about how many inputs, how many feeds, et cetera. So there are a lot of things going on. It depends on the size of the company, et cetera, where those data sources are, how they come in, et cetera. People are generally really overwhelmed by lots of data. So even going back to the alerts, it's like, yes, cool. What people have been saying on the show is, yeah, but there are so many alerts that people don't even know what they're looking at anymore. Like, how do you sort of reduce that? So I want to get into this because this is really important, because, I mean, you can give everyone everything, but then that makes people feel stressed and overwhelmed, and we don't want that. So I'm just curious to hear your sort of lay of the land on this front.
[00:22:58] Speaker A: Yeah. There's no question that alert fatigue is a real problem, and there's no simple answer.
The best approach is to say you're tuning this. It's a constant tuning battle to kind of turn off alerts that continue to prove false negative. False positives, I'm sorry. To turn those alerts down and, just as importantly, to ensure that those really important alerts get turned up so you can respond to them quickly. And it takes ongoing monitoring and management of the team and the tools to do this. You can have it all tuned just right, and then some upstream change in the IT environment happens and suddenly you're getting flooded with false positives again. So you have to retune. So it's not a set it and forget it type of environment, but it is something that, as you mature, you should be able to deal with.
[00:24:14] Speaker B: Do you think people genuinely think it's set it and forget it?
[00:24:18] Speaker A: I think some think that if it ain't broke, don't fix it. And it's difficult to think that they're getting swamped with false positives and they do nothing about it. The challenge is if they've turned it down so far that they're letting the true positives go unreported. And I think that's the danger of the set it and forget it.
[00:24:45] Speaker B: Is that because people are so desensitized? And also, would you say it's because of the influx of data, so many things going on, so many alerts, there's all of those factors that maybe tune it down a little bit and desensitize people to these things that you're sort of alluding to?
[00:24:59] Speaker A: Yeah, I think what you mentioned can all be factors.
There's also the fear.
I've literally heard from some peers who say their biggest fear is getting an alert that they don't respond to and there is a breach.
They've literally said, I'd rather just never get the alert, because then there's not the liability of it. And so think back to, like, Equifax was kind of the days of that, hey, you should have known. Now, I don't want to overplay that. That is a broad view, but I will say managing those alerts is a critical function within security. And to say, well, we're just overwhelmed... I'm sorry, that's not a good answer.
[00:26:02] Speaker B: You're right. So how do people manage this stuff effectively? Because, yes, automation is a key part of it, as we've spoken about at length. Now, there are other factors that go into things being missed, et cetera, but are there any other sort of things, sort of adjacent to the automation front, that you want to discuss today?
[00:26:22] Speaker A: I think underlying all of this, because automation is just one knob that you can turn here. Underlying all of this is you've got to have your security function measured, and, like any business function, you've got to have key performance indicators, and you've got to have service level agreements, or at least you've got to have expectations of performance. And if you're not meeting your expectations of performance, then you need to do something about it. And in many cases, automation is a good, practical way for you to improve the efficiency and effectiveness of your security operations.
[00:27:09] Speaker B: Okay, so let's go back to maybe reporting on all of this data to derive insights. Now, I've been a reporting analyst, so I've worked across multiple different security functions on bringing all this data together. These things are very important, because getting the right reporting in place to drive insights can then mean more funding, more this, more people paying attention. But then going back to what we sort of discussed, sometimes people just report for the sake of reporting, and then there's no insight, so that isn't helpful. But then also people are reporting on the wrong things, or they're reporting on literally everything, so it takes like a year to read one report. So how do we boil this down, where we're only capturing the main information? And I guess it depends on who's looking at it. What a SOC analyst cares about is fundamentally different to what someone else in the business thinks about, or what the CISO thinks about. But how do you sort of cover all the bases?
[00:28:03] Speaker A: Yeah, this is an ongoing question.
Once again, among my professional peers, at least once a year, a group will get together to try and define what's the right set of metrics and measures and reporting for a security function.
So that's an ever evolving topic.
While there are basic fundamentals, like time to detect, time to respond, number of incidents, age of vulnerabilities, a lot of it really does depend upon, as you said, who's reading it. But if you're going to have effective reporting from security, I guess it's a bit of a catch-22. You're going to need automation to make those reports accurate, timely, and efficient. Because I can tell you, a lot of time and manual energy often goes into the creation of PowerPoint reports that, by the time they get up to a managerial level that can make some decisions, are already weeks old. And then people start arguing that they're not accurate.
[00:29:20] Speaker B: That was my whole job, 100%. Then they'd come down to my desk saying, is this accurate? Or what is this? This is now four weeks old.
[00:29:27] Speaker A: Exactly. So now, not only have you had people spending a lot of time and a lot of energy putting these reports together, when you get to the point of actually wanting to make a decision, you're not talking about the security function anymore, you're talking about the validity of the data. So nobody wins in that case. So until you can automate these metrics in a way that can be consistently and timely created, you're going to fight and fight and fight an uphill battle.
[00:30:06] Speaker B: So do you think, Mike, hypothetically, someone doesn't have automation, but they're doing all these reports, they've got six people every month doing these reports. And the validity of that, a great point. Again, I've worked in this function, I know it very well. All the points you're saying are valid. Should people just forgo the reporting if they don't have automation? Because there's no point in wasting all these salaries on people doing all these reports. The stuff's out of date. Someone comes down, you've got the group exec saying, this is not right. You're getting called up, not because the stuff is inaccurate, but because it's six weeks later and they've read the report. What are your thoughts on that?
[00:30:39] Speaker A: Yeah, I would absolutely say you need to somehow blow that up. So if that means you just quit doing it and see who screams, maybe. Once again, it depends upon your company and the specifics, but if I found myself in that situation, I would absolutely want to take some sort of drastic measure to drive a change. So stop doing it, or go to just one metric that you report once a month.
It's an unsustainable process if you don't.
[00:31:16] Speaker B: So if you had to boil it down to one metric, what metric would you say would be the best? Now, I know that's really hard, and again, there's no right or wrong answer. I'm just curious.
[00:31:25] Speaker A: I don't think I could give you one. If at the level of security, not just security operations, but at the level of security, my one metric would have to be level of risk. And security's job is to manage that level of risk to a point that is acceptable to the business.
[00:31:47] Speaker B: Do you think even getting to that point is hard too? Do you think people wholeheartedly could answer that?
[00:31:53] Speaker A: No, it's very hard. It's why there is no easy button for that metric today.
Because is that measured based upon FAIR or actuarial dollars associated to the risk? Is it the red, yellow, green stoplight risk level? Getting an answer from the business in terms of what's an acceptable level of risk is extremely difficult. But if I had a security program with only one metric, and that's all I was allowed to have, that's what I would have. Whether you put risk on a scale of one to ten or high to low, I'd have one. That would be my one measure.
[00:32:36] Speaker B: I think people have got to start basic and then build it up, because like I said, there's too much stuff going on. Like, you don't know what you're focusing on. You don't know what's the priority.
[00:32:43] Speaker A: A maturity growth for metrics often goes through, okay, first let's just measure and report on activity. Okay? How many tickets, how many alerts per analyst, how fast are they being done, things like that. Then you start migrating from activity to outcomes. And that is a maturity journey, and it's hard to jump right to the end, without question. And you made the point earlier that different audiences need different metrics. In all honesty, the worst thing that we security people have done in quite a while is go talk to leaders about the hundreds of thousands of vulnerabilities in our environment and expect them to know what to say about that. Right? But we do it because we can measure it. It's a number. But that's an important measure for some people, like the infrastructure owners or the application owners who have those vulnerabilities. They may need to know, but that's where metrics have audiences, and the same metrics don't have the same audiences.
[00:34:00] Speaker B: So just quickly then, on that point, which is fair and valid. So if you're a CISO, what do you think they're sort of looking at, reporting-wise? Because this is the stuff, in my experience, that they then take to whoever, CFO, group exec, board people, to say, great, this is where we're at. This is why I need more money from you. This is what drives and fuels more funding. So do you have any insight on that, that maybe people aren't focusing on certain elements that they could, just from your experience?
[00:34:30] Speaker A: Yeah. So good, effective information security leaders should be reporting up like any other business function. So they should be reporting up on their efficiency and their effectiveness. And so from a security perspective, what we'll often look at, in terms of how much activity am I doing for a given amount of money: how many alerts am I dealing with? How many endpoints am I protecting? How many malicious emails did I block? That sort of stuff. It's the outcomes that are a lot harder. So number of breaches responded to, time to fix, risk level, I mentioned that before. So the information security leaders really need to see all of those measures, but then really report up summarized efficiency and effectiveness.
[00:35:27] Speaker B: Would you say people are currently doing that?
[00:35:30] Speaker A: I would say it's highly variable.
Even if you look at what information security information is being provided to boards, it is extremely variable today. You've got some groups, they report up activity, low-level activity, and because it kind of feeds the fear, uncertainty and doubt that you were talking about earlier, which says, look, we've had 8 million attacks from the Internet against our systems this month and we've blocked 7.9 million of them. And the 100,000, we stopped here, and we had 80,000 tickets. Right.
[00:36:19] Speaker B: And you know what they say.
[00:36:20] Speaker A: So what they say is, well, do you have what you need? Because I'm supposed to ask that question, and you say yes, because all your executives are in the room. And we go on with the dance. Now, that is getting a lot better compared to the past. I do think more and more boards are becoming savvy enough to say, look, I don't need to know how many vulnerabilities are in the environment. I need to know what our risk is. What are the top three risk areas that we're focused on? Do you have mitigation plans for those? Are you properly resourced?
Those discussions are getting better.
[00:37:06] Speaker B: So, Mike, are there any sort of closing comments or final thoughts you'd like to leave our audience with today?
[00:37:11] Speaker A: In today's environment, where you can't have a conversation without saying machine learning or artificial intelligence, I think for security, the joys of automation, the benefits of automation in so many of our security processes are really still untapped. And I would encourage folks to really start. It's a journey. It's not a snap of your fingers. Right. Security is a journey. So is automation. But I really encourage folks to start that journey if they haven't.
[00:37:47] Speaker B: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.
This is KBCAT, the voice of cyber.