The Ultimate Guide to Cloud Security: A Deep Dive with Richard Stiennon

TL;DR

  • Vendor/platform selection should be driven by the organization's goals. CISOs and security leaders should start from their current posture and select for a set of future goals, rather than buying to satisfy a compliance need or a checkbox.
  • Vendor health (viability, ownership, country of headquarters, pending acquisitions) is an important part of evaluating a platform or vendor. For agent-based solutions, do not accept automatic vendor updates; build in a delay so that others' testing surfaces problems before the update reaches your endpoints.
  • When rolling out vendor tools, use a phased rollout and write the rollout into the contract (for example, payment only once the product is up and running). This pushes vendors to prioritize implementation, support and training.

Transcript

Host: Hi, everyone. This is Purushottam, and thanks for tuning in to the Scale To Zero podcast. Today's episode is with Richard Stiennon. He's the author of Security Yearbook 2024, a history and directory of the IT security industry. And he's the chief research analyst at IT-Harvest, an independent analyst firm that has a platform for researching around 4,000 vendors and 11,000 products. Richard, thank you so much for taking the time and joining us today to share your insights!

Richard Stiennon: I'm happy to be here, Puru. Thank you!

Host: Absolutely. So before we start, I generally ask this question to all of our guests and I get unique answers. So I'm curious, what does a day in your life look like?

Richard Stiennon: Well, on some days, it's pretty laid back. I get to just use my platform to do research and then post to Substack, as all my research is posted for free on Substack. And then deal with the blowback from posting, right? When people are commenting and objecting or whatever.

But typically I start the morning fairly early and catch up and preload new vendors we've discovered in just a Google Sheet that I share with my researchers. And I have to categorize them. So there might be 20 or 30 on a backlog. I pull those in and start categorizing them as long as I can before the first calls.

And then it's calls with customers, helping them understand the market or walking them through using the platform to analyze the market, and of course, I'm selling because it's essentially a startup. So I've got calls where I'm doing demos as well. And then, you know, you might wonder, because I'm writing books, when do I do that? Well, it's not during a regular day, because I need big chunks of time to write books. So, towards the end of the year, every year I have to carve out, you know, five days at a time to sit down and do that writing.

Host: Yeah, that's a huge commitment, right? To take out like a week and just focus on writing your book and then resume your regular work and then you have to come

Richard Stiennon: Yep. And you you think you've got plenty of time in between calls during the day, but you just can't get your head in gear for doing that kind of thinking.

Host: Yeah, you can't get into that flow state, right, so that you can continue to write with interruptions. All right, so before we start, do you want to briefly share about your journey as well with our audience? Like, how did you start? How did you get into what you do

Richard Stiennon: Sure. Yeah, you know, like most people of my generation, there wasn't a security industry. So I spent 11 years in the automotive industry. I was designing car seat structures all that time. But I got into the Internet in 1992 and started my own ISP. A couple of years later, I went to work for another ISP that was focused on security. They're actually the first MSSP.

Host: Wow!

Richard Stiennon: And that's when I first got exposed to the whole world of network security in particular. And I got to meet the founders of Check Point Software, you know, Gil Shwed, Marius Nacht, Shlomo Kramer, all came through the offices in Southfield, Michigan, as well as the founders of ISS, who ultimately bought Netrex. But by the time they had bought Netrex, I had moved on. I had been retained by PricewaterhouseCoopers.

So I was doing a bunch of attack and penetration testing on big banks, national railroads, and e-commerce sites. So we tried to hack into and successfully got into Dell's e-commerce site where they sold computers online. Then Gartner recruited me from there to be the second industry analyst covering security. And that was way back in 2000. So the industry

Super young back then, you know, less than 2 billion a year in total revenue for security products. And I lasted there for four years, which is the longest I've ever held a job. And I left in 2004 and within a year had started IT-Harvest to basically do all the same things I did while I was at Gartner, but focus on this idea of harvesting data.

So it was more, you know, some market research on top of analysis and advisory services.

Host: Lovely. I love your journey that you have seen how the industry has transitioned, right? Right from the day it started focusing on security to where it is today.

Hopefully, we'll be able to touch on some of those points today. So today's focus would be around selecting the right cloud security vendor and zero trust. So let's get into some of the security questions.

So there is an age-old debate between build versus buy and experts like you always recommend that you need to assess the need for buying a security platform or a vendor before you select one or before you decide on it, which sounds very straightforward and logical.

What are some key factors that you would recommend organizations should consider when they are evaluating their cloud security needs or even a vendor or platform?

Richard Stiennon: Yeah, this is a great question because I've been thinking a lot about how do you go about vendor selection? Um, only because I realized my tool is good for vendor selection, right? I can, because I have a database of all 10,600 some products, um, you're going to actually find them now.

So I went back and looked at how do people actually select a vendor? Um, and there's two approaches. One is, hey, let's just ask my friend what he or she uses and do the same. Right. And that is surprisingly common.

CISOs in particular are known for looking for peer insights into other products, right? And they'll have, hey, if somebody they respect and has a bigger organization went with CrowdStrike, then let's do that. Right. And that's, you know, that's not horrible, right? Better than the other way people often select products, which is there's a value-added reseller comes to them and says, hey, you should buy this product. And that's not horrible either because, you know, presumably the reseller is taking some time to evaluate which are the best products. And they probably selected their product based on what's selling the best.

So ultimately, yeah, you're getting the popular product, which is probably one of the better products, but not necessarily. And another way is to call your industry analysts. So you call your Gartner, Forrester, Omdia, Standard and Poor's industry analysts. And you say, hey, I'm looking for a new firewall or endpoint protection. What should I get?

And they'll ask you a bunch of questions. The questions will elicit what you're leaning towards, and then they'll support you in that decision that you're already going to make, right? They'll give you a stamp of approval. It's okay to buy CrowdStrike. You want to use SentinelOne? Yeah, that's okay. Cybereason. Why, why are you thinking of Cybereason? Yeah, that's a good reason. You know, it kind of, I don't know. They usually just, because they don't want to, they're not going to say that one is better than the other. Right. Yeah. Because their answer is it depends.

So, but I think that the way you should do it is the same way you buy a car. If you are, you know, a modern person whose primary concern is how do I get from home to work and then visit my family on the weekends, right? So it's a 500 mile drive. What kind of car should I get? So you research all the vehicles. You compare pickup trucks to sedans to electric vehicles, all of them, and then you pick the price range that you're interested in. And finally, you evaluate the manufacturer and the model.

So you start with everything and that's the, in the ideal world, right? Here in Detroit, you only buy a vehicle from the same manufacturer that your parents bought vehicles from. Right. And if you're like me and you're married to somebody who bought Ford, we're AMC and you're a Chevy person, you're in trouble.

But for the most part, you should make a decision with data. And so I'm a big proponent of data, but you know, and I definitely recommend when you look at cloud products, right? You have to come up with the requirements first. And quite often you don't know what those are, right? All you knew was you needed to digitally transform and get rid of your data center, which was a closet in the back office.

So you moved everything to VMs in the cloud and when you made that decision, you may have thought about, should we just do what everybody else is doing and go to AWS? Should we go with the low cost provider, say Google, or should we go with Microsoft? Because we're a Microsoft house, you know. So you made that decision kind of ad hoc, you know, you didn't really think about it or test it or anything else. You just made that decision. Now you're stuck, and now you have to figure out if you need a certain product.

So of course you look at the layers of defense. You need to be able to control network access to all of your stuff and you need to find a solution to do that, you need to protect the workload. You need to have a good way to protect your identity. So you look at all these requirements and if it's identities, you know, is it privileged access management? Is it consumers, or customers? Is it users? Is it third parties? You figure out what kind of solution you need. And then before you purchase any product, you've got to look and see if the cloud provider already gives that to you, which they probably do. And it's probably close to free.

So look at that first, because when you go to a product vendor, they're going to basically, they looked at the offerings from the cloud providers and they put a nice front end on it. Right. And they're going to charge you a lot of money for that nice front end that does a better job of management. They certainly do a better job of selling, because AWS is not going to send an enterprise salesperson to your door and say, you need this. Right.

So you kind of have to discover what's out there before you start talking to the wizards and actas and the 200 other vendors that are selling you stuff. And then you're going to try them, and be aware that the proofs of concept for cloud security products are mind-blowing.

They're so simple to set up and run, right? Two minutes is the average cost or timeframe to get it running. And you're going to be blown away. You're going to go, oh my gosh, I didn't know that it's misconfigured. And this VPC is connected to this one, which is connected to the entire world. And, you know, it's going to tell you all this super, super valuable stuff, which will justify whatever the expense is, whatever Wiz wanted to charge you, you're going to say yes. Okay. So you should take a step back and at least, you know, get two other quotes, right? You should look at Orca. You should look at Palo Alto and you should try them out and see which one is gonna work better for you.

And then you should do the vendor assessment, right? See if the vendor is viable, if the vendor's, you know, headquartered in the right country, you know, are they Chinese? Are they Russian? You know, are you allowed to buy from that vendor? All those sorts of things. You should look at that. You should look at the vendor health. Because even if it's the best product, you know, if the vendor is in the process of being acquired by Google, do you really want to deal with a vendor that's going through that? Right. So those are some of the things that should be going through your head when you're selecting.

Host: Mm-hmm. OK, so I love how you structured it right from the beginning, right? Like how today's cloud practitioners are buying, like how are they making that decision, either through referral using peer insights, through a reseller or industry analysts. And then you went into what should be the mindset of the company when they are thinking of acquiring a platform - looking at what are your goals, what do you want to achieve, where are you today, where do you want to get. And I really loved where you said, right? You should not just, let's say a Gartner analyst tells you that, go with this tool. Instead of just jumping into it, you should evaluate multiple tools so that you can see pros and cons and which fits better, more from a, of course, your goals perspective, also from an integrations perspective: what existing systems you have in place, how does it integrate and things like that.

A follow-up question I have on this is, does any of this change if it is a multi-cloud setup instead of a single cloud setup?

And yeah, can you think of any additional things I should worry about if I am doing multi-cloud deployments?

Richard Stiennon: Well, first of all, for the most part, when you're going multi-cloud, you can't rely on the individual cloud service provider to service the other clouds. Right, right. That'll change if Google buys Wiz, for instance. Or maybe it won't. Maybe Google will say, you can't use it for the other ones anymore. Who knows? But.

Host: Native tools here. True.

Richard Stiennon: But yeah, the equation changes a little because then you're not going to have native capability that you can pull together. You mentioned make versus buy. I actually don't encounter people very much who make their own security solutions.

Though small companies with technically savvy people will use open source. And that's a great solution too. So then the multi-cloud starts to make sense. I would, before you get into it, I would question the value of multi-cloud. I really am not a believer in it until later when you take advantage of the additional resilience that it gives you. Right, because there are gonna be cloud auditors, but the only multi-cloud you should have is one relationship with one of the cloud providers and your own data center. Right?

So you're doing bare metal cloud stuff in your data center. Then you're going to look for tools that can handle both. And most of them do.

Host: One of the things that you highlighted is how organizations should look at why they are buying it. One of the drivers is often a compliance need or you have to check a box that says, hey, I have a security monitoring tool.

But selecting a vendor or a platform based on that approach, a checkbox-based approach, often creates issues in either selecting the right tool or in the longer term, when we look at the longer term picture. So

What common mistakes have you seen organizations do when they are evaluating cloud security?

Richard Stiennon: Yeah, first of all, I would not do any checkbox buying whatsoever. Right. So make sure that if the motivation is to have that checkbox, yeah, we got logs, etc., you also buy a product that actually makes you more secure. It makes you more secure, and saves you money. Maybe, you know, it's going to. You talked about compliance. That's regulatory compliance, but quite often it's a customer requirement that you do X, Y and Z, right?

Document all your processes, be ISO certified. You really have to take it seriously, right? Even though it's a lot of work, it's expensive, you also have to be secure, because you don't want to go through all that work and have all these processes and documentation and incident response procedures in place, and then not be in the position to use them when you need them. So I guess I would take all those things seriously, in dual purpose. All of your security tools, make sure there's a compliance aspect that it can fulfill, that compliance aspect, and give you more visibility, more recoverability, resilience, etc.

Host: Okay, so now a follow-up question is, let's say if your leadership is saying that we need to get it because we have xyz or we have some contract with someone, so we have to get it because of these reasons,

How would you work with your leadership so that you show value to them?

Richard Stiennon: Yeah. You know, leadership's going to have these outside-of-security motivations for doing something, right? It's like, hey, we're going to market with CrowdStrike, we have to use CrowdStrike. You're not going to convince them not to use CrowdStrike, right? But if there's something that, you know, is missing, then you could look, for instance, you could say, okay, we're going to use CrowdStrike, but we're also going to use Defender, right? Because we need to catch viruses too.

We need to know what viruses we're catching. So you can kind of pad it. You've already paid for Defender probably. So you can beef up and work around the constraints that leadership has given you. If it's purely, now I've been in the boat of the team, the IT team, shooting down the project that I was proposing from the outside. That was way back. I was selling gift certificates, gift certificate fulfillment, during the dot com boom. And we visited Nike. So the founder and owner of the company that I worked for as president, a gift certificate company owned by Isaiah Thomas, and Isaiah Thomas is, you know, a basketball Hall of Famer for the Detroit Pistons. So anyways, we go to Nike, sit down with the IT team, talking about how we're going to implement a Nike gift certificate program. And one of us dropped Isaiah's name and the entire team from Nike goes, that's why you're here. That's why we were asked by our president to give you guys time to pitch to us.

So, lesson learned, they went ahead and they created an RFP for a gift certificate program that was totally misaligned with what we were offering. So there's like no way we could ever do that. So that's one way. Then I think every IT department just has people that are familiar with, what do we call that? When you shoot down the boss's ideas, undermine, undermine, yep. Torpedo, that was it. Get good at

Host: So then how can organizations avoid these mistakes and get better at the selection process?

Richard Stiennon: Yeah, you know, use real requirements, not artificially induced requirements. A mature organization will already have, you know, either the NIST framework or have chosen a framework to work by. So they'll already know what gaps they've got, right? They don't have coverage for a particular one of the 23 areas under NIST. And they'll be working towards solving that and they'll have a plan in place.

And those are the ones that are going to do the research, find the best product, stay on top of the latest and greatest. You know, maybe it's not your tendency to buy from young startup companies, but they might be the only ones that have it.

And if you wanted to get good guardrails around the company's use of artificial intelligence, you can look at whether your current DLP solution does that. It probably actually does, right? Because you know when somebody is connecting to ChatGPT or Bing solutions from Microsoft. And you just scan that information and see if they're using credit card or putting credit card information into those large language models. So, but you know, if that's too hard to do, that's to build your own, or if it's, you know, you need something with better controls and you talk to the startups. You're only going to have startups as options, right? Because the whole problem is only two years old.

Host: So let's say I understand this, how to decide on a tool and how to not follow a checkbox-based approach. One of the things that you highlighted earlier is there are industry analysts who spend a lot of time giving us insights on what vendor or what tool to pick. So one of the questions that we got from Ashwani Paliwal, we reached out to our common friends.

And one of the things that he said is that often Gartner leader reports are published for cybersecurity. And there is no hidden secret that companies pay reports of 100K to get featured in some of these reports. But for the CISOs world, do these reports make sense? And do they feel that these reports matter?

Richard Stiennon: Well, first of all, let me lay that aside, or lay the suspicion aside that vendors can purchase their ranking in magic quadrants or waves or any of these reports. They can't, they absolutely cannot. So I was at Gartner for four years. When I was, you know, ranking vendors in a magic quadrant, I didn't know how much they spent on us. I didn't know if they were customers. Back then there were plenty of vendors that were not customers.

It didn't make any difference whatsoever.

If they were, even if they were a big spender, as for instance McAfee was, and I removed their firewall from the magic quadrant. I said, this is it. Nobody ever talks about this. We don't need a Gauntlet firewall in the magic quadrant. Man, they tried to get me fired. They called all the way up to the president of Gartner and did, you know, but my immediate supervisor said, hey, check your facts, stick to your guns, we're behind you. Because Gartner has to be independent of the vendor influence.

And part of the reason they have to be is the vendors are only 10% of their revenue. Their revenue comes from selling to CISOs and executives of big companies. So they still serve a good purpose, right? Because the Gartner customers tend to be late adopters. Right.

They do not buy the latest and greatest. Um, Gartner acknowledges that about 80% of them are late adopters. They only have 15,000 customers and there are hundreds of thousands of enterprises around the world.

So, you know, a CIO talks to a Gartner analyst, they're going to get really, really good advice from the analyst about what other companies are doing, uh, approaches. They might even get pricing information, and what other people are paying. And it's going to be great. The only failing is they don't give you the data to make the decision on; they're giving you their opinions. And you might trust their opinion. They're wise and experienced. So this is great, but you still won't have the data.

So if you're using a data approach to making a decision, you know, the only data point you get is Gartner says it's in the leaders quadrant. That's something that means a lot. That vendor is going to be healthy, more likely to succeed because Gartner has said that. If they're already public, it'll help their stock whenever they're in the leaders quadrant.

So all good stuff, but they might miss. I like to use the example of UTM vendors. So, you know, hardware appliances that do everything for you. So for your remote office, that's all you need is one box.

And if you went to Gartner, they'd show you the magic quadrant for UTM. And it would have, you know, Fortinet and Palo Alto and all the rest of them on there. But what if you were in Perth, Australia? It would not have Red Piranha, which is based in Perth, and Red Piranha has a perfectly fine UTM device that you can buy. And you probably wouldn't want to know that. So you go buy it from them and get the excellent customer support from somebody just down the

Host: Right. Right. Now that makes a lot of sense and thank you for clarifying that. So another question on a similar thread that we got from Renee Guttman is, like, vendors often, like sometimes, not often, like sometimes partner with insurance companies to offer various either discounts or guarantees to refund.

What are your thoughts on such relationships? Do they have real value?

Richard Stiennon: I used to hate insurance companies with a passion, right? As most of us do, right? You pay all this money for insurance, it rains, the roof leaks and destroys all your paint and your furniture. And the insurance company says, yeah, we'll pay to fix the roof. But that's not the cost here. The cost is the damage from the rain. Or many, many instances of problems with insurance. And when insurance companies started selling cyber insurance, I, like many, thought of it as a scam. You know, it was like they were in the fine print.

They were writing clause after clause that said, you don't get to collect anything. My favorite one was act of war clauses. And, of course, you've seen the act of God clause for weather-related events. And, you know, all of a sudden, you know, outages in Ukraine that were obviously acts of war. They started denying, so the NotPetya attack. The insurance companies tried to get out from paying the billions of dollars of damages using that clause.

So what really changed everything was ransomware, because ransomware was covered and the insurance companies were starting to, they never lost money on cyber insurance, but their margins went from, you know, I don't know what it was, 60% to 25%. And so they started being concerned. So they started working with vendors and service providers for incident response and MSSPs, so that basically they can now offer discounts on cyber insurance to those that use some of these vendors.

Fantastic. It's the best thing that's happened in cybersecurity ever. You know, as much as governments here in the United States, you know, CISA, are constantly berating people to, you know, don't succumb to ransomware, do this, this, and this. Nobody listens to them, because somebody owns a little manufacturing plant.

My favorite example is the ice manufacturer here in Detroit. You know, he's got two offices and a little tiny server running Windows NT and a connection to the internet. And he doesn't have an IT security guy at all. Right. So what's he going to do?

And he's not going to tune into what CISA tells him to do, but he is talking to his insurance broker, you know, once a quarter. And he's constantly looking at his insurance costs because he pays, you know, he's got employees and ice manufacturing. He probably pays what, half a million in insurance a year. He's definitely looking for ways to save money. And his insurance broker is going to say, you know, you should have cybersecurity insurance, because what happens if, you know, booking and delivery stuff goes down.

He's going to go, oh yeah, how much is that? And they'll say, oh, you know, it's $5,000 a month. Unless, you know, you work with Mandiant or CrowdStrike to protect all your systems. And then it's $2,000 a month. It's like, sometimes it pays for the additional investment in security. Worth doing. So best thing to ever happen in security, it's finally going to get security down into the SMB.

Host: I really like how you gave an example of a manufacturer and how it impacts them and how the cost of buying a tool works out with the insurance coming into the picture. Yeah, thank you so much for doing that.

Now, let's say I'm convinced, I have decided on a vendor and now I have procured a vendor or a platform for my security needs. I need to do the implementation, sometimes the integration. And once the integration is done, using that platform often needs training and support. What should organizations look for in terms of vendor support and training resources?

Richard Stiennon: Well, first of all, when you go through that purchasing process, try as hard as you can to include the terms that you will not pay the vendor until it's up and running. Right. So none of this. Yeah. You know, so the vendor will be very interested in getting you up and running and working. Yeah. And then, you know, make sure there's some professional services if it's needed.

Host: Love that. Yes.

Richard Stiennon: Now, cloud security, we're talking about, the beauty is it needs very little configuration and setup, right? So there might be the training that you need on top of that. So make sure all that's in the contract and then that there's a way to extend it if you need more help or want to do more training down the line, preferably with the vendor, but maybe a third party. Maybe the value-added resellers are interested in that business and they add that into the deal.

Host: OK, now most organizations have started following agile-based methodologies, and most organizations at the same time would not want to do a Big Bang. Let's say if you are onboarding a new platform, you might want to do it for non-prod first, and then you might want to do UAT and production. Like, you take an agile approach for implementation.

How does that affect the vendor, the relationship with the vendor, and also as a customer, I'm using the platform. How does that impact?

Richard Stiennon: Yeah, every vendor's implementation process could be different. Cloud vendors, it's becoming pretty standard. It's like, give me your keys and plug them into the screen and boom, you're done. But the customization should be done as well. So yeah, I wouldn't call it agile, but use phases of implementation. And for sure, if it's an endpoint solution, then roll it out in phases. So typically you put it on the IT people's desktops first and roll it out from there. And then learn as you go what kind of training you have to do to let people know that we've got this on your desktop. And don't be afraid of that Falcon flying around, etc.

Host: Makes sense. Like a phased rollout makes sense even for EDR-based tools and also for even cloud security so that you don't do a big

Richard Stiennon: Yeah. Yeah. Yep. And then, I think very important to stress today, because we're doing this interview the day that CrowdStrike seems to have shut down most of the world with a simple, simple update. You and do not have, and now with a SaaS solution, they can change the SaaS solution without telling you. They do all day, every day.

Um, but if it's something that's resident in your VPC or on your endpoints, uh, do not have a process where they can update the software and you just accept the update. Build in the, yeah, build in delays. Um, if you were somebody who had a 24 hour delay in how soon you updated CrowdStrike, you wouldn't have a problem today. Um, you'd see the problem that other people did your testing for you. And then there are organizations that do do testing, because look at where the internet's still up. You know, we're doing an interview over the internet and Riverside FM is still up and running. So they are either not on Windows, or don't use CrowdStrike, or they have good testing processes and they discovered that when they ran their tests and they didn't implement it. So you want to be in that position. I mean, literally this is an application of zero trust. Do not trust the vendor to have perfect updates and just wait as long as you possibly can.

Host: Yeah, so I'm glad that you stressed that point, right? That auto update, you should not just do auto updates with all of your vendors, but particularly if you have like agents running on your machine, things like that. It could break your machine or servers or things like that. So it could be a big challenge.

Speaking of Zero Trust, it is quickly becoming like a new normal in cybersecurity, right? When it comes to Zero Trust, there are many areas of course, not in all the ideas, like it could be identity or devices or network or application or workloads.

And there are many principles to implement as well. Now, where should organizations start when they think about zero trust?

Richard Stiennon: Yep. Yeah, you know, first you should figure out if this is something you want to adopt and make noise about, right? Because you don't have to. The federal government says you do have to. And so you have to jump through the hoops to take what you do and what you want to do and shoehorn it into a zero trust framework. It's not the end of the world. We've been asked to do much more horrible things than that in the past.

They used to, you know, just force everybody to use risk management principles, and look where that got us. Right. We're in real deep trouble because of that. So I'm much happier that we're using zero trust, because it's a little closer to the way an engineer like me thinks, you know, which is in terms of a layered defense model. Think of, you know, how am I going to stop attackers and what are they going to attack. Well, they're going to attack my endpoint. And so I'm going to beef up security on my endpoint.

How are they going to get to my endpoint? Through the network. I'm going to beef up my network security. What are they after? They're after my data. I'm going to encrypt all that data. Well, then they're going to be after your keys. I'm going to store the keys, like, you know, in an air gap device and evolve. Right. That's how I build security architectures. Zero trust is a little more ephemeral, a little more wishy-washy than that. Part of the hard part for me in speaking the zero trust language is that, you know, just semantically, it's not zero trust, right? It's graduated trust. It's dynamic trust. But it's greater than zero trust. So yeah, there are some zero trust models.

And one of them is I don't trust a vendor to send me a good update. I'm not going to trust it. So I'm going to test it. I'm going to reverse engineer it. I'm going to see what it does before I install it. That would be zero trust. Or, I'm not going to trust Dropbox or Google or Microsoft to encrypt my data for me, because they might look at it. I'm going to encrypt the data locally and keep the keys locally and store it on their systems. So that's completely zero trust. The part that's not zero trust is the access control stuff that all the vendors are talking about. So yeah,

you shouldn't let somebody into your network if you don't trust them. Great. Right. If they're unknown, don't trust them. And then if they have access credentials, give them a little bit more trust. Okay. They can see the calendar system. If they are the system administrator for a server, trust them more. Right. But if they log in from China, don't trust them anymore.

So it's a graduated thing, you know, and it doesn't quite fit a universal model. But it's easier to live with than things we had.

Host: So today is a perfect day, because there is CrowdStrike, things are happening with CrowdStrike and it's affecting many organizations. I think you had some observations on CrowdStrike, but I think we'll have to wait to see what the RCA was and things like that to do a deeper analysis.

But you have some observations around what happened with SolarWinds, right? And how it got remediated. And I want to double click on that.

So can you share with our audience what exactly happened with SolarWinds?

Richard Stiennon: Yeah. So in short, SolarWinds was an example, not the first example, of a sophisticated attacker going after the vendor's customers by infiltrating the vendor, getting on the, you know, the laptop of the engineer creating code and changing the code on that laptop so that when the engineer uploaded it into the repository and followed the whole CI/CD requirements, backdoors were installed in the production software and then digitally signed, hashed, et cetera, and sent out to 18,000 customers. So super sophisticated.

When did that happen before? It was a company called MeDoc in Ukraine that created, has an accounting software package. It's like QuickBooks for Ukrainians. They got into its update servers and they modified the software so that when it sent out updates, it introduced a worm into the world, which was NotPetya. And, you know, it was the most devastating attack in history, billions and billions of dollars of losses.

So what do we do? Well, the answer, according to the US government, CISA, everybody else, is we have to do a better job of software development, right? It was SolarWinds' fault because they didn't do a good job of software development and of security in general. That's just kind of hard, to point the blame at them. Yes, the...

The spy agency of Russia was able to induce somebody to click on a link and fall for a phishing attack and get exploited by very sophisticated unpatched vulnerabilities. And then get into it and execute the whole thing, right? It's like the only ones I've ever seen who could stop that was Lockheed Martin. They would have stopped it, but not SolarWinds. And I don't expect the software developer to be that good.

But the answer, according to everybody, is all software developers should be as good as Lockheed Martin and not allow these types of attacks to happen. And it's just silly. It's not going to happen. Right. There are millions of software developers. IT-Harvest is one of them. We have a software product. So, you know, we're not going to invest in that. The real answer is, or the real need that we now know we have, is that we have to be able to examine code when it's shipped to us from our software vendors and determine if it's got malicious updates in it.

And frankly, I'm not quite sure how that would be done. You could reverse engineer it. You're already checking the hashes to see if it's digitally signed. That doesn't help. You can inspect the code. You can do a diff on it. Mind you,

your contract with the software developer specifically says you will not reverse engineer the code. So you have to change that contract, right? And, you know, the little guys aren't going to be able to do that, but Bank of America is going to be able to do that. They're going to say, we're going to reverse engineer your software updates and make sure that they're not malicious. Maybe there's going to be a trusted testing site that could do that for us as a service, and

you accept code from them, maybe. But then, you know, now you've got a single target for the sophisticated attackers to go after. So you might've created a worse problem. So I'm not sure how it's going to be solved, but if I knew how to do those sorts of things, I'd be starting, you know, software companies instead of doing what I do.

Host: So speaking of some of these attacks, one of the questions that we got from Senthil Ski is, what do you believe are the most critical emerging threats in cybersecurity that organizations should prepare for in the next five years? And how can they mitigate them? Or how can they even think about them from today?

Richard Stiennon: Yeah. The emerging threat is more automation on the part of the attackers. So today, every organization pretty much is worried about, maybe tracks, the mean time to discovery. You know, that's a metric to see, you know, when they're being attacked. Mean time to breach is another one. So today, you know, the mean time to discovery of a breach is 272 days, something ridiculous like that. So yeah, get that down, shorten that, you know, get it down to a week. The attackers can do less damage in a week than in most of a year.

But when you think about automation, the attackers are not going to take a couple of weeks to break into your systems. They're going to take minutes to break into your systems because they're going to use an AI that's been tasked with picking from a library of exploits.

They'll hammer on the front door until somebody clicks on a link, and then boom, two minutes later, they've got everything from your critical resource that they were after. So you have to start thinking about that now so that you can start being prepared to turn on automation. A lot of us have been investing in SOAR solutions, you know, to automate the simple things. You gotta push the boundaries a little bit, because you're going to be offered tools very soon that use AI to determine if an action has to be taken, right? Then the very first steps, it's going to start shunning with TCP/IP resets.

You're going to have to become comfortable with that. You're going to have to explain to somebody why an API call from a partner that only happens once every six months just got shut off. And you're going to have to debug issues like that. Those issues are a lot less onerous to debug than, hey, somebody triggered through an API and stole all of our data. You don't want that to happen. You can't reverse that one. Yeah, so be ready for automation, because the attackers are going to start using it.

Host: So that means you have to stay ahead of your attackers even though they have sophisticated tools and with AI and everything like that. So that brings me to the next question, which is, one of the key statistics presented at the Gartner Security Conference this year, in the keynote, is that around 73% of CISOs and security leaders feel burnout. So with more and more attacks happening, with more areas to focus on, there would be more burnout, right, in a way. So what's your take on this? How do you handle stress and burnout? Any tips for security leaders?

Richard Stiennon: I'm the wrong person to ask. I don't typically get stressed. So maybe my secret, I don't know. I think it's because my secret is I think so broadly about life. I can go, you know what? This particular thing that's happening, you know, whatever, the IRS wants their money. You just rise above it.

Host: So yeah, step out of the current situation, think from a bigger picture anyway.

Richard Stiennon: Right. Yeah. Think really big picture. Think about your life. Think about your options, right? I have a backup plan. Like, hey, I don't have to do this job, if that's the case, right? You want to be in a position to say that: I could retire to the lake house, that kind of thing. Just kind of keep that in mind on those really bad days. I think it's amazing how, have you ever noticed how it just feels like people who are wealthy, especially in the startup world, when they're doing their second startup, they've made all their tens of millions from their first startup, they just have this freedom of action that you don't have typically.

And it doesn't happen very often for CISOs that they're wealthy, but having that ability to stand above it, I guess, and know that it's not the end of the world for you personally, really, really helps. Right.

And that gives you the freedom to go, you know what, let's just make the right decision here. Let's all calm down. You know, we need more resources. As a leader, it's your job to get those resources, so your team's not stressed out or burned out. So you take care of yourself. I'd be a hypocrite if I talked about getting exercise and all the rest, 'cause I know it's good for you. So take care of yourself so that you can take care of your team.

Host: So which means you do a lot of planning and prep beforehand, right? Particularly when you are being attacked and you are not prepared, you would feel you cannot look at the bigger picture at that time, right? Because you are not prepared. You have to deal with it right then and there. So that definitely would add to the stress. So more planning and preparation, like some folks... Sorry, go

Richard Stiennon: Yeah, you should. Yeah, you should not be making new decisions during an emergency, right? You know, it's like, should we call the FBI? That should not come up, right? There should be a flow chart that says, now you call the FBI, and then you just do it. And you know the person's number, right? Or, you know, 72 hours to tell the SEC, who do we tell at the SEC? Don't scramble.

This desktop exercise for incident response is the most important thing you can do. Get everybody there. And, you know, the ones that are actually, you know, red team kind of things, now they're going to send a new packet at you, that's maybe not as valuable. But the incident response plan and working through it and practicing, rehearsing it, is going to save you so much. The tabletop. Yep.

Host: The tabletop exercises. Yeah, yeah, that helps quite a bit. Totally. That's a good suggestion. Think big picture. Yeah, another question that we got from Jeffrey Wietman is around intrusion detection systems. So he wants to know, do you think IDS is dead? It looks like there is a story behind it, if you want to share.

Richard Stiennon: Yeah. So Jeffrey remembers. We weren't at Gartner together, but he later joined Gartner. So he's very aware of what was going on back then. But when I joined Gartner, you know, I was the firewall guy and I'm looking at this IDS stuff that was becoming popular. And frankly, in network security, there were two things you could do: firewalls, which stop stuff from getting in, and IDS, which looks at stuff that does get in.

And a community of people would write signatures of bad stuff and deploy them, and people would put them in their IDS system. And every time it saw the packets that matched that signature, you would get an alert. So all of a sudden the network guys got to live the life of the desktop guys who got virus alerts every day. Now the network guys are getting network alerts every single day. I spent my first two years at Gartner talking to all the vendors. They told me how great they were at generating millions of alerts. And then I talked to the teams that were doing IDS. In two years, I never met one that had 24x7 coverage for IDS.

In other words, they were capturing all these alerts, but they weren't doing anything with them. So I finally decided to issue my proclamation that IDS was worthless and you shouldn't spend a penny on it anymore.

That turned into the Pentagon. Well, first of all, it turned into a lot of flak from the industry. But the CIO of the Pentagon came up to me after I got off the stage making this grand pronouncement. And he said, you know, you've been telling us this for months. I want you to come to the Pentagon to, you know, explain to my teams. They had 20 separate networks inside the Pentagon, one for every branch and division of the military.

So I finally get to go to the Pentagon, and as I'm being escorted down the hall by a Colonel, he says, we've invited some other industry experts to this meeting. So I get to the meeting and all of the Pentagon people are around the wall and all of the founders of the IDS companies are sitting at the table, and I have to debate them. And so I debated, made all my arguments. They made their arguments; there was a heated discussion going on. They accused me of doing what the vendors pay me to do.

Which was funny, because they were the vendors in the room that were my customers. And I was telling them that their products were really bad. And so at the end of the day, the CIO said, you know, it's a draw, but they changed their RFPs from IDS to IPS. And here's my... If you have a signature for SQL Slammer, NotPetya, you know, so you can actually see it coming in on the network, why would you create an alert when you could stop those packets and shut off the connection that it came from, you know, create a firewall rule to do it? Shun it, whatever. That's IPS, right? And there were 3,000, you know, really well-known attacks that can be stopped with IPS. You should just turn that on right now, right?

'Cause it's just all good. No bad. Instead people just wanted to continue to collect all this data. 'Cause you know, a lot of engineers are data hoarders, and they just want lots and lots of data. But because of that, now mind you, there aren't any IDS companies. Right. So yes, IDS is dead as a market. It doesn't exist. Yet there's a lot of freeware out there that does IDS.

And people still collect that, but the evaporation of the market, you know, the ability for companies to make money selling IDS, when that went away, created two new industries that are still with us. One is MSSPs. Managed security service providers back in the mid-2000s were a way to outsource ignoring logs to somebody else.

So you still tell your auditor, yeah, we've got all the logs, call up the MSSP. They'll give you as many logs as you want. But nobody looked at them, right? Bruce Schneier had an MSSP called Counterpane back in the day. One of the most highly funded at the time, $90 million invested by Bessemer. And he'd brief me every quarter. And every quarter you'd have a bigger chart showing a bigger number of alerts that they captured and how they'd start with, you know, 2 billion alerts and they'd get them down to 20,000 alerts a day.

You know, and like they can't, nobody can handle 20,000 alerts a day. A single alert can take one person a full day just to respond to. So it's like, yeah. So, you know, obviously Counterpane didn't survive. It was sold for $90 million to British Telecom and is still part of their service offering. And then the other industry that was created was the SIEM.

A place to store alerts. So now you've got a really good data management platform for alerts that you can also ignore. And that's pretty much what people are doing. And here we are today, you know, with all these new SIEMs. There are 200 SIEM products. I got that from my data. So with Cisco buying Splunk, you know, there's going to be a lot of better SIEMs to replace Splunk in all these places that said, you know, now's the time to switch vendors because Splunk is way too expensive. That's going to be the case.

Host: Yeah, yeah. So it looks like an amazing story. Thank you for sharing that around intrusion detection and prevention. One takeaway from that is action versus alert, right? That you are getting alerts, but if you are not taking any actions, then it's pointless to even set up that system, because nobody is even looking at it. It's not getting prioritized.

Richard Stiennon: Yeah, yeah. You know, maybe it'll come full circle, and then because we have that much data, especially Microsoft and Google who have created their own SIEMs, right? But they're both looking at it. We've got a lot of data. We should be able to apply artificial intelligence to it. So maybe it will come full circle that we can actually use all that data effectively in the not-too-distant future.

Host: Yeah, let's hope that happens soon. So yeah, that's a great way to end the podcast.

But before I let you go, one last question that I have is, do you have any reading recommendation for our audience? It can be a blog or a book or a podcast or anything like that.

Richard Stiennon: Reading, for sure. You know, of course I want you to read my books, but I think Sandworm, which is the story of the GRU. So the Russian military's attacks, primarily on Ukraine, but, you know, they're some of the first attacks that worked against the power grid and the rest of the infrastructure in Ukraine. But it's a really, really well-told story. And of course, yep, Sandworm, and Kim Zetter's Zero Day, which is the story of Stuxnet. It's such a beautiful story, right? Because it's such a beautiful worm. Single-purpose worm that succeeded, right? It set Iran back, you know, years and years in their nuclear enrichment activities. So just, you know, you think... But you know, that was a good use of it. Everybody in the world except Iran thinks it was a good thing. And yet it was totally malicious and, you know, an attack. No question. Think about your own enemies using techniques like that against you.

Host: Yeah, yeah, that is amazing. So yeah, when we publish the episode, we'll tag both of these so that our audience can go in and learn from it. So thank you so much, Richard, for joining and sharing your insights. It was lovely to have you here. And to our audience, thank you so much for watching. See you in the next episode. Thank you.