What's Up with Tech?

Demystifying Observability in Cybersecurity: Insights and Experiences with Haim Mazal

Evan Kirstel


Ready to demystify observability in cybersecurity? Our guest today is none other than Haim Mazal, Chief Security Officer at Gigamon. Haim's profound insights reveal the crucial role observability plays in enhancing the security posture of organizations. He shares his experiences dealing with sophisticated threats and sheds light on how deep observability can make an organization's security approach more efficient and resource-effective.

Navigating the world of encrypted traffic in a hybrid work environment can be challenging; Haim helps us understand these waters better. He outlines the importance of partnerships, growth, and the evolution of observability amidst the COVID-19 pandemic. As we chart the future of observability, we discuss emerging methodologies and the benefits of maintaining a uniform view of assets across all environments. And if you're a cybersecurity enthusiast, don't miss Haim's tales from Defcon and Black Hat, along with his valuable advice for burgeoning CSOs. Let's embark on this enlightening journey.


The Role of Observability in Cybersecurity

Speaker 1

Hey everybody, Evan Kirstel here. I'm really excited for this chat today with Haim Mazal of Gigamon. Haim, how are you?

Speaker 2

I'm doing great. Thanks for having me, Evan.

Speaker 1

Thanks for being here. You have a really legendary career, to be frank, and I'm so excited to pick your brain on so many different topics around the cybersecurity space. For that, I would love for you to introduce yourself, your background, your bio and your role at Gigamon these days. Yeah, absolutely.

Speaker 2

Thank you so much. So my name is Haim Mazal. I'm the Chief Security Officer at Gigamon, so I'm responsible for all corporate security, product security, IT, back-end business applications, pretty much the whole technology stack at Gigamon. Prior to Gigamon, I was at Congee, where I was the SVP of Technology and CISO, where I was in charge of product development and security for that MDM platform, and prior to that I was CISO at ActiveCampaign, which is a global leader in sales and marketing automation, a competitor to Marketo and HubSpot. A little bit about me: I've been in the community in security for about 15 years. I've been highly involved with a multitude of different security product companies, helping, working on product roadmaps, really being able to drive solutions for the industry and for my peer group, because security is an evolving challenge, and making sure that I'm able to go ahead and influence it, selfishly, to be successful within my role and to help my peer group be successful within theirs.

Speaker 1

Love the mission. We're going to dive in. The focus today is observability, and, you know, definitionally, let's start there. I've seen many different definitions. How do you define observability today, and why does it play such an increasingly fundamental role in protection, security in the modern enterprise?

Speaker 2

Yeah, absolutely so. I'm going to talk about it in the broad sense and then I'll talk about it in a more particular sense as well. So observability, first and foremost, is the ability to have visibility end to end across all of your applications and/or assets in your environment. So the key to security and reducing risk for organizations is being able to have detailed insight into what you own, and if you can't do that, it becomes extremely hard to be able to fulfill your mission statement in the world. So observability historically has been really around application performance monitoring, and a lot of the things that have gone into it are, you know, using metrics, events, traces, logs, to be able to have indications of what's happening across your applications and/or what's happening across your servers from a non-intrusive perspective. The only problem with that is that there are limitations to those data sets and it doesn't give you the full end-to-end spectrum. And so, in the broader sense, it's helped us get to where we are as an industry, being able to have a lot of visibility and detailed insight into what's happening across our environments and our applications and our assets.

Speaker 2

But, you know, it's not without its own shortcomings as well, which I'll, you know, talk about here a little bit as well. So one of the things that we believe at Gigamon is missing from this picture is having deep observability, which is one step further, which is kind of how we take this to the next level. And deep observability means that we take one of the shortcomings of observability, which is that mutable traffic via logs, right, which can be altered and tampered with and overridden, and we say we're going to take that network-level telemetry, the full packet capture, we're going to go ahead and take that data, which is immutable, right, you cannot go ahead and alter and change those data sets, and we're going to go ahead and reduce it down to metadata so an organization could fully reconstitute that data and be able to have the insight and detail and validation, verification that this is in fact the true, real information that's taking place and being transferred across their environments, whether that's their servers and/or their applications.

Speaker 1

Fantastic. Give us some examples of more recent threats, specifically, that have led to this shift in need for deep observability. What are you seeing out there today?

Speaker 2

Yeah, absolutely so. Not too long ago, without going into a great amount of detail here, but within the last three to four months there was a pretty considerable breach, and in that breach there was a bad actor that was held within an organization for over six months' worth of time, and they were able to go ahead and gain access to some network-level hardware and they rewrote the logs to go ahead and show, essentially, for the EDR solution that was in place, that there was no alert that was actually bypassed or triggered. So within that six-month period of time they used that to do reconnaissance and be able to pivot laterally throughout that environment to be able to gain access, obviously, to more critical information and datasets. And this isn't something new, this is something that we've seen historically for a while, but it's something that's become more and more prevalent as sophistication evolves amongst attackers.

Speaker 1

Yeah, sophisticated indeed. Now, there are cost implications, resource implications for increased observability and security. So how do you balance this demand for increased threat protection with other priorities of the business?

Speaker 2

Yeah, definitely, definitely something that has to be taken into consideration. Obviously there's a give and take. So historically with observability, right, you have to have a detailed amount of individuals who are working either in your security operations or they're working in your infrastructure team or network operations team, being able to go over and view these logs, being able to write rulesets and perform threat hunting and things like that. So obviously that cost that everyone has been paying for is going to stay there. But the difference is, like, hey, how can we be more effective with some of this observability, with some of this data transfer? How can we be more performant? How can we essentially be able to have a better outcome for less money on the performance side within our environments while still staffing it appropriately with the right individuals across the right business units? But really, something that we've seen is success with our net flows.

Speaker 2

Not all tools need all access to all data at all times. So being able to figure out effectively how we transfer the appropriate data to the appropriate tools so you can get that steel threading with that full end-to-end view across your environment is something that's been key for us. It's easy to log, right. It's hard to log well. This is an age-old adage across technology organizations. So for us, right, we want to be able to have the full view of that immutable network-level data. We want to be able to have the full actionability of that data, but we want to make sure that we're piping it to the right places at the right time, and that's giving us advantages as far as performance, as far as egress and ingress, and being able to be successful across a multitude of environments.

Speaker 2

So one of the big problems that we're seeing as far as cost-effectiveness and inefficiencies is with the hybrid cloud and on-premise environments. The diversity of these different areas has a huge impact on cost, right? So a lot of times organizations say, hey, how can I get the furthest without being completely stuck in this circular fashion of, like, we're never going to be able to afford the value that we're getting out of this. So I think Gigamon solves this problem in a unique way by saying, hey, we're going to reduce the amount of egress that you might have or reduce the amount of ingress that you might have and make sure that you're still getting that full view holistically across all of your environments. You have that steel thread, that single pane of glass, but we're doing it in a much more performant, cost-effective way where we're feeding the right tools the right data sets to have that full view.

Speaker 1

That's fantastic. What differentiates deep observability from other best practices or approaches to security? You've seen them all personally, firsthand. Absolutely.

Speaker 2

So I think the most interesting part is that continuous validation of your data set across the board, which for me is worth, you know, every single dollar spent in my security program, because it gives me an extra level of confidence that allows me to sleep well at night.

Speaker 2

So I have tools and I have systems and I'm feeding all this data across the board and I'm not 100% sure if that data has been validated. I'm not 100% sure if that east-west traffic, right, that I seemingly have insight into, if it's nefarious or normalized traffic, and being able to have insight into this information, saying, like, hey, I have all my tools, I have all the metrics, I have all these things being fed, but then, underneath that, right, I have this continuous flow of data that's continuously validating that my data is in fact real and true. That's something that I think most organizations are seeing that they can't live without, right, because, as things become complex, as attackers go ahead and continue to evolve, it's very, very difficult to make sure that the data that we do have in fact hasn't been tampered with, especially in the event that someone were able to gain access and be able to tamper with those traditional sets of metrics and logs that we look at.

Speaker 1

Fantastic. The environment is so complex now when it comes to the enterprise. We have enterprises with multiple clouds now, not just hyperscaler public clouds, but private clouds and hybrid scenarios. How do you protect across that very complex environment, multi-cloud environment?

Speaker 2

Absolutely so. That's the interesting portion, too, is, like, as organizations grow and the environments become more complex, there's not a silver bullet, right? Every single cloud is going to have a different set of security tooling and/or baked-in offerings that are gonna allow individuals to be successful with implementing security controls. But one of the things that we continue to see across the board, across all of our customers, is that there is a hybrid cloud approach, and that has been the industry kind of direction, right? So everyone is using different cloud providers to solve different issues within the organization. So AWS is for application development, or GCP has been used for data storage and analytics, or Azure has been used for back-end business applications, right? So the world as a whole has chosen that there will be a multitude of cloud providers in place, and people are still obviously using their private cloud as well, using virtualization, solving that halfway step between an on-premise environment and going to the public cloud. So we're seeing that across the board.

Speaker 2

And, of course, right, you wanna make sure that you have a holistic view across these things. Everything that you're doing for your on-premise data centers and that end-to-end visibility, you want to be able to ensure that you have across your cloud providers, and every cloud provider is probably going to have a different set of tooling that's built in natively, a different set of applications that's running natively, but the commonality amongst all of them is you want to have those continuous data feeds, right, being sent to a place where your security operations team or your network operations team has full visibility to do threat hunting or to do triage against performance to make sure that your environments are humming along and running without any major implications.

Speaker 2

So, as we continue to evolve across the board and we look at all of the security controls put in place, I think there's a good set of standards for cloud-based applications and cloud-based security tools that people are using. I think there's a good set of standards for observability tools that people are using. But I think in making sure that all the appropriate tooling and all the environments are being fed that appropriate network-level set of data, I think that's where Gigamon comes in and really shines. So it allows you to take the individuality of all of your environments but to perform the unified way of consuming that data and being able to approach it and address things in a pragmatic way.

Speaker 1

Oh, that's really great. And you guys at Gigamon recently introduced a report on security in the hybrid cloud. Any findings there that were surprising? Maybe that informed some of your best practices?

Speaker 2

Yeah, absolutely. For me it was, one of the stats that came out was 97% of the people surveyed felt that they had end-to-end visibility across all their environments and assets. But that's like a direct contradiction of 33% of individuals experiencing a breach for a significant period of time before it's actually identified. So just the difference, the gap in those numbers.

Speaker 2

Number one, we've kind of been molded into a false sense of confidence a little bit with some of the things that we're able to do today and with some of the evolution of security tooling as far as cloud security posture management tooling and vulnerability management and just the general hygiene that all of us implement in our programs in the day to day.

Speaker 2

But the second one is, what about those known unknowns, and how we're going ahead and continuously validating and checking and making sure that we really do have that full end-to-end view, that full breadth of everything that exists in our environments? Because, again, as businesses continue to evolve and as we continue to add value for our customers, right, the complexity of environments increases, we're going to continue to add additional assets and resources. Making sure that we have a way to continue to scale and scope our environments as we go in real time is definitely critical. I think that deep observability really plugs into that because, in the event that things are being built in your environment, are evolving, you also have again that undeniable data source that tells you what's happening and what's going on. Sometimes, obviously, in businesses that are moving fast and are looking to serve stakeholders and customers, the right hand doesn't always know what the left hand is doing, and so having another set of data that validates, informs and really gives you that full end-to-end view, I think, is critical.

Speaker 1

Absolutely, and I'm reading more and more about encryption and encrypted traffic being a real pain point for IT and security teams. First of all, why is that a challenge from your perspective? Any insights into managing that complexity of increasingly encrypted traffic?

Speaker 2

Absolutely so. One of the things, I think this is definitely multifaceted here. But cloud providers said, hey, we're going to encrypt all traffic out of the box. Right, because encrypting traffic is a good thing to do and, historically speaking, from an attacker perspective, not all exploits and protocols that were used to gain access to companies and data were over encrypted traffic, so it used to be a best practice. It was an easy way to identify a third-party actor, nefarious actor: you were looking for the unencrypted traffic, right.

Encryption and Observability in Cloud-Based Environments

Speaker 2

Obviously, as things evolved and as there's been a whole bunch of frameworks written for exploits and to help bad actors be successful in their critical role and mission statement in the world, that has changed to doing it over encrypted protocols and encrypted traffic and using similar ciphers and blending in with normalized traffic across environments.

Speaker 2

So, as the cloud providers say, hey, everything's going to be encrypted out of the box.

Speaker 2

So in the world view, as encrypted traffic is good, so now it's a double-edged sword, because all the good traffic is encrypted, potentially bad traffic is encrypted, and you don't have any real detailed insight into what's normalized, what's good, what's bad, what's being transferred east-west or north-south. So it's very, very hard, and most organizations, I think, are starting to come to terms with this, and some best practices that organizations had on-premise, with running their own key management systems, having their own decryption capabilities, all those things are pretty heavyweight, take resources, take time, take planning and take ongoing, continuous maintenance, and so when you look to the cloud space you're like, hey, we don't have that capability, and if we were going to do that, that would be a pretty significant lift for most organizations. So I think having deeper insight into encrypted traffic, the normalization of that traffic, and making sure that you have a lot of detailed insight into east-west traffic, especially in modern containerized environments using Kubernetes and containerization as a whole in cloud-based environments, is going to be critical for organizations to be successful.

Speaker 1

Totally so. We find ourselves in an interesting place in the enterprise now. We went from remote work to hybrid work, and it's almost like no two enterprises have the same hybrid strategy. So in this mix of a little bit of chaos and uncertainty, I mean, what is the role of observability now, looking forward, in this bit of a chaotic environment?

Speaker 2

In the enterprise.

Speaker 2

Yeah, it's funny, I mean, some peers of mine were just having this conversation yesterday, and Gigamon focuses really on the server and the application side, but we were talking about the expansion and the adoption of SASE across the board, making sure that we're looking at identity and access management, we're managing remote networks, we're being able to give all of our end consumers and employees all the freedom to be able to do their job and to do it well, by making sure, and also making sure we have detailed insight into what's taking place across our corporate environments, our network traffic and all those things.

Speaker 2

So one of the things that we think is very important is continuing to focus on, you know, continued partnerships and growth, where we're able to take all this information, you're able to plug it into your, you know, your SIEM, your security data lake, which I think is the future and the way that everyone is starting to move to, and making sure that you're able to look at all those corporate metrics alongside all of your production metrics and your server-side metrics, and being able to paint that full picture holistically. But I think there's been a huge, huge amount of innovation that was driven by COVID and remote work, and we're seeing a lot of really cool things happening across the board. I don't want to plug any direct companies, but, listen, I think cloud players have been doing tremendous jobs, Zscaler, you know. We've seen some cool stuff from Netskope. So I think there's a lot of things, a lot of areas of improvement that we've seen in the last two years that are really helping us evolve as practitioners and operators across the board.

Speaker 1

Yeah, it's an uncommon bright spot in our industry, this enhanced collaboration. Speaking of which, you do a lot of education with customers, things like this video and face-to-face

Observability and Security Future

Speaker 1

meetings. What are some of the common misunderstandings, misconceptions around observability and security? There's a lot of FUD or unknowns out there. Perhaps with deep observability, what do you see most often?

Speaker 2

Yeah, absolutely so. I think for me it is, you know, people feel very, very strong about a certain set of controls or a certain set of observability they might have in one environment, and then there might be some doubt whether or not that needs to actually be expanded in a uniform, holistic way into alternative environments. And the biggest place we've seen this, I think, is this hybrid cloud. Right, like, 85% of my assets are on-premise and I have a great program and I know everything that's happening; there might be some divergence, you know, in team and responsibilities, and I might not have as much influence on my cloud offerings. I might not have as much influence on my security operations team. I would love if I had that same holistic view that I have of my on-premise assets in my cloud-based assets. But really I'm not sure if the value is there, and I think, you know, we're doing okay, kind of, but I don't know. And the answer is, obviously, if you want it and you're being successful with it in your on-premise, then the right move is to implement it in your cloud-based deployments as well. Because, again, having, you know, a bright, shining light on, you know, on two-thirds of your environment, obviously, is not how we win the day. So I think, you know, really talking to customers, really saying, like, hey, you know what causes breaches, what causes security incidents. It's the lack of the uniform view and cracks that are created over time as a business continues to go ahead and evolve and adapt and roll out, you know, different product offerings or assets, and so making sure that we have the end-to-end visibility, I think, is one of the things that is really valuable.

Speaker 2

And I think, as we continue to evolve and grow as an industry, especially practitioners who felt very comfortable in on-premise environments and maybe cloud migrations, or maybe having, you know, this whole, you know, cloud, you know, kind of innovation, prioritization within their organization, they don't feel that strong about it and they don't want to, you know, press too hard, or they don't know if it.

Speaker 2

Hey, it's really one-to-one, and I would say the answer is yes. Right, all of the best practices that you've done for your on-premise environments you should be doing in the cloud as well, and I would go back and port that over, and vice versa: some of the new innovations in the cloud and best practices, we should be looking to implement those things on our on-premise environments as well. In this, you know, great new world that we're approaching, the answer is innovation. The answer is yes, and we have a diversity of environments. So we've learned a lot of things over the last 10 years, and so we should continue to innovate, making sure that we draw the same controls uniformly across all of our assets to give us the best chance of being able to thwart nefarious actors.

Speaker 1

Fantastic. Speaking of innovation, you guys at Gigamon have such a huge R&D effort. You're always looking ahead. Give us a peek. What emerging technologies, or maybe methodologies, do you see shaping the future of observability? What's on the horizon that you can share?

Speaker 2

Yeah, absolutely. I think we teased that a little bit, but I think really being able to have a detailed end-to-end view across encrypted and unencrypted traffic, as you see fit, in real time, we believe is the future. Being able to have room and flexibility to decide when, where and how you consume data in its full breadth, encrypted and unencrypted, we believe is the future. Looking forward, we have some cool innovations that our customers will be able to implement across a myriad of environments, notwithstanding any specific challenges based on deployment locations. We're very excited about that.

Speaker 1

Well, we've been watching with interest. Finally, we're in the dog days of August here. You were just coming back from Defcon and Black Hat. You look like you had a lot of fun. Any takeaways you want to share, besides all of the community building and meeting old friends?

Speaker 2

Yeah, absolutely. First and foremost, I had a blast. I've been going for a long time, longer than I can remember. I think really some of the things that really resonated this year is that there's a lot of better together. Better together: there's been an extreme amount of focus on partnerships. I think the recurring theme that I've heard is that we're all acknowledging that security is a data challenge. Having the right data in the right places is how organizations are going to be successful with that.

Speaker 2

We've seen a lot of strong investments moving to security data lakes, as I mentioned previously, whether that's with Amazon security data lake or Snowflake security data lake, being able to have all of your data concentrated in a singular place and then being able to overlay the tools that you want to be successful. Making sure you can aggregate all of the data into the data lake in the first place, then having the tools overlay to be successful, I think is going to provide practitioners new flexibility that previously wasn't had. We're going to be able to be a lot more successful again with making sure that we have the end-to-end visibility. I've got to tell you, if I had 10 conversations, security data lake was like seven out of 10. I think that the industry is moving towards flexibility, with data management being able to overlay SaaS security tools and thinking about comprehensive, holistic ways to have everything you need at your fingertips at all times and then choose how you want to view, digest, report on it. I'm very excited about that.

Speaker 1

Well, you're such an inspiration. Any advice to aspiring CSOs or cybersecurity geeks in general, career-wise, professionally, personally? You've had an amazing journey and career. What advice can you give those younger folks out there coming up in the industry?

Speaker 2

It's cliché, but if you do what you love, it's not a job. I think one of the biggest things that we can do as security providers, we can provide value, or security professionals, is provide value back to the business. We're continuously tying our efforts and our accomplishments back to the business initiative. That's how we continue to gain funding. That's how we continue to have respect in the organization. Security for the sake of security, while it's important, it has to be security for the sake of the business, making sure that we keep that front and center and that we're solving problems for our customers, we're solving problems for the business, and that will give us the tools and resources we need to do the job that we're expected to do on a daily basis.

Speaker 1

Fantastic. Well, wonderful advice, wonderful insights. Thank you so much for sharing your time. I know you're very busy, much appreciated. Thanks everyone for watching. Reach out to me or Haim from Gigamon with any questions, feedback. We love comments, replies, shares, et cetera. Thanks so much, Haim.

Speaker 2

Thanks so much. It was a pleasure being here. Thank you. See you next time.