The Cybersecurity Bridge
theCUBE Research principal cybersecurity analyst Jon Oltsik hosts the newest SiliconANGLE podcast, focusing on bridging the gap between cybersecurity and all other parts of tech.
Colby DeRodeff, Abstract Security
Hello everyone. It's Friday. Welcome to my podcast, The Cybersecurity Bridge. I'm your host, Jon Oltsik. And if you haven't seen my podcast, really, really? It's been great. You gotta watch it. Each episode we dedicate to an area of cybersecurity, and we're breaking into three parts. In the first part, we talk about the present of that area of cybersecurity. In the second, we talk about the future of that area of cybersecurity. And in the third, the cybersecurity bridge. How do we get from here to there? And so I've got a great guest today, as I always do, but I'm especially excited about this. So Colby DeRodeff, the CEO of Abstract. Welcome. Can you introduce yourself to our audience?
SPEAKER_00: Yeah, hey, Jon. Thanks for having me. It's great to be on your podcast. And yeah, where are those people that haven't seen it? Um, you know, looking forward to today's conversation. Uh, I'm Colby DeRodeff, I'm the CEO and one of the co-founders at Abstract, and uh really, really excited to be here today. So um looking forward to our conversation.
SPEAKER_01: As am I, I've got tons of questions for you. But before we get into that, are you, Colby, ready to play cybersecurity trivia? Oh man, let's go. Okay. This might be a layup for you, but uh given your background, but uh I'm gonna try anyway. So I'm gonna name some companies that were early entrants in the SIM market. Even I think even before we called it SIM, or we called it SIM, but not SIEM. Tell me which one is not, was not a SIM vendor. So number one, netForensics, number two, e-Security, number three, Network Intelligence, number four, Mazu Networks, and number number five, High Tower Security, and number six, LogLogic. Which one was not a SIM player?
SPEAKER_00: Well, that's um, so I've I guess there's depends on how you defined SIM back then. That was going way back. Um you know, I definitely remember e-Security. We competed against them pretty heavily. I have a very funny story about that. This is back in my ArcSight days. Um netForensics definitely competed against them. Um, you know, Network Intelligence, High Tower, um, and LogLogic. So I'm gonna have to go with my what you said, Mazu.
SPEAKER_01: Mazu Networks.
SPEAKER_00: So I'm gonna go with Mazu was not a SIM.
SPEAKER_01: You are correct. I and I think my guests are on a roll here of getting it correct. Yeah, they were uh a network behavior anomaly. I think some people, maybe even Gartner, called it NBAD. NBAD. They were kind of in the space, so that was a little bit of a tricky question, but you nailed it.
SPEAKER_00: Yeah, and High Tower was I would say High Tower borderline, they were interesting for a little bit. Um, they got acquired by McAfee, right? If I recall.
SPEAKER_01: I don't remember that, but I was definitely throwing you curveballs.
SPEAKER_00: Yeah, you were. I would expect nothing less.
SPEAKER_01: So I've got, like I said, I've got a list of questions. Um, we're gonna talk about Abstract and and security operations, but let's start. Just give me your perspective on what's the current state of security operations.
SPEAKER_00: Um, well, I mean, frankly, it's a mess. Um, I think that over the last you know decade, organizations have just really experienced a tremendous increase in cost and a tremendous decrease in value. Um, and that's you know, through conversations that I have with CISOs and you know, industry folks like yourself and whatnot, um, it it just seems that, you know, kind of the legacy SIEM has really run its course and it's really time for something new. Um, that that's what I'm seeing.
SPEAKER_01: Yeah, and I I was reading through something you sent me, and uh you said SIEM is like Machiavelli. Can you can you elaborate on that?
SPEAKER_00: Well, you know, it's always faking its own death, right? I mean, we how many times have we heard? I mean, going back to probably you know, 2010, SIEM is dead, SIEM is dead, it's all gonna be XDR, it's gonna be this, it's gonna be that, and you know, now we're hearing SIEM is dead again. Um I I don't think SIEM actually dies. Like, I think it's important to think about what SIEM does, and maybe the system that we have all known over the last 20, 25 years is maybe changing, reinventing itself. But it's it's certainly a capability that organizations need centralized, you know, capability within their security operations center. So where is that going to come from? And you maybe it's not even called SIEM, but you know, the the capability still needs to exist.
SPEAKER_01: Well, tell me what's driving that. Is it the just deluge of data? Is it new types of threats? Is it the emergence of AI? Is it all of the above?
SPEAKER_00: Oh, I think a little bit of all of the above, but I think you know it's important to think about what happened to SIEM along the way, right? So if you go back, you know, to the early days, like when we first met, you know, SIEM was really a security tool, right? It was a tool that let you collect all of the alerts from your IDSs, from your firewalls, from your, you know, host-based IDS back when those existed, um, you know, and bring all of that data into a centralized view so that you're not doing swivel chair analytics, right? It was single pane of glass. I mean, a lot of different analogies we used to hear. Um, you know, and what happened, in my my opinion, was compliance came along, and you know, back in the kind of mid 2000s, whatever, 2006, 5, 4, whatever, PCI, Sarbanes-Oxley, you know, HIPAA, these different regulations said, you know, to these organizations, like, you have to collect and store all this data from all these different systems. And that created, you know, that really created what SIEM evolved into, which was much less of a security-focused tool and much more of a regulatory compliance, collect all this data, make sure it's searchable type approach. And what we ended up with was like, you know, massive data swamps of unusable data. You know, it just wasn't being used for anything. But organizations were paying super high tariffs to store this data for years. I mean, some of the regulations were saying seven years that you had to store this data. And I mean, that's longer than we have to store like our tax records and stuff, right?
SPEAKER_01: So yeah, it was it it was crazy. I mean, what I remember was CISOs saying that they dedicate a huge percentage of their security budget to SIEM, and they always blow through it like within six months. And uh, and and that certainly wasn't a good situation. Now you talk about composable SIEM, and I love that because it reminds me so much of what I I saw in 2016 with SOAPA. Um, so talk about what it what is composable SIEM, and throw in the word SOAPA as much as you want, by the way.
SPEAKER_00: Yeah, yeah. SOAPA, um, SOAPA, SOAPA, SOAPA. But you know, I think the idea is really that, you know, going back to kind of SIEM is a capability, right? It's not necessarily an individual product. Um, composable or SOAPA, whatever you want term you want to use, really gives organizations the ability to kind of decouple the fundamental components of SIEM. And so when I when I look at that and what we've done with our platform is we've actually broken apart the key, what are in my mind the the key fundamental um components, which is you know, you have to be able to collect data, right? You gotta get the telemetry. So break out collection, break out detection, break out storage and long-term retention, and then break out the security layer, the interface, the analyst interface, right? The you know, in the old days we'd always call it the console, right? Break out the console, and like that's where security operations lives. You have detection where detection engineering lives, you have data engineers that are leveraging, you know, security data pipelines and storage data lake technologies. And the idea behind SOAPA, you know, or composable, interchangeable words there, really is that you can use different pieces, different components from different vendors based on your architectural or business needs, right? So, for example, let's say you have a large contract with a particular hyperscaler and you get really efficient storage uh you know savings by using that particular hyperscaler and maybe one of their data lake technologies. Why wouldn't you want to use that instead of a you know proprietary back end from some monolithic provider where you're locked in? Right. It's all about really freedom of choice and freedom of architecture and really the ability for organizations to use best of breed technology that fits right for them, right? Not every tech piece of tech is a good fit for a particular business, right?
And some of that could do with their policies, how they're architected, um, you know, who they use for a hyperscaler, what other technologies are surrounding in that ecosystem can drive a lot of you know the fit, right?
SPEAKER_01: Yeah, absolutely. And uh before we move on to the future, I do have to ask you one devil's advocate question. And as we know, there are a lot of very large vendors who would say, well, we do everything in the composable stack or the SOAPA stack. And so just buy everything from us. Um, what's your quick answer? What's what's the danger or what's the um what caution would you have about that?
SPEAKER_00: Well, I mean, I'll I'll give you my snarky answer, which is I think we all saw this play out with Symantec and McAfee back in the 2000s, right? Um, you know, they platformatized, that's a tongue twister, right? Um, you know, starting with antivirus, and they saw, you know, what vendors like ArcSight and others were doing in the SIEM space. They decided they would have a SIEM, then they decided they'd have a web gateway, then they decided they'd have a, you know, an IDS, and pretty much they ended up having an entire suite of basically inferior products to what was best of breed out there on the market. And so some organizations I remember who had large contracts with Symantec would, and this was back again in ArcSight days when I was competing, you know, there in the early SIEM space, um, you know, Symantec would really push their uh their SIEM, which they named ESM also, which was what ArcSight SIEM was called, um, but they, you know, used the name also. And they really pushed that hard on customers that had, you know, kind of enterprise contracts with Symantec. And it really was just not a superior product to what you could get from ArcSight or some of the other um independent, you know, SIEM providers out there. And I really think it goes back to like a Switzerland type approach where you really want that independence if you want to have you know best of breed capabilities in your organization.
SPEAKER_01: Yeah, I'm with you. Um the way I always answer that question is though there will there will be some smaller enterprises, some SMBs who uh platform fits, but if you're a large enterprise, uh the threats are going to be very diverse. And IT, and especially with AI development, um, is going to run faster than your security platform can run. So you need those specialized detection engines, you need um data pipelining because you need to keep up and and and you'll have to do that independently. But let's move on to the future.
SPEAKER_00: Um Jon, one one other one other quick point on the on the SOAPA architecture that I failed to mention. Um, and one thing that I think is is a real driver of it is you know, the the idea of only having one detection engine, right, is silly, right? You you might want to get a best of breed detection engine that's doing you know statistical and anomaly detection, and then another one that's doing you know more of the uh you know logic-based detection, right? And and maybe another one that's doing more, you know, insider threat potentially detection, right? UEBA type stuff. Having the flexibility to plug in different analytical capabilities into a common data fabric just gives you so much more opportunity, right, for really increasing your threat coverage.
SPEAKER_01: Yeah, I totally agree. And we see that we see innovation in that area. So we see cloud detection and response, we see identity detection response, data detection response, browser, and they're going to be very focused on a particular area, and but somehow you have to pull all that together. And I don't mean centralized, you need a global view. So I think you're you're right. Um, but let me move on to the future. And I mentioned AI briefly, but you haven't talked about AI. What role does AI play in the composable SIEM?
SPEAKER_00: I mean, I think it's you know, I I typically don't lead conversations with AI because I think at this point, in my mind, AI is a given, right? It's just really, if you're not using AI in any part of what you're building, you're really kind of you're missing the the capabilities and and the opportunity to make the users' lives easier. So from my perspective, the way it works is AI is embedded into all aspects of composable SIEM, right? It's I want AI to help me with data collection. And how how does how can it do that? Well, AI can normalize data for me, right? It can map data to schemas. It, you know, if you take a well-documented schema like an OCSF or you know, a uh you know, ECS or any, you know, you name it, as long as there's like generally enough documentation on the schema, AI can really be a powerful asset in normalizing um you know telemetry data to these schemas. And you know, we've seen, you know, I going back in the old days, you know, I spent a lot of time categorizing events uh manually. I mean, we built a little application in Perl that helped us like categorize events, but I mean you're talking about you know normalizing and categorizing events from hundreds of vendors with hundreds of event types each, like that is a massive undertaking and you're bound to make mistakes. And we did, uh, for sure. And you know, AI is definitely helpful there. Um, you know, when you're doing things like analyzing which data I might be using for detection versus just reporting or compliance, like I can make decisions on data routing, where I'm gonna store particular data using AI. Um, you know, and then when it comes to like security operations, all of the capability that AI can help with there from a triage and you know alert perspective. So I think it's really baking AI in where it makes sense to make the job easier for the human.
SPEAKER_01: Yeah, I agree. And you wrote about AI in investigations, triage, response, analytics workflow, and you you kind of covered that. Anything else you want to add?
SPEAKER_00: Well, I mean, I I think it's interesting, and maybe we'll touch on this a little bit with kind of all of the activity around AI SOC. Um, you know, that's a pretty hot topic these days. Um, I'd kind of love to hear your thoughts on on that, um, where you see that going. But I have my own opinions, um, which I'm happy to share. Yeah, go ahead. Yes, you're my guest. All right. Well, I mean, I think if you look at AI SOC, um it's getting a lot of attention right now, as I mentioned, a lot of funding from venture, right? Um and really it seems to be going very much down the same path that SOAR went down um about a decade ago. So, you know, it's always it's funny, right? How how things evolve. A lot of a lot of innovation and startups are formed when a larger platform is missing a capability, right? So, you know, Oracle, great example, right? They they built a fantastic database back in the day, and there were capabilities that were missing from their overall platform. So, what did they do? Other entrepreneurs went out and built those capabilities, and then Oracle acquired them and rolled them into the platform. Same thing happens in security, especially with SIEM being this SIEM being like the center point of security operations, right? This focal point. Um, you know, SIEM was really missing a response capability, right? So a lot of organizations, a lot of smart entrepreneurs went out and built the first generation of SOAR. And you saw companies like Phantom and Demisto and you know, Siemplify and others. And all the SIEM vendors looked back and said, Oh yeah, that really makes a lot of sense. Why wouldn't that just be part of the larger platform? And then what happened is all those companies got acquired and rolled into SIEM. So then you have the next generation of SOAR companies, you know, get started, right? You have the Torqs and the Tines and you know, folks like that that are doing fantastic and really um have brought that capability to the next level.
Um, and now they're leveraging the the benefits of AI. And you have AI SOC companies who have just been started recently doing very focused on you know the alerts, triage, the detection, investigation pieces, the hunting. Um and to me, that is not a standalone platform necessarily, right? To me, that is a capability that you want in your larger central focal point of security operations because all of those products, in my mind, independently um without data, are just going to be an additive thing to your overall security operations program, right? They need the data, so they're only as good as the alerts that you send them, right? And so that's where it makes sense for that to be part of this architecture, right? And again, in a composable architecture, it doesn't mean that you have to use the AI SOC tools from the vendor that's giving you, you know, the data or that's giving you the other pieces. You can compose, right? You can build with best of breed and plug in the stuff that makes sense for your environment.
SPEAKER_01: Yes, uh, and as an analyst, and I'm sure just an industry, we would always say that's a feature, not a product. And uh and what you're describing is an AI feature, not a product. Absolute important capability, but doesn't necessarily have to be standalone. So um we're kind of on the cusp of talking about the cybersecurity bridge, but one more question. How much in the future, how much do you think the SOC is automated? Um, what does the composable SIEM do for skill sets, any new skill sets that are needed? If you could just kind of give me your thoughts quickly on that.
SPEAKER_00: Yeah, so quick thoughts. I mean, I think more and more is automated every day. Um, from a skill set perspective, I think you obviously need skilled engineers to be responsible. Um, you know, call it keeping the AI in check. Um, you know, oversight, but maybe not doing as much of the hands-on work that was being done before. Um, it's just like writing code, right? You can have AI generate code for you, but if you don't know what you're doing, you don't want to run that code in production. Um, it, you know, it's full of hallucinations and all kinds of crazy stuff. And so you still need to actually understand how computers work in order to leverage AI coding tools. Um, from you know, if you want to write real performant production level code, right? You can spit out a bunch of garbage, but um, it's gonna be the same in anything. Like you still need the human who actually understands the outcomes that you're looking for. And so, from a data engineering perspective, right, with pipelines, like maybe you don't need to hire, you know, 50 data engineers, but you still need some data engineers that are responsible for the system, right? To make sure that it's working. From a detection perspective, same thing. Are you really going to turn over all your detection logic to AI? I don't think so. Somebody needs to understand what threat you're looking for, right? They need to understand the threat landscape in order to tell the system what threat logic to build, right? AI is not going to know that by itself. And then from a response perspective, right? I mean, helping with triage, yeah, you're getting some, you're definitely getting like skills benefit, right? Force multiplication when it comes to your team, um, removing kind of the redundant tasks, right?
SPEAKER_01: Yeah, absolutely. And uh I think that's a great way to look at it. I think you wrote that AI is an enabler, it's not a replacement for humans. Uh, and I couldn't agree more. But let's move on to the cybersecurity bridge, how we get from here to there. So, one issue that I'd really like you to address is complexity. So, someone could say, ah, composable SIEM, that's gonna be a lot of products. I have to do custom integration, I have to learn all these different products. What do you what do you respond to someone who thinks that?
SPEAKER_00: Well, there's there's different approaches, right? Some organizations really love to build. Um, you know, they love to architect things themselves and they love to piece things together and you know, leverage a lot of the uh open source tools that are out there, which there's fantastic, you know, software developed by the community. Um, and for them, this idea of composability like really resonates, right? They're like, oh, cool, I can use my my Kafka queues that I already have, and I can hook those into the data lake and I can build on top of that with this, and they love that. Other organizations are like, I don't want to touch any of that stuff, just give me a turnkey system, right? And so that's the beauty of what we've built at Abstract is not to go vendor pitchy here, but the idea was always you can break it apart or you can just have the whole thing, right? And that that's really the idea behind composability.
SPEAKER_01: Okay. Um talk about the data deluge. So you talk your data pipelining, if you can elaborate on that a little bit, because there's just so much data that's security data now. And as you say, some of it's more valuable than other data. And so moving from the present to the future, how do you determine what data to collect? Where to how to route the data? Do you need data engineers? Just kind of random thoughts on on those topics.
SPEAKER_00: Yeah, well, I I think first of all, it's really having a data strategy, right? Um, is where it all starts. Understanding what is the business outcome, what is the reason I am collecting this data, right? We can't live in a world where you know you have a conversation with somebody like, what's what's your business case? Well, I want to collect data from all these 250 different sources. Okay, well, why do you want to, why do you want to collect that? Well, just because I need to. And it's like, okay, that is, you know, I like to jokingly, I like to call that the log lemming approach. It's like, you know, I'm just gonna do it because I heard that I should, right? It's that is not a data strategy. What a data strategy means is you're understanding the business outcomes on the right, and that determines what you do with the data on the left, right? So having the ability to take individual data sets and fork them to different destinations based on use case is what really starts to give organizations the ability to implement a data strategy, right? And so you start thinking about what do I use this data for? Is this data useful for detection? Like take Windows logs, for example. There's probably like 10 events, 10 event types that are useful for actual detection work, right? You're looking at authentications, privilege escalations, account changes, things like that, right? Very useful for detection. Then you have all the just application logs that are being generated on a constant basis that tell you absolutely nothing, and no human even understands what those events mean. Sure, you might want to have those if there was a breach on that system, you might want to look through everything that happened. Fantastic. So when you have that stream of Windows events, why not take the ones that are useful for detection, send those into your detection engines?
And you know detection engines are running at higher compute ratios, um, higher storage costs for quick access to data, et cetera. So take a subset of the data, send it into that very expensive infrastructure, and then take the bulk of it, which you're never even going to look at, and send that into object-level storage where if you need access to it, you can access it, but it's not clogging up the pipes.
SPEAKER_01: Yeah, that's good. Good advice and uh kind of dovetails into my next question, and that is pretty uh dogmatic debate in our industry. Is the future of security operations centralized or is it distributed? What's your feeling?
SPEAKER_00: Oh boy, this that's a that's a hot button one right now, Jon. Is it federated? Is it centralized? Exactly. How about how about my answer is it's both? Um, I I think again, there is no cookie cutter answer to this. It's not a it's not an either or, quite frankly. It's a again, what is the business outcome? What's the data? What makes the most sense from my operating environment, right? So I think there's some value in federation. Um, you know, like one of the things that I've always fundamentally believed is that you should try to run analytics as close to the data source as you can. And that closeness depends on what you're trying to do. If I'm running analytics on just simply one data source, like my Windows logs, well, I want to run it as close to my Windows logs as I possibly can. Efficiency, speed, MTTD, all of those good things. Now, if I want to correlate my Windows logs and my firewall logs, I need to get those things kind of near each other in order to do, I mean, you could do search-based correlation that's going to have delay and you know, 10-minute, 30-minute lag. But if you want to do like streaming, actual detection in real time, those data sources need to converge a little bit so you can do that analysis cross-stream. Um then you have the geopolitical aspect of all this, right? Which is some data and data residency, right? Some data can't leave certain areas. So you need to do your analytics, and that data needs to be stored, you know, in a particular geography, right? Like maybe it can't leave the EU, um, you know, or it can't leave a particular country, you know, in the Middle East or what have you. Um, and then you have data that, you know, is in the US, and you don't want those things mixing, except for maybe certain alerts that need to bubble up across um, you know, things like that. But um I I really think the answer and what you know our thesis at Abstract is is that it's both.
And that's you know, really the flexibility that we give our customers is the ability to make the right choice for the business based on their data strategy and their business outcomes that they're looking for. Um there's you know been a lot of debate on the federated um, you know, thing lately. And I I've been really digging into what would a 100% federated environment look like. And what, and I I first of all, I don't think a 100% centralized environment necessarily makes sense anymore, right? With the way things are distributed, um, you know, on-prem, multiple clouds, like you don't want to be moving data between Amazon and Microsoft and Google and back and forth and all across. I mean, you pay tremendous data transmission costs to do that, right? Um, and so in a world where you're kind of dual-honed, you know, partially federated, partially um, you know, centralized, I think makes the most sense. Um, and as I dug into like fully federated, I just think there's there's a lot of pitfalls there, right? Um happy to go into some of those details of of what my thoughts are on that, if you'd like.
SPEAKER_01: I'd love to, but we're we're almost out of time. Uh my my quick uh response is yeah, I I I totally agree with what you were saying. So I think distributed analytics, distributed data, centralized visibility, and centralized investigations, meaning the ability to bring all that data together. So before I I let you go, let me ask you a couple quick lightning round questions. Oh boy. So if you can keep your just keep your responses as as tight as you can. So um the role of uh MITRE ATT&CK in your composable set.
SPEAKER_00: Yes.
SPEAKER_01: Yes, I'm just kidding.
SPEAKER_00: I can give you a longer answer. I was just kidding. Um I was I was for the lightning round. Um look, I think MITRE ATT&CK has relevance, of course. It from my perspective, it's it's really the you know, the ground truth on your detection coverage and how you map and manage threats. So absolutely relevant.
SPEAKER_01: Okay, context. What's your what's your feedback on context?
SPEAKER_00: More. Um gotta have context. So I I think it is absolutely crucial to be able to leverage, you know, asset identity, vulnerability, threat, um, you know, all of this kind of context when you're dealing with your um operating environment. Um, and everybody's operating environment's different, right? So you need context specific to your organization. And is that part of your pipelining? In a way, uh, it's really it does come through pipelines, but it's it's stored and treated differently, right? So it's more of a model-based approach on context.
SPEAKER_01: Got it. And um and then uh shifting left, sort of predicting instead of reacting to threats, predictability. Do you see that in the future?
SPEAKER_00: I mean, I I think that that is something that as an industry we all need to be striving towards um getting better. We've we've for 25 years we've been reactive, right? Um 25 years is how long I've been in security, and it's been reactive the entire time. Um, I think figuring out how to get better predictability. I think some of the research I see coming out of you know the intelligence groups is promising. I I do think we've made progress in predictability um with looking at early warning indicators. Um, but I think getting better and better about that, and it's become more important as you know, the adversaries are leveraging, you know, AI tools, they're moving faster. Like we got to get ahead of that. You know, we we really can't be sitting behind the eight ball on those things.
SPEAKER_01: Couldn't agree more again, and uh, I'm doing the same type of research into what's going on in the threat intelligence world. So uh really easy question. Will you be at RSA?
SPEAKER_00: Absolutely, wouldn't miss it. It's been uh what, I don't know, since it used to be in San Jose every other year. So it's been a while.
SPEAKER_01: This is my 20th, uh, and I will be there too. So final question I ask every guest um what's the one piece of advice that you'd give to cybersecurity professionals around SOC, SIEM, composable SIEM, your choice?
SPEAKER_00: Honestly, I would say get comfortable with being uncomfortable and you know, get your mind around, you know, getting into a more modern architecture and a more modern capability set than you know what you've had to put up with for the last two, you know, two decades.
SPEAKER_01: That's great advice. And I would imagine that uh the architects who can take their organizations on that journey um will have great opportunities.
SPEAKER_00: Absolutely, 100%.
SPEAKER_01: Well, Colby, it's been a delight talking to you. This is uh, you know, it's SOAPA's 10 years old this year, and so I'm passionate about it and and our our thoughts are aligned. So thanks very much for being a guest on my podcast.
SPEAKER_00: Absolutely, Jon. Always great chatting with you, and uh look forward to seeing you again soon at RSA.
SPEAKER_01: Yeah, I'll see you at RSA and everyone else. I'll see you in two weeks with another edition of the Cybersecurity Bridge podcast.