mnemonic security podcast

Security Validation

September 07, 2020 mnemonic
mnemonic security podcast
Security Validation
Chapters
mnemonic security podcast
Security Validation
Sep 07, 2020
mnemonic

How can we prove cybersecurity effectiveness?

With USD 124 billion being spent worldwide on IT security last year alone, it's no wonder this is a question many would like the answer to. However, finding a quantitative metric to evaluate security investments, outside of positive effects like diminishing risks and reducing the amount of bad things happening, is not straight forward.
 
To help us navigate this question, Robby is joined by someone with a lot of experience making security investments effective. Brian Contos has a long list of merits after his more than two decades of experience working in the cybersecurity field. He has also written several security books and is an award-winning podcaster. Brian is now CISO & VP Technology Innovation in Mandiant Security Validation, also known as Verodin, a business platform for measuring and managing cybersecurity effectiveness.

Technical level: 1/5

Host: Robby Peralta
Producer: Paul Jæger

https://mnemonic.no/podcast

Show Notes Transcript

How can we prove cybersecurity effectiveness?

With USD 124 billion being spent worldwide on IT security last year alone, it's no wonder this is a question many would like the answer to. However, finding a quantitative metric to evaluate security investments, outside of positive effects like diminishing risks and reducing the amount of bad things happening, is not straight forward.
 
To help us navigate this question, Robby is joined by someone with a lot of experience making security investments effective. Brian Contos has a long list of merits after his more than two decades of experience working in the cybersecurity field. He has also written several security books and is an award-winning podcaster. Brian is now CISO & VP Technology Innovation in Mandiant Security Validation, also known as Verodin, a business platform for measuring and managing cybersecurity effectiveness.

Technical level: 1/5

Host: Robby Peralta
Producer: Paul Jæger

https://mnemonic.no/podcast

Robby Peralta :

Alright, Mr. Contos! Thanks for being here.

Brian Contos :

Good morning. How are you?

Robby Peralta :

You know what, before you introduce yourself, I just want to tell the listeners about all the great things that you've been you've been up to, you've been a part of - scrolling down your LinkedIn here. AT&T Bell Labs, Arcsight, Imperva, McAfee, Solera Networks and Bluecoat, Cylance. Is there any companies that you have not touched upon in your lifetime?

Brian Contos :

Another way of saying that is Brian, you can't seem to stick to a job very long.

Robby Peralta :

People keep buying you it seems like. Well, that's a that's a good thing. You're doing something right.

Brian Contos :

It's been fun. It's been a little over 25 years and you know, a lot of fun. Usually I get in very early, usually one of the first few employees and, you know, build them up to acquisition or IPO in some cases both. In Arcsight we went public and then got acquired. But it's been a great ride. And I've been very blessed that some of the people that I've been doing this with building these security companies with, we been together for two decades. So it's, it's been really, really a lot of fun.

Robby Peralta :

But, um, any other general introduction yourself? Would you like to start with that or?

Unknown Speaker :

I've been doing security for a long time. I actually started with DISA, the Defense Information Systems agency, and that's right, sort of indoctrinated into cybersecurity, if you will, in early days, and been building companies since then. I've traveled quite a bit. I used to cover emerging markets. So I've been to over 50 countries. I've ran a couple books. I was in a cyber war documentary with General Michael Hayden, former director of the NSA and the CIA. And so I've got to do a lot on sort of the public sector and private sector, both domestically and internationally. So all that to say this I've had, I've been to expose to a lot of really, really smart people. Some of that, fortunately got to rub off on me, because I'm not very smart. So I think what they tell me and just make it my own, Well, it's an honor to have you here, you're, I'm been really looking forward to this chat. And so today, we're going to talk about ROI and security, which is very, I mean, I've been working with security for only five or six years, and I've not been able to ever, you know, come with like a golden rule of thumb for ROI. So, I've heard that a rule of thumb and security is usually around 7 to 10% of the total IT budget. And according to some of the figures I've seen recently, they said that worldwide spending on IT security in 2019 was $124 billion. And my question to you is then with all that money being spent, why why am I still sitting here with a job in cybersecurity. Why isn't this solved yet? You know, the funny thing about ROI for cybersecurity is it's it's always been kind of squishy, and that it was never based on quantitative metrics. It was very qualitative, which really made it more like ROS return on security investment, which is all about diminishing risk and reducing the chance of bad things happening. And that's okay, that's not a bad thing. But those measures were predicated on the fact that we never really had a way to measure the effectiveness of the security controls we're investing in. So what I mean by that is when you start talking about ROI, and cyber, if you look at security investments, you know, seven to 10%, whatever it is, and then you look at the amount of effort that you're spending resources to make those investments effective. The result we figured out does not necessarily equate to security effectiveness. So no matter how much I'm spending and how much time and effort I'm putting into it, it's not necessarily making my controls effective. So I actually think that the traditional or legacy paradigm about trying to calculate ROI for security is, is broken. It's a broken formula. And that's been represented a number of studies that we've done in other organizations that have done that have basically shown that a lot of organizations, they're lucky if they're getting, you know, 30 - 40% value from their investments, and that's a horrible rate of return.

Robby Peralta :

And value I guess we're gonna dive more into about how you calculate the the value of security. But the reason that I came in contact with you is you are one of the founding members of Verodin. What challenge were you seeking to address when you started that venture?

Brian Contos :

Yeah, I think one of the core items so when the two core founding members of the company approached me and said, hey, we've got this idea. They were finding that they're going into customers big and small public sector, private sector, domestic International, and security was primarily based on assumptions. Organizations were assuming that their endpoint security controls were working, their email security, their cloud, their network security, so on so forth. Furthermore, they're assuming that their employees know what to do, they've been well trained, and that the processes they follow are actually effective. So when you look across people process and technology was a lot of assumption based. What we're lacking was an evidence based approach to security to prove that these controls are effective, and there was a big gap there. And most organizations, if you ask them "Well, how do you know if your security tools are working"? Well, their answer will be well, we do pentests, and we do some red teaming, we do some vulnerability scanning, we do some patching, and those are all good things. I'm not saying those go away. But not one of those things, actually validates that your security tools are working. So instead of an assumption based approach, sort of the founding idea behind what we're doing was an evidence based approach where you can prove the efficacy of the security controls of the people and the processes within your environment. And that it seems like a very simple thing. "Hey, I just want to make sure the stuff I have works". But there simply wasn't a way to do that in the past. And that's that's what ended up becoming Verodin. And more recently, now we're called Mandiant Security validation. We're underneath FireEye umbrella.

Robby Peralta :

How do you how do you validate? How do you provide that value? How does it work?

Brian Contos :

So the product is basically broken into just two parts, an actor or actors rather. And then a director, the director is a management console. And then director is where you'll integrate with threat intelligence feeds, you'll add different attacks through third party databases, you'll have, you know, pull in PCAPS, you'll write your own attacks. It ships with tons and tons of sort of analysis and tests that can be done across various behaviors. That's kind of the heart and it also has reporting capability. And then most importantly, it has API integration with your defensive stack. So think of it this as you have this central system. That's pulling in all this threat intelligence information, all this attack and behavioral information. And then it talks to your firewall manager, your SIEM, your IPS manager, your endpoint managers, all your tools, all your management devices, right, not the endpoints themselves. But the thing that manages them, not firewalls, but the firewall Management Console. So that's, that's piece one of two. The second piece is they're called actors. And this is where it gets really, really cool. So actors act as both an attacker and a target. And they're self contained entities. You don't deploy it on your laptop, your firewall, your database, your web server, they're self contained, typically a virtual machine can be a dedicated piece of hardware can live in the cloud as well. Now, these actors are deployed throughout your environment, you have some in your DMZ, your user zone, your server zones, your partner zones, all these different zones within your environment, some in the cloud, etc. The actors only attack each other and in doing so, they're measuring the efficacy of the security controls for which they pass. So for example, when actor A attacks actor B, we know if the attack got through or not, because we're attacking ourselves, so there's no false positives. Furthermore, we can say, hey, it wasn't blocked, but at least was it detected. So because of that API integration with the director that I mentioned before, we say "Hey, you know what it got through your Palo Alto firewall, but it was detected by Snort. And then from Snort, did it go to Splunk. And then from Splunk, did it actually create a correlated event. And then from there, did it create an alert that a human can respond to". And you can apply these same type of tests across endpoint and email and network and cloud measuring prevention, detection and response. And the thing that's really core to it is we didn't want to create like the next vulnerability scanner, the next firewall, the next SIEM, we actually wanted to create something new in cybersecurity. And this was that new thing. It's not next gen of anything. It's not a firewall that turns red or a firewall that turns green, it's actually a new way of testing and validating. And it's not checking to see if Oracle has the latest patch. Or if Apache has this vulnerability. It's testing to see hey to Checkpoint or Palo or Arcsight, or Splunk, or Snort, or Cylance or FireEye did these products do what they were engineered to do, and they didn't do the right thing, it will tell you prescriptively "Hey, this is the hole, this is what we found. And these are configuration changes you can make to fix that". And the whole process can be automated, which is really nice. The way I kind of walked through is a little bit manual. You want to test these 10,000 attacks or these 5,000 attacks, but you can say I want to run 10,000 behavioral tests every single day. And this is my expectation that they're going to be blocked, they're going to be detected and they're going to create an alert. Now if one of those things stops working, I need you to let me know right away so I can manage by exception. So it's purely there to test your security controls, not scan for vulnerabilities, not do a pen test, anything like that.

Robby Peralta :

Wow. I am, I'm speechless. That's such a cool, such a cool method of doing it. And I can imagine there's so many benefits to using that sort of product. So your customers, I'm looking for some success stories here. What are they doing with the output of this technology and this sort of this way of doing things?

Brian Contos :

know, it's, it's interesting, when we first started the company, we, our minds thought that this would probably be a really powerful solution to augment red teams. People didn't assessment and pen testings and red team work very quickly, like within a few months into the company, we found, oh, yeah, red teams really do like to use this, but more importantly, Blue Team teams, because they want to validate their tools. And as you know, in the last couple years, this notion of purple teaming ha increased in popularity as it should mean that the red teams and the blue teams are working together more cooperatively. So one of the use cases we saw early on as people would say "look, we we do a pen test every six months or every year or something." And the pen test crew, whether they're internal or external, they run a bunch of tests, they'll create a report, you know, some 500 page tome, they'll drop on the desk, and they feel really good about themselves, because they found some holes, and they've sort of earned their keep, if they will, they kick it over to the blue team, and the blue team goes, you know, we just don't have time to get this stuff, we're just, we're just not going to do it. We're busy fighting other fires. So this red team comes back six more months, six months down the road, or 12 months down the road, does the same test. And pretty much all they need to do is change the date, because nothing's changed nothing and we are stuck in this vicious circle. So what we found out very early on is one of the key use cases was you could actually measure the effectiveness of your security controls, working cooperatively with the blue team, and then the blue team could actually make those changes and adjustments and then the red team can revalidate to make sure that those things were working. All of that can be automated. So that certain Have the basic things like testing and validating against different types of attacks. And whether it's command and control or malware or data exfiltration, or lateral movement, you just name it - that can be automated now. And now they can really focus their energy on testing other areas of the environment getting much more detailed. So it allows the red team to scale and allows the blue team to be more effective. So that was a key use case. Another one that was interesting that we didn't see. So that was that one was relatively obvious. This next one wasn't as obvious. We're working with a US government customer. I can't tell you exactly who they are. But they're a very large federal government agency. And with under this agency, there's lots of sub agencies and their main problems actually more people in process than it was technology. So they leveraged the Mandiant security validation to run tests on sort of a semi-continuous basis in order to continually train their employees. To make sure that whether they have somebody that has 10 years experience or somebody that just has 10 weeks of experience, they're constantly getting exposed to these different attacks narrows as you're coming through the environment. And with Mandiant security validation, you can actually run these attack behaviors in transparent or clandestine mode transparent meaning, Hey, I know it's coming from mandiant or clandestine, which I don't I don't know where it's coming from. So then your folks in the SOC, you know, they treat it like a real attack. But in doing this, they're continually practicing. They're continually training, and they're following the processes and they're accessing the tools they have, and they're leveraging the training that they've been given. And it quickly starts to identify holes like wow, Bob's responding in like five hours. But Betty responded in like five minutes, does Betty have more training, access to better tools, visibility into other things that Bob didn't? Is the process broken? So they're continually making these tweaks and modifications, but what they found now, by doing this when a real attack happens, because they're continually training it's kind of like somebody Gotta go play in a, you know, in the World Cup, they're probably not going to sit around drinking beer watching TV all day long for the three months leading to the World Cup, they're probably going to be out there training. Well, this is a thing that's happening in cyber, this government agency said, we're training all the time. So when the real thing hits, we do this every day. We do this every day. And we know how to deal with this. Our processes are fine tuned, our technology is is all up to par. And our people know how to react and how to respond. So the whole people and process thing took us, you know, as one of those things were said, Well, maybe this is an isolated case. But that really started becoming much more popular as we went forward. And the whole idea of validating tech, great, we get it, but also people in process and to help improve them that really fundamentally sort of changed the way that we approached it and we're able to create different reports and dashboards to help you measure effectiveness of those areas.

Robby Peralta :

Hmm. Wow. So and I mean, the red team and the blue team - it's it's all in the same product? They have their own dashboards and they kind of can work together in that way, correct?

Brian Contos :

team's blue team's auditors, auditors, first for CSOs and CIOs, we even have specialized sort of business centric views for non technical non security individuals that need to have some type of a sort of visibility into the state of cybersecurity. They don't need to know the bits and bytes of everything, but they need to know Are we trending up or trending down? A great a great example of this is art coviello. He is the former executive chairman of RSA. Now he's he's part of some other organizations. But one of the things that art said to me early on when we started this company, why he was so excited about it. He eventually joined the board. Art said, he goes, look, I sit on the board of a lot of publicly traded companies, Brian, and he goes, I can tell you right now that the most powerful committee on a publicly traded companies board is now The audit committee of all the other committees mergers and acquisitions, and, you know, payroll, and it's the audit committee. And he said, this committee has stopped asking people responsible for security. Our Do we have security tools in place to mitigate risk? Because the answers are always the same. Of course, we have security tools in place to mitigate risk, and give me another box of money, because we need to buy more and hire more and train more. So now what they've started doing is asking, Can you prove to me that the security controls that we have in place are actually working? And furthermore, can you provide me evidence showing why you need this budget increase why this can't be covered by something else we have. And what happened there is we've we've led to a point of maturation security, where security is being treated more strategically. And as such, the demands upon security practitioners that are much higher, they need to be able to prove with evidence that the security controls are working or they're not steps that can be taken either to improve them or maybe they need to be replaced or retired etc. So this maturation is very similar to like a VP of sales, a VP of Sales has to be pretty close to spot on in terms of how much money is coming in. The CFO hopefully knows how much money's in the bank. You have to follow how much money is in the bank. He goes well, we do PCI audits, and we did a vulnerability scan where patching stuff, probably not going to be your CFO very long. So there's there's now this responsibility upon security practitioners and leaders of security groups CSOs, etc. To be able to communicate to executives to boards to auditors, with evidence clearly outlining This is what's working. This is what's not working. And these are the steps we need to fix it and perhaps there's dollars tied to that etc.

Robby Peralta :

Hmm. And I'm sure that there's going to be a couple CISO's listening to this podcast. They're hearing what you're saying right now. They've been in a position where they've received those tough questions like " Can you can you prove to me that this money I'm giving you is effective?" And yeah, that must be it. But I'm sitting here wondering, is it even possible to actually answer that question without like the technology that you've helped to develop? Like, is it even possible?

Brian Contos :

I really don't think there is a way I mean, you can, you can run vulnerability scans. And you can look at the juxtaposition between, I've scanned for x vulnerabilities and I've patched y and here's the difference z. But that doesn't really tell you anything about your security controls. And if all you're going to do is scan for vulnerabilities and patch, then why are you buying security controls in the first place? Right? Don't you want to make sure that you're you're getting value, and we we did an assessment or a POC for a customer and very, very, very large organization. And again, these numbers don't really matter if it's large or small. But we went in there we found roughly about 20% of their security controls were working the way they expected, either preventing, detecting or responding across email endpoint network cloud, it didn't really matter what event. And we sat in a room and we delivered the output of our proof of concept. We deliver a report at the end of our POC, which generally lasts about a week or two. They're relatively quick. That's it. Yeah, deploys fast, it's easy to learn. It's really we didn't you know, we learned a lot from our days in the sim space where pscs took a year. So we we sat down, we said, Look, here's the results. It's all facts. Base fact fact based and the security team I working for this organization. They agreed, yep, this is this is what they found. And they had a CSO, and a CSO, and they both looked at each other. And they said, So guys, how can we spend another penny on new security tools? If we're only getting 20% value out of what we've already got? And they didn't do anything wrong? It wasn't they didn't have it wasn't that they had bad tools or bad people? what they what the issue was is they never had something in place to help them measure the efficacy of their tools. They You're never able to test. And I think back to my early I was at arcsight for about seven years. And so I got to kind of see that evolution of sim in the early days. And if you take sim for example, so many things have to be right for your sim to work your time. So your NTP Are you getting the logs correctly are they being parsed properly Did somebody update one IPS not the other. So, they have different log formats was the rule written properly the aggregation the pattern discovery, volumetric and temporal analysis, it goes on and on and on a lot of infrastructure and a lot of configurations have to be right to start getting value. So we see most customers are hardly getting any value out of sim for example, because of this. Now, you can say I want to run all these tests as they relate to insider threats or data exfiltration or command and control you name you name the category or I want to test very specific attacks, var tracks and bottlenecks and, and, you know, Apache struts or whatever the latest thing is, I want to validate controls are there. Well, instead of building a rule in your Sim, or configuring your firewall or configuring your IPS based on what you think might happen, you're actually running these real attacks, but you're running them safely, because they're going after the actor and you're doing it in your production environment. So that's a powerful thing. I'm safely executing real attacks in my production environment. And based on that, I can tell you, if Bartle x enters my network, this is exactly how my firewalls, my IPS, my DLP my sim and everything reacts good or bad, this is what's going to happen. And if they're not doing what I want, now I can configure them to make sure they are and that once they're configured, I want to automate that to say now I'm stopping part elects, I'm detecting bottlenecks. I'm generating a rule that's going to fire based on bottlenecks, and I'm going to test this every single day or every hour every week. Whatever you want to throw automated process ever stops preventing bottlenecks or detecting air or alerting on it, then I need to know then you need to make me aware of what's happening. So I can manage by exception. Now multiply that times 1000 or 10,000, or 20,000 different types of attacks. Now you actually have a sim that's providing value. And that's that's the big thing. We, you know, we we just released our 2020 security effectiveness report. And we've done this a few times over the years. And on average, what we're finding and again, this is across all types of products, all types of customers and verticals etc. Prevention's working about 33% of the time, detections working about 26% of the time, and hold on for this one. alerting, working. That means a Sims firing a roll 9% of the time. And it's not because people have bad products. It's simply because you've never had a way to validate and optimize your security tools. And that's a big part of what Mandy and security validation does. It's not just saying here's the holes, it's saying, this is how you fix the holes. This is how you improve and make your systems better. And this is how you keep them better in perpetuity by using these automated Testing over time, but 33%, prevent 26 detect and 9% alert. Those are horrendous statistics. And it's only that way, because we've never been able to look at it before. And I tell every customer going in when we started to see the baby is going to be ugly, and it's not your fault, but the baby is going to be ugly. So prepare yourself for that. Secondly, don't treat this like a pen test. Don't treat this like a security assessment. It's not, we're simply validating the effectiveness of your security tools and giving you a roadmap of how to improve. And we did this for one of our customers that was running Palo Alto firewalls, which I think are great firewalls, but they have to be configured properly. To run effectively, just like any other security tool, they're getting about 20% effectiveness within the three or four days of the PLC. They increase that to about 85 to 87% effectiveness with just basic PLC type tuning. That's a huge gain. And I don't know what they spent, let's say they spent a million dollars. That's a huge amount of money. That was very Gain just from doing that limited PFC. So there's there's real dollars and real savings that can that can be found. And the other side of that is Jay lake. He was the former seaso over at Blackstone, and very early customer of ours. And he said, Look, I love the validation, optimization, testing, reporting. Great. Let me tell you what I really, really like about this solution. He says within the first few weeks of running veriton was called Baird and back then before we changed our name to Mandy, and security validation. within the first few weeks, were able to identify over a million dollars worth of product that we no longer needed, that we could safely remove from our environment and take that money now and reinvest it in other areas. He said, Brian's never pull out security products, because we're afraid maybe it's doing something we don't know about. Maybe it protects this one thing that does this one thing that we're not thinking about or we inherited, who knows? But now with validation, I can test and say you know what, these are unnecessarily redundant. Sometimes you need redundancies, but maybe this is an Unnecessarily redundant solution that I'm paying maintenance for, um, you know, it's taken up Rackspace and all the other services that go with that I have to train people on it and everything that goes with that. Let's get rid of that and invest in more training or more people, or new products that we can replace, which is why a lot of customers actually use us for testing controls during proofs of concepts. I'm going to look at five different DLP solutions. I want to know them with real data exfiltration attacks in my production environment and see how well they do. And more to the point if they're not doing what I expect, how hard is it for me to tune them because maybe for my team, their skill set is maybe better suited for product B, because product a well, it's maybe a better product, pound for pound, it's a lot harder for them to get it to where it needs to be. So that's a it makes security more reasonable in real life, if you will, because now you're basing these decisions on you know, the facts, the evidence, not these assumptions that we've looked at before.

Robby Peralta :

Wow, well, if I was a CISO I know the first thing I would do right now with my money. But what speaking of that, what is the first thing that, customers typically do? You mentioned roadmap a little bit before. Now that you have all this information, do they start testing their products? Or do the look at processes, like what's the first thing they end up doing with output?

Brian Contos :

you know, the first thing that I see folks usually doing is that they'll have a couple key use cases like hey, we want to make sure that our perimeters secure or we want to make sure that we're safe from data exfiltration or we're acquiring this other company. We want to make sure that before we connect them to our environment that we're validating, are there tools, that's a real big one, actually, especially for organizations that go through a lot of M&A. We see that a lot of financial services sector but you know, if you look down the sort of the the list you know, I want identify my gaps I want to prescriptively tune, I maybe want to map my control effectiveness to things like mitre attack or NIST or Oh, loss or some of the other standards, I want to provide assurances to my audit team, here's the proof that my security tools are working. So a lot of it is based is predicated on, you know, a specific specific set of use cases that they want to validate. Another one is, is actually determining, do we need to replace this, you know, this endpoint security tool with this new endpoint security because a lot of people are moving between maybe more traditional legacy secure endpoint security to more of a modern format. And what they're finding sometimes is that the the older stuff maybe works just as well if not better with the proper tuning. But what I really like about this is once you get beyond all those sort of, hey, let me let me validate my controls. Let me test it opens up a conversation now at a business level at a you know, a dollars and cents level that you can start having with senior leadership to say Look, guys, we have a hole here. We're not working not stopping data exfiltration from the sensitive network that has customer data out to the internet, I don't have any tools between those two environments that can block this, that can detect this that can alert on this. Now, if we're going to address this, it's going to cost $2 million. So now you can go to your bosses and say, Look, here's a $2 million issue. Now, they might say, Well, you know what, based on what you've told us, we got, we think that that's worth worth the investment to protect that customer data, here's $2 million, or they say, you know what, we were in the, in the middle of buying this other company, we have to preserve all of our cash right now. Let's push this out one more quarter, we'll deal with risk. Regardless of how you feel about it. At least they're making their decisions based on evidence. They know what the risk is. They can weigh that and they understand the cost against other risk. I mean, we like to think everything cyber risk in our community, but there's a million different types of risks that executives and boards need to deal with all of the time. We're just one flavor.

Robby Peralta :

COVID-19 is a very good example of that actually

Brian Contos :

COVID-19 is a great example right now we've got all these remote users and our VPN is up to par. And what are we doing with data in the cloud and all these other things. So now they can make decisions more quickly, based on evidence. And the security becomes part of that executive conversation much more easily and much more cleanly, as opposed to your once a quarter, you know, five minutes that you get in front of the board and the rest executive team, this becomes a constant conversation. So I love that I love that sort of maturation to the point where executives really are getting fed the data they need without getting into that low, low pieces. They don't, they don't really care about how they just want to know the results, right? You, I'm paying for a result. And the result I want is that we're securing our customer data doesn't get stolen, that how is up to you, that's what you get paid for. But as negative I just want that result. And that's what this and that's, that's now sort of interlinked if you will, the security practitioners and the security executives, with the business leaders in the boards in a way that I've never seen before, in a way that we've always wanted, but there was never that conversation path to talk at that level. So that's been a really powerful sort of outcome of sort of the executive reports and executive dashboards that are part of mandiant security validation.

Robby Peralta :

Yeah, well like you just mentioned, it's always been some sort of uncrossable bridge between CISOs and business and the financial part of the company, because there are so many questions that are literally impossible to answer without something like this. So

Brian Contos :

right. And, you know, it's a it's funny, I was I was doing a speech before COVID. And I haven't done speeches in a while because COVID-19 was down, but it was around critical infrastructure. And this particular one was oil and gas and power and energy, but this could be chemical or automated manufacturing. And, you know, their whole thing was, look, we care about things like business continuity, regulatory compliance protection of our critical assets, rationalization optimization, these weren't security concepts. these are these are concepts that they just cared about as a business. They availability is key, in some cases, literally keeping the lights on. And you know, they're running these very sensitive systems. Some of them are 2030 years old, they're running NT four o, which has been end of life for a couple decades. And it's operating some turbine that's worth millions and millions of dollars. And all this NT four o system does is control speed, it's either goes faster or slower. It's very simple. You can't harden it, you can't secure it, you can't put aveanna you can't put a local firewall, you can't do anything. So what you do is you protect those vulnerable systems with security controls. And because the way Mandy and security validation solution works, you're never attacking that skated device, that programmable logic controller, that turbine, you're validating the security controls that are protecting those devices, and looking at segmentation and communication channels and things like that. So now you can have these conversations about business continuity, and regulatory Compliance and protection of assets and rationalization optimization for this organization that they're never able to have before. So it's allowing conversations to be had that weren't even plausible in the past. And it's allowing you to test and validate in the case of critical infrastructure, you were never able to validate controls within the production environment, because there's too much of a fare that would take down a system and availability is key. So you had to build these NAS beds, and they were kind of sorted, maybe 50% look like what the real world was. Now, you're saying, I can use some technology to safely validate my security controls my production environment, but the output of that are things that map directly to what my business leaders care about. And I can tell them, we're good here, here. And here. We don't have any cyber security issues. But over here, we have these types of problems. And these three out of these five, we can just do some tuning. So within a week or two, we're going to have those resolved. But these other two might require an investment. Maybe that investment is in more people or more or more technology. But it's a very clear outline. And man, what a great way to have a conversation as opposed to, Hey guys, this is the latest ap t, or this is the latest zero day, we really got to hunker down and make sure all our systems are safe. Where, where where's the relevance, right? Where's the rationalization? How does that really tie in? And one of the cool things when fireeye acquired us, was fireeye has a really great threat intelligence capability. And as mandiant security validation, we integrate with everybody, anomaly and Flashpoint and lots of other players. But we of course, also integrate with fireeye. But now what we're able to say is instead of saying here's a whole bunch of tests and behaviors and attacks, and you can add your own is you can have this constant threat intelligence feed to say, Hey, here's some new IOC s or here's some new ttps and I want to validate if something of this nature was in my environment, are we prepared, what would happen?

Robby Peralta :

So you can Threat Hunt with that too, as well?

Brian Contos :

Yeah, it's great because it used to be here's a folder full of a bunch of bad IPS, and don't And URLs and here's a whole bunch of TTPs. Five minutes later, here's another folder. Here's another folder who's got time for that? Nobody does. So you just had all this data kind of stacking up it was good data, but you couldn't get to it. Now you're saying let's automate the process where that's ingested into Mandiant security validation. The actors are testing and validating against those ttps and those IO C's. And they're very quickly telling you, Hey, 99% of this, you got to cover you're blocking, you're detecting you're learning, we're looking good. This 1% though, this is where we need to spend our time and do some tuning. That just changed my whole paradigm. Now I'm actually getting true value out of my threat intelligence, it is not just this thing that I look at, sometimes, it's actually operationally integrated into my entire security stack. So that was one of the really cool things about sort of fireeye bringing us aboard and being able to leverage that. And of course, the other part was taking everything we've just discussed, and turning that into a managed security service for organizations that say look, this is great. And I love the fact that you know, it takes less than one FTA Running, it's easy to operate. But at the end of the day, we don't even have that can you do this for me as a service? And you know, I can log into the cloud and see the latest results and things like that. Yes, we can do it that way too. So those two things got brought on under the fireeye umbrella very quickly and have been tremendously successful with customers they really seem to like those features.

Robby Peralta :

Taking that in consideration and looking back at your career and all the crazy awesome companies you've been involved with. What what's gonna what's next now? Like, what, what's what's in your crystal ball for cybersecurity solutions moving forward?

Brian Contos :

Yeah, yeah. Now it's a it's a fair question. And I think there's still a lot more steam in the validation market. I think some of the conversations we've had about looking at business outcomes. And the automation capabilities and leveraging so are sort of the adversary experiences and, and threat intelligence, you know, information that we get from incident response groups and red teams and information we get from threat intelligence and kind of taking that full circle. So instead of saying, we do red teaming, and then when something happens, we do incident response. And we have security controls, and we have people locally, this acting as the glue to bring that all together. So you have this central platform that does adversary expertise and intelligence that does augmentation of your red teaming and does automation of these tasks and gives you those business outcomes and those results. So I guess what I'm trying to say is, I think, I think the notion of a security platform like the mandate and security validation platform, becoming a business platform that leverages security, in order for those businesses to derive their their outcomes and make their decisions is really that next step, and it's part of that General Security maturation that I've been seeing now. For years where it's becoming much, much more of a business level conversation, we're seeing CEOs, board members, other non security non technical executives, talking about cybersecurity, and showing up in their annual reports, their committee charters, lots of documents that talk about material risk, cyber is a piece of that, which means that they need to be armed with that business relevant knowledge about cyber, again, not the bits and bytes of it, but the business outcomes of that, how is this going to affect my brand? How is this going to affect my finances? How is this gonna affect operations, for example? These are the questions in cyber plays a key part of that. So I think more business platforms that have security DNA in them is going to be sort of that next gen next next gen, if you will, in the security evolution. So look, to look to see organizations and features and capabilities that are much more business minded than I think they were in the past.

Robby Peralta :

Well Mr. Contos now I'm gonna follow your LinkedIn very closely next time you do anything. I'm like my money's on that thing. I'm all in.

Brian Contos :

Yeah. Well, thanks. It's been a real pleasure talking with you and getting the message out to your audience. Yeah.

Robby Peralta :

Well, thank you very much for time and we will I will definitely be following the progress moving forward. Thank you so much.

Brian Contos :

Take care.

Robby Peralta :

Well, that's all for today, folks. Thank you for tuning in to the mnemonic security podcast. If you have any concepts or ideas that you would like us to discuss on future episodes, please feel free to send us an email to podcast@nimonic.ml Thank you for listening, and we'll see you next time. Transcribed by https://otter.ai