Measuring Cybersecurity Effectiveness: A Podcast with Brian Contos of Verodin

This podcast is a continuation of the series of conversations that Dan Woods of Early Adopter Research (EAR) conducted with leaders in the cybersecurity field while at RSA 2019. In this interview, he speaks with Brian Contos, CISO of Verodin. Woods asked Contos his three major cybersecurity questions for the year, as well as exploring Verodin’s place in the cybersecurity marketplace. Their conversation covered:

* 4:00 – Can zero trust provide what it promises?
* 4:50 – Why aren’t companies pruning cybersecurity products?
* 9:40 – The need to evaluate cybersecurity through both people and processes
* 15:00 – Why CISOs should focus more on DevOps

Q&A

Woods: Could you explain, referencing the NIST framework of identify, protect, detect, respond and recover, what Verodin does?

Contos: I think NIST is actually a great framework to help describe it because what Verodin does is help you validate and rationalize your security controls across identify, prevent, detect, and respond. It helps you make sure that what you’ve got is actually doing what you thought, making sure those tools are optimized and providing value and then once they are, make sure that they continue providing value in perpetuity.

Our approach is basically, let’s test your endpoint, your network, cloud, and email security controls to make sure they’re functioning properly. If they’re not, let’s help you prescriptively adjust those controls. And let’s make sure we’re getting value out of those and help pinpoint areas where you need focus to get your controls providing optimal value.

Woods: So it’s sort of like a bedside monitor for your cybersecurity.

Contos: Yes, it’s a great way of making sure that I’m getting value out of my security investment.

Woods: My first question is about zero trust. What does it mean in practice, because zero trust seems to be another additive responsibility and it doesn’t really take anything away? But if you think of the idea of zero trust, it should take something away because the notion of zero trust is that the perimeter is no longer the only way that we’re going to protect; we’re going to assume that everybody inside the perimeter is also potentially harmful and we’re going to do a lot to make sure that we know who they are, so that we can protect ourselves and find out if anybody is unauthorized.

Contos: Zero trust is one of those things that I think academically makes a lot of sense. “Well, let me add this thing and then I can remove all these other things,” except for the fact that we’re not removing all those other things because we don’t really necessarily know if we can trust our zero trust infrastructure as we’re first laying it out. I think if you start looking at insider threats and lateral movement and attackers that might already be inside your network, it absolutely, positively makes sense. But I don’t think we’re willing to let go and probably shouldn’t let go of some of our other controls such as perimeter security for the foreseeable future because there does have to be some overlap, there does have to be a little bit more depth to sort of fill in the holes that zero trust might have, not from an academic perspective but from a deployment perspective and how you’re leveraging it.

Woods: So, what in practice does it really mean? Does it just mean better authentication of users?

Contos: Years back we had network access control and then we had user access control and we had all these ways of breaking up specific assets and specific users and how they interact with our network. I think eventually you’ll see that zero trust environment being embraced at a larger scale, but in order to do so we need to be able to validate that that zero trust is actually doing what we expect it to do. And when I talk to CISOs, there seems to be a bit of a trust factor, and it might have a little bit to do with understanding as to whether or not zero trust can provide the value it promises.

Woods: The second question is about portfolio pruning. I have a research mission on Early Adopter Research where it tries to deal with the idea of creating a balanced cybersecurity portfolio. And what seems to be the case is that we get new functionality, but what have we gotten rid of? I have seen some CSOs mention that they’re able to replace or reduce their reliance on SIEM, security event information monitoring systems, because they are using these new AI-powered anomaly detection systems to be able to get a view of every event on the network. But pruning of your portfolio, replacing older stuff with newer stuff, seems to be a very hard-to-come-by concept in cybersecurity. When do you think it’s going to start happening and why hasn’t it happened until now?

Contos: I think it has to do with rationalization, and to date most organizations measure their security effectiveness predicated upon qualitative metrics instead of quantitative metrics. It’s really hard to have evidence-based data that’s deterministic in saying what’s working, what’s not, here’s a product that I should keep or tune and here’s a product I should get rid of. Until we have that level of evidence and until we can be more strategic about how we rationalize, prioritize, invest and retire, I think we’re always going to be in this sort of buzzword bingo type of mentality.

Woods: Relating this to Verodin’s functionality, I think that one way that you could actually defend the pruning of the program is by measuring what everything is doing and then, if you find that a system is no longer catching anything, you can say, “Look, we no longer need it.”

Contos: Precisely. In fact, we find that a number of organizations will use Verodin’s security instrumentation platform to help identify products that they can get rid of so they can take that money and reinvest it in people and training and other products. Furthermore, we see people that, when they’re POCing various products, will want to use Verodin SIP to determine which vendors are actually doing what they say they’re doing. And how hard is it for me to configure this device to do what I need it to do? That’s where security is moving; it’s that much more deterministic, strategic perspective on security so you can align with business initiatives as opposed to, “Let me just buy another buzzword and let me plug this box in and maybe it provides some value or not.”

Woods: Every cybersecurity system reports on what it finds. How do you actually report about a larger scope so that you can understand whether it’s effective?

Contos: Certainly you want to be able to validate that our tools are preventing certain types of things. But after the technology bit, you’re also looking at the processes and the people. Are the people effective? Are they following the right processes and are those effective? Are they able to leverage those tools to their maximum efficiency? Do we need more training, do we need more people? And start to answer a lot of questions around people and process and technology as opposed to just myopically focusing on the tech. But really what it comes down to is you’re looking at security as a system of systems and being able to evaluate overall security effectiveness. Instead of the old paradigm of pen testing or red teaming and seeing if I was able to get in, we want to see how effective your overall security structure is.

Woods: What you’re doing is saying, “Look, if something was caught, was it followed up on? Was the information passed to the right person? Was something done about it?” You do actually have a process flow that surrounds everything so that you know that effective action was taken?

Contos: Everything from testing if that firewall blocked it or your email security system blocked it or something detected it, we want to actually see from ground zero all the way up to was the process followed, the most efficient process, and were your people actually effective? I think the days of evaluating technology without people and process are dead. You need to look at prevention, detection, response, all those NIST-based paradigms, and then evaluate it from there out to the people and process.

Woods: You could look at this as basically a process monitor for your NIST framework?

Contos: It’s a great way of putting it. In fact, we have a number of our customers that use this as a process monitor for NIST, for OWASP, for SANS and for MITRE ATT&CK.

Woods: I see a lot of people recommending or offering cybersecurity that is based in the cloud. But if you look at most of what people write checks for, it’s for systems that are on premise. In most other realms of enterprise software, you’re moving more and more stuff to the cloud. How is the migration of cybersecurity technology from the current on-premise infrastructure to the cloud going to take place?

Contos: As more enterprise solutions move into the cloud, prudence dictates that the security controls would then follow. What I find interesting in the cloud, whether it’s a next-generation firewall or a web application firewall that’s providing security controls for those systems, is that in the cloud it’s very easy to make mistakes. It’s very simple to have your critical database or web servers on the wrong side, the internet side, of your firewalls and your security controls. A little $5 typing mistake can cause a multimillion-dollar issue. I’ve seen more migration, but I think most organizations are a hybrid of on-prem and in-the-cloud solutions. The problem that I’m seeing is that most of these headline-grabbing issues as it relates to cloud and security are based on very, very simple mistakes that are made with no way to ensure that the security controls you have in place have actually segmented your devices properly and are actually operating effectively.

Woods: The idea of securing the cloud from a certain type of attack, the cloud vendors will do. But then the whole idea of cloud assets is that they can be made available for sharing, they can be made available to whoever you want them to be. You’re saying that there’s a service area over which you would put that, that can very easily be vulnerable to mistakes.

Contos: Your cloud provider is going to provide a level of security, but I think in addition to that, you need to validate and measure and hopefully improve on what’s happening in that structure.

Woods: So your security will be completely in the cloud when your infrastructure is completely in the cloud?

Contos: That’s right. That’s not to say that there won’t be security solutions that are cloud-enabled, whether it’s for email protection or DLP or other controls; I think that will catch on. I’m seeing that most people who talk about cloud security are talking about security controls to go ahead and prevent, detect and monitor activity that’s happening to my devices that are cloud-based.

Woods: I have three bonus questions. The first one is about ops discipline. How many CISOs would be better off if they took a portion of their budget and, instead of buying a new cybersecurity solution, focused on improving their operational discipline and their cybersecurity hygiene so that they could automate more of their configuration, monitoring, changes, and patching?

Contos: I think they would all benefit from some level of that. Automation is key now. Where you’re talking about the complexity of your environment, you’re talking about a small group of people that you can pull from. With today’s growing threat landscape, what you need to be able to do is leverage automation, leverage some of these new techniques, leverage some of this new technology in order to help improve. And I really think it comes down to measurement. You know, if you go to a CFO and you say, “How much money do you have in the bank?” and he says, “I don’t know, a million, $10 million, $20 million,” that’s not a very good answer. You go to security people and you always get these qualitative responses instead of quantitative, evidence-based metrics. We need to have CISOs at the point where they actually understand, with evidence-based metrics, what’s working, what’s not, with robust automation that delivers the proof and evidence that you need.

Woods: The next question is about cybersecurity culture. How can cybersecurity education and training be made part of the everyday operations of a company? What do the people who get this right do to make sure that people understand that cybersecurity thinking and cybersecurity training is not just nice to have?

Contos: At the highest level, it’s all about making sure that the cybersecurity that you have is aligned with your business priorities. That’s sort of a top-down approach. From a bottom-up approach, people have been trying to crack that puzzle for decades in terms of, “How do I make my people more cyber-savvy?” And probably one of the areas that I think has picked up in the last couple of years is just simple gamification. Using enterprise-level gamification to help individuals not only be more secure and learn how to be more secure, but also give them some level of reward for doing so, tends to get people a little bit more engaged and paying attention. At the end of the day, people like to click on links, people like to do certain things that we might consider unsavory, but it’s just part of doing business. Now, if you’ve done the top-down portion correctly, hopefully you can compensate for the individuals who might not be operating with such a secure mindset.

Woods: Finally, I know a lot of people who are in CIO, CTO, CISO roles who have been asked by their board or their CFO to either consider or to buy cybersecurity insurance. Almost none of the people I’ve talked to are eager to buy it because they understand that it doesn’t offer the kind of coverage that you could ever make a claim against. There are very limited areas where it pays and there are also many escape hatches in all these programs. What would you advise a CISO or CTO or CIO who was being forced to do this to do and argue against it?

Contos: A lot of CISOs have been afraid to pull the trigger when they make a claim because they don’t know if it’s the worst of it. It’s like, “Do we do it now or are we going to find out more two weeks from now or two months from now when we really want to cash in on this,” because you can only do it once. So there’s a lot of fear regarding the value that it brings. I’ve also seen CISOs that have thrown their hands up. I think that’s a lazy approach and I don’t think it’s very effective and I don’t think it instills a lot of faith from your team. But is cybersecurity insurance bad? No. Is it still in nascent days? Yes. We’ve been talking about it for 20-plus years, and there are a lot of people that leverage it, but I’ve yet to see a case where it’s proven to be an extremely valuable investment for most organizations to make.