Staying Ahead of the Attackers: A Q&A with Nick Lantuh of Fidelis

Recently, at RSA 2019, Dan Woods of Early Adopter Research (EAR) spoke with Nick Lantuh, CEO of Fidelis in cybersecurity, for the EAR Podcast. During the interview, Woods asked Lantuh his three pressing cybersecurity questions for 2019, as well as getting a sense of where Fidelis fits into the cybersecurity landscape. This is an edited version of their conversation that can be heard in full on the podcast.

Woods: Could you explain what Fidelis does in terms of the NIST framework of identify, protect, detect, respond, and recover?

Lantuh: We are a platform and what we do within the security spaces is we detect and respond to threats, whether they’re inbound, whether they’re insider threats, whether it’s data leaving the organization, and we do that across a hybrid environment. So we do it across on prem, in the data center, in the cloud, across your network and your endpoints. What we also do is we marry that together with some deception technology. So we try to change the cost profile of an attacker by making it harder and slowing them down and then we marry that all together with the ability to do terrain mapping, asset discovering, and classification so we’re bringing together several disciplines together into a platform that allows you to hunt and find bad more readily.

Do you do firewall and endpoint security?

We don’t do firewalls, but we partner with firewalls so that’s a very synergistic technology for us. We do, at the endpoint, detection and response capability, forensic capability, so we have an embedded AV that’s not ours, but we have a very robust detect and respond capability across the enterprise.

Got it. And it’s detect and respond for servers and laptops, not for mobile right?

Correct. We’ll see the traffic. If the mobile connects in then we’ll see that traffic given our network traffic analysis capabilities.

My first question is about zero trust. It seems like the idea of zero trust is that you’re able to focus on a new individual who arrives in the network not knowing who they are. They have to establish who they are and then based on who they are and what they’re trying to do, you envelop them in some kind of personalized segmentation with appropriate permissions. Taking it to its logical limits, you think, well if we have zero trust we shouldn’t really have to worry about a perimeter anymore. But it seems the way that they practically implemented is that zero trust happens inside the perimeter but also zero trust happens outside the perimeter. It’s this additive capability and you really don’t get to get rid of your perimeter. So what does zero trust mean in practice?

Yes. It is an additive. We look at the network from the perspective that we need to find what’s not normal in the normal. And so when you look at a zero trust environment, when you’re adding folks in and it’s more access control and then we say that you’re good and that’s assumed that everything is fine around you, the issue becomes what happens when credentials are hijacked? What happens when someone escalates within an environment? Our view of the world is that we’re just going to assume that everything is bad and we have to inspect everything to the nth degree. And I think that it’s not just perimeter; it’s not just authenticating. It needs to be a holistic view of a security environment where you’re looking at everything, all of the raw data, all of the meta. There needs to be a way to determine how you find the adversary that’s already gained invalid credentials and is moving around your environment as a valid user.

As part of deception technology do you put in decoys and things like that?

We do. What we do is we build out decoys in several different fashions. We’ll build out emulations of networks. We’ll scan a network environment and we’ll be able to look at all of the assets, what they’re connected to, what’s running on them, and then be able to build an emulation of that that moves and flexes just like your real network. And then we also have the ability to put out VMs that allow you to put golden images out there so that you can randomize what that environment looks like. They’re not as easily detectable by adversaries who otherwise be able to determine, hey you know, these are all the same. They’re plain vanilla; we know that those are decoys.

The idea is that your security system doesn’t really care about zero trust because whether or not the person’s trusted you’re going to observe their behavior and try to find out if there’s anything nefarious going on.

Correct. Because the individual may very well be trusted and doing nothing wrong but if his credentials are hijacked, or his ability to access a certain system has been hijacked, and it looks as though it’s him, we need to know if that’s normal behavior or not. We’re looking and trying to pick out the nuances in activity that will be able to determine whether something is good or bad or allowed or not allowed and then put the pieces together, and put that puzzle together in a manner where we can determine what’s actually bad.

The next question I want to ask you is about portfolio pruning. It seems that the cybersecurity world is always adding new capabilities. We have yet to see many capabilities where they’ve actually pruned and made some capabilities unnecessary. What I’m surprised about is that we haven’t had new capabilities that have made certain sets of capabilities no longer needed. Is cybersecurity just an expanding landscape of kitchen gadgets?

That’s a great question because the buildup that’s happened over the last decade in security really has amounted to a spend environment, with the assumption that the end goal is that you’re better off than you were before you started. I’ve had many, many conversations with CISOs, and heads of security, and heads of SOC around the world on this. Everybody is starting to look at how do I make the stack more efficient? What do we take out? Which partners do we partner with who are more strategic? The numbers that I’m hearing is that we’ve got stacks that range anywhere from 40 to 65 security products. We’re looking to bring that down somewhere in the range—I’ve heard as low as 10 and as high as 35. The idea there is that the products that are installed have a lot of overlap now. Some of the vendors are starting to build out and put tentacles into the other areas of the stack. There is a lack of talent to run them very well, and the cost structure is becoming prohibitive now. There is definitely a downward pressure on the overall pricing that there are incurring, but we’re seeing a desire for organizations to say, we want to bring you in, we want you to show us and talk to us about what else you can do. What I’m hearing in the marketplace is the desire to be more on the proactive side and more on the hunting side versus more on the reactive side and on the alert triaging aspect of this. There is a sentiment that the industry isn’t functioning as well as it should. That organizations are questioning whether they are any better off after all the spend and all of the headaches from a security posture standpoint, and some of the CISOs are coming back and saying, no, we don’t feel that we are any better off. We feel that the attack surface has expanded. We feel that we kept investing into the security space and now we’ve got a massive stack and we don’t feel that our security posture is all that much better than it was before we started this.

Vendors are going to solve that by integrating capabilities into larger portfolios, so that you’ll have fewer vendors with bigger products and that those products will be integrated so that the complexity goes down.

Yes. I certainly think that there will be a consolidation, and it’s happening. The space has been overfunded. I think that the space has a lot of “me too” componentry to it. The ability to actually integrate through consolidation and acquisition has not really panned out. It’s been very difficult for organizations and security vendors to actually do that well. Integration in general in the security space has not gone the way I think that users and consumers have wanted it to go.

Essentially, the companies that have integrated have started from a vision of products and created new products to be added to the portfolio from their own development and engineering. But most of the time it’s all organically designed to work together and the integration has essentially failed.

The real desires are just that: an integrated solution. Something that has the embedded automation and orchestration and correlation of activities to find threats. And that has not been an easy thing. That has been thrown on the shoulders of the SEIM (security event information management) has been thrown out of the shoulders of the SOAR (security automation orchestration) and you know all that’s happening is that you’re getting more data and more alerting and that’s not necessarily a good thing.

It seems like more and more of cybersecurity capabilities are offered through cloud systems. Even the on-premise capabilities are reaching out and sending data to the cloud, getting signals back from the cloud, having some of their offline processing or things that make them more intelligent happen in the cloud. Obviously, there’s a whole set of security that needs to take place for cloud infrastructure itself. How do you think the migration of cybersecurity of the cloud is going to happen? What’s going to stay in the cloud, what’s going to stay on premise, what’s going to go in the cloud?

It’s already happening. We’re already in a hybrid environment. There are obviously some types of industries that are not moving yet to the cloud, and we see that but for the most part, they’re in some phase of moving that way. How long it’s going to take? I think it’s going to vary by industry and by company, but I think that this movement is an economic movement in part, it’s a simplicity and access movement, so I think that it’s a freight train that’s not going to stop, but I do think that we are going to be living in a hybrid environment for quite some time. Meaning that we’re still going to have to protect on prem, we’re still going to have to protect the company data center, we’re still going to have to protect in the public and private cloud. We’re still going to have to protect when organizations bring BYOD in, and so we’ll be in this hybrid environment for the foreseeable future.

I think people are surprised when they hear that spending on cloud-based solutions is 10% or something like that. Most of the checks that are written are for on premise solutions.

Yes. Again, we’re in this migration for sure. I would have thought that it would have moved faster in some segments, but I think that there is certainly some caution. I think that there is some vetting taking place. I think that, eventually, the cloud is going to take on the brunt of compute in organizations.

When I talk to CISOs, often they’re interested in new capabilities for cybersecurity and they aren’t as interested in improving their operational discipline. It seems to me that, instead of buying a new capability, most CISOs would benefit from improving their configuration management, their patch management, their ability to inventory assets, and focusing on more automation and more ability to respond and protect their environment through better backups and things like that. Do you agree?

I’m in agreement with the statement that it’s needed. I think that there’s a lack of true operational security focus. I’m not saying everybody, but in general. There’s been a false sense of security in that compliance has become the proxy for true operational security. And that’s not the case, and it shouldn’t be the case. The idea of being able to go in and understand your environment, where the assets are, what your critical assets are—enclaving them, putting them in a place that has extra security around them and extra visibility around them, those are all important things and the pace of business and the need for ease of use in enterprises aren’t necessarily the friends of good security. I think that if organizations just operationally really bore down on it, they would be far better off from a security posture than they are today.

What do you mean by compliance is the proxy for true operational security?

There are a lot of pieces of legislation that have passed throughout the years that have come out to help and assist in security. It goes back to the early 2000s with all well-intentioned legislation coming out to force companies to be secure. You must have a firewall, you must have antivirus, you must do this or that. It’s a checklist. Organizations went out and bought for the checklist, and they were able to sign these off based on the checklist when that isn’t the end. That’s only the beginning of true operations security. Now you have to drive those products, you have to really understand what’s going on, really hire in the talent that knows how to run them the right way. Just because you’re compliant doesn’t mean that you’re actually secure.

The next question that I have is about cybersecurity culture. There’s no way that you can really be truly secure unless you have a security mindset, so that people are aware of the problems that their behavior causes. That it’s not just the security people who stop somebody from putting a post-it note of passwords on their desktop computer. But other people say that’s a bad idea, that’s not going to help us if you do that, it’s going to hurt us. But I haven’t found anybody that can point to companies that have a really powerful model for how to actually get that culture going. It seems like it’s more difficult than you might think.

It is. The places where you can point who do it well are the classified sides of the government, the intelligence community. But you can’t bring that model out to the commercial sector, because it wouldn’t work. So there has to be an ability to modify and bring a security culture out to environments that can’t function if they were too locked down. So I think that the whole concept of security as a culture is a great one and it needs to happen, but it’s not a one size fits all in the industry.

Do you know of anybody that does a good job outside of those intelligence communities?

The financial services industry does a good job of it. I would say that across multiple industries, we see pockets of excellence. Whether it’s retail or energy or industrials or technology firms, we really do see some fantastic companies that do it really well.

The last question I have is about cybersecurity insurance. A lot of CISOs, CIOs and CTOs are being asked to buy this insurance. But they’re very reluctant to spend the money, and wish that they could not buy it, because they don’t believe that it will actually provide much value. There are all sorts of escape hatches in the policies so that they, in many ways, cannot pay. What would you do if you were a CISO and you wanted to argue against cyber insurance as a bad investment?

The insurance industry is still figuring out how to price it. When the first policies came out they were paying out more than they should have, or wanted to. And then they ratcheted up the number of terms and conditions on the backend of these claims, and on the backend of their contracts with the companies. And now the ability to extract payment has gone down sharply because there are all these escape hatches or abilities to not pay. But I do think that from a best practices standpoint, you need it. I think that it would be foolish not to have a policy in place. We’ve had involvement in many instances where there have been breaches and we’ve been brought in, and there have been payouts. I don’t know what the overall sizes of the payouts were, but the insurance policy did, at least in part, what it was supposed to do.