Cybersecurity Requires Understanding: A Q&A with Sam McLane of Arctic Wolf

At RSA 2019, Dan Woods from Early Adopter Research spoke with Sam McLane, the CTSO of Arctic Wolf, for the EAR Podcast. They covered Woods’ three key cybersecurity questions for 2019 and discussed how to create a balanced cybersecurity portfolio. This is an edited version of their interview, which can be heard in full on the podcast.

Woods: Would you tell me about your job as CTSO and what Arctic Wolf does?

McLane: As CTSO, I work with other vendors, with our customers, to try and figure out technologies and services that we can add into our portfolio to help customers have that more well-balanced security platform.

And what does the S stand for?

Services, so chief technology and services officer. Arctic Wolf Networks was founded in 2012. We provide managed security, managed SOC as a service to our customers. We provide a platform, log aggregation, data collection, plus process and people to provide SOC services to companies that either can’t afford a SOC, can’t build it out themselves or don’t have the technology and the people to do that.

Do you come with a recommended set of portfolio products or will you manage whatever they have?

We will manage whatever a customer has, but our platform was designed with the idea that most companies today, smaller companies—think 400 to 1,000-employee companies—they’ll have a firewall, they’ll have AV. They’ll have some form of an endpoint. Now, whether they have any of the ancillary technologies around IDS, IPS, cloud monitoring and management is sort of hit or miss, and so our platform can go into an environment vendor-agnostic and we can provide the service no matter what infrastructure is there. If they have a good firewall that’s got next gen capabilities, it enhances what we can do. If they’ve got good AV and endpoint, it also enhances what they do, but we can provide the core service and the core value with nothing other than what we bring to the table.

How often do you recommend that they add a component?

It depends on what we see. Most of the time we go into a customer, we get our sensors deployed so we can collect the information we need, and over the first six to eight weeks, we’ll get a pretty decent understanding of what’s in their environment. At that point, we’ll also be able to determine whether they need to upgrade their AV technology, or whether they need a different endpoint.

Excellent. The first question I have is about zero trust and the phenomenon it’s become in the cybersecurity industry. The fundamental insight of the zero trust concept is that you are going to have people with devices coming in and out of your trusted perimeter. If you take the posture of assuming that everybody’s compromised, assuming that until they prove themselves, you will be better off with your cybersecurity. How can somebody figure out what zero trust can do for them in terms of a thought experiment?

It’s an interesting question. The very first thing that we tell everyone is, “Can you tell us what’s in your environment? Can you tell us where your users are? What do they do with their mobile devices that you don’t manage? Do you know what cloud is being used and do you know why it’s being used?” Taking an inventory of what you have, both managed, unmanaged, looking at the holes you have in your environment, the potential threats that may already exist, that’s sort of a first step, along with understanding where are your valuable resources, what are they trying to attack. Understanding that and then being able to say do I have the right resources that need to be applied, am I protecting the right things? What I find interesting is the thing that’s driving zero trust more than anything is the adoption of cloud, because as people move to Azure and move Active Directory out of their environment, as they move their mail services off to the cloud, as they move their compute resources off to the cloud, you’ve really created a model where the cloud becomes part of your data center and you can’t trust anything that’s hitting it.

When you come into an environment, you really try to do a lot of diagnostic work to figure out, you know, what the state of the client is and then you improve from there, and if they need to do any zero trust type things, you will recommend them?

Absolutely. The first thing we do is look at the segmentation of your environment. Most companies today have reasonably advanced switching and networking technology so the ability to segment your network exists. Most of the firewall vendors absolutely want you to do the segmentation because it puts their technology at front and center of the core of your environment and makes them a more valuable player in the area. It’s impressive how many people don’t actually leverage the technology that they’ve invested in.

In cybersecurity, it’s reasonable that the spending has gone up because the attack surface has expanded. You’ve got more and more devices, more and more surface area, whether it’s IoT or cloud, and it makes sense that you would have to spend more to protect it. But at the same time, you would think that as time goes on, you would get to a situation in which you were able to prune your portfolio, and were able to reduce something about your portfolio, either the scope of the number of vendors you have or the scope of the complexity you have, or maybe new capabilities would replace and make other capabilities unnecessary. But it just doesn’t seem we’ve gotten to that point. Will we be able to prune?

We’re actually seeing that shift start to occur, driven by the lack of security talent that’s available to help manage and maintain that functionality. What we see is that, as smaller companies, under 3,000 or 4,000 employees, start to outsource their security services, their managed services like Arctic Wolf, we start to go in and say, “You know what, here’s what we’re seeing. We really think that you should invest more in AV and endpoint,” and then they may have had some kind of an IDS/IPS that they were leveraging that no longer really is required because they’ve got someone watching the front door and we’re paying attention. And so we can start to give them an understanding of the value they’re getting for their security investment spend. The idea is that once they’ve got a managed firm in there, they don’t really want to play with all the other products. Generally, if you hire someone, train them, get them functional on a toolset and then they leave, all that investment goes and your security program is back nine months while you go find the person, if they’re available and you can afford them.

Are there other examples that you’ve seen that you’ve been able to prune?

A good example would be that everyone here at the show in one way or another is trying to combat the lack of talent. Some people do it with AI, some people do it with outsourcing, some people do it with a combination of machine learning, looking at the network differently. A good example of this would be someone makes an investment in an endpoint for EDR (endpoint detection and response). Those platforms tend to collect lots of information about what’s happening on a desktop or a laptop. And then you apply analytics and you can tell whether a piece of malware has been installed there. You get much better fidelity from managing the endpoint and so that technology replaces it. The improved capability of EDR can actually replace the need for an IDS system.

How often do you recommend products like cloud gateways, whether it’s a Wandera for mobile device management or a Zscaler, where they have a cloud gateway that allows you to protect yourself both when you’re on premise and off premise?

We try to remain vendor agnostic in our environment. The most common scenario where we’d apply that kind of a recommendation is a customer will come to us and say, “Hey, we’re looking at moving to a cloud gateway. What do you think of a Zscaler?” All our security professionals span the gamut, some Active Directory, endpoint, firewall. So we’ll leverage those people to give a well-rounded, “Here’s the value of Palo Alto versus an ASA with FirePower” or whatever. But ultimately, it’s back to the customer, what’s the best buy for your business. We’re not selling that, we don’t manage it, so do you have another trusted partner that you can leverage that would work closely with us?

The third question is about cloud migration. There’s a lot of migration going on to the cloud and, in terms of cybersecurity, vendors are putting more and more of their infrastructure in the cloud, or they’re having on-premises systems that then have, in addition to the on-premises component, a cloud component. But as you move to the cloud, how are you going to secure the cloud and do that without creating even more complexity and more risk?

From a “how do you know that your cloud provider has good security” standpoint, I think that’s what the certification process is all about. SOC 2 Type 2 sort of certifications, ISO 27001, the different standards that are out there, you absolutely have to put your trust there, provide the documentation, ask the questions.

Couldn’t you also like put monitoring systems in to make sure that you’re secure?

You can. And people do. But if you don’t have enough security professionals to manage it on premises, moving it to the cloud just shifts the locus of where you’re actually looking. It doesn’t actually lighten the load of what you have to do. No one goes a little into cloud. 100% of our customers have some aspect of their environment that’s cloud-based. Most of it is not driven by IT and management. It’s bring your own device. Suddenly you’ve got your data in the cloud whether you like it or not, and it magnifies the number of SaaS systems that you would need to go look at, but you have to get your hands around what’s there. So I agree that purposely moving to cloud lowers your operational security aspects from a physical layer, a data center layer, a networking layer. But then you have six vendors with six different consoles and six different types of alerts that all are different. You still have the problem of trying to consolidate that and get your arms around it.

So how do you do that without creating a mess?

You have to understand it. You need help. You need to be able to look at the alerts that come out of AWS’s security console, and know that one’s real, that one’s not. 80% of the threats that we see, basic security hygiene would solve: patching, strong password management, paying attention to the basics. It’s no different in the cloud. Don’t use the default passwords in software you deploy. Make sure that all of your data access is authenticated.

Your value proposition is the same whether or not the scope is bigger or smaller. The question is, you have to have expertise, you have to have an integrated approach, and that’s what you’re selling.

Absolutely. Yes.

The next question is perfectly in line with what you just said, and that is, why is it that you think companies often buy another cybersecurity component instead of investing more in operational discipline and cybersecurity hygiene?

It’s an interesting dilemma. I think as vendors, we’re pretty good at marketing what we do, and so the sexy nature of buying the shiny new thing to go play with absolutely is part of that phenomenon. But I also think employee turnover affects it too. For a lot of people, the breadth of maintaining a good security posture requires a lot that you have to pay attention to, and a lot of it is not sexy. A lot of it is boring, for lack of a better description. It’s just basic blocking and tackling, good security hygiene. And a lot of times, you’ll see a security professional come into a company, get their hands around it, get them to a base level of security, and then there’s nothing exciting. It’s sitting around writing controls, talking to auditors, going to meetings with IT about new applications that are being deployed, and that’s not where the really intriguing work is. They want to be building things and creating things, so they move on.

How do you try to improve gradually the operational discipline of your company?

We are quickly moving to standardize on industry standard frameworks, so we are moving our service to follow the NIST framework, along with a maturity model that goes with it, so that as we talk to a customer over their first year of service with us, we can give them a more holistic picture. We don’t have any programs per se in that area, but part of our service is an ongoing strategic discussion with them about where they are and where they should be investing. And it’s tied to not just what we think and what we see in the industry, but actual data from what we’ve seen in their environment. If we have a customer where 60 of their 150 events that year were Active Directory login breaches or phishing attempts, we say maybe you need to invest in some user awareness and we can help you with that.

Where have you seen companies do a good job of enforcing and encouraging a culture of cybersecurity awareness?

The very first thing is companies that actually have an awareness program, even if it’s an annual, “Hey, you’ve got to watch this 15-minute video,” those companies automatically get better at it. I’ve seen a lot of interesting sort of security programs where they’ll have a monthly contest of who reports the most spam that they get in their inbox, or phishing attempts, and they broadcast it to the company and the two people that win for the year get an extra vacation day. It costs the company a little bit, but the recognition that you get from being part of a community where you’re all focused on the company’s security together has done a lot. And then, oddly enough, companies that have a younger employee base that has grown up with the technology, they get the idea that you don’t use the same password everywhere and biometrics is a good thing, whereas the people who maybe started the job where there wasn’t a lot of technology involved, they have a harder time adapting.

The last question is about cybersecurity insurance. A lot of people who are in the CIO/CTO/CISO business are sort of forced to buy this insurance by the CFO, by the CEO, and they often cringe when they hear it come up because the insurance isn’t that good, it doesn’t cover that much. It’s still a very early product. There are lots of escape hatches. But very few of these people are able to argue the CFO or CEO out of buying it. So how is it possible to turn that conversation into something that actually has a positive impact?

That’s a good question. The customers of ours that have gone down this path, they actually leverage us, so when they get the insurance and do an audit of what their security best practices are, we’re actually able to deal with those people as a trusted vendor and make that process as painless as possible. We can give them a fairly good assessment: here are the controls we see, here are the programs we see, here’s the incident response plan that we’ve co-developed with them, here’s what we do. Just like any other sort of regulatory or compliance audit, having someone who understands the lingo, knows the jargon, and knows what they’re looking for speak on your behalf makes it easy.