Collaborative Defense: A Q&A with IronNet’s Jamil Jaffer

In this latest episode of the Early Adopter Research podcast at RSA 2019, Dan Woods spoke with Jamil Jaffer, VP of strategy and partnerships for IronNet. They covered Woods’ three big cybersecurity questions for 2019, as well as other pressing topics in the cybersecurity sphere. This is an edited version of their conversation that can be heard in full on the podcast.

Woods: Could you explain what IronNet does?

Jaffer: Sure, IronNet is a network threat analytics product that delivers collective defense to industry across multiple sectors and across multiple nations. The idea being that if you take information from one company and share it at scale speed with other companies, they can better protect one another in a collective defense posture. We expect individual companies to defend themselves against every comer, whether it’s a nation state or a script kiddie, the entire range. And it’s not really a fair fight particularly when it comes to nation states because they have virtually unlimited resources and human capital. Companies that are going to fight that battle and fight it effectively, have to come together both in sectors and across sectors and at times with governments to defend themselves at scale and speed and IronNet provides the capability to deliver that collective defense.

In terms of the NIST framework, the idea is that you’re creating a cooperative threat information sharing network and monitoring network-level data?

That’s exactly right. In the NIST framework, we’re in both the detect and protect spaces. We identify behavior patterns of threat actors that are hard to change. It’s easy to change your IP address. What’s hard to change is the way you behave. AIf we can identify behavioral patterns of threat actors and share that at scale and speed across a community of like-minded companies, they can defend one another and get ahead of the threats, so you can see campaigns that you might not have otherwise detected.

My first question about cybersecurity in general is about zero trust. The way that zero trust was born was from new assumptions that Google made in its BeyondCore platform and then presented to the world in a variety of papers. They are very rational assumptions that the perimeter is much less meaningful than it used to be, as we have devices moving in and out of the perimeter, so we don’t know how to protect them in a zone of trust which doesn’t exist anymore. So how do we create an infrastructure that deals with that reality? Now, that concept is very attractive. But the problem is that you can’t go to any vendor and buy what Google has and even if you could, it might not really be relevant to your infrastructure. I’m trying to help CISOs do is understand what does zero trust mean to them and then how do they figure out what to do about it? What advice would you give to a CISO of how to understand zero trust and how to figure out what to do about it?

That’s a great question. You’re right, the concept is game-changing and the concept is solid, this idea that we’ve got 27.3 billion worldwide of internet connected devices by the year 2020. That’s three devices per person. And you think about enterprises and it’s even higher in the enterprise context. CISOs have a very tough problem to deal with and you have to assume that every single one of those devices is or could have been owned by a threat actor that’s aiming at you. At the end of the day, your users, no matter how many restrictions you put in place, the more creative they get about getting information in and doing the work they need to do. So you have to offer this zero trust model. But then the question is how do you implement? Does Google have all the tools that you need? Can they provide them to you? Can you afford what they’re providing and use them in the way that they make sense? Your enterprise systems, partly because they’re legacy and partly because you’ve chosen a different methodology might not have that capability. You’ve got to implement a suite of products and capabilities across your enterprise. What you need to look for is what are the best in breed capabilities in each area. You buy those best in breed products and then you’ve got to figure out how they work together. You’re looking for products that interoperate well and where you have a layer that can make them sing together — which is why there’s been a lot of talk about orchestration. Orchestration is another way of saying how do I make products work to together in a capable way that can deliver action when I need it? Because it’s great to know about a threat but if I can’t do anything about it at speed and scale, if I can’t push an update to my user devices in real time, that’s a real problem.

So what you can do is use it as a way to reexamine your portfolio with this assumption and understand what are you going to do about addressing that assumption?

That’s right. You’ve got to deal with the reality that zero trust is the world we live in.

The second question relates to that last point you made about how to make everything work together. It seems that cybersecurity has been very additive. Every generation adds new capabilities. Now, that makes sense because the attack surface has been expanding as well. On the other hand, we don’t seem to have gotten to a point where we’ve been able to prune our portfolios and replacing older capabilities with newer capabilities. Why is pruning so hard?

It’s a great question. You only have to walk around the RSA expo floor to see the proliferation of companies in every sector. The way that we’re going to see this play out in the long run is you’re increasingly seeing a shift to cloud and people delivering security in the cloud environment. You’re also seeing vendors like managed security service writers coming together, taking a suite of products, making them hum together and then delivering a capability. If you’re a CISO, you want your systems defended, you don’t have to necessarily buy every single product, every single time and implement it yourself. You can do that both in a cloud infrastructure and you can do it with managed security providers to help you with that. At IronNet we are spending a lot of time figuring out how to take this very highly capable product we built, that was initially designed for the biggest companies in the marketplace and put it into a capability that could be delivered to small and medium-sized businesses. Those businesses really are the engine of the American economy and they’re the ones we need to protect.

What you’re saying essentially is that there may not be pruning of the capabilities but there might be pruning of complexity and that might happen with managed service providers or it might happen with larger product suites that bring everything together?

Exactly right. We’re obviously in a boom time for cybersecurity companies, there’s a lot of money being invested and it’s great for the community. But I think that over time, that capital will slow and you’ll see a natural pruning of capabilities. If and when that day comes, there will also be a lot of interesting intellectual properties and capabilities out there for smart folks to get in and consolidate and bring together some of these capabilities in single platforms.

The next question that happens is about cloud migration. If you look at how much money is being spent on cybersecurity, most of it still is being spent on on premise systems. If you look at the amount of migration to the cloud, you’re having some migration to the cloud of new greenfield development, but how is the migration to the cloud going to relate and be supported or be slowed by cybersecurity?

It’s funny — you and I were talking before we got started about rotary dialed phones. People have comfort in things they know and things they’ve long-used. And so there is a comfort in knowing my data is here, it’s in my datacenter, I can control it, I know where it’s going. At the same time, you think about as we move to this cloud environment, these large cloud companies have every incentive to provide the highest level of security possible for their overall infrastructure, make it resilient, redundant, and not create single points of failure. It’s also in their economic interest to provide robust security around the edges of their platform. Now, all these cloud providers will tell you, “Security is a shared responsibility. We’re responsible for our systems, you’re responsible for your data. We’ve got to figure out how to partner up together and do that.”

There’s nothing they can do about it when they leave S3 buckets open so that people can just look at whatever is in them.

That’s right, exactly. MongoDB database, exactly. At the same time, I think what’s really important to remember is the cloud gives us this ability to leverage scale. You can deliver patches at scale speed in real time to your users in ways that you never could have imagined doing if you had on prem systems, devices that are only operating on their own laptops, people that just don’t come in, don’t log into the system, they don’t update their systems because you’ve tried to push it to them, they just don’t do it. The cloud helps a lot with that kind of thing. You get both extensive sort of infrastructure protection provided by your providers, you have the ability to deliver your own security updates at scale and speed and companies like ours are looking at how to take what we dwith on prem systems or even with cloud with our data analysis at the backend of the cloud and how to apply that in the cloud infrastructure.

The bonus questions I have are difficult issues that people are addressing. The first one is about ops discipline. It seems that most companies would benefit from investing not only in cybersecurity capabilities but improving their operational discipline like better configuration management, patch management, asset inventory, and automation. Yet it seems that while everybody agrees that this is a great idea, it’s not something that is aggressively being pursued. Why is that?

Part of it is it’s hard to manage massive IT systems. In most enterprises, if you asked the CISO, they’d have a hard time telling you with exact detail actually exactly how many devices they own, where they are, what they’re doing and whether they are operating effectively. We’ve seen over the last few years the entrance into the marketplace of some big providers that are offering that capability, know what your assets are, know what they’re doing, and figure out whether they’re operating correctly. A lot of times in our space, we’re looking at devices, we’ll see network traffic coming from a given server which our customers tell us is an email server and it turns out it’s behaving like something else. That’s a common thing, and we alert our customer to that problem and they’re going to go out and deal with that. But if you don’t know what device is supposed to be out there and what it is supposed to be doing, it’s hard. So companies like Qualys, they’re providing this capability. When you’re combining that information with a network threat capability like ours, you combine those capabilities with an understanding of what’s out there on the network and what’s happening out in the deep and dark web space, you can combine all that information, maybe through a managed service provider, maybe working with your cloud service provider who wants to sell you that service, and leverage these capabilities at scale to protect your network better.

Essentially you’re saying that the problem is so hard that the smaller you are, the more you need a managed service provider and the larger you are the more, you just accept it’s going to be a very difficult task and invest in it?

That’s right. That’s why we’ve got to educate boards. We’ve talked for a long time in the cybersecurity community about making sure that at the board level of the company, people understand the threat and are willing to invest the resources in it. The challenge in cybersecurity for most boards is is it’s a cost center. We have to look at it as a systemic threat to industry, whether it’s in the financial services sector or energy or health care — these are things that create systemic risk. This is something that should not necessarily be owned by the CIO but should be owned by the chief risk officer, if not the CEO and COO themselves. And so part of this is an education effort and explaining how these things cut across companies of large scale. We’ve also seen in the threat environment today is a proliferation of threats where you’re not the target but you’re being affected. Like the NotPetya attack. Russia aiming at Ukraine, looking to take out some banking institutions in Ukraine, but the biggest effect though in the hundreds of billions dollar range were felt by American companies across a range of industries — not the intended targets but collateral damage. So even if you as a CISO think, “Well, I’m not a real target of the Russians or the Chinese,” you probably are and you just don’t know it yet. So you need to make sure your board and your managers are educated and they’re treating this at the highest levels of the company.

What advice would you have to CISOs about how to promote a good cybersecurity awareness culture?

You’ve got to make security fun. You’ve got to engage people the way they come to you. You can’t push it on them and expect them to click through the slide deck every six months and think that’s going to do it. One company that we were recently talking to in the oil and gas sector, they had a really innovative idea, I don’t want to name them because I don’t know if they want to be named, but they had an escape room where they taught people about cybersecurity by putting their employees through an escape room scenario where part of it was cybersecurity techniques.

The last question is about cybersecurity insurance. A lot of CISOs, CIOs and CTOs are being forced to buy cybersecurity insurance and it pisses them off. They don’t like the cybersecurity insurance because they feel that it’s bad insurance and has a lot of escape hatches. How can they turn this process from something that’s annoying and feels like a waste of money to one that’s actually productive?

Dave Weinstein at Claroty and I recently wrote an op-ed together about this very issue and how we’re seeing courts actually set the standards for what constitutes an act of war in cyberspace, as we’re watching what’s happening with the NotPetya lawsuits going on out there. You make a good point which is how can CISOs and CIOs turn insurance to their advantage? Insurance employees are going to come in, they’re going to want to assess your cybersecurity capabilities. Normally, you’re thinking, “Man, this is the worst thing. I don’t want these guys coming in and telling me what I need to do better.” But this is an opportunity for you to say, “Okay, where can we improve and let’s buy some coverage,” assuming that the coverage actually works. If you can identify where your vulnerabilities are and buy the insurance targeted to address those areas but then get better and build your capabilities, you can reduce your premiums, increase your limits, and make it more likely that if and when you have to collect that policy you’re going to get paid.