Simplicity Leads to Security: A Podcast with McAfee’s Grant Bourzikas

At RSA 2019 in San Francisco, Dan Woods of the Early Adopter Research Podcast met with a number of cybersecurity leaders. In this interview, he sat down with Grant Bourzikas, the CISO of McAfee, one of the major vendors in the cybersecurity space. They covered Woods’ three major cybersecurity questions for the year, as well as exploring McAfee’s place in the cybersecurity landscape. The conversation included:

* 3:10 – McAfee’s product portfolio
* 6:30 – What does zero trust look like in practice
* 13:00 – Can companies prune their cybersecurity portfolios?
* 20:00 – The importance of using a product the way it was intended to be used

Listen below:

Q&A

Woods: Can you explain your role at McAfee?

Bourzikas: Being the CISO at McAfee, I have three charters. One is what I call the traditional CISO role: protecting and ensuring that McAfee’s security posture is what we expect it to be. The second is providing feedback and using all of our internal McAfee developed products before the rest of all of our customers use them. We call that our One McAfee program and we consider ourselves as customer zero. The third one is: sharing my successes with our customers and giving them best practice models. We also do Fusion Center tours in Plano and Ireland and try to share best practices with many organizations across the world.

McAfee has been known for a long time as an antivirus vendor, but its portfolio is much larger than that. Could you explain the roots of the company quickly and then where your portfolio has ended up in the modern day?

McAfee is one of the largest cybersecurity organizations in the world. We secure enterprises, the corporate environment, and we also secure home users as well. We also work with telcos to help provide security there as well. The global threat intelligence that McAfee has is very powerful. We have over a billion sensors across the world where we can actually give a really good footprint of where the organization is.

By those billion sensors, you mean individual’s PCs and things like that?

It could be a PC. It could be a corporate PC. It could be an intrusion prevention device. Now, with the integration of Skyhigh, it includes the Skyhigh sensors as well.

From a product portfolio, what do you have in terms of capabilities?

Being the device-to-cloud organization is what we’re really targeting and how we’re going to market. McAfee has a long footprint with the antivirus, and I think when we look at the footprint, we believe that the device-to-cloud strategy is the right one because the perimeters are eroding and there’s a lot of migration into the world. When we look at our footprint consumer-wise, like Home Safe and TunnelBear was another acquisition from a VPN that has really helped secure the home networks. And then from a corporate standpoint, we updated loss protection on an endpoint, we have real machine learning, we have artificial intelligence. We have everything that you would expect on an endpoint to secure it, and then as you transverse into the cloud, we have the network capabilities with intrusion protection, the web gateways that secure proxy solutions, and then Skyhigh is an incredible product that is in the CASB market.

Essentially, you have a portfolio of products that spans the device-to-cloud landscape, and then, where you don’t have solutions, I assume you integrate with other people’s solutions and they integrate with yours?

Yes. We also have our SI partnership. That is we have other third parties that integrate with our products. One of the marquee things that McAfee has is the ePolicy Orchestrator, our ePO, which is one of the platforms that manages all of our products. And then we’ve also been able to integrate many parties into that same platform, so it allows customers to manage things a little bit easier versus always having to stand up management infrastructures to support one product.

Now let’s go to my questions. The first is about the idea of zero trust. When you think of zero trust in a pure academic idea, it’s a vision that Google originally put out, recognizing a big change in the cybersecurity landscape, which was that all the mobile devices we have means that the perimeter means a lot less than it used to. The most rational assumption is to assume that we can’t trust anything that is inside the network or outside the network, and once you do that, the whole idea of a perimeter becomes far less important. What does zero trust mean to a small or medium business? What does zero trust mean to an average company?

When we think about the perimeter, it’s historically been, “outside the firewall are bad things and inside the firewall are good things,” and we’ve traditionally done that. And then anything that interacts with the two, we’ve put them into DMZ segmented networks. That philosophy has been in place for a long time and is widely accepted within the security community. As zero trust has come in, it is the direction the industry needs to move to. The idea that the perimeter is dead isn’t exactly true. I think there will always be layers of security that will help a zero trust model, but I do think the concept of implementing and not trusting internal networks is the way organizations should start thinking about it. You always talk about the Tootsie Roll Pop, hard on the outside and soft and gooey in the middle. That’s the way that a lot of the networks have been built. Zero trust takes the concepts in my mind that we traditionally have managed externally internally. We’re not going to trust anything internally. We’re going to have to actually adopt the philosophy. To implement zero trust is a philosophy thing. It is a way that we have to start communicating and getting new thought leadership within the organizations.

Practically, it seems like one move you can make is to make it either multifactor or to make it passwordless where that authentication is stronger or more effective. Then you’ve got device management and protecting the device. That’s an important aspect of this. Then being able to route traffic, when you’re outside of the perimeter, in a way that ensures that you’re as safe as possible when accessing internal resources or cloud resources. Those three things seem to get you a long way towards zero trust. Now you can take the concept too far and expand it. What is you assume every server has been compromised. What would you do then to make sure that every server is clean? Do you reconfigure it? Take it down? Create it from a clean image every day or every week or whatever? What would you add to those basic food groups?

I think that you hit a lot of the key points on this. Authentication is a big one. The different cloud providers, they’re heavily, heavily weighted on identity and access. That is an area that all organizations should be very focused on. Same on the endpoint. All of those are very good things. One of the things that I think is important is there’s a lot of philosophy, but how do we actually take some action with this? I think implementing strong authentication internally and treating your endpoints as secured devices that can’t be connected is the way to go. From an execution standpoint, you really need to understand how applications work. You really have to understand what protocols are going on within your organization. And that’s something that I’ve seen not done very well in most organizations is understanding the footprint of how things connect within the internal network.

That fits into the next question that I have. The idea of portfolios of cybersecurity is something I’ve been very interested in and on Early Adopter Research where we have a research mission called Creating a Balanced Cybersecurity Portfolio. We look at the cybersecurity portfolio using concepts like the NIST Framework and also using ideas from financial portfolio management to try to understand, in each of the buckets that you’ve decided you were going to have a portfolio, what’s enough? And what’s too much? And how do you balance spending to get optimal results across them? And how do you integrate those capabilities that you have? I you do this properly, at some point you should be able to do what I call portfolio pruning. Maybe it’s fewer vendors. Maybe it’s less complexity. Maybe it’s some capabilities you determined, because you understand your network, are no longer needed and you can retire capabilities. But you know what? If you talk to most CISOs, it’s very rare that they retire cybersecurity solutions. So what do you see the prospects are for portfolio pruning to be in the modern world?

That’s an interesting way to look at it, and I will say every organization that I’ve been in, I’ve done that. Everybody’s trying to sell you the next machine learning platform that will solve all of your problems. At the end of the day, I think the things that will get you breached are not going to be the technology. I think they are going to be more around how you actually built your architecture, your infrastructure, your process to support it. A lot of organizations will have 30 different products with 30 different vendors. I think when you start to integrate that type of an environment, it becomes very complex. And then you will start to not optimize products. I met up with a couple other CISOs and we talked about the same thing, which is we buy all of these products but we don’t optimize. We have this great Magic Quadrant from Gartner that everybody says you need to buy in the upper right, but then we would go to implement, we’re so far to the bottom left that we’ve never really optimized the actual products.

Can you give me some examples of how you’ve actually pruned a portfolio?

One of the organizations that I have been involved with had three different antivirus products. And I think that’s a very easy one. Super easy.

I agree that that is pruning, going from multiple vendors to one vendor, and that’s one thing that I have seen people do. But the more interesting part of pruning would be to be able to eliminate capabilities completely. So what other types of pruning have you done?

That’s the big one. I think the other one is there are also tools that will help you manage a firewall. Trying to simplify the environment from a management perspective is another one. How do I get control over how I’m managing the environment?

You can change the infrastructure to reflect your security desires?

Yes. And then really look at the capabilities. Everybody has the ability to do network access control. To your point on zero trust, the other one that I would have said is network access control and making sure you understand what assets are in the network becomes very important. Simplification that reduces complexity increases security.

When you buy a product, you should implement it to its fullest capabilities and its viewpoint. That’s the real key to understanding an enterprise software product in general and using it effectively is using it to the way that it was intended to be used. You might have to adapt either the way you work to the product or the product to the way you work in some ways, but if that fit isn’t there, you really are not going to get a lot of value out of that product. So how do you go about understanding the viewpoint and making sure you’re not having a screwdriver be a hammer?

It’s something that the technology world has dealt with for a long time. If you take the big financial system implementations, the Oracles, the SAPs, and you think about it from an accounting or finance perspective, what you see is that we’re always told not to customize things. So many organizations, years ago, customized their big implementations and then, when they upgraded, they became this monster. Even in the security world, we’re doing the same thing. We’re trying to fit a tool into our existing process versus really looking at how our process can be adapted using the tools. Ideally, you get tools that are congruent and compatible with your idea of a best practice.

How is the migration to the cloud going to affect the way CISOs have to do their jobs? What type of security will move to the cloud? How will cybersecurity change as more and more applications and assets become cloud-oriented?

Two things are very important. The first is that CISOs have to lead an organization. At the end of the day, we have to be leaders. We’re not technicians. We are business leaders that have to help business achieve the results and the outcomes that they’re looking for. Being able to articulate the risk and the challenges that are there from a security standpoint, as simple as leaving an S3 bucket open, becomes very valuable with how it is. The second one is diversity. We have to think differently about the problem than we’ve historically done. So if we have the concept and the mindset that we need a firewall and a DMZ and a NAT rule and all of these things to work and not adopt and really change our approach to the cloud, I think we’ll end up failing as well. So I think bringing in and having that different thought process to go to the cloud becomes important.