The New CISO Podcast Episode 60: Invest in People as Much as Tools
Podcast Transcript | Air Date October 21, 2021
Steve: From Exabeam, this is The New CISO, a show about the people who lead IT security teams, the challenges they face, and how they overcome them. If you like what you hear, please rate, review and subscribe to hear our new episodes first.
Steve: Luk, thank you so much for being on the show. If you would, for the uninitiated, introduce yourself. Who are you, and where do you work, and what do you do?
Luk: All right. So my pleasure, and then thanks for having me. My name is Luk Schoonaert. I am the CISO for Exclusive Networks, so we are a value distributor focusing on emerging technology, basically. We have offices worldwide, and I just got new into the role as CISO, so it’s a pretty exciting time for me.
Steve: How long have you been CISO now, Luk?
Luk: Officially, about two months. I started a little bit before I actually officially got the role. So, yeah, I’d say two or three months, yeah.
Steve: So how long were you doing the work before you got the title?
Luk: Just a month and a half, but I always got involved also in some of the security stuff, if they needed help, here and there. I am based in Belgium, right? But I always got involved in some of the other countries, so that’s probably one of the reasons that I got the job offer eventually, so…
Steve: So you have had a long career. You are not new to information security. And I think those that know you, or who have seen you work would say that you are much more on the technical side. What was your career like, if you could explain it to us, for those that are new? What was your career like before right now?
Luk: I’ve been in security for I think almost 25 years. I think even before it was called cyber. I left school and I started working for, back in the day, EDS, which later became HP. I kind of, early on, figured out that I didn’t really like working in such large environments. It wasn’t really my thing. I didn’t feel the impact. So I went to work for very small companies, for startups. Worked for a Canadian company, then worked for a European firewall vendor, because I was really into security, and I was like, “If I can get to a security vendor then I’m at the source of all the real stuff.”
Luk: And then I worked my way through that, and I joined IronPort, when IronPort was very small still, 2005, as a pre-sales engineer, and spent four, five years building the business in Benelux, together with my long-term salesperson and then also mentor, Kris Van Den Bergh. So we did that and we got acquired by Cisco, and I think I had a brief stint at McAfee, which got acquired by a whole bunch of companies just after I joined. And then I ended up back again with Kris actually, who said, “Why don’t you come and work for Exclusive Networks. We’re doing all this cool stuff with new vendors,” and I decided to do that, and I joined as a pre-sales and went up to pre-sales manager, director of technology, and then now in the last few months, in the CISO role.
Steve: So that’s also a very different… You know when you take on a CISO role in most organizations, that’s a very internally focused position, and you’ve had that in the past, but for a while you had kind of more upfront, you know, consulting, implementation, educational positions. How are you managing the difference between those positions? Because one of them is sort of more outwardly and social focused, and this is at least partially, or a good component of it is going to be internal. How do you balance that? How are you adjusting to that, or is there anything that you’re recognizing about yourself now that you’ve had this change?
Luk: Oh yeah. It’s a big challenge personally for me, because I’ve always been a very technical, hands-on kind of guy, and very result-oriented, and probably like a one-man army kind of thing, because working for startups there is no big framework around you, right? You just need to make sure everything happens, and getting into like a, let’s say, C-level position like the CISO now, for me the really big challenge is stakeholder management and also how do I communicate to my management, right? Because I can’t go into really technical stuff, and that’s not really the concern typically, I think, of the board. They are looking at what’s the business risk. And how you translate that, and how do you get your point across, and for me that, I think, is where my biggest learning curve is. I mean, I’m a very direct communicator and so that’s… For me to kind of learn, like, “How does this work?” And that’s something pretty interesting for me.
Luk: And on the other side is also, when you’ve been pitching products and you’ve been installing products, you’re basically… You have a problem, you get the problem solved, and you move on, and you don’t really see afterwards what happens, and you don’t really look at the integrations and so on. You’re just there to do this one specific thing.
Luk: So with the CISO role, this is a much broader kind of approach, and you also run into like the reality sometimes of things. When you work for a vendor, you go and pitch a solution. You have this mission like, “I’m going to sell this to you,” right, and you don’t see it from their point of view. You don’t understand, look, probably this person I’m talking to, this CISO, that’s my champion, right? I need to help him. If he is interested in my product, I need to help him to kind of sell that inside his environment, and inside of his company. And that’s something that I start realizing a lot more. It’s not as simple as you think when you’re just more of a sales oriented position.
Steve: You covered a lot there, and I think that I want to go back in a little bit into some of the areas that you’re identifying that you need to improve on, or that you’re interested in getting good at, which is back in how do you manage stakeholders and how do you communicate with management. We’re going to get there.
Steve: But one of the things I think you also noted that I really enjoy, and everybody misses this, especially on the vendor side, is… And you hit it right on the head. You have to make sure that you equip the buyer, especially the advocate, but really they’re all advocates, that how do they… How can you teach them to sell internally? How do you help them with the challenges of influence and cooperation that they have when they’re trying to make change inside their company? What is it that you leave with them that is a picture, or a number, or a graph, or a story, that allows them to get the job done more quickly, which ultimately allows them to make the decisions they need to, to get the funding they need to.
Steve: And I think that the cool thing, I think, and you’ve realized this, is now that you’re in this CISO position you’re realizing that, and I think it’s going to make you better at sort of both, no matter what you’re doing, right? No matter what you’re involved in, you’re going to see it from sort of both sides. I want to call that out for the listener. The listeners that work for vendors, and the listeners that work as sort of defenders in traditional networks. Is there any more that you want to add to that? Because I think it’s super important to highlight.
Luk: I think it starts with listening, right? So, I see very often… I’ve probably been part of that as well. When you’re working on the vendor side of things you need to sell, and you go in, and you go into the meeting, and you start going through your slide deck, and you just talk and talk and talk and talk. And one of the things is like, first listen, and ask the right questions. And from my experience, talking with CISOs, and talking with large integrators, they’re not necessarily interested in the feature set of your product. They have a specific problem they are trying to solve.
Luk: And more and more, and especially in the last whatever, five or ten years, it’s more about the whole feature set, yes, everybody kind of has these features, but how well can you integrate what I already have? And that’s something that for me as a CISO is also super important. Like, you can have the coolest technology, but if I can’t integrate it into my SOC, into my data lake, or in my other tool sets, then I’m probably not going to continue. And I think that’s one important aspect, is first have a conversation, and really listen to what are they trying to accomplish, and then adjust your pitch to that, and don’t start going on and on and on about your standards, features, and your slide deck, and so on. So I think that’s an important one.
Luk: And I also try to understand what their process is, right? So who approves what? What kind of other things are you looking at? What are the projects that you are currently working on? So to get a better understanding of the big picture.
Steve: I recently had a great conversation with a CISO out east, and she was fantastic. She was talking about kind of where they were, and of course I was there representing Exabeam, but we spent the whole hour actually talking about the big picture of what she had to get done. And I gave my opinion on kind of the order of how I would approach it, and listened and gave advice from my own experiences, and we really spent very little time talking about product, but you could tell that she was genuinely appreciative of the time. She’s like, this has really been kind of the highlight of her day, is what she noted, and I was very proud of that.
Steve: And I think that if you sit and just slow down a little bit and ask questions, people appreciate that. And if they’re sincere, and you give sort of high candor and sincere feedback, I think that’s a pretty rare thing these days. People are pretty receptive to that, I think. It’s a good skill to hone in on.
Luk: I think it’s a mindset, right? Like when I used to be more in the pre-sales function, I had a personal pride kind of thing that’s, if I see that the product that I’m trying to pitch is not a good fit, I’m probably going to tell you that, which probably didn’t make my sales guy happy, but I was like, “If you’re going to buy something from us, and I know that’s really not going to work, well you’re not going to be happy, and we’re going to have an unhappy customer, and again, the bigger picture, maybe next year you work somewhere else, or I work somewhere else, and I don’t want to blow up the relationship just because I want to bring in a commission check.”
Luk: So I’ve always tried to be pretty transparent about like, “This is what we can and cannot do, and probably, maybe in this case this is not a good match for you guys,” and trying to have some credibility, and not just trying to push it anyhow. And I think that’s an important one, and long term people will respect that and say, “Okay, this thing wasn’t for us, but we appreciate that at least you were honest about it.”
Steve: Yep. People appreciate candor, and I think they look for any type of opportunity to interact. People are looking for help. People are… And you don’t want to damage, or make them nervous about interacting with you, no matter who you represent. And that’s good for your brand and for the brand that you’re representative of.
Steve: You told me something earlier, when I was kind of asking you… We spoke before this show. That you were very technical, you were focusing on attacks, but you noticed something, that you were running into other issues, issues that weren’t technical, and that I think is a key to kind of this next phase of your career, now becoming a CISO. Now you’re sort of reflecting on, “Okay, what do I need to prepare more for?” I want to go back to stakeholder management, and communication with management. How are you fixing that? How do you shift from technical explanations to business explanations in terms of what you’re trying to do?
Luk: I tend to, very often, compare cybersecurity to the real life kind of security. So if you talk about prevention based technologies, I would say like, “Okay, you have an airport, and in that airport maybe you have police and they check everybody. You have scanners that scan if you have devices on you. And that’s kind of like prevention based technology. If we look at something like user behavior analytics, that would be in an airport they have cameras, and they can identify by the behavior of how people walk and how they act, that there might be something going on.” So I very often try to make that link to something people can relate to.
Luk: Another example is when people say, “Well, but I have a firewall. Why do I need XYZ other security solution?” I’m going to be like, “Well, you have a front door, right? Why do you have a key on the front door? Because you don’t want everybody to walk in. Well what if they get in through a window? Then that’s why you have a security system, or a video camera. It’s not a prevention thing, because they still get in, but the window in which they have the opportunity to do something is going to significantly decrease.” It’s these kinds of analogies that I try to use by saying, “Why do you need certain things?” And try to make that link to real life.
Steve: So in that vein though, on an ongoing manner, how do you think… And you may still be figuring this out. I think everyone still is, no matter how long they’ve been doing this. You’re explaining concepts there. What do you think that a CISO operationally should discuss or report on to, you know, you mentioned the board, you mentioned other stakeholders and other sort of executive management. How do you want to represent your program? Sort of in words, or verbally, or in a graph, or… How are you figuring that out, right? You’re sort of starting out, so what is it that you’re doing there, and what’s working and what’s not?
Luk: For me, I see my role really as there for the business to do their thing, right? Security by itself is not the core… Well, we are actually a distributor of security solutions, but let’s say I work for a cookie company, security is not what they sell. So whatever I do is to enable the business to do that in a secure way, so that there’s no dramas. All right?
Luk: I think that to understand that part, how can I explain that we need to have certain processes or certain technologies or whatever? How does that translate into enabling the business to sell more, or to grow more, or to transact more safely? And I think that’s the very difficult part, right? It’s because there’s two different languages that are being spoken. There’s a business language and there’s a more technical aspect. And the thing with cyber, is it very easily goes into these concepts that are sometimes very abstract, like [inaudible] I’ve been doing it for 25 years. It all makes sense.
Luk: But if my car breaks, I have no clue what to do. I just call somebody, and I say like, “My car doesn’t work.” And they start asking me all these technical questions. I’m like, “Look, I don’t care. I don’t want to answer the questions. Just go to my car and fix it.” I think that’s what a lot of people have with computers, and with security. It’s a tool they use, and if it doesn’t work, somebody please come and fix it, but I don’t need to know the whole technical mumbo-jumbo, and how you fixed that and whatnot, as long as it’s fixed. And I think that’s with security definitely the case. Like, how good are we in security? What if we were to have this type of attack? Would we survive that? Would we be able to respond to that? And that’s always a very tough one to measure, right? How good are you against a ransomware attack? Yeah, let’s try it out, right?
Steve: I think there’s more interest these days. I think there’s still a fair amount of ignorance amongst executive leadership on what is security. I think there’s still a fair amount of ignorance amongst CISOs, that are still struggling with how to articulate this gap between their knowledge or indifference of the executive, and sort of the translation that has to happen for a connection to be made of general concepts, and then weighing that against sort of what you’re seeing on the news.
Steve: You know, you mentioned ransomware. That’s now showing up on the nightly news, where… We’ve had failed intrusion detections for 25 years and no-one cared. No-one gave a damn. And now we have ransomware, which is just a continuation of another type of failed intrusion, detection of that intrusion, and now it’s the news, because it sort of detects itself, right? It’s sort of disruptive, and it stops a business, and it detects itself. It lets you know that it’s there. And so there’s a little more interest in it.
Steve: I struggle sometimes because I think many businesses, they say they’re interested in security, but they still don’t want to really understand it. And I see that a lot in many companies, where they’re just doing sort of the minimum. And I think we dumb it down too much, in many ways. So I think there needs to be a bit of education on both sides, is my opinion at this point.
Luk: Yeah, I think there’s a combination of things. If you go 10, 15 years back, you’re talking about advanced persistent threats, like the FireEye stuff. But try to explain that to somebody. Like there is something or somebody in your network, but you don’t see them, or they might or might not be there. It’s very abstract, right? It’s like, try to explain a DDoS attack if you’ve never experienced one. So this makes it very abstract to understand what the risk is. I think it’s kind of a sword that cuts on both ends with the ransomware attacks that we have been seeing, in what, the last 5, 6, 7 years? That it’s creating a lot of havoc, but it’s also in your face, and it has real consequences, so it raises the awareness.
Luk: And I think on the dumbing down part, again linking it to real life, first of all, the first time you see that in the news, everybody is in shock. And the second time you are a little bit in shock. And the third time it better be bigger than the first two or nobody cares anymore. This is like when you see… I don’t know, there’s like a hurricane somewhere, and you see that everyday on the news. You just numb down eventually about these things.
Luk: And I think that happens also in our industry, and then with media going like, “Oh, this was a very advanced attack,” while if you’re a little bit technical you know there was nothing advanced about this attack. Most of the ransomware attacks are not advanced at all. It’s baby stuff, as I call it. So there is a lot of this fear-mongering, and then too much of the same news without really any kind of in depth analysis of it. Like, another ransomware attack. Okay, yeah, another one, another one.
Luk: And on the other side, companies that are struggling to deal with this because there’s an enormous shortage in qualified people. If you start talking about incident response, or SOC engineers, these are very specialized people that are very hard to find, and if you bake cookies, where are you going to find these people, and even if you can afford to build your own SOC and get these people on board, how long are they going to stay interested? How many incidents are they going to deal with? So it’s a very, very hard problem to solve, and it’s what we see in the market as well, with Exclusive Networks. There’s an enormous shortage in knowledge and especially with professional services and integrating.
Luk: And now the… Obviously as in Europe it’s a little bit too late, right? But companies moving into the cloud and how do these things now work in the cloud? And which new security holes do we open up? And it’s not that much about a silver bullet solution anymore. It’s really about how do we actually architect this properly, and integrate these things, because the attacks are getting more complex as well. We need to integrate different kinds of things together, and then have people that, if they look at it, actually know, “Okay, this is bad, and we need to respond this or this way.” It’s a very tough one.
Steve: You mentioned something that I’ve seen, where people are sort of on this, some may say, digital transformation. Other times it’s just sort of forklifting their data center to the cloud. But whichever it is, or some combination of the two, in many cases the security team is left behind. Whether it’s their fault or not is immaterial in this discussion. But something happens, and they figure out that they’re less able to see, and less able to act, because they haven’t done anything to kind of go along with it.
Steve: So they have less visibility, they have less ability to respond. You know, they don’t have the ability to pull forensic information, or sometimes they’re missing logs, or sometimes aren’t even aware that a shift to the cloud has happened. And having talent to interface with that, to architect and to programmatically design and operate a SOC, as that change is happening, that’s a lot of extra help that’s required, and so there’s a lot of organizations I see that are getting… That aren’t thinking about it, and they’re not planning ahead for it, and they’re getting caught flat-footed. They’re having bad mistakes. And some of them don’t even know they’ve had a mistake. They don’t even know they’ve had a breach, or a loss of data, until it’s too late.
Luk: Yeah. Yeah, especially with the cloud adoption. When you go 20 years back and everything is in your own data center, and you know nothing can get to your RDP servers unless you open it up, and it’s all very controlled. And now it moves into the cloud and companies don’t even know… Somebody reconfigures something in the cloud, they don’t even know that somebody opened up like RDP to the public internet. Even look at Office 365, Azure, AWS, they have tons and tons and tons of features and functionalities, but you do have to go in there, and properly configure them, not just on the functionality, but on the security as well. And otherwise this is what you read about very often, right? There was open databases, or Amazon buckets. I forget.
Steve: S3s, yeah.
Luk: S3 buckets, yeah. So there’s these open S3 buckets, and the customer’s completely unaware, right? It’s the default configuration. We figure if we move it into the cloud, then it’s going to be properly configured. The visibility with moving into the cloud disappears completely for most enterprises. Like if you have an Exchange server on premise and something happens, at least you have your logs on premise. If that’s running in the cloud, and you’re not doing anything with those Exchange logs, you’re not pulling them in somewhere, you have no clue what’s going on, and you cannot just go and say, “I need the logs now.” It becomes something you need to think about beforehand.
Luk: And tech security historically has always been this bolt-on thing. Like, we’ll first get it running, and then we’ll secure it. And with the cloud it’s like well now you’re probably exposing a whole bunch of things you didn’t expose before, which means that your security should be there from the start. And it’s a mind shift right? And it’s not an easy thing. I think this is where, when you say, “We’re going to do a cloud migration. Well, we’re going to have to assign budget for the security, and involve the security team, and that makes it more expensive right, so maybe we should do that next year when we have budget to do that.” That’s what I think a lot of companies are going through.
Steve: I think it’s a great opportunity for many organizations, and can be a great one, especially for security, but to your point, you’ve got to get ahead of it, and it’s almost like running two programs for a period of time. Because you’ve got to… You’ve not only have to retool some of your capabilities on the technical side, but you’ve got to retool or uplevel, upskill some of your security, your technicians and security staff to give them time to sort of rethink, retool, to say, “Hey, how am I going to capture visibility? What are the attacks that happen here? What does an attack look like that’s cloud specific or hybrid? What does adversary behavior look like in this example? How are credentials used in this environment?” Rather than… Again, “What is the flavor of lateral movement in the cloud? How are points of federation attacked?” All these things. And then, “How do I capture that? How do I view that? How do I know what normal looks like in these environments?”
Steve: It’s all very important. And if you’re behind that, you’re really going to be behind. And you mentioned bolt-on. You can’t afford to bolt on in that world. But I think long term, there’s… If you can sort of trust whoever the vendors are to kind of manage the ping, power, pipe, and maybe some of the OS, and so you can focus more on the app, there’s a lot of really cool things that can be done, a lot of great intelligence that can be extracted, and you can free up more time to do other, more high angle work, in theory. There’s a payoff in the future that can happen for all of us. I don’t know that we’re all seeing it quite yet, or at least security teams are still sort of… most of them are catching up still.
Luk: Yeah, you know, they say security is a journey, right? It’s not a destination. And some of the things you just mentioned, if you have an incident in your cloud environment, how do I take a packet capture? Is it even supported in that cloud environment? How do I do a memory dump? Like, the things I used to do in my own environment, all of a sudden they don’t work anymore. And I think this is where people and process sometimes gets forgotten, and training gets forgotten, because tools don’t really solve the problem if the people that are looking at the tools don’t know how they behave in a different environment, or how to operate them.
Luk: And I think the mindset of, “I just put really good technology in my network and I’ll be safe,” still comes from the safe, 10 years plus ago, where it was like, “prevention, prevention, prevention. Buy my product and we are going to block everything.” And that’s again, I think, something that I think people are now realizing, well that’s not really true, right? We’re seeing enough of this stuff, and all these companies had all these tools, and still it wasn’t prevented, so we need to have something else than prevention. And then you have to look at it, and you need to know what that means, that you’re looking at.
Steve: I think with anything that you make an investment in… And that’s a question I raise to many CISOs, or at least a point that I make, where you’re going to get out of… Whatever you buy, you’re going to get out of it what you put in, and if you’re having shelfware, things that are under-deployed, or installed but not maintained, if you’re not worried about the hygiene, and the interaction of the inputs and outputs, sort of the outcomes with this, you’re going to have a largely ineffective program. If you own it, you need to sort of work to maintain it, and that’s a partnership with a vendor.
Steve: But really it starts with your expectation before you even buy the platform, and it’s an expectation for the staff to say, “You know, look, this is something that needs care and feeding.” Not unlike any other tool or platform that you’d have in the physical world, right? You can’t have equipment that’s not maintained, that you’re not looking after. It just doesn’t work. And so I think we miss that often as well, and I see a lot of people, that they’re looking for this… I don’t know if they have it. These sort of Easy-Bake Oven. It was like this little kids’ toy with a light-bulb in it, and you could cook bread in it, or brownies or whatever, and it’s simple. Nothing is that simple. And that’s one of my other sort of pet peeves that I see, both in my current role and my prior.
Luk: Yeah. For me it all comes down to investment. If you invest in the tools, you also should invest in the people and the training of the people.
Luk: Because otherwise your investment is not going to really bring any return. And I think additionally, what I see with a lot of companies that I work with, the skills shortage means that there’s not enough people, so they get completely overwhelmed, and they’re trying to extinguish fires all over the place. They don’t get the time to really fix the root causes, let alone to go on training, and you get in a vicious circle, right? And it’s hard to get out of, I think, to say, “Okay, we’re going to let this thing burn now, and take some time to structurally change something in the environment.” It takes, I think, quite some courage to do that, and depending on what is burning, right? If there’s a business process down, you can’t say, “Well no, we’re basically now doing something else that’s going to be good in one year from now.” Yeah, you can’t. You can’t do business anymore.
Steve: That is a tough one. You have to… I have said this to a lot of people and I did this myself for many years, is if you’re starting out especially as a new CISO, my statement is… Or a new team lead, anything, is pick one thing you want to do and do that well. So try to figure out what’s your quick win going to be? What’s the capability? What’s sort of phase one of this capability you want to create? Do that and get that right, for everything, for the esprit de corps, for you to call your own shots, sort of get credit, celebrate that, rather than doing 10 things very poorly. And that’s just a sort of a personal choice, but I think it also has a lot of sort of leadership merit as well, where I’ve had success with it in the past.
Steve: One thing I want to go back into… You and I spoke about something cool that you have personally done and helped build at your current employer, and it’s not part of your new CISO role, but it’s certainly something interesting that your company has done that you’ve helped build, and I think people would find it interesting. You helped build a Threat Hunting Academy. And I guess to start off, everyone has a different definition of threat hunting, but what is specifically the Threat Hunting Academy and what are you hopeful that it’s… Is it an educational piece? Is it a technology testing platform? Is it… Why build a threat hunting academy, and what are your early observations of it?
Luk: Yeah, so I find it a pretty funny story in a way, but at Exclusive Networks we are always like on the bleeding edge of new technology, right? We started with Exabeam for example, I think 6, 7 years ago almost. Vendors like SentinelOne, FireEye back in the day, Palo Alto, when all these companies were very small, so we were always on the bleeding edge, and when you do that it means that you’re ahead of the market, right? Most people, and I think there’s a difference in the European markets and then the markets in the States for example. With what I see over here very often is people are very connected with the technology that they bought like five years ago. It’s like, “I am using this specific product and I don’t want to ever leave it. It’s my baby.”
Luk: And so when you come with this, you see these new problems emerging, and you see how the powers that be don’t deal with that properly. And you say, “Well, we have this new vendor that really deals with this problem,” as an evangelization thing, as an educational thing. And what we used to do is we gave workshops, right, and well, typically when you just talk about the product, you get the pushback like, “Oh, vendor XYZ actually, they block that.” And we would go like, “No, they don’t.” And you’d get into this yes no discussion, right? And the person doesn’t want to change his mind.
Luk: So we said like, “That doesn’t work. Why don’t we show how we breach a company? We’ll show people how it’s done.” Not on a real company, of course, but we set up a lab environment that looked like a real environment, and we really showed, without using any malware or any exploits, how we would get in, how we would move around in the environment, how we would do privilege escalation, and just visually show them. Most people have never seen an attack happen, and you never get to see the attack from the attacker’s point of view, so we would have both points of view. We would have the attacker on one side, and then we would see on the, say on the victim’s side, what’s happening there. Typically you don’t see anything on that side.
Luk: And then we would go into… We would ask the question, “So, how would your… whatever product, legacy product… How would it detect this?” And you would see people go like, “Yeah, we can’t do that.” So we were trying to, by showing it, how it happened, that they understand. Like, “You don’t have to believe us, but please tell me how your product can deal with that. Because I didn’t use any virus, I didn’t use any files even, so there’s nothing that can trigger on this.”
Luk: And we got feedback. People really liked that. They were very successful. And then people said, "Well, this is really cool, but we would like to do that hands-on." So we said, "How are we going to deal with that?" And we had to go into older automation stuff, Terraform [inaudible], because we said, "Well, let's build this in the cloud so we can put up the environment for a class." So as we learn all of these things, and again, security people can't just stay in the security silo anymore. We built a two-day training that's called the Threat Hunting Academy, where we took those things on board.
Luk: And what I learned from a lot of trainings I followed, you go on a training for, let's say, Elastic, or you go on a training for, let's say, detection engineering, it's always very specific to that one thing. Like if you go for detection engineering, you get a data lake full of all the relevant data that you need, and they explain to you how to build detections, but you don't understand the pipeline. You don't understand where the data came from, and why that data is important, and so on. And so when we built the training we said, "Well, I think it's important for a SOC analyst, or an incident responder, or a reverse engineer, or anybody in security to understand the architecture of what data do I need? Why do I need that data? How do I collect that data? How do I get that centralized?"
Luk: Typically when you build a SOC you need to have data, so we focused the first day on building a complete SOC infrastructure, and this is completely on open-source stuff. This is not a vendor-based workshop. We don't talk about vendors, and we don't teach training on products.
Luk: So once they have built that whole pipeline, so they understand where the logs come from and how that flows, the second day we go into the attacks. So we explain, we take a specific kill chain, the most used techniques like recon techniques or lateral movement, privilege escalation techniques. All of them basically fileless stuff, so we're not using malware, just using PowerShell. We're using whatever's available, living off the land. And we explain how these attacks work. We use the MITRE framework as a reference. How they work, we let the students perform these attacks on their environment, and then we go and explain how we can go about detecting this, and that brings everything together, right, because they also now know where that data came from, and if they don't see something, they know, "Oh, well, maybe there's a problem with my endpoint, or there's a problem somewhere in the middle."
Luk: And that was the idea behind that, so that people really get a better idea of, "Hey, all these attacks that are getting through my legacy security solutions, that seem to be so mysterious and impossible to detect, they're actually not that hard to detect if you know how to architect something like that, and if you know what to look for." And that was the whole idea. Again, it's a very high-level educational thing. It's very technical, but it's not about like, "How do I configure my firewall? How do I configure… whatever product you have." It's more that all these products work that way, right? Any SIEM vendor does the same thing. They have a different GUI, they have different features, but on the back end there are the same components.
Steve: I think that many people also need help with after… They don't know how an attack happens. They're not familiar or comfortable with that, and oftentimes there are assumptions made that the big investments that they've made in tooling, or their internal process… They're just making an assumption that they will see that, whatever that bad thing is, whatever that intrusion is. So illuminating that, and saying, "Hey, here's what is actually happening," but then also letting them know that they may lack a capability.
Steve: And that’s what I like to talk a lot about, is say, “Hey, do you have the ability to detect lateral movement in your environment, in the variety of ways that it can happen?” I don’t remember MITRE, but how many… I think it’s like 15 or 16 or 17 different TTPs it related into, including PowerShell and stolen credentials and other things. But many organizations have no way to tap into, maybe any of those to say… But they believe they’re in good shape.
Steve: We used to do The State of the SOC Report where most organizations thought they could detect an advanced attack, but most of them didn’t have… They said they could only see… Those same people said they could only see at max 40% of their environment in terms of visibility. So it’s like there’s this assumption that you’re better than you really are. But I think it takes things like this Threat Hunting Academy to kind of illuminate that for most teams.
Luk: And a lot of vendors depend on technology to fix their problem, and a lot of the problems arise from misconfiguration or lack of coverage. If I deploy the same EDR solution, I buy a bunch of licenses and I tell my IT staff, "Deploy this." Okay, so is it deployed everywhere? How do you know? Because if you miss 10%, now you have a problem. You think you're covered, but you still have a big, big attack surface. I think it's this… It's not about implementing something, but it's also about validating. Like, is this now actually doing what it's supposed to do?
Luk: That’s also part of the Threat Hunting Academy. We also go into the validation. Like, if you have built a specific detection, and we’re still doing the manual kind of detections that we talk about, where machine learning and artificial intelligence, if you can call it that, comes in and actually can elevate that to the next level, to reduce noise and false positives and alert fatigue.
Luk: But I think it’s important to test that solution, right? You implement something, well maybe a month in, let’s run a few tests and see if all these use cases, if they still trigger, because there might be somewhere a component that is no, not sending logs anymore, or that’s not functioning anymore, and we don’t know about it.
Luk: And it’s similar with… Oh, when I was little administrator, like I was really young and we had backup tapes, and we’d be making backups. And when I arrived in a company, one of the first thing I ask is I say, “Have you ever tried to restore a backup?” And they’re like, “What do you mean? We’re making backups every week.” I’m like, “Let’s try to restore one.” It’s like, I think 8 out of 10 tapes were broken, and it’s just like, architect, implement and validate, and then see where you can improve, and where you have blind spots and then do it again, test it again, and that’s a continuous thing, right?
Steve: I couldn’t have said it better. Back to detection logic. Your environment changes, people make mistakes, people make assumptions. Perform some sort of adversary simulation in your environment, and then see what can be detected. It’s an ongoing effort, that’s… In some organizations we were doing it monthly, to assert these assumptions, and then also have feedback loop from our threat hunting program, to say “Hey, there’s…” To ask… You’re effectively asking, “What if?” or, “Could this thing happen? And what do I see? What is beyond my commodity controls of detection? Let’s make an assumption and then test it to validate it.” Super important. I would implore anyone that’s listening to consider adding that to what you do. Just ask, and start to develop a program if you don’t already. It’s adversary simulation, threat hunting, fantastic things, but make sure you get it right and define it specifically, and then look for ways that you can sort of speed up the answers related to it.
Luk: Yeah. It’s a good point. Adversary… I’m not a big fan of pen testing for example. I think honestly it’s useless. Like, okay, let’s scan a network. Here’s your vulnerabilities, here’s a report. See you next year. But when you start talking about adversary simulation, this is more to the real life kind of attacks that happen, right? They’re going to behave like an attacker within the environment, so that you get a lot more value out of it.
Luk: I think the problem with that is that these are expensive exercises if people are doing it, and you might do that once a year, or twice a year. And then again, depending on what your infrastructure looks like, if you have like 80 locations then you can't do 80 of those. So there are limitations to what you can do with that.
Luk: And networks and infrastructure are fluid nowadays. Things change constantly, like I'm migrating our Exchange to the cloud, so now all my use cases for Exchange don't work anymore, so there's all this stuff going on, but there's also new technology out there that does this kind of adversary simulation, where you can say, well, it works with an agent, you give it a campaign, and you can run that campaign on a weekly basis.
Luk: And I find those things are, for me, I find very interesting, because like, the number one question typically that companies get from their board is, "How good are we at security compared to other ones?" If you do this continuous pen testing, or adversary simulation, then that actually shows you. Like, "We did a ransomware kill chain here, your firewall detected this, and your EDR detected and blocked that, but in your data lake you didn't see that show up." It actually gives you a pretty good idea of how good you would be against something like that.
Luk: And then if you have to test, let's say… Or if you have to look at where do I go make new investments, at least you have an idea, like, "We have a blind spot there." And then at the next level you can say, "Instead of just buying something, or doing a proof of concept, well, I can actually do two or three proofs of concept. I have this continuous adversary simulation running, and I can very quickly identify what technology is bringing me to a higher level."
Luk: And you get a much more objective judgment also, to go and defend that to the business. Like, “Why are we selecting this? Well, look, we did three tests, and this is what came out of it, and this is how much each solution costs, and this is the one that we think… You know, we have numbers actually behind this, that show that in our environment this had better results.”
Luk: So I’m a big fan of those kind of technologies. There’s a bunch of vendors now in the market space, and it’s still pretty new, but I do think there’s… Not just for security, but also translating that technical aspect to the business, right? Say, “Well, we actually have something that can show you a graph on where we were and where we are now.” So I find that really interesting.
Steve: It’s a measure of efficacy versus just maturity, and it allows you to tell a story, and within that story you can talk about strengths and weaknesses, opportunities for improvement, investments, and it also shows, it allows you to confidently answer, to say, “You know, this is how good I think we are, and here’s validation that supports my assertion. That we are in fact able to see these kinds of problems, but are unable to see these others.” And I think that’s…
Steve: One last thing I’ll state. It doesn’t always have to be an outside group, and I share… Pen testing is a product of compliance and it’s usually nonsense. You need to do things, just for the listener, that actually lead to what I would consider end point or credential compromise. If it’s not doing that, it’s not worth your time for what we’re discussing, what Luk and I are talking about. And if you get advanced enough, or at least in the middle, you can sort of run these on your own if you’re skilled enough, but sometimes you need outside help.
Steve: Luk, I’ve got a ton more questions for you, but we’re about out of time. I want to give you a chance… We close the show on the same question each time. You, as a new CISO, pursuant to the name of the show, The New CISO, what does that mean to you?
Luk: Personally, it’s a really, really exciting experience for me, because I’ve been implementing security solutions for a very long time, and being able now to implement that in my own company, and drive that into a certain direction and say, “I think this is the way we should go with this. Let’s not build a SOC that’s based on technology from 20 years ago, but let’s build this the right way now.” And having that impact, and making sure that Exclusive as a company can transact in a secure way with our vendors, with our partners, that’s something that is really, really important to me. I take it really, really serious. That’s my…
Luk: For me the key role is like, we need to be on top of things. We are a security distributor ourselves. We distribute the most high-end, emerging, new companies and we implement them ourselves, and we make sure that we have the in-house knowledge on these products, and I think that's the story to tell here, is like, we dare to kind of evangelize the market, and show there are solutions for these things, and we are actually doing them ourselves, and we see the results. I find that really, really interesting, to have that kind of impact in my own company.
Steve: Yeah, that’s an excellent point. You’re sort of proving your own actions. And Luk, you get to be the point, the leader of that, which is special. Thank you so much for your time today. I’ve enjoyed having you on the show, and I hope to have a chat again soon. Thanks again so much.
Luk: Thanks for having me. That was fun.
Steve: That’s it for this episode of The New CISO. Thank you for listening. Check out more episodes on exabeam.com/podcast, and remember to rate, review and subscribe to get brand new episodes first.