Security’s Dirty Little Secret: The Conservation of Complexity

Posted on in Presentations

Security is in a vicious cycle of incrementalism. Breach, fix. New attack, new product. Rinse, repeat. We need to break these old habits fast because risk and security complexity have run amok. How can CISOs and security teams get a clean slate and move forward? Join Forcepoint CEO Manny Rivelo for a fresh approach to accelerating business based on simplifying security in the digital enterprise.

Video Transcript

>> ANNOUNCER:  Please welcome Chief Executive Officer, Forcepoint, Manny Rivelo.


   >> MANNY RIVELO:  Hello, everybody. It is great to see all of you. It has been two and a half years since we have all gotten together and it's been amazing to kind of walk the floor and have the event and actually rekindle a lot of old relationships. And the other key finding that I want to share at this moment is how many people I have seen with new post-COVID wardrobes. Right? It's kind of – a lot of folks were nervous to come into the event. Getting around a new crowd. And also, I heard a lot of people saying, I'm not sure what I'm going to wear.


   So, we are all here. We are hopefully all having a good event. And I wanted to talk today about security's dirty little secret and this concept of the conservation of complexity.


   And folks ask me, well what does that mean? Well, what that means is the world, as you just heard, is progressing very, very quickly. The hacking community is not slowing down. I will show you some stats here in a second. And yet, with all of this productivity that we have created, with all of the – the way we are changing the way we work, the way we live, the way we do everything, right, it isn't getting easier. The problem is still there and we have to simplify that problem, which means we need to change. And when I say we, that is our customers need to move quicker, our partners need to move quicker, and us as vendors need to move much quicker.


   So, I thought I would start by talking a little bit about what's my day look like. And I'm an early riser, if you know me, so I usually get up and I get up about 5:00 in the morning, and I usually have an iPad next to me and I usually pick it up and go through my corporate email on my iPad.


   And as I walk around the house and get ready for the morning, I usually head out early in the morning and go to the gym and try to get a couple of miles on the treadmill. And as I'm stopping at stoplights on the way there, I may check, using my personal device, additional emails and just try to get my day organized.


   Now, I have been on two unmanaged devices in my corporation, finished my workout. I may order a cup of coffee from Starbucks, pick it up, get home, get ready, and I'm on my first video conference session on my corporate computer.


   That could be followed very quickly with a search on the web, and this could be anything. I remember last week doing a quick search just to try to get an address because I was meeting a customer later that day and I wanted their corporate address.


   I may also turn around and check our Salesforce numbers, what are we doing. Maybe I look at an opportunity on Salesforce because I want to understand the situation that that customer has and what that deal is all about. And that could be on a corporate provided device.


   I may turn around and check the bio. RSA asked me to confirm my bio, so I had to do that, and I did that off of my iPad. And I may turn around and actually go into Slack to download our corporate presentation. And the reason for doing that is predominantly because I had a customer meeting that I had to present at later in the day.


   Then I may go a little further than that and pay a personal bill using my bank account. And I may actually even go a little further than that and approve, on my mobile device, basically a rec to approve a payment for a vendor.


   And all of this happens probably by 8:00 in the morning, and it repeats itself in different patterns every single day. And this week, you know, I have been on public Wi-Fi. I have been on Gogo Internet. I have been a whole bunch of different places accessing the network. And this gives me an incredible amount of productivity that has changed my workday and my personal life, allowing me to enjoy it a lot further.


   And this basically has come because the innovation that we have created over the last fifty years in this industry, right? In the early 70's, the open standards – and the keyword here is “open” – standards for TCP/IP emerged. And since that day, we have been chasing and fighting hackers because they also have access to all of the openness that's created this change that we have.


   So, you see early viruses were introduced. You see the formation of the web. You see the formation of applications on the web, cloud-based services, continuing to see additional, additional attacks inside the environment.


   And then over the last couple of years, because of the pandemic, everything accelerated at a fast pace. We all went home and worked from home. Our applications went further to the cloud and our data went further to the cloud.


   And I would argue it's only the beginning. There is more change. There is additional change happening whether it be what happens with post quantum computing, how is the world going to look for us? What happens with things like the metaverse?


   I could assume a couple of years from now, for sure within five years, I will be spending some time on the metaverse prior to 8:00 in the morning because we may be doing business on the metaverse, and/or there might be something in my personal life that I want to take advantage of.


   And all of this gain which is unstoppable comes with a great cost. And this is the cost. I will share only – I will talk about two metrics here. The first is $10.5 trillion is the cost of cybercrime, and that's what's projected by the year 2025. That is the third – if you compare this through a GDP, it would be the third largest economy in the world behind the US and China. So, it is good business to hack. It is not going away.


   The second is we live as security professionals in an industry that has negative unemployment. There are 3.5 million jobs and growing requesting security professionals every single day.


   And as a community, what have we done? We have given you an alphabet soup of three, four-letter acronyms that most individuals can't conceive, with management consoles with different ways of managing that, and the world has become just way, way too complex.


   So, we need to fix this.


   And if you think about the architectures of the past, these perimeter-based, rigid architectures which used to work, no longer work. The users aren't in the office as often as they used to be and the applications are not there. So, yet we hairpin the traffic back and we do all of this with implicit security, creating a poor user experience. It just has to change. And it has to change at a fast pace.


   And this is the time to begin to think differently. Because it is rare, really rare, where you see the analyst community and everybody come around and begin to gel around a new architecture, a new way of driving your business. And if we want to get in front of these hacks, we have to adapt that and change at an incredible pace.


   So, this new architecture starts out, as you heard just from the previous presentation, with zero trust. Now, what is zero trust? Zero trust has been around for over twenty years. There was a research document that was written in the early 70's. Google implemented it in about 2009 in the BeyondCorp. And then it was written by, by Forrester, and named by Forrester. And about 2018, NIST and other government organizations came out with a security – a zero trust architecture.


   So, it's taken twenty years to get here and yet we haven't adopted it and yet it is a great solution for some of the attacks that are happening today. Because on one side, it separates a user, the location, the device from the applications and the data, and it creates this zone. It only allows that connection to happen through explicit trust. And it has a fundamental principle; never trust, always verify. So, it creates this perimeter-less environment, and it's a very, very different way.


   So, your architecture needs to take this into consideration.


   The second major change is this concept of moving the stack of equipment that you have and services at the edge of your network and shifting them to the cloud. Through these frameworks, these secure access services edge frameworks like SASE, which are usually comprised of a foundational element that is zero trust, but it's also got to be risk adaptive because zero trust is always verify. So, after the connection has been established, I have to understand what the behavior is of that connection and be able to change or terminate that connection if required with a single console.


   Sitting on top of it is the capability to prevent threats, and that is technology such as AV, sandboxing, CDR, content disarmament and reconstruction, remote browser isolation, data discovery, data protection, data monitoring, et cetera.


   And then sitting on top of that is a series of gateways so that as you are communicating through an email channel or through a web channel or through a private application channel, that I can intercept that data and inspect that data.


   And if you place this in the cloud and it is available everywhere in the world with high availability, now you can connect from anywhere in the world to any application. You could liberate your organization. You could liberate your employees to work from anywhere and provide these security services instantaneously.


   The third major component is what I referred to as smart edge. There is a need at times to push those security services to the edge. Now, you may push those services to an office through something like SD-WAN and secure SD-WAN which would allow you to get away from your traditional MPLS circuits and create better connectivity by application or by user through those security services, or you may have an agent on an endpoint, that agent giving you that flexibility, or you are actually – actually be implementing smart browser-like technology inside that environment also.


   What's amazing is from the endpoint, there are three actions you can have with this architecture. The first is if you want to inspect the traffic, you can send it through the proxies by application and inspect that traffic using any one of those data plane services and the right security services behind that.


   However, you also have the capability at the endpoint to make two other decisions. One it would be, I want to block the traffic, so you just drop it. Or the other is, this is traffic that doesn't need to be inspected. It is a simple Google search. Maybe I don't want to inspect that. Maybe it's a web conference that I don't want to inspect. Maybe it's an audio conference that I don’t need to inspect and I just want to listen to it, or music. As a result of that, you could bypass those security services, creating a better user experience.


   So, those are three basic principles.


   Now, what's interesting is it opens up a whole bunch of solutions. One I will talk to here is zero trust, as I refer to it, as zero trust web access. What does that mean? From any place in the world, any device in the office, outside the office, managed, unmanaged, I want to access the web and I want to access it and be confident.


   So, obviously, you do have the traditional secure web gateways where you could categorize websites as good, as bad.

But if I'm going to a suspicious website that I don't know, I could insert a remote browser in front of it, which means I could go in the website knowing very well that I have a machine on the web that's executing my commands, and all I'm seeing is a pixel – smart pixel rendering of what is on the machine, giving me a lot of capabilities. So, if the machine was to get contaminated, it's okay. When the session is over, we gold image that machine and we move on.


   But I also have the capability to upload and download files using sandboxing technology for executables or content disarmament and reconstruction technology. And the way to think about that technology, which is basically government grade technology, is you actually open up office documents like Word, Excel, PDFs. You look at the object model inside the document which tells you what should be in the document, and you remove everything else that should not be in that document. So, if there is a virus in there or something that shouldn't be in there, it gets taken out. It is simply putting bleach on every single document that you upload or download. No different than we sanitize our hands as often as possible through this pandemic, that technology is there.


   So, in this situation, now I can go to the web, go anywhere, block what I need to block, allow what I need to allow, and all of the other traffic, whether it's traffic that I'm uploading or downloading, feels safe that it has been disinfected in the environment.


   Very simple to accomplish leveraging this architecture.


   Or I talked about using Slack to download our corporate presentation. What if I was right in front of the customer's location and all I had was my iPad? That's an unmanaged device. I could lose that. I may lose it on a plane ride.


   Well, it's interesting that you can actually apply the same principles here because inside the browser of that laptop, if you only enable your employees to use their personal devices through the browser, we can inject in that browser, an AJAX virtual machine inside that, and now we can apply a CASB connection with data protection on top of that to make sure that, yes, I downloaded the presentation, I can present the presentation, but I can't AirDrop it somewhere else. I can't print it somewhere else. I can't do something.


   So, the technology is there to empower your employees and allow them to use unmanaged devices. Or a very simple use case, which is I'm not sure why we are VPNing, I'm not sure why we are VPNing back to corporate. We are hairpinning the traffic back to the corporation, yet we don't need to go there. Can I shift that? If not for all employees, can I start with contractors? And can I check those contractors and give them explicit trust just to the applications that I approve for them to have? And do that so when I log in, all I see is my – maybe Okta screen that has two or three applications. I can log into all of those. I can check the users’ credentials. I can assess that the devices are good. And I could connect them just to that application. And then I can inspect the traffic that’s flowing from that application down to those devices through data protection. Simple to accomplish. There is a lot of use cases that we could take advantage with this modern architecture.


   So, the modern architecture gives you a couple of basic business benefits. Number one, implementation of zero trust, moving from implicit security, which is access to all network resources through applications and data on a user device, geolocation, permission level.


   The second thing is it increases your productivity because you don't have to send everything through to get inspected. You send what's appropriate to get inspected. The rest of the traffic goes directly to the endpoint and you create a better QOE, quality of experience, for those users.


   The third is you reduce the complexity. You don't have technology to maintain on your websites anymore and your corporate locations. That conga line of gear goes away. No more software upgrades. No more patches. No more replacing the hardware when it gets slow. All of that is provided for you in the web, in infrastructures that are infinite scale, such as the hyperscalers that are out there. So, lots of benefits associated with this.


   So, the path forward is fairly straightforward. You will hear it as SASE, you will hear it as SSE and SD-WAN which are components of SASE, and it solves an incredible amount of challenges for you.


   These are some of the ones that I hear as I talk to customers and they are asking me, Manny, can you – can you simplify my environment, the way I operate my environment, while reducing the cost? The answer is, yes, we can do that.


   Can you give me basically for zero trust, something like network – zero trust network access so only – I don't get access to the network, I only get access to the applications that I should be getting access to? Or can you discover all of my data? I don't even know what's out there. Can you do that, categorize it, use machine learning and AI to get it correct, then implement tags on that data and then protect that data? Because I have data that I have not only in my corporate environment, but now I have out in the Cloud. So, we can get this done with these architectures.


   And I will close by saying, and this is – Benjamin Franklin is one of my heroes. I think we all have our own heroes. And he said this quote a long time ago.


   “When you are finished changing, you're finished.”


   And there couldn't be anything more true today in our industry. We have to move quicker. The hackers are moving quicker. We have to move quicker. And we have to be able to take the technology and change at an incredible pace. We have to adopt it or we will be left behind because the innovation that is driving the digital economy and what our organizations are doing and what we are doing personally require this change.


   So, I want to thank you. If you have some time, stop by our booth. And have a great, great event.


   Thank you very much.

Manny Rivelo


Chief Executive Officer, Forcepoint

Cloud Security Security Strategy & Architecture

cloud security data security cloud access security brokers (CASB) edge security perimeter-less security


