Why I’m Optimistic (And You Should Be, Too)


In a world where each new technology innovation “gifts” bad actors a fresh attack landscape, it's natural to wonder if everyone should just stock up on cyber insurance. But Lee Klarich believes cybersecurity is becoming a solvable problem (and that you should, too). Lee will discuss how new advances have changed what’s possible, and a framework that organizations can adopt to embrace what's next.

Video Transcript

   >> ANNOUNCER:  Please welcome Chief Product Officer, Palo Alto Networks, Lee Klarich.


   >> LEE KLARICH:  Good morning. Good morning.


   >> AUDIENCE: Good morning.


   >> LEE KLARICH:  All right. Wonderful to see you. I hope you're all doing well.


   You know, every year we all get together at RSA Conference and we talk about the latest in cyber threats. We talk about future trends. Seems like every year some unofficial theme emerges that we have to talk about.


   Anyone done talking about AI yet? Just let me know. We can talk about other things too.


   I'm actually going to talk about all of those things, though.

   But first, I thought we would rewind the clock a little bit and talk about what I think of as the good old days of cybersecurity.


   Now, I have had the honor of running products at Palo Alto Networks for about the last seventeen years, so I have had a front row seat to amazing innovation, market disruption. When I think about the good old days, I go back even further. And I don't know why, but for some reason when I think about the good old days, I always think about the I Love You Virus. I don't know. It's this weird thing. I think it was because when I got into cybersecurity, it was around the time that I Love You Virus hit.


   Was anyone doing cybersecurity back when this happened? Does anyone have, like – sit there wondering like what on earth is he talking about?


   Is that a computer? No, it's actually a monitor.


   So, the reason – so, the I Love You Virus, I think the reason I always think back to this, like, it was actually a pretty horrible event, just to bring everyone up to speed. It's estimated that it cost about $25 billion in damages, which would probably make you question my statement about the good old days.


   But you know what? Like, leading up to it, everyone in cybersecurity slept well at night. Afterward, everyone was sleeping well. It's just like this one thing we had to deal with.


   So, that's why I think, like, man, that kind of would feel good, wouldn't it, if like most days you could wake up and it’s just like everything is good?


   By the way, can you imagine like this successfully spreading today? This was state of the art twenty-three years ago. Imagine if we could just deal with that again.


   Now, we don't get to deal with that again unfortunately. Today's threat landscape is really quite different. The level of sophistication that we all have to deal with is incredible. You know, we, our Unit 42 threat intelligence organization, tracks leak sites to see frequency and where things are happening. We see new data leaks posted every few hours every day. That sucks.


   Attackers have figured out how to infiltrate the software supply chain, which is kind of mean of them, if you think about it. Because they somehow made patching software feel questionable, like unsafe.


   The cloud has opened up all sorts of new opportunities as well for attackers to target a much broader set of infrastructure.


   And they’ve become so good at this, it's actually become its own industry. I saw data recently that suggested that if you add up the entire cost of data breaches and the impact of it, it would basically amount to the third largest GDP in the world. It has become an industry.


   You don't even have to be that sophisticated. You can get ransomware as a service. There's customer support hotlines for this stuff. It's crazy.


   And the breadth of the attacks is basically anyone with money effectively, now.


   Now, it's pretty easy to see, given all of that, how, you know, breaches have almost become normalized. How it's hard to judge anyone for thinking or feeling this presumption of failure. I get it.


   And it's only getting harder. Hybrid work means that, you know, all of the employees that you have to protect are basically working from anywhere. The advent of cloud and SaaS means that the application infrastructure is basically everywhere. So, on top of all of this, your jobs just got harder.


   So, you know, it's easy, I think, sometimes to feel this way. I get it. Now, what's strange about this to me is it would be one thing if like we were all sitting here going like, I don't know what to do. But I don't think that’s the case. I think for the most part, we all kind of know what is needed to provide effective security, right?


   The frameworks out there are not elusive, right? I will share my thoughts on this, just real quick. You know, I always think of this as starting with, you know, just if you could harden the attack surface of everything inside and out, that would be a good place to start, right? Is everything configured correctly? Or if you prefer, you know, just do you have good cyber hygiene? Every application, every endpoint, every user, et cetera, right? That would be a good foundation.


   On that foundation, I would suggest that we would all sort of agree that we would like to have a consistent and comprehensive zero trust policy everywhere. Is default deny so hard? Actually, it is, but in concept, it should not be. We all understand this. Right?


   If you started with good cyber hygiene, if you then implemented zero trust policy on top of that, and then the third piece that we all want to do is we want to be able to say, if I could take every attack that had ever been seen anywhere in the world and block it the next time an attacker tries to use it, now we would be making some progress, right? Is it too much to imagine that being possible? All right.


   Because if we did that, then what would that mean? It would mean that every time an attacker wanted to launch an attack, they would have to develop a new attack. They would have to come up with new techniques. That would make attacks much more expensive for the attacker. It would put us in a position where we, of course, would say I want to be able to detect those attacks. And ideally, if I could respond fast enough, I even want to be able to prevent attacks that I had never seen before.


   And then the fifth piece that we would want to do, that we all know that we need to do, is we would want to ensure that that was consistently applied everywhere that security had to happen. Again, every application, every user, every network, every identity, everywhere. That would be a reasonable framework.


   Now, it's not that easy. How do you scale this? It's easy to imagine securing one user, one endpoint, one application. How about 300,000 cloud workloads? That gets harder.


   It's easy to imagine. I saw this attack before so now I'm going to block it if it happens again. But can you do that for the last billion attacks that took place? That's harder.


   So, the first piece that makes this hard is scale. The second piece is disruption. And what I mean by this is, you know, I have seen environments where even the loss of a single packet on the network elicits like crazy fear about what the implications are operationally.


   In projects, new security deployments that should take a week or a month will take twelve months of planning to make sure that that doesn't happen.


   We need to be willing to accept just a little bit of risk for a lot of cybersecurity. But that's not how things generally work today.


   And third, I think with this backdrop, there is this tendency to prioritize security – or prioritize compliance over security. Compliance is important but it's not the same thing as security.


   If breaches are normalized, presumption of failure, you almost sort of say, well, at least I can be compliant. Then no one can blame me. I get it. It's hard.


   Now, I am what I refer to as an optimist. I think in cybersecurity, that might be somewhat rare. You see, I actually believe security is solvable. I actually believe that this is a winnable battle.


   Now, before you assume that I'm crazy or unstable or whatever, let me explain. See, I'm a product person, so I start with technology, and there are some incredible things that are happening in technology that give me optimism.


   Number one, over the last several years, the ability to operate at machine scale, leveraging what effectively is unlimited compute, unlimited bandwidth in the cloud to change the way security is delivered completely changes the notion of what can be done from a scale perspective.


   Suddenly, being able to prevent the last billion things that we saw everywhere it needs to happen, endpoints, network, identity, et cetera, is suddenly possible. Suddenly, the 100,000 alerts that the SOC analyst has to respond to, well, when that turns into a machine doing most of the work, it suddenly feels doable. The ability to leverage the cloud to operate at machine scale is unprecedented.


   By the way, this also sets up the second technological reason that gives me optimism. I promised I could not get on stage without talking at least a little bit about AI.


   One of the interesting discussions about AI is the question of, well, if we can use AI, can't attackers use AI? Most evidence would suggest they are at this point, by the way.

   But the interesting piece about AI, at least the way I believe, AI is most powerful when it is driven by great data. And I actually believe that through the cloud delivery machine scale that we can now use in our security architectures, that we have the potential to really collect the best possible data to drive AI based outcomes, and I don't believe that attackers will be able to use that to their benefit, not the way that we can.


   AI does have the power to be truly transformative in cybersecurity.


   Third, the cybersecurity industry is one of the strangest in that it is not uncommon for a company to have a hundred cybersecurity products, two hundred, three hundred even. I think the record I have seen is over four hundred in one company. That is insane, if you are wondering.


   We have to be able to transition to an architecture where cybersecurity is delivered in natively integrated capabilities from platforms, not point products.


   This does not mean that there will be a single platform for all cybersecurity, but it does mean we have to start to rationalize our infrastructure. And one of the key things that has changed that I believe has not existed in the past is that there are now emerging security platforms that are delivering best of breed capabilities that are natively integrated.


   You see, in the past, it was always a trade off. Best of breed or platforms. Today, it is possible to have both.


   So, imagine bringing these three technology trends together. Imagine being able to use cloud and machine scale. And as a byproduct of that, collecting amazing security relevant data to drive next generation AI. And imagine being able to deliver that from a set of cybersecurity platforms where these capabilities are natively integrated together, where the system integration is done in the platform more so than in your environment.


   Now, as much as I like to think that technology is the solution, and it is, obviously, to some extent, this has to be combined with a mindset shift. We collectively have to believe that cybersecurity is a solvable problem. And through that belief, start to change how we behave. Start to prioritize security – I was going to say above compliance, but at least in addition to compliance. Start to accept just a little bit of risk for a lot of cybersecurity.


   And every time something happens that's not supposed to, use it as an opportunity to learn and get better so the next time it doesn't happen. And build that into our mindset, build that into our platforms, build that into everything we do operationally.



   This mindset shift cannot be underestimated in terms of the importance.


   And I see the green shoots of this playing out. I see these technology trends taking hold. I see the mindset shift happening. There's one more piece, though, that is needed to deliver the outcomes that I am talking about.


   Imagine in this example, saying how do you get from point A to point B? And it was like, here's a hundred choices. Good luck.


   I believe the third requirement of achieving great cybersecurity is we have to start to become much more prescriptive in how to accomplish the outcomes that are needed.


   It is not enough to provide a hundred different options. To truly transform how we do cybersecurity, we have to provide the path. We have to provide a viewpoint on how we achieve the outcomes we are trying to achieve. We have to be able to quantify the outcomes that we are going to deliver.


   And that is why I am optimistic about cybersecurity. Despite how challenging the cyberthreat landscape feels at times, despite how overwhelming the frequency, the sophistication, despite the scale challenges, disruption challenges, and everything else, I see the technology transformations that are happening. I see the mindset shift that that results in. And I see the opportunity to drive real outcomes in cybersecurity.


   So, I hope all of you join me in viewing cybersecurity as a solvable problem. Thank you all very much.

Lee Klarich


Chief Product Officer, Palo Alto Networks
