Posted in Presentations
The world of cyber shares many similarities to issues in the real world. Misinformation, bad actors, and new threats make it difficult to determine friend from foe. Obtaining the most high-fidelity data is critical in gaining ground truth to stop advanced threat actors. Join Sumit Dhawan as he shares how we can use infrastructure to establish a new ground truth for today’s cyber professionals.
Video Transcript
>> ANNOUNCER: Please welcome the President of VMware, Sumit Dhawan.
>> SUMIT DHAWAN: Good afternoon. For those of you who are coming, traveling in, welcome to San Francisco, a city I love. Sure, it has its quirkiness, but it is the city that has created amazing innovations in technology. Technology that's changing all our lives in terms of how we keep our memories, in terms of how we handle our finances, and even how we do our national defense.
It's impacting everyone in this world with millions of businesses and all of us relying on digital technologies in amazing ways.
And it's never, ever been more important to have your roles, a small number of people who are security experts protecting all the critical applications, data, everything that we interact with digitally.
Now, the world is only getting harder. Our jobs, your jobs are only getting harder. How can I not bring in ChatGPT since everyone else has?
About a month ago, I asked a colleague of mine, Chad Skipper, hey, ask ChatGPT, see if you can get some security exploits from this expert.
So, Chad went to work, asked simple questions. You know, ChatGPT, I have to say, gave a good response. It's not going to participate in illegal activities.
However, Chad, being a security expert, now actually played the role of an expert and did some social and security engineering to ask ChatGPT questions where it could get the information that he was looking for.
He got two possible exploits in just thirty-two seconds.
Now, I am not suggesting that ChatGPT is going to democratize all the hacking possible and the world is coming to an end. We don't know. And clearly, there are a lot of great, positive ways of using the technology, as my colleagues here have come in and shared.
However, it does mean that what we are doing today requires us to have some degree of rethink. So, I want to share what I believe are three main mindset shifts all of us need to have.
First, we are all protecting ourselves against threats. We are all looking for outsiders coming in and attacking us. But I want us to have the mindset, when we are seeking or searching for any kind of an attacker coming from outside, it's best to assume that they have in-depth knowledge that an insider would have.
What do I mean by that? Well, it used to be that the attacks were just like bungling burglars. An attacker would find the most vulnerable part of your environment, enter through there, and then make multiple lateral moves. In a high profile attack, there were forty-four lateral moves before they got to the monetizable prize. As they are doing it, they are leaving behind some cues, anomalous behavior that simple systems like segmentation or basic anomaly detection could detect.
However, today's attacks look like Ocean’s Eleven heists. These use techniques like stolen passwords. Coming in, an attacker living off the land, oftentimes for days or even longer, really assessing the details of your network. Oftentimes developing a map of the network and understanding it better than you may even know. And when it's time to attack, making two or three lateral moves to get to the monetizable prize.
And they use commonly used technologies. Samba, RDP, Pass the Hash, things that make it very difficult for you to detect if this is anomalous.
So, what do we do? So, in this type of attack, the most important thing to do is to develop a holistic context, a context that spans users, devices, network, application, and data across your entire environment. Without this kind of a context and then applying intelligence on it, you are really seeking very basic anomaly detection that doesn't get you to understand today's threats and attacks.
This takes me to the second mindset shift. Now, when you are doing AI for anomaly detection, AI is only as good as the data that you provide. To really, really leverage AI, you need to have – you need to make sure you have complete data. And unfortunately, I will share with you that all of us and all the systems and AI that we apply have blind spots.
What do I mean by that? All of you are familiar with techniques like backhauling. Many of you probably do this, where you are taking the traffic, sending it through your networking and security appliances to do all forms of detection and protection.
I spend a lot of time with customers and I have yet to meet one who says that 100% of their traffic is backhauled. What does that mean? That means by definition, they have blind spots.
Now, people say they have network TAPs, but unfortunately, there are a lot of applications running as virtual machines on single hosts, and there are a lot of these VMs that are communicating on those hosts. It means blind spots.
And guess what? Over time, these servers and systems have become bigger and bigger, and they have been denser and denser in terms of number of machines they can host, which means the blind spots have only grown.
To add to that, nearly two thirds of the East-West traffic now is encrypted due to various compliances. Good, however, that creates further blind spots.
So, how do you work around these blind spots? You have to think how your infrastructure, the infrastructure that's actually running the applications, can have the intrinsic advantage of being able to eliminate these blind spots. Let me tell you what I mean.
In a centralized world, your applications, both enterprise applications and modern applications, rely on some centralized appliances for doing security. In order to really use your infrastructure and leverage security in an intrinsic way, let's change that. Move that and distribute it into your infrastructure. This leads to no backhauling, no network TAPs, no blind spots.
I'm going to start off with virtual machines, but this applies to modern apps running different technologies. In the case of virtual machines, you have hypervisors, hypervisors that run multiple virtual machines, and when they are communicating with each other, we have the hypervisor making sure it has security and visibility built in. These technologies are now built into the hypervisor.
For encrypted traffic, you can have full guest introspection so you can see the payload. This is how you are not just seeing all the connections. You are, actually, seeing the conversations.
The tools and technologies for traditional or enterprise applications running in virtual machines may be different than the ones for modern applications but the concept, the objective is the same.
So, in the first two mindsets, I have talked a bit about how you can detect and prevent. For the third mindset shift, I am going to talk a bit about ransomware.
The best prevention for ransomware, the best defense for ransomware actually goes beyond just preventing ransomware. Because unfortunately, we are dealing with an environment where this is an undeniable reality, or at least we all as security professionals need to assume that.
If that's the case, then I will say, what if your entire applications, consisting of all of the piece parts running in your private or hybrid cloud, could automatically be available in an on demand fashion, completely isolated and air gapped in a recovery environment? If snapshots were continually taken and, in case you run into that unfortunate incident with ransomware, you knew at any given point in time what the latest fully validated and verified snapshot was. And after that verification, you could quickly recover into another cloud environment even though your current infrastructure that's running the environment is not available due to forensics.
This is applying cloud principles and applying the power of infrastructure and leveraging the infrastructure in an intrinsic fashion to recover from ransomware.
I have shared three major changes to mindset. I would like to bring in and have someone share another perspective. No, I am not going to bring GoodGPT or Ames. I am going to bring in a real expert.
I have the CISO and CSO of Cognizant Technology, Alicia Lynch. Let me quickly read her credentials for you. Alicia brings over thirty years of intelligence, security, and cyber experience with the Department of Defense, the defense contracting community, and the private sector. In addition, she retired from the U.S. Army as a Colonel.
So, please welcome Alicia Lynch to join me on stage. Alicia.
>> SUMIT DHAWAN: Thank you, Alicia. Alicia, you have amazing credentials both in defense, as well as now in the commercial sector. What would you say are the learnings from defense that you have carried forward and see apply in commercial?
>> ALICIA LYNCH: That's a really good question. I have spent a lot of time in the defense space and a lot of time in military intelligence and cyber units and have a lot of best practices that I use on a daily basis. But today I just want to talk about two that I think really are the most important.
The first being cyber threat intelligence and analysis, right? In the defense space, you have the defense departments, you have the defense agencies providing threat assessments, really great products to the commanders of the units, telling them who the threat actors are and what vectors they are taking to get into their environments. And when I transitioned from the military space over to the commercial space, I walked in and I was by myself. There was not a big organization behind me providing any kind of information like that.
So, the onus fell on me to produce my own defense plans and to look at what threat actors I thought might want to be getting into my environment based on the data that we had. And then I had to validate my own assessment and start to validate that with actual forensic data, telemetry data that I had in my environment, right? So, I think it's super important that if CISOs aren't doing that, they need to do that, because we have a lot of attackers coming at us and you have very limited resources.
And the second piece, which is a good practice that I brought from the military side to the commercial side, was using a framework. Believe it or not, I found that a lot of commercial companies don't have a cybersecurity framework. And in the defense space, we use NIST, we are heavy users of the NIST products, so I brought that into all the commercial companies that I have been in. And it's super important that the CIO and the CISO align on a framework and implement those cyber controls, because it is the basic, fundamental cyber hygiene that you need to stop about 80% of the threat actors trying to get into your environment.
>> SUMIT DHAWAN: You mentioned interesting things, firstly the framework, and then just how you described the role of CISOs and the interaction with the CIO. Maybe a question for you: what does this mean for the security architecture and then also the evolution of the CISO role?
>> ALICIA LYNCH: Yeah, so, another really good question. I think that the security space is super dynamic right now and there’s a lot of things impacting us and we really have to change with the times. I think the first thing – I'm going to say this and everybody is going to go, oh, come on now – but secure development lifecycle. Everybody uses the term but I actually haven't seen it implemented very well in any company that I have been in. And the CIO and the CISO need to really get together, they need to knit the teams together, they need to do upfront requirements development properly. They need to look at the — bring the engineers and the architects together and they need to build security through the whole entire lifecycle. And then we as a CIO and CISO have to be disciplined to make our teams do that every single time, right? So, basic thing but definitely not being done that well.
The second piece, which is really exciting to me, is all the products that are out there now, not just on the security side but on the CIO side. There are modernized products, heavily automated, and coming out now there is hardly a product without security in it in some way, right? So, it's either embedded in it out of the box or the CISO needs to enable that. So, it's important that the CISO understands the products the CIO is using and works with them to enable those controls. And what that does from my perspective is it takes us from a centralized model to a distributed model.
So, for example, every CISO in here has described, if you have been doing it for ten years, your model as the castle and the moat. That is a very centralized model of security. And since COVID and other factors, that's actually gone out the window.
So, I am super excited with the products that not just I have but that the CIO has because I can take and enable security in the infrastructure down in the workloads and also closest to the user. So, to use some military terms, I can keep it down at the pointy end of the spear and I can keep the blast radius very, very small with that type of a model.
And then the third piece, which is really the most important to me: in the defense space, we always worked super-fast. So, coming into the commercial space, we really need to work fast around detecting, analyzing what's going on, remediating, and recovering.
And just a couple years ago, a company came out with a 1/10/60 model, and a lot of you CISOs probably know about it or maybe use it, but for those of you that don't, 1/10/60. One, you've got one minute to identify that there's something going on in your environment and you need to start to get together the team. You've got ten minutes to get the talent together, hands on keyboard, to figure out is this a false positive or is there actually an incident going on? And then you've got sixty minutes to remediate it out of your environment. That's a total of seventy-one minutes. That is really hard to get at. It takes actually years. If you start today, it's going to take you quite a while as a CISO to get that going. But that is the only metric out of the thousands that I get telemetry on that I actually focus on and drive my team to drive down to seventy-one minutes.
Because the threat actors, as everybody has said on the stage today, they are smart, it's their fulltime job. They are coming in very stealthy. They used to bang their way in and, you know, surprise, you know, hey, I am here. They are not doing that anymore. They are coming in. You hardly know they are there. They are living off the land and it's easy for them to get a foothold and start moving around and then you can hardly find them. So, just use the automation and use the speed.
>> SUMIT DHAWAN: Seventy-one minutes, that's amazing.
So, to sum up what Alicia just shared and what I have said, it's as simple as this: the cloud operating model means better security.
In the cloud operating model, as Alicia mentioned, you put security policies close to the workload. We do that in the cloud for configurations. It can be done for security policies so that when workloads come up, the security policies come with it. When they retire, security policies move away. When they move, security policies move with the workload. It's done. It's possible. The technologies and tools for doing this exist today.
So, what's getting in the way? Maybe, maybe it's time to move away from the love of a box and instead think about security in an intrinsic way in your infrastructure.
Thank you for listening to me. Thank you, Alicia, for being here with me.
>> ALICIA LYNCH: Thanks for having me. Appreciate it.
>> SUMIT DHAWAN: Thank you. Enjoy the show.
>> ALICIA LYNCH: Yes. Thank you.