Get Your Head IN the Clouds: SOC Teams Must Live in Clouds to Secure Them


Posted on in Podcasts

Massive cloud proliferation has driven huge increases in IT and security complexity, the vast majority of which come from trying to force fit legacy concepts, processes and even tools, into a cloud context. This will cover the most important considerations and requirements facing organizations to adequately understand and affect their new reality – and evolve their security thinking.

 


This podcast is sponsored by Acronis. Acronis unifies data protection and cybersecurity for IT professionals and service providers, delivering integrated cyber protection that solves the modern digital world’s challenges. Visit acronis.com.


Podcast Transcript

Introduction:
You're listening to the RSA Conference Podcast, where the world talks security.


Kacy Zurkus:
Hello listeners, welcome to this edition of our RSAC 365 Podcast Series. Thank you so much for tuning in. I'm your host, Kacy Zurkus, content strategist with RSA Conference. And today I am joined by our guests, Nipun Gupta and Sounil Yu, who will be talking about what security teams need to do to get their heads in the cloud. Today's podcast is sponsored by Acronis. Acronis unifies data protection, cybersecurity and endpoint protection management for IT professionals and service providers, delivering integrated cyber protection that solves the modern digital world's challenges. With Acronis, you not only ensure proven threat protection, but enable faster return to productivity in case of incidents. You can learn more at acronis.com. Also, I want to remind our listeners that here at RSAC, we host podcasts twice a month, and I encourage you to please subscribe, rate and review us on your preferred podcast app so that you can be notified when new tracks are posted. And now I'd like to ask Nipun and Sounil to take a moment to introduce themselves before we dive into today's topic. Nipun, over to you.


Nipun Gupta:
Thanks, Kacy. Hi everyone, my name is Nipun Gupta and I'm the lead product manager at Devo. And in the past, I've worked at many consulting organizations where I've helped Fortune 500 companies secure their applications and infrastructure. Most recently, I was the global head of security innovation at Deutsche Bank, where I helped lead some of these transformations into the cloud and helped secure that.


Sounil Yu:
And I'm Sounil Yu and I'm the CISO and head of research at JupiterOne. And prior to that, I was the CISO-in-residence at YL Ventures and the chief security scientist at Bank of America.


Kacy Zurkus:
Wonderful. We're thrilled to have you here with us today. Both of you, Nipun and Sounil. I want to start by asking each of you to maybe share with our listeners what you have seen as the security complexities that resulted from massive cloud proliferation and perhaps, maybe even a little bit about the source of those complexities. Nipun, let's start with you.


Nipun Gupta:
Sure. So with adoption of the cloud, I think every company is starting to become a tech company. What that means is every company is starting to make digital products. That means now the security teams are dealing with larger data volumes than ever before, with an increased speed of delivery with their products, and the perimeter that they would be able to easily control and approve and manage is starting to disappear. So all of these changes have challenged the security operations team, as now there's an enhanced threat surface for them to defend, limited visibility. It's very challenging to get that data all in one place to analyze, and then ever-changing cloud infrastructure is making it very challenging for them to find the expert skills to defend their organization effectively.


Sounil Yu:
Kacy, as we did the introduction, I should have mentioned one other thing about myself, which is that those who know me know that I love frameworks, and frameworks help us think through some of the big challenges that we have in our environment. So you used the word complexities as a part of your question, and it made me realize there's another framework that is worth considering to help us understand how we got to where we are today from a complexity notion. That framework is called the Cynefin framework, and it's spelled C-Y-N-E-F-I-N, for those who can't speak Welsh. Anyway, it's called the Cynefin framework and it goes through four phases: chaotic, complex, complicated and simple. What we see is that challenges that we run into go through these four phases. And what we have encountered is that when we started having these massive deployments into public cloud, it was a very chaotic moment.


Sounil Yu:
Businesses, enterprises were very comfortable with on-premise environments. We got it to a point where it's at least complicated, maybe even simple, and all of a sudden the world has changed. And so the cloud introduced this chaos, and over time as we got a better hold of it, it became complex because we can actually manage the risks associated with it. And over time and with better technologies, we're starting to move it more into the complicated stage and not complex. I don't know if we're quite at the simple stage yet, but the goal is to move into that sort of pattern, eventually getting to the point where the use of the cloud and cloud security is simple. And then we'll get ready for the next challenge that causes everything to become chaotic again. But that progression is something that we should be aware of and anticipate and know how to plan for and look for so that we can make our lives simpler.


Kacy Zurkus:
I love that because as you were walking us through those phases, chaos to complex, to complicated to simple, my thinking was, right until the next chaos comes, right? But I think your point about the cycle and being prepared for that, knowing that that is the cycle of the way that things work and being prepared for that, is what's important, because then you can make those changes. It's not as complex and chaotic for as long as it was before when you've planned for it, right? So even though you can [inaudible 00:06:04] that those complexities are coming, you can work through them much more easily.


Sounil Yu:
That's right. One of the other aspects that's worth noting is when things are chaotic and complex, we don't actually have immediate solutions for those. Rather, we just manage the challenges that we have associated with them. Once they become complicated and simple, we actually do have solutions and that becomes usually embodied in some technology. So it's another way to think about the problem space, where when we look at chaotic and complex, at best, we manage the risks associated with them, but then when it becomes complicated and simple, we actually solve or address directly, remove the risk associated with them.


Kacy Zurkus:
So my next question is to that point, then what are some of the processes that become more challenging as enterprises move to the cloud? How do we work towards solving those?


Nipun Gupta:
Firstly, I want to say, Sounil, I love the light at the end of the tunnel analogy here that you shared with the framework. I think over the last three to five years, it started to dawn on people that these challenges that were really complex in the early stages of cloud adoption have started to become relatively more manageable and maybe solvable, as you said. So I think that's really great. With that being said, what has happened in that journey is that the traditional security teams and processes, it's very hard for them to keep up with that pace of change and high data volumes and the evolving threat landscape. And all of this means that these teams need to gear up for a cultural, talent and platform change that will provide a ton of benefit. Maybe something they cannot do immediately, but over the next two, three, four, five years, when these challenges become a lot simpler to deal with, this is going to be helpful.


Nipun Gupta:
So that's the superpower I think all the forward-looking enterprises need to be building at the tempo to capture the benefits of the agility and the speed that cloud transformation is bringing to the business, but also can be brought to security. For example, one of the things that we've heard from our customers, and I personally was working on in my last role as well, is that a lot of what is based off the level one and level two, if you are in a tiered SOC environment, needs to be automated. In fact, so much to the effect that everybody starts understanding more of the business context and starts to act as level three, a threat hunter in a way, and all that tool set that previously was probably set in stone for three to five years needs to be a lot more flexible.


Nipun Gupta:
And with that being said, this will bring the security operations center's architecture to be a lot more cloud native, and all of this will start to make sense as they deal with larger data volumes, higher speeds of delivery. All of this change will eventually get them closer to dealing with these challenges and eventually solving them.


Kacy Zurkus:
Thank you for that, Nipun. And I want to talk about, you talked about cloud transformation there, Nipun, and Sounil, how can cloud transformation help to augment security and even the DevOps process itself?


Sounil Yu:
Yeah, so cloud transformation, I think, poses opportunities and challenges as we do security. To deconstruct the word transformation, the question that I would wonder is what is actually transforming. And if we can have a better understanding of what that transformation actually is, then it helps us again prepare, as we talked about before, in terms of where it will help security and our DevOps processes and where we actually need to adjust and make sure that we can catch up in some ways. So one of the major aspects of the cloud transformation is the transformation of everything as code: things are built as code, things are governed by code, things are checked by code. So of course we should also do security as code, but what does that mean? And fundamentally, what new skillsets do we need to be able to address that new challenge that we have?


Sounil Yu:
And this is fundamentally, I think, one of the biggest challenges that we in the security community have, which is to move towards this path of everything as code, to embrace that. But to do that in a way that I will find some of the people who are unfortunately familiar with just a point-and-click type of environment, where we don't have programming skills, we don't have the necessary requisite background to be able to jump into GitHub and start doing everything as code. I think that's why we're also seeing the proliferation of a lot of the low-code, no-code type of solutions, because it's not just security that's moving to code; the whole business, a lot of businesses are moving towards that path. And so security also has to transform in that same sort of way.


Sounil Yu:
But as I mentioned, it requires new skillsets in these people who have a background in some sort of programming language or at least some scripting language, so they can [inaudible 00:11:42] the logic and be able to craft that into code. And as I said, unfortunately that shift hasn't fully happened across many organizations. So I think there are people who are going to struggle with that transformation, but once we can make that transformation, I think we're in the right place to help in the broader cloud transformation that's happening across enterprises.


Kacy Zurkus:
It's interesting because our focus for the month is cloud security, right? And so I'm starting to understand, as someone outside of cloud security, just how truly difficult it is. You mentioned the skillsets, right? And to find the right people who have the right skills that you need to augment your cloud security in this transformation process. Nipun, what do organizations need aside from those with the right skillset? What do they need to understand about readiness for cloud security, and maybe what are some good tools to help them mature?


Nipun Gupta:
Yep. That's a great question. I think, firstly, they have to set some principles, [inaudible 00:13:02] principles for them to work toward so that they can get ready for this change and track themselves towards those changes. So as we discussed earlier, that changing skillset, which means the biggest thing that we are looking for in terms of these personnel changes, is an engineering approach to solving security problems: the automation, continuous measurement and experimentation. This will be the predominant method of solving these security problems across the cloud, as opposed to something that we were used to, maybe point-and-click and tools that were there for three, four, five years. That's not going to work any longer. And then, the other major change that is going to happen here is you cannot protect what you don't see, right?


Nipun Gupta:
So enterprises that continue this transformation by becoming cloud optimized are able to bring these relevant alerts and events and provide that real-time, extensive visibility. That's something that they're looking for in order to make those decisions in times of response or incidents. And then lastly, as the culture of the organization changes, something that security needs to get more used to is rapid and iterative feedback loops. So in traditional security teams, we believe in making scans or being very reactive after the fact that the products and systems have been put in place, to tell the business that, look, we are insecure, we are at risk, please fix these things. I think that part needs to change. And the quicker we can get to this feedback of risk and manage it quickly in its infancy is going to be the tool for the security teams to become better at managing risk in the cloud environments.


Nipun Gupta:
That being said, I think there are open source tools that are available right now for security teams to, let's say, do scanning in their container environments, Kubernetes environments, so they can start to get a sense of these newer infrastructures and of how risky they are in production. And also they start to develop a sense and appreciation for DevOps environments and start to shift application security left, towards the developer, as much as possible. And then finally, there are many tools available from the Cloud Security Alliance, such as the Cloud Controls Matrix, that allow you to measure your maturity as you make this move and then track that as you grow.


Kacy Zurkus:
That's a lot of really good guidance. And I'd like to ask both of you, what are some lessons that you have learned as you've helped enterprises through the transformation of their security operations to become cloud optimized? Sounil, let's start with you.


Sounil Yu:
Yeah, so one of the key lessons I learned was just understanding this statement around why is cloud different? There's a camp of folks who say, "Well, cloud's no different, it's just somebody else's computer." Then there's another whole camp that says, "No, cloud is fundamentally different." Well, what is it about that fundamental difference that should then change our behavior as we transform into this environment and become cloud optimized? Cloud optimization to me means to adapt the way that we build and the way that we use this environment towards the way that cloud was designed. And to do that, I actually offer a new set of ways that we can think about how we do security. So the old way of doing security is something that we're all familiar with, which is the confidentiality, integrity and availability goals that we have when it comes to securing things.


Sounil Yu:
However, for cloud, I actually don't think that the CIA triad is the right model. I actually offer a different model, which is the DIE triad, and DIE stands for distributed, immutable and ephemeral. And our goal should be to design and build systems to be DIE, and in doing so, what I have found quite remarkable is that it offsets the burden of having to perform CIA. So just as a quick aside, if something is highly ephemeral, do I really need to worry about the confidentiality of those things that are highly ephemeral? The point I was mentioning, for example, scanning systems. Well, if I have a system that goes away in like 30 seconds or 30 minutes, do I really need to patch it, right? Do I need to make changes to it? Can I just make it immutable and then rebuild it with, presumably, the patches done when it's rebuilt? Can I not have to worry about making changes in C2?


Sounil Yu:
So this whole notion of what was the cloud designed for, what sort of new architectures and patterns was it designed for? And can we actually align security towards those patterns? Instead of trying to fit an old wineskin with new wine, can I instead align a new wineskin with new wine, and is that new wineskin the DIE triad? That's what I'm proposing. And that's the lesson I've been sharing with enterprises to help them in their cloud transformation journey, to say, how do we start thinking more towards the DIE triad and build in a DIE-centric way, as opposed to the old CIA-centric way?


Nipun Gupta:
That's a great point. I think these are the design principles we need to start adopting in security operations to make it easier for us to manage the complexity in the cloud environments. And these changes can be a lot easier. With that being said, one of the things that I experienced personally was the resistance to change when it comes to approach in security. So in one of my projects, talking to leaders and helping them see the advantages of adopting cloud, it was clear that some of the leaders proposed just taking whatever tools they have to protect the on-prem environment and reinstalling them in the cloud environment. Essentially from the camp that cloud is just someone else's computer, right? So that's a terrible approach because, again, you're not taking advantage of the cloud in the way it was designed and really going to those principles: cloud was designed to enable automation, speed of delivery, connectivity.


Nipun Gupta:
And I think pure security is just not used to that. So most of the security tools that were probably pre-cloud were not designed to be transparent, connective, and did not have those pieces in place, such as APIs, to enable that relationship between the other tools. And once we see the advantage of tools that are connected, you start to break down silos and complexity, and it enables, most importantly, the automation that is going to relax your security operations team a lot further. And I think the biggest lesson that I took was, like, look, until we are able to adopt these tools that are cloud first in their own architecture, we are not going to be able to start taking advantage of moving to the cloud.


Kacy Zurkus:
I love that there's been so much mention of these distinctions between is cloud this, is it that, or these different nuances of language. I don't know if either of you realized that this year we shifted the RSA Conference track from what was traditionally just cloud security and now we've opened it up to include cloud security and cloud security operations. Some might think, well, what's important about that distinction? I don't know. And I would love to hear your opinion, just in your professional experience, what you see as those distinctions that might be helpful for others to understand about cloud sec ops?


Sounil Yu:
Well, so I'm going to have to hazard a guess as to what the distinction means. So let me offer one perspective. So the first is the perspective that if I'm going to do cloud security, then I want to build towards the notion of DIE, as I mentioned before. I don't want to have to build things that I have to continue to secure, but rather I want to build things that can be distributed, immutable and ephemeral. And I can frame that in the cloud security mindset. For cloud security operations, there's a whole different mindset I have with that. And then I have to explain one quick analogy to explain that piece. So one of the things that's well understood in the cloud native world is this distinction between pets and cattle. Pets are things that we care about. Pets are things that we have a name for.


Sounil Yu:
We go patch those pets when they get sick, by taking them to the vet, whatever. So we have a bunch of pets which are great for on-premise environments, but aren't really great for cloud environments. For the cloud, what we want to do is design towards cattle, okay? And cattle are things that you can't even pronounce the name for. It's branded with some obscure string of characters. And when it gets sick, you shoot it and you move on. So cattle are things like serverless functions, containers, things that are really well designed for the cloud. When it comes to operations, one of the things that I think we want to think about is how do we avoid cattle from becoming pets, okay? So our old way of thinking about security operations is how do I take care of this pet, right? How do I keep it safe?


Sounil Yu:
How do I secure it? So on and so on. But what if the change in cloud security operations is less around how do I take care of my pets and more around how do I avoid cattle from becoming pets, okay? How do I avoid that unnecessary pet creation? Because every time I do that, I'm now having to burden myself with a whole new set of veterinary bills, a whole new set of requirements around pet care, but that's not what the cloud was designed for. The cloud was designed for cattle. DIE aligns really well with cattle. DIE, your cattle, and CIA, your pets, okay? And the goal here is to continue to incentivize and drive towards cattle creation that is again designed towards DIE, and try to avoid unnecessary pet creation. And I emphasize the word unnecessary, because I'm not saying that we get rid of all our pets; any pet lover should be aghast at that notion. We love our pets, and we want to make sure that pets live as long as they possibly can. We just don't want to have 50 pets in our house, right?


Sounil Yu:
And I don't know how many pets people have in their enterprises, but if you carry that analogy forward, then I'm sure you don't want all those pets running around in your organization either. So is cloud security operations, then a function of pet control, not veterinary services, but how do I become the chief pet control officer and not the chief veterinarian?


Kacy Zurkus:
That's a great analogy. I love it. Although I have to say, I am glad that I was on mute when you shot the cattle. Nipun, did you have anything you wanted to add?


Nipun Gupta:
Yeah, absolutely. I think this pets versus cattle analogy makes me go back to the early days of the cloud, when we were trying to understand how to adopt containers and cloud environments and how to get ready for a similar infrastructure. So I'm glad we're using it for security right now as well. Okay, so cloud security versus cloud sec ops, and why have we shifted that track in RSA Conference? Firstly, I think as the last three years have evolved, we have started to realize that cloud security, a problem that we earlier understood as something that was purely based on detecting misconfiguration and infrastructure shift, the drift in security settings, is not just that. I think it's bigger, and what we have to do in order to deal with this bigger shift is to gear up our security operations in a way that it can get us that visibility across different infrastructure environments, as well as start to take advantage of those automation opportunities that exist with the adoption of the cloud.


Nipun Gupta:
And I think what that really starts to mean is that with this really high amount of data volumes that we are dealing with, the alerting systems we're used to, the old security operations tool set, is not going to be enough, right? So in fact, like one of my friends posted in a recent blog, when a human being is needed to manually receive an alert, contextualize it, investigate it and mitigate it, it's a declaration of failure, right? So I think that is a huge problem now, as Sounil has in fact shared in some of the conversations that we have had too. When it comes to attackers, they think in graphs, and defenders traditionally have always thought in lists, right? They're always looking at lists of alerts. We are looking at lists of compliance challenges, controls, right? And that means that we are always going to be much slower than attackers when it comes to making decisions, right?


Nipun Gupta:
So I want to take this idea of cloud security operations and apply it to this class methodology of defense and see how we can start to automate away these pains for the security operations team and start to move towards the idea of autonomous security operations, where we don't have to deal with every single alert and we start to think about problems in graphs rather than lists. So that's my one takeaway with this change of name.


Kacy Zurkus:
I love that. And I love that you were both brave enough to hazard a guess, as Sounil said, right? Because that's how we move the needle forward, right? That we engage in these important conversations. And we start to think a little bit differently about these nuances within the idea of cloud security. There are all these different elements that are important to think about, and even, Sounil, with the shifting thought on the framework, right? And that ability to be resilient and evolve as needed is hugely important to the success of transformation to the cloud and making that secure. So I appreciate you both being courageous enough to share your thoughts on it, and hopefully people keep the conversation going and think maybe a little bit differently about what it means to them.


Kacy Zurkus:
I do have one final question for each of you. So when it comes to getting your head in the cloud, what are the most valuable things that you can share with our listeners today about what they can do? Not only today, but in the coming weeks and in the coming months to address their own security complexities? Sounil, why don't we start with you?


Sounil Yu:
Sure. Yeah. So first is really to, again, have that mindset around DIE instead of CIA, and one of the other things I really love about the DIE triad is that it's actually extremely measurable. How do you measure confidentiality? Good luck. How do you measure ephemerality? Oh, actually that's a lot easier, it turns out. And not only is it easier, but that information is oftentimes very readily available as well. So from a long-term standpoint, or at least in the coming months, get that information and understand how DIE your own environment is. It helps you frame how many pets you have in your own environment, how ready your organization is to start embracing this mindset of DIE, which to me puts one into a great position to adopt cloud and embrace cloud and cloud security and cloud security operations, however we might want to define it.


Sounil Yu:
So that's one thing: just start measuring how DIE your environment is, and you'll find some interesting things about that as well. I also have a couple of other adages that I usually leave people with, which is, I was hinting at this earlier, but I have this adage, which is "Pets on-prem, cattle in the cloud." So what you don't want to do is move your pets to the cloud. That is like feeding your pets to cattle, which should be abhorrent, right? What you do instead is you usually feed your cattle to your pets. That progression is a lot more natural, but that's it: avoid the lift-and-shift model that we've all learned and found to be the worst thing you could possibly do. Because you're taking an old model, the old wine, as I mentioned, and putting it into a new wineskin and suffering the consequences of that.


Sounil Yu:
So avoid that. And if you have plans on doing that, change those plans, change your model of how you operate, so that you can ensure that going forward, as you do your cloud transformation, you have designed systems to be DIE, that you're designing systems to actually operate in the way that they were supposed to operate in the cloud. And unfortunately that may require new tooling, it may require new technologies, new team members, people with different skillsets. So it is a transformation, and you can't, if people and things are being transformed, we have to prepare for it and anticipate that we all have to change to adapt to this new model, this new way of working.


Nipun Gupta:
So what I would add here is to get ahead of this transformation, start thinking about what your core principles are for taking your security team and getting it ready for the clouds, right? So I think the biggest challenge that you'll start to see is having that expertise at scale, to deal with the high data volumes, to deal with perimeter-less infrastructure, and to start taking advantage of that automation opportunity that's out there. And for that to happen, at the minimum, stop being afraid of collecting security telemetry, the infrastructure telemetry that you need to make sense of your environment. So collect all data at any scale, and then finally, start taking advantage of the analytics, the automation, the machine learning that's available to you by adopting tools that have that capability. And then last but not least, no company can hire the best experts all the time for everything that you need to manage your risk. So start taking advantage of the community out there and adopt those solutions that are able to get you access to that community.


Nipun Gupta:
So you cannot think of it as something that is only possible if you hire the right people, but you can also start taking help from the people who are available on demand to assist you in the mission to defend your organization.


Kacy Zurkus:
That's great advice. Thank you so much. I think my takeaway is you don't want to be the 'crazy cat lady' in the cloud security crew, so make sure you only keep a few pets at a time. What a great and fun conversation. Thank you both so much for joining us. It was a pleasure to have you here. Listeners, thank you for tuning in. To find products and solutions related to cloud security and cloud sec ops, we invite you to visit rsaconference.com/marketplace. Here, you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist with your specific needs. Please keep the conversation going on your social channels using the #RSAC, and be sure to visit rsaconference.com for new content posted year round. Thank you so much.


Participants
Nipun Gupta

Senior Security Leader, Devo

Sounil Yu

CISO and Head of Research, JupiterOne

Cloud Security & Virtualization

cloud security data security misconfiguration perimeter-less security platform integrity

