Cybersecurity & Networking

  • Anton Chuvakin knows his stuff, so I was excited to have him participate in Enterprise Strategy Group’s SOAPA video series. In part 2 of our video, Anton and I chat about:

    1. Security data. I mention to Anton that many SOC teams are buried in large volumes of security telemetry and then ask if we are trying to collect, process, and analyze more data than we need. Anton responds that we have too much “dirty data” that really isn’t useful. Therefore, the challenge is understanding which telemetry is useful, how it’s useful, and which other data elements we need for data enrichment to improve the efficacy and efficiency of our analytics.
    2. Common Chronicle use cases. Speaking of data, Google Chronicle is unique in that customers can keep security data on-line for long periods of time (without a hefty price tag). What do customers do with this data? Anton mentions the most common Chronicle use cases are incident response and threat detection. He also says that Chronicle is the first security platform to include threat hunting as a core function. No, these use cases aren’t unique, but Chronicle’s approach is.
    3. The tradeoff between security efficacy and complexity. This will always be a balancing act because security analytics and operations are difficult by default. Anton doesn’t believe there will ever be a magic single solution. Rather, best-of-breed tool interoperability will improve through API integration. Kind of sounds like SOAPA.
    4. SOC modernization. A nebulous term from the start, so I ask Anton for his definition. Anton describes SOC modernization across people, process, and technology, highlighting things like distributed/integrated tools, changing skill sets and specializations, and broader processes beyond alert triage – like threat hunting and data exploration.
    5. The future of SOAPA. I always ask my guests to predict the future of the SOC and SOAPA, so it was somewhat surprising that Anton chose to focus on the human element. Despite technologies like machine learning and process automation, Anton insists that we will still need highly motivated and skilled SOC analysts who understand the threat landscape and use their experience and intuition to make sense of the data. I couldn’t agree more.

    Many thanks to Anton and the Google Chronicle team for participating in the SOAPA video series. Look for more SOAPA videos soon.

  • I’ve long admired the work of Dr. Anton Chuvakin, head of solution strategy at Google Chronicle. Anton really knows security analytics and operations so now that he’s no longer a Gartner analyst, it was great to have him participate in the SOAPA video series. In part 1, Anton and I discuss:

    • Detection as code. In a recent blog, Anton proposes, “detection as code.” The thought here is that you want to “devops” your detections to keep up with threats and strive for constant improvement. This is an intriguing concept that may be especially useful for large organizations in specific industries under attack. We have focused industry ISACs, why not focused industry detection code?
    • SOC nuclear triad progression. Anton’s nuclear triad concept combines logs (SIEM), endpoint telemetry (EDR), and network traffic analysis (NTA/NDR) into a SOC architecture like ESG’s SOAPA. In this era where everything runs on software, Anton believes the triad may be supplemented with specific application visibility telemetry in the future.
    • New data sources. Anton believes that deeper application visibility is the biggest missing link in security analytics today but perhaps we’ll add more logging sources as well. We both anticipate more use of deception technology as a new telemetry source in an auxiliary role.
    • My colleague Dave Gruber and I are knee-deep in research in this area, but I wanted to ask an old hand like Anton what he thinks about this new trend. In the past, Anton had a log-centric view of SOC technology, but he is now open to an endpoint-oriented architecture a la XDR. In the short term, XDR must coexist with SIEM, but the two models are bound for a collision course.

    Dr. Chuvakin and I have lived in the same neighborhood for years so it’s great to finally spend some time together. More from Anton on SOAPA and Google Chronicle in part 2 of our video soon.

  • Extreme Innovation ‘Connects’ with Customers

    Extreme Networks recently held its 2020 User Conference, Extreme Connect, the first with Wes Durow, CMO. Keeping in line with the new reality we are all facing, it was a virtual event. However, Extreme took great efforts to give the thousands watching from home the feel of a main stage production and infuse two days’ keynotes, breakout sessions, and executive chats with opportunities to have some fun and be entertained.

  • Nutanix Rolls Out Innovation at .NEXT

    A really common question this summer has been “What did you do during the pandemic?” Most would respond with projects around the house, maybe learned a new language, etc. However, if you attended the Nutanix .NEXT virtual conference, it would be pretty clear what the team at Nutanix was doing: innovating to deliver new capabilities for their customers. As the image below indicates, Nutanix announced a slew of innovative new solutions designed to enable organizations to Run Better, Run Faster, and Run Anywhere.

  • Cisco Live 2020 got a makeover this year—it went all digital (due to COVID-19) after being held live and in-person for the past 30 years. More than 120,00 people attended the event where Cisco demonstrated its commitment to the community and its customers. There were also plenty of announcements about new and updated services for networking, security, collaboration, and customer experience. In the networking arena, new services announced comprised a series of network insight capabilities covering a wide assortment of products across Cisco’s portfolio—focusing on accelerating digital transformation via enhanced and improved proactive and predictive services, and the vital ability to automate data center networks globally.

  • Operationalizing the IT requirements for a remote workforce for many businesses means accelerating digital transformation initiatives, which leverage a range of cloud services. As a result, an organization’s cloud footprint increasingly includes a mix of third-party SaaS applications as well as internally developed cloud-native apps to support critical back, middle, and front office operations. But different organizations are in different stages of cloud adoption from born-in-the-cloud companies fully indexed on the cloud to enterprises who operate in a hybrid, multi-cloud world.

    A challenge shared by all companies, however, is unifying security policies across disparate environments. Maintaining consistency across data centers and public cloud environments where cloud-native applications are deployed was cited by 43% of respondents who participated in ESG’s annual Secure DevOps study as the biggest challenge in securing those applications. In this second of a two-part video series, Greg Keller, JumpCloud’s CTO, and I discuss how the use cases of directory-as-a-service (DaaS) offerings meet the needs of businesses at different stages of their cloud journey.

  • Trends in Email Security

    With most organizations standardizing on cloud-delivered email in an effort to shift costs from CapEx to OpEx, many have assumed that email service providers would automatically include comprehensive security controls. Many of these same organizations found it necessary to add third-party controls either during their migration or at a later date. Many have suffered from phishing-related attacks that led to credential theft and BEC, while others faced the loss of sensitive data through both unintentional and intentional actions.

    In order to gain insight into these trends, ESG surveyed 403 IT and cybersecurity professionals at organizations in North America (US and Canada) responsible for evaluating, purchasing, and managing email security products, processes, and services.

  • The application security market is in a state of transition as legacy approaches to web application firewall, API protection, bot mitigation, and DDoS prevention have struggled to meet the needs of modern applications. The decentralization of application development and shift to agile methodologies, significant shortage of security skills with regards to applications, and evolution towards sophisticated, multi-vector attacks have forced organizations to rethink their approaches to application security. The evolution towards WAAP, or web application and API protection, has been a direct result but remains a work in progress, with many providers just starting to loosely couple the required pieces.

  • The IT implications of the pandemic-induced surge in remote work are headlined by an increased reliance on cloud applications and services. Supporting and securing direct-to-cloud access has necessitated a focus on identity and access management (IAM) initiatives including:

    • Extending single sign-on (SSO) to additional SaaS applications
    • Implementing MFA (finally!) to secure access to an organization’s most critical and sensitive apps and data
    • Rethinking privileged access management (PAM) in a cloud context
    • Monitoring user activity to detect both insider threats and stolen credentials
    • And, because new devices are being used by remote employees, extending trust-based authentication to device profiles

    Updating these and other aspects of an IAM program to secure a remote workforce starts with a focus on policies. However, developing and adjusting policies to support the increase in the work-from-home population is the top security challenge associated with remote work, as reported by a third of the respondents in a recent ESG study. In this first of a two-part video series, Greg Keller, JumpCloud’s CTO, and I discuss the challenges and solutions for the strategic imperative to secure the identity perimeter expanded by remote work.

  • Zero-trust has seen an explosion in interest over the last few years. As the perimeter has become increasingly porous due to cloud usage and distributed network architectures, a fresh look at some of the foundational cybersecurity concepts was sorely needed. This has only been exacerbated by the pandemic, with many organizations not only supporting a primarily remote workforce, but also trying to complete their digital transformation journey in a matter of months, rather than the years they originally planned.

    Despite the clear applicability, there remains some confusion in the market regarding exactly what implementing zero-trust entails, where to start, and how to ensure the initiative is successful. The recent finalization of the NIST guidelines on zero-trust architectures may help provide some clarity, but much work remains.

    With all that in mind, Mark Peters posed several questions to me on the topic of zero-trust as a part of Enterprise Strategy Group’s recent virtual breakfast at Black Hat 2020. In the following video, Mark and I touch upon:

    • Zero-trust interest and adoption. By now, nearly everyone even tangentially involved with cybersecurity has some awareness of zero-trust. In fact, Enterprise Strategy Group research has found that 88% of respondents are very or somewhat familiar with the concept. However, when we consider adoption, the data simply doesn’t match up with real-world scenarios, pointing to the aforementioned confusion.
    • Data security as a component of zero-trust. The short answer is that it is a part of a complete zero-trust strategy. However, it should not be the starting point.
    • How to incorporate zero-trust. We don’t provide an exhaustive list, but do touch on some of the high-level keys to success with these projects, including starting small while maintaining a long-term vision and how to think about vendor partnerships.
  • Incident Readiness Trends

    ESG conducted a comprehensive online survey of IT and cybersecurity professionals from private- and public-sector organizations in North America (United States and Canada) between June 25, 2019 and July 8, 2019. To qualify for this survey, respondents were required to be IT and information security professionals responsible for the policies, processes, or technical safeguards used for incident readiness and response at their organization.

    This Master Survey Results presentation focuses on incident readiness services, including understanding the trigger points influencing service investments for breach preparation and proactive exercises, as well as how decision makers are prioritizing and timing purchase decisions.

  • Trends in Email Security

    ESG’s Master Survey Results provide the complete output of syndicated research surveys in graphical format. In addition to the data, these documents provide background information on the survey, including respondent profiles at an individual and organizational level. It is important to note that these documents do not contain analysis of the data.

    This master survey results set offers new data concerning:

    • Organizational dynamics, buying behavior, and the future of email security.
    • Email attacks and threat detection and response.
    • Issues with sensitive data in email.
    • Bolstering email security with complementary technologies and services.