Cybersecurity Panel featuring Bluewave, Ntirety, Comcast Business, Akamai, and CBTS

In this edition of Bluewave’s Webinar Series: The Current, which is designed to provide insights into the latest trends and technologies to solve business challenges, Bluewave explores the world of cybersecurity with a panel of distinguished strategic partners.

This webinar is moderated by Sumera Riaz, Senior Director of Cybersecurity at Bluewave, who has extensive experience as a security professional, including leading organizations as a CISO and consulting for MSSPs. Plus, it features industry-leading experts from Akamai, CBTS, Comcast Business, and Ntirety, who provide diverse perspectives for a holistic educational experience.

Learn about all aspects of cybersecurity from where to begin to the evolving effects of artificial intelligence:

  • Hear best practices on how to develop or optimize a comprehensive security strategy.
  • Learn how cybersecurity insurance requirements are changing the mindset of organizations.
  • Understand more about the trends around APIs, vendor fatigue, talent shortages, training and resiliency.
  • Discover where the experts see security failures and how to avoid them.
  • Explore the latest benefits and challenges of artificial intelligence on the security ecosystem.
  • Plus, examples of ways security and risk leaders can pivot quickly and efficiently respond to business demands.

Sumera Riaz, Bluewave:

Welcome to Bluewave’s webinar series: The Current. This webinar series is designed to provide information on the latest technologies and how they can solve your business challenges. Today we’ll be exploring cybersecurity, and we have with us a few of our strategic partners from Akamai, CBTS, Comcast, and Ntirety. I’ll be your moderator. I’m Sumera Riaz, senior director of cybersecurity here at Bluewave. I have been a cybersecurity professional for over 18 years with experience as a CISO and consulting for managed service providers like Capgemini. Let’s welcome our panelists. We’re so excited to have you here today. Please tell us a little bit about yourselves. We’ll start with Tony from Akamai.

Tony Lauro, Akamai:

Sure. Sumera, good morning. Thank you for having me. My name is Tony Lauro, Director of Security Strategy and Technology. I’ve been with Akamai for about 11 years, and my role is specifically around how does Akamai engage with our customers, how do we make sure that the needs of our customers are being met, in terms of as we create new technology and try to solve tough problems. So I’m really happy to be here and look forward to the conversation.

Sumera Riaz, Bluewave:

Good to have you here, Tony. Let’s go with CBTS. Jon.

Jon Lloyd, CBTS:

Yeah, thank you. Thank you for having me as well and letting CBTS be a part of this. Jon Lloyd. I’m the practice principal for strategic accounts and our channel Field CTO for CBTS. I’ve been here 12 years. My job, if done correctly, is really helping our customers understand the entire journey through the CBTS portfolio of offerings from managed services, voice security, application development, you name it. What’s really apropos to kind of this conversation is we can’t separate security from any of those. So in the past, security was its own conversation and our customers, we really tried to walk through that entire journey and the role that security plays in it. So excited to be here.

Sumera Riaz, Bluewave:

So excited to have you, Jon. And next we’ve got Trevor Parks from Comcast.

Trevor Parks, Comcast Business:

Thanks for having me here today. I’m real excited about this. My name is Trevor Parks. I spent over 20 years in the cybersecurity arena operating as a security analyst, a pen tester, product director. I’ve managed SOCs and today I’m the director of our advanced solutions at CB Global, where we design security products and solutions for our customers with the sole purpose to improve their security posture. And we do this by helping identify security gaps that exist today in designing solutions that can close those gaps and save our customers money. It’s no longer if your company will suffer a cyber attack, the cliche is now, how often will you suffer an attack? And so we have several solutions here in our toolbox such as MDR and managed EDR that can help any organizations. And we’re really excited about this panel to talk about cybersecurity of the future.

Sumera Riaz, Bluewave:

Glad to have you here. And last, but definitely not least Tony at Ntirety, take it away.

Tony Scribner, Ntirety:

Thank you for having me today. My name is Tony Scribner and I’m the corporate Chief Information Security Officer for Ntirety. And I also play a role as Field CTO. For those of you that might not be familiar with Ntirety, we are a managed services provider and we offer services portfolio covering everything from managed infrastructure, data services, managed compliance, and we’re highly focused on managed IT security. I’ve been with Ntirety for over 15 years and 30 plus years in the IT world.

Sumera Riaz, Bluewave:

Awesome. Glad to have you. Well, great. Let’s dive in. We’ll start off with the first question. What are the latest trends that you’re seeing today around cybersecurity? Tony at Akamai, if you’d like to start us off.

Tony Lauro, Akamai:

Sure. I think that some of the big trends we see are really around application security. This is something that’s kind of been waiting to happen for quite a long time. Years ago, we addressed this from kind of a software development lifecycle. We realized that those issues were not really being solved in the software development lifecycle stage. So then we said, Hey, how can we look at as our applications are being communicated to by a customer or a client, how do we secure that transaction? So Akamai developed the first cloud-based web application firewall. But even beyond that, you look at all of the different intricacies behind that. While attackers might come in and interface with your application, but then the real problem is, they know that you have a web application firewall or some kind of defensive posture there. So they’re going to try to abuse the business logic of the application, and they’re going to come from a lot of different locations.

So this is where you get bots and the idea of this army of machines all trying to do one thing against your business app. But this has evolved even more into the future. We see that a majority of these applications are run by APIs and APIs are just a tiny little programming call that usually comes from mobile apps, but it can come from pretty much anything and that they’re very clean and concise and they’re small. So the performance of applications are improved by using APIs. But security wise, APIs leave a big gap. One, lots of times they’re not being inspected. And then two, lots of times there’s APIs on the backend within your infrastructure that aren’t being looked at. So we’re focusing a lot on those real key areas. That’s a big problem. But in the end, when you look at the news, ransomware, DDoS attacks. The idea that somebody can disrupt a business with little or no effort, that’s kind of a scary prospect. So we have a portfolio that’s looking across all of these different areas from application security to ransomware to secure remote access with ZTNA, remote access as well as DDoS defense because it doesn’t matter what the trend is now, eventually that’s going to ebb and flow and something else is going to become more popular. So we want to be able to create kind of a platform to deal with these problems at large scale.

Sumera Riaz, Bluewave:

Thanks, Tony. What do you think about that, Jon?

Jon Lloyd, CBTS:

Well, so I think Tony’s spot on. I think that leads into one of the things that we’re seeing, which is this idea of vendor fatigue in the security space. And that’s leading to more and more managed service providers, right? The MSSP world as an organization, in the past, I’d buy a tool and I’d have that tool do whatever for me. One, the threat landscape is evolving faster than ever before, but also industry standards and compliance policies, the NIST framework, and we’re adding governance now and everything changes daily. So for an organization to be able to keep up with it, one, I’ve got to buy so many tools and I get this vendor fatigue. So we’re seeing a consolidation with companies like Akamai of, okay, I used to use web application firewall. They were the best at it. We’ve used it for years. Where else can we take advantage of that partnership and that spend?

But there are areas in the security attack surface management, as we refer to it, that an Akamai is not going to cover. That you’re going to need multiple tools depending on across identity management all the way through your traditional firewalling, cloud apps, et cetera. So we’re seeing customers come to CBTS and say, we want best of breed; good enough is no longer good enough when it comes to security. So I want the point solutions. I want the vendors, the OEMs, that are the best at this specific thing, but I don’t want to take on this vendor fatigue of managing 70 relationships or trying to hire a staff for it. And so we put this wrapper around what we consider best of breed, where we’re bringing in the correct technology, the correct OEM. I think that’s, and honestly, getting ’em out of the business of security. It’s so hard to keep up with the technology, but also the standards, and that’s the value of an MSSP.

Sumera Riaz, Bluewave:

Agree. Trevor at Comcast, tell us your thoughts on it.

Trevor Parks, Comcast Business:

So those are both great answers, and I actually agree with both of them. The trends, I mean the expanded use of APIs, that kind of complements what we’ve seen over the past several years since Covid. Where the expanded attack surface has really exploded and customers and anyone needs to be able to be aware that their attack surface is everywhere from home to wherever the case may be, where they’re accessing resources. And the vendor fatigue is a real thing with a lot of companies and consolidation. I see that’s a big trend. A lot of consolidation of vendors where they’re either acquiring resources or buying companies to make it easier. And outsourcing to an MSSP, really finding a good solution that can solve your business problems from a security perspective is really the trend I see. Whether we have an MDR platform, and I think it’s really, really important, and you’ll probably hear me say this many times throughout, is having 24/7 eyes on the environment and protecting it.

Because look, with threat actors, they can, with the use of ChatGPT and other generative AI tools out there, they can automate their attack methodology. And overall they’re streamlining their tactics and they’re way more efficient, near perfect phishing emails. Things like these are occurring every day. Their success rates are through the roof, and it’s much harder for people to defend against this. And so having an MSSP where that’s their dedicated job versus having a few guys on staff or a smaller IT team or security team, you need to have the expertise. So best of breed tools or just having those tools work together versus siloed tools. That’s kind of where the market’s going right now. And on the flip side of that, these tools, they’re actually able to use some AI themselves to implement tool sets that can help better detect from these attacks and uncover them after the fact, reducing that dwell time and help them recover them much faster than historically has been possible.

Sumera Riaz, Bluewave:

Couldn’t agree more. How about you, Tony at Ntirety? Tell us your thoughts on that.

Tony Scribner, Ntirety:

Yeah, so look, all great answers. I think I’ll just put on a wrapper. Security has become comprehensive in nature. So we have to consider the entire enterprise, where people work, where data exists, and we have to consider really all devices that sit on our network when not too long ago, these devices were ignored. Things like IoT, right? So subjects like supply chain management become critical. We have to know that those things that we’re putting on our network are secure by design, and then we can add the proper mitigations to secure those as they exist on our network. But these things that we used to ignore, they’re now entry points and they’re now part of that attack surface and they’re not being ignored anymore. And so that’s a big trend we’re seeing from customers.

Sumera Riaz, Bluewave:

I couldn’t agree more. Speaking of artificial intelligence, going back to what Trevor said. Where are you seeing today AI being a challenge to cybersecurity? And we’ll start with you Tony at Akamai.

Tony Lauro, Akamai:

Some of the challenges are kind of twofold, right? So one, the idea of the amount of data that we have to sift through these days is growing more rapidly than it ever has. One, not just because there’s more people on the internet, there’s more websites, there’s more applications being accessed. But because we have capabilities now to filter and to inspect this application data flow at so many different levels, whether it be DNS or BGP journey or the HTTP requests or the APIs within that. All of these things, you’re now kind of creating more and more data in your data lake, if you will, to be analyzed. And without machine learning and artificial intelligence, it would be a really huge challenge. So because AI and ML have been around for so long, a lot of us were already using that to look at big data and to do analysis, to look at standard deviations to understand is this traffic unique because it’s just a new person making a request, or is it unique in terms of it’s something we’ve never seen before and it looks just enough malicious to look just like this other thing that we already know is malicious, right?

And to be able to draw those conclusions is a big piece of the puzzle and still part of the challenge in terms of using AI and ML to do big data analysis. So that’s one area I’ll leave for someone else to comment on the other sides. But yeah, it is definitely an ongoing thing and something we’ve been focusing on for quite some time to make sure that we can stay ahead of that challenge.

Sumera Riaz, Bluewave:

Thanks for that. So Jon, from CBTS, what challenges in a cybersecurity practice do you think it’s solving today?

Jon Lloyd, CBTS:

I think a big one is really correlation, right? What a machine can do across different, as Tony mentioned, data lakes, the idea of being able to pull different feeds and have it be analyzed in real time doesn’t replace the need for a SOC. That’s a lot of the conversation that we have with customers. There’s still, I always equate it to AIOps before AI now in security. And I always would use the analogy that back in the sixties and seventies, your car was making a noise, you took it to a mechanic. The mechanic had to take the car apart or use their years of experience of going, it might be this, it might be that. Now we know exactly what it is. We go to AutoZone, we plug in the car, we get our code, and we still now take it to a mechanic. That’s the analogy I use.

Me knowing what’s wrong with it doesn’t make me a mechanic. And I think in the AI space, me having the tools, me ingesting logs, me correlating logs, me looking for anomalies, me being able to do this analysis at quantum computing, that’s great. I still need a team of professionals of what’s my plan. I think Trevor mentioned how many times, what’s my plan when? So I think AI is helping my team of professionals get a better landscape and understand attack vectors, understand correlation, understand blind spots, because the computers are looking in areas that are automated and people may forget. They might not know to look, or sometimes it’s just the…I think about if… I have young kids, the war of attrition where they scream and they cry and you go, don’t give in, don’t give in, don’t give in. Some days that’s really hard. Now imagine in an AI space, that war of attrition, when it’s not a person attacking you, it is bots, it’s programs that have already been written and your team is going to lose that war of attrition. So AI is really helping counter that, but there still need people in SOC behind that to actionize that intelligence.

Sumera Riaz, Bluewave:

What do you think about that, Trevor?

Trevor Parks, Comcast Business:

I love his answer and I’m going to piggyback off that a tiny bit. I mean, I think the first area that AI is going to have the biggest positive impact on the challenge that we’re all facing is going to help solve the problem that we’ve all been hearing about for two decades is the staffing deficits in the InfoSec industry. There’s a huge problem. There’s more open head count than people exist. I think AI can actually fill that headcount in such a way that it’s the ability to automate much of what is considered more of a tier one security. I love this analogy of AutoZone plugging in something in your car to figure what’s wrong. Well, AI can automate a lot of the things that tier ones have historically done. A lot of these tools out there, they do detect things that are absolutely bad, but they also generate a lot of noise.

And it requires a human to make a decision on is this real? Is it important? Does action need to be taken? AI can automate almost all of that stuff. It’s going to be a huge boon to SOCs everywhere. And allow those skill sets to move into a tier two or tier three role where it does require the intelligence to be human to actually make a decision. Just because you know this has happened, now you need to understand what to do next. And that’s the human component. So when you pair that with tool sets into a single solution as the vendor consolidation does occur, as we mentioned, this includes SOAR type of tools. AI will help security orchestration tools be better. It’ll be a game changer and a force multiplier for all the security analysts, pretty much for any platform, whether it’s an MDR based platform or anything to help incident response that they’re tasked with protecting for those customers.

Sumera Riaz, Bluewave:

Yeah, thank you for that. Tony, what do you think?

Tony Scribner, Ntirety:

Yeah, so I think we’ve covered a lot of the parts, and Trevor actually used the term that I like to use a lot when talking about AI in conjunction with security tooling. And that’s a force multiplier. The amount of data that we need to sift through to find that needle in the haystack is immense. Jon mentioned, look, we’re not going to replace SOC personnel, and we’re certainly not, but those SOC personnel need help sifting through the massive amounts of data. So AI and machine learning stand as a rule force multiplier for that. We just have to remember that with the good comes the bad. And so just like we have a force multiplier for the good using ML and AI, we have the same aspect on the negative side with the threat actors having access to the exact same technologies.

Sumera Riaz, Bluewave:

Exactly, and that’s exactly where I’m leading next. A few years ago when I was a CISO and AI was a big thing on the market, I was very apprehensive in introducing AI into my attack surface. As a CISO, cybersecurity flows through employees, processes, and your technology and you have to be able to control it. And AI at that time when it first came out, I didn’t know how to quantify it, how to measure it. Therefore something that cannot be measured cannot be controlled. So this was a few years ago. But a lot has changed in the last couple of years. So I would love to get your thoughts on today, why are some CISOs or head of security still a little apprehensive about introducing AI into their environment?

Tony Scribner, Ntirety:

CISOs and CIOs are always keen on where the data resides and what the controls are protecting that data. And with third party AI tools, we have to be sure that we’re not sending customer data, identifiable data, health data, any of the really protected silos of data to other providers that haven’t been properly vetted, that I don’t have business associates agreements with, that I don’t have proper controls around. And it’s not just the data lakes themselves, it’s also the prompting. So are my employees going out to ChatGPT and putting in something in the prompts that I don’t like?

While there’s a big push to use AI, there’s also a big push to contain and control that flow of data. So for example, at Ntirety we use AI extensively internally, but they’re internal data lakes. And we’re using external AI APIs. But we’re only sending specific pieces of context. So there’s nothing in the data that’s going to cause any type of exposure. And even with that, we’re only using vendors that we have contracts with, that we know their data retention policies, we know their data protection policies, we know everything legally about them, and how they interact with and protect our data sets.

Sumera Riaz, Bluewave:

That’s excellent. What do you think, Trevor?

Trevor Parks, Comcast Business:

I’m going to take this in a little different direction and I’m going to lead with, I just saw in the news recently where a company in the Middle East did the wire transfer for $25 million after participating in an MS Teams meeting full of deepfake hackers pretending to be coworkers and even the CFO of the company. It was so effective that they were convinced to wire $25 million. Now I think with AI, I mean that’s the extreme example. A few weeks ago there was a deepfake of Biden calling people and telling them not to vote. These things are very convincing. What I’ll say is we don’t know what we don’t know in the AI world. I think in the coming years it’s going to be revolutionary. Everything’s going to be evolving. The biggest challenge is threat actors are able to weaponize AI tools much faster than vendors can protect against them. That’s the facts. This challenge is a formidable problem. And so I think as we kind of evolve our tools to come up against these attackers using these tools, what Tony just mentioned. AI is going to be probably sending data through ChatGPT on its own. It knows the things to do to extract data and compromise networks. These are big challenges and I don’t think we really have good answers to all of them. It’s going to be kind of fun over the next year to see how this plays out.

Sumera Riaz, Bluewave:

Exactly. Yep. What are your thoughts on it, Jon?

Jon Lloyd, CBTS:

So Trevor took exactly where I was going to go, the deepfake thing. I just read about that. That was wild. I think the key is it’s not just about making these new tools for bad actors. It’s that it’s going to make bad actors. And what I mean by that is you don’t need 30 years of experience of trying to hack these networks. We talked about DDoS earlier on, and we’d go through these issues with swatting. Kids get mad on a video game and an IP address is in the corner, and they will call this in. They can call in a SWAT to that IP address because they can look up the address. Or you can go to a website if you’re mad because somebody beat you in a video game and pay $30 to send a two terabyte DDoS attack to that IP address.

Those were easy tools for people to ask. Maliciously that same concept, something so simple is going to now expand and permeate into, what used to be the global country backed government backed, hacking is automated. So I think that’s probably the biggest concern that I have around AI. Aside from all the things about how do you honeycomb your data in a data lake and who are you sharing with and who do you have access in private GPT, all of those things are real. They’re all very, very real. However, for me, the biggest concern is just in the past you had to be better than the person across from you and you could buy tools to be better than them. Those days are kind of done. Anybody can be a bad actor now if they want.

Sumera Riaz, Bluewave:

Definitely. Tony at Akamai?

Tony Lauro, Akamai:

Yeah, I think to take it in a different approach or from a different approach. The organizations that are developing these large language models used for AI responses, obviously there’s a couple big concerns. One, within the US based on our laws and data privacy, you cannot feed an LLM with proprietary or potentially government secret data. In other parts of the world, they’re feeding LLMs with data that’s stolen intellectual property data, data that contains trade secrets, government secrets, source codes, schematics, all of these different things. And it’s in those areas, a lot of which is stolen from the U.S.

And if you want an example, if you look up in China, there’s a vehicle called the Landwind. The Landwind. And if you look at it, it looks a lot like a Range Rover or a Land Rover. And it’s interesting to see how these things kind of develop, but what I’m really getting at here is the data sets themselves are at risk, and we think that there’s protection and guardrails and safety built into these tools. At DEFCON 30, they had the first generative AI hacking challenge, if you will. That’s what they were calling it. I’m not sure that totally hit the nail on the head, but some of the activities were bypassing guardrails. So if you ask an LLM to give you malicious source code for hacking this government firewall, it shouldn’t be able to do that. Well with a few concise commands, you can basically trick it into responding to you.

So bypassing those guardrails, getting information about how the LLM is built itself by making it reveal part of its own internal structure. I mean these are problems that could kind of really upset the whole AI marketplace that’s kind of being built right now. To me, that’s a huge concern. My son was doing something just this weekend, we were talking about this. He was like, yeah, I was trying to make ChatGPT give me this response. And it said it’s restricted to give that kind of response. So he just did five minutes of Googling and found something called yes man. And yes man is this super long script, a prompt, that you put into ChatGPT that makes any response that would normally be restricted answer based on the yes man prompts and basically saying, if one were to do this, you should respond in this way.

And I’m just thinking to myself, I’m like, listen, there’s no more secrets. There’s no more saying that, Hey, we can’t talk about these vulnerabilities or these problems because bad guys might find out. They already know about this. We need to inform our customers, our friends, our kids, that there are some real risks here and what they are. And ultimately all of this has to be done around the scope of how do we reduce the risk to our organization? So if we’re using ChatGPT or any type of large language model for corporate purposes. One, you either need to build one yourself and use it internally and have it tightly controlled and restricted, or two, like Tony was saying, have some kind of mechanism to say, we know that there are very tight restrictions on what we can feed or ask of a generative AI model externally and have some controls around that. Because these problems are just going to grow exponentially over time.

Sumera Riaz, Bluewave:

Couldn’t agree more. Switching gears. So businesses are in the market to make money. Security and risk leaders today are being asked to respond quickly to these business demands. What are some of the examples of how they can pivot quickly more and more efficiently? Jon, do you want to start?

Jon Lloyd, CBTS:

Sure. So at CBTS, we actually, we are no longer looking at it as security. We’re starting to use the phrase resiliency and really understanding security should be tied into everything. So there isn’t a security department anymore. And as Trevor said at the start of the call, it’s not if but when and how. It’s not even when, but it’s how many times. And so for us, as you look at security, we’re using the phrase resiliency. What is your plan? Whether it’s reducing your attack surface so that in the event of an attack you can isolate and air gap off the part of the network and continue to be resilient and continue to operate. Or if that’s DR and backup and how quickly can you restore? What is the impact of a bad actor getting access to your network? What is your plan in place? If you were to get malicious data or your data stolen by a malicious actor, what was the plan from a marketing standpoint?

What’s the plan from your errors and omissions insurance policy standpoint? And so the quickest way when we look at how do you pivot? If I’m an organization, I’m going first, how can I outsource it? I think we kind of beat the managed service provider horse to death a little bit in the beginning of the call, but that’s why you’re seeing more and more companies move away from it. But the second is involving your entire organization. It’s not the CISO’s job to keep the company safe. It’s the CISO’s job to keep the company informed of potential threats, of looking at the frameworks and guidance and what’s changed, and continuing to kind of be that cheerleader internally for security focused programs. The business still needs to enact. They need to budget for it, they need to put the right tools in place, they need to bring the right partners in, and it really does become everyone’s job.

So we talk with customers all the time about your employee. Every employee is a firewall. That is your biggest weakness. You can buy training tools, you can buy all the stuff you want, ZTNA access and SASE. At the end of the day, an employee is going to click a link and an employee is going to be an employee, and that’s your biggest challenge. To me, how we pivot is really looking at what is our resiliency plan as opposed to how are we going to stop this or prevent it. Those days are gone. It has to be what is our resiliency plan when it happens.

Sumera Riaz, Bluewave:

Exactly. I love that. What do you think about it, Tony from Ntirety?

Tony Scribner, Ntirety:

Yeah, Jon, that was a great answer. And I think one of the things that I’d add to it to really be able to respond quickly is I need that buy-in and alignment organization wide, which means that starts from the top, right? So when I’m talking to people out there and I’m having conversations with the CEOs, the COOs, the CIOs, I know that this is an organization that’s going to have a top down approach, which means the awareness is there, hopefully the budgeting is going to be there, and they’re truly interested in mitigating risk to the corporation. When these conversations start at lower levels or mid-level management and they don’t have the buy-in from the top yet, I know that there’s going to be a lot of roadblocks. I know that there’s going to be budgeting issues. And I know that a comprehensive security program’s probably going to be a bit away because we’re going to have to do some selling up the line. So I really look for early executive buy-in from the companies who are needing help within the security area. And of course not everybody has the budget, as Jon mentioned, to build it on our own. And yeah, we’ve beaten that MSSP and MDR horse, MSP horse a little bit today, but this is how people are solving the issue. They’re finding providers that can supply a comprehensive security solution and putting that in place and getting to where they need to be quicker rather than waiting for budget cycles and having to sell up the line.

Sumera Riaz, Bluewave:

Totally agree. What do you think, Trevor?

Trevor Parks, Comcast Business:

They both had great responses, so I’m going to give a little twist on it. Look, everyone’s on their own security journey and everyone’s somewhere different in their security journey. We can all be better. All businesses should always be looking to improve their security posture. Whatever that means to them is different to everybody. The low hanging fruit in my mind is the users are the weakest link. They’re always going to click those links. Look, those need to be protected first. Time is your enemy. You need to be more efficient with the time that you have to respond because as we’ve all said, it’s going to happen. Time has passed before stopping it. These things are going to happen. So having something in place, whether, I mean. People ask me a lot of times, what’s the single best thing you can do for a company is advice, if they only have budget for one item, and there’s no silver bullets in cybersecurity.

But I personally think the security unicorn out there, if you don’t have anything or limited resources, is a managed EDR solution, it’s like a security unicorn. It helps with ransomware at best. You have some limited protection, but as we’ve already, not to beat the dead horse again, is having 24/7 coverage. That’ll reduce the time it takes to recover when it does happen. And that’s the key thing here is resiliency to overcome when it happens. And that’s how you pivot quickly is you have a plan in place to recover quickly. And that’s have these tools in place ahead of time, not after the fact.

Sumera Riaz, Bluewave:

Yeah, exactly. I don’t want to know that a breach happened seven days ago. I want to know now that in lifetime that it’s happening right now so I can stop it. So yeah, fully agree. What do you think, Tony from Akamai?

Tony Lauro, Akamai:

Yeah, I think one thing that kind of strikes me is the word pivot, right? So that’s the assumption that maybe you’re going in a different direction. I think a great kind of foundational way to get ahead of things from a risk perspective is to review the architecture of the technology and the tools that you’re using. Because your tools should be made to allow extensibility and flexibility and to pivot in a different direction if one is so desired. So a lot of times in the security realm, your tools only do one thing and they only have one perspective. And I think Trevor mentioned this and Jon did as well, there’s a huge need for tools to be able to share information with each other, to share threat intelligence, tooling information, risk scores, et cetera. And when it comes time to pivot, you want to be able to look across your organization and make well-informed business decisions based on a larger picture.

The larger picture would be some sort of collective intelligence, which is this bad just for me or is this bad based on other telemetry that I have from across the world that says, this for sure is bad and this for sure is worth addressing and blocking. Because a lot of times when it comes time to pull the switch and say, Hey, we’re now going to turn on a block that’s going to be enterprise wide, it’s always kind of like a resume writing opportunity for one person. The person that said, trust me, this is going to be okay, we’re not going to block business from happening. Organizations are so sensitive about stopping the flow of business that lots of times security, because they don’t know if they can trust it, becomes a backseat driver, so to speak. So I think it’s important for these tools to be able to communicate with each other and have a big broad view of what bad looks like so you can make a better informed business decision if and when you need to pivot.

Because just kind of taking maybe one analyst using one tool and they say, Hey, this looks bad based on X, Y, Z, let’s implement new EDR block across the whole enterprise. You could potentially be blocking a new agent that has been installed or something like that. So having the visibility and having the observability across your organization and having the ability to make those decisions based on telemetry that’s from a larger swath of the world, to me, is probably the best way to be able to pivot quickly. Because so many organizations have pivoted and then they’ve gotten themselves down into another bad rabbit hole because they didn’t have all the information they needed. So that’s my perspective.

Sumera Riaz, Bluewave:

Yeah, I love it. Spot on. Why is checking the box with point security solutions not an optimal strategy? What do you think about that, Tony at Akamai?

Tony Lauro, Akamai:

Well, I think checking the box. I’ll go to PCI version one, the idea of do you have a web application firewall checkbox. The checkbox literally was, do you have one? It’s not, is it sitting in line in front of your applications. It’s not is it in blocking mode. It is, do you have one? So it was kind of putting the onus on, Hey, are you thinking about the fact that you need to inspect application traffic before it hits your PCI environment? Now that you’re thinking about it, it’s the most rewarding experience of my life. No, you actually have to be doing it. So checkbox versus what you should be doing, what you could be doing and what you are doing, there’s a lot of nuance there in just a single check. And I think that’s the biggest situation that comes about with checkbox security is human nature and the nature of the fact that we all have so many other things to do. That checkbox, you kind of do the bare minimum and I think that’s a dangerous place to play. I think they’ve tried to change this over the years in terms of the check means all of these other checks. I think that’s a lot safer way to roll forward.

Sumera Riaz, Bluewave:

What do you think, Tony at Ntirety?

Tony Scribner, Ntirety:

Yeah, so ostensibly, when we talk about checking the box, we’re really talking about references to control frameworks, to security frameworks, and audits and assessments. So everyone has to remember, a lot of these are meant as minimal baselines, not the end game. They’re the minimum of what you have to do to pass a particular audit. Not the maximum of what you should be doing. So we always have to have that framework. So I like to talk to people about the huge difference between passing an audit or having an assessment that finds no gaps because you have a comprehensive security program and you’re doing all the things and more that need to be in place to pass that particular audit. Or then passing that audit because you put in place the minimal things that need to be put in place according to the audit. Those are two very different worlds. It is the preference to always pass because you have a comprehensive program and you have all the things in place and more all the time. That’s why you should pass an audit. But it’s very dangerous to just consider minimal baselines and think that I’m secure. Because I promise you that’s not the case.

Sumera Riaz, Bluewave:

Great. Jon, what do you think?

Jon Lloyd, CBTS:

About that? So I’ll look at it from checkbox of a solution, not a framework. And that is, it’s a point in time, it’s a snapshot in time, and there’s no correlation. So I buy a firewall, I put in a firewall. That doesn’t mean that it’s working with other tools to create these data lakes that it’s feeding into a SIEM or a source. I think the first thing is when you look at it as a checkbox or a point solution, you’re not looking at a platform and having a full security platform and all of those pieces. Maybe you like this vendor for this and this vendor for that, and that’s okay. If you’re comfortable managing it and supporting it, it’s okay to not focus on consolidation. But when you’re buying it just to be a checkbox and they aren’t working together. For instance, I’m buying this for load balancing and this for firewalls, and this for web application firewalls, and this for API gateway security, and this for identity access management, and this for multifactor, I can keep going on and on and on. And when there isn’t symmetry between them, when there isn’t correlation, you have a really big problem. And the other piece is when you do a kind of a checkbox approach, you end up kind of setting it and forgetting it and moving on. The platform doesn’t continue to evolve, and so you’re always going to be looking for the new checkbox. You’re going to be looking for the new point solution because you haven’t built a program that shares information, shares data, and continues to evolve.

Sumera Riaz, Bluewave:

Trevor, what are your thoughts on that?

Trevor Parks, Comcast Business:

They all summed it up pretty nicely. What I’ll say is the checkbox solution only satisfies some compliance requirement. It’s actually not a security strategy, and it offers virtually no defense to modern threats. Look at all the AI attacks that we’ve been discussing. Do you think there’s any checkbox out there that’s going to slow that down even a little bit? I think not. And something Jon said, it’s just a spot in time. Look, every time you update your software, when you hit restart because updates are available, or your phone reboots, you’ve just introduced new zero days, regardless of what checkbox compliance you may be adhering to, you have zero days on your device. So having a life cycle for security, not a checkbox security strategy, is going to be more beneficial. At the end of the day, checkbox compliance is kind of a thing of the past, and I’ll be happy when it dies. Personally, I think having a living life cycle for cybersecurity for all organizations is a much better approach.

Sumera Riaz, Bluewave:

I love that analogy. Yep, for sure.

So thank you for joining me today, Jon from CBTS, Tony from Ntirety, Tony from Akamai, and Trevor Parks from Comcast Business. Love working with you guys. Love your knowledge and wisdom you bring into this space. So thank you for joining me today and thank you so much for watching.