Security Superfriends Episode 6: Rick Howard
Security Superfriends | Rick Howard, CSO, Senior Fellow, Chief Analyst, The CyberWire
Rick Howard’s story is as security as it gets. It starts as a boy escaping from his dusty hometown – only to land in a fox hole with the US Army. He soon emerges from his fox hole to become the first commander for the Army’s Computer Emergency Response Team (CERT). After the military Rick climbs his way to the top of the security world as the CSO of Palo Alto Networks. Now in faux retirement he spends his days teaching security at Carnegie Mellon, podcasting as a security journalist, security investing and more.
In this installment of Security Superfriends, Rick shares his thoughts on the SolarWinds Breach, supply chain risk, cloud native development, and security books we all must read. Rick also shares why he likes the underdog superheroes, like the Miles Morales Spiderman, or Jessica Jones. These are the ones who don’t have unlimited power. They struggle, overcome and prove their mettle over time. He likens this to the CISO life. I do too! I hope you enjoy this installment of Security Superfriends.
I hope you enjoy this installment of Security Superfriends! Check out some edited highlights below, and be sure to watch the video or tune in via podcasts on our Soluble channels on Apple Podcasts, Spotify, Soundcloud, and Stitcher.
RS: How should the modern CISO prepare themselves for the emerging threat landscape? We’re seeing a big difference in how software’s produced in terms of the advent of massive amounts of third-party, SaaS, lots of open source, etc. What should a CISO need to start thinking about, how do they need to be scaling up – what’s your advice?
RH: Most of the CISOs that I talked to during my show and this past year have been raising the bar about where they focus their efforts, and it’s really about where their data is, what is the data that’s going to cause a material impact to their organization. When I was doing CISO work 10 years ago, we all basically had a firewall that made us a perimeter back at headquarters, some of us that were a little bit larger had our own data centers but that was it. There wasn’t a whole lot of places where data was going to be stored. But just in the last decade, your data is everywhere. It’s still in those data centers and still back on prem, it’s in every sales office around the world, but it’s also in a gazillion SaaS applications.
As we all race to the cloud for lots of benefits, then our data is scattered all through there and so what we’re trying to do is protect where the data is, and it’s become so complicated to put prevention controls in all those places that we’ve almost become overwhelmed with the amount of work that has to get done so much so that most of us aren’t getting it done with any kind of speed or efficiency.
Even before we went to the cloud, we had too many security tools that we all had to manage. You know when I started doing this back in the 90s, we had a firewall, we had an intrusion detection system, and we all had antivirus, and if we had some money some of us had two antivirus systems on our endpoints.
But today’s businesses – even small companies have 10 to 15 security tools that they’re managing, and that’s before they go to the cloud big organizations, like big finance, U.S. government, some of those organizations have 300 security tools that they’re trying to manage, and they can’t do it with the amount of people they have, especially doing it manually.
So what we’re looking for is that the big thing that’s coming to fruition in the last five years or so is an ability to orchestrate your security toolset across all the data islands. How do you do that? You’re going to do that with automation and you’re going to try to find a tool or a set of tools that integrates in all data sets.
RS: When we look at modern, high speed development, where data is seemingly deployed everywhere across SaaS services, the cloud, etc. – everyone’s accessing it everyone’s committing to it. What do you see, putting your futurist hat on, what do you see emerging that’s going to help solve for that risk?
RH: Well I think there’s a couple of pieces of good news here, and one of the conversations we’ve been having with the CISO this past year is you know trying to figure out what is the ultimate thing that we are trying to accomplish? I’m a big believer in first principle theories, so if you put a bunch of CISOs in the room and said, “okay I know our day consists of a bazillion different things, but at the end of it, what are you trying to accomplish? What is the thing that you’re trying to solve?”
From my perspective, we’re trying to reduce the probability of a material impact to our organization… in my mind that’s the most important thing. So the basic steps then from that the very next things you would do in terms of strategy is I have three or four that we could talk about right. First one is intrusion kill chain prevention. That means that we know pretty much what all adversaries do across the intrusion kill chain at least 95 percent of it. Why wouldn’t we have prevention controls in place across the entire attack sequence?
The second one is Zero Trust. Zero Trust assumes that bad guys are gonna get in, but you can reduce the amount of damage they can do. So (the SolarWinds attack) happened the bad guys compromised them – they sent in a Trojan horse basically with their update software. But that wasn’t where the problem was. The problem was that from there the bad guys authorized tokens for their cloud environments of their victims, and nobody was watching that. That’s the Zero Trust that we should have locked down. There should be nobody saying automatically that this machine or this person gets to authorize access tokens to our cloud environments.
The third one that you should be pursuing is resilience. How do you survive an attack like SolarWinds? Look at the way FireEye responded to the SolarWinds attack. That is the textbook way to respond to the press all right, yes there was damage to them but it was minimal damage because of the way they did it you could tell they had planned it out beforehand and they executed their playbook. So resilience in the face of an attack – that’s a great way to do it.
The last one is near and dear to both of our hearts is how do you measure risk. You and I talk about risk all the time right and if the first principle theory is to reduce the probability of material impact, how do you figure out what the probability is? Most of us CISOs we have no idea how to do this, and you should absolutely read your book How to Measure Everything in Cyber Security Risk to get a feeling for what you’re up against in the coming year.
RS: We’ve been talking about cloud native, you know, software is eating or has eaten the world, so it’s software defined everything. So now infrastructure is defined as code right? Developers are defining and deploying cloud infrastructure that combined with things like serverless or functions as a service are also changing how people structure their teams and their titles actually, so putting again your futurist hat on, how do you think the roles and responsibilities are changing with technology – as we’re moving into an incredibly distributed software-defined everything world - what does that mean for security?
RH: Yeah I had an epiphany on this this past year because I had a different thought about this, and I think you and I have even talked about this in various places, and we’ve all recognized that software or infrastructure is code is the way we’re going to go.
So for the last three or four years, I’ve been saying you know in the future the best skill a security person is going to have is a coder first and then security second. I just assumed that we would all become developers and I’ve come to realize that doesn’t work. That’s not how it’s going to be. You’re not going to have a super person in your SOC somewhere who is a high-speed developer who understands intrusion kill chain, who understands resilience. You know that person doesn’t exist.
What is going to happen though I believe is this working together. We need the devs and the security people and the SOC people and the intel people all in the same room as they design the infrastructure as code infrastructure that they’re going to have. So the code, the skills that we need to develop as security professionals is how do we reach across the aisle to the CIO to the dev team to the dev ops team to the site reliability engineers and get embedded in their development process so that we can put in the framework that we need to manage our security environments the way we need to manage them.
Want to catch the latest and greatest in Security Superfriends? Subscribe to our Youtube channel for past shows and updates, and listen on Apple Podcasts, Spotify, Soundcloud, Stitcher, or wherever else you get your podcasts.