Cybersecurity Modernization
Hi, I'm Bob Kalka with IBM Security, and I'd like to talk to you today about a fascinating topic. And that is how cybersecurity programs are modernizing. I think it's stating the obvious to point out that most organizations and their IT investments are migrating towards hybrid cloud and leveraging AI more, and that is creating some essential physics in the industry that are forcing cyber teams to modernize as well. So what we're going to talk about today is what exactly is going on with cyber modernization, because cyber modernization is really occurring across two major areas right now.
The first one is how do you actually do threat management? So for most organizations, that would be how do you run your security operations center or SOC? And the way most organizations do that today, it's it's pretty straightforward. It's not easy, of course, but it's pretty straightforward where everybody starts... is that you start by making sure that you can detect threats and then that you can respond to threats.
I used to say, you know, you'd have to find the needles in the haystack of what looks suspicious and then go fix what you find. And I had a client somewhat politely inform me that he said, well, you're not really trying to find needles in a haystack. You're trying to find needles in the needle stack because everything looks bad. I said touche, exactly right.
So how do organizations do this today? And this is just table stakes, right? This isn't the modernization part of it. So the way everybody does this today is you start by collecting, normalizing, correlating reporting and monitoring on logs. Right..and so we pull all that data together. There's lots of different sources that are being pulled in here, and we cross-reference and normalize and see what's going on. Now, logs are just the starting point, though, because, of course, that's just looking at stuff that's already happened to somewhere out there.
So where almost every organization then migrates is also looking at real time network flow analytics. And some people even go as far as calling this network detection response or NDR. So you can see that, for example, if you have a contractor and your typical contractor downloads three confidential documents a week and all of a sudden you have a contractor downloading 300 confidential documents, Flow analytics allows you to get there and figure out that that's happening in real time. And they were most organizations then as go up their user behavior analytics because that's where you get that. Then add in what are actual people and what are specific identities doing.
And our 95% of our problems coming from the actions of a single user, for example. And then as it is transforming, we essentially get into hybrid cloud. And this is the source of some of the physics issues that I was referring to, and I'll get to that in a moment now. So once an organization works on being able to process all of these things for finding the needles in the needle stack, then of course, where we go is how do you actually respond to those threats? And unfortunately, most studies still show that the vast majority of organizations still have not defined and tested incident response playbooks or run books for the major events they're worried about. So I'm going to write the default state as a null said, I was a math minor in college and I like math symbols. That means that most organizations are making up their incident response playbooks after something happens and it doesn't take a social psychologist to point out that the worst time to come up with a collaborative plan is when everybody's running around pointing fingers at each other.
So the way to improve that is first to grow awareness outside of just the cyber team that security really is everyone's job. And that's where things like cyber ranges come in really handy. And then ultimately, not only defining, but automating the incident response playbooks.
Okay. That's how the typical threat management organization works today and what they seek to do is how do we continually get more mature of how we're doing this. Okay, so that's just the way it exists today. However, when an organization is migrating to hybrid cloud and leveraging A.I. more, as I said, there's some physics issues that cause cybersecurity teams to have to modernize.
And in threat management, the first of the two use cases I'm going to take you through. There are three ways this cyber teams are modernizing. The first one is based on the stark reality, and it's amazing that nobody was really thinking about this until about a year and a half or two years ago. But all of our threat detection activities are generally reactive.
What I mean by that is that all these different sources right coming into our detector are generally sent technology to to do security analytics is responding to signals of things happening to us right now. So in other words, bluntly, we're not really looking for attack able surfaces until they're getting attacked, and then we're trying to find out as quick as possible what's going on. So there are obviously two leads to the obvious question, which is why don't we get proactive about looking for attack able surfaces and then protecting those surfaces before anyone does attack? So that's the first of the three trends in cyber modernization for threat management is the fact that what we're realizing that we need to do now is not only do it the way we've been doing it, but we also need to identify the attack surface proactively.
So we go from reactive only into proactive and with the term everybody to use in these days is attack surface management for the right reasons, right. And then lockdown and protect the most attacked surfaces, starting with endpoints. And of course, most organizations will have some kind of EDR tooling in place today.
But what we're finding is there's some Achilles heels to most of those tools, such as the fact that the malware is getting smarter. And if it sees it's being watched, then what it will do is it won't fire right while it's being watched by the EDR tool. So what we see is the need for greater stealth.
For example, running EDR as a hypervisor as opposed in the operating system. And then this is one of many, many areas where A.I. is a huge plus because, for example, a lot of EDR tools essentially operate on signatures. And of course the malware is constantly evolving. And so if you as an air engine, then you can actually detect new strains, live and protect a live, right? So this ability to get proactive about finding the attack surface and about protecting the surfaces, not only endpoints, also transactions, devices and stuff like that, that is the first of three ways that cyber teams are modernizing the threat management.
You have to get proactive. The second way cyber teams are modernizing is literally following the lead of what I.T in our Agile DevOps teams and organizations are doing, and that's building cyber on an open platform. Now what do I mean by that? So let me show you this because this is actually pretty dramatic. What I mean by that is that when you look at the typical cyber tools today, every cyber tool has functionality that, you know, you use to do this cool cyber protection stuff, whatever happens to be. And then underneath that tool is some kind of built in infrastructure that the vendor had to build in, you know, like a data store and stuff like that.
So as you grow and perform and do more with it, it grows and performs with you. And so development shops have to not only build the functionality that you care about, but it also has to build and maintain that infrastructure code in each and every solution that you use. So when you think of the terms technical debt, the typical organization has dozens of cyber tools that has this functionality you want and this infrastructure underneath that has to be improved and updated and stuff as usage grows, etc.. So what we realized a couple of years ago is that as organizations move to hybrid cloud and kind of have a greater focus is that we really we should really be building new cyber functionality on top of the open platform of, of course, Docker and Kubernetes. In our case, of course for us, starting with Red Hat, OpenShift, since it's Enterprise Grade Kubernetes, and being able to actually get rid of having to write that code underneath each app and what it does is it frees development shops to innovate a lot faster and what it allows our clients to do is that instead of when there's a new functionality coming in, instead of putting in another thing of technical debt, instead you just turn it on and off. Microservices, right? Leveraging the scalable elastic platform underneath it.
So open platform building this stuff on an open platform has become an absolutely huge thing, not only writing cyber as microservices, running on Docker and Kubernetes, but also leveraging all other open standards such as Click House for Scalable Elastic database underneath the solutions. Right? So that's the second way Cyber teams are modernizing is shifting towards microservices, which are just far easier to consume and far easier to innovate on faster. Now that's the second one. So it's getting proactive and secondly, moving to an open platform. And then the third one is kind of the, you know, icing on the cake.
It's the big thing. And the big thing is, is that as cyber teams start modernizing by getting proactive and building in an open platform, then there is some net benefit which is very measurable to our security analysts. In particular, we see analyst acceleration, meaning security analysts are able to do things much faster than they've done before. And there's two particular innovations in the industry that we've helped steer spearhead that have had a dramatic impact. The first one is called Federation and the second one is a unified workflow. What are these things? Well, remember I said at the beginning there's some physics problems as you move to hybrid cloud.
Here's one of the fundamental ones, is that as your organization starts deploying workloads in one or more cloud providers, then obviously you're going to start generating cyber relevant, relevant information in one or more clouds. And as you do that, of course, what everybody says is, I know what to do with that data. I'm going to go over here to the tech bubble and I'm just going to constantly pull that data into whatever right. I'm using for Syn to evaluate that stuff.
The problem there, of course, is twofold. Number one is that the cloud business model is to have you move more to it, not take off of it. So the cloud providers charge you an egress charge to pull that data off of the cloud, to pull it into your local tooling and depend. Then depending on what local tooling you're using, you have to pay and pay an integral charge, right, to ingest that data.
So in essence, to do what we've done for the last 20 years in the cyber industry, which is pull everything into that one place, is that you're signing up for potentially a double tax that's only going to get larger and larger, right? I've heard CFO say to assist CISOs in the past, you're not really thinking clearly. I'm not going to give you approval to do that. And so what happens is the physics of it is you start to do some unnatural acts. We see some clients that will say, Well, I'm just not going to collect all that data because I don't want to pay that egress charge. Or they'll say, I'll pre process on the cloud platform and then send it down. But then you lose a lot of the richness of the data that the SIM tool is.
It's a good one right. Can do a lot of of of analysis on so that's causing a serious problem across the industry right now. What federation means is Federated Search and Federated investigation.
When you see an indicator of compromised, what you're able to do is instead of having to pull that data from the cloud, instead you can just query it. You don't have to move it, and then you do a real time investigation. So your investigations are faster and you completely eliminate.
Those were basically permanent taxes, the egress and just charge it. And so that's federation. So that's one radical thing that is all about cyber modernization.
The second one is unified workflow. One of the things we discovered is that when you start doing Federated Investigations, you're able to actually build a workflow from proactive detection confirmation kicking off playbooks. You can all do that as a unified workflow. And because you're able to query what other tools are seeing instead of having to run around and check each tool for what they're seeing and something you see it all on a single console.
So you have a unified workflow and a unified gully by which you can see what all the tools are saying. All right. So that's the first of the two major parts of what we're going to share cyber modernization and threat management. It's all about getting proactive about attack, surface management and protection.
Secondly, is going to an open platform. So you shift from building technical debt constantly enough to integrate stuff all the time to just going to turning it on and off microservices on an elastic platform. And then finally is we're able to literally accelerate how the analysts do their job through federation and unified workflow. So that's the first of the two. Now let's talk about the second major area that is seeing big changes from cyber modernization, and that is data protection.
You know, oftentimes our conversations with cyber organizations is data security is always important, but it's usually kind of a 20% discussion, maybe 30%. And 6070 is under threat management. And we've seen a big change in part because of increased regulations in part because there's a lot of war stories out there. Right.
Of data getting compromised across hybrid cloud and stuff like that. So data protection, we're also seeing a massive change because as organizations go to hybrid cloud, what it's doing is essentially accentuating problems that were already there. But we had figured out in the past organizations had figured out in the past how to put in compensating controls to address the problem. You know, a big example of this is that I've seen a couple of studies on what percentage of organizations are confident they know where all their sensitive data is in a hybrid cloud deployment.
And in the numbers that I've seen are between seven and 30% feel confident they know where all their sensitive data is. And my typical conversation with a, you know, CISO or a CISO is whenever I share that statistic, they'll laugh and say, yeah, and that 7 to 30% are lying. All right. We know it's an ongoing issue.
So once you go to hybrid cloud, where as you may have been able to put compensating controls before around data protection, it was all on prem. Once you go to hybrid cloud, you kind of lose that control, especially if you have agile DevOps teams putting out workloads. Sometimes you're not even fully aware of, Right. So what is happening there? Well, what we're seeing is the way cyber teams are modernizing their data protection is by focus, sitting on a discrete set of controls that allow them to do the following. How do you make sure that only the right users have only the right access to only the right data for only the right reason? And all the projects that we're doing with clients? What we're seeing is that there is a coordinated set of controls for hybrid hybrid cloud data protection with some cool innovation that I'm going to share with you here of making sure that you have both the IAM the identity and access management system as well as the data protection beyond it all working together to do this well. So let me take you briefly through what are the controls that we see most organizations focused on and what are the innovations that are essentially the modernized way of doing data protection? So first of all, how do you make sure that only the right users can come in? What everybody starts with is governance, identity, governance, who has access to what? Because, look, if you don't know who has access to what, I can do anything else, right? The second thing that we see everybody focused on right now is privileged account management.
You know, somehow 20 years after Sarbanes-Oxley, this is still a major problem, but it comes from the fact that Pan is not simple. The technologies are really good out there to do it, but getting the processes and getting a whole organization to work together well to implement it across the board has always been a tough out. And so the typical shop we walk into will have some privileged account management but spotty deployment. But now that we're seeing like cyber insurance providers, a lot of them now will not reissue or renew a policy if you don't have pan across the board.
That's driving a ton of the tension here. Right. And then ultimately, where you want to get to here is identity analytics. And what this means is it's kind of like an identity posture thing. You say who has access to what, but does that really make sense? Right? So we see a lot of activity of focusing on controls to be able to do this. Then the next thing is I'm letting the right users in how to make sure they only get the right access. Of course, I mean, for 20 plus years. Right.
And the whole idea of access management has been fundamental and continues to be in the industry. But the white hot piece for modernizing this part of it is what a lot of people are calling adaptive access and what is adaptive access. It essentially is multifactor authentication, MFA on steroids, right? What do I mean by that? So typical MFA tool bobs on the same laptop, configured in the same way from the same location that is connected to me the last 250 times.
So when he goes comes in for the 251st time, that sounds like a low risk thing. However, if you pull in a lot of fraud detection algorithms that have been developed over the years, especially in the financial services industry, you can detect that. Well, you know, but if you look at Bob's typing rate and his error rate and his typing, you know, Bob, that might not be Bob, we need to do some quick, you know, step up authentication. So adaptive access is all about essentially advanced ways of applying MFA.
So you start looking behaviorally at what's going on out there in real time. And so that's really cool. Then once we've got the right users getting the right access, then we get to the right data and remember the seven or 30%, are they lying? They actually are confident. They know where all their sensitive data is. There's three pieces that have gotten white hot very quickly here.
The first, which has been around a while, is how do you identify sensitive data across a hybrid cloud environment? Right? So it's discovering classification, but it's doing it consistently, including reaching into not only on prem and hybrid cloud environments, but also into cloud native apps. This has been a blindspot for everybody for a while. It's how do you detect it? Someone's taken a copy because they had legitimate access to a piece of sensitive data, but then they put it, for example, in a Slack message and send it to some people who weren't supposed to have access to it. Nobody said visibility to that. So the ability to do identification of sensitive data, even into SAS apps has become huge. And then the second piece, which is also gotten huge very quickly, is posture.
What does this mean? What does data security posture mean? There's a new term that's being bandied about a lot and rightfully so, called DSP and data security posture management. And what DSP is all about is not only do I know where the sensitive data is, but then who can access that data if, regardless if they're accessing it yet, who can actually look at that data? And does that make sense? And then third is who's actually looking at it. So once again, find the sensitive data anywhere, including in apps.
Look at who can get access to it. The posture essentially is that good or bad or do we have to make changes and then who's actually looking at it? So this whole idea of data security posture management once again has gotten hot very, very quickly for obvious reasons. And then once you find it, you've got to protect it. All right. So let's protect that sensitive data that includes data level access control.
It includes data encryption, of course. Right. Etc., etc.. So being able to do this one, this one is so white hot right now, it's not even funny. So that's a huge one. And then let's get to the last piece. Make sure the right users get only the right access to only data for only the right reason.
What does that mean? Well, I've seen for decades I've been doing cyber for almost three decades now. And as I've worked with clients on this, everybody would like to look at access to sensitive data over long periods of time, but most don't because it takes a lot of storage space and they don't have the algorithms really to check it. But looking at access to sensitive data over a long period of time has always been something that people have wanted to do and yet few do. And so I'm going to start with another null set here because few people do this. What we see people wanting to do is look at things like, how can I detect insider threat activity by looking at what's happening with access to sensitive data? And then ultimately, because we're seeing this acute problem in most shops with increasing regs, the amount of time that the teams are having to spending to prove compliance, adherence to regulations is starting to get out of control in some places. And so not only being able to detect things like insider threat, but then also being until automatically generate compliance reporting and stuff like that. Right.
So that has become a big deal. So this is what's happening out there on modernizing data protection. It's around getting our act together on identity management better. It's getting into looking at the data security posture, not only protecting it, but also including that obviously, and then looking at access to sensitive data over long periods of time.
So you can find things that frankly, you missed the first time. Okay. So at IBM, we have been investing around addressing this stuff for three or four years because we saw this coming rate, IBM as a hybrid cloud in a company. So not only how are we addressing the hybrid cloud stuff that comes up, but we're also infusing a AI, right? We made our major announcement of our Watson X platform and we are infusing AI across almost every piece that you see up here in our technologies that we've done to do this. so that's what we're seeing happening to cybersecurity programs, how they're really being driven to modernize as the organizations around them are modernizing the hybrid cloud and leveraging A.I. much more. So it's modernizing how we do threat management, getting proactive about finding the attack surface and protecting the surfaces rather than wait till someone attacks them.
And then secondly, is moving to an open platform. So you get all the advantages of innovation and integration and scalability and performance, and then ultimately enable your security analysts to accelerate what they do through Federated search and Investigation, as well as a unified workflow. And then on data protection, making sure that you have an integrated view of both identity and access management, as well as data security, including proactively and constantly identifying, discovering the sensitive data, checking its posture, who can get access to it? Does it make sense? Who's accessing it? Does it make sense? Right.
Protecting that data through encryption and data level, access control, etc. And then also looking at data usage over long periods of time to be able to detect problems like insider threat and ultimately being able to automate compliance reporting as much as possible. So our teams aren't just stuck on that all the time. That's what's going on with cyber today. That's something that we're very passionate about that we've invested a lot in to address.
And so thank you for your time. If you like this video and want to see more like it, please like and subscribe. If you have questions, please drop them in the comments below. So what I'm going to close with is just show you a quick mapping of what we're actually doing across these things.
So what we've done for proactive identification of the attack surface is we acquired about a year and a half ago a company called Ran Dory out of Cambridge, Massachusetts. They were the leader in the very young, fresh space of attack surface management and ran. Dory is now part of us for protect for endpoint management. We went out and find this and found this incredibly innovative company called React to about two years ago.
A lot of the Netherlands and we now call that Q radar EDR and that is an incredible tool that does run as a hypervisor and has an air engine attached to it. And so it addresses the Achilles heels that I mentioned that a lot of EDR tools out then for detect and respond. Most people are well aware of our cue radar platform and this is our key radar SIM and Q Radar saw, and most people are also aware that we have a credible cyber range that help that, you know, hundreds of clients have used to help the organization all realize that, yes, cyber is everybody's job and how do we work together better for the open platform? We have gone all in on this and we announced something just recently called Hue Radar Log Insights.
And what curator log insights gives us is essentially going to open standards, open source for the back end for our capabilities based on Click house. Right. And one of the if not the leading elastic databases that's cloud native.
And so we're essentially providing the ability to have this elastic back end. So the discussion around having to build infrastructure in our solutions, which is used as the infrastructure, right? So very powerful. And then this analyst acceleration piece, this federated search and investigation, as well as a unified workflow, we announced just recently our Q radar suite, which gives us the ability to do those things. And to be honest with you, we've actually had the federated support for a couple of years now.
It's just people are realizing how powerful it is of getting rid of those egress charges and stuff like that. So that's the threat management side of things. And then on the data protection side of things for user and access management, that of course is our verified portfolio. And we also have our Z secure portfolio extending that to the mainframe. So we also have that. And then for data protection for for identifying the data, for doing the posture management and then actually protecting the data.
It is our Guardian platform. We have Guardian data protection, we have Guardian data encryption number one product in the market, and then we also, for the posture management just announced just recently our acquisition of an Israeli company called Polar Security. So Polar gives us the ability to do that posture management that I mentioned, the three layers of it, including seeing the data in the SAS apps, incredibly powerful, a great addition for us. And then the final piece of being able to look at sensitive data access over long periods of time and seeing trends, etc.. That is our cloud native extension to Guardian, that's called Guardian Insights and that includes the polar capability as well. That helps as well.
And you'll see us integrate that stuff together. So that's what's going on with cyber cyber modernization as organizations are going to hybrid cloud and leveraging A.I. more, it's causing those physics such as those egress charges and stuff that we in the cyber space have to adapt to. And what we've done in IBM security have been investing for several years now to allow you to do those things, to ultimately deliver that increased value of being able to get the analyst to do their job much better as being able to innovate for you far
2023-07-25 04:14