Scaling Security for Agile Organizations with Data Analytics by BP


Welcome, everybody. Thank you for joining the conversation today. Cloud and COVID and security transformation are top of mind for a lot of us in the security community nowadays. As organizations move more and more to the cloud and there's more demands in the security teams, we have to maintain the hybrid infrastructures, we have to maintain multi-cloud infrastructures. My guest today is a 20-year veteran of the security industry. He's done everything from being an auditor to being a chief information security officer. He has seen multiple inflection points in the security industry and community over the past 20 years or so, and today he's going to talk to us about the new inflection point that he's seen around how security teams can enable the organization or the business itself instead of being the stick. So without much further ado, Dennis, welcome to the conversation. How are you doing?

Great, I'm doing great, Manzie. Thanks for having me and for the opportunity to share our journey with you and with the audience.

So Dennis, let's just jump right into it. Give us a little bit of introduction about BP and why this security conversation is so important.

Yeah, I mean, it's interesting. There's this massive disruption in the whole energy industry, right? And especially, you know, in the oil and gas industry. I think there's a lot going on, as you said, you know, COVID, the pandemic, and a lot of digital transformation happening everywhere. But especially in the energy industry there's this massive need for that energy transition towards a lower carbon, right? And BP has made a very conscious decision in the ambition to declare themselves net zero by 2050 or sooner. So the next decade is going to be a massive journey for BP to transform itself from an international oil company to an integrated energy company, right? And using, you know, digital innovation as a driver for that. So it really is about
reimagining the whole energy sort of paradigm for our people and for our planet, right? Which means we really need to invent ourselves as a company, and security isn't different, right? So we also need to form part of that reinvent.

That's amazing. So you really are driving security from the perspective of a business-driven effort and really being sensitive to that business. So how is that transformation happening for your team? You're the director of engineering for security. What are some of the big items that are top of mind for you?

Yeah, I think it means quite a lot for security. I always find the angle how security can provide value, and I think the key thing is our CEO Bernard Looney said it right: we cannot do this alone, right? And that's very authentic in the sense of these are difficult problems, right? We're going to have to collaborate with a large amount of our, you know, of the industry partners. Collaboration is going to be more data sharing than ever before, right? So to be able to facilitate that, you know, that whole innovation cycle to find the new technology that's going to save the planet from the energy challenges it has, or the new battery technology that will enable us, any low carbon sort of technology in general, you know, or be more efficient in our operations, we need to facilitate that, right? We need to facilitate that in a secure manner. So I think security plays a massive role in that. And I always talk about this dichotomy, right, between a false dichotomy and a true dichotomy. A false dichotomy is this: we need to compromise privacy for security, right, or security for privacy. And then you've got this true dichotomy, which is how can we set the data free securely, right? And that's a challenge that we have. So we need to enable the business on that side. So that's one piece, you know, how can we enable the business, the people building, the digital builders building things. That's our first thing, and
the second thing is to facilitate that energy transition, right, through innovation. How can securians ourselves use technology more? How can we use AI, how can we use ML, how can we use big data, you know, how can we use, you know, the cloud sort of technologies more natively, right? And so in other words, you know, we've got a legacy in large-scale data, right? You know, we stream today over five billion events per day, right? And that's great, that's growing. So we can't do that with the old way of doing things. We need to think about differently. So I think we have a very exciting role to play in this value chain.

Very cool. And so you're really looking at security as an enabler to accelerate the business to go forward, and you're also taking this approach of thinking about this true dichotomy that you believe in, that it's not just about how to just protect the information and say yeses and nos, but really how to embrace that kind of a future, because it's required. So that security is responsible for sharing responsibly, sharing properly, and really using big data technologies and ML and AI types of technologies into the mixture there. So as you think through that, talk to us a little bit. I mean, it sounds like there are flavors there of scale that would be required, because now you're sharing lots and lots of information. There's probably elements, a lot of automation. Like, how does that come into your mindset?

Yes, scale. Scale is an interesting one, because I think that's the problem. I think we really don't scale, right? And especially process, et cetera. You know, so talked about how we need to share information, right? I mean, one thing is front and center, right: digital trust, right? So we need to make sure, you know, that trust that consumers and customers have put on us is always maintained, right? So I just want to, you know, make sure that that's
clear. But I mean, scale is the biggest problem. You know, we need to scale from a technology perspective, we need to scale from a process perspective and from a people perspective. From a technology perspective, clearly, you know, moving towards cloud native technologies is there, but it's really embracing those architectures, as I said before. I think the second thing is process-wise. If I go back to the Agile Manifesto, you know, individuals and interactions over process, you know, as much process as we need. How can we orchestrate and automate some of those processes? So that's a key thing. And people-wise, there's a massive shortage, right, in the industry, and you don't find those unicorns, right, in the securities. We talked about always that there's this, you know, how many ops people, how many dev people you have versus ops people, while security people, you know, even have less upgrades. So I think those are true. So how can we build the knowledge we have into the platforms, codify it, so we can scale from that perspective? So that's really, I think, what we have ahead of us. When we moved to the cloud, we made a conscious decision that we're not going to take the legacy with us and we're going to use this as an opportunity to transform how we architect security. And how we architect things, how we architect teams, actually has a direct impact on what the result is or what comes out. So I think that was, it's not only a technology but it's also a team architecture of how we think about things. So that's key. We do have a dual cloud strategy, and, you know, like many other companies, you'll be working with dual, three types of clouds, right? So I think it's key that we have some core components that are always common, you know, data, identity, protection, security, using platforms like Databricks to make sure we had a harmonized layer across everything and we can keep that visibility, which the cloud sometimes
is a challenge because of the scale, right? So I think those are fundamental elements that we can do. And fundamentally at the core of it is, you know, when we talk about scale, we talk about, you know, data permits us to automate, which permits us to scale, right? And if you follow that through, it always plays true, right? That permits us to have frictionless and pace, right? So I think that's at the core of our philosophy of how we're going to scale.

I really like that expression that you just used, that data permits you to create automation, that permits you to create scale. Because oftentimes we think of scale in terms of how are we going to scale our capacity to acquire the data or store the data, and you're almost going farther down that kill chain, so to speak, to say it's not just about collecting it at scale, but it's about how do you analyze it, how do you create automation techniques out of that sort of scaling capability. Now, I think oftentimes people talk about automation, and I've talked to you a few times, you have a very particular sense of automation and what it means. So share your view a little bit with the audience.

So yeah, it's a good question. I mean, I really find it interesting, and this is something that's just, you know, the last couple of years has come to my head. But automation is always associated with, you know, doing things fast and doing things cheaper, right? But really what I believe automation brings us, it forces us to think in a different way. When you automate something, you know, it's like SRE engineering, right? You know, you put a developer and you put a problem and you get a solution, right? But it forces us to think much more declaratively. It forces us to think, you know, how our processes really work and how we can design them. So that's the big value of it, on top of, obviously, you know, getting things to be done faster and at a lower cost. So
being more declarative is really good, because when we interact with our customers, the developers, the builders, the people assembling the solutions for that innovation, the traditional security interaction is quite subjective, right? It's not very objective. So be much more declarative around that relation, what the expectation is. You know, you can go back to motivational theory: when somebody has clear goals and objectives and the expectations are clear, it's just a better relationship, you know, it'll be a happier relationship in general. And I think that helps us, you know, to codify what our expectations are with the other parties, with the developers. That's what I think automation really brings us. And in the end I think it's about, you know, making sure that CISOs, future CISOs, will be judged on their ability to enable those digital innovation teams as digital builders. You know, there is simply less of an appetite for control. That is a reality. But I think we can still keep that control if we change the way we think about things through automation and be much more declarative around our policies. So I'm really excited with that challenge. You know, orchestration around automation is fundamental. We've automated many things, right? I mean, I think we've done things with data and automation around, you know, self-servicing our vulnerability management processes. We're able to, you know, collect information around our usage of all our dashboards so we can remove access early, right, and basically nudging users when something is of risk, right? So nudging theory, but using data behind it for security purposes. So it's just the beginning, really. I mean, all that data is there, latent, and platforms, big data platforms like Databricks, accelerates that journey, especially for the developers, right? Get running very quickly, right? We don't have to worry about the infrastructure, you know, if, how EMR clusters
are scaling properly, right? We can just get straight to it, right? So I think that's really useful in our automation journey.

So Databricks is really serving as that layer that allows you to scale and be elastic, really, as things go, and enables you to do a lot of, really create that value, as you say, that the data was there, was latent, but now you're able to make use of it. One of the other things that you had shared with me in the past that I thought was a pretty exciting story is, oftentimes when big data is talked about in the security context, we talk about it in the context of detection of, you know, bad things, whether it's user behavior kind of detection or whether it's threat detection of some kind and anomaly detection and so on, especially in the machine learning context. But the story that you shared with me that I thought was interesting was around this vulnerability management piece, where you and team have created these, I think you called it a barometer, for individuals. So talk to the audience about the data challenge there, and also maybe the outcome of, and what maybe from a cultural aspect as well as just from a technology perspective.

Yeah, I think, you know, to talk about culture, you know, in the normal tech security community, sort of, it feels quite awkward to security. But really at the base of it, you can see people are talking about it more and more, because it's so true, is how can you change, how can you create a different culture around security, security by choice, right? How do you achieve that? And I've got a couple examples there. I mean, one is our cyber barometer, right? And, you know, I've studied business, and really behavioral economics or behavioral science is, how can we apply that to cyber, right? So the barometer basically is a dashboard which we surface to people, and it is really
one of our most successful products, security products, within our digital security practice at BP. And it's great because it creates lots of conversations. Typical things: why am I 65 and not a 75, and why am I, you know, yellow and not green, right? And the important thing is it drives a conversation, right, and especially around a topic like security, which, you know, a normal topic to discuss about. But it definitely, what it makes us think about, and, you know, we build that whole platform on, again, on components of Databricks together with visualization layers like Power BI and on the Azure infrastructure. But it's a great success from perspective around, oh, you're driving the right outcomes, right? The typical conversation is, you know, some people are interested, you know, why their scores are high and what they can do about it. Others are, all right, if I do this, will my score go up, right? And that's not the behavior we want to drive. So it's in, are we building products that are driving the right outcomes to our consumers and our users? Are we making them choose the safest path, you know, transparently? So that's one culture we're going to drive. Other cultures in the development building community. So we do threat modeling, we try and drive a different culture there, making them think about things, what could go wrong, very early in the process, in the life cycle around the application development. And we've had great results on that, which you are measuring again through data, right? We're taking all that data and we're surfacing, you know, all that data to the developers in a dashboard, using, you know, platforms like Databricks again, to give them, you know, very early insight of what's going on. There's those rapid feedback loops which are so important in agile, right? So again, there's a different culture to shift. And then finally, I mean, how do we drive, the greatest things to drive is a culture of change within the
security teams, is to give something back to the community. We take so much from the community, and it'd be great to give back to the open source community. So on that topic, I mean, it's great to announce, in the week of the second of November we have released a Spark-based CEF reader, which, you know, we've developed within the security group, that permits people to go and do normal SQL queries without any programming directly against CEF format. CEF is, you know, Common Event Format, so, you know, everywhere within the security tooling it's been knit together from many different sources. And I think that permits people to go directly into the notebooks, and basically you don't have to transform any information, you just can use this reader and you can go do a query directly against CEF wherever it is stored, in S3 or Azure Blob or wherever you have it, right? And we feel very proud that we're able to give a little bit back of so much that we take back from the community. So again, all those things combined, right? All those things combined.

So you called out a couple different things. First I want to re-emphasize the point on the CEF reader. It allows anyone to take data in, it's a CEF reader for Spark.

Yes.

And so it allows anyone to take data in and be able to do SQL queries against this formatted data, no matter where the data is coming from. So that's the key point. The second key point on that is that it's available on BP's public GitHub.

So far, GitHub slash, and they can contribute as well, right, if we can improve it as well. But yeah, you can run that on the Databricks platform and you can get the benefit of it today.

Very cool. And then the second piece, going back from the cultural perspective that you were talking about, is really this concept of security becoming more of a conversation, but in very tactical
terms. It's not some sort of a, you know, pie in the sky sort of a random idea or just kind of nice to talk about. I would almost say you made vulnerability management exciting by creating this barometer, so that people can, excuse me, people can have a conversation about it, they can see where they are, they can measure their own behavior, and they can see the improvements as they adopt and modify their behaviors. And this is not just rolled in for the individuals from a user, you know, what we call a business user perspective, but also that your developers are using that as a capability, so that all of their development life cycles are plugged into this, so they are not, for example, waiting for code release for a vulnerability check for days of time. They can do that very quickly now. So that's the other important thing. Go ahead.

Yeah, I mean, we started our journey with the end users, and that's where our barometers sort of started, and now we're basically extrapolating that to adjacent use cases for different communities of interest. The developers, you know, the developers are the ones creating, building, that's where there's risk, right? How can you help them be as successful as possible? How can we take the security tools to them versus they come to us, right? And the reality is just, you know, working around their tool sets, right? So yeah, the barometers started there, and, you know, we're absolutely taking that to the developer community, giving those feedback loops very quickly to them and the other communities of interest that will bring risk, right, that we need to make sure we support them so they're successful. And we're doing that all through data, right? So, you know, really excited about that.

So, I'm sure there are other things that you're working on that are going to bleed into the future. Is there a sneak peek that you, you know, you
announced the CEF reader the week of November 2nd, that's awesome, is going to be a big part of what the community is able to do. Any other things that you're imagining that are gonna happen next, either with Databricks or as you think through, as the world keeps changing?

Well, as I said, you know, everything's changing continuously, so whatever we build today we might have to disassemble tomorrow, and I think we need to approach things from that emotional perspective, right? And I think we always talk about that in the developer community but not so much in security communities, communities much more static to a certain degree. So we need to take some of those learnings from the developer community. So nothing stands, you know, so technology-wise things change a lot, but also the circumstances which we use technology. We just need to be prepared for that continuously. But I mean, in the end, we talk about the term of sort of centralizing to be able to decentralize, right, or have federated control. And again, it comes with that scale thing. Security teams will not scale, right? We need to build platforms on which developers can do things securely, right? Build great things, innovate things, find the next sort of low carbon energy, right? And I think that's what our journey is there, right? How can we create security as a service, where people by choice can come and say, hey, I want to secure, and it really is frictionless. There's the API, there's the data, you know, there's a common way of doing this, is how to manage secrets, right? So I think it's about doing that, and, you know, if you build something great that's frictionless, then the adoption will come, right? And that's our KPI, you know, how can we move to mass adoption, how can we reduce the time from when we detect something to when we resolve things. And data really is at the core of all of that, and actually has been there for a while. It's just now the
big data technology that is at our disposal at a good, you know, sort of entry point, I mean, permits that to be possible. So I'm really excited about, I think we're only starting really right now.

So as you talk about these things, is there a specific thing that you have started, like a baby step, that helps you, or you believe is already helping your team go in that direction?

Yeah, I mean, I think we've built our data lake on top of, you know, cloud compute within one of the clouds, and I think, you know, using again technology like Databricks is basically bringing all those data sets together and then started to basically contextualize them against the business processes, right? So from having any sort of asset or digital asset that's supporting a business process, we're able to very collectively, you know, very quickly contextualize all the information about that. So we know where it's hosted, we know what business process it's doing, we know if it has any vulnerabilities, we know who's accessed it, we know when they've accessed it, we know, you know, if it's been code committed recently, if there were any vulnerabilities in that code. So you start to think about this as the full stack, right, from identity to the application to the data to the infrastructure, because really the vulnerability stack cuts across, right? We've always traditionally treated all those elements as separate pockets, right, and actually it's one thing, it's one kill chain, if you can call it, it's not really a kill chain, but it really is, we need to be thinking about securing, making sure everything's compliant, making sure there are no vulnerabilities across all those layers, is one thing, right? And that's what wasn't possible before, and now we can stitch that data together.

Very cool, very cool. Well, one last thing before we move to audience questions that I really wanted to see, maybe you want to
highlight a little bit is, you have oftentimes talked about something that I kind of relate to as technology rationalization, where, you know, there's a lot of security tools that are used in any given organization, and you're using some techniques to try to figure out what's useful, what's not useful, and how to do that. So you want to share a little bit of comment about that with the audience as well?

Yeah, I mean, I think we've got a lot of technology at our disposal, so we do, and there's a lot of convergence in the security community and the security tooling environment. So I think these new technologies permit us to rationalize some of that, which is great. But, you know, I've spent so much time in my life stitching together security tools, right, so much time, and so little time actually getting the benefit of what comes out of the security tools, that I sort of regret that. But, you know, you can't go back in time, so the only thing is moving forward. How can we get those developers, the security engineers, up and running, the cyber data scientists, right, on what I call, you know, hunter's paradise, right, on the data lakes? How can we get them on there quickly and not have to worry about all the rest of this stuff, right? We talk about the business, sort of abstracting that stuff from the business, but we should also do it for the security community, right? Because the value is not in stitching those things together, doing platform engineering, right, or network engineering. The value is actually getting the value out of that stuff. So I think, again, we're only at the beginning of that journey, and I think we can just cut that time very quickly and get productive much faster.

And the CEF reader is really your big step, not just for yourself, that you announced this week, November 2nd, but it's also a big step for the community, so that the community can also get accelerant out of that, instead
of doing a lot of this data engineering platform-y stuff. It's one less thing now that people have to worry about on rolling their own. So that's really cool. So Dennis, thank you so much for joining this conversation. A couple of big takeaways from me. The biggest one really, I think, is around using data, and then to enable yourself to be more declarative as information is shared. The second one is really around automation. I really liked your concept, the way you illustrated the automation is something that enables you to get scale, and also I heard a lot of flavor and automation from you on analytical automation, not just the traditional block and tackle style of automation. And the last one is, I will kind of bundle this in the category of enabling people at BP in the organization in general, and also then enabling the community, for the security community to come together, because cloud is a new terrain and it is going to require a new mindset to do that. And I think maybe for me the biggest kind of takeaway of all of those three is that you said something to the effect of, you're taking this opportunity as a mindset to go to the cloud to take the benefit of what you've learned but not taking the baggage with you, to give you acceleration to be able to do things better. So Dennis, thank you so much for joining us this conversation, thank you for being a Databricks customer, and let's take some questions.

Yeah, my pleasure. Thank you.

2021-01-01 11:41
