Industry Roundtable for the changing landscape of cybersecurity
I moderated a webinar panel with some of our portfolio companies to get their thoughts on the cybersecurity market. You can view the recording here.
Panel Participants:
Balaji Parimi: founder, CEO of CloudKnox, VP of Engineering at CloudPhysics, Staff Engineer at VMware
Avihai Ben-Yossef: founder, CTO of Cymulate, former head of cyber research at Avnet Cyber & Information Security
Tim Keeler: founder, CEO of Remediant, leader of the security incident response team at Genentech/Roche
Rich Seiersen: founder, CEO of Soluble, former CISO at LendingClub, Twilio, and GE Healthcare, author of "How To Measure Anything In Cybersecurity Risk"
Now onto the content! Here is the transcript of the panel, lightly edited for clarity.
Let's get started by having each company give you a quick introduction of themselves.
Balaji Parimi: Thank you, Frank. Our platform manages identity permissions for your hybrid and multi-clouds. Starting with complete visibility into all identities, what operations those identities can do, what operations they have actually done across these different services, including machines and access keys and all these kinds of things, no matter where it is coming from.
We also give you a metric to measure how effective your policy implementation is. How effective all these entities are using those permissions, and also provide solutions to manage those permissions. All with a single model.
Avihai Ben-Yossef: Yes, thank you, Frank. Yeah, so my name's Avihai Ben-Yossef, I'm one of the co-founders and a CTO here in Cymulate, and Cymulate is a breach and attack simulation platform. Actually an automated security test platform that really gives you the ability to test your security posture automatically, anytime, anywhere, 24/7. So that's my two cents here.
Tim Keeler: Frank, thanks for having me. So my name is Tim Keeler, I'm the CEO and co-founder of Remediant. We are really about taking a very new approach to privileged access management. So when we take a look at the breakdown of the breaches, we always see compromised admin credentials at the very top of that list.
So we're about making that very easy for enterprises to implement security around administrative sprawl, getting that under control, introducing new concepts, like Just-in-Time administration, as well as introducing zero trust and zero privilege. Really just making it very easy for enterprises to deploy company-wide.
Richard Seiersen: Hey thanks, Frank. This is Richard Seiersen, I'm a recovering serial CISO, security author, and the CEO of Soluble. So Soluble is solving vexing identity and security problems for the cloud native developer and the teams that support them. And this is where I think we distinguish ourselves. We are decidedly developer first in terms of our platform. Thank you.
As I talk with CISOs, the biggest concern they have is cloud security. And this will kind of be a big theme of this panel, so as you talk to customers what are some specific challenges that you hear they are facing?
Balaji Parimi: Yeah, I mean the cloud enabled ubiquitous access to any computing power or data customers want, right? So basically the cloud has eliminated the perimeter, or eliminated the boundary. So any employee or any contractor or any machine or bot can get to the infrastructure.
That has been the biggest issue. That's been the biggest concern for pretty much every CISO we've been talking to. Combine that with the level of automation that is in place, all it takes is a one-liner, either accidentally or maliciously, to cause significant damage. So especially the cloud infrastructure layer level every CISO and every security organization is looking at, I need that visibility.
Today, every one of the CISOs is seriously lacking that visibility in terms of what is going on. How many entities can get to my infrastructure? What are they actually entitled to do? What are they actually doing? That type of visibility, and having the tool set to take actions to prevent any catastrophic event from happening, has been predominantly dominating the thought process.
And these recent incidents have kind of prioritized, acted as a catalyst for customers to transform their workloads from private into public cloud even at a much faster pace. So, all this is kind of making them nervous about hey, I need to get this visibility, I need to get ahead of this problem, I need to go with the prevention first approach type of thing.
Avihai Ben-Yossef: Yeah, so I think I'll try to maybe give my two cents about that. It also relates to what Balaji also said on his end, but at the end of the day I think there are so many different kind of these configurations that can be used in cloud security at the end of the day, you really need to know what you're doing, and visibility will be a part of it.
But at the end of the day, attackers can leverage very specific and small things because an attack is, at the end of the day, a chain of events, it's not just something very, very specific. So a chain of events, definitely in cloud security, is a different kind of misconfiguration on a web app, and it can be a misconfiguration on your cloud infrastructure, it can be a misconfiguration on the deployment, and when they all come together, that's it. You're out.
So every time visibility can be, I would say enlightened here, that will be giving a lot of the ... I will say it will save a lot of the challenges and will give a lot of answers to a lot of challenges that people will probably be concerning now that most services will be exported and outsourced to the cloud and the security will become a more major factor in those areas as well.
Tim Keeler: Yeah, I completely agree with both of the points that's covered. I mean taking a look at this specific pandemic situation, there's a lot of companies that had to scramble really quickly to put remote access tools, cloud platforms, all of these things into play. And as they were reacting to a sudden shift of the way people are working, security is not always at the forefront of that. So there's really two things to really make sure that you're doing well that's really important.
Because when we're looking at this from an attacker perspective, attackers were already seeing a lot of activity around this, trying to exploit some of these weaknesses in companies. So obviously we've seen an increase in spear phishing targeting credentials, and then also making sure you understand where different identities have privileged access as it relates to all of these solutions.
Because one of the points earlier was around visibility. I completely agree with that. The biggest challenge we have is understanding, okay, who has privileged access, where? And if you go in with the mindset of assuming a credential is going to be compromised, right? The next question is, okay, how do we put in effective security controls? You really want to make sure you're tying in the principle of least privilege and coupling that with multi-factor authentication.
Richard Seiersen: Sure, and I might take this a little bit different direction. So what I'm hearing, particularly from my CISO super friends and whatnot, is that there's a lot of hastening of digital transformation happening. And I think particularly now in light of the pandemic, and also I just think everyone knew that a cost-out world was coming. I think we're all forecasting that.
So what that means is, own less, and develop more, practically speaking, right? So less cost, more value. And I think this is what's hastening, really concretely, cloud native development, right? That's the hope there. That we can scale a lot more and go from 100 releases or 1000 releases to 10,000 releases or more a year at even less the cost than what we're doing before.
But the challenge in getting there, and I think we all probably know that, is both technology and talent. And I think top of mind in all those discussions, be it with my CEO, super friends, or CISOs or whatnot, is really security. And the thing here is that same still of less is more is there.
So how do we scale security in a world that's expecting us to go from again, 100 releases to 10,000 releases or more? How do we scale security with actually less resources? And I think this is really one of the biggest problems they're really facing, us as an industry, and particularly us as CISOs, is how do we go about thinking about this? And how to be successful?
How do we be like DevOps and SRE? I mean SRE and DevOps, these are developers supporting developers, how does security become that? I think this is the real ... This for me, this is the big challenge, this is what I'm hearing, and honestly obviously this is what Soluble is trying to hasten, that evolution.
That's a good segue into our next question, which is directed at Tim at Remediant and Rich at Soluble. So Rich, you've been a CISO many times, some at Fortune 100 companies, and Tim, you've been a security practitioner for many years before you started Remediant, so what would be really top of mind for you at this time?
Tim Keeler: Yeah, and you know a lot of my background was focused on the incident response, and coming in, handling a lot of the post-breach remediation processes for large enterprises. And there were really two key learnings that came out of that. The first is, okay, especially when we're dealing with nation-state level adversaries, we're definitely seeing the same playbook being executed over and over.
And it's because that playbook is ... It's universal across industries, and when you have a lot of success you're going to see that same cycle being repeated over and over. And that's targeting administrative-level credentials. And that kind of segues perfectly into that second side of it, which is, okay, when you're coming in with a post-breach remediation and you identify certain accounts that have been compromised, the first question that you ask is, what was the exposure of that account?
Where did that account have admin level privilege, and how are attackers leveraging those credentials to access those resources? That right there, and having the visibility around that question has always been a struggle. Especially the larger the enterprise you are the bigger challenge you have answering that question.
That means you have to go scour all the different endpoints, the different technologies, to understand where that account had that level of privilege. So that is one of those things that is always at the top of my mind. Making sure you have visibility around there. Because you're not going to be effective implementing security controls around privileged access until you have complete visibility on that front.
Richard Seiersen: Sure, so again maybe a little bit of a different take. What I'm observing is we're living in a world where businesses are exposing more value to more people through a lot more digital channels, right?
So everything is really in support of software throughput and resiliency, right? So everything is absolutely in service of development and developers. And again, I say this a lot, you will hear me say this, and if you're not a developer you're a developer supporting developers, right? That's DevOps, that's SRE, etc.
And all they're doing, by the way, their job is to stay out of the way and/or clear the way. And then there's security, right? And we're still supposed to be accountable to security outcomes, right? Which I think is a little [inaudible 00:13:49], right? So what's my observation here?
Is that the biggest thing, the biggest challenge for security. And again in a post-COVID, it's not post-COVID world, in a currently COVID world, in a world where we're really moving into cost out is, how does security shift into being a support function for development, for throughput, for digital transformation? That means we have to get in the business of staying out of the way and clearing the way.
So, I think this is incredibly important, because we have a lot of, again, what I call perhaps legacy approaches, maybe data center based approaches, or even first generation cloud approaches that are still just modest abstractions over the standard objects, be they servers, network, and what have you.
Those approaches, those frameworks, frankly, all those vendors, absolutely just do not work in a cloud native world. Again, the thing that I'm thinking about, the thing that I'm focused on and the things that the CISOs I talk to are focusing on is, oh my gosh, what do I do? What I've been doing doesn't work here, please help me. So that's again, just completely top of mind for me.
Great, so moving on to our next question is about cloud native and the digital perimeter. So this question is targeted at Balaji at CloudKnox and Tim at Remediant because they have worked a lot around managing identities, especially identities as people shift to the cloud. Which is kind of the big issue in enterprises, is this idea of identity in general. So how do you think cloud adoption and the move to cloud native identities will change the way we think about identity at a digital perimeter?
Balaji Parimi: Yeah, traditionally if you look at it, before the cloud environment existed, if I had to log into my corporate network, or if I was managing my infrastructure, let's say based on my VMware, I had to VPN into my network, and then only I can get to my cloud infrastructure.
This is completely private cloud. So there is always a gate that existed for me to get there. Whereas if I'm using any of the public clouds there is no such gate. I can go straight in, and I can reach it from anywhere in the world.
And the level of automation has created tremendous capabilities for us to add many, many such identities. So if you look at it, it enables us to have so many machines, so many bots, so many access keys, so many scripts, that on one hand, you've eliminated one protection gate, and on the other hand, the number of identities that could get to the infrastructure has also gone up tremendously.
With the DevOps revolution, pretty much every developer, every machine, every script, there's a lot of that happening. So which means, we had some extra protections that existed before. We not only took down those protections but we also increased the number of identities that can get to the infrastructure.
So this is kind of making it a big, big deal. Because the level of automation's also increased the power of all these identities to the point all it takes is a one-liner for any identity to do pretty much anything.
So if you look at it 10, 20 years ago, if somebody had an administrative role at the infrastructure layer level, their access was confined to that one box. Come private cloud and virtualization, when you are an administrator in a VMware environment you're not limited to one machine, you have all the virtual machines, all the histories, all the network.
Same paradigm exists in the public cloud. And when you move into the public cloud there's not even that perimeter. So that kind of risk, when it comes to this, has gone up in a significant way. And while we're gaining so much efficiency the risk has gone up in a significant way.
That's why we are coming into how to deal with that kind of risk, through visibility. And Tim and Remediant have been trying to do some things around those kinds of things as well.
Tim Keeler: Yeah, certainly. And I love Balaji's answer to that question. I mean it's definitely spot on. When we take a look at the way enterprises, especially enterprise security, were originally built, it definitely was this castle with four walls around it. It's like, okay, we're going to protect this at the network layer, we're going to make sure that nobody can come in.
But once you're in it's like, okay, it's the safe zone, you don't need to worry about trust so much, and everything is just inherently trusted. Definitely as we started expanding into the cloud, working with external business partners, companies they had to make a lot of very important decisions like, okay, we need this type of access going into our network, and then you have remote workforces, so you have things like the new traditional VPN approach, all of these different aspects.
And then tying that into the migration and expansion of cloud solutions, it really became a major challenge for organizations to effectively, one, understand what kind of network traffic is relevant, what is malicious. And that was really the whole start of introducing this concept around zero trust.
And it's like, hey, we're now living in a world where the network is not confined by these four walls around your data center. You're moving into the cloud, you're moving into applications that are in the cloud. So that is less and less relevant.
And so when we take a look at this from a security perspective it's like, okay, well what is the new perimeter, right? And that's the whole premise of where identities really are the identity perimeter.
And so this extends to not just pure data center but your full cloud or your hybrid cloud. And the most important question, as it relates to the identity is, how do you know the difference between legitimate use of an identity versus maybe a compromised identity and someone doing something malicious?
I mean even today that's a very, very hard question to answer, and we try to add certain things, such as multi-factor authentication on top of that. But what's really important is in areas that you maybe don't have complete visibility into is, okay, where is over-privileging of different types of access across accounts? Because there's always the struggle with the business of hey, I need admin privileges in order to do my job.
People give out admin privileges, but rarely do you ever see that taken away. So this just starts sprawling over time and really managing this well at a least privilege or zero trust perspective, that really helps you from a security perspective of being able to control this from the identity.
I think the theme so far has been that cloud and cloud native have really kind of changed a lot of ways we do security. And so I think Rich you also mentioned a little bit of this and you were motivated to work on cloud native security at Soluble based on your CISO experience, and Avihai you've probably seen a range of threats or kind of gaps in security software as a result of breach and attack simulation as people adopt cloud native technologies like Kubernetes. But it would be great if you both can talk a little bit about how you've seen these threats evolve as companies spend more time moving toward cloud native technology.
Avihai Ben-Yossef: I think as you mentioned I think the threat landscape, once things also shifted to cloud and Kubernetes, there are so many as a service that already launched in the cloud and you can deploy so easily. It did make the life of the developers a lot easier at the end of the day, which is also a good, I would say, outcome. But it did also broaden the range of threats and the range of attacks from cloud can be hybrid cloud, it can be full on cloud, and network can be connected right now from internal networks to cloud networks can be connected.
Those will be the ones that will expose each other to different kind of things. Some different kind of these configurations on the cloud can expose network and vice versa. And at the end of the day attackers will start leveraging more exploits and more vulnerabilities that can be found on the cloud to try and derive more data and sensitive information and more, I would say, attack chains that they can start from those places.
So I think even the different kind of attacks we've seen this year, not all of them were 100% cloud-based attacks. Some of them started off with a web app vulnerability and then moved forward to a misconfiguration on the cloud and then ended up with having internal ... Lots of different kinds of records that you don't want, of course, being published.
So these things are definitely going to affect a lot, and the threat landscape is actually now getting bigger than it used to be, because it's not that everybody shifted to cloud. Some of them shifted their entire infrastructure, some of them just shifted some of their infrastructure, and that actually made the threat landscape even bigger than it used to be.
And it actually now, the next step of, I will say, the side, and the security side next steps will actually be to really know what are these exposures? What are the actual exposures? What are the actual points? Where are my blind spots? Where do I really need to invest my resources? How do those things affect my network? How do those things affect my data? How do I really know if I'm really secured, if what I've done is really right?
I believe that automation will be one of the key factors when we go to those places, because there are so many things that need to be done, and without something that can give you a very clear idea, and a very clear, I will say, visibility into how well secured you are within those new configurations, within those new networks, within those new developments, it will start to get a lot more difficult to really handle all of those different threats that are out there. Yeah.
Richard Seiersen: Sure, but Frank, I hope I don't upset you with how I'm going to take this question or how I'm going to answer it. I really want to speak to the security leaders listening, or who will listen to this.
And these are the ones who are, I think, I suppose like myself, like I was as a CISO, that are really, really grounded in operational reality. For those folks there are really only two types of threats that matter. The first threat is the stuff we know about and didn't fix, operationally.
The second threat is the stuff we didn't know about but should have, and thus didn't fix. I know security likes to talk a lot about the unknown, unknown threats, right? I think that's really security theater, particularly for the operational CISO. For us fighting the fight we've got food and water concerns.
So, for cloud native security, it shifts everything, listen for the CISO it shifts everything into the stuff we didn't know about but should have, right? It's really a shift into blindness. And I think that blindness is really caused by two things. Yes, there's the technical stuff, but I think in large part it's a role and responsibility problem. That goes back to DevOps and SRE thing I mentioned.
So, again, if you are part of the team that's developers helping developers, many of those visibility issues they just go away. You have access, you're part of the pit crew, you're on the inside, you can [inaudible 00:26:59] and do all this stuff, you can see it. But I'll say this, that falls apart when you become successful.
What I mean by becomes successful, your company's moved on to their next round of funding, or you're public and you're digitally transforming. And all of a sudden you've gone from one cluster to N cluster. You have thousands if not tens of thousands of nodes. You have hundreds of thousands of objects that are coming and going. And you're spanning across clouds. You're EKS, AKS, right? You're rolling your own or on Rancher or whatever, you're totally at scale.
So even though you're on the inside in theory, some of those things in terms of visibility really, really start to fall apart. So, it really is an application, particularly for the CISO, it's an application for all that stuff I could have, in theory, I could have known about, but didn't. So I did nothing.
So I really think that is the threat for security. I think that's really the threat for the CISO. I'm sorry, all that nation-state crap, it's just theater when you're dealing with food and water problems. I hope that makes sense. I'll kind of get off my soapbox here, I just wanted to get that out there.
Cymulate, a lot of your platform is around rethinking security testing, and security testing has been around for a while, so what trends do you think have forced companies to reconsider how they do testing?
Avihai Ben-Yossef: Yeah, thank you. I think testing is ... That's definitely not a new word, and it's definitely not a new concept, but I think also if we look at ... We'll take it also to the developer as well, at the end of the day developers themselves, they have QA, they do tests, they do tests themselves, they automate tests for QA, lots of regression tests are being done automatically. Almost every development team that respects itself will have automatic testing for their development.
And I think that maybe the non-traditional part, when going to security testing, is actually automating that. And that's really the key feature. Even in a development company, we can QA everything manually, but that takes lots of time, and that's a key feature. At the end of the day you want to test it as fast as possible.
In the cyber security world it will have even higher impact. If you're going to have a bug in your code, might not have a high impact, might have even a low impact. But in the cyber security world, if you're going to miss a test, if you're lacking something this can impact your entire organization that can be a loss of your entire data. It can be a leak of your entire data.
Or there's so many different impacts if you're going to be exposed with something that you just missed it out because you didn't test it well. That will be something that's going to be very bad for your company. And these are maybe one of the key features when I'm talking about automation and what we do here at Cymulate at the end of the day, automating the security testing will give you a lot of different options to really make sure that you don't base any of your decisions on assumptions.
At the end of the day you're going to actually know if you're exposed to something, if you're lacking something. If there is a mis-configuration in your network that actually exposes you to real live threats, because those things happen all the time. This is a very dynamic world. The cyber security landscape, it changes all the time, the attackers are getting more creative as we go, there are new techniques.
At the end of the day it's all about also creativity. New techniques are popping up all the time to do some bad stuff. It doesn't have to be a zero day vulnerability. It can just ... A simple thing that you find on the operating system that nobody looked at because it's so big these days, can be something that will be a bridge into your network if you had no idea.
So, getting into that state of mind of the attackers and starting to automate and actually simulate what they do on your environment, it's a very key feature into the, I will say, the next-gen of security testing environment. Really automate everything, have regression tests. Every time something changes in your infrastructure run those tests, validate nothing will expose you, then before nothing has changed the effectiveness of your security controls, nothing has changed the effectiveness of your infrastructure.
And your whole end to end security architecture should be the same, even if you had like a 90 upgrade of the IT environment, or a new security solution that you've added, or it can even be, you know, a different policy that you've implemented in your security control, and you'll have to know and validate that new policy, that new configuration did not actually expose you.
And just assuming that it did not expose you is not good enough. You're going to have to make sure you validate that and if you really want to validate so many parameters, I will say, in a very efficient way, automation will be a key factor here as well.
Tim, you've been doing a different type of thinking at Remediant around admin access and you had this unique solution around Just-in-Time admin access. Can you explain to the audience why this is important and different from traditional approaches?
Tim Keeler: Yeah, certainly. I would say the most traditional approach to privileged access management, if we rewind back to the first enterprise password vaults, and I think it was like 1999. That was really the way to manage people's access to different systems. You go in your password vault, you check out this shared account or shared credential and you use that to log onto all your machines.
Fast-forwarding to today and looking at the different types of vectors that attackers are exploiting to compromise credentials, the biggest struggle that we see is enterprises still trying to use that approach to tackle all of the problems in privileged access management.
Now, password vaults, they definitely have their place, but the key focus is they manage credentials, and that's really important when you're dealing with shared accounts. But when we take a look at individual accounts, the amount of privileged access that they have on different types of endpoints is ... It's very huge.
So we take a look at the concept of help desk admins, server admins, IT operations, even business folks that need admin privilege on systems, this starts sprawling over time, so even just having visibility is a big challenge for organizations, but what's even more important, and this is where the Just-in-Time comes in is this concept of zero standing privilege.
And that's basically addressing the problem that everyone is facing. It's like, okay, we know we have admin sprawl, and we need to get this under control. So what zero standing privilege is intended to do is say hey, we shouldn't have this sprawl of persistent admin privileges, what we should do is really just be giving a particular individual, a particular identity, access to the resource for just the amount of time that they need with admin privilege. So that's where this whole just in time model comes into play. And really addresses the larger problem of privilege sprawl, having visibility and most importantly going in with the mindset of okay, how do we actually put protection in place when a credential is compromised? Well it really comes to understanding the authorization of that account and making sure that doesn't have basically persistent privilege all over the place.
Still on that topic of privilege and permissioning. Balaji, your product, a big selling point of it is to prevent a lot of over-permissioning. So can you explain some of the challenges and threats posed by that and how CloudKnox goes about solving it?
Balaji Parimi: Yeah, I mean there are multiple layers, as Tim explained. To protect from compromised credentials you need to make sure that not everybody has standing administrative role all the time, right?
Correct, once you go beyond that, let's say if an identity is in, how do you protect from accidents and malicious insiders and those kinds of things? So typically when you look at the permission, an identity having the ability to perform an action on a resource, that combination is the permission, right? Before cloud infrastructure the number of actions were fairly simple. Maybe a couple of hundred. And the number of resources are also a couple of hundred.
When you take the cloud infrastructure, you take anything, private cloud based on VMware, or any of the three public clouds, AWS, [inaudible 00:36:27], across all these you're looking at 40,000 plus actions. Even if you're running a small set of applications you're looking at thousands and thousands of resources. That permission combination could grow into the millions, even for a small to medium level organization.
When it comes time for you to figure out what kind of permissions that each and every identity should have, it's humanly impossible to determine what should those functions be. And to make matters complicated, every machine is going to have certain permissions.
You take the case of any cloud infrastructure, every machine has certain set of permissions, third party extensions, access keys, all of these things. So when you are dealing with this kind of scale, and we are still using the same old 30 year ago model, which was today all the permissions are assigned, are managed completely based on assumptions. You assume that John Doe may need these permissions on this. And those permissions are aggregated.
All these cloud providers provide aggregated groups, like power user, like administrator, power user, and all these kinds of things. When you look at a power user, he probably has the ability to do 10,000 actions, and in reality that power user only does about 20 or 30 actions on a daily basis.
It's this level of over-provisioning, because there is no automated system to determine what the right set of permissions is for each and every identity within the system, that makes this super complicated. Because of this, what happens is, combine this with the level of automation that is in place, I'll just take one one-liner, for example, in VMware vSphere there's an API called destroy data center. How many times do people use it? I've never seen that API being used in production.
But if somebody is a power user or if somebody is an administrator, that identity has that capability. Same thing in AWS. If somebody gets [S3 00:38:47] read only, all it takes is a one-liner, an S3 sync, that one-liner, for them to download all the data within the account. Even if the data is encrypted, because you are going through the legitimate API channel.
So this is the level of risk, this is the level of complexity that is involved. These are the risks that come with over-provisioning, the over-permissioning side of things. Unless the paradigm changes from ... Today everything is based on assumptions, you need to make this driven by data. You need to do this management driven by data.
That's where CloudKnox invented its activity based authorization protocol. Where you look at each and every identity, what action that identity has performed on what resources, you imagine that you profile that information based on the past three months or six months, and then you know exactly, in your infrastructure, if there are 1000 identities, you know exactly what all those identities are doing because you have the profiles.
Then you group all these different identities into different job functions or something like that. Now you have a data driven, deterministic way to figure out what those permissions are, which leads to implementing the least [inaudible 00:40:07] implementation along.
Rich, you've been pretty passionate about solving the cloud native security problems, because we believe there's a new set of challenges. You've talked throughout the panel about how security is fundamentally changing, and you could have started any company, having seen all the security gaps as a CISO at all these different types of companies, but you thought that cloud native security, specifically Kubernetes security, had the biggest opportunity. So can you talk a little bit more about what you think is the biggest challenge companies will face in the future with cloud native security? And how is Soluble trying to solve this problem?
Richard Seiersen: Sure, and I'm sorry to be a little bit of a broken record, but I suppose that's my habit. The challenge I saw came from the first cloud native company I was a CISO for, this was four, five years ago, we were doing 40,000 plus releases a year. To be honest I hired a great team, we brought in a lot of the great first generation cloud stuff, even some cloud native stuff.
And it honestly didn't work. I mean great technology, don't get me wrong, but it just didn't apply. And I knew this. Right? And I enjoyed the experience and moved to my second company that was cloud native as well and saw the same thing. And it was there that I realized that gosh, the only way I was able to get anything done was by partnering with DevOps, and actually my co-founder Rob Channing was the VP of tech ops at the last place I worked and I had to really partner, I started channeling my budget and resources into helping him hire people and deploy technology.
It was the quickest way for me to effect change. Because he ran all the [CI/CD 00:41:56], ran all the platforming, had developers, had everything. And it was there that he and I together had this epiphany, you know, if security is going to work we've got to be able to drop security into development and then move on, by the way. And move on. There can't be any sort of religion or fetishism about things, it's got to be like data, drop it in, or like cache, just drop it in and move on.
We thought, gosh, that seems really novel. So why don't we do that? And that's really what I think, when I talk about food and water, when I talk about that other stuff being theater, this is what I mean by you've got to address the food and water problems. They're starving, they are completely blind, yet they're still accountable, right?
Because the reality is, if a breach happens, whatever the source, be it nation state, or fat fingering or who knows what, if it's the kind of thing that coulda shoulda been known, but wasn't, and the reason you didn't know is you were hermetically sealed from the action. Meaning you weren't a part of DevOps, you weren't a part of SRE, you weren't a developer, you were two or three steps removed sitting there going, please help me?
There's going to be no excuse, right? So what we saw is, hey, let's go solve that problem. Right? So this is a big categorical shift for security, by the way. Products are important, but this is a categorical shift in how you actually approach the whole domain.
So what we're doing, we're saying hey, security CISO, I was at a Fortune 10, I was at a publicly traded first cloud native company, and I was at the largest fintech company as a CISO, and what I'm saying to people like me, what I'm saying to them is hey look, great, good for you, for the last 20 years you were in the business of acquiring, deploying, and babysitting enterprise software. I'm going to tell you, and this is a fact, that is not your job anymore when it comes to cloud native security.
Which by the way it is digital transformation, and that's where you're all going. You just are. If you're going to compete in a cost out world that's where you're going, or else you're going to perish. So you're going to this world. If you're going to go to this world you're no longer in that role, right? You're in the same role, you have to be in the same role that DevOps and SRE is in.
That means you must become developers helping developers. You are in service of velocity, your job is to stay out of the way and clear the way. So what does that mean for you? That means you're going to go from probably developing no software to developing some. Right? You're going to be doing some of that, you have to be doing that.
And you're going to be acquiring the sorts of solutions that enable that. That give you scale. That allow you to drop security into development without disturbing development, and getting out of the way. So I don't want to get into detail, but that is exactly the problem that Soluble is solving, at a macro scale, it is a new category, we're looking to change that. So that's the problem, I'm sorry I'm passionate but I lived at the bottom of the salt mines banging rocks together for 20 years as a CISO at some of the world's largest companies, and I ran at the cloud native space first and learned some hard lessons and I'm here to save you from that. Thank you.
We're going to do what I call a lightning round. So these are one word answers to questions, and to maintain some order I won't prompt people, I think we'll go in the order Balaji, Avihai, Tim, and then Rich. So, everyone just give their one word answers for this topic. Okay, so the first thing is, favorite security product other than yours?
Balaji Parimi: LifeLock.
Tim Keeler: I'm really excited about Soluble.
Richard Seiersen: APIs. Go.
Black Hat or DefCon?
Balaji Parimi: DefCon.
Avihai Ben-Yossef: Black Hat.
Tim Keeler: DefCon.
Richard Seiersen: Paid vacation.
Emacs or VIM?
Balaji Parimi: VIM.
Avihai Ben-Yossef: Nano.
Tim Keeler: VIM.
Richard Seiersen: You know I used to say VIM until I got into Lisp, now I'm on Emacs, sorry.
Most interesting security hack?
Balaji Parimi: I've seen it at a customer where somebody was using the existing automation stuff to do something.
Avihai Ben-Yossef: I really like the phone hack for Jeff Bezos. I think it was a really cool one.
Richard Seiersen: For me it's not turning multi-factor authentication on.
1Password or LastPass?
Balaji Parimi: LastPass.
Avihai Ben-Yossef: LastPass for me too.
Tim Keeler: 1Password here.
Richard Seiersen: LastPass.
Capture the flag or lock picking?
Balaji Parimi: Lock picking.
Avihai Ben-Yossef: Capture the flag, yeah, I have two left hands.
Tim Keeler: CTF for me all the way.
Richard Seiersen: Capture the lock picker.
Most underrated security issue?
Balaji Parimi: Managing permissions.
Avihai Ben-Yossef: SMB signing on Windows environment.
Tim Keeler: Visibility.
Richard Seiersen: Security acting like they're accountable to software development.
Most overrated security issue?
Balaji Parimi: Network intrusion.
Richard Seiersen: Nation-state actors when you don't know what the hell is going on.
Avihai Ben-Yossef: Sundays. I've got to say.
Tim Keeler: Intrusion detection systems. IDS.
Okay, so we have one quick question from the audience and we'll do it Twitter style. So biggest IT trend to influence next gen security. 280 characters.
Balaji Parimi: Everybody is moving towards public cloud. Especially this ... And cloud computing is the way to go and everybody is looking at how can I protect in a prevention first approach. That will be the next big thing.
Avihai Ben-Yossef: So I would say automation. As we go the tasks only get bigger, human resource doesn't. And that will be the only way to really scale security teams.
Tim Keeler: I'll throw out zero standing privilege, with everyone moving into the cloud there are so many microservices with so many different permissions around that, this is really going to be the next nightmare for every company. So that's why I'm doubling down on that.
Richard Seiersen: I can't disagree with any of those, but I would say the biggest change for security practitioners is that they're going to have to completely retool. In fact they likely will have to be absorbed into SRE, potentially DevOps, and they'll have to become developers supporting developers.
The old idea of the security practitioner. I mean we used to be ... Listen, we used to be sysadmins helping sysadmins, we used to be network admins helping network admins, but that all fell apart when software came into the game. So the reality is we either have to switch or die. That's the biggest problem, at least for security practitioners, in my opinion.
280 characters, again, Twitter style, closing thoughts on the future of the security industry.
Balaji Parimi: Yeah, I mean as Avihai has pointed out, everything is going in the direction of automation, and everything is going in the direction of a prevention first approach. So more and more the implementation of security is also being pushed into the developer side of things. Developers are taking on more and more in terms of implementing the security controls right at the implementation stage rather than it being looked upon as an afterthought type of thing.
So I think as we go through in the future, security is going to be part of the development practice, and automation is going to be part of that and most of it is going to go in that direction.
Avihai Ben-Yossef: Yeah, so yeah, the security industry will definitely ... As I can see it, continue to flourish. Cyber crime still pays and pays a lot, and at the end of the day there are still going to be flaws, bugs, misconfigurations, people are going to do bad jobs, and then somebody will be able to leverage that.
So the more IT and software we do, the more security will be needed. So it's just going to be even more than that, even more than today.
Tim Keeler: You know, talking to so many CISOs, they're all just overwhelmed with the flood of security products and technologies and approaches that come at them. And I would say my parting thought is, don't get overwhelmed by that. Just start taking a look at the things that are most meaningful and relevant to the problems that you have today, and make sure that, whether it's a technology solution or changing your approach and process, automation and integration are tied into all of that. Because that's just going to make your foundation so strong that you can start tackling that remaining 10% of security needs. And that's where maybe the future state is, but getting that foundation in place now is just so critically important.
Richard Seiersen: The broken record. So I think security has to move away from being the cops and they have to realize that they're involved in a race. And the developer is the one in the race car, and instead of whispering sweet nothings in their ears or shaming them, they have to join their pit crew, and again, become developers helping developers. In a cloud native world, in a digitally transforming world, that's the only way security will win.