Cybersecurity Effectiveness Podcast:

The Age of the Intelligent SOC

01/09/2019
The Cybersecurity Effectiveness Podcast is kicking off the New Year with a forward-thinking episode featuring JASK CEO and Co-Founder Greg Martin. Hear his predictions about the key cybersecurity challenges that organizations will be facing in 2019. Learn about the ground-breaking developments in AI and SOC automation enabling security teams to combat the rising sophistication of cyber attacks at a super-human level.
“Without AI and intelligent automation of the SOC, there’s no path forward to being successful. You can’t fill all the roles but even if we did, we believe it still wouldn’t be good enough. The rate of attacks and the rise in sophistication of attacks are growing in such a way that it’s no longer a human scalable problem.”
Greg Martin
CEO & Co-Founder at JASK

Greg Martin

CEO & Co-Founder
JASK
@GregCMartin is the CEO and co-founder of JASK. He is a renowned cybersecurity expert and successful serial entrepreneur based in Silicon Valley. Prior to JASK, Martin founded Anomali (formerly ThreatStream), the leading Threat Intelligence Platform company. His experience includes roles as a cybersecurity advisor to the FBI, Secret Service and NASA; Chief Information Security Officer (CISO) at Sentinel IPS; and Security Operations practice lead at ArcSight.

Brian Contos

CISO
Verodin
@BrianContos has two decades of experience as an executive, board advisor, entrepreneur, and author. Brian worked at DISA, Bell Labs, Riptech, ArcSight, Imperva, McAfee, and Solera in over 50 countries, across six continents. He speaks at events such as Black Hat, BSides, and RSA, and is frequently interviewed by the press.
About the series:

Cybersecurity Effectiveness Podcast

Cybersecurity experts from around the globe share experiences about their journey to increase security effectiveness. Do boards and business leaders understand the risks? Is security improving, barely keeping up with threats, or falling painfully behind? And more importantly, if what kept us secure has stopped working, what do we need to do to fix it? Join host Brian Contos and his guests as they explore these questions on the Cybersecurity Effectiveness Podcast.
Transcript: The Age of the Intelligent SOC
Brian Contos:
Welcome to the Cybersecurity Effectiveness podcast, sponsored by Verodin. The Verodin Security Instrumentation Platform is the only business platform for security that helps you manage, measure, improve, and communicate security effectiveness. I'm your host, Brian Contos, and we've got a really special guest today. Joining me is Greg Martin. Welcome to the podcast, Greg.

Greg Martin:
Hey. Thanks for having me, Brian.

Brian Contos:
Hey, Greg. Before we get started, give our listeners a little bit of background on you and the journey that you've taken, which has ultimately landed you as the CEO of JASK.

Greg Martin:
Sure, happy to. Well, probably not unlike many of the folks that landed in this industry, I started off as a hacker myself, a white hat hacker, a good one. Started at a very early age, did my teenage years in the 90s breaking into networks and having fun and writing code, and that brought me to doing some work for the government. I did some SOC analysis work in training for NASA, did some consulting for FBI, Secret Service, and had a really fun career in my teenage years and early 20s. When most people were going to high school and college, I was working with federal authorities to kind of track down and bust cyber-criminals.

Brian Contos:
That's pretty cool.

Greg Martin:
Yeah, it was different. It was fun. I really enjoyed that time in my life. I then ended up joining a small startup called ArcSight, based in Silicon Valley. That kind of got me exposed to the very large enterprise. I was out building and designing security operations centers for some of the largest organizations out there. We built the SOC for Walmart and JP Morgan and some really great organizations. After ArcSight got acquired by HP, I founded my first company as a founder. That company is called Anomali today. They are the leader in the threat intelligence platform space. The idea behind it is, how do we take information about the bad guys and disseminate it and make it actionable in all our tools, and share that information in a secure way. So, think indicators of compromise, indicators of attack. So, very successful. It's the leading product in the space. We're very proud of what we've built there.

Greg Martin:
After Anomali, I left because what I saw was the Security Operations Centers that we built were struggling, and I saw an opportunity to do something much bigger to help address some of the problems that we're having in our space. Some of the things that I saw were that analysts are struggling to kind of keep up with the number of alerts and attacks. They are struggling to be able to wrap their heads around all the data that they have, both internal and external data like threat intelligence. And generally, Brian, they just have a sense of being overwhelmed. So I knew we had to do something about that, and adding some automation to the SOC to really help us be effective and do our jobs better was really the founding principle behind JASK. So, really excited to be in the saddle creating another technology company and running another tech company, and we certainly think that JASK is going to be a big one, and really have some important innovations in our field.

Brian Contos:
Yeah. Well, certainly Anomali and JASK have definitely made a name for themselves in our industry, as you have as an individual as well. So I think this is going to be a really game-changing solution for organizations that are struggling with SOCs. And to be very honest with you, we were both at ArcSight for quite a while, and you very rarely ran into a SOC that just had everything nailed down, it was just running smoothly, and everything figured out. There were always issues 15 years ago, and there [are] still issues today, they're just compounded. So I think it's great timing. But let's talk about 2019, let's talk about going into 2019. There are a lot of organizations and folks talking about predictions, but what do you feel are the things organizations need to focus on, stuff that doesn't pass the duh test, the low-hanging fruit, if you will. What are some of the key issues that the Fortune 500s, government agencies, Global 2000s, maybe even mid-market organizations should be focusing on?

Greg Martin:
Yeah. I think that ... I hate to sound like a broken record, but I think that making sure that you're not using technology as a crutch, and focusing on the basic security hygiene is going to be really important. Your patch management, your policies, making sure that you stay on top of that. Testing your security equipment. What I love about Verodin is, now, we have technologies that we can actually test what we implement, make sure it's working effectively. These are part and parcel of making sure that the strategies that we deploy, what we're doing, are running and they're effective. And I think that's where most organizations are falling down. It's not about buying more intelligence or more tools all the time, more detections all the time. It's like, how do we take what we have today and make it more effective? How do we make our people more effective in the SOC, like what JASK does.

Greg Martin:
How do we make our technology more effective, prove that it's actually working? And I think that's the exciting time that we're in now, is that we have the technologies to actually start to measure success. So in terms of 2019, certainly back to your question, "What's new?" I think there's going to be an increased focus on education. Phishing seems to still be the most successful attack vector. I don't believe that the attacks themselves will become incredibly more sophisticated. We're seeing the same things, software bugs, zero days in popular business-related software like Java-related products, concat, WebOS. These are the things that are continually seeing vulnerabilities, so it's the same types of attacks.

Greg Martin:
What we do see is that, on the attacker side, the sophistication and the ease to change tactics, basically send out more attacks in a more effective manner, that level of sophistication has sharply risen over the past couple of years. So turning cybercrime into a service and making sure that it's a successful one has been really the trend. So how do we defend that in our organizations? Well, first of all, security hygiene. Second of all, educating our users. I think that in 2019 there's going to be a lot more investment on security training and education in the enterprise, across all domains, because security is not the job of just the CISO [of the] organization and the security professionals in the company. It's really got to be everybody's job. To Kathy in the billing department, Bill in technical support, down to the lowest levels, because as you know, it only takes one weak link in the chain for an attacker to be successful and get a foothold in the network.

Brian Contos:
Yeah, absolutely. Every time you talk about predictions with anybody about the coming year, it seems to include a lot of the things we've talked about in predictions for the last 20 years. The basic hygiene, the patch management, the validating your tools, et cetera. But there's kind of a new kid on the block, as well. And I know this is something that you're very passionate about, which is AI – Artificial Intelligence. You've been quoted as saying, "AI will change security operations as we know it." I was wondering if you could give a little bit of detail. Exactly what do you mean by that? And how will AI actually be able to help security ops?

Greg Martin:
Well, I'm glad you asked that question. It is something I'm very passionate about. It's exactly what we're working on at JASK. We believe that without AI and intelligent automation of the SOC, there's just no path forward to being successful. Everybody knows that there's a massive shortage in talent in cybersecurity. You can't fill all the roles. But let's say that we did. Let's say that we had the people. It's our belief that it still wouldn't be good enough. The rate of attacks, the rise in sophistication of attacks are growing in such a way that it's no longer a human scalable problem. We have to start adding automation and changing the way that we do things.

Greg Martin:
We have to question this whole concept of, "let's fill up a giant theater with three-tiered analyst structure, level one, level two, level three, and feed them the alerts from our security detection equipment." That model no longer works today, and I challenge it in multiple areas. First of all, if we have a human capital problem, we don't have enough skilled employees to run and manage our security operations centers, well, let's literally think outside of the SOC. Let's actually hire people remotely. Let's run our SOC on collaborative tools like Slack. Instead of thinking about a big, giant room, a big, dark theater with frosted glass and big movie screens showing attack visualizations and, what do they call them? Pew Pew Map?

Brian Contos:
Pew Pew Maps, yep.

Greg Martin:
Maybe the time has come that we realize that the effectiveness of that... yes, it looks cool, absolutely. But having that level of shift work all in one room, it's very expensive, and it's hard to do successfully. We have to go back and ask ourselves, "What is the purpose of the SOC?" My belief is that the SOC's purpose is to reduce the risk of the organization from cyber threats. So if we take that for what it is, and not a dog and pony show for the board and for the investors, if we truly want to make a difference, then we have to rethink, "What are the ground rules?"

Greg Martin:
Right now, it's the Tier One analyst stage that I believe needs to change. I think that that is going to go the way of the grocery store checkout kiosk. And not to throw any level one SOC analysts under the bus, some of my favorite experiences in my entire career are working with, training, and seeing level one SOC analysts in action. They're the best, because they're the fresh minds. They have very little biases. They're new to the industry, and great ideas. So our entry level folks are always going to be really exciting. But, do we need them picking alerts off of FireEye and off of Cylance, investigating each alert one by one off the SIEM? It's no longer something that makes sense. We have to put these individuals in a better role. And you know, what can we do with them?

Brian Contos:
Yeah.

Greg Martin:
That's the fun question. How would we repurpose the SOC analysts if all of a sudden, we had all this time back?

Brian Contos:
Yeah, you know, while you were going through that, I was thinking about my... My very first startup was Riptech which was an MSSP, and it was eventually acquired by Symantec, and right before I joined ArcSight, this was where I was. I had left Bell Labs and me and Amit Yoran – Amit's of course the CEO over at Tenable and Grant Geyer, Grant's executive over at RSA. We all came together with some of the other folks and built this MSSP, to which most people said, "What the heck's an MSSP?" But I remember building, when the initial SOC was being built out it was in Alexandria, Virginia, it had the frosted glass, there were all these pods, as we called them, that the Tier One analysts would sit in. And throughout the day they'd rotate 360 degrees and they had natural lighting and the chairs had 25,000 different adjustment levels and this and that.

Brian Contos:
It was a marketing SOC. It was functional, yes, but it was, to your point, it was about, "Hey, let's take a customer on a tour," or "Let's have NPR come in," or "Let's have C-Span shoot an episode with the pew pews on the screen," and things of this nature. So, fast forward a year or so, the company that made those 360-degree rotating chairs, they went out of business so the chairs were broken. We found out that the analysts, with all these cool gizmos and stuff were just as happy and just as effective sitting in a cubicle and doing their work. They didn't have to be in this room, and in fact, being in this large theater wasn't the most productive mechanism. And there was a whole bunch of other things regarding the bathroom, you had to go through a man trap to get there and type in a code, and it was just a pain.

Brian Contos:
It was more marketing than utility. And I think you really hit the nail on the head by saying there's the marketing SOC, if you will, and it's cool to look at, and maybe for some organizations it's actually the right design, but with the new collaborative capabilities and cloud and using Slack to communicate and other tools like that, I think we've matured past that idea. And it's good to hear somebody like you, that's not just on the forefront of that, but even as a kid, as a high schooler, where you were helping organizations embrace SOCs and how to better manage them, it's good to see that that's the path we've gone down, because I think it's much more productive.

Brian Contos:
And when it comes to a people perspective, at the end of the day, the folks that are good enough to look at log files coming through and determine this is a real attack or if it's something critical, or if it's just noise, you can't pay them enough money to keep them interested where that's their only job. You have to have different tracks for them, and they have to be able to move up and move sideways and do different things, because at the end of the day looking at log files, by themselves and that's your only job day in and day out, not super interesting, especially for very talented folks in security. So, I think that's a big one when we start talking about the talent side of things as well.

Greg Martin:
Absolutely. I mean, think about what they could be doing, how helpful that is for the organization, vulnerability and patch management, threat intelligence attribution, malware reversing, just policy work. They could be exposed to so [many] more different areas in cybersecurity within their organization, have such a strong impact. Being a level one analyst, no matter where you go, seems to be the same job, it's not the most glamorous job, as you know.

Brian Contos:
Well, you know, SIEM was supposed to solve a lot of this. SIEM, and then there was next gen SIEM, and all these other flavors. Again, you've been on the SIEM side, I've been on the SIEM side. What is it that you think it is about SIEM that remains so challenging? After all these years, people are still struggling to get value out of it. They know there's something there, that's why they're investing millions if not tens of millions of dollars into SIEM solutions, but are they getting that money out, and usually the answer is no. And my question is, why do you think that is?

Greg Martin:
Yeah, I think one of the reasons is that SIEM traditionally has focused heavily on logs, and I think it's lacked a lot of the context to do the job properly. So, it's really been a tool that's required a tremendous amount of heavy uplift around human programming and maintenance. So, if you recall back at ArcSight we had to constantly have teams of professional services folks programming the system, updating the rules and the heuristics, making sure that the latest attacks were always being detected. But then that was updated over time as things in the environment changed, or the attacks changed, so it was really intensive and not very effective, because an attacker could just change up their tactics all of a sudden and these rules are no longer effective anymore.

Greg Martin:
So, this is one of the core issues with how SIEM was built. It wasn't built from the ground up to take an analytical approach, looking for anomalies, connecting multiple disparate data types from logs and network to user to behaviors. These are all the things that we have the capability to do today with cloud, with big data technologies, with analytical technologies that are ubiquitous, like Apache Spark, machine learning libraries like TensorFlow. We have some very powerful technologies now that are being applied to many different areas outside of cybersecurity very successfully, so applying it to the SOC now, to really transform what we can do with SIEM is really a no-brainer.

Brian Contos:
Yeah. Well, great input and great advice, Greg. I think you always have a lot of fantastic thoughts, and well thought through ideas on how to approach security, especially as it relates to the SOC. Final question, something we like to ask everybody that we interview on the show, who is your favorite superhero or super villain, and why?

Greg Martin:
I really like Batman, actually. My favorite Batman movies were the Christopher Nolan, Christian Bale Batman, of course. But why do I like Batman? I think it's because he wasn't necessarily relying on superpowers. He had technologies, he used training and skills to be a total badass. And I love the realistic slant of Batman.

Brian Contos:
Yeah. I love that quote from the last movie where, "What's your superpower?" "I'm rich." Awesome.

Brian Contos:
Well, thanks so much, Greg, for being on the show, and thanks to all our listeners for joining. Be sure to check out other Cybersecurity Effectiveness Podcasts, sponsored by Verodin.