Cybersecurity Effectiveness Podcast


Adam Fletcher

It's increasingly hard to find good security people but it's much more increasingly hard to find good cloud security people, which means we really have to build them. We have to find ways to free up our teams to understand and learn how to secure the cloud. And it's up-skilling them using existing tools, using existing training, using the products that the cloud providers are releasing, and giving them the ability to really learn it and spend time on it, you know, is going to be hugely beneficial to us as well as to them.

Adam Fletcher, CISM, is the CISO for Blackstone and has worked with global security organizations large and small including McAfee, Nokia, VeriSign, ISS, and Accuvant.

Brian Contos:                

Welcome to the Cybersecurity Effectiveness Podcast, sponsored by Verodin. The Verodin Security Instrumentation Platform is the only business platform for security that helps you manage, measure, improve and communicate security effectiveness. I'm your host, Brian Contos and we've got a really special guest today. Joining me is Adam Fletcher. Welcome to the podcast, Adam.

Adam Fletcher:            

Thanks, Brian.

Brian Contos:                

Hey Adam, before we start, can you give everybody a little bit of background about yourself and sort of the career path you took that ultimately ended up at Blackstone?

Adam Fletcher:            

Sure. So, I've been at Blackstone for about five years now. I've been in a CISO role for about two and a half and was deputy CISO for the two and a half prior to that. Started my career in what was then called IT security about 20 years ago now after my unsuccessful management consulting career at Deloitte. I was there for about nine months, wasn't really happy with the projects that I was on. And a friend of mine from university called up and said, "What do you know about IT security?" I said, "Not much." He said, "Well, we have stock options." I said, "That sounds good." And I ended up the third hire in the New York office of a small reseller and managed security services provider called Netrex. And we spent our days on the floor of our boss's apartment learning how to install Check Point firewalls because in 1999, not everybody had a firewall.

Brian Contos:                

What's a firewall in 1999, right?

Adam Fletcher:            

They were still learning what T1 connections were and realizing that there needed to be something between the internet and them. So, I started my career very technical doing two-day firewall installs. Continued the technical path, got the opportunity to build a SOC in Brazil for Embratel, the Brazilian phone company. Then went and did a whole bunch of consulting in Helsinki, Finland with Nokia. Then spent some time in Switzerland trying to build managed security services practices with Verisign in Europe.

Adam Fletcher:            

And then came back and started an enterprise career. And I was at Network Associates, which became McAfee, for a few years as an internal security architect. Then went back into consulting and helped Jay Leek and Nokia build what eventually became kind of Archer's security product. So, you know, we had this vision of bringing together security data and application data and ownership data, and trying to put that all in one place to manage vulnerabilities and application flaws and things like that. Did that for a while, then joined Equifax in 2010.

Adam Fletcher:            

Went back to Latin America, lived in Sao Paulo, where I met my wife actually. Spent some time in Brazil and in Lima, Peru, running Latin America for security for Equifax until I came back, took over all of international. And then eventually, when Jay was here at Blackstone, he hired me on to be his deputy. And that kind of started my career here.

Brian Contos:                

That's awesome. You know, it's so funny that so many of us, you and I both, of course, I spent a year living in Brazil with Bell Labs, and your time in Brazil and the rest of Latin America. I've got to do an episode just about Brazil I think because so many security professionals took a pit stop there.

Brian Contos:                

But, you know, I want to talk to you today about cloud. And a lot of CISOs I'm talking with and I know you're talking with, they're really diving deep and trying to understand, should I be spending more time and more effort actually learning about the cloud and how to secure it? What's your overall perspective on that?

Adam Fletcher:            

Well, I think we have to. I think that, I liken it to 20 years ago when there were probably less than 10 security vendors on the market and everyone who had gotten into this new industry had to learn the technologies themselves kind of by diving in and doing it. And here we are in this kind of new wave or new generation where so much is being built in the cloud and so much is changing in terms of what we need to do to secure this new architecture, whether it's infrastructure as a service or software as a service. And as security professionals and CISOs, if we think about what things are going to look like, you know, two, five, 10 years from now, I really think that you have to understand security in the cloud as much as we had to understand basic security fundamentals so long ago when this industry really started forming.

Brian Contos:                

Let me ask you this, a lot of people, they talk about the cloud as like, you know, it's no different than when we started moving into data centers and maybe we moved our servers from the basement downstairs and stuck in a data center. I don't necessarily think that's true, but, you know, where do you stand on it? Do you think cloud security is actually fundamentally different?

Adam Fletcher:            

I don't think that security is fundamentally different as much as the tools and techniques that you use to implement security are different. I think that if we were to look at a map of the domains of security, we're going to think through the same types of things in the cloud that we think through in the data center. We're gonna think through identity and access management. We're going to think through intrusion detection, anomaly detection. We're going to think through OS layer security.

Adam Fletcher:            

The difference is that the cloud and whether you're talking about software as a service or infrastructure as a service, offers new tools, new techniques, new mechanisms to implement those fundamentals that are not necessarily the traditional security technologies and security stack that security programs and security teams have gotten comfortable with over the last five or 10 years. So we have to find a way to adapt and apply those fundamental rules using the new technologies and techniques that fit into the cloud models.

Brian Contos:                

Well, you know, that brings up a good point. It makes me think about migration. So, how do you think about migrating an existing security program, if you will, to cloud as applications and infrastructure are being migrated?

Adam Fletcher:            

I think you have to think about it in terms of the same domains that we talk about in a security program today. Whether you use prevent, detect, respond, or prevention, visibility and response, whatever your terminologies are, you have to approach it by looking at those domains in the cloud the same way that you had previously looked at them on-prem or in a data center. And you want to ask yourself, where is my data? What data is it? How important is it to protect? What types of threats are there that I need to prevent from taking my data or affecting my workloads and how would I detect them? And then if I detect them, how would I respond to them? And what techniques and what tools are available to me in these infrastructures or these applications that I'm moving to in order to be able to do that?

Brian Contos:                

So, I'm a C, so I've got all these security tools in front of me. Do these products that I've spent years, perhaps decades deploying and maturing, do they translate into the cloud or are you finding it's a direct translation or is there a gap there?

Adam Fletcher:            

I think it's 50/50 so far. I think that some of the technology providers have found a way to apply their technology to cloud architectures, especially the ones that jumped on the virtual bandwagon early on and created virtual appliances. They've been able to translate those to the cloud I think easier and faster than some of the ones that are holding on to more legacy infrastructure for whatever reason.

Adam Fletcher:            

Others, you have to ask yourself whether it makes sense to take a technology and apply it to the cloud because the ephemeral workloads or the ones that are scaling up and down to supply massive compute power to certain applications or functions, it may not make sense to, for example, deploy a certain security technology to 20,000 workloads that are only going to exist for 10 minutes.

Adam Fletcher:            

So, I think you have to be very mindful of what you're trying to do and whether or not it makes sense to try and take that stack that you've been building and maturing on-prem, and just kind of forklift it. That's probably not always the right approach. Whereas, the downside of using native tools is that they may not integrate well into your existing monitoring solutions. If you have a single pane of glass for certain things, you may not be able to pull that data in without a large amount of effort. It's finding that balance.

Brian Contos:                

Yeah. You know, we've sort of focused on the technology piece of that and I think you hit some really good points there. But let's talk a little bit about people. You're a security leader. What do you do to develop that knowledge and get that expertise that's required so you can make educated decisions about what's the right thing and am I actually doing what needs to be done?

Adam Fletcher:            

I think that it's kind of the same conversations that we had before the cloud and it's using the techniques that we've learned as security leaders to manage risk. We're using fundamental principles, again, the same fundamental principles apply of risk management to say, what are we trying to protect against. What losses or what impacts are we trying to prevent? What are the potential threats that we need to identify and deal with? And basically, translating that and saying, okay, now that I'm using this software as a service, now that I'm using this cloud provider, how do I do those things? And I think, it's on us to mature and kind of learn continuously about the new technologies and the new environments and how we can manage risk in those environments.

Brian Contos:                

Yeah. I think that tracks. We've talked tech and we've talked people, let's talk a little bit about policy. How do you get started? Assuming that you don't have a cloud "security policy," how do you create one and do your existing security policies apply?

Adam Fletcher:            

Not necessarily. I mean, I think some do. For example, least privilege is something that everyone strives to implement on-prem, in your role-based access permissions, things like that. That's certainly one that applies. You want to apply that principle in your software as a service application or in your cloud workloads or in your AWS accounts the same way that you would have in data centers or in Active Directory. So, again, a fundamental principle applied using kind of modern techniques.

Adam Fletcher:            

But I think that there's a harder kind of question to solve which is one that we went through, which is, we didn't have a lot of skill in cloud security. It was relatively new to us. And we wanted to find a way to enable the business to quickly start testing in the cloud to see if developing in the cloud, if building applications in the cloud was something that would be more efficient for them than building it in our data centers.

Adam Fletcher:    

What we did was we identified an off the shelf tool that was designed to manage configuration compliance of cloud workloads. And we said, all right, show us your best practices policy for kind of how to stay secure in the cloud. So what are the things that, you know, if you picked your best practices policy, what are the things that you would check for on a periodic 15, every 15 minute basis, every hour basis, you know, to make sure that we weren't doing things like leaving an S3 bucket exposed or leaving root credentials exposed or things like that.

Adam Fletcher:            

And then we reversed that. We took that policy and we reversed it and said, okay, here are the starting guardrails for moving a workload into one of the infrastructure as a service providers. And we said, we're going to start here and these are the guard rails that we're going to set up, and we're going to enable people to start testing in the cloud using these guardrails. And then we're going to use the tool to verify that the guardrails haven't been, people haven't gone outside the guardrails or that these configurations remain in place so that our risks are mitigated.

Adam Fletcher:            

So, I think that it was a combination of learning what controls could be in place, but also, finding a way to accelerate our path to setting those guardrails and being able to test them on a periodic basis so that we could manage and mitigate the risk.

Brian Contos:                

I love the way you walk through that because you can tell it's somebody that's actually been in the trenches and probably took the bumps and bruises along the way to learn what works and what doesn't. I can hear a lot of that in how you explained it and I think our listeners really appreciate that.

Brian Contos:                

One of the things that I still today hear about is visibility, and this notion that, look, I just can't get the same visibility in the cloud that I'd have, for example, if something was on-prem. And I guess academically I think that's probably true. But what's your experience been? I mean, have solutions evolved to the point where your visibility is pretty much on par or is there still a gap there?

Adam Fletcher:

I think we're getting there. I think this one's a moving target. And the velocity with which the cloud providers are releasing new capabilities, new products, specifically new security products and features is really impressive. I think that we started with CloudTrail and you could get certain logs and you could pull those back or you could search them in Amazon's console. Now you have GuardDuty which has additional monitoring features. And then, they announced security center and I think, you know, they'll continue, AWS specifically, they'll continue to get better and provide these features.

Adam Fletcher:            

I think the question for security teams to ask is, do you need a single pane of glass if you're living in a hybrid cloud world? Do you need the same visibility system for your on-prem data center workloads and your cloud workloads, or can you separate that and say, well, I have my existing SIEM for everything that's in a datacenter, and then I'm using either native tools or building a separate SIEM for my cloud workloads?

Adam Fletcher:            

I guess it really comes down to how hybrid your hybrid cloud environment is and whether or not you need to connect the dots between those multiple environments, or if you're transitioning to the cloud in such a way that the workloads that you put in infrastructure as a service are relatively separate and unique and have, you can live with the visibility that you have over there while maintaining your kind of traditional SIEM that's mature and that you've been working with for years.

Brian Contos:                

Sure. Well, how does that port to an investigation or you're in the midst of incident response? Is it better, is it faster, is it harder, is it more complicated? How are you seeing that port?

Adam Fletcher:            

Yeah, it's complicated, right? I mean, you have, the shared responsibility model is such that you only have access to a certain layer of visibility. And if it's not provided by the software as a service or infrastructure as a service provider, then you're just not going to get it. And in some cases, software as a service providers are even charging you for a layer of visibility to security events or security logs that should be yours to begin with. So, I think that it's a case by case basis and you go back to, well, what do I care about, right? Do I care about data loss? Do I care about unauthorized access? Do I care about escalation of privileges?

Adam Fletcher:            

And you're probably going to take the same playbooks and run books that you've built for on-prem applications and migrate those or rejigger those for the applications that you're building in the cloud, and say, well, I want to be able to do this. This is how I did it on-prem. This is how I can do it in the cloud. Or, you know, I can do it to 80%. So, you build a similar run book with automation if you have it and try and do the same type of investigation. And in some cases it works, and in some cases, it doesn't.

Brian Contos:              

You know, Adam, I think we could probably go on for hours and hours on this. I love the lessons learned and your unique perspectives on this. But as we wrap up here, are there any last thoughts that you want to leave our listeners with?

Adam Fletcher:            

Yeah. I want to go back to the people question a little because I didn't answer really on one of the kind of biggest challenges that I think we as an industry are facing, which is really how we build the capability to secure the cloud. I think that the broader cybersecurity talent gap is really exacerbated when we talk about cloud security.

Adam Fletcher:            

It's increasingly hard to find good security people but it's much more increasingly hard to find good cloud security people, which means we really have to build them. We have to find ways to free up our teams to understand and learn how to secure the cloud. And it's up-skilling them using existing tools, using existing training, using the products that the cloud providers are releasing, and giving them the ability to really learn it and spend time on it, you know, is going to be hugely beneficial to us as well as to them.

Adam Fletcher:            

I mean, especially the people who are closer to the beginning of their career than the end, this is I think where their lives are going to be for the next 15 or 20 years. And understanding the cloud, understanding how to secure the cloud is definitely something that will carry them.

Brian Contos:                

Well said. Well said. And, Adam, I have one final question for you, and arguably the most important question of the podcast. And that's, who's your favorite superhero or super villain and why?

Adam Fletcher:            

Definitely Superman. I'm an idealist and sometimes black and white to a fault, kind of right or wrong to a fault. And I think that Superman is, he represents the ideal state of kind of doing what's right and doing what's best for humanity. Sometimes he fails but he's always trying to get there. And that's always kind of resonated with me.

Brian Contos:                

Awesome. Yeah, he's a humanist, right? Well, thanks Adam, and thanks to our listeners for joining. And be sure to check out other Cybersecurity Effectiveness Podcasts, sponsored by Verodin.
