Menu
Contact Us
Get a Demo
Whiskey Wine Water Wednesday

Episode Four

Remediant's Cyber Whiskey, Wine & Water Video Podcast

JD Sherry

February 3, 2021

Episode Four: SOAR, Incident Response, Zero Trust and Security Integrations

Hosted by JD Sherry, Chief Strategy Officer, Remediant

Guest: Rob Randell, Security Expert with VMware, ServiceNow

We’re fortunate today to have Rob Randell, considered a Security Technology subject matter expert with in-depth experience, enhancing IT capabilities and strengthening Security environments for over 20-years. Today, we discuss the challenges, issues and solutions to SOAR, Incident Response, Zero Trust and Security Integrations.

Episode Four Transcript

Welcome again to this installment of Cyber Whiskey, Wine & Water Wednesdays. We try to do this every couple weeks during the month to get together with some of my network in the cybersecurity field to chat about current topics, get some exposure to some really, really smart people, present company not included on that, but certainly my esteem guests.

Today and tonight is no different. I am super lucky to have Rob Randell join me today. Rob has been in the cybersecurity space for a long time. I want to touch on a couple of different things about how Rob and I got together. Rob and I met first in 2012, if you can imagine that. Rob was with VMware at the time, assuming a really cool security leadership role there. When I say that he was essentially the first principle security specialist, and I'll have him talk a little bit more about that journey at VMware.

Rob and I met because I was with Trend Micro at the time. Trend Micro was doing some really interesting things with VMware to embed security into the hypervisor and change the way people manage the anti-virus and things of that nature. The relationship was strong. Rob and I go way back, and he's probably, I always like to say, he's probably forgotten more about cybersecurity than I may ever know with regard to virtualization and hypervisor certainly cloud now. So, Rob welcome...

Rob Randell:

Thank you.

JD Sherry:

Cheers to our Wine Wednesday in this space. Cheers. We like to get on and have a drink of choice. That doesn't even have to be an alcoholic beverage. It's just we don't get to do these happy hours much anymore, rob, so thanks for taking the time out of your busy schedule.

I want to give the folks a chance to hear a little bit about your background, your journey, because I do think it's really unique for somebody that was embedded in what was an infrastructure world that decided to really embed security into that. Then I think your career has just taken off since then. So take a few moments to talk a little bit about your background and why you decided to jump into cybersecurity.

Rob Randell:

Sure. Yeah, so interestingly you mentioned being at these infrastructure companies and really focusing on security in these intricate infrastructure companies. The way that happened because I do have a background in some security startups over the years. Everybody remembers Vericept, Webroot, Determina. I headed a number of those. Back in '07 and it seems like forever ago, but back in '07, VMware acquired my company Determina and we had really a pretty cool technology. But the cool thing about it for me was, I mean the acquisition was great and all of that, and unfortunately didn't make much money out of it, but that's okay. But what it gave me was an opportunity and a huge opportunity to bring security into an infrastructure company, such as VMware. At the time, VMware was starting its field specialist practice and specialists for things like VDI, specialists for things like security.

So with me coming in with the background in security, the VP of SE at the time was like, look, we want you to take this on and go out and talk to our customers about the security, the hypervisor, and understanding why it's okay to virtualize, why it's okay to put two different workloads of different security levels on the same physical hardware, how do you deploy it securely and all those things.

Then we started getting into things like leveraging the hypervisor to provide security. That was pretty cool. So that's when we came out with initially I think we called it vShield and then it became vCloud Network and Security. And eventually we made the acquisition of Nicera, which then became ultimately NSX and really helped us take off in that virtualization security space. It was quite the journey at VMware, a great time. Yeah, I really enjoyed that time.

From there decided to make a move over to a service now where a bunch of my former colleagues were actually at the time and got to really dive into this space of security operations. So think of security, incident response, think of vulnerability management, those types of operational-type of aspects of security that we don't always think of very much when we're thinking about security.

What I've found is typically you see, when you talk security, most people think first of prevention solutions and then detection solutions, but they very often miss out on the response piece of it. They don't think too much about that. That's an integral part of security, because you can have all the great detection and all the great prevention solutions that you want, but if you can't actually respond when one of those solutions fails, and then at the end of the day, you're always there's always ways in. Attackers are going to find their way in. How do you respond to that? How do you quickly mitigate the risk?

JD Sherry:

Yeah, that's a really key point as we talk with a lot of customers the acronym MTTR, right? Mean Time To Respond, and you get into Mean Time To Detect and all of that as well. The response pieces is key because ultimately dwell time continues through when you detect, because they're still dwelling, but it's until you respond and get them out of the environment and eradicate them out is the real key to be able to jump on and you can get them out of the environment.

I want to hit on a couple of key things that I think are relevant for our talk today. Number one, you brought up NSX and network virtualization. The other part of where our relationship basically continued on is when I was then at Optiv, when you were at ServiceNow we were looking at ways to collaborate in the cloud and figure out how we could really improve the partnership, but even then the NSX piece from micro-segmentation. I mean, I was very fascinated at both of what ServiceNow was doing in the automation orchestration and tying all the glue together around security operations. That was key for me as a cloud leader, but the other piece from a hybrid cloud perspective that was so important, because we all know, I mean, it's even consistent with today. People weren't just going to jump into the cloud with both feet. They were going to run hybrid cloud, multi-cloud strategies.

What I loved about what VMware was doing at the time that was so innovative and then still is doing, is that network segmentation, which is the epitome and the foundational components of zero trust. We talk a lot about zero trust on our show and at Remediant.

Tell me and the listeners, what did that mean from a network segmentation perspective on how you could improve the defense in depth capability and the mitigation or the prevention of attacks and lateral movement with that network segmentation?

Rob Randell:

Sure, so I think the beauty of it initially was number one, everything got moved into software. It wasn't hardware-based anymore. So you didn't have to think about the network in terms of my routers and my switches, and then this X network segment, Y network segment with by moving into software and everything running in the hypervisor and providing that the virtual firewalling, for lack of a better term, at the virtual NIC, essentially, we were able to then get more logical when we started creating our zones, if you will, or our segments.

So when we talk about micro-segmentation in theory, yeah, you can go down to an individual VM, or even an individual virtual NIC card on a VM and block traffic at that level and create policy at that level. Now, you could have always done that with things like host-based type solutions agent-based type solutions, you put those on the endpoint, and then you try to do that.

The challenge with that is you have to do that on a one-by-one bay basis. You may have a central console that does some things, but you have to make sure the agent's there. You've got to make sure that it's there, but with the hypervisor it's just built in. So by doing that, we were able to get very logical, and say, these are my web servers as an example for X application. This is my application. I've got five servers maybe that makes up that application. These are my web servers for that application. These are my app servers. This is my database server. Then we can go back and then we can be very granular and say, for this application you can have an unrestricted conversation between the systems. Although from my front end web servers, the only way I'm going to be able to talk to my app server, as an example, is through whatever port that you wanted to choose, and be very specific about that.

You can do that again, not in the aspect of, hey, they have to be in this specific sub-net on the network and then route, and then you have a firewall in between and those types of things. You can create these virtual DMZs at any level of granularity that you wanted. That was the real exciting thing about it.

I haven't been keeping up with my buddies at VMware, but you know, everything I'm hearing where I do hear about it is it's still very relevant. Then you see companies like a Palo Alto Networks really digging in on that and living that. You see other firewall-type companies realizing that it's not just hardware-based anymore, but you got to get to the software. You got to be in the cloud and be able to be that and have that level of granularity to provide that level of zero trust.

JD Sherry:

Yeah. That's a great point on the Palo Alto side and other integrations. What's so exciting to me, and we're working on a lot of integrations currently at Remediant right now, is you've got to have that better together story. Like you can't do it all on your own. What I love about what I've seen evolve in the last 10 years certainly with hybrid cloud, the cloud, is these security vendors are getting better at putting the glue together and doing integrations. I think that's key because everybody ha I mean, I think when I was at Optiv, they said your typical large company had over 80 plus security pools and there's [crosstalk 00:10:48]. I'm sure that's grown now, if you think about it. So the integration piece, I'm glad you brought that up about VMware. That's key.

Let's move a little bit to where you've evolved into really, I think, a really interesting career around security operations and your days it's ServiceNow, the SOAR phenomenon, right? So security, orchestration, automation, and response. Let's dive in a little bit more on the response side.

We've seen a lot of vendors get acquired in that space. I think it's been highly acquisitive because there's been some really good technologies in there that have been gobbled up by some of the larger players. Talk a little bit about how you've seen that space evolve. Where do you think we still have a way to go in SOAR? Where would you recommend customers to start thinking about? Whether they've been on that journey for a while and they're trying to mature it, or they're just embarking on that journey.

Rob Randell:

Sure. Again, it's definitely challenging, but you know, there is a maturity level that you have to go through. Or a maturity journey that you have to go through in that space. I'll go back to a long time ago. When you talk about the automation piece of it. Security folks tend to be a little bit loath for lack of a better term to automate right off the bat. It's been a challenge. We went from the days of IDS. If you remember back then to the concept of IPS, and unfortunately that didn't do so well, because of false positives, because of issues with detections, you ended up creating a bunch of these essentially self-inflicted denial of service attacks. So the older security folks like myself, remember those days and lived that. It was a challenge, but as things have evolved as our confidence levels gone up and our detection solutions and our monitoring, not to mention the ability to bring a number of different solutions together versus just relying on one, that's really goes back to what you were talking about earlier about the integrations piece of it.

Back in the day, there weren't the APIs to do those integrations, to connect and to automate a lot of these things. Now you've got pretty much every vendor out there has got API accessible solutions. There's almost nothing you can't do by the API. That's really key. As far as the evolution for customers, typically what we would tell them is look, start out small. Start out, create some workflows. Figure out what your current playbooks are when you're doing response and let's put that into an automated workflow.

But it doesn't mean that every layer of that workflow has to be automated. Maybe you just start with, when you initially detect something and you get an alert, you take that alert, you create a security incident out of that. That's the extent of your initial automation. Then from there you take [inaudible 00:13:59], but then the next step is, well, you know what I know I need my next step is to go out to my end point and to pull all the running processes and to pull all the open network connections and to see what's running on that system. To look for those indicators of compromise. No reason now why you can't make an API call and then go ahead and automate that piece of it.

All of this is very low risk because you're not remediating yet. You're not shutting down access. You're not rebooting the machine. You're not re-imaging the machine or anything like that. But as you get better and better at this, and as you get greater competence, then you can start doing that and make a call out to like a Remediant as an example. Say, you know what, this user, we need to cut off access. We need to cut off admin access to this system. We'll go ahead and make a call to Remediant. Or, Hey, this is my security responder. They need route access into this specific system so they can continue their investigation and have it automatically go through the approval process. And really just once it's approved, that automatically opens up that access, gives that admin, the security analyst, the credentials they need, so they can go on and do the analysis that they need. Those types of things.

So you can get more and more and further down the road without ever actually doing anything invasive or again, potentially causing yourself a denial of service. You can still have people in that process and make sure you get the proper approvals as you go through, so you don't shoot yourself in the foot for lack of a better term.

JD Sherry:

That is an excellent insight. I appreciate you sharing that. The thing that I just read recently, you said DDoS, and yes, I've, I've felt that for sure. Back in the day in operations, but you know, the other theme that we talk a little bit about that it's not going to go away. In fact, I think we're going to see more destructive attacks with ransomware. It's certainly everywhere, but now what's coming with these packages as they iterate just like software developers are iterating on software, they're innovating on their capabilities.

They're building in DDoS capabilities into the ransomware as another way to force your hand to pay.

Rob Randell:

Wow.

JD Sherry:

Yeah. I just saw that today that's a new capability that they're starting to build in there. So the DDoS trigger is I get the heebie-jeebies when you talk about that.

Rob Randell:

Oh yeah.

JD Sherry:

Including like a Christmas Day DDoSs that I had to deal with way back in the day.

Rob Randell:

Oh gosh. I can't even imagine that.

JD Sherry:

I'll never forget about that one. Yeah.

Rob Randell:

I'm sure your family won't forget about it either.

JD Sherry:

Oh yeah. It was the typical we try to do a Christmas Day movie back when we could go to movies, right?

Rob Randell:

Yeah.

JD Sherry:

It was like, Oh, all that stuff was coming down during. I was in and out of the movie theater because we were trying to figure out what, at any rate. The joys of being in operations, right?

Rob Randell:

Yup. Yup. We don't miss it.

JD Sherry:

No. I know our time is precious here and I appreciate you chatting a little bit. I'd like to close the talk a little bit more, we were talking about incident response. Whether it's ransomware or other types of incidents, we work a lot with customers around, at the core of a credential being the culprit in most IR incidents it's going to be used because of the access and the lateral movement, and therefore, the need for network segmentation and identity centric segmentation.

If you could talk to the folks about IR, what are some of your lessons learned around that maturity level? Where do they start? I mean, it can be so daunting but we try to just back in your ServiceNow days, it'd start with knowing what you have, right?

Rob Randell:

Yes.

JD Sherry:

Knowing what assets you have to even determine the response to those. Then we follow that up with, you got to know where your identities are because if you don't know where your identities are...

Rob Randell:

Oh yeah.

JD Sherry:

You're really in trouble. So give us a couple of takeaways on IR and some guidance for folks if they're struggling a little bit there.

Rob Randell:

Sure. I think you nailed it. If you look at all the different frameworks that are out there, the number one thing that's, and when I talk like the CIS benchmarks and the STIGs and all those types of things, you look at them, one of the first things I say is, know what you're protecting, right? Know your inventory. If you don't know that, then you don't have a good idea of what you're protecting, you're going to be in a world of hurt. So that's a first step is start to build out that. At ServiceNow we called it the CMDB, the configuration management database. So build that out and grow that and maintain it.

One thing we will say is, don't look at building out your CMDB as a one-time project. It is an ongoing process that you're going to need to maintain it. It's not a one-time thing that you go out, you discover all your systems and then you're done. No. You're continually updating it, managing it, and [inaudible 00:18:57] with that.

But once you have that, and again, you don't even necessarily need to start there, but at least you have to have some of your critical assets built out. Once you've got that figured out and your identities, right, and understand in my environment, who are the folks that need access to certain systems? Why do they need access to those types of things? So figure that out, but then you're going to want to go ahead and again, build out those base runbooks that you've got.

You've got playbooks. Most organizations that at some level should have playbooks to, this is how I'm going to respond to an event. Typically, they're written down on a binder. But the first step is, let's get it out. Let's build a basic workflow. Every step in that workflow could be manual, but it'll take you from step A to step B, to step C, to step D, and work you through that.

Then you go each step and look at which ones you can go ahead and automate. Which are the ones that are going to be the biggest bang for my buck? Which are the lowest risk ones as well? But what are the things that I'm doing 20 times a day or 50 times a day or a hundred times a day that I can have the machine do for me? So that's the, how you go into that and mature [crosstalk 00:20:08].

JD Sherry:

That's great advice. I appreciate you sharing that with everybody. I'll wrap up with that concept of response and it really is pertinent to what I hear more and more CSOs arming themselves with, which is good, and that cyber insurance. Don't feel like that is the parachute that's going to save you. It's an important part of your security program, but to everything we've been talking about with responses, cyber insurance companies are going to become with all the ransomware cases that they're writing and that they're paying out, they're going to become much more diligent in working with the customer and the client in the underwriting process, to understand at a deeper level, what's their response plan? Is [crosstalk 00:20:54] automated? Do they have the proper controls? Because they're not going to take a hundred percent word for it that that client's doing everything that they say they're doing.

They want to have a little bit more due diligence on that, so everybody wins. So the customer is more protected, that the cyber insurance company doesn't write policies that are just bad policies, and they're going to have to pay out for bad security practices, but they are really diligent around an incident response plan and how much you automate that, how much you have controls that are constantly being assessed and evaluated. In a very simple level, whether it's the CIS top 20 controls or the NIST cybersecurity framework, they're really focused on those-

Rob Randell:

Well, they're your new auditor. Your insurance companies are your new auditors. They're not going to write a policy for somebody that's not taking the proper precautions, right? [crosstalk 00:21:49] needs to go really what has to happen, they're writing the policy for worst case scenario. You still need to put as much security in place as you can. Just like, when you have you get insurance on your car. You put an alarm on your car, it lowers your rates, right? So [crosstalk 00:22:05].

JD Sherry:

Yeah. We just don't have a history of life insurance and car insurance like we have with cyber.

Rob Randell:

Exactly.

JD Sherry:

That's why we're trying to play catch up. Rob. Hey, thanks a million for jumping on the podcast. Always good to catch up with you. I know you've got [crosstalk 00:22:20] a lot of things going on. We'll check back in with you as things develop, but thanks for the time brother, and I appreciate you coming on the show.

Rob Randell:

All right. Cheers. Thank you.

JD Sherry:

Cheers. Thanks, Rob.

Rob Randell:

All right, man.

JD Sherry:

Have a good one.

Rob Randell:

You too.