On the latest CISO/Security Vendor Relationship Podcast with Mike Johnson (Lyft CISO) and David Spark, our CEO, Tomer Weingarten, joined the hosts to discuss the following topics:
- Why are Microsoft Office macros still the number one vector for malware attacks? It’s all about legacy software. While Microsoft turns macros off by default, many enterprises turn them back on and it’s creating a huge vulnerability. This goes to our recurring theme that you need to cover your basics first.
- What’s the real value of diversity? Before you say we’re three white men talking about diversity, I’m letting you know ahead of time we’re three white men talking about diversity. We have no shame! But we do recognize that when people from the same backgrounds work together, they fall into group think which creates unconscious bias. And THAT limits creative and technical thinking.
- We play a round of “What’s Worse?!” Two scenarios of seemingly equal horribleness drove a split decision between Tomer and Mike. It was such an intense divide that we’re reaching out to listeners to let us know which one they think is worse.
- Endpoint security should cover more than just Windows systems. To have true endpoint security you need to cover all possible endpoints and that includes an annoyingly long list of varying operating systems. If you’re only covering one platform, you’re definitely not covering all the endpoints.
- Does complicating security infrastructure make us safer? While no security professional would protect a network with a single protection layer, they’re also aware that every security implementation brings about brand new vulnerabilities. What’s the right balance?
Find below the full transcript
Ten second security tech go. Question base assumptions. Data is everywhere and devices are everywhere. Most security models that we know or have in place are just not really adequate anymore. We sometimes insist on doing something just because it was done in the past and it seems like the norm but the norm is changing and infrastructure is evolving in record speeds. Imagine or reimagine what your network would look like if there were no boundaries. Don’t separate between and on tram. Think about a network in the most literal way you can
It’s time to begin the CSO security vendor relationship podcast.
Welcome to the security vendor relationship podcast. My name is David Sparke with me as always is my Cohoes. Mike Johnson the CEO of Lyft and Mike on every single show you make a call out for
For staff that you are hiring you’re always hiring you’re always looking for talent. I know that this podcast has become extremely popular. So my hope is
That maybe some of the listeners have actually applied do you know if any have actually applied.
So it’s hard to say. I’ve actually certainly spoken with candidates who said hey you know I listen to the podcast. Want to ask you a couple of questions about it so it’s certainly great during the interview stage. Hard to say if we can attribute our leads to the podcast but it certainly doesn’t hurt.
It’s good to know that some of the people coming up are listening and into the other good thing for them is they actually know kind of from from your viewpoint where you’re coming from because they hear your voice on the show.
It helps them understand what they might be getting themselves into.
Well let’s bring in our guest this week it’s Tomer Weingarten who is the CEO of sentinel 1 and Sentinel is actually sponsoring the entire episode of this podcast and they’ve actually sponsored previous episodes too so Tumer. Thank you so much for joining us today.
Sure thing. Thank you for having me.
Well let’s dive right into the show.
How are digesting the latest security news in Microsoft macro’s remained top of vector for malware delivery.
I saw that headline and thought wait wasn’t that the story 30 years ago. Has this ever changed the story says that Microsoft turns macro’s off by default but some enterprise turned them on regardless. What if any interesting is that while there are far more advanced techniques that don’t require a macro to be executed for an infection gene to begin Microsoft macro’s written just in Visual Basic are still topping the charts. Why is that still happening Mike. And does this just go back to our theme of covering the basics.
I think one of it is the old adage of why do you rob banks well that’s because that’s where the money is. And so if macro’s still work for him more infection it makes sense to attack it as to why this is still a thing. Why that’s actually still a factor especially given that Microsoft comes off by default the most popular vector.
That’s the thing that blows my mind.
Yeah yeah well it’s again because it works. It’s one of those it kind of feeds on itself. But what you have in many environments is you have these legacy spreadsheets or legacy applications built for were built for excel. And so enterprises end up turning the backrest back on. And a lot of that is because this tool that has been built and has probably been used for many years either nobody knows how it works or the owner doesn’t really have the ability to to make a change. And so they’re they’re kind of stuck in this catch 22 situation where I don’t think enterprises really want to enable macros but they don’t have a choice because they have some of these these things flying around and yet someone hasn’t gone through and taking the effort to change it. And while while this is certainly back to cover the basics theme. I also see this as a great opportunity for a security team to go in and actually solve a problem rather than scolding people. So find these macros find these spreadsheets that exist in your environment offer to fix them. You know maybe if you don’t have the skills on your team that’s fine. Contracted Out but fix it replace it and it’s a win win situation where you’re now able to disable macros and the owner now has a more up to date tool. Tomer how much. Antiquated
Software have you seen when you when you’re working with clients. I mean have you. Have you seen this situation before.
Yeah sure sure. I mean macros are very prominent still. I think you know for some environments it definitely makes sense to shut them off but for some others I mean you just kind of seats a fact of life that people use. But I think it also there’s there’s really a wider problem if you think about it and no macros are just kind of taking advantage of an inherent inherent problem we have with document based attacks because documents in general are slightly harder to profile. We you know as a security vendor ecosystem in general have made strides in kind of applying Yafei in machine learning on portable executables which are a little bit more meat here. You know when it comes to trying and kind of extracting headers and applying machine learning to predict it or something is better or good but when it comes to documents a signature is completely useless like entirely. Not even just a tiny bit but completely useless when it comes to documents and then even when you try to apply machine learning models it becomes a bit harder because you know each one of these fires tend to be unique. There’s not a lot of other aspects that you can sign about that file in terms of finding these kind of heat signatures that go along with what you typically use as an attribute to apply machine learning on. So that really compounds the situation there and then macros I mean it’s just easy it’s super easy anyone can do it. You easily create a command and control using macros. So it just leads to something that is incredibly effective still today.
Why is everyone talking about this now.
I’m intrigued to know why is diversity and security hiring so important to having a secure organization. We hear it all the time that you know while we’re trying to diversify but this is a tough question. You may not have the answer to but can you clearly explain how an unconscious bias from a non diverse workforce makes you less secure. We’ve seen how lack of diversity causes problems in the development of artificial intelligence. Do you have any examples of how diversity in your work force has allowed you and your staff to see new opportunities. I’ll begin with you Mike again.
So there’s a lot of answers to this. My usual go to to the security part of this question is avoidance of groupthink when you’ve got a team where everyone comes from similar backgrounds. There are individual biases are going to sneak into their decisions whether they know it or not you know that the unconscious bias but then that tends to compound itself when there’s not someone there to challenge them. When everyone comes from the same background and is actually sharing the same unconscious bias. And so it’s really easy for that that bias to build on itself and for a group for individuals part of a group to miss important issues or details.
Can you think of actually a moment even with yourself where you had an unconscious bias. You know obviously we can’t all have all the experiences in the world. And somebody who was from a different background to you should be thinking about this too and it never even crossed your mind.
Oh sure I think that was probably my first month that left frankly. You know I brought all of my experiences that you could almost substitute experience for bias. And I brought all of that from sales force with me. And so not only in the area of security outside of security my biases about how engineering teams work with each other or how security teams work with the business. Those are all biases that I brought with me that were challenged. Well that’s not how we do things here or one of those decision making processes. One of those communication mechanisms that I was my go to in the past try it left and then get dead air. You know it’s not only the security side of us but also all of the experiences that we’ve brought with us over the years from our various employments Tomer.
Can you speak to an example how diversity in your workforce has allowed you to add your staff to see new opportunities or be more secure. I mean either way to sort of bring a concrete sort of explanation and example to this.
I’ll try to. But I mean first of all I completely agree with Mike and you know at the end of the day it kind of becomes an echo chamber of the same opinions if you don’t have a diverse enough group of people trying to solve a problem.
I mean you just want to try and cover as many perspectives as you can. I mean sometimes it becomes hard where no one’s kind of thinking about the same. Same problem from kind of the same prism you want to try and cover a wide spectrum. I mean to me as a CEO I mean diversity’s polio one of the key things that I try to consciously pay attention to because at the end of the day I mean when I’m a you know one of the gazillion decisions that I take on a daily basis. I just want to make sure that I got enough perspectives on you know the different folks in the different areas. And you know we we think of it as something that’s incredibly critical. I mean just just give me some concrete example in our research team. We typically for almost every problem that we want to tackle we always come into the table with both an offensive attack her mindset and a defensive attack her mindset. So now you kind of get the expertise in the thinking of someone who would kind of try and get in the place and you know then the defensive mindset then when you try and cover both then you know you get some of these perspectives that are sometimes conflicting but you know it’s that gives you an entire let’s call it dataset that you can eventually kind of synthesize a decision from. But just like one example in how we try and do stuff to eliminate Dubai’s because we know leaders bias everything we say and do contains a certain degree of bias. So for us and for the things that we can control we try to always kind of bring a very diverse group around the table always still within that subject matter but generally just getting different perspectives.
Yeah I think combers said something really interesting there that’s really worth calling out and amplifying is something as simple as an attacker mindset versus a defender mindset and knowing I have a bias towards the defender mindset. That’s where I came up having folks on my team that have come from the attacker background. We can have those conversations and challenge each other and what comes out of it as a much better control much better situation much better system for the company.
So you do have black hat hackers I work for live black eye now.
Now I doubt buy. I do have people who come from a red team perspective who come from a Red Team background of doing internal authorized attacks in their environments.
It’s time to play. What’s worse. All right. This is a game that we play. Like you pretty often lately but I’ve been getting so many great questions from are comparisons actually from the audience that I just love to play it and I love to hear your answers.
I think this question comes from an anonymous listener who actually gave me lots and lots of great sort of comparisons here for the what’s worst game. I think this may be a tough one. I hope it is because usually a lot of them embed been a little lopsided but this one I think may be tough. So Tomer just to clue you in. I’m going to give you two scenarios. Both are horrible but I want you to determine which one is worse and I’ll go to you first. So here it is you get adequate budget with little to no support in the C suite or the board room or second option. You’re completely strapped for cash but you get all the executive byan you could ask for. So Tomer which one is worse.
Wow. These are kind of you know not great situations. I know they’re both bad. I would absolutely opt for the first one. You know I don’t know the kind of that answer the question is Will what’s yours. But but I think it really is kind of from the perspective of the person who’s dealing with the situation.
So you prefer the first one to aim for the worst case.
The second one is the worse situation that when you and some budget and then you need to kind of figure out the support I think support you need regardless like you have them but you don’t have a budget. You really have to get people to understand that what you’re doing is important because you know the budget is just one element. You know you don’t want implementation you really want truly coverage across the board from everyone that’s involved in security which nowadays is pretty much everyone’s. So you know I guess no support there is the toughest one to deal with. But it’s the absolutely most mandatory one budget you know kind of easy to eventually get somehow. But to me it’s like the first one probably the first one is preferable.
So your answer though really is the second one is worse. Strapped for cash with little. With all the executive buy and you could ask for much worse right Mia yoga I’d say so. All right Mike. Which one do you think is worse.
This is a great one because it gives me the opportunity to disagree with with our guests here which always makes for better radio.
Ok. So I’ll take support over budget any day.
I think the first one where I have all of the budget and none of the sport is the worst one. So
I’ve I’ve had a lot of success in the past finding creative ways of implementing solutions where I have the support from executive leadership even without money. I can I can get a lot done if I’ve got the CEO offering me all the support that I need even without having the money to spend. And so from my perspective. The support is the most important thing to me and I can make do without bias that I can get creative.
Let me ask both of you here. Is there ever a situation where. You do actually get the money like you implement something you’ve got the money to implement something but because there’s no support it just fails miserably like it needs the support to succeed. So without the support it just can’t succeed. Have you ever had a situation like that.
I’ve I’ve certainly been there. You know you can be ready to roll out an endpoint protection solution where you know you’ve done all those all of your testing all of your validation you’ve got the right solution you’ve gone and purchased it and then you’re ready to roll it out and everyone looks at you like you’re going to install software on all of our systems and suddenly everything comes crashing down
And you certainly have have seen that happen have been part of that and passed past experience Tomer all at the same exact thing has it. Has it happened to you where you did get a budget to do something
But it failed miserably because of the lack of support.
Yeah. And to him that even more broadly like trying to explain my my probably minority minority vote here with no no no it’s not a minority vote on it.
It’s a split split decision here.
I just feel like you know an entire humanity probably the minority can vote right now with this choice.
You know what. By the way I love to hear from the audience who posted would love to hear where you stand on this whether which is which scenario would like and will actually find out. It’s possible Mike might be in the minority.
I wouldn’t be the first time.
Go ahead. To me support is something. It’s something that you really have to earn. I think I’ve been in very few situations in my life where support was just completely grand. I think that support is something that you have to earn. Specifically when things go wrong when you know Mike’s example deploying a new piece of sulphur and then running into pauldrons I mean you know it’s kind of something that I’ve seen more than once and I don’t know in the last few years so you I’ve seen a leader with it and I’ve seen how it works when you have support and when you don’t have support at the end of the day. I mean you really have to have some level of trust that’s for sure but don’t eat you need to educate for support. You need to get and for support. I think it’s something that you always have to kind of earn in every given situation. It’s something that I’ve seen that you rarely also carry over. So it might be good for a specific topic it might not be that great for another topic. So generally I think it’s something that when you have the budget and if you have the budget then you go and you just build support and you have to be done regardless. There is no such thing as deploying a budget without
A freeze. No more.
Today’s topic is endpoint protection and this is the big one that I’m sure we’ll be revisiting again.
But I’m going to start with you Mike. What have you heard enough of on the subject of endpoint protection and what would you like to hear a lot more.
Yes. A few areas that are kind of my pet peeves around employment protection these days is one of them is a focus strictly on Windows. I can’t tell you the number of times that I have spoken with a vendor said hey your solution looks great. I get the technology. How about Macs support O. Well that’s that’s on a roadmap and it’s just it’s really frustrating to get that. You know that that monoculture of hey you know their solution is only for windows. So that’s one area. Another is focusing only on what is the latest headline grabbing threat. Usually these products solve more than one problem but I get really tired when all of the marketing is around whatever is current. I understand the reason I recognize that that marketing isn’t for me.
Well that is from the news angle. I would say people like to use a news hook to bring in a story so I do understand the value of that.
Yeah. Say it’s one of those I understand why it’s being used. But that’s one of those that I’d like to hear less of. And the last is having these solutions being islands upon themselves where they don’t integrate with other solutions. They give you a console on their console is great and you have to do everything in that console and all the data stays in there which kind of brings me to the the more side of it. You know I’d really like to see more open API as integrations with other solutions so I can tie a suite together. There’s no security package solutions software out there that solves all of my problems.
So I need them to talk with each other. I’d like to see a little bit more upfront talk about cross platform. You could almost lead with it because of how important it is in this day and age and the last thing is talk more about the performance implications and have them be real world and repeatable. You know when I bring your solution in for a test and your performance claims are not at all what I’m seeing in my environment then it’s not going to go well for anyone. So talk more about the like the real world performance implications of of the solutions. So that’s that’s what I have heard enough of and what I’d like to hear more of.
That’s quite a list all right. Tomer you are in this business this is what Sentinel one does. So let me just in general because you know you’re helping your competitors. What have you heard enough of in the endpoint security protection space and what would you like to hear a lot more.
So I’m I’m in full agreement with you know with my care and really have nothing to add.
No I’m kidding of course.
But no but generally these are these are great points. I mean we see a lot of siloed solutions and obviously it’s not a it’s not a single vendor world anymore. And you know when you kind of choose an end point security solution. It’s much more than endpoint security. I mean we’re talking about one of the most foundational pieces of security you’ll have in your enterprise. I mean this is this is device health and you know this is device trust. It’s probably one of the key components in any security strategy probably right alongside things like identity as an example. Definitely if you think about how networks are evolving indefinitely if you think about the different kinds of operating systems you have different kinds of applications that you use some of them are obviously in the cloud some of them are on Prime. So the weight of the fence really moves to the endpoint which means that you know you’re going to see a lot of the data that you don’t see elsewhere on the endpoint. And now once you have that data you really want to try and enrich pretty much every other security product you have in your ecosystem. So you know having a prize and you know zanies as an example we have about 250 API as we tried to basically externalize every aspect of our platform to be accessible with API eyes and either are complete two way API.
So you know we want the security fabric to be enriched we want what our product seems to be shared with other products that you have. So again integrating like Mike said I mean to me it’s one of the most important elements of what we do. OS diversity at the end of the day I mean we want to try and protect every asset that you have in your enterprise be it a workload in the cloud or traditional laptop or a desktop. I mean obviously you want to cover windows and Mac and you want as much of a feature parity between them. You want support for linux. You know we support like 10 different flavors of Linux. It’s no easy feat. And we have a separate codebase for every platform that we cover. But at the end of the day I mean you just want to make sure that when you come into an enterprise and you kind of pitch your product to that there is no like stepchild. I mean Windows is great but you know you want to cover Mac you want to cover linux. You want to basically get good visibility into pretty much every device every asset that you have.
So I also you know fully fully agree with that.
And lastly I’ll say it really is about trying to now days I think really focus on visibility and what you can see and then apply as many different elements and as many different technologies that you can to enable detection. And you know if if we kind of talked about AI generally I mean great of course you want to use machine learning of course you want to try and do as much as you as you can on the data sets that you extract from the endpoint. But you also want to try and basically apply as many different methods as you can to try and catch anything that you know that’s that’s possible. It’s a very giant threat landscape right now and I don’t see it changing like we’re we’re seeing attackers evolve. I know pretty rapid pace and you just want technology that can move in the pace of the threats and the very least. We know that you know the incumbent kind of solutions are good for certain types of attacks. But right now we just need the flexibility and the velocity of deploying new models new patterns new stacks that would allow you to then deal with really what’s happening on the point of time for us to get more.
The CEO of noggins says there’s an old adage in cybersecurity that the enemy only needs to be lucky once the target needs to be lucky every single time. So why do people think that severely complicating their own set up makes it easier to defend their stuff. OK lots to unpack with that question. Tomer what’s your response.
You know it’s a difficult one. I mean there’s a there’s multiple shades of grey here on. You know how much you want something to be complex or simple and obviously pros and cons to both. But generally speaking I mean you want layers of security. I think that’s that’s something that I have a hard time thinking otherwise or to believe that anyone can say that we are less secure dealers will be more secure. Just don’t see that happening. So you know layers are really really needed. That’s for sure. But more than that I tried to kind of say trying really understand like you know how your data flows like where is your data. How do people access try and kind of research what would be the most meaningful technologies in enabling that that data access in a robust and secure way across the entire enterprise. I mean remember you have you know you people you have devices you have applications and tried to kind of envision how it all kind of works together. And I think then you can actually start and understand where it might be bottlenecks or blind spots or areas where you just want to start first with whatever it is that you want to deploy. But generally I mean typically in security. Right now you know more is better than less.
Mike. So I kind of look at it as a first of all we need to be cognizant of this that everything that we’re adding to our environment certainly is another X another potential exposure. And so hopefully any security tool that we’re bringing in is like it’s a net positive. I distinctly remember one of well over a decade now having to deal with a worm that was attacking vulnerabilities in Symantec enterprise antivirus and Symantec enterprise antivirus was everywhere within our environment. And so it really became this complete nightmare to deal with.
And so it certainly happens that there are issues with security products but at the same time these these additional solutions that we’re adding as they need to be bringing significantly something additional as long as they are them the complexity complexity is worth it. You have to manage it. It’s absolutely manageable. But you also have to pay attention to it at the same time.
Well that I think brings us to the close of the show. I want to thank to my group Wal-Mart me for sponsoring this show and being a part of this show cause you were awesome. Tomer thank you so much easier.
Is there anything you would like to to let the audience know how to connect with you. Get more from Centinela 1 and he offers anything you’d like to tell the audience.
I mean this has been great. So again thank you for the opportunity. Proud to be sponsoring this podcast. I think it’s you know one of the most forward thinking ones generally I mean you know go to our Web site. Plenty of data there if you need me. Or Sentinel 1 pretty pretty straight forward. And you know we’d love to hear any feedback that people might have.
Yes please send it. And Mike as always you’re looking to hire. By the way if anybody who does speak with Mike about a job at left do drop the podcast name and they get a 10 percent discount right Mike.
Yeah. Figure out how to implement that. Yeah sure. Ten times discount even do 12. Oh wow. So generous.
So yes we’re always hiring. We’ve shared a few posts recently on LinkedIn as highlight some of the important ones that we’re looking for right now. But I also really want to thank you for joining us. Homer it’s. Great to get the person get your perspective get the perspective from a vendor where the whole point of this show is talking about the CSO
And security vendor relationship so really appreciate you joining us and bringing your perspective to the show and continuing to challenge us on the CSO side to bring diversity into our thoughts.
Thank you very much.
I was going to say thank you for saying it for me and to the audience I’m going to be at the GSA conference in Las Vegas I’m going to be leading three different discussions about the integration of physical and digital security security.
If you go onto LinkedIn you’ll see my post about that and you can register to join in those discussions that’ll be September 25th through the 27. So I hope to see some of you listeners have those discussions. Thank you.
Tomer thank you. And thank you audience for listening. If you have a loved one to review. Do. Thank you again.
That wraps up another episode. If you haven’t subscribed to the podcast please do. If you’re already a subscriber write a review. We eagerly seek your input for the show. Please send us vendor pitches you’d like us to critique. Asking CSA questions and anything else. If you’re interested in sponsoring this show contact David Sparke at Sparke media solutions dot com. Thank you for listening to the CSO security vendor relationship podcast.