EP60 – A CTO Weighs in on Motivation and Automation in Cybersecurity
Tom Garrison: Our guest today is Todd Weber. After an early start at NASA, helping with communications for the International Space Station, he shifted to computer networking and spent over 20 years in IT engineering, cyber security and operations. My co-host Camille Morhardt and I spoke to Todd when he was just wrapping up his work as Chief Technology Officer at Optiv and moving into the post of CTO and Operating Partner at Ten Eleven Ventures – a venture capital firm exclusively dedicated to helping cyber security companies thrive.
We started our conversation by asking Todd to talk briefly about the shift in security– from his early days in networking to the cyber security needs of today.
Todd Weber: We all, you know, from an older generation started off with, you know, having to have a real fundamental understanding of how the plumbing worked underneath. And then, you know, as we’ve gone over time, look at now how we’re at kind of the software world and the application world, and then how security has developed over time. It just wasn’t a function of what any sort of design consideration was when we first started.
And now just looking at some of the fundamental components of what we put in back then, designed by geniuses, however, geniuses of 40 years ago, putting in things that still work, but they fundamentally just don’t have the security built into them at a fundamental level that we all have to still live with, uh, at this point. And then, you know, now to today’s problems of how applications work and, and privacy and the rest and how that has all evolved into our industry of cyber today.
Tom Garrison: I mean, the world is so different now, even then just a few decades ago where the technology that was built at the time was so groundbreaking and that enabled people to communicate and connect in ways they’d never done before. And that was good enough. Just the fact that it worked was incredible. And now, of course, that level is taken for granted. And now you have to think about all of these other potential vulnerabilities that may or may not exist and design something vastly, vastly more complicated. And even those initial, uh, you know, the initial technology just to keep it safe.
Todd Weber: And it’s not easy to do. You think of the fundamental aspects of DNS and BGP and SNMP. All of these are fundamental things of how, like, our networks work and underlying things that we all depend on, and they weren’t designed for security. That’s the part we struggle with. So you think of SolarWinds, particularly; that was somebody taking advantage of a loophole: everybody always knows their network management system is whitelisted and it does SNMP polls and it has admin privileges to pretty much everything in the network. Somebody took advantage of that.
And you know, those are the things we have to always be thinking differently about, uh, and I don’t wanna, you know, under-emphasize fundamentals of security, meaning I talk to clients so much. And a lot of them contact me, like, “how does. Yeah, furthest down the field with doing the fewest number of things.
And I really always point to the same things. It’s always about like, you know, how well do you do the fundamental aspects? How well do you do things like patch management? How well do you do the things like asset management and attack surface management? Just very simplistic things that, um, it’s like something like 90, some percent of all malware in the world is written in known vulnerabilities and five applications.
I’m gonna make this sound very easy and it’s not is, you know; if you could just do your asset inventory and patch those assets, as those vulnerabilities come up, then you wouldn’t be vulnerable to 90 some percent of all malware in the world. Those kinds of things are the ones that get you furthest down the field, and then you start working towards inches and that’s how we fundamentally build strategies.
[00:04:40] Camille Morhardt: Does it vary? The advice, depending on what kind of company or organization you’re dealing with, or the kinds of products that it’s producing?
Todd Weber: It’s not the same. Uh, but people do tend to simplify around the wrong things. You see people try to simplify around large companies versus small companies and that the problems are different. The advice that I give is mostly structured. Uh, you brought up one of the points is what industry are you in? If I’m a weapons manufacturer, you know, for the U.S. federal government, well, then you’re going to have a very different security posture and a very different profile. And you’re going to have a forced level of maturity upon you. And you’re going to have much different levels of advice than I would give to somebody who is in retail.
But, uh, you know, what you do see is you tailor your advice based on what maturity curve that they’re on. And you can have very small companies that are very mature in their technology stacks and their security processes and their security.
So I viewpoint it in two different ways. One is where are they on the maturity curve? And that, you know, that maturity curve is also, remember, a reflection of what the business is, how tolerant are they for risk. You know, frequently us in security and technology, we kind of tend to think that we rule the roost as far as, like, you know, choosing technologies and, you know, defining what use cases are and do. We really need to fundamentally look at, like, what kind of business are we? What level of risk do we take on? What sort of regulatory and compliance components are put onto us from our business perspective? And that should reflect what technology we buy and what use cases we do, as opposed to the other way around.
Camille Morhardt: You’re defining it almost as a single curve. So where is anybody on that curve? And if your weapons are Department of Defense or maybe automotive or something really high on the curve, and if you’re something that’s not likely to be attacked and it’s not a functional safety concern, then maybe you’re lower on the curve, or maybe you’re a smaller business.
Are there different curves though? I mean, does the entire structure of how you’re going to protect. Ultimately look different depending on industry or depending on some sort of category.
Todd Weber: There are multiple curves and you did hit on it right there is kind of that risk function of, you know, what sort of risk level tolerance can we take if it’s like the phones are going to go down. But different people define things in different ways.
I’ll give you a story. I was working for one of the casinos in Las Vegas, one of the large ones. And it’s really the entire network that they have and everything is built around their voice network. And every bit of fault tolerance and every bit of like security is built in to making sure that those phones stay up and that calls don’t drop. Those curves do differ, but it also is dependent upon our point of view.
So I’ll give you another great example that people are struggling with nowadays is ?Scion? So how do you do controls and things down to your client level? I know what tolerance I can give to like my corporate users. I know what they can deal with. I know what will make them bend. I kind of, you know, have a good understanding of what makes them break. But when you think of ?Scion? you got to think in an entirely different mindset of what can my grandmother pull off in a hotel room with her cell phone?
I’ll be honest. I get very uncomfortable trying to figure that out because it’s not about my level of technology or even people that I know. These are going to be like clients. And, you know, you have to fit into their demographics and everything that they’re based on is to what level of, uh, user experience they’re having. And if it’s too difficult, they’ll move to a different platform. And that becomes very difficult for us to deal with in security because, let’s face it, security isn’t all about user experience. It’s about kind of controls. So you you’re doing your best, but that, that also puts into that curve. It’s almost a three-dimensional curve.
[00:09:02] Tom Garrison: You know you mentioned a bit ago that most of the attacks that have happened are well-known vulnerabilities on, on a relatively few number of applications. And I guess from my standpoint, I’m curious, why do you think that as an industry, we’ve had such a hard time addressing those? And I say that in it with the following context, right; we know that it’s work. We know that it requires people to go off and do patching and so forth like that. But even if you just focused on the big ones and get the patches out in a timely fashion, from your experience, why aren’t people doing more of it?
Todd Weber: I think it really has to do with motivations of people. It’s certainly not laziness, but people, how are people measured? What do people get yelled at for? What I mean, think of it down to that visceral level. “What am I going to get yelled at for?” more. Am I going to get yelled at that I went from patch level two to patch level three, or am I going to get yelled at if, for whatever reason, I took down the production SAP server and that caused some 20 other people to have a real problem? And what it does is it makes people take a foundationally very cautious approach to things.
And we’ve created a world as people create this very methodical change control world. That, uh, you know, we actually put out something on the automated patch management kind of defining how we’ve created this.
And, you know, it’s a huge complex graphic that we show of how most companies have acted. And we actually used our client advisory board to give us what their processes were and to every one in there, it was incredibly complicated. It was incredibly laborious and it was incredibly manual in all cases.
Tom Garrison: And do you think it needed to be?
Todd Weber: No. And that’s where we kind of tried to get people to think differently and be motivated differently. And we understand that you probably can’t automate everything, but in the end, don’t try. Try to automate the things that you can, and then put the process in where you have to still.
If you think of even like things like SOAR, the number of use cases that you can come down to where a human has to make no decision whatsoever is actually, right now, not very many. But what can you do with automation? If you think about how many tools we have out there, I think about just enriching all of the data of, like, you know, you get an email alert or you get an endpoint alert. Typically your security operations person has to go look at, like, six different tools to go figure out, is this a false positive, or is this something that needs to move up to level two?
Okay, well then use your SOAR just to automate all that, collecting all that data, being able to present it in a very easy way to get just that decision point, instead of trying to come up with, like, “how do I get humans totally out of the loop.” Don’t try to do that. Try to come up with just automating and making the things easy that can be made possible.
Camille Morhardt: How does automation crossover with Artificial Intelligence?
Todd Weber: Well, what I view AI, at least, uh, in the machine learning world these days is more of like just amassed data. And to find patterns in that as a human being and looking at all that data, there’s almost no possible ways. So I first look at it from that standpoint for how does it help train models and how does it help, like give us more efficacy towards alert structures and to pattern matching and then still having humans make decisions. Uh, you know, when you go to AI, I kind of tend to see it as well then the machines take over and they start making the response decisions based on what they see in those patterns. I don’t think we’re there yet, to be honest.
Camille Morhardt: Do you think that we’re going to see AI or machine learning as they build models and get smarter about the kinds of threats or the kinds of vulnerabilities, will they be mapped within an organization and improving that individual organization’s ability to do things? Or will we see models be built that can transfer across organizations and kind of be used more broadly? Is it going to be horizontal or is it going to be specific?
Todd Weber: I think it’s going to have to be horizontal. And the reason I say that is for ML and AI to work at a fundamental level of concept, it has to have a massive amount of data. For the most part, any one individual is not going to have enough data for them to, to pattern match, and to actually train those AI models to anything that I would have considered to be holistically accurate.
We’re going to need to train based on the entire community level of knowledge, not on the individual level of knowledge. And that’s where you’ve seen many of the technologies, they’re cloud-driven. There were many reasons to do that. Kind of making it a little bit more version agnostic by being able to control versions at a cloud level–in some cases, negating the need for constant patch management structures as our security technologies are cloud delivered and, you know, when you update the cloud version, everybody’s version is updated. So that’s one aspect.
Then two, you know, as it learns more and more, it will be able to holistically help the community, not just individuals. We’re going to need to have more data than any individual company can actually provide.
Tom Garrison: So it occurs to me that based on your years of experience and your engagement across all these different customers, that you probably have a great perspective on that sort of journey that you described earlier on, uh, companies that have more of an immature view on security and maybe their journey eventually to a more mature stance.
Todd Weber: Uh, I’ll give you one of our, um, large manufacturers that, uh, I’ll be honest, is terrible, uh, at the maturity scale. They were very immature and what they did is they ended up buying a financial company and that financial company was, uh, you know, because financials, uh, you know, they a) they have the most and b) they’re the biggest targets because they keep money. So people are usually going after money.
So, you know, the financials tend to be on the more mature side in that vertical side. So them buying that, um, that company kind of forced them along the maturity scale. But where it really fundamentally started is just what we said is, first of all, I really have to know what all my assets are. You know, the basic stuff, what assets do I have? What is my attack surface? And then, you know, formation behind that. Okay, now that I know what all of my assets are now move to the next thing. How do I control these assets? How do I do patch management? How do I know what they do? How do I get them into a CMDB?
None of this is rocket science stuff. But it is fundamentally, you can’t do the, the really heuristic level type stuff and the interesting stuff until you have this foundational component built, and that’s what they were forced to do that because now they were under regulatory things that they were never under before. And that moved them along.
Where I see technology being stifled a little bit, the ones that are heavily regulated towards the other way. So you think of like embedded devices into hospitals, embedded devices in critical infrastructure who have to follow kind of the older models like Purdue models or the FDA validation components. Because they’re so heavily regulated, you can’t introduce new technology sets and you can’t introduce even some of those fundamental aspects.
I remember, you know, when I was working at a, at a hospital group and I was like, “Hey, that’s pretty easy. Just go fix that, you know, and you can go patch that and then you’ll be good.” And they’re like, “oh, we’re not allowed to touch that because only the people who are, you know, certified by the manufacturer, and whether or not that’s, like, you know, Medtronic or some of the hospital manufacturers, they’re the only people who can touch that per FDA regulations.”
Tom Garrison: Well, and if you touch it, then you might have to go through recertification or whatever else. It is interesting though, that those, those spaces that you describe–which are probably some of the most sensitive areas–because they’re so sensitive, they tend to be disconnected. So you can’t even connect to them to update them.
And then they’re sort of design by security because it’s so hard to get to these devices that that’s the sort of security fortress that’s built around these devices, but it also makes them next to impossible to actually update in any way.
Todd Weber: And as we talk about that motivational aspect of things, your power producers and, uh, power generation type stuff. They’re only measured on one thing–is the power on, or is the power off. They’re not measured on, like, how secure is the environment or anything else.
To your point around what you were talking about earlier is why did we make it so difficult, because of that motivational aspect. Us all as users here, I don’t really care how the sausage is made. I just care that the power’s on and that I can talk to you guys across the internet. That’s what’s made it difficult to keep those foundational level aspects and the basic things like patch management, because it does interrupt–or has the potential to interrupt–that flow of, uh, you know, binary on or off.
Tom Garrison: Yeah. The one piece that really strikes me from hearing you speak here is around that motivation piece. Like you said before–you’re using kinder language now, but earlier you said–“what is a person going to get yelled at for?” And maybe there’s a lesson there. Maybe there’s some wisdom there for companies to start asking themselves, like, for my IT parts of the organization, what do I really care about? And is security part of that? And if it’s not, then realize that you may be unintentionally driving people in an unsafe way, because they think that what’s really important is, you know, uptime or keeping the power on. They’re not spending time and effort trying to keep the infrastructure safe.
Todd Weber: Well, and unfortunately we’re paying those bills right now. As you see, like, you know, many people who put things off and particularly into critical parts of their business, whether or not it’d be email or the VPNs. And we’ve all seen many of the vulnerabilities these days where like the CISO is like down on their knees, begging us, “please. I’m watching people like actually exploit these things, you know, while we’re talking, please patch your stuff.”
We have to have that motivational change to understand that we may have to take some downtime to upgrade things or to patch things across these security vulnerabilities, because one way or another, we’re going to have to pay for that.
Tom Garrison: Yeah. Either you pay for it like a dollar a day, or you pay for it in millions of dollars. When you get exploited or something like that. And it, and, and it said sort of a little bit each day versus a big, massive painful bill that comes due.
Todd Weber: And eventually where I think we’ll get is, you know, many of the newer application sets and many of the newer, as, as we go to cloud, and as we go to things like Kubernetes and microservices, we’re going to build resiliency into where we can do patch management on the fly and security upgrades on the fly, to where we’re not nearly as affecting towards the business as we were when we had just Patch Tuesday and, whenever it was, Linux Wednesday, and we ever had to go do those things in a fundamentally more manual way. And that’s where I think digital transformation will be helpful. And it’ll take people down maturity curves faster just by the technologies that they’re adopting.
Tom Garrison: Yep. Well, and as an industry too, you know, the updating mechanism was, first of all, it was painful and sometimes it failed. And so that led people to say, “well, maybe I don’t want to be on the forefront of updating machines because maybe that’s going to make the machine unavailable or, you know, it’s going to cause other problems.” So as an industry, now we’re better at these updates. It’s not perfect yet, but it’s still much better. And maybe that’s part of that journey that we all have to travel is your confidence that if I update it, not only am I fixing the problem, but I’m not going to create another problem somewhere else.
Todd Weber: Uh, you bring up an incredibly interesting thing there. Uh, as you know–and Camille, you brought this up a little bit as far as, like, you know, embedded devices and IoT functions–this is where we’re going to be challenged as IT professionals and security professionals to go work with our procurement teams. How much do you think our procurement teams put value on those kinds of things when they go buy elevators or air conditioners or thermostats? Not only, you know, are there security features embedded into these things? Or are there logging features built into these things, or is there upgradability? How easy is that to do patch management? How long are updates available?
These aren’t traditional things that purchasing people have looked at as they’re buying those kinds of, uh, function sets. And we’re going to have to assign value to that. And we’re going to have to say, “I would rather spend an extra 2 cents per unit. And you think of the most attacked, uh, asset is going to be a camera right now. I’m willing to spend 2 cents more on that camera. If it has security features built in, or it has automatic update functions or updates that I can easily manage towards and can manage in my security operations.” We’re going to be challenged to do that and work with our procurement teams, uh, around those kinds of things.
Camille Morhardt: I think that’s true. I think people are starting to look at the entire life cycle of a device or system that they’re implementing, as opposed to just, what is the cost of this device initially? They’re starting to factor in how long am I going to use this device? And how safe is the, are the different areas of it? Like how safe is the provisioning of the device? And then can I update? And then what happens at the end of life of the device? Do I have some way of taking care of it?
Because it seems like a lot of different elements are coming together. People are looking at corporate responsibility and sustainable compute, you know, kind of on the far side, as well as design in, um, and secure sourcing on the far left. It seems to me, people have much more of a holistic view now than they used to.
Todd Weber: I think they are. But I think as, as we do that, we’re also uncovering these entire portions that we didn’t actually know before. You know, I mean, if, if you think of, uh, the SolarWinds, and I know Sudhakar personally, you know, he’s the CEO of SolarWinds, actually, he hasn’t necessarily said where it is, but he says, you know, it’s, it’s only from a few places. And one of the possibilities is, is looking at, you know, not just how the development was done, it’s also where it was done, you know, and what the development tools were that were used. And then you have to go back, trace on that supply chain. You look at, like, you know, GitHub’s functions and where it was GitHub and you’re looking at the factory it was built in. It keeps making it more complicated in that, along with the consumerization of IT these days, if you look at, like, you know, your Office 365 and you go, huh, “I can add, like, you know, one of these 400 little things in here,” that’s very different than, you know, when I grew up in the IT world, it was like the clients had to come to you and say, “Hey, I want to add this piece of software into the environment.” They don’t have to do that anymore. And, you know, how are you supposed to do security posture checks on each of those applications that get introduced in? And it’s very difficult and it’s challenging.
[00:24:54] Tom Garrison: We do have a segment on our podcast where we like to share something that people probably didn’t know, uh, maybe we should title this the “I didn’t know that” segment. Um, and so I wonder if you have something that you would like to share with our listeners that you think they might find interesting.
Todd Weber: My daughter, I think I told a joke about a bear hibernating and she goes, “Dad, bears don’t actually hibernate.” And I was like, you know, I tried to be the understanding father and tell her like, “I’m sorry, sweetie, of course bears hibernate.” And then she was very insistent and told me, “no, they don’t.”
And then I kind of had to, you know, do the, okay, now we have Google, so we can go look these things up. And it turns out she is totally correct. And I’m totally wrong. That bears do not hibernate. They go into a state of torpor. So, uh, my daughter taught me, uh, something the other day and, uh, I’ll probably remember that every day for the rest of my life.
Camille Morhardt: I find this to be a big problem. Now that the kids, it turns out they’re usually right, whenever I go to Google.
Tom Garrison: And, and so what’s the difference between this state o–what’d you call it–torpor?
Todd Weber: Torpor. Uh, apparently the difference is, like, the level of activity. In true hibernation, they are totally out and, like, their heartbeats go down and, I mean, blood flow changes. Torpor is just a deep sleep. So bears actually do wake up at periods during the winter. And again, I’m going totally on Google results and Wikipedia here.
Tom Garrison: So I’m sure if it’s online, it’s got to be true.
Todd Weber: Got to be. Has to be. (laughs)
Camille Morhardt: Well, we’re talking about conservation of energy in the animal kingdom. So, uh, my fun fact of the day is that firefly lights are the most efficient lights in the world. 100% of the energy from the firefly is emitted as light, whereas there’s, like, this 90-10 rule with what we can do. Fluorescent bulbs are 90% efficient–90% of the energy comes out as light, 10% is heat, but fireflies are 100% of that energy is emitted as light. I think that’s cool.
Todd Weber: That is cool. You just took me back to high school physics, about how heat is the grim reaper.
Camille Morhardt: There you go!
Tom Garrison: So I’m going to stick with a myth theme that Todd brought up before. And, uh, my myth that I’m going to bust right now is that it is a myth that we only use 10% of our brains. So there’s a caveat: unless you have, like, a traumatic brain injury or some other sort of neurological disorder, you have access to 100% of your brain, even when you’re sleeping.
Even the most basic functions of your brain use more than 10%. So for all of us that have heard that you only use 10% of your brain, that is completely false. So that’s my little fun, fun facts of the day there for that one. So, Todd, I’d like to thank you again for joining us and sharing your, uh, the stories from your background. I thought that was fascinating. And a couple of really good lessons for our listeners.
Todd Weber: I appreciate you having me on. It was a lot of fun and I’d love to do it again sometime.