Reimagining Cyber - real world perspectives on cybersecurity

Digital Fortress: Mastering Cyber Posture - Ep 98

May 22, 2024 Reimagining Cyber Season 1 Episode 98

Cyber posture – what is its role in today’s digital landscape? What are the essential components that make up a robust cyber posture? What practical advice is there for organizations looking to bolster their defenses against ever-evolving cyber threats?

In this episode, Rob and Stan delve into the complex landscape of cybersecurity posture management. They dissect posture management solutions in the market, highlighting the need to cut through marketing hype to focus on tangible outcomes. Emphasizing the importance of continuous monitoring, they explore the evolution of posture management from a static assessment to an ongoing process. Drawing on examples like cloud security posture management and data governance, they stress the need for comprehensive visibility across diverse environments. Rob and Stan discuss the challenges faced by organizations of varying sizes in achieving effective posture management, considering resource constraints and the role of automation. They also touch on the intersection between posture management and regulatory compliance, advocating for a risk-based approach over checkbox compliance. Throughout the discussion, they underscore the significance of people, processes, and technology in shaping an organization's cyber resilience. Looking ahead, they contemplate the potential role of AI-driven interfaces in facilitating efficient posture management and adaptation to evolving threats.

The webinar recording Rob and Stan reference in the podcast is available here.


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com


[00:00:00] Rob Aragao: Well, welcome everyone to another episode of Reimagining Cyber. Rob here with Stan. And Stan, we actually had a great conversation. We turned into a webinar back on the 15th of May, and we'll promote that again. We mentioned it previously, but it's now available on demand. And the topic was cyber risk posture management.

[00:00:17] And if you think about that, that's a very broad topic, obviously, but we wanted to just go through and kind of focus on different areas of posture management in the cyberspace that are pretty important to have good visibility into. There are many flavors, as we discussed, there are many different flavors of

[00:00:37] cyber posture management type of solutions in the marketplace, a little bit too much. In my opinion, a little bit too much marketing, in my opinion. You know, the analysts obviously have to kind of create their own areas and focuses. And so some of that is driven by them. Of course,

[00:00:51] Stan Wisseman: it seems like every domain is like, well, we can do a posture management of that.

[00:00:55] Let's do it for applications. Let's do it for data. Let's do it for Kubernetes. You know what I mean? That's sort of like, like. And I guess part of the challenge, so I was at RSA, and there were a number of booths, including ours, that were talking about this topic. And again, there are different emphasis, whether it be an organization that is focused on application security, talking about application security management.

[00:01:21] In our case, what we're trying to also talk about is the top level, right? You know, the fact that you can roll all this up, you have an understanding of a comprehensive. But I think. To your point, it can get very complex and, you know, we can't lose sight of the objective, which is, you know, ultimately trying to have some kind of framework that allows you to protect and have, have awareness of how your, how effective your protections are against the threats.

[00:01:49] And are you able to be resilient? And is that, you know, is that interconnection of different components and different domains working well for you and, and not doing this in a, a typical, you know, snapshot of an assessment. Point in

[00:02:07] Rob Aragao: time. Yeah. Point in time. And that's, that's actually the key, I think, in the definition of cyber posture management.

[00:02:13] So like, if you look back and we've, we've talked about different NIST standards many a time. We've had Dr. Ron Ross,

[00:02:19] Stan Wisseman: NIST, 

[00:02:19] Rob Aragao: right, on the episode on cyber resiliency back in the beginning and then came back for a refresher in the past. They have their own definition of, you know, what cyber risk posture management is all about.

[00:02:30] I think again, the, the continuous verb is what's critical, right? You have to ensure that this is something that is ongoing. You know, you mentioned RSA and we talk about all these different flavors of posture management. Now, the latest one I saw was AI posture management. And to a sense, it's all about the definition of what these things are trying to drive at.

[00:02:48] But as you called out, right, there's, there's the need to have that visibility for each of these different areas. And so, you know, one of the early kind of releases of a posture management platform, again, driven in this case, I think, by Gartner, was cloud security posture management, and it was obviously at the onset of organizations as they're going to the cloud.

[00:03:07] It was a means, in my opinion, of really kind of helping build up the reality of, as we discussed previously in many episodes as well, the shared responsibilities model. Right. Right. Right. And so it's a key aspect of, as you're shifting your workloads to cloud environments, it doesn't matter what CSP or CSPs in many cases now you're using, it's still your responsibility.

[00:03:29] The onus is on you to ensure that the right security controls are in place. They're going to provide you some security controls, which is great, but you have to ensure that that's either at the level you expect and need and require for your business, or are you going to have to add some additional capabilities on top of that?

[00:03:43] Stan Wisseman: And making sure you have the visibility of what controls are in place. And I think in all these different contexts, it's acting on what information you're being provided. Right. And, and so having that visibility to then say, okay, I now see that, you know, these S3 buckets aren't adequately protected. You know, they don't have the access controls that should have been applied.

[00:04:11] And again, it's just having that visibility to then know what to act on and prioritize. I think again, one of the other challenges, though, is there's sometimes this overlap. You know, so do you, do you have in your, your cloud security posture management an overlap with potentially your application security posture management?

[00:04:30] Good point. So if you think about the complexities there, if you're doing dev within your, your cloud domain and you're obviously running applications, but you have on prem as well, as far as applications being running in production in that environment. So, again, you have to ensure that you're not duplicating work as you're trying to get perspective.

[00:04:55] And, and, and, and slice the pie different ways, 

[00:04:59] Rob Aragao: right? Right. You know, and when we did this, this discussion previously on the webinar, we covered kind of four areas, right? We talked about just now cloud security posture management, we just discussed application security posture management. We also got into the data side of it.

[00:05:12] Right. And so that, that's another key area of, again, a growing interest. To me, at the end of the day, though, it's really about that life cycle of how you actually deal with data when you think about data security posture management. Which is

[00:05:24] Stan Wisseman: all about data governance. 

[00:05:26] Rob Aragao: Absolutely. You have to know what type of information is sitting out there.

[00:05:29] What do you deem as sensitive data sets? Where are they within the environment on prem up in the cloud, right? Different applications have access. How do you ensure that you understand, again, continuously that wherever sensitive data is being added into the environments, you're aware of that. You're able to obviously tag it or classify it accordingly.

[00:05:49] And then what do you want to do with it, right? Are there the protection schemes in place to support that? What are you trying to accomplish at that point in time? 

[00:05:55] Stan Wisseman: But I, I do think another aspect of it is the whole data access governance, you know, so again, I, I am, I'm depending on the lens you're looking at, right?

[00:06:04] It's not just knowing where your sensitive data is, but who has access to it. Is that appropriate? So that, that is, you know, again, if, if, if part of the objective here is to be resilient, you need to be able to then be able, with this information, to act appropriately. And so if there is a potential breach, you know, are you able to then respond more quickly because you actually have an idea of where your sensitive assets are, you know, the ramifications of those systems being impacted by the breach, and then you can act accordingly.

[00:06:37] You know, I, I, I think ultimately we also want to be able to adapt. So again, that whole resilience life cycle and, and hopefully this greater awareness of your posture enables you to adapt to the threat more appropriately because you're able to look at, again, in the context of your, your threat awareness

[00:06:59] and the posture that you have, to shift priorities to enforce areas that, you know, you're going to be under some kind of attack.

[00:07:10] Rob Aragao: You're more vulnerable in those particular areas, because again, you now have the visibility and awareness of that. But, but as you said, Stan, you know, that's, it's the key emphasis behind this, the theme, the theme of cyber resiliency is underlying.

[00:07:22] What we're talking about from cyber risk posture management, that's really more at the visibility. But as you said, right, it's about how do you actually adapt to the different types of attacks that are coming your way? How do you continue to be able to have better visibility of what those different things are that are happening within the environment, but what actually is potentially coming your way as well and then how do you recover?

[00:07:39] Obviously. So we, we, we kind of went into that, but I think, you know, one of the other aspects that was, I think, you know, pretty important to call out is just kind of getting started, and we discussed this kind of maturity approach, or maturity model, for cyber risk posture management. And it's getting started in one of those areas, which most likely many organizations have something, if not in multiple areas coverage, right?

[00:08:02] So they could have pieces within cloud posture management or the data side, the application side, identity side, what have you. So that's what we discussed is, you know, if you look at the maturity model. That's tier one, right? You're just getting started. You have some visibility. It is continuous. That's the key.

[00:08:18] And maybe again, it's at the applications here, which is great. And then from there you move on, you say, okay, now I'm going to continue to expand upon that visibility. And I'm going to start having more understanding of what's happening, maybe on the data side as an example. Right. And then I discussed one example of a customer of ours that we've worked with in the past pretty closely, which is I think very mature for what we've seen in this space, right.

[00:08:41] Which is they've taken that to the line of business. So they literally have mapped out the visibility as relates to the impacted assets for the line of business. 

[00:08:51] Stan Wisseman: In that line of business. 

[00:08:52] Rob Aragao: Specifically for that line of business. And in their example, they have seven different lines of businesses. But what they did is again, they've gotten the buy in from the executive level, right?

[00:09:01] And that's the key. We're going to have, I think, a great conversation coming up after this episode in the following week. That's going to be much more focused on, you know, your cyber programs and the things you should be investing. And I think that's going to help kind of really drive that emphasis there on what we've seen with this particular example I'm calling out, but, but it's important, right?

[00:09:20] Because if you don't have that buy in from the business side, they would never have gotten off the ground other than leaving tier one. They would have been stuck when that potentially failed, right? Right. 

[00:09:28] Stan Wisseman: Right. Now, I guess, question for you, do you think the resource demands, the cost of maintaining this kind of awareness and a posture management in the various domains, is attainable to smaller organizations?

[00:09:44] Is this something that I could, I can envision everybody wanting to have this kind of awareness, right? And being able to prioritize more effectively, but is, is, is this a, a, a kind of approach that is really only for large organizations? 

[00:10:03] Rob Aragao: So as you asked in the question, I initially said not likely for SMB kind of, you know, businesses.

[00:10:10] But then as I think about it, you might be okay. And here's why. Because if you have from an SMB perspective, right, you do have lesser resources, obviously, from helping kind of put this in place, managing on an ongoing basis, but you also typically have less resources to have visibility into. So, right, so you could say, Hey, listen, again, if I'm putting the right framework in place to support how I have visibility across data, applications, identity.

[00:10:37] And I can bring it all back up together, right. And in one common view, a dashboard view as an example, to, to, to have again, maybe these silos to start, but then how do I actually kind of start connecting them together? You could do okay. We, we, we, we've talked with, was it maybe cost, it

[00:10:51] Stan Wisseman: may be cost effective if you can actually get the lift up front to be reasonable.

[00:10:55] Rob Aragao: And I was thinking back to an episode we had with Ty Sbano a while back, right? More about dealing with startups and him coming in, getting them off the ground. But starting right out of the gates with, again, this is how we're going to be able to really have proper security controls in place to support what the business is needing.

[00:11:13] Something like that kind of aspect of, you know, that type of mind coming in to support, to build out a smaller company. I think that's, it's possible. 

[00:11:22] Stan Wisseman: Well, if you also follow that up, and again, this is something that's an, I think a leg of this whole posture management is the automation and orchestration that you could have to help things, make things more efficient.

[00:11:33] So again, to your point, you have fewer resources. So if you are able to get that perspective and then act on it more efficiently, perhaps that's, you know, attainable then for the smaller organizations. 

[00:11:46] Rob Aragao: Yeah. And I think for smaller organizations, like you really have to be looking at those opportunities to put automation in place.

[00:11:53] Stan Wisseman: I think another couple aspects of this that we don't want to forget about there. There's also the, the people aspect, you know, and, and again, part of that you're, you're part of your posture has to be whether the resources that you have associated to it are actually capable. Are they, are they, are the developers trained up?

[00:12:17] Do you have that DevSecOps culture where security is built in and, and not just in the processes and the testing, but also the, the developers are, are in, in line with that philosophy, right? Do, do you have the evidence to track that the human capital is, is going and trending in the right direction as far as that

[00:12:39] goal of a security culture that you want in your organization, because, you know, again, we always say that there are a number of weak links, but the people many times are that weak link. And, you know, if, if you forget about that aspect, it's not just tracking the technology and the vulnerabilities that you have, it's also whether or not the effectiveness of your security awareness training and the, the actual metrics that demonstrate that they are successfully, you know, getting it is another key aspect.

[00:13:09] Rob Aragao: Yeah, that's a good, that's a good call out because the example organization I was referring to, you know, they, they did start in the application space from application security posture perspective. And as you're calling out, it was a great lever for them to pull, to get more education back to the developers.

[00:13:28] And being able to actually properly develop secure code, right? And so I think that's a great example of where that's applied because you're absolutely right. The people are always going to be the weakest link. When you look at that particular, you know, development organization, very mature in the way that they're used to doing development, right?

[00:13:46] How do we embed now security? Because we are coming in after the fact, unfortunately. But they did a great job of getting in there and getting them bought into the education. And it was very, very successful for them. 

[00:13:57] Stan Wisseman: I guess another question for you on how you see this playing out. We've talked in the past on the, on the podcast the fact that compliance does not equate to security, but compliance is important to organizations, especially as more regulations are hitting them and it's, and it's a complex, especially for an international company, mosaic of regulations that you have to demonstrate compliance to.

[00:14:24] Does posture management in its various forms reflect not only the vulnerabilities and the weaknesses in your posture, but also regulatory compliance and demonstrate potential problem areas, you know, that you need to focus on to be able to help close that gap? I mean, what is the role between the compliance

[00:14:46] reporting and awareness as to potential gaps versus the whole risk posture?

[00:14:54] Rob Aragao: So I think there's definitely a linkage between the two because, you know, one of the things we've always discussed as well is when you look at what compliance requirements you have, whatever particular vertical you may be in, you're, you're, you're not building your cybersecurity program around the compliance requirements.

[00:15:12] You're building a cybersecurity program as it relates to what the risk appetite is for that particular organization. Inherently, you're going to leverage what you're doing in that approach to become compliant with whatever regulations you've been dealing with previously and obviously make the adjustments for what's new.

[00:15:32] So I think when you look at this, this kind of posture management aspect, the linkage is that it gives you better visibility. You have the reporting capabilities there, but again, I always go back to, as long as you're really driving it from what is the right thing that is going to enable you to meet the risk appetite of that organization that you are supporting and building out your program, or continue to evolve that program, that will tie back into support what you need from a compliance-specific mandate,

[00:16:00] Stan Wisseman: and because let's face it that that has to be connected.

[00:16:04] I mean, the fact that the organization is willing to take risk of being non compliant, you know, and, you know, but, you know, I don't know if the fines, sometimes let's face it, from a business perspective, it's sort of like, well, the fines are not worth worrying about given the potential monetary benefit of going this direction and they have to make that business call.

[00:16:26] What about in the context of, you know, again, scaling as organizations have moved from being strictly on prem to, again, cloud, multi-cloud, SaaS services, MSSP, how, how, you know, I think it's going to be potentially challenging for some of these posture management approaches to get that scale, get that visibility into these always different environments.

[00:16:59] Rob Aragao: It definitely will be a challenge. There's, there's no question, especially I think at the level we're talking about to take that out to an MSSP as an example, all these different customers that they're supporting and, and having that way to break them down effectively. Difficult per silo, not so difficult, but starting to really kind of stitch together, you know, that view across the assets between what's happening at the data level, the data levels impacting the identities, how they actually deal with the application that, that is going to be very difficult from a scale perspective.

[00:17:31] It's difficult enough in, you know, in, in one organization, right. And, and as you said, all these different environments to have to take into account. So it comes back to really what is the prioritization of those assets that you need to ensure you have the right visibility across the specific different types of elements of information that you want to prioritize.

[00:17:49] And you have to really look at that way to start. And then you're going to continue. I don't, I don't know that anyone's ever going to get to a point where they have complete visibility. I just can't imagine that. 

[00:17:58] Stan Wisseman: No, I mean, you're trying to get again a better handle on your organization's posture. We talk about generically, or you have done so for years, security posture.

[00:18:09] What is your security posture? And many times that is reflected in the context of a risk assessment slash pen test. And that is a point in time to say, okay, you know, this third party has done an assessment. This is our security posture that we see for 2024. Okay, great. But what we're talking about now is this continuous monitoring because the threat isn't a one time event.

[00:18:33] I mean, the threat changes daily. We just, you know, this last week alone, you know, Intel and Microsoft announced a whole bunch of different vulnerabilities that are actively, these zero days are actively being exploited right now. That wasn't on your radar two weeks ago, right? So it's sort of like you have to constantly be aware of, of the changes that are going on.

[00:18:54] And whether or not you achieve the pinnacle of, of, of this overarching cyber risk posture management that we've talked about and we talked about in the webinar. I don't know, but I think it is something that is, is being talked about a fair amount. And I think it's a nice aspiration. If we can pull it off, I think it'll help organizations be able to understand how to prioritize and act.

[00:19:19] Rob Aragao: Yeah, I, I, I agree with you and I think at the end of the day, really what it comes down to is the more visibility that you can have the better. Right. And so you're, you're not likely ever going to get to this utopian world of I can see and understand my complete cyber security posture across all these different realms of information.

[00:19:35] But if you can really do that prioritization of these are the assets, we need to ensure we have as much visibility as possible on an ongoing basis. That's really what the kind of focal point is of this. 

[00:19:45] Stan Wisseman: Now, now, we haven't talked about, we didn't talk about this in the webinar, but, you know, I, I wonder in, in some respects how AI or a copilot approach could also play, play into this, you know, in the context of you have all this information available in your posture management system, systems, and you're fronting that, have a front end of some kind of AI interface that allows you to query, you know, what's, what, what is the status

[00:20:15] of my firewall perimeter at this site, you know, I mean, could, could you take advantage of, again, how we operate as people where we typically are asking questions about, well, shoot, is, you know, this happened, this, this set of vulnerabilities got released and there's a zero day, am I vulnerable with this, you know, this particular, and, and be able to query that and have some level of confidence that what comes back reflects truly the posture of where you stand.

[00:20:44] Rob Aragao: Yeah, I think that that is something that absolutely is needed. I think we're starting to see some areas where that's actually coming to fruition, but that's the way we operate, as you said, right? As humans, we ask questions. So if I need to ask a question of, you know, does this vulnerability exist within my environment, or very specifically across this application or set of systems, right?

[00:21:05] I need those answers back. If it has the knowledge to be able to pull that back for you, absolutely. Something as simple as, as you mentioned earlier too, hey, this is what's happening. Is this particular type of firewall rule in place to ensure that we're not allowing that traffic through? Right? So, so questions like that, because now that that's the efficiency aspect, right?

[00:21:23] I can ask the question and get the responses very quickly and say, okay, good. We're covered or not. Versus I have to go log into the firewall console and have to go now review my rule sets and figure out. Yeah. Which rule is there that actually covers this thing or does not now? How much time have I lost?

[00:21:38] Stan Wisseman: And of course, there's that other question of, you know, remediation and whether or not that kind of interface can then follow up with, okay, then put that rule in place. Now that's where it becomes interesting. That again, operations folks are saying, no, don't do that. It's not going to be that easy. 

[00:21:56] Rob Aragao: Exactly.

[00:21:56] That's when AI says it's not in place. Would you like me to go ahead and do that for you? And you go hold on, pump the brakes. 

[00:22:03] Stan Wisseman: Well, hey, I mean, I think this is a, again, a topic that is going to be around for a while. I don't know where it is in the Gartner hype cycle. You know, maybe it's up on the upslope and we'll see if it actually can be realized in its various forms.

[00:22:16] I think each of the domains. So again, when you think about application security posture management with, let's, let's face it, different interpretations of what that means by the different providers, you know, there will, there will be. We saw this again. I saw this at RSA when you go to the different booths when they're talking, you're hearing the same

[00:22:36] acronym, ASPM, but what they're talking about is different than what this other vendor's talking about, you know, so again, we're going to, we're going to, you know, have a bit of a challenge there until somebody norms up. Nope. Nope. This is what ASPM is. And, you know, everybody has to norm up to that definition.

[00:22:52] But I think that's more achievable than the overall Nirvana at this point, but I I, I think it'll help people, but, but again, to your point about data governance. In some respects, in each of these areas, I mean, same thing with identity. Identity governance, to some degree, is the same thing as ISPM, but perhaps the way it's represented.

[00:23:14] And how you actually are able to digest that information, and maybe it's more comprehensive than this, the governance aspect, you can also get insight into how, you know, you're doing more specific privilege management or, you know, I don't know, again, depends on the definition of how you're going to cut that particular pie down into the granular aspects of what it means for each one.

[00:23:36] But 

[00:23:37] Rob Aragao: yeah, it does. It does. So we're going to continue to see more and more of these flavors thrown out there. I, I like your example of the identity security posture management, because I do view it that way where it's, it's identity governance is kind of the core of what that's all about. But there's so many additional elements of identity, like privilege, that could be mapped into that.

[00:23:55] So we'll see how it evolves. Not sure that people are going to get to this world of, hey, we have this complete coverage, but I think it's just important to say, you very likely have some different kind of silos of coverage today. What about the importance of starting to see where there's opportunities to start connecting that to get a kind of, you know, have better visibility across the environment versus that one element of information that you have.

[00:24:15] So interesting topic. Good for people to be able to go back and actually go through our webinar. Hopefully. We,

[00:24:21] Stan Wisseman: we, we took a different approach in the webinar. So listen to this episode, you can watch the webinar and, and, and hear the questions people ask us as well. 

[00:24:32] Rob Aragao: Yes. Yes, absolutely. Well, Stan, until next time.

[00:24:35] Stan Wisseman: Talk to you then, Rob.