As an SMB, you’re probably thinking you’re too insignificant for a targeted cyberattack.
That’s not even a little bit true.
In this episode, I interview Danielle Russell, Director of Product Marketing Management at AT&T Cybersecurity, about SIEM solutions for SMBs.
What we talked about:
- Why an organization needs a SIEM
- Small orgs are definitely a target
- How to get started with a SIEM
- The #1 characteristic of a good SIEM for SMBs
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
This transcript was generated primarily by an automated voice recognition tool. Although the tool is about 99% accurate, you may find some small discrepancies between the written content and the native audio file.
You’re listening to The Virtual CISO podcast, a frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no-B.S. answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.
John Verry (00:25):
Hey there and welcome to another episode of The Virtual CISO podcast. As always, I’m your host, John Verry, and with me as always, the Chewbacca to my Han, Jeremy Sporn. Hey, Jeremy.
John Verry (00:37):
I won’t tell you, people listening, how many times it took Jeremy to get that tape right. It wasn’t even worth it. But okay, let’s go. What do you think about the conversation I had with Danielle?
Jeremy Sporn (00:49):
All right. What is super cool about Danielle, she is just extremely passionate about SMBs being secure. She certainly chose a great company to foster that passion and she’s just very genuine. Her desire is to help SMBs be more secure and stay safe from cybercriminals. That just showed through.
John Verry (01:08):
Yeah, I agree she was a fun interview and is working for the right company, in that for small organizations that don’t have all the resources they need to be secure, the AT&T solution is just a wonderful solution in terms of bang for the buck, value proposition, ease of setting up. Her excitement and knowledge really did show through.
Jeremy Sporn (01:30):
Absolutely. If you have ever considered running a SIEM solution or are struggling with your own SIEM, expect to walk away with really actionable guidance to determine one, if you should be running a SIEM at all and two, if you should be, you will learn how to get the most out of your solution and really avoid some common pitfalls that SIEM projects can fall into.
John Verry (01:52):
Yeah, I think she gave an inordinate amount of great information. With that, let’s get to the show. Thanks.
John Verry (02:01):
Danielle, good to see you again. How are you?
Danielle Russell (02:04):
Hey, John, good to be here. Thanks.
John Verry (02:05):
I always like to start super simple like who are you and what is it that you do every day?
Danielle Russell (02:13):
Yeah, thanks for asking. I’m Danielle Russell. I am a director of product marketing management for AT&T Cybersecurity. AT&T Cybersecurity is the second largest MSSP and we have a large portfolio of products and managed security services.
John Verry (02:28):
Excellent. We also have on the phone, Leslie Johnson. Leslie, can I ask the same question? Who are you and what is it that you do every day?
Leslie Johnson (02:36):
Hi, thanks for introducing me. This is Leslie Johnson, lead PR manager for AT&T Cybersecurity helping Danielle to share the awareness and bring visibility to our platforms.
John Verry (02:50):
I’m sure you’re here to make sure that we behave, aren’t you? Anybody who knows me would know it’s a good idea to have you on the phone. I always like to start, Danielle, getting to know a person a little bit. I always find this an interesting question I can ask to get to know somebody before we get down to business. What is your drink of choice? You can answer that any way you want.
Danielle Russell (03:14):
Oh, this might actually be the longest answer I give you in our time today. I’m from Wisconsin so by birthright I think I have to first list beer and brandy old fashioneds. But I live in Austin, Texas now and we have a lot of great mezcalerias and we also have a little bit of a Tiki scene. I always enjoy any kind of weird Tiki drink whether it’s a Three Dots and a Dash, a Birds of Paradise, mai tais, so anything with an umbrella out of a skull cup I’m happy to drink.
John Verry (03:48):
Do you like them with the dragons or the monkeys hanging on the side as well?
Danielle Russell (03:52):
The wilder, the better. I want full fake grass on the walls. I want cheesy old surf movies playing in the background.
John Verry (04:01):
Something that’s a color that just doesn’t exist in true nature, correct?
Danielle Russell (04:04):
John Verry (04:04):
Like Curacao blue. Real quickly, you said a mezcaleria. Is that a place that serves mezcal as the primary drink?
Danielle Russell (04:12):
You got it. Yes.
John Verry (04:13):
That’s pretty cool. It’s funny how that suddenly became hot and hip. I was in a restaurant in Grand Cayman over the Christmas holidays. They had a mezcal menu and they had imported, might be the wrong word… A gentleman moved from Mexico to Grand Cayman just so he could be the mezcal, sort of the sommelier. He comes to your table and you sample mezcals with him and he explains to you all the differences. It’s amazing how many different versions of mezcal there are. Fun stuff.
Danielle Russell (04:44):
It’ll do the trick.
John Verry (04:46):
All right. Let’s get down to business. One of the things that we find working every day with SMB-space clients is increasingly there is this recognition that log monitoring or security information and event management is a key thing for them. One of the questions I would have for you is where is the line, if you will, when an SMB gets to a point where it needs a SIEM? That might be in terms of size, that might be in terms of risk drivers or compliance drivers. How does somebody listening to this podcast who’s in that space know, “I should go out and get an AT&T Cybersecurity SIEM solution”?
Danielle Russell (05:25):
Yeah, that’s a great question and it’s a tough one to answer. Because really there’s no line. There’s no magic milestone that when an organization has a certain size or hits a certain age or is in a certain industry that they should consider getting some type of log management or SIEM solution.
Danielle Russell (05:47):
I would say that what we know is that for the SMB space there’s no such thing anymore as security through obscurity. Overall, cyber criminals are really operating at scale and they’re operating opportunistically and targeting businesses of all sizes. I think we know that about 43% of attacks targeted small businesses in 2018. That’s according to SCORE. Unfortunately, it is true that every organization today is a potential target. What that means for a small business is that it’s important to take a close look at your cybersecurity posture and your cyber risk posture.
Danielle Russell (06:27):
Now, the question is when does an organization get to the point where they need a SIEM? I would maybe back up and ask the organization, “Where are you at in your cybersecurity maturity? Where are you at in addressing your overall cyber risk posture?” Ultimately, the question is, “Do we need to have log management for the purpose of security?” There are many reasons to do log management, but for the purpose of cybersecurity, doing logging or using a purpose-built SIEM really is a means to an end of being able to do threat detection and incident response. That’s what a SIEM is really built to do.
Danielle Russell (07:07):
So as we look at the progression or the maturity of an organization through something like the NIST Cybersecurity Framework, at the point that an organization says, “We recognize that we not only need to try to prevent and protect against potential cyber risk, but we also now want to make sure that we have visibility of what’s happening within our perimeter, within our environment, and be able to detect things and then respond to them in a quick manner.” That really becomes, I think, a strong motivator for a SIEM or log management tool.
John Verry (07:39):
One thing which I consistently hear with clients… And I just want to point out, because you said small organizations are a target. It’s amazing how often when I’m speaking with a small organization, they’ll say, “No, no. You don’t understand. We’re small. We’re not a target.” I do think it’s an interesting differentiation there.
John Verry (07:56):
Sometimes you are a target but there’s a large percentage of the breaches and threats that are out there that are, what I would call, opportunistic in nature. This idea that you’re running WordPress. There’s a new WordPress plugin vulnerability and somebody starts a scanner that scans the entire internet and happens upon your particular infrastructure. There’s the targeted attack but there’s also that opportunistic attack which is, I think, for many SMBs perhaps even more dangerous, right?
Danielle Russell (08:26):
Yeah, absolutely. In reality, we see both. But let’s separate those out. The opportunistic attack, you’re totally right. Organizations… It’s almost like if you’re being chased by a pack of lions, you want to make sure you’re not the slowest runner in the pack.
John Verry (08:44):
I use bears or sharks, but okay. Lions, I’m going to use from now. You just got to run faster than the next one.
Danielle Russell (08:49):
I was thinking zombies but okay, let’s stick with lions. Overall, the question is, “Who’s the low-hanging fruit?” Because cybercriminals today are able to operate at scale and to use a lot of automation, the same type of automation and even machine learning and other types of capabilities, in order to really scale out their operations and scale out their attacks, absolutely. Organizations small to large, it’s equal opportunity attacks today.
Danielle Russell (09:22):
I think it’s interesting, though, that we still do see incidents in which organizations who are smaller, nonprofits, even churches, folks within church groups who I’ve spoken to said, “We had a new pastor come into our congregation and we realized then we were victimized by an attacker who sent out a malicious email looking like it was coming from the new pastor of the congregation.” That’s a highly targeted phishing campaign.
Danielle Russell (09:48):
Even if you’re a small organization putting any type of public information out that can be enough for an attacker who understands the financial economics of being able to prey on a congregation or if it’s a nonprofit to be able to prey on donors to attack an organization even if it’s small. We see both.
John Verry (10:13):
Yeah. I agree completely. What I always say to people is that generally speaking, change equals risk at some level. When we reach a point where we’ve architected a really strong information security posture, what we’ve done is we balanced the risk that we know about with the controls that we’ve implemented. Anything that changes that external to your organization, internal to your organization, can present a risk. That’s a good point.
John Verry (10:34):
One other question for you. In your initial answer you talked about a SIEM as a security solution and I think that’s the most important thing that a SIEM does do. But that being said, SIEMs are sometimes a tool for compliance or are, in and of themselves, easy for me to say, an answer to a compliance issue. With the new CMMC guidance, there’s a requirement that they have some type of a log monitoring solution where something like AT&T Cybersecurity would be an excellent choice. Talk a little bit about the compliance side of a SIEM as well.
Danielle Russell (11:06):
Yeah, absolutely. Compliance is a strong driver and strong motivator. When you look at any kind of compliance regime that has some cyber risk aspect, whether it’s PCI DSS, HIPAA, or others, there’s usually some prescriptive log monitoring, log management type of function built into that absolutely.
Danielle Russell (11:26):
What we see is a lot of organizations that are just getting started with a SIEM or are evaluating some tools. They are at the point where they’re trying to prepare for that audit or they, unfortunately, have failed an audit and now are looking for some kind of solution.
John Verry (11:44):
Unfortunately, too often the latter.
Danielle Russell (11:46):
Unfortunately, yes. We do see compliance as being a strong motivator, but again, compliance is really a question of, “Are you able to demonstrate that you are doing good security or you are doing security well?”
Danielle Russell (12:03):
The idea of why does it become important for an organization to maintain and to monitor logs, having that visibility, first and foremost, of the things that are happening within your network environment, or your cloud environment, or on your endpoints in real time can give us information about a potential security incident or a threat and give us the opportunity to disrupt or to mitigate that threat before it becomes some longstanding type of attack that an organization might not find out about for months until the attacker has taken off with a lot of data but also from a forensic standpoint.
Danielle Russell (12:44):
In the event that you didn’t catch the attacker while they were in your environment, while they were moving laterally or escalating privilege in order to get to sensitive information, after the fact, if there are any implications from a compliance standpoint that would cause you to need to do some kind of forensics analysis or demonstrate that you were acting in good faith and you were doing what was reasonable to maintain those logs. That’s where it also becomes important as well.
John Verry (13:15):
I think that’s especially important because… The numbers vary all the time, but it’s about four and a half months, I think, is the current estimate between how long from a breach initially occurs to when we detect it. Really, what you’re talking to is shorten that threat detection window and by shortening the threat detection window, of course, we’re minimizing the impact of a breach if one should occur, correct?
Danielle Russell (13:37):
That’s the hope and I think it’s an interesting conversation that gets us into does a SIEM automagically help us to do good threat detection and incident response, and the answer is no. A SIEM deploys and the SIEM is the tool. It’s a means by which you can detect and respond to threats, but there are so many other elements to that that come into play.
John Verry (14:02):
And we’re about to get to those. It’s the perfect lead-in. You’re not cheating and looking at the notes, are you?
Danielle Russell (14:06):
Not at all.
John Verry (14:09):
Now, let’s say that we are an SMB and we’ve determined that we need a SIEM and we’re about to turn one on. How do we determine? What would be your guidance to someone when they say, “Okay, we’ve got this great new AT&T Cybersecurity solution. What devices or applications or events should I be capturing?” How do you answer that question? Because it’s a tough one.
Danielle Russell (14:29):
You answer that question with a big it depends.
John Verry (14:34):
My favorite phrase.
Danielle Russell (14:34):
Here’s the thing. This is why it’s good to start with the question of risk. The question that I think a small to medium-sized business could start by asking is, “Where is our sensitive information? Where is that information or that data or those systems or processes that we simply can’t afford to lose or we simply can’t afford to be breached or to be exposed?”
Danielle Russell (15:05):
Those environments, those assets, those places that are transmitting and storing that information those become the things that you should be monitoring first and foremost. Absolutely, it’s a matter of risk and criticality and from there, it’s a question of just how much makes sense for your organization.
Danielle Russell (15:25):
There’s somewhat, I would say, maybe a balance. Some SIEM providers and security analysts might have the impression that more data is better and so we should collect all of the information that we can, good or bad, dump it into a SIEM and then start searching through it looking for trends, looking for correlations, looking for anomalies. For most organizations, that is just creating that environment where you’re looking for needles in a big haystack.
Danielle Russell (15:57):
Again, it really depends on the organization. It’s up to the organization but I will say that it’s not always the case that more data is always better and that you should just collect everything.
John Verry (16:09):
I could not agree with you more. I’ve been involved in a lot of SIEM projects over a lot of years. I go back with SIEM all the way to 2004. If you look holistically across all of those projects, many of them failed and the reason that they failed was exactly what you just said. We got a SIEM. Let’s dump all the data that we can in there. It becomes an endless log consolidation process.
John Verry (16:30):
We never really get to what the objective was. What risk are we trying to mitigate? What compliance are we trying to prove? What is it that we’re looking to actually accomplish? What’s the objective of implementing the SIEM? I absolutely love your “more data is better… isn’t” line. It’s fantastic. Thank you.
John Verry (16:46):
We’ve got the SIEM. We’ve got someone intelligent like you who’s helping us figure out what we should put into the SIEM and we’re starting with less is more, which I love. When do we get to a point where I not only need a SIEM but I need a SOC? Maybe you should actually even define what a SOC is for people that might not know exactly what I mean by that.
Danielle Russell (17:05):
Sure, yeah. SOC stands for security operations center. The way that I think about a SOC versus a SIEM… Again, a SIEM is a tool. It’s a security technology that you might include as part of an overall cybersecurity program. A SOC, I would say, is where you start to see the people, process, and technology of cyber risk management and cybersecurity coming together.
Danielle Russell (17:33):
The question of whether you need a SIEM or a SOC, and then probably there is a secondary question there, whether you need a managed SIEM or a managed SOC or a managed security service provider, is, I think, especially for small organizations, a question that starts with resources and starts with the question of, “Who is the person on my team or the people in my organization or in a provider’s organization who are going to be using the SIEM?”
Danielle Russell (18:04):
“Who is going to be doing the security plumbing, the security work to get the information that I need into my SIEM, to bring in threat intelligence that’s timely and diverse and helps to resiliently detect threats in that environment, and then who’s actually looking through those security alerts, triaging them, escalating them, and walking through that security investigation and response process all the way through remediation?”
Danielle Russell (18:32):
I think even before an organization says, “Aha, we have a compliance requirement. We need to go get a log manager. We need to go get a SIEM.” It’s worth having that question of, “Who is going to manage it and,” to your earlier point, “what is the objective and then who’s going to participate in getting there?”
John Verry (18:48):
Got you. When you’re using the term managed SIEM, just to make sure we’re all on the same page for the people that are listening, so the managed SIEM from your perspective is, “I might manage the SIEM internally because I’ve got enough of a security team and when you say manage that, they have the responsibility for the care and feeding of the SIEM?” Or, “I might use an external third party to care for and feed the SIEM.” Is that what you mean by managed SIEM?
Danielle Russell (19:09):
The latter, yeah, absolutely.
John Verry (19:11):
And then the same thing on the SOC side, right? Because they might have someone sitting looking at screens and responding to those events internally or where they might have a third party that might be operating 24 by seven on their behalf and either taking some level of action and/or escalating to them, right?
Danielle Russell (19:28):
John Verry (19:29):
Just want to make sure because the terms in our space are used so differently. Just want to make sure we’re on the same page.
Danielle Russell (19:36):
I can’t tell you how many conversations we have had around managed SIEM versus SIEM as a service versus managed SOC versus MSSP. It gets a little weedy there.
John Verry (19:49):
Yeah. But at the end of the day, like you said, I love the way you call it a tool. You’ve got to implement the tool. Tools, like any other tool, need to be maintained, updated, cared for and fed, and then somebody’s got to respond to the tool when it says, “Hey, I’ve got something to tell you.” Who’s going to answer it? Who’s going to take that action? Cool.
John Verry (20:08):
Now, we’ve got this idea of we know what we’re monitoring, we figured out how we’re going to actually interact with the product, how we’re going to manage it. One of the key features that an SMB needs or should be looking for… You hear all these terms. You’ve got concepts of log consolidation and we want alerting and we want correlation and the big buzz is threat hunting and SOAR and all these new terms.
John Verry (20:27):
What about the cloud? How do you guide someone on when they’re going out to market to look at the different alternatives that are out there? Which services or which features are the most important? How do they figure that out?
Danielle Russell (20:38):
Again, I think the most important question to come back to is the question of, “What are your objectives and what are your resources?” SIEM tools that have all of the latest features and all of the capabilities of AI and SOAR, they’re great as long as you have the resources to be able to manage those. Too often, we hear of organizations who go out and purchase the proverbial million dollar doorstop with a SIEM project that fails.
Danielle Russell (21:10):
When you look at it from a resource perspective, the feature that I would advocate, or the characteristic or quality that I would advocate most strongly for a small to medium-sized business to evaluate a SIEM against, would be ease of use.
John Verry (21:25):
That simplicity, right?
Danielle Russell (21:28):
Simplicity throughout. To be able to look for a SIEM that is easy to deploy, that isn’t going to take a lot of security engineering to bring in information from separate tools, whether that’s your own scanner, whether that is your intrusion detection system, but can help accelerate that deployment timeframe. By that, I mean not weeks to months, I mean minutes to hours, today. You should be able to get up and running with a SIEM within a few minutes to hours. If that’s not what you’re finding, please come see me.
Danielle Russell (22:04):
From ease of use all the way from deployment through alerting and triaging those alarms and then being able to handle that orchestration and response capabilities.
Danielle Russell (22:14):
You also mentioned the requirements or the key features of being able to monitor cloud environments. I think that becomes increasingly important as organizations move their workloads and services not only to public cloud, IaaS or infrastructure providers, but also introducing SaaS applications, looking at productivity tools like Office 365 and G Suite and Box. Having the ability to pull that information into your SIEM environment and being able to detect threats as they manifest or as they would reveal themselves in those types of environments specifically is important.
Danielle Russell (22:54):
I would say that even for organizations who are just getting started and might have the approach of, “We’re not in the cloud. We do most things on-prem.” Or “We’re really small. We’re not putting critical information into the cloud.” I would still advise to look at that three to five-year roadmap or perhaps just even imagine whether or not there’s a time that your organization might be moving into the cloud. There’s a strong likelihood-
John Verry (23:20):
Have you met a company that’s not… I don’t think you need to say three to five-year roadmap. Look three to five years in your history or look in the window for tomorrow because I don’t know too many SMBs these days. I’m amazed how many are cloud first.
John Verry (23:31):
Interesting story with… We run AT&T Cybersecurity internally, fans of the product to be blunt. The way that you’ve done it with these apps that you can just turn on and you just go into your portal or your Office 365, the main appropriate, and you click a couple buttons and we turn it on and that’s like the next day and all of a sudden, I look up at my doorway and our IT guy stands there and he looks at me. He goes, “Please tell me you just deleted a whole crap load of stuff in SharePoint.” And I was like, “Maybe?”
John Verry (24:04):
It was interesting because he had gotten an alert. We hadn’t really done anything. We hadn’t even really configured things but immediately, it was already telling us. It already had said, “Hey, I saw something that you might be concerned about,” which I thought was fantastic. So I agree with you. I think the cloud integration that you guys have done is really wonderful and I think it’s something.
John Verry (24:24):
It’s great, too, because we’ve got clients that I know that are using hybrid environments. They’ve got 100 machines on-prem. They’ve got an Office 365 implementation. They might have Salesforce. They might have some Azure or Amazon EC2 stuff and having this ability to consolidate all that information into a single pane of glass? Really elegant.
Danielle Russell (24:44):
Yeah, absolutely. I think there’s another element there, too, that I want to address which is threat intelligence.
John Verry (24:50):
Yeah, please, [crosstalk 00:24:51].
Danielle Russell (24:51):
Because I think this is probably one of the, if not least understood, least appreciated aspects of what can make or break a SIEM deployment, and that is the quality of the threat intelligence that the SIEM platform uses.
Danielle Russell (25:06):
What you just described being able to just turn on a cloud application and have the ability to automatically alert on things that might be suspicious or anomalous within specific environments, whether that’s SharePoint or whether that’s Box, if you see a user starting to escalate privileges within your AWS environment and deleting a lot of production instances, those types of alerts, those are pretty specific types of events that you might want to be alerted to that are really unique to cloud environments.
Danielle Russell (25:37):
I would argue that it’s the quality of the threat intelligence and the security researchers who are building that threat intelligence that can provide that information.
Danielle Russell (25:46):
For AT&T Cybersecurity, our AT&T Alien Labs team is actually delivering continuous threat intelligence updates that are fully baked, fully actionable, that allow the platform to automatic-
John Verry (25:59):
Danielle Russell (26:00):
John Verry (26:00):
Can I ask a question? Can I just interject? Can you do me a favor? Because I think you said that, and I love what you said one of the least understood, most misunderstood, whatever the right way you said this, can you define threat intelligence? Because even this idea of a threat intelligence feed, I think, most people don’t really understand that. They’ll give you the, “Uh-huh (affirmative), uh-huh (affirmative)” but I don’t think they get it. So can you define threat intelligence? Can you define what you’re actually doing when you talk about a threat intelligence feed and how that data might get used and how do you do it by the way?
Danielle Russell (26:30):
[inaudible 00:26:30] Yeah, absolutely. Let me give you the disclaimer first. Hold on one second.
John Verry (26:39):
Don’t worry about it.
Danielle Russell (26:40):
[Nola 00:26:40], no. Hush. I think what’s probably most important to understand is the difference between threat data and threat intelligence.
Danielle Russell (26:51):
The way that I might describe this is that a piece of threat data might be something like a thumbprint or an indicator. It might be a piece of information, whether that is a hash or a domain address or IP address, that gives us some indication that we can correlate against activities in our environment to identify whether one of our systems is communicating with a malicious system. That might be threat data.
Danielle Russell (27:20):
There are a lot of ways, a lot of resources, to get threat data or threat information into a SIEM. Again, if it’s not highly actionable, fully baked intelligence, which I’ll describe in a second, that really leaves your own security resources, if you have them, to make those connections between what the threat data is alerting on in my environment and what’s happening in my environment.
Danielle Russell (27:47):
Threat data can give us an indication of, “Hey, here’s a system. It communicated with a bad IP address.” That can be done through a SIEM.
Danielle Russell (27:56):
Threat intelligence, I would argue, is it gives you much more context about what is happening in your environment. It might not just be a piece like an IP address or it might not just be a hash or some kind of indicator of compromise, but it might be kind of a higher level or more sophisticated types of TTPs or tools, tactics, and procedures that cybercriminals use.
Danielle Russell (28:22):
The way that we implement threat intelligence in AT&T Cybersecurity in our threat detection and response tools is our AT&T Alien Labs team is actually taking threat data, and that comes from many sources one of which is the AT&T Alien Labs Open Threat Exchange, which I’ll come back to in a second, but we’re taking that threat data and that team actually is transforming that into threat intelligence. That includes correlation rules and directives that our platform uses to automatically detect threats so that you’re not just getting a lot of noise and a lot of alerts that might result in false positives or volatile types of indicators, but rather you’re getting high level information to work off of.
John Verry (29:12):
Let me just summarize that, oversimplify, that for a COO or CFO that’s listening. It sounds like what you said, and correct me if I’m wrong. It sounds as if you said, “You’re sitting out there at AT&T and you got all of this data that’s coming from all of your customers and you’ve got these super smart brainiacs that are sitting in the backroom. They’re looking at this data. They’re using that data and the bad things that are happening in all those other places to protect me automatically?”
Danielle Russell (29:37):
Absolutely. Let me-
John Verry (29:38):
Now, that’s cool as hell.
Danielle Russell (29:41):
That is intelligence. I want to share one more analogy around this because I think this helps to simplify it as well. And this I stole directly from our CTO. You might think of threat data as someone telling you, “Someone is going to kill you. Someone is out to kill you.” That might be threat data, might be a piece of information that you get and that’s not highly actionable, but might make you a little paranoid, might make you start looking around or looking over your shoulder for more information or clues.
Danielle Russell (30:08):
Threat Intelligence would be something more like, “Someone is trying to kill you. They will be coming for you at 4:00 on a Friday afternoon. They will be parking a white van outside of your environment or outside of your house. They’ll be carrying a pistol and they’ll be dressed in all black.” That is threat intelligence.
Danielle Russell (30:27):
You can imagine there’s a pretty big difference in quality and difference in how actionable that information is. I think that is the crux of having any kind of SIEM deployment. If you are evaluating, demoing, looking at a SIEM, if you can’t get to that answer like, “Show me how I would use all of the context that I’m getting in this environment-“
John Verry (30:49):
I love that word.
Danielle Russell (30:50):
All of that threat context, “Show me how I would use that to immediately understand what is going on in this environment. How am I at risk? What has been affected? And how…” That’s really the crux of being able to do good threat detection.
John Verry (31:07):
That was a great answer. I’m a fan of the product. I said that from the beginning. I’m going to throw you a, what do they call this, a lob pitch. Why is AT&T Cybersecurity such a good choice for SMBs?
Danielle Russell (31:20):
How much time do you have?
John Verry (31:25):
I’m going to limit you. I have a buzzer on my desk and it goes off after three minutes. No, I’m kidding, of course.
Danielle Russell (31:31):
Fair enough. Okay, so let me try to be concise here. But I’m also a fan of the product.
Danielle Russell (31:38):
AT&T Cybersecurity, our threat detection and response solutions, come in a few different flavors. We offer an unmanaged platform or a SIEM type of solution that you can use and have your own team manage in your environment that’s delivered as SaaS, or you can have a managed threat detection and response service where AT&T Cybersecurity is actually managing the operations of your detection and response program 24 by seven. We have eyes on glass 24 by seven. We also have a rate environment of MSSP partners who also use the platform to provide that service as well.
Danielle Russell (32:21):
In addition, the platform itself, our USM platform, is incredibly easy to use. What’s unique about the AT&T Cybersecurity threat detection and response solution is that we bring together not just SIEM capabilities but also asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, cloud monitoring, even dark web monitoring, all in one unified platform, and that helps organizations, especially organizations that are resource-limited in their security departments, and let’s be honest most are, to be able to get started a lot faster without having to do a lot of that security plumbing or security integration.
Danielle Russell (33:00):
It’s incredibly easy to get up and running because it’s cloud hosted, SaaS delivered, and it’s an all-in-one type of solution. Most of our customers can actually get up and running within a few hours and start seeing security alerts within the first few hours of using the platform. That’s also due to the fact that the platform itself receives continuous threat intelligence updates from AT&T Alien Labs. Again, those threat intelligence updates are highly actionable. They’re timely and they allow for resilient and automated threat detection and response.
Danielle Russell (33:32):
So instead of having to have a team of security analysts who are sitting there, again, digging for that needle in the haystack or searching through a lot of false positives and a lot of different types of alerts looking for something that actually constitutes a security incident, with our threat intelligence, there’s no need to sit there and write correlation rules and queries. The alerts that your team sees are indicative of actual threats or actual areas of risk in your environment.
Danielle Russell (33:59):
The third aspect, and you mentioned it earlier, is our Alien Apps framework. The platform is architected to be highly extensible. What we’re able to do is to deliver integrations with third-party tools, whether that’s security tools or whether that’s productivity applications or cloud environments, that allow you to not only ingest and collect and detect threats from those environments, but then also to take response actions.
Danielle Russell (34:27):
Let me give you an example. We have an Alien App for Palo Alto Networks Next-Generation Firewall. Let’s say that I see that one of my servers is communicating with a known command and control server and for some reason, my firewall didn’t pick it up or my firewall isn’t tuned to address that. With the Alien App for Palo Alto Networks Next-Generation Firewalls, you can actually go in and immediately just click through and say, “Go update my firewall blacklist” without having to leave the platform, without having to toggle a lot of different applications. You can orchestrate that response to just work that much faster.
Danielle Russell (35:05):
You can even automate actions. If I wanted to automatically create service tickets in Jira or ServiceNow off of things that I’m detecting in my environment and maybe kick it over to my IT team to deal with or respond to, you can do that automatically. Again, for those teams that don’t have a lot of resources in their security department that type of operational efficiency can be pretty significant.
John Verry (35:30):
Got you. Would that be what’s referred to as security orchestration and response or SOAR?
Danielle Russell (35:34):
John Verry (35:39):
At one point, you were predominantly using or installing these systems internally. Now, you’re definitely going to a cloud first or cloud only model. I’m not sure which one but it’s certainly a cloud centric model. What are the benefits of cloud? Why are you moving AT&T Cybersecurity to the cloud so aggressively?
Danielle Russell (35:56):
Yeah, absolutely. I think this is not unique to AT&T Cybersecurity but obviously we’re leading the way in this area. We do see a lot of security technology vendors moving to cloud native or cloud first type of security applications. Just as you would expect with other types of software applications or tools that you would use in a cloud environment, you really gain a lot of the benefits that a cloud infrastructure can provide.
Danielle Russell (36:26):
For customers, this means that there’s no more appliance, piece of hardware that you have to deploy in your own data center or in your own server room. We know that security leaders are trying to actually consolidate the number of boxes and reduce the number of boxes that they’re managing on premises. When you can remove that hardware, obviously, you remove all of the management availability and update that are required to just administer that type of environment. All of that goes away and is then handled by the vendor like AT&T Cybersecurity.
Danielle Russell (37:03):
Scalability also is another benefit for a lot of organizations. As your organization grows, it’s much easier to add capacity in a cloud environment than to horizontally or vertically scale whatever application you have running in your data center. Specifically with log management and especially for compliance too, I’ll say that cloud-hosted or cloud-delivered security or SIEMs have an added benefit that all of that log management and all of that log storage also is alleviated.
Danielle Russell (37:36):
With AT&T Cybersecurity, because we’re storing customer logs in our secure and compliant certified environment, it alleviates the customer having to maintain those logs and those records on site or rotate logs, if you will, and store them to meet whatever compliance requirement. Some compliance regimes like PCI DSS have up to a year that you have to keep those logs in a very tamper-proof environment and you have to demonstrate the integrity of those logs.
Danielle Russell (38:06):
All of that we’re taking on for customers as well and because we’ve achieved our own certifications of compliance for PCI DSS, SOC 2 Type 2, ISO 27001, as well as attestations of compliance for HIPAA and the GDPR, we’re able to actually help customers to accelerate and simplify their own compliance processes as that pass-through benefit. Because your logs are already stored in our certified compliant environment and certified compliant cloud infrastructure, it can help to accelerate and tick those boxes for the auditor as well.
John Verry (38:42):
One unusual thing that people sometimes don’t think about… One of the things that I like about cloud based is, what does a malicious individual want to do? Once they’ve compromised an environment, what do they want to do? They want to erase the evidence of that. That’s how they try to cover their tracks. One of the ways to cover their tracks, if they gain admin access, is to delete the log entries that show that.
John Verry (39:01):
By virtue of the fact that you’re breaking that, same idea with malware, we want to make sure that we have a non-persistently connected backup somewhere else to make sure we’re able to recover. I actually think you improve somebody’s incident response capacity and reduce the risk of that happening just by virtue of the fact that you move to the cloud. That’s another really good reason for doing it.
John Verry (39:18):
One of the things you mentioned is AT&T has a great offering themselves. You also have a very robust and very populated partner program, lots of good people that are in your program. From your perspective, why did AT&T choose to take that type of an approach and what might the value be to somebody listening to the podcast?
Danielle Russell (39:36):
Yeah, absolutely. I would say that, first of all, managed security services and managed security service providers, like Pivot Security, are absolutely excellent partners and extra options especially for organizations who have established relationships or who might already be engaged for security and other types of services.
Danielle Russell (39:59):
I would say what sets us apart and what the benefit to customers who are looking at our partner program or our network of managed security services providers is that even when you work with an MSSP that is a partner of AT&T Cybersecurity you’re benefiting from the same type of platform technology development that we’re using to deliver our own managed threat detection and response services. Every feature, every capability of our threat detection and response technologies we’re delivering to and making available through our MSSP partners as well.
Danielle Russell (40:32):
You can imagine that AT&T, we have [inaudible 00:40:35] becomes one of our biggest customers and they are very vocal about the types of things that they need in order to be successful and deliver really successful and really effective detection and response services to our customers. Again, those types of capabilities we’re making available to our MSSP partners as well so they’re benefiting from that.
Danielle Russell (40:57):
Similarly, with our threat intelligence… The AT&T Alien Labs threat intelligence updates are baked into the platform regardless of whether you’re getting it from AT&T Cybersecurity or from one of our partners as well.
John Verry (41:11):
One of the things that I think is really cool about your partner program is that because of the way you structured it and it’s cloud based, Pivot Point can have access or a client can have access. What it puts them in a position to do is actually transition the instance from themselves to a partner like us or to another partner.
John Verry (41:29):
Let’s say that they’re working with Pivot Point and let’s say for some reason they don’t like Pivot Point, that couldn’t possibly happen but let’s say it did, they’d be able to actually transfer their AT&T Cybersecurity instance to another managed partner or to AT&T itself without losing any ground.
John Verry (41:43):
I think it’s really important because… There was a client recently I was chatting with. They’re spending 12,000 bucks a month with a vendor they absolutely hate and I said to him finally, “Why don’t you just transition?” He says, “That’s a lot harder than you think. I’ve got a whole new technology to deploy, new instances to deploy, and I have this concern that I’m not going to be able to produce the logs that I need during my external audit. So it’s just easier to stay with them.”
John Verry (42:05):
I think that’s another really great thing that you guys do is the way that it’s architected. It really gives people a significant amount of flexibility.
Danielle Russell (42:17):
Along the same vein too, it’s the same type of flexibility that you might have with a self-managed versus managed environment. Whether you’re using the USM platform on your own and you have your own security resources and you want to get started that way and then get to a point where you say, “Hey, we’d like to bring in an MSSP, like Pivot Point, to come co-pilot this program with us.” Again, you don’t have to rip and replace what you were doing.
Danielle Russell (42:43):
Or on the reverse too, you could get started with a partner and then say, “We really aspire to grow this threat detection response, grow our own SOC someday, but right now, we’re just not there or right now, that’s not our priority, but we know that it is in our roadmap. So let’s bring in a partner like Pivot Point to manage our USM instance and again, when we are ready to take that over, that we can do that without losing any kind of logs or missing a beat in your security posture absolutely.”
John Verry (43:15):
Yeah, I think it’s fantastic. I think we did a pretty good job here. Let me ask you an off-topic question. You deal every day with people like those who are listening to this. If I asked you this question, what fictional character or even real-world character do you think would make an amazing CISO or a horrible CISO and why? Why would you say?
Danielle Russell (43:38):
Oh, wow, that is such a tough question. Okay, terrible CISO, I’m going to go with Eeyore from Winnie the Pooh, the eternal pessimist.
John Verry (43:53):
That’s actually really good. I like that one.
Danielle Russell (43:55):
Let me explain why. You might think that it’s a good quality for CISOs or security practitioners to be a pessimist, or you might say a realist. I would argue, though, that first, for the mental and emotional health of security practitioners, this is a tough space to work in and we know that burnout is pretty rampant.
Danielle Russell (44:18):
Being kind of optimistic and thinking about what new business possibilities can we open up with a good cyber risk posture? How can we earn more brand trust? How can we help the business to achieve our outcomes faster? That takes a lot of optimism and it takes a lot of being able to not always think about the [inaudible 00:44:40] or think about the potential disasters and bringing that energy or that type of an argument into the business.
Danielle Russell (44:48):
The space that comes in as the Eeyore and says, “Oh, well, we need more money over here to do this,” or “We’re at risk over here.” That can be a tough sell to the rest of the organization. But positioning that as an opportunity for the business again to protect the great work that the business is doing, ensure business continuity, create new opportunities for the business, I think that’s important. Then again, I’m a marketer so I’m always trying to spin things positively.
John Verry (45:20):
I love that. I have a follow-up question now. I have to ask, does that make Christopher Robin a great CISO? Or Tigger? Let me reverse. Does it make Tigger a great CISO? Or is Tigger going to be a bad CISO, too?
Danielle Russell (45:33):
I think Tigger is awesome.
John Verry (45:36):
Are there any good CISOs in the whole Winnie the Pooh universe? Is anyone going to be a good CISO?
Danielle Russell (45:38):
No. Absolutely not. Maybe because they’re fictional animals.
John Verry (45:45):
Wait a second. We have all met Tigger CISOs. They’re just all over… ADHD. It’s the classic silver bullet, crazy, all over the place guy, right? ADHD.
Danielle Russell (45:57):
Yeah. The next silver bullet vendor loves the Tiggers because, “I’m going to sell you the thing that’s going to solve all your problems tomorrow. Forget your roadmap. Forget your cyber risk posture goals. Let’s just get the new, cool shiny object.” That would be the Tigger CISO for sure.
John Verry (46:14):
Okay, so I want to give you credit. You’re the first person in all the podcasts that I’ve done that gave me two bad CISOs, so thank you for that. Last question, again, you talk every day to the people that we talk to, the people that will listen to this podcast. Any specific topics that you think would be interesting for a future Virtual CISO podcast?
Danielle Russell (46:34):
Yeah. I always want to hear from CISOs and practitioners. Thank you for having me on, but I’d much rather have you talking to folks who are in the trenches every day. As far as topics go, there’s no shortage of interesting topics in cybersecurity and in cyber risk.
Danielle Russell (46:55):
One thing that I’m thinking about a lot right now, and it relates to what I just said, but I’m thinking about the idea of brand trust and brand credibility and what responsibilities the rest of the organization has to lean into the cybersecurity program. I think this is especially true in an era where consumers and customers are becoming so hyperaware of the cyber threat landscape and so hyperaware of how their own personal data might be exposed or might be used.
Danielle Russell (47:27):
As we see more types of consumer privacy regulations and guidance come out, following the GDPR and California’s CCPA, I think it’s super interesting to think about how cybersecurity and cyber risk and data privacy not only affect the CISO office but affect the other areas of the business, whether it’s the COO, the CMO, or broadly thinking about the organization’s brand trust.
John Verry (48:00):
That’s really cool. So more security as a strategic differentiator.
Danielle Russell (48:03):
John Verry (48:04):
It is interesting because and I know this is going to warm your heart, but increasingly like this morning, I was on a call with a potential client and it was the chief marketing officer. It was a privacy issue. That’s exactly what she was talking about. It’s so funny that you mentioned that because I’m like, “Why is the chief marketing officer…” She goes, “Because I think this is something that I need to be able to communicate to my clients to better differentiate us from the people that aren’t doing that.”
John Verry (48:30):
And then on the CMMC side, the Cyber Maturity Model Certification, which is going on in the DoD space, increasingly, the people we’re talking to are their vice presidents of sales, and the reason they are is because without getting to a certain CMMC certification level, they’re not able to bid on RFIs or RFPs.
John Verry (48:48):
I actually think your thought process is really good. I like that. We’ll try to figure out a way to do that. I’m not sure who would be the subject matter expert to have to talk to, but I like your idea so thanks.
John Verry (48:59):
Before I say farewell, how can people get in touch with the good folks over at AT&T if they want to learn a little bit more about the stuff we talked about today?
Danielle Russell (49:08):
Yeah, absolutely. First, I would point you to our website. That’s www.cybersecurity.att.com. We have a lot of great resources there. A lot of white papers and webcasts to reference and you’ll find information as to how to test out our demo to do a free trial of our product, find a partner, whatever you might need. That’s probably the best way.
Danielle Russell (49:32):
I’d give out my Twitter handle, but to be honest, I am awful at Twitter. I missed that generational [inaudible 00:49:39].
John Verry (49:42):
They’re going to take your marketing license away. Come on. Social media, you’re not… Come on. All right. You probably have an email address. You have a fax machine, Danielle? Should they fax you, Danielle?
Danielle Russell (49:57):
Please knock on my door.
John Verry (49:58):
Do you have a postal address? Or maybe just the Pony Express delivered to your house there in San Antonio.
Danielle Russell (50:07):
John Verry (50:23):
Danielle, thank you so much for coming on the podcast.
Danielle Russell (50:25):
John Verry (50:25):
This is awesome.
You’ve been listening to The Virtual CISO podcast. As you probably figured out we really enjoy information security. If there’s a question we haven’t yet answered or you need some help, you can reach us at firstname.lastname@example.org and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.