Interviewer: What cybersecurity tools and technologies do you see as crucial in the coming years?
Michiel de Lepper: The biggest challenge with cybersecurity is that it's really hard to look one year ahead, let alone multiple years. There are two major paradigm shifts I see. The first one is AI as everyone is leveraging AI, some for better and some for worse. At the same time the bad guys are leveraging it as well. So, that's a major shift in the paradigm as well. However, AI can be a very powerful agent for good, if you leverage it correctly.
If you joined my Attack Surface Reduction session [at Runecast’s SecOps 360 Day event on 22 June 2023], I referenced the fact that you have human machine teaming where you amplify each other's strengths. This is where AI can be very powerful. On the other hand, the other paradigm shift is that the industry has been talking about platforms for a gazillion years by now and we´re now finally starting to see integrations happening and the security industry really looking at things from almost a vendor agnostic kind point of view, where we just want to help people, and it doesn't really matter what vendor they´re around, or what else they have implemented. That interoperability and that integration with other solutions is really key. And you see that with SIEM moving to SOAR, SASE moving to SSE, EDR going to XDR, everything is going towards a platform approach. Because cybersecurity is really complex and you don't have resources, people or time to manage it.
So that siloed approach of cybersecurity we are talking about, a lot of people have been preaching about this for years, but now we are finally starting to see it a little bit. The siloed approach is slowly but surely leaving, and that we are really going to look at integrated security, which is exactly what we do [at Runecast], because all of our environments are integrated into each other. Overall, the more holistic approach, the better it is in terms of tools and interoperability with them.
Interviewer: How do you stay up-to-date with the latest cybersecurity threats and solutions? Could you share some tips for good reading/listening?
Michiel de Lepper: One way that I think is very important is reading the news about the latest threats. Also, reading, researching, and following different channels to listen to podcasts and finally discussing with people in the industry. So basically the recipe to stay on top of the latest threats and solutions to fight these threats is the combination of reading the news, listening to podcasts and talking to people who are interested in the cybersecurity field.
About the tips and tricks, from a news point of view there is The Hacker News which would be good to register and follow. Also, there is Ars Technica and it has really good content as well. From a podcast point of view, which I listen to weekly, is Risky.biz which is run by Patrick Grey in New Zealand, who is a security researcher and Tom Uren comes there as well. It is a very informative podcast and they really have good speakers.
Interviewer: How far can Runecast help with Cloud Migration projects?
Michiel de Lepper: This is actually a really good question. It depends how you look at it though. A lot of answers are going to be like that today because of my view on cybersecurity, as I always tend to look at the bigger picture right in the entire organization. So, cloud migrations are happening all the time and I think that one of the big things with cloud migration is that when people migrate, they think about the data and the applications, which is okay, but when you look at Runecast and how we see infrastructure, you notice we can help before you do that migration.
When you are setting up your cloud infrastructure, this is where Runecast can be a very critical part, because you can check your configurations, you can track your vulnerabilities, you can check your compliance standards that you want, whether it is regulatory or security compliance. So, once you actually start with a particular cloud migration, you have a safe space where you can actually put that data.
In a previous session I made a reference to Pizza as a Service for the cloud responsibility model. When we look at the cloud responsibility model, data is always your own responsibility. So having the ability to put that data into a prepared space that is actually secure, configured properly and compliant with all of the compliance regulations that you need, is a very big win – and you don't have to do all that stuff manually, but you hook us into it. Then we will tell you exactly what needs fixing, and what you need to do to actually fix it. So, from this point of view I think we can be really helpful.
Interviewer: How is preparing to pass a one-time audit by anyone to be compliant, and do cybersecurity firms ever cover claims from organizations that prove compliance?
Michiel de Lepper: Let me start with the basics on this one. Why do we have compliance? If I am a bank, and I handle payment card industry, payment card details, I need to be PCI DSS compliant. Why? Is it because someone tells me to? Well partly, but down when you look at the essentials and the basics, compliance is driven by breaches.
Compliance is nothing more than a standardized set of rules and regulations of checks and balances within your environment to make sure that you have a minimum risk, and calling what we do in our industry as security is a misnomer. This is because we don’t secure and we don’t protect. Instead what we do is risk management. We minimize risks. Nonetheless, we can never take the risk away [entirely] unless you give me your data on a hard drive then I pour it into concrete and shoot it up into space and then maybe… but otherwise, what we do is risk management.
So, we need to acknowledge that the main driver for compliance is risk management and minimizing risk. If you look at the compliance from that point of view, you start to understand that compliance is not just a tick box exercise, but instead something that I continuously need to do throughout the year to make sure that my risk is minimized. If you treat compliance as a tickbox then you are going to have issues, because at that particular stage, I have six weeks of an audit and everyone is running around like a headless chicken. Noone is happy, not even the auditors trust me, because I talk to them. So, finally, on a Tuesday morning at 10 am, you pass your audit. Congratulations! So you passed your tickbox. Then someone somewhere makes a change in your environment. Five minutes later you have been breached. But wasn’t I compliant? No no no! You were compliant five minutes ago. You had no insight if you were still compliant.
As a result, compliance as a ‘tick box’ is never going to work. If you realize and acknowledge that, great! But this is something that from a vendor point of view we need to start educating people around us on and make them aware, both from distributor/partner and a customer’s perspectives. We need everyone to start realizing that whenever we talk about compliance, this is driven by protection and this is something that we need to do continuously. That is why a part of our messaging is about continuous compliance.
Interviewer: What steps and procedures do we have to take to ensure continuous compliance then, if an organization doesn't want to do the ‘one-time tickbox activity’ that you mentioned before?
Michiel de Lepper: Generally, there are four steps that I generally talk about when we talk about compliance and the processes behind compliance. First of all, before you do anything you define what is the ‘must-have’ for my organization, and then what’s ‘nice-to-have’ and focus on your ‘must-haves’. Once you have that, that’s where you start the process of implementing compliance.
The first step is getting visibility. Visibility is the foundation on which everything else is built, because you can’t protect what you can’t see, let alone scan or judge something if you don’t know it’s there. So you need to get visibility across all of your assets, including that web server in the basement that no one thinks about, or the dev environment that was used for testing. Because a developer wanted to have data, they use the live database and that data is still on the server. So, visibility is always the very key aspect.
Once you have visibility across your entire environment, you go to step two, which is vulnerability management. So you need to start doing vulnerability assessments. Then once again, coming back to that topic, ownership and accountability for that, both from a discovery perspective and a remediation perspective. And that is continuous. When we look at vulnerabilities, vulnerabilities and compliance go hand in hand. So once I start tackling my vulnerabilities, doing all the stuff around that, that’s when you move into regulatory compliance. That is when you start to benchmark against your compliance standards, because half of that work is around vulnerability. So you are doing that anyway. Now, it sounds very easy but it’s not. It is very time-consuming and a lot of manual work.
The next step is automation. Because you want to automate as much as possible as it takes you from whatever state you are to a desired state, which is nice, but the most important aspect is remaining there. Furthermore, without automation you are never going to stay compliant. This is where you start to monitor that drift that I talked to you about. Everytime you drift out of compliance, you proactively need to do something and go back again. So it’s visibility, vulnerability, compliance and automation. Once you have that in a cycle, because this is a lifecycle process, that’s when you start to move towards continuous compliance.
Interviewer: And that itself gets even more complex if you have various types of infrastructure or a hybrid environment, right?
Michiel de Lepper: Correct. You need to do this across all your environments. So you have clients, servers, virtualized infrastructure, and you have your cloud and your SaaS applications, all that stuff needs to be benchmarked if you want to be compliant.
Interviewer: Is there any difference in terms of the processes or steps that will be implemented?
Michiel de Lepper: No. The only difference is where you apply those checks and balances. If we refer back to the shared responsibility model for cloud, for instance, take AWS; you are never going to be able to touch the underlying infrastructure for AWS, ever! And for good reasons. That is not your problem. Amazon, Microsoft and Google make sure their underlying infrastructure is secure but everything else you put on top of that is still your problem. So the process remains the same. It’s just where you apply to process for instance, on-prem versus cloud versus SaaS. SaaS is a different beast as well. But once again, data is very important there. So, we will look at SaaS applications, who is accessing them. That’s part of compliance as well. Where is that stored and how am I sharing that? Everything remains the same. It’s just different applications of the same thing.
Interviewer: How much then does remote work play into that, with people bringing their own devices and things like that? I suppose that people have to be extra careful and diligent in terms of the process?
Michiel de Lepper: Absolutely right. And this is the exact reason why there’s a whole industry being spun up right now all around SASE or SSE (Security Service Edge). It’s not something that we do as an organization. We work on infrastructure, but from a basic principle. SSE, which is the evolution of SASE, was born to solve that problem because everyone is working remotely. So what you need to do is you need to make sure that the people accessing your applications and data, wherever they are, are actually the people that they are instead of someone pretending to be. I can give you an example. There are very simple checks that solutions like that do. When you look at me, I am based in Ireland. So, I log into Salesforce, for instance and start to make notes and they register i’m in Ireland. Great, awesome. Then a couple of hours later, I log in from the Netherlands. Okay, given his behavior tracking, he travels a lot and Amsterdam is an airport so it’s feasible that he is there. Another week later, I logged in from the US. All fine because I traveled to the US as well. And then on Monday morning, I log in from Ireland again and in the afternoon I log in from China. That is the super human example, right? Unless I am Superman, there is no way I can go from Ireland to China in under a few hours. This is a very basic example. There is a lot more that they are checking but yes, things like that need to be taken into account when you are working remotely. Remote Work is a good thing for a lot of people. On the other hand, from a security point of view, it can be a massive headache as well, which is why SSE is there, among other things.
Interviewer: Given that the cybersecurity threats and compliance trends or security trends and solutions are evolving fast, how do you keep yourself up to date?
Michiel de Lepper: Thankfully, there is someone internal in Runecast smart enough to create a Slack channel with a crawler that just crawls a lot of cybersecurity news articles in there. So I check those very regularly because I am so obsessive compulsive about having nothing unread in my Slack. As a result, I check it everyday. So that’s one way to keep on top of the news. Another thing that I practice is listening to podcasts, reading news articles and talking to a number of friends because I’ve been in this industry for so long and a lot of my friends are very serious into cybersecurity. So whenever we meet either virtually or physically for a coffee or beer, or we have virtual meetups with X team members and whatnot, staying on top of everything, listening to podcasts and then just discussing it with people. I think that is a really good way of at least staying on top of everything.
The main thing I always see, as I have been in cybersecurity for a long time, is that I don’t know everything. That is alright, and never be afraid to ask. I think it is really important not to be afraid to acknowledge that you don’t know something, instead search for that knowledge and ask someone who explains it to you – because that’s the best way you are going to get it.
Meet other Runecasters here:
Be Proactive and Secure Your Environment!
Don’t wait for your vulnerabilities to be exploited.