An inside-out look at cyber security from Arctic Wolf CISO Adam Marrè

Speaker 1: 0:22

Welcome to this new episode of Tech Scene Talks on Tour. I'm at the RSA conference in San Francisco and I'm here with Adam Marais. He's the CISO of Arctic Wolf. Adam, welcome, it's great to be here. What does a CISO of?

Speaker 2: 0:36

a security company do? It's a good question, one I actually get a surprising amount. I should clarify I'm not a field CISO or a CISO that's really outward-facing, although I do talk to customers and I do things like this, podcasts and various interviews with the press my focus is on securing the company. So really, my job is not unlike any other CISO. It is to secure Arctic Wolf against attacks, against misconfiguration, against negligence, all the risks that might come from a cybersecurity standpoint. It is my job to make sure that we have the team against negligence, all the risks that might come from a cybersecurity standpoint. It is my job to make sure that we have the team, tools, operations, everything we need in place to protect the organization.

Speaker 1: 1:14

That's what I do. That's quite interesting, because does a cybersecurity company itself run the same risks as a normal company does, as a normal company does, or do you build in more security controls from the get-go as a security company? How does that work?

Speaker 2: 1:33

Yeah, you really hope that you do. The risks are the same, they're no different, but obviously the reputational cost is significantly higher for a security company when when that's your job so many companies can. I mean, the truth of it is, many companies can withstand a cybersecurity event, a breach or something like that, depending on what they do and the level of their customers needing to trust that company. Security and you know what kind of information they're dealing with. It's very different for, you know, maybe a company that makes some sort of widget or a hardware store or something like that. It's going to be very different than a security company or things like a bank.

Speaker 1: 2:14

Yeah, with lots of personal information, credit card information. Those are the high risk kind of environments.

Speaker 2: 2:21

Yeah correct, but even a lot of organizations that have lost that kind of information have survived a breach. But if you had a major breach of a cybersecurity company, that is going to be a huge reputational hit and you may survive it, depending on your size. But it's very different, and so you take security to a different level and different priority when you're a cybersecurity company.

Speaker 1: 2:42

It is quite concerning how many security companies have well bad code in their solutions or maybe even their security posture is just not right. I mean, we've seen lots of coverage on Microsoft, but also recently we had MITRE who was breached. We had MITRE who was breached. Those are companies that other companies put a lot of trust in and to me it's weird to especially the Microsoft case. It's very weird because they didn't have their basic hygiene in order at all. Right, and how can that be? It just amazes me, it really amazes me that be.

Speaker 2: 3:31

It's just I, just it amazes me, it really amazes me. Yeah, it really shows that cyber security is not easy, even for companies that make it a priority, or supposedly make it a priority. Yeah, and even the, the quote-unquote easy things or the things that we've known about for a long time, are hard to get right and they're hard to get right over time. And you have to understand, especially with smaller startup companies, the incentives are to deliver features, deliver the product, and security even at a security company is sometimes some companies, can you know, try to sacrifice in the face of time and and shipping features and things like that. Now, obviously, article. We do our very, very best not to do those things, not to cut those corners and try to set up the very highest and utmost of security. But I am humble enough to realize that no one's perfect and we're all trying our best here.

Speaker 2: 4:19

So I don't like to point fingers, but I do like to learn, yeah, from what I see at other companies and try to bring those things inside and make sure we learn from what I see at other companies and try to bring those things inside and make sure we learn from. You know, let no incident go to waste, even if it's at another company.

Speaker 1: 4:33

I think that's an interesting point, because a lot of the problems that are still around are with the basic hygiene right. I mean, even things that are supposedly easy to do don't get done. Is that? I mean? That's my perception, at least, of the market. Is that your perception as well? Absolutely.

Speaker 2: 4:54

You can look at Arctic Wolf's threat report. You could look at Verizon's DBIR report. You know that comes out every year and you are going to see two main themes and this is across. You know tens of thousands of incidents. It's not patching vulnerabilities and taking care of your identity, whether that's you know passwords or or other things. Those are the two main factors that allow attackers to get in and you know they may. They may get those credentials through phishing or something like that and maybe, maybe some random thing you haven't thought about in a long time that's not patched. But the fact of the matter is it comes down to those basics and that's what companies need to work on. And it's great to talk about all this fancy new stuff that's come out and worry about these risks, like with AI and I'm not saying those risks aren't real, but what affects companies day in and day out is patching vulnerabilities and identity.

Speaker 1: 5:47

We're going to get to the AI part later, obviously because we have to talk about it, otherwise it's 2024. But it's 2024. And we're still talking about patching. I think that's why is that right why?

Speaker 1: 6:02

I mean, I get that some environments are not easy to patch, some environments may not be patched at all or aren't allowed to be patched, or whatever IoT or OT kind of stuff. But why haven't we solved this yet? Because I've been around in this industry for quite some time and I don't think I've ever had a discussion about cybersecurity without talking about patching.

Speaker 2: 6:25

Yeah, I mean, and if I knew the answer to that I'd probably be making a lot of money at a company solving that problem but I think there's a number of things that go into it. And it's interesting to realize we're not talking about zero days here. In fact, in our Arctic Wolf threat report, zero days accounted for 3.4% of breaches a very, very low number. We're talking about vulnerabilities, and most of them have been out for more than a year and had a patch. So this isn't, like you know, unpatchable stuff. It's. It's, uh, you know, pieces of software code, things like that, that are you know, the patches available.

Speaker 2: 6:59

Um, I think we're starting to do things a little bit more intelligently. For example, sisa now has their known exploited vulnerabilities list, which allows you to prioritize what you patch to things like not just all the bajillions of patches you have to do out there, but just the things you know. This is much more likely to be exploited. And then also, if you have a better understanding of your network and where your important information is, then you can focus on the things to patch, because really, what we're dealing with here is time, time and effort, and a lot of times that time and effort is taking away from producing the product, shipping more features, all of those things, and it's actually counting against your bottom line, because you know the way it's calculated financially and the number of patches that aren't being deployed is only increasing, I would imagine right, Because the environments themselves are getting ever more larger and more distributed, more complicated, more complex.

Speaker 1: 8:00

So we're not going to end this discussion anytime soon, I think, about patching.

Speaker 2: 8:05

No, I don't think so, and as long as we have attackers out there with lots of time and resources, they're going to continue to find bugs and ways to exploit these different features, and we've got to patch them. So it's not going to end the conversation.

Speaker 1: 8:20

Because patching, especially in certain environments, is a very manual thing. Still right.

Speaker 2: 8:27

Many environments, yes, Automating?

Speaker 1: 8:29

it is not. I spoke to someone from a bank recently and he said, well, it's very nice to have automated kind of cybersecurity, but if my traders they don't want to go offline, right. So my traders always want to trade because they want to make money, so I don't want automated uh, patching or automated ai and that's probably something that you hear a lot out of the market as well right, because there are a lot of reasons not to patch correct.

Speaker 2: 8:59

It can break things, and it can break things catastrophically. I think that's becoming less common, but in a lot of places where you cannot have downtime, you've got to. This is why it's so time-consuming. It's not just like on your home computer oh, the update button comes up and I click the update button. There is a lot of time and testing that has to go into this to make sure you're doing it right and not breaking things.

Speaker 1: 9:20

I think the home computer update is annoying as well it is, and that's only five minutes. Yeah, it is annoying.

Speaker 2: 9:27

And there have been times when, hey, you updated to the last OS and now a whole bunch of stuff doesn't work. That doesn't happen as often anymore, but for a while there it was happening a lot and that can be extrapolated. You can basically say there's a version of that at work where if I update these things. So that's why you have to have a lot of time and attention to making sure that you don't break things when you patch, which is why it's not super cheap and expensive.

Speaker 1: 9:50

Do you think deep down it's more of a software development problem than a security problem, the patching problem, to use three times problem in one sentence, yeah, I think that that's a complicated question.

Speaker 2: 10:03

Yes, I do think if we adopted more of the secure by design principles like CISA is trying to put out right now and other organizations have, I do think that would lower the number of patches. But I do not think, with as complex as our online world is and our software world is, I just don't think we're going to design our way out of the problem and create perfect software that doesn't need to be patched. That's not going to be part of it. Although, yes, if we code more securely, we make things secure by design. It is going to lower the number of patches.

Speaker 1: 10:33

You should be able to do updates or patches. You should be able to do those in the way that you, for example, update your VMs on your servers, right? That happens without going offline and without going down, so with zero downtime, and that's something I think the software development world could work on, and I'm pretty sure they are to do this. Because it works on your phone, right? Your phone doesn't really go offline a lot, at least it just does it at night and it's gone, and then the next morning you have a new version of your OS.

Speaker 2: 11:10

Yeah, and think of where we've come, how far we've come to get to that point. And, yes, more and more systems are actually doing this, but there are still those legacy systems. There are still systems that are so intrinsic to what's happening, so deep, that you're not going to be able to get to that level where there's zero downtime to update it, but you can have other systems come online. That's a way to test your resiliency and things like that. So all of that comes into play, but this underscores the fact that it's not simple, and I don't think it's going to get very simple in the near future, although it does appear that more and more people are working toward that future which we need to get to.

Speaker 1: 11:46

Well, at least there are good signs.

Speaker 2: 11:48

Yes.

Speaker 1: 11:50

But the problem that we need to solve is getting bigger by the day as well, so you're gonna keep pace with it.

Speaker 2: 11:58

Correct, yes.

Speaker 1: 12:00

And I think you also mentioned something about organizations needing to determine which one have priority which ones are priority, which ones don't? So that basically means you're talking about sort of a risk-based approach to cybersecurity. You don't necessarily have to patch everything all the time. You just have to look for the things that you really need. You have to patch. This always sounds nice, but how do you determine risk as an organization Having to do this kind of we don't do this, we will do that.

Speaker 2: 12:38

Yeah, and that's a very deep question and there have been lots of books written on the subject and it's an incredible.

Speaker 1: 12:46

We have 10 minutes.

Speaker 2: 12:46

Correct, correct, it's an incredible field that continues to advance and change with the landscape Right. So it's a great field to look into. Basically, at the fundamental level, you have to know what all your stuff is. Yeah, what are all my systems, what's all the information and data that I have? And then you have to be able to prioritize that in some way, and we do that using risk. And there are very complicated methods, like the full fare model, and there are very you know it's kind of back of the napkin really quick and hasty ways to do it, and I don't think any of those are wrong. Some are a little more accurate, maybe a little more useful, and you've got to find out what works for you at your level.

Speaker 2: 13:27

But I even, I think, even if you're a very small organization using a risk-based approach, even if it's just hey, I think it's this probable and I think it'll have this impact, is better than not thinking about that at all.

Speaker 1: 13:39

It reminds me of I think it was a statistician in the late 70s who said oh, models are wrong, but some are useful. Yes, correct, correct.

Speaker 2: 13:48

Or much like our system of government. Right, it's the worst, except for all the others right.

Speaker 2: 13:53

So you need to use that risk-based approach and there are a couple of, I think, fundamental principles that really help here. So, yes, knowing your environment is really important, but also really understanding which are the biggest risks that you want to worry about, collecting them together at a level where, if you're talking to decision makers, it's the right level of complexity for them, the right level of depth. You don't want tactical risks to be at that level. At the executive level, you want strategic risks. So you've got to understand how to sort of bundle them together or sort of collect them together into sort of larger strategic risks. And then you need to translate those risks into something that those other leaders will understand. And the reason I'm talking about the other leaders is you, as the CISO or the security person at your organization, you don't own all the risks. You should not. No, those should be given to each of the business leaders that have the ability to affect that risk.

Speaker 1: 14:47

And ideally everybody in a company has to sort of be aware of risk to a certain extent, right.

Speaker 2: 14:52

Correct, and that's why I like to convene a steering committee, or I call it the Information Security Council or some sort of group that gets together, looks at how everybody else has decided to handle these risks and decide collectively are we at the right level of risk? And that fundamentally underlying all of this. You should have a risk tolerance or a risk appetite, and it should be written out as a statement that you, as an organization, have thought this through, you've debated it, you've discussed it and you've said this is the level of risk we will accept, and nothing less than, and that can be sort of your Even that first step of actually discussing it and talking about what will we accept and what won't we accept, Correct?

Speaker 1: 15:30

I think that's something that a lot of companies don't even do right.

Speaker 2: 15:33

Yes, they don't even do it. So then, characterizing the risk and say should we accept this risk, should we try to mitigate it, should we transfer it? What should we do with this?

Speaker 1: 15:40

It becomes much difficult because you haven't even decided, as a leadership organization, how much risk are we willing to accept as an organization, and probably everybody has a different opinion on that, probably, so you need to talk about this. Otherwise somebody's going to say this is very important. No, no, no, it's not important, that's important. And then you're not getting anywhere as a company, right, correct?

Speaker 2: 15:59

And then it's also important, as you get together to discuss, how are you going to talk about risk? How do you evaluate the probability and impact? Do you translate it into dollars? Do you translate it into something else? How do you sort of normalize all these different risks so you can talk about it in the same way and then say this is going to be our plan and this is how we're going to address it?

Speaker 1: 16:18

Well, I think that ties in nicely with another topic I would like to discuss. It's outsourcing more and more of your security. That has a tendency to, maybe for companies, think well, I'm outsourcing a lot of my stuff now, or all my security, because I have an MDR provider or whatever the acronym is of the day, so why do I still have to care about this? Is that something that you see happening in the market? I know you don't speak to a lot of customers, but you must have your ear to the ground every now and again. Is that something that you see happening in the market that people tend to think well, now, with the rise of managed services around security, we don't really have to think about security that much anymore.

Speaker 2: 17:02

Yeah, it's interesting. I'm also a customer of Arctic Wolf, so I get to experience this and I do talk to a few customers. I haven't really actually heard anybody say now I don't need to worry about this. Really, what it is is they have a small security team. They've either decided not to invest more in in-house security, which may be the right choice for them, or they just don't have the resources to do it. So they bring on a partner like Arctic Wolf that's going to handle a lot of this for them. But ultimately, at the end of the day, they still own it for them. But ultimately at the end of the day, they still own it. They still need to make the decisions, because you can't just point your finger at your security provider and say you know they screwed up to your customers because they're going to say no, you're in charge here. So it really is still your responsibility to oversee that program.

Speaker 2: 17:47

But yes, you can, especially a lot of the minutiae or day-to-day. You know decisions or actions that need to be taken. You can, especially a lot of the minutiae or day-to-day. Uh, you know decisions or actions that need to be taken. You can have a partner really help you with those. But at the end of the day, you're the one deciding yes, this is how I want to handle those kinds of incidents. I want to have this kind of escalation. You've got to make those decisions. And also, you can't be working against your security provider. You can't completely not care, and then I'm going to spin up a bunch of stuff in my cloud service that I'm not going to tell my security provider about. It's going to be totally insecure. You can't be working against them. So this is not something you can fully outsource to another company. You have to be involved.

Speaker 1: 18:26

Are there also levels of how much you can outsource? Because then you get back to the previous discussion on what do you outsource, right, because, uh, and because. Then you get back to the previous discussion on what, what do you? Also, because you can, you could say the highest risk stuff, I'm going to outsource that, and all the lower risk stuff, we're going to keep it, keep it ourselves. Is that something that makes sense, or should you just not do that?

Speaker 2: 18:46

yeah, I think it really depends on your organization how much you can involve a partner in helping you deal with your risk.

Speaker 2: 18:54

But it's still your risk, at the end of the day, that you have to deal with, and so it just really depends on what your organization is, what your risk appetite is, how you handle that and making sure you have the right partner involved that cares about you, that knows about you, that knows about your environment. That is really important to making sure you have that good relationship and that you can talk to them frequently and you understand how they're handling your security. I think it's not a good recipe to fully just try to throw your security out to another company, and this is I mean, this is cybersecurity, but it's also physical security. You can't just bring in a physical security company, have a bunch of guards around and not talk to them and realize that it's your ultimate responsibility to oversee them. So, regardless of what kind of security you're talking about, it's really important to make sure that you're still involved in that conversation all the way, All right.

Speaker 1: 19:43

So I mentioned earlier that we would get back to the AI discussion right.

Speaker 1: 19:46

So we're going to talk about it a little bit. I mean, there's so much buzz around at the moment, right, Both on the attacking side and on the defending side as a company or as a potential victim or target. I would be either very scared now or completely. I wouldn't know where to start or what to do, so I would be very confused as well. What should we take out of this AI discussion when it comes to cybersecurity? What should companies get out of that or learn from that?

Speaker 2: 20:23

Well, first of all, I think we all need to take a deep breath, because it does seem like we're a little breathlessly talking about AI and everything that's happening, so take a deep breath. A little breathlessly talking about AI and everything that's happening, so take a deep breath. This, however, is a technology that I don't think we're overblowing the potential risks that could be coming. Sometimes, things come out and people are like, oh, the sky's falling and it's probably not as bad as what they think, or maybe even be different With AI, I don't think we are blowing the problem out of proportion. Our thoughts and our imagination are maybe a little ahead of reality right now, which isn't bad, actually, that's good, because we need to have ways to regulate, oversee, legislate, litigate, do all the things we need to do to try to corral this huge thing of AI.

Speaker 1: 21:17

Because somebody, I think it was maybe it was Sam Altman, I don't know but he said that AI is the dumbest it's ever going to be. Now, right.

Speaker 2: 21:23

Correct. It's the worst it's ever going to be right now.

Speaker 1: 21:26

And you're not. So you don't really know what to prepare yourself for right. So you can't really know what to prepare yourself for right. So you can talk about we need to think about how we do this in terms of I don't know compliance, in terms of this or that, but if you don't really know what you're up against, that's quite hard to do.

Speaker 2: 21:48

Yeah, and I don't think we can extrapolate too far in the future, but there are categories of things that we can talk about now that we should deal with, Like, for example, deep fakes. So, whether we're talking about deep fake audio, deep fake video representing a real person, with a video of them that looks totally real but that is not them saying things, that is something we can grapple with today and really talk about. Similarly, articles or other pieces of media that maybe aren't a person but are completely unfactual or miss or disinformation.

Speaker 1: 22:22

I have some opinion on that as well, being a journalist.

Speaker 2: 22:25

Yeah, exactly that is something we can grapple with today. So, just because we don't understand all the problems that could arise, like sentience, the singularity, we should deal with what is happening now and what we're extrapolating into the future.

Speaker 1: 22:39

Yeah, and then obviously you have the offensive and the defensive side of AI the offense, I mean and I think the balance will still be the same right, the defenders still have to be right every time, and the offenders or the attackers only have to be right once. You know the old saying. But do you see that dynamic changing when you deploy AI at the defense as well? So, for example, you see now that a lot of attackers have all of the software that's available, all of the antivirus software, all the endpoint security software available to them as well. So they know where the, they know how deterministic those models, those things are, how they work, what they do when they see something, so they can actually prepare for it.

Speaker 1: 23:35

That's a lot harder when you're defending using an AI, I would imagine, right, without getting too esoteric, but those are not necessarily very deterministic, so you never know how it's going to respond. So that could Maybe I'm just being idealistic here, but a bit too much of an idealist, so that could maybe I'm just being idealistic here, but a bit too much of an idealist, but that could potentially give the defenders the upper hand a little bit.

Speaker 2: 23:59

Or am I making it too? Yeah, no, I don't think you're wrong. I actually think there's a lot to be excited about here when it comes to defense, because one of the problems with defense has been not necessarily the tools or the data, but making sense and using the tools properly and making sense of the data, and it's one of the things Arctic Wolf does really great.

Speaker 1: 24:21

Oh really, I wouldn't expect you to say that Arctic Wolf does it very well, but no, I'm joking. Yeah, yeah, yeah.

Speaker 2: 24:28

But bringing together all of that information and having AI make even more use of it is actually something I'm really excited about.

Speaker 1: 24:35

So when you?

Speaker 2: 24:36

have lots of data coming through, finding even more anomalies and trying to stay ahead, anticipate how someone is going to try to break in. But be AI-powered or not is really going to. I think it's going to supercharge the ability to do that because they're like you said, it's deterministic. There's a finite amount of ways that people can break things and break in just because there's a. There's a finite amount of software and different entry points to protect, and I think AI is really going to help the defender. Now it's going to be really interesting to see how attackers start to leverage this. So I think there's a lot to be seen here, but both sides are going to benefit. So it is a bit of an arms race to see how this unfolds, but there is hope, I think, in the good uses of AI too. We shouldn't just be afraid of the threats and risks that it represents.

Speaker 1: 25:26

And that's actually a nice way into. The final point I'd like to discuss is how companies like Arctic Wolf, but maybe the entire cybersecurity industry, could improve how they do, what they do, to make it more, to make it easier, to make it maybe to protect companies better. Basically, where do you see room for growth for the cybersecurity industry itself?

Speaker 2: 25:55

Well, we've heard a lot of talk recently about platformization, and I think the reason that that is becoming something that companies are talking about is not just because they want everyone to be on their platform. That helps.

Speaker 1: 26:08

Yes.

Speaker 2: 26:10

But also I think it's really because what customers ultimately want is outcomes. They actually don't really care about this technology, that technology Maybe some of us who are in cybersecurity are really interested in that but what business leaders want? What businesses want, they just want to get to their business. They don't want to have to deal with this. So they want to look at outcomes, and the more that they can simplify and have the outcomes they want without having to worry about the individual parts, the better it's going to be. And so I think we're going to see a consolidation of that and maybe even some categories are going to get kind of get subsumed into larger cybersecurity providers. We're going to provide subsumed into larger cybersecurity providers that are going to say we're going to provide these outcomes to you.

Speaker 1: 26:53

Because one of the issues obviously is that there are way too many security companies anyway.

Speaker 2: 26:57

We just go to the show floor at RSA and see.

Speaker 1: 27:00

I mean, I used to quote, I used to use 2,500 as a number, but apparently it's 3,500 already or whatever, maybe even more. But I don't really see that that decreasing a lot, because obviously every time a new challenge arises, 55 new companies pop up that say that connection that they can deal with, that they get subsumed or bought by bigger companies again, but then a different challenge arises and then you get the same spiel again. So I think it's quite hard to reduce the number of companies on the market. So in that sense I don't think that platformization, I don't think that's going to happen. Otherwise it would have happened already, I would imagine.

Speaker 2: 27:52

Well, I think it is happening, but it doesn't happen faster than there are people, ideas and new vulnerabilities that are introduced to the market and maybe there's going to be a shift there where it happens. But actually some of this is a sign of a healthy ecosystem where you have new ideas and new things that are tried, and we've got a lot of great technology out of that, which is which is really good.

Speaker 1: 28:14

Maybe there's a little too many right, as a customer now looking for cybersecurity solutions, I would be completely well.

Speaker 2: 28:21

I mean, I wouldn't know where to start correct if, if you start with the, let me look at all the companies, yeah, but I think companies are doing this more and more where they're saying what are the outcomes that I want? Yeah, what do I actually want to do, rather than do I want this point solution to protect it, or that point solution? And, yes, you know your, your managers of various teams, are going to look at all these different solutions and see is there a new way, a better way of doing this? But I think a lot of times, more, more, we're going to look to platforms to help us say how many problems can I solve with this platform, how many different ways, and can I get the outcomes that I want for bang for my buck?

Speaker 1: 28:58

Yeah, and that's something that the industry as a whole should work towards. So, because that was the question, obviously, what could the industry do better?

Speaker 2: 29:14

So they obviously what, what could you, what would the industry do better? So they need to take that more into account or maybe also collaborate more on stuff or partner more, join up more. There's no way that companies are going to look at 3500 different solutions to their problem. It's just not going to happen. That's too many. Many of those businesses are going to fail, some of them are going to get bought, some are going to become big in their own right, and I think what customers are really looking for is solutions. So the better way that we can serve our customers is to make it easier for them, more simple for them, a place where they can come and they can have more of their solutions talked. So, yes, cooperation is definitely one, and I really just think, naturally, we're going to push toward platformization, because it's just going to be easier for customers. I'm already on this platform, I'm already in this ecosystem. Now I need to bring on these other solutions as my business grows.

Speaker 1: 29:58

Yeah, but then obviously the question is who are going to be those big platforms? Yeah, well. Because also, platforms is sort of a definition problem as well, right, because some smaller companies also call themselves platforms, and then you have the big ones. They call themselves platforms, but that's a different. I mean that's not the same. So there's platforms and there's platforms.

Speaker 2: 30:18

That's the it's true and that I mean that is obviously what savvy customers have to do. They're looking for their outcomes and they have to. You know, yeah, look, marketing is great, but then they have to say what does this really do for me? Is it the right fit for my company? Maybe one of those smaller players is good when they're smaller, and then the bigger ones are going to be better for them as they grow into a bigger company.

Speaker 1: 30:37

Well, it makes sense. So you grow with the market, or the market grows with you, or whatever yeah somebody grows with somebody else somebody grows.