TheCUBE covers AWS re:Invent 2024, highlighting gen AI and security with Mike Lyons, CISO. Cribl helps avoid security data overload by sending relevant data to S3 buckets. Trends for 2025 include SIEM migrations and data strategy changes. Cribl supports the Open Cybersecurity Schema Framework for data exchange. Integration with AWS Security Lake and S3 enables real-time security insights. Observability aids in threat intelligence and identifying past security threats faster. Edge on endpoints helps with zero trust principles by securing laptops. Cribl assists...
Dave Vellante
>> Welcome back to theCUBE's coverage of AWS re:Invent 2024. re:Invent is the exclamation point on a year of innovation. This year has been all about gen AI, and of course security is the heart of the conversation. Mike Lyons is the chief information security officer, AKA the CISO, as Mike and I pronounce the acronym. Mike, good to see you again. Thanks for coming back on the program.
Myke Lyons
>> Great to see you again, Dave. Hope you're well.
Dave Vellante
>> Yeah, indeed. You too. When we last spoke, very recently, at the New York Stock Exchange, we talked about how Cribl's helping companies avoid the whole, we called it the security data swamp. Focusing on actionable high fidelity data. So as we're ending here, 2024, and with AWS re:Invent at the heart of our conversation today, there's a lot of excitement around new capabilities that are being announced around Amazon Security Lake. I know you guys leverage S3. How are you helping security professionals leverage tools like this from the AWS platform?
Myke Lyons
>> First and foremost, so many of our partners are customers of AWS and customers of Cribl. And one of the major things that they are using on their back end is those S3 technologies, like we're using. And that's the block storage. It's a really great place to put data that used to just be for archival purposes but now is becoming much more operational. And Cribl allows you to put data, mostly machine-generated data log type data, into these S3 buckets, if you will, very efficiently as well as quickly, and with only the information that's germane to the use case that you distinctly have related to those logs. So if you think about, you want to capture log on, log off data, authZ data, authN data. You can capture those things in discrete ways. And with Cribl specifically, you can send them to a bucket over here for this purpose or a bucket over there for a different purpose. And in many large institutions, those businesses are separate and they have to get approvals back and forth. But if you can do it right at the generation of the data itself with Cribl, it helps reduce a lot of the friction across those security teams and IT teams.
Dave Vellante
>> Thank you for that. So just zooming out more broadly, this is a time of year when we do a lot of predictions. I'm interested in what you're seeing for broader trends. We talked about tools consolidation, which is impossible, it doesn't seem to happen. We talk about the role of data and analytics and gen AI. What are the broader trends that you're seeing as we head into 2025, Mike?
Myke Lyons
>> It's been a lot of SIEM migration, so security information event management system, migrations. That seems to be front and center for a lot of organizations. And what a lot of them are trying to do is not just do a migration but do it in an efficient way. And also changing the way that some of their data strategy is operating today. Most of it is related to the amount of data that people are generating. There's that 28% CAGR of IT and security information or just data generally. And Cribl is uniquely poised to be able to help people with specifically that migration, but even those POCs and those testing of the next SIEM technology that you're using. Also, it allows you to better leverage things like a security data lake, like with the AWS security data lake.
Dave Vellante
>> So you mentioned migration. Are we talking about migration, and presumably modernization, right? Is that a fair understanding? And so you got these new capabilities that you're announcing constantly. What are some of the things that have really caught your attention? Some of the things that excite you as a security practitioner? The features that customers are going to be able to take advantage of, and enhancing your offerings.
Myke Lyons
>> I think, as a security person, one of the most exciting use cases that I have is we can go back into some of our logs and apply and better leverage our threat intelligence information to find out whether this IP address existed in our environment at some point in the past. Today, what a lot of companies are doing is they're looking at it at real time right through their SIEM. Do we have a detection based on this particular watch list? As we're looking backwards, though, it's a lot more of a challenge, and we have to take longer investigations over longer periods of time. So we're super excited at Cribl that we can do those things a lot faster than ever before. And even seeing in the industry is being able to look back a month, six months, even longer. Apply those same sort of technologies to other use cases across security. That's been really interesting. Better leveraging threat intelligence is super hard for a lot of security teams, and this is just one of those really early use cases that we're excited about.
Dave Vellante
>> One of the other emerging things that we've been tracking is the OCSF framework, the Open Cybersecurity Schema Framework. For those of you who don't know, it's a vendor-agnostic framework that's gaining traction across the security industry. Mike, can you explain to the audience, what is it? What impact do you see it having? And how does Cribl fit into this emerging standard?
Myke Lyons
>> Yeah. First and foremost, we support it strongly. AWS Security Lake is also a big proponent of OCSF. What it is is it allows you to exchange data across various technologies that you have, better leveraging those data so that you can communicate back and forth and not have to rewrite schema. So the idea is it's sort of a standardization, reducing a lot of those data disparity issues that organizations are having. And this is allowing us as security professionals and security practitioners to better leverage the existing data. Because in many cases the bad guys are coming against us, and anywhere where we can produce or be better efficient with our data and allow us to scale those things across our systems, the better off that we are.
Dave Vellante
>> Let's talk a little bit more about the AWS partnership and just cloud security generally. We talked about the integration that you're doing with Security Lake, S3. The goal is real time security insights and scalable solutions, so I wonder if you could talk to that. Where are we today? And how do you see that evolving into that real time capability that is so important? Speed is everything in this game. I wonder if you could comment on that, Mike.
Myke Lyons
>> Sure. To the start of your question around our partnership with AWS, couldn't be stronger, couldn't be better. Every day it seems to be helping our shared customers grow and just get better with their adoption of AWS, our own adoption of AWS. We're big consumers of our own technologies there. I would say a lot of where we're seeing the growth in these areas has been around better utilization of those lower cost storage environments and also reducing some of the bad information or maybe the lower value information from getting into those high cost systems. Those high cost processing systems, the SIEMs of the world. Those are sort of coveted by security practitioners. I've been a longtime... I actually got my start in security in logging, and specifically within early SIEM technologies. At the time it was called something slightly different. You can probably tell by the grays on my face related to the age of which those technologies were born. But really being able to keep a lot of the noise out of those systems. And then looking forward, and this is really what makes technology so exciting, looking forward, I can take the data that I know generally, its shape, its size, the way that it's sourced, the lineage of those data, and be able to better apply some AI technologies there. So as these AI technologies get developed, can I leverage them with a higher degree of data governance, confidence, in the outcomes of those things, and also be able to trust that it's only those data that are being leveraged to train these models so that I can better get results out of these things? We're all being pressured pretty heavily in the security front and other parts of the technology industry to adopt gen AI capabilities.
These types of use cases, or at least these governance that we can have over our data, specifically our IT and security log data and observability data, understanding what these things look like will only allow us to adopt these really cutting edge technologies faster and with bigger ease and also confidence, so we can measure their results in a much more controlled way.
Dave Vellante
>> Thank you. This kind of sets up my next question. This past June my family took me out for Father's Day to this buffet. It was unbelievable. It was so much good food. There was seafood and meats and all kinds of other accoutrements and salads. I couldn't absorb it all. And sometimes I feel like that when I think about the AWS cloud. A lot of organizations struggle with cloud native security. There's so much to choose from. They can't absorb it all, and so it creates some challenges. So I'm wondering how you guys approach this. What unique things that you do to help address some of the AWS-specific optimization. And how does that fit into your roadmap?
Myke Lyons
>> As a security person we've got a certain amount of budget that we can spend. Let's just say we got $10 to spend. And some of those monies are going to go to things like a SIEM technology. Now, my spend with my SIEM might be $5, might be $7, something along those lines. However, what we know we need to do is we need to get access to a lot of the East-West data and a lot of those cloud-related logs and flows that we today don't necessarily have access to because we don't have as much control or we don't have as much understanding of those data, and then therefore we're putting them all in a generic bucket. We might be shoving them all into the SIEM and therefore wasting a lot of opportunity there. So one thing that we're helping our customers do is take some of those data that we know we need to capture for reasons but not necessarily operational reasons, and we put it over in an S3 bucket. And we can allow it for archiving purposes or for audit purposes or regulatory purposes. We can stick those data over there. Now what we can do is bring in some of these new VPC flow logs and some of these things that really help us with the telemetry of what's going on in our environment in the event of a security incident or an investigation or something along those lines. All security practitioners that I speak with, and myself included, that's just context that is massively valuable for us. But unfortunately, due to the high volume or high... volume is probably the right word. The high volume of those logs. It's really difficult to put them in such a specific operational tool. But if we can keep them for just a short period of time, let's say we keep VPC flow logs for two weeks or three weeks or something like that and then we keep our more generic security data or our more SIEM-focused data for six months or maybe 270 days or something like that. These types of technology, like what we're doing with Cribl, really allow for a much better experience there. 
So I can take not only my general log data that I would typically throw on my SIEM. Now I have access to this additional flow. Really contextualizes the event that occurred and allows my operators to quickly respond to this particular threat.
Dave Vellante
>> Right. All about focus and prioritization. Speaking of that, I went to the inaugural AWS re:Inforce, which, for those who don't know, that's AWS's dedicated security conference. The first one was I think in 2018. It was in Boston. And there was a lot of discussion back then about the shared responsibility model, which I think now is much better understood. At the time I'm not sure it was. But the shared responsibility model in cloud security says you've got clear distinctions on the AWS side and then the customers have their responsibility. AWS has a lot of resources, obviously, so they got their end covered. Sometimes the customers, they're putting out fires, so it's a challenge. How does Cribl help organizations meet their requirements and fulfill their part of that shared responsibility model, especially around things like monitoring and securing data flows?
Myke Lyons
>> Well, first and foremost, observability is a key part of our customer base, the use cases that we see constantly growing. I think security is also looking at ways to better leverage those observability data points there. But with regards to shared responsibilities, a lot of the things that we experience there, and just my own being a security person full stop and have been for my career, it's about understanding how I can grab the right pieces of information, bring them into the right location, and then be responsible for it. Know where I start and I end. So an example for that would be a customer of AWS. A customer like us. A customer of AWS like a customer of ours, and where AWS plays a key role in there. One thing that would be interesting for me, and an opportunity that I haven't firsthand had the experience of working with yet but no doubt probably will be talking to people. I will be at re:Invent next week and so no doubt we'll be talking to folks about this, will be how they can send certain pieces of information through Cribl, whether it's in their own environment within AWS or in an environment that we're, in some part, playing or providing to them. And being able to parse those information to understand what it is that's occurring in this environment. The other side is there's SaaS technologies that are obviously bringing in a large shared responsibilities matrix. Where are you responsible for configuring a particular technology? Where are you responsible for authentication to that SaaS application? What are you going to do with those logs? We ourselves, here at Cribl, we adopt and bring in our logs from the majority of our SaaS... not just authentication. We capture that from everywhere. But our actual discrete application logs in there.
And with our vendors, many of which you know the names of those vendors, the larger SaaS players in the world, there is a component where we need to step up as a consumer of those technologies that understand what's going on, whether someone's accessing our system as part of a support case or a third party is going to be enabling or unlocking some future potential of a SaaS application. These understandings and what is normal and understanding and digesting what is normal, that's a key part of this shared matrix.
Dave Vellante
>> Sticking on observability, if I could. Going back to that. That's at the heart of your mission. Explain for the audience how better observability and data pipelines affect and specifically strengthen security postures. And I'm particularly interested in these complex hybrid environments.
Myke Lyons
>> Yeah. First and foremost, so many of the DevOps folks have been leveraging observability technologies to better understand how these applications work. And I think one of the use cases... maybe I'm going to be a little bit biased here and give you my security point of view, just given that's in my DNA and what's near and dear to me. But what I would think about is things like ransomware or crypto mining and capabilities around that. One of the things that we've struggled with as a security person is we're leveraging our endpoint detection capabilities there, or we're leveraging a managed security services provider to be able to detect some of these behaviors. Unfortunately, in a lot of cases those are post-an event's already happening, or they've already been able to breach a particular environment or get access to an environment that they shouldn't. And then they start to run up our bill. Or they are taking over our environments and then they're holding this particular system ransom or this application ransom. Observability is one of those key technologies that'll allow us to have insight into those things way earlier versus someone going to log into a system and seeing that they've been locked out of it, or someone like a partner like AWS is contacting us saying, "Hey, we see this behavior or this signature within your AWS environment and it looks like someone who's trying to mine cryptocurrencies," or something along those lines. I think that's where the massive opportunity is for us to better leverage it as security people. IT people have a really strong understanding of the value of observability data today. One thing that we're really excited about is unlocking the higher value components of those data, or the higher value data within that, versus the less important or maybe the more nuanced or maybe the more short-lived value data in that flow.
Dave Vellante
>> That's interesting. You've just injected a lot more complications into the equation, but technology evolves to address that. And then I'm going to throw another wrench in here, which is regulation. You've got, obviously, rapid growth of enterprise data, stricter global oversight. What do you see as the key challenges that organizations face in managing security at scale given those increased regulations, whether it's public policy or executive orders? How do you help organizations deal with that, Mike?
Myke Lyons
>> First and foremost, your Department of Financial Services has a regulation that they've put out where certain data needs to be kept for a duration of time. I think it's seven years for a particular set of data. Now, that's actually pretty well-articulated in the regulation itself, and many of our customers understand that and had brought in experts to help them really digest what that means. So when it comes to something like a regulatory statute like your DFS, where what's really important is that you capture the information so that you can run in line with the regulatory authority. What Cribl can do specifically is send it to an appropriate location. So if you think seven years, the reality of those data is the majority's never going to be used. People aren't going to pull those logs on a continuous basis. Otherwise we would have them in these higher cost systems and we would see those auditors likely front and center for our customers constantly. However, when an event happens and someone does come in and is requested to pull those data, we want to make sure that we can do it in a really efficient way. So first off, at the source of the generation of those data, Cribl can very specifically send it off to its appropriate storage location. In most cases it is Amazon S3. The second part of that story, though, maybe the B of the one is that unlocking that potential can be a little bit challenging. And so unlocking the S3 account, getting access to it, can be challenging. So one thing that Cribl is uniquely doing is we can actually very efficiently create an S3 bucket for that discrete use case in our lake offering. The second activity is when an auditor is going to come back in and ask you. So they want to know when Sally Smith was making this particular trade happened in October of 2020. And they want to know all the information around that. And they might have some additional pieces and tidbits of information, and they want to run that search. 
Now, one thing that has historically been challenging is that time. I've heard in many instances from customers of ours and just people in the industry that this could take months. I hate to say it like that, but it could take months. Weeks on the short side, but typically months. And specifically what we've been able to do is reduce that down to minutes, which is a significant improvement. Now, this is time back for the operators, this is time back for the auditors, and this all in turn results in cost reductions overall. Now, if those data that are going out to that S3 bucket, they have other operational value, there's nothing restricting you from leveraging those values in other ways because we can make copies of those data. We can modify the data to shrink it down. We can reduce information you might not need. Perhaps you don't need three dates and timestamps. Perhaps you only want the category of the events because that's pertinent, or you don't need the payload. You just need the username or some component there. Cribl really allows you to slice and dice. I know we were talking about cooking stuff before we went live here, but slice and dice those things. Those are near and dear to my heart. Being able to do that with data reduces the amount of volume of each record, can really allow you to succinctly operate it and also deal with some of those regulatory requirements that you may have.
Dave Vellante
>> Yeah. That really resonates with me. Who did what where? How? How long? Being able to really track that precisely with confidence is vital. I want to ask you about zero trust. Pre-pandemic it was sort of a buzzword and now it's gone mainstream. People tell me that the challenge they have is operationalizing zero trust, but it's clearly a major focus for CISOs and the cybersecurity industry generally. How does Cribl align with zero trust principles? Is there any specific value that your platform provides to help organizations operationalize zero trust and things that you read about, whether it's NIST framework or other best practices?
Myke Lyons
>> First and foremost, you need to know what's going on in your environments in order to start to do zero trust activities. And one of the things that we are seeing some of our customers begin to adopt are, we have something called edge, which actually resides on endpoints. And typically you would apply edge or use edge in an environment like a data center or an AWS infrastructure as a service style data center, a VPC or something like that. But we're also seeing adoption now at the endpoint, so on a laptop. I'd pick my laptop up but it's plugged in right now. But on a laptop specifically. And being able to figure out what events are going there, and then seeing them there. One thing around zero trust is still having those data, because those laptops are online, they're offline. By nature they're portable and therefore move around. We're a remote-first company, and Cribl has always been a remote-first company. And one of the things that we really need to ensure is that the endpoints themselves are secured properly and that we have an understanding of what's going on on those endpoints. And so Cribl, specifically with edge, can help unlock some of those potential and send those information off to a SIEM or off to another operational component. That's one aspect of what we're seeing in the zero trust space. Obviously there's a number of agents on endpoints. I'm actually not sure what the current count of agent per endpoint is at this stage, and I know it ebbs and flows a little bit with certain consolidations. However, there is still a ton of data, and each one of those discrete protections that you have as part of your zero trust solution are going to be generating various pieces of information. And being able to consolidate them, make them very concise, digestible is a key value prop for someone like Cribl.
Dave Vellante
>> A couple more questions, if I may. I know I'm taking up a lot of your time here, but as a CISO you see a lot. You have a big observation space and I'm wondering if there are any novel things that you're seeing in terms of attack approaches, methodologies that you're seeing from attackers, and anything new that's on the radar, and how you see Cribl identifying those and helping organizations stay ahead of these ever evolving threats.
Myke Lyons
>> Well, we're just a month after the National Cybersecurity Awareness Month. One large part of the campaign that we ran here at Cribl, we actually extended October into six weeks. Probably never been done before. Yay. But the reality was that we just communicated with our user population over a period of six weeks and just made them aware of what the heck was going on and what they should be on the lookout for. One of those things is deepfakes. They are happening. We are seeing them. Some organizations and some peers in my industry are seeing them more than others, but there is a reality that these things are out there. And so being able to capture those pieces of information and being able to understand and have a clean, concise process to take them in from our user population. "Hey, did you just call me and record this video of yourself saying, 'Please give me a bunch of gift cards'?"
Having a mechanism to be able to report that into IT and security, that's a big thing that we're seeing, or at least that I'm seeing in my industry. Quite specifically in firsthand, phishing still has a super high rate of return for these attackers. The cost of generating these deepfakes, whether they're a voice-based attack or a video-based attack, the cost is not increasing massively and the availability of these things leveraging open source technologies or just generally subscribing to them is increasing, so we've got to stay ahead of that. We're a contemporary company. Digital-native, if you will, and therefore a lot of our technologies are SaaS technologies. So we want to make sure that we are appropriately working with our providers as well as making our user population aware of what these providers are doing. So many technologies out there just AI wash, if you will, their solution. Some technologies out there very discreetly leverage strong AI capabilities to improve their service. Not all of them do that, but there are a few vendors that I work with that happily leverage that, understanding and ensuring that our users understand what it is. Like, are you trading on my laptop? Are you installed on my laptop as an agent? That's a little bit of maybe a Black Mirror episode, if you will. But then there's other capabilities there. Think about our word processing documents and things like that. Things that could improve the way we send email, maybe help a go-to-market team better leverage those things. That's where the security partnerships are becoming more important to the business, because we can't be in all these instances. Every one of our employees is an agent of the cybersecurity team. They may not have that cybersecurity hat on, they may not have that title, but every one of them is helping us improve our business.
Dave Vellante
>> Cyber industry is so exciting. Gen AI, obviously front and center. Business resilience is another big theme, with IT and SecOps coming together. It's not just the SecOps. A lot of bad stuff can happen independent of cyber attacks. Businesses need to stay up. You've got new attack vectors. So Mike, looking ahead to 2025, what are your priorities as a CISO heading into next year? Where do you see the industry's focus? Any shifting sands that you want to call attention to over the next 12 to 24 months?
Myke Lyons
>> Maybe I'll bring it full circle. I think a big part of it has been SIEMs and the adoption and migration of SIEMs, whether it's adoption of a new style of SIEM or adoption of maybe an agent that can help my security operation practitioners function better. Getting more value out of my data. Being able to leverage it more specifically, being able to train LLMs. Those are really key things for me next year, to be able to understand what's going on in my environment as well as being able to help my operators operate better, deal with threats in a faster way. That's where I'm going to be investing my time. That's where I'm going to be asking my team to invest their time. And I think it's going to improve our ability to respond, make us more resilient. Security teams, at the end of the day we're not just about building better locks or securing the fortress. It's about being resilient, because the pieces that... the CIA triad, if you will. Confidentiality, integrity, and availability all really could be surmised in the word resilient. So we need to partner better with our IT folks, our operators, our development folks. But at the same time, we need to be able to make our operators operate better and faster. And they're going to become more specialized. I think that engineers themselves, just generically engineers, they're going to get more specialized in their area. We need to get more specialized in our area. And I think the only way that they can be more specialized is to have more cyber knowledge. Therefore, us in cyber need to be able to operate more efficiently. And being able to ensure that we have trust around our partnerships and our abilities. That's on us. That's a large part of my plan for next year.
Dave Vellante
>> Mike, thank you. Great to see you again.
Myke Lyons
>> Be well, Dave. Good to see you.
Dave Vellante
>> All right, and thank you for watching this episode with Mike Lyons, CISO of Cribl, a key part of our AWS and cloud coverage as we wrap up 2024, get ready for next year. This is Dave Vellante. Keep it right there for more great content live from Las Vegas and on demand from our studios in Palo Alto, Boston, and our newest studio at the NYSE. Keep it right there.