At the Cyber Resiliency Summit, Christophe Bertrand, principal analyst at theCUBE Research, interviews Merritt Baer, CISO of Recolabs, and an expert in cybersecurity across public and private sectors. The conversation delves into building cyber resiliency to ensure business continuity, with Merritt highlighting the critical role of availability in the CIA triad and the need for flexible security practices in the era of expanding cloud infrastructure.
What are some strategies to make security seamless and painless for both DevOps engineers and end users?
What challenges do enterprises, especially large ones, face in terms of cybersecurity in today's digital age?
What are some key indicators to consider when evaluating the success of security practices in a business?
What services does the company offer in terms of app discovery and mapping to best practices for configurations, including addressing behaviors related to SSPM, insider threats, and other potential security risks?
>> Welcome back to the Cyber Resiliency Summit. My name is Christophe Bertrand, principal analyst at theCUBE Research. I'm very pleased to be joined today for the segment by Merritt Baer, who is a serial CISO, to say the least, and an expert on the topic of cyber resiliency. We had a great preparatory conversation. I think you're going to enjoy this segment very much. Of course, Merritt, you know theCUBE really well, so welcome back.
Merritt Baer
>> Thank you so much. Yes, happy to be here, and I love working with theCUBE and promise to keep it never boring.
Christophe Bertrand
>> Excellent. And this is a great coast-to-coast conversation, I'm here in the Palo Alto Studio, while you are in our Boston studio, so we're leveraging the full CUBE infrastructure here. So Merritt, tell us a little bit about yourself and about what you do right now for Reco.
Merritt Baer
>> Yes, of course. I'm a career CISO, like you mentioned, at this point. I spent five and a half years at AWS as their deputy CISO, and before that, in the US government, I've worked in all three branches, doing security on behalf of the American people. I am now in the private-company world, I'm the CISO at Reco, which is a SaaS security company. So that constellation of apps that is ever-growing in your enterprise, we discover them, we protect them, and even do advanced contextualized heuristics around that. And I advise a small handful of young companies as well, including Enkrypt AI, Andesite, GTS, and Level Six Cyber.
Christophe Bertrand
>> Excellent. So both an advisor, active CISO, lots of experience in public and private sector, so clearly it's going to be a great conversation. My first question is this, okay, this is the Cyber Resiliency Summit, did I pick the right name for the summit?
Merritt Baer
>> I think that you did. However, folks are often tempted to pick a sexier term instead of the one that actually matters from a business perspective. So I think resiliency, it's hugely important, we always forget that in the CIA triad, to the extent that we accept that as one of the definitions of security, where it's confidentiality, integrity, availability, that that availability piece is actually really critical, and that your data that is so well-protected might not mean anything to the business unless you can actually access the infrastructure. And I think increasingly, we're seeing folks really have demands around flexibility and availability and the kinds of ways in which security and sustainability go hand-in-hand. So it's certainly a timely issue, and I think especially with the growth of cloud as infrastructure, you have so many options for how to make yourself more resilient, but at the same time, you have to architect for that, so it's an ongoing set of challenges.
Christophe Bertrand
>> Absolutely. I had a great conversation with one of my colleagues who focuses on the DevOps space as an analyst, and we were just talking about this, why not build all of this from the onset, from the initial effort in developing applications and processes that are secure? So let's talk about that for a second, should there be guardrails in place for DevOps? Let's start with the starting point here.
Merritt Baer
>> Yes. My personal view is that it is understandable that DevOps engineers want to run hard and fast and not care about other goods, like security, and it is also security's job to make security democratized and make it seamless and painless as an experience for both your engineers and for your end users. So I think that can be achieved through some tech, for example, templatization of environments, guardrails, like you mentioned, and taking advantage of ephemeral environments, lots of approaches that I think are increasingly available now that we are vending ourselves environments in this modular way. But it also takes a set of behaviors and prioritization as an entity. There's some elements of business and political will that come from a security shop having the wherewithal to implement some of these as must-haves, because they do take some time and investment to develop.
Christophe Bertrand
>> Right. So it seems to me that, we talk about cyber resiliency, infrastructure resiliency, really what this is about is building a system that delivers business resiliency, looking at all of the facets you mentioned, the data, the infrastructure. I come from that world, and certainly there's so much more around it that needs to be addressed. In our discussion, when we were preparing for this conversation, you used the term democratized insecurity, that's what we're talking about, of course, attackers and how they leverage AI. What do you mean by that? Are we more at risk today than we were maybe a couple of years ago?
Merritt Baer
>> I would hesitate to give any made-up math about whether we are more or less at risk today than any other time in human history. But I will say that I think with the rise of ransomware as a service and of the ability to buy toolkits online for malware or for bad behavior in a variety of manifestations, on some level, that has meant that you don't even have to be very good to launch an attack or to quietly steal data from an entity. And I think that is a challenge for enterprises of any size, but especially for large enterprises that may have an ever-expanding number of resources within their environment of lots of human and non-human identities, apps, app-to-app interactions, you're just looking at such a vast set of data that it's really hard to know what to pay attention to and how to prioritize. And I think ultimately, what it means for attackers is that, for the most part, they are coming in the front door using valid credentials. And by that, I mean they're not burning zero-days or novel exploits to be able to get into your enterprise environment. They're just able to hijack a legitimate set of credentials, and then lateral around to get increasingly significant amounts of access and then be able to enact damage. And like I said, this could take the form of something like ransomware or of data-exfil ransomware, where they threaten to release sensitive data. And of course, we see with the rise of regulations, like GDPR, that sometimes, they actually create incentives for bad actors to monetize their compromise of an enterprise, where if it became public that they had gotten compromised, then the victim entity might be subject to really large fines.
So the incentives really play in both directions, in a lot of ways, and I think as we see that democratization, where dark web forums are basically allowing folks to purchase some of this bad behavior, your enterprises are going to have to defend themselves in the ways that are also being made possible using that kind of technology that is distributed and also programmatic, being able to know what you know in a programmatic way, and not just hope that you have dotted your Is and crossed your Ts.
Christophe Bertrand
>> Right, that's a very important point, because there's clearly some mechanistic dimension to this. You have to have those muscle groups and have muscle memory and be able to really understand, as an organization, what you need to do, not only to prevent, but also to respond. Is it fair to say that it doesn't really matter what will you do, it's going to happen anyway, you're going to have to deal with it at some point, so you might just as well be ready for the inevitable, but how you do it, how you react to an attack, how you react as a team, is more important maybe than what you do to prevent something that may not be preventable? What do you think, is this controversial, is this fair?
Merritt Baer
>> On some level, I think it's not particularly helpful. Even if it is true, it's not particularly helpful to say, "Oh, it's just a matter of when, not if," because I think that can be paralyzing. It's Chicken Little, where the sky is falling and it doesn't feel like there's something practical to take from that. But I think it is probably fair to expect that you will have a bad day, a day where something breaks or where you don't notice something that you should have noticed earlier. It's one reason why I think I often use that metaphor of muscle groups. There will always be a next Log4j, just given what we know about the nature of open source development and our dependencies within libraries and libraries. For example, there will always be a next bad day when it comes to availability and failing over. We've learned from a number of recent incidents, including CrowdStrike, who's a sophisticated company, and they still had a really bad outage. So I think you can see examples of how doing security work actually is this process of iterative learning, and I think having run books and playbooks and actually doing the policies that you say you do is really important, but it's the kind of thing that security folks work on in their weekly metrics meeting. And hopefully, you get to the point where you're just saying, "Why did it take us 45 minutes to notice this? Why did we set the threshold at 1,000 dropped calls per second and not 999?" You get to the point where you're really refining some of your judgment calls and really relying more on... You can call it AI, but it's really around automation and the ability to make data-driven judgment calls, so that humans are usually in the loop at some degree, but they are not making real-time decisions about much of the apparatus of the security shop, that you basically narrow down that gray area of human decision-making to the truly novel or high stakes issues that may happen to your enterprise.
Christophe Bertrand
>> Right. So this brings up the question of a couple of points I want to cover. KPIs, I think, is one of them, and then the usefulness of frameworks, like the NIST framework. So let's cover KPIs first. Clearly, depending on the situation, depending on the team and the environment, you're going to be looking at a bunch of dimensions, lots of small stuff. But really, what you're saying is, let's focus on the big stuff, the big decisions, let's automate some of the collection of those metrics. But do we have, or do you feel you have today a good set of KPIs that you can go after for both IT and security teams that have to work hand-in-hand really to make big decisions when the time comes?
Merritt Baer
>> Yeah. I think you'll have a number of metrics, and there's no gospel here, you'll change and refine what you're looking at over time as measures or proxies of good outcomes, because ultimately, for example, number of CVEs you've eradicated this week means basically nothing to a board member, for example. What they care about are outcomes, so amount of downtime that you've been able to get rid of or buying down the risk of a data breach or an intrusion. There are ways in which I think security runs into that problem that's like the tree falling in the forest, where a good day is one where no one actually knows that you have been working, where everything goes according to the business plan and it's not significant from a security perspective, and that's the product of hard work, in a lot of ways, building your house right. So I think when it comes to KPIs, what you really are looking for is not just internal security indicators, which I think can be really helpful just for the team to notice that they're getting better over time, but also outcome-driven, so things that impact the business and how you translate good security practices into business outcomes that they can take to their leadership and also demonstrate to their end user, no matter what industry you're in, if you're in retail or hospitality or oil and gas or whatever, that you have outcomes that your customers, and in the case of governments, your citizen consumers, are able to really have confidence in the security as part of the business value that you deliver, because they can count on your practices. So I think KPIs are really critical there. When it comes to frameworks, I think... Look, everyone loves NIST, and I like it too. I came from, well, a range of government work, including DHS, where we worked on the NIST framework, along with Commerce, who owns it. However, of course, it is not a set of requirements, and I think there are pros and cons to that fact.
The fact that it is a flexible and reusable and evergreen, or at least it attempts to be an evergreen, set of standards is great, and it's what makes folks really like it. On the other hand, it doesn't have the teeth that some other requirements do, and that really push budgets, for example, or that really push a risk-averse company leadership to say, "We need to buy down the risk that the SEC or the PCI standards board or other folks show up at our doorstep and say, 'You missed the mark.'"
So I think that frameworks are really helpful. I actually developed a framework for secure use of AI for practitioners that I'm going to be publishing shortly with Oxford University Press, so stay tuned for that, we'll circle back around. And I think it's really helpful to have things like frameworks for emerging questions so that you can see how other practitioners are approaching some of these problems, but they're certainly not going to be your be-all, end-all. I think a first principles and a primitives-based approach is certainly inherent to security practitioners, but it doesn't mean that someone's going to do the work for you.
Christophe Bertrand
>> Right. So yeah, maybe it creates some sort of common language, but the work still has to happen and be very specific and fundamental to the culture of the organization. A couple of takeaways from what you just said, and really for our viewers, it's very important, I think number one is cyber resiliency, cybersecurity, data protection, this is a business conversation. You must be able to translate and converse with the business leaders, even the board of directors, depending on the circumstances to communicate in terms of outcomes, and those are business outcomes. So technology, fantastic, but at the end of the day, what does it mean for the business? So that's a big takeaway. The other thing is, you mentioned, Merritt, the fact that while compliance has some great benefits in potentially setting the bar somewhere and creating enough fear that people will actually do the right thing, it also offers the attackers that same incentive, in a sense, the positive or the negative becomes a positive for the other guys. So how do you reconcile that? Is there really a new role for compliance folks to be more involved in really mapping what the requirements are realistically from a resiliency standpoint? Because I agree with you, you look at GDPR, you look at CCPA, or CPRA, and a bunch of other regulations, and there are so many by industry, everything has a lot of cyber in it, but it seems to be so vague sometimes, or so specific, how do you make sense of that? Should the compliance folks be more involved with the cyber teams and the IT folks as well?
Merritt Baer
>> I think that, to some degree, what we are looking for when we look to frameworks is a defensible approach. So you get to get in front of your regulator and say, "Look, we may not have been perfect." Certainly if you're in front of your regulator, you weren't, most likely. "But we took a reasonable approach, it was repeatable, attestable, defensible, and by the way, it meets these standards that you have set." And so, I think that compliance actually can be more of a protection for the business's liability and for other concerns around diligence. But I also think that if you're asking whether it can have functional benefits, the answer is sure. I think that we see that every time that a new compliance framework comes out, we see benefits where folks actually get more leeway from the business to spend time and energy on these things. But does one-for-one compliance and risk line up in some kind of buy-down? No. I think that there is some hope, or at least there's glimmers of this idea of continuous compliance, where we could actually map configurations and the requirements of specific compliance requirements to the actual infrastructure and architecture choices that folks make in their enterprise. It's sort of like cold fusion, where in theory, it should exist, and in practice, you don't see it happening in any kind of reusable, repeatable way. But maybe we will also see that continue to grow, and I think it could be a good thing if we're looking... Because of course, anything that is not continuous will be a point in time, and any kind of static picture of your environment, these days, with the building patterns that folks are using, where they're able to kill an environment and spin up a new one to take advantage of ephemerality as a security tool, there's a lot of ways in which, actually, the idea of compliance might be, in some ways, a cool way to map your ideals into reality. 
But in practice, that too has its limits, because we haven't gotten to a point where we see that playing out in practice.
Christophe Bertrand
>> Right. Which brings up a number of additional points, because we're talking here in general terms, but you think about all the complexity that most environments have to deal with, with obviously on-prem, cloud, hybrid, multi-cloud, et cetera, so I'd like to double click a little bit on what you do every day on the SaaS side of things, real quick, quick ad for Reco here. But obviously SaaS applications are pervasive in many ways, organizations have given up control, by definition, that's what a SaaS application is, you're having somebody else run that show for you, and they control the security, to a large extent, they control the backups, the recoveries, et cetera. So many organizations somehow still think there are magical people in the cloud doing backups for you. Well, let me tell you, they don't. But you have a responsibility also to maintain control on who accesses the data in those SaaS environments, because again, if the data gets modified, changed, altered, in any way, it's on you, it's not on the provider. So how do you help with that in your current position?
Merritt Baer
>> Yeah, exactly. It's interesting, because one reason that I was attracted to this space is that it does map, in a lot of ways, to that shared responsibility model conversation that happens, just as you described with cloud, where AWS or your cloud provider owns the infrastructure and they own the security of AWS, but you, the enterprise that is building in the cloud, you own the architectural decisions, you own the security of your build. So I think similarly, now that we see that folks... You're not going to go out and build your own CRM database, you're going to use a Salesforce or a whatever. You're not going to go out and build your own payroll, you're going to use an ADP or a whatever. And so, I think as folks are building modularly, which totally makes sense, why wouldn't you avail yourself of all of these kinds of productivity apps, of the kinds of business and other apps that everyone is using, OneDrive, ShareDrive, and then, of course, GenAI apps and copilots that are attached to so many applications now, at the same time, folks don't generally know the apps that are in their ecosystem, and they couldn't really know without some programmatic approach to finding those. So we do that, we do app discovery, we'll tell you, most folks think they have something like 15 to 50 apps, and they have hundreds, and sometimes thousands, within their ecosystem. And then, we will map to best practices for configurations. So as you were referring to, with SSPM, things like MFA, restricting admin accounts, just the known good behaviors. And then, beyond that, we have a threat research team that is also mapping current behaviors of all the sophisticated adversaries, and then just where we see insider threat and other behaviors popping up and how that surfaces as an alert. So it's not just, should Christophe have access to this file, but did he look at six sensitive files in a row and print a lot of pages right after and then walk out the door, so correlating behavior.
And I think the future of security is contextual, so in a lot of ways, we are going to see folks trying to find ways to look at enabling the business, so allowing for permissiveness as an overall policy, while still being able to trim down, prune and refine that least privilege, but also be able to alarm on patterns of behavior that look suspicious.
Christophe Bertrand
>> Great. I think that's such an important topic. I'm sure we'll talk a lot more about it in the next few quarters. Merritt, thank you so much for joining us today, great conversation. Maybe some closing comments or one recommendation for our viewers, what should they do next after watching this segment?
Merritt Baer
>> Oh goodness. Well, go kiss someone you love. I think that at the end of the day, usually on these kinds of panels, folks say something like, "What keeps you up at night?" And I really do think that the answer should be that you aren't up at night. Given that this is a resiliency summit, but I think I might say this no matter what, build in a system that doesn't rely on any one human. So make sure that there is this "good intentions are not enough" foundational belief to your security approach, where you are taking advantage of automation, but also, you have an alias for your break-glass notifications that goes to more than one person, for example. Putting these behaviors in, in tactical ways that reflect this fundamental belief that your security shop should run as a series of good behaviors over time, this muscle group that gets stronger, and certainly that any one individual can't make or break your enterprise.
Christophe Bertrand
>> Well, Merritt, thank you so much for your time. Great advice, great conversation. I'm sure we'll see you on theCUBE very soon. Thank you again.
Merritt Baer
>> I hope so. Thank you.
Christophe Bertrand
>> And to our viewers, stay tuned. thecube.net Cyber Resiliency Summit, stay tuned, there's more coming your way.