Detecting Cybersecurity Threats with Devo's CEO Marc van Zadelhoff
John: Welcome to episode three of our podcast series in cybersecurity. We'll be talking about what it means to detect threats. You have to see that mole pop up from the whack-a-mole game before you can do anything: keen eye, fast responses and all that. With me is Marc van Zadelhoff. Marc, tell us more.
Marc: Hey John, my name is Marc van Zadelhoff. I'm the CEO of Devo Technology based in Boston.
John: Tell us what Devo does.
Marc: Devo is an enterprise logging and security analytics company. So we ingest all of the data that a company, an enterprise, an organization can think about creating in the area of cybersecurity and bring it into one analytics dashboard. It overlaps with what we typically have called SIEM, Security Information and Event Management. We actually also serve use cases outside of security, like figuring out your IT Ops or DevOps or application performance area. But most of our projects today are a software-as-a-service platform being deployed for security analytics.
John: One of the most important parts of being in the middle of an infrastructure like this is how many other piece parts you work with, obviously. So if within a security network there are sniffers out there, or detectors out there, you've got a way of bringing all these pieces into your common platform.
Marc: Yeah, I think there are two elements that we bring together for a client in the area of security. One is their security infrastructure, and that's what you were just mentioning. So in security, you have identity capabilities that you've deployed. You have application security, you have data security, you have network security, you have endpoint security, you have encryption technology, right. The average CSO is using 60 to 200 tools from 20 to 40 vendors. So all of those tools generate logs and generate metadata that is interesting. But secondly is your infrastructure. Your applications have logs, your operating systems are generating logs, your network routers and switches are generating logs. Your AWS instances are generating logs called CloudTrail, Azure, GCP. So your infrastructure, all the network layers of your infrastructure, is generating logs, combined with all of your security tools generating logs. We take all of those, in hundreds of different log types, machine data types, into one massive analytics SaaS platform.
John: What could really matter here is if somebody breaks in one door, that's one thing. But if at the same time a couple of other doors are being broken into, it's a whole different world. How do you treat that as you begin to analyze the impact to a system?
Marc: I would take a step back beyond the breaking-in metaphor, because I think there are three reasons. I've been in security for 24 years. There are three reasons why people buy cybersecurity solutions, and they actually haven't fundamentally changed over the last 24 years. One is people breaking in, the hacker. The hacker has evolved from, as we used to say, the young kid sitting in his parents' basement trying to impress his girlfriend, which he doesn't have, to now nation states and organized criminals hacking for the purpose of generating money for the People's Liberation Army of China, or intellectual property, or supporting the North Korean regime, or being the new organized criminals. But that's just one. The second is insiders. Insiders, when I got into cybersecurity, it was all about the insiders. There was a huge scandal at one of the... I think it was Dow Chemical, where one of the scientists had taken some of the intellectual property and left the building, right? So insider theft, insider stupidity, insider mistakes, right? The third is compliance. People spend a lot of money on security for compliance. Compliance being, did you violate California Senate Bill 1386 that says that you must notify somebody. Did you violate the European data privacy standard, or GDPR. Did an American access European HR or PII data, right? So you have to be able to prove nowadays, certainly as a multinational, that you are compliant with regulations both locally and internationally, and that's a third reason for buying security solutions. So it's not just the breaking in; it's the breaking in, it's the insiders and it's the compliance that cause you to spend money on cyber.
John: This concept of somebody, an insider, doing something untoward accidentally or maliciously. So just the movement of a large file or a large data thing is a theft. Is that something that could be detected as well?
Marc: In the Devo platform you would put in rules and machine learning algorithms to detect activity of insiders, such as John, who is in finance, suddenly seems to be spending a lot of time browsing HR salary data. Or Susie, who's in marketing, suddenly sent a bunch of customer files to her Gmail account, and you're a query away from detecting that kind of activity in a system like ours, because we have literally collected every piece of event evidence on the planet in your environment. So we are able to see all the activity of insiders and then also the outsiders coming in to the inside on your network. So you can see all of that, and we have out-of-the-box rules, and then we allow you to just basically do a drag and drop or a SQL-like query language that allows you to figure out anything that's happening, and that changes. I mean, like one day you're going to wake up and your CIO is going to say, "I'm worried about that thing happening, and can you detect it?" You can't predict everything in advance. You get on Devo, you go, boom, boom, boom, let me see if I can figure out if that's happened.
John: Is there a balance that you have to strike between false positives and false negatives, and do you come out with some recommendations out of the box, or do your companies have to decide how they want to behave? Because obviously everything could be alert and alert, but maybe you don't want it to be. How do you begin to think about that balance?
Marc: Yeah. Through tuning and through context that you provide. So for example, if you go back to the hacker or the external threat as opposed to the insider, the hacker, you would for example do a few things. One is you use machine learning algorithms to try and figure out what your normal patterns are, right? So if you on an average working day are transferring a megabyte or a gigabyte between your U.S. office and your Moscow office and all of a sudden you start seeing that go out of band, right? I mean, doing business with Moscow is not a crime, but all of a sudden doing terabytes of business when you usually are doing megabytes or gigabytes of business is something. So there are machine learning algorithms that you can use to try and find these things. But then there's also correlation with threat data. So we allow our customers to subscribe to any threat provider and correlate that data. So for example, all of a sudden you start seeing IP addresses pinging you that are known to be associated with a campaign by a hacking group, an organized criminal group in Eastern Europe. Well, all of a sudden you want that to flag really fast. Or MD5 hashes of particular malware types that are coming in and are detected by our system, matching that to a repository of known malware that is bad.
John: So to some degree what goes around, comes around. I think about the original days of antivirus software and then always constantly updating what the latest viral attack might be. Well, you're doing the same thing, but from a network intrusion point of view, MD5, or the different types of ways somebody might be coming at your systems. So you've got to stay close to what's out there in the real world all the time.
Marc: Yeah, agreed. It's not network or endpoint per se. We're seeing everything, right, so even the antivirus tools, we're bringing those logs in with the network tools, with the external threat research. I think the difference with AV is AV, certainly in the old days, and antivirus has evolved to be more what we call endpoint detection and response or EDR, where there is some machine learning built into the endpoint detection. The old AV was super stupid, right? It was like really simple rules. As soon as a hacker figured out that rule, they could go around it. The current ways that you detect on the endpoint and the current ways that we do correlations and AI on the much larger set of data that we get from every point across the organization allow you to, again, use more algorithmic machine learning techniques that are more contemporary and then correlate that with external feeds, so you don't get as many false positives. But you tune it right, you learn. I mean, anybody who deploys a solution like Devo will deploy it, tune it and get a lower rate of false positives, but you'd rather have some false positives than miss the real event.
John: Sure. So speed obviously matters here, but help me understand if there's like a DDoS happening, where speed really matters, versus maybe detecting a bot, that's slightly different. Talk about speed and how you might think about DDoS and bots attacking a system.
Marc: Yeah. I mean, Distributed Denial of Service is an interesting attack, which is not super sophisticated to detect. As a friend of mine once said, a DDoS attack is like someone putting a sledgehammer to your toe and then telling you, you got hit by a sledgehammer. I mean, you knew that already, right? A DDoS is so overwhelming to your infrastructure that you barely need help detecting it. With a DDoS we need more help in overcoming the challenge that it provides to your network. Speed for us involves the ability to ingest terabytes, dozens of terabytes, of data a day. So this is where I think I've seen an evolution. I've been in this space for a long time, and this is the third time that I'm in a log and security analytics company. In the old days you were talking megabytes and gigabytes of logs a day. Now we're talking terabytes. We have a large retail provider that surged from seven terabytes with one of our competitors to 60 terabytes a day, which we keep for 400 days; you're talking petabytes of data. So speed for us means ingesting at real time, streaming. So from the time the event happens to the console, you're talking milliseconds, correlating all that in milliseconds, and then being able to do all of the querying that you do on that. Like I said before, did John access data in the last 400 days that he shouldn't have? Enter the query and there's your answer. Now it used to be you could go get a three-martini lunch before you got the answer to that question, because it took so long in the query engine. But now with cloud native, with the scale that we're able to do this at, you can do really sophisticated searches at speed, quickly. It's the ingest, it's the query, it's the scale that matter for our clients.
John: Tell me how SOCs, Security Operations Centers, fit into this space.
Marc: Well, the Security Operation Center, or the fusion center as it's called, or I was talking to a customer yesterday that was calling it a cyber fusion center. I mean, these are all different terms for essentially the hub of security operations. So you basically need to have a group of people working together to figure out and detect and respond to incidents, and that's the role of the security operation center, of the SOC. They are trained analysts. They work almost like a call center, if you want to really dumb it down, where there's kind of level one, level two and level three analysts. Level ones are kind of looking at the basic rules, figuring out what's going on, to your point earlier: is this a false positive? It doesn't look real. Then it will pass that on to the level two and three analysts that are much more educated, mature, advanced in their capabilities, and they will do additional forensic investigations. So a level one analyst might say, geez, I'm seeing a significant increase in traffic to a certain foreign area. I'm getting alerts that it might be correlated to IP addresses and destinations that are untoward based on our threat intelligence, let me pass it off. Then that escalates up. Visually what a SOC is, it's like in the movies, the guys are sitting at these beautiful desks. They have five monitors each, and then there are monitors on the wall, CNN in one corner, Fox News in the other corner, BBC in the other corner. They've got what they call the pew-pew maps, right? The pew-pew maps are the maps of the world where we see pew-pew, the data going from Russia into America, to the United Kingdom, right? So these are all the kind of things that you would picture, but that's the sex and sizzle of a SOC. The reality is like a call center, where these guys are staring at screens all day, and when they see something, they start to escalate it. The outcome eventually is a response.
If it gets validated, the response can be calls with the FBI, it can be the police coming in, it can be criminal investigations, it can be arrests, it can be extradition, right? It can be calling your customers and calling upon them to stop activity or shut down systems. I mean, that's the scary part; it could be paying a ransom.
John: Could some of the responses, as we move with more and more ML and AI, be automated? Could we be shutting things down automatically and then telling them after the fact what actions were taken? Are we going to see that happening more and more?
Marc: Yeah, I think there's more and more possibility to do that. To be honest, we've been talking about response for a long time, and the truth is, I would say 98% of the time it will always be an incident response process where a human is going to check. I mean, like an easy response is, oh my God, we're getting attacked there. Let's shut that port down on the firewall. But if that port in the firewall is the same one all your customers are using for e-commerce activity, you probably want a human in between there going, is that really worth the risk reward in that particular case, right? Also sometimes you're better off, by the way, letting hackers do some stuff, calling the investigators, calling your incident response team, watching them for a little while: what the hell are they doing? Where are they coming from? Now that we've figured out that they're here, maybe let them tool around. In the old days, you used to pull the plug out of the server. Now sometimes the best thing to do is watch them for a bit and figure out who the hell they are and what they are doing before you shut it down.
John: That is a different world. That really is. That's interesting. So I want to ask a question around point solutions and platforms. If I'm a CISO, the CISO thinks through the things we've talked about over the series of podcasts: identity, prevention, detection, and response. Talk to me a little bit about your thoughts on how the CISO makes the decision of the best. This is a long-term IT discussion that goes back and forth and we'll never have a single answer, but I'd love your thoughts on the value of the perfect point solution or the value of a broader platform and vendor selection. How does a CISO just kind of deal with the complexity of this astoundingly complex space?
Marc: Yeah. I've been on both sides of that. So my prior job was running IBM Security, where we were in 14 different segments of the market with generally market-leading products and fortunate in those different Magic Quadrants. Certainly our pitch then was that you need a system of capabilities from fewer vendors to pull it together. I think the issue, and one of the reasons I'm so excited to be at Devo, is that the velocity of this market is so fast. It is hard to really be with a suite vendor when all the piece parts are moving quickly. If you look at the space I'm in, it has shifted from, as I said before, megabytes to gigabytes to terabytes to petabytes of data that you need to do this job. With COVID, with the work from home, with the shift to cloud, with IoT and everything having an IP address associated to it, you have so much more data you need to ingest to do your job. I mean, if you think about a company like Shell Oil, just to name a random company, any oil company, you think about the amount of data they now get from the oil fields that didn't exist before, because nothing had an IP address attached to it or a network connection, and now they do. So you have just so much more data to collect that that metaphor holds for almost every segment of the market. More identities, more endpoints, more IoT devices. It's hard to have a suite vendor that can keep up with all that. I think that's why there's a resurgence now of the pure plays. If you look, all the large security companies have gone by the wayside. I mean, that's I think a story that hasn't gotten as much press. But when I was first at IBM and we were dreaming of starting a security division, we dreamed of building a division bigger than McAfee or Symantec. Well, we did, and at the same time, and maybe the two are related, those two companies are no longer formidable forces in the market anymore.
The big players now are more pure players, or players that have gone from a pure-play tool to trying to become the new platform players. But the old platform players have all exited the market or become less of where the market's at. So it is interesting to see the point players really come up as the ones that are most relevant to CISOs, because I think of just the speed of innovation on the customer side and the speed of innovation on the hacking side.
John: Fantastic. We'll have to do another one of these series a year from now and see how things have changed, but that's a great state of the business as we speak. Marc, thank you for the time. I really appreciate it.
Marc: Enjoyed it, John. Thank you.
John: I don't know about you, but I found Marc's summary of this piece of the industry to be really enlightening. I'd like to bring back Alex Manna one last time to give his view of how one should be responding to threats. Now, Alex, Marc gave us a great overview of security operations centers, and we're going to be talking about that and the ML and AI for our next and final podcast in this series. Tell me why this space is important to you.
Alex: All right. Last but definitely not least, the other big challenge that a lot of companies are facing, including George and ourselves and including a lot of our companies, is the cybersecurity talent gap. The fact that, quite frankly, there just isn't enough great cybersecurity talent out there that is available for hire and that we're able to use to scale up our teams. In an ideal world, we would each hire a team of 10, 15 cybersecurity analysts and build out our own SOC, but that's just not realistic.
John: SOC being?
Alex: SOC being a Security Operation Center.
John: Thank you.
Alex: So in an ideal world, that's how we would approach it. But in the real world, we need to look at bigger, scalable solutions that we can leverage. One of those solutions is the idea of MDR and XDR, Managed Detection and Response, because ultimately those solutions can help us scale our individual security teams by essentially acting as an outsourced security operation center, looking at our end-to-end security stack and looking for threats and vulnerabilities in real time. So we have a podcast with the CTO of a company called [Centaur 00:19:07], who does exactly this, and he's a brilliant guy. He comes from a really strong tech background around artificial intelligence and machine learning. They're able to really solve this problem by leveraging large amounts of data and by leveraging machine learning algorithms to help, once again, find that needle in the security haystack.
John: Thanks again. We'll be talking with you all soon.
As we continue to discuss cybersecurity, we ask the question, what exactly does it mean to detect cyber threats? After all, before you can respond and take action, you have to know that something wrong even occurred. In this episode, we talk to Marc Van Zadelhoff, CEO of Devo, about just that.