To keep pace with today’s digital transformation, fundamental strategies upon which cybersecurity was built are changing
Secureworks Chief Technology Officer Jon R. Ramsey shares why strategies like defense-in-depth are inadequate for safeguarding organizations and sheds light on where forward-thinking cybersecurity pros are heading.
KARIN: Hello NASDAQ followers. We are live from MarketSite for today's NASDAQ Spotlight. Joining us we have John Ramsey, Chief Technology Officer at Secureworks. My name is Karin McKinnell and I am glad you're here to join us. And welcome, John.
JOHN: Thanks, Karin.
KARIN: I was reading an article with Jim Coulter who is at TPG talking about security – well, actually, talking about technology and how quickly that's evolving. And what he's really focused on is where we can provide seatbelts for technology. So when I think about Secureworks and I think about the role that you have, can you tell us what is driving today's biggest changes in cybersecurity industry?
JOHN: Yeah, so technology is clearly one of the biggest changes. Actually, think about four areas that are putting externalities or forces on changing what's happening in the cybersecurity space, technology is definitely one of those with Internet of Things. The architectures we're using for compute today around cloud are completely different. Data sciences and what we're learning from our data is different. So defending the technology base and how it shifts is changing, sort of like adding seatbelts as the car's changing underneath it.
The other area is businesses. Businesses are really moving into a world where they're using data and analytics to drive revenue and profits, whether it's to reduce costs or at the top line. And that is becoming more material and more important for businesses. And because of that, what you have is cybersecurity being a business imperative instead of just an IT imperative sort of stuck down in the corner. Like it has to be front and center.
The other thing is is how we defend – and we'll talk a little bit more about this – but the nature and how we defend in terms of the technology and the processes we use is changing very rapidly. And then of course, the bad guys. There's a fourth externality. They're always looking for new ways to work through the gaps of all the controls and they are constantly innovating. For example, recently the ability to go lateral from one compromise machine to all the other compromised machines, we've seen a lot of innovation in that area.
So those are the four areas that are driving change in the cybersecurity space. The biggest risk is if you don't recognize that it's changing out from underneath you, you're not going to be prepared.
KARIN: Yeah, no question and we've certainly seen that as a board topic, cybersecurity now. So it is going to the highest levels as a business imperative. So tell me a little bit about cybersecurity's role within business changing in the near-term and long-term.
JOHN: Yeah, so in the short-term, of course, the increase of information technology that either supports the business or is creating new business models is very, very important. Businesses want to get to value as quickly as they can from the point at which they have an idea, to the point it's in market and growing and driving revenue. And so what we see is a shift in the way that technology is delivered and deployed.
In our space it's called DevOps or development operations where a developer can submit a piece of code, commit it to the system and then the code is out in the customer's hands in a matter of minutes or hours. And it used to take weeks or months, because the need to get to value is imperative. The way we defend today in that short-term and long-term vision of how businesses are driving value quicker, to be more competitive and drive greater revenue, is security has to support that as a function to be able to say yes, that code is good, that capability isn't going to introduce the risks to the business in as fast as the code is being developed and deployed. And so that's how sort of cybersecurity and business need to align right now.
KARIN: Thank you. Now for the viewers who may not know, can you tell us a little bit about Defense-in-Depth and why it is no longer a sustainable strategy?
JOHN: Yeah, sure. So Defense-in-Depth as a concept that has gone way, way far back in time, in terms of in castles, you have castles that have moats and walls and bridges and towers and lots of different layers of security to prevent an invader from getting to the people. We use that in the cybersecurity world, too. We have application defenses and controls, network defenses/controls, user and endpoint and web and all kinds of layers of defense. And we've been doing this for 30 years.
And as an example, our clients, on average, our larger clients, have about 56 layers in their control set, which is an awful lot of layers. And strategy to me is allocation of finite resources. And so when you're a CISO and you're thinking about how do I reduce the greatest amount of risk per dollar spent, is it adding the 57th layer? Is it adding the 58th layer? Well, maybe/maybe not. And so one of the challenges in the industry is how do we fundamentally think about the problem, approach the problem differently to be able to reduce the risk per dollar spent materially instead of just adding the 57th/58th layer?
And for us, our strategy in that is what we call Defense-in-Concert, which is having layers – the bad guys work the gaps between layers. So the system that is used to prevent phishing, meaning inbound email that's malicious and malicious into trying to steal username and password, and the system that actually like authenticates the user and takes the username and password, don't communicate with one another. So the bad guy works the gaps between the two. He gets the username – eventually gets a phishing email through, gets username and password and the identity and access management system has no idea that that user was under active attack with all these phishing attacks. And that's traditionally, in cybersecurity, the way that Defense-in-Depth works. The layers work independent of one another and don't share any context.
I think what we need to move to and what Secureworks is moving to, is a Defense-in-Concert, which is the layers are aware of everything that's happening in the environment. So when a user receives a very aggressive phishing email, identity and access management system is informed that this user is under attack and they can then take that context, in essence make a decision as to do I want to ask the user a third question or do I want to remove access to the core intellectual property system until I can confirm that the username and password hasn't been stolen?
And so in this context what we get is fewer layers probably, not 56, maybe half, but the ability for those layers to act smarter, observe faster and respond to be able to interdict the threat quicker.
KARIN: Interesting. I like that concept of cutting down the number of moats and having them be smarter working together.
JOHN: Yeah, yeah.
KARIN: It makes a lot of sense. You know, you're a long-term veteran in this space and I would love to know a little bit about the strategies that should be implemented to keep up with today's challenges.
JOHN: Yeah. I think at the highest levels, there are several strategies. One of those is what we seem to be missing is actually getting to action. I think there's a lot of analysis going on, there's a lot of detection going on. Like this is compromised or here's this bad guy and he's developing this trade craft. He's coming after someone. But if you're not actually doing anything with that, if you're not putting preventative capability or response capability in place, what you're learning from a detection or prediction perspective, especially in a Defense-in-Concert way, you're not reducing any risk. You're just – knowing is half the battle.
And so the first thing is get to action. Specifically around preventing attacks or responding to compromises. The second thing in that space is don't go it alone. The Secureworks' strategy is what we call the network-effect, which is make the bad guys have to be really subversive on lots of places and in that context, we can use that network-effect to see where they're going and what they're doing, and use that to inform people to what the bad guy is doing. So it's this collectively smarter, exponentially safer capability. So going it alone is really hard in this space.
The other thing is a balance between prevention and response. We talked about getting the action, but it's not 100% prevention and it's not 100% response. You have to figure out what your risk tolerance is and what you need –how fast you want to respond or how many attacks you want to prevent and balance your resources across those, too.
KARIN: Well, thank you. We certainly covered a lot here today on NASDAQ's Spotlight. We loved having you here, John. Thanks for being with us.
JOHN: Thanks, Karin.
KARIN: Thanks for joining us.
JOHN: Sure.
Secureworks (NASDAQ: SCWX) is a global cybersecurity leader that protects customer progress with Secureworks® Taegis™, a cloud-native security analytics platform built on 20+ years of real-world threat intelligence and research, improving customers’ ability to detect advanced threats, streamline and collaborate on investigations, and automate the right actions.
