Recently Phil Neray, VP of Cyber Defense Strategy at CardinalOps, was invited to join the State of Identity Podcast for a conversation on the latest cybersecurity threats and why orchestration is the key to a robust defense.
Listen to the full podcast episode recording here – Episode 320: Detection Posture Management, or read through the transcript below.
Cameron D’Ambrosi Enterprise Information and security event management solutions are only as effective as their coverage. Join me for my conversation with CardinalOps VP of Cyber Defense Strategy, Phil Neray. As we explore the latest cyber threats and why leading CISOs are turning to orchestration to bolster their defenses. Welcome, everyone to State of Identity. I’m your host, Cameron D’Ambrosi. Joining me this week is Phil Neray, VP of cyber defense strategy at Cardinal Ops. Phil, welcome to the podcast. Well, I’m so excited to have you. You know, I think the cybersecurity space more broadly, you know, white hot. I mean, it well, it should have been white hot for years now. But I think, you know, this increasing pace of data breaches and the continuing vulnerabilities that, you know, enterprises of all shapes and sizes seem to have to this next generation of cyber threats is really keeping folks up at night. And I think driving some really important conversations around, you know, security postures more generally from that perspective. You know, before we dive into, you know, what you’re building at CardinalOps, you have quite an interesting background more broadly in the cybersecurity space. I would love to hear a little bit about your kind of career journey before you joined CardinalOps and kind of how that built up to what you’ve built there.
Phil Neray Yeah, thanks for asking. So, I’ve been in cybersecurity for quite a while, and it’s given me an opportunity to learn about the many different aspects of cybersecurity. So, cybersecurity means monitoring and analyzing many different layers to be able to detect attacks. And that’s what modern security operations centers need to do. They need to look at what’s happening on the endpoint. They need to see what’s happening at the network layer. They need to look at their email traffic. They need to look at their identity and access management systems like Okta, an Active Directory. And now more and more, they need to also be looking at what’s happening in their cloud instances. So, I’ve had the opportunity to learn about all those different layers, and it’s really helped me in my current role because we’re helping security operations centers be more effective and to optimize how they use all these different tools in their stack to identify when an attack is happening so they can quickly respond and mitigate it before it causes any critical damage to their business.
Cameron D’Ambrosi CardinalOps sits, I think, at a very interesting place in the cybersecurity and digital identity landscape in that in some ways I think your kind of orchestrating among some existing tools and platforms that folks already have. You’re not necessarily trying to displace a bunch of folks from the stack. As I understand it, you’re looking to be additive in value and apologies if I’m maybe botching your elevator pitch a little bit, but at that 15,000-foot level, how would you describe, you know, what CardinalOps does and what value adding to your customers?
Phil Neray Yeah. So, you know, especially in today’s economic climate, CISOs are looking to optimize and rationalize their security stacks. They’re looking to get more out of their existing investments. And we’ve focused specifically on the SIEM, the Security information and event management system that most SOCs use as their central operating system. Where all the data comes in, they analyze the data, they look for anomalies and if necessary, they create alerts that then analysts need to follow up on. So, these are security solutions like Splunk, IBM QRadar, Microsoft Sentinel, those are kind of the top three that are at the center of most enterprise security operations center. So, what we’re doing is helping people get more out of their existing systems and specifically by helping them understand where their coverage gaps are in those SIEMs using miter attack, which is a standard framework for describing adversary behaviors and using analytics and automation. Because a lot of the way these systems are being managed today is very manual, very ad hoc, very reactive analysts using spreadsheets to track, you know, which adversary techniques they’re covered for. And they’d rather be doing more interesting work like threat hunting than then doing some of these more mundane tasks. And B, CISOs want to know where are there gaps, where are we covered for the adversary techniques that are most relevant to our organization? Where are our gaps? How do we quickly close those gaps? Do we have broken detections? Do we have detections in our SIEM that we think will detect this a certain kind of attack? But in fact, something broke along the way. It changed where a server is located in the network, or a log file format has changed and now that detection is no longer working. So, we’re focused on helping organizations find those gaps, remediate those gaps and be able to report on their detection posture. And so, in a way, it complements some. Other ways today that organizations are looking for the gaps. They’re using penetration testing or they’re using red teams, which is kind of an outside in approach to finding the gaps. We’re doing it from an inside out by connecting to the SIEM through the native API of the SIEM, analyzing log sources, analyzing the detections they have, and then presenting that information in a way that helps organizations find the gaps and remediate the gaps.
Cameron D’Ambrosi So from our perspective, you know, we think of digital identity in a very holistic sense. We have the latest version of the liminal digital identity market landscape that’s come out. Obviously, cybersecurity, I think, has played an increasing role in many ways in the discussions we have around digital identity. And I, you know, I’m proud to a large degree about the work we’ve done, I think in illuminating the critical nature that identity has in thinking about cybersecurity threats. You know, I think the perimeter, for lack of a better word, is dead, right. You know, the notion that you’re going to secure every endpoint of your network all of the time is something that’s now an impossible task. And in many ways, I think we see identity as kind of that new focal point understanding, you know, who is doing what, and should you be authorized to do that, not necessarily trying to whitelist or blacklist devices themselves. What role does identity play? I know that, you know, you guys can integrate with a lot of the IAM, and SIEM players and that identity data is a really critical part of SIEM. I, I’ve been calling it SIEM this whole time. I feel like you’re expanding my mind. I need to talk more pure cyber folks so I’m not butchering the acronyms here but not to not to digress into a pronunciation spat. But you know what role do you see as identity playing within the CardinalOps stack? And how are you seeing, you know, these shifts from a CSO perspective around how they’re thinking about their identity posture with regard to cybersecurity?
Phil Neray Yeah, and by the way, on the pronunciation side, you’ll hear sometimes Europeans will call it a seam, so SIEM or SIEM both work. But to get to your question, I think identity, as you just said, is becoming more and more important, especially as organizations move to the cloud. So, you know, using an endpoint detection and response solution in the cloud doesn’t really make sense anymore because now you’ve got containers and you’ve got microservices. You can’t really put agents on those things. You can’t really go and find out what happened on this endpoint because the endpoint, if it’s a container or a microservice, might just be in existence for a minute or less and then gets replaced by another one. So, identity becomes even more important. And specifically in the SIEM, what we’re finding is our customers want to know are we looking for suspicious or unauthorized activities in the admin consoles of our identity system? So, Azure Active would be two great examples. You know, is someone in that system creating new roles, new accounts that they shouldn’t be in a suspicious or unauthorized way? And that’s a key tip off that you might have an adversary in your network or in your cloud infrastructure that you need to figure out how to get them out of there.
Cameron D’Ambrosi Very interesting. And what kind of integrations are you seeing as being in highest demand? Broadly speaking, I know you called out some of the top SIEM platforms that you’re working with. I know you also work with XDR platforms, but I presume, you know, you are kind of at the tip of the spear in terms of seeing what’s the latest and greatest in terms of how organizations are trying to, you know, protect, and capture those data logs from across their enterprise. Any new and exciting trends to speak of in that in that neck of the woods?
Phil Neray Yeah, there’s a couple of important trends when it comes to SIEMs. One is that organizations are increasingly looking at cloud native or cloud based SIEMs because of all the benefits of putting that type of solution in the cloud, it’s more scalable, it’s easier to manage, it’s easier to put a lot of data in the cloud and keep it for a longer period of time in case you need to go back and do some forensics and say, Hey, we found this attack. I wonder how long these folks have been in our network or have been in our infrastructure. So, there’s a lot of benefits to cloud native SIEMs. There are also some new licensing models for cloud native SIEMs, like Google Chronicle, for example, that allow you to put a lot of data in the cloud and save money compared to traditional on premises SIEMs. So, what we’re seeing often is that people are using a combination of SIEMs, so they might now have two SIEMs one that’s Cloud native like Google Chronicle or Microsoft’s Microsoft Sentinel, and one that’s more traditional on premises like Splunk or IBM radar because they can’t move everything to the cloud all at once. And certain licensing models like for Microsoft Sentinel, make it advantageous to put all your Microsoft Logs in Sentinel, but you still have to bring in all your other logs, your firewall logs, your end point. If you’re not using a Microsoft endpoint detection solution, your email. So, we’re often seeing side by side. So that introduces additional complexity for the folks managing these infrastructures. And we can help with that as well by giving them a view into both SIEMs, by giving them an aggregate coverage score using wider attack across both SIEMs so they can see that they have some aspects of minor tech covered in one sim, other in another SIEM by ensuring that they have consistent detections across both SIEMs. So, they might have in different parts of the world or different business units. So, it does introduce additional complexity, but it is helping companies be more scalable and save money as well.
Cameron D’Ambrosi Interesting. I mean, so it sounds to me like it’s basically a microcosm of the broader trends we’re seeing across, you know, corporate I.T., which is moving away from on prem, moving to cloud and then beyond that, moving to multi-cloud, which obviously has a tremendous number of advantages that you just highlighted. But you’re also creating cracks, so to speak, that things can fall through. I mean, you know, and I’m not a cybersecurity professional by any means, but, you know, if you now have two SIEMs figuring out, okay, what is SIEM covering versus what is SIEM be covering, you know, it feels like a classic situation where you could realize, well, we thought we were double covered, but it turns out we were actually zero covered.
Phil Neray Exactly. Exactly. And then the other thing that cloud does is it says, now we need to start sending a whole new category of logs or alerts into our SIEM from Azure, from GCP, from us, and we need to start building detections for those logs or those alerting systems in our SIEM. And that requires learning, you know, all new ways of looking for suspicious or anonymous activities. So, we can help with that as well by providing deployment ready curated detections for the cloud-based logs in the same way we provided for all the other systems they might have like endpoint email and identity.
Cameron D’Ambrosi and this potentially has a chance of becoming a, you know, almost a meta conversation. But I think one of the most interesting things we are seeing is, you know, the role that identity needs to play within these types of systems as well. Obviously, there’s an entire identity component and layer when it comes to who has access to the SIEM, who has access to the XDR, who has access to the CardinalOps platform. From that perspective, you know, from an internal perspective within the CardinalOps team, how are you thinking about identity and what trends are you seeing with regard to how your clients are using, you know, whether it’s identity governance, administration tools or privileged access management tools to keep track of the identities that need to be moving laterally, you know, across all of these systems. We’ve been talking about integrating, you know, under the umbrella of CardinalOps.
Phil Neray Yes. So, I mean, our solution, the solution that, you know, provides detection coverage or detection posture management for the SIEM, that’s what our solution does. It is a privileged system. It requires privileged access because you’re looking inside the semi, you’re seeing a lot of important information that’s critical. And the SIEM itself, of course, has a lot of that information as well. So, in general, what we’re seeing is folks moving to kind of a DevOps model around how detections get into the SIEM keeping an audit trail of what’s going on, what changed, who made the change. It’s still in its very early stages and I would say it’s still only the most mature organizations that are looking at it that way. But I see that’s the way it’s going to go. It’s the same thing that would happen with database activity monitoring ten years ago, where all of a sudden people realized, hey, we have no idea what our privileged users are doing on the database. We need to monitor their activities, keep an audit trail of their activities. I see the same thing happening with the SIEM.
Cameron D’Ambrosi That’s very, very fascinating. And from a threat perspective, you know, I’m dangerously, uh, I what’s the term I’m. I’m thinking of, you know, there’s that that graph of kind of where your knowledge as you progress within a field, you know, you kind of hit this peak of like, I know enough, I know everything. And then you get into actually I know nothing at all. I would say I’m in that, you know, trough of disillusionment, if you will, around my knowledge of, you know, frameworks like might or attack. Yeah. From your perspective, like what are the interesting trends you’re seeing in that threat landscape? I think as I’ve been speaking with our clients, you know, it seems like the cyber security threat actors have followed a lot of the trends, you know, in again, thinking about these shifts to, you know, multi-cloud moving away from on prem. The similar trends we’re seeing in the cybersecurity threat actor landscape are, you know, the effective version of like offshoring, for lack of a better word, like script Kitty kind of approaches where you have these big, well-funded teams that are building forks of existing tools and then kind of shotgun blasting them out, really being as opportunistic as possible, moving with high velocity once they identify a threat. What are some of the trends you’re seeing out in that threat landscape on behalf of your clients?
Phil Neray Yeah. So, I mean, cybercrime today is a multitrillion dollar business, and you know, you can just look at recent ransomware attacks. The city of Oakland is basically shut down due to ransomware. Last month, major hosting provider called Rackspace was attacked by a ransomware gang called Play. They exploited vulnerabilities in Microsoft Exchange to take control of those exchange servers, to look at sensitive data that was being stored there. Microsoft had issued patches for some of those vulnerabilities, but then had also told organizations that they could mitigate the vulnerability by making certain configuration changes. And this gang found another way to get in that had not been thought of before, and they were able to compromise all these Microsoft exchange servers. So, I think what that illustrates is that the adversaries, the attackers are getting smarter and smarter because it is such a lucrative business, they can invest in looking for zero-day vulnerabilities, finding new and innovative ways, innovative ways to get into the organization. And so, the attack techniques are constantly changing. And so combined with the fact that your own infrastructure and attack surface is constantly changing because you have DevOps teams building new things in the cloud, you’ve got the network constantly changing. So, there’s constant change in the attack techniques, there’s constant change in your own infrastructure, and there’s also constant change in you by your business priorities. The business might say, you know, we want to focus on the cloud, we want to put more stuff in the cloud. So now let’s focus on how we secure the cloud. So Minor attack is a standard framework that emerged out of all of this. It’s from a government organization called Miter, and it’s a playbook. It’s a standard framework that describes adversary playbooks. So, it says when attackers get into your network, there’s certain steps they need to follow. They need to get initial access, then they need to deploy their malware. Then they need to establish persistence, so you don’t discover them. Then they need to get to your data, then they need to exfiltrate your data. And so, it’s a standard terminology and a lingua franca for describing all the different things an adversary can do in your network. Plus, Miter has gone ahead and looked at all the adversary groups in the ecosystem, of which there are several hundred, about 100 nation state, about a 250 that are more cybercriminal, you know, financially motivated. And they’ve said these are the common tactics and techniques that each group uses. So as an organization, you can never cover the entire mired tech framework, but you can prioritize based on the adversaries that are most likely to attack your organization based on, for example, your sector, what vertical you’re in. And then you can use a platform like ours to identify what are the tactics and techniques that those adversaries are using. And where are we covered and where are we not covered? And then our platform will deliver high fidelity curated detections to fill those gaps and might attack itself. The framework has been evolving over the years. It started with less than 100 techniques and now it’s got over 500 techniques and sub techniques. So that illustrates the challenge for network defenders that they have to keep up with all of these different techniques as they evolve, and they have to make sure they’re covered for it. The other thing that we’re seeing is that there used to be a distinction between nation state adversaries like apt29 and financially motivated adversaries, and that distinction is blurring. Nation states are sharing sophisticated tools with the financially motivated groups and vice versa. And you can see that, for example, in the Russia Ukraine conflict, where cyber-criminal organizations that are allied with the Russian interests are helping them. And so, they’re sharing tools. And so, what that means is if you previously were only concerned about nation states for nations for cyber espionage, now you need to worry about them from a ransomware point of view as well. And we’re seeing that with, for example, Chinese actors that are part of a nation state organization. But perhaps they’re freelancing at night to do ransomware. You’re seeing that with North Korea, which you would think is nation state worried about cyber espionage. But they’re also stealing cryptocurrencies to fund their nuclear program. And Iran would be another example which nation state you would think only cares about cyber espionage. But they’re deploying ransomware looking for vulnerabilities like log for GE. So that makes the adversary landscape much more complex, much more sophisticated, constantly changing. And that’s another way we can help our customers keep up with that constant change.
Cameron D’Ambrosi That’s fantastic. Thank you so much for that perspective. I think it’s always fun for me to kind of speak with true thought leaders in the space and get a peek under that proverbial hood, because I think in many regards, cybersecurity can be, you know, intimidating to outsiders and maybe a little bit opaque, despite the fact that it really while touches on all of our lives, whether we want it to or not. I would say from a consumer perspective, it’s only you know, it’s like plumbing, right? You’re only thinking about it when there is, you know, crap bubbling out of bubbling out onto the floor.
Phil Neray So there are risks here where we’re choosing to mitigate those risks here, where we’re going, here’s where we’re going to sort of assume those risks and not do anything about them either because it’s too expensive or too complex or we have higher priority things that we need to address. So that’s another way in which our platform can help, is it can provide a reporting mechanism to report to the business on your detection posture using standardized framework like or attack.
Cameron D’Ambrosi So pulling that, you know, thread a little bit further in terms of the future of the space and where you see things going. Obviously from our perspective as laid out by the market landscape we put together, we really see a continued consolidation push, you know, whether that is vertically integrated platforms or tightly integrated platforms that are pulling together, you know, cybersecurity capabilities, identity and access management capabilities, you know, Pam and IGA capabilities, again, to give those CISOs kind of a full 360 degree view of what identities exist, who is doing what, where am I gaps, where am I vulnerabilities from your perspective, you know, what do you see trending in the year and, you know, years ahead that we should be keeping our eyes on?
Phil Neray It’s always a tradeoff between reducing complexity in your security toolset by bringing things together into single platforms, because complexity hurts security as well. If you have many different tools and no easy way to manage all the different security tools, that creates gaps for attackers as well. And so, there is a move to, as you say, bringing more tools together into unified platforms. But at the same time, because the adversaries are constantly innovating, the industry needs to constantly innovate. And so, we’re still finding that in large enterprises they’re using a combination of best of breed tools, which might be point solutions and unified solutions, because they’re always looking for the most innovative way. To detect and respond to attacks. And sometimes that requires looking at point solutions that are more innovative than the larger companies can deliver, because bigger companies tend to innovate not as quickly as smaller companies.
Cameron D’Ambrosi Where do you look to see the biggest opportunities emerging for Cardinal Ops? I know we had alluded to this a little bit before, but you know, where are you seeing the biggest product market fit in terms of, you know, scale and types of organizations? And where do you hope that you can take the Cardinal Apps platform, you know, in the near future?
Phil Neray Yeah. So, detection posture management is a fairly new category, and most organizations are not using this type of technology today. They’re realizing that they have gaps. They’re realizing that a lot of their processes around managing the SOC and managing the SIEM are still highly manual, but they haven’t been able to take advantage of these new technologies. So, for us, it’s a greenfield market. In many cases. We have large Fortune 50 organizations using our product, but there are many more. And so, for us, the challenge is around education and awareness. And our primary mission is to help organizations understand that they have options for automating these processes, for using analytics to help them understand where their gaps are, for helping them understand that there is a platform that they can use to help them fill those gaps. And so, our primary focus, as I said, is on education. And we have white papers, for example, that we offer on, you know, here are the top ten ways to reduce noise in your SIEM because you think about it, noise is another way for attackers to get into your network. If you have many noisy alerts, the SOC doesn’t know which ones the important ones and which ones are the ones they should focus on. So, we’re focused on innovation in that area, in educating and explaining to our customers that that they can use the automated analytics and standard frameworks like might attack to attack these problems.
Cameron D’Ambrosi I love that. And, you know, the I think one of the more interesting things to me as I’ve continued to evolve, you know, my role within the identity space and have more of these conversations is the degree to which education is still so critical. You know, we never stopped learning. And more importantly, as you know, these systems grow increasingly complex. And as people are coming up with new and innovative technologies to deploy, you know, a big part of how you can sell them successfully is, quite frankly, getting out and explaining to people like, hey, you don’t even know what this is, and let me explain that to you so I can have you buy it from me, because otherwise you wouldn’t even know that this necessarily existed.
Phil Neray Yeah. You know, and this sort of circles back to your first question about, you know, how I got into cybersecurity and why I find it’s such an interesting field to be in is it’s constantly evolving. So, your class, you constantly have to learn and understand what’s going on because the adversaries are constantly changing the way they get into organizations.
Cameron D’Ambrosi Fantastic. Well, to bring us home, I have an opportunity for what I like to call shameless plug. So, for those folks who are listening, who are realizing that, you know, their security posture is not where they need it to be, and they’ve been intrigued by what you’ve been laying down and want to engage. To learn more about CardinalOps and how to improve their security posture, what is the best place for them to go to learn more and or, you know, if they’d like to get in touch with you or your team, how do you recommend they do that?
Phil Neray Yeah, thanks for asking. So, our website is CardinalOps.com. You will find the resources section on the website with some of these white educational papers. And the other thing that we’ve done that has been very well received is a series of webinars with Sands, which is the number one educational resource for security professionals. We’ve done a series of webinars with Dr. Anton Chuvakin, and he’s very well known in this space as being an expert in security operations. He’s a former Gartner analyst. He’s now at Google Chronicle and he’s on our advisory board, and we’ve done a series of webinars with him that explore some of these thought leadership and educational topics. So, you will find links to those webinars on the resources page as well.
Cameron D’Ambrosi Amazing. Well, Phil, thank you again for your time. I really, really appreciate it. Looking forward to continuing the conversation. And you know, yeah, this is such an exciting space. Apologies if I’m a fan going a little bit, but I always love to kind of expand my knowledge and expand my horizons in this critical cybersecurity space.
Phil Neray Thank you, Cameron. It’s really been a pleasure talking about it with you.