“A Contemporary Approach for Security Assessments Would Be Continuous With Material Deficiencies Addressed Immediately.”
Please tell us about your role and the team / technology you handle at JupiterOne. What led you to join the organization?
I serve in the role of CISO and Head of Research. It’s currently a small team of 3 people focused on the day-to-day security operations, but given that JupiterOne sells a product that enables a CISO to automate many of the traditional activities of a CISO, I look at our 30+ member product development team as an extension of my team, helping me automate many tedious activities that CISOs do. This frees me up to spend time on the Head of Research role, which involves finding interesting patterns and antipatterns that enable enterprises to be more secure.
The Head of Research role also enables me to further develop two models that I created prior to coming to JupiterOne: the Cyber Defense Matrix and the DIE Triad. These models provide holistic ways to rethink how we approach cybersecurity, but I need a way to make these models easier to implement and use. Fortunately, JupiterOne is already well-aligned to deliver against this goal because JupiterOne embraces a broader view of what constitutes a cyber asset consistent with my Cyber Defense Matrix.
Furthermore, the team has already adopted the principles of the DIE Triad (Distributed, Immutable, Ephemeral). The DIE Triad encourages us to avoid creating pets, which require our constant attention and tender loving care. Instead, the DIE Triad allows us to focus on building cattle, which are meant to be short-lived, easily replaceable, and low impact even if they get compromised. This makes my job so much easier because it means that I have fewer “pets” to worry about.
As CISO, how will you keep your company protected from security risks?
99.99% of our assets are cattle, which aligns extremely well with what I’ve been espousing around the DIE Triad (Distributed, Immutable, Ephemeral) and the need for us to focus on building more cattle and fewer pets. The fact that we have only a few pets makes my job as the Chief Cyber Veterinarian significantly easier. For the few pets that we have, the JupiterOne platform itself is what I’ll be using as my primary means to understand our security risks and drive risk reduction activities.
What is the most contemporary definition of ‘Enterprise Security Assessment’?
Most security assessments that I know of are point-in-time assessments with an annual, or perhaps quarterly, refresh. However, this is wholly inadequate because our security environment is an ever-moving target. A security assessment done yesterday may not account for changes to the threat environment today.
A contemporary approach for security assessments would be continuous, with material deficiencies addressed immediately. Consider how the US Secret Service does a security assessment for POTUS. The White House continuously undergoes a security assessment. As new forms of attack manifest (e.g., knife-wielders jumping over fences), they assess where the existing controls failed and implement mitigations immediately. When POTUS travels, the USSS conducts thorough security assessments of the destination and adjusts its real-time security posture based on a continuous assessment of the threat environment. A contemporary view of an enterprise security assessment should not be much different. It should be continuous, enabling the enterprise to adjust immediately to adapt to the latest threats.
What are the major security challenges for IT-driven companies that have erupted in recent times? How have security assessment models transformed with data analytics and predictive intelligence?
Many successful companies are able to accelerate and quickly produce value because they have pivoted to technologies that enable them to perform various functions without having the burden of setting up and maintaining the infrastructure necessary for them (i.e., more cattle-like technologies).
What kinds of IT frameworks are most susceptible to cyber-attacks? How does JupiterOne ensure protection of digital assets?
The slower an enterprise moves, the more susceptible it is to cyber attacks. A faster-moving enterprise requires attackers to constantly catch up, by which time, hopefully, the enterprise has already moved. Regardless of which IT frameworks an enterprise uses, if the implementation of the framework impedes the ability of the enterprise to move fast, then the enterprise will likely face a greater amount of both cybersecurity threats and business threats.
What is your prediction for the future of Cloud Computing in Information Security? Can you provide your take on IoT, 5G and RPA technologies that could complement Data Science/AI in the future?
When it comes to Cloud Computing, security practitioners can embrace it or fear it, but I think we should embrace it. Whether it’s because we have fewer pets and more cattle or because the uniformity of cloud computing environments makes it easier to reuse defensible patterns and avoid bad antipatterns, Cloud Computing can radically simplify and improve how we do information security.
Thank you, Sounil Yu! That was fun and we hope to see you back on itechnologyseries.com soon.
With more than 30 years of hands-on security experience, Sounil Yu is the Chief Information Security Officer at JupiterOne. He is the creator of the Cyber Defense Matrix and the DIE Resiliency Framework, serves on the board of SCVX Corp and the FAIR Institute, teaches security as an Adjunct Professor, co-chairs Art into Science: A Conference on Defense, and advises many startups. He previously served as the CISO-in-Residence at YL Ventures and as the Chief Security Scientist at Bank of America, driving innovation to meet emerging security needs and develop alternative approaches to hard problems in security.
JupiterOne is a cyber asset management and governance solution company, providing visibility and security into your entire cyber asset universe. JupiterOne creates a contextual knowledge base using graphs and relationships as the single source of truth for an organization’s cyber asset operations. With JupiterOne, teams can discover, monitor, understand, and act on changes in their digital environments. Cloud resources, ephemeral devices, identities, access rights, code, pull requests, and much more are collected, graphed, and monitored automatically by JupiterOne.