January 3, 2023
In this episode, Eveline Oehrlich is joined by Brian Smith to discuss the importance of humans in cybersecurity.
Brian is a computer scientist and veteran entrepreneur with 30 years of experience ranging from academics to startups, from multimedia to computer security. He has a passion and skill for innovation and for defining and solving difficult, challenging problems at the intersection of technology and market needs that unlock massive value for customers and investors.
Enjoy the Humans of DevOps Podcast? We’re incredibly grateful to be voted one of the Best 25 DevOps Podcasts by Feedspot.
Want access to more DevOps-focused content and learning? When you join SKILup IT Learning you gain the tools, resources and knowledge to help your organization adapt and respond to the challenges of today.
Have questions, feedback or just want to chat about the podcast? Send us an email at [email protected]
You’re listening to the Humans of DevOps Podcast, a podcast focused on advancing the humans of DevOps through skills, knowledge, ideas and learning, or the SKIL Framework.
Brian Smith 0:17
In a lot of companies they see the CISOs. They were doing all this, but there’s this DevOps group over here, and I’m not quite sure what they’re doing, I fully understand it and so bridging that gap, I think is sort of where a lot of companies are fairly immature.
Eveline Oehrlich 0:34
Hello, all this is Eveline Oehrlich, Chief Research Officer at DevOps Institute, and this is the Humans of DevOps Podcast. We are excited to have a wonderful gentleman with us today, Brian Smith. But before I introduce Brian, to you, the title of our episode today is The Importance of Humans in Cybersecurity. As you all know, we’re focusing much on the human angle within DevOps and and the greater topic. So welcome, Brian. Hello, there.
Brian Smith 1:07
Hi, It’s great to be here. Thanks for having me.
Eveline Oehrlich 1:11
Thanks for taking the time out of your busy day to come to us and speak with us and me quizzing you on a variety of things. So let me, to our audience, introduce Brian a little bit here. There's a lot of things I will read because I cannot remember them all. So Brian Smith is a 20 year veteran, an entrepreneur in multimedia, cybersecurity, and technologies alike. He is co-founder and CTO at Spyderbat, an automated runtime security platform; we'll talk a little bit about Spyderbat in a minute. Spyderbat, just quickly, stops attacks and automates root cause analysis on cloud native environments by proactively recording cloud systems and container activities into a living Google Map. That sounds very intriguing. So Brian has some background here in technologies. In 2000, Brian founded, in conjunction with somebody else, TippingPoint Technologies, which was acquired by 3Com. Then in 2009 he founded Click Security, acquired by Alert Logic. I remember those guys, that's exactly the time when I was thinking about going into security, but I stayed in doing infrastructure and operations at my former company. Brian has a PhD in Computer Science from the University of California at Berkeley in 1994, and was the Xerox Professor of Computer Science at Cornell University until 1998. I'm sure maybe there are some former students of yours, Brian, who are listening in, wouldn't that be super? And he holds 13 patents and is a fellow of the Alfred P. Sloan Foundation. Fantastic. This reads wonderful, Brian, we're excited to have you here. My first question, I have to ask this: Spyderbat. That's quite a name of a company. So first, how did you come up with this name? And second, tell us a little bit more about Spyderbat?
Brian Smith 3:12
Yeah, so like you said, this is kind of my third startup that I've done. And when you are coming up with names for startups, there's a couple of considerations. One is you want it to be memorable. One is it needs to be not too cute or too tricky, these names where you say them and you can never spell them and you can never find a website. And so when we were talking about names for the company, we wanted something that was kind of fun. And we're from Austin. So Austin, I don't know if you know it, has this big bridge that goes across the Colorado River, that big lake there in central Austin. I have been there. And it's the Congress Avenue Bridge, and underneath it has the largest colony of bats, Mexican free-tailed bats, in North America, I believe. And there's like a million bats that live under there, so Austin is known for bats. And the city has that. So there's a type of bat called the spider bat. And so we decided to have that as the name, but it's spelled S-P-I-D-E-R. And so when we went to open up our bank account, we were just getting started, the guy at the bank misspelled the name with S-P-Y-D-E-R, and we thought, well, that's pretty cool. So we hadn't actually filed the corporation documents yet. So we incorporated under that name. And that's the story.
Eveline Oehrlich 4:39
That is a great story, and the banker has done you a favor by making a spelling mistake. That's a great story. And at some point you want it to be, instead of "you go Google it," you want to say "you go Spyderbat it," right? That's kind of the goal. So when people say let's go Spyderbat, what does that mean? Tell me about this Google Map recording? Tell us, myself, of course, I'm curious as I'm an analyst. Tell us about Spyderbat a little bit.
Brian Smith 5:09
Yeah, you know, I've been working in security for 20 years now, and one of the toughest problems is, you'll usually get notified about a security incident when something goes boom. And then the tricky problem is trying to root cause that, trying to figure out what actually happened. You have a bunch of considerations: is it still happening? What happened? What was the impact? How do I stop it right now? Who do I need to inform, and how do I prevent it in the future? And a lot of that is trying to figure out what happened. And the problem we have right now is the traditional way that people do that is they start going through the logs and trying to figure it out, you know, just from log analysis. It's painful. And a lot of times the data that you need is not there in a box. But we looked at that and said, you know, these things are all just computers running. And so if we could record everything, build this kind of DVR-like capability of everything, good, bad and different, that happened, and then use that data to flag "this is interesting, this is interesting, this was something bad happening." Once you have the bad, you could trace back to root cause, where this thing started. So we started building something that could record everything that happened, like a DVR for your entire network. It built this map. If you just looked at the raw data, you'd be kind of sad. So we built an analytic system that turned that into a map that you could understand, what we call a causal map, that for any instance you can say this caused all this stuff to happen, and this is the stuff that caused it. And then if you can just attach a security incident onto that, then you can go from that and say, okay, this is all the bad stuff that happened as a side effect of that, and work backwards to this is what caused it.
When you have that base capability, then it's not a long stretch to add in security content on top of that that says these are bad things happening. And then it's pretty easy to add on top of that, well, let's stop it dead in its tracks. Because what we find, and I'm sure you know this, is that the average industry time when something bad has happened is 56 days that they've been in your network, what they call the dwell time, and then it's 178 days to actually inventory everything that happened and figure it out, the investigation time, and then 96 days to clean it up. That whole process is this massive manual effort. And so by having this recording, we can really crush that time.
Eveline Oehrlich 7:49
So you're really reducing MTTR quite significantly, right. That's, I think, to me in infrastructure and operations, which is what I come from, it sounds like it is an application. It's almost like a dependency map, right? As we sometimes have application dependency maps, but with the focus on what's actually happening from a security perspective, which then allows me as a team member, not necessarily security, but maybe others, to kind of look at it, where we can collaborate and say, hey, here's something and this is where we need to hone in and need to do something. That sounds fantastic. Great. I love the name Spyderbat, superduper. Well, thanks for sharing that. Anybody out there, go check out Spyderbat. But again, I wanted to focus on a few things here. Because when I started at Forrester, I had a colleague, and I know you're on LinkedIn with him, John Kindervag. I know you know John, so John is a dear friend of mine. He told me once, "Eveline, you know, you have to remember in security, it's not really to technology, it's to humans. It's the people who make the change." And challenges always have a head and into shoulders, right? And I never had the chance to do research with him. But I was always intrigued. And I did some research before this podcast. And there's a couple of challenges and a few shifts happening. This is from Gartner, I want to make sure I shout out to two colleagues at Gartner. And I want to highlight them quickly. So first of all, this role of the CISO, the chief information security officer, is reshaping. So Gartner is saying it's reshaping from preventing breaches to facilitating risk management. So that's a very different role. The second shift is from "cyber risk is a security problem" to "cyber risk is a business problem." And I think we've seen that; there's multiple headlines out there which led to the demise of those.
And then third, from security being a roadblock to speed to security actually being an enabler of agile and secure products. And that's the one for me in the DevOps folks, which is, that's a great statement of shifts. So now, a question for you, Brian, if you think about the three shifts, and think about the clients and your connections and your networks, and the folks you talk to and your experience of 20 years, and I don't believe that 20 years, I think you'll have more than that, but we'll leave it at that. Where are we there? Are we somewhere in these three things? Are we somewhere at the beginning? If we think of a hype cycle, right, are we somewhere at the beginning of those things? Are we somewhere in the middle? Or have we already matured on to organizations making these shifts from that to that? What are your thoughts on that?
Brian Smith 10:56
Well, I think there's a lot to unpack there. But from the risk standpoint, I think that the CISOs have been taking that attitude for a fair amount of time. So I think most companies are fairly mature. And I think part of that is just an acknowledgement of having a very pragmatic approach to it. The sort of notion that you can prevent all breaches through, you know, some magic bullet security product or some magic bullet process is just kind of fantasyland. Honestly, the best way I heard it described is imagine a castle, like a medieval castle. And so it's out on a plain, and there are, you know, hundreds of windows and hundreds of doors. And you're the defender of that; you have all these different ways that an attacker can come in, and you have to defend every single possible entry point. And it's just kind of this impossible task. So the pragmatic approach is to certainly shore things up, you don't want to leave just everything unlocked. But then also have, you know, sort of patrols and guards and humans in there that are watching the fortress and saying, that's a little weird, and being able to investigate. And so the risk management is focusing on those areas that give you the most bang for your buck on those things. Whereas if a breach happened here, it doesn't really matter; if a breach happens here, that's really, really bad. And so the risk is, you know, assessing that situation. It's, depending on the organization, fairly mature. The agility part is a really interesting part to me. Because traditionally, security operations, you know, security was a bit of a roadblock. And part of that was the developers bring in security at the last minute, and then they're the guys that say, hey, wait, we need to make this secure. And it feels like it slows things down.
And by involving them earlier in the cycle, which is a lot of the shift-left stuff, the opportunities that we've seen, you end up being able, for them, to become enablers of having things go faster, but we still have to be secure as we deploy these things. And part of the reason for that is just that if you're not secure, if your application gets popped, you're gonna have a really bad week, or a really bad month, while you try to, you know, clean up and assess the damage and stuff as a developer or development manager, DevOps. So it's in all our interest to prevent that from happening, also from the business standpoint, and I think the business side is just the recognition of all the damage that these things do to the business. And so it's gotten board-level attention at this point. So it's not just the security group as this isolated silo, but it's much more on the business side.
Are you looking to get DevOps certified? Demonstrate your DevOps knowledge and advance your career with a certification from DevOps Institute. Get certified in DevOps Leader, SRE or DevSecOps, just to name a few. Learn anywhere, anytime. The choice is yours. Choose to get certified through our vast partner network, self-study programs, or our new SKILup eLearning videos. The exams are developed in collaboration with industry thought leaders and subject matter experts in the DevOps space. Learn more at DevOpsInstitute.com/certifications.
Eveline Oehrlich 14:37
So I've heard conversations, or I've overheard, and I've heard at RSA or other places. Now, of course, most of them might join virtually; hopefully soon I can go again, we can all travel again. I've noticed that I've actually seen more business people at those conventions and joining. Many times I always wondered, so why is business not wondering and asking IT more questions relative to those types of things? What's your thinking on why business doesn't seem to chime in until things have happened? And then they are all worried, but they haven't in the past kind of worried about it. They're just like, oh, you guys, techies, you guys got it?
Brian Smith 15:24
Well, I think there's a couple different things going on. One is, you know, part of the shift towards pragmatism is this realization that it's really hard to make yourself completely bulletproof for one of these things. If someone really wants to go after you, like a nation state, it's very difficult to defend against that in practice and to prevent the breach. But if you can have a rapid response to it, then that involves people and processes and technology. So you have to do a little bit of rehearsal. But that means it's not just a security-only kind of thing, the guys in the security group; it really has to be kind of everyone's business. And the other is that a lot of the breaches come in through exploiting people, honestly, social engineering attacks and things like that, which is why companies' focus on training the people is a good way, one of the many good ways, to prevent breaches. But what I've seen is that this traditional security group has been focused on securing sort of laptops and mobile devices, and IT systems and things like that. And then as we've moved into DevOps and a more cloud native world, those are often, especially in Kubernetes, Linux systems. And they're a little outside of the expertise. So I've seen this bifurcation of the security responsibility falling on DevOps, DevSecOps and SRE, and this other group on the side, the CISO side, in the traditional SecOps group, sort of managing the people and processes over here. And bridging those two gaps together, I think, is a business thing, because otherwise the two sides sort of can fight each other. And in a lot of companies, I see the CISOs say, we're doing all this, but there's this DevOps group over here, and I'm not quite sure what they're doing, and they don't fully understand it.
And so bridging that gap, I think, is sort of where a lot of companies are fairly immature.
Eveline Oehrlich 17:39
Yeah, I would agree. I would agree with seeing that in our research. And you'll be delighted to hear, in our latest Upskilling IT 2022 report, which is out on our website, security and cybersecurity was the number one technical skill, even above cloud, you know, cloud computing skills and things like that. So I think that's fantastic. So if people are out there thinking about new careers, whatever changes you want to make, security, cybersecurity is one of those. I wish I would have followed John way back into this field. And I tried to get my kids into it. Unfortunately, one is an architect, the other one is a psychologist. So they never really got interested in it either.
Brian Smith 18:27
Now, one thing I heard along those lines is, my data was from a couple of years ago, but at that time there were something like half a million open jobs in cybersecurity, and it was forecast to grow by 2025 to over a million open positions. And some of that is because, at least at the time, and still is, the job is so manual. And so one of the ways we have to look at it is automating it, but not automating it away, but automating it as in making the computer, these automated systems, partners with humans, that are force multipliers for the humans.
Eveline Oehrlich 19:09
That gets me to my next question, actually, because there are behaviors and culture, right, which play into all of that. You know, if I think of my family in terms of their laptops and their devices, I probably could break in easily to most of them because the passwords are, I can get them. But there's more than just the client side; there's other challenges. So around humans and cultural changes, what have you seen, and what can you suggest to our listeners? What should they do? What should they look out for? What advice can you give folks on how to respond and how to work within this challenge of helping out in and around organizations, both in IT and business?
Brian Smith 19:59
Yes. So, you know, I think part of this is what I was saying before, that traditionally this was viewed as a SecOps problem. And so we could kind of compartmentalize it and say that's their problem, I'm just going to focus on what happened. And I think there's this growing recognition, and this is a good thing, that it is a business problem, and so everyone has a bit of a role to play, because you don't want your laptop to be the entry point for a giant breach of some sort. So some of this is just, you know, if you're a leader, make sure you start training, have company-wide training on this. Because every individual should know what the signs are of someone trying to break in or trying to fool you. Social engineering is a big attack. But the other, from the human standpoint, from the frontline workers, people in non-technical positions, and for people in technical positions, is starting to build those bridges to SecOps and not treating them as the enemy, but kind of inviting them in to try to work together. And I think a lot of the problem there is that we almost talk in different worlds. So finding ways that we can communicate with each other, so that the developers, for example, that are developing an application can pass along artifacts to SecOps to say, this is the way I expect my application to behave. If it's not behaving that way, contact me, because I want to know. Because, you know, we're all DevOps, we're all responsible for keeping our piece up and running, and we know our piece better than anything else in the world. So I see that kind of role of DevOps, if they can establish those communications of this is what my piece is supposed to be doing, that would be awesome. And we're kind of working on developing those artifacts that help automate those processes.
But then, in the other parts of the roles, there are typically SREs or more kind of DevSecOps, which are responsible for the full platform security, as opposed to individual component security. And so I think all of those have kind of roles to play within this. But it's treating it not as the SecOps problem, but SecOps being more of a coordinator of how we deal with responses and sort of best practices for longest, and then facilitating communication and treating them as a partner.
Eveline Oehrlich 22:47
I love that, when you said coordinator. I would actually sometimes think that word means different things. Maybe it's more of an orchestrator. But I think that's the same idea, right? It's orchestration, going out and bringing those folks together, because many of those folks have their own roles, and they have their own projects and things to do on a daily list, the daily tasks. Whenever necessary, I'm responsible for whatever on call, plus I'm supposed to be also doing some development. But really highlighting that and orchestrating what we have done now, that makes me think of this, and this is not something I have done any research on, but metrics. Sometimes it seems like we don't measure the right things. We don't incent people to be reaching out and orchestrating, right. Have you seen any specific examples of organizations who say, well, we're going to go and do something completely different, we're going to incent everybody on doing one security thing a week, or having little jam sessions, or whatever those things are called, anything creative you've seen on humans getting together and saying we need to change something?
Brian Smith 24:03
You know, the one thing I think about is there's this book called Thinking, Fast and Slow. Oh, yes. And it's about, you know, there's parts of our brain where we really engage our brain and our rational thought, and that's the thinking slow part. And then there's the, I don't know, scrolling your social media feed. And that's the thinking fast part, right? Where you're doing what I think they call information scavenging, where you're scrolling through and just looking around, and that tends to be based on our biology. It's the information equivalent of our biological version of scavenging for food, just looking around and trying to find pattern matches, saying, oh, this looks interesting, go get it, or this is a threat. And what I think, one of the most interesting things is trying to teach people about that and use it to train the people not to kind of just click on things mindlessly, but actually to see the warning signs, train them in that information scavenging to see the warning signs and say, well, that looks like a threat, and turn on the slow, and think before they click on that thing or do that. I haven't seen too much in the way of, you know, kind of what I think about as metrics, sort of dials on gauges. Yeah, thanks.
Eveline Oehrlich 25:39
I think there's still some work to do in this notion of the safety culture, and shaping that safety culture. As you said, just quickly summarizing: first, really not just SecOps, but really the DevOps and the other side of security, to bridge across to the SecOps folks who do the normal things; and then for business to ensure that they are aware of what's happening, right. So if we do design thinking, for example, in that stage, if we do development of products and projects, that we have that awareness. And then for us as individuals, no matter if we're in IT or business or whatever, then we have a safety culture and start helping ourselves and training each other and helping each other out. So, fantastic. Any other thoughts you want to share with us?
Brian Smith 26:30
Yeah, the one other thought is just, you know, in general, security tends to have these trends. And one of the more recent trends in the shift-left culture was we would try to get everything to be invulnerable before we actually shipped. And I've seen sometimes that sort of great being the enemy of the good, in the sense of, well, once I do that, I don't have to monitor anything. It's sort of like I've built perfect locks on my house, so I don't need an alarm system. And I think that's not a pragmatic approach. So I think as we go through this evolution towards, you know, sort of understanding security, just try to be pragmatic about it, and the focusing on risk is a good part of that. And the focusing on what is actually happening, as opposed to what theoretically could happen, is a good general trend. And just don't let the perfection over here be the enemy of the good.
Eveline Oehrlich 26:50
That is great advice. I remember Diego and myself at Forrester talking about shift left many, many years ago. I think we took too much of a theoretical approach at the time. So what you just said, really thinking about that in a pragmatic way, is great advice to our listeners. Appreciate it. I have one more question; it has nothing to do with security. And don't tell me you're doing security things on the weekend. But what do you do for fun, Brian?
Brian Smith 28:10
Oh, recently I've gotten into tennis. See, I have two boys. They're 18 and 21 now, but my younger son had gotten really into tennis from about the age of nine. And I started playing with him. And then he rapidly advanced and I couldn't play with him anymore. So the last three years I've been playing tennis pretty aggressively to try to get up the points just so I can play with my boy.
Eveline Oehrlich 28:38
That sounds great. Well, maybe there's a natural, Roger Federer just retired. So maybe there's a Roger Federer out there in one of your sons, who knows, you never know. Well, Brian, this has been wonderful. We learned a lot. This was great meeting you, great chatting with you. And thanks for your time; I'm always interested in a few points from the other groups such as security. If folks want to learn more about your Spyderbat company, I guess it's easy to find, but anything else you want to point out to, any white papers, any other things?
Brian Smith 29:16
No, I guess the one thing I'd tout in Spyderbat is that it's got a free mode. So one of the things that's always annoyed me about companies is where you have to talk to a sales guy and sign away things. I want people just to try it, experience it. And then if it turns out to be useful for you, let's talk, but just getting feedback is always good.
Eveline Oehrlich 29:40
Excellent, and as an analyst I approve that, because that's exactly what we recommend to our vendors. Super. Thank you, Brian, this was wonderful. Enjoy your upcoming day for me. I will enjoy the rest of my day as well, and everybody else here listening in to this: this is Eveline Oehrlich, Chief Research Officer, DevOps Institute, with Brian Smith from Spyderbat. Thank you, Brian. Have a great day, everybody out there. Thank you.
Thanks for listening to this episode of the Humans of DevOps Podcast. Don’t forget to join our global community to get access to even more great resources like this. Until next time, remember, you are part of something bigger than yourself. You belong.