Bitglass Podcasts

Bitcast Cyber Security Series is an interactive audio-only podcast series that goes “in-depth” into important enterprise security technology and business issues that matter to today’s IT and security leaders.

Bitglass + Exabeam: Why IT Needs Smarter Cloud Security

By Bitglass | September 28, 2020 at 10:25 AM

Bitcast Cyber Security Series is an interactive podcast series that goes in-depth into important IT security issues that matter to today’s business and technology leaders. 

In this episode we delve into the area of modern security management, and how security management must evolve to meet the needs of the rapidly changing workplace. We interview Vicky Ngo-Lam, Product Marketing Manager at Exabeam – an industry Leader in Security Information and Event Management (SIEM) systems, and Ben Rice, Vice-President of Business Development at Bitglass. We also cover the partnership and integration between Bitglass’ CASB technology and Exabeam’s next generation SIEM.

About this episode:

Bitcast Cyber Security Series | Episode 2

Duration: 31 min

Host:  Jonathan Andresen

Guests:  Benjamin Rice, Bitglass & Vicky Ngo-Lam, Exabeam

Audio Transcription

Jonathan Andresen:

Hello, and welcome to another session of Bitcast Cybersecurity Series, an interactive session that goes in depth into important security issues that matter to today's IT and security professionals. My name is Jonathan Andresen. I'm senior director of marketing and products at Bitglass. I'll be your host today. And I'm joined today by Vicky Ngo-Lam, product marketing manager at Exabeam, an industry leader in security information and event management systems, otherwise known as SIEM. And we're also joined by Ben Rice, our VP of business development here at Bitglass.

Jonathan Andresen:

Today's session will cover the issue of why IT needs smarter security and we'll delve into the area of modern security management and how security management needs a change to take into account the new world of cloud services, BYOD and remote access. We'll also cover the partnership between Bitglass and Exabeam and their next generation SIEM product. So with that being said, welcome to you both. Thanks for joining the show. But before we begin, let's take a few seconds. Hey, how are you guys doing? How are you guys doing during the lockdown in California? I mean, between the COVID topic and the wildfires, it must be a very different reality. How's things for you, Vicky?

Vicky Ngo-Lam:

Just trying to stay sane here, between cooking inside, doing some other hobbies and trying to stay healthy.

Jonathan Andresen:

Excellent. Sounds like most of us. How about you, Ben? How's things over there?

Ben Rice:

Definitely interesting doing homeschooling and adding air filters in the house because we got to stay inside and keeping young kids from jumping off the roof because they can't go outside, but that's a good entree into near anything we're in the background, where that's what's going on. We're really stoked this week. The air is clear and we've been able to go outside. And so that's kind of making life normal again.

Jonathan Andresen:

Excellent. It's about time. Well, let's get started for everyone. Let's talk about modern security management. I mean, SIEM has been with us for a few years and plays an important role in bridging the gap between security infrastructure products for the enterprise. So let's start with you Vicky, for those who don't know what SIEM is, maybe you could explain what SIEM is and how it's important or integral to the enterprise security architecture of today.

Vicky Ngo-Lam:

Absolutely. So to talk a little bit about the history of SIEM and how it's evolved. Log collection or log management platforms were the original basis for SIEM, traditionally focused on compliance and audit use cases. Think like PCI or SOX compliance. And historically people have just needed to collect logs from a variety of data sources and be able to point to a log or a trail of events to say, "Yes, we're tracking that." What has been really interesting in recent years though, call it maybe the last five or so, is SIEM has really evolved to be an integral part of the security stack for threat detection. And so that's part of where Exabeam kind of entered the market and really tried to focus on how can SIEM help enable threat detection by way of analytics.

Jonathan Andresen:

Interesting. And we often hear the term UEBA, User and Entity Behavior Analytics associated with SIEM. Can you explain how Exabeam uses UEBA and how it works and maybe how it's different from others in the market?

Vicky Ngo-Lam:

Sure. So UEBA or User and Event Behavior Analytics is really the core of what our platform, our SIEM is all about. We started with an analytics product and kind of bridged out into these other areas of log collection as well as response. But UEBA is really important for threat detection because it's a new way of thinking about how to find attackers. It uses machine learning and first identifies normal activity for any particular user. That's where that user or entity comes in in the acronym. And it says, what is this person normally doing throughout their day?

Vicky Ngo-Lam:

Say Vicky logs on at 9:00 AM Pacific time out of somewhere in the Bay Area, she opens a few SaaS applications and she goes on about her day. But where UEBA comes in is if an attacker comes in and tries to mask themselves as me, say my passwords are compromised, or what have you, I click on a phishing email, traditional security tools have a lot of trouble identifying that that is someone else and not really Vicky, especially when traditional security tools are focused more on indicators of compromise or IOCs. So UEBA really identifies that activity of a compromised user as abnormal behavior and will go ahead and flag that. So that means no matter my role or department or what have you, we're not really focused on static rules or using signatures to detect threats, but we're really complementing that with a whole set of analytics that will detect anything out of the ordinary.

Jonathan Andresen:

One question I always have about SIEM is just the volume, the sheer volume of activity that it has to cover and look at. I guess, volume plays a big part of this equation for SIEM, right, in today's world?

Vicky Ngo-Lam:

Absolutely. And I think that's one of the challenges for folks considering, either in a situation where they don't have a SIEM already, understanding what do I absolutely need to bring in? It's often this kind of guessing game or a cherry-picking of what sources might bring the most value, but really at Exabeam we actually try to help educate our customers and say, with more visibility across your security stack, i.e. inputting more data sources, you'll have better visibility for a more comprehensive threat detection. But that being said, you need a technology that can kind of work with large volumes of data sets.

Jonathan Andresen:

That's where the machine learning comes in. And I guess it's much faster. So, but for the last question around that kind of fits in with how does SIEM fit with the rest of your security architecture? So your network security architecture, your cloud security architecture, how does it work and how does it work given the fact that things are moving to cloud services or more data is outside the enterprise?

Vicky Ngo-Lam:

So we like to think of SIEM as a central repository for all your data sources across multiple environments, whether that means you have SaaS applications in the cloud, maybe you have some agents on prem, but it's really the one place that you go to ingest all those different log sources. So when we're talking to folks in the market who are thinking about moving into the cloud and ensuring that they still have visibility into what folks are up to or new attack vectors, we recommend having SIEM as a way to get that visibility.

Jonathan Andresen:

And I assume it ties then into the CASB world, Cloud Access Security Brokers in terms of visibility for cloud services, correct?

Vicky Ngo-Lam:

Absolutely. So kind of tying this back to UEBA. What Exabeam can do is ingest data from a CASB service like Bitglass and understand what is a normal application for Vicky to be using on any given day, or Jonathan, or using Chrome right now, or a different webcasting service, and say like, okay, this is fine. This is normal. But when a threat actor comes in, we'll use that CASB data to say, oh, it looks like they're accessing an application that they have never looked at before, maybe from a different geolocation or a different time of day, maybe from a different VPN, and go ahead and flag an alert to go ahead and investigate.

Jonathan Andresen:

Interesting. So that was going to be, my next question was how SIEM and CASB worked together. I guess you kind of answered that, right, when it comes to cloud services?

Vicky Ngo-Lam:

Yeah. I think SIEM and CASB make for a pretty compelling combination because of the adoption of SaaS applications today.

Jonathan Andresen:

Interesting. And so Ben coming from the world of cloud security, how do you look at the integration between SIEM and CASB? How do you think of it?

Ben Rice:

Well, it's really enriching for our customers in a number of ways. The first one is that while we are experts at web security and cloud security in general, and we have a heritage in the cloud access security broker world, the fact is that we are only looking at the information that goes through our service, which is typically either web traffic or traffic to a SaaS application, a user going from their device to that application. So we're unique in that our different deployment models allow us to get insight into what a user does in a SaaS application after they authenticate, which is kind of unique in the market. A lot of our competitors are able to gather data after the fact, if the application has an API, but in fact, being able to do it in real time has been really meaningful. But getting back to your question, we're acknowledging that's just a slice of what's interesting and important for a customer to look at with regard to an individual user and in general to their enterprise security posture. And so we encourage our customers to look at more data besides what we provide. The second aspect of this is, the reality in the world is a lot of our customers use SIEMs to look at their Bitglass data and they may not spend as much time looking at the analytic tools that Bitglass provides, particularly in a larger enterprise or a company that has SOC analysts that are able to look at the SIEM data, to look at Exabeam's output, and then make decisions based on that. Sometimes in smaller customers, they don't have the ability to afford either [inaudible 00:11:03] or the ability to have dedicated analysts. And so we love for our customers to use SIEM. That's why we have partnerships with companies like Exabeam.

Jonathan Andresen:

Seems like the word visibility comes up a lot in terms of like understanding where your data is, where it is across your security stack, what your users are doing, especially when it comes to cloud services where the data is outside your data boundary and in someone else's data center. So Ben, particularly about the partnership between Bitglass and Exabeam, can you share a little bit about how it came about and any interesting stories about how the partnership works and how it matters to both companies?

Ben Rice:

Sure. So I have a lot of experience in the past working with SIEM vendors and usually there's a customer request. I have vendor X as my SIEM and I just bought my new thingymajiggy for security. And I'd like to make sure that that data gets consumed, and I go to my SIEM vendor and they say, oh, we don't support that data source yet. So usually there's a process of creating something like a custom connector between the two things and it takes some time. And let me fast forward, we had a customer of ours ask us about being able to display Bitglass data in Exabeam. And so having worked with Exabeam at previous companies, I knew the right people to talk to at Exabeam. We met at RSA and I'm happy to say within about 30 days, a connector was built for us by Exabeam. And we have a connector-supported integration and there are documents that you can find to show you how to configure that. So long story short, the customer requested it, the two companies got it done. And now all of our joint customers benefit. And we do have some partnership activities we work on to bring new prospects into the installed bases of both companies.

Jonathan Andresen:

Yeah. Interesting. You'd think that in today's world, integration between multiple security products, especially when it comes to security and cloud visibility, integration is really a key from a customer perspective when they want to put these technologies together and make sure they get the benefits of both. So, how does the actual, from a technology standpoint, how do the technologies actually integrate and work together? Maybe Ben, you can start off if you don't mind.

Ben Rice:

Yeah. So we take this custom built software that Exabeam made that allows Exabeam to both ingest and understand how Bitglass formats its data. If you can imagine, if you looked at a Bitglass log, this would tell you what a specific user did. They authenticated to Office 365, they next downloaded this document called Secret Files. They next uploaded a document called Secret Files Changed. Then they clicked on something else. And so that comes into a sort of human readable form. If you imagine a spreadsheet and you could have columns and it would show what time of day this happened, what IP address this happened from, what the URL of the link that was clicked on was, what the true file name is and a number of things like that. But you could imagine if you only had one user, even after one day, it would be a lot of information. And so Bitglass can log all this activity, but then to make it really useful and to allow it to correlate with other information, there's a way for this output to just automatically get ingested into Exabeam's data sources, and then it can be displayed in Exabeam. And so that connector is the way that the information flows from the Bitglass cloud to Exabeam.

Vicky Ngo-Lam:

And then just to add on to that. So if we ingest that cloud activity data from something like Bitglass, we'll go ahead and correlate that across multiple data sources. So think about a security stack that looks at firewall activity, maybe something from your IAM, identity and access solution, maybe some endpoint activity, and we'll apply analytics to all of that and put it together in what we call an incident timeline. So every user for every session, whether they have risky activity or not, is captured in a session data model that we call our smart timelines. And there, once you see maybe like risky activity that's bubbled up for a particular user, we'll go ahead and investigate in the timeline and say, what was the story here between their cloud activity, between their access, between other security solutions, and say like, is this a threat or not? And if so, do we need to take remedial actions? So that's where the SOAR part of our platform comes back in. And we can write actions back to something like Bitglass or other security products that might block access to a SaaS application or prompt for re-authentication in one of your identity solutions, just to make sure that you're kind of containing the incident.

Jonathan Andresen:

And those policies can be obviously segmented by different groups and different requirements. But also, I guess there's some intelligence there too, to make sure that some of it's automated from a management standpoint, Vicky?

Vicky Ngo-Lam:

Yeah, that's right. So we can set triggers to say if this then that, and what we'll call our sort of power playbook will automatically run, but we really encourage folks to blend both human judgment and that automation. So that way analysts are focusing on the areas they really need to be focused on. In other words, with the timeline that I mentioned, we've seen in the market analysts will spend hours, if not days, running queries for their investigation to figure out what really happened, when we feel that the more important decision making happens not with the searching, but with finding the answers to, is this an incident or not, and what do we need to do next.

Jonathan Andresen:

And doing it quickly. Interesting. My final question has to do with just the solution itself. So for Ben, how easy is the joint solution to install and manage if customers have both technologies, what's really required?

Ben Rice:

Not much. And anyone who has Exabeam and is familiar with setting up a new connector would probably be able to do this in a very short period of time. I don't want to say it's minutes, but it's probably not more than hours. There are just a few components. The setup instructions only take up a couple of pages, and it's really the process of getting that connector up and running on the Exabeam side. And then doing some things on Bitglass to point the data to that connector.

Jonathan Andresen:

Interesting.

Ben Rice:

So really easy to use, I would say.

Jonathan Andresen:

Yeah, I think in this cloud world, things get a little easier and faster, easier from a management standpoint. So maybe we could switch gears for the next few minutes and just talk about broader topics and going back to our title here of why IT needs smarter cloud security and talk about management. I'm interested in both of your perspectives on the future here, given where we are right now and going into a fourth quarter for a lot of companies, and 2021 is around the corner. Given where we are right now and companies and our customers starting to plan for next year, what advice would you give them when they're looking to plan IT for next year, in terms of like security management? Maybe Ben, we start with you.

Ben Rice:

Well, there's a really big trend that's been in place for a long time that has a significant impact on what I'm about to say, which is the level of threats has increased, but the number of individuals working at companies as security analysts has not. And so the gap in the number of humans that are available to do this work is already short three or four million people worldwide. And in spite of efforts to train more individuals, in spite of efforts to market and make more attractive the role of a security operations center analyst, nobody in the world has figured out how to get more people to be security folks. And so the trend that I think the future involves, it's already here, but it hasn't fully become a mature technology in everyone's organization, is taking all of these security technologies and automating not just the collection of the data, but perhaps even enforcement actions. And I agree with Vicky and with the Exabeam notion of keeping the human in the loop. But the idea being, the humans that were so precious that we were able to recruit into these IT security roles should be doing the highest level work. They should be looking at the information that is, we're not sure, is this bad, is this not? What do the trends say? Are our adversaries changing their attack patterns? And then the things that are really simple, like somebody clicked on a phishing email, okay, well, we should automatically stop anybody else in the company from getting that email. And we should also tell Bitglass that if anyone clicks on that link, to not let them go to that URL and just to block it. So if all that could be done automatically, because we know every day we're going to get phishing emails into our organization. So if we can quickly detect those and then tell our enforcement ends and our visibility ends about the problem, we can keep the humans focused on new threats and we can automate the protection against known threats, or sort of threats that we recognize pretty easily.

Jonathan Andresen:

Interesting. And I assume that a lot of that starts with just combining the automation with the visibility and just making your IT a little more efficient, making it smarter, basically. Vicky, what's your perspective on the future and your advice for companies?

Vicky Ngo-Lam:

To add on to that, I think when we're talking about how can we have humans using their highest levels of judgment or using them for the most important problems? One thing that we're seeing in the market is folks increasingly adopting frameworks like MITRE ATT&CK. It's been around for a few years now, but really the shift from looking at techniques, tactics, and protocols or TTPs for attackers as they become more advanced, as opposed to just chasing IOCs. And again, that really requires quite a bit of, I think, judgment and expertise from the analysts that we have. And one important point that we like to bring up is that also means training your junior analysts. Sometimes we've seen in the market an L1 or tier-one analyst might be doing quite tedious activities like copying and pasting URLs into a threat intelligence service and checking if it's malicious, or reviewing notifications in the phishing inbox day in and day out. And that really leads to a lot of burnout and churn. And what we're hoping is to empower analysts to really up-level their career, to get into that higher order decision making so they can grow the community over time.

Jonathan Andresen:

Interesting. And the job is getting just more complex day by day. You've got people in more places, people working from home, all sorts of new technologies, more and more cloud apps, all that coming together. So the final question here for our podcast today is looking to the future with the issue of remote working. I think it's top of mind for so many people. Gartner's come out and said that 74% of companies don't want their employees to return to the office. So likely, we're going to be stuck with a lot more remote working than in the past. From a security standpoint, when you've got more data in more places, accessed by more users, and it gets more complicated, given the future of remote work, what are the trends that companies should be paying attention to, planning for 2021? On that point, Vicky, I guess besides the human element, what do you see as some major areas that they should focus on next year?

Vicky Ngo-Lam:

Sure. So when we think about the distributed or remote workforce, I think what folks are increasingly realizing and that your statistic kind of hit on, is that regardless if we're in a, sorry, I'm going to go ahead and redo that with my Outlook - apologies.

Jonathan Andresen:

It's okay.

Vicky Ngo-Lam:

So in talking about the future, planning for 2021 and the concept of distributed or remote workforces, I think what we've come to realize, and this statistic nails it on the head, is that this is something that's here to stay, whether we're in a pandemic or not. And so leadership, not just security leadership, needs to consider their long term strategy for talent management. And what that means for the security folks is how do you have a future-proof technology where you have a much more fluid and flexible workforce. And that means that while it's important to implement pretty robust policies and controls, it's also imperative to adopt technology that's able to adapt quickly and self-learn. So that way, for instance, at my company, we recently implemented a policy where employees can work from many different states now across the US. So when we run Exabeam at our own company, it needs to be able to adapt to say, Vicky is now working out of Chicago for the next six months, without having to manually update something in a context table or Active Directory, but really learning that from the behavior.

Jonathan Andresen:

Interesting.

Ben Rice:

Is that true, are you still working in Chicago?

Vicky Ngo-Lam:

I'm going for the holidays, I think for Thanksgiving and Christmas. So I'll be there for, I think a few weeks, like six weeks.

Jonathan Andresen:

And so isn't it great that your company's IT infrastructure can detect that change without being told and then not lock you out?

Vicky Ngo-Lam:

Absolutely. That's absolutely right. That's one of the main use cases we have is saying like, hey, you might want to look at this, but know that this is kind of the new normal for this employee.

Ben Rice:

Yeah. So I'll maybe jump in on that question too. Because it's made a big change at Bitglass because we've gone fully remote. We're kind of an atypical Silicon Valley company where we had most of our workers, other than Jonathan up there in Canada, most of our workers were located in Campbell, California in Silicon Valley. And so we really collaborated a lot in person, in small kitchens and a really very close group, but within a matter of weeks, we switched to this method where everybody's working at home and we're using Zoom. And so what's been really good for us as a company in spite of this challenge has been, we are facing the same challenge all of our customers are, which is especially for an IT and a security group, the sense of loss of control is great, which is, not only are people not necessarily physically within the office and physically on our network anymore, or physically behind the firewall here on premise, they actually, in addition to using the SaaS applications they need to do their work, are sometimes now using personal devices to access things just out of necessity, especially new employees who are hired over Zoom. They may not get a laptop in the mail on the first day. And so what are they going to do to check email, to get going? They're going to use something at home. And so we've seen some very scary and dramatically bad things happen for people who are not paying attention to how they're managing their SaaS applications and how they're managing web access. So the first part on the web side, if you're not doing some kind of web security, like a secure web gateway, it's very likely that your endpoints not only will be attacked, but they'll be compromised. The notion that everybody's now working at home is as if, to a hacker, it looks like we took off all our armor and we made ourselves vulnerable.
And so the level of attacks on individuals working at home has gone up hugely over the last six months, which we've seen. And the second aspect of this is really useful functions that you might want to have on a managed computer, like sync, let's say, where you were able to sync files in the cloud with files on your laptop, in your OneDrive, let's say. This is a disaster if there's not a policy in place to prevent that from happening with unmanaged devices. And so we've actually seen across a number of our customers where we've had to go in through customer success and make recommendations on changing things. And we've had one customer of ours that wasn't able to implement our recommendation as quickly as we would've liked. And we saw literally thousands and thousands of personal devices syncing corporate data. And so, for the next year, it's going to be really important to accept the reality of remote work from a company perspective, because I think many workers have enjoyed the benefit of it, the ability to balance home tasks and work tasks, and to have a little bit more of a balance, although I'd say many of us probably would like to go a little bit back on the balance and get a little bit into work. But the point is, from a cultural and feel-good sense, this is something that's here to stay. And so the security departments and IT departments have to adopt security tools to allow their companies to more readily meet the challenge of supporting remote work with SaaS applications while maintaining the same kind of security they had when they were living in an on-premise world. And Bitglass and Exabeam are both companies that have already tuned their products and services to meet this challenge. And that's one of the reasons both of them are doing so well. It's one of the reasons we're super excited about this partnership and this combination, and thanks for letting us talk about it.

Jonathan Andresen:

Excellent. Well, with that being said, let's leave it at that. Well said, Ben, and definitely security is becoming an enabler for remote work and these technologies sort of support that whole direction. Thanks to both of you for joining today. And thanks everyone for joining this session of Bitcast. If you'd like to learn more about Bitglass or Exabeam, you can go to our websites, talk to our local sales representative and we'll be happy to help you. Thanks everyone for listening and see you next time on another session of Bitcast. Thank you.
