• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.

    Comments:0

    Add comment
Garrett O'Hara

How to get the most from analyst firms - With Joseph Blankenship, VP & Research Director at Forrester

Content

Our guest on the show this week is Joseph Blankenship, Vice President and Research Director at Forrester. Joseph helps clients develop security strategies and make informed decisions to protect against cyberattacks. His research focuses on security monitoring, threat detection, insider threat, phishing prevention, operations, and management.

Show host Gar O’Hara and Joseph discuss analyst firms and how to get the most from them, insider threats and how zero trust thinking aligns with email security, and Joseph takes out his crystal ball to make some predictions on what the future holds for cybersecurity and what he’s most excited about.

Content

The Get Cyber Resilient Show Episode #60 Transcript

Garrett O'Hara: welcome to the Get Cyber Resilient podcast I'm Gar O'Hara. And today I'm joined by Joseph Blankenship, vice president research, director security and risk with Forrester Joseph supports, security and risk professionals. Helping clients develop security strategies and make informed decisions to protect against cyber attacks.

As a research director for security and risk, he leads the analyst team researching security. leadership, The role of the CSO infrastructure and operations detection and response and Forrester's zero trust model, his research focuses on insider threat prevention, email security, security, operations, and security managements. In the conversation we covered the role of analyst firms and how to get the most value from them. Joseph's perspective on what's changed during his time. Insider threats, ransomware zero trust, and also has zero trust thinking aligns with email. Third-party risk management and we get the crystal ball head for his view of the future.

And what he's excited about as always there's lots here. So over to the episode, welcome to the get Cyber resilient podcast I'm Gar O'Hara, And today we're joined by Joseph Blankenship, vice president research, director security and risk at Forrester. How are you going today, Joseph?

Joseph Blankenship: Doing well so far. Thank you for having me on.

Garrett O'Hara: Yes. it's great to have you on you're coming in uh, to us from Atlanta. right?

Joseph Blankenship: Yep. From stormy Atlanta, Georgia in the US.

Garrett O'Hara: Good. good, good times. I hear there's a football team. There's rumors that like people are passionate about uh, American football over there. Is that true?

Joseph Blankenship: Well, well, in the Southeast United States we're, uh, particularly passionate about, um, actually about, uh, college football So a- actually college football team football.

Um, and if I decide out of the way slightly, you can see this small. Um, I don't know what I would even call this an Auburn university football and sign, maybe like a small shrine here, uh, dedicated in the office to Auburn university football

Garrett O'Hara: Sport as a religion.

Gotta love it. Gotta love it.

Joseph Blankenship: Absolutely.

Garrett O'Hara: Uh, so Joseph look, we, we always start the show with, uh, the guests kind of introducing themselves to the audience and just give me like a bit of a bio on how they got to where they are today. And obviously, you know, sitting as a vice president in Forrester, I'm guessing you've got a a pretty interesting journey to get there.

It'd be great to hear. Yeah. How you landed in in your position today.

Joseph Blankenship: Absolutely. Um, i- it was interesting because I got into cyber security about 16 years ago with a company here in, the, in the US internet security systems. Uh, and i- i- it was interesting for me because I initially took the job, not because I was some sort of a cybersecurity expert, but because uh, I thought the technology was really interesting.

I thought you know, cybersecurity was an interesting. um, Problem to solve, but, you know, really I was, I was a marketer at at heart, uh, and I took this job, you know, working with the, uh, the services team, uh, at internet security systems. And was there just to kind of a little while, and I realized, wow, these are some really smart people.

Um, you know, at that point we were doing some very, um, Very cutting edge you know, threat research publishing a lot of threat research. And so getting to work with some of those folks was really humbling. And, uh, at the same time, very educational Uh, and was able to take sort of the, the, the passion I had for what we were doing at internet security systems.

And take that to uh, to another role, What, uh, where I had the. Uh, I was very fortunate to work with a gentleman named John , Kindevarg. uh, and John was our chief architect at this little company called Vigilar where we both worked, uh, John went on to leave Vigilar and become a, uh, an analyst here at Forrester research and every now and then John and I would talk and he'd say, well, when are you going to come over to Forrester?

And I'm like, well, I'm not ready for that yet. I've got other things to go and, uh, and, and conquer. So I had a few more stops at a couple of other cybersecurity vendors. And then as we were, I was kind of wrapping up my, at my last you know, vendor where I was working and doing some, some fun things. I called John up and said, you know, Hey, I think, I think it's time.

I think I wanna talk about this Forrester thing. And so, uh, That's a very, grueling interview process. If you ever have an interview to be an industry analyst at any of the firm, that's actually a fairly grueling process. I think they're just trying to weed people out and see who will fall off. Um, fina- finally, you know, got here and uh, you know, really loved what we were doing And, and one of the things I warned Gar about Before I started do, to do this podcast is one of the things about analysts is we love to talk. Um, you know, some people will actually call us. Uh pontificators uh, so I think anybody who loves to talk is passionate about their subject matter and has the knowledge, uh, you know, they have the potential to make a, a decent analyst.

Garrett O'Hara: That's very cool. Uh, you know, very cool. We get to work with Forrester a little bit uh, here in Australia and, uh, yeah, it's been a you know, really good experience actually. And you, so you've been there for five and a half years, right?

Joseph Blankenship: right.

Garrett O'Hara: And working in that security and risk area as the, the VP research director for security and risk.

What's your remit or your responsibility. there?

Joseph Blankenship: Really my responsibility theoretically, is to, uh, kind of shepherd the, uh, the, the research along. So I've got a team of analysts, uh, that, uh, yeah, I always feel, It always feels weird for me to say that I got this, I manage this team, or I run this team. You know, you know, really m- my role is to help them get their jobs done, help them get all the great ideas.

Uh, and wisdom that they've got uh, trapped inside of them, you know, out into research where our clients can access it. Right? So the analysts on our team include our zero trust researchers. So if you're following zero trust at all, um, it's the, uh, the analysts who are leading that research, uh, if the analysts that are covering you know, topics like Security leadership, you know, what are CSOs, you know, thinking about and worried about, and how do we educate CSOs? Uh, it's about threat detection and response, uh, you know, things like uh, extended detection and response, which is now a big topic. XDR, uh, as well as things like, uh, you know, email security, uh, anti-phishing ransomware.

So you know, really that's what, uh, what our, our team is focused on.

Garrett O'Hara: And, you know, you, you've kind of mentioned quite a few things that are sort of relatively new. as well as the idea of XDR and, you know, there's a big debate about that versus seam and the overlap, et cetera. And, and, and clearly the, you know, our industry has evolved and it's, I would say very complex and, and we operate in, uh, an ever changing very dynamic.

Uh, sort of space do you see that the role of analyst firms has changed over the years?

Joseph Blankenship: I think yes and no. Um, I can re recall, you know, when I, I had never even heard of an analyst firm, uh, you know, when I, I got into my sort of my career you know, some really long time ago, I'm not gonna threw out a number because they've actually would age me even more than this gray hair.

Um, does, Uh, I'd never even heard of what any of these things were. And When I got introduced to analysts, I was like, "Well, what an interesting job, you know, you get to uh, to pontificate and get to kind of, kind of, uh, evaluate. all these, uh, all these uh, products and so forth. So you know, essentially I don't know that the role has really changed.

And what, uh, you know, what the analyst firms do? I think one, maybe one, one aspect or at least more standpoint, uh, that we've realized is that we've got to get a little bit more practical. Um, you know, analyst firms have been well-known uh, for for a you know, long time for your kind of big strategy level, vision thinking and, and stuff like that, but they were never really It's sort of geared toward, you know, Hey, here's how to go approach a problem.

Here are the steps you should go take

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: "...to solve that problem and getting that out into research. And I think that's one of the things. Um, that has changed a little bit. We're not gonna ...not to say that we at first are going to veer away from doing the strategy and big vision thinking, but we're also you know, going to uh, you know, publish a little bit more of the, of the, how-to. uh, and you know, kind of the, you know, Mo a little bit more of the practical side.

That's not to say we're going to start doing technical guides and how tos and, and things like that. But, you know, really kind to trying to help our clients you know, solve problems in a real way. and Not just be uh, completely theoretical. about it.

Garrett O'Hara: Yeah, I get that uh, 100%. and, you know, we, so we, we talked about how complex the operating environments are today and that's across lots of different things, right?

Yes. Technology, And, you know, and we've, we've talked about some of those, you mentioned those at least risk management, legal, uh, it's, it's a really kind of, I would say kind of very complex uh, Environment for CSOs to operate in, in these days. And you've described, you know, The the Forrester side of things, but I wonder from your perspective, what's the best way for an organization to work with a company like Forrester and, you know, ultimately get the maximum benefits from the, the research, that practical knowledge that you just described.

Joseph Blankenship: Yeah, I I think one of the best things like an end user that comes to Forrester are CSO or I guess, security leader CIO, or, or what-have-you, the, one of the best things they can do with the analyst firm is treat treat the analyst firm and the analyst a, a bit like the extension of their team in some ways, you know, some of my Favorite inquiries are ones where I read the the question that comes through from our inquiry team.

I'm like, okay, well, that's, that's interesting. These folks have a phishing problem, let's let's say, um, or they're trying to figure out how to migrate their, their email security infrastructure from one thing to the next thing. And I'm like, "Oh, that's, that's interesting. I get on the call and there's a bunch of people there, and I can tell that the, the, the.

The leader is, you know, kinda just introduce this, and go, "Here, here's what, we're all here today, and I'm gonna let so and so run with the call and blah, blah, blah. And it quickly becomes clear that the question that was asked was not the question. What was really happening is there's a disagreement.

Inside the firm where one side wants to do a thing and the other side wants to do a different thing or does not want that thing to happen. And what they're looking for is the third party to come in and be the referee. You know,

Garrett O'Hara: Right.

Joseph Blankenship: hopefully no one gets a, gets a red card in, the, uh, in the interim.

Right. Uh, And for me, that that is the most satisfying part of the, uh, the analyst role is kind of, I I actually even sort of jokingly liken this a bit to it, to a, to a therapy session, right. You know, you're kind of like explain to me what's happening and

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: "...you know, why you're, why are you taking that, that approach and blah, blah, blah, then coming back and you know, asking some pointed questions to help them get to a solution and, you know, kind of.

the ...You know, the thing that really kind of makes it go makes you feel good inside is when somebody goes, aha, that's it? Yes, yes, yes. Now I get it. You know, and that is you know, pretty satisfying for, uh, for an analyst. So I think a lot of people, you know, think of analysts firms of, you know, Hey, these are the folks that can help me decide, you know, which uh, solution to buy.

So I'll either call the the analyst up and say, Hey, which of these things should I. get? I've got a list of three, which one's the best, Um, or they're only gonna look at the evaluation report that we do. And so say, we're going to only gonna choose these leaders and and it's not really the, the best way to think about it, right.

You're really trying to zone in on the, on the vendor. That's gonna solve your problem for your enterprise size, uh, the best. I think that's one of the things that, uh, talking to the analyst, uh, really helps you get to, even beyond the report and the tools

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: ...that we, you know, we have for download, um, you know, to help you with that report, You talk to the analyst, the analyst can kinda help match you as the, as the buyer to the solution.

So you may not need the, the leader solution. You know, that may be,

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: That may be priced out of the market, right? They actually may not be the best fit for what you need. they may not have the Service offering that best fits you know, what what you need to do all that kind of stuff. So I actually think that uh, using the analyst as a sounding board and uh, and a bit as an extension of the team is better than only thinking of the analyst as, oh, well, it's, it's time to buy a thing.

uh, We should call the analyst and see what they think to make sure we don't buy the wrong thing. Or we can tell the board, you know, Hey, we asked the analysts, they told us to buy this one, you know, if the, if it doesn't work out, it's their fault, not mine, you know, use us, use us as the sounding board. and, you know, Bring us in early on all these projects.

Garrett O'Hara: Yeah. That's, it's, it's incredible that you're saying that. So I, I remember it's probably like four years ago I'm at a conference where, uh, somebody was talking through exactly what you've just described there, where it's not always the, the product, that's the leader or what, you know, whatever language you want.

to use. That nuance of matching the tech to the organization. And, uh, it, and It probably sounds silly at the onset but it never occurred to me. You know, I always thought it's number one on the list. and that's probably what you know, is the best match for everybody. But actually, you know, when you think about it, that just doesn't really make sense.

Um,

Joseph Blankenship: right.

Garrett O'Hara: Yeah. And you look, you've been around cyber for. Quite a while I would say. And you know, you at the the start of the call, you kind of mentioned, um, things like XDR, uh, you know, which is uh, sort of a relatively new, uh, acronym that we can add to the very long list of acronyms in the, uh, in the industry.

Uh ...

Joseph Blankenship: You say that because one of our account managers here at Forrester, we were going back and forth on on chat yesterday in, in, I'm doing all these acronyms around. She's like, what is up with all the acronyms and, you know, I couldn't get ...I kinda couldn't help myself. I had to tweet it out. It was like live tweeting, this conversation I was having with this account manager.

And finally I told her, I was like, you know, this has been incredible. I had to live tweet this at the same time, because you know, we do have alphabet soup uh, for acronyms in this space.

Garrett O'Hara: We really do. And the thing that gets me is that the same three letters can mean four different things. Just depending on the context, sometimes

Joseph Blankenship: Absolutely.

Garrett O'Hara: it's uh, it's astonishing.

Um, how how have you seen the the industry evolve over time and maybe this is a two part question? Because, you know, you know, we can clearly see this in evolution of technology. And I would say a maturity of security leadership is another thing that I'm definitely observing in in the industry. Um, but like when I, when I think about an analyst, uh, organization and somebody in your, uh, in your shoes in your role.

There's probably a little bit of you're looking at it. Um, sort of from a, like, not a distance, obviously you're in it, but you're kind of evaluating a landscape and I'd be keen to understand how you make decisions on what you think is gonna be real versus just something that looks good on a marketing brochure.

and, And it's probably not gonna really turn out to be something.

Joseph Blankenship: Yeah. I'd I'd say the, the analyst's role. is, Gives you a unique perspective, uh, because it'll, it'll ...just like some of those inquiries I was just talking about, right? So you're a fly on the wall as the decision's getting made And you're understanding, the problem statements and you're, why are they, is the buyer actually gonna go buy a thing You know, and, or perhaps they're lamenting the fact that there's not an elegant solution for what it is you're trying to solve for.

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: You're trying to figure out. you know, if there's not a solution in the market for that today, you know, how do we go and, you know, how do we go and piecemeal something together or find a workable fix It's, I think that's one of the things that kind of you you do enough of those, uh, you know, you'll see, you'll see a pattern and say, "Well, you know, this is actually not uh, an opportunity, you know, to go solve a real client problem, uh, in, you know, that that either becomes a, a product or perhaps a, a product feature at some point down the, uh, down the line.

I think the other thing that's really important, Gar is. As we come up with all of these things, right? And Whether it's XDR or, um, you know, you know, UVA or soar or whatever you name, you name the acronym, right. Wha- whatever the the thing is, if it doesn't have an actual outcome that helps. move us Forward.

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: ...And it, that's, that's kind of one of my measures of, is it gonna be a thing or not?

So when we, can't, when we, when we looked at when XVR was first coined, I think that was it's first, uh, kind of coined back, way back in 2018. Right. It it was kind of looking at what are we doing? with SIEMs right now, we're, I've always kind of talked about SIEM as being this big data problem right And the idea would be, if we're going to dump terabytes of data into this, uh, you know, this platform, we're gonna sift through all this stuff.

We're gonna find the bits that are really important. And then we're gonna alert somebody to go do something about it, right. That is really hard to do.

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: Yeah. It's really hard to do, uh, it's speed and it's scale and to get it right. And you know, probably a lot of folks out there that have SIEMs or have different technologies.

that shall be, remain nameless to protect the innocent or even the guilty. Um, you know, you've probably felt that pain felt that struggle. And so when we, when X- XDR first kind of bubbled up, you know, it was kind of like, well, this big data approach isn't really working. So where do we find. a rich Signal right.

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: Where do we find the thing that people can actually you know, be actionable with and then get finite with the amount of data that we're trying to analyze instead of, Hey, let's analyze the entire universe.

Let's get finite with rich uh, rich signal and, you know, To a large degree that was endpoint data It was coming off the endpoint where interesting things are happening, uh, where users are interacting with technology where attackers want to go and gain control. Uh, that actually gives us a lot of rich signal.

It also gives us a control point. So the, o- the other you know, kind of really important part of XDR is that is the R is the response,

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: how do we stop it when we see it? Uh, and so how do we take automated action? And where's a good place to do that. What do I need to do uh, the endpoint than it is someplace else.

Maybe it's the network layer or somewhere, like, or you ask me one question? Like, how have you seen the, uh, the, the, the industry mature, when I ...years ago, when I'm working in internet security systems, and we've got this Big you know, IPS appliances, right? Um, Gar, I don't know how long you've been doing this. Right. But you take that IPS.

You'd put it out at the edge of the network and then you would dare the customer to turn the blocking signatures on because you turn the blocking signatures on, is it going to stop network traffic is it going to make it really, slow or are we just not gonna see anything right. Any, Any of the above could happen and it would affect giant pieces of, uh, of a network.

right. it could actually take a company down. Uh, I won't, uh, won't, won't tell you the stories like that on this podcast? but I can tell you that uh, there are instances where bad signatures may have been. pushed By a vendor

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: ...and it had a huge impact, but so we got scared of doing anything automatically at the network. So instead, Hey, if we, if we shut down a process or we block an IP, or maybe we isolate a, uh, uh, an endpoint, or maybe we force a.

uh, re-authentication Or or a password reset or anything like that for a single user. Is that really that bad? Can we do that automatically without taking down half of a, uh, a company or a network segment? Yeah, we can do that. Right. So now that that response piece is really important. So those are the kinds of things.

When I look at something like XDR, and in first out ...I, I gotta be honest. I'm the, I'm the guy covering SIEM. I'm the guy doing the security analytics coverage. So when the other analyst comes to me and says, XDR, I'm like, no, we're solving that problem. Right. We've got SIEMs over here. And we're, we're doing really good analytics and we're solving that problem.

What I'll, what we're seeing now is sort of that convergence between the two, um, and my. colleague, Uh, Allie Mellen did a, uh, a really awesome piece of research. I think she's blogged some of that at Forrester, uh, called Adapt or die. it's really talking about where you know, SIEMs and security analytics and XDR are all gonna meet. And what do we need to be thinking about in terms of tech ops, uh, you know, kind of meet to the future.

Garrett O'Hara: Yeah, and and it is that evolution, right. And one of the things that there's lots of conversations happening on, and I know you wrote about uh, is the zero trust piece. And, you know, you mentioned the the sort of richness and the dialing up the signal dialing down the noise, certainly in the endpoints. And you know that the utility there, um, that seems like a big thing is the the availability of kind of meaningful signal. And, you know,

Joseph Blankenship: Right.

Garrett O'Hara: ... endpoint is being obviously a clear example of that and user behavior. Um, I mean, there's, there's lots of places you can get context from, um, for a zero trust approach, but you know, beginning to get your thoughts on that.

You know, the, the evolution of technology to the point where zero trust is now possible, you know, you mentioned sort of segmenting controls at a user level rather than network level. And obviously can do at a data, uh, in, a data sort of sense too, but yeah, can, can we get your thoughts on. On zero trust in general, given it's the, the sort of new rock and roll [

Joseph Blankenship: laughs] well yeah, it's the new rock and roll.

And, uh, actually I I think it's probably, you know, the evolution of rock and roll. Uh, a little bit. Like I mentioned earlier. that I had the good fortune of working with a gentleman named John Kindervag, uh, ye- years ago, before I came to Forrester. He's very instrumental in helping me get to Forrester. Uh, John was actually the person who got kind of coined the term Zero trust, uh, here at Forrester, you know, way back in, uh, I think it was 2009, uh, you know, John you know, coined this and if you've ever heard John Speak back then, you know what, the way he would have probably kicked off this conversation is he would have called himself a recovering QSA uh, for uh, qualified security assessor for PCI DSS assessments, and the way that we you know, would use to do PCI assessments, right? The PCI assessor would show up with a questionnaire and the questionnaire would go, kind of Like like this, "Where's all your cardholder data and you know, the people around the table kind of look at each other and go, "Uh, we don't know what cardholder data is. And then you know, would say, what systems, you know, are connected, you know, card, you know, cardholder holding systems are connected to the network. And can I get a map of your network?

And so we can start plotting how the data moves around and everyone would kind of collectively shrug. So you're there for a two-day assessment. And those are the, the, That's the opening salvo of the two day assessment and everyone would say, oh my gosh, all of this stuff is everywhere. And so what, one of the, one of the ways to kind of solve for that was how do we get the thing, the cardholder data segmented and segregated So we're, it's not all over the network. Now, the entire networks, not in scope. How do we limit the scope? And that was part of the whole idea of zero trust is we can't let everyone have access to everything. We've got to limit the scope. We want to protect that sensitive data. We want to protect that cardholder data.

So That was like one of the ways to do it. Unfortunately, kind of in the early days, the way to do that. was Segmenting a network Uh, using things like a firewall sitting in between, uh, with ACL saying "These, these, these users can go, this traffic can go. This traffic can't go. These users can't go. But, uh, with the evolution of technology, as you said, we can get a lot more finite, you know, where we actually do micro segmentation via, via software.

We can, you know, have a risk-based, Uh, you know, user authentication. So, you know, depending on your role and the riskiness of, of you as an individual user at that time, and whether or not you're involved with this particular you know, data set, maybe you get access to that system and you get denied access in that system.

Uh, So the technology has definitely evolved to make it a heck of a lot more practical. So maybe not quite new rock and roll, but you know, we're, we're definitely we've brought in some new instruments, You know, perhaps

Garrett O'Hara: Yeah.

Joseph Blankenship: And, and our production value is a heck of a lot higher.

Garrett O'Hara: That Better foot pedals and some nice [inaudible 00:24:13] and and whatnot.

Yeah.

Joseph Blankenship: Totally.

Garrett O'Hara: Good times. So, I mean, as you described that, one of the, one of the things that, uh, does a clear application is the idea of the insider threat. you know, that's something that we've, we've been talking about for quite some times. And I know it's one of your uh, research focus areas.

Joseph Blankenship: Right.

Garrett O'Hara: And we're very keen to get your thoughts on insider threats and how they can impact.

the companies.

Joseph Blankenship: Yeah, Uh, absolutely I think insider threat is like one of the thing ...I used to use this slide, when we talk about insider threat. And it had this, um, this laundry basket that was turned over with all this dirty laundry, all over the floor. And usually when I would show that people were like, why are you having a slide of dirty laundry?

But it was the thing we didn't wanna talk about. Right? It's like airing your dirty laundry to say we've got insiders that are doing things that are either a careless and reckless or B they're actively malicious, Right. Well, No one wants to talk about that stuff right up until the point that they have an incident and they're like, oh my gosh, what are we doing about this?

Um, and you think about the way an insider can either be, you know, sort of weaponized in some ways, depending on the sensitivity of the data that you that you have, they may be. uh, you know, approached by an external entity and say, Hey, we want you to go in and use your access to extract this data. uh, And we will pay you for that.

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: Or we will allow you to, you know, move to this, this country and promote you to you know, some kind of a, uh, a great research position because of all this intellectual property you brought us or anything, anything of the sort. So the in- insider can actually be fairly impactful,

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: especially, uh, Given i- if your access controls, uh, are such that an insider you know, sort of has carte blanche to move around uh, your systems and extract data.

And that's one of the things I think that has been most telling with, uh, with for Zero Trust Helps to address that insider threat, And especially when we start getting into uh, monitoring behaviors, controlling access to our systems and, uh, and oh, by the way, having a process for turning off access when employees and, uh, partners and vendors are no longer employees, partners, and vendors anymore.

uh, that's a big one, Right. The person goes out the door. Uh, maybe you collect their badge to get in the front door. You collect their laptop now, but you failed to turn off their user credentials. Uh, so they still have, uh, they still have the ability to to sign in remotely from some other device, uh, that that's, uh, obviously A problem, but insiders are impactful because they have knowledge and they have access, you know, so they've got two critical pieces and you know, they actually may have you know, some idea of how to move around without being detected by

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: ... uh, the mechanisms you've got in place.

Especially if your mechanisms are doing what most security mechanisms are, which are looking outside because you know, we're worried about external attackers. We're

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: ...worried about people from the outside, getting into the system, uh, not necessarily. Thinking that uh, maybe one of our trusted co-workers uh, isn't so trusted.

Garrett O'Hara: Yeah, I I definitely get that. Um, it's, it's funny. You're kind of tweaking a a thought in my head around, Uh, so we obviously, you know, we focus heavily on email It's the company I work for and one of the things that, um, When I think about that insider threat that's particularly relevant when it comes to email, right?

You, you've, I think you've even written on this, you know, where, you know, the lateral movement through email is one of those very, very common things. And I've been definitely having the conversations around the zero trust as it applies to the email world. And you actually have written articles on this and, uh, we'll include them actually in the show notes.

So they, the trusted third party fishes, the catch of the day was the, the article that you wrote, which was, was really good. and I'm gonna quote it actually the, in, in that article, you said our trust relationship with email has to change.

Joseph Blankenship: Yup.

Garrett O'Hara: And so yeah, for the folks who haven't read the article, what does that involve?

Joseph Blankenship: Well, you, you know, I was kind of joking with, uh, with somebody e- earlier today, you know, we're talking about, uh, how email has, and hasn't changed. I was like, well, SMTP hasn't changed at all. You know,

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: ...in 30 years, Uh, what has changed is the way that we use email, uh, the way that it's been abused and then a lot of our systems for, uh, for handling email.

Uh, but yeah, you think about it, right? Uh, if I, if if, without any other mechanism in place, Gar, if I send you an, an email, you know, kind of, you know, SMTP you, I send it to you, you get it. Nothing's in the way. Right?

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: So we're trusting. Hey, JB is an okay person. Uh, you know, it's fine. If I get an email from him, I wonder what he sent me I open that." Um, so maybe we can't be that trusting of of all email, right? It's we built all the mechanisms. We built gateways, we built filtering technologies. We start, we designed awareness programs. We told people not to click on things. And then inevitably we all click on things, even, uh, even the you know, security people who have been doing this stuff for you know, a really long time.

We inadvertently sometimes click on things. So kind of my, uh, my idea about the trust relationship uh, is you, know, we can't always be trusting that the thing that comes from from a, from a sender is trustworthy. Uh, and in the particular uh, you know, you know, article that you, that you brought up, you know, it looked like it was coming from a trusted sender.

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: It came from a trusted IP range. Uh, it came from a trusted domain that. had been spoofed And then sent from a trusted IP range. Um, so the problem became if we didn't catch it in the filtering technology, that user can still interact with it. So then all you're left with is can the user discern whether or not uh, this is malicious,

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: but if they say, they see a trusted domain trusted brand name that I trust, I want to open this and interact with it now.

If we haven't taken away the ability for that user to interact with that email, we haven't got ...maybe stripped the URLs out of the email, stripped all the script out of the email and left them with nothing but the context uh, so that they can't possibly you know, do harm to themselves. That's what I'm talking about.

When I say the trust [inaudible 00:30:11] ...

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: ...has to change, where we've got that sort of a scenario happening. You know, maybe we're just better off, uh, either, you know, handling that in something like a browser isolation technology, or just completely defending the email. So if the user wants to interact with it, uh, they've got to send it to the security team to release it or something of that sort Much like, what we do with quarantine.

today.

Garrett O'Hara: Yeah, I totally get that. And I, it's, it's, an, it's such an interesting one because I think it plays into the utility versus security uh, discussion that's age old. And I can tell you, you know, working in this space, you mess with people's email in any way, shape or form, and then the end users, uh, there's a mutiny.

Um, and that's all we've seen time. again is the security teams. They know what good security looks like, but ultimately. You know, it, they can't really get those very aggressive controls in place because uh, you know, productivity is hit so bad. What are your thoughts on things like, um, things like DMARC as a, you know, a way to start locking out sort of, um, you know, direct spoofing attacks or even the.

You know, the evolution of finding custom domains at, on the infinite web and then doing kind of proactive takedowns to get ahead of some of this. I mean, it feels a little bit like whack-a-mole, but I mean, that's security, right. It's, it's it's always just, you know, the incremental changes and increases in in security posture, but yeah.

Can I get your thoughts on this kind of broader approaches.

Joseph Blankenship: Yeah. I think DMARC i- i- is useful for a from a couple of standpoints, right? There's obviously the uh, direct spoofing attack, um, you know, standpoint, uh, to stop those or at least slow them down. Right. Uh, it's also you know, kind of getting back to the the con the concept of trust.

Uh, you know, when we do have, um, when we do get a e- email from a, uh, from a sender like you know, with a, with a DMARC record. and um, it's like trusted uh tr-- and they're a trusted sender, you know, now we know we can interact with it.

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: Uh, And also one of those things where the ISPs and the mailbox owners are also looking at DMARC as a may, as a matter of do we allow this into the user inbox?

You know, they aren't actually, um, If we if the, if we aren't actually sure that the domain that's sending is a domain that can send on behalf of the, of the sender, Maybe we don't allow that email to come in in the first place. Right.

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: So I think there there's definitely some, uh, some, some positives there. Um, you know, maybe it doesn't solve for every use case.

Um, but it does help with things like email deliverability, making sure that, a, that an email from a legitimate sender, uh, from a legitimate domain gets to the, uh, to the recipient. Uh, it also gives us a way to you know, to stop or slow down, direct uh, spoofing attacks. Uh, your, your other question about, you know, kind of takedowns, um, especially for big brands.

I think it's almost a necessity, you know,

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: ...to be quite honest with you, uh, it becomes a security cost of doing business because, um, you you can remember the, uh, you know, the days where we had the. uh, the mass Spam and phishing attacks, you know, they were sort of spoofing like all of the, uh, the, the package senders, uh, and a lot of e-commerce providers just think about brand

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: ...damage that does.

Garrett O'Hara: Yeah.

Joseph Blankenship: And the productivity hit, you know, to your point about productivity. If I can't trust that I can open an email from the company, who's gonna deliver my package to see where my package is. Then I've got a real issue. Right? So that was like one of those instances where, you know, a technology, like DMARC helps stop the direct spoofing uh, and then going and doing uh, take-downs of all the cousin domains, like you said, and maybe even taking those over, um, you know, so you're controlling those domains that it can't be revived.

I I think that that, that actually is, uh, is worthwhile for a big brand. Maybe not for everybody. I don't know that everyone needs to go through. that expense.

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: but uh, anybody that has got a lot of brand equity and needs to communicate, uh, you know, openly with their, uh, with their user community. Yeah. I think it's uh, I think it's almost a necessity in some cases.

Garrett O'Hara: Yep. Yeah, absolutely. And, And one of the things that when I think about those kind of domains they're often used for things like, um, you know, event phishing attacks, and generally, you know, that sort ends up in some sort of ransomware or, you know, And let's be honest. I mean, ransomware is an absolutely plague at the moment.

Um, I've seen it actually over in the US that, uh, the department of justice has elevated the, the ransomware investigations to the same priority as, as terrorism, which I think is a really uh, important

Joseph Blankenship: Mm-hmm [affirmative].

Garrett O'Hara: ...signal to the world. Um, and it's at the top levels of conversation here in Australian politics. Also,

Joseph Blankenship: Right.

Garrett O'Hara: w what's your take on sort of the national and the global strategies that you'll see kind of evolve over the coming years to tackle this problem, that seems almost untackable? on some days it just seems like really, you know, what do we do?

Joseph Blankenship: I think what, what, um, what we're saying is, is finally policy to start catching up with the, uh, with the threat level.

Garrett O'Hara: Yeah.

Joseph Blankenship: You know, I've I've had this notion for the longest time at least here in the, in the US, and uh, actually probably probably the most, uh, most capitalistic economies, right. In a lot of ways. The, uh, the government has sort of outsourced cyber security to the private sector.

Right? So you you think about it, um, let's just say an adversary, wanted to come and directly attack your physical uh, plant someplace, right. Or they want you to you know, come over here and blow up a port uh, and shut or shut or blockade a port where shipping, couldn't come and go. The, you know, the Navy of any of our respective c- uh, countries would respond to that and say, get out of here.

You can't uh, shut down commerce like that. Now, what is the response for a ransomware attack or a large cyber attack that targets uh, you know, even banking, you know, here in the US, they've, they've, they've actually gone after after some really sacred things. They went after beer, uh, you know, with Molson Coors. uh, then they went after the, uh, the gasoline supply.

Then lastly, they went after the, the, the meat supply. So, you got beer in ...

Garrett O'Hara: the holy Trinity

Joseph Blankenship: Exactly. Right. What was. left to be done? But, uh, to raise the stakes, um, in terms of the way we investigate these things, but now actually, I, I I think policy is finally starting to catch up, you know, on the theme of how has this evolved

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: ...over the 15 years, almost 16, that I've been in this, in the cyberspace.

You know, I, I remember. you know, We ran all these campaigns and internet security system's trying to get anyone to care about security because no one cared,

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: you know, uh, it wasn't a, a conversation that, uh, got held, um, at the sea level. It was an it problem, you know, Hey, you know, here's the money, you know, get get yourself some antivirus and a firewall and leave us the heck alone.

You know, we don't really care about your security stuff. And we spent all this time and effort and energy trying to help people. you know, get educated uh, about this as a, as a problem. set. And here we here, it took 15 years for us to elevate the conversation. of What happened right. In in, you know, kind of the the traditional way that anything gets done in cybersecurity, it was a massive sort of an event.

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: Uh, it was an event that actually had uh, an impact. Beyond just the company that was being targeted, right? When you start targeting things like critical infrastructure or supply chains, and now you start seeing trickle down effects, then suddenly people say, wow, this is actually a real issue.

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: "Um, There are people outside our jurisdiction who are now targeting us, uh, for this thing.

And now having an impact on the way people go about their lives. So now we have to elevate, uh, the policy level conversation. So I I actually think that we'll be, we'll start seeing uh, things get a little more proactive from a policy standpoint in the way that we defend, uh, things like infrastructure.

Garrett O'Hara: Yeah. Yeah.

And you, I I don't know, um, you know Biden's got plans there. We've got a, a critical infrastructure bill, uh, working its way through our parliament at the moment, which I think is, I think is broad support. I mean, there's some nuances there that I think, uh, you know, private industry or private enterprise are, um, asking questions about, but I think the overall sentiment is, yeah, we need to, we need to take this stuff uh, seriously.

and, and maybe part of the, Part of the problem is that complex supply chains, as I think about it. And, you know, the ways into organizations you, you wrote actually in that article that we'll include in the show notes, uh, you know, the idea of third party, risk management and, and supply chain, which again, just seems like one of those incredibly difficult problems to solve.

Um, what are your thoughts on that? Like root cause approaches? Like, where does that end?

Joseph Blankenship: Oh, wow. That is a huge, uh, hu- huge kind of [inaudible 00:38:32]

Garrett O'Hara: [laughs].

Joseph Blankenship: ... I'll try to unwind. Um, you know, I, and this is, this is like uh, this is like the, uh, the crux that so many security people use, right? Especially uh, folks like myself, you know, you have to take it back to you know, risk,

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: ...uh, and really understanding you know, what is your risk profile.

Uh, If I know that, uh, my, my business is dependent on, um, you know, something like, uh, I I hate to use the, uh, I don't wanna use the example of the, uh, of the pipeline, Frenzy. I'm thinking of another useful e- example. Um, But if I, if I'm dependent on anything right. For, for transport, for raw materials, whatever it is, if ...and if you've ever had to fill out one of these awful, you know, third party risk assessment questionnaires, you know, do you have a firewall?

Yes. Do you have a policy? Yes. You know, it's probably. taking it Like a a step or two further to really understand how that business is resilient.

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: So if you're really dependent on, uh, something in the supply chain it's doing, probably getting a little bit Uh, making that process a little bit more, more robust. I think that's one of the areas where we're going to start seeing these uh, risk professionals catch up a bit Uh, and then say, it's not enough to have the checklist.

Now we actually need them sort of a measure of resiliency,

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: ...um, you know, for that business, because if if the thing goes down, Somewhere up the supply chain. What does that mean for us? Uh, and then how, what's our plan to recover. We actually probably have to start working that stuff into our incident response plan.

Cause like today our IR plan is basically what happens if if we're impacted here today, not necessarily what happens, you know, somewhere up the, uh, you know, up the supply chain someplace.

Garrett O'Hara: Yeah, it's in, it's just such a huge topic. And then, you know, it's

Joseph Blankenship: Right.

Garrett O'Hara: yeah, it really, it almost is an episode at some point in the future, if you're looking to just talk about that, because it's uh, it just it's a Whopper, but, um, yeah.

You mentioned the security questionnaires And, and there's times I think there should be support groups for the folks who have to work yeah, through those. Because I, I spend a significant amount of time as the, the rest of the the team here, uh, doing exactly those. And to your point, it often feels like

Joseph Blankenship: A Software to help with it.

Get off ... Uh, when they were like, all Excel-based and you get the Excel-based one. Yeah.

Garrett O'Hara: We still get those. Um, and they can, they just take so long. Um, to, to, And I, I understand why you have to do them, you know, not for a second saying there's no uh, usefulness, but, uh, yeah, man, they're, they're, uh, they require many beers afterwards sometimes to, to kind of get through, um,

Joseph Blankenship: Absolutely.

Garrett O'Hara: So one, one last question, because we're kind of heading towards time here, but I'd I'd love to hear, um, what you're excited about when it comes to emerging technologies or cybersecurity approaches and, and things like, you know, AI automation, you know, we've, we sort of touched on soar, but I'd love to hear your thoughts on, on what you're kind of excited about coming, coming forward.

Joseph Blankenship: Yeah, that's one of the things that, uh, I think we all get excited about in in security, or pretty much any, any tech space, right. Is, you know, what is the new and innovative approach? And when I took this job five-and-a-half years ago, one of the things I was actually really excited about was AI, you know, cause I had this vision that we were gonna have, you know, AI doing a lot of the decisioning for us and the the people were gonna be over here.

Um, either tackling things that the AI couldn't find or. trying to Solve problems, um, that we had never seen before then train the new models and all that kind of stuff. So I was really kind of disappointed uh, to be honest with the, the, of the state of AI, um, at that stage, uh, because what, I, what I really found out was, Hey, this is a building block technology right now.

It's not, it's not the end state. We haven't reached the point of the autonomous security control yet.

Garrett O'Hara: Mm-hmm [affirmative].

Joseph Blankenship: Um, do I think we'll get there. We'll probably will, I think, that, uh, at some point, at least at some level, Uh, I don't believe that'll be. in the next Five years. Um, but if I look at, you know, kind of, what am I excited about, I'm excited about the fact that, you know, I remember, you know, doing my, uh, my, my SOC training, you know, at a couple of the, uh, couple of stops during my, my career.

And I would watch these poor folks, you know, sit in front of a screen and they would get a, uh, get an incident in their queue or an event in their queue. And they would look at it and they would spend a couple of. minutes Running some queries Then I would watch them copying and pasting the queries into a, into a journal and blah, blah, blah, then close the ticket then move on.

I was like, If, if I had to do this every day for eight hours a day, I might, I might go insane. I'm, I'm only here for a couple of days

Garrett O'Hara: Yeah.

Joseph Blankenship: ...doing, doing this stuff. Um, we've we've moved beyond that. W we're actually getting to the point, we can automate a lot of like You mention, like soar, It gives us, that's a great use of some of the, the SOAR technologies. uh, I think we're also getting to the point that we're getting away from hard, rigid rules that are written someplace uh, that we have to keep tweaking. Uh, That is one of the things that you know, technology like or a capability I should say. Like AI gives us is the ability to learn, um, from behaviors, right? As we're you know, seeing the same thing happen over and over again.

Now we can allow, uh, an algorithm to take over. So maybe we're not relying uh, on a brittle rule, uh, to always fire and get it right. Um, a 100% of the time. So things like those, those those kinds of things are, are pretty, um, pretty exciting. I know that sounds you know, kind of mundane, but you know, it's light years beyond, uh, Excel being the number one productivity tool in cybersecurity, right.

Garrett O'Hara: [laughs].

Joseph Blankenship: It a- It actually varies between Excel and notepad, which one is the, is the most useful,

Garrett O'Hara: I think the hardcore people use Notepad plus these days, you know, it's a [laughing]. yeah. yeah, yeah. Oh, it's layers. So I'm gonna run something past you that I just can't get support for. Um, I think it's the ultimate approach in security, which is that we go back to notepads and abacuses.

Uh, what do you think of that as a security approach? No one seems interested. I feel like it's a great idea.

Joseph Blankenship: We couldn't shut down the insider threat with that one, Gar, you know,

Garrett O'Hara: Yeah. it gets, it gets tricky It gets tricky.

Joseph Blankenship: [inaudible 00:44:28] your phone tablet.

Garrett O'Hara: There you go [laughs]. Yeah, yeah, yeah. Good luck to chisels, uh, yeah, fun times. Um, Joseph, thank you. So, so much for the conversation, it's been an absolute pleasure to, uh, to speak to you And I genuinely, um, yeah, look forward to hopefully at some point in the future, if you, if you were keen to come back on and, and have that massive conversation about third party risk management, because it is a Whopper.

Um, but, uh, yeah. Thank you so much for joining us uh, today and, um, yeah. Have a good rest of your day there.

Joseph Blankenship: Thank you, you as well, Thanks for having me on.

Garrett O'Hara: Thanks so much to Joseph, such a good conversation as always. Thank you for listening to the Get Cyber Resilient podcast. Jump into our back catalog of episodes and like subscribe and leave us a review. For now stay safe and I look forward to catching you on the next episode. .

 

 

Tags
Principal Technical Consultant

Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.

User Name
Garrett O'Hara