Transcript
Hi, everyone. Thanks so much for joining us today. I'm Ashley Spinelli, your host for today's Data First Forum, DLP's back tell a friend. It's been so empty without DLP, and we're thrilled to have you all here for its comeback. Along with our panel, we'll be spitting fire through the wire. So let's lose ourselves in the moment and get some great insights, win some prizes, and earn CPE credit. CPE credit should appear in your account within two weeks. If you have any issues or didn't provide your (ISC)² number when you registered, you can email it to me, and we will take care of that for you. So will the real panelists please unmute? Now, this looks like a job for you. I'd like to first introduce our resident mic master. He's not nervous. He's calm and ready. A staple on the Data First Forum, and Varonis' VP of incident response and cloud operations and EU sales engineering, say hello, Matt Radolec.

Hello. I am the real Matt Radolec.

You are. These next masters of the microphone don't just lose themselves in the moment. They own it. We have John Koester, CISO at Graphic Packaging. Say hello, John.

Hello.

And we have Pete Sasha, Director of Information Security and Compliance at SIA. Say hello, Pete.

Hello.

And with that, Matt, I'm going to hand things over to you.

Awesome. Well, thanks so much for the very eloquent introduction. I, for one, am excited to join these prestigious panelists on another Data First Forum, and I think we should get right into it. I think one of the things I want to start with is really to just ask both of you and Pete or John, you guys can pick who goes first. I'll call on you first on this one. What are the challenges of the legacy approaches to DLP or legacy DLP solutions?

So I think probably the biggest challenge is just the mass explosion of data that we're seeing now from, and it's not just databases, right? It's unstructured data. It's semi-structured data from all this IoT stuff. And I think legacy DLP gives you visibility into some of that, but then what do you do, right? Visibility is only telling you how big the problem is, not solving any problem.

Sure, and John, anything you want to add to that?

Yeah, I mean, I think Pete is spot on. And then you couple that massive growth, the explosion, with most organizations are hesitant to delete old data, things like that, and then the manageability of the DLP solution. So I think many of us probably have been doing this for a while, start down the path of putting in great blocking rules, but then quickly find that managing all of that data and the alerts that you get from it is kind of untenable, very difficult to maintain long-term with limited staff and resources.

Yeah, one thing that always comes up to me when I talk with organizations about this is that kind of legacy approach of a point-in-time scan and how distant that is from the day-to-day and the desire to get to more of a day-to-day blocking standpoint. I also hear a stark contrast between the people that are in alerting mode versus blocking mode or some mixture of both. I want to ask our panelists another question, though, because obviously, threat actors have a real advantage right now when it comes to exfiltrating sensitive data. One of the questions I like to ask is, how would you take data out? From your guys' standpoint, what are the attackers' advantages today in exfiltrating information?

I'll go first if you want, Pete. I think, look, the traditional boundary of an enterprise is at a minimum blurred, but probably somewhat non-existent in many ways as compared to a few years ago. And then you have this proliferation of data sharing, SaaS applications, Box, Dropbox, SharePoint Online, OneDrive, and you want to enable your users. But when you do that, you also open the door for bad actors to easily exfiltrate data. And then you couple that with the challenges with DLP that we talked about, and it starts to be a bit scary when you sit in the seat, to be honest.

Yeah, I think for me, I would just log in as the person I wanted to steal their data, right? You compromise the identity. And once you're in, you've got a toehold, even if it's an unprivileged account. Eventually, you're going to move laterally and escalate. And then once you get your privileged account, you have access to everything, especially in the way I think traditional DLP works. It's just all the data is just sort of, it's not a least privileged sort of model. There's no real data owners defined. So once you're in, you get that level of privilege. I mean, the game's over.

You know, one of the things I always like to say is attackers, they only have to find that one weakness in your security posture. But us as defenders, we have to block or stop or monitor everything else 100% of the time and be 100% effective in order to avoid a data breach. Now, when we think about that, and maybe to try to take a positive note, some things can be done. You guys are both experts on how to improve data security posture or improve data security resilience. Do either of you have tips on how to do that? Like how someone can improve their posture and their resilience?

Sure. So the first thing is really, you've got to have some policies, right? I mean, you've got to have something that is requiring you to take action, right? I know we used Varonis at a former place of employment I had and now as well. And so the next thing is kind of figuring out who owns the data, right? Because you have these vast troves of information and it's like, who owns this? Because you really can't make any decisions. You get, it's analysis paralysis, right? It's like, you don't know what you can get rid of. And I think John mentioned that earlier, right? Is nobody wants to get rid of anything because we might need it someday. But without something other than human beings looking at a screen, you're going to have a real challenge in trying to figure out what's disposable, what should be kept, how to lock it down, how to get to a least privileged model.

Yeah. Yeah, you have to understand what you have out there, right? And then secondary to that is like, what value is it really providing? We're data hoarders, right? I do it in my personal life and we run into that challenge here in the business all the time. So I think it starts with shameless plug for Varonis, great product, but really having a data map to understand what's out there and then recognize that most organizations are resource constrained. And so if you know what's out there, you can focus on at least the most critical data sets that you have, highly regulated information like PII. And then at a minimum, you're starting to put in monitoring and controls around that data. I think also starting to have those conversations around data hygiene, right? Getting rid of old data. I mean, that's kind of an easy win and you'd be surprised once you start to have those conversations, how kind of easy it is to convince many other business leaders that it's the right thing to do and that there isn't a huge negative impact to most business operations by doing that.

Yeah, and maybe there's even a cost benefit. One of the projects that we get engaged with a lot of clients about right now is a ROT project or redundant, obsolete and trivial data because of the cost and the risk associated with keeping that data around, especially if you're backing it up three times and you've got people sharing it, you get to the point where the availability of that data becomes one of the most expensive things and just getting rid of it can be super helpful. Now, one thing neither of you mentioned though, and I kind of be curious to hear your thoughts on is what about when it comes to sharing? Data has to be shared in order to realize its value. How do you enable your business with collaboration but not allow oversharing?

Yeah, I'll go for it. I mean, that's kind of next level, right? So understand what you have but then providing the secure channels, be able to share data, like sort of enterprise approved methods to do that. And for us where we've had success is starting to implement the concept of a data owner. I think somebody put that in the chat and they're absolutely right. It's difficult to layer in the right controls and approval chains to actually share that data. I think the technology piece of it is fairly easy. It's the ongoing governance once you allow it to be shared and that's hard for a security professional to do. You can't do it alone, not adequately in my opinion. So it takes a partnership.

Yeah, go ahead.

Yeah, so we started meeting with our legal team about retention policy, right? So we wanted to get sort of a framework of, what types of data as a publicly traded company do we need to keep and for how long, right? What's the recommendation? And then we started meeting with our senior leadership and saying, this is what legal is saying. We legally have to retain this data for this amount of time. And I even brought up the Sony hack, right? I guarantee you the Sony executives would have loved to have a data retention policy on their email that talked about President Obama when they got hacked, right? And you start talking about that reputational risk of keeping stuff around forever and ever. And they understand that. The leaders of businesses understand risk and this is just another risk that we have to educate them on.

Seems like there's also some conflicting data retention that might drive organizations to have a bit of, I'll say a paralysis when it comes to actually getting rid of anything.

Yeah, and that's kind of why I started with the retention policy, right? 'Cause we had all of that challenge and I'm formerly from healthcare and there are some records that you have to keep 25 years past their 18th birthday, which is, I mean, essentially forever.

Right, I think so. Yeah, go ahead.

So we worked, we like hammered all of that out first. Like that was step one, hammer out the retention policy, then meet with the data owners, right? Figure out who the data owners are, meet with the data owners and say, here's the retention policy. Tell me where this doesn't work and why we should make exceptions to this. And I think John even mentioned this, for the most part, they all just kind of went along with it, right? They were like, yeah, this is great. Yeah, why are we keeping this stuff? I didn't even know this was out there. And so it did get, it was very hard to get going, but once the wheels started rolling, it really, it went pretty fast. We got rid of a hundred million files in about six months.

And you know, legal, usually most organizations set a classification policy. That's a very powerful thing that we already talked about, but there's also this layer of litigation risk with old data, right? So once it stops serving a business purpose, I think when you get your general counsel on board to say, hey, if this is not really providing our business some type of positive outcome or value, then it can only be negative. And oftentimes that's related to litigation, right? So you'd be surprised at what an ally your legal team can be in this type of initiative.

Yeah, and it sounds like a couple of people have even mentioned that some data, like mortgage data has to be kept for the length of the mortgage or patient data has to be kept for a long time. So maybe even being able to set the guardrails on certain types of data would be a great place to start that conversation with like a general counsel or a risk committee. Now shifting gears a little bit, guys, what does the next generation of DLP look like?

You gotta take the human out of it. I think there's a lot of opportunity with AI. And I know companies are looking at it for compliance purposes, but I think DLP is right in there. A lot of opportunity. We talk about the people hours required to do this right and across an enterprise. We almost have to leverage AI to be successful here. And FYI, bad actors are leveraging it to get the data out. So we have to keep up.

Yeah, Pete?

Yeah, so same answer. I would add giving the end users feedback as they're sharing data, right? So helping them make the right decision instead of traditionally you're kind of like, hey, by the way, you overshared this very sensitive piece of information. It's gone out the door, but it's kind of akin to saying the barn door is open. By the way, the horse left an hour ago, right? You wanna try to help the end user do it the right way because people do, generally speaking. People want to do the right thing. We just have to help them know what that is.

Or make it easy to make the right choice.

Correct.

I'll say this too. I hope that the next generation of DLP includes blocking. You know, what would, I think if we look back to the survey, only 18% of organizations were actually performing some type of a block. 54% were alerting, a handful doing a mixture of both, but I bet very few are actually blocking effectively at different points of their network, whether that's like cloud or browser or network or endpoint. So I think the next generation of DLP is definitely gonna include some AI, some type of like abnormality type detection. Like you said, Pete, some kind of feedback from the person or from the AI, you know, so that the employee is involved in the conversation, but definitely some blocking. If it's not blocking, I think we're missing the mark.

For sure.

Now, when we think about like our audience here, we've got people from lots and lots of different backgrounds. We've probably got some, you know, CyberSec folks. We've got some data security and privacy. I'm sure some people will mention other ones that I haven't named yet. When you think about giving people tips to improve their security posture or just get better security in general, you guys are both very experienced security leaders. What tips do you have for just overall better security outcomes?

I think Matt just called us old, Pete, but I'll take it. I think-

I just said more years of experience than me. How about that?

I was translating. I think, look, recognizing that you can't run cybersecurity from a silo, period, and it takes partnerships. So I found great success in establishing the strategic partnerships, right? And building those relationships, invest in them. It's not just buying a product. It's a true relationship. And to be successful, you need those strategic relationships. The other thing is the power of awareness within your company. You have to be out in front of the company, talking to the associates, recognizing and understanding like how they do their work so that you can design a security program around your business. Very, very important.

Yep. I don't know how I could add anything to that. I mean, that's it. That's the job in a nutshell. You know, gain consensus, get other people bought in. Learn the business. Yeah, we're here to serve them. Every business is there to make money and provide shareholder value, right? And it's easy to say no a lot. So instead of saying no, offer a no but, like partner on a solution. And the only way you can do that is if you understand your employees and how they operate.

Yeah, I think that overall message of encouraging security practitioners to think about the business context and like we often run to this is why it can't happen. But instead of maybe starting with why it needs to happen and how we can do it safely might be a more kind of resolute path forward.

Well said.

What is the right point to, and Peter, I think you had some strong statements about this earlier. What is that right point to engage our employees when it comes to data security or data ownership or data loss prevention?

John talked about this earlier, right? Same sort of situation, right? If you're not talking to the business and the employees in the business and learning what their day-to-day is, and you have no relationship with them, they're not gonna follow best practices. They're not gonna do what you need them to do. They're gonna see you as a blocker, right? All you're trying to do is stop me from doing my job. And so building the relationships and then educating. So for me, when I first started, there wasn't this understanding of data type. So what we had, right? There really was a thought that there wasn't really much here in sensitive information. And so I did a lot of education about data and retention. And then an event occurred outside our organization that then like a light bulb went on for them. They're like, oh, this is what he was talking about all this time. And then we started having a real conversation about what do we need to do to protect ourselves from legal risk, from reputational risk, and just the loss of data. And so it really started a really good conversation with the senior leadership about what we needed to do as a company. So I don't know if that answered the question, but-

No, it does, it does. Yeah, I talk with people all the time about this and I often find there's a struggle on it. I think what I'm gonna take away from what you're saying is kind of a top-down, like let's get the top of the company engaged about data security and let's let it propagate down into the ranks because it can't only come from security.

Yeah, I've never been successful getting anything to go uphill at any organization. It's always got, you always have to start with the guys that are running the company, get them bought in, and then everybody falls in line at that point. Just like any, just like co-pilot, right?

Yeah, anything to add, John?

No, I think Pete's right. I mean, if the question was when to engage, I think it's a full-time job. It's as soon as possible, right? And not fear-mongering, I am strongly against that, but using real world examples or some of the pains that other organizations have gone through and it's public, like using those to point to, to say, this is why we should care. Last thing is, if you can find a way, and this is true of any security initiative, I think, to make it real for the employee, to make them feel like they've got some skin in the game, I think that that's pretty powerful. And sometimes we use, hey, we're teaching you great practices or hygiene for data, whatever it may be here at work, but you should carry this home to your personal life too, to protect you and your family. And I think those, one, if you're sincere and genuine about really caring about their wellbeing, both at work and at home, I think that goes a long way too.

Yeah, that is an excellent point, is if I can make it more about your personal security at home, that 100% translates to work. So I do a lot of education with personal stuff as well. And thanks for bringing that up, John, that was a good point.

Yeah, and pulling that through a little more, Pete, like if you think about how, I mean, look, with all the best intents of a security professional to keep the private and the professional world separate with remote work and BYOD and all those things, at many levels, like those worlds are not completely separate anymore for most employees, right? And so it is a little self-serving, keep them safe at home, that translates to better security in the workplace as well. I think one of the things I wanted to mention earlier, when I think just not about the next generation of DLP, including blocking, I think it's gonna include a lot more abnormal behavior and heuristics-based. Depending on an organization to define thousands and thousands of rules, I just don't see that as the future of DLP. I see more about behavioral profiling, understanding what normal is, depending on maybe the risk of the transaction that's being alerted on, decide whether or not to block it or stop it or reset it. I think a lot about like, how can we do more of the work for an organization as the future of DLP versus heavy configuration? So more behavior-based detection, more behavior-based blocking, more anomaly-based interruption or disruption. Any other closing comments, Peter or John?

I would say, oh, sorry, Pete, go ahead.

No, go ahead.

I would agree with those statements. Like, look, I mean, technology, we have to leverage technology, specifically AI and heuristics, all those things you mentioned, Matt, spot on. But I would also underscore the fact that it still takes people, right? And so never discount the value of a solid team with great skill sets. At the end of the day, bad actors are leveraging AI, but there is still a person on the other side of that equation, right? And you need people on our side to defend appropriately and also to generate that awareness, which I think above everything else, awareness, your culture within your organization is top priority, period.

Thanks. Anything to close on, Pete?

So a baseline of user behavior and then user behavior analysis to detect anomalies. That's the future. You can do it now to an extent, but it's got to get better.

We really appreciate you being here with us. Otherwise, we look forward to seeing you on the next Data First Forum.