How to Manage Cybersecurity Challenges in 2022 and beyond?

Michael Krigsman: Managing security challenges in 2022 and beyond.

Anand Oswal: The attacks are getting more and more sophisticated and more and more evasive. The attackers are using the tools that we, in development, are using as well. They're using the power of AI and machine learning.

On the cybersecurity threat environment in 2022 and beyond

Michael Krigsman: That's Anand Oswal from Palo Alto Networks. Can you give us an overview or a sense of the security landscape, the kind of threat landscape that we're facing today?

Anand Oswal: I think there are three big trends that we are seeing when it comes to network security.

The first one is no surprise. Hybrid is here to stay. We were in the pandemic, all working from home. We're starting to come back to the offices, but not five days a week. With this comes different implications around security.

The second big trend that we are seeing is applications moving to the cloud. This was always something that was a trend that was happening. The pandemic has made every company accelerate their digital transformation, and we're seeing that continue to happen. That's a trend to stay.

Third, and the most important one, is that the attacks are getting more and more sophisticated and more and more evasive. The attackers are using the tools that we, in development, are using as well.

They're using red team tools. They're using the power of AI and machine learning. And so, these attacks are getting more sophisticated and more evasive.

These three trends are having a massive implication on how security is done. The threat landscape is increasing by having users everywhere.

Michael Krigsman: The bad guys are getting more sophisticated and more intelligent and, therefore, the attacks are becoming more challenging to stop.

Anand Oswal: As applications move to the cloud, many enterprises recreated a software security stack, as we access applications in the public cloud. With the remote workforce in the pandemic, IT scrambled, as you know, to make sure that their workforce is productive and, in many cases, they recreated a SaaSi stack for the remote workforce accessing cloud applications.

But if you think about it now, as we are now going back to the office and IT has a chance to look at all the infrastructure they have, in many cases they have inconsistencies. They have these three disparate stacks.

They're managed differently. They give different security outcomes. They have different policies.

Now, they are looking at how do I ensure that I have consistent security when the user is at home, and when I'm in the office? How do I have the equal and best security experience? How do I have the optimal user experience? And how does IT have the singular admin experience?

On managing cybersecurity challenges

Michael Krigsman: Anand, you work for Palo Alto Networks, and so you have lots of customers. What are the kinds of challenges that you see or the patterns that you observe among your customers as they're trying to deal with this complicated security situation?

Anand Oswal: Most of the customers I talk to have multiple security vendors (from a network perspective) that they've been using. As they're looking at their infrastructure, they're looking to do a couple of things.

First, how do you automate what you do on a day-to-day basis? How do you automate your policies that you're applying as you're adding new SaaS applications, as you're adding new users?

How do you ensure that you have all the capabilities that are supporting the platform are used in the most optimal manner? A.k.a., do you have the right security posture for your infrastructure?

Third, how do you ensure that you have a zero-trust implementation across the entire enterprise from users, from applications, and from your device on the network?

On the importance of a unified security platform

Michael Krigsman: Since the platform concept is so important, can you explain what you actually mean by a platform, in this case when it comes to security?

Anand Oswal: What I mean by a platform in this case, if I break it down into more details, think of it like you have a physical hardware firewall. You have a software firewall that can be in a virtual machine or a containerized firewall, or you have cloud-delivered security like we have in SaaSi.

All the security constructs that you have, the advanced malware prevention, the prevention against command control, antivirus, exploits, DNS, you want all those security services consistently applied for Web applications, for non-Web applications, the user in the officer, the user at home, if he's on the go, if the user is accessing an application that sits in the public cloud, on the private cloud. It doesn't matter.

Michael Krigsman: All the pieces are designed and working together as, we could say, one broader unit, so to speak.

Anand Oswal: You have now a consistent security policy. When the netsec admin defines policies for users, you would define one policy. It's basically instantiated on different form factors of network security: hardware form factor, software form factor, or a cloud-delivered form factor (depending on what you're using in which scenario). Every customer is in this transition phase, so it's hybrid. It's not just one.

On zero trust security

Michael Krigsman: I had, as a guest on CXOTalk, the head of CERT at Carnegie Mellon University Software Engineering Institute. He explicitly brought up the general concept of zero trust as something that they believe is very important.

Anand Oswal: Absolutely. Look, you've seen this from the government as well. They're asking us to implement a zero-trust infrastructure. But in many cases, there's a lot of confusion on what it means, how you navigate that journey.

We talked in the past about ensuring that you have zero-trust across the entire enterprise: users, applications, infrastructure. And from four key pillars around authenticating the user, on ensuring that the device the user accesses has the right integrity, protecting the access to the applications or data the user has, and ensuring that what transaction you do is secure, and do that on a continuous basis.

The principle being no notion of implied trust. You want zero trust with zero exceptions.

Michael Krigsman: In general, and among your customers, to what extent do security professionals need to adopt a new kind of mindset, that zero trust mindset? How important is that?

Anand Oswal: I think it's very important because as they're living in this new world where users are everywhere, with the applications everywhere, they really want to ensure that they have consistent security. Just because I'm in the office today, I badged in, and I have certain security experience, when I go home in the evening, if I log in at night, I want to have the same security experience as access to applications and data.

Michael Krigsman: Of course, this approach is very different from the way we managed security in the past.

Anand Oswal: Yes, it's very different, and also the security landscape itself is changing. This is the only industry, Michael, that has an active adversary.

It's a little bit like a Tom and Jerry game. You've got to keep up with the industry.

Think about malware. Ninety-five percent of malware that we are seeing is morph malware, which means it's variations of existing malware.

I don't need to go and process everything back in the cloud, come back, give a verdict, sometimes update my signature. I'm able to do that now with the power of machine learning inline, in real-time, on the platform itself. Now I can protect 95% of the traffic with just analysis done through static analysis.

For a small part that's dynamic analysis that I need to have more, that's completely new malware, I can use a cloud assist function but still do it in a single pass architecture in real-time.

The two key principles to note here is that we need to do things real-time, and we need to do things inline because there's no letting the first person get attacked, hacked. It's what the industry calls patient zero. We want to prevent never been seen attacks as well. We want to prevent the first person who gets infected from all sorts of things, from phishing, from malware, from command and control, antivirus, and so on and so forth.

Michael Krigsman: All of this is arising from the increasing sophistication, as you were describing earlier, of the bad guys who now have this expertise in AI and machine learning and similar kinds of techniques.

Anand Oswal: Yes, and up to a while ago, almost 45% of all phishing attacks were getting undetected. You've got to update new mechanisms to do, and we pioneered that way at Palo Alto Networks when we announced advanced URL filtering, advanced threat prevention, to ensure that we are preventing and protecting our customers from never-before- seen attacks (inline, in real-time, across the entire platform).

On the need for cloud-native security in a hybrid work environment

Michael Krigsman: We have many, many more endpoints with people working both in the office and from home, so all of this begs the question of what we should do.

Anand Oswal: You need a platform approach. You need best-of-breed individual products. But you also want them fully integrated so they can have shared intelligence of data.

Let me explain a little bit more. What I mean is that you're in the office; you're at home. You have a firewall in the office, a physical hardware firewall. You're accessing some applications in the cloud, and you have a software firewall as a front-end.

You are at home. You are accessing your public cloud applications through your SASE infrastructure or your applications in the private cloud.

Now, all the notions of security, whether your threat prevention, your sandboxing for files, your URL filtering, your protections against DNS attacks, your data and SaaS security, you want a consistent security experience no matter where you are.

Lastly, you also want to have that singular and consistent experience for the netsec admin, so you want a platform approach that can basically give you a consistent security experience no matter where you are, no matter what you're accessing, and where that application or data reside. You want the best user experience and the consistent admin experience.

On machine learning and automation for managing security

Michael Krigsman: How do users know the right strategy to take in order to ensure that they're fully protected?

Anand Oswal: That leads to all the power of AI and machine learning. What I mean is that the AI operations for network security.

You cannot keep updating your policies manually. As you know, there's an explosion of SaaS applications, the explosion of users, and you are not able to do this manually.

This is the power of AI and ML, and what we can do is automate policy creation. In some cases, we automate the policy creation and the netsec admin can review it and apply it.

Once they get comfortable over time, maybe you automatically apply it without having an approval process. But it's very important that we don't rely on manual operations.

The second thing is that you also want to ensure that you have the best practices assessment done continuously. There are checks that we can do based on best practices that we would recommend that you apply. In our case, in Palo Alto, we have 280 best practice checks to apply the next-gen firewall.

The last thing that you want to do is also have what-if scenarios. What I mean by that is to help our customers understand what happens if they enable certain new security functions.

What happens if they enable decryption? What happens if they enable malware? Many times, features or functionalities are enabled because the admins are not sure what will happen if they do it.

Michael Krigsman: You made an interesting point. You said you don't want users making manual changes, manual setup. Why is that?

Anand Oswal: There's a lot of data on this one. Over 90% of the errors that you see in configurations in policy that leads to some sort of a break in security happens because of manual configurations. It's not intentional, but it happens.

Michael Krigsman: What do you say to old-time security folks who come back, and they say, "I've been doing this manually since the beginning of time. I don't make mistakes. And I don't trust the machines"?

Anand Oswal: It worked in the past, to some extent. It's because the number of policies that you are to enforce, the number of applications that you are to enforce were minimal. Users were in the office. Applications were in the data center. Then you had some applications maybe in the cloud over the years.

But now we're living in a different world. The threat landscape is more and more wide. Users are everywhere. The applications are on multiple clouds, in the private cloud.

You're not only having IT-issued devices. You have bring your own devices. You're accessing applications from anywhere. That requires us.

It's a very complicated situation, and also you have new and new applications rising every single day. You want to automate the policies, reduce the errors, and then have the security architects focus on other high-value things that they want to drive from a design and architecture perspective.

Michael Krigsman: The platform, based on machine learning and automation, then the goal here is to reduce configuration errors and, at the same time, make things much, much faster to deploy.

Anand Oswal: Yes, absolutely, and also be able to predict things. For example, even things which are not related to security.

Say how much bandwidth is used on a certain firewall. I'm able to predict what will happen to the firewall in six months, nine months, based on usage patterns that I'm seeing in the enterprise.

Instead of somebody manually looking at the memory available every day, I'm able to automate and say, "Hey, you're reaching a threshold of 80%," or 90%, or multiple thresholds. They can plan better.

Michael Krigsman: I suppose the platform approach means that because the pieces are tightly integrated, tightly coupled, you're getting a seamless view across that landscape.

Anand Oswal: Across the entire enterprise because, like you said, applications are in the cloud, and the data center. It's a hybrid workforce. You want to have that visibility across the entire enterprise.

On the evolving nature of cybersecurity threats

Michael Krigsman: What are you seeing regarding the nature of security threats and where that's headed?

Anand Oswal: The security teams are using more and more of, like I said, the power of AI and ML. You've seen tools like Cobalt Strike being used by hackers.

You've seen what has happened when attackers are moving laterally. You've seen that with the Colonial Pipeline. You've seen things happen with Log4j where certain vulnerabilities have spread laterally.

I think we no longer can assume that the attacker is always from the outside. It's from the outside, but there's a lot of lateral movement of threats as well. You want to build your platform, your infrastructure to ensure that you're able to continuously verify activities and really ensure that you're secure from all aspects of it.

On advice for security professionals

Michael Krigsman: We need to talk about what organizations should be doing. Let's start with security professionals. What advice do you have for security professionals?

Anand Oswal: For security professionals, I think there are a couple of things that are very important. First is, are you thinking of your infrastructure from a zero-trust perspective? Are you having a single unified policy infrastructure that you can apply for users and devices and your workloads no matter where they reside?

How are you ensuring that you are keeping up with the newer threats that you're seeing in the industry? Are you ensuring that you're able to have the advanced protection from malware, the advanced protection for phishing, command and control connections?

Is your infrastructure having too many fragmented vendors? Are you having not only an integrated approach, but are you having a best-in-class approach? Are you sharing intelligence with the different point products you have?

Those are important things that security professionals need to think about as they decide how to design and architecture their security infrastructure.

On security advice for business leaders and board members

Michael Krigsman: Let's shift gears slightly. What advice do you have for business leaders and for boards of directors in terms of what they should be asking and expecting of their security teams?

Anand Oswal: I think the most important thing I would say for them would be to review the roadmap of the security vendors they have. Are they having the most highly innovative roadmap to prevent them of attacks from the future? How integrated are the individual components that you are having in your infrastructure? Are you sharing intelligence across that? Are you building a more secure offering for your enterprise?

Having a lot of fragmentation of security vendors actually leads to a poor security outcome than a better security outcome. How do you ensure that you are using best-in-class of the individual components but an integrated fashion so that you are able to get the sharing of intelligence and a consistent security across the enterprise?

All in all, also helping them reduce their operating costs, their cost to configure, their cost to manage the infrastructure.

Michael Krigsman: Simplicity of the environment actually is really important here.

Anand Oswal: Simplicity is very important. The integrated nature is very important. Then easier to manage, reduce the operational complexity and the operational cost.

Michael Krigsman: I think, for many business people, the nightmare is they think their security posture is strong, tight, and in place, and then there is an attack, a data breach. It's out in the newspapers, and they discover, after the fact, that things weren't quite as good as they were led to believe. How can business leaders just make sure that never happens?

Anand Oswal: There are two things that I think are important for you to understand here. One is that most of the enterprises that get attacked usually have all the security capability in the product but haven't enabled and consumed those services appropriately. The most important thing is to ensure that it's not just that you purchased it. That you activated it.

That even you consumed it. But have you consumed it in the appropriate fashion? Are you still having policies which say any-any, as an example?

Michael Krigsman: The platform is looking over the environment to help ensure that nothing is missed, essentially.

Anand Oswal: The platform will ensure that it will tell you what services you have enabled, what services you have not enabled. For the services that you have enabled, have you activated and consumed them and consumed them appropriately, which means they're using it to the full extent with all the power of what you can use. If you haven't, it'll tell you a step-by-step way of how you can get there.

Michael Krigsman: Anand, any final thoughts as we finish up?

Anand Oswal: The threat landscape is increasing with users and applications and data just everywhere. You want to have the consistent security across the entire enterprise. You want to have the best-in-class point products, but also fully integrated into the platform to ensure that any users accessing any application, any data, is consistently secure.

You also want to ensure that they have the best user experience and IT or netsec has the best admin experience.

Michael Krigsman: Okay. A very informative discussion. Anand Oswal, thank you so much for taking the time to speak with us. I really, really appreciate it.

Anand Oswal: Thank you, Michael. Have a good day.