Identity in Cybersecurity Ep. 9 — Reducing the Noise

Plurilock's Stephen Boughton and Ciaran Foley, CMO of XENEX, discuss the importance of automation, not being a lone ranger, and the role that security platforms play in consolidating tooling.

How do you prevent juggling thirty disparate security tools? Do you find it hard to correlate relationships between massive amounts of information and events happening in your network?

In this episode, Plurilock’s Stephen Boughton talks to Ciaran Foley, CMO at XENEX. They discuss the importance of automation, not being a lone ranger, and the role security platforms play in consolidating tooling.

Host: Stephen Boughton
Guest: Ciaran Foley
Length: 28:39


Stephen: Hello everyone. I am today’s host Stephen Boughton, community manager at Plurilock. We are joined today by Ciaran Foley. Ciaran is a technologist, futurist, and entrepreneur whose nearly three decades of experience spans multiple industries and roles, including founding one of the first global application development firms in the world and serving as co-founder, board member, and mentor to a range of entrepreneurial and market-making businesses focused on internet and software technology, gaming security, and more. Today he joins us in his role as CMO of XENEX, a Los Angeles-based cybersecurity firm whose platform, XENEX SOC, delivers the technologies and tools that today’s cybersecurity professionals need to keep their enterprises secure.

Stephen: Welcome, Ciaran. Thanks for joining us today.

Ciaran: Hey, thanks for having me, Stephen. I’m glad to be here.

Stephen: We are going to be talking a little bit about identity and access management today. And as you are an experienced person in the industry, and I’m a bit of a newcomer—we’re both marketers—I wanted to talk a little bit today about how things changed and how we can tell the story of security to security professionals and to business leaders. I’m looking forward to our conversation.

Ciaran: Yeah, same here. Same here.

Stephen: Over the last 20 to 30 years, the world has obviously changed a lot. And with that comes a change in business. And one of the main things to cause that change is a thing called the internet. So I was hoping that you could explain some of the major changes you’ve seen throughout your career in security and identity in the world of business.

Ciaran: Yeah, I’d be happy to. I mean, certainly things have changed a great deal. You know, many of us today can’t imagine a pre-internet world, but yes, I was around during that time—I’m starting to date myself. And it was really, really different. Certainly in the last 10 years, things have only accelerated, but the amount of change, it’s quite shocking. When one looks at the idea of security, I think it’s important to state that security is often seen as a solution, a technology, a destination; it’s really none of those things. I mean, at the end of the day, security is a process and that process is never-ending. And this is evidenced by the changes that have been occurring, both on the protective side and of course the hacking and malicious side of the house. So part of this, part of addressing security, involves this idea of identity. And of course in the real world, when you can sit across from someone, you get an idea as to who they are and who they say they are—it matches. We don’t get that convenience in any sort of digital format today.

“Security is a process and that process is never-ending.” —Ciaran

Ciaran: In fact, one need only look at—recently even video technologies where you can make someone look like they’re saying something they’re not to evidence that we can no longer really trust our senses. Online, of course, is even worse because somebody is not actually sitting across from me. So at the end of the day, this is about defining and managing the roles and access privileges of individual users’ systems on a network that you can’t see that you’re not in front of. Granting or denying privileges to them, and assigning an identity somehow to that individual—a single identity. And it’s really a huge challenge. It’s really a huge challenge.

Ciaran: Pre-internet, we were in a time where identity and access to information were physically controlled. We could put paper materials in a desk, lock them up and we can lock our offices and prevent physical access that way. And then over time, we added the idea of private local networks inside of organizations, and bridged networks that were connecting computers within an organization. That started an entire situation with security, where you started to have logins, right? So people were no longer really physically separated from each other in terms of identity, but they were rather on a single network and now had to be isolated in that way.

Ciaran: And then, we looked at everything from the days of dial-up and BBS ISDN lines, we started seeing sort of specialized hacking. These were the early days of hacking, the days before everybody had the tools to be able to do this and it required a fairly rich knowledge of infrastructure and technology and know-how to actually hack. These were sort of the quaint days of connectivity and the internet comes along, as you say, and suddenly we’re connecting to each other across vast networks, public networks, specifically. The internet is really, by and large, a large public network. And so we started seeing new hacking modalities. Still early days, very difficult, and required a lot of technical know-how, but a lot more accessible. I didn’t have to tie into your dedicated line anymore. I could come in through some other resource on the open internet. And then, as we’ve progressed, we’ve seen a number of different—a confluence of events—the democratization of hacking tools.

Ciaran: So now, script kiddies can now hack as easily as someone who had experience 10-20 years ago. They may not even know what they’re doing, but they’re successful at it. Haha. And the tools are becoming more and more available to the amateur hacker. And at the same time, we’re also seeing the advent of AI-based tools and machine learning tools and bots, which are constantly hitting networks that are probably exposed.

Ciaran: So, all of this to say that today we have an enormous challenge in the security industry. We have a public-private hybrid mix with on-prem (or on-premises) devices connected to a public network. And then, more and more of our businesses are also becoming reliant upon public-facing, private company networks and resources. We’re moving to the cloud, we’re moving to web-based applications. So the challenge is this in a nutshell: between, say, 1995 where we had 16 million users online, or about 0.4% of the entire world, to today where we have 4.83 billion users representing about 60-odd percent of the world.

Ciaran: Every single one of those endpoints requires some form of identity—otherwise you don’t know who you’re talking to or what you’re talking to.

“Every single one of those endpoints requires some form of identity—otherwise you don’t know who you’re talking to or what you’re talking to.” —Ciaran

Stephen: Right! You talked about so much there, and that makes sense, because so much has changed pre-internet until now. And I guess that leads me to: what story are we trying to tell as security marketers to business owners, business leaders, anyone who’s dealing with securing a business? Since it is such a complex field now, it can be overwhelming for business leaders. I feel like it could be so complex that many people will just shy away from it and cross their fingers and hope that something won’t go wrong—which obviously, as I think you’d agree—is not a good strategy. So what do you think are some good ways that you can kind of cut through the noise and explain to people how security in today’s age works and the main things you need to be looking after?

Ciaran: Yeah. And I think, addressing complex problems often requires simplification because otherwise it is too complex, but let’s start at the human level. At the end of the day, we’re all human beings trying to get something done. We’re working with each other collaboratively using these technologies. And, let’s just start with the idea of stress. Haha. To give you an example and underscore this issue, the average tenure of a chief information security officer today is only about 18 to 24 months.

Stephen: Wow.

Ciaran: So they are stressing out and they’re stressing out of their jobs. They’re burning up and it’s understandable. And the reason why I think comes down to a number of different factors, not the least of which is when you look at the advancement of any technology, virtually every technology goes through these various stages. Back in the days of the first websites, for instance, we used to have all this specialized knowledge and we would hand code websites, HTML etc. and today, you look at that and you think, “Well, that’s really, that’s a quaint idea.” Haha. We now have tools to be able to do that and virtually anybody can use a WYSIWYG display and just throw stuff up on a page and get a website going in 10 minutes. But this shows the extent to which things have changed and the extent to which technology has changed. Well, there were various periods that occurred where you started off very basically using a text editor and you did everything by hand and then you had this barrage of tools that came onto the marketplace and suddenly you had too many tools.

Ciaran: And it was actually easier, but also more difficult because you had so much selection to do what you were doing. And suddenly there was specialization. People became very good at one tool and not another and so on and so forth. And eventually you’ve reached the sort of artistry stage where we—I think we’re getting close to, with the websites today—where they’re just a known quantity—it’s no big deal. You fire up your WordPress site or your Squarespace site and a kid in junior high can light up a site in a few minutes. Right? Security is similar in the sense that the tool sets originally, if you are talking about really early days—now this was all manual stuff. I mean, it was people doing phone phreaking, tying physically into phone lines, tying physically into connected lines, doing SSH and firing up a shell and getting into the back ends of systems and mainframes.

Ciaran: Then, we have steadily moved towards the stage now where we have tens of thousands of tools. And the idea of cybersecurity and security in general, being a process, is made up of so many of these tools and so many of these disciplines. And then let’s not forget, let’s throw in a hefty dose of regulation and make that regulation and compliance completely different for every jurisdiction in the world—whether it be a nation-state or even here in the United States. And the thing is a hot dumpster fire of confusion and stress. So how do you make that simple? What do you do? If you’re a CISO, you move from the idea of being a juggler, in some sort of perverse Cirque du Soleil show who is really enamored with technology solutions and has 30 solutions that they have to maintain and understand and integrate somehow—and correlate into this idea of visibility in the organization and remediation and mitigation and you start to go more towards platforms. You start to look at solutions that are doing that type of integration for you.

“You move from the idea of being a juggler and correlate into this idea of visibility in the organization and remediation and mitigation and you start to go more towards platforms.” —Ciaran

Ciaran: So, as an example, we look at—here at XENEX—we have XENEX SOC, which is really a platform that plays well with other technologies. So you may choose to gain access to one of the technologies that we use for a particular security function, where you could use a XENEX SOC to actually run that and 10 or 20 other functions altogether. And the magic of that is that you’re not the one who has to knit it all together. You’re not the one who has to correlate and see the relationships between these massive amounts of information and events happening in your network. Instead, the platform is doing that. And, it’s really about simplification. It’s about starting to use new tools. It’s also to a degree just as we did with website design and other things, you start to get away from the metal—you start to get away from the hardware.

Ciaran: You start to get away from coding HTML by hand, using tools at your disposal. And this is not a trend that is going to change. It’s going to, it’s going to increase—it’s going to speed up. And the reason why is that along with the complexity—which in and of itself is enormous given the number of different potential ways in which one might have leaks in the boat, so to speak—the speed of change, the speed—the automation that’s occurring on the other side with automated AI-machine learning attacks coming in, that is a huge concern for CISOs and there’s, there’s no way to deal with that, except with technology that is equally smart. So, I think the message is don’t fall in love with any particular one of these technologies. Don’t fall in love with the fact that you, as a human being, get to twiddle the knob and manually do X, Y, and Z. Maybe you still need to, in some of these cases, instead, start looking to… machines are taking over this space. Software is eating this space. AI is eating this space. Platforms are eating this space because there is no way to keep up with it as a lone ranger anymore.

Ciaran: You know, we’re just speaking about a security team within a company. This also requires longer-term planning where security professionals are more connected to each other, even between companies and organizations. So it’s really collaboration, simplification, and start to look at automation and look at systems that can reduce the level of stress and noise in your life. Because if you imagine that you’re getting constantly hit by this noise—it’s a nightmare. You’re not going to be effective as a human being, let alone a CISO or in your role.

Stephen: Right. And that totally makes sense to me, even as someone who’s new to the industry. The security leader in the organization whose job is to create a congruent ecosystem of security for the company to play in that’s simple—like you said, there’s just too much complexity now to do that effectively and you’ll just run out of steam.

Ciaran: There’s some really neat ways in which automation in different systems are coming to the fore to enable this to happen. We talked earlier about this idea of machines talking to each other, systems talking to each other. It’s not just people connecting to their account, but it’s very large systems that are distributed from different companies talking to each other. And so the idea of API security, for instance, the transfer of data through APIs or application programming interfaces. So companies’ systems can actually talk to each other in a secure way. That is one focus area of identity. You don’t normally think of a machine as having identity, but of course it does. The other, of course, is customer identity and access management. So, on the customer level, you order something from a company, how do you manage that information, and understand who they are? There’s a whole field of this—identity analytics, where we manage risk based upon the way that you use applications and which applications you use. Again, none of this is manual. I mean, you can imagine as a human being going through this—it’s impossible. So you have systems that really look at, “Okay. You have the keys, taking them to the bank account that has a lot of money in it? Or are you just updating a CMS (content management system) on our website?” The two have very different profiles. Identity analytics concerns itself with that aspect of it.

Stephen: Right.

Ciaran: Then, you’ve got there, there are service providers who are providing this idea of identity as a service.

Ciaran: So there’s a whole new crop of providers who are saying, look, don’t roll your own solutions for identity. We’re a cloud-based authentication. You authenticate with us once and we’ll manage your identity as you go through your day, connecting to all these different systems. You’ve got government governance, so identity management and governance. And then, we’re all used to single sign-on operations and federated identity. This idea that, okay, if I log in with this one system, then I can log into a number of others. So for instance, single sign-on with Google. So you sign onto your Google account and your G Suite account then can be used to authenticate you on other systems.

“You’re not the one who has to correlate and see the relationships between these massive amounts of information and events happening in your network. Instead, the platform is doing that.” —Ciaran

Ciaran: So, all of these things, all of this is to say that even within a subset of security known as identity management, there’s incredible work going on. And I would argue also potentially confusion and in many options going hand in hand to understanding just the single slice. That is, are you who you say you are? And that’s a tough question. As with all technology, it’s fascinating for most people, it blows their minds and their eyes roll back into the back of their head.

Stephen: Right.

Ciaran: The goal is our users shouldn’t feel this stuff. They should be able to go to get on with our work. CISOs shouldn’t be able to feel this either, but I’m not praying for that day anytime soon.

Stephen: Exactly. At Plurilock, that’s one of the things we work on—are you who you say you are and is the person who signed on at the beginning of this session still the same person? And it’s just something that I think when you’re not inside the cybersecurity industry, you don’t really think of. What are one or two most exciting developments that you’ve seen in the identity space as far as technology goes?

Ciaran: I think what you’re talking about and what your firm does is probably one of the more exciting areas. It’s this idea that who you are is not so much just a single set of credentials, but it’s a set of behaviors, a set of signals that you give off. For instance, on authentication on Android phones and other phones, there is the ability, for instance, to be able to correlate somebody’s gait and the way that they use their phone physically, using sensors to find out who they are and whether they’re still using the phone or somebody else has gained access to that hardware. But these are just concepts that we have to get used to because at the end of the day, there are certain things that we are unable to, or that are much more difficult to lie about and one of them is our biology—one of them is who we are and how we act. Human beings do things in various, sort of automatic ways, often unknown even to ourselves. And so, the area of technology that is able to notice these patterns, that is able to correlate those patterns with some sort of identity specifically with respect to hardening perimeters and increasing security is a fascinating and exciting area for me.

Ciaran: In one of my past lives, I did work in the virtual space and we were studying ways in which —inside virtual environments—imagine being able to capture somebody’s movement, what they’re gazing at, not only what they’re doing within that environment, but their entire physical essence within that environment, and then correlating that to certain behaviors. And so we are going to see that we’re going to see the leak of this from what we know today, which is I’m sitting at my keyboard. And you still know it’s me because I’m typing in a certain way and I’m using my mouse in a certain way. And you’ve got some credentials—all the way to, “how do you know that it’s still me behind those AR glasses?” But I know somebody else didn’t steal that off my face, give me a black eye and now they’re accessing my bank account.

Ciaran: Well, we may be able to use those sensors and those mobile objects to, to attain that insight. That’s, I think, the only way eventually that we’re going to be able to really understand who we’re talking to. It’s almost like it kind of comes full circle. It’s almost as if, in the beginning of time, when we sat around the campfire and we looked each other in the eyes and he said, “Yes, you’re Stephen. I see you. I’ve got an essence of who you are. I trust you.” We’re almost coming back to that. But now, instead of me sitting in front of you, you’ve got a computer that’s actually trusting you because it can feel you. It’s reading your signals. And I’m using it as a proxy for my physical presence. And I think that’s really where security has to go at the end of the day. Everything else can be tricked.

Stephen: Right. And there’s a couple of times we’ve talked about them coming full circle. Pre-advanced technology it’s one way, then after the technology gets so advanced that it’s so complicated that it almost comes back to being, “how can we simplify this?”

“Platforms are eating this space because there is no way to keep up with it as a lone ranger anymore.” —Ciaran

Ciaran: Yes.

Stephen: It started at, it’s obviously this person ’cause they’re in our office, but now it’s gone to, how do we know who is accessing this information? Because it’s a world wide web and we have work-from-home people and there’s also people working in different countries, like in our case. How do we know that that person is still the right person? So I like the picture that you painted there with sitting around the campfire.

Ciaran: It does, and we’re, and we’re wanting to work as we did once in the past. Coming back around to this idea of, I want to be free physically, I want to be free of the shackles of the desktop. I want to be able to go out for a walk and still dictate emails while I’m doing that or listen to what I’d like to. I’d like to be connected. And of course, the COVID crisis has really accelerated elements of this, but we were going towards this anyway with firms that are largely distributed leading the way. We weren’t concentrating on it as much. But I think, it opens up a whole new world of opportunities. And hopefully, as we do, we pioneer these solutions and deliver them to the marketplace. One thing I would say is for those creating the solution, please pay attention not only to the end-users and their experience but importantly, attention to those who have to deal with this stress of integrating and managing the solution in the enterprises that are using them. Because if those people stress out of the job, I don’t think we’re at a stage where computers are gonna take over everything. We still need people in those jobs, and let’s make their lives easier, make their tools easier. Let’s simplify for them. Take things off their plate instead of—’cause the tendency is and I came from an engineering background, so I totally get it—the tendency is if it’s got more blinking lights and it’s got more lines of code and it looks cooler and it’s an amazing interface and I can show my other engineering friends. I’m like, look at this. It’s so detailed. We’ve got to move away from that. Sorry. There still will, of course, be tools like that, but we’ve got to move away from that. We’ve got to move to meet human beings where most people operate.

Stephen: Yeah. And I think you’re spot on with saying that, pre-COVID people don’t want to be trapped in their office nine-to-five anymore. So now we’re playing a little bit of catch-up, but I do think the technologies are out there that can arm these mobile workforces. So just before we let you go here, ’cause I know you got a lot on your plate. What are a couple of suggestions that you would give any enterprises who are now facing this crisis of having dozens or hundreds of workers at home, but not quite there with their security? What would be a couple of things that companies can quickly do to increase their security?

Ciaran: It’s not—unfortunately—it’s not fast or quick. But really, look at what other companies around you are doing. But first and foremost is—collaborate! Security is not something that’s solved in isolation. And so attempting to choose solutions, attempting to solve a problem, attempting to even understand the problem alone is, is most certainly a recipe for disaster. So, the first thing I would do is get involved with local groups, which include business leaders, which include security experts and engineers, and then vendors and providers, and connect with organizations that are focused on security and get involved. Security is not one of those things, which is “by the way, I’ve got my business, everything’s running fine. Oh, by the way, now we have to add security to the mix. Right?”

Ciaran: The process of security occurs at every single interaction inside your company, every single one. And if it’s not being addressed as such, you’re gonna lose opportunities and you’re gonna put yourself at risk. So the idea is, get together with other people, understand that and see, just as much as this idea of information flowing through your organization is the lifeblood of the organization. Well, so too is security because when you don’t have security, that lifeblood is going to be leaking out of you really fast. So that’s really the primary advice I would give someone, I don’t know how fast or slowly I can do it, but the main thing is don’t do this alone.

Stephen: Yeah. It’s not an afterthought. It’s part of a sustainable building of a business.

Ciaran: It is, and make sure that your board of directors understands that.

Stephen: Right.

Ciaran: Make sure that your investors understand that you must all be of a like-mind, because if security is not baked into your solutions, if you’re creating solutions, if it’s not baked into your customer journey, if it’s not baked into your, obviously your backend systems, even the most mundane technology today is one that is rife for attack. One quick example on that front, we’re working with, one of our partners has a browser isolation technology—the browser, the innocent little browser, I mean, who cares? But guess what? 80% of attacks occur through the browser! Yeah, so it occurs everywhere. So you really have to learn about this stuff and get connected with professionals early on. And every aspect of your business needs to have security as an idea baked in.

Stephen: Right? That makes sense. And I think with the amount of news and coverage, I think there’s a lot of opportunity for security businesses and professionals to have their voices heard now and create a better and a safer future for businesses and the greater good in our world. So, thank you, Ciaran. Thank you for joining our podcast and sharing your wisdom. I appreciated hearing your take. Where can people find you and where can people find XENEX online?

Ciaran: You’re very welcome. And it’s been my pleasure, absolutely. So, I’m at xenexsoc.com and I’m on Twitter at Ciaran Foley @ciaranfoley

Stephen: Right on. Well, thanks for joining us today, Ciaran.

Ciaran: My pleasure. Stay safe, everybody!