How to implement a true Secure Access Service Edge (SASE) architecture.

Episode Table of Contents

• [00:51] Talking About SASE
• [06:50] The Privacy Boundary That You Don’t Want to Cross
• [12:38] A Large Scale Purview
• [17:20] SASE as an Architecture and a Framework
• [24:00] Ways to Migrate Into the SASE Infrastructure
• About Our Guest

Talking About SASE

Carolyn: We have a great guest again today. Myrna Soto, Forcepoint Chief Strategy and Trust Officer. Before coming to Forcepoint, she was a Senior Manager at American Express. She was also a former Corporate Senior Vice President and Global CISO at Comcast and MGM. This morning, she's going to talk to us about SASE.

Eric: So casinos, we have finance, we have media and telecommunications. This'll be a good one.

Myrna: Thank you for having me guys. It's a thrill to be here with you both.

Eric: I'll start it off a little different than normal. As you look back over your career and you've seen the space evolve, what's the biggest surprise that's come to you? Which snuck up on you or what would you have expected?

Myrna: One of the biggest surprises is that over the last 10, 15 years, the security issue really hasn't changed too much.

Eric: 15 or 30?

Myrna: Well, you had to go there, didn't you?

Eric: I'm just going back to 1987 when we saw the first virus. No other commentary, but has it really changed materially over the decades?

Myrna: It has changed in some fashion. It's changed in the way that we evaluate threats. It has changed in the way that we try to attempt to combat threats, but what hasn't changed is our defense. Our defense in depth approach has been around forever.

Myrna: You said 30 years. You’re just dating me in my career, but it has not really changed much. We continue to kind of do the layer cake on how we combat threats and how we'll deal with attack vectors.

The Adversaries Have Changed

Eric: Very similar to the way the military has approached a lot of things with trench warfare, the Maginot line or defensive lines, defense in depth. We'll keep throwing reserves at it, but cyber is different. They're not full frontal assaults.

Carolyn: What I think I just heard you say Myrna, is that the adversary has changed, the defense has not. That's a little terrifying.

Myrna: Indeed. The adversaries have changed and continue to change. Even when we learn about motives and tactics, they continue to evolve. They're very organized, they're very well funded. It's definitely something that continues to evolve at a rapid rate and is very difficult to combat against that. That doesn't mean that we haven't made strides and that we've improved our defenses over time.

Myrna: I will say that, we have improved our defenses over time. We've learned more. We have looked at networks very differently, and the defense in depth approach has served us moderately well. But it hasn't really been a silver bullet to put us in a position of accurate and proactive defenses. We still are very reactionary.

Eric: One, time has proven since the first virus, we've been spending more money, we've been spending more effort. We've been doing a better job, but we've been getting further and further behind the adversary. They're stealing more information, they're impacting our businesses.

Eric: They're sabotaging our systems and I'm not talking only in the United States, anywhere. There's a common phrase in the cybersecurity industry. Something to the effect of they're the people who have been hacked and the people who don't know they've been hacked.

Myrna: Unfortunately, that is such a true statement. We've often said you just don't know you've been hacked yet.

The Achilles Heel for Many Organizations

Myrna: Then by the time you realize it, the amount of dwell time the adversaries have had in your environment, it’s the most embarrassing and most crippling thing about these attacks.

Myrna: I've been in many different industries of which have had a very significant amount of activity against them. To sit here and say, we never had any attacks, no, we had attacks all day long. We had attacks at a volume metric pace. The difference was how quickly can you detect those attacks from happening?

Myrna: How can you quickly contain them once they're discovered, and that's the Achilles heel for many organizations. They are looking at their detection mechanisms in a certain way. They’re reacting to what I call the sea of logs and events.

Myrna: Where a really more adaptive and intelligent way of looking at what are these attacks mean to me? Where are they coming from, what are the motives? What are the adversaries actually looking for? For me to apply different adaptive defense techniques?

Carolyn: So adaptive, are we talking about AI?

Myrna: We are. I'm reluctant to use that term because unfortunately, it's been an overused term in many areas of the technology stacks. But at the end of the day, it is about learning, it's about learning predictive behaviors. It's about understanding the pattern of adversaries and sometimes the pattern of our own users to understand where is there some anomaly in place.

Myrna: We can automate that so we don't have to have a human being, an analyst determine good, bad or indifferent. That's where we have the greatest amount of opportunity.

The Privacy Boundary That You Don’t Want to Cross

Eric: Then as you look back over your career, are there things you would have done sooner? Things that you would have done differently maybe, knowing what you know now as a chief strategy and trust officer? And knowing where we are or where we're not maybe with AI?

Myrna: Absolutely. I'll give you an example from one of my previous lives. We spent a lot of time trying to coalesce the enormity of the intelligence that we had within our network. We’ve been one of the largest internet service providers in North America. You can imagine how much data we had about the traffic in our environment.

Myrna: Now having been a consumer facing entity, we had a number of privacy regulations that we were adhering to. And we stood by them for our customers. The depth of what we call in the industry, deep packet inspection of the network traffic was limited. There was a privacy boundary that you never wanted to cross.

Myrna: But there were so many opportunities to get the macro data. To be able to share that data for a proactive defenses across the industry, that's something. We spoke about from 2012 and to 2016 about how could we do that as a collective industry.

Myrna: In my role now, I'm hoping to not only work with the team at Forcepoint, but the product teams as well. And all of the teams that are focused on this to figure out how can we do that at a grand scale. I'm happy to say that we already are making some major strides in that fashion.

Carolyn: When you were at Comcast, you wanted to share the data. Did you, on any level?

A Collective Consortium

Myrna: We did at a very macro level as part of a collective consortium of telecom and internet providers under a very strict protocol with completely anonymized information. By the way, that creates some difficulties when you want to defend against them. When they're completely anonymous and you cannot go back and identify attribution.

Myrna: But at least we were able to identify trends that were happening in the industry. So our partners could defend against them and vice versa. From a national security perspective, that was one of the enormous things we’re able to do to protect that piece of critical infrastructure.

Eric: Are you talking to the ISACs then, the information sharing and analysis centers? From your perspective, are they somewhat effective?

Myrna: Some are more effective than others. Ours, because we were part of the communications ISAC that we created during those years I just quoted. We had a lot of growing up to do as far as how we're going to manage information sharing. The biggest challenge for us, the financial services ISAC, was way ahead of their time across the industries.

Myrna: But even they would say, "Hey, we still are kind of limited to how much we can share." There's the potential for the inference of competitive data being shared. There is the potential that consumers could say, “Hey, what are you doing with my data?”

Myrna: Even today, when we think about the Googles of the world, the Amazons of the world. People are concerned about that. You asked me before, what should we have done sooner? It was being able to tackle the trust aspect of how data and analytics are used to defend.

Establishing the Trust Framework and Paradigm

Myrna: Granted there have been companies that misused data, that have not necessarily honored their commitment to their customers. That makes it that much harder, but we're here at Forcepoint. One of the things that I'm working on is establishing that trust framework and paradigm for the company. So then we talk about how we use analytics, how we use data collected from a threat landscape.

Myrna: Then our customers know that eight is protected pseudonymized so that we can go back and attribute who the attribution is. But certainly safeguarding and the trust of the hub. We're using the data, how we're securing the data and how that data will never be used against them in particular.

Eric: It's amazing. They're two words in cyber that come up over and over again, over my years of experience, at least, trust and risk. They're two simple words. If you go back to the beginning of time, they describe components of everyday society. But they come up in cyber over and over again. They're very difficult concepts to wrap your words, to wrap your head around when you're talking cyber operations.

Eric: In this case, do you give data to your competitors so that they can be safer, but you can learn from them? And how much data do you give? How do you make sure you're not giving them something of competitive advantage while you're trying to make the world a safer place? I can't imagine those discussions

Myrna: I'll tell you, they were discussions that went on for years. I'm sure it continued to do so in the industry that I was in prior.

Eric: Probably in all industries.

A Large Scale Purview

Myrna: All of them, but when you think about attacks against infrastructure, it is irrelevant. The service, the customer, or the transaction, that's where the competitive landscape comes into place. If I'm revealing my customer, and I'm revealing the service that I'm offering that may be under attack? You don't want to do that, again, from a competitive perspective.

Myrna: But when you're able to identify trends, either regionally or tactics or some reverse engineered malware and you're able to attribute them to the industry, those are types of things that you want to share. Why? Because it's the right thing to do for our national infrastructure.

Myrna: Again, speaking of a critical infrastructure type of industry. For security, the number one thing that assists people to be much more effective in their defenses is intelligence. You are obviously much more intelligent when you have trending data, analytics, and risk data that’s greater than your own enterprise.

Myrna: That's one of the things from a government perspective, the agencies have been able to do quite well. They've got such a large scale purview to be able to identify things at a rate and at a depth that not one single enterprise can do on their own.

Eric: Did the government help you though? Carolyn, I'll let you get in a second here. Did the government help you and did they facilitate that info sharing? Were they beneficial to you or was it more the industry coming together?

Eric: Maybe it's a leading question. I've seen so much friction between the government and industry. What do we industry share with the government? And what does the government want to share with us, or can't?

Reasons to Mistrust

Carolyn: There's been a lot of reasons to mistrust through the years between government and industry.

Myrna: I will tell you through my experience, and this now encompasses multiple industries. Because while I was the CISO at MGM Resorts in Las Vegas, we were heavily regulated. We've dealt significantly with the Secret Service on anti money laundering and treasury.

Myrna: We had a lot of governmental agencies that we worked with directly. It's amazing the amount of terrorist activities that actually can happen through the casino infrastructure just to launder funds. And to be able to distribute funds for the support of these unfortunate adversaries.

Myrna: In that industry, there was a lot more collaboration for obvious reasons. It was all about currency. It’s all about cash movement. It was about where it was going. And it’s about being able to identify the large sums of money that would traverse the infrastructure of the casinos.

Myrna: In the telecommunications and communication space, speaking about internet services and things of that nature, it's a little bit different. It’s unfortunate that we did not receive as much information as we would have liked from the government. However, we were very much cooperative to share information with the government.

Myrna: Very often, there were investigations that happen at a national security level. The internet, unfortunately, is being used to communicate on multiple forms. So being able to participate, that was a no brainer. In the spirit of national security when we needed to, under the proper legal structure, we did.

Myrna: I just wish we would have gotten more in exchange. That should be changing a lot more.

The Mechanisms in Place

Myrna: For whatever reason, there’s just not that productive two way information sharing that we would love to see. I think anybody in any industry would say the same thing.

Eric: You're saying gaming actually was much tighter?

Myrna: They’re much tighter, and it’s because it’s simpler in the sense that there’s no real competitive or consumer perception. It's something egregious may have been happening with the government. It sounds simple, but it's very complex, it's as simple as the WG reporting for casino winnings. It's a regulation.

Myrna: You got to do it. There were mechanisms in place. Everyone that comes into the casinos know that's happening. If those WGs were investigated to find patterns because Eric happens to always have a large amount week over week. It seems to be odd, it would not be seen as a distrusting activity.

Eric: But if I came in and drop half a million dollars on the blackjack table.

Myrna: We're watching you.

Eric: Interesting. I've never thought about it like that.

Carolyn: In addition to better and faster information sharing, what else should we be doing to improve our cyber defenses? Defense in depth has been around a long time. It has a nice ring to it. Do we throw it out?

Myrna: No, we don't. We don't throw it out because there's always going to be table stakes. There's always going to be layers of the cake that you're always going to want to utilize. When I speak of it not changing enough, I think back to my years as a practitioner at Comcast, we're running about 50, 60 products across the enterprise. We did so at a large scale with a humongous team in order to support that.

SASE as an Architecture and a Framework

Myrna:  In this day and age, it's really hard to sustain organically such a large team in many of these enterprises. Rationalizing the number of tools and moving parts that we use to defend is where we need to go. We're heading in that direction. Some of our listeners may have heard us refer to SASE as an architecture and a framework. We are really working to kind of converge a lot of capabilities into single platforms.

Myrna: Not to replace everything, but to be able to rationalize a subset of capabilities in a converged platform. Eliminate the complexities of the moving parts, and the touchpoints. And the ability to gather data at a much more holistic perspective, even if it's just for subset of controls.

Eric: But do you believe SASE will be a consolidation driver in the security industry? We have thousands of companies doing thousands of different things. I couldn't imagine being a CISO today. Where do I start? What do I buy? How do I implement it? What are my priorities? Do I understand risk and then how do I make it work together?

Myrna: If you're a CISO today, depending on what industry you're in, you're going to have the layer cake that’s a must have. There are certain industries where you're going to have must have layer cake, as far as your defense in depth. It’s probably going to be generated by your regulatory construct or some compliance construct.

Myrna: When it comes to the SASE play, the converged platform. The best approach is to understand where you have the greatest amount of opportunity to consolidate capabilities. Whether it be data protection capabilities, user access capabilities, and/or your edge.

The Real Icing on the Cake for SASE

Myrna: When we think about the edge, the network edge, that is radically changed. What is the network edge today? It's all over. We're all working remote. There's a ton. We've blurred the lines of the network edge. So how do you protect against that?

Myrna: Those are the areas where, whether it's data edge and then really a primary piece is how do you protect your users? We've often talked at Forcepoint that many of the static "best in breed solutions" out there from a defense perspective.

Myrna: They’ve forgotten about the user, forgotten about how does the user transact. How does the user use data? What is the movement of a user? What’s an anomalous behavioralistic pattern of the user? When I say user, it could be a machine, a service account, a user, a third party provider.

Myrna: As a CISO today, you've got to ask yourself, where can I consolidate my capabilities around how I manage my users? How can I consolidate my capabilities on how I manage my edge network protection? And how can I consolidate my capabilities around data?

Myrna: So DLP is a known function in the security space with varying levels of success. DLP alone isn't the answer. It's how you manage the risk of the data that's being used? How do you apply adaptive policies to those data movements? And how do you contain any type of anomalous behavior?

Carolyn: Is SASE the solution for all of that consolidation that you're talking about? Is that what SASE is?

Myrna: Think of SASE as a framework and an architecture. The real icing on the cake for SASE is that it is facilitated via the cloud.

Where Does SASE Comes Into Play

Myrna: What that allows people to do, when I talk about all these other things to look at data user and edge is how quickly you can stitch these things together. SASE actually is not stitching it.

Myrna: It's actually converging it. To converge this natively on-prem with physical boxes and physical servers and physical capabilities, can it be done? Sure, but it's quite expensive, very hard to scale. The time to value is where SASE comes into play. You can accelerate your adoption via SASE architecture in the cloud or a hybrid approach.

Myrna: I do believe that SASE and the approach of SASE on the converged platform is what will get us there sooner. That will allow us to use a lot of the behavioral dynamics and behavior analytics. And to facilitate the actions of these different control points.

Eric: But it's confusing. It's complex. If I'm a smaller organization, where do I start? Or if I'm a larger organization, where do I start? It's predominantly focused on the cloud, as I understand.

Eric: How do I dovetail my on-prem, more traditional, which I still need to keep modern security technologies in with SASE. And not have it just be another marketing buzzword. If you search on SASE, every vendor out there has their play on it now because that's what we do. But how do I bring that all together?

Myrna: You start small. You start with one capability. One of the three I mentioned, whether it's edge protection, cloud-based firewalls, things of that nature, or user or data. The brilliance of a SASE approach is you don't have to sit there and rewrite everything.

Ways to Migrate Into the SASE Infrastructure

Myrna: You could take your on-prem policies and migrate them to the cloud. What the cloud should offer you and will offer you is the depth of scalability at a much more efficient cost basis. You don't have to have the capital investment of having to maintain your physical on-prem assets.

Myrna: It also gives you the capability to integrate with some of the other converged platforms at a much rapid rate. That is really the SASE framework and why the migration of taking these security capabilities to the cloud. Think about the cloud. We first started talking about the cloud way back when we were talking about compute and storage,

Myrna: Storage took off a bit faster than compute, and that was based on trust factors. I'm willing to put certain data in the cloud, but I'm not willing to put all of my data in the cloud. Then compute came into play. There’s an immediate economies of scale that came into play for security and the converged platform.

Myrna: It was via the SASE based architecture and framework. There’s a significant economy of scale versus the point product, physical asset management that we all have been living through today. But if you're a small enterprise, there are ways to kind of migrate into the SASE infrastructure.

Myrna: It could be web content filtering. It could be SASE cloud based services for CASPI. And it could also be DLP in the cloud. We call it a little different, but DLP in the cloud. There's a number of ways to approach it.

Understanding the Risks Around Your Applications

Myrna: Once people adopt the cloud based service and they adopt the converged platform, it will quickly grow a lot of logs because there will be no reason for you to manage 70 products. Then you may go from 70 to 35, but guess what? That's still a great reduction.

Eric: That's a huge improvement. Going back to trust and risk, you have to trust the cloud service provider. You have to trust your security providers and move your data into the cloud. You've got to be able to understand risk around your applications. Same old time forever concepts.

Myrna: Risk is one of those concepts we've talked about in the security field a lot, quite a bit.

Eric: I feel like we don't. I feel like half of my customers, they have no understanding of the risk of different assets, different applications. They're just starting to talk about it.

Myrna: One of the critical advantages to looking at a risk based approach is noise. You have all of these signals, you have all of this noise in the system. Get data from all these point products. You get data from all your logs and how you sit there and you look at everything. And you say, “okay, what's the so what to my business?”

Eric: What really matters?

Myrna: What really matters, and the risk based approach allows you to kind of reduce the noise. To really now harness in true risk based signals because you can have things happening in your world. They could create an alert, meaning that you have to tune a policy or you have to tune an engine.

Myrna: But we're spending so much time over here looking at all this noise. Right under our nose is an adversary that is doing lateral movements across our enterprise.

SASE Is the Key to Effective and Fast Information Sharing

Eric: The story of our lives, Carolyn.

Carolyn: I know, and time is beating us, as usual. As I'm listening to you though, Myrna, I keep hearing you going back to your original point which is the need for that effective, fast information sharing. You said that SASE is going to really enable that. It's one of the pieces. That's the queen. That information sharing, that's the key.

Myrna: One of the ways we can combat the challenges of point to point information sharing is the ability to use technology. I will use the buzzword of the decade, artificial intelligence, machine learning. To be able to look at the analytics of users and activity monitoring, and again, anonymized.

Myrna: Who it is really doesn't matter at that first layer. It may matter later on when it's proven to be a legitimate threat or legitimate adversary. But being able to use technology to facilitate that information sharing, that event and risk-based sharing, it solves the issue of company ABC is talking to a company DEX.

Myrna: What are they saying? What are they sharing with one another? If we're able to take the data that we're able to collect, identify as true risk-based threats to certain companies. Then share that systematically without any attribution to individuals, that's a huge game changer in the industry.

Eric: We need to do the same thing within organizations, within applications with your cloud service provider and other people. The organizations I've experienced have had challenges. They may see something in one network or one application. But they don't share that across the board either very well today.

Artificial Intelligence Machine Learning

Eric: That's an area where artificial intelligence machine learning, some level of, we'll just call it automation. It can make a difference within the org as much as outside.

Myrna: One of the tactics used in the past to protect, and we call it building moats, was network segmentation. In various industries, you could do a network segmentation where your PCI applications are firewalled. They're segmented away from other components of your network where other back office applications operate.

Myrna: Another great one would be in the energy sector. In the energy sector, there’s a very controlled operational control network that is around energy delivery and transmission delivery. Then you have the enterprise over here segmented. The challenge there is the lack of ability to talk.

Myrna:  Not to transact, but to talk and learn from each other. To use some, and I use a term that’s very native to us internally at Forcepoint, the cross domain capabilities. That is another area where we have some really great advances in front of us.

Carolyn: We just brought up about four or five more topics for new shows. Unfortunately, we're going to have to leave it here. Thank you so much for your time today, Myrna.

Myrna: Thank you both. This was a lot of fun. I look forward to doing it again.

Carolyn: We will definitely have you back. So thanks to our listeners. Join us next week. Until then, do your updates.

About Our Guest

Myrna Soto is Forcepoint Chief Strategy and Trust Officer. She’s a security and information technology veteran. Having held senior leadership roles with many of the world's most recognized brands, Soto brings more than 25 years' experience to Forcepoint. Utilizing her experience as a transformational security and business leader at Fortune 500 companies.

These companies include American Express, Comcast and MGM Resorts.

Soto will serve as a trusted security and technology innovation partner to customers. They’ll re-assess their security posture in today's new business reality reliant on cloud-driven security solutions to protect the work-from-everywhere workforce.

She will also partner cross-functionally with the company's IT and engineering teams to act as a pathfinder and modern problem-solver for the organization. In this capacity she will help teams envision, strategize and execute programs. These accelerate customers' digital transformations with modern security architectures that optimize security as a business enabler.

"Today we are in a world irrevocably changed. Businesses must embrace the new workforce reality ahead that takes security beyond the four walls of the office to a work-from-everywhere environment. Every company today needs to reassess their security posture in this new business reality. It’s now heavily reliant on SaaS applications and platforms to operate 'business as usual'," said Matthew Moynahan, CEO of Forcepoint.

"As Chief Strategy and Trust Officer, Myrna brings to Forcepoint an inherent understanding of the challenges global enterprises face today. What it requires to be a security leader driving transformational change at scale. She will serve as a trusted partner to customers as well as a technology leader within the company.

She’ll partner with R&D and engineering teams to align and accelerate Forcepoint's roadmap strategy to address customers' evolving security needs. These include product improvements and long-term innovation."

Driving Forcepoint’s Industry Leadership Forward

“I’m excited to partner with Myrna to continue driving Forcepoint's industry leadership forward. To establish the company as global enterprises' and government agencies' most trusted cybersecurity partner for the modern cloud era." Soto joins Forcepoint from award-winning managed security service provider Digital Hands where she served as Chief Operating Officer.

In this role she was a critical leader in securing the company's first capital round of funding and building the company's world-class leadership team. She also served as the senior business leader across the company's Security Operations.

Service Delivery, Sales, Customer Success, Marketing and HR functions. Prior to Digital Hands, Soto was a Partner at ForgePoint Capital (Formerly known as Trident Capital Cybersecurity).

She’s a member of the ForgePoint Capital Investment Team focused exclusively on investing in cybersecurity companies.

For nearly a decade Soto served as Corporate SVP & Global Chief Information Security Officer (GCISO) for Comcast Corporation. In this role, Soto led security and technology risk management for the Enterprise business.

It’s responsible for aligning security initiatives with enterprise programs and business objectives across the company's 54 business lines within the Comcast Portfolio. To ensure information assets and technologies were protected across the global corporation. She has also held senior leadership roles at companies including MGM Resorts International (formerly known as MGM MIRAGE).

At American Express, Royal Caribbean Cruise Line, Norwegian Cruise Lines and Kemper Insurance. Soto also serves on the Boards of CMS Energy/Consumers Energy, Spirit Airlines and Popular Inc. which operates under the brand names of Banco Popular, and Popular Bank. And is recognized as a Governance and Board Leadership Fellow by the National Association of Corp Directors.

A Driving Impetus for Enterprises to Get Cybersecurity

"There’s never been more of a driving impetus for enterprises to get cybersecurity right than this moment in time. The legacy approach to security building walls and moats isn't an option. Current global events have businesses racing to secure today's people perimeter. Where the line between home and work no longer exists," said Soto.

"A successful modern security approach requires businesses today to think about what data they own. And how the compromise of that data could represent a material threat to their customers and to their business. It’s extremely critical for organizations to have a formative plan in place to address the risks associated with a compromise. Forcepoint offers enterprises and government agencies a modern cybersecurity path forward.

It aims to understand the constants in every security equation – people interacting with data. I look forward to helping drive forward the company's cloud-first security vision and innovating new programs and services. Samples are Forcepoint Advantage that changes the game for security licensing models. That will revolutionize what cybersecurity will look like in the next five years."