Good Security Comes From Good IT

Episode 1 · Published January 11, 2024 · 18 minute watch

Good Security Comes From Good IT Summary

In the inaugural episode of the CISO IT series, Automox CISO Jason Kikta discusses the importance of IT in security and the challenges faced by IT professionals. He emphasizes the need for a strong IT program as the foundation for effective security.

Kikta highlights the central challenge in security as anomaly detection and the importance of achieving a sense of normalcy in IT configurations. Jason also explores the trade-off between efficiency and agility in IT and the impact of configuration on security and concludes by urging IT and security teams to work together in partnership.

Read the Good Security Comes From Good IT Transcript

All right, let's get this party started. Cue the cheesy intro music.

Hello everyone and welcome to the inaugural episode of the CISO IT series. I'm your host Jason Kikta, I'm the CISO at Automox. And this series is not your typical IT podcast nor is it your typical security podcast.

What we're trying to do here is a little bit different than what you're used to. So there are a lot of podcasts for security practitioners to talk to security practitioners, and IT folks to talk to other IT professionals. But what we're going to try to do with this is have someone with an IT background, who went over to the dark side and became a CISO, uh, talk to you and guide you through a journey. Along the way, we'll have guests in future episodes, but we're going to talk about security from the IT perspective and what it is that, you know, IT folks should know about both being able to improve the security of the organization on their own, and also in sort of understanding all those things that, uh, your security team might be asking you for, uh, and, and helping decipher, like, why are they asking that? What is it that they want out of us? Um, why do they prioritize things the way they do? So we'll, uh, we'll be getting to some of that as well. Um, but first a little bit about me.

Uh, so I started, um, in IT really, uh, in the nineties, uh, you know, just fixing computers, breaking them apart, putting them back together again. Had a lot of fun doing it and then made either an amazing choice or a terrible mistake depending on what day of the week it was of joining the United States Marine Corps and seemed to be having fun. So I stuck with that for over 20 years and then finally retired last year and came to Automox about, I guess it was 15 months ago now.

Um, and through that journey, uh, I saw a vast and dazzling array of IT practices, both, uh, in the government, military side of things, and also on the civilian, uh, you know, the private sector and industry settings, as well as a lot of academia along the way, believe it or not, because I had a very, uh, non-traditional career path, as they might call it. And it's given me a lot of insights that even when your resources are extremely high, you still struggle with a lot of the same things that, you know, those with fewer resources have to deal with. You know, a better budget doesn't necessarily make your life better, but better practices, having a more agile mindset to be able to rapidly adapt and change, those will make your life markedly better.

And so, you know, this is my opportunity to give back to the community, and I'm really excited about it because I have long been a proponent that the very best security really starts with and is founded upon good IT. And in fact, if I had to choose between having a really strong security program and having a really strong IT program, I would choose the IT program every time and I would choose it for security reasons, because I think that, you know, people don't understand that the central challenge in security is anomaly detection, right? Like that's where it all boils down to.

So it doesn't matter whether you're running some level of, of EDR, antivirus trying to, to find malicious binaries, um, you know, malicious programs running on a particular endpoint, or whether you're looking at firewall logs at your boundary, uh, or on, you know, logs on, on internet-facing applications or servers or appliances, whether you're, you know, going through and analyzing what's happening in your cloud, it all boils down to: is this activity that I'm looking at, what is, what is normal? Are any of us truly normal? What is normal? And what is anomalous, right? If it's anomalous, I need to investigate it and then determine, is it malicious or is it not malicious?

And so, like, that's the crux of it. And, you know, we as IT professionals too often find ourselves, you know, also trying to achieve that sense of normalcy that, you know, our security colleagues want as well, because that leads to greater predictability, greater efficiency in your network, right? If your users have a consistent experience, that's extremely helpful. And, you know, it's great if they're on a, you know, very homogeneous, you know, setup. Okay, everyone runs Windows or everyone runs Mac. We all have these baseline applications installed based on a gold disk. And, you know, we have these configuration settings that we enforce across our network. And it all sounds great and happy.

Because that is an ideal IT state, right? That is much faster for your help desk to troubleshoot and assess what's going on with an individual user. It leads to more predictable outcomes for your IT engineers trying to do things at scale. It makes it much easier from procurement and refresh, like hardware and software refresh point of view, because you know what you're buying, you know what your users have, you know what they need, you know how to adjust that upwards or downwards. And that sounds fantastic, but it's not the reality we live in, right?

Everyone has some level of different configurations, you have drift, right? Drift happens over time, even if you were able to baseline various endpoints and user types at the outset. There's no guarantee that they'll still be in that state a few months from now, let alone over several years. And, and no one frankly has, um, you know, users that are all the same. Your, your engineering or developers are going to be different than your finance department is going to be different than marketing is going to be different than sales is going to be different than, um, you know, uh, HR, legal, you know, on and on it goes, that people have different requirements based on their job roles, and you have to meet those requirements, you have to meet those fundamental business needs. And it's gonna require you to adjust and adapt your IT configuration, but at the same time, that makes security that much harder to do, because if everyone's a little bit different than what is normal, what is expected behavior becomes a broader question.

And so we, you know, we tend to compromise, people in groups. Okay, everyone in the finance department, they're going to have this sort of configuration, and we're going to try to enforce that configuration. Everyone in, you know, sales, they're going to have this configuration, and they're going to have, you know, these types of computers, these types of applications, and try to achieve some sense of normalcy. So I think the bridge that we need to build better between security and IT is that, you know, IT can make the security team much happier and enable them to do their jobs better when they have a more predictable environment.

But that's a wonderful thing, because it's also a fantastic outcome for IT, right? That getting to that state of normalcy, getting that state of commonality, even if it is only at the group level and not the entire organization level, that makes IT's life so much easier. You know, troubleshooting and security are really about what is normal and what differs from it, and do I need to worry about this thing? Yes or no.

I think as we head into 2024, people have the impression that a lot of these are solved problems. And while there are solutions for these problems, they're not uniformly in place. You know, here at Automox, we have a study we do every year, the State of ITOps study. And we looked at, you know, high agility organizations, organizations that can not just innovate really, but really just change rapidly and adapt to new circumstances, right?

New business circumstances, new organizational imperatives. And so we looked at those who are well able to do it and those who say that they struggle with it. And out of the high agility organizations, 62% said that they're confident in their ability to configure and enforce desired configurations across their network. 62%. That's, that's actually pretty good. That actually makes me feel very, very good, that 62% of high agility, self-identified, highly agile teams. That's still not perfect. It's, it's a long way from perfect. And, you know, that's not as high as you might hope it would be. But when you look at the ones who identify as low agility, who say that, you know, hey, we have trouble adapting to change, we have trouble adjusting the way that we do business or, you know, changing our network to meet changes in business needs, to, you know, rapidly developing situations, only 19% feel confident in their ability to, you know, implement and enforce those configurations. 19%. That's, that's depressingly low.

And it's not a reflection, in my, in my mind, that's not a reflection of, like, poor performance of those IT teams. That's a reflection of, you know, the challenges that IT has been put in, the challenging position that IT has been put in over the last couple of decades, because, you know, when I was starting out, it was, I mean, we were literally at the point of, hey, we should probably have the internet in the office, right? We have computers, but most of them are standalone or they're only locally networked, and we should get this internet thing, right? So that's my frame of reference for my early career. And I've watched over the decades as we saw this massive embrace of IT as a cornerstone capability for businesses. And it was fantastic. It was great. Like, like, like people really, really jumped in with both feet to embrace it, to the point where, you know, everyone, it's just unthinkable that you would have employees who don't have computers on their desktop today, right?

So some have more than one mobile device, on and on it goes, but we are, you know, at IT saturation as far as adoption goes. But that started this sort of, you know, counter movement to lower cost, right? You wanted to reduce costs as much as possible while still delivering good services, right? And that was efficiency, right? Efficiency is lowering those costs while still being able to deliver good enough services. And so what that did, that pressure on IT as a profession, forced us to, you know, make trade-offs, and the, the number one thing that got, that was traded off in most cases was agility. It was your ability to rapidly adapt to circumstances, because now you, you only had enough engineers and help desk technicians to be able to cover steady-state things, right? I can keep things going as they are today, indefinitely, with this many people. But now when you throw a curveball at me and say, hey, we got to change this thing out, we have to move these things from Mac to Windows or vice versa, we have to swap out this major piece of software, we need to do this massive hardware refresh because we've delayed it too long, and so rather than just doing baseline over time, we have to do whole departments. That really, really adversely impacts the IT organization, and it makes it somewhat untenable for them to get things into the configuration state that they want. It's just not feasible for them to achieve that with the resources they have.

So that I think is a central challenge. That's something that, you know, even here at Automox, we've, we spend a lot of time thinking about how to make that easier. And, you know, there, there are no shortcuts to it. The answer is, it's, it's a lot of hard work and it's a lot of, uh, you know, demonstrating success small and then being able to implement at scale. You know, hey, do I have, I have this script and, you know, this will change, uh, these test machines. That worked. Let's now, let's push it out across the network. And, like, that's great that it implemented that change, but now how do I enforce that change? How do I make sure that that, you know, that we stay in that configuration state over time? Okay, now I need a slightly different script that, you know, double-checks all of that stuff and puts it back in, and how often do I run it? If I run it too often, I slow down the machine. If I run it too infrequently, then I'm gonna have drift. And so, you know, just trying to fine-tune that policy to get right in that sweet spot is a big challenge. But that has, again, not only tangible IT outcomes, but it has tangible security outcomes as well.

Because, you know, when you look at a machine that isn't in the configuration state that you expect it to be in, as a security practitioner, well, now there's a question of, okay, what happened here? Right? Did an IT script or IT, you know, configuration not get applied for some reason?

Did the user do something? Did the user inadvertently have permission to do something? Is there a bad actor on this box or some malware in place that is causing this configuration change? You don't know. And so that's, I think, the crux of this dilemma, is that you not only have a suboptimal IT outcome, you potentially have a lot of, uh, security concern that you now have to worry about because things aren't in the expected configuration state. And so now you get these two teams that ought to be, you know, the best of friends and natural allies, as they have very much aligned goals, but you have the two of them with some friction between them as they try to solve this and figure out who did what and why is this, uh, system in this state.

So what I want to leave you with today is to think about configuration, not just as an IT imperative, but as a security imperative as well. And your ability to, you know, implement and maintain a common configuration across a set of computers is central not only to your IT efficiency but is central to the efficacy of your security team as well. And the two of you should work together in partnership on that and never in conflict. Thanks for joining today, everyone. I hope you've appreciated this, this first episode. And, you know, by all means, reach out to us with suggestions of guests or topics that you would like to hear in the future. I've been your host Jason Kikta and thanks for listening.
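The configuration loop the episode walks through (push a baseline, re-check it on a schedule, put drifted settings back, and then be able to tell "the IT job never applied" apart from "something changed this after we enforced it") as an added Python example. This is illustration code written for this page, not Automox's product, the State of ITOps study, or any tooling of Jason Kikta's; the baseline keys, values, host name and timestamps are constructed, and the enforcement log is an assumed data structure that stands in for whatever a real endpoint-management system records.

```python
"""Desired-state configuration check with drift classification and remediation.

Added illustration (not Automox code): a minimal model of "apply a baseline,
re-check it, put drifted settings back, keep a record of what was enforced".
The record is what lets the security side classify a later drift as either
"policy never applied" (an IT job problem) or "changed after enforcement"
(a user, a permission gap, or something worse: investigate).
All setting names, values and host names are constructed examples.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any

# Constructed baseline for one endpoint group (the episode's "everyone in
# finance gets this configuration"). Keys are made-up setting names.
FINANCE_BASELINE = {
    "firewall.enabled": True,
    "screen_lock_timeout_sec": 600,
    "auto_update.enabled": True,
    "remote_login.enabled": False,
}


@dataclass(frozen=True)
class Drift:
    key: str
    expected: Any
    actual: Any            # None when the setting is absent on the host
    classification: str    # "never_enforced" or "changed_after_enforcement"


@dataclass
class EnforcementLog:
    """Per-host record of what the enforcement job last set, and when (assumed structure)."""
    host: str
    entries: dict = field(default_factory=dict)   # key -> (value, timestamp)

    def record(self, key, value, when):
        self.entries[key] = (value, when)

    def last_enforced(self, key):
        return self.entries.get(key)


def detect_drift(baseline, observed, log):
    """Compare observed host state to the baseline; classify each mismatch."""
    drifts = []
    for key, expected in baseline.items():
        actual = observed.get(key)
        if actual == expected:
            continue
        # If we have no record of ever enforcing this key, the IT job is the
        # first suspect. If we did enforce it and it differs now, someone or
        # something changed it afterwards, which is the security question.
        cls = "never_enforced" if log.last_enforced(key) is None else "changed_after_enforcement"
        drifts.append(Drift(key, expected, actual, cls))
    return drifts


def remediate(baseline, observed, log, now=None):
    """Put drifted keys back to the baseline and log the enforcement.

    Returns (new_state, drifts) so the caller can both apply the state and
    hand the drift list to whoever triages it.
    """
    now = now or datetime.now(timezone.utc)
    drifts = detect_drift(baseline, observed, log)
    new_state = dict(observed)
    for d in drifts:
        new_state[d.key] = d.expected
        log.record(d.key, d.expected, now)
    # Keys that were already compliant but never logged get logged too, so a
    # future change to them is classifiable rather than "never enforced".
    for key, expected in baseline.items():
        if log.last_enforced(key) is None:
            log.record(key, expected, now)
    return new_state, drifts


def investigate(drifts):
    """Split drift into the IT queue (job did not run) and the security queue (post-enforcement change)."""
    it_issue = [d for d in drifts if d.classification == "never_enforced"]
    security_issue = [d for d in drifts if d.classification == "changed_after_enforcement"]
    return it_issue, security_issue


if __name__ == "__main__":
    # Constructed walk-through: first run fixes two never-enforced settings;
    # a later run finds remote login switched on after we had turned it off.
    log = EnforcementLog("finance-laptop-01")
    first_seen = {"firewall.enabled": True, "screen_lock_timeout_sec": 0, "auto_update.enabled": True}
    state, drifts = remediate(FINANCE_BASELINE, first_seen, log)
    print("run 1:", [(d.key, d.classification) for d in drifts])
    later = dict(state)
    later["remote_login.enabled"] = True
    state, drifts = remediate(FINANCE_BASELINE, later, log)
    print("run 2:", investigate(drifts))
```

How often `remediate` runs is the scheduling trade-off the episode describes and is left to the caller here; the point of the example is that the second run's drift is not just an IT finding to silently fix but a classified event the security team can pick up, because the log proves the setting was compliant at a known time.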