Been there, done that, wrote the README
One thing I’ve heard a lot in my career is, “Joe, that’s crazy.”
No, I don’t do extreme sports or create niche YouTube channels. I hear this often because I *love* technology and am constantly at the “edge.” Because of this enthusiasm, I’m willing to endure the pain of being a “first adopter,” “beta tester,” and sometimes the inventor of something I spend more time explaining than developing.
The curious thing about “crazy” is that the passage of time can transform that to “visionary.” I was one of the first to implement network security technologies such as IDS and was told, “We have a firewall, we don’t need that.” Then I was part of an amazing team that developed and deployed the world’s largest SIEM implementations. There too I was told, “S-I-E-M? My network security device sends me plenty of alerts…not sure why I’d want to parse logs.” Don’t get me started on how I inadvertently created a SOAR because I was tired of repetition. Those acronyms are now part of the foundational security operations stack, and I’m proud to have been part of their creation and help more people become crazy like me.
I’m still crazy
Well, now I’m 10x crazy because not only am I at the trough of the next wave in InfoSec, I also co-founded a startup to realize what we hopefully call someday “The Vision!” and not, “What the heck was that?!” This vision is a new approach and application of technologies now called Cyber Security Mesh Architecture. I’m grateful that not only has Gartner acknowledged and defined it, Gartner has also referred to it as one of the “Top Strategic Technology Trends for 2022”. Our technology partners, such as Fortinet have embraced it too. Similar to my unintentional creation of a SOAR, I wanted to build something that would help me and other practitioners reduce the friction and frustration of working with disparate security solutions, and not be in the business of creating new acronyms.
Why Cybersecurity Mesh?
When my co-founder and I started appNovi in 2020, we weren’t thinking, “Let’s build some mesh!”… what we imagined wasn’t even called anything back then. We created appNovi to solve the following key persistent problems:
- Security data is difficult to connect together
- Data from different domains is hard to communicate to others
- Risk is contextual, existing solutions are not
We’ve seen these problems result in slower incident response, confused patch management, and loss of sight when it comes to actual business and technology risk. I have tons of stories from the SOC where I would relay security incidents to customers, only to get asked, “Do you know what that server is? What happens if we block that? Do you know if we have X technology installed?” Back then, when we were still in the confines of the OSI model, I could tell you what port, what protocol, or how the exploit worked, but “What impact does remediation have to the business?” or “What employee can we call to ask?” were not questions I could answer. Today, those questions remain difficult to answer even with access to the relevant data. Although a myriad of technologies has been developed in the last decade, those questions are still not easily answered. And so my co-founder and I knew we had to do something “crazy” to provide those answers quickly and efficiently.
Silver bullets exist, werewolves do not
Along the way, technologies have either improved aspects of security awareness or reduced the overhead of security administration, but all have failed to provide the complete instrumentation to understand both the business and technology when addressing security issues. For example, SIEM provides excellent value, whether you believe it is “dead” or not. SIEMs acquire data from many sources, use parsers to handle different formats, and use correlation to derive new value from data. But what happens when you want to correlate logs to business assets? Or you want to connect your org chart so you can understand which person in real life is responsible for a particular asset? Perhaps you overcome and accomplish those feats… but then who benefits? Is this data more accessible for stakeholders in the SIEM than it was before?
I thought you were into technology?!
I am… I really am. Even outside of career endeavors, I take the time to explore technologies, and test if I can find novel applications of them, whether it’s tensors for image recognition, machine learning for behavioral analysis of home automation, graph databases to find unique correlations, or NoSQL to process inconsistent data. It turns out that this discipline would be a requirement in order to solve those key problems we laid out. We knew a single technology would not be enough, it would require a combination of technologies abstracted into a cohesive and simple-to-understand user experience. Technology is a big part of my life, but what happened on the other side of the keyboard was just as fascinating. I devoted part of my career to unraveling how technology was intertwined with business outcomes. This combination of technology and business knowledge has become a key tenet of appNovi’s success.
Everything I’ve learned, singular focus
It starts with the data. It always does. Fortunately, there is no lack of data in infosec or any large enterprise. The problem is data is everywhere. It is in databases or text files. It is streaming across a network via flows. It is in message queues, APIs, and even in the minds of others. Once the data we want is found, the data is either in a wide variety of formats (some standard, some at the whims of a developer) or gated by the knowledge required to access it. Want to acquire data from a database? You need to know SQL. APIs? You need to understand REST/GQL/HTTP and a programming language, of course. At appNovi, we benefit from the experience with all those technologies, and were even present at the genesis of a few.
I also learned, quite painfully, that paths to data are not straightforward and not all data is structured. I might find structured data, but it could be stored in three different database vendors. I could be given a great API, but the data returned is missing attributes that I would need to magically fill in. Understanding this pain, and furthering our mission of “acquiring all the things,” we intentionally provide users the ability to “pop the hood” on appNovi and engineer solutions using industry standard languages and methods. Implementing these standards makes your work in appNovi portable and work outside of appNovi importable, resulting in faster time to value. No more vendor locked-in methods that can take several weeks of training and hundreds of hours of professional services to use, because that was always a pain for us as practitioners.
Connectivity, it’s not just for networks
One consequence of the data silo era has been the loss of relevance and connectivity of the data generated. For too long, data has taken a one-way trip into vendor solutions, only to emit the vendor’s idea of an “alert,” risk indicator, or some top N summary. It’s from this isolated view in which an analyst must decide: patch or don’t patch, quarantine or don’t quarantine, etc.
Let’s imagine a generic exploit attempt, in which an attacker sends an exploit to a protected server with a vulnerability. This attack will cross several knowledge domains and data silos: The attacker (1. threat management) sends exploits (2. network management, 3. security event management) to the server (4. asset management) to attempt exploitation (5. vulnerability management) which is protected with a security control (6. endpoint management). In this simple example, one attack attempt has crossed six specializations. If you had one attack per day, asking for team leads to meet and share data seems feasible. However, that magical time ended long before AOL stopped sending people CDs in the mail. Now we need to respond in minutes (e.g., MTTR). Facilitating rapid response requires connecting data and insights from those silos to form a complete picture of assets, dependencies, controls, and risk.
CVE? SCP? TCP? EC2?
Once we can acquire, transform, and connect the data, there’s the next problem: Communication. When I first started, I was a Security Engineer. I stood up the firewall, wrote its rules, installed group policy, patched servers… the only person I had to communicate how these things were interconnected (if anyone) was a single colleague with similar knowledge. But now we have teams of people managing a single discipline, and those teams have developed their own language, their own acronyms, and their own technology. While those technologies have improved in leaps and bounds, the medium to communicate their findings has stood still with CSV, XML, and PDF. How does the vulnerability team convey, “This is really bad” to the infrastructure team? How does the infrastructure team convey to the vulnerability team, “What you want to do will stop email for the entire company?” Charts, graphs, and top ten event reports don’t supply much aid to communication, nor do they help convey business impact.
A picture is worth a thousand rows
I want to show you an incident. I could either send you some JSON describing what I know of the assets, some parseable text of network communications between those assets, and a CSV of logins to those assets, or I can send you a picture generated from those things that visually describes the incident. Which of the two options do you choose? If you choose the former, find me on LinkedIn, because I want to get to know you better. But the vast majority of people will choose the picture. Why? Because it’s immediately understandable and requires zero knowledge of CSV, JSON or how to correlate that data. This is why we at appNovi chose to utilize a highly visual workspace to work with data. Presenting data visually eliminates those language barriers. Anyone can see that “dangerous thing communicating to that server which Joe is logged into.” We chose to call it a workspace and not “the viz” because its goal is to allow any team or stakeholder to get their work done. With converged data available through an easy-to-search-and-navigate workspace, you get the data you need without knowledge barriers, but you also comprehend how that data connects to your mission. You can also share it with others to share your perspective in a collaborative way.
Context is all
When we combine the ability to interconnect data and visualize that data for communication, we solve our last problem: Context. Context is the background to all risk evaluation and it’s rarely present in current solutions. Evaluating risk is an interrogative process: “What is the vulnerability? What is the exposure? What information is at risk? What business service could be interrupted?” In the Operations center, you’re fortunate to have the answer to one of these questions, but you still must declare a risk and act upon it. Context is realized when all these questions are answered immediately and confidently.
It has taken many technologies, the empathy of “being in that chair”, and much listening to other practitioners, to achieve our mission of contextual understanding.
Now with a few clicks, you can retrieve and process data from AWS, Tenable, SentinelOne, or any one of your many tools. You visualize that data in a meaningful way, discover insights through exploration, and utilize analytics to find actionable pivot points. What we have created enables Cyber Security Mesh at organizations of all sizes, and I’m hopeful that our ethos and the ethos of CSMA encourage the critical examination of current tools and practice.
I will never stop being crazy
We’ve created new ways to visualize, understand, and acquire data at appNovi. Of all the things I’ve done, it might be the least “crazy” because I’ve had to spend less time explaining than developing it! People understand our solution immediately, and for me, that has been immensely gratifying. Throughout my life, I’ve fought for change and have told folks, “It doesn’t have to be this way.” Things don’t have to be Defcon 1 every day, data should be accessible, and collaboration should stand next to vigilance at the core of security operations.
How you can help
At appNovi we are on the forefront of something novel and are changing the way analytics and visualization are utilized in security operations. We’d love feedback on our product and would happily provide a free installation of appNovi to those that want to assess the value of a CSMA platform. We’re all just a little crazy right?