Thursday, September 28, 2023

How dashboard analytics bolster security and risk management insights across IT supply chains

The next BriefingsDirect security enhancement discussion examines how innovative managers are increasingly benefiting from interactive dashboard analytics. The resulting actionable knowledge elevates security situation awareness to the higher order value of overall business risk assessment and mitigation.

Learn how Bruce Auto Group has gained such deep insights -- not only into how its distributed apps, systems, and data are secured, but also into the hidden risks that can develop across entire IT and data services supply chains.


Listen to the podcast. Find it on iTunes. Read a full transcript or Download a copy. 

 

Here to share his story on how to elevate IT security to a mission-critical value of comprehensive risk mitigation and overall business resiliency is Paul Jobson, Director of Marketing and IT Strategy at Bruce Auto Group in Wolfville, Nova Scotia, Canada. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.


Here are some excerpts:


Jobson: Like many auto dealerships, Bruce Auto Group started off as a family-owned business. I bring that up because when it’s a dealership of one store, IT security tends to be an afterthought. But if we roll back the tapes to 15 years ago, we were lucky to have had someone related to the family who took an interest in the IT and secured us before it was in vogue. It was probably overkill at that time.

 

Like most automotive retailers, everyone has been going through consolidation. We began from humble roots in 1927. Until the last decade or so, we were one or two stores. Now, we’ve expanded to 10 dealerships, spread across close to 200 miles, with head office consolidation, and, of course, a lot of remote workers. So, the IT security part has really gained prominence in the past couple of years.

 

Gardner: Like most expanding organizations, it’s not only what goes on inside your business, you need to also keep track of the many tendrils that extend out to your service providers. That includes online interactions, as well as emails and communications. We’re all now part of a complex, rich ecosystem, and risks sometimes pop up between the cracks among these organizations.

 

Security as diverse as each buyer

 

Jobson: Yes, and car dealerships are unique in the sense that although our businesses may appear similar, each of the original equipment manufacturers (OEMs) -- such as Hyundai, Ford, GM -- they all have their own niches. They all have their own way of doing business. Of course, our integrations with them are critical to the way we do business.

 

As a result, we don’t get to scale as easily as some other businesses do. It’s as if with each IT solution, we start with customization and then find a way to make it more standardized across the group.

 

Gardner: And, of course, the car business is really the transportation services business. So, the way you communicate and gather financial data from your customers, not just your suppliers, is essential. Therefore, you need to be especially secure and resilient. No one in the ecosystem wants to think that communicating with their automotive transportation provider is a risk.

 

Jobson: That’s right. What we’ve learned is that security is synonymous with privacy. When people apply for a car loan, they’re providing us critical information. There’s an ongoing relationship because we continue to service these people. We want to do everything we can to protect their information.

There’s a lot of hard work to do in the IT world, but one of the nice synergies is that by focusing on making us secure, we actually help to make the client secure as well. So, we really appreciate the importance of that part.

 

Gardner: You are the digital man in the middle, right? You’re in between all of those suppliers for parts, for OEM cars, and for financial services. You have a panoply of financial organizations – from credit to insurance to government agencies -- and that all leads back to the customer and their data.

 

By being in the digital middle, you’ve had to move beyond mere IT security and into risk management.

 

Jobson: Well, that’s right. Keep in mind, too, that a lot of times your biggest risk is people. You have a new employee, and it takes time to onboard and orient them. You must build systems that consider where people are, and not put them at risk. We’re the first line of defense to make sure we’re protecting both our security and the private information of our customers.

 

Gardner: That requires both education and awareness, which brings us back to the need for visibility -- not just inside your own systems, but as far and wide as possible. How have you developed such extended enterprise risk management (ERM)?

 

Risk management at root of protection

 

Jobson: That’s a great question, and it’s been really interesting. My background is in digital marketing and enterprise software. Security has always been an aspect of that, so I’m comfortable working with cloud applications and setting up service integrations. It’s second nature. So, it became logical as we expanded that this would fall under my domain.

 

The challenge was, coming from a marketing background, we have a lot of people to help us with security, but it’s more about putting together an operational plan. How do you put the day-to-day activities all together? That was a challenge. We needed a way to communicate that to the executive team.

 

To adopt such a risk management strategy, we worked with Bitdefender because we really liked their people. On a quarterly basis, we’d get together, and they’d give us a rundown of what they had been seeing in the field and across our businesses.

 

That’s how we came across their dashboard with the executive summary. The second I saw that, I knew I had my tool to manage our day-to-day progress on securing the enterprise.

 

It’s funny, when you come from the outside, your first perception is it’s the people and the passwords that are going to be the highest risks. And when you know your risks, you can manage them. For us, the first ground zero for IT security was making sure we understood these risks.

 

So, we put in endpoint security across the organization. We run about 300 desktops. Installing that on every single one of them was a logistical feat. But everyone understood why, and we did it. Once we did, we started to get all these signals back to our Bitdefender GravityZone executive summary dashboard.

 

For the very first time we got a score. I wish I could say differently, but when we first got our score, the risk was high. It indicated a high level of risk, and that made all of us very uncomfortable. We immediately began to determine what our risks were. We found some real surprises.

 

Our top category was misconfigurations, and those misconfigurations could be anything from a printer that has not been updated to a traditional user of computer services. The first reflex is to think about your laptops and desktops. You don’t always think about the printers, but it’s a computer in the same sense as your desktop endpoint is.

 

Once we began to understand the true risks, we looked at security very differently. We realized that every connected device was potentially a risk that we needed to pay attention to. We liked the Bitdefender dashboard because it told us where we were on a score of 100, and it broke that down into three categories: misconfigurations, app vulnerabilities, and human risk.

 

We were quickly able to target the high-risk areas in each one of those categories. We put weekly plans into place for the IT team to say, “Okay, this week we need to address this.” And it was much more fun and so there was more engagement from the IT team because we were proactively setting the agenda.

It wasn’t just the typical, general red flag alert: There’s something wrong with a computer. It moved us from firefighting to fire prevention. And I have to tell you, we got hooked. That’s the way my team wants to work. They can collaborate together. They’re excited to come back and say, “We worked on 40 endpoints and got the risk from high to medium.” That’s instant reward and you get gratitude for protecting the whole organization.

 

There wasn’t a measurable way to go back to the team and say, “You did well,” until we had this dashboard. We all saw the risk score coming down in real-time, in front of our eyes, and it just transformed the way that we work as a team.

 

Gardner: It gives you a whole new sense of knowledge about your situation, and to what degree you can be in control over your destiny. But also having those scores gives you some ammunition you can take to other people in terms of, “Here’s what we’re accomplishing. Here’s why we can get cyber insurance if we want to. Here’s how we can increase the knowledge across our workforce about how to be better prepared or to modify behaviors.”

 

It certainly sounds like you’ve crossed the Rubicon, if you will, of not being a deer in the headlights, unaware of what’s coming next, and instead being in charge of your destiny and having the tools to further reduce risk.

 

Deal with risk consciously, confidently

 

Jobson: That’s right. There’s a matrix where you’re unconsciously unaware, and then you get conscious on risks. I’d say we’re now consciously competent. Although some days we roll back, we’re more and more in the consciously competent part. The IT team is more comfortable approaching big tasks because, again, we can be proactive. We’re ahead of the curve. We’re not waiting until there is a situation. We’re dealing with it before it’s a problem.

 

For example, in just six months we have effectively accomplished an agenda that had hovered around for three to four years. I attribute that to having a score. Anyone out there who’s wondering what the first step is: First, I would say, is read the Cybersecurity Framework by NIST. It’s an overwhelming document at first, but it’s an unbelievable document because it gives you context. Once you’ve read through it, and then you match it up with a scorecard -- such as we’re getting right now with the Bitdefender executive summary -- you’re able to put a game plan in place for everything you need to do.

 

Gardner: Let’s drill into the executive dashboard. While you’re getting a top-level view, because there are agents and technologies to bring you all the information you need, you are able to drill in and find out more information. But it doesn’t flood you like a fire hose with too much information.

 

How confident are you that you’re attaining a comprehensive view when you drill into the level of detail that’s possible?

 

Jobson: The dashboard and the sensors -- you could think of your whole network as sensors -- are giving us information much faster than we could realize from our own logs and audits. For example, we have a Voice over Internet Protocol (VoIP) system in which a threat recently emerged rather quickly. It was developing literally by the hour, and the dashboard was the first one to bring it to our attention.

 

Incidentally, twice a day, I look at the IT news and it was only in the second half of the day that this threat started to emerge in the news. But our GravityZone program served that up to us first thing in the morning. We were already ahead of the threat. That allowed me to reach out to the suppliers earlier. I wasn’t waiting in line saying, “Okay, what’s the best way?” We still needed to function as a business. Right away we were able to mitigate the situation quickly. And to our knowledge, we mitigated a rather large risk with very little disruption to our staff -- and more importantly, no privacy breaches.

 

Gardner: With that sense of accomplishment, you’re able to reduce the overall stress on your IT and security staff. That’s important these days because it’s hard to find and hold onto qualified people. If you can give them an environment where they feel like they’re making a difference, they have the tools to attack these problems early -- and do it so they’re not in a fire drill -- that must make for a good labor environment.

 

Move beyond reacting to assessing

 

Jobson: Yes, that’s a really good way to say it, Dana. When you’re reacting, you’re just reacting. You haven’t had time to read through the different mitigations, the plans A and B. Now, most of the time, we don’t have to react with intensity. We still need to act, but we have different mitigations in place. The team can talk about what’s the best approach. We can do a store by store and kind of learn from each store as we apply the process. We can do a quick follow-up with the team and say, “Okay, great. What problems did you encounter? Were there any dependencies that were affected?” So, it’s the way to go if you want to come out of this and be able to go home and sleep well at night.

 

Gardner: Right. And it’s interesting, too, Paul, because you are not trained as an IT person, but you’ve been able to get into this at a higher risk assessment and mitigation level. By having the right technology, you have crossed a barrier from when only a techie could do this to now, when somebody who can use the tools well is managing rather than struggling.

 

Jobson: One of the interesting side-effects of having a dashboard like this is you can focus on the people element. At the end of the day, for me, I wish IT stood for innovation and team, because we’re using the tools to help people be more productive. We’re assisting the team with solutions that work for them and allow them to function better and better.

What’s nice about having a tool like this is that you’re actually able to share the information with the users. Sometimes we’ve had to reach out to users and say, “You know what? Sorry to interrupt you, but our system has flagged you. You have an app or configuration that’s been flagged as high-risk. We need to deal with it immediately.”

 

By just seeing the words “high-risk,” our users deescalate. They do not wonder, “Okay, do you need me to do this? Do you really need to touch my computer right now while I’m at work?”

 

They may be with a customer, but the second we see the dashboard alert and look at the affected devices, we say, “Hey, sorry, but you’re one of them.” As we tighten our policies, people are more understanding because we share the insights that we get from the security system.

 

We can say, “Listen, it’s not that we want to block you on this photo app, or it’s not that we don’t want you to be able to put your favorite picture on the desktop background. But there is a greater agenda that we have, and these are some of the ways we’ve been told to mitigate it,” whether it’s from signals from our security system or from looking to the NIST Cybersecurity Framework.

 

Gardner: We would be remiss in talking about your security posture if we didn’t bring up email. It is still one of the leading threat vectors -- after all these years. Tell us how you deal with email security. I’m sure you have it coming in all different directions. Is there a way in which you’re managing your email issues and leveraging this dashboard at the same time?

 

Successful email security systems

 

Jobson: Yes, email security is the single most important vector of any security program because it’s where the rubber meets the road for most users. That’s where we get the most outside influences.

 

We have a three-tiered approach to how we do things. First, we make sure to protect all the endpoints. Second, we secure the network using an XDR solution. But last, and we did it last because it’s the most involved, we have an email security process in place. And when I say it’s the most involved, it’s because if you are truly trying to achieve email security, you are going to put in rules and guidelines that are going to be restrictive.

 

So, on a typical day, we probably quarantine about 800 emails that get reviewed quickly by the IT team. They are assessed for their risk and then forwarded on. But what’s nice is we’re able to quickly see patterns. We’re also able to call people and say, “What are you sending? You’re sending an encrypted, password-protected thing. We have no idea what’s in there. Is there a way we can make a change, or is there another way we can get the information, like can we get it off a web link?”

 

We find a way to reduce the risk. And when we’re sharing with our suppliers, some are rigid. They can’t make the changes, but we have had some that said there is another way to deliver the service.

 

Combined, that all reduces the risk from email. But something else amazed us initially. When I said we were quarantining about 800 a day, we get about 2,000 that are genuine spam. They’re not all evil, if you will. Some of them are just people promoting themselves. But when you have 300 users a day using their computers, there will be risks in the spam. By putting in this frontline of defense, we have not had any significant scares, and I attribute it to our processes.

 

The email security feature I like the most: Every single link in an email, when it is clicked, goes through a secure scanner first. So, we don’t have to count on a person who’s a day or two in who doesn’t know if they’re receiving a legitimate link from one of the manufacturers or not. The system has their back on that. We’ll scan it for them.

 

And we do get some angry calls every now and then from someone saying, “I was trying to do this. I’m blocked.” But it changes very quickly when we go back to them and say, “Hey, you know what? Are you aware that was a malicious site? Did you know that site was trying to take your credentials and our system blocked you and protected you?”

 

The business team is just so much more supportive of additional initiatives once they’ve gone through that process. You don’t know what you need until the need comes up. So, once they’ve gone through that process, we just find they’re so much more willing to help secure the business.

 

Gardner: And again, with email -- like some of your other services you mentioned earlier -- it’s the knowledge about what’s going on that brings you to that higher-order discussion about how to be risk-averse rather than how to be unproductive. And so, that’s the key, I think, is you’re able to get people’s buy-in rather than have it just seem like they’re being naughty.

 

Jobson: That’s right. But I will say to anybody implementing it, there is a transition period. The first day you turn it on, be prepared. One of the things we’re learning is communication is critical. We do a style of management that’s all about cascading messages to employees and we found that, you know what? I think the perception of the IT team sometimes is, “Oh, does anybody notice what we do?” The answer is yes. On a grand scale, they notice what we do.

When we make small changes, users are affected, and they communicate back to us. So, good messaging helped us get through it. We had a tuning process that we did and we were grateful for our users’ patience while we did it. But today, everybody’s confident that we’re much more secure because of these measures that we put in place and it’s worth the inconvenience or sometimes having to wait an extra hour for a flagged email to pass through the gates.

 

Gardner: The alternative might be that your business is down for three or four days -- and talk about aggravation.

 

Jobson: That’s right, and the reality is we just can’t monitor the volume. You need to leverage a system to monitor that for you.

 

Gardner: IT and security people are dealing with so many different tools. There’s a new tool coming out every week for some other new aspect of security issues. What’s your philosophy about how to handle that sprawl, to get the most out of the tools but without being overwhelmed by them? Is the dashboard part of that ability to get the right balance?

 

Plan ahead to prevent tool sprawl

 

Jobson: That’s a great question. You need a plan on how you’re going to implement these things. For us, in looking at the dashboard, we love the information that we get back. It scans a lot of the network, but there were some limitations on endpoint security.

 

That led us to the next path, which the NIST Cybersecurity Framework also hinted at, and that’s the internet of things (IoT). And for us that meant raising our awareness about how much priority and privilege each device should get. We started to think about segmented network security, which is what you can do with XDR. So, we’d have networks for IoT, networks for our guests, networks for our main enterprise business, networks for staff devices, and we’re able to reduce the risk by going into these specific lanes for each category.

 

When you get a signal back from the dashboard, the solution isn’t always an IT thing. Sometimes the solution could be sending a memo saying, “Please don’t install any unapproved apps unless you reach out to the IT department first.” Or it might be going further, as we’ve done, and put some clamps down on what can or cannot be installed on people’s PCs.

 

So, we have used education, restructuring the network, calling the manufacturers, and further isolating some devices. We have some suppliers that have devices that they never update. It’s not our property. No problem, we’ll put that on a network outside of our regular network to keep us safe. So, each one is a problem to solve. How you solve it is really up to you.

 

Gardner: Right. But the key is that you have that knowledge and insight that the risk is there.

 

Jobson: Absolutely.

 

Gardner: Before we close out, Paul, let’s look to the future. How do you expect to leverage automation more? You said you can’t do this all manually, and even using intelligence to gain a larger view of risk. Do you look to the dashboard to help you attain more automation and intelligence?

 

Embrace expertise to manage threats

 

Jobson: The dashboard is one of the tools we’re using, along with Bitdefender GravityZone. There is a series of tools we use to manage things. One thing we really like is the Bitdefender Threats Xplorer. A lot of people’s notion of security is just an antivirus scanner on the PCs. Scarily, for a lot of businesses, that is their level of understanding. But the threats are becoming more sophisticated. You can either ignore that or you can work with partners that have more experience.

 

As we look to the future, XDR has been an area where we’re paying more attention. It gives us greater insights on the devices that aren’t PCs and it watches our whole network. But it’s also giving us in real time a description of the threats as they’re happening.

 

For example, we recently had an incident. It was from a remote software that we use to support people. The supplier made a change in their software, and the change had a piece of software that was associated with malignant code. That malicious software was attacking businesses, and we were in a meeting at the time, the whole IT team, and our system started to shut down users.

 

By the fourth or fifth person being shut down, someone knocked on the glass and pulled us out of the meeting, and said, “You know, there’s four or five PCs shut down.” We were nervous that this was a virus. In fact, what it was was our system operating in real time. When it saw a threat, it turned that PC off and isolated it. When it did that, the remote software would go to the next node and try to scan the network. And, so, it would be shut off, too.

 

In a very short amount of time, it shut off the five offending PCs. If that had been a real risk … What’s so great is my team cannot be on alert all of the time. We are relying on the automation and technology to take care of things and let us do the analysis after the fact. If you’re not leveraging these tools that can do that for you, you might be creating a lot of risk for yourself.

 

Gardner: Any recommendations to those listening?

 

Jobson: In IT, you have so many choices. I mean, you just have to run any popular program, PC optimization program, and it’ll tell you 1,700 fixes you can do to fix your PC. You scale that over a large organization, and you can literally have hundreds of thousands of choices.

 

For us here at Bruce, the tech team, it was critical that we had something that prioritized it from a risk point of view -- from mildly inconvenient to threatening your business. Once we had that prioritization, and the whole team understood what it meant, that’s when we started to gain enormous traction on long-standing issues with how we were managing our PCs.

 

In order to have a game plan, you need to know what the objectives are. Our Bitdefender scorecard helps us identify the highest priority objectives.

 

Listen to the podcast. Find it on iTunes. Read a full transcript or Download a copy. Sponsor: Bitdefender.

 

You may also be interested in:

Tuesday, July 11, 2023

How WFH accelerated IT and security transformation at global publisher Hachette Book Group

The next BriefingsDirect security innovations discussion examines how the rapid shift to remote work has accelerated a rethinking of security and IT processes at a New York-based publishing organization.

Rearchitecting the security posture of a business means adjusting work patterns and IT in ways that both reduce risk and heighten performance. But the trick is to do so without alienating workers -- wherever they may be -- and maintaining strong productivity.



 

Here to share her story on how to digitally transform a traditional business structure, reduce risk factors, and preserve a highly creative culture is Heidi Holmes, Senior Director of Information Technology Services at Hachette Book Group (HBG) in New York. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.


Here are some excerpts:


Gardner: Tell us about HBG and why you needed to significantly adjust your security objectives over the past couple of years.

 

Holmes: HBG is one of the world’s largest publishers. The United States branch is part of a larger global Hachette, and we have some very, very big authors, such as James Patterson and David Baldacci.

 

We literally print almost every kind of book you can think of. So, our company is highly creative, and very intelligent. On a personal note, it amuses me because at other IT organizations I’ve been with, I could send out an email and never think twice about it. But here, you send out an email and you’re going to be critiqued from every editor across the board. It’s amazing. Even the CEO, he spots things that aren’t quite in the right order. It’s awesome.

So, Hachette: We’re a pretty amazing company. I’ve been here since 2019. I came into a very different IT organization. The leadership in place was great, but around some of the security practices, we really had to mature, to grow our business, and to grow how we monitor, maintain, and secure everything -- from the PC all the way to the edge.

 

Gardner: It sounds like – being global and dealing with so many authors, editors, and artists – that you were already a fairly distributed organization. And then we all had the move to more remote work in 2020. How did that rapid shift impact your digital transformation journey?

 

Diversity strengthens security strategies

 

Holmes: In such a diverse organization, no two sets of tools are the same. Just in the IT organization, every group is unique. And we’re talking five to 20 people. We are an amalgamation because we’ve acquired many different companies over time.

 

For example, Orbit, which is our science-fiction department. They are amazing, but they operate in one way, whereas Little, Brown Books for Young Readers, which is all of our young readers’ literature, operates completely differently. It’s almost as though it’s IT for a ton of small businesses that operate within a large business structure. It’s pretty interesting.

So, they were diversified to begin with. But when more people began working from home, supporting them all became even more critical. The traditional IT model was moat and castle. We had to protect ourselves by using the best firewalls. You can protect anything, but once you’re outside the castle, everything is looser.

 

Once people began working from home, then all of their data lived in their laptops. How do you manage and secure that? What do you do to get your arms around that? This is where our new challenges arose. If you’re used to the castle technology, you have to create high-speed connections to and from every office to access all of your data for home workers.

 

Gardner: So, you had constellations of different businesses and cultures – as well as legacies of different IT. To corral that together, you almost have to be a managed service provider (MSP) as an IT organization. Is that fair?

 

Holmes: I do manage the help desk infrastructure. We also serve up all of the data, all the data center services, and the cloud data management, as well as cybersecurity. From my position, we are set up to service different groups on different platforms and support a wide range of tools across the larger IT organization.

 

It’s amazing. We’ve taken those requirements and built the tools to service the overall organization. And some of them are complex. Then we come back in with the security and managing compliance around how users access data inside of the tools and how it’s all unique across each of those separate publishing entities. It’s fascinating.

 

Gardner: In addition to a focus on endpoint security to support a distributed and remote work force, you’ve also had to look at transforming IT.

 

A lot of times, people have architected their IT -- and then they add on security. Did you try to simultaneously engineer for security and IT productivity and digital transformation? Is there a new way of doing security from your vantage point given your responsibilities?

 

Security as speed bump, not roadblock

 

Holmes: Yes, there is a new way of doing security. When I entered, security was a bolt-on, after-the-fact approach. For example, they may have already built a tool. But have they tested it? Or an application. What has been done with them?

 

We were at the ground floor, as new projects were coming up, on security. The teams were coming to us from a cybersecurity standpoint and saying, “What’s the best way for us to secure this? How about outside software-as-a-service (SaaS) providers?” Things like that.

 

We needed to make sure that they filled out the security forms to make sure that their architecture and best practices matched with what we were looking for with security. But we found out early in the game that they weren’t compliant. They didn’t have security as their first thought. 

It’s more about balancing risks and building in security. As I tell everybody here, cybersecurity is about being a speed bump -- and not a roadblock. Everything we do should be about slowing down, so you don’t bottom-out your car. You want to keep going, not come to a full stop. There’s no productivity if we have to come to a complete stop. We need to keep moving. We’re getting there.

 

Gardner: Of course, if you have a security breach, that’s one way of coming to a full stop. You need to have a balance between reducing risk, but also maintaining productivity and creativity.

 

What have you learned the past couple years about those balances? Has it changed with the remote work? How does digital transformation give you the tools to have the insights to reach that balance better?

 

Holmes: One of the tools we use, and why I’m here, is Bitdefender. We’re looking at their dashboards all the time. We can see what’s commonly going on. The [endpoint detection and response (EDR)] tools are great for our digital transformation because they’re on every one of our computers, on all of our servers, monitoring and automatically blocking risks.

 

If Bitdefender sees lateral movements on the network, it will block and halt those or delete certain files. It’s really given us an advantage. It gives us the capability to look at what’s going on. Because if we see a large increase, then we can look into our other tools that complement Bitdefender and say, “What are we seeing on our firewalls? What are we seeing in our security information management (SIM) tool? What are we seeing on our email filtering? Do we see a coordinated attack or is this just a run-of-the-mill type of attack?”


Bitdefender helps us be proactive on what’s going on. For us, it’s been great.

 

Gardner: And being proactive means you want to react swiftly. Is there a way that you’ve adjusted to the remote workforce -- all of those laptops and home desktops -- rather than being inside the moat? Is there a way for you to take the information you’re getting from your Bitdefender dashboards and be more actionable with it?

 

Holmes: Absolutely. If we see a large number of attacks, even if they’ve stopped, we can open up a help desk security ticket and reach out to the user. If the incursion seems to be trying to install something or to attack others in the environment, we can remotely deactivate that device. We just have them ship their laptop to us so we can take a closer look, and we ship them out a new one.

 

We don’t play games with anything in our environment. It’s better to stop it at the source and move on. But, yes, the tools give us the capability to get out ahead of it all. And we’ve developed a team that is constantly monitoring, seven days a week. Our dashboards look for any correlation, anything ahead, and then work with us to automate or alert us if something needs to be acted on more quickly.

 

Gardner: And, Heidi, how does your background as a network engineer help in your digital transformation and with security concerns? Have you been able to bring more of an architect’s perspective to how you’re modernizing your IT and security?

 

Architecting for change

 

Holmes: Yes, I have. For the past 20-plus years, I’ve worked as an architect, network engineer, and network security engineer. The biggest thing I’ve learned is to go back to the business risk. We understand what the business risk is, and how to mitigate or isolate that risk. But that also means understanding the business you’re working with.

 

Part of an architecture isn’t designing the fanciest, most secure tooling -- because that’s how you get the balance versus the speed bumps. You have to learn the business, learn about the people, know where their risks are, and then architect around that to say, “Okay, stage one is where we see in our transformation the need to move certain things to the cloud.”

Or, “Our most vulnerable systems need to be isolated because some of them might be near end-of-life and we can’t do certain things with them anymore. We’re going to move them over to something such as a different layer or to firewall them with intrusion prevention and monitor it that way. Maybe some of our websites are older and we need to do something with that.”

We might put some sort of a web application firewall (WAF) in front of it. But you have to lay it all out in stages. And the easiest way to architect and build is to know what the business needs. And then you start designing to have the least productivity impact while giving the most security. So, the biggest bang for your buck: “Let’s start there, let’s hit the quick wins while we’re still planning out the other things.”

 

And part of architecture is understanding that when you build a process and a project that it changes. It’s a constant re-evaluation. What are the latest tools? The tools from 2019 are not the same tools that I’m working in at this point. Because every year, every six months, every month, something else is out there offering a better way to do things.

 

For example, a zero-trust architecture was at first a little bit nebulous. Trust nobody and everybody’s like, “Why can’t we trust people?” That’s like, “Well, not everyone’s your friend and even the computer next to you isn’t your friend necessarily either.”

 

Gardner: Well, that’s a perfect transition to my next question. In an organization like Hachette Book Group, the goal is for people to communicate, collaborate, be creative, and be open.

 

When you come to them with a security mentality of, “You need to be very suspicious and zero trust-oriented,” that creates potentially a cultural conflict. How have you been able to get people’s buy-in on what you need? Behavior is such an important part of security. At the same time, you want to allow them to be as open as possible and share ideas as they are used to.

 

Make wide, yet light, security footprints

 

Holmes: The right mentality is to have the least visible footprint in the things that you’re communicating on, on any given computer. But you also have to trust the communication tools. The things that you use such as Zoom or Teams or something like that. Those are commonly known ports and IP addresses.

 

We don’t have to overthink it like 15 or 20 years ago, when I needed to know every port that the teams used and qualify that. Our security tools will automatically understand, and part of the artificial intelligence (AI) built into them knows, that these are okay communication methods and it’s fine for us to continue to communicate that way.

 

So, there’s an openness with video communication and collaboration with a level of security and staying away from custom-built tools to communicate. That will protect you because inherently, custom-built tools usually need extra updating and the people who develop them don’t always keep them up to date. That also will protect you in a zero-trust environment.

 

But honestly, it’s gotten so much easier with zero trust … because Bitdefender is fantastic for that. It’s always monitoring. The AI is telling us as it’s looking at patterns instead of always at a specific port where you can lock people down and isolate them. So, it can see a lot of the lateral movements; you can see different firewall rules that are not industry-standard and as attacks try to pass through. It’s the only real way to go.

 

Gardner: You’re describing what people have come to think of as what a security operations center (SOC) as a service could be. Is that how you’re starting to view something like Bitdefender? Or is that a place you’d like to see it go, of where you have a SOC as a service benefit all the time and everywhere?

 

Holmes: Well, that would be fantastic. And we have spoken to Bitdefender about this. From my past experience, I’ve worked with SOCs, did a little bit of management of SOCs, and brought that into a new organization.

 

What you see a lot of times is they give you a lot of data. And traditionally, any SOC will overwhelm you with 3,000 alerts and events in a day. And you have a team of three and you’re hiring a SOC to help you. But instead, your team of three needs to remediate all of these things, otherwise they’ll keep showing up, and the SOC’s going to keep reporting and then it becomes completely useless to you.


The modern SOCs, and a lot of what I understood from the Bitdefender side is, they’re using more AI to filter out the things that are less meaningful. It’s no longer every single thing that comes across your dashboard. That helps you dive in quicker when there’s a bigger problem. A SOC can become a benefit instead of a hindrance to a small team because the teams are always already trying to remediate their problems. They only need to know about the things that are brand new major holes because patching everything else should take care of the rest.

 

Another thing I wanted to mention on SOCs: Back to our transformation, when I mentioned the SIM tools, and having the different dashboards, it takes a while to bring a security team up to speed on what they should be watching for. That’s about identifying what’s meaningful to you. And then to fix the problems they’re finding from doing the scans. The last few years, we’ve been training security staff to do just that. When a SOC comes into play now is when the team is already expert at security and then everything is meaningful. Sometimes you can take the jump to a SOC too fast.

 

Gardner: A lot of what we hear in the marketplace now is that people are resisting tool sprawl. Too many security tools are not a good thing. They also want tools that will integrate, that play well together.

 

How are you looking at that balance between having the right number of tools, but also tools that are integrated well in advance?

 

Just say ‘no’ to tool sprawl

 

Holmes: I literally just said “no” this week to a couple of security tools because it was just more sprawl. We need to use our tools right. Tools should be useful. They should give you information you don’t already know, or they should coordinate multiple things into one tool so that you can easily discern where a problem is.

 

So, if a tool doesn’t have multiple uses and it’s not cost-effective, then we don’t want it. There has to be a very specific reason to look at it. Also, every tool needs to be easy to use because we can’t send somebody to three weeks of training. We can’t train a second person for when the first person goes on vacation.

 

And it has to be automated, it has to be able to page us if it hits certain thresholds. All of that needs to be set up very quickly. Because when we take holidays, there are always fewer eyes on dashboards. And we still need to know if something’s going on. We need to get paged, woken up, and brought back to the dashboard.

So that’s what we’re looking for. The tool sprawl: Everybody has a tool that they want to sell you -- everybody. It needs to work for on-premises, and it also needs to work in the cloud. It needs to give us all of the information we need. It needs to work in your home to tell me what’s going on in your laptop there. That’s what we need from our security tools.

 

Gardner: Whenever you ask folks to qualify and quantify how their security is working, the number one response is, “Well we’re not getting hacked, so that’s good.” But because you’re involved with not just security but IT and digital transformation, there’s probably more ways that you can measure the effectiveness of your security approach in terms of productivity, team collaboration, and how your IT support group is able to please your end-users.

 

Do you have specific ways of looking back and saying, “We made good choices, and we can prove it by blank?” How do you measure your success in digital transformation and security?

 

Holmes: As far as the users go with collaboration, the easiest way for us to tell is the number of help desk tickets we get. If the users aren’t calling us because they can’t work on their computer -- either because they’ve had an attack or because they just can’t use it because it’s still in lock down -- that’s a good measure.

 

And if we’re not seeing a proliferation of viruses and malware in our environment then those metrics are great for us, too. We’re constantly watching them, we’re updating them, and we’re reporting all those metrics to our senior leadership in the company. So, it’s been amazing.

 

Gardner: Let’s briefly look at costs. We’re also seeing many organizations that need to do more with less. Is there a way for you to balance the economic side of the equation with these metrics of success?

 

Holmes: With the metrics for success, if we purchase tools that help us get ahead of a problem and we don’t have any downtime or a loss of productivity, that is our number one way of evaluating that. So, know your risk, your way of knowledge, and the tools. Tools must do multiple things, be easy to use, and be cost effective.

 

That’s huge for us because I don’t have to hire extra people, which is cost. I don’t have to have extremely skilled people. I can weigh the cost and the amount that we’re spending in our security and IT budgets and say, “We are doing the right things for our people with the right level of protection and our downtime is in individual users -- not systems.”

 

That’s how we measure it. Productivity; not lost time. The ability to shift if there is a problem. And that gets back to the training. For example, we recently had a security incident. It turned out to be something from something very old, more than 10 years old, that was transferred to our environment, and we found it with our tools. We shut down a portion of the network and -- because of the training – we only lost about two hours while we investigated it.

A couple years ago, we would have had vice presidents down our throats saying, “Why can’t we do this?” But because we’ve trained our team so well, it was literally, “Okay, let us know when it’s available again. We want to support you. We’ll work on something else.” It was great.

 

So, it’s all about having the tools, the costs managed, and being able to measure all of our training and practices around the knowledge and people that are behind us. They want a secure environment, and they’re willing to pause if they need to for a little bit while we look at things.

 

Gardner: You had a speed bump, not a car crash. So that’s a really good indicator.

 

Holmes: Yes, it was great.

 

Gardner: Before we end, let’s look to the future. I’ve heard a few words from you, Heidi, like “automation,” “AI,” and “SOC as a service.” What new challenges do you foresee, and what are the best tools or approaches for you to meet them proactively?

 

Detection advances to patterns

 

Holmes: The problem is, we don’t know what we don’t know or what the next security problem will be. You need to be prepared for everything. You need to stay ahead as a leader in this field and just listen, watch the articles, and be prepared to pivot when things happen.

 

The AI and the new tools are great because they are looking for patterns. It’s not like the old days where I would just look for a signature. So, somebody would do something that applies a specific signature, and it could only catch that. It’s now looking for the pattern and then correlating the pattern. As a result, we’re getting many fewer false positives because it doesn’t look for just one minor anomaly. It looks for a pattern of anomalies, and then it might immediately block it.

 

There may still be some false positives because of the old applications out there.


We love the tools that we use, such as the Bitdefender console. It delves into so many things. I personally look at the executive dashboard on a regular timeframe because out of all of our tools, it is one of the best and the easiest to drill into. I can say, “Wait, there’s a spike in viruses.” I click on it even though they’re blocked. It shows right there on the line if any of them got through. Then we can raise the flag, even though it’s already been blocked. But who is affected and where? I can click, and it shows me the actual machines, and it shows me what it was trying to do.

 

That’s the best way to stay ahead. That is part of the automation; it is automatically blocking. So, our firewalls automatically block, or quarantine, or do whatever needs to be done. We get automated alerts that ring our cellphones, that send us messages depending on what it is, and we have bridges. We also have automated [processes] where we can automate traditional patching or fight zero-day [attacks] or anything that comes up. We have that all scheduled to go. So, that’s not a manual process anymore.

 

Gardner: Heidi, before we sign off, for those who are also going on a journey where they want to change the way they’ve done security, where it becomes simultaneous to and maybe even in advance of IT decision-making or IT architecting, what advice do you have for them now that you’ve gone through this? What words of advice do you have for people who can make security part-and-parcel with their digital transformation activities?

 

Start where you are, then dig deeper

 

Holmes: Get to know your business. Learn. Learn what your business is doing. Then, while you’re learning, start with the fundamentals. What are you doing well in your business right now or in your security?

 

Do you have good malware protection? Firewalls on your laptops? Things like that. Start with your servers, with your laptops, every device in your environment. That’s an easy place to start. Make sure your patching is up to date.

 

And then you can start looking a little bit deeper. Vendors -- understand what your vendors are doing. Just because it’s in the cloud doesn’t mean it’s secure. It is not the same thing. You need to understand where you’re putting your data, and what your people are doing. And that goes back to learning the business. 

Lastly, shadow IT. Because everything can go to the cloud, every business is going to try, and every department is going to try, to find their own tool in the cloud. But they won’t necessarily vet it the way your IT security organization will.

So, get to know the business, gain their trust, and help them by giving them speed bumps and not roadblocks. That’s my advice.


Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Bitdefender.

