At Nightfall, we believe in the power of learning from those who have done it before. That’s why we created CISO Insider — a podcast interview series that features CISOs and security executives with a broad set of backgrounds, from hyper-growth startups to established enterprises. Through these interviews, we’ll learn how industry experts overcame obstacles, navigated their infosec careers, and created an impact in their organizations.
We’re sharing the unique opportunity to learn how to further your security expertise, hear best practices from thought leaders, and learn what to expect when pursuing a career path in the security industry. For CISOs and executives, it’s an opportunity to share learnings and provide mentorship at scale. Security professionals will get a unique lens into the security landscape, uncovering career-accelerating insights.
Bluecore CISO, Brent Lassi joins us for a discussion about his two decades of experience within security. Brent takes us through the earliest days of application security to the modern cloud security era, which is heavily defined by security hygiene.
Click on the player below to listen to the chat, or follow along with the transcript in this post. For questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from, please email us at firstname.lastname@example.org.
Chris Martinez: Hi everyone. It's Chris here. When we were doing the audio editing for the episode with Brent here, we realized that the first five minutes or so had some spotty audio quality. So we did the best we could to improve the audio, but we hope that the episode is still as good as it can be. So thanks for sticking with us and enjoy the show.
Chris Martinez: Welcome to CISO Insider Nightfall's chat with chief information security officers. We host CISOs from different industries to discuss their pathways to their role, the challenges they face in their everyday work, and lessons they can share with anyone aspiring to become a CISO. This podcast brings you into the world of cybersecurity and gives you a window into the most brilliant minds in the business.
I'm Chris Martinez. Today on CISO Insider Bluecore CISO, Brent Lassi, joins me to chat about the many things he's seen and learned and worked on over the last two decades in the cybersecurity industry, from founding one of the first application security companies in the world to following the evolution of DLP over the years, and now to working in a cloud-native world without a traditional perimeter and how those challenges led him to Nightfall. Brent has many stories to tell.
Here are just a few of the topics we get into today. How security can be a sales tool, the connections between risk tolerance and revenue for a business, and why a great staff around him is the true X factor in security success. We hope you enjoy this extra long addition of CISO Insider with Brent Lassi. Please join us in welcoming Brent to CISCO Insider.
Brent Lassi: It's a real pleasure.
Chris Martinez: So before we get started into the main questions of our podcast episode, can you explain what Bluecore is and what you do there?
Brent Lassi: Absolutely. I am in charge of security at Bluecore, really all things security and most things privacy. Bluecore's a marketing technology company that helps major brands identify their best customers and keep them for life.
Chris Martinez: You started out with a very interesting career path as an English and philosophy major in college, and now you work in cybersecurity today. So can you talk a little bit about your educational background and how you came into the cybersecurity field?
Brent Lassi: I've been kind of a nerd when it comes to computer stuff since I was probably 10 years old, and I started to write some code on the old Apple II plus back when I was around something like 11. I continued to do that, learning other languages, working with computers a lot. But I really didn't want to take all the math requirements that a computer science degree required at the time because computer science and math, they're two very different things. And yet the colleges, at least at the time that I went to college, they felt like they were very tied to one another. I was like, "I'm not taking through calc four."
Brent Lassi: And so I went with my first love, which was English and writing. I studied that through college, but I also continued to work on my technical skills, and started a small gaming company back in college, and continued to hone my skills as a programmer. Then when I graduated, I actually went out and got a programming job immediately. I did that for a handful of years before migrating into security.
Brent Lassi: I like security because it allows you to do what they call full stack. You kind of touch everything. And I realized at some point that I wasn't going to be the best programmer around, but I had a passion for security. And at the time application security was starting to emerge as an issue because we were putting all these new applications that we're developing online, and in a browser, and it introduced a whole host of new kinds of vulnerabilities. And I started noticing that these were existing, and so I looked to migrate into that space.
Chris Martinez: You probably covered this a little bit, but if you could go a little bit more into how your background influenced your work as a cybersecurity leader today?
Brent Lassi: Absolutely. My background, like I said, was in programming, even if it wasn't from an educational standpoint. And at one point probably it was in the very late nineties. I was working at a solution company startup. We're building applications for some of the big Minneapolis companies. That's where we saw a lot of Fortune 500's around here, like 3M and Land O'Lakes and General Mills and all those.
Brent Lassi: One day I was working on a program with a good friend of mine and we started to realize there were all these vulnerabilities in it. And the company we worked for had a network security practice. And so we went to them and said, "We think there might be an angle for this application security angle as part of our offering." And they said, "That sounds really interesting. Go figure it out, tell us what it would look like."
Brent Lassi: So we went away and we wrote all these documents, and at this time imagine there was no such term as cross-site scripting or anything like that. None of these terms even existed. And so we were just making it up as we went along. We wrote a huge document about all the different kinds of vulnerabilities, so forth, that were occurring in the development technologies at the time. We brought it back to the owners of the company and they said, "That's really cool. We don't want to do it." And we went, "Oh, okay."
Brent Lassi: So we back to work. When we went back to them, me and my business partner, Mitch Moon, who's still in the security space as well, and we said, "You know, we know you don't want to do this, but we kind of do. Would you mind if we tried it? We built all this info on your diagram." And they said, "We like entrepreneurs. Go for it guys. We'll miss you."
Brent Lassi: And so that's what we did. We founded Apex Technologies in '99, which was way too early for application security, because you still had to explain to people what application security actually was and everything was. So you just put a password on it? No, it's a lot more than that. And we were one of the world's very first application security-focused organizations.
Brent Lassi: There was one other one that started here in Minneapolis at the time. So there was one other one on the East Coast. It started about the same time as us. It's hard to say who was first. But we started developing the training that would be necessary. We started developing a code review practice, secure architecture practice, and started refining what the vulnerabilities and application security actually look like. And then we ended up being contributors to the original OWASP manuals and so forth back in the early days. That's how it came about.
Chris Martinez: So you were talking about your work in application security, and I know you founded Apex Technologies in 1999 as one of the world's first application security businesses. So talk a little bit about founding the company and what the security landscape was at the time.
Brent Lassi: Well, at the time most organizations were beginning to, as I mentioned, move to the web browser for their business applications. So they weren't building applications that installed directly on the computer anymore. They were building for the web browser and they were accessing all their company data stores over a variety of different methods. And the issue was that the books and the guidance you got from the development technology companies like Microsoft and ColdFusion, and all of them, they actually told you to do it an insecure way because they, honestly, they just hadn't considered the possibility of these applications being exposures of data or potential hacking ingress points and so forth.
Brent Lassi: And so it was really up to us as developers to uncover them and go, hey, you really shouldn't be able to just change this value in the URL and then switch to being an admin. So that brought up the formerly-described initiative that me and my business partner at Apex tackled. We were thinking there's got to be something here that can help guide companies toward doing the right things.
Brent Lassi: Frankly, when we first started trying to sell this, obviously we were trying to sell something that was a completely new idea, developers were a little bit surly about it. They said, "Oh no, no, no, our applications are fine. They don't have any of these problems." We actually ended up sometimes showing them compromises of their environment right in a meeting saying like, "I bet that if you put a colon and a backslash here and then type something it's probably going to..." And things happened in their web browser apps that made them go, "Whoa, I had no idea." That got the attention of development directors and CTOs and so forth to say, "Well, we can't have this happening, especially for public facing applications."
Brent Lassi: And so we designed an entire training course around the various vulnerability types and how to mitigate them, help build libraries that would help protect applications just by being plugged in. Although we've always said that it's important that security's baked in a new application, not just frosted on at the end. And so it's important to make sure the developers understand while they're doing it, what possible risks there are. And it means that if you think about people who work in the networking space, traditional hardware routers, firewalls, and so forth, or people who are system engineers on servers and so forth, a good solid chunk of their job has always been to be security people, right? There's like a chunk of it that's just like, "Oh yeah. Have to restrict access to this and have to make these settings on servers."
Brent Lassi: Well, developers in the pre-2000s, they didn't have any of that inclination. And so it was something that had to be baked into developers over the course of the last 20-plus years. And it was new, right? Now developers come right out of college and they understand security concerns at some level already, even if they haven't been burnt by it in their profession yet. They understand the need, whereas if you go back 20, 25 years, the need was not even understood. And so it was a huge problem. There's a lot of vulnerabilities.
Brent Lassi: I'm a firm believer in source code review by humans, because only humans can really see some of the issues. Most of the technologies that we have even today after all these years can really only detect about half of the different classes of applications' vulnerabilities. So having people look at it is really important.
Chris Martinez: For our listeners who don't know what application security is, can you describe it briefly?
Brent Lassi: Yeah, absolutely. Writing tamper-resistant code is what it is. I'll take it to the easiest level: if you've got a field on a webpage that says it's a zip code field, well, it should not accept anything besides numbers. And if it accepts anything besides numbers, there's the possibility that once it gets passed along to the backend systems and so forth, that it will behave unexpectedly with unexpected results.
Brent Lassi: Now it can get way, way more complicated than that when you start thinking about applications that have a number of different permission roles associated with them. The deeper that the business logic goes, the more potential opportunities for a user doing something that you didn't expect that could lead to security vulnerability. Back in the original days of people making these mistakes that were... the really, really bad ones, you could maybe change a zero to a one and switch yourself from being you to being the admin of the environment.
Brent Lassi: Or you could insert a little bit of SQL into a form, and it would end up returning back the contents of the database back to your screen. Those are the kinds of things you're trying to avoid from an application security perspective. These days, those ones I mentioned are the most basic level of problems that get increasingly more sophisticated and varied and hard to uncover. But when it comes right down to it, I think even today, there's still really only about 13 different classes of application security vulnerability. But most people focus on about five or six of the really common ones.
Chris Martinez: You've been leading InfoSec teams for almost 20 years now. Can you talk a little bit about what you've kept in your InfoSec leader toolbox as the industry has evolved over the years?
Brent Lassi: First things first; it's about people, right? As a security team leader for quite a while now as you mentioned, the number one thing is having great people. And in security, you have to have the jack-of-all-trades sort of mentality, because, like I said, we're kind of full stack. We need to understand everything from the bits and the bytes to the way memory's stored all the way up to database architectures and network flows and firewall configurations, and then application security that we've talked about in depth.
Brent Lassi: You need to understand a bit about all of it, which means that in security, you really have to hire people that have no fear of new technologies, because they're going to be constantly encountering new technologies. Every time that all of our vendors or our cloud providers or companies that create the languages that we use to make software, every time that they add something new or make a new cool feature, it's another potential security problem or another potential thing that needs to be investigated by the team.
Brent Lassi: And so one of the things that I make sure that I put in the toolbox of every security professional I work with is the ability to write some level of code. That's a superpower, and you've heard it before, but it really is especially in security. If you go back to the early 2000s or even before that, people who worked in the security field tended to come from network backgrounds. They come from server infrastructure backgrounds. They didn't really come from the AppSec backgrounds, because AppSec wasn't a thing.
Brent Lassi: Now it is the only thing in a lot of ways. Because of the advent of cloud and cloud-native organizations, in particular at Bluecore, we don't even own a single router. I guess we have some in the office that route wifi, but that's it. We don't have big Cisco devices or huge lumbering firewalls and intrusion-detection appliances that have to be racked and stacked and cabled and so forth.
Brent Lassi: And so now it's all about the applications, even when it comes to the infrastructure, because now you have the term people throw around called infrastructure is code. Because when you work in a cloud environment, you don't ever touch any of the routers and networks at their lowest level. You just kind of tell them with a couple configuration files here's what I want you to do. And here's how I want you to act.
Brent Lassi: And so what this means is that every security person needs to understand rather intimately what it is that the developers, the DevOps people, and infrastructure teams and so forth, are actually doing at that level. Because it's not about like, well, if this cable runs to this switch and then this firewall, now you're going to have a network segmentation that's set up via hard wire. No, it doesn't like that anymore. You have to do it all in configurations.
Brent Lassi: And so understanding code is key, right? Not to mention the fact that you can get things done so much quicker, build your own little tools, build your own little detection rules. So the one thing I make sure that every security person should have in their toolbox is to build and write code in some language or two. They don't have to be enterprise development-worthy. My code is probably super ugly, but it gets stuff done and it pushes the progress forward on the team. So that's the key thing I keep in the toolbox.
Chris Martinez: Where are the biggest opportunities for learning coming from in the field, both for the teams you manage and for yourself as a leader?
Brent Lassi: You know, this is a great question, and it's because I think some of the best learning that you can get in the security space is by talking to the people who are inventing security technologies. I talk to peers of mine, they go, "Oh, I go into Black Hat," or, "I went to RSA conference," or some other security conference. And they don't go down to the showroom floor where all the vendors are that are pedaling their software and hardware and so forth. They don't do it because they don't want people to sell to them.
Brent Lassi: I look at it a little bit differently. I believe that every single company that has taken the time to put a booth at a conference, whether they are a huge company that's been around for 30 years, or whether they're two people working out of their basement who had a great idea, every one of those companies has something to teach us. Every one of them has a little nugget of wisdom that they're like, "Look, I figured out how to solve a problem."
Brent Lassi: Even the smallest new companies that maybe they'll fail, right? Maybe their product will never come to market the way they want it to, but chances are they still had one great idea at least about how to solve a problem. That idea might serve you very well later, even if you never buy their product, or they don't even survive as an organization.
Brent Lassi: And so I spend probably an inordinate amount of time talking to the security technology vendors, because I think that they all have something keen to offer us different ways to look at problems, different ways to solve problems. Nightfall is a great example of that.
Chris Martinez: That's awesome to hear. How do you balance the needs of your teams with the overall goals of the company you work for? Like priorities such as business growth and driving revenue?
Brent Lassi: Security has two sides to it. One is the actual security work, meaning the bits and the bytes and the configurations and the code quality and so forth. All the things that go into actually making an environment secure, antivirus, intrusion detection, you name it. But the other side of security is there's an optics side to it. It's about what it looks like. And every company has to deal with that whether they like it or not. And I can't just have a good security program. I have to have good optics around it as well. Meaning that I have to be able to show to auditors, to clients, to boards, to investors that our security program is good and where it's not good I have to be able demonstrate that for them as well, so that we can get the right team built and the right budgets and the right tools in place.
Brent Lassi: So one of the things about that balance is that you have to have at least a couple people on your team who are good at that optics piece, right? They have to be able to go and express in many different corporate languages, if you will, why it's important, where we're winning, where we're not winning. You need to be able to talk to it in terms of dollars. So when you're talking to your CFO, you need to be able to talk about it in terms of technologies and nimbleness of the environment and so forth with your CTO.
Brent Lassi: For example, I always tell the entire company this actually, but I focus it definitely in engineering. I say, "If I ever ask you to do something or I put something in place that makes your job harder, you need to let me know, because that means that I didn't work hard enough." I need to find the right solution, and it's not always the first one on my list. I might need to roll back to the second solution that maybe it costs less. Maybe it's easier to implement. Maybe it increases the nimbleness of the day-to-day.
Brent Lassi: So this all comes down to risk tolerance, of course. It comes down to understanding what the risk tolerance of your organization is. And every organization is on a trajectory of reduced risk tolerance typically, right? Constantly reducing risk costs. When you're a startup, you got three people, you know that your risk tolerance is extremely high, because you have nothing to lose. And as a result, you might not be thinking about all the security things that you need to do that might come back to bite you three years down the road. But then three years down the road, you're going to have more, what I call Delta suspenders in place, you're going to start to implement the security things, but that trajectory never ends.
Brent Lassi: As you might guess, the risk tolerance at Bluecore is certainly a little higher than it would be at Wells Fargo. And the reason is that we're a smaller organization. We have less surface, we have less people. Many things within an organization can increase the overall risk posture. And one of those, the biggest one, is probably employee count. Because the more people you have touching things and making changes and access to data, the more risk there is.
Brent Lassi: The next one is how many clients you have and how big they are. If you're working with lots of tiny little stores, mom and pop shops or something like that, your risk tolerance is going to be higher because they don't have much at stake. But if you're with large enterprises, obviously, it's going to reduce your tolerance significantly.
Brent Lassi: And then the next thing that can affect your risk tolerance is your actual revenue, right? When you're making $10, your risk is really low. When you're making a $100 million, your risk is a lot higher. You constantly have to have to balance that. And it's particularly actually kind of fun and interesting to balance it in an organization like Bluecore, because we're eight years in, but we still feel like we're a startup. And that means that our security risk tolerance and posture over the last, just even four years that I've been there, has dramatically evolved.
Brent Lassi: We went from much smaller earnings, much smaller client list, to where we are now, and it's only going to continue. Three years from now, it's going to be a completely different game again. So it's important to keep that in mind, be flexible. Too many CISOs, I believe, come into a role and retain the exact same risk tolerance that they've had in their last role. And you can't do that as a security leader. You need to be able to reset and say, "Look, the risk tolerance for each organization is going to be different based on your vertical, based on your size, based on your compliance requirements."
Brent Lassi: Are you a healthcare company; changes it immediately. Are you a FinTech company; changes it immediately. If you're a manufacturing company, your risk tolerance probably goes up, because you probably don't have quite as many risks as you would as a bank or a healthcare company. So, yeah, it's a constant reassessment.
Chris Martinez: I think you spoke really well to all those things, but I'd like to know if there's any other ways that security factors into company OKRs and other metrics?
Brent Lassi: Yeah, absolutely. I'll go back to the optics thing again. Too many security teams forget that there is a business at hand, right? They tend to think like, “oh, I just got to secure this stuff.” No, no, no. You have to be part of the sales cycle. Security works best when it's actually taken off the table as an issue. And the best way to take security off the table as an issue is to be really good at it. That's just, that's the fact.
Brent Lassi: When we can go and pitch a client on our security posture using a combination of documentation and audit results and me going in and actually just talking to them, if at the end of that conversation, the security team from the potential client or prospect says, "Oh, you guys really got this stuff together." Well, you know what? That conversation is pretty much over and now we can go right to actually doing business and solving the problems that they originally came to us to solve.
Brent Lassi: So, and that's something that comes into our OKRs all the time. Understanding that second component, which is security can be a tool to sell your organization. It can be a tool that accelerates deals and it retains clients. If you've got a great position in handling compliance data, a hundred compliance programs reporting on it, dealing with PII and all the new privacy laws and so forth. If you clearly have an organization that is handling all of that for your prospects and clients, what I would call out of the box, that gives them a ton of confidence, because you have all the answers and you have everything that they need already baked into your capabilities. That goes a long way and we do focus on that quite a bit at Bluecore.
Chris Martinez: In our previous conversations, you mentioned that most people at work treat Slack like it's a corporate environment, but it's actually someone else's corporate environment. Can you talk more about the security challenges that come from using SaaS platforms like Slack and how you educate your internal users on best practices when communicating in these apps?
Brent Lassi: Yeah, absolutely. First, let's tackle that whole SaaS scenario and Slack being the obvious example. But it extends itself to things like GitHub and Salesforce and JIRA and all of the usual suspects that people use: Dropbox and Box, and even Google and Microsoft, as the cornerstone of many people's corporate environment.
Brent Lassi: It used to be that when you started a company, you would get an office then you put some servers in a closet somewhere, and you'd put an email server on there, you'd host your own email and you would host all of your own stuff. You'd host your own CRM. Well, now almost nobody does that. Big legacy organizations will have some of that stuff internal. But even they are starting to migrate that stuff out.
Brent Lassi: Let's take a company, say General Mills. It's like our core competency is making food. It's not running an IT environment. And so they say, "Well, let's just take that HR system out and go and hire somebody to use their cloud environment." Well, when you do that, you gain a ton of positive things. Obviously, it could be cost reduction. It could be just a better platform. It could be not having to support it. It could be reduction in the size of teams that is required and so forth, nimbleness, all kinds of things.
Brent Lassi: But what you do lose is you lose possession of your data, right? You lose possession and control. That's a security thing. Your perimeter all of a sudden got extended out into someone else's network. It used to be that I could put my arms around an entire environment and go like, "This is ours, this is ours." So I secure at the edge first, and then I start securing the individual components within that.
Brent Lassi: Well, now the edge is almost undefinable because at Bluecore we don't have any on-prem stuff. We have no CoLOS. We have nothing in a server closet. Everything is a SaaS tool or something running in our cloud environments. And our SaaS count probably goes north of 70 different SaaS platforms that are being used.
Brent Lassi: Well, that means that most of our business day-to-day operations, whether it be finance or HR, or what have you, things like Slack are actually running on somebody else's premise. So I can't put my arms around it anymore in that sense. And it's important to make sure that people understand that when they post something into one of those tools or one of those platforms, that they really are putting it out in the world.
Brent Lassi: And because of the way that a lot of compliance and privacy laws work and so forth, it's super important from a security perspective that we know exactly where all that data's going. A good example would be like JIRA. When you're posting something in ticket, if you post data that is compliance-impacted in some way, regulatory impacted, that means that you have a ton of work you have to do in order to validate that the platform is okay for storing, say PII or healthcare information or something like that.
Brent Lassi: Well, guess what? There's a ton of legal and security work that needs to happen. And you also need to inform all of your clients that you're doing it. So that's a ton of work. What's the solution? Let's not put any data in there, right? Let's not put that kind of data in there. And that's where DLP comes in. When data loss prevention comes in, is that ability to see what people are doing with all of these SaaS platforms. And then when they go astray, usually not maliciously, usually just by accident or lack of knowledge, you need it to come back into light.
Brent Lassi: And so it's important to make sure that it's a strong point in your policies, in your general security training, that people get that fact that they're essentially distributing data outside the company when they use these SaaS platforms, especially if they use them improperly.
Brent Lassi: The nice thing about DLP is that when you implement it and you detect like, say, somebody puts a piece of healthcare information in JIRA or something like that, you go like, "That is not the system for that to be stored." DLP gives you the opportunity to go and do a micro training session with that person say, "Hey, I see what you did there. I'm sure that you didn't mean to do that and it wasn't malicious. But you can't do that."
Brent Lassi: Well, every time you have one of those little micro education sessions, that person tells all the people that they work with, "Security called me and said we can't do that." You get this water balloon effect every time you do one of those. So beyond just the regular training, DLP actually facilitates the further training and notification of those problems in what I think is a graceful and polite way.
Chris Martinez: I think it's really interesting you brought up DLP, because that goes into our next question about the evolution of DLP over your career. And what your experiences have been through the shift from the old ways to the new ways of thinking and working in data security.
Brent Lassi: Yeah. That comes right back to that whole perimeter thing. The DLP solutions they used to have, they had the three traditional sort of modes of DLP, which was data in use. It's usually like when it's actually on laptops and things like that or on endpoints. Data in motion, so that means it's floating over a network. And then data at rest, which is wherever it's stored, whether it be a database or bucket of files or something like that.
Brent Lassi: And we used to implement separate technologies for each one of those. And while those concepts are still completely valid, the way of achieving them is completely different because of that proliferation of SaaS, as I mentioned. I worked in an organization, we had nine data centers globally, and then 22 offices or something, but they were all on the same network. I could still, even though they were distributed globally, and I mean very globally, and that's like 30-something-plus sites, from a network perspective, I still had complete containment around that network, even at that scale. Meaning that there were firewalls and DLP appliances and intrusion detections tools and so forth at every one of those locations wherever data egressed, or when it moved between those locations.
Brent Lassi: So what that means is that you could put essentially appliances in that sniff the network traffic, and look for people moving data around and so forth. and tey're like, "Hey, that's the DLP problem. You don't want to move data from here to there." Or we could scan all of our file stores because they were all in our data centers. They were all under our direct control. And so we could just deploy the scanner and say, "Go scan all this stuff, tell us if there's any sensitive data in there."
Brent Lassi: Well, now, again, with all of the SaaS tools that everyone uses, you don't have that access anymore. You can't go to Salesforce and go, "I'd like to put an appliance on the edge of your network so that I can see if data..." You don't get to do that. You don't get to scan the Salesforce's databases or directly for PII. And so that's why there needs to be this new breed of DLP technologies that facilitates similar concepts to those three that I mentioned, but has to do them in a completely different way technologically.
Chris Martinez: Yeah. And I think you definitely covered the shift from on-prem to cloud-native, but if you can give us any more insights on your journey as a security leader through those shifts?
Brent Lassi: Yeah. At first it was really hard, because the technologies that I traditionally used... I started using DLP technologies in 2007 when they first arrived on the scene as a term. Frankly, a lot of people failed to use them properly. It was one of those things where I would talk to peers and they would say, "Oh yeah, we bought that DLP tool," whatever it was, "and it didn't work and it then sits in the corner doesn't do anything for us." And I think that that's definitively wrong regardless of what product you chose.
Brent Lassi: And the reason that I found that most people failed in their DLP journey was because they didn't really know what they wanted out of it. They got the buzzword, oh, loss prevention so forth. And then somebody said, "Hey, do we have this stuff?" And they're like, "Oh no." "You should get it." And then they went out and got it, but they didn't really know what they wanted to do with it.
Brent Lassi: I took the exact opposite approach. I said, "I want to solve these five problems." We found the right tools and we went and solved those problems and then expanded from there. And then the programs were very successful and very useful. And when people say, "What the best technology you'd deploy?" I would often times cite our DLP as one of the top two.
Brent Lassi: Now, the evolution that you mentioned, what happened was with the advent of cloud and cloud-native organizations, and, in particular, my move from a more traditional data center and on-prem organization to a cloud-native organization, I found myself at a loss because the technologies that I've been using just wouldn't work. They just plain wouldn't work.
Brent Lassi: And so I started thinking, okay, Brent, how would you do this sort of thing? And to be perfectly honest, I was casting about and thinking, okay, so what I need is a tool that we'll be able to hook into a bunch of different SaaS platforms in one way or the other and use the APIs or capabilities that do exist there to at least keep me informed. And then I found Nightfall. And I said, "Wow, Nightfall does exactly that."
Brent Lassi: So we had conversations very early when you were literally just coming onto the market. And I said, "Yeah, that's how it's going to be now." There's other point solutions out there. But what I wanted was something that would be able to handle a number of different platforms in a consistent manner. And coming back to the original point was that I also had to know exactly what I wanted to do. I had to have objectives. I think we'll talk about those objectives probably in a moment. Or would you like me to go through them now?
Chris Martinez: Yeah, absolutely.
Brent Lassi: Yeah. So my objectives started very simply. I wanted to detect secrets in GitHub, and I wanted to find data that people were posting into Slack that maybe belong there. Maybe it's PII, maybe it's HR data, maybe it's finance data. And with the GitHub piece, what I found is that it's usually just about laziness and lack of people being educated on the fact that they shouldn't store credentials within their code base or in configuration of files that are stored in a source repository. So once you find them, then you go and you kick and scream a little bit and then they go, "Oh, yeah, we shouldn't do that," and then they go and fix it.
Brent Lassi: So that one's kind of simple in that sense, but there wasn't a lot of good tools available for doing that. I know that some companies will claim they're really good at it, but I found that most of them are not, and have a lot of false positives and so forth. I was super impressed with Nightfall when I ran the first scan. And I was like, "There are almost no false positives in here." And the ones that were there, I was like, "Yeah, it should have flagged that anyway." I'm glad that I saw it, but I just was able to ignore it, because I knew it wasn't as sensitive as it might have appeared, but I was really happy with that.
Brent Lassi: And then when I was pursuing that, the CEO watched me do a little presentation on the fact, on that problem and how we were going to look to solve it. And this was before we engaged with Nightfall. And then he said, "I also worry about things like Slack." And I was like, "Yeah, that's a really good point, because it's kind of the same problem, and that everyone has access to it and they can post anything they want in there." They can just upload files, contracts, or detailed financials, HR data. And you just want to keep an eye on that stuff because it could become exposed to too many people.
Brent Lassi: And back to the prior fact is that it's going onto somebody else's server and pretty much stored in perpetuity. So you definitely want to keep that down to a minimum. And that's when I really started casting about looking for the solutions that might do that and that's when I came across Nightfall.
Chris Martinez: That's so great to hear. And I think it leads into our next question about why data hygiene is so important in your work and how it's connected to data security and privacy.
Brent Lassi: Yeah. I like that you used the term "data hygiene," because it's the term that I've actually been using for a couple years now to describe the current state of the world when it comes to DLP. Because it used to be, like I said, that whole containment scenario, and you could actually, when you had control of all of the networks and all of the servers and everything in the perimeter, you really could contain it.
Brent Lassi: Where now it's a little bit more about just good hygiene. Where it's like you know there's going to be mistakes. You know that people are going to do things that might not be optimal. But rather than strictly preventing them from doing it, because you can't in a lot of SaaS tools, you have to just be hyper aware of it and be able to treat it like hygiene. Like let's brush our teeth every morning.
Brent Lassi: Just like we should look at GitHub every day and see if there's any credentials that somebody accidentally wrote in there. That's what it's about. It's about keeping on it constantly. And in Nightfall's case, it's kind of nice because I never anticipated that the solution that I came to would give me immediate notifications of things, but Nightfall does. I get a notification immediately if somebody puts a file in Slack that has SSN, right? I'd be like, "No, don't that."
Brent Lassi: And before it gets too broadly clicked on or anything like that, I can say like, "Oh, let's redact that, get that out of there." The development team probably thinks I'm crazy, because I don't think a lot of them know about Nightfall. They'll check something in the GitHub and I'll immediately Slack them and say, "Hey, I don't know. You put this key in there. I don't know if it's sensitive or not." They're just like, "Wow, this is insane. How does he know this stuff so fast?" I'm like, "Well, I didn't do it. Nightfall just Slacked me and told me that somebody put something in there." And I never anticipated having a tool that would give me live updates like that, but it does. And that's really powerful.
Brent Lassi: And so now it's just about expanding the objectives. Like I said, originally I had two objectives. I was like, let's deal with GitHub and Slack. Okay. And then this year we said, "Okay, let's deal with JIRA." And then maybe next it'll be Box or Zendesk or Salesforce or something. We'll just continue to look at where the key areas of concern might be and knock them down.
Chris Martinez: So we've talked about the shift from on-prem to cloud-native, and we've talked about data hygiene. Are there any other big blind spots in data security currently that you're concerned about?
Brent Lassi: Oh, big blind spots in data security, you mean as an industry, like generally? Yeah. I think that there's one and that is the misallocation of responsibility for security. And this has reared its head mostly because of DevOps and the move to the cloud and cloud-native environments. And engineers that really are programmers, but then also are expected to do security work in that they're configuring environments and network paths and so forth in the cloud.
Brent Lassi: And if you look back at more legacy organizations, they would have an IT team that was usually distinct from the development team in every way. And those IT teams would include network engineers and database administrators and server experts and so forth. And usually a security team as well would be usually wrapped into that group.
Brent Lassi: Well, with the advent of cloud-native and DevOps, it actually crossed off a lot of those teams in that they don't exist in a lot of new organizations, and they're getting smaller and smaller or less noteworthy or less powerful, if you will, in larger organizations and legacy organizations.
Brent Lassi: And what I've found is that the responsibility for security, which used to usually sit with CIOs that were handling the IT side of things, has not effectively migrated to the CTO environment, which is usually where the development and product people sit and so forth. And that's a problem, because what it means is that the people that are most directly in control of security configurations and due diligence and doing things in a resilient, secure proper manner, actually don't know they're supposed to be doing it and they don't necessarily have the training to do it either.
Brent Lassi: A good example of this would be I once hired an amazing developer to run some application security programs for me on a team. And that person is as much as they're a very, very experienced developer at an enterprise level, really couldn't navigate a Linux prompt or set up a server, that a person could not do that. Well, if you take that person and throw them into a cloud DevOps environment, do you want that person configuring your Docker containers and your Kubernetes environment? You kind of don't, right? That person doesn't know anything about that.
Brent Lassi: And so there's been a big miss there, I think, in the transition of responsibilities and the notification that these responsibilities are migrating away from the traditional roles of networkers and security personnel and server administrators. It's migrated over to that development engineering team, and they need to have the capabilities of doing all of those things. Or they need to have a team that's embedded within them that does those things and checks through properly.
Brent Lassi: So, yeah, I think that's the biggest blind spot I've seen over the last five years. Missing that shift in responsibility of security away from traditional IT into a DevOps and engineering organizations.
Chris Martinez: And how do you approach these issues effectively?
Brent Lassi: You know, education, right? The first thing I did when I got to Bluecore is I went around and found all the people that didn't know that stuff. Here's why it happens, and then the why it happens can help you address it. Why it happens is because when companies started tackling this whole new DevOps model of writing code and developing in the cloud and so forth, what happened was CTOs or CEOs told those teams to run off and go ahead and create new stuff and to not get the other teams involved, just because they can do it themselves in a cloud environment.
Brent Lassi: And they made that decision based on the smartest people in their org. It was all the really awesome, full stack-type of people that were like, "Yeah, we could do this." That's great, but that's only the top 10% of your development staff. The other ones aren't necessarily as well versed. So when I got the Bluecore, I went around and found the people on the engineering team who were very full stack in that sense, and started to peel the onion, if you will, and find out where the problems might be within the... not so much the products code, but within the underlying infrastructure and so forth. Was it being properly set up by people that understood the underlying technologies?
Brent Lassi: And then once you've identified those things, you can go ahead and start pushing that education out to the people that need it. And at Bluecore it actually ended up turning into something really powerful, because we ended up building up an actual infrastructure team that is a slew of engineers and programmers essentially, but who also are really experts in things like Kubernetes and cloud fabric configuration and so forth. So it's about education, but first you have to identify what the problem is and identify your, not just your stakeholders, but also your champions.
Chris Martinez: What is your worst cybersecurity nightmare?
Brent Lassi: I guess it probably would be ransomware, that one's pretty bad. I don't really get a lot of nightmares. People ask me what keeps me up at night, and I say, "Well, nothing keeps me up at night," because if I was kept up at night by worrying about security things, I wouldn't be able to do my job very effectively. And I wouldn't last, I'd burn out. I wouldn't have made it 23 years in security if I could not sleep at night.
Chris Martinez: So just out of curiosity, how plausible is that hack?
Brent Lassi: Well, it could be an internal job at Google could probably make it pretty possible. But I'm guessing that they know how serious that code is and how dangerous it would be if somebody injected something malicious into it. So I have a feeling that they don't just roll that stuff out without a lot of review and simultaneous lever pulling and button pushing that happens across a lot of approvals. I would hope so.
Chris Martinez: Yes, definitely. Me too. What's the best lesson you've learned from your team over the last year?
Brent Lassi: You know, one of the best things that one of my team members brought to my attention, and I've taken it to heart, is the sensitivity of the access granted to executives. This is probably true more often in younger organizations where the founders are on hand and are now the executives of the organization and so forth, or there's people that have been around for a really long time. But I've found that it also happens at organizations that have been around for 20 years.
Brent Lassi: If you inspect the access granted to many of the high level executives, the C-suites and so forth, and sometimes even board members, and sometimes I found the spouses of people that are in those positions, sometimes you find that access is incredibly inappropriate. And it's not because they're going to misuse it, but it's because they're targets. If somebody's a target, you need to protect them.
Brent Lassi: It's just like if you were in a hostage situation and you're the police officers and so forth, or the SWAT team, you're trying to protect the victims, the hostages. It's the same sort of thing, it's like you want to protect the most valuable assets and the ones that are actually at risk. And I find that the executives of organizations are those. They're the ones that are the most at risk. They're targeted constantly by impersonation attempts. They're targeted constantly by phishing and so forth.
Brent Lassi: And so it's super important as a result that you keep their access really squeezed down tight. And as much as they might go like, "I should have access to that. I'm the boss." Well, technically I get what you're saying, but you don't need it, and you also generate an enormous amount of risk by having that access because you're such a target.
Brent Lassi: So the worst thing you could do is give Jeff Bezos RIB access to all the Amazon servers. He'd be the number one target and so you don't do that. And that came from a member of my team who has only been in the industry a couple years. And I was like, "That's really smart. We need to take that as a tenet of our approach to identity management and access constraints and controls," and we have.
Chris Martinez: How do you stay on top of the current trends and issues in the field? What kind of resources do you use, like industry groups, newsletters, conferences, and other things?
Brent Lassi: Yeah. Well, first off, I'll mention the conference thing that I mentioned earlier. It's been really bad these last 18 months where we haven't had the conferences to go to. And even though you can do virtual ones, it's way different when you walk around the floor at a conference and actually talk to the founder or the chief technology officer of these startups that are building new, cool stuff. I get a ton from that. That's one of my favorite things to do and I learn a lot.
Brent Lassi: Sure, I read the news and so forth, but I've also found that articles posted about security incidents tend to be only about 50% correct. And I know that because I've had articles printed about incidents that I've been involved in and they were only about 50% accurate. And I know a lot of other people who have said, "Oh yeah, yeah. You see that article that came out about X, Y, Z company? Well, I work there and that is not how it happened at all." And so there's only so much you can take from the things that people blog about and write about when it comes to keeping abreast of the situation.
Brent Lassi: I also lean really heavily on trusted partners of mine. Oftentimes they're my technology resellers. As you might guess after 23 years in the business, I have some really, really long-standing relationships with people that I trust that are well informed and highly educated on the risks out there and the technology solutions for those things.
Brent Lassi: And perhaps even more importantly, is that those people not only know those things, but they also know what I like and don't like, and how I think about security. So they tend to be able to advise me in directions that jive well with my particular style and tendencies for implementing security programs and technologies. So those are the two biggest things that I do probably is conferences, talking to people, and then having those trusted partners
Chris Martinez: When it comes to getting cybersecurity certifications, what's your general standpoint? Is it a positive thing or a negative thing?
Brent Lassi: I think that when you're early in your career, it can't hurt. Because it shows people that you've taken it seriously. You've done a modicum of studying at the very least. And that you definitely want to get into the field, or that you definitely want to stay in the field and advance in the field. I found that a lot of the certifications over time become sort of like a treadmill. Where you're paying a bill every year and then saying you went to all these classes. When you're in a position like mine, it's actually hard get those points in some ways. Or it's so easy to get them that you're like, "Well, I could get a thousand of those points, and so does it really matter? Do I really need somebody after 20 years to tell me that I'm certified?"
Brent Lassi: I don't know. So I have mixed feelings about it. I think it's great for people in their first five years, but I know a lot of my peers and so forth have let a lot of those things go, because it just doesn't seem to be serving any purpose after a while.
Chris Martinez: Great. And here's our last question. Do you have any podcasts or books that you have read or listened to lately that you can recommend to our listeners?
Brent Lassi: Yes. I recently read a book called, it's literally called The Kubernetes Book, and I'd highly recommend, just search for it. It's The Kubernetes Book. It's by a fellow named Nigel Poulton. And the reason I bring that one up is because if you are in security right now and you don't know Kubernetes, you're probably missing out on a bunch of things that you should know. I didn't really know the underpinnings of Kubernetes and how it worked. And using that book, I read it cover to cover, and then I went and actually stood up my own Kubernetes environment. I actually built it out of raspberry pies. I made six raspberry pies together, like a mini cluster, and it's this big, but it has six computers in it. And I installed Kubernetes across it and was able to play with it. And did I ever use it for anything useful? No, I actually didn't, but I learned a ton and got real hands-on experience.
Brent Lassi: On podcasts, there's a podcast that I highly recommend. It's called Alexa's Input. Alexa is a coworker of mine who has been doing this podcast for a couple years now. And she has the most amazing guests across the technology industry. Usually it's highly engineering-focused and very technical, but has had just some amazing, amazing guests. It's called Alexa's Input and it's on Anchor.fm, if you wanted to go and find it, and it's great. She's a great host. Her guests are exceedingly impressive. And I don't say that just because I was on it, I was on that podcast, but I'm the least impressive guest she’s had.
Chris Martinez: Awesome. So we'll make sure to include information on both the book and the podcast in our episode notes. So definitely check those out. All right, Brent, I want to say thank you so much for joining us. And I want to ask if there's anything else you want to share today.
Brent Lassi: No, I guess not. I'll just say thank you so much for this opportunity to talk to you. I've really enjoyed working with the entire team at Nightfall. I look forward to continue to doing so and seeing your technologies expand and solve all of my dealer key problems. It's going to be great.
Chris Martinez: Great. Thank you. Once again, Brent Lassi, CISO at Bluecore. Thank you once again for joining us.