CISO’s are Goal Keepers, All Guts No Glory - An Interview with Giovanni Vigna of Lastline

Giovanni Vigna.jpg

Interview with Giovanni Vigna of Lastline:

Cyber Security Dispatch: Season 2, Episode 08

 

Show Notes:
Today on the show, we speak with Giovanni Vigna – CTO and co-founder of Lastline, a cyber security startup, and Director of UC’s Santa Barbara Center for Cyber Security, where he also serves as a computer science professor. In this episode Giovanni shares his unique perspective as both a security technologist and an academic on educating and diversifying the next generation of software programmers and data scientists. Giovanni also shares his insight on technical superiority, buzz word trends, and how triage is the most overlooked and probably the most impactful aspect of security operations today. If done right, triage could be a powerful ally. If done poorly it can suck up time, investment, and leave you exposed. Lastly, we head to the soccer field and find out why CISO’s are just like goal keepers – all guts no glory. Can we really get credit for the attacks that didn’t happen? Find out in this episode.

Key Points From This Episode:

  • Vendor tools: Who should we be routing detections to?
  • The importance of giving the right information to the right people.
  • Tips for dealing with technical superiority and buzz word trends.
  • How small companies can establish their own technical superiority.
  • Why no one really believes how great you tell them you are.
  • What the next generation of software programmers are looking at.
  • How cyber security has become a cross-disciplinary concern.
  • What it takes to educate the next cyber security force.
  • Finding new tools to teach security in new ways.
  • Diversifying cyber security culture as we move into the future.
  • The benefits of hacking competitions and events.
  • Why a CISO is just like the goalie in soccer.
  • How do we get credit for the attacks that didn’t happen?
  • Evaluating pain points and the result of not solving them.
  • And much more!

Links Mentioned in Today’s Episode:
Giovanni Vigna – https://www.linkedin.com/in/giovanni-vigna-7881542/
Lastline – https://www.lastline.com/
Lastline on Instagram – https://www.instagram.com/Lastline_inc/
Lastline on LinkedIn – https://www.linkedin.com/company/lastlineinc/
UC’s Santa Barbara Center for Cyber Security – https://seclab.cs.ucsb.edu/
Black Hat – https://www.blackhat.com/us-17/training/advanced-practical-social-engineering.html

Introduction:
Welcome to another edition of Cyber Security Dispatch. This is your host, Ashwin Krishnan. In this episode, CISO’s are Goal Keepers, All Guts No Glory. We speak with Giovanni Vigna, CTO and co-founder of Lastline, a cyber-security startup, and Director of UC’s Santa Barbara Center for Cyber Security, as well as a computer science professor.
As he shares his unique perspective as both a security technologist and an academic, he shares his insight on how triage is the most overlooked and probably the most impactful aspect of security operations. If done right, it could be a powerful ally, done poorly it can suck up time, investment and leave you exposed.

TRANSCRIPT
[0:00:42.7] AK: So, welcome folks. This is another edition of Cyber Security Dispatch where we get security practitioners, both on the vendor side as well as the customer side, to come and talk about not your everyday conversation about, “Hey how we are bigger and faster and better than the other guy,” but really, talk about some of the things that are either overlooked because they don’t fit the “buzz word barometer” or because they involve what I consider to be non-tech stuff. 
Like humans and behaviors and affiliations and so forth. So with me today, I have Giovanni Vigna. I will have Giovanni talk about where he comes from. He wears actually two different hats, so it is a very interesting duality of conversations we can have but I’ll hand it over to Giovanni to talk about what he does and then we can dive in.
[0:01:29.6] GV: Okay, so yes, I am Giovanni Vigna. I am both a professor of computer science at the University of California in Santa Barbara and I am also the co-founder and CTO (Chief Technology Officer) of Lastline, which is a company that provides malware protection; tools to sort of fundamentally large enterprises. 
[0:01:49.0] AK: So why don’t we kick it off where we left off but just before we started the podcast; the conversation about what is happening in enterprises today when it comes to the mismatch of people, qualifications, and the real problems that they are trying to chase. You brought up a really interesting point. I want to make sure that the listeners get to hear for this.

this friend of mine is a security expert, an incident responder, and he was telling me that nine out of 10 times - hands up - doing stuff that he is completely overqualified for. So I was telling you, he gave me the example of reinstalling your mom’s laptop where you do it because you like your mom, but - you know - I am a computer science professor, so you know that is not my job. It should be somebody else’s job.
— Giovanni Vigna

[0:02:09.7] GV: No absolutely and this is something that surfaced more in my interaction with people around this convention than looking at the marketing materials of various vendors - the basic idea is that I think that we are experienced in evolution from a tool that does something, to looking at a tool that does something for somebody. So there is a new human aspect where you don’t want just a tool to provide you with some functionality, but you put more into the human context where like, “Oh this tool will allow this particular persona to do something better, more efficiently,” or to be the right persona in the first place. 
So I was telling about this friend of mine who is a security expert, an incident responder, and he was telling me that nine out of 10 times - hands up - doing stuff that he is completely overqualified for. So I was telling you, he gave me the example of reinstalling your mom’s laptop where you do it because you like your mom, but - you know - I am a computer science professor, so you know that is not my job. It should be somebody else’s job.
It’s sort of like, in the industry, there is this problem that now we surface all these alerts, detections, and things, but who do we route this detection to? And it is really a triaging problem, if you think about it, it is finding the right person with the right skill set that is not underqualified nor overqualified for the job. 
And so, these days there is a good rationale to actually also evaluating solutions. They’re like: “This solution in my context wouldn’t be able to sort of percolate up the right information for the person that I think will use this tool”. I think this is an important framework that is not as sexy as artificial intelligence and blockchain and other things that are very hot at the moment. But at the very core, it is a human problem and it will save money and time for companies because human resources are getting more and more expensive.
[0:04:23.6] AK: So let’s talk about the human element, right? Because given the number of vendors on the show floor over here, my eyes literally popped out like it’s been crazy. Yeah, on the one hand the supply is going through the roof right? Effectiveness is a different story, but supply is going through the roof, and on the other hand, you are saying that the first bar is - let’s say you are doing a POC (Proof of Concept) - but the POC’s is more on your terms in terms of how does this tool help me and my team? So that requires more time and time is probably the only commodity that people don’t have. You can even get budget but you can’t get time. So what’s your opinion in terms of how does a time-strapped organization which is every organization now go this extra step of saying, “Okay what does this particular vendor’s tool do to me and my environment?” So the POC actually is reflective of not what the vendor wants to tell you, but really what it means to you. 
[0:05:14.4] GV: Yeah, I think this is something that is focusing - the answer has to focus around value. So there are many situations in which vendors have a very set process in which they do their POC; they come to you with little or no flexibility and they don’t interpret the customer needs correctly. I think that I can tell my personal experience at last and I am not saying that we are the perfect POC people, so this is not a vendor plug. 
[0:05:44.8] AK: Pitch, okay. 
[0:05:45.4] GV: Yeah, not at all but I think that when I am personally involved, I really sit down and the first question I am going to ask is, “What is your pain? What is it that makes you really ‘ugh having that moment’” and sometimes, it is something that our solution has nothing to do with which is in any case interesting for me. I love these conversations with customers but often times, it’s really “I don’t have enough people. I cannot deal with this, too much stuff.”
And so, it becomes feedback for us as a company, but also - as somebody who thinks about these things - about how important it is to just give the right information to the right people. So this triaging of information is really important, and you see that in a way. It’s a great metaphor to say it’s in a hospital: you know somebody got in who has been shot, it is like what kind of wound that is because if you have been compromised where you have a generic ransomware on your machine is not as bad as major nation state actor that just came to your network and is trying to set up shop. 
Those are two different things, they should be sent to different personas. So the question that the customer can ask is, “Are you exposing to me these different scenarios that allows me to make the decision of sending this to X or Y?” I think that is something that is worthwhile to apply almost to any technology. You know, “Are you giving me the right information for my decision?”
[0:07:18.6] AK: So let me ask you this and again, I am not doing any vendor bashing right? Even though I have been on the vendor side for 20 years, I am extremely cautious about not throwing pot-shots but there is also this almost competitive nature, where if you are on the show floor in Moscone and you don’t have AI or machine learning in some shape or form in your booth, you are not going to get traffic. 
But on the flip side, it looks confident too, if you actually did not have that people actually look at you and say, “Okay so…” right? So in some sense from a vendor’s perspective while even if the most right minded ones where they want to do the right things, but they still have to elevate themselves, maybe above and beyond what they can and should be doing just to stay afloat right? So when you talk about this first meeting where you actually want to go there and ask the customer the question of the pain. 
To get to that first meeting, I need to throw all of these buzz words about otherwise I won’t even get to that first meeting and so what advice do you have? 
[0:08:16.0] GV: I think that in this environment especially, technical superiority is perceived as a plus. So first, make sure that you find ways to establish your technical superiority. Maybe you are a small startup, you don’t have a lot of marketing power, but do something - prove that you can do something really well. And sometimes, that means for example setting up a website where you allow people to submit samples and you analyze them for free to give a possibility for people to appreciate your technical credibility. 
And the credibility piece is the basics, then once you have that you start having a few friendly customers that you convince that you are small, but you move fast and you can really innovate the field because what I expect from a small company is that you innovate. If you are a five people company that does exactly the same thing that IBM, Trent, Marcus and Mega Feed do - well no, I expect you to move fast and break things. So please do so. 
Prove that you don’t have the marketing infrastructure, you don’t have the sales force infrastructure, but you have something new then you will get the POC. Then you will prove your superiority and then word of mouth will spread out. I think that buzz words – heading up a small company that says, “Oh we’re great, we do this, we do that, we’re great at this, we’re great at that” that no one believes anyway. No one believes it anymore. 
So you have some credentials, for us for example, once again we come from academia and so we actually had academic tools, Anubis and Weapon Ware that we made for free available to the customers. People use them, they love them, and that feedback is what actually prompted us to start Lastline and for us, it was like: “Hey we did that stuff and you seem to like it”. Now we have redone it “the right way” and now we are selling it, and that was a very good starting point to sort of say, “Hey we are not a bunch of bozos, we actually kind of know what we are doing”.
[0:10:22.4] AK: Right, so you bring up a counter example of what most value startups or even outside of the value, right? Where you have an idea, you go pitch it to a bunch of VC’s, try to convince them, maybe do – I mean it is getting harder right now. You still need to have at least a beta product that you can actually show. Well they are saying is: “It no longer a PowerPoint, it needs to be a demo”. 
So the bar is getting higher but to prove that you are not talking about that you had as an executive at Lastline. To be able to actually open source something, get feedback, you know that is an unfair advantage that you’ve got that most companies do not have that, right? And sometimes they have to retrofit the existing product to changing market needs which is where most of them are caught up but let us switch gears a little bit. I mean let us go back to your other hack, right? And so you are in the throes of looking at what the next generation, software programmers and computer scientists, and data scientists are looking at. 
What are you seeing different than let’s say what you or me have encountered and is there a mind shift difference? We keep talking about them as the Pinterest generation which have very little attention span so on and so forth, what’s your experience been? I mean how are they looking at this new world? Are they shocked, are they jaded by what their parents have been doing? 
[0:11:37.3] GV: No, I don’t think they are shocked or jaded. Maybe jaded but not shocked. I think that if I look at when I was a kid or when I was certain of my student’s age - and I was one of the few people in a huge university caring about security. Security was not a topic. Nobody knew about security. If I would say that I knew how to do a buffer overflow, I would be considered like – 
[0:12:05.8] AK: The good one. 
[0:12:07.1] GV: Oh my god, like this amazing hacker. Now it is considered the lamest possible thing that you can do and also probably not applicable to 99% of the technology out there. I see nowadays security being a concern everywhere. People got it. People got it that some cameras can be network to generate the largest DDOS (Distributed Denial of Service) we have seen in history. We get it that somebody can steal your information and steal your identity. 
This is every day experience. So this reflects directly in the experience that we have in computer science and education. Right now, it would be unthinkable to teach an operating system class and not teach security. It would be unthinkable to teach them a machine learning class and not teach adversarial machine learning. So what was a narrow discipline has become a more cross disciplinary concern that you have to take into account every time. 
People realize that. We still have to do a lot, to be able to educate enough people and a diverse group of people to be the next security cyber force. In this, there are many things that we have to do. We have to change some more aspects of the culture that has been white and homophobic and sometimes not receptive to women in the past. We have to change that and in addition, we have to find new tools to teach security in new ways. 
For example, I love the use of hacking competitions. I think that it is great because students get in this competitive environment - they go crazy. They develop new tools, they do a 180% of what they would otherwise do. So I like those new tools to involve people and make them think about security very early since high school and even sooner if possible. 
[0:13:54.5] AK: So that is really interesting that you mentioned that because you’d probably noticed as well but I found this really surprising at the social engineering contest they had at Black Hat. 
[0:14:00.6] GV: Yep. 
[0:14:01.0] AK: This one’s got the simple phone booth and social engineers are on their way and that has gotten so many people now much more aware; versus getting something either from security and IT saying, “Hey you got to go through this training” because having this person who has very little “computer science security experience” be able to completely social engineer a way of people giving their credit card numbers and social security. Their mother’s maiden name, everything. So in some sense, I think it is important - what you are saying is to be able to transform that culture. 
So coming back to the ecosystem within an enterprise where you have a “lonely job” of a CISO (Chief Information Security Officer) which is really trying to continuously show ROI (Return on Investment) and not be in the news for the wrong reasons. 
[0:14:48.9] GV: Exactly. 
[0:14:49.8] AK: And be able to bridge the gap with marketing and IT operations and customer support who can literally show RIO pretty much at any given moment, right? I had this conversation before - I want to hear your opinion on this. How does that group now make themselves much more frictionless in terms of what they do but also, do they have to be better at marketing and sales internally? So that they become part and parcel of the larger, they are not fighting this lonely battle of, “Okay so we are the Darth Vaders of…”?
[0:15:25.1] GV: Yeah, I mean this goes back to the problem of sort of like selling insurance in a way and if you look, there was simply ransomware attack in the Atlanta administration and they lost millions of dollars. So those are the sort of the case studies. They say, “Hey your investment in some effective security ecosystem eventually will have an ROI in not having an incident that caused you $2 million,” but this is very difficult. 
You know I always compare the job of a security or a CISO to the one of the goalie in soccer, you know? Nobody cares about you. You’re like “Yeah, you did your job.” You know, you can be an amazing – nobody recognizes – “We had zero goals, you’re amazing, okay, good”. But the moment something goes in, “You failed, you are a failure”. It’s very difficult to quantify ROI and I think that’s when we go back to that triaging thing that my value is the time of my people. 
If I can process events faster because I assigned those events to the right people, then I’m providing value because otherwise, say, I blocked that, yeah, imagine someone saying, “Blocked attack, blocked attack, blocked attack”. After a while, it’s like yeah, that’s not – 
[0:16:45.3] AK: That’s not value.
[0:16:46.8] GV: That could have gone through. You’d been calling some incident response team from some big firm asking you, you know, 35 million dollars to handle the whole – don’t do that, you know, think in advance, think – it’s not just insurance it is being prepared. 
We live in California - I mean, I live in California - and I am very well prepared for an earthquake. Do I want an earthquake? Hell no. But the moment it happens, I hope I have enough water, and enough, you know, the supplies that I need and so forth. You have to think in advance even though I bought all these 30-year preserved food that I will never eat and I don’t want to eat.
[0:17:29.0] AK: Yeah, it probably doesn’t taste good either.
[0:17:31.4] GV: It tastes probably horrible, but I know it’s there and in case something bad happens, I feel more protected.
[0:17:37.4] AK: This goalie analogy is a very interesting one because how does – like you’re saying, the ROI, right? The stop and attack or hit a firewall rule and - no one wants to know about that, right? I mean, in a 4 - 0 match a goalie comes, “Hey, I prevented all those from happening” but at the same time, if you don’t’ do that, you’re not going to get credit for the fact that they actually are stopping attacks day in and day out.
[0:18:02.2] GV: Absolutely.
[0:18:04.4] AK: Is there a PR function? A soccer PR function that has to be like every single day, the CISO and his or her team have to play this out, it’s almost like “Guess what? Play was secure,” right? After a while, obviously, people tune out. But in some instances, that you don’t do that, then yes, let’s say, an attack happens. But all the millions of attacks and hundreds of attacks that did not happen is completely lost.
[0:18:29.9] GV: I think that an interesting experiment which I don’t necessarily advocate just because of how I work. Is taking - not just how you have been protected - but how you fare compared to your peers? You know, compared to a company of my size in my same sector, how well am I doing? 
How many attachments they were malicious went through or not? Because that would give you an idea because that delta can also represent a gain in: “Now I’m better.” You can see the ROI in that respect. You can sort of like fudge up a number across multiple things without being, “Who’s better? Giovanni or John?” You know?
I think that could be a way to create an awareness of that. The fact that every day you present somebody, a report and say, “We saved your ass like 50 times”. After a while, people are going to say, you become numb. Okay, we have RS fix a file, “Okay, whatever”. You know, instead, having for example, really, an evaluation of the time that a certain person has spent on specific tasks.
Since you pay by the minute then it comes today, you know, “Before you got this tool, we were spending eight hours on this. Now we spend 1.5”. Then you can translate, you multiply by the hourly rate and the cost of those employees and you have a number - that’s your ROI - once again, you go back to the human, the time, and to the right person for the right job.
[0:20:10.1] AK: I found this particular observation revealing to me. Maybe it’s not to you but I’ll just test this with you anyway. I was at Black Hat, I think it was two years ago, actually, last year. Whenever [inaudible] happened, right? It was like around that time. This person and a typical Black Hat fashion, they either turned their badges around or they have a fake name anyway - remembering that person’s name, doesn’t even make any sense. 
But what he told me was, he says, “Okay, ransomware is now top of mind” but yeah, just happened to one of his competitors and he said, “My budget went up about $500,000. I’m going to tell the management that the system prevents ransomware from happening and I’m going to go and fix all the shit in my system for which I never got budget. Those are real problems”.
I then look at them and say, “This is actually a forward-thinking security guy,” who is, I mean, is a “gaming the system” for the right reasons.

The problem there is not stealing budget from one thing and using it for another - I can see how you end up doing that, I mean, it happens in any environment... But suddenly you know, you need to progress that particular research direction. The important thing is communication and being able to make people understand what is pain and what is the resolve of not solving that pain point.
— Giovanni Vigna

[0:21:00.6] GV: Yeah, everybody does that.
[0:21:03.6] AK: But is that the right kind of message to be sending where you’re projecting upwards that ‘Hey, your board is asking you this and yes we have it covered” and going and protecting to stuff that, again, which is of highest risk for the organization.
[0:21:20.0] GV: I think the particular interaction that you described is unfortunately evidence of a lack of communication between that person and the upper management. Because in a healthy environment, you would actually be able to pass the pain points, you know?
Maybe your pain point is handling the laptops of people that gets compromised all the time. I know of a company that have only chrome books. Every time, there was no compromise, it’s all in the cloud and something is bad with the thing, you throw it away, you put your key in the next thing and you’re done. 
They solved that gigantic pain point, you know? The problem there is not stealing budget from one thing and using it for another - I can see how you end up doing that, I mean, it happens in any environment, universities; you know, you get a gift for one thing, you ended up doing other – you do for good things, you’re not wasting the time. But suddenly you know, you need to progress that particular research direction. The important thing is communication and being able to make people understand what is pain and what is the resolve of not solving that pain point.
[0:22:32.7] AK: I know we’re almost out of time. I know we are on day three, I suppose depending on when you count but any big – if you had one take away so far – something you didn’t anticipate either positive or negative, doesn’t matter.
[0:22:49.3] GV: Maybe I’m jaded. I’m very seldom surprised. I would say that I had very interesting conversations with customers with more than vendors that surfaced, you know, these problems about saving time, the analyst to be really – I see the customer is trying to understand but that was surprising, in a way, was in line with our previous conversation but seeing that in the context of “I’m a little frustrated, they only tell me this - who does this, how they do it, why they do it”. You know, “They don’t take care of work on my use case persona.” That was interesting.
[0:23:34.3] AK: Cool, thanks for your time, this has been a very fascinating conversation.
[0:23:38.5] GV: Thank you for having me, that was very fun indeed.
[0:23:39.8] AK: Good luck with molding the next generation of leaders and thanks for your time.
[0:23:44.1] GV: Okay, thank you very much.
[0:23:44.8] AK: Thank you.
[0:23:45.6] GV: Bye-bye.