Okay, we're back, this is Dave Vellante with Jeff Kelly. We're live at splunk.conf 2013, this is the second year for theCUBE. theCUBE is a live mobile studio. We go out to the events, we extract the signal from the noise. We bring you the best guests that are attending these events. Demetrios Lazarikos is here, he's otherwise known as Laz. He is an IT security strategist, he's a thought leader in the area of security and big data. He's a former CISO at Sears Online. Laz, welcome to theCUBE.

Thank you, it's great to be here.

Yeah, so tell us a little bit about your career. You very recently left Sears Online, you're kind of out on your own now doing the consultant thing. So tell us about your background and your areas of expertise.

Yeah, I grew up on the computer, my first computer was when I was 12. I was recruited by the Air Force at a very young age.

What was that computer?

It was a VIC-20, then I had a 64 and then a TRS-80, et cetera. Got a thumbs up out there, thank you. And then the military gave me actually proper computers to work on, well, not proper, but you know.

It's a real one.

Yeah, it graduated to a bigger platform.

Okay, so take us through the rest of your career.

Sure, absolutely. Post Air Force I spent a lot of time working in the private sector and then with some of the agencies around the areas of privacy and security. And you know, one of the things that I learned when I stepped out of the Air Force was that a lot of companies really didn't take security seriously back then, and what I mean by that is it was more of a checklist or something they had to do as part of a regulation. And I think when it really started to get pretty serious, however you want to look at it, is when PCI really became powerful.

And that was the Payment Card Industry standard.

When they put teeth into the, you know, the fines, and you know, you could actually quantify what it was going to cost you to not be compliant.
I think that was a time where people started to really take security seriously. And that was around 2000. And you know, at that time I had a couple of consulting companies, and as I was starting to build platforms on security for both quantifying and producing loss exposure formulas, I think one of the challenges that I was faced with was, well, the government and financial institutions really understand this. Who else understands it? And at that time retailers really started to take off. So companies like Orbitz really understood it, Travelport, ebookers, HotelClub, and those were some of my clients back then. And as, you know, as I started to grow in my career, you know, I received a phone call from Sears. They asked me to come and build a security platform and a program from the ground up, which I did. I grew up outside Chicago, so, you know, I welcomed the opportunity to go back there and build something from the ground up. They gave me a lot of latitude to look at emerging technologies and also look at what we needed to do to make sure the platform was going to extend and grow and keep continuing to feed the big data.

So I'm listening to you describe this, Laz, and I'm feeling like there's a series of concentric circles. You said the PCI, you know, standard was sort of the catalyst within narrow industries, government and, well, government has always been sort of security conscious, but the financial services industry has started to expand out there, HIPAA with health care. And it's still, I still feel like the circles are growing now with the NSA and PRISM, you know, people think, oh, wow, I'm concerned about, oh, you're saying the NSA actually can get my data if they ask Amazon for it, or Workday, or anybody else?

Sure. I can't comment on that one, but thanks for asking.

Yeah, well, so what you may be able to comment on is people, because of the media now, are much more aware of the way in which their data is exposed.

Yeah, absolutely.
And they're starting to ask questions that they weren't just six, nine months ago.

Absolutely. And I think part of the challenge is, right, so, you know, going back and looking at those circles, right, it started with the government, then it made its way, you know, to the financial institutions, you know, with GLBA and some of the FDIC guidelines that were there, and then, you know, PCI and then PII data protection, EU. So as we started to see it expand, it just became more powerful. And now the challenge is communicating with each other and figuring out, you know, do I need to build this program? And if so, where are my assets? How are they collecting, storing and processing that information? A lot of companies don't do that.

So, Laz, tell us a little bit about your perspective on how you've seen some of the security threats grow and change over the last 10, 20 years, and how companies are responding to them. We heard Prescott Winter in the keynote earlier talk a little bit about, you know, the idea of keeping everybody out of your network now is pretty much, really not doable, and people are getting in, and now you've got to kind of understand, based on data patterns, what people are doing once they're there.

Absolutely. So a couple of things on that. I sat through Prescott's discussion, and one of the challenges that he pointed out was organizations want to go out. They want to communicate with the cloud. They want to communicate more with third parties. I think there's a way to do that, but you need to understand behavioral patterns. You need to understand session intelligence. So, you know, there are tools that are out there that will help you quantify, you know, the good or bad traffic on a website and figure out what to do about monitoring that behavior piece of it. I think, you know, you have tools in place for, you know, analytics. Companies like Silver Tail are out there.
They have a wonderful tool that you can look at session behavior for, and that's one aspect of it. You also need to complement it with other threats that are going on. So when I talk about behavior analytics, that really gets to the problem of internet-based traffic for internet-facing web applications. The other challenge I think organizations are faced with is the traditional security tools are being bypassed by cyber criminals and malicious activity. So when I talk about, you know, the traditional tools like IDS, IPS, and firewalls, not only are they being bypassed by these cyber criminals and hackers, if you will, behavior analytics becomes so much more important at that level, and that just opens the door for big data. And when I talk about big data, it's a marketing term. It's what the industry is using. It really goes above and beyond just the behavior analytics. It's tying together all the pieces and parts of the application, the infrastructure, the mobile devices, third-party people touching the network, and then looking at it and being able to determine what is good or bad behavior and sending up alerts based off of that, so operations center personnel can make better decisions about what to do with that type of behavior.

So it sounds like you almost have to approach this like a CSI situation. You've got to take the different data points and put them together to kind of create a profile of activity, and then determine what is good behavior, what is bad behavior, or suspect behavior.

Absolutely, and that's a great approach, and I think you touched on it just a second ago. It was what does the evolution look like over the 10 or 15 years, and I think, you know, I touched on it a little bit with the behavior analytics, but I also think it's important to understand that the criminals are actually better organized now.
They're communicating the same way businesses do, online, text, tweets, chat, et cetera, and I think as they are progressing in their ways of attacking businesses, we as security professionals have to do the same thing. We have to keep moving forward in evolving. We know they are, we have to do the same thing.

So one of the big changes that we've talked about in terms of the way in which the bad guys have evolved is, you know, even five, seven years ago, it used to be when they, you know, when they got in, they would do jumping jacks and, you know, say, hey, we're launching a virus, yay, look at us, look at us, and it's completely changed. There's big, you know, some bad guys are making big money. There's marketplaces, they're trading, you know, identities and the like, and so it seems like the industry, we've talked about this a lot on theCUBE, really needs to and has shifted some of its emphasis from, you know, the perimeter, keeping the bad guys out, to, you know, I think I saw a stat recently that, after an intrusion, on average, it's something like 415 days before the intrusion is even detected, on average. So better technology and processes that need to identify the fact that there's been a breach. So I wonder if you could, first of all, is that a legitimate trend? I mean, is that a legitimate observation? And what is the industry doing? Is it doing enough? What can be done?

Well, so there's a handful of things that can be done. First one is that statistic is high. It appears to be high, but it's actually been published. So over 400 days to figure out if you've actually had a breach or a compromise. So usually that means that somebody's been inside the network or on the computing systems for over eight months.

Now you're saying that's high, in reality you're saying the number's lower than that?

No, no, no, that is an accurate number. It isn't accepted. The number may actually be low.

That's when people, think about the organizations that come forward.
Exactly, yeah. So there are organizations out there that don't know they've had a breach or compromise, that are in that window right now of 400 days, and they haven't published the stat. So I'm going to say that stat is actually probably higher than that 400 that you've been hearing. You know, the second thing is, security has to be driven from the board of directors and the C level down. It is critical for organizations to realize that they are a target. So when you talk to an organization, typically when you talk to the C level or the board of directors, they may make a statement, and I've experienced this myself. When I talk to board level executives or C levels, typically the response is, well, I'm not a target. Why would I be a target? And when I work with organizations I typically peel it back and say, okay, well, are you a publicly traded company? Okay, well, you have sensitive financials, product roadmaps, you have trade secrets, intellectual property that you're trying to protect. How much is that worth if somebody from overseas took that from you? What if somebody had your roadmap or the intellectual property that you're protecting? Is that a billion dollars, 10 billion dollars? What's that worth? And executives need to understand not only that they're a target, but they have to understand the risk. And we're watching the evolution of this. Security professionals are starting to move towards a risk-based approach in security. We need to be better at it as professionals in the security aspect, but I think educating the board level, senior level and taking a risk-based approach will have to happen, and it's got to happen quickly.

So conceptually the business case seems pretty straightforward. It's the probability of some kind of breach and it's the severity of that breach. And I would think the probability is almost a certainty these days.

Well, unless you have a computer that's turned off, off a network and in a closet, you're not prone to that.
You don't use social media.

Right, you don't use social media, Twitter, LinkedIn, et cetera. Yes, then you're protected. However, the entire world, as we were just talking about this a moment ago, the entire world is going down the path of this open environment, this open network. How do we communicate? How do we collaborate and share information? We do it online. And the challenge is we're doing this as a business. The cyber criminals and the hacktivists are also doing this as a business. As we mobilize, they mobilize. And unfortunately, sometimes the business doesn't align to what the best practice should be for information security.

But it would seem the hard part of that equation is to figure out, okay, I know that within the next 10 years I'm going to have a breach, maybe probably multiple breaches, but it must be hard for executives to determine the severity of that breach in terms of determining, okay, how much should we actually invest in security? What are your thoughts on that? Can you help them? Do you have a framework to help them understand that? Or what's the best practice there?

Yeah, absolutely. Some of the time that's put into this is the research above and beyond what a traditional executive may have to do. So when I say the research that has to be put into it, I typically coach executives to reach out to Forrester, Gartner, and talk to the analysts there. And Forrester and Gartner are actually moving in the direction where it's not just a hard number, not a percentage of IT, they're actually looking at information security as a risk-based approach. There's other organizations like CXOware who take a risk-based approach and then can quantify those losses for executives.

Excellent. So let's talk a little bit about the vendor landscape. So how has that changed in your time?
So we're seeing, obviously now we're here at Splunk .conf and they're known for analytics around machine data, not specifically a security play, but obviously it's a big part of their business, applying their technology to security use cases. Are you seeing a merging or a coming together of some of the traditional security vendors and some of these newer big data analytics players? What does the landscape look like out there? If you're a C-level exec or you're a CIO or CSO and you're looking to make some investments, how do you know what technology to go with?

Yeah, absolutely. Well, and I'm just going to be very transparent with you on this. Splunk has a wonderful tool and it's open, and what I mean by that is it can take data feeds from any system or device, and that's critical today because it's going to help companies extend on their big data strategy. Specifically for security, you know, those numbers are growing and increasing, the events, the threats and the potential data that you want to put in there. As far as the vendors that are out there, we're seeing a lot more vendors in the mobile space. We're seeing a lot more vendors that are trying to do big data analysis. You know, the tools that are out there, I mentioned Silver Tail earlier, there was an acquisition there by RSA and now they've got a great portfolio that ties into the intelligence behind the scenes and how do you manage that? That data could actually feed into Splunk as well. So we're starting to see vendors come up with cool and innovative tools, mobile, analysis, big data, but we're also seeing the acquisition of some of those companies. So it's going to be an exciting next three years.

And how is the role of a security professional evolving? Do you need more data analytics skills now than perhaps in the past? How is that evolving, and are security pros keeping up with this changing world?

Okay, great question.
So I think if you look back, and I'm just going to talk historically, network and OS security is kind of where people thought of traditional security professionals, but now it's extended. So as the spectrum grows, now we're taking in mobile, social, big data. There are areas and disciplines that you could actually build a career on right now. So it's really challenging for the security professional to keep in touch with all of the different types of threats. So that's why I lean on the risk-based approach and the threat landscape and tying those two together. If I were going to coach somebody right now that wants to grow in the infosec arena: pick a place, learn several areas, but then collaborate with other security practitioners to see what's happening in their environment at the same time. I think it's critical that we collaborate. I think it's critical that we mentor the younger security professionals as they're coming up. And I think it's just going to be something that we have to be cognizant of in the next three to five years.

All right, Laz, we've got to run, but one last question: you're in front of a board. You're talking to the C-level executives. What's the one action item that you would advise they take immediately?

The one action item is to perform a risk assessment on all of their IT assets right now. Put a budget in place, hire a company to go in there and coach them and train them on why this is important and what they need to do. Don't spend money on firewalls. Don't spend money on hardware. Don't spend money on software. Do a formal, perform a formal risk analysis of your environment before you make that investment.

Now, how do people get in touch with you? If they want help, of course, you're not plugged into the internet. You don't know social media, you know.

Yeah, you know what? I'm going to give you my contact information.

Smoke signal, maybe?

Smoke signal, yeah.

All right, contact @dvellante on Twitter and I'll put you in touch with Laz.
How's that?

Sounds good.

All right, great. Thanks very much for coming on theCUBE, Laz. It was great to have you.

Thank you.

All right, keep it right there, everybody. We'll be right back with our next guest. theCUBE, we're live from splunk.conf in Las Vegas.