Instrumenting Security

To this day, when I wander the Baltimore Inner Harbor, my mind returns to the early NCSC Conferences of the 80’s and 90’s that helped define our industry. Perhaps the salient aspects of those events were not the tech presentations – even though there were some fine ones. Rather, what was so prescient in those days was the recognition that half the game in cyber security was proving that you did it right: Do security. Now show me you did it correctly.

We referred to that demonstration process as assurance, and fully half the NCSC talks each year would focus on this aspect of the challenge. Granted, many security researchers (like me) approached the task using formal methods, and this did not exactly pan out as we’d expected. But the assurance portion of cyber security has not changed – which is a problem, because it is approached today using that weak substitute for formal methods: Compliance.

With this as backdrop, I connected this past week with industry veteran Brian Contos, CISO and VP of Technology for security start-up Verodin. Brian’s resume includes time at some of the finest security companies in our history such as Riptech, ArcSight, Imperva, McAfee, and Solera Networks. And all this came after breaking in at DISA and Bell Labs. So, I knew in advance that time with Contos would be well-spent – and I was not disappointed.

“Our goal at Verodin is to help customers to automate the evaluation and fine-tuning of their security infrastructure,” explained Contos. “Our solution is best described as a Security Instrumentation Platform (SIP), which is a new category in our industry. It is designed specifically to help cyber security teams optimize their investments and to validate that our recommended improvements actually work.”

The way this works is that security teams entangle the Verodin platform into their existing protection infrastructure. The Verodin platform then actively engages with the security stack to identify potential gaps. This is done by running attacks and tests to either find problems or validate that things look OK from a security perspective. “We prescriptively help customers measure, manage, and improve their security settings to the best configuration,” Contos said.

This starts with a so-called Director, which serves as the centralized engine for the SIP. It can be situated locally or in the cloud, and it integrates with all the various cyber security stack components in an enterprise through native APIs. Contos showed me a graphic with the logos of integrated tools and it looked like the sponsor sheet for the RSA conference. (Contos and others from Verodin helped invent the SIEM, so they know integrations.)

To complement the Director, Verodin provides a collection of SIP Actors that actively engage with the security stack to detect misconfigurations, gaps, and areas for improvement. These Actors focus on network controls such as NGFW and IDS; endpoint controls such as host and PC security tools; email controls for on-premise servers or cloud services such as Office 365; and cloud controls deployed into AWS and Azure.

Operationally, what happens is that the Director instructs Actors to test some specific control area. The Actor will thus run queries, check for proper formats, investigate timestamps, review parsing, examine correlations, and on and on. The overall process is referred to as the Verodin Effectiveness Validation Process (EVP), which presumably provides good insights into how well (or how badly) the enterprise security controls have been arranged.
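To make the Director-to-Actor loop concrete, here is a small validation check of the kind the EVP description implies, written as an added illustration rather than Verodin's code: for each test an Actor ran, it looks at what the SIEM returned and reports whether the event was logged at all, whether it parsed into the expected fields, whether its timestamp is plausible, and whether the control took the expected action. The test ids, field names and skew threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed field set a well-parsed event should carry, and the tolerated clock skew.
REQUIRED_FIELDS = {"test_id", "control", "action", "src_ip", "ts"}
MAX_SKEW = timedelta(minutes=5)

# Constructed: what each Actor did, when, and what the control should have done.
EXPECTED = [
    {"test_id": "T0", "control": "ngfw", "ran_at": "2019-03-05T09:59:00Z", "expect": "blocked"},
    {"test_id": "T1", "control": "ngfw", "ran_at": "2019-03-05T10:00:00Z", "expect": "blocked"},
    {"test_id": "T2", "control": "ids",  "ran_at": "2019-03-05T10:01:00Z", "expect": "alerted"},
    {"test_id": "T3", "control": "ids",  "ran_at": "2019-03-05T10:02:00Z", "expect": "alerted"},
    {"test_id": "T4", "control": "waf",  "ran_at": "2019-03-05T10:03:00Z", "expect": "blocked"},
]

# Constructed: events the SIEM returned when queried for those test ids.
OBSERVED = [
    {"test_id": "T0", "control": "ngfw", "action": "blocked", "src_ip": "10.0.0.5", "ts": "2019-03-05T09:59:01Z"},
    {"test_id": "T1", "control": "ngfw", "action": "allowed", "src_ip": "10.0.0.5", "ts": "2019-03-05T10:00:02Z"},
    {"test_id": "T2", "control": "ids",  "action": "alerted", "ts": "2019-03-05T10:01:01Z"},  # src_ip never parsed
    {"test_id": "T3", "control": "ids",  "action": "alerted", "src_ip": "10.0.0.5", "ts": "2019-03-05T11:30:00Z"},  # sensor clock off
    # T4 produced no event at all: a visibility gap, not just a detection miss
]

def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate(expected, observed, max_skew=MAX_SKEW):
    """Return {test_id: verdict}; a test is 'ok' only when every check passes."""
    by_id = {e["test_id"]: e for e in observed if "test_id" in e}
    verdicts = {}
    for t in expected:
        ev = by_id.get(t["test_id"])
        if ev is None:                                   # nothing reached the SIEM
            verdicts[t["test_id"]] = "not_logged"
            continue
        missing = REQUIRED_FIELDS - ev.keys()            # parser dropped fields
        if missing:
            verdicts[t["test_id"]] = "parse_gap:" + ",".join(sorted(missing))
            continue
        if abs(_parse_ts(ev["ts"]) - _parse_ts(t["ran_at"])) > max_skew:
            verdicts[t["test_id"]] = "timestamp_skew"    # correlation would misfire
            continue
        if ev["action"] != t["expect"]:                  # control saw it but did the wrong thing
            verdicts[t["test_id"]] = "control_failed:" + ev["action"]
            continue
        verdicts[t["test_id"]] = "ok"
    return verdicts
```

Each non-"ok" verdict points at a different layer to fix: the control itself, the log pipeline's parser, or clock synchronisation, which is the kind of prescriptive finding the interview describes.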

I asked Contos how improvements are implemented and how a security operator would make Verodin-suggested rule changes to tools such as Splunk or Snort. My concern was that these changes can introduce errors, especially when a human might fat-finger a new rule or configuration change. “We pay close attention to this update process,” he explained, “and our clear suggestions for DLP, endpoint security tools, IPS, WAFs, firewalls, SIEMs, and the like can be cut-and-pasted by operators to assist in creating or updating configurations.”

I also asked Contos about how they protect this powerful instrumentation infrastructure. Obviously, if the wrong person got hold of the SIP steering wheel, then erroneous instrumentation might be recommended and the entire enterprise security stack could be corrupted. His answer was involved, and rooted in a comprehensive RBAC-based protection process. I was glad to see that they’d considered such access control as an obligation.

In case you’ve not heard of Verodin, it’s not for lack of star power on their team. Along with veterans like Contos and CEO Chris Key (former Chief Architect for ArcSight), the company boasts advisors such as Jay Leek and Art Coviello. The team recently closed a Series B round led by TenEleven for $21M, and is backed by venture teams at Bessemer, Blackstone, CapitalOne, Cisco, Citi, ClearSky, Crosslink Capital, Rally, and Vital. That’s some list.

If you are interested in improving the instrumentation of your cyber security stack – and it’s hard to imagine who wouldn’t be – then perhaps you should connect with Brian Contos and the team at Verodin. Ask for a demo of their fine SIP solution and check out the impressive reporting screens that summarize their findings. And as always, after your discussion, remember to share with us what you learned.