Compliance & Risks
#LetsTalkSecurity: Adapt or Die
Let's Talk Security: Season 02 // Episode 02: Host, Rik Ferguson, interviews Forrester Analyst, Allie Mellen. Together they discuss to adapt or die.
Save to Folio
Allie Mellen, Forrester Analyst covering SecOps, EDR, XDR, SA, SIEM, SOA
This episode was originally streamed on Thu, 27-May-2021 to multiple platforms. You can watch the streams (along with the comments) on-demand on:
Rik Ferguson: [00:00:00] yes. I didn't even wait for the music to end. We are live. Um, in fact, I wanted to directly quote from, uh, the fantastic diamond David Lee Roth. We are live in front of your naked steaming eyes and ears. Um, it is season two episode two of let's talk security. Um, I just wanted to start by saying that I was absolutely overwhelmed with the response to last week's, um, episode.
The number of people that we had, um, viewing live across all of the various channels was, uh, mind blowing. So, thank you all for joining us. I hope you're all back today. Um, it's, it's, um, it's an absolute pleasure, uh, to have the chance to speak with you every week. Um, I might even try and persuade them to let me do more than six episodes this time.
Uh, who knows. Um, we had a fantastic chat last week, uh, with Alyssa or we have nothing less, uh, for you this week as well. I have made a conscious effort. Uh, I think in this season to bring you the wisdom, the thoughts, the journeys, the points of view of people that you may have been less exposed to than the people I spoke to in the first season.
Um, because I think I, I, I like to make up, uh, pithy, uh, almost worthless phrases and post them on Twitter, but I think we all like to do that. And today I said, um, less, more of the same, it's more skin in the game. So, I think it's really important that we bring in more voices into the global conversation.
And the first voice that I want to bring in today is a coder is a scientist is a researcher, is a hacker and is now a Forrester analyst and she is Allie Mellen.
Allie Mellen: [00:06:46] Hi
Rik Ferguson: [00:06:48] Welcome to let's talk security. Thank you so much for agreeing to, to come on and talk to us.
Allie Mellen: [00:06:53] Thank you so much for having me.
Rik Ferguson: [00:06:55] Um, so I said a whole load of words about you just then coder, scientists, researcher, hacker.
Uh, I could have said material scientists actually, I think, and now, um, analyst at Forrester. So first of all, I think for, for the benefit of all is who is, who is Allie? Who are you?
Allie Mellen: [00:07:14] That's a big question. Um, well, at this time I am a Forrester analyst covering security operations. Um, I have been in this role for almost six months now, which is pretty exciting.
I do love, um, security. I love public speaking. Um, I love talking about and helping our clients with their security strategy and it's something that I think I'm the most passionate about and feel very lucky that I found a job that I really love. Um, but then there's that whole outside role of me. That's not tied to my work, um, which we get also get into, but I don't want to, you know, spend the whole hour just hearing me talk.
Rik Ferguson: [00:07:57] Hey, everybody else does. That's why they're here. Don't be shy. Don't be backwards about coming forward. Right. So, you're your first analyst. You're right now um covering XDR and SOC and those kinds of technologies. And you've been in the role, um, for this year basically. And you start at the beginning of this year. So, um, that's I mean, the first question then is how was that?
How was onboarding it and organization, you know, the size and scale and reputation of, of Forrester. How has it been onboarding during a time? Have you met anybody face to face?
Allie Mellen: [00:08:31] I have met one-person face to face and it was wonderful. It was one of my colleagues who covers compliance. Her name is Allah Valenti.
And actually, so we both live in New York city and she invited me over and made me spaghetti and meatballs. And we hung out in her backyard and it was like, it was such a nice moment to actually see another human face to face. Since we're both vaccinated.
Rik Ferguson: [00:08:55] That sounds like the best onboarding ever turning up in a, in a office where no one knows who you are to look at a second hand laptop on the desk in front of you.
I mean, I liked the idea of spaghetti and meatballs and boarding in the pandemic for the win.
Allie Mellen: [00:09:08] No, but really, um, the onboarding process with Forrester was really, really great. Um, I was joining at the same time as another one of my colleagues, Steve Turner, and, um, my boss, Joseph Blankenship was kind enough to introduce us before we started.
So, we got to kind of know someone going into it. And, um, I've just had the best time with this team, such a smart team, such a fun team. Um, it's been really great.
Rik Ferguson: [00:09:32] So what's the journey been up up until now? I mean, a lot of people will be looking at you thinking, how do I do that? What's my, what's my trajectory.
If a lot of people have a goal of working for, uh, an analyst organization, for example, or being a public spokesperson for an organization, a lot of people have a lot of stored knowledge, wisdom, um, that they want to share with everybody else. And, and we need to hear from them. So how do people, what was your journey?
How did you get to where you are?
Allie Mellen: [00:09:59] Yeah. So, one of the interesting things that I find with security, especially more than I think any other field is, there are no traditional trajectories. People just kind of end up here in these very weird ways, whether they have a technical background or not. And, um, it's, it's kind of amazing.
It really shows how much creativity we need to bring to the situation that we can have people who specialize in all of these different things, contributing to security in some fashion for me. Um, I really got started in security, uh, back when I was in college. I, so I started my career doing research out of MIT, on material science and the department of material science and engineering specifically on liquid metal battery research, which was so cool because this was a while ago.
I'm not going to tell you how long I don't want to date myself, but really at the time. Um, and I think still even now grid scale energy storage is so pivotal as we look to, to help out our environment. And so there really, we were solving a problem that really still needs to be solved. And that was so cool to have the opportunity to work in that lab.
Um, at the same time I was going to Boston university studying computer science and I liked computer science, but it was very theoretical to me. And, um, there's a big divide at Boston university between the computer science department and the computer engineering department. And so, I switched to computer engineering.
Um, and that was, that ended up being my degree was computer engineering at BU and senior year. This is where the fun part starts senior year. Um, I took a cybersecurity class. It was like the only one available in the entire, um, in the entire university. And it was so freaking cool. It was. The beginning sucked, but then we got to things like our midterm, we had to hack a server.
That was, it was just, it was so real and it was so exciting and fun and we get to apply all the boring stuff we had learned, and I just loved it. And, um, for that, um, for that class, I had to do a, uh, mid-year assignment and my assignment was to either recreate someone else's security research or to do some of my own.
And so with a couple of colleagues, I, um, we worked to ultimately hack the square Veeder and turn it into a credit.
Rik Ferguson: [00:12:25] This is what led to the blackout talk. Right?
Allie Mellen: [00:12:28] Yeah. And so, um, it was really just a Thanksgiving break need to get the project done. So, we can, you get an A type of decision, um, after some very long nights.
And, um, our professor was so thrilled. He was like, you should submit this to black hat. And it was just like, I think maybe like a month until the deadline for submissions and we submitted and got accepted. And so that was my real first experience in cybersecurity. Was Vegas. What?
2015 Blackhat, right?
2015 Blackhat. Yeah. Yeah. Going to Vegas, um, presenting at black hat, getting to meet the really awesome and crazy community, um, being on CNN and CNBC. And I was like, my God, I love this. How could I not, you know?
Rik Ferguson: [00:13:20] I was going to say how was it because we've never met in person. Um, in fact, um, we've only spoken on two occasions prior to this broadcast.
Um, but you strike me as being a relatively fearless person. Um, and maybe taking those first steps needs that kind of character or were you nervous?
Allie Mellen: [00:13:40] I was nervous as hell. Oh my God. I was like, so I ended up going with one of my, um, one of my good friends who was also doing the research with me. And we went to my parents' house for like two weeks before because they live in Florida.
So, it was a nice, nice place to prepare for black adult put it that way. But my sister, we would stand in front of her and do the presentation and she would write down every single arm or like hopeless. And then she would tell us the count. And she was like, this is a pinnacle. We had to keep doing it over and over again.
Um, I have never, historically I've had a really hard time public speaking. Uh, as a definite introvert, um, it's one of those things that just scared the hell out of me, but actually because of the pandemic, that was where I really started to hone my public speaking skills. Um, because like we were doing conferences every week, you know?
And so, there were so many opportunities to speak in front of other people. And I just was like, I'm just going to do this until it doesn't suck anymore. Which is pretty much my life it's.
Rik Ferguson: [00:14:49] Yeah, it's been kind of, it's been a lot like that for me as well too. I mean, the, the volume of events actually went up during pandemic, which is what we expected initially, so.
Okay. And then, so you, you, you went through that, you did your blackout presentation, you did some, uh, you did some work at cyber reason and from cyber reason, you're into Forester and you're focused on XDR. Now I found a quote, uh, from you relating to XDR. Um, uh, I think it was published on tech target, but as far as I know,
Allie Mellen: [00:15:17] You did your research.
Rik Ferguson: [00:15:19] Yeah. A lot of vendors are saying we enable faster detection, faster response and better integration. So, we must be XDR, but that's not what XDR is, which is a great quote, but it doesn't help me understand what XDR is. So maybe we should start there. What is XDR why is it important? And actually, I've got a ton of more questions.
So, let's stick with that. What is it? Why is it?
Allie Mellen: [00:15:44] Yeah, so XDR is a term that's been around for a few years now. Um, but it hasn't really been a term with a strict definition in part because the term kind of originated at Palo Alto networks. I was such, I feel like when these terms come up at a vendor, they're very outcome focused, which is really important for clients, but at the same time, the marketing language, it can be difficult to parse through that and understand what exactly is happening.
And I think, especially in security, we have this mix of really, really technical people and really, really skeptical people who they want to understand. What's actually going on under the hood before they're really comfortable with saying, okay, this is going to be better. This is not just someone saying, Hey, I'm throwing AI on the problem and it's going to be great.
Yeah. So, but that doesn't answer your question about what XDR is. So, I'm getting that that's a set up. Yeah. So I, um, since I started at Forester, actually kind of since before I started Forrester or even I've been doing research into what XDR is, I interviewed over 40 different vendors and talk to a wide array of end users, as well as other leaders in the space that might not be affiliated with a vendor, but, um, keep, uh, keep a good tab on the industry.
And based on all of that research, I came to the understanding that XDR is really the next evolution of endpoint detection and response. And it makes a lot of sense when you think about it because EDR technology has had really impressive market adoption, but at the same time has been limited to the end point, which while a very important, uh, source for detections doesn't include things that would give an analyst a lot more context about what's happening in the environment and how they can respond.
They still need the SIM. They still need the soar in order to orchestrate those response actions. So what XDR looks to do is to bring in other sources of telemetry to aid investigation, and also to allow, um, XDR to act as an orchestrator for response actions on these other control points, so we'll be replacing
Rik Ferguson: [00:17:53] SIM and saw, or is it complimentary to, or what's the, yeah,
Allie Mellen: [00:17:58] right now it's complimentary to there are, but I think in the next five years, we're going to see it outright.
A main competitor to security analytics platforms, combination of SIM soar and, uh, UMBA and all of that. But really what XDR looks to deliver are improvements to three different issues that we see security teams facing today. The first is alert, fatigue and too many false positives in the SOC and the way that it does this is by instead of taking that more nebulous approach of let's put all the data in one place and perform security analytics on top of it to figure out what's going on XDR is like, Nope, what we're going to do instead is continue to base detections in these high efficacy, uh, telemetry sources, like the end point and soon like cloud, and then enrich that with telemetry from other security tools in order to, um, not only make the alerts themselves higher efficacy, but also aid in the investigation in that response.
The other two are on the investigation side. Um, which is really pivotal. And we've kind of talked about this already, just in these few minutes where analysts need more context. And so by bringing in those other sources of telemetry, um, XDR can, can give them that. And it's not just about bringing in all of this data, but it's also about being mindful about how it's presented and presenting it through automated root cause analysis to say, this is where the attack started.
This is where it's been going. These are all the effected assets that need help.
Rik Ferguson: [00:19:36] And it's about presenting stuff as a story, right? For me, it's one of the things that strikes me as being really key to effectiveness of an XDR type solution is being able to take a whole bunch of discreet events and present them as a narrative and say it started here.
It went in all these different directions and it had these different outcomes and you can follow the path of every single one and you can follow it back as well. So you've not only have you got effective mitigation, you can do root cause analysis. Um, and you can even, I guess, hone in on, um, the kinds of tactics that may be beneficial to the organization for behavioral change as well, which has gotta be a key part of it.
Right. I think to be honest, that stuff is missing from this is, this is me thinking out loud right now. This is literally, um, I think a lot of that stuff is missing from XDR platforms as they stand today, because it's a, it's a key part of a security response. Isn't just responding to the events on end points.
Um, the code level events, the process level events. It's also responding to the behavioral events that make attacks successful. And I would love to see that integrated in XDR type platforms. Not only, you know, the following files were dropped and DLLs were hooked and processes and so on. Analytics say, for example, of a phishing email, these were the, you know, the ones that have been most successful in your environment were the ones that had this kind of message.
And, you know, ML can do that kind of analysis on email content already, or we're not asking for the moon on a stick, but it would be, you know, that would be good functionality to begin throwing into XDR I just invented something live on air marvelous.
Allie Mellen: [00:21:16] Well, no, it's a really great point. And we're seeing this, this is especially happening with MDR providers right now, but some XDR providers are also doing this where it's not just about the response in that moment, but you can also recommend either resilience or mitigation recommendations.
And this kind of ties back to MITRE shield where they're building out that, um, that framework in that library of things. Um, analysts can do in order to make their environment more secure. Why aren't these tools helping us with that they really should be. And this also ties really well with what you were talking about.
Um, what we were talking about a little earlier on, uh, like the nontraditional paths you take to get into security, we need to give people more time to be creative in the SOC. Um, we need to give them time to like, say, Hey, that didn't look quite right. And I actually have time to investigate why and enable them to use the different perspectives that they bring to the table in the SOC.
I think that's so incredibly important and it's something that we can really help support if we can make these tools.
Rik Ferguson: [00:22:22] And I think that's one of the key things. And I just want to, by the way, reassure you William Markham, I've seen your question and I am going to address your question. I'm just waiting for the context to address it in the, in the right place.
So, despair not, and we welcome any other questions to come in live while you're watching. If anything, just pops into your cranium that you want to get an answer to now is the time now is your chance. You don't get a chance with the first analyst like this very often. So, take it. Um, I talking of SOC I in, in one of the last sort of in-person presentations I did before the world, a lot to sought down, I was talking about SOC and alert fatigue, and that was trying to quantify it.
And I found a survey. I think it was a survey carried out by over men. It was a survey of the financial sector, uh, and it was something like, um, 66% of respondents to this survey in the financial sector said that they regularly dealt with more than $100,000. In every 24-hour period. So, it was a huge number of respondents with this massive volume of alerts.
And I thought, what does that actually mean? What w what is, what is happening then in the SOC, if that's the volume of data. And so, I tried to quantify it with numbers. Um, if you take 25 minutes to deal with every alert, because you've got to look for false positives, you've got a downgrade, you've got to correlate, you've got to do the triage.
Basically, say it takes 25 minutes per alert for a hundred thousand alerts. That's 41,667 hours of work to do in every 24-hour period. But if you have, I mean, this is the whole thing of alert, fatigue. This is why it's a real thing, but a lot of people talk about it, but it's real. And it's borne out by the numbers.
So, if you wanted a SOC team that was big enough to do just that triage with that volume of work, you'd need over 1700 people in your SOC to be sure that you weren't missing. And I think for me, that's the biggest, uh, driver, the biggest argument for XDR type technologies. Right?
Allie Mellen: [00:24:23] Yeah. I think that what's interesting about that is really, I see the goal of XDR as being an automation engine in the SOC and an optimization engine.
Moreover, it's not about making an autonomous SOC. I really, really despise that terminology. Um, because I think that humans are really important in the SOC but it's about being able to give the analyst everything they need to make that decision really quickly and not have to worry about, um, doing deeper investigation.
In most cases, like there are things that we should be able to automate that we're not automating in an optimal way right now. I guess I should say
Rik Ferguson: [00:25:03] we, we did some, um, research that we published, um, at RSA, actually a couple of weeks ago, project 2030, um, which was looking at the next 10 years of technology and security and trying to.
Arrive at a vision of the future. Uh, one of the tools we use for testing our assumptions was a whole bunch of survey questions to InfoSec professionals, but also professionals in lots of other industries, too. One quote that Springs to mind right now that was a survey respondent said to us, was that in five years’ time, every SOC analyst will be a data scientist.
Do you think that's a fair characterization?
Allie Mellen: [00:25:39] I really hope not. I don't. I mean, so I think that data science is incredibly important in the SOC. There should be a data scientist that the team is able to consult and is able to work with them. But I don't want any, there is no room for all people in the SOC all people in security to be the same way and to be built the same way and to have the same background.
That is the thing that I am afraid that we are moving towards with comments like that, because ultimately there's a lot of creativity that you have to bring to this problem. And that's why I love it. And I think it would just be, yeah, a shame to see it kind of all, all be put into one single box where you're doing this task and you know exactly the, the tasks that you need to fill in.
You're doing that. You know?
Rik Ferguson: [00:26:28] So when the, when the baseline stuff is not automated, but more automated where machine learning is doing a better job when XDR is, is fully mature and fully deployed, however many years that that takes, you know, we, we will reach that point for sure. What's the role of the SOC analyst at that point,
Allie Mellen: [00:26:48] they get to do the cool stuff.
So, this is something interesting. Um, I've been doing some research with one of my colleagues, Jeff Pollard, and the conversation, uh, has been around threat hunting and. It's really interesting to hear perspectives on threat hunting and on, um, when a SOC should be choosing to start threat hunting. These things that we do, because our tools cannot meet those needs, use cases and meet those needs.
That's the creative stuff. That's where a human gets to come in and say, this is interesting. I don't know why my intuition is telling me this is interesting and I need to investigate deeper and kind of become a researcher way. And so, I think that that's, that's the point that I really want us to get to where we can bring people into these situations with diverse backgrounds and say, okay, take a look at what's going on in this environment.
And, um, find something that we can't find with the tools that we have right now. So, I really, with the improvements to XDR, I want to give analysts time to start growing as people and growing in their skillset and their capabilities and to find their niche. Um, I think. One of the things that we need the most to address the skills gap that we're seeing.
And, um, w what I really like to say about this is I have this running joke that I say where I'm like all, um, tech innovation is just an abstraction of human thought. Like, just like, let's raise it up so that it's easier for someone without a technical degree to get into this field and to start using the creativity that they have in their own weird way.
Let's make this more of an art than a science.
Rik Ferguson: [00:28:30] You know, what's crazy is that for people of a certain vintage, who said staring intently, Uh, when we, when, when I got my start in this industry, there was no, there was no formal way in. So, if you talk to people of a similar age to me, if they've been in this industry for a similar amount of time, there is a huge diversity of backgrounds.
And actually, it's that diversity of backgrounds and routes into the industry that got us to where we are today, which, which is, you know, is, is a period, the past 25 years more of course, more, but within cyber security, the past 25 years has been a period of massive, uh, innovation and invention and expansion and new ways to address all problems and new solutions to new problems.
So, I mean, the, the evidence is there that says that, that, that, um, diverse way, diverse ways into the industry is, is really significantly important. You, you, you spoke about the, uh, or we spoke about onboarding during the pandemic. I wanted to address a William's question that he reached on LinkedIn. Um, because I think it is related to, uh, the role of the SOC analyst as well, because the SOC analyst to a large extent is seeing the outcome of the challenges.
So, William's question was what are the main challenges of people working from home in regards to security? So, what has the, what is the pandemic and the lockdown done from a security perspective? What are SOC analysts having to deal with now?
Allie Mellen: [00:29:59] Yeah, this is a complicated question because the easy answer is, oh, there's no perimeter anymore, which I know a lot of people like to say, but really, it's.
Um, it has, I think that there are a couple of things that are really important here. First, it's forced. Insecurity to take a different, a bit of a different approach and a different angle to the security problem. Um, specifically making it more around the individual users around the end points that they're using, that they're allowed to use when they need to connect to the VPN, things like that, making sure that even from rural, we can make sure that we're patching and updating people's machines.
Like all of these basic things that when you're in an office, you can always like walk around and say, Hey, I need your computer for 20 minutes, but you can't really do that when everyone is remote. The second thing is that I think is the bigger piece picture and the more critical picture of what the pandemic has shown us is the importance of the ability to be adaptable and.
It, which was really showcased over the last year because the people who were built to be adaptable, who were built to allow people to work from home versus working in the office, we're able to make this transition a lot easier than others. And this ties back to what our state conference this year was about, which is resiliency.
Um, I think really it ties in really well, and it was the focal point of the presentation that I did with, uh, with Persa Varma, CSO from old mutual. There are, I don't know, to what depth do you want to get into the technical points? But I think that there are elements of this that impact the broader way that we think about security from an adaptability standpoint, and then from like an individual security standpoint, it, it raises implications about the other things that are available in your network.
The way, like from a social engineering standpoint, how you're actually using your personal laptop versus your work laptop, where the crossover is, where the potential for your kid to get on your laptop and install malware by accident is things like that.
Rik Ferguson: [00:32:02] Yeah. And for me, the other challenges, I suppose, in answer to your question, William is definitely about an increase in attack surface and the diversification of criminal, um, opportunities and, and methods and opportunities that the threat actors are taking.
So, every corporate end point, that's now in a home environment than everything else in the home environment becomes a security concern to the enterprise where. It wasn't at all. So suddenly I hesitate to say her name because she's in the house somewhere, suddenly things like Alexa, um, shush um, uh, become a problem as well, or your, your smart TV, which is basically running Android or your, all of these connected devices become a part of the, the attack surface that an enterprise does have to worry about.
Um, and, and, and the other thing was looking at vulnerabilities that have been targeted throughout, throughout last year. Um, you know, we see vulnerabilities. Year in year out growing numbers of vulnerabilities year on year. Uh, and there only a certain, very small percentage of those vulnerabilities that are ever exploited.
And they tend to be in very predictable areas and sectors, like if it's a Microsoft windows, vulnerability, and it's particularly effective, it's going to be exploited. But what we saw last year was vulnerabilities in VPN gateways, for example, suddenly seeing mass exploitation, which they wouldn't have seen the year before, because criminals know that those VPN gateways have been deployed, uh, in these enterprises to, as a stop gap solution in some cases to solve the immediate problem of how do I get my dispersed workforce, um, connected and, and working from home.
Allie Mellen: [00:33:37] it, it speaks to the rise in cloud attacks. We're seeing as well. It's like as the, as the environment shifts, the attackers. Target the thing that's being used the most, it's the same thing with why hospitals have been hit with so many ransomware attacks, which is horrifying and awful, but also it makes a lot of sense because we need them to be running a hundred percent of the time.
And without that, it's a dire situation that you'd gladly pay out to, to not have to deal with anymore. Yeah. Yeah, for sure. I mean, on, on the, the ransomware front, it's, here's a question for you, which, um, um, might allow you to be polemic or might allow you to, to shy away from it. It's your choice? Um,
Rik Ferguson: [00:34:21] So ransomware was a huge problem, was a huge problem. Um, 20 14, 15, I'm trying to remember the dates, uh, when we saw, you know, exponentially growing new numbers of new families, of ransomware being created exponentially growing numbers of detections of ransomware events. Uh, but it was all focused on consumers or massively focused on consumers by, I think it was 2016, maybe 17 as an industry.
And as practitioners, we were looking at it thinking maybe we beat this. Maybe the criminals are moving away from this now because the numbers are going down and the attacks are becoming less frequent. Maybe all the education work, maybe the people finally implementing good backup strategies has really helped.
You know, people, you know, there's a lot of awareness raising and ransomware is at least receding a bit. Um, and then now happened and now has been happening for probably a couple of years, uh, maybe three years where ransomware threat actors. Change their modus operandi. They're focusing much more on enterprise, um, uh, victims, much, much bigger orders of magnitude, bigger ransom demands being made, you know, multiple millions of dollars per attack.
So bigger bang for the buck, fewer victims. Why are organizations? And it's not in one particular industry vertical, you know, even in recent times, you know, we see oil and gas, we see, uh, manufacturing, we see healthcare being hit by ransomware. Why are organizations continuing to fall victim to these attacks what's changed or what hasn't changed?
Allie Mellen: [00:35:54] I wouldn't. So, I wouldn't say so much that this, the reason that ransomware dropped off was necessarily a change with or solely a change that could be attributed to the defender side. I think that attackers really took the time to. Like almost rethink how they were approaching ransomware. We now see that it's, it's not just about the ransom.
It's also about the data, data exfiltration, um, so that they can, they can attack your multiple ways. But I think that over the past few years, it's really picked up for a couple of reasons. The first being, um, you can really use business continuity as like a stab in the back for these companies where if they can't access their systems, they can't, they can't do virtually anything.
And that's just what's happened because of the technological innovation we've been going through in the last like 30, 40 years. But, um, on the other side of that, I completely lost where I was going to say
Rik Ferguson: [00:36:53] that happens to me all the time. You're like I have a series of free points and I'm going to do this one first.
Allie Mellen: [00:37:01] I'm just not enough. Like I don't have that thing where I can hold them in my brain.
Rik Ferguson: [00:37:05] I have exactly the same holes, the same calendar. There you go.
Allie Mellen: [00:37:11] Cropping malware as a service cropping up has made this a lot easier for non-technical and non-technical criminals to become cyber criminals by utilizing ransomware as a service, which we've seen with dark side.
Um, for example, and it also makes these ransomware gangs or malware gangs a lot of money because they can kind of like just expand their operations exponentially and then just treat it like a S like any other startup, except with this one, you don't have to pay taxes.
Rik Ferguson: [00:37:40] Yeah. And you know, the other thing about the, as a service model, I mean, if you look back through the history of.
Industrialized cyber, you know, the past 20 odd years where, where it really became a global business, um, you can see the lessons that they've picked up and learned from legitimate business and things like the affiliate model is absolutely one of those like selling through affiliates. But one of the really attractive things from a criminal perspective, I think with the affiliate model is that it removes you one step that you, the, the, the, the author of the ransomware or the, the person offering the service, it removes you one step from the crime, because actually, if you're not the person carrying out the intrusion, uh, carrying out the encryption in arguably you're not the person committing the crime and it makes enforcement activity against you much less likely to succeed, but it means you still get to reap the financial rewards of criminal activity.
Allie Mellen: [00:38:32] Totally. Yep. And it also kind of takes you away from your, or you could make the case in your brain that it takes you away from the guilt.
Rik Ferguson: [00:38:42] Yeah. Yeah. I, I guess, I guess that's, that's also a thing. Yeah. Um, oh, I can see William is active again. We have a question from Michael Stone. First of all, I wonder if that's the same Michael Stone that I used to work with, if it is hi, I'm Michael.
Uh, I have to admit to being puzzled by Michael's question. So, I'm hoping that you can understand it. If you just stop just a mechanical Turk. I don't even know what a mechanical turkey.
Allie Mellen: [00:39:12] Oh, so there's this. I do know what this is because I used to work for Sam Curry. He's the CISO at Cybereason. And, um, he loved the phrase mechanical Turk.
So, I, I know this through that. Um, but mechanical Turk is basically, there was this machine that, um, that was made that was supposed to be able to do all these amazing things, but it turns out there was just a man inside pulling all the pulling all the gears. So that's the mechanical part. Um, I think that ultimately, I'm a mechanical Turk.
I wouldn't say that that's the right way to put it. I think that you, if you're saying it from the aspect of you will need people in the SOC in the future, I absolutely think that's the case. And I think it's for good reason. If what you're saying is, uh, the technology won't actually be able to do anything and the analysts are going to be the ones doing all that work.
And it's just gonna be a massive number of people really hope. And I don't think that's where we're headed. Um, but ultimately having humans do the creative stuff, which I think kind of takes it away from that mechanical Turk idea, um, is, is what it should be in the future. But we shouldn't just automate this whole process away.
That's not something we do with other departments, like, um, marketing. Yeah.
Rik Ferguson: [00:40:34] So you think the SOC role isn't under immediate threat from machine learning? You wouldn't put it on the list of jobs that will be.
Allie Mellen: [00:40:41] No, not at all. Yeah. I think, honestly, this is the reason why I don't like the autonomous SOC phrasing is because it's like first off, what does that even mean?
Second off. Um, we need people to do these things. There's, there's no way around that. If, if we default to the technology, then attackers have their way to very easily bypass it. Like they, this is what they do for a living is look for ways to bypass these technologies. So if we don't have another human who's thinking creatively about how to fend them off, then we might as well just like roll over and let them hit us with ransomware.
Rik Ferguson: [00:41:18] So what do you think about this for a threat model in the near future? Uh, you know, speaking of ransomware, um, things are inevitably becoming more interconnected, inevitably becoming more automated and inevitably I think. Uh, relying more on machine learning and AI that, you know, that that's a technology, which is only increasing in importance and relevance, uh, in every industry and in every way, actually not confined to security.
So in, in this future, highly automated world of say five to 10 years’ time, um, instead of, uh, data, um, encryption attack or effectively a denial of service attack on your data. Um, what about the scope and possibility for data manipulation attacks or even, um, in that same vein, imagine the scenario where you have a data lake within your organization, which is very important, and most of your automated activities are based on learning from the data lake.
If an actor comes to you as an organization and says, Hey, by the way, I've poisoned your data lake and all the things that rely on it are now not, not operating the way that you think. We don't have any visible evidence of the threat. There's no encrypted file to go, oh, I can't access my encrypted files.
But do you have any choice as an organization? Um, you know, whether or not you say I have to shut down this process because I can't guarantee its integrity. Is that, is that a huge concern? Do you think going forward or am I way off target, right?
Allie Mellen: [00:42:49] No, I think that is a huge concern now and moving forward, but the conversation there, I've had a few conversations with people where I asked them like, okay, you were under attack.
Do you know that data was accessed? Do you know if it was altered? And they're like, no idea. Um, and that has a huge impact. Now on, on a small scale, if it's like, oh one, one piece of information was changed, it, it maybe won't have as big an impact. But when you take that up to the amount of data that.
Seeing these companies process in a given day, then it can really have an impact on their operations, on the recommendations they provide to people on whatever their application is that like data integrity is really important.
Rik Ferguson: [00:43:39] So, so let's talk solutions then. I mean, stick with that subject for now, because one of the things that I'm acutely aware of whenever I have a conversation, um, with anybody else who works in this space, or whenever I give a presentation myself, is that it's really easy to be dystopian.
It's really easy to be doom and gloom. And it's very easy to talk only about the problem, just like when you're making music. It's for me, it's really easy to write a sad song. It's really difficult to write a happy song. I find that a continuous challenge. Um, so let's shift from purely characterizing the problem.
Um, although I think it was a really valuable discussion. So, sticking with what we were just talking about. I don't know that right now, there are too many solutions, technologies, even projects that would help in that sort of five years from now scenario. Am I wrong? Or is there things that people, are there things that people could be thinking about or doing already on that kind of level for, for data integrity protection?
Allie Mellen: [00:44:42] That's a good question. Um, I, this is not my area at all, so I don't want to butcher it, but, um, my colleague, um, Heidi Chay, she, she talks about this a lot and this is actually the space that she covers. So I would definitely read her work for more information on data, maintaining data integrity. But I think it's something that security teams are thinking about to some capacity and especially those that are, uh, more mature, but yeah.
On the smaller level. I think that that's where we're going to see it be a bit of a challenge to address, especially when you take into account, how many other tools you already need in the SOC your biggest concern is going to be the business disruption aspect more than the potential minor data manipulation.
Unless of course you are in a country that is, that is regulating breaches and, and basically setting up regulations that you need to meet in the event of a breach. In which case, then it might be more
Rik Ferguson: [00:45:43] yeah. Or unless you do the industry, you're in has a huge potential for health and safety concerns. If you're in an automated factory type environment or whatever, and you think, okay, I have to shut things down because I don't know if someone's going to die or not as a result of this threat.
Right? So it's a future where even. The rumor of an attack or the threat of an attack might be enough to interrupt business. Unless we start thinking about solutions right now. William Markham has another question. How do we protect the link from laptops to home wifi? Uh, and you also mentioned letting other people like children use your, um, your, um, work device and doing things like accepting, uh, cookies or, or installing, I guess, untrusted software, basically.
What, what options are out there for enterprises who are in this situation now? Um, luckily my, my two year old doesn't know my password yet. Um, but I'm sure that they will come. Um, w what options are out there to, for enterprises large and small, um, to, to help secure, help employees secure themselves when they're in this distributed environment.
Allie Mellen: [00:46:51] Yeah. Um, I'd say that the majority of enterprises tend to, if they don't have it as a listed policy, tend to, um, heavily dissuade their employees from letting children use their work laptops or really using work laptops or any other purpose than work. Um, I think there have been exceptions that we saw that last year, where for a lot of parents, there was no other option and they didn't have another laptop for their kid to do, do their zoom classes or whatever, whatever the child needed.
So in those cases, it's kind of a, it's an imperative. The, um, there are a couple of really minor things that we can do. And I like to talk about this in the context of, um, do you know that it's not really a fable, but that story about the two men that are walking through the woods and they come across a bear.
Rik Ferguson: [00:47:43] Okay.
Allie Mellen: [00:47:46] And, um, It sits down to pray and the other one starts like making sure his shoes are tied. And the guy's like, what are you doing? You can't outrun that bear or lion. And the guy's like, I don't have to outrun him. I just have to outrun you. Yeah, yeah. That is what we have to do insecurity, especially right now is like, just do things as basic as making sure that the default password on your browser, isn't it, isn't still active.
And that you've changed that it's, um, things like making sure you have a secure wifi network and are keeping track of what devices are actually accessing it. Um, and then on the enterprise side, there are of course more complex things that you can do to monitor end points and make sure that there's no malware on endpoint specifically.
Um, but typically that be. Along with the basics that we kind of like talk about, but then we're like, oh, but look at the coolest, shiny tech, but ultimately like you can have the cool, shiny tech and you can still eat in a load of trouble if you aren't doing the basics. Right.
Rik Ferguson: [00:48:48] Um, problem of cool, shiny tech.
I mean, I definitely hear anecdotally, um, well from the horse's mouth and, and, and, uh, and word of mouth about the problem of companies buying tech and then not deploying it for one reason or another, uh, didn't realize how much effort it was to deploy. Uh, don't have enough people to be able to manage it once it is deployed.
I mean, there's, there's a ton of reasons. How big a problem do you think that is? I mean, you, part of the role of an analyst is to dialogue with your customers, right? So is that something that people come to you and say, I can't handle another technology. I already have five that I'm not using. Yep.
Allie Mellen: [00:49:27] Definitely a problem. Um, not so much on the, like, I can't handle another tech. Um, I already have too many to use, but more along the lines of, should I be adopting this new technology? And then we really get into a conversation around like, what are you doing with everything else? How has your relationship with the it team?
What does that look like? What are like, what is your patching schedule? Do you have a patching schedule? Things like that. And that's where things start to kind of break down. Um, a lot of times, sometimes not sometimes it's like, there's an organization that's just. Doing the cutting edge, of course. And then we have some really fun conversations about the new tech, but really there's a divide here, I think between, um, those organizations and organizations that are like, okay, we'll get these defensive measures in now.
And then in parallel, we'll work on the cyber and it hygiene stuff. But it, it kind of, in some cases, I think Lowes them into a false sense of security. Those other things that they need to do on the hygiene side are really hard. And, um, so it kind of becomes this, this bit of a mess where they're like, okay, now I have this tool, but I also have this big hairball of a project that I don't want to work on.
So I'll just rely on the tool.
Rik Ferguson: [00:50:40] So if you, if you had, um, if you had to, I'm totally going to put you on the spot. I Al I already feel bad, so I apologize, but I'm going to put you on bio that you had to give. Five coming out of pandemic recommendations. So we all know where we've been for the past. Well, almost 18 months now.
Um, professionally we know what's happened to the workplace. What's happened to us as individual employees. We haven't been working from home. We've been living at work. And I think, you know, there's a huge difference between those two dynamics. Um, if you had to make, uh, to, uh, to a CISO to a CIO, to a head of InfoSec, that kind of person five recommendations, five is really unfair.
Three recommendations, things to consider as we come out of pandemic, what would those three things be? Where should attention be focused?
Allie Mellen: [00:51:37] I mean, I think initially the attention needs to be focused around what, um, employees could be bringing back into the office. And thinking about it from that standpoint, not from the COVID side, but, um, depending upon the infrastructure that you have in place, if they come back into the office and they've been used to working on their machine and they bring malware back into the office, what do your controls look like to prevent that from happening?
Or have you adopted more of the internet cafe style where, um, these individual end points are protected on their own? And the connection that you make to the, to the corporate network is, um, just untrusted by default. But this really ties into, um, something that I love talking about as a Forrester analyst, which is zero trust.
Um, ultimately like no matter where the conversation, um, started, it does at some point end up when you're talking about best practices to think about in the concept of. Where are you on your journey to zero trust? What does that look like for you? Um, my colleagues have written a couple of papers on this that give a lot of really prescriptive advice, which is helpful.
And I also like to think of it in the context of security operations, um, especially around like where is the data that you need to protect and how are you protecting it? Um, the, the other thing that I think people should be thinking about not so much, because they're going back to the office, but because, um, of the change that being out of the office has caused is how are you protecting the cloud?
What are you doing to predict the cloud? This is something that a lot of CISOs have been talking about for the last few years, but I think it's become almost an imperative for any organization to, to consider, um, beyond just like the cloud protects itself.
Rik Ferguson: [00:53:22] Yeah. I think there's been a massive upswell of cloud adoption during the pandemic.
Right. Because a lot of companies have had to work out. How do I take into. Facing resources and make them externally available for my dispersed workforce. So I think that's a really valid point. I think when, as we go back into the office that no one's going to put the cloud back in the box, all the cloud stuff that, that you deployed over the past 18 months, um, is it secured?
Is it, is it as fit for purpose as you want it to be? That's a really, that's a really solid point. Thank you.
Allie Mellen: [00:53:50] I think it's also a time. This would be a good time for a retrospective analysis on what went well and what didn't and why. Um, because as we kind of were talking about in the beginning, a lot of the challenges that organizations faced when making the shift to remote work was just not having the resilience in place that they needed, um, when it comes to like being adaptable to, to new adverse situations.
And so definitely this is the time to be doing a retrospective, as you should, with any incident, also making sure your incident response plans are available, updated. Everyone's aware of them. Things like that.
Rik Ferguson: [00:54:29] You did some other work. I said, I'd been stalking you in the best possible sense. I'm like I have to do with anyone who I'm going to talk to.
I got to find out what your areas of expertise are. Um, I watched, uh, a really interesting webinar of yours. Um, it made me think, wow, a lot of, um, a lot of Allie's stuff is three words, uh, adapt or die, and I watched a trust, but verify your work on, uh, election security and influence operations. Um, which was really interesting.
I want to ask you a little bit about the future. So as we, as, as AI advances and, um, deep fakes become ever more credible. And I think as we approach a world where we are talking about. Uh, actors not necessarily having to appear in films, but just licensing their image, um, so that they can be deep faked into a film.
I think that's, that's, you know, why would an actor not want to act in six films at the same time and make six times the money? Right. So I think that kind of thing is coming. I think we'll see the same thing with deep faked. Um, politicians, why would you, why would you risk, um, not looking great in front of the camera where you can just have the whole thing, deed, faked and record your voiceover, or even maybe have AI do your voice over for you.
And I think we'll see, this is one of the things in project 2030, we'll see the rise of synthetic influences rather than, rather than Instagram celebrity influencers or whatever synthetic inferences will be just as viable. So thinking back to your work on election security and influence operations and that kind of stuff.
How, how concerned are you about that from an influence ops perspective, you know, using video, using audio using fully immersive AR VR things to alter people's beliefs. Yeah.
Allie Mellen: [00:56:15] So this sounds like an episode of black mirror, but, um, no. So on the one hand I am concerned about it. Absolutely. Because I think that it's going to be used as the, the new and improved form of disinformation, which we've already seen, can really tear countries apart.
Um, but I also think that it, it ties back to a piece of research that my colleagues put out recently called the trust imperative, and which talks about how and why trust is going to be so pivotal in the next 10, 20, 30 years. Um, more so than it's ever been. And, and it kind of links back to what you're saying, where it's like, okay, politicians can, can license their, their image and use that instead of having to show what they actually look like that day or something like that.
Those are instances where I think that that has the potential to really deeply degrade trust. And, um, so I think that there's going to be. Um, paths kind of like we've seen on like Twitter when someone is verified pants, to make sure that certain videos are verified to be of that person, or, um, ways that social media companies in particular, given the vitality of disinformation are going to need to be able to give some type of proof or validity to certain videos and images to make sure that people know which ones are the real ones and which ones maybe aren't.
Rik Ferguson: [00:57:37] Right.
Allie Mellen: [00:57:37] Um, it, I think that's going to be absolutely critical. And part of the way that I talk about election security is that it's way, way, way, way more than a government problem. It is a problem, especially as, um, we really see organizations that have almost developed their own tiny countries. Like we saw with Facebook and having their own little Supreme court, um, they are also a part of the election security conversation, a big part of it.
Um, especially around this.
Rik Ferguson: [00:58:07] Yeah. And I think, you know, the more, the more of that we see, um, and if you just, the first thing that really shocked me to thinking about it was seeing princess leia in, in the, the final Star Wars film, right. Who she was there and they finished the film, but she was dead. Right.
The actress, Carrie Fisher was no longer with us. Um, and we're still at the point where you can just about say, yeah, that looks a little bit more like PlayStation four footage than movie footage, but those days are rapidly in the rear-view mirror. And I think that even if it's verified, right, even if we have verified celebrities and verify politicians and, and, and everyone gets a blue tick, what it does do is it desensitizes the population to, um, being able to tell the difference one from another and then enables things like influence of, so we definitely need as a society, as a security industry and as nation, state, state, I think devote some brain space to thinking, what, what do we do about this problem?
How do we detect deep, fake audio, deep, fake video? And what do we do when we detect it? Because recognizing it is only half the battle, right? How do we combat the fallout from that? We already know what fake news looks like, but we really don't know what to do about it.
Allie Mellen: [00:59:21] Yeah, no, I think it's really interesting too, because it's like, if there's a, um, Tik Tok account that is a deep fake of, um, oh my God, I lost his name.
Rik Ferguson: [00:59:31] Tom Cruise.
Allie Mellen: [00:59:31] Very, very convincing. But I wonder how much of what we see online with deep fakes can be used consistently because there's a lot more to it. Recognizing someone than just how their face looks and making sure that it looks like it's actually on their body, but it's also like about those individual movements that you see and the way that they speak.
And so I wonder what the future is going to look like in those terms, because I feel like part of me watches those Tom cruise videos and I'm like, damn, that looks so much like him, but there's something that still isn't quite there.
And, um, my experience
Rik Ferguson: [01:00:10] with that recently. And anyone following me on Twitter might have seen the tweets.
Um, there is a genealogy research website called my heritage and they. Um, introduced not very long ago, a little bit of, um, AI GAN uh, um, generated animated footage from a photograph, right? They say, you can upload a photo of your dead ancestors, uh, and we can make them, uh, we can bring them to life for you, which if you have a, an ancestor who died in 1834, and you want to see the black and white person move, or even be recolored or whatever, I'm sure.
That's very interesting. But I thought I would try with a picture of my dad who died when I was 26.
Allie Mellen: [01:00:48] Oh my God. That's heartbreaking.
Rik Ferguson: [01:00:51] But just to see, right. Just to see what is like, and what I learned from that, what I wasn't expecting actually is particularly because I was 26, quite a long time ago, uh, how strong the memory is that the memory imprint is of someone's mannerisms.
Exactly what you're talking about, not just the fact that they're moving, but how they move. And it was a really odd experience to see an animated photo of my own father from a day when I know that no moving footage exists. But he looked like a broken human. It looked like someone who wasn't quite working correctly, you know, it was just like weird.
And my dad never moved in that way. So I think that for people that we know, well, the ability to tell fake from real will stay with us for a very long time for people that like Tom cruise. Um, I have no idea what's fake and what's real, all ready with those
Allie Mellen: [01:01:43] you clearly are not watching enough of his movies
Rik Ferguson: [01:01:48] Well we use the phrase bad actor, a lot in the information security.
I always think of Tom cruise whenever anyone says that. And what, what can you say? Um, although he was one of my favorite ever films, the outsiders must be credited for that, but he still had his imperfect teeth back then. Clearly, I could go on about Tom Cruise for a long time. We don't have time for me to do that.
I have one more, one more question for you, Allie. Uh, because we're rapidly approaching, believe it or not an hour gone by while we've been sitting here chatting, um, 2020 to 21 has been an odd time for everybody. And we've all had to, um, I can see a question coming from a colleague, Andre, uh, dare I ignore it or not.
No, I can't ignore it. Can security vendors keep pace with AI?
Allie Mellen: [01:02:36] with AI offense?
Rik Ferguson: [01:02:38] So if criminals and to the best of my knowledge, they're not weaponizing AI yet. Uh, I absolutely expect them to, um, particularly for automated reconnaissance, uh, for the finding of new vulnerabilities or, uh, poor configurations, those kinds of things.
I fully expect all of that to be, um, to be automated, uh, at some near future and also fully expect to see AI used in anger, in, um, obfuscation techniques to make the identification of infrastructure and of bad actors. Uh, Yeah. So AI will definitely have a role to play in offense. Do you think security vendors will be able to keep pace with that?
Uh, or do you think it will be a constant catch up and that the, the bad actors will always be ahead. I'm stuck on bad actors now. Yeah.
Allie Mellen: [01:03:31] Um, so, uh, we are definitely seeing them and to some, this is like more of a minor or not a minor, but it's, it's less common than I think it will be just kind of speaking to what you're saying, but like with, with bot management, that's a great place where they're starting to use AI to appear more like actual people, as opposed to being, uh, being bots.
They're trying to gather information. So, uh, but I think that. Security vendors can keep pace with AI being used for offensive purposes. Um, very much so like the, the kind of tug of war that we have today with, with malware. Um, the challenge is, and I think the challenge that we're seeing already with malware generally is the community aspect and making sure that the information sharing is happening to keep us ahead of them because ultimately the attackers in many ways rely on their community in order to help them, um, help them continue to evolve.
And also of course, things like nation state bleed, which can help them evolve even when they're technically not able to. So, I think that that community aspect, threat Intel sharing all of that is going to be very critical in order to keep all of us ahead, as opposed to some of us have.
Rik Ferguson: [01:04:48] Very cool. Now I'm going back to the question I was going to ask you, which was my closing question, how we all know it's been a bit odd and a bit different and a bit weird.
20, 20, 20, 21. You're a person, uh, to the best of my intelligence gathering activities who loves to travel and loves to be active. Your, you know, you're not a person to be sat on your sofa, um, drinking the Kool-Aid. So, what have you done? What have you adopted change learned? What have you done to cope with, to deal with the changes in the world of 20 20, 20, 21, before we go back to normal, how did you survive?
Allie Mellen: [01:05:26] It was really hard. Um, I love to travel. Like I I'm obsessed with traveling. I spent time as a digital map, just bouncing around between cities, um, European cities and in Africa as well, and not being able to do that for the past year and a half has been very challenging uh, the first thing that I did was move from Boston to New York because I was like, I can't, I don't think I can be in Boston for another second.
Um, and that helps having a new place to explore, but I also, I'm a big believer in the importance of meditation and also the importance of yoga and mindfulness. And so, I've been doing a lot of that and, um, it's just helped me appreciate the life that I have here and the, the beauty that's in the life that I have in this place, as opposed to trying to chase that beauty in other countries.
Rik Ferguson: [01:06:17] Wow. What a profound note to end on. Thank you, Allie. Very much. That was a perfectly orchestrated ending. And I mean, that was, that was proper wisdom. Thank you very. Um, I'm really grateful to you for accepting the invitation to come and talk to me today. Um, I hope that the people who've been watching will continue the conversation with you online Allie's Twitter handle is there right under her, uh, image.
Uh, I guess you're on LinkedIn as well. Um, and, uh, thank you very much for joining us. Um, coder scientist, researcher, hacker analyst, Allie Mellen thank you.
Allie Mellen: [01:06:57] Thank you so much for having me.
Rik Ferguson: [01:07:00] There you go. Uh, another hour of your lives has flown by in the, in the company of, of Allie Mellon, um, guest speaker today and forest analyst.
Um, I am consistently amazed by the capacity. People I have never met before. Certainly, never met in person, uh, to have so much to impart so much knowledge, so much experience, so much wisdom to impart. Uh, and every single guest has more to share and we have more to learn from. So, stay tuned. There are more episodes coming.
I have more fantastic guests to unveil, um, particular focus. Like I said on people you may not have heard from before, but people who are very definitely practitioners in the space, I'm talking not only to, uh, you know, to, to researchers, but I'm talking to your peers, people in positions who knows, I might even be talking to you, if you would like to be a guest, let me know, reach out, drop me a drop me a message.
Uh, but for now, um, thank you very much for watching. I've been Ron burgundy. You stay classy.