Date: May 3, 2022
Listen to KPMG Principal Tarun Sondhi discuss the most critical factors in cyber resiliency with Microsoft’s Ann Johnson in the Microsoft Security Afternoon Cyber Tea podcast. In this episode, they discuss how his guidance in security has changed, investing in AI and automation and what he believes is currently the most significant innovation in security. They also address:
- How clients and organizations should handle today's threat landscape
- When companies should start to invest in artificial intelligence and automation
- Why organizations often overlook the evolving sophistication of current cyberattacks
Ann Johnson (00:00):
Welcome to Afternoon Cyber Tea, where we speak with some of the biggest security influencers in the industry about what is shaping the cyber landscape and what should be top of mind for the C-suite and other key security decision makers. I'm Ann Johnson, and today I'm joined by Tarun Sondhi, who is a principal with KPMG Managed Services, where he leads the cyber managed services across security operations, cyber defense strategy, governance, and transformational offerings. It's great to have you here, Tarun.
Tarun Sondhi (00:30):
Thanks Ann. It's great to be here.
Ann Johnson (00:33):
You have such deep expertise in security architecture and infrastructure, identity and access management, cyber ops, incident response, and regulatory compliance, and you led the transformation and rebuilding of the security operations center for one of the largest financial services organizations in the world. Also, I understand you've developed disciplined processes in the SOC, such as cyber hunting, user and behavioral analytics (what we in the industry call UEBA), monitoring, endpoint detection and response, and security orchestration and automation. You have this amazing breadth of experience, and I'm really excited to have you on the show.
Ann Johnson (01:11):
So, as we think about these programs, Tarun, that you've designed, and how you've integrated all this actionable threat intelligence and brief response within organizations, I know that several years ago you also wrote an article for Forbes focused on the five ways to reinforce your company's cyber program. When you think about that article and you think about today's threat landscape, how has your guidance actually changed from then to now?
Tarun Sondhi (01:35):
And that's a great point. What's interesting is that the spirit of what I wrote eight years ago now is still relevant today, but the problems we face have grown exponentially. The surface of attack has become vast as we see an increase in adoption of things like the Internet of Everything, which has put into motion this hoarding of vast amounts of data that we now store in the cloud all around the world, and our clients are putting a lot more emphasis on SaaS products to shorten the return on investment. So, we're not doing transformation like we used to in the past. Not everything, but most things are now available in a SaaS format, which is also causing this new constant reevaluation of regulations and compliance frameworks that are constantly evolving. Now, our adversaries have kept up with this pace of disruption in the market.
Tarun Sondhi (02:40):
Their techniques are becoming a lot more sophisticated. They're super targeted against what they're trying to do, the mission that they have. And they've been able to evade those traditional controls and monitoring instruments that have been in place for a while. And they know the firms that they are attacking don't have the capacity to deal with the volume of threats. They just can't keep up with it. There are not enough practitioners out there available to fulfill all those jobs. So now with the cloud expansion, as I call it, it's no longer cloud adoption. It's really expansion in the cloud itself. Crypto, blockchain as the next wave of new innovation that's coming up. It's actually deepened the [inaudible 00:03:25] of an already overworked cyber team. So, what's really changed in my mind are really three core areas that I hear from our clients or joint clients.
Tarun Sondhi (03:36):
One is that they're looking for greater utility of the smart systems that they've invested in, that share intelligence, have an effective strategy, and a set of processes to use those tools that harden their security controls. The second would be they're looking for more native instrumentation that makes extracting heuristics out of these tools into a single apparatus that they can look down on, rather than stitching together 10 different tools into this kind of Frankenstein that gets built up at the [inaudible 00:04:13], having to manage it. They want to spend more time analyzing and having a stronger conviction. When they see some anomalous behavior, they want to be able to react on it. And I think the third is really around driving more automation, making progress towards these autonomic models that allow systems to self-heal, raise the defense mode as you will, as they see different activities taking place, malicious activity taking place.
Tarun Sondhi (04:45):
I'll use the KPMG MDR practice as an example. This issue around alert fatigue, it's still here. It's very prominent. It's a real problem that even I face in operations, and I've faced it throughout my career. It's how do I reduce the alert fatigue of my practitioners who are constantly looking at different alerts and trying to manage through it. And I had a single objective when we decided to introduce a very differentiated offering in the market.
Tarun Sondhi (05:15):
In the early stages of the design, where we worked very closely together with the Microsoft Sentinel team, the challenge was how can we use Microsoft Sentinel to deliver the outcomes to our clients in a way that our analysts are using their high cyber IQ and freely exercising their curiosity. Where's the threat? What can we know about the adversary? What do we know about the attributions of that adversary? While the routine alerts are automatically convicted and the response actions are automated throughout. So I think the third area that I'm seeing that has changed is really around spending more time on the work that needs this experienced technician rather than spending time waiting on commodity threats, if you will.
Ann Johnson (06:06):
Well, that makes sense. Look, threats have increased, both the pace of threats and the sophistication of threats. And I think organizations are still struggling with things like automation and how they actually gear their really smart humans to be solving the hardest problems, and then automate and remediate as much as possible below that layer. When you think about that, when you think about how [inaudible 00:06:28] are evolving even right now, right? What's the one thing that you notice that organizations should be thinking about, but that they often overlook because it's just so hard for them to keep pace?
Tarun Sondhi (06:40):
Most organizations today collect a vast amount of data, like I talked about earlier. And as you think about why they're collecting this information, they're trying to build a better experience for their customers. They're producing targeted goods just in time. They're producing better ads that are a lot more precisioned towards the audience that they're going after. What comes with that is a responsibility to not only safeguard their own IP, but also the data of their customers, their vendors, and not to mention their own employees. So what I find is that one of the most overlooked items is the data. The data is no longer in one place. It's distributed across hundreds of applications, and it's spawned into new sets of information, or even merged with other tools and other data, and probably the most important aspect is that it's also shared with third parties.
Tarun Sondhi (07:40):
Getting a handle on and an effective strategy around the controls and the recovery process is one of the pieces that I see as a high priority that most organizations overlook. They don't really understand or have enough discipline in place to know how this data is being used beyond the single repository that they assume it's in, and where else within the organization it can be used.
Tarun Sondhi (08:07):
And I think the second priority is really around this disciplined structure, the approach to continuously test those applications or systems or networks that the data traverses, and what vulnerabilities exist in there. And they need to have a really good plan for how they surface these vulnerabilities to the top and then remediate them in the right time, not to mention getting in earlier during the development process of those applications, so you make sure you have security as part of your design. This is one area where I've seen almost 300% growth, from the data that I have, in the demand that I'm seeing from my clients. Being able to test those applications more continuously is one of the other areas that we see as most overlooked.
Ann Johnson (09:00):
And so, as we think about that, right, the pivot for organizations and their need to actually try to stay ahead of threats. I was reading just this morning, actually, that Jen Easterly made a comment that it's really hard and it's becoming harder to have a good defensive posture, and really what organizations also need to focus on is resilience and recovery, almost, not more so than detection, but almost in a way that's more meaningful, and really investing, because as we've found, organizations, by the way, are underinvested in operational resilience and maybe very invested in defense. So when you think about that, when you think about the current landscape, when you think about this increase, and we expect this increase of both cyber crime and nation state effects to continue, you think about a lack of people, you think about everything you just said about automation. Talk to me a little bit about the MDR service that you offer, the value that your customers see from not just a defense capability, but from a response capability. And how does that help them build better operational resilience?
Tarun Sondhi (10:10):
Yeah, look, I sat down with my clients. I've been offering MDR-like services. It's a newly created term, I think from about five years ago, known as MDR, but managed security services is a space I've been in for 24 years. And so about a year, year and a half ago, I started on this journey to discover what the new underserved, unmet market needs are. And how are clients struggling to keep and maintain this complexity of tools? The lack of nativeness that's available within the instruments that they have, they're stitching together, like I mentioned earlier, this Frankenstein of sets of tools to detect and respond, but they don't really talk to each other very well. So they're constantly trying to maintain that. And with the new challenges of data sovereignty, the evolution of the data boundary laws and data custody laws, we are seeing a heightened awareness and a need to come together.
Tarun Sondhi (11:15):
And that's what we went out on a journey to fix. So together with Microsoft, we decided to take on this challenge and look for ways that bring together the disciplines and the different methods our clients are trying to build better resiliency with, to defend their organization: things like zero trust, digital identity, ATP, Defender, the endpoint. They have these amazing solutions that they have put in place. They've put a lot of money into it. The next step is to be able to get instrumentation out of it, to get the insights out of it so that you can shift left. You can start to understand if there are primary indicators of compromise or an adversary is lurking in the environment. This is where instrumentation is really important, whether you're using the MITRE ATT&CK framework or you're using other types of framework to be able to come up with your own model of what shift left means.
Tarun Sondhi (12:23):
This is where engineering and management go into place and monitoring goes into place. So, we spend that time cracking through this veneer, that detection and response is hard, you can't really bring it together, it still requires humans. We decided to spend energy to maximize the utility of the AI models and build these complex algorithms. So, you can harvest all that information and shrink it down to the single unit of measure that I'm personally obsessed over, which is dwell time. The more we can shrink the dwell time, the better off we're going to be. All these other data points that we talk about, what is our mean time to respond, mean time to detect, those are great operational tools, but I still believe that the real unit of measure is dwell time, and we are obsessed around that dwell time.
Ann Johnson (13:19):
You know what? I don't disagree with you, and time to detection, as you know, varies by geography and varies by sector. But the less time you have someone in your environment, the less harm they can do. It's intuitive, and I explain it to folks this way: if someone breaks into your house and you're on vacation and you don't know they broke into your house, and they can spend a week in there harvesting whatever they want out of your goods, that's really meaningful, as opposed to someone breaks into your house in the middle of the day, the alarm goes off, the police are there in three minutes. That's how I try to get people to actually conceptualize what dwell time means and the impact it could have in their environments.
Tarun Sondhi (13:55):
You're spot on. We want to be able to... I think the market is looking for how we can shift the attention of hiring and retaining our top analysts in the industry so that they can use this disciplined structure, this obsession, to find elusive threats, using techniques such as cyber hunting. But if you don't have the breathing room to be able to do that, and you're stuck in day-to-day mundane tasks that you know you can use the tools for, it's very hard to retain that staff and to be able to kind of manage through it.
Ann Johnson (14:36):
Yeah, exactly. Well, let's switch for a second. Let's talk about the place where machine learning and artificial intelligence hopefully are going to help us have a really critical step up, right, for cybersecurity, because they're going to allow us to look through the trillions of signals that folks get today. And they're going to allow us to make some better decisions and also empower automation. How critical do you think it is for companies to invest? And I have another question, because, you know, just about, and I'll say this as a vendor, every vendor wants to build their solutions as the latest in machine learning and AI. So, how much should companies be investing, but also how should they be determining if something is real? What are the key indicators that they should be looking for to understand that a solution actually works and will work in their environment?
Tarun Sondhi (15:23):
In the past, when we heard words like AI, machine learning, automation, it sounded like very buzzwordy stuff, right? We heard all kinds of objections, especially in the cybersecurity space, right? Cyber has no defined pattern. Each threat is unique. Each adversary constantly changes their technique and tries to evade the normal, the data footprints or the digital footprint that they leave behind, the dust that they leave behind. While some of it is still true, I think we've turned AI automation into reality by fusing together different sources of data that help us inform the AI algorithms much better than we ever did before. We talked earlier about these connected devices, the Internet of Everything; organizations are looking for ways to let their employees take their devices to their firms, work remotely and so on.
Tarun Sondhi (16:29):
Let me just take my home as an example. Ten years ago, I had maybe four devices that were connected to my Wi-Fi system. Now, I'm a geek. I'm a technician at heart. I'm a product guy at heart. So I was looking at the data that's coming out of my Wi-Fi system, which I had to, to make sure I don't see any anomalous behavior. I have all kinds of controls put in place. Just this morning, right before our call, I logged onto my system just to check in on it. I have 37 devices in my home that are connected to my Internet, and being able to look through that anomaly one device at a time is just not possible. This is the same challenge an organization has today. Now, with their connected systems, if they're feeding the tool, the AI, and they build good algorithms, you want to be able to bring in digital identity information. You want to bring end users or end devices from end to edge, if you will, your cloud system, your SaaS systems, everything, into the machine and allow and start to hydrate the machine with this intelligence.
Tarun Sondhi (17:42):
This is where AI and machine learning will help. It helps you synthesize all that data so much faster than a human can. And we talked earlier about the lack of practitioners. We're never going to have enough people to look at this. So why not leverage the tools that have become so much better and can become smarter with more data? In my experience, focusing on SLAs like I mentioned earlier, those things go out of the window. Using AI and machine learning, we can finally bring dwell time down from three-digit days, and I really believe that we can bring it down to two or one as we continue to expand into autonomous systems or autonomic systems that start to self-heal and repair things. And that all will come through the intelligence.
Ann Johnson (18:36):
It makes a lot of sense. The more we can do self-healing, if you want to call it that, or automated remediation, obviously the better enterprises are going to be, and then they can reduce those security alerts. Speaking of alerts, we went from this mostly people working in the office model, not everyone, but mostly people working in the office model, to a mostly people working at home model. And now we're going into this hybrid model, and a lot of organizations I'm talking to talk about how that's really changing the attack surface and their threat vectors. How do you think about making recommendations to organizations now that we're switching, now that, you know, people are going to be back in the office part-time?
Tarun Sondhi (19:14):
It really is about trying to bring and stitch together all the information that you are getting from the tools from edge to edge. The seamless work experience that we want our employees, our practitioners, our customers, our third parties to have when they access our data, or when we're working with them, is to be able to, as much as you can, use the native disciplines, use the native capabilities, and drive that deep inspection into the jobs of our skilled technicians who, on a day-to-day basis, are trying to figure out all this anomalous behavior. How much can you automate? How much of it can you digitize? We used to be in a place where we would log into four different applications four different ways. All of that, using the digital identity solutions, you can bring into a single place, you can manage it in one place, and you can make faster decisions, whether you want to onboard or offboard a particular user or their access.
Tarun Sondhi (20:20):
This really, kind of thinking hard about what's core to your business and focusing on that, will be one big macro recommendation. And I think the other area that I would highlight is to think really hard about what's core to your business in terms of the domain expertise that you want to retain, and manage the critical few cyber practitioners that you have while out-tasking as much of the routine operations work as possible to a service provider. That's one way that you can balance what you keep in-house and what you out-task, and I'm purposely using the term out-task. I don't think the idea of outsourcing really exists anymore, or that there's a need for it. It is: I have a function operation, I have tools that are already in the cloud, I just [inaudible 00:21:15] perform these tasks on my behalf.
Tarun Sondhi (21:17):
And that's another area that I would recommend our clients consider. I think the last thing I would say is really a measured risk approach. This idea that we had in the past, that once we go through a development process we'll test these applications, our network, and the solutions that we have in place as a point-in-time thing, is no longer valid. We are in a rapid development cycle. Applications are coming in and out much faster because our clients are demanding it, our employees are demanding it. So testing that continuously, whether it's techniques such as ethical hacking, red teaming, pen testing, whatever those modes are that you need to have, put "continuous" in front of it. That continuous part is going to be something that we see as a way for organizations to stay ahead of the risk and have a more measured approach, so they know what the associated tolerances are to manage through those risks.
Ann Johnson (22:21):
I think you hit on something a lot of organizations are coming to realize, which is that cyber security is always a risk decision. There are some organizations that are obviously ahead of the curve, or on the more mature program end of the curve, that know it's a risk decision, right? You could shut down everything and have perfect security, but you have to be able to do business. So whatever decision you make, it needs to enable your business whilst keeping your business secure.
Tarun Sondhi (22:42):
Yeah, that's right.
Ann Johnson (22:45):
So, I love my job because I get to see the newest companies and innovations, and I see them pretty early. I know you also have the opportunity to meet with a lot of companies and see innovations, whether it's in technology or people or process. What's one thing you've seen recently that you were just really impressed with and you think has a big future in cyber?
Tarun Sondhi (23:07):
Oh wow. Bringing it down to just one thing. There are so many amazing things going on in our industry. If I could lump together blockchain, the Metaverse, this decentralized autonomous organization kind of business context, I think that would be one place where I see a massive disruption that's going to take place. There are just billions of dollars being invested in the blockchain and Metaverse space, if you will. And I think the innovation around cyber that I get super excited about is really, with this disruption, this kind of distributed applications, the new advancements in encryption that are taking place, the proxy re-encryption space; that's one area that I see is going to get a lot more notice. I think we're going to see some really interesting things happen there, especially when we're thinking about private data being stored out in public decentralized networks. This idea around proxy re-encryption, or PRE, if you will, is something that I'm taking a very close look at and trying to get ahead of.
Tarun Sondhi (24:27):
And I think along with that, with the speed of quantum computing becoming more mainstream, this is also being leveraged by the adversaries. They're using that to create more sophisticated brute-force attacks and becoming more efficient and more speedy. So, quantum resistant cryptography, these algorithms are becoming much more important for us to combat this rise in quantum computing and also the associated adversary use of it. We're going to see a lot more need for resistance around cryptography for that. And I think lastly, and you said one area, but there are three subparts to it, I think there's new innovation going on around zero trust. I think it sits within the intersection of digital identity, SASE and micro-segmentation, where we can start to insulate our data, our business into smaller segments and reduce the radius of impact. That I think will be the last area that I think about. And I'm getting really excited about what we're going to do here in the future.
Ann Johnson (25:45):
I agree with you, by the way, on quantum resistant cryptography. Having spent so many years at RSA and with the crypto folks, it's exciting to me. I know other people will be like, is cryptography exciting? But it is. It's really exciting. So, I have really appreciated you sharing your insights today. And I would love it if you could help us send off our listeners with one or two key takeaways. It's something we always want to do. Things that you would recommend they do today to overcome cyber challenges, or things you're hopeful about for the future, or all of the above. And you definitely don't have to limit it to just two, but we always try to leave with a little bit of practical guidance.
Tarun Sondhi (26:24):
And it was a pleasure speaking with you as well. Yeah. I'll leave behind a couple of thoughts. One, we'll continue to see exponential growth in new innovations. I continue to believe that blockchain is going to evolve. It's in early stages. Similarly, when you add the Metaverse on top of it, it is going to start to stress the edges of our security discipline. We're going to have to think differently. We today evolved from this era of having servers and machines that were sitting in data centers that were ours, we were very possessive of it, and then the idea of cloud started to disrupt and we were still kind of possessive of it. We weren't really sure if sending something to the cloud was safe and easy to do. And today no one wants to keep any data in data centers. They want to put it all in the cloud.
Tarun Sondhi (27:21):
So we'll see that type of maturity happen and adoption happen around blockchain, the Metaverse. We're going to find new spaces to come together. So with that, again, it's going to stress our security, it's going to make us think a little bit differently, and I think we need to be ready for that. We talked about cryptography in the sense of quantum computing. We need to move at that speed going forward. The second thing I think I will remind the audience of is don't be afraid to out-task the services to service providers, whether it's us or you go with someone else. Really think about where your business priorities are. What do you truly want to maintain within your business, and reserve those skilled practitioners who have been very difficult to get from the market?
Tarun Sondhi (28:10):
I think I read yesterday in one of the articles that there's 30% year-over-year demand growth for security practitioners and there are 600,000 security positions that are open. We're never going to be able to fill that. Let's accept the fact that there's always going to be a deficit of security practitioners in our space. So let's focus as much as we can during early design, early strategy on how much do you want to... Can you automate, use AI and machine learning? Because I think they've really matured a lot over the years, and augment those jobs. So, you can reserve those security practitioners and preserve them to do things that are really important to your business and where they add value rather than being deductive.
Ann Johnson (29:02):
Thank you so much, Tarun. That's wonderful. It was really a pleasure. I know you're incredibly busy, so thank you for taking the time to join us today.
Tarun Sondhi (29:09):
Thanks Ann. Glad to be here with you.
Ann Johnson (29:13):
And many thanks always to our audience for listening. Join us next time on Afternoon Cyber Tea. Okay. Studio, do we need anything else from Tarun?