It’s been seven months since DisruptOps joined FireMon with a mission to improve security outcomes by improving security operations. I’m excited to announce that DisruptOps co-founder Rich Mogull is joining us as SVP Cloud Security to continue pioneering the future of cloud security operations. Rich’s experience living in the future of security operations and seeing firsthand how strategies and tactics from the SRE and DevOps movements deliver both effectiveness and efficiency across a new model of distributed security operations will be key to the future successful outcomes FireMon’s customers achieve. I sat down with Rich as he prepared for day one.
<Matt Eberhart, COO @ FireMon> Rich, welcome to team FireMon as SVP Cloud Security. Tell me a little bit about your decision to join full-time after being a long-time advisor, and originally a founder, of DisruptOps.
<Rich Mogull, SVP Cloud Security @ FireMon> Am I allowed to say FOMO? It really came down to seeing the opportunities in front of us and wanting to be more involved than I ever could as an advisor. We spent years building DisruptOps from a hacked-together demo I did last minute at Black Hat into a full-featured cloud security operations product. Rather than being an end, the FireMon acquisition just added more fuel to the fire.
I see a massive opportunity to improve how we run security operations, especially in the cloud, and it wasn’t one I wanted to watch from the sidelines. Moving into this role not only allows me to continue executing on our vision for DisruptOps, but now we get to play in an expanded arena thanks to the rest of the FireMon product line. For example, DisruptOps really worked best in pure-cloud scenarios, but now we get to extend into hybrid and zero trust environments. Plus we gained some huge cloud network security capabilities, which is one of the toughest areas to manage even if you start with a blank slate.
There are some very cool things in the works at FireMon and joining full time allows me to help influence the solutions we build in a way I never could as an advisor. And it allows me to give the community something more than just words and slides.
<Matt> You’ve worn a lot of hats in your security career and have a long history of sharing your opinions. You were a big part of my journey to cloud security. What trends are you excited about and how does that play into your new role at FireMon?
<Rich> When I first started in cloud security over a decade ago I was part of a very small group being told that no real company would ever move into the cloud. Now everyone and everything is moving to the cloud, in many cases faster than enterprise IT and security teams can support.
The most exciting trend is that organizations are adopting cloud-native ways of doing things. Yes, it’s still early and there are plenty of places still carrying across their old security practices, but there are a lot more people who understand how cloud is different and takes its own approach. I will also add DevOps to the mix, just to create a little more chaos.
We are in the early phases of a generational shift in how we approach and execute security operations. Everything is becoming more distributed, event-driven, and automated.
Aside from the generally increasing usage and importance of cloud, there are a few trends right now I find really interesting and fun. For the past year or two, I’ve been spending a lot of time on cloud incident response and that has influenced the advice I’ve been feeding back to the product team. There are some really cool things you can do in the cloud that are much harder on-premise thanks to the ubiquitous nature of APIs in the cloud.
Identity and access management is also really heating up, thanks to just-in-time capabilities converging with attribute-based access controls. 20 years ago I wrote up a concept of “dynamic authorization” in a long-dead Gartner research report, and we now have the capabilities to achieve risk-based authentication and authorization at scale. It’s a game changer, and just in time, since we are putting all of our administrative interfaces on the Internet and letting admins access them from personally owned devices on untrusted networks.
The last trend isn’t new to us, but is just starting to get real traction. At DisruptOps we built our product early on for what people now call ClickOps. Just to be annoying I’ll call it ClickSec, and I love the idea of pushing security notifications with one-click remediations into the hands of those who own an application or environment. Let’s bust some silos.
<Matt> I’ve always been fascinated by your longtime passion for being a first responder. How does that shape your views of security and the way you look at the world?
<Rich> Heh…anyone who follows me on Twitter knows I can’t shut up about my emergency services work. I was a lifeguard at 16, an EMT at 19, and a paramedic by 22. These days I mostly focus on disaster response but I’ve worked fire, ski patrol, mountain rescue, and other odd jobs. Those were some of my most formative years and that work is really foundational to who I am and how I view things.
Working as a medic colors you with a certain approach to decision making. We are taught to assess incredibly chaotic situations in very little time, frequently in austere or even hostile environments. Paramedics are the masters of answering “sick or not sick” and developing a plan of action without a fraction of the diagnostic tooling other medical clinicians have available. In security, especially in incident response, we are often in the same position of making critical decisions without access to complete information, and we need to constantly revisit our decisions for changing circumstances.
Taking a step back, there are the larger perspectives around risk and people. Human behavior governs everything, and we can’t assume we can slather on some technology fix to a systemic or behavioral problem. Our technologies need to account for human behavior, and not assume it will change. It’s like the patient having the heart attack who doesn’t want to go to the hospital – do I spend an hour arguing with them? Or do I just tell their spouse they’ll need the number of a good funeral home before bedtime? One of those is a lot more effective at getting the person into the back of my ambulance.
<Matt> I know the answer to this question, and I’m glad I’m not close enough for you to take a swing at me, but…Star Trek or Star Wars? And why?
<Rich> Oh heck, I like them both, but both are kind of hit or miss with the new stuff. I’ve been a bit disappointed by Discovery and Picard. Heck, The Orville is doing Trek better than Trek right now. The latest Star Wars films weren’t all that I hoped, but they are nailing it with most of the TV shows. I’m especially looking forward to Ahsoka since I consider Rebels to be probably my favorite Star Wars property, not counting the original films.
But if I have to choose, Star Wars. It’s a bigger canvas that plays with fantasy and archetypes, whereas Trek is more a treatise on humanity and optimism. I think I’ve become too cynical in my old age to put Trek in the lead.
<Matt> FireMon and DisruptOps both have a focus on security hygiene. I’ve heard you say – in security, it isn’t just knowing what to do, but often the ability to do the right thing at the right time that makes all the difference. What should security hygiene look like in the future?
<Rich> How long do you want this post to be? Alright… I’ll try to keep it short(ish).
As I mentioned a bit earlier, for most of the history of security we have relied on silos. Well, not just security; that’s how we handled pretty much all IT operations. The silos weren’t created randomly; they are the natural outcome of how we had to build and manage our technology. In a datacenter someone had to own and run the network, someone else the servers, someone else the security. Physical architectures create chokepoints because it isn’t like we can let everyone run around and plug in their own wires. IT was defined by scarcity.
Cloud blew a lot of that apart. Anyone with a big enough credit card has access to thousands of custom networks and servers they can build with a few API calls. The chokepoints disappear, everyone is an admin, and now we are all catching up to figure out the best ways to still manage risk.
The future of security hygiene is retooling operations to account for the more distributed nature of IT operations themselves. To me, the ideal is that security defines the “rules” for managing risks, which are then codified into policies, infrastructure as code templates, and other tools for detective, preventative, and reactive controls. Then the individual teams manage their day-to-day issues, with security keeping an eye on things and stepping in to manage the big incidents.
We use automation to identify issues and deviations in near real-time, and then, when possible, route the issue and a recommended fix (or automation button) right to the team that owns that environment. At the same time, it shows up on security’s list of open issues for tracking and validation. As great as preventative guardrails are, they can’t account for everything, so we need the right mix of controls to reduce friction and enable high velocities while still managing risk.
Security hygiene is a mix of secure baseline templates, configuration, threat, and event monitoring, preventative guardrails (when we can), and finding and routing issues and remediations to someone empowered to take action right then and there. Everything is much more collaborative and real time. Right now, a lot of this looks like IaC/DevOps for a good start, and ClickOps for keeping things there, but we are really only at the earliest stages.
<Matt> Thanks for sharing your thoughts, Rich. Welcome to FireMon! Right now, RSA 2022 is in person. Rich and I are both attending and hope to see you there.