00:03 Steve McDowell: Welcome to the DataCentric podcast with Steve McDowell, that's me, and Matt Kimball, both senior technology analysts at Moor Insights & Strategy. Hey Matt, why don't you tell everybody what we're gonna be talking about this week? It's a very special episode. 00:17 Matt Kimball: On our last podcast, we talked about how Edge was really interesting kind of topic to hit on a little bit, something we haven't spent a lot of time, so we're not just talking Edge, we're talking security at the Edge. So this should be a lot of fun. 00:32 SM: Well, it's timely, right? We're seeing an explosion I think of Edge deployments. A lot of this is driven by 5G but just the capabilities that we're able to push out outside of the data center is driving a lot of growth. And as you said, that's naturally impacting how we think about security from a number of perspectives. 00:53 MK: Actually, I didn't say that, but thanks for throwing that up there. I appreciate it, Steve. Yeah. So it's like if we're gonna talk about Edge and we're gonna talk about security at the Edge, we may as well get the guys in that know the most about this. So we've invited some friends from HPE and Aruba, an HPE company. So, with us this morning, we have a couple of folks that have been spending a lot of years kind of up to their necks in this. 01:21 MK: We have Jon Green from Aruba, an HPE company. Jon is VP and Chief Security Technologist at Aruba. Jon, thanks for being with us. Appreciate it. And also, we have Tim Farrell. Tim Ferrell, I'm sorry. I have a buddy Tim Farrell at home. Tim Ferrell, who's a Master Cyber Security Architect at HPE and interfaces with customers day in and day out on security challenges, especially with the, I'm guessing, especially with the Edge right now and Edge deployment. So Tim, thank you for being with us as well. 01:52 Tim Ferrell: Thank you and good day, guys. 01:54 MK: Thank you. 
Yeah, we're all holed up in our home offices, kind of the impact of these days I guess, but so thank you. And so let's just kind of start off and talk about Edge. I mean, when you throw the word Edge up there, depending on the people you speak to and what industry they're in and what company they work for, the Edge takes on a lot of different meanings. There is a network Edge, there's all these different... And even within Edge, there are a lot of sub, you know, kind of sub Edges, if you will. You've got retail versus robo versus industrial. And then in industrial, you've got manufacturing and healthcare, et cetera, et cetera. 02:33 MK: The point is, how do you kind of from an Aruba and an HPE perspective, how would you, if you're going to kind of, to frame up our discussion, how would you kind of... What's your take on what the Edge is? Is it any device that's out there that is managed through IT resources? How do you define it? 02:52 Jon Green: Yeah, I'll take a shot at that first, I guess. Our division of HPE and we call Intelligent Edge and then people of course, ask the question, well, what does that mean? We kind of look at it as the Edge of the network is from the perspective of an enterprise organization. The Edge is the place where the users or the devices first interact with that enterprise organization. In today's world, I mean, things are connected all over the place and connected all the time. And so it's tough to kind of delineate between what's the Internet Edge and what's the Enterprise Edge and so on. But we kind of look at it as, I'm sitting in my home office right now, I'm a full time teleworker, but I've got a corporate network presence in this room. There's a device behind me that's providing enterprise WiFi to my home office here, so I'm connected to HPE's network, sitting here. Even if I'm not, I can be connected to my home network with my corporate laptop here and I've got a VPN connection in. 
And even if I'm not doing that, I'm still interacting with enterprise resources through things like Office 365. So that's the Edge from a user perspective. 04:15 JG: It also kind of incorporates the transition between the physical world and the network world. So think about inside the four walls of our office buildings, all of the sensors that are in there and the lighting control systems and the IoT devices and the vending machines and all these sorts of things. That's really the Edge to us it's that first point where a device or a user interacts with the enterprise organization. That's how Aruba thinks about it anyway. 04:46 TF: Yeah. And Matt, what we generally see with our customers is, most of them view as, the Edge is that which is not in the data center. And that tends to come across industry. So if you're in pharmaceuticals, the core systems and the data centers that are doing all the crunching and everything, that's the core. If it's out in a factory, if it's not in the data center, it's the Edge. If it's transportation, if it's the gadgets out on the rail yards and the switches, and the truck sensors, that's the Edge. But that's where the data is created, that is the life and breath of the company. 05:26 MK: And with that said, and I'm glad we're able to kind of bound this discussion or kind of put a more perimeter or kind of [05:35] ____ discussion a little bit by level setting, when you see these, specifically on the industrial side, there's all this hype around, we've got to make, we've got to turn data into intelligence and we have to be able to make sense of... Be faster to react to that manufacturing floor or bad actors that might be trying to come into the network. 
Specifically around the data side, Tim, this is probably more directed at you right now, but do you find that these digital transformations really are leading to, or companies really are kind of employing or deploying these real-time analytics platforms and using that to make more intelligent decisions, or is it more hype right now that you're seeing with your customers? 06:29 TF: Well, in the old days, your factory floor could operate relatively statically and could even operate detached from the core data center. And those decisions were made in a slower pace, a slower cadence. Now, with the economy, the digital economy, those changes and those decisions are having to be made minute by minute, hour by hour, and you can't tolerate those delays. So for the companies that really want to be able to make very fast changes to those devices on the factory floor, to those rail yard switches, to those robots, that intelligence is being pushed closer to the Edge because that also gives the ability for each of those Edge nodes, whether it's a factory, factory A, factory B, to operate somewhat autonomously. And you could, if you have something that you want to test out, you could, for example, push it down to factory floor A and try it out there as a pilot to see how well it works without necessarily affecting a change at the core that's going to affect everybody. But of course, that brings with it its share of security problems, because typically, security has been core-focused and not so much Edge-focused in the industrial world, anyway. 07:51 JG: It's interesting, given the news just within the past day of saying, "Well, we're gonna suddenly convert auto manufacturing plants into building medical supplies." I don't know how you do that, but it's certainly not, take the production line down for six months to retool it. There's gonna be, that digital... 
08:10 TF: And there's a completely different set of regulatory requirements that come into play too, which you can't fix with technology. 08:20 SM: Right. But you talk about security and you talk about security at the Edge, it's not just about security of the device, right? It's really end to end. We treat Edge as an extension of our enterprise architecture, at our infrastructure when you take a holistic approach to security, right? How do you think about that? 08:40 JG: The kind of classic security definition of confidentiality and integrity and availability, if we use that classic one, we've got different things to worry about there and confidentiality might be one of them. That tends to be the one that comes top of mind when a lot of people think about security. Depending on what it is you're doing, if we're talking still factory automation, integrity might be the thing we really care about. How do I make sure that the data that I'm measuring is actually the real data and that somebody isn't injecting something incorrect into that? So... And availability is probably the even more important part. If that thing goes down, I can't manufacture whatever I'm supposed to manufacture. So there's two angles there from a security standpoint. Making sure that the data that's going to and from the core is protected, is trusted, is one of those things. Making sure that those devices at the Edge aren't a gateway and a way to compromise the rest of my organization is another piece, but an equally important piece. So those two things are kinda how we see it break down. 09:57 MK: Yeah, so it's interesting 'cause it's... To what you're saying and to what Steve is saying, there is this... You have to look at security, it seems like, as this multi-dimensional approach, right? It's not just make sure those servers are secure, make sure your perimeter is secure, make sure only the right people are coming on or that devices are locked down. 
It's really the sum of all of this and how well you can tie that together, right? Kind of people, processes, products, but if you're not looking at all of these dimensions, it seems like you're only putting Band-Aids over the wounds instead of really addressing the issue, right? I think... We were talking the other day and it was brought up that the average enterprise has, what is it, 40 to 60 security products in place that they use or in-house that they use, and they're all point products. That doesn't seem like it's a smart approach by enterprise IT to deploy all these point products that maybe don't even integrate or don't consider one another, and... 11:01 MK: So, you both have been in industry for a while, right? Jon, you've been at Aruba for quite a while and Tim, you've been at HPE for quite a while, and your roles tell me that you know a little bit about security. Do you find that the current state is, enterprises are, I'm not gonna say not as prepared as they should be, but they tend to focus on addressing the needs of right now for this specific problem instead of taking this more holistic approach and this multi-dimensional approach? 11:33 TF: I think the confidentiality, integrity and availability discussion is interesting because in a bank, for example, integrity is key. If I can't trust that the balance you're showing me is the balance I really have, then I'm not sure I want you to be my bank. And a bank is less concerned about confidentiality than about integrity, because that's their key ingredient, and so it will vary by industry. If you're air traffic control, man, it's all about availability, so it does vary. 12:08 JG: So as an example of that, just a standard kind of enterprise scenario, TV screens on conference room walls. They're popping up everywhere, and what tends to happen is that the facilities department goes out and they acquire a bunch of television screens and say, "We're gonna put these in the conference rooms." 
And they say, "Well, there's an open ethernet port on the wall, let me connect the smart TV to the open ethernet port." Probably a good idea, maybe. It depends on the use case for that sort of thing. But then think about these television sets, a lot of them have microphones built in, they're designed for voice control so you can change the channel by talking to it. Where is that voice control going? And what's that television set talking to? And did I just put basically a bug into my boardroom that can allow anybody to listen in? And if it's dialing out and somebody can come back in through it, is that a gateway back into the enterprise network? People don't think through that whole thing, and there are some basic security techniques like network segmentation that we've had for years and years and years that can help with things like this... 13:23 JG: But it's not considered, I guess, sexy, you don't see... When I go to RSA, for example, and you go out on that exhibit floor, you don't see a lot of people talking network segmentation. You see threat detection here and threat detection there, and AI operations. And we're gonna automatically discover all the malware and the threats, and the threat intelligence, and this sort of thing. It's basic stuff that people are not... They're not doing that will solve the problem better than a lot of these fancy tools. 13:54 TF: There is a bit of a... What I call a shiny object syndrome in cyber security. And there's this pervasive belief that if I just buy the right tool this year or the right toolset, then my problems will magically be handled for me. But it's so much bigger than that, because a product can only work as well as the people who operate the product and deploy the product, and set policies that drive how a product is configured. So it is multi-dimensional. We tend to look at things with our P5 model, which is People, Policy, Proof, Product, and Process. 
And we assess all those 5 Ps, and all it takes is for one of those to not work well and the whole chain is suddenly weakened. So yeah, it is a very broad approach, but you have to do that. And most of the major failures we've seen in recent past where there've been major security breaches have been process failures. Products generally do what they're supposed to do. It's been people and process that have been the failures. 15:06 MK: So two, follow-on questions to that. First, Jon, from your perspective at Aruba, I mean, you guys have been doing this for a long time, right? Do you look at Edge and go, "Eh, it's just another... Kind of another deployment model, you know we can... " You talked about network segmentation, and kind of the security... The inherent security that comes with that. Do you not stress as much, not... Stress is the wrong word, but do you look at Edge as just another deployment model that, you know, you can easily resolve? Not easily, but resolve through a combination of Aruba and HPE technologies? Or do you see it as much bigger than that? And I have a follow-on to that one. 15:48 JG: There's some basics. Yeah, there's some basics, I mean, we got started at Aruba in 2002, I think. And that was right around the time that, if you remember WiFi and WEP encryption, it was [16:00] ____ broken back then, around that time. And so here we are trying to build an enterprise WiFi company and enterprise customers are actively ripping WiFi out of their organization, because of these sort of security problems. So I think we probably over-rotated and over-engineered on security from the very beginning. But we looked at it and said, "This WiFi network is gonna be a multi-user, multi-device type of infrastructure. We're not gonna deploy a separate network for every class of usage on the system." 
So I don't have one WiFi network for my employees and a separate one for guests, and a separate one for barcode scanners, and a separate one for medical devices, and so on. It's all the same infrastructure. So how do you treat the users coming into that network as a limited amount of trust? I don't wanna throw the zero trust phrase out there, 'cause that's one of these over-hyped things as well these days. 17:00 JG: But looking at it and saying, "I don't trust anybody coming into the Edge of the network, I need to identify who they are, what they are, and then apply appropriate security policies against them." That's what we've been about since the very beginning. And it's served us very well. What I'll say is, from a user perspective, that can be a tough problem to solve, in the sense that I've got all these employees, they got all these devices out there. I don't necessarily know what an employee is gonna do on the network. And so trying to put restrictions around their network traffic is difficult because users do unpredictable things. The devices, it's a different story, I mean, the devices we kinda know like that thermostat over there does one thing and it does it all day long. And so allowing it to do only thermostat things is a reasonable sort of security practice that we can put in. But you know, we've been preaching this message of role-based access control on the network for a very long time. The customers that we have that have embraced that have found that their exposure to bad stuff coming in through that edge of the network has been very low. Customers, who have just said, well it's just a... You know, I'm gonna treat it like a cordless phone, and we'll just extend the wired network into the wireless domain, have had more challenges. 18:24 TF: And Jon, I agree with you because a lot of what I see is shiny objects being purchased and deployed, but the failure is basic blocking and tackling, to use a football term. 18:37 MK: So with that said, right? 
I like the way you put it, you kind of maybe over-rotated a little bit on the security side, but it's paid dividends down the line. But that will never account for people, and... Or the people and the lack of processes. So you go back to like the Target hack a few years ago, where hundreds of millions of dollars paid out. And it all was because of a password that was left out for an HVAC system, right? So that goes back to the... You can put all the technology in place that you want, but you still can't account for... I don't wanna say stupid, but you still can't account for people being careless or people not being as diligent or not having the right processes. So tying that back to that, this... And Tim, maybe this is, given your interface with customers a lot, is this kind of where... When you go in and engage a customer on, you know, kind of securing security products around the Edge, is that kind of your first thing is, "Hey, let's get level set"? You talked about the five Ps, "Let's make people and processes kind of the foundational element to this entire approach" and then build and add products on top of that or do you have some kind of standard approach you take with customers? 19:52 TF: We usually look at this based on... We tend to be control-focused, so we use control standards like NIST and ISO and others that are industry-specific to guide us. And you can look at the controls in an organization and look at those for any individual control, you can evaluate how mature is that control based on each of those five Ps? Then you can start to decompose behavior. And really that's what we often find is that they all support each other. And ideally, you like to believe that your people are doing things that support what you're doing with product and product supports what you're doing with policy, but all it takes is for one of those to be out of line or undealt with, and suddenly the whole thing becomes very soft. 
So we look at them uniformly and product is to be one of the 5Ps, it's a fifth of the equation. We do weight process a little heavier than product because process is so critical and products are generally there to support a process. 21:06 MK: So let me ask you this, so when you say that though and hitting on the process and the people part, do you find, we were talking the other day about, kind of depending on what vertical that gap, if you will, that exist between your traditional IT folks and those operational technology folks that are sitting out on a factory floor or water treatment plant, those gaps can be broad or they can be somewhat narrow depending on the maturity of the organization and how far along they are. Do you find that being one of the bigger challenges you have when you're kind of engaging with customers? 21:41 TF: Yeah, because it's fairly typical for a company that is an IT/OT company, in other words, they're operating in both worlds, that the IT infrastructure is more mature in terms of cybersecurity than the OT infrastructure is. And they've existed in relative isolation for 20 or 30 years. And now that a lot of the OT standards, everything's becoming ethernet IP based, now we're starting to operate on a common technology platform, which is ethernet IP standard operating systems, Linux kernels, things like that, driving programmable logic controllers. So suddenly, we're finding a lot of commonality between IT and OT. And so we work with customers to try to, how do we take some of the lessons that we learned from IT and apply those to OT? And then likewise, we can take lessons from OT and apply those to IT. But trying to get those two groups to work together, it's often difficult because they've been isolated for decades and each done their own thing. OT tends to be more engineers, IT tends to be more IT practitioners, and they come from different worlds, but they are coming together. 
23:06 JG: There's a tendency that we have to suppress in the IT security world to jump over to the OT side and say, "Hey, we know everything and you guys are idiots. You're running Windows 98 and unencrypted protocols and all that... " They're under a different set of constraints entirely, and if it's keeping an electric grid up, okay, I can't tolerate having encrypted packets on my network because that stops me from troubleshooting quickly, and if that impacts the switchover time for a transformer switching, that's a big deal. So they are different worlds and we kind of each understand each other, but there's a lot more to go there. 23:50 TF: And you have to respect the world, like Jon was saying, in its own right. The OT world, they're a little more delayed in security, but it's not because they're not as smart or as educated or anything else, it's because they're in a world where downtime is often a matter of life and death. And so you may have a Windows 98 machine running there, but as a security practitioner, it's not your job to say, "Well that's just crazy. Why are you doing that?" Your job is to understand, why is it there? What is its necessary function in life? What are the constraints that stop that platform from becoming more advanced? And if the answer is it's got to stay on Windows 98 for the foreseeable future, then those are the cards you're dealt, and you work with that and you secure that platform as best you can. Perhaps you wrap it in something that's protective. But yeah, like Jon says, you can't just jump in and say, "I'm an IT guy and I've got all your answers." That doesn't work and it's never received well. 24:57 MK: And that goes against how IT folks usually... 25:00 TF: Absolutely, yeah. So when we're dealing with an IT/OT mixed customer, we have to be very careful that we respect each world, what it is and where it came from, and why it's operating the way it's operating. 
25:13 MK: And to what you're saying, I have a friend who, he runs the manufacturing floor for a semiconductor company and they run their entire factory on NT4. And I remember having a conversation with him sometime ago and he's like, "You don't understand, zero downtime. We have a very stable build and we've built everything around this. We can't just rip and replace and we're quite happy with the way it performs. So yeah, sure, we don't have Windows Server 2018 or 2019, but we don't need it for what we're doing." 25:46 TF: And often it's simple cost benefit. What is or... It's risk/reward is what I meant to say is, what is the risk/reward of leaving it where it is, which is a known good working thing versus disrupting it perhaps just for the sake of saying, "I'm upgrading." And of course you'll get security benefits, but if your choice is NT and it's rock solid and it's stable and it's working, and you can protect that with something, you can wrap something around it to protect it, like perhaps put it behind a piece of Aruba gear that protect that traffic and only certain things come in and out and it's very tightly locked down, if you can do that, then you can buy that customer three to five or more years of safe operation of that platform. 26:36 JG: I was gonna say, just on the, along those lines, the embedded software world that we operate in. So I own the PSIRT at Aruba, so the Product Security Incident Response Team and as our customers become more and more security savvy, they're running things like vulnerability scans against our products and coming back to us and saying, "Hey, you have a vulnerability in your product." "What is it?" "Well, you have an old version of the NGINX web server. It's version 1 dot... " Whatever. This just happened that... I came in yesterday on this front. "Why haven't you updated it?" "Well, we haven't updated it because it's not broken." 
And they said, "Well, but our vulnerability scanner says that that's not supported by the vendor anymore." And we said, "Well, we're the vendor, we do support that. We do keep track of, is there a problem with it?" 27:28 JG: People are uncomfortable with this idea that there's old software out there and somehow, the word has gotten out from patch every day and patch constantly, you gotta be on the latest version. We've avoided a whole number of security vulnerabilities in open source code by not being on the latest and greatest. That comes with its own set of stability challenges. Anytime somebody is writing new code, there's potential for things to break and there's potential for new security vulnerabilities to creep in. So we very purposely control that kind of stuff but it's very similar to the discussion we're having about the OT side of things, but just in the software front of, if it's not broken, sometimes you're better off leaving it alone. 28:12 TF: If it's not broken and you can find alternate ways to secure it. And there are many alternatives. 28:19 MK: So with that said, and kind of tying this back to the emergence of Edge and kind of real-time analytics, real-time decision-making and activity, are you finding that there are specific, either kind of in the industrial side. I know retail is very big on kind of embracing the Edge to help drive shopping experiences, but on the industrial side, are you finding that there are certain verticals or industries that are, they're just, they're way ahead of everybody else in their adoption of kind of the Intelligent Edge or is everybody kind of going along at their own pace kind of, or at the same pace, I should say? 29:00 TF: What I've seen is every company is doing their own thing based on their culture, their risk appetite, their finances, their ability to absorb pain that would come with moving forward with some sort of upgrade. It really does vary widely. 
There are some companies, and I've talked to a few where the leadership is very key on this idea of trying to merge IT/OT operations and security management because they believe there are substantial cost savings to be realized there, but that they're early in that journey and that remains to be seen how that will play out or how much success that would have. But it really is sort of those early adopters. 29:48 MK: Jon, what about you from like the, kind of the networking side [29:53] ____, I hate to use that phrase, but are you finding that there's a greater kind of vertical affinity say, with ClearPass or some of the other kind of Aruba products where you're finding more advanced deployment or usage, or management of devices and access control through product, or is it pretty much... Again, I know you've been at it for quite a while. 30:18 JG: Yeah. I wouldn't say it's within a particular vertical segment. I'd say it's particular companies and organizations within different vertical segments that are deciding to be leaders in that, or deciding to follow, or what have you. So I don't think it's probably universal across any segments. I would say the place where we see things like mobility being adopted the fastest is probably in education and possibly followed by healthcare, where it's like, get everything on the network that you can get onto the network, and you find new solutions and you find new cool technologies and things you can do with that once you do network everything, but those places probably jump on it the quickest. 31:10 MK: But it sounds like to what Tim said, it's really kind of, the company has an appetite for kind of taking on some of the risks associated in managing that, it's really kind of more company culture-based versus industry-based. 31:28 JG: Yeah, definitely. Even in the military, the last place you might expect it, but people like the US Army adopting mobile technology and commercial mobile technology to carry out their mission. 
We see some of that happening in certain places and then we see other parts of the government that's very much conservative on that front. So you find it varies all over. 32:00 TF: And even the companies that have decided to go forward with merging these two worlds to get the benefits, they acknowledge that there is going to be pain. We know that and we accept it, but we've decided that we can manage that pain because it's going to be worth it for what we believe the benefits we're going to reap when we emerge from this, and often that takes great leadership to take a leap like that. 32:24 MK: And so in tying to that, in tying to kind of building out holistic approaches to security for those companies that are more on the leading edge, you mentioned NIST earlier, it's kind of like a good standard for approaching security. And I know that HPE Pointnext... I think it's Pointnext, but HP in general has taken this as its kind of guideline and you built your own kind of standards that align to NIST, if you will. Have you found that based on industry, based on geo, based on, you name it, that there are different other standards companies should consider or... 33:08 TF: It's interesting because about 10 years ago, ISO was king and everybody adopted ISO because it's an international standard. And this was a US federal government standard. And there was some hesitation by foreign states to adopt what was a US federal government standard. Now, what we're seeing is that other countries, other companies in other countries are now starting to adopt the NIST standard. It really has started to accelerate. I don't know what this means for ISO going forward, but they are broad standards that can cover any company of any size across any vertical. Then there are very specific standards, like PCI for the credit card industry. And there's NERC CIP for the energy industry. Those verticals tend to be governed closely according to those measures. 
So PCI, for example, you do it because you have to, if you wanna be in the credit card business. NERC CIP, you do it if you wanna be in the energy business. 34:09 TF: There are companies that don't have to follow any standard to be in any business, but they have adopted standards like NIST and ISO because that really does start to form the foundation of your security program. And here's the catcher is if you adopt NIST or ISO, and you do those well, they get you 95% of the way there to PCI compliance or NIST, NERC CIP or FFIEC in the federal... In the financial world, sorry. But yeah, you don't have to treat security and compliance as two different things. They're close cousins. But I really believe that if you do security well, you will get most of the way there for your compliance efforts, but it's not the other way around. You can be compliant and be unsecured, insecure. 35:04 JG: It's important to not get hung up on which of these frameworks you wanna pick up on. But the NIST Cybersecurity Framework is a good one. It's free, anybody can look at it. It's not so much I'm gonna take every control in SP 800-53 and implement that control. But it's I'm gonna at least sit down and think about that and say, "In my particular organization and my particular environment, what do I need to actually secure my systems? Those frameworks are really good at covering all the bases and saying, "Have you thought about this? Oh, we didn't think about this aspect of identity or what have you." So that's where those things are really helpful. As you said, if you're subject to specific industry regulations and compliance requirements, well then obviously that's what you gotta do. But there's a lot of us that are not subject to anything specific there. In which case, pick something and get started, whether it's ISO or whether it's NIST or what have you. We just like NIST because it's free. 36:16 TF: Yeah. The price is right. 36:19 MK: What I liked... I went through and I was... 
As I was getting ready for this, I looked at NIST and I looked at what HPE Aruba has put together for your engagements. And what I like and I think, Jon, you hit on it, it's not necessarily about, "Here are the 12 things you do." It's the exercise of applying critical thought to security and doing it in a complete way. Kind of answering all the what-ifs all the way down the line until you get to root along all vectors and all dimensions of security. And that to me is probably the more, as an ex-IT guy, that would be the most valuable exercise. The product follows that critical thought and that planning. But if I do that upfront, then I'm gonna be a large part of the way there. And even those areas where I'm exposed, at least I know where I'm exposed. So I have the opportunity to try and mitigate that even more. 37:17 JG: It's overwhelming otherwise. Here's, I'll show you in the video... I've got a copy of SP 800-53 printed out here. Amazon, 20 bucks, I think is what that costs. But it's a good size book, if you look through every single one of these controls in here. And the reality is most of them are not applicable for every single organization. So you gotta look through it and say, "What makes sense for me?" And you can take the framework and craft your own control into that to say, "Well, for my organization, that stuff that's in the book doesn't really apply, but I need to create something to control that risk. Here's what I'm gonna do." And as long as you're measuring that and saying, "We're getting it done," great. 38:02 TF: And Matt, a lot of customers asked me, "Where do I even start?" And to Jon's point is, find a standard, pick a standard, and start aligning yourself to it. Start at the beginning and just... You don't have to do it perfect. But at least be aware of what are the areas of security that you should be thinking about and start going through critical exercises of, "Am I doing this? Am I doing that? Am I not doing this?" 
And then second is start thinking like a bad guy. You know your infrastructure, be your own bad guy and start figuring out, "How would I attack me? How would I get inside my own organizations?" And that thought process, it's often called threat modeling. But it's basically, you know your network, you know where the soft spots are, you know your infrastructure, how would you attack you? 38:57 JG: One of the pieces of the NIST Cybersecurity Framework, if you look at the five pillars there, Identify is the first one. A lot of times, people don't spend a lot of time there. 39:07 MK: That's right. 39:07 JG: And that's... With our ClearPass product, that's one of the big reasons people buy that product. It's a network access control system but one of the big pieces it does is profiling the network to figure out what's actually on the network in the first place. If you don't start with that basic stuff of identify what's out there, it's tough to go to the next step which is Protect. And if you're not protecting, then detecting is hard to do. So that early stuff on there is a big deal. 39:38 MK: Well, to what you're saying, that's what leads to a company deploying 40 to 60 security products that are all point in nature and addressing a specific incident that may have happened or... Instead of that holistic approach. 39:53 TF: Yeah, it's not as cohesive. 39:56 MK: Yeah, so a couple of questions, and I know we're gonna... I'm gonna be forced to stop talking here a little bit but a couple of questions I have for you guys, the first is... And one for each of you, and Tim to you I would ask the question of... I'm an ex-IT guy, I lived in the IT world, and I had my own biases and when I... For my own organization and I "knew" what was best. 
I didn't need somebody coming in from the outside to tell me what was best, but speak to the importance of having that kind of neutral third-party broker come in and give you a better, more sober assessment of your current state and a strategy moving forward. Is it important? Does IT know best? I mean, what are your thoughts? 40:48 TF: Well, the thing you run into with IT folks and specifically cyber security folks that... In an organization is they're so vested in just the day-to-day survival and getting through their day and doing their jobs that they often don't have the chance to step back and take a fresh look, a clean look, a truly objective look. And so bringing in a third party, it does a couple of things, one is, it's a very objective look 'cause a third party has nothing to gain or lose by whether they find or don't find anything. They're just there to dig and to help you understand. The third party often brings the benefit of having done this type of analysis so many times that they know what to look for, they can quickly find the low-hanging fruit, and they can often quickly find some of that higher hanging fruit. If you're trying to do this yourself, you may not have the benefit of having done it 30, 40, 50 times with companies of your size or in your vertical. 41:56 MK: Yes, yeah, yeah. I think that's it, and to what you're saying... And this is not a plug for Pointnext but for our listeners out there, if you're going at your security strategy alone, you're doing your company a huge disservice. It is companies like HPE's Pointnext services or organizations like Pointnext that really do bring the depth of experience and breadth of experience, and neutrality to the equation. And not just help with a cohesive security strategy, but also help bring all of the different actors, IT, OT and others in the business line together, and can act as the parent in the room, if you will, as you kind of... [chuckle] 42:43 TF: We often refer to ourselves as therapists. 
So you bring all the people together in the room, you bring the family together and you start problem solving, it's like... And you do really, you have to play therapist. It's like, "Let's talk about what your problem is. Now, let's talk about your view of the problem. Now, let's find some common ground. Now, let's take a look at ways we can solve that problem that address person A's need, person B's need, person C's need, and it's within your budget, it's culturally acceptable, et cetera. 43:17 MK: Yeah, and we have found it has worked at... Yeah. Now so not... But to say all that, and the importance of all that, I feel like, as I've talked throughout this, I've kind of not given product its due recognition because we understand that it starts with people, process, standards. But Jon, from your perspective, I mean... Look, Aruba has been around for a long time, has been wildly successful because of a product. HPE, with silicon root of trust and [43:50] ____ some are recovery capabilities, there's a reason why ProLiant and Edgeline servers are being differentiated out in the market, right? Through all of these technologies. Jon, can you speak to the product side a little bit and... As you look at the marketplace in those companies that are deploying 40-point solutions, can you speak to the kind of Aruba story and how that... What makes HPE and Aruba uniquely positioned in the space? 44:21 JG: Yeah, without giving a product pitch which I know nobody wants to hear especially in the morning. But starting with the assumption that if you can't trust the infrastructure that you put into your IT organization, it's really tough to trust the data and the services that you're putting on top of that. We spend an inordinate amount of effort to try to make sure that the infrastructure itself is something that's trustworthy and that starts with, "How do we build code? How do we publish code? 
How do we build our supply chains to make sure that the hardware is trustworthy from the beginning? How do we think about the ways that people will attack our infrastructure?" So from a WiFi perspective, for example, I've got WiFi access points scattered all throughout a building, how do I make sure if somebody gets their hands on that physical piece of hardware, it doesn't turn into a security incident in that way? So there's a whole lot of... And it's a bit boring if you're not a security nerd, but the threat modeling that we do against our own people, our own software, our own hardware, it's pretty extensive in making sure that that stuff can all be trusted. 45:46 JG: And from that, from that basis, you can build things on top of it and add additional features, and a lot of customers to go out and say, "Well, I wanna do this type of a service. I wanna deploy... " We've got networks deployed in some pretty interesting places in the DC area where I sit; places you wouldn't expect to see and that foundation of trust in the infrastructure is the reason we can do those things. We don't talk about it that much. We probably should talk more about those sorts of things but it gets a little dry for people when you go into silicon root of trust and chaining of a boot loader process on an HPE server. There's actually a lot to it, but people's eyes glaze over at that point. 46:40 MK: Well, yeah, and quite frankly, as an ex-IT guy, I'll say, I think even a lot of folks that are in IT, it's not just your casual listener because casual listeners love to talk about security, but even folks within IT, when you start speaking to silicon root of trust and some of the deeper level technologies, they get a little bit off because they don't tend to be rooted... Their worlds didn't start in this. 
But the higher level message to that is that security, from a product perspective, isn't just securing your server, it's not just securing a perimeter, it's not just access control, it's not just protection of data. 47:25 MK: I think we started out with the classic definition, if you will: Confidentiality, integrity, availability. And I mean it, I can't overstate it. It is definitely multi-dimensional and if you're going to... I'm an IT person, and I'm looking for a solution that can address as many of these dimensions as possible, I have to think about hardware, software, services, processes, all of these things working together in unison and in harmony to deliver the best results for me. I just can't go by product A, product B, product C and hope that it all works right. 48:04 JG: Yeah, and customers are getting tired of this, the endless... We all know the cyber security industry is a bit overheated at the moment with just the number of vendors that are out there trying to sell those things. People are getting a little weary of that and saying, "It's time to cut back a little bit and focus." 48:30 MK: One last question 'cause Steve just gave me the hook. One last question. For folks that are listening at home that are not related to Steve or myself, top three recommendations you would give to any IT practitioner that was looking to deploy Intelligent Edge and considering security as a fundamental element to that project. 49:04 JG: I think I'd say, first of all, it's something that is eminently doable. There's not... People need to make risk management decisions and decide... There is a risk of doing these sorts of Edge projects but there's a big reward that comes with it. Managing the risk is the key. So, we don't need to shut it all down and say, "No wireless, no BYOD, no mobility, no whatever, is we're gonna do." But we need to be intelligent about... 
49:36 JG: And I think the most valuable thing people can do that they tend to skip is really that threat modeling process, "Let me think about what could go wrong. Let me think about, are there intelligent things I could do to prevent those things from going wrong and then take those steps?" It doesn't have to be super complicated, and a formal model to follow of having threat modeling, but this is what I tell our software engineers when they're building new features, "Think about how it could be of use, think about what could happen, and try to take some step ahead of time to prevent that from occurring." That would be my biggest piece of advice. 50:14 TF: Yeah, and mine is very close to that. One is, as a pure security practitioner who's product agnostic, one, pick a security control standard and start to adopt it. Understand it, start to live it and breathe it, slowly at first. And the second one is, just to what Jon said, start doing some threat modeling. Start... One of the most useful exercises, I have a customer that does a red-blue team exercise every year and I have the red team attack the blue team, and what they learned from that process is just unbelievable. And they sit down and discuss it afterwards. It's a threat modeling exercise. Often called a red team exercise but it's more threat modeling. And the third is look at security holistically, look at those five Ps, because all it takes is one of those to be weak and the entire chain is weak. 51:15 MK: We actually did a research paper. We're gonna flash it in the notes of this podcast. We just did a paper. In full disclosure, we were commissioned by HPE and Aruba but it goes over exactly this kind of the... We call it the IT Practitioner's Guide to Security at the Edge and take the time. Guys out there, folks out there, read it. A lot of really good useful information about how to approach security at the Edge. 
While we do hit on product, we really focused heavily on the people-process element of the equation and starting off on the right foot in adopting a holistic security strategy. 52:00 MK: And so, Tim and Jon. I wanna thank you... Steve... I wanna thank you for taking part. This is gonna be a fun conversation and I think there are a couple areas where... I don't know about your thoughts, Steve, but where we can dig a little bit deeper maybe in a separate podcast. 52:13 SM: No, I think we will. You've given us, I think, quite a bit to think about, especially where we're talking about the overlap between IT and OT, and that's something that not all IT practitioners, I think, are equipped today to think about and deal with. So, I think we'll definitely be going deeper as we do that. But again, thanks a lot for your time. This was fantastic. It gave me a lot to think about, I learned, I know. 52:38 MK: Thank you, guys. 52:39 TF: Thank you. 52:40 JG: Absolutely, thank you. [music]