Founder & CEO Peter House of Risk Management MSP Deeptree discusses the importance of machine learning as a fundamental component of Security Ops
1. Tell us how you came to be the CEO at Deeptree. How has InfoSec tech changed from the time you took over as CEO?
I founded the company in 2013 with a vision of bringing holistic risk management to all levels of business. 2013 was a watershed year for InfoSec in a variety of ways. CryptoLocker was, for those paying attention, a warning shot. Most organizations, at that time, even the large financial organizations we worked with, focused mostly on firewalling and endpoint protection. The limitations of relying solely on those toolsets are apparent to many of us today. This is largely due to the weaponization of cryptography and increasing sophistication around delivery. At the same time, we have also seen the rise of advanced persistent threat (APT) actors around the globe. While it’s important to not get breathless about their activities, it’s important to recognize that mimicry of their tools, techniques, and procedures will eventually make their way down to lower trophic layers in the marketplace. In that way, their activities concern us all.
Fortunately, our industry hasn’t stood still either. We know that year over year, investment into the space grows apace.
InfoSec was at US $159 billion globally for 2019. In contrast, the global annual spend was 95 billion in 2013. And, the forecast for 2020 is 173 billion. That’s a lot of opportunity and investment. It reflects a certain amount of dedication worldwide to deliver security.
And because of that, we have seen an explosion in tooling and capabilities. There are more industry certifications and college degree programs than ever. And our discipline is being aided by cutting edge technology. Even now, it’s hard not to remain excited about the promise of machine learning and data science as a means to effectively protect our organizations. The discipline holds much more promise than it did in 2013.
2. How did you define the vision of Deeptree? How did you approach your first 100 days as the CEO?
As a founder, vision definition was an organic process that arrived alongside value proposition exercises. In defining our target customer and how we addressed their needs – the larger question of the existential why arrived. It was naturally part of the founding process. Ours is that we want to contribute to making the world a “safer place to live, work, and compute”. I feel that simple vision statements akin to Google’s desire to organize the world’s information are simple enough to understand and give staff the degrees of freedom to be agile in the moment yet remain aligned to our North Star.
At the time of founding, the first 100 days were very simple and straightforward. Execute on the anchoring contracts we had secured, develop relationships with suppliers and prospects, and establish our place in the world. There was a lot of failure and rejection involved. Earning trust when one’s firm is so young is a lesson in grit. Fortunately, I had a good number of friends who are founders and CEOs who offered valuable insight into running a firm. And following their advice yielded fruit.
3. What are some of the opportunities, like ease in managing SecOps, while offering the best in cyber security tech that Deeptree is helping large and small enterprises leverage?
Ease in managing SecOps is indeed a significant opportunity for Deeptree, and one that our partnership with Stellar Cyber really helps us achieve. So much of information security relies upon finding anti-patterns. There’s a famous aphorism that malware can hide but it has to run. And that’s where the real opportunity for us arrives. There’s a fantastic book by Andrew McAfee and Erik Brynjolfsson titled “Race Against the Machine”. In there, they describe open format chess tournaments where individuals, teams, machines, and hybrid compositions thereof were allowed to compete. The highest performers were consistently hybrid teams of individuals and computers. We see information security in that same light. We want to race with the machines to deliver best-in-class information security.
SecOps is fundamentally an exercise in big data – it’s high volume and high velocity. Bringing the crucial “and” of “big data and cyber security” is where we see opportunity to protect enterprises large and small. By working with our tooling, we free up our staff to threat hunt, to discover the quiet signals before they get out of hand.
4. What are some of the unique lessons you have learnt from analyzing your customer behavior?
People actually use Microsoft Office macros. Really. Coming up in the way of the security analyst, one of the early myths I internalized is that people do not regularly use Office macros. I was once disabused of this notion by spending time with the head accountant of one of our larger customers. Spreadsheets are flying around between the CPA and the accounting staff complete with macros on every worksheet. And asking them to not enable them is just simply not tenable. So the scales fell from my eyes on that. One’s mission evolves from training users to not enable macros but to capture, inspect, and allow non-malicious files through.
Another one is that businesses with a strong culture of efficiency are often naturally resistant to controls like multi-factor authentication. It’s crucial to understand that strong cyber security programs are exercises in organizational change management. They are programs, not projects, and concepts like gamification, reinforcement, and measurement take the undertaking from simply a technological one to a human one. Patience, determination, and communication are key to success. People fundamentally want to do a good job – what is required is establishing what a good job looks like today in this new era.
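The macro point above (capture, inspect, and let non-malicious files through rather than telling users never to enable macros) can be turned into a concrete gateway check. The following is an added example written for this page; it is not Deeptree's or Stellar Cyber's code. It inspects an Office file as bytes, distinguishes the legacy OLE2 container from modern OOXML packages, and for OOXML looks for a vbaProject.bin part and for the macro-enabled content types in [Content_Types].xml. The sample documents it builds are constructed minimal zip packages, not real Office output, and the policy names ("allow", "inspect-further", "quarantine", "manual-review") are assumptions chosen for illustration.

```python
import io
import zipfile
from typing import Dict, List

# Magic bytes of the legacy OLE2 compound file container (.doc/.xls/.ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Content types that Office writes only into macro-enabled OOXML packages.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)


def inspect_office_file(data: bytes) -> Dict[str, object]:
    """Classify the container and report any VBA indicators found in an OOXML package."""
    findings: Dict[str, object] = {
        "container": "unknown",
        "has_vba_project": False,
        "vba_parts": [],
        "macro_content_types": [],
    }
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE streams, which needs a dedicated parser.
        findings["container"] = "ole2"
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return findings  # a zip, but not an OOXML package
        findings["container"] = "ooxml"
        vba_parts: List[str] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        findings["vba_parts"] = vba_parts
        findings["has_vba_project"] = bool(vba_parts)
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        findings["macro_content_types"] = [t for t in MACRO_CONTENT_TYPES if t in content_types]
    return findings


def gateway_decision(findings: Dict[str, object], recipient_may_use_macros: bool) -> str:
    """Map inspection findings to a routing decision (hypothetical policy labels)."""
    if findings["container"] == "ole2":
        return "manual-review"          # legacy container: route to deeper analysis
    if findings["container"] != "ooxml":
        return "not-office"
    if findings["has_vba_project"] or findings["macro_content_types"]:
        # Macro documents are never passed through blindly: users who legitimately need
        # macros get further inspection (e.g. detonation), everyone else gets a quarantine.
        return "inspect-further" if recipient_may_use_macros else "quarantine"
    return "allow"


def build_sample_docx(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package for testing; not a real Office document."""
    plain_main = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    macro_main = "application/vnd.ms-word.document.macroEnabled.main+xml"
    overrides = '<Override PartName="/word/document.xml" ContentType="%s"/>' % (
        macro_main if with_macros else plain_main)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if with_macros:
            overrides += ('<Override PartName="/word/vbaProject.bin" '
                          'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not a real VBA stream
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            + overrides + "</Types>",
        )
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("plain", build_sample_docx(False)), ("macro", build_sample_docx(True))):
        f = inspect_office_file(sample)
        print(label, f["container"], f["vba_parts"], gateway_decision(f, recipient_may_use_macros=True))
```

The two signals are deliberately checked independently: a package can carry a vbaProject.bin part without the macro-enabled main content type (or the reverse) if it has been hand-edited, so a document that trips either one is treated as macro-bearing.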
5. What are the common challenges that some of your customers aim to resolve with your MSSP offerings?
First and foremost, our customers are seeking to limit exposure. In our marketplace, there have been a few high-visibility events with non-trivial price tags associated with them. And business leaders are recognizing that addressing this kind of exposure is one that requires the kind of pro-active service that Deeptree offers.
Our clients have a number of tickets that need to be punched – active vulnerability management, regulatory compliance, network security monitoring, end-user and entity behavior analytics, just to name a few. Meeting those challenges makes up the baseline of engagement. What’s interesting is what arrives after those matters have been attended to.
An unexpected outcome is that many of our clients are using the opportunity to become more secure in general. Instead of a purely transactional relationship, the relationship moves to an active dialogue. For example, when we deliver our scheduled reports, we often receive follow-up questions about ways they can better secure their environments and better secure their work habits. This leads to conversations beyond vulnerability management, as an example. We did not fully anticipate this when designing our services. It’s a delightful outcome that reinforces our generally (gritty) optimistic outlook.
6. Deeptree was recently in the news for partnering with Stellar Cyber to build an intelligent SOC platform for businesses. Can you elaborate on the partnership and the target customers for it?
Initially, we were on the journey of developing our own in-house solution when we encountered Stellar Cyber at a conference. During the demos, it became apparent to us that they had built what we had envisioned. So we made the correct business choice and discarded our efforts and jumped over to Stellar. We see Stellar as a category killer because they agree with us; a fundamental component of SecOps is data processing and machine learning. And their implementation leaves little to be desired.
Going back to the example from “Race Against the Machine”, we need a platform that frees up our staff to threat hunt, to proactively work with our clients to secure their environments further, and to plan and prepare for DFIR (Digital Forensics and Incident Response) activities. They cannot do that if they are having to pound big rocks into small rocks by iterating on baseline queries. By removing that requirement, Deeptree staff are empowered to deliver first-order value to our clients.
This simple fact about Stellar Cyber demonstrates the power of machine learning at its best. It frees up our staff and enables organizational agility. It allows us to see more, know more, and act faster.
With that in mind, our target customer is anyone who cares enough to be secure. Pithy statement aside – these customers tend to cluster in segments like healthcare, finance, and defense contracting. It’s worth noting that scalability isn’t a trait that is monotonically increasing alone. Scalability means scaling up or down. And so we do both thanks in large part to Stellar Cyber. We serve small clientele and enterprises alike. Not to sound repetitious but we do appreciate machine learning in enabling that value delivery.
7. What are some of the challenges SMEs face in securing their businesses compared to those that large enterprises have to deal with?
This is a significant question that I believe merits much reflection. I believe that as the IT department is often the ultimate target to getting to the business, so are InfoSec SMEs the ultimate target in potentially accessing client networks. We have seen world-class cyber security consulting firms targeted and successfully compromised in the recent past and it’s a stark reminder that vigilance is required.
The easiest person to lie to is oneself. And it’s easy to convince oneself that it can’t possibly happen because one knows security. For example, we have seen environments where the malware is on privileged IT workstations and servers, not locked down end-user workstations. Because the same principle applies to SMEs, it means ensuring technical controls are implemented and monitored. Active reporting, measurement, and including one’s own business in the list of clientele are how we address this weakness. We buy our own services from us just as we deliver them.
But technical controls aren’t enough either. Complacency can arrive through behavior as well. This means having a higher standard of secure computing and conduct. It means having an in-depth culture of security. A mildly humorous anecdote is the response one receives if they type the wrong thing into something like Signal, “This is how breaches happen!” By reinforcing to ourselves that thoughtfulness and awareness are part and parcel of a secure computing environment, sometimes light-heartedly and sometimes very seriously, we feel that we can meet this challenge.
8. Can you give us a sneak peek into some of the upcoming product upgrades that your customers can look forward to?
There are a number of areas we are putting thought-work into. We have a significant interest in addressing certain classes of attacks such as living-off-the-land attacks and process hollowing. We want to build better identification and turnaround time for identifying these classes of attacks.
It’s also been said that at a certain level, bad code is almost indistinguishable from malware. So when it comes to securing line of business applications there’s a certain level of validity to that statement. So much attention is being paid to host security – yet how many critical business applications are being used that do not have similar security programs such as bug bounties and disclosure programs? So, we’re exploring ways to improve on this issue.
Third-party risk management seems to be quite nascent yet we have seen a number of supply chain attacks. Imagine the level of compromise that could occur if remote monitoring and management (RMM) tools used by managed service providers (MSPs) were attacked. This is an area of concern for us.
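The living-off-the-land class mentioned in this answer is usually caught first in process-creation telemetry, so here is an added example of the kind of baseline detection logic a SOC would run over such events; it is written for this page and is not Deeptree's or Stellar Cyber's code, and it does not address process hollowing, which requires memory inspection rather than event logs. The events are constructed, Sysmon-style process-creation records with parent image, image and command line; the binary lists, alert names and sample paths are assumptions for illustration. Three heuristics are applied: an Office application spawning a signed scripting or utility binary, such a binary being handed a remote resource on its command line, and a core system binary name running from outside the system directories (a simple masquerading check).

```python
from dataclasses import dataclass
from typing import Dict, List
import ntpath

# Office applications that should essentially never launch command interpreters.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Signed Windows binaries commonly abused as "living off the land" tooling (assumed list).
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Core system binaries that legitimately live only under the Windows system directories.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Command-line fragments that indicate a remote resource (URL or UNC path).
REMOTE_HINTS = ("http://", "https://", "\\\\")


@dataclass
class ProcessEvent:
    """Minimal view of a process-creation event (Sysmon EventID 1 style fields)."""
    parent_image: str
    image: str
    command_line: str


def _name(path: str) -> str:
    # ntpath handles Windows separators regardless of the platform the detector runs on.
    return ntpath.basename(path).lower()


def evaluate(ev: ProcessEvent) -> List[str]:
    """Return the list of heuristic alerts raised by a single event (empty if benign)."""
    alerts: List[str] = []
    parent, child = _name(ev.parent_image), _name(ev.image)
    cmd = ev.command_line.lower()
    if parent in OFFICE_APPS and child in LOLBINS:
        alerts.append(f"office-app-spawned-lolbin: {parent} -> {child}")
    if child in LOLBINS and any(hint in cmd for hint in REMOTE_HINTS):
        alerts.append(f"lolbin-referencing-remote-resource: {child}")
    if child in SYSTEM_BINARIES and not ev.image.lower().startswith(SYSTEM_DIRS):
        alerts.append(f"system-binary-outside-system-dir: {ev.image}")
    return alerts


def detect_all(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Run evaluate() over a batch; keys are indices of events that raised alerts."""
    results: Dict[int, List[str]] = {}
    for idx, ev in enumerate(events):
        alerts = evaluate(ev)
        if alerts:
            results[idx] = alerts
    return results


# Constructed sample telemetry (hypothetical host, user and paths).
SAMPLE_EVENTS = [
    ProcessEvent(  # 0: user opens a document, benign
        r"C:\Windows\explorer.exe",
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r'"WINWORD.EXE" /n "C:\Users\alice\Documents\budget.docx"'),
    ProcessEvent(  # 1: Word launches PowerShell on a script in a temp folder
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -NoProfile -File C:\Users\alice\AppData\Local\Temp\report.ps1"),
    ProcessEvent(  # 2: mshta handed a remote HTA (example.invalid is a reserved test domain)
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\mshta.exe",
        r"mshta.exe https://example.invalid/page.hta"),
    ProcessEvent(  # 3: something named svchost.exe running from a user profile
        r"C:\Windows\System32\services.exe",
        r"C:\Users\alice\AppData\Roaming\svchost.exe",
        r"svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for idx, alerts in detect_all(SAMPLE_EVENTS).items():
        print(idx, alerts)
```

Rules like these are cheap and high-signal on their own, but the point of the answer above stands: the value comes from letting the platform raise them so analysts spend their time on the follow-up hunt rather than on re-running the baseline queries by hand.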
9. How do you keep pace with rapidly changing cyber security tech space?
Frankly, it’s a blend of book-reading, social media, conferences, news media, and old-fashioned conversation with my peers. Anything less and there are gaps. I am a big fan of “Thinking Fast and Slow” by Daniel Kahneman. To keep pace with the space and yet not be tossed about like a cork on the ocean, I have to stay rooted in the fundamentals while also searching for what arrives presently. One area that I use to look ahead and skate to where the puck will be is through research papers. University-level research in cyber security has really taken a quantum leap forward. A good cup of tea, a good record, and a research paper from time to time is a fantastic way to explore the gap between practice and theory.
10. What is that one cyber security breakthrough that you will be on the lookout for in the upcoming year?
I am really on the lookout for greater involvement in Security Orchestration, Automation, and Response (SOAR) by vendors across the board. SOAR adoption hasn’t become ubiquitous quite yet and I believe that’s reflective of a lack of uniform adoption. Until SOAR arrives as a concept in the small to medium-sized business space, work there is not yet done. We need fuller participation there.
The Target breach was facilitated by going after an authorized vendor. F-35 plans were boosted from Australian defense contractors. Until we recognize fully that network security includes conceptual networks like organizational ones, we are limiting our coverage. The fundamental discipline of mathematics driving the age is network mathematics. A secure marketplace is one that delivers SOAR not just at the enterprise level but at the SMB level as well.
11. What advice would you like to give to the emerging cyber security tech start-ups?
Whatever you do, have some level of focus on simplicity. The space is wide open but a major inhibitor to adoption, outside of a shifting vocabulary, is the level of complexity inherent in the discipline. I apologize for the inevitable comparison to the car industry but look at the sophistication of the vehicle underneath the hood and compare that with how the dashboard has stayed relatively static for the driver. This, I think, is instructive.
The Internet is a very different place from 2013 or even 2003. Where it will be in 2023 will be different than today. I have another treasured book titled “Proofs from the Book”. It’s an anthology of Paul Erdős’ favorite mathematical proofs. The simple ones showing great mastery of the subject. True masters don’t revel in the squalor of complexity but rise out of it. We need, more than ever, given the inherent complexity of the system, masterful simplicity.
For a start-up, this is obviously a goal and not something one does right away. But if it’s never a goal, it’ll never be accomplished. It has to be baked in not added on.
12. Please share a recent piece of content (can be a video, podcast, blog, movie, webinar) you liked that set you thinking about cyber security tech in general?
This is like asking me to select my favorite child or book. Top of mind today is this briefing from Black Hat 2019: MITRE ATT&CK: The Play at Home Edition –
Organizations everywhere need to lean into the ATT&CK Framework. It pushes us from regulatory compliance checklists to seeing attacks through the eyes of an attacker.
13. As the CEO of a tech company, how do you inculcate a culture of innovation and problem-solving among your employees, be it at the entry-level or a higher management level?
A prime ingredient for innovation is empowerment. To do that – we made it known that whoever is presented with the problem has the power to solve the problem. This includes the power to spend money. Many of our staff have company credit cards. I have been greatly influenced by “The Tiger’s Way: A U.S. Private’s Best Chance for Survival” by H. John Poole alongside systems thinking books like “The 5th Discipline” by Peter Senge. They are unequivocal in their message – build systems that incentivize initiative. Initiative begets innovation. And innovation begets excellence. Culture is our default decision system. It’s what we do when we don’t have a reason to do anything else. So our focus is enablement and support.
This might sound high-minded and impractical. So what does that look like practically speaking? It means letting the staff assign priorities to their tasks. That task assignment is an active conversation. It also means that the processing of mistakes is performed routinely and dispassionately. I, myself, have made mistakes and performed a root cause analysis exercise with the team. By establishing it is something we do as part of our work and not something done as blame assignment, we have opened a way of performing our work that incentivizes innovation and provides a safety net of support in case innovation goes awry which it can do when one is trying something new.
14. What is the one leadership motto you live by?
“Memento mori” – I have experienced one very-near-death event and one serious misdiagnosis. I have been reminded of my mortality, it feels, more times than many of my friends and colleagues. Life seen through this lens creates space for holding gratitude for what is here and now and also promotes reflecting on the legacy we want to leave. Each of us, through our work and our choices, leaves a trail behind us. I want all our staff, including myself, to focus on creating a trail of positive effort behind us. One that truly promotes the kind of security we aim for, the kind of security that the word itself is rooted in – the Latin word securus, “free from care”. In my mind, that comes not from carefree neglect but from handling one’s business.