
Stairwell's Mike Wiacek on how to win friends and influence (IT) people
A
Hello, everyone. This is Tom Uren. I'm here with another Risky Business News sponsor interview, and today I have with me Mike Wiacek. G'day, Mike. How are you?
B
Good, how are you?
A
I'm good. Mike is the CEO and founder of Stairwell. Stairwell makes a file analysis platform that sucks up all the potentially risky files that you specify and slices and dices and analyzes them so that you can detect malware and potentially malicious stuff in your network. So today we thought we'd talk about bringing IT teams along for the journey when you're selling security products. So how would you describe the dynamic, Mike, between IT teams and security teams?
B
I mean, I think it's different organization by organization. Right. The power that exists varies, but the most consistent case is that the security team, while responsible for controls and securing machines, ultimately is beholden to what the IT team is willing to deploy. And so any new security software ends up costing political capital, if you will, with the IT team or the administrators to actually get that rolled out. And, you know, I think there's a bit of a bloat, there's a sense of agent fatigue on a lot of systems because when you go to a big company, they'll tell you openly, you know, we have 14 different security agents on every laptop, and that's a bit crazy to think about of how you get in that hole. So I understand the IT team thinking about stability and so forth. They would love to simplify it, but that is definitely a challenge that exists out there.
A
So would you describe that as a fight, or would you describe that as, you know, you have to win an argument to get a piece of security software installed, but that's the challenge that security teams face. So how do you overcome that?
B
Yeah, I think by argument implies a sense of adversarial nature between the parties. I think the important thing to always think about is that you're all on the same side. The security team wants to. Wants to keep data safe. They want to keep the machines operating with a high level of integrity. The IT team is focused on stability, the management, the sustainability of what the overhead and footprint of all of the various tools are on a particular system. So everyone's trying to do the right thing. They may have different local objectives in terms of security as the security person's primary purview and general manageability of the whole thing is the IT team's purview. I don't think it's a good idea to view it as adversarial. And that nature, I actually think it's a win-win. I think the key thing that we've learned at Stairwell is to approach this in a way that the IT team gets value out of a solution and the security team gets value out of a solution. And when you can get that from both of them, then you actually can kind of overcome some of those hurdles and challenges that people get faced with when it's a. I want this for me that no one wins with that.
A
So the problem I see there is how do you demonstrate that you're going to give something to the IT team when you don't have that product installed? What's the sort of approach there that you guys take or you found successful? I guess over time.
B
I think it's always helpful that, you know, when we talk with companies like, I would always welcome the opportunity to talk to a representative from the IT team and the security team together. You have to understand what are the challenges that the IT team is facing in any one particular company and then really try and sit down and figure out how does what I offer provide value to them and to the security team.
A
Is it common that they would be in those kind of initial. Are they sales meetings?
B
Yeah, I don't think initially. I think initially you're probably talking with someone in a security team like aspect a SOC manager, detection, engineering, incident response lead. Very rarely you would talk directly to a CISO on the first call. I think the nice thing to do would be like try and loop them in. My goal is to try and make the IT team an ally of what Stairwell provides for the security team and also show them how they can leverage this data as well. When you take a look at Stairwell, like I say, we solve it as a data search problem, which is collecting data, storing it, analyzing, reanalyzing and serving it. That fundamental approach in the data that we collect enables a lot of really interesting IT use cases that were not immediately apparent even to us. It's actually as we started working with more companies and customers that we realized we could help them with this. So an example would be if we collect all of the executable files from every machine in the fleet, we know the version numbers for all of that. We have all that data there. So we could actually go over to the people doing patch management and making sure all the upgrades are installed and say, hey, these set of computers here have a copy of Foobar DLL that's lower than the average machine's high watermark version number and we can point that stuff out. I don't need to go over and query the machines and like put load on them because we're collecting all those files and we do all this processing in the cloud. It allows you to get instant visibility into anything like that. On the flip side, in the vulnerability management space, even now, it depends upon if that's the security team or the IT team. 
But when regreSSHion, the OpenSSH regreSSHion bug hit in, I think it was in July of this year, we were able to write a YARA rule to look for not malware or bad stuff, but look for the vulnerable versions of sshd, deploy it, and then notify all of our customers when they had files that matched versions of sshd that were on machines that were vulnerable to that particular attack. And so instead, no network port scans. One financial institution we work with, they were kind of a little bit weirded out because we were able to tell them that a machine that was powered off had vulnerable software on it. And they were like, how? I'm like, remember we're collecting all the files in advance? And they were like, oh, wow, that's actually really useful. And so when you start thinking about it, the value of the data set that you have is really, you know, in my mind, it's only limited by the imagination that we have to actually see the use cases that can exist. We can definitely find low prevalent suspicious files and malicious things of that nature. But what's not malicious, that's also of concern. You know, having general ability to search makes that really easy.
A
Right. So that sounds like you've been on a bit of a journey in the sense that here are these use cases that you didn't even realize were a thing. And so if there was a recommendation you have for a new cybersecurity startup, you know, relating to bringing IT teams on board, what would the, what would that be?
B
I think the obvious one. You know, it might seem counterintuitive, but go talk to IT managers or CIOs if you can get time with them and understand what their priorities and concerns are.
A
Is that a common, Is that a common thing right now, or is that something you go out of your way to do nowadays?
B
I would always go talk to like, you know, before Stairwell, I always go talk to the security teams and, you know, test and validate ideas and theories and features that we can offer. Over time, I've gotten much more in tune with wanting to go talk to the IT team as well. Just so I understand what their roadmap and their objectives are. I need to reverse pattern match, right? I think the worst thing I can do is go in there and say, like, these are the three things we do and if that doesn't match them, I'm going to have this uphill battle. And like, my goal is to try and find win-win situations across the board. Like, how do I enable IT and security simultaneously? I always tell people, Stairwell actually stands for Security Operations, Threat Analysis, Incident response, Done well. And the idea was always to provide. It's a silly company name, I get it. But I wanted something that was memorable. And it's trying to show that, you know, a lot of the same tools and capabilities you're going to use across those three security functional areas are actually the same. What happens is they happen at different points of the kill chain. One's early, one's mid, one's late. But a lot of the capabilities, if you centralize them, can empower all three of those teams or can just empower one of those teams. And that's actually really exciting. And so now the thing is, how do I introduce the IT team into that as well? Because I think we have value there too.
A
To me, that sounds like you've learned something over a long time. Was there any point in time where you had like a light bulb moment, something that happened in terms of a sales cycle where you went, ah, if only I'd talk to the IT team, or conversely, you went talking to the IT team really made the difference?
B
Yeah, in a couple of cases. So early on, one of the first companies we were speaking with years ago at Stairwell, it was the story I told you earlier. Like, the security team was all on board. They loved this. And once they actually realized they had to install software, it just kind of fell apart because they were like, well, we don't have any friends in IT right now. And it's amazing to me that that's what happens in an organization. Right. But it's like I had the privilege of before Stairwell and Chronicle. I was at Google for over a decade, and Google was much more engineering driven in terms of give me the engineering argument that we should do this. And then if you had a good one, it would usually just happen. And so there was not too much of an adversarial nature between the security team and what you would consider IT. There's actually a very symbiotic approach of like, how do I help you do better and how do we help you do better? And that I probably took for granted as being much more normal. And I think what I've learned over time is, no, it's not. It's much more of a "these guys are bothering me again." And I'm just trying to figure out like, how do you come in there and be an ambassador of stability? Right? Because that's what security at the end of the day, if you're secure, you're going to have stable systems. That's what I tease after. And so it's like, how do I speak their language and their language and bring these folks together because they are all on the same team. And I think that's one of the most important things to remember. Organizational politics often end up feeling like they're zero sum games. And that's one of the most challenging things to overcome in any big enterprise. The other case that I would even bring up would be the regreSSHion thing. There was some internal debate about should we go over and tell people where they might have this vulnerable version of sshd? And the argument was, well, we should tell them if they're exploited.
And I'm like, well, we should definitely tell them that they have a potential for exploitation, because that's good. And you know, it was a quick two minute conversation, but we very quickly were like, no, we should go tell them this. There's like a lot of value there.
A
So what was the concern? Why wouldn't you tell them?
B
I guess I think the thought process from the person who said this was more in line of like, people buy Stairwell to find malware, right. And we're not telling them about malware. So.
A
And so this is extending the, I guess, implicit contract in a way that may be surprising or unexpected to the customer.
B
Exactly. And I'm like, I sit there and I put on, you know, co-founder Chronicle, I had the chief security officer hat and it's like, there is not a way or measure of reason in the world I would not want to know. I actually have live network connected vulnerable software here, here, here and here. Like I would want to know that. I want to make sure I get that cleaned up. And if you're telling me that with false positives or, you know, a high degree of uncertainty, then I might not be happy about it. But no, we were actually saying the file user bin SSHD on this Ubuntu machine with this hash is vulnerable. And that was 100% hit rate. That is where that became like really kind of interesting. And that's where we actually started realizing like, no, there's actually value here in talking to IT teams as much as possible. Because like, I think the goal is to try and help raise the tide. And not just for the SOC, not just for the incident response team, not just for detection engineering. But like, how do we raise the tide for IT security in general? Like, how do we make every organization a much harder target? Because at the end of the day, I will tell people security most of the time, all the time, most of the time is a hygiene problem. And people don't want to hear that too often. Right. They want the magic bullet. You know, I want the magic vaccine which will protect me from the things and have no side effects and be free and this and this and this. And the answer to a lot of it really comes down to I need to make sure my patches are installed. I need to make sure software is configured properly. That doesn't keep me safe from, you know, Stuxnet or Duqu showing up in my backyard, but it will stop a lot of stuff. And now the question is, how do we go make sure we find the other stuff when it shows up?
A
Mike Wiacek, CEO and founder of Stairwell. Thanks a lot.
B
Thank you.
Risky Business News - Episode Summary: Sponsored: Breaking the Deadlock Between IT and Security Teams
Introduction
In this episode of Risky Business News, host Tom Uren engages in an insightful conversation with Mike Wiacek, the CEO and founder of Stairwell. Stairwell specializes in a file analysis platform designed to detect malware and potentially malicious files within enterprise networks. The focal point of their discussion centers on bridging the often strained relationship between IT and security teams within organizations, exploring strategies to foster collaboration and mutual understanding.
Understanding the IT and Security Teams Dynamic
Tom opens the discussion by inquiring about the typical dynamics between IT and security teams. Mike provides a nuanced perspective:
“The security team, while responsible for controls and securing machines, ultimately is beholden to what the IT team is willing to deploy. Any new security software ends up costing political capital with the IT team or the administrators to actually get that rolled out.”
— Mike Wiacek, [00:51]
Mike highlights a common challenge: security teams often introduce tools that require IT teams to allocate resources for deployment. This can lead to "agent fatigue," where IT teams are overwhelmed by the multitude of security agents running on each device, potentially impacting system stability.
Overcoming Adversarial Perceptions
Addressing whether the relationship between IT and security teams is adversarial, Mike emphasizes a collaborative mindset:
“You're all on the same side. The security team wants to keep data safe... The IT team is focused on stability... I don't think it's a good idea to view it as adversarial.”
— Mike Wiacek, [02:04]
He advocates for viewing IT and security as partners with aligned goals—security ensuring data integrity and IT maintaining system stability. This unified approach can transform potential conflicts into win-win scenarios, where both teams derive value from new security solutions.
Demonstrating Mutual Value
Tom probes into how security solutions can demonstrate value to IT teams even before installation. Mike shares Stairwell's strategy:
“We solve it as a data search problem... This allows you to get instant visibility into anything like that.”
— Mike Wiacek, [03:36]
Stairwell’s platform collects and analyzes data centrally, enabling various use cases that appeal to both IT and security teams. For instance, by aggregating executable files and their versions across the network, Stairwell can inform IT teams about outdated software versions, facilitating proactive patch management without overburdening system resources.
Engaging IT Teams Early in the Sales Process
Discussing best practices for cybersecurity startups, Mike advises:
“Go talk to IT managers or CIOs... understand what their priorities and concerns are.”
— Mike Wiacek, [07:15]
Stairwell's initial focus often lies with security team members, but Mike underscores the importance of involving IT teams early to ensure that solutions align with their objectives. This dual-focus approach ensures that security tools are not only effective but also seamlessly integrate into existing IT infrastructures.
Real-World Insights and Lessons Learned
Reflecting on his experiences, Mike shares pivotal moments that underscored the necessity of bridging IT and security:
“These guys are bothering me again. And I'm just trying to figure out like, how do you come in there and be an ambassador of stability.”
— Mike Wiacek, [09:11]
He recounts instances where security initiatives faltered due to a lack of IT collaboration and how proactive engagement with IT teams led to successful deployments. One notable example involved addressing a vulnerability in OpenSSH—a collaboration between IT and security was crucial in effectively communicating and mitigating the risk.
Extending Value Beyond Security
Mike elaborates on how Stairwell's platform uncovers additional value propositions beyond traditional security use cases:
“The value of the data set... is only limited by the imagination that we have to actually see the use cases that can exist.”
— Mike Wiacek, [04:07]
By centralizing data collection and analysis, Stairwell enables IT teams to leverage this information for diverse applications, such as patch management and vulnerability assessments. This multifaceted utility ensures that both IT and security teams find tangible benefits, fostering a collaborative environment.
Promoting Holistic Security Hygiene
Concluding the discussion, Mike emphasizes the importance of foundational security practices:
“Security most of the time, all the time, most of the time is a hygiene problem... I need to make sure my patches are installed.”
— Mike Wiacek, [11:44]
He asserts that while advanced threats like Stuxnet are significant, maintaining basic security hygiene—such as timely patching and proper software configurations—is paramount in mitigating a vast majority of risks. By ensuring these practices are upheld, organizations can significantly enhance their overall security posture.
Conclusion
Mike Wiacek's insights shed light on the intricate balance between IT and security teams within organizations. By advocating for collaborative strategies, mutual value creation, and a focus on security hygiene, Stairwell exemplifies how cybersecurity solutions can bridge departmental divides. This episode serves as a valuable guide for cybersecurity startups and organizations aiming to harmonize their IT and security efforts, ultimately fostering a more secure and resilient infrastructure.
This comprehensive summary encapsulates the key discussions, insights, and practical recommendations shared by Mike Wiacek, providing valuable takeaways for listeners interested in enhancing collaboration between IT and security teams within their organizations.