GDIT Emerge

Palo Alto Networks’ CSO Rick Howard on DevSecOps and Cloud

Palo Alto Networks

What emerging technology has the most power to change the game in addressing government’s biggest challenges?

From my viewpoint, the collision of two recent technology trends has the biggest potential to address challenges faced by government IT and security leaders: DevOps and Cloud. DevOps is the idea that we automate our infrastructure, not just the applications that run our business. If you can do that, your deployment cycles are shorter, your maintenance updates are faster, and you are less prone to human error because you have automated everything.

If you are new to the subject, I recommend two books: “The Phoenix Project,” a novel that explains the DevOps philosophy, and “Site Reliability Engineering,” a technical discussion about how the Google engineers do DevOps. The Google book is mind blowing about the art of the possible and the Google team is so ahead of the rest of us, that the task seems daunting to everyone else. But fear not. The availability of cloud services from Amazon, Google, and Microsoft provide even the least advanced of us to begin the movement to a DevOps architecture. And if I can be so bold, it can be a movement to a DevSecOps architecture because with this philosophy, you automate the security controls right along with the rest of the infrastructure.

DevSecOps and Cloud deployments are the future and if you don’t have a pilot running yet, you should start immediately.

How does Palo Alto see this technology evolving over the next few years?

In terms of security, the prevention landscape has transitioned in the last ten years from devising security schemes to protect your perimeter and data centers, to protecting what I like to call data islands. In 2005, Cocnur became the first pure-play SaaS Provider followed immediately by Salesforce. In 2006, Amazon launched its Amazon Web Service product for IaaS workloads. Google and Microsoft soon followed with similar services. Sometime around 2014, it became acceptable for organizations to allow their employees to use their personal devices— laptops, pads, phones— for work. The point is that your organization’s data sits on these islands: behind the perimeter, in the data center, on our mobile devices, in SaaS applications, and in our IaaS workloads. It was hard enough to secure data when it was just behind the perimeter and in our data centers – we already had too many tools to manage. But with these extra data islands, and each of the respective vendors that service those islands saying that you should use their native security tools to secure the data, network defenders can’t consume one more security product.

The solution is to find a security vendor partner you trust that provides the same general prevention controls for all the data islands. In that way, you can deploy a single policy that applies to all data islands which provides prevention controls for all phases of the intrusion kill chain, generates compliance reporting for each space, and notifies you when you’ve made configuration errors in your deployed policy.

If you can find that vendor, your life becomes less complex and you might have a chance to prevent a material breach to your organization.

You know the saying “many hands make light work.” Why is collaboration among technology partners so important in addressing government’s toughest challenges? Can you share an example where you saw this in action?

Integration of security tools is perhaps the single greatest challenge to the network defender – especially for the government network defender who might not benefit from a deep set of resources that their commercial counterparts might benefit from. The practical impact is that when you buy a new security tool that does not integrate with the tools you’ve previously deployed, you’re adding another burden to your internal security team who already can’t keep up with the workload. The old best practices of vendor in depth and best of breed has gotten us to this untenable situation. I submit that the way out is to jettison those old best practices and adopt a new one: seek vendors that integrate themselves so that you don’t have to.

The best example of this is the Cyber Threat Alliance, which is an information sharing organization for security vendors. When Palo Alto Networks finds some new bad guy, we can deploy multiple prevention controls down the intrusion kill chain to counter it to our 70,000 customers in five minutes.

The other members of the Alliance have a similar capability. If you’ve deployed one or more of the Alliance vendors security kit to protect your organization, you are likely to be automatically updated with the latest threat intelligence and corresponding prevention controls within minutes to hours. That means your staff is free to do other things. They don’t have to read alerts and sift through SIEM logic to decide to protect their organization. This is integration and orchestration at its best. The question you must ask is this: if you are buying security kit from vendors who don’t belong to the Cyber Threat Alliance, why?

Continue the conversation and hear more from Palo Alto Networks’ CSO Rick Howard during the “Adaptive Response to Cyber Automation” session at GDIT Emerge on April 23. Register today.