Bharath Vasudevan of Alert Logic: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

An Interview With Jason Remillard

Jason Remillard
Authority Magazine


As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Bharath Vasudevan.

Bharath Vasudevan is Vice President, Product Marketing at Alert Logic. His organization is responsible for the go-to-market strategy of Alert Logic’s offerings and technical marketing efforts. In addition to this, his team leads Alert Logic’s customer advocacy programs. Prior to Alert Logic, Bharath held leadership roles at Forcepoint (a subsidiary of Raytheon), Hewlett Packard Enterprise and Dell Technologies across engineering, product marketing, product management, business development, and technology partnerships. In his 20 years in the IT industry, Bharath has been very active in intellectual property programs and has received 13 patents from the USPTO covering both hardware and software designs. He holds a bachelor’s degree and a master of science in electrical and computer engineering from Carnegie Mellon University.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in central Florida, in the shadow of the space center, during the height of the space shuttle era. Growing up and watching feats of engineering and science on a daily basis definitely pointed me toward a career rooted in STEM.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

My foray into cybersecurity came from an interest in data protection. I initially focused on backup, recovery and archiving, and designed high availability systems focused on uptime. I have a couple of patents covering these types of technologies. With this perspective, I saw cybersecurity as not only keeping the bad guys out, but also keeping the good stuff in. Data protection was my bridge into this space.

Can you share the most interesting story that happened to you since you began this fascinating career?

I was talking to a security leader for a Fortune 500 company that was experiencing some challenges with their data center infrastructure in China. The company recently learned they were in a colocation facility and urgently needed to move data into their own facility to ensure that the data couldn’t be sniffed and taken by local authorities.

As the security leader started describing to me what they were intending to do, combining physical security, disaster recovery schemes and cybersecurity, I asked him, “Are you buying time in order to initiate a self-destruct sequence and you are trying to salvage as much data as possible?” In a semi-stunned manner, he responded affirmatively and asked how I figured it out. My imagination had kicked into high gear and what he was describing sounded like a spy novel. It’s really strange when real life starts to mimic fiction.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

There are a handful of people that have helped me throughout my career, and they all have one thing in common. I’ve found that there is strength in interpersonal relationships built by continual networking. Fostering relationships led certain individuals to take a chance on me to do new jobs that I was not uniquely qualified to perform. This is what facilitated my move from pure engineering to product management, then later a move from traditional IT into cybersecurity.

Are you working on any exciting new projects now? How do you think that will help people?

Almost all of our customers are outcome driven. While there is much talk about preventing breaches, the majority of an analyst’s job is spent performing investigations that ultimately do not result in identifying a breach. We are currently working on a project where we’re automating response actions. Ideally these will automate actions that are directly tied to preventing, containing, or mitigating a breach. A secondary benefit will be an automated response for lower severity or non-critical issues. This allows security teams to focus on issues that matter as the volume of ‘noise’ can be safely filtered. We’re even creating a human-assisted interim phase between fully manual and fully automated to give organizations an additional layer of oversight before going fully automated.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Find an outlet. It can be creative like baking or drawing; it can be sports like biking or tennis; or it can be as simple as playing video games or getting away for a weekend. If you are filling up your day with happiness outside of your job, then you are preventing burning out.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

  1. Efficiency: With the ever-present talent shortage, advancements in the industry are all about making analysts more efficient. We can make things easier for analysts and organizations, whether it’s providing peace of mind that someone else ‘has their back,’ making it easy for them to access a report or dashboard, or prioritizing their workload by identifying the most bang-for-the-buck activities. In many ways, cybersecurity is like insurance, but with the added benefit that it can also prevent the accident — having an effective solution in place makes day-to-day operations run more smoothly.
  2. Achieving scale through analytics, automation, and orchestration: Cybersecurity is moving from Human Speed to Machine Speed, but not entirely ditching the human element. It’s exciting to see how the industry can selectively and surgically apply human intellect and instinct where it can make the most impact.
  3. Ever-evolving: Bad actors are some of the most sophisticated organizations on the planet. It’s a game of cat-and-mouse. Whenever there’s an IT innovation that unlocks some efficiency, there’s a corresponding threat vector that can be exploited. We’ve spent some time redefining what good looks like — it’s not always if you fall down, but it’s how you get back up. Putting a focus on that part of the equation requires constant change to people, process, and technology. Being resilient requires evolution.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Companies need to prepare for commoditization of the ransomware economy and a rise of social-engineering-influenced phishing attacks.

Consider this — emergency patching protocols have been overlooked for the eternity of IT. There’s only so much a software tool or a managed service can do to highlight what needs to get done. The moment a vulnerability becomes public or a malicious link gets clicked, the clock starts for the masses of attackers — doors opening for malware deployment that can lead to ransomware. Proper patching protocols can help to prevent these holes and a proper detection plan can help lower the risk exposure.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

The best story about a cybersecurity breach that we fixed involved an upload to a code repository maintained in an S3 bucket. In hindsight, there were a series of process failures that resulted in the breach — and all of them seemed to get a spotlight shone on them at once.

During the initial test builds of code, the organization’s AWS credentials were hard-coded as a constant instead of prompting for the user’s input at runtime. That was never remedied as the code was pushed to the cloud-based shared repository. Now, the S3 bucket that was used to house all the code was also left ‘open.’ Adversaries are always performing recon and constantly scanning for changes. Within an hour of the code being pushed to the repository, loads of anomalous admin activity was taking place in the customer’s AWS environment.

Once it hit our radar, we immediately informed the customer and explained that they needed to change their AWS password NOW. We were actually surprised that this stopped the attack. Once the attack had been blunted, we went back to ensure that it was caught quickly enough such that nothing malicious had been deployed. This organization got lucky because this turned out to be someone out having fun rather than a more organized operation.

One other thing that came from this was that the customer implemented MFA. It was something that was on their security roadmap, but this incident highlighted the need to accelerate the deployment.
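The process failure in the story above, credentials committed as constants and pushed to a shared repository, is one that a pre-push check can catch. The following scanner is an added example, not Alert Logic's tooling or the customer's code; the sample source it scans is constructed and uses the placeholder key values from AWS's own documentation.

```python
"""Scan source text for hard-coded AWS credentials before it leaves a developer's machine."""
import re
import sys
from pathlib import Path

# Long-term access key IDs start with AKIA; temporary (STS) ones start with ASIA.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret key is 40 base64-style characters. Only flag it when it is assigned to a
# variable whose name mentions a secret, to keep false positives down.
SECRET_ASSIGN_RE = re.compile(
    r"(?i)(aws_secret_access_key|secret_key|aws_secret)\s*[=:]\s*['\"]([A-Za-z0-9/+=]{40})['\"]"
)


def redact(value):
    """Keep only the first and last four characters so the report itself does not leak the key."""
    return value[:4] + "..." + value[-4:]


def scan_text(text, filename="<string>"):
    """Return a list of (filename, line_no, kind, redacted_value) findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((filename, line_no, "access_key_id", redact(m.group(0))))
        for m in SECRET_ASSIGN_RE.finditer(line):
            findings.append((filename, line_no, "secret_access_key", redact(m.group(2))))
    return findings


def scan_paths(paths):
    """Walk the given directories and scan every regular file."""
    findings = []
    for p in paths:
        for f in Path(p).rglob("*"):
            if f.is_file():
                findings.extend(scan_text(f.read_text(errors="ignore"), str(f)))
    return findings


# Constructed sample reproducing the mistake: the key hard-coded as a constant instead
# of being supplied at runtime. Values are the documented AWS placeholders, not real keys.
SAMPLE_SOURCE = '''
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
'''

if __name__ == "__main__":
    hits = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_SOURCE, "sample.py")
    for fname, line_no, kind, redacted in hits:
        print(f"{fname}:{line_no}: hard-coded {kind} {redacted}")
    sys.exit(1 if hits else 0)  # a non-zero exit blocks the push when used as a pre-push hook
```

Run with one or more directories as arguments to scan a checkout; with no arguments it scans the constructed sample and reports both constants.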

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

Personally, I spend the majority of my time in the Alert Logic console. While Alert Logic offers a managed detection and response service, this console provides me a lot of visibility to take stock of my current security posture. Across multiple compute environments (on-prem, AWS and Azure), the console provides me with a view of exposures and incidents in the form of easy-to-navigate dashboards. There is also a feature called the “threat risk index” that helps me prioritize where I should patch.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

For someone that doesn’t have a large team or can’t hire all the security talent they need, I recommend exploring a managed service. Off-the-shelf software and SaaS products are great if you’ve got a competent staff that can consume and act on the volume of information these tools generate. I do not think every organization has to have a CISO, but I do think there is a giant gap if someone on the team is not empowered to lead the security discussions. There needs to be a person within the organization who aligns with the goals of the CIO or head of IT. This person needs to know what needs to happen and is capable of sourcing the right talent, whether that’s a direct hire, a partner or from a managed security vendor.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

For general IT people who might not fully understand cybersecurity, here are four signs:

  1. When you know how things are supposed to act, it becomes easier to spot activity that ‘shouldn’t be happening’. Abnormally high CPU utilization or memory consumption during non-peak hours can be a red flag.
  2. Over-credentialed service accounts that are performing actions that are out of the norm are another sign of compromised activity.
  3. Check outbound firewall blocks, top 10 and bottom 5. If your firewall is blocking outbound requests from internal assets, something might be going wrong (configuration or security related).
  4. Look at inbox forwarding rules — seeing if they are getting forwarded to addresses outside your corporate domain.
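Signs 3 and 4 above can be turned into routine checks. The script below is an added example, not code from the interview or from Alert Logic; it assumes forwarding rules arrive as (mailbox, destination) pairs and firewall events as syslog-style lines carrying action=, src= and dst= fields, and all sample data is constructed.

```python
"""Flag mailbox forwarding to external domains and rank internal hosts by outbound firewall blocks."""
import ipaddress
import re
from collections import Counter

CORPORATE_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FW_LINE_RE = re.compile(r"action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)")


def external_forwarding(rules, corporate_domain=CORPORATE_DOMAIN):
    """Return the (mailbox, destination) rules whose destination is outside the corporate domain."""
    corp = corporate_domain.lower()
    flagged = []
    for mailbox, target in rules:
        domain = target.rsplit("@", 1)[-1].lower()
        if domain != corp and not domain.endswith("." + corp):
            flagged.append((mailbox, target))
    return flagged


def is_internal(ip):
    """True for RFC 1918 addresses, which is what 'internal asset' means here."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def outbound_block_ranking(log_lines, top=10, bottom=5):
    """Count outbound blocks per internal source and return the noisiest `top` and
    quietest `bottom` sources. The quiet end matters too: one blocked connection
    from a host that is normally silent is the odd one out."""
    counts = Counter()
    for line in log_lines:
        m = FW_LINE_RE.search(line)
        if not m or m.group("action") != "block":
            continue
        if is_internal(m.group("src")) and not is_internal(m.group("dst")):
            counts[m.group("src")] += 1
    noisiest = counts.most_common(top)
    quietest = sorted(counts.items(), key=lambda kv: kv[1])[:bottom]
    return noisiest, quietest


# Constructed samples; external addresses use documentation (TEST-NET) ranges.
SAMPLE_RULES = [
    ("alice@example.com", "alice.archive@example.com"),
    ("bob@example.com", "b0b.mail@gmail-example.net"),
    ("cfo@example.com", "finance-intake@example.com"),
]
SAMPLE_FW_LOG = [
    "2024-05-01T02:13:04Z fw1 action=block src=10.1.4.22 dst=203.0.113.9 dport=443",
    "2024-05-01T02:13:09Z fw1 action=block src=10.1.4.22 dst=203.0.113.9 dport=443",
    "2024-05-01T02:14:11Z fw1 action=block src=10.1.4.22 dst=203.0.113.10 dport=8443",
    "2024-05-01T02:20:00Z fw1 action=block src=10.1.9.7 dst=198.51.100.5 dport=443",
    "2024-05-01T02:21:30Z fw1 action=allow src=10.1.9.8 dst=198.51.100.5 dport=443",
    "2024-05-01T02:22:02Z fw1 action=block src=198.51.100.77 dst=10.1.9.8 dport=22",  # inbound, ignored
]

if __name__ == "__main__":
    print("external forwarding:", external_forwarding(SAMPLE_RULES))
    print("outbound blocks (top, bottom):", outbound_block_ranking(SAMPLE_FW_LOG))
```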

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

First and foremost: ensure the bleeding is stopped and then communicate honestly about what happened, what needs to happen immediately, and what steps are taking place to prevent it from happening in the future.

With the state of breaches today, it’s not going to come as a shock that an organization got breached, but being dishonest or trying to cover it up makes it much worse. Don’t let the coverup become worse than the incident. It’s important to run this through your organization’s crisis-comms process (or potentially create one if it’s not already in place).

How have recent privacy measures like the California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

We had to make a ton of changes to get ready for the initial GDPR readiness in May 2018. It made no sense for us to implement those changes for a subset of our customer base, so we rolled it out across our entire installed base. Now, when we have new localized regulations that ‘look and feel’ like GDPR, but for a different locale, it’s fairly straightforward to show the appropriate controls to demonstrate compliance.

What are the most common data security and cybersecurity mistakes you have seen companies make?

There’s only so much the best laid plans can protect you against. One vector that prevention tools really do not consider is “what if the threat originates within the organization itself?” I’m not suggesting that employees are malicious, but sometimes their forgetfulness or apathy can cause serious damage. Continuous training and security awareness can go a long way to keeping security top of mind and reduce the likelihood of these events.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

I have seen an uptick in errors, but I haven’t really seen a straightforward answer. The shift to a remote workforce during the pandemic has presented many well-documented challenges. A byproduct of this move is digital transformation acceleration — specifically cloud adoption. Expanding to the cloud means increasing an organization’s attack surface.

For many companies, this means a larger cloud footprint, but IT teams that have been in the cloud for years are now increasing the adoption of new compute models, leveraging containers and other serverless options like AWS Lambda and Fargate. This rise in the ‘depth’ of cloud adoption directly correlates to an increase in cloud-related exposures. Leveraging best-practice cloud deployment efforts, aided by tools like the CIS benchmarks, helps uncover the misconfigurations that lead to breaches. It’s more about being aware of this reality and proactively taking the right steps to reduce it.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

  1. Visibility is crucial. Do you have visibility everywhere you operate? Is your asset discovery comprehensive? Given the dynamic nature of modern cloud deployments, this assessment needs to be a continuous process. It’s impossible to be secure if you only have visibility to a portion of your IT estate. In the same vein, it’s easy to get lulled into a false sense of security because you’ve got the best possible protection tools covering a single vector. Unfortunately, your adversaries are all trying to evade your silos of protection when planning an attack and lacking visibility plays to their advantage.
  2. Understand that compliance regulations are fluid, and that new ones are being enacted all the time in the name of privacy and better data protection. It may also shift an organization’s investment priorities when they realize that the ones that apply may be changing or updated to address a different environment. Many different regions, countries, and locales are developing their own standards and it’s important from a governance, risk and compliance perspective to manage it. There’s no quicker way to get in trouble than failing an audit when all it took was a little diligence to stay on top of it.
  3. Have a patching program in place that’s tied off between your security and IT teams. This is really one of the ‘low hanging fruit’ actions that an organization can perform. However, given the cross-organizational planning and orchestration it requires, it’s often the one that’s overlooked. There has been a rise in ‘managed patching’ services to help assist with this. Consider this — when the Hafnium related vulnerabilities were made public, Microsoft almost immediately released the patch to close that exposure and prevent exploits. Weeks after the initial disclosure, the security community started reading about ransomware being deployed on unpatched systems.
  4. Embrace behavioral or pattern-based analytics and machine learning. This allows your security team to move from ‘analyst speed’ to ‘machine speed,’ unlocking an immense amount of scalability for your security teams. Throughout the pandemic, we have increased our use of analytics and machine learning. In doing so, we’ve been able to process far more of our customer data by leveraging the technology to separate the real incidents from false positives and general noise. We have also been able to manipulate that data to offer more insights for our customers, examples including changes in posture over time and peer group comparisons.
  5. If you operate in a model where you ‘Assume Breach,’ it’s important to have documented plans in place with clearly defined roles and responsibilities that can be quickly executed. Planning helps uncover a lot of holes. Whether it’s for a board or your boss, it is important to have a defensible plan addressing:
  • Pre-breach hardening: what are you doing to prevent security incidents?
  • Breach detection: what is your identification and containment plan in the event the prevention tools fail?
  • Post-breach recovery: how do you recover from a breach and communicate that to the outside world?

Having this guide or playbook and periodically testing it offers the benefit of not relying on real-time thinking in a crisis situation.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

In so many aspects of life, teamwork makes the dream work. When everyone is aware of a problem, everyone can be part of the solution. Cybersecurity is a team sport — IT and security need to be united against a common foe and collaboration is the name of the game.

How can our readers further follow your work online?

The majority of my team’s work is available on AlertLogic.com and the Alert Logic YouTube Channel. The team is constantly addressing different topics related to Managed Detection and Response including automation, orchestration, analytics, and cloud adoption. Everything we do is in service of two primary outcomes we drive for our customers: to reduce the likelihood of a breach and to limit the damage in the event of one.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
