Presidio: managing migration risk

Presidio: managing migration risk

We talk to the Chief Information Security Officer (CISO) of Presidio, a role we have seen evolve rapidly as cyber attacks have grown in number and seve...

In the words of Gartner, “Many security teams have overinvested in a plethora of tools. As a result, they are also suffering from alert fatigue and multiple console complexity and facing the challenges in recruiting and retaining security operations analysts with the right set of skills and expertise to effectively use all those tools.” Facing this dilemma is the stock-in-trade of Presidio, through its full life cycle model of professional, managed, and support services including strategy, consulting, implementation and design – and above all security. 

The company has demonstrated its expertise in helping customers design, architect, build, migrate and manage their workloads by building close partnerships with all the major infrastructure and cloud providers - including Microsoft, Google, Palo Alto, Red Hat and IBM - and in February 2021 achieved Premier Partner status within the AWS partner network. In the last year Presidio has brought into its portfolio two companies that extend both its global reach and its full-stack capability. Coda adds software development and coding abilities the company didn't have before, while Dublin-based Arkphire brings access to wider global markets.

However, alongside infrastructure delivery, Presidio has developed unique expertise around cloud, collaboration and crucially cybersecurity. The level of threat has rocketed this century as new ways of using, accessing, and storing data are adopted and vulnerabilities proliferate. “We are able not only to help companies transition and transfer their workloads to the cloud, but also we can effectively enable them to secure those workloads,” says Dave Trader, who has been Presidio's Cybersecurity Practice Lead since the beginning of 2019, and global Field CISO since January 2021. He is one of the industry's leading security experts with 20 years' experience, including eight years with the Marines specializing in critical military security and communications, and most recently Chief Information Security Officer at GalaxE Solutions. He's also a graduate of the FBI CISO Academy, one of fewer than 200 since the program was inaugurated in 2015.

Since early 2020 the market has seen a rush to migrate to the cloud. “We are trying to get applications closer to the user, which raises issues around latency and security concerns about the right way to achieve that as the workforce moves from office to home,” says Trader. “We have moved from 'cloud first' to 'cloud right'. We start with an evaluation so that we can advise as to whether cloud is really best for this client and if so in what configuration.” 

Intrinsic Security and vSOC

Security can't be an add-on anymore. Security baked into everything from code to the DevSecOps space right through to deployment at the edge is what Dave Trader calls intrinsic security. “AWS is a good example of that in the cloud space. We believe that security has to be in the process every step of the way as we test the environment and look for gaps and vulnerabilities that we can exploit.” His team rigorously looks for cracks in the clients' systems, then makes sure they are all sealed.

Since his arrival Trader has made a point of highlighting certain key services. “I've really tried to double down on our virtual security operations center (vSOC) services and bring those forward.” A vSOC, he explains, is an outsourced, comprehensive, round-the-clock data monitoring solution that enables a company to identify threats as they arise. “We saw a gap in the market where we found companies building their own SOC. That can work for a while for companies but ends up enveloping their entire team as the vulnerabilities overwhelm them. They were looking for some help and we saw an opportunity to bring in our expertise and promote internal enterprise security teams so they can handle major events, while we are at hand to deal with the day-to-day events and protect their environment. We have been able to build a great practice around that.”

Traditionally, security events have been viewed through aggregating or logging programs like Palo Alto's Prisma, he explains. “When those logs and events come in they typically go to a security center dashboard or platform, but we now see clients getting overwhelmed with a host of lower level alerts. They'd never be able to hire enough analysts to cope with the onslaught of events. That's why our managed service component utilizes automation to the hilt to combat the problem of alert fatigue. We are doing that very successfully with the help of partners like Palo Alto and others, fighting automated attacks with our own machine learning defenses: our team here at Presidio has built a first class offering and a first class vSOC service.” 

Another benefit for Presidio's vSOC is its portability. Clients can stay with platforms they have in place – automation enables the solution to run without the end user noticing any change. “Customers tell us they had no idea that level of automation was even possible and are really enjoying the insights and outputs they are getting through being able to leverage the automation we have baked in through APIs.” 

Covid opportunities and challenges

In March 2020 Presidio saw a freeze on travel and has since worked mainly from home. “Generally, about 70% of people now work entirely from home,” says Trader. “That brings with it a lot of security concerns, for example shadow IT. We saw VPN licensing go through the roof. The home network may be insecure, and once it is connected to the office network, others using a shared device may be downloading malware through games or social media. Cybercriminals look for their chance, well aware of the wormholes that can open up this way.”

The secure access service edge (SASE) is made front and center of his conversations with clients. “Latency became a problem. We had engineering companies and architects that were spending six or seven hours downloading blueprints they were working on at home, rather than the secure networks they had in the office. That placed a focus on identity access management and real-time assessment of the end user at the end-point. That is why identity is so important: the perimeter has shifted!”

Addressing the end-point required user and entity behavior analytics (UEBA), a process of gathering insight into the network events that users generate every day. It can pick up the 'impossible traveler' where a user appears to interact with the same resource from two different locations but could not possibly have made that trip in that time. “We'd have to ask that user to add another layer of validation, and we are seeing companies adopt that, which is very encouraging,” says Trader. One of Presidio's main partners Cisco has a gold standard UEBA solution in DUO, which is scalable, easy and inexpensive to set up. “I see DUO becoming integrated with identity access planning at many enterprises and it is really working out well.”

COVID-19 has proved that a dispersed workforce can work as well as a concentrated one, so this is likely to become a permanent change. However, in most cases people are working on systems that the company does not own or control so what used to be called BYOD has morphed into MDM, or mobile device management. This enables IT departments to secure, monitor, and manage end-user mobile devices from smartphones, tablets, laptops, and even IoT devices. “Nevertheless, I'd say that 70% of companies are not doing validation on their employees' devices ahead of time, so these systems may not have antivirus and we are seeing compromised systems being allowed into enterprises,” cautions Trader. “Hacking organizations are aware of this and I have seen them purposefully seeking out these back doors to the enterprise networks. I have also seen an uptick since November 2020 of hacking organizations doubling down on ransomware in almost every vertical.”

Prevention better than cure

The problem is very serious: Trader is getting around four calls a week from major companies under attack despite taking reasonable care. “We are helping companies recover and step through triage, getting them stabilized and moving them through into recovery. But I have also seen companies where up to 50% of their network is scorched earth, irrecoverable. A situation like that is an existential threat for a business. But I am trying to have more conversations on the proactive side so that firefighting is not needed. But even if you do everything I would prescribe as best practice it doesn't mean that a state-sponsored entity won't be able to breach your defenses with some kind of ransomware or other form of cyber-attack.” 

This may seem bleak, but Presidio and its partner ecosystem have the best minds in cybersecurity focused on staying ahead in this war. “In 2021,” he says, “ransomware will pick up, so our trusted advisor position will become even more relevant. Many more companies are hiring CISOs, and their conversations are going direct to the board. I have been doing presentations at the board level to give them a perspective on cyber threats and best practice solutions. My message is that this mountain is not insurmountable. If you get the fundamentals right and follow best practice you can prevent the majority of the issues that are happening all around the world. We are doubling down this year on the advisory services our vSOC and MDR+ services that are coming to the market this summer.”

Partnership, and cooperation

In the war against cyber attackers, alliances become vital. “I rely heavily on what our partners bring to the table,” insists Dave Trader. “We work with tremendous partners, depending on their specific specialty. Palo Alto and Cisco are always our number one and two partners across the board. They do a great job full stack, and they have solutions around everything we have talked about today.” 

Cisco is working on SecureX, an open, cloud-native platform that connects Cisco's integrated security portfolio with those of customers for a simpler, more consistent experience across endpoints, cloud, network, and applications. “SecureX will be the hub joining the spokes of all Cisco's security products and that is really working out well. We engage well with them because so many customers leverage the full portfolio of services they have.”

For the rest, he is guided by his customer. “When we go into a customer's environment and ask them to lay out the controls they have in place to protect themselves, I am actively listening for over a dozen key areas.” Basically, he follows the NIST-CSF governance controls, and as he goes through those domains, customers tell him which solutions they prefer and have adopted. “I routinely find they have covered most of the best practice controls, but I introduce some partners they may not have considered.”

He always starts with the data. “With the edge dissolving if you don't have a good handle on who is accessing your data, when, where and how, you can quickly lose your grip on it. Varonis is a good example because they really understand how the data is encrypted, how it lives and breathes and traverses the network.” If we start with the data, we know what we’re protecting. If we secure the data properly and absolutely, we have less risk when an intruder does get into the network. Varonis provides outstanding visibility to that data and helps us understand the level of security needed.

  1. To address internet response issues, another partner he might suggest would be CyberDefenses. “I have done at least a dozen engagements with this team. They bring rigor to the security response, bringing in forensics, knowing how to run triage then move on through stabilization to recovery. They can find out not only how the target was compromised but what was taken and what this event looks like from a governance risk and compliance perspective.”

Many attacks get through because the alert was missed or not actioned. To prevent that he has found Arctic Wolf an important ally for its (SIEM) offering. “From a concierge perspective my customers feel that Arctic Wolf has a handle on everything they do.” Though at first glance some of these services may seem to compete with Presidio's in-house portfolio, he believes there is no such thing as one size fits all. “Where I can I always lead with Presidio's services, but we need to bring in partners at every stage.” AWN does a fantastic job in helping our customers build SOC playbooks that are relevant while also leveraging automation. They are a tremendous partner of ours and they do great work.

One problem facing the end user may be different dashboards that complicate authentication. To overcome this, he has found Okta a big help in managing secure user authentication, while allowing developers to build identity controls into applications, website web services and devices. “In practice I may have different options to suggest. I feel that IAM (Identity Access Management) is a cornerstone for so many broader security methodologies like Zero Trust, SASE, and others. Okta does a great job helping with IAM at every level from CASB through MFA. I have many larger enterprise companies that utilize Okta as their primary identity partner and they are incredibly happy with the versatility.”

These partners and many others are bringing in new applications and services all the time, so here Presidio's strength is knowing exactly what is in development. This work will continue, he promises. “My team is going to continue to grow: we are hiring across the country and across the world and we are going to continue to be able to support our customers in every region. I see monumental opportunities in what our security practice can accomplish in 2021.”