An Insider’s Look at Security, Identity and Compliance Edgile

What are the greatest areas of risk in your organization and how can you effectively manage them amid constantly evolving regulations? Join David Wilson, ServiceNow Global Area VP, and Hunter Freeman, Senior Manager at Edgile, in this Innovation Today podcast about how there’s never been a more important time to think about risk, its impact on operations, and how it’s all part of a broader business strategy.

New podcast hosted by Edgile expert Brad Smith, where we discuss the one trait shared by today’s attackers and enterprise CISOs: both are leveraging AI’s Machine Learning (ML) to either attack better or defend better. Both sides are collecting as much information and telemetry as they possibly can and then aggregating it in such volume that they can derive patterns of vulnerability.

Today’s attackers and enterprise CISOs share one trait: both are leveraging AI’s Machine Learning (ML) to either attack better or defend better. Both sides are collecting as much information and telemetry as they possibly can and then aggregating it in such volume that they can derive patterns of vulnerability.

This doesn’t merely mean getting better tools. Sometimes, it’s merely a matter of looking at existing tools differently and then leveraging them better. One good example is how Microsoft came up with Azure Sentinel.

It started when Microsoft started to aggressively embrace the cloud in a wide range of ways. Its challenge: How will it defend one of the single largest global infrastructures that has ever been created by mankind, namely the Microsoft global network and all of the data centers that it hosts in almost every country in the world. With that infrastructure, Microsoft had to develop tooling to be able to consolidate a massive volume of information and to able to extract patterns for operationalization and security from that data, with enough velocity to be able to act on it.

The tooling that ended up being created for their own operations and security teams became a product known as Azure Sentinel. It didn’t start out as product development. Microsoft is an organization that is fundamentally sharing liability with their customers around trying to defend the data systems and information systems that are critical to businesses, economies and governments globally.

Microsoft is using those same set of innovations and tool developments and then offering them back to the customers as part of tools like Azure Sentinel to be able to deliver that large-scale data aggregation. It’s not a SIEM. More precisely, it’s a lot more than a SIEM. It’s technically sold as a SIEM and messaged to the market as a SIEM product. It obviously can function as a SIEM, but that’s just one use-case. It’s a massive telemetry data lake that allows you to pull that information together, to be able to retain it for as long as you possibly can in order to ensure that that which is being recorded in the telemetry, that which is being aggregated over time, that which is so critical to being able to do that pattern detection that drives machine learning drives, is available and that you can extract that signal from the noise.

A lot of the focus we have with our clients is lead by our experience with the tooling and our broader perspective on what one can do with Azure Sentinel.

Cybersecurity has always been–and likely will always be–an incredibly fast-moving arena, where the behaviors of the attackers and the best defense tactics of enterprises are constantly changing. Sometimes, defense mechanisms that were absolutely appropriate just a year ago suddenly are undermining defenses rather than strengthening them. To a certain extent, the signal-to-noise-ratio approach is a good example of where change is needed.

The issue is that much of what appears to be noise today might actually become high-quality signal tomorrow. Not only are SOCs not retaining enough information today, but they are not not retaining the data that they choose to save nearly long enough. Fortunately, the need to discard seemingly irrelevant data is much lower today, thanks mostly to the cloud.

Historically, data storage has been costly. That drove security and IT operations to limit their spend to only data that was seen as critically important. Many enterprises have systems in place to purge necessary telemetry that they didn’t realize they needed. With cloud having driven data storage costs way down, there is much less of a need to quickly delete data. And today, there is a need to be able to analyze signals in new ways.

The systems themselves today are producing more data and that trend is only going to continue. What enterprises need to do is learn the lessons of big data, machine learning and overall AI development. If you’re talking about solving this problem with your on-prem infrastructure, you’re solving the wrong problem. The cost of storage has gotten down to the point where it’s almost irrelevant.

The threats that we’re encountering are no longer typically representative of Zero Day Layer 1 through Layer 4 threat detections. The adversaries aren’t penetrating our systems at scale to drive that three trillion dollar global dark market around ransomware and identity theft. They’re not doing that by coming up with clever ways of decrypting packet traffic. They’re not doing that by finding individual penetrations with firewalls. Those individual vulnerabilities that come up represent only minute steps in what the actual emergent threat is. 

Attackers now adapt and agilely seek vulnerabilities between governance boundaries. And they are doing that at Layer 7 and Layer 8. They are manipulating human behavior and system behavior, application behavior and exploiting those behaviors by looking at them in aggregate. In order to be able to defend against such a thing, we have to be able to look at it in aggregate as well. That is a machine learning function. It’s not about reducing the telemetry until a human can analyze it. It’s about increasing telemetry so that you can train a machine to detect it.

A data lake is a critical part of the threat analysis process, but CISOs sometimes do not appreciate its role. A lot of the emergent threats like supply chain vector attacks, human behavior manipulation or compromise are exploiting unmonitored activities or activities that, in all other historical contexts, seem totally normal and follow expected behavioral patterns. In order to be able to understand how those interact, you need to store the data in its raw original source schema. The purpose of a data lake is to be able to store the original state of the information, with the original properties and the original metadata that was part of that transaction that was recorded. You are then able to derive its lifecycle, such as “this thing changed this number of times because of X.” You have to retain that raw in its original schemas so that you can start building inference models and data models across those different schemas to understand the differences and the changes that are happening. This helps identify patterns that you weren’t seeing in the information before.

With accelerated reliance on third party vendors, partners, supply chains and external digital services, managing user access is getting harder. If you’re looking to securely manage identities with efficient automated functionality, you need a proven Identity Governance and Administration (IGA) platform in the cloud.

In this podcast, David Brockmyer, Director of Cyber Operations at VSP Global, discusses how Edgile helped VSP establish an IGA system that integrates SailPoint IdentityNow with Microsoft Active Directory.

Automating for efficient management and improved compliance
“Our access reviews and certification campaigns were being done manually with spreadsheets,” notes Brockmyer. “Edgile’s SailPoint implementation automated these business processes, saving hundreds of hours of management time and making it much easier to prove compliance for auditors—a critical benefit in a regulated business like healthcare.”

About VSP Global
VSP Global is a doctor-governed company that exists to create value for members and opportunities for VSP network doctors. Their industry-leading businesses include VSP® Vision Care; Marchon® Eyewear Inc.; VSP Optics; Eyefinity®; VSP Retail; and VSP® Ventures.

About the host
Evan Schuman has tracked security and compliance for enterprise IT audiences since the late 1980s, having served as a columnist for Computerworld, eWEEK and CBSNews.com. He has also run editorial operations for IT media outlets tracking payments, retail and general technology issues. Evan lectures on security and compliance topics at Columbia University and New York University graduate schools and moderates webcasts for MIT Sloan Management and VentureBeat.

In this latest edition of An Insider’s Look At Security and Compliance hosted by Evan Schuman, Edgile’s Brian Rizman explains that in order to get board level budget buy-ins, CISOs need to first define the more strategic “whys” behind specific risk mitigation initiatives before focusing on the more technical and product oriented “whats” and “hows.” An accurate and dynamic risk register is critical as it ties back to risk mandates and help guide the “why” when lobbying for security funding.

Key Points


Keeping an accurate and updated risk register can help justify security budget requests.
An outdated or inaccurate risk register can give senior management a reason to cut security spending because the true risks aren’t apparent.
Edgile’s iGRC content library subscription service brings laws, regulations and risk frameworks into a common reporting and measuring mechanism that’s understandable and functional across the enterprise.
iGRC is a relatively small investment considering it lays the risk register foundations that drive security development and deployment.
CISOs need to be part of the conversations around how planned organizational changes may affect future risks.
As CISOs get more board level air time, they need to employ business-focused language that ties back to business value so management can support proper security funding.
Don’t wait for a big breach before taking strategic actions that identify critical risks.



About the Speaker

An experienced leader, Brian Rizman has been helping clients through complex technology, strategy and compliance challenges and opportunities for nearly twelve years. His most recent experience was in PwC’s Process, Risk, Controls, Security and Governance national practice, where he was responsible for leading the competency, team, solution strategy, client relationships and sales in the Southern California region.

About the Host

Evan Schuman has tracked security and compliance for enterprise IT audiences since the late 1980s, having served as a columnist for Computerworld, eWEEK and CBSNews.com. He has also run editorial operations for IT media outlets tracking payments, retail and general technology issues. Evan lectures on security and compliance topics at Columbia University and New York University graduate schools and moderates webcasts for MIT Sloan Management and VentureBeat.

The transition to digital is accelerating. And it’s causing the dynamics of Identity and Access Management to change rapidly.

In this podcast hosted by Evan Schuman, Edgile Managing Partner Lawrence Wolf talks about the shifts in thinking necessary for an organization’s leaders to reboot their IAM program.

Strategy-first approach

In the past, IAM was focused around IT infrastructure and technology products. Today, the focus is on a holistic vision around people, process, data and technology. “In this environment, you need to start with a strategy,” says Wolf. “I like to say you set your compass before you get in the boat so you know where you’re going within a multi-year program.”

About Larry Wolf

Larry Wolf has more than 30 years of industry experience including software development and consulting management. For the past 15 years, Larry has focused on identity and access management (IAM), governance and security. Prior to joining Edgile, he held partner and vice president roles at Capgemini, Ernst & Young, Fishnet/Optiv, Sun Microsystems and EMC. Larry has a degree in Business and Information Technology from the University of Cincinnati and is PMP certified.

About Evan Schuman

Evan Schuman has tracked security and compliance for enterprise IT audiences since the late 1980s, having served as a columnist for Computerworld, eWEEK and CBSNews.com. He has also run editorial operations for IT media outlets tracking payments, retail and general technology issues. Evan lectures on security and compliance topics at Columbia University and New York University graduate schools and moderates webcasts for MIT Sloan Management and VentureBeat.