Redefining CyberSecurity

Shaking Up the Security Information and Event Management Market | A Brand Story Conversation From RSA Conference 2024 | An Abstract Security Story with Colby DeRodeff | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Discover how Abstract Security is revolutionizing cybersecurity data management at the RSA Conference.

Episode Notes

In the bustling atmosphere of the RSA Conference, a conversation unfolded that shed light on the evolution of cybersecurity and the innovative solutions paving the way for a more efficient and effective approach to data management. Colby DeRodeff, the CEO and co-founder of Abstract Security, shared insights into the journey that led to the creation of a groundbreaking platform designed to transform the way organizations tackle data collection, analysis, and threat detection.

A Walk Down Memory Lane

The dialogue between Colby DeRodeff and Sean Martin at the RSA Conference delved into the history of cybersecurity, reflecting on the shifts from perimeter security to compliance-driven approaches and the emergence of new technologies like XDR. This introspective look highlighted the need for a paradigm shift in cybersecurity strategies to keep pace with the rapidly evolving threat landscape.

Challenges in Traditional Approaches

One of the key challenges discussed was the inefficiency of traditional SIEM solutions, which often resulted in data overload, lack of actionable insights, and hefty costs associated with data storage. Colby emphasized the importance of focusing on outcome-driven data collection and detection scenarios rather than accumulating vast amounts of data with limited value.

The Birth of Abstract Security

The catalyst for Abstract Security stemmed from Colby's experiences in previous companies, where the disconnect between data collection and effective threat detection became glaringly apparent. This realization led to the inception of a platform that prioritizes data relevance, streamlining the process of identifying and responding to security threats efficiently.

Abstract Security's Unique Approach

Abstract Security's modular platform offers a refreshing take on cybersecurity data management, with a focus on tailored data collection, analytics, and storage solutions. By enabling organizations to align data sources with specific detection outcomes, Abstract Security empowers teams to make informed decisions and optimize their cybersecurity strategies.

Seamless Integration with Existing Tech Stack

One of the standout features of Abstract Security is its seamless integration capabilities with existing tech stacks. The platform can complement and enhance current security infrastructure without the need for rip-and-replace, offering a smooth transition towards more effective threat detection and response mechanisms.

Looking Towards the Future

As organizations navigate the complexities of cloud environments and evolving cybersecurity challenges, Abstract Security stands out with fresh, innovative ideas and practicality. By reimagining the data management process and emphasizing outcome-driven approaches, Abstract Security is poised to shape the future of cybersecurity operations.

Conclusion

The conversation between Colby DeRodeff and Sean Martin at the RSA Conference not only highlighted the pivotal role of Abstract Security in revolutionizing cybersecurity data management but also underscored the importance of reevaluating traditional approaches in the face of modern threats. With Abstract Security leading the charge towards a more efficient and proactive cybersecurity landscape, organizations have the opportunity to elevate their security posture and stay ahead of emerging cyber risks.

Learn more about Abstract Security: https://itspm.ag/abstractsec-zao

Note: This story contains promotional content.

Guest: Colby DeRodeff, CEO and Co-Founder, Abstract Security [@get_abstracted]

On LinkedIn | https://www.linkedin.com/in/colbyderodeff/

Resources

Learn more and catch more stories from Abstract Security: https://www.itspmagazine.com/directory/abstract-security

View all of our RSA Conference Coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: And here we are on the floor of RSA Conference. Thanks everybody for joining me for this brand story with Abstract Security. 
 

I'm thrilled to have Colby DeRodeff with me. How are you, man?  
 

[00:00:12] Colby DeRodeff: Hey, I'm doing great. Good to see you, Sean.  
 

[00:00:14] Sean Martin: It's always good to see you, Colby. Absolutely. I mean, uh, I don't know how many years we've known each other. A couple decades. A couple decades. I didn't want to date myself, but there we are.  
 

[00:00:22] Colby DeRodeff: It's easier to say two decades than, like, count the number of years. 
 

[00:00:25] Sean Martin: I know. I know. Let's just say we're both sitting in loyalty plus. Yes. A few, a few days, a few days of RSA Conference. We've seen some things as well. Um, this isn't about me. This is about you and the cool things you've been up to with Abstract. It's a space that I love, so I'm thrilled to have this chat with you. 
 

And, uh, before we dig into the company and all the cool things you're doing there, give folks a sense of who Colby is, what you've been up to.  
 

[00:00:51] Colby DeRodeff: Excellent. Sure. Uh, well, hey. Hey, everybody. Um, Colby DeRodeff. I'm the CEO and co-founder of Abstract Security. Um, you cybersecurity back in 2001 at a company called ArcSight. 
 

And you know, ArcSight was really kind of the first dominant SIEM player on the market. As that's when we met and, uh, you know, kind of stayed there and watched the company grow from year 2001 all the way through IPO and acquisition by HP.  
 

[00:01:21] Sean Martin: Exactly.  
 

[00:01:22] Colby DeRodeff: Yeah.  
 

[00:01:23] Sean Martin: And, um, lots happened in that. I'm sure you had grand visions for what that space would be as, as did I. 
 

And I think we saw some innovations there. Um, what have you seen in the last few years where. You think that's not going to really either meet the mark now or necessarily hold up?  
 

[00:01:45] Colby DeRodeff: Yeah, well, you know, some things changed, right? So when we started building ArcSight, it was all about perimeter security, detection at the edge, you know, insider threat, and then along came compliance. 
 

And compliance really changed the dynamic of SIEM, because all of a sudden you had regulations saying you had to collect data from all these different sources. And everybody, you know, you have a hammer, everything looks like a nail. So us vendors said, fantastic, we have a SIEM, put all the data in there.  
 

[00:02:11] Sean Martin: A few more connectors and we're set. 
 

[00:02:12] Colby DeRodeff: Yeah, a few more connectors and you're all set. And so, what happened is the volume of data increased so much that companies like Splunk came along and said, hey, forget doing analytics, forget doing detection, just write, collect this data right at the disk super fast. And so, that's when I say we kind of went into the data swamp era. 
 

Which is like these mass data stores, not adding a lot of business value. And a whole other category of companies came along onto the market, which is XDR. And that's really because a lack of capability within the SIEM. So entrepreneurs, myself included, went out and built XDR systems that sat on top of the SIEM. 
 

Extracted data, did analytics, and then sent the data back to the SIEM because they weren't doing analytics.  
 

[00:02:57] Sean Martin: And so what, um It's funny because I have, I feel like I know some of the answers, but I want to hear them from you anyway. But the, so when you're talking to business folks, um, security has found its way into the boardroom. 
 

Absolutely. People want to know, are we protected against this thing? Are we weak here? Have we seen any signs of X, Y, and Z? Um, those answers have to come quick, they have to come with confidence, they have to be backed up by data. And, so how How do you see organizations struggling with that at this point? 
 

[00:03:32] Colby DeRodeff: Oh, so a number of different things, right? I mean, getting answers quickly out of any system that's, you know, indexing data all day. Quick is not really a thing. So, you know, you're talking hours, days to get answers to questions and that's just not, you know, that's not efficient. If you think about the average adversary breakout time being like 62 minutes, um, you know, if you spend an hour indexing data before you get access to it. 
 

That puts you kind of behind the eight ball as it goes, right? You know, my grandmother always had this funny cartoon on her wall, on her refrigerator. It said, don't walk across a river just because the average depth is three feet. So if the average adversary breakout time is 62 minutes, you know, it can happen a lot faster. 
 

[00:04:14] Sean Martin: Yeah, I'm sure there are many analogies similar to that you can give.  
 

Yeah, exactly. Ah, boy. Uh, so, what, what are you hearing? I know you talk to a lot of people, um, research, a lot of, uh, Security analysts sitting in the SOC, business leaders trying to get a handle on this. What were they saying to you that, and what were you seeing that said we need to kind of shift, shift things here? 
 

[00:04:37] Colby DeRodeff: Well, we need to stop modernizing the mistakes of the past. So there's, well, there's a lot of solutions right now being touted as next gen SIEM. A lot of these solutions are built on legacy technology that was originally built to compete with Splunk. Right? Back in 2010, 2011, there were a lot of people going after Splunk back then. 
 

They're like, oh, we're going to build this faster version of Splunk. Well, these technologies ended up getting purchased, acquired by larger tech companies, and now they're being rebranded as next gen SIEM, and ultimately, they don't have the background on SIEM and the pitfalls and the landmines and all the lessons learned over the years, and, you know, so if you're starting at that right now, you're going to fundamentally fall into the same pitfalls that have happened to folks years and years ago, right? 
 

[00:05:29] Sean Martin: At scale.  
 

[00:05:29] Colby DeRodeff: At scale, yeah, just at a much larger scale. And so, you know, you see this approach of like, let's just take a, you know, a data lake, stick it in the cloud, put a dashboard in front of it and call it a next gen SIEM. Um, fundamentally that just doesn't work.  
 

[00:05:45] Sean Martin: The CISO is going to, I'm sorry to the CISO crowd for this one. 
 

instance where I had a conversation with a CISO at a CISO meetup. Where I said, I believe security is due for a transformation. All the rest of the business has been in transformation. And this particular person said, well we have transformed security. We've moved a lot of it to the cloud. And I'm like, that's not exactly what I was thinking. 
 

So I want your perspective. How do CISOs view this problem? Is that the answer? Where they're not maintaining Systems and just moving stuff to the cloud? Is that, do they think that's the answer?  
 

[00:06:28] Colby DeRodeff: You know, I think that answers an immediate transformation problem because as you are migrating everything to the cloud, all of a sudden there's this whole new data set that analysts fundamentally are learning still because it's complicated. 
 

There's an environment from a resource perspective that folks are learning still. And I mean, you talk to a number of different people and, you know, the varying levels of cloud security expertise, right? Um, and so I think some of that is like, there's got to be a quick answer. We're being forced to migrate everything to the cloud. 
 

What is my quick solution for that? But now we're going to be at a point where organizations that have put like kind of stopgap solutions in place to get them on their cloud journey are now going to have to sit back and re-evaluate and say, Okay, what do my next 10 years look like? Because it's probably not the solutions that they chose as a quick stop. You have to either get off of Splunk or migrate to the cloud or whatever the case may be, right? 
 

[00:07:27] Sean Martin: So what started Abstract? 
 

Big news, so tell us, what was the catalyst? I mean, I know you're a thinker, you're a doer, where I've seen you grow and then create some amazing things. It takes something to change from, this is a great idea, to let's go for it. What was that catalyst?  
 

[00:07:54] Colby DeRodeff: Maybe I have a screw loose. Could be, I don't know, but if we're in cybersecurity, we probably have a screw loose, but you know, I think actually it was kind of a culmination of the last couple of companies that I've been involved with. 
 

And, you know, at Verodin, the last company I was at before the acquisition by FireEye and ultimately Google, um, you know, we're doing controls validation, so we'd go into customers' environments and run live fire attacks in their environment, and we would try to see how their controls respond. So, prior to running those attacks, we'd ask the customer, like, hey, how's your coverage for, like, privilege escalation? 
 

And they're, oh, we have all these rules, like, tons, we'll detect it, no problem. So, we'd run privilege escalation, you know, exploits in their environment, and we'd go back into their SIEM of choice, whichever one it was, and there were no alerts. That's weird, you have all these rules, though. Then they dig into the rules and they're, Oh, those are looking for PowerShell logs or we don't actually log PowerShell. 
 

So there was no way these rules were ever going to fire. They're totally ineffective. They had them, but they weren't effective because they didn't have the data that drives them. And so, you know, one of the things I've been thinking a lot about and kind of led to this is we have to abstract this away, no pun intended, or maybe pun intended, one or the other. 
 

We have to abstract this away and get to a position where we can say, We're thinking about the outcomes. We're thinking about the detection scenarios that we care about. And then we're going to, okay, to drive this detection, what data do I need? Right? As opposed to, I have all this data, what can I do with it? 
 

Which is the old way of thinking about this.  
 

[00:09:27] Sean Martin: So what types of data, well, the power logs, power shell logs, if I can say that properly, was one obviously that you just described. What other areas of the business were they kind of missing things? Or kind of not giving them the insight they need.  
 

[00:09:42] Colby DeRodeff: Yeah, well there's, I mean, take cloud logs, you know, CloudTrail, Azure Activity logs, you know, GCP logs. 
 

There are nuggets of gold in those logs, but maybe like 1 percent of the data is valuable for detection, and the other 99 percent of the 55 terabytes a day that's generated is useful. So why are organizations collecting that data and putting it into high cost storage? for no business purpose other than a compliance business purpose. 
 

We could just easily put it into low cost storage where it's still accessible. You don't need it to drive your detection scenarios. So that's one of the things we're doing at Abstract is actually bifurcating the data stream and splitting out security and compliance, put the compliance data into low cost, long-term storage, put the threat data that you actually care about, the things that are driving your detection. 
 

Put that into your hot storage. Put that into your high fidelity, real time analytics streams.  
 

[00:10:42] Sean Martin: Okay. And so, does this then change the way that they interact with the rest of the organization? In terms of getting access to data and, and  
 

[00:10:54] Colby DeRodeff: It does because I think it, it drives better behavior in the data collection. 
 

You know, I feel bad for like the DevOps folks who are constantly being asked by the security team, you know, hey, can I have all the Kubernetes logs? Well, which ones? Well, I don't know. All of them. And it's like, do you know what all of them actually means? And then they back up a dump truck filled with logs, and they're like, here you go, what are you gonna do with it? 
 

It's been sitting in this S3 bucket for months now, you haven't touched it. Well, of course you haven't touched it, because it's like 3 petabytes of data that no human's ever gonna look through. And it's just not effective from a cost perspective to actually process all that.  
 

[00:11:30] Sean Martin: So what do you do with the SecOps team with that? 
 

[00:11:35] Colby DeRodeff: Well, you have to determine, again, back to the outcomes, right? So, figure out what are the detection scenarios that you actually care about, right? And then, figure out what data you need to drive those detection scenarios. Fork that data, put the rest in low cost storage, and keep the stuff that matters. 
 

[00:11:51] Sean Martin: That is, that is where we are at. Yeah, sounds good. Yeah, sounds good. But now what?  
 

[00:11:59] Colby DeRodeff: Yeah, exactly. Well, now, try Abstract and, you know, get abstracted. So what's that process look like? Well, um, a lot of folks know how to get a hold of me. For the ones that don't, we have, uh, our website at abstract.security. 
 

HTTPS, colon, slash slash, abstract.security. And, uh, you know, check us out there. There's, uh, you know, learn more info page there. Um, we'll be at RSA all week. Find me on LinkedIn. Yep. Um, I'm all over the place, so. Yeah,  
 

[00:12:28] Sean Martin: you're very accessible as well.  
 

[00:12:29] Colby DeRodeff: Yep, absolutely. And always happy to chat about this kind of stuff. 
 

I love it.  
 

[00:12:32] Sean Martin: I know, me too. I'm glad for that. What's um, I want to speak to the CISOs now. So what are some signs that they might see in their current processes that can flag them to say, you really should be looking at this differently? Network signals, risk signals. I don't know, team burnout signals. What are some things that are coming across as you're talking to CISOs that you're seeing as signals for them? 
 

[00:13:06] Colby DeRodeff: Yeah, I mean, one I think is just purely a budget thing, right? Um, spending, paying significant tax to store data in a cloud provider and you're not getting any value out of it. So if there's nothing tangible coming out of, you know, your log aggregation slash SIEM solution, you're That's a sure sign. And I'm sure, you know, these things come with a hefty price tag. 
 

[00:13:30] Sean Martin: So they're wasting money,  
 

[00:13:34] Colby DeRodeff: wasting money. What about, uh, not getting operational value out of the, out of the SIEM, especially when it comes to,  
 

[00:13:41] Sean Martin: you know, I'm trying to put me on the spot. I think this is important because it might seem fine, right? They're detecting, they're responding. They're focused on bringing the XTT. 
 

D's and R's down, right? That's how they're measured? Yeah. So it seems like we're doing okay. We're getting better each quarter. Yeah. But what's the big sign?  
 

[00:14:02] Colby DeRodeff: You know, I think it's the kind of, one big sign would be cloud visibility gaps. So like, you know, cloud is a complex beast, right? I mean, there's lots of applications, lots of accounts. 
 

Um, getting good visibility across that is tough. And so I think I think from a CISO's perspective, they definitely know whether they have a level of comfort with what's going on in the cloud or not. Um, as they've been on this transformation journey, so I think that would be a sure sign that if I couldn't sleep at night because I'm worried about what's going on in my cloud environments. 
 

Definitely a sign.  
 

[00:14:39] Sean Martin: So an honest question to themselves. The confidence level and comfort of. Yeah, absolutely.  
 

[00:14:44] Colby DeRodeff: The level of visibility. Absolutely.  
 

[00:14:45] Sean Martin: Perfect. What's um, I know you've been talking to some customers here, what's some of the feedback you've received thus far?  
 

[00:14:52] Colby DeRodeff: UI looks fantastic. Yeah? Ready to rock and roll. 
 

Um, you know I think we were just demoing to a customer earlier today and we're showing them kind of our, you know, our detection effectiveness process. Which is basically like a workflow within our platform that allows the user to kind of scope out what are their detection outcomes. And then what data sources they need to drive those. 
 

Because the conversation, like I said earlier, has always been, What are all the data sources you have? Great. Let's spend the next three years going around your enterprise, collecting all those logs. Because all of them are hard to do, because it's all change control and everything else, the process. So, if you can actually prioritize the logs that you're going to collect and the data that you need based on your detection outcome desires, then it changes the conversation. 
 

It changes the dynamic. And so one of the CISOs I was chatting with was like, why didn't you start with this? You know, I was going through a bunch of other features in the product and stuff. And he goes, no, no, this is the part that matters. And so, you know, we definitely on the next meeting honed in on that a little quicker. 
 

And, you know, so it's been good getting a lot of good feedback. I think, you know, it's a novel approach based on kind of old school thinking, I guess. Um, You know, so it's, it's pretty fun.  
 

[00:16:13] Sean Martin: Yeah. Change the, change the mindset a bit. Yeah. Um, last question before we wrap. How do you, how do you fit in to the existing tech stack? 
 

Do you sit alongside, sit on top? Trying to figure out how, how existing teams kind of embrace you and make the most of what you offer.  
 

[00:16:32] Colby DeRodeff: So it's, you know, we have a pretty easy adoption path, right? So our platform's modular. We have three modules. One is pipelines. That's usually where customers will start. 
 

And pipelines means we're collecting data from the sources, we're doing ETL type work on the data, um, aggregation, filtering, enrichment, and then we're forwarding the data off to their data lake of choice or their SIEM of choice.  
 

[00:16:54] Sean Martin: Okay.  
 

[00:16:55] Colby DeRodeff: The next thing they can do is easily add our analytics. No rip and replace of that? 
 

No rip and replace. We're just kind of sitting in front of existing solutions, side by side. Um, then they can add our analytics module, which basically allows them to start doing detection scenarios in our product. But then we're forwarding the data and the alerts from our detection output to their SIEM of choice, again. 
 

And then the third module is like, OK, I'm done with all this other stuff. I'm going to turn on the data lake component. And basically now we are the long term and short term data storage solution as well.  
 

[00:17:24] Sean Martin: Got it. OK. It's an easy path. Very, very straightforward.  
 

[00:17:28] Colby DeRodeff: And we don't charge by the gigabyte. We're not doing that. 
 

So, OK. It's a different model, different times. I know all the customers I've talked to hate the gigabyte per day pricing. So we're just doing things different. We're already wasting money there. We're already wasting money there. We're doing things different, so. I know. Yep, it's all fun. Well, I'm  
 

[00:17:47] Sean Martin: excited for you and, uh, sounds like a great, uh, great solution to the problem that many probably know they have and haven't figured out how to, how to get ahead of it. 
 

[00:17:57] Colby DeRodeff: Right, exactly. So.  
 

[00:18:00] Sean Martin: Alright, well thanks, uh, thanks for joining me here. Yeah. And, uh, have a fantastic week at the conference. Absolutely, you as well. Tremendous luck with the launch.  
 

[00:18:08] Colby DeRodeff: Absolutely. This is just day zero, right? Day  
 

[00:18:10] Sean Martin: zero. You're on a good start here. Thank you everybody for joining us for this chat. 
 

Please do connect with Colby and the Abstract Security team. And of course, stay tuned. Lots more coming to you here from RSA Conference. Thank you.  
 

[00:18:23] Colby DeRodeff: Cheers.