Modern Cyber with Jeremy Snyder - Episode 6

Sounil Yu of Knostic on NIST CSF Update & Governance

In this episode of the Modern Cyber Podcast, Jeremy Snyder, CEO of FireTail, sits down with Sounil Yu, Co-founder of Knostic. With extensive experience as a former CISO and cybersecurity expert, Sounil discusses the recent update to the NIST Cybersecurity Framework and its impact on industry practices.


Podcast Transcript

0:08
All right, hello and welcome back to another episode of the Modern Cyber Podcast, brought to you by FireTail, leaders in API security. Find us online at firetail.io. Please remember to rate, like, subscribe, share with your friends, etc. I am delighted to be joined by somebody who really doesn't need much of an introduction, especially if you work in the cybersecurity space; I'm sure it's a very well-known name. I am joined today by Sounil Yu. Sounil is the co-founder at Knostic AI (spelled K-N-O-S-T-I-C dot A-I), and previously Sounil was the CISO and head of research at JupiterOne, as well as Chief Security Scientist at Bank of America, among other cybersecurity leadership roles. Sounil is a well-known name, as I said, in the cybersecurity space. He created the Cyber Defense Matrix and the DIE Triad, which are reshaping approaches to cybersecurity. I know I find them incredibly informative and helpful in terms of just shaping some product direction and things that we're doing over here at FireTail. I hope all of you are actually referring to them. Sounil has an MS in electrical engineering from Virginia Tech, a BS in electrical engineering and a BA in economics from Duke University. And just by way of disclosure, before we dive into today's conversation, Sounil Yu is an Advisory Board member at FireTail.

1:15
Sounil, thanks so much for taking the time to join us today. I wanted to get your take on something that I know you posted about recently, and I think it's something that a lot of people, myself included, were kind of wondering your thoughts about, and that is the update to the Cybersecurity Framework that just came out from NIST. I know from having talked to you offline that some of the things in NIST were part of a framework that you used in your own mental model, that you used to derive the Cyber Defense Matrix. So I'm just kind of curious, I mean, first of all, what was your reaction to the update? Anything super significant or meaningful in there that really caught your attention?

1:53
Well, meaningful... well, let me kind of give you my original perspective. If I look at CSF version 1 / 1.1 as one dimension, that would have been the five functions: identify, protect, detect, respond, recover, right? What I was hoping for in version two is the second dimension, which is what the Cyber Defense Matrix is, right? So having some sort of articulation of the other dimension. But that's okay. I think, in the context of... I was talking to Sher over at NIST just earlier this week, and I can appreciate the tradeoff that they have today. There's a lot of stakeholders that they have to wrestle with, and because it's NIST, one little change that they make has massive impact across big parts of the industry. So I sympathize with the challenge that they're dealing with, and these small little... I imagine that these changes have to be really well thought through, to understand what is the downstream impact.

2:57
All that said, I actually absolutely do have opinions about the latest edition, and of course the biggest addition is the function of Govern that they added. And my biggest challenge with that particular addition is... the problem with the term Govern relative to those functions is a problem of altitude.
3:32
Okay, so what I mean by altitude is: if I look at the Cyber Defense Matrix as, let's say, the map of the United States with all the different... if I look at it as a state-level map, governance might be more like a country-level map. Okay. And so you're looking at it from a 50,000-foot view versus, let's say, a 10,000-foot view. And I would say when you start putting in principles that operate at different tiers or different altitudes, you start confusing the audience and people around: wait, wait, what altitude are you actually talking about? Let me give you another example, using maps again: the words for directions. Okay, so I ask you for directions. What are the words that you use to describe directions? Well, if I were in your house, the words that you would use for directions wouldn't be east, north, south, west, right? Right: up the stairs, turn left, second door on the right. Right. If you were looking on the city map, you wouldn't say "up the stairs." You wouldn't even say, like... Yeah, and by the way, I wouldn't use north-south; I'd say go that way two blocks, turn right, you know, maybe give you a landmark or something like that. Yeah.

4:59
So the same way, for cybersecurity we have this word "risk," and how you describe risk at a 10-foot level is very different than the words I use to describe risk at the 50,000-foot level. And so likewise, in the context of the Cybersecurity Framework, if you start co-mingling things like governance, which I think is at a higher level than the functions of identify, protect, detect, respond, recover, then we start confusing: wait, who are we speaking to? What language are we talking at? What do you mean by "left"? Because that's not even in my vocabulary, right?

5:37
Okay, so that's the challenge. Now, if there's a clean mapping between the function of governance, or the activity of governance, with all the other subfunctions of identify, protect, detect, respond, recover, then you can say, oh, okay, in the country of the United States there's 50 states, and these 50 states are as such, and there's a translation function that we can naturally see in the physical world, of course. But in the cyber world, we're still kind of figuring out, like, wait, what are we talking at the state level? Are we talking at the city level? Yeah, right.
6:12
Yeah, but to your point, I mean, doesn't that also in a way kind of imply a secondary dimension? Because Govern is not really one of these sequential activities like identify, protect, detect, respond, recover. You know, it is kind of something that overlies all of them, and it is something that should be... like, you're doing it at every step along the way. And so, to that extent, it's kind of a second dimension. Or do you not really see it that way? You see it as just kind of a zoom-in, zoom-out lens on those things?

6:44
Well, it's not a second dimension but a third dimension, right? You look at the world... Sorry, yeah, not a second dimension, yeah. And so yes, I do see governance as... or, different layers. There's... DoD has what is called their architectural framework, DoDAF. DoDAF, yeah. And in the architectural framework they have all these different types of views. They have a technical view, they have an operational view, they have... there's like seven different views. Yeah, okay. AWS has their Well-Architected Framework, and similarly, you know, it has a cost view and an efficiency view and a resiliency view and a security view, and so on, right? So you look at a physical map and you see a political map, you see a terrain map, you see a weather map, right? So you have all these different types of representations at different layers as well. And so I look at governance as one of those types of... I mean, it's like a political terrain map... sorry, political map, versus, let's say, an analytics view. Yeah, okay. An analytics view might be a weather map or a traffic map or something. Yeah, right.

7:56
Yeah. And where does analytics fit across the Matrix, or across these functions? It fits everywhere, right? Every aspect of the Matrix, every aspect of governance and whatever, there's measurement and there's analytics that we can do on top of all that. So where's the home for that? And the reality is, it doesn't... it kind of transcends the, you know, that physical... Anyway, it provides this... that another layer of abstraction, and that's the challenge with the function of governance. Because then I can also say, well, if you add governance, then where's analytics, right? Yeah. Where are all these other maps that we kind of need to be able to run and operate a good security program?

8:39
It brings me to
8:41
like three follow-up questions that come to my mind. Number one is, through my work in cloud security, governance is a term that got used in, like, many different ways, and pretty much every customer that we went into to talk about governance had a different view on what governance was. But I would say the one kind of common thread, if I had to pull one out from X number of customers that I worked with over the years, of what governance is: it really is "we're doing things the way that we intend them to be done." And that could be as simple as, let's say, on a cloud platform, we run production in US East (Northern Virginia) and we run disaster recovery in the US East (Ohio) region, and we use a certain set of services from these cloud providers, nothing else, and everything that we stand up has to have a certain set of labels or tags on it so we know how to identify every asset that we're running. And for many organizations, first of all, that was a challenge. They often had challenges getting people to abide by those rules, but they often also had challenges even kind of codifying those rules, or expressing where they fit, to your point, into a cybersecurity program. And so do you think of governance as this kind of set of... governance is like a set of guidelines for how we, organization X, intend to do things? Or do you think we should think about it differently?

10:07
So the way I thought about it is, governance, at least in the context of the Cyber Defense Matrix, creates the structure of the Matrix itself. The governance, in my view, provides a way to understand how people, process, and technology operate in this environment, and then one can use governance functions to say, is it operating as expected? Right.

10:39
But let's... I mean, I love the analogies because it does help me process the world. There's different types of governance even on a map, so to speak, right? You have federal government, you have state government, you have local government. Yeah. Do they all exist at different... they exist at different layers, and they may have different forms of government as well, or governance as well. You can have a democratic government and a Republican state and a Marxist local government, whatever. Okay, right, right, right. And so, in fact, there's this notion that every person has multiple political affiliations. You could be, you know, at the federal level Democrat, at the state level Republican, at the family level a communist and a Mar... So anyway, the point is that at different scales you have different types of governance constructs, and they look different, but the notion of structure is still the same, meaning you have these governing bodies, and the structure of these governing bodies has a self-similarity throughout the different structures. So similarly, you know, the Cyber Defense Matrix to me is creating that governance structure under which we can understand how people, process, and technology fit.

12:04
One of the things I really like
12:07
about the Cyber Defense Matrix model is that you underlie all of those functions with the kind of... I don't know what the right word for the diagram is, but it shows, you know, which activities are very heavily people-driven and which activities are very heavily technology-driven, and they kind of bleed together as you go across the spectrum. I'm curious, so when you say governance kind of fits that, is it kind of fair to say that, let's say, if I sample an activity in there like Detect, governance to me says, okay, my Detect approaches should be 60% technology-driven, 40% human, just picking random numbers, and for various attack surfaces that I'm covering, or various asset types as you have in the Matrix, you know, just checking that we're applying the right levels of technology versus the right levels of human interaction for the attack surfaces that we've defined, that we want our approach to be. That's governance?

13:06
Governance provides that structure, right, to define then what we consider to be optimal or efficient or desirable, whatever else. Right. And then tests against that would be kind of checks that we are actually complying with the governance that we, as an organization, have set forth. Right. And the bottom part of it is around the resource allocation. The Matrix itself, the 5x5 Matrix, is to say: what are we doing in each of these boxes, and are we doing what we should be doing in each of these boxes? You know, there's a governance aspect because you've now created that structure that says these are things that need to be done.

13:48
Yeah, yeah. And just a reminder to our listeners, as you once told me, it's not a bingo blackout card. You're not trying to check every box on the Cyber Defense Matrix,
13:59
unless you're, you know, maybe way out... a severe outlier in terms of what your cyber defense needs are. I'm curious...

14:08
But at the same time, the goal of the Matrix was to bring awareness to the fact that there exist these functions, there exist these assets, and you should see whether or not it's relevant for you to do something about those boxes. Yeah. In the same way, when I was talking to Sher over at NIST, I think part of the goal was to say, look, folks, don't forget about governance; let's explicitly call out governance so that people don't forget about it. Yeah. That was partly my goal with the Cyber Defense Matrix: to say, hey folks, when you say cyber, don't forget that cyber includes not just the devices you use but the applications, and also the networks and the data and the users. Don't forget that those are all things that need to be identified, protected, detected, responded, recovered. And so it was a way to just remind ourselves: don't forget these things. Don't forget that this is not just about technology, but it also includes people, process as well. And ultimately, what I think part of the goal of NIST was with the Govern function is to say, hey, don't forget there's governance too. Yeah. For me, I would say, okay, great, I agree with that principle, but if it's operating at this higher level, then I would say at this higher level there's not just governance, there's also things like analytics, there's orchestration, there's automation, there's all these things that we should consider at this higher level of abstraction that includes governance, but it's not only governance. And right now we will forget about these other things, because all we see on that diagram is governance.

15:50
Well, this brings me to one of
15:52
the other questions that I mentioned earlier. I said I had three, so the second one that I have is: in other contexts where I've talked to customers about governance, one of the questions that I very often get, or one of the reactions that I get, is, well, governance means hygiene, and hygiene is kind of, you know, are we running the things that we intend to run? And many organizations find that they have a lot of sprawl, that they have lots more systems running than they thought, because old Project X never got decommissioned, old server Y never got shut down, cloud instances one through 350 are still running outside of their production hours, etc. And I found that, when I would ask people about hygiene... either I would ask them about governance and they would jump to hygiene, or I'd ask them about hygiene and they would say, oh, that's part of our governance function, and it would get pushed to a separate set of individuals than, for instance, potentially the cyber team. They would say, oh, that's the GRC team, governance, risk, compliance; they're responsible for that. And so there was this kind of weird conflation of those two terms that I experienced. It sounds like, from your perspective, they're definitely not the same thing, although there is some connected nature of hygiene, you know, feeding governance, or maybe being like a rule set within governance. But how do you think about that?

17:10
Yeah, so I would not actually put hygiene and governance and equate them, or say that hygiene is governance. Governance is more than just hygiene, is that right? Is what I was going to say.

17:27
And by the way, just to give you context, the term "hygiene" is also oftentimes misunderstood, and one way to have a clearer understanding of what we mean by hygiene is by considering the word "safety." Yeah. So in many other languages, the word for safety and security are the same word. The same, yeah. In English we have two words. Yeah. In cybersecurity we seem to have the same word again. Yeah, okay. But what do we mean by safe? What does the word "safety" mean in cyber? Well, one way to think about it is to add the word "food" in front of it. So what is food safety? Well, food safety includes hygiene, compliance, inspections, best practices. Sounds a lot like what we call cybersecurity, right? Yeah, yeah. Then there's something separate called cyber security... or food security, and food security is something that... there's concerns around food security that are triggered from, like, things like famine, or what happened to all the baby formula, or what are we going to do about all the Ukrainian wheat and getting it out there, right?

18:37
And they're usually incident-driven, in my view, and what we try to do is to prepare for those incidents. And when we think about good governance, to me it's both the safety and the security side of it. Okay. And the safety side, again, is the hygiene part, but what we call security, what I'm calling security, is: what do you do when something bad happens, and how do you ensure that you have good governance to ensure that when something inevitably bad happens, you know how to prepare for it, you know how you've been prepared for it, so that you can then make that not material?

19:16
Yeah. And the third question
19:19
that kind of came up in my mind when I looked at this is: governance is a concept, and it's very hard to kind of define a set of prescriptive controls around it. And I think for a lot of people, especially a lot of, let's say, younger or less mature cybersecurity practices, one thing that I find them consistently struggle with is they're often looking for something prescriptive, because, absent good awareness of a threat model and a strategy for kind of responding to the appropriate threat model for that... which, by the way, again, I think the Cyber Matrix does a good job of bringing awareness to, kind of asking yourself all the right questions about where your risks might be and where you might want to apply mitigations and defenses. So, plug for that again. But, you know, absent that, a lot of people look at things like this and they say, like, well, I'm just going to follow the NIST CSF. But you don't find a lot of prescriptive controls in there, and I think that's an often-cited criticism of something like the CSF. What's your reaction to that? And, you know, also, as a practitioner in larger organizations, did you look at things like the CSF for controls, or did you look at them as just, you know, hey, guidance that we need to check in on and see what we think about it, and, you know, just ask ourselves a set of questions again: are we doing all the things we think we should be doing?

20:44
Yeah, and so let me again use the map analogy for a moment. Oftentimes, when people are asking for a very tactical-level control, and they look at this Cybersecurity Framework, which is again at a much higher level, then they're communicating already at the wrong level. They're expecting things at the wrong level. And for the Cyber Defense Matrix, again, I think to me it's at this higher abstraction that makes it really hard for us to say, "give me a tactical-level control that fits in this particular box." And I can give you that, but then you're asking for something that's at this very low level. You started off this conversation around controls for governance, so let me give you then the analogy there, because this will also help as well. So if the Cyber Defense Matrix, and how we represent the program, is at the, you know, 50,000-foot level or whatever, then the board of directors is something like at the 100,000- or 250,000-foot level. Okay. And the controls that you operate at that level are very different than the kind of controls that you operate at the 50,000-foot level.

21:51
At the board of directors level, what's the job of the board of directors? Governance. Yep. Okay, what are the controls that we have for the board of directors? Well, there are laws, whether from the SEC or Sarbanes-Oxley, that say you are expected to exercise your governance functions in such a way that if you don't do it properly, you can be sued, or you can be personally liable for failing to do your proper corporate governance functions. That's the control.
22:33
yeah I think that is a great note to
22:36
leave today's conversation on seil I
22:38
appreciate your thoughts on the cyber
22:40
security framework how it ties into the
22:42
Cyber defense Matrix and how
22:44
organizations could think about
22:45
governance thanks for taking the time to
22:46
share your thoughts with us today on
22:48
Modern cyber thanks for having
22:50
[Music]
