Episode 31

Preparing for the Future of Device Management

With the growing move towards a hybrid and remote work environment, more and more people are relying on their smart devices to get work done. Keeping track of all of these devices, and ensuring that they are being used in a very secure manner, can be a challenging proposition. A recent survey finds organizations unprepared and overwhelmed with managing thousands or hundreds of thousands of these endpoint devices. Mike McNeill, CEO, Fleet Device Management, sheds light on some of these critical security issues and addresses questions such as: How does an organization manage its devices? Do they know if their devices are compliant and secure? Do they have ways to query them to learn more about their status in real-time? Mike also offers recommendations on how to prepare for the future of device management.


Time Stamps

01:28 -- Share with the listeners some highlights of your professional journey.

02:11 -- Let's talk about the motivation for the study.

03:54 -- The study is fairly recent; it was started on February 25, 2022. It was conducted online via Pollfish using organic sampling. And when I look at the industries represented, it's pretty comprehensive. You all didn't leave out any sector. Am I correct?

04:52 -- Were you surprised by the survey findings relating to the state of device management?

06:48 -- Talking about managing the devices and keeping track of the devices, I read here that only a quarter of the sample population said that their devices are fully enrolled and upgraded. You know, that's worrisome. Why do you think organizations would allow that to happen?

07:54 -- So, if I'm understanding you correctly, the use of multiple operating systems and multiple platforms is part of the problem when it comes to tracking the devices, right?

08:33 -- Another finding that got my attention is that one of the best practices is to have a good Bring-Your-Own-Device (BYOD) policy. And to be more specific, 32% said, having a documented BYOD policy is a crucial best practice for their MDM (mobile device management) strategy. Can you expand on this?

09:57 -- BYOD, Bring Your Own devices, as an approach has its pros and cons. It was interesting to read that 32% of the respondents felt that having a documented BYOD policy is a crucial best practice for their MDM strategy. What are your thoughts?

11:49 -- Another best practice documented here is measuring point-in-time compliance across all devices. Share with the listeners what you mean by point-in-time compliance or real-time compliance across devices.

13:56 -- How feasible is it to try and automate the patching process and thereby remove the responsibility (of patching) from the users?

17:51 -- Another finding that I find interesting is multi-factor authentication becoming a top priority for 2022. The reason I find it interesting is I would assume that by now, multi-factor authentication would be a standard. I wonder why the delay in the adoption of a security mechanism that is universally accepted to be a very robust protective measure. What are your thoughts?

19:35 -- What were some unanticipated or unexpected findings?

20:59 -- I think the extent to which security and IT teams can work together and appreciate the significance of each other's work would make the development and implementation process more effective and efficient. What do you think?

23:12 -- What would you say to organizations interested in improving device management? How should they prepare themselves?

25:46 -- Going back to the report, where you're talking about preparing for the future of device management, you have several recommendations, one of which is to start managing containers. Can you expand on that?

28:21 -- Another recommendation in this report is to protect remote workers with zero trust, TLS, and multi-factor authentication. I'd like you to expand on this TLS when you suggest "move away from VPNs to granular proxies with TLS." Can you explain this?

30:38 -- Share some final thoughts with the listeners.


Memorable Mike McNeill Quotes

For endpoint security and risk management overall, you are starting to see more security engineers and security operations roles live in the IT department, and you're starting to see more IT engineering roles effectively taking on security challenges. And I think there's an argument to be made that in a couple of years, we're gonna see blended IT and security departments. So they will not be all that distinct anymore, other than the risk management aspect and crunching the numbers.

I think your success then comes down to, can we take inventory of what we have, and look at this from first principles, like, what are we trying to achieve here? We have a security posture we want to get to, we need to have an accurate inventory, and we need to make sure that we're collecting the right data that we can empower our security team with to like go run and build what they need themselves without having to go ask IT for more and more data every time.

If you are pocketed in and are part of a big organization, look for ways to find portable formats and solutions that don't lock you into a particular future, and that can work for other people in your company, even if they do have to use a different set of tools.


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of the book Cybersecurity Readiness: A Holistic and High-Performance Approach, a SAGE publication. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and workshops, consulted with companies and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia. As a Duke University Visiting Scholar, Dr. Chatterjee has taught in the Master of Engineering in Cybersecurity program at the Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast series. Our discussion today will revolve around the current state and future of endpoint security management. I'm thrilled to have Mike McNeill, CEO and cofounder, Fleet Device Management, as my guest today. And Mike will share his thoughts and perspectives, and also some very interesting findings from a study that his organization has conducted. So Mike, welcome.

Mike McNeill:

Thanks for having me, Dave.

Dr. Dave Chatterjee:

Hey, before we get into the details of the discussion, the study, let's talk about yourself a little bit. Share with the listeners some highlights of your professional journey.

Mike McNeill:

Oh, yeah, so I got into Open Source in 2011-2012 or so, did a bunch of different packages over the course of my time in Open Source, but I built a framework called Sails.js for the Node.js community. And then more recently, I've teamed up with Zach Wasserman from the osquery project on his app called Fleet, which is an open source platform for collecting data from the devices and servers that you manage.

Dr. Dave Chatterjee:

Okay, fantastic. So as I was reading the report on the state of device management, I found some of the findings to be quite concerning. But I'm not surprised. With the growing move towards a hybrid and remote work environment, you expect that more and more people will rely on their smart devices to get work done. Keeping track of all of these devices, and ensuring that they are being used in a very secure manner, can be a challenging proposition. So there are a lot of challenges that we're going to be talking about today. But let's first talk about the motivation for the study.

Mike McNeill:

Yeah, so we in the Fleet, the company, right, because we're a company that built around an open source project and community, we wanted to understand how is the problem of device management shaping up, right, because it's getting more and more complicated. You got all these different cloud accounts with your AWS servers and your GCP servers, which is Google Cloud Platform, and Azure, from Microsoft, and many other providers. Plus, you might even have some stuff on-prem (on-premise), you've got mobile devices, right, and maybe they are corporate issued or company issued, maybe they're your own personal device. And the same thing can be happening with laptops. And so in the transition that was going on, a big problem that we saw was people would end up with like a lot of different device management platforms. And we wanted to understand like, what is the actual underlying goals here? And how effective are people in this increasingly complicated environment at achieving these device management goals?

Dr. Dave Chatterjee:

Excellent. And you all spoke, or you all sampled 205 members of professional security teams who are directly responsible for device management. The study is fairly recent, it was started on February 25, 2022. It was conducted online via Pollfish using organic sampling. And when I look at the industries represented, it's pretty comprehensive. Y'all didn't leave out any sector. Am I correct?

Mike McNeill:

That's right. Yeah, we tried to go as broad as we could, so that we could get, there's a lot of fish farms, right? Have IoT devices, like there's, it's a much more complicated regulatory environment. But there's also a lot of medical devices out there. And we were mostly focused on kind of the corporate devices and the production devices like servers, or virtual servers or containers. But we did factor in some of the IoT stuff as well.

Dr. Dave Chatterjee:

Good to know. Good to know. So let's get to some of the insights from the study. Let's begin at a high level by discussing the overall state of device management. Your survey finds that organizations are struggling to manage a large number of endpoints. A quarter of the respondents report having to manage 250,000 devices or more. And another quarter of respondents are in organizations with over 10,000 workstations. The respondents also said that devices in their organizations are at various stages of enrollment, and upgrade. While some organizations report having enrolled nearly all devices in their MDM with the latest operating system, there are others, where not even a quarter of the devices are enrolled and upgraded. This means many organizations don't know which devices are at risk. And that is very concerning. Does this finding surprise you?

Mike McNeill:

Yes and no, right? Because qualitatively, we've been hearing for a long time, just from the contributors to the project that we have so many different tools on the security side. And on the IT side, we have maybe a platform that manages our Macs and a different platform that manages our Windows, we knew there were some complications there. But it was pretty surprising just how much, how varied the issues were. It's not like people were, the only thing wrong is, hey, I can't collect my security data, right, from my devices. It's like, people are having issues across the board in effectively managing their computers. And that's true in every industry.

Dr. Dave Chatterjee:

Interesting, talking about managing the devices, keeping track of the devices, I read here that only a quarter of the sample population said that their devices are fully enrolled and upgraded. You know, that's worrisome, why do you think organizations would allow that to happen?

Mike McNeill:

So the organizations wake up, you know, it's not like they wake up in the morning, and it's, they look around, and they, they have this problem? And they got here overnight, right? It's, it's, I think that you have, you always have even at a small company, maybe a few devices that are on, you know, Linux, Ubuntu laptops, or maybe you're mostly a Mac shop, and you have a couple of Windows PCs, maybe you have most of your infrastructure in AWS, but there's just one or two Google Cloud accounts. And I think what does happen is they start making exceptions, and then they look 12 months later, and it's sort of ballooned out of control, the problem. And then they started having to say, alright, we're gonna have to really invest some serious time and resources to figure out how to catch back up for our compliance purposes, or our security posture.

Dr. Dave Chatterjee:

So if I'm understanding you correctly, the use of multiple operating systems, multiple platforms, that's part of the problem, right, when it comes to tracking the devices?

Mike McNeill:

Absolutely, that and then shadow IT. So on the server side of the world, like you, maybe you have a large organization, and you want to have an enterprise agreement that says like, all of our cloud usage from Acme Inc, is gonna go to Microsoft, for example. But then there's some teams that end up just kind of creating individual Google Cloud accounts or individual AWS accounts, and those start to add up. And then before you know it, you've got a bunch of mystery servers that aren't tracked as part of your big strategy.

Dr. Dave Chatterjee:

Interesting, you know, another finding that got my attention, where the report states, one of the best practices is to have a good Bring Your Own Device Policy. And to be more specific, 32% said, having a documented BYOD policy is a crucial best practice for their MDM strategy. And again, MDM stands for mobile device management. Can you expand on this?

Mike McNeill:

Yeah, I mean, so if you're familiar with Aristotle's concept of, like, the golden mean, right, there's one reality where you just say, hey, nobody can use their own device. Or if you do, you're gonna have to, like, enroll it, and all of your text messages are gonna belong to us. And like, all of your, all of your web browsing activity is going to belong to us, et cetera, that makes it really hard. It's a hard pill for employees to swallow. And then on the other side of the coin, you have what happens at a lot of companies where they started off and everybody kind of has their own laptop and before you know it, you're 100 people, before you know it, you're like 500 people, or maybe you know, this happened recently with the supply chain issues. The Apple store in the US or in other countries where you're going through resellers, can't get you a laptop quickly enough. And so you're just having to say, you know what, it's been five weeks, like, just go get one, Mike, go anywhere you can. And then maybe that person encrypts their hard disk using their personal iCloud password and before you know it, you don't have access to the hard disk.

Dr. Dave Chatterjee:

Good to know. BYOD, Bring Your Own Devices, as an approach has its pros and cons. It was interesting to read that 32% of the respondents felt that having a documented BYOD policy is a crucial best practice for their MDM strategy. What are your thoughts?

Mike McNeill:

So I think, especially when it comes to, I'll work, I'll work back from BYOD. With BYOD, I think there is, it's kind of like time off policies, right? You can tell everyone at your company, here's the process you go through to take some time off, maybe you let your manager know, you put it in a calendar of some kind, and then you're good, right. But sometimes you get sick or an emergency happens. And you have to go around the process. And I think organizations are realizing that they have to have a way to support that, and then catch back up, while also still kind of having their best practice standard process for getting devices enrolled. And I think that's kind of true across the board with shadow IT as well. Folks are realizing that people are going to have cloud accounts. Sometimes when you need to get something done, people just go get it done, right. And they sign up for the account without going through procurement, or they go and go buy their own. Maybe they go buy their own laptop, right, outside of, maybe the marketing team uses their budget instead of using the IT team's budget. I think it's kind of having a dual strategy for like, what do we do in the standard case? And then what do we do when there's an exception.

And as far as the platforms, I think we're seeing a lot more convergence, people are spending a lot of time building custom scripts trying to extract data from their MDM platform. And then they're having to go redo that same work for their other platforms, right, or for the way they deploy things to their servers. And it's just, it takes too much time.

Dr. Dave Chatterjee:

Wow! Complicated. Moving on to another best practice documented here, which talks about measuring point-in-time compliance, across all devices. Share with the listeners, what do you all mean by point-in-time compliance, or real-time compliance across devices.

Mike McNeill:

So the, I'll use an example from, let's say, let's say you start a company, right, and you're like, I'm going to go sell to, you know, I don't know, Bloomberg, right. And they look at your, your awesome product that you have, it probably has a website where they log in and add some servers that are powering that product. Well, one of the things they're gonna want you to do, if you're hosting the product for them, is go through, in the US, usually a SOC 2 compliance. And Europe, it's more easily ISO 27001 compliance. And that can vary for different organizations and use cases. But those are the most common. So a lot of companies find themselves dealing with that first, really just to be able to sell effectively. So that usually is a one time thing. And then you're kind of good for, you're good for a while, right, and good for a year or two, there's a lot of different flavors that get you different levels of compliance.

But at a certain point, when you get big enough, and these days, it's actually trickling down to smaller and smaller organizations, you start to actually have a need to make sure that your security posture is kind of next level, right? Like you're getting, you're getting real phishing attempts, like every single day, you're actually getting compromises happening across your fleet. And then that's where the point-in-time compliance becomes bigger than just, you know, not only can I prove to the auditors that on this particular day, I was either compliant or I wasn't, which oftentimes, you know, the reality is that people aren't, right, in the middle between these audits, there's gaps, because there's always going to be exceptions. But point-in-time compliance is also like a lot more valuable for the fact that it doesn't have to be a compliance standard that's general across the industry, it could just be that, hey, we decided that nobody should have their one recovery kits sitting on their desktop, you can enforce that, right? So why not turn on an alert that goes off and lets that person know, so they can like remediate the problem? Or get IT involved to help them out.

Dr. Dave Chatterjee:

Yep. In fact, vulnerability management is the number one focus area. As I talk to subject matter experts on this show, one particular expert emphasized that if he had to select one area where a lot of attention needs to be paid, and that is vulnerability management, making sure your devices are all patched up. And so when I'm thinking about enforcing that across the board, given the different types of devices, the different operating systems, and then people using their own devices, from a technical standpoint, Mike, how feasible is it to try to automate the process and take the action, the action of updating, you know, patches away from the user, and I will admit that I'm one of those people, when I see an update, update alert, I don't right away do it. I'm lazy about it, but that is not a good practice. And so how do you ensure that people like me don't engage in that, if I may.

Mike McNeill:

Well, pretty, so it's, uh, I'd say there's two, there's actually two pieces to this. There's the operating system patching. Yeah, yeah, a lot more invasive, it's a total takedown of your system, right. And that's where, I think that's actually where companies want to start a lot of times, because that's where you, it's very easy to report on generally. I mean, again, you might be pulling from multiple different tools, if you don't have a cross-platform device management solution. But you are being, it's just one data point, right? You can say like, what, how many people are up to the latest operating system for Mac, for Windows, and that, there's actually, there's a tool called Nudge that is, I'm actually, sometimes, Dave, can end up being just like you. One thing that's consistently gotten me to update my OS in a timely fashion is Nudge popping up its window, it's open source, it's free, it's by this guy, Erik Gomez, it pops up a window that you can't close. And you'd have to explicitly tell it, do I want to defer this later, for like, three hours or so or tomorrow, and it only lets you do that, I think a handful of times, whatever Apple has built in, you know, it talks about only letting me do it a certain number of times, but for whatever reason, it didn't work, but Nudge was how we solved that problem at Fleet even just for our small team, you know, 30 to 40 folks.

On the other side, though, for patching software packages, way more complicated problem space. And also because historically, you know, we were all in the world of IT, people were hooked up to physical desktop computers on a network, or companies that would send people off into the wild would have VPNs. And a lot of companies still do a VPN. So a lot of the infrastructure was really built around this idea of network scanners, where it sits on your network, and it kind of sniffs out all the devices and whether they have any vulnerabilities. But that's a lot less detailed information than you can get if you actually have an agent installed on the computer, whether that's a server or a laptop. So that's actually something we've dug into a lot with the Fleet project, is trying to understand what can we add, we already have an agent on the system, because we're with osquery, right? Monitoring, telemetry about the actions, the usage of the device, anything that might be suspicious. So if we can use that to grab the software inventory, what we learned, well, you know, could we automate this, right? And we learned that a lot of companies are already consuming vulnerability feeds. So they'll get the CVEs (Common Vulnerabilities and Exposures), which represent, like, a vulnerability in a piece of software, come in, and they'll have analysts that either with scripts or by hand, match up those CVEs to actual software that's installed, whether that's like a Chrome extension, or a package running on a server, or an app like Figma. And that can definitely be automated. And that's actually something we built into Fleet. It's one of the free features of the product.

Dr. Dave Chatterjee:

Okay, you know, another finding that I find interesting is multifactor authentication becoming a top priority for 2022. The reason I find it interesting is I would assume that by now, multifactor authentication would be a standard. So I get a sense that several of the folks who were sampled in their organization, they were still moving in that direction, they were not quite there yet. And that's when again, I wonder why the delay in adoption of a security mechanism that is universally accepted to be a very robust protective measure. What are your thoughts?

Mike McNeill:

If you've ever played racquetball and you've gone into the gym, and you look at the courts, and you see how many of these people are wearing goggles, right? I'm not wearing the goggles, right? I mean, and there's a, I think a lot of people just, anytime when you ask them to do something that isn't in their immediate right now interest, it can be really hard to motivate people to do that, because we just don't think that way as humans. So that's, I think the psychology is a big factor. But on the other side, vendors, right, they've had to learn to love MFA. I think it's really easy to deprioritize security features like this, especially ones that involve extra UI, and you know, your product managers, like, ah, customers are going to have bad experiences getting into the product. Like we don't want to do that. Right. And so it is, I think it was a hard thing to prioritize for a lot of companies until they realize that it helps prevent account sharing. And so I think we've seen a lot more MFA take off from the vendor side, as companies realize, hey, this is a way we can actually make more money because we can get people to prove that they are who they say they are, and therefore, you know, it's not two people sharing the same account.

Dr. Dave Chatterjee:

Okay, that's a good point. So what were some of the things that you found in the report that got your attention? I mean, I would like to call it say, unanticipated or unexpected findings. What would that be?

Mike McNeill:

Well, one thing we saw, we actually did a report or we did a separate, we asked the same question, right, but to IT respondents, and it was interesting to see how the IT and security respondents answered differently. Right? To see on the security side, folks were far more interested in like, enforcing that the configuration of the operating system is secure and appropriate, versus on the IT side, like a lot of the challenge, like, yeah, that's great. My security team's asking me to do that. But the challenges were a lot more diverse. The IT side was a lot more aware of how long it took to roll out an MDM. I think they actually said it took three months longer on average than the security respondents did, probably because the security folks saw it three months in, and in the process, and I think the IT folks were more exposed to the actual nitty gritty of the migration. And then the other thing was just how much more aware that the IT side of the house was about the challenges of enrollment and trying to hit your enrollment goals. And some of the pushback that the employees gave when they don't necessarily want their devices to have to be under management or monitored.

Dr. Dave Chatterjee:

You bring up this apparent disconnect between the security team and the IT team, and a lot has been written about it, and a lot will be. A fundamental question that does always come to my mind is why don't organizations get these people, these teams to work in tandem, work together, so that can facilitate implementations? Like when I'm reading this report, I see one of the challenges is effective implementation of MDM tools and platforms. And though this was not explicitly mentioned, as a potential success factor, I'm going to put it out there that I think the extent to which security and IT teams can work together and appreciate the significance of what is being done, that would speed up matters. What do you think?

Mike McNeill:

I think anytime when you have different organizations, departments, teams that have to have an interface point, and this is true in software, too, right? If you've ever worked with microservices, you know what it can be like. There starts to have to be a lot more things you layer on right to be able to make sure that that interface point is successful, maybe you have like an intake process so that the IT team can take requests from security, because they're getting asked things from a lot of different stakeholders. And so I think it can be successful with a lot of work. But it also is seeming like more and more that security, you know, on the AppSec side, application security, there's a shift left idea where security is actually infiltrating into the actual software engineering organization and making sure that it's like a DevOps stage, right? It's, and you could actually make the same argument about design, right, and how as becoming a DevOps stage for user interfaces, but for the other part is security for kind of endpoint security and risk management overall, it's starting to you start to see more security engineers and security operations roles, live in the IT department, and you're starting to see more IT engineering roles, effectively taking on security challenges. And I think that there's an argument to be made that in a couple of years, we're gonna see blended IT and security departments. So they're not going to be all that distinct anymore, other than the risk management aspect and actually crunching the numbers.

Dr. Dave Chatterjee:

That is very encouraging. I think that's the first thing I've heard that makes me very optimistic. It should have happened a long time back that, but now that you're mentioning that, that things are moving in that direction about a blended IT and security department, that sounds awesome.

Moving along those lines in terms of facilitating compliance, facilitating implementation, based on your experience, what makes a company better prepared in device management? What are some factors, technical, managerial that because you will appreciate or agree that there can be a lot of tools out there, and let's say Tool A is highly popular, highly effective, but it may not be effective for an organization that's not ready for that tool, because there is that people-process-technology alignment, that is very important to make sure that you realize you get the most out of these platforms and tools. So what would you say to organizations who are interested to get better at device management? How should they prepare themselves?

Mike McNeill:

Well, I'll say it depends, but I'll give you a better answer than that. But I would say the first thing I would do is ask myself, how big are we right? How do we currently do IT? Is it still part of the engineering organization? Because if so, then you know, you're going to have this tendency if you bring on any security focus is now going to be split between application security and making sure your code is safe, and actually looking at your own internal needs. So I think I would look towards where your IT is now. Like, how do your laptops get ordered? How do you keep track of you know, if you're doing anything for like, warranty expiration, or how do we recycle laptops, what's our offboarding process look like? And whether that's, you know, a wiki page somewhere or like a checklist and an issue or something, I think jumping off from those human processes, and then saying, okay, who's going to own this? And what kind of framework are they going to use to solve the entire problem? You know, if you have a team of 30 people already in your security department, well, it's going to be a lot more complicated for you, because you've probably already bought a lot of different tools. So I think your success really then comes down to, can we take inventory of what we have, and really look at this from first principles? Like, what are we really trying to achieve? Here, we have a security posture we want to get to, we need to have an accurate inventory. And we need to make sure that we're collecting the right data that we can empower our security team with to like go run and build what they need themselves without having to go ask IT for more and more data every time.

Dr. Dave Chatterjee:

You know, you're spot on. And that's part of, you know, comprehensive planning. Unless you know what you have that needs to be secured, you really can't make progress. But then as we were discussing, the way companies are today, highly distributed with a lot of remote operations, that can be a huge challenge is just to keep track of who's using what and whether it's their personal device, or it's an organizational device. So once again, going back to the report, where you all talk about preparing for the future of device management, and you have several recommendations, one of which is "start managing containers." Can you expand on that?

Mike McNeill:

Yeah, so today, you know, more and more companies are moving from, let's say, look, 20 years back, right, like you would have a server in a closet somewhere, right, or in a data center, then we moved to the cloud, and you have a virtual pretend server that's living in AWS, like somewhere in their data centers. And then with containers, you know, we're able to basically let anybody run their own cloud, effectively, on a container host, whether it's Kubernetes and using Docker, whatever it is, and I think a lot of people assume that because my container image is secure, and because the life of my container is short, the risk is relatively low. And it is right compared to something that's running for weeks and weeks, you know, what's the worst that's gonna happen, somebody can compromise it for a few minutes. But there are some sticky issues that can still come out of that. And as the reality of what's possible changes, you know, attackers are going to learn to make the most of what they got right to get, get what they want. Exactly. And so if that means your script has to run faster to do an attack then it will. So I think a lot of companies are looking at moving to can we monitor each container, maybe we don't install Osquery on every container, although you can. And we've seen that maybe I install it on the host, or maybe I'm using like kubequery on the container host to get more information about Kubernetes as a whole, I think people are realizing the need to have that telemetry. And just even just to see what's going on. The other part of this is with, you know, we talked about shadow IT before, if you have 100 Google Cloud accounts, and you're a big company, that is a nightmare to keep up with and figure out the billing and just where they're all at. So the other nice side effect of device management is not just security like, and especially if we're defining a device as a container, as abstract as that might be. We're giving you a way to see from like a legal and billing and privacy perspective, like where's our data flowing to? And what else do we have, and in what accounts?

Dr. Dave Chatterjee:

And then you know, another recommendation that is made in this report that "protect remote workers with zero trust, TLS and multifactor authentication." I'd like you to expand on this TLS, when you all suggest that move away from VPNs to granular proxies with TLS. Can you explain this?

Mike McNeill:

Yeah, I'll give you the real short version, as I understand it, but I'll point you towards this guy, Richard Stiennon has a good book. Can't remember the name of it now. But if you look him up on LinkedIn, I'm sure his book is there, where he goes, and he just interviews a bunch of IT security leaders about like, Hey, how are you dealing with this specific problem. And if I had to sum it up, it really comes back to it's used to be in the office, or you used to be on a network. And we have all this infrastructure we built up as a community to support that use case, like if you the idea is if you locked down that perimeter, you're just good. And then it kind of lets us not worry as much about this is similar. If you have a code repository, and you check in some secrets to it, if you expect that the code's never going to be public. It's like, well, worst thing is insider risk. Somebody takes the token causes some trouble, whatever. It's not that big of a risk. But I think a lot of people are reevaluating that whole idea in general, and especially once remote work became the unavoidable reality that we all lived with, you know, in the last few years. It's, it's 2022. Right now for context on 2020 everything changed and remote work had already been a long time coming. So how this all ties together with TLS is if I'm sitting in a Starbucks, right and I'm, I'm on my computer and I log into an HTTP website, even if it's just some little internal thing that no one thought would matter, maybe they didn't want to deal with Let's Encrypt, and I type in anything in plain text and send that in a request over the network. Anybody who's sitting there just by nature of how Wi-Fi or any of the link layer protocols work, like I can see those bytes flowing through the air. And I can grab those and I can borrow your plaintext password or your session ID for as long as I want. But TLS prevents that, right? It gives you a secure tube between your laptop and the place where you're headed, that no one can intercept except maybe the certificate authority.

Dr. Dave Chatterjee:

Interesting. What does TLS stand for?

Mike McNeill:

It's Transport Layer Security.

Dr. Dave Chatterjee:

Okay, there you go. Transport Layer Security. Fantastic. Let's start wrapping things up. It's been a great conversation. Great insights. I'd like to give you the opportunity to summarize things, share anything you'd like with the listeners, before we call it a day.

Mike McNeill:

Yeah, I think I would just for anyone that's struggling with device management out there, I think I would encourage you to really look at what you're doing right now from first principles. If you are pocketed and part of a big organization, look for ways to find portable formats and solutions that don't lock you in to a particular future, and that can work for other people in your company, even if they do have to use a different set of tools. And then lastly, I'd say whether or not you know anything about device management, or you're facing these problems, if you're someone who is interested in contributing to open source, Fleet is open source. And so is Osquery. We would love to anything you'd like to add, if you read our docs, it's all online on fleetdm.com. And you can hop on to GitHub and contribute to everything from Go backend source code to our React frontend to Osquery, which is written in C++, even all the way over to our company handbook, which is public and edits are welcome.

Dr. Dave Chatterjee:

Fantastic! Well, Mike, thanks again, for your time and insights. It's been a pleasure.

Mike McNeill:

Thanks Dave, it was fun!

Dr. Dave Chatterjee:

A special thanks to Mike McNeill for his time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also, subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.

About the Podcast

The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host

Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is a tenured professor in the Management Information Systems (MIS) department at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.