Episode 31
Preparing for the Future of Device Management
With the growing move towards a hybrid and remote work environment, more and more people are relying on their smart devices to get work done. Keeping track of all of these devices, and ensuring that they are being used in a very secure manner, can be a challenging proposition. A recent survey finds organizations unprepared and overwhelmed with managing thousands or hundreds of thousands of these endpoint devices. Mike McNeill, CEO, Fleet Device Management, sheds light on some of these critical security issues and addresses questions such as: How does an organization manage its devices? Do they know if their devices are compliant and secure? Do they have ways to query them to learn more about their status in real-time? Mike also offers recommendations on how to prepare for the future of device management.
Time Stamps
01:28 -- Share with the listeners some highlights of your professional journey.
02:11 -- Let's talk about the motivation for the study.
03:54 -- The study is fairly recent; it was started on February 25, 2022. It was conducted online via Pollfish using organic sampling. And when I look at the industries represented, it's pretty comprehensive. You all didn't leave out any sector. Am I correct?
04:52 -- Were you surprised by the survey findings relating to the state of device management?
06:48 -- Talking about managing the devices and keeping track of the devices, I read here that only a quarter of the sample population said that their devices are fully enrolled and upgraded. You know, that's worrisome. Why do you think organizations would allow that to happen?
07:54 -- So, if I'm understanding you correctly, the use of multiple operating systems and multiple platforms is part of the problem when it comes to tracking the devices, right?
08:33 -- Another finding that got my attention is that one of the best practices is to have a good Bring-Your-Own-Device (BYOD) policy. And to be more specific, 32% said, having a documented BYOD policy is a crucial best practice for their MDM (mobile device management) strategy. Can you expand on this?
09:57 -- BYOD, Bring Your Own devices, as an approach has its pros and cons. It was interesting to read that 32% of the respondents felt that having a documented BYOD policy is a crucial best practice for their MDM strategy. What are your thoughts?
11:49 -- Another best practice documented here is measuring point-in-time compliance across all devices. Share with the listeners what you mean by point-in-time compliance or real-time compliance across devices.
13:56 -- How feasible is it to try and automate the patching process and thereby remove the responsibility (of patching) from the users?
17:51 -- Another finding that I find interesting is that multi-factor authentication is becoming a top priority for 2022. The reason I find it interesting is I would assume that by now, multi-factor authentication would be a standard. I wonder why the delay in the adoption of a security mechanism that is universally accepted to be a very robust protective measure. What are your thoughts?
19:35 -- What were some unanticipated or unexpected findings?
20:59 -- I think the extent to which security and IT teams can work together and appreciate the significance of each other's work would make the development and implementation process more effective and efficient. What do you think?
23:12 -- What would you say to organizations interested in improving device management? How should they prepare themselves?
25:46 -- Going back to the report, where you're talking about preparing for the future of device management, you have several recommendations, one of which is to start managing containers. Can you expand on that?
28:21 -- Another recommendation in this report is to protect remote workers with zero trust, TLS, and multi-factor authentication. I'd like you to expand on this TLS when you suggest "move away from VPNs to granular proxies with TLS." Can you explain this?
30:38 -- Share some final thoughts with the listeners.
Memorable Mike McNeill Quotes
For endpoint security and risk management overall, you are starting to see more security engineers and security operations roles live in the IT department, and you're starting to see more IT engineering roles effectively taking on security challenges. And I think there's an argument to be made that in a couple of years, we're gonna see blended IT and security departments. So they will not be all that distinct anymore, other than the risk management aspect and crunching the numbers.
I think your success then comes down to, can we take inventory of what we have, and look at this from first principles, like, what are we trying to achieve here? We have a security posture we want to get to, we need to have an accurate inventory, and we need to make sure that we're collecting the right data that we can empower our security team with to like go run and build what they need themselves without having to go ask IT for more and more data every time.
If you are pocketed in and are part of a big organization, look for ways to find portable formats and solutions that don't lock you into a particular future, and that can work for other people in your company, even if they do have to use a different set of tools.
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Transcript
Introducer: Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of the book Cybersecurity Readiness: A Holistic and High-Performance Approach, a SAGE publication. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and workshops, consulted with companies and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia. As a Duke University Visiting Scholar, Dr. Chatterjee has taught in the Master of Engineering in Cybersecurity program at the Pratt School of Engineering.
Dr. Dave Chatterjee: Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast series. Our discussion today will revolve around the current state and future of endpoint security management. I'm thrilled to have Mike McNeill, CEO and cofounder, Fleet Device Management, as my guest today. And Mike will share his thoughts and perspectives, and also some very interesting findings from a study that his organization has conducted. So Mike, welcome.
Mike McNeill: Thanks for having me, Dave.
Dr. Dave Chatterjee: Hey, before we get into the details of the discussion, the study, let's talk about yourself a little bit. Share with the listeners some highlights of your professional journey.
Mike McNeill: Oh, yeah, so I got into Open Source in 2011-2012 or so, did a bunch of different packages over the course of my time in Open Source, but I built a framework called Sails.js for the Node.js community. And then more recently, I've teamed up with Zach Wasserman from the osquery project on his app called Fleet, which is an open source platform for collecting data from the devices and servers that you manage.
Dr. Dave Chatterjee: Okay, fantastic. So as I was reading the report on the state of device management, I found some of the findings to be quite concerning. But I'm not surprised. With the growing move towards a hybrid and remote work environment, you expect that more and more people will rely on their smart devices to get work done. Keeping track of all of these devices, and ensuring that they are being used in a very secure manner, can be a challenging proposition. So there are a lot of challenges that we're going to be talking about today. But let's first talk about the motivation for the study.
Mike McNeill: Yeah, so we in the Fleet, the company, right, because we're a company built around an open source project and community, we wanted to understand how is the problem of device management shaping up, right, because it's getting more and more complicated. You got all these different cloud accounts with your AWS servers and your GCP servers, which is Google Cloud Platform, and Azure, from Microsoft, and many other providers. Plus, you might even have some stuff on-prem (on-premise), you've got mobile devices, right, and maybe they are corporate issued or company issued, maybe they're your own personal device. And the same thing can be happening with laptops. And so in the transition that was going on, a big problem that we saw was people would end up with like a lot of different device management platforms. And we wanted to understand like, what are the actual underlying goals here? And how effective are people in this increasingly complicated environment at achieving these device management goals?
Dr. Dave Chatterjee: Excellent. And you all spoke, or you all sampled 205 members of professional security teams who are directly responsible for device management. The study is fairly recent; it was started on February 25, 2022. It was conducted online via Pollfish using organic sampling. And when I look at the industries represented, it's pretty comprehensive. Y'all didn't leave out any sector. Am I correct?
Mike McNeill: That's right. Yeah, we tried to go as broad as we could, so that we could get, there's a lot of fish farms, right? Have IoT devices like there's it's a much more complicated regulatory environment. But there's also a lot of medical devices out there. And we were mostly focused on kind of the corporate devices and the production devices like servers, or virtual servers or containers. But we did factor in some of the IoT stuff as well.
Dr. Dave Chatterjee: Good to know. Good to know. So let's get to some of the insights from the study. Let's begin at a high level by discussing the overall state of device management. Your survey finds that organizations are struggling to manage a large number of endpoints. A quarter of the respondents report having to manage 250,000 devices or more. And another quarter of respondents are in organizations with over 10,000 workstations. The respondents also said that devices in their organizations are at various stages of enrollment and upgrade. While some organizations report having enrolled nearly all devices in their MDM with the latest operating system, there are others where not even a quarter of the devices are enrolled and upgraded. This means many organizations don't know which devices are at risk. And that is very concerning. Does this finding surprise you?
Mike McNeill: Yes and no, right? Because qualitatively, we've been hearing for a long time, just from the contributors to the project, that we have so many different tools on the security side. And on the IT side, we have maybe a platform that manages our Macs and a different platform that manages our Windows, we knew there were some complications there. But it was pretty surprising just how much, how varied the issues were. It's not like people were the only thing wrong is, Hey, I can't collect my security data, right, from my devices. It's like, people are having issues across the board in effectively managing their computers. And that's true in every industry.
Dr. Dave Chatterjee: Interesting. Talking about managing the devices, keeping track of the devices, I read here that only a quarter of the sample population said that their devices are fully enrolled and upgraded. You know, that's worrisome. Why do you think organizations would allow that to happen?
Mike McNeill: So the organizations wake up, you know, it's not like they wake up in the morning, and it's, they look around, and they have this problem? And they got here overnight, right? It's, I think that you have, you always have even at a small company, maybe a few devices that are on, you know, Linux, Ubuntu laptops, or maybe you're mostly a Mac shop, and you have a couple of Windows PCs, maybe you have most of your infrastructure in AWS, but there's just one or two Google Cloud accounts. And I think what does happen is they start making exceptions, and then they look 12 months later, and it's sort of ballooned out of control, the problem. And then they started having to say, alright, we're gonna have to really invest some serious time and resources to figure out how to catch back up for our compliance purposes, or our security posture.
Dr. Dave Chatterjee: So if I'm understanding you correctly, the use of multiple operating systems, multiple platforms, that's part of the problem, right, when it comes to tracking the devices?
Mike McNeill: Absolutely, that and then shadow IT. So on the server side of the world, like you, maybe you have a large organization, and you want to have an enterprise agreement that says like, all of our cloud usage from Acme Inc, is gonna go to Microsoft, for example. But then there's some teams that end up just kind of creating individual Google Cloud accounts or individual AWS accounts, and those start to add up. And then before you know it, you've got a bunch of mystery servers that aren't tracked as part of your big strategy.
Dr. Dave Chatterjee: Interesting, you know, another finding that got my attention, where the report states, one of the best practices is to have a good Bring Your Own Device Policy. And to be more specific, 32% said, having a documented BYOD policy is a crucial best practice for their MDM strategy. And again, MDM stands for mobile device management. Can you expand on this?
Mike McNeill: Yeah, I mean, so if you're familiar with Aristotle's concept of like, the golden mean, right, there's one reality where you just say, hey, nobody can use their own device. Or if you do, you're gonna have to, like, enroll it, and all of your text messages are gonna belong to us. And like, all of your web browsing activity is going to belong to us, et cetera, that makes it really hard. It's a hard pill for employees to swallow. And then on the other side of the coin, you have what happens at a lot of companies where they started off and everybody kind of has their own laptop and before you know it, you're 100 people, before you know it, you're like 500 people, or maybe, you know, this happened recently with the supply chain issues. The Apple store in the US or in other countries where you're going through resellers, can't get you a laptop quickly enough. And so you're just having to say, you know what, it's been five weeks, like just go get one, Mike, go anywhere you can. And then maybe that person encrypts their hard disk using their personal iCloud password and before you know it, you don't have access to the hard disk.
Dr. Dave Chatterjee: Good to know. BYOD, Bring Your Own Devices, as an approach has its pros and cons. It was interesting to read that 32% of the respondents felt that having a documented BYOD policy is a crucial best practice for their MDM strategy. What are your thoughts?
Mike McNeill: So I think, especially when it comes to, I'll work back from BYOD. With BYOD, I think there is, it's kind of like time off policies, right? You can tell everyone at your company, here's the process you go through to take some time off, maybe you let your manager know, you put it in a calendar of some kind, and then you're good, right. But sometimes you get sick or an emergency happens. And you have to go around the process. And I think organizations are realizing that they have to have a way to support that, and then catch back up, while also still kind of having their best practice standard process for getting devices enrolled. And I think that's kind of true across the board with shadow IT as well. Folks are realizing that people are going to have cloud accounts. Sometimes when you need to get something done, people just go get it done, right. And they sign up for the account without going through procurement, or they go and buy their own. Maybe they go buy their own laptop, right, outside of, maybe the marketing team uses their budget instead of using the IT team's budget. I think it's kind of having a dual strategy for like, what do we do in the standard case? And then what do we do when there's an exception. And as far as the platforms, I think we're seeing a lot more convergence, people are spending a lot of time building custom scripts trying to extract data from their MDM platform. And then they're having to go redo that same work for their other platforms, right, or for the way they deploy things to their servers. And it's just, it takes too much time.
Dr. Dave Chatterjee: Wow! Complicated. Moving on to another best practice documented here, which talks about measuring point-in-time compliance across all devices. Share with the listeners, what do you all mean by point-in-time compliance, or real-time compliance across devices.
Mike McNeill: So the, I'll use an example from, let's say you start a company, right, and you're like, I'm going to go sell to, you know, I don't know, Bloomberg, right. And they look at your awesome product that you have, it probably has a website where they log in and has some servers that are powering that product. Well, one of the things they're gonna want you to do, if you're hosting the product for them, is go through in the US, usually a SOC2 compliance. And Europe, it's more easily ISO 27001 compliance. And that can vary for different organizations and use cases. But those are the most common. So a lot of companies find themselves dealing with that first, really just to be able to sell effectively. So that usually is a one time thing. And then you're kind of good for, you're good for a while, right, and good for a year or two, there's a lot of different flavors that get you different levels of compliance. But at a certain point, when you get big enough, and these days, it's actually trickling down to smaller and smaller organizations, you start to actually have a need to make sure that your security posture is kind of next level, right? Like you're getting real phishing attempts, like every single day, you're actually getting compromises happening across your fleet. And then that's where the point-in-time compliance becomes bigger than just, you know, not only can I prove to the auditors that on this particular day, I was either compliant or I wasn't, which oftentimes, you know, the reality is that people aren't, right, in the middle between these audits, there's gaps, because there's always going to be exceptions. But point-in-time compliance is also like a lot more valuable for the fact that it doesn't have to be a compliance standard that's general across the industry, it could just be that, hey, we decided that nobody should have their one recovery kits sitting on their desktop, you can enforce that, right? So why not turn on an alert that goes off and lets that person know, so they can like remediate the problem? Or get IT involved to help them out.
Dr. Dave Chatterjee: Yep. In fact, vulnerability management is the number one focus area. As I talk to subject matter experts on this show, one particular expert emphasized that if he had to select one area where a lot of attention needs to be paid, and that is vulnerability management, making sure your devices are all patched up. And so when I'm thinking about enforcing that across the board, given the different types of devices, the different operating systems, and then people using their own devices, from a technical standpoint, Mike, how feasible is it to try to automate the process and take the action, the action of updating, you know, patches away from the user, and I will admit that I'm one of those people, when I see an update, update alert, I don't right away do it. I'm lazy about it, but that is not a good practice. And so how do you ensure that people like me don't engage in that, if I may.
Mike McNeill: Well, pretty, so it's, uh, I'd say there's two, there's actually two pieces to this. There's the operating system patching. Yeah, yeah, a lot more invasive, it's a total takedown of your system, right. And that's where I think, that's actually where companies want to start a lot of times, because that's where it's very easy to report on generally. I mean, again, you might be pulling from multiple different tools, if you don't have a cross-platform device management solution. But you are being, it's just one data point, right? You can say like, how many people are up to the latest operating system for Mac, for Windows, and there's actually a tool called Nudge that his, I'm actually sometimes, Dave, can end up being just like you. One thing that's consistently gotten me to update my OS in a timely fashion is Nudge popping up its window, it's open source, it's free, it's by this guy, Erik Gomez, it pops up a window that you can't close. And you'd have to explicitly tell it, do I want to defer this later, for like, three hours or so or tomorrow, and it only lets you do that, I think, a handful of times, whatever Apple has built in, you know, it talks about only letting me do it a certain number of times, but for whatever reason, it didn't work, but Nudge was how we solved that problem at Fleet even just for our small team, you know, 30 to 40 folks. On the other side, though, for patching software packages, way more complicated problem space. And also because historically, you know, we were all in the world of IT, people were hooked up to physical desktop computers on a network, or companies that would send people off into the wild would have VPNs. And a lot of companies still do a VPN. So a lot of the infrastructure was really built around this idea of network scanners, where it sits on your network, and it kind of sniffs out all the devices and whether they have any vulnerabilities. But that's a lot less detailed information you can get if you actually have an agent installed on the computer, whether that's a server or a laptop. So that's actually something we've dug into a lot with the Fleet project, is trying to understand what can we add, we already have an agent on the system, because we're with osquery, right? Monitoring, telemetry about the actions, the usage of the device, anything that might be suspicious. So if we can use that to grab the software inventory, what we learned, well, you know, could we automate this, right? And we learned that a lot of companies are already consuming vulnerability feeds. So they'll get the CVEs (Common Vulnerabilities and Exposures), which represent like a vulnerability in a piece of software, come in, and they'll have analysts that either with scripts or by hand, match up those CVEs to actual software that's installed, whether that's like a Chrome extension, or a package running on a server, or an app like Figma. And that can definitely be automated. And that's actually something we built into Fleet. It's one of the free features of the product.
Dr. Dave Chatterjee: Okay, you know, another finding that I find interesting is multifactor authentication becoming a top priority for 2022. The reason I find it interesting is I would assume that by now, multifactor authentication would be a standard. So I get a sense that several of the folks who were sampled, in their organization, they were still moving in that direction, they were not quite there yet. And that's when again, I wonder why the delay in adoption of a security mechanism that is universally accepted to be a very robust protective measure. What are your thoughts?
Mike McNeill: If you've ever played racquetball and you've gone into the gym, and you look at the courts, and you see how many of these people are wearing goggles, right? I'm not wearing the goggles, right? I mean, and there's a, I think a lot of people just, anytime when you ask them to do something that isn't in their immediate right now interest, it can be really hard to motivate people to do that, because we just don't think that way as humans. So that's, I think the psychology is a big factor. But on the other side, vendors, right, they've had to learn to love MFA. I think it's really easy to deprioritize security features like this, especially ones that involve extra UI, and you know, your product managers, like, ah, customers are going to have bad experiences getting into the product. Like we don't want to do that. Right. And so it is, I think it was a hard thing to prioritize for a lot of companies until they realize that it helps prevent account sharing. And so I think we've seen a lot more MFA take off from the vendor side, as companies realize, hey, this is a way we can actually make more money because we can get people to prove that they are who they say they are, and therefore, you know, it's not two people sharing the same account.
Dr. Dave Chatterjee: Okay, that's a good point. So what were some of the things that you found in the report that got your attention? I mean, I would like to call it, say, unanticipated or unexpected findings. What would that be?
Mike McNeill: Well, one thing we saw, we actually did a report or we did a separate, we asked the same question, right, but to IT respondents, and it was interesting to see how the IT and security respondents answered differently. Right? To see on the security side, folks were far more interested in like, enforcing that the configuration of the operating system is secure and appropriate, versus on the IT side, like a lot of the challenge, like, Yeah, that's great. My security team's asking me to do that. But the challenges were a lot more diverse. The IT side was a lot more aware of how long it took to roll out an MDM. I think they actually said it took three months longer on average than the security respondents did, probably because the security folks saw it three months in and in the process, and I think the IT folks were more exposed to the actual nitty gritty of the migration. And then the other thing was just how much more aware that the IT side of the house was about the challenges of enrollment and trying to hit your enrollment goals. And some of the pushback that the employees gave when they don't necessarily want their devices to have to be under management or monitored.
Dr. Dave Chatterjee:You bring up this, this apparent
Dr. Dave Chatterjee:disconnect between the security team and the IT team, and a lot
Dr. Dave Chatterjee:has been written about it, and a lot will be. A fundamental
Dr. Dave Chatterjee:question that does always come to my mind is why don't
Dr. Dave Chatterjee:organizations get these people, these teams to work in tandem,
Dr. Dave Chatterjee:work together, so that can facilitate implementations? Like
Dr. Dave Chatterjee:when I'm reading this report, I see one of the challenges is
Dr. Dave Chatterjee:effective implementation of MDM tools and platforms. And though
Dr. Dave Chatterjee:this was not explicitly mentioned, as a potential
Dr. Dave Chatterjee:success factor, I'm going to put it out there that I think the
Dr. Dave Chatterjee:extent to which security and IT teams can work together and
Dr. Dave Chatterjee:appreciate the significance of what is being done that, would
Dr. Dave Chatterjee:speed up matters. What do you think?
Mike McNeill:I think anytime when you have different
Mike McNeill:organizations, departments, teams that have to have an
Mike McNeill:interface point, and this is true in software, too, right? If
Mike McNeill:you've ever worked with microservices, you know, what it
Mike McNeill:can be like. There starts to have to be a lot more things you
Mike McNeill:layer on right to be able to make sure that that interface
Mike McNeill:point is successful, maybe you have like an intake process so
Mike McNeill:that the IT team can take requests from security, because
Mike McNeill:they're getting asked things from a lot of different
Mike McNeill:stakeholders. And so I think it can be successful with a lot of
Mike McNeill:work. But it also is seeming like more and more that
Mike McNeill:security, you know, on the Appsec side, application
Mike McNeill:security, there's a shift left idea where security is actually
Mike McNeill:infiltrating into the actual software engineering
Mike McNeill:organization and making sure that it's like it's like a
Mike McNeill:DevOps stage, right? It's, and you could actually make the same
Mike McNeill:argument about design, right, and how as becoming a DevOps
Mike McNeill:stage for user interfaces, but for the other part is security
Mike McNeill:for kind of endpoint security and risk management overall,
Mike McNeill:it's starting to you start to see more security engineers and
Mike McNeill:security operations roles, live in the IT department, and you're
Mike McNeill:starting to see more IT engineering roles, effectively
Mike McNeill:taking on security challenges. And I think that there's an
Mike McNeill:argument to be made that in a couple of years, we're gonna see
Mike McNeill:blended IT and security departments. So they're not
Mike McNeill:going to be all that distinct anymore, other than the risk
Mike McNeill:management aspect and actually crunching the numbers.
Dr. Dave Chatterjee:That is very encouraging. I think that's
Dr. Dave Chatterjee:the first thing I've heard that makes me very optimistic. It
Dr. Dave Chatterjee:should have happened a long time back that, but now that you're
Dr. Dave Chatterjee:mentioning that, that things are moving in that direction about a
Dr. Dave Chatterjee:blended IT and security department, that sounds awesome.
Dr. Dave Chatterjee:Moving along those lines in terms of facilitating
Dr. Dave Chatterjee:compliance, facilitating implementation, based on your
Dr. Dave Chatterjee:experience, what makes a company better prepared in device
Dr. Dave Chatterjee:management? What are some factors, technical, managerial
Dr. Dave Chatterjee:that because you will appreciate or agree that there can be a lot
Dr. Dave Chatterjee:of tools out there, and let's say Tool A is highly popular,
Dr. Dave Chatterjee:highly effective, but it may not be effective for an organization
Dr. Dave Chatterjee:that's not ready for that tool, because there is that
Dr. Dave Chatterjee:people-process-technology alignment, that is very
Dr. Dave Chatterjee:important to make sure that you realize you get the most out of
Dr. Dave Chatterjee:these platforms and tools. So what would you say to
Dr. Dave Chatterjee:organizations who are interested to get better at device
Dr. Dave Chatterjee:management? How should they prepare themselves?
Mike McNeill:Well, I'll say it depends, but I'll
Mike McNeill:give you a better answer than that. But I would say the first
Mike McNeill:thing I would do is ask myself, how big are we right? How do we
Mike McNeill:currently do IT? Is it still part of the engineering
Mike McNeill:organization? Because if so, then you know, you're going
Mike McNeill:to have this tendency if you bring on any security focus is
Mike McNeill:now going to be split between applications security and making
Mike McNeill:sure your code is safe, and actually looking at your own
Mike McNeill:internal needs. So I think I would look towards where your IT
Mike McNeill:is now. Like, how do your laptops get ordered? How do you
Mike McNeill:keep track of you know, if you're doing anything for like,
Mike McNeill:warranty expiration, or how do we recycle laptops, what's our
Mike McNeill:offboarding process look like? And whether that's, you know, a
Mike McNeill:wiki page somewhere or like a checklist and an issue or
Mike McNeill:something, I think jumping off from those human processes, and
Mike McNeill:then saying, okay, who's going to own this? And what kind of
Mike McNeill:framework are they going to use to solve the entire problem? You
Mike McNeill:know, if you have a team of 30 people already in your security
Mike McNeill:department, well, it's going to be a lot more complicated for
Mike McNeill:you, because you've probably already bought a lot of
Mike McNeill:different tools. So I think your success really then comes down
Mike McNeill:to, can we take inventory of what we have, and really look at
Mike McNeill:this from first principles? Like, what are we really trying
Mike McNeill:to achieve? Here, we have a security posture we want to get
Mike McNeill:to, we need to have an accurate inventory. And we need to make
Mike McNeill:sure that we're collecting the right data that we can empower
Mike McNeill:our security team with to like go run and build what they need
Mike McNeill:themselves without having to go ask IT for more and more data
Mike McNeill:every time,
Dr. Dave Chatterjee:You know, you're spot on. And that's part
Dr. Dave Chatterjee:of, you know, comprehensive planning. Unless you know what
Dr. Dave Chatterjee:you have that needs to be secured, you really can't
Dr. Dave Chatterjee:make progress. But then as we were discussing, the way
Dr. Dave Chatterjee:companies are today, highly distributed with a lot of remote
Dr. Dave Chatterjee:operations, that can be a huge challenge is just to keep track
Dr. Dave Chatterjee:of who's using what and whether it's their personal device, or
Dr. Dave Chatterjee:it's an organizational device. So once again, going back to the
Dr. Dave Chatterjee:report, where you all talk about preparing for the future of
Dr. Dave Chatterjee:device management, and you have several recommendations, one of
Dr. Dave Chatterjee:which is "start managing containers." Can you expand on
Dr. Dave Chatterjee:that?
Mike McNeill:Yeah, so today, you know, more and more
Mike McNeill:companies are moving from, let's say, look, 20 years back, right,
Mike McNeill:like you would have a server in a closet somewhere, right, or in
Mike McNeill:a data center, then we moved to the cloud, and you have a
Mike McNeill:virtual pretend server that's living in AWS, like somewhere
Mike McNeill:in their data centers. And then with containers, you
Mike McNeill:know, we're able to basically let anybody run their own cloud,
Mike McNeill:effectively, on a container host, whether it's Kubernetes
Mike McNeill:and using Docker, whatever it is, and I think a lot of people
Mike McNeill:assume that because my container image is secure, and because the
Mike McNeill:life of my container is short, the risk is relatively low. And
Mike McNeill:it is right compared to something that's running for
Mike McNeill:weeks and weeks, you know, what's the worst that's gonna
Mike McNeill:happen, somebody can compromise it for a few minutes. But there
Mike McNeill:are some sticky issues that can still come out of that. And as
Mike McNeill:the reality of what's possible changes, you know, attackers are
Mike McNeill:going to learn to make the most of what they got right to get,
Mike McNeill:get what they want. Exactly. And so if that means your script has
Mike McNeill:to run faster to do an attack, then it will. So I think a lot
Mike McNeill:of companies are looking at moving to can we monitor each
Mike McNeill:container, maybe we don't install Osquery on every
Mike McNeill:container, although you can. And we've seen that maybe I install
Mike McNeill:it on the host, or maybe I'm using like Kubequery on the
Mike McNeill:container host to get more information about Kubernetes as
Mike McNeill:a whole, I think people are realizing the need to have that
Mike McNeill:telemetry. And just even just to see what's going on. The other
Mike McNeill:part of this is with, you know, we talked about shadow IT
Mike McNeill:before, if you have 100 Google Cloud accounts, and you're a big
Mike McNeill:company, that is a nightmare to keep up with and figure out the
Mike McNeill:billing and just where they're all at. So the other nice side
Mike McNeill:effect of device management is not just security like, and
Mike McNeill:especially if we're defining a device as a container, as
Mike McNeill:abstract as that might be. We're giving you a way to see from
Mike McNeill:like a legal and billing and privacy perspective, like
Mike McNeill:where's our data flowing to? And what else do we have, and in
Mike McNeill:what accounts?
Dr. Dave Chatterjee:And then you know, another recommendation
Dr. Dave Chatterjee:that is made in this report that "protect remote workers
Dr. Dave Chatterjee:with zero trust, TLS and multifactor authentication." I'd
Dr. Dave Chatterjee:like you to expand on this TLS, when you all suggest that
Dr. Dave Chatterjee:move away from VPNs to granular proxies with TLS. Can you
Dr. Dave Chatterjee:explain this?
Mike McNeill:Yeah, I'll give you the real short version, as I
Mike McNeill:understand it, but I'll point you towards this guy, Richard
Mike McNeill:Stiennon has a good book. Can't remember the name of it now. But
Mike McNeill:if you look him up on LinkedIn, I'm sure his book is
Mike McNeill:there, where he goes, and he just interviews a bunch of IT
Mike McNeill:security leaders about like, Hey, how are you dealing with
Mike McNeill:this specific problem. And if I had to sum it up, it really
Mike McNeill:comes back to it's used to be in the office, or you used to be on
Mike McNeill:a network. And we have all this infrastructure we built up as a
Mike McNeill:community to support that use case, like if you the idea is if
Mike McNeill:you locked down that perimeter, you're just good. And then it
Mike McNeill:kind of lets us not worry as much about this is similar. If
Mike McNeill:you have a code repository, and you check in some secrets to it,
Mike McNeill:if you expect that the code's never going to be public. It's
Mike McNeill:like, well, worst thing is insider risk. Somebody takes the
Mike McNeill:token causes some trouble, whatever. It's not that big of a
Mike McNeill:risk. But I think a lot of people are reevaluating that
Mike McNeill:whole idea in general, and especially once remote work
Mike McNeill:became the unavoidable reality that we all lived with, you
Mike McNeill:know, in the last few years. It's 2022 right now, for
Mike McNeill:context. In 2020 everything changed and remote work had
Mike McNeill:already been a long time coming. So how this all ties together
Mike McNeill:with TLS is if I'm sitting in a Starbucks, right and I'm, I'm on
Mike McNeill:my computer and I log into an HTTP website, even if it's just
Mike McNeill:some little internal thing that no one thought would matter,
Mike McNeill:maybe they didn't want to deal with Let's Encrypt, and I type
Mike McNeill:in anything in plain text and send that in at a request over
Mike McNeill:the network. Anybody who's sitting there just by nature of
Mike McNeill:how Wi-Fi or any of the link layer protocols work, like I can
Mike McNeill:see those bytes flowing through the air. And I can grab those
Mike McNeill:and I can borrow your plaintext password or your session ID for
Mike McNeill:as long as I want. But TLS prevents that, right? It gives
Mike McNeill:you a secure tube between your laptop and the place where
Mike McNeill:you're headed, that no one can intercept except maybe the
Mike McNeill:certificate authority.
Dr. Dave Chatterjee:Interesting. What does TLS stand for?
Mike McNeill:It's Transport Layer Security.
Dr. Dave Chatterjee:Okay, there you go. Transport Layer
Dr. Dave Chatterjee:Security. Fantastic. Let's start wrapping things up. It's been a
Dr. Dave Chatterjee:great conversation. Great insights. I'd like to give you
Dr. Dave Chatterjee:the opportunity to summarize things, share anything you'd
Dr. Dave Chatterjee:like with the listeners, before we call it a day.
Mike McNeill:Yeah, I think I would just for anyone that's
Mike McNeill:struggling with device management out there, I think I
Mike McNeill:would encourage you to really look at what you're doing right
Mike McNeill:now from first principles. If you are pocketed and part of
Mike McNeill:a big organization, look for ways to find portable formats
Mike McNeill:and solutions that don't lock you in, to a particular future,
Mike McNeill:and that can work for other people in your company, even if
Mike McNeill:they do have to use a different set of tools. And then lastly,
Mike McNeill:I'd say whether or not you know anything about device
Mike McNeill:management, or you're facing these problems, if you're
Mike McNeill:someone who is interested in contributing to open source,
Mike McNeill:Fleet is open source. And so is Osquery. We would love to
Mike McNeill:anything you'd like to add, if you read our docs, it's all
Mike McNeill:online on fleetdm.com. And you can hop on to GitHub and
Mike McNeill:contribute to everything from Go backend source code to our React
Mike McNeill:frontend to Osquery, which is written in C++, even all the way
Mike McNeill:over to our company handbook, which is public and edits are
Mike McNeill:welcome.
Dr. Dave Chatterjee:Fantastic! Well, Mike, thanks again, for
Dr. Dave Chatterjee:your time and insights. It's been a pleasure.
Mike McNeill:Thanks Dave, it was fun!
Dr. Dave Chatterjee:A special thanks to Mike McNeill for his
Dr. Dave Chatterjee:time and insights. If you liked what you heard, please leave the
Dr. Dave Chatterjee:podcast a rating and share it with your network. Also,
Dr. Dave Chatterjee:subscribe to the show, so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as-is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.