The Emerging Role of SASE and the Cloud

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 167 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

As many organizations accelerate their move to the cloud — thanks in no small part to the global pandemic and the shift to working from home — the adoption of SASE protocols is proving attractive. SASE stands for Secure Access Service Edge, but as with most of these technologies, there’s more to it than that.

Joining us this week to help our understanding of SASE is John Peterson, chief product officer at Ericom Software. We discuss the motivations for the industry’s move toward SASE, the potential pros and cons, as well as what kinds of businesses it is best suited for. In addition, John shares his views on leadership and what he looks for when hiring members of his team.

John Peterson:

I started my career in the United States Marine Corps. I started off as an aviation electronics engineer, and after my tour of duty in the Marine Corps, I got out and got into high tech, started a job at a company called USRobotics back in the early nineties. And at USRobotics, I had a number of different roles. Started off in engineering as an applications engineer and then turned sales engineer. I did that for a number of years and then the company was acquired by 3Com. I continued on with 3Com after the acquisition. After that, I ended up moving out to Silicon Valley to work for Cisco Systems and ran a sales engineering team at Cisco Systems. And that portion of my career, I was really on the networking side of the house, working on routers and switches and access systems like that.

And then I left Cisco and became a cybersecurity guy and went to a startup company called NetScreen. NetScreen was a firewall company and the company went IPO about 2001 and the company skyrocketed and I was in charge of the global sales engineering organization. I grew my team from about two people to about 120 people in four years’ time. And then Juniper acquired the company for $4.2 billion and I left after that and went on to Fortinet where I was the vice president of product management at Fortinet, another well known cybersecurity company out here in the Valley. And I did that for a number of years and have been on the cybersecurity track ever since then. Other roles I've had since then were Barracuda Networks — I was vice president and general manager there. Comodo — helped start a company called Stellar Cyber. So on and so forth, and here I am at Ericom as the chief product officer.

Dave Bittner:

And so give us some insights, what is your day-to-day like these days? What sort of things fill your time?

John Peterson:

I'm spending most of my time really focused on product strategy. Analyzing the market, identifying the trends, and identifying problems. Then taking those problems that I find and really trying to figure out solutions for those problems and then map it to our product roadmap. That's my day-to-day, along with doing a little bit of software developing. I still keep my hands on the keyboard and prototype things and build new technology and bring it to market.

Dave Bittner:

How would you describe your management style?

John Peterson:

I lead by example. I think that comes from my days in the Marine Corps. As far as how I manage, it's really showing people that are underneath me how I do things, and learning and working together collectively. I'm a very collaborative type of person. But yeah, I think lead by example is probably the best way that sums up how we operate.

Dave Bittner:

We want to touch on this notion of SASE and how that applies to things like zero trust. Can we start with just some basics here for folks who might not be familiar with it — can you describe to us what is SASE?

John Peterson:

Yeah, so SASE — it stands for Secure Access Service Edge, and it's an emerging concept I think that Gartner put out into the market about a year or so ago, and it's really about moving the network security stack to the cloud. When you think about what a network security stack is, it's a combination of things that include firewalls and secure web gateways and VPN type of technology, software defined perimeter, remote browser isolation, the things that you used to have in your organization on premise, all of those things, that entire security stack is now migrating to the cloud. When that occurs, users of this new security stack that's residing in the cloud have better scalability, better security, better control. There's a lot of larger corporations that are starting to put these security stacks together and offer SASE type services.

If I were to go back in time, I remember when there was an appliance for every one of those things that I just described — a firewall appliance, a secure web gateway appliance, a VPN appliance. And then during my Fortinet days, I saw that consolidation occur into what was called a UTM — unified threat management — where all those different technologies, instead of being separate appliances, they consolidated it into a single appliance, an all-in-one appliance. What's now happening is that same concept of consolidation is occurring, but it's not an appliance anymore, it's all moving to a cloud and consolidated into a single cloud.

Dave Bittner:

Are there any limitations there? Are there any shortcomings to moving to SASE?

John Peterson:

Yeah. Some will argue that they really want best of breed and they will argue that you can't really get best of breed when you select one single cloud provider to offer all of those services. Some organizations will see that as a weakness and say, "Well, I want this part of the security stack provided by vendor X and a different part of the security stack offered by vendor Y," so that they can build a best of breed approach. That, I think, is probably one of the biggest limitations to doing it.

Dave Bittner:

And what are some of the major benefits then?

John Peterson:

Well, the benefits are that you don't have to go out and purchase all of these different appliances and then try to deploy them everywhere you have offices. It's all centrally located and in the cloud, so it reduces your deployment footprint significantly. And the administration of all of those things starts to get a lot easier because the cloud provider is doing a lot of that work for you, updates and things like that. I think huge benefits come from that.

I think one of the things that was very telling is when COVID-19 hit, a lot of organizations scrambled to figure out how to get their employees working remotely better. If they were using the appliance approach, their appliances weren't necessarily big enough to handle the load that they were now being tasked with or put on them. Before they might've had a 100 users connecting to the VPN, and now it's 1,000 users connecting to the VPN to get remote access to the network. If they had deployed a SASE solution, it's just really a matter of dialing up more capacity from the SASE cloud provider then dialing it down once they don't need it anymore.

Dave Bittner:

Are there particular sizes of organizations that this is best suited for?

John Peterson:

Yeah, I think SASE really works for organizations of any size. I can envision having a small organization like a law firm that may have 10 or 20 people in the organization, but there's a high degree of need for security because of the data that they're keeping. On the small side, it's definitely useful there primarily because small organizations don't have the IT and security staff to manage all of this stuff. If you could deliver that by way of a cloud solution, it makes their life a lot easier. But then on the other extreme, the largest of large organizations can benefit from it too, because those organizations are constantly scaling up and down and growing. And it's really hard to maintain appliances, buying new ones and upgrading them and redeploying them and all of that stuff. I think it really is a beneficial concept for all organizations.

Dave Bittner:

Now, in terms of it being able to coexist with zero trust, what's the status of things there?

John Peterson:

Yeah. I think SASE has to come with zero trust. Zero trust is another new trend that's happening right now. And a lot of the technologies that are in the security stack for SASE need to be zero trust. Zero trust has been a concept that's been around for a number of years and it's starting to regain popularity. The challenge, I think, of zero trust from say 10 years ago, was the difficulty in deploying zero trust. With SASE now on the horizon, I think SASE makes it easier to deploy zero trust. What zero trust is all about is making sure that users don't have access to things that they don't need access to. It's all about isolation. Isolating the users from the applications that they are allowed or not allowed access to.

If I think about some of those technologies in the security stack for SASE like remote browser isolation — remote browser isolation is a technology that's all about zero trust. It says isolate the web from the end device. Let the local browser talk to a remote browser in the cloud and let that remote browser in the cloud do the browsing on behalf of the user. You're isolating web content which could be malicious and you're doing it via the cloud. Another zero trust technology that's in the SASE stack is something called SDP — software defined perimeter. It's a zero trust way of getting remote access to applications. It's the next generation of VPN, if you will, but done in a zero trust way.

Dave Bittner:

I want to switch gears a little bit and talk to you about your take on threat intelligence and where you think it fits into an organization's defenses.

John Peterson:

Yeah, threat intelligence is also very important. The threat landscape is constantly changing, therefore you have to have a constant way of building a threat intelligence database. And what a threat intelligence database looks like is a database that collects and keeps track of malicious URLs, malicious websites, or malicious files and maybe there's some sort of new ransomware or virus that's out there. There needs to be a database or collection of those things, malicious URLs, malicious files, malicious IP addresses, known bad actors on the internet. And that is constantly changing.

There are solutions out there in the market where you can actually buy threat intelligence feeds and then push those feeds into products like endpoint security devices so that they're keeping track of viruses and malware or secure web gateways that are keeping track of known bad sites, as well as known good sites. But it is very important. All organizations need to have some sort of threat intelligence feed that's constantly being updated as a part of their security stack, whether they're getting it from a SASE architecture or getting it from on-premise appliance devices.

Dave Bittner:

Do you have recommendations or tips for organizations that are looking to get started with threat intelligence, to dial it in? What's the best way to get going?

John Peterson:

Yeah. There's a lot of community threat intelligence feeds that are out there that are free. At a minimum, organizations should try to leverage those things. It is very easy to do, is to go grab those feeds. But then there's also commercial offerings that come by way of the products that organizations are buying. Like I said, you might have a web filtering or secure web gateway device in your organization and those products are only as good as the threat intelligence data that's coming into them.

If you have a secure web gateway, for example, in your organization but the threat intelligence database hasn't been updated in a year or two, then you're not really that secure because the threat landscape has significantly changed in the course of a year. Really to get started is to again, try to either purchase something commercial, or if an organization can't afford to do that at the time, to go out there and grab some of the community free threat intelligence feeds that are out there.

Dave Bittner:

I'm interested in your experience in the Marine Corps. A lot of the folks that I speak to say that they got a lot out of their military experience. That it's really been valuable, time well spent when they look back on it, that they learned a lot of lessons that they've taken with him through their lives. Is that the case for you?

John Peterson:

Oh absolutely. In the military it's security, but a different type of security is what I did. I wasn't necessarily on the cybersecurity side, but when I think about security in general, it's really about stopping the bad guys and understanding the environment. And then once you understand the environment, you can start to build policy and procedure and models to combat the threat landscape.

Absolutely a lot of training in the military, a lot of discipline I gained from the military and just a lot of understanding of how to secure things, how to set up a perimeter around things that you're trying to protect, be it physical things, or be it data assets. A lot of my colleagues are also prior military people as well. And for some reason, a lot of us gravitated to the cybersecurity industry, probably for that very reason that we're just used to that way of thinking.

Dave Bittner:

What do you look for when you're hiring someone? What sort of experiences are important to you and what sort of things don't matter so much?

John Peterson:

Yeah, experience-wise, there's two things I look for. I think I look for experience, so do they have the relevant skillset for what I'm trying to do? But probably more important than experience is attitude. I look for that first. I look for individuals that have passion, that have drive, that have a can do attitude, that are problem solvers. You give someone a task and if they don't understand how to solve it right there, at least if they have the right attitude and ability to learn, they can solve many problems. And it's one of the other things I gained from my time in the military is problem solving. Personality traits is also something I look for — can they coexist and operate in a team environment? I look for people that are team-oriented that are very collaborative versus individuals.

But then back on the skillset side, looking for people that have been in the cybersecurity space for a bit, that may have certifications, there's a number of different certifications in the cybersecurity industry. Those things are also very important to me. And then when you sum it all up, it's really about finding the person with the right attitude, the right skillset and passion and drive.

Dave Bittner:

What are your recommendations for folks who are looking to get started in the industry or maybe switching career paths, maybe someone who's a little bit older? Do you have any recommendations for them?

John Peterson:

Yes. I would suggest that people go off and prepare to get the certification in cybersecurity. One of them is a CISSP certification. There's also something called the SANS Institute. There's a lot of places you can go online and study and learn. It's really hard to find people that have the skillset to be in the cybersecurity industry, because a lot of the stuff is not taught in college. A lot of the stuff is taught through organizations like SANS and things like that. That's the first place I would direct people to start. You might be able to get a basic understanding of technology in college, but the cybersecurity industry is changing so rapidly and there's new types of threats every day. The best way to stay on top of that is to align to some of these organizations that are out there, like SANS.

Dave Bittner:

Where do you suppose we're going? When you look at things like SASE, when you look at things like zero trust, these things that are the current trends, where do you think we're headed? What does the future look like to you?

John Peterson:

Well, it's definitely headed to the cloud for sure. We saw applications go to the cloud and it just makes sense for security to go to the cloud as well. That trend is happening very, very rapidly. I think we'll continue to see more cloud services than on-premise type of products.

I think that the endpoint constantly needs to be protected. The endpoint security is going to continue to evolve. Gone are the days where you just had some antivirus software on your endpoint, that endpoint software is going to become more intelligent over time and start tracking things that are anomalous. And we'll start to see more utilization of technologies like artificial intelligence and machine learning. The old way of having static detection and lists of known bad things and known good things is going away because the known bad is happening so rapidly that security researchers can't even keep up.

Artificial intelligence and machine learning is going to continue to be a trend to help identify things that are anomalous and malicious. When you sum it all up, it's really the cloud and machine learning and AI and better visibility into who's accessing what and when and from where. It'll be an interesting coming years, I guess, when it comes to cybersecurity.

Like I said, I guess I would guide the audience here to really start to take a look at SASE and understand the components of it. When you hear SASE, it's one word, but it really means a number of different things because it's about the different components in the SASE stack that are important. And I would guide people to look for SASE providers that have best of breed components in that stack.

Remote browser isolation is a very, very difficult thing to do just because it's in the stack and there's a checkbox that says that it's there doesn't necessarily mean that it's the best technology. When you sign up for SASE, you really, really have to dig in a little bit deeper, double click on that SASE component and see all the different things in the stack, and then start doing proof of concepts on the individual components in the stack. Be it secure web gateway, remote browser isolation, software defined perimeter, firewall, et cetera. It's really important to take a look at all of the pieces individually.

Dave Bittner:

Is there any standardization so that if someone says we're offering a SASE solution, you could compare it between vendors? Or is there enough variability that folks really need to take a closer look?

John Peterson:

I think there should be some standardization. To my knowledge, there hasn't been any yet because it's still fairly new. There should be some standard way, I guess, that organizations can measure and judge and grade the viability of each component. But I don't think there's one yet at this point.

Dave Bittner:

Our thanks to John Peterson from Ericom for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.