Podcast-Ep-2.1- ML, Automation & ShiftLeft at CapitalOne — A conversation with Vincent Weafer

Podcast-Ep-2.1- ML, Automation & ShiftLeft at CapitalOne — A conversation with Vincent Weafer

Vincent Weafer, SVP Security Engineering at Capital One in a conversation with Alok Shukla, VP Product Management at ShiftLeft and host of this podcast.

Vincent and Alok converse on a range of topics — security engineering and #shiftleft of security, security quality automation, machine learning success/failures, Vincent’s predictions and his asks from new security startups.

Vincent in his current role at Capital One, oversees the entire security engineering function. Prior to Capital One, Vincent spent 24 years in security research leading the function at two formidable security players — Symantec and McAfee.

Podcast transcript

Automation has been rather one of the largest business phenomena driving a large part of the industrial process over the last decade in the United States.In the IT sector itself, automation of regular repetitive tasks, something exemplified by business models of Amazon, Azure and GCP, has resulted in significant gains of productivity.

However, this desire for automation also changes the nature of jobs significantly. So, now in modern corporations, rather than regular repetitive tasks, one is expected to either implement or take advantage by the gain of productivity. That requires a much higher skilled talent to be employed at both sides of the vendor/customer equation.

In the field of security, at-least at the onset of this decade, most engineering talent expectedly went to be on the vendor side. They used to provide the best of product capabilities backed up with the best of security research. Whether Symantec, McAfee, Palo Alto Networks, TrendMicro — you name it and you could find them there. They built the best security research, best delivery system, threat research and exchange systems and helped the world get secure a bit more every day.

WIth the onset of automation and software becoming central to how business are run, this vendor/customer dynamic started to change. By the middle of last decade, one could see sophisticated security automations and threat information exchange systems being built inside the large banks and e-commerce players. This is also the time when a lot of top security talent decided to move to the customer side of the house. Organizations like Netflix built up their own security products and Banks like Capital One with their state of the art cloud based deployments were far ahead than anyone in the industry in terms of their thought process.

My Today’s guest is Vincent Weafter, who decided to make this journey from moving from leading security research/products at product companies like Symantec and McAfee, now to head security engineering at Capital One.

Alok — Hello Vincent, Why do you think such a transition is happening? What is your suggestion for other folks and how should they look at such opportunities?

Vincent — Gartner recently called this out in their Top 9 Security and Risk Trends for 2020. The shortage of skilled security professionals, the availability of API driven automation in security tools and the increased leverage of machine learning techniques have all contributed to drive deployment of such automation in the enterprise environments. We talk about how AI automates and augments human decision making across a broad set of use cases. In the same manner, we are increasingly investing in automation tools in the enterprise to augment the technology solutions provided by the vendors to help eliminate repetitive tasks and enable us to focus more on the critical security functions

Alok — At McAfee, you led security research and development teams. Do you think your relationship with engineering gets recasted in a different mould now?

Vincent — My mission while leading the teams at McAfee labs and Symantec Security Response was to develop best in class signature, behavioral and ML scanners as well as the automation for content creation, testing and cloud delivery required to sustain those technologies. As such you always had to balance the daily operational needs of threat research vs the engineering roadmap delivery capabilities and constraints. You could identify a new class of threat and add basic protection content or update an ML model for it fairly quickly, but engineering that protection in a robust way into a product solution takes time to develop and deploy into the field. It is very similar on the enterprise side where there is a constant tension between the daily operational needs and building up robust & effective automated controls. It may not be as deep and as focused as product engineering in a specific domain, but it is as complex and is broader as it touches upon multiple control points in the environment.

Alok — How do you see the role of these newly created functions such “security engineering” whose whole mandate is to protect just a single organisation?

Vincent — Security Engineering goes beyond automating the mundane and repetitive tasks to gathering intelligence, performing deep analysis and taking automated actions where appropriate. The value comes from knowing the context of the enterprise, where that asset is located on the perimeter and more exposed and what business value it supports. Information Security teams are no longer spending their days shifting through multiple dashboards and configuration screens on vendor solutions and instead programming the API’s to gain those insights and perform actions across their defense technologies in a codified repeatable manner. Teams today are made up with not just information security engineers, they are increasingly composed of software engineers and data scientists who are being trained in security practices.

Alok — After you joined McAfee in 2010 after the infamous 5958 incident As part of the recovery, you initiated one of the most effective quality automation projects inside McAfee. What were your goals and learnings?

Vincent — At McAfee, we implemented a process that tackled not just the technology and process gaps but also the quality cultural gaps that existed in the organization. We first focused on the false prevention process improvements such as false prevention coverage improvements throughout the delivement cycle (starting with the developers). At the same time we systematically improved false rates with automated content, early identification and greater coverage. And finally also improved our release cycle times significantly so that we could identify and respond to pre/post production issues much faster than ever before, thus enabling a more effective learning cycle. Our goal was to first prevent quality issues wherever possible and then detect and remove any remaining issues as early as possible in the production and delivery process. At each step we developed feedback loops to measure quality so that the whole system became a continuous improvement framework. We knew that this process had to start with the content generators and developers to get them educated and owing end to end quality. That was our early version of ‘shift left’.

Alok — As we both were at McAfee in those years, one of the clear understanding was the need of educating/involving engineering teams with respect to quality/security outcomes of their work. How do you expect security to be inserted into the development process as in the case of large banks like Capital One?

Vincent -The challenge and solutions for engineering are largely the same at a large financial institution as they are at a technology vendor. What is different is the scale and the depth of the issues to be tackled. Capital One has overgone a multi-year transformation of its digital capabilities and since 2011, has expanded its technology staff from 2,500 to 9,000, adding software engineers and AI experts, among others . I may not need to build every component in the technology stack to protect the enterprise as I can leverage vendor solutions, but that’s not dissimilar to a technology vendor who partners or OEM’s a component of their solution. For everything we build or support we consider product quality and security a key engineering performance factor. Every release or update to an engineered control should be measurably better than the previous one and quality/security goals , plans and reviews need to be an integral part of the delivery lifecycle. You need regular senior leadership engagement and reviews of the delivery process, and their strong support for quality/security improvements, including agile development, peer reviews, unit testing, static and dynamic analysis. I am very grateful to have that opportunity and support at Capital One.

Alok — Developer/Engineers are usually motivated on the idea of delivering their projects, getting their code in, delivering their project. How do you think they could be motivated/incentivized for security?

Vincent — The relationship between developers and security has traditionally been like teams on opposite sides of a tug of war each pulling at the other until one wins and one loses. On one end developers are pulling hard to produce functional products at breakneck speeds, while at the other end security is pulling hard to ensure the product is as secure as possible. It doesn’t have to be that way. First and foremost, you need to move security to the top of the leadership agenda. Your aim is to show how increased software security prioritization will both make the development cycle more agile, while negating the need for any preventable last-minute security remediation or infield issues. Secondly, you need to get the developers engaged and trained to deal with security issues in their code. If developers can’t see the actual risk and consequences of security vulnerabilities, they are far less likely to invest the time to get educated on how to prevent these types of issues occurring. Security is embedded throughout the development lifecycle, from initial design patterns, through coding, initial testing all the way to production.

Alok — Moving to a different topic, You have also seen your share of success and failure on use of machine learning in security products. In your experience, what kind of use cases will you count as failures?

Vincent — ML models started being used way back in the late 1900’s to drive behavioral detection in the traditional AV engines. Those solutions had a performance impact on the PC and were relatively ineffective given the amount of time it took us to train new models and the computing power on the PC’s of that time. We could build and deploy signature based heuristics at a much faster rate and in general they had far less impact on the performance of the PC.

Alok — And what use case you will count as success? Do you have a product in mind?

Vincent — The industry has had great success using ML in multiple use cases in the past 5–6 years including cloud reputation services , advanced endpoint protection, EDR solutions and network analytics. I started on the ML journey back in 2010 while on the vendor side. It was apparent that the main challenges were going to be the time it would take us to re-engineer our products to expose the data and signals and also to deliver the backend cloud scalable services we needed to support the ML models. The cloud journey was accelerated by the adoption of cloud services like AWS, Azure and GCP. It did take quite a while to design and build the enabling technologies into our product roadmaps but once we had the API’s and signals available, we were able to rapidly accelerate the deployment of ML models into those cloud enabled services.

Alok — As someone who has done security research for a long time, what are your top three problems that you want new security companies to solve?

Vincent — First on my list is that smart internet enabled consumer devices are spreading faster than they can be secured. With the proliferation of these unsecured smart devices the attack surface could quickly increase hundreds or thousand of times. I also worry about the uncontrolled access to personal data as that not only exposes us all to cyber attacks it may ultimately cause people to lose faith in our movement to the digital society. Finally I worry about increasingly sophisticated attacks on our supply chains. We have seen in the recent months just how reliant we all are on these highly interconnected, just in time delivery models. We are likely to see future attacks that not only disrupt, but also undermine the integrity of these supply chains, especially by state actors.

Alok — If you had to make security predictions for this year — What are the top three security issues that the industry will face this year?

Vincent — We’ve already spoken to several of these in the podcast such as automation and integration in Cybersecurity as well as the growing awareness of the importance of

Cybersecurity, but from a threat prospective. Attackers are increasingly applying AI techniques to help create custom malware designs to evade known defenses and help spread new attack campaigns by predicting vulnerable entry points and attack code that is able to mutate itself as it learns about its environment.. A good example of this is the Emotet Trojan. Emotet’s main distribution mechanism is spam phishing, usually via invoice scams that trick users into clicking on malicious email attachments. Recent updates to Emotet include stealing email data from the victim. Using that data and some ML natural language processing Emotest is able to send out contextualized phishing emails at scale. The insertion of the malware into pre-existing emails gives the phishing email more context, thereby making them appear more legitimate. I also expect that we will continue to see new exploits on IoT devices as many have a long list of security issues including hard coded credentials, Insecure wireless communications, unencrypted personal data and unverified firmware updates and lack of effective patching for vulnerabilities.

Alok — Thanks Vincent for joining me on this episode of Podcast.

Vincent — You are very welcome. It was great getting the opportunity to speak with you today.

Podcast-Ep-2.1- ML, Automation & ShiftLeft at CapitalOne — A conversation with Vincent Weafer was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Alok Shukla. Read the original post at: