Recently, Nathan Burke, CMO at Axonius, connected with Federal News Network to chat about cybersecurity asset management in federal agencies, federal regulations, and more. This is the second in a three-part series; the transcript of the conversation follows.
Federal News Network (FNN): Let's talk about security. In tennis you're told to hit it where they aren't, perhaps malicious actors are using the same advice. Any large system inevitably will have gaps in its protection. How can Axonius help with, for example, missing security controls?
Nathan Burke (NB): The way I think about it is that in most cases, malicious actors are looking for the easiest way in, right? And of course there are APTs and sophisticated nation-state actors with really sophisticated attack vectors.
But if the door is wide open and the bank vault is open, you don't really need to dig a tunnel or come on in through the ceiling, Mission Impossible style. I think that's why there is such a huge focus right now on the fundamentals of asset management for cybersecurity. Because if an organization is able to know everything they have and then understand how every device, every cloud instance, every user aligns to their security policy, they're then able to focus on the more strategic initiatives.
Those are the things that the highly trained and mostly scarce security professionals are always going to do best, things like proactive threat hunting and security awareness training. I've often referred to proactive threat hunting as the Hawaiian vacation of cybersecurity, because it's the thing that everyone says they want to do, but they just never get to because they're doing the manual stuff.
There are a couple of quick examples I have for you. Recently, we were talking to a customer that went through all of the time and effort to research, evaluate, test and deploy an endpoint protection solution. And you'd think that'd be it, all the hard work is done. But after they deployed Axonius, they noticed that only 40% of the devices that should have that endpoint protection agent actually had it installed. Just imagine that you went through all of that time and effort and dollars, and let's say that someone is just able to get in on a machine that should have been protected, but wasn't, and you already paid for it.
There are tons of examples out there of things like the internet-connected fish tank that took down a casino or the Raspberry Pi at NASA used to exfiltrate data. Instead of, like, using FUD and fear to talk about what we do (I hate doing that), I like to flip it and instead note that in every one of these cases, it's not that the security teams were inept or that they did something wrong. They just didn't have a way to quickly, reliably and automatically detect anything that showed up that either shouldn't be there or had some kind of exploit that was easy to exfiltrate data from, or to be an attack vector in.
And that's exactly what customers do with Axonius.
FNN: When I think of Raspberry Pi and all these new data points and endpoints coming in, federal IT right now is living in a constantly changing data landscape. And so Axonius can help agencies with this flood as well, can't it?
NB: Yeah, absolutely.
I think the only thing that is constant is that the rate of change is increasing. If you look at the increase in the number and the types of devices that are in those federal environments today, and then you look at the number of tools that manage and secure them, it can be overwhelming.
The positive is that all of the data is there. If you're able to nail the fundamentals and get that always up-to-date inventory, now you can both anticipate and plan for the change that's absolutely inevitable.
We will have different types of devices that we don't even think of today, that we can't even imagine today. They're going to be there. So if you're in a position where you can detect the new things, and you can make sure you know whenever something changes that you didn't expect, that puts you in the position for the inevitable flood. And it actually doesn't matter how much data you have, because you're able to separate what matters from the noise.
FNN: Public-facing cloud instances are everywhere for the federal government. Is Axonius limited to systems under direct control, or does it operate across many different systems?
NB: It's a great point, because what is even an asset anymore, right? If we were having this conversation 25 years ago, it would be pretty easy: we had Windows devices on a physical network, everything was in Active Directory, and you pushed out updates.
Over the course of time, that all changed. Now we're in the world of cloud and IoT. Everything that can be connected is connected. And that's exactly why Axonius takes the approach of connecting to any system that knows about the devices, the cloud instances and the users, because you can't just assume everything's on the network.
Right now I'm talking to you from my house on Cape Cod. I'm using my Mac on my home internet connection. Later I'll be accessing systems that are entirely cloud-based. Almost nothing I do today happens through the network, but I've got an endpoint protection agent on this machine and I'm able to access company data using single-sign-on IAM.
The reality is that to be able to understand the full environment, the full asset landscape for any organization or federal agency, you've got to assume that the data lives outside of their direct control and in many different sources. And that's why we have over 300 integrations with all of the sources of data that know about assets.
FNN: When you look at cybersecurity events, you can see that some are the result of overly permissive access rights. A trending term in the federal world is zero trust. Can Axonius assist in accomplishing this amorphous concept of zero trust?
NB: Yeah, for sure. I think that the first step to zero trust is understanding exactly what you have. I personally love the idea of zero trust because it assumes that just because you're able to get access once, that doesn't mean that you have a lifetime backstage pass. Because of that speed of change I referred to earlier, your assets and accounts are so dynamic that constantly interrogating whether they should be given access is the only way to go.
I think the only way to realistically get to zero trust is by having a way to immediately and automatically discover and classify every user, every device, every cloud instance. And then understand its context to make sure that the configuration or patch level or permission level are appropriate and then repeat it continuously.
At every step you need to be able to answer questions like, you know, what device is accessing resources? Is it managed? What software is it running? Is it up to date? Are there vulnerabilities? What's the use? What data is being accessed? It's impossible to answer these questions without a full understanding of the assets, the software and the users in your environment.