As the CIO of Palo Alto Networks, Naveen Zutshi is in the hot seat, heading the IT team of a company that faces a large volume of cyber attacks each day.
After all, being a cyber security supplier, Palo Alto Networks has a lot more to lose in the event of a successful cyber attack – given the expertise and intellectual property it has built up over time to help other organisations stay secure.
But Zutshi is not alone in his fight against cyber adversaries. He works with the company’s chief information security officer (CISO) to roll out a slew of measures to keep out hackers, including the use of various techniques to protect data and disrupt the cyber kill chain.
In an exclusive interview with Computer Weekly, Zutshi shares more about Palo Alto Network’s general approach in securing its systems and data, minimising shadow IT practices and mitigating supply-chain risks.
What is it like being the CIO of a cyber security company?
Zutshi: I’ve been in the company for over three years now. Being in a cyber security company, preventing industrial and reputation losses is very important. We also focus a lot on customer data, employee data and intellectual property. I work very closely with a CISO, with the notion of joint responsibility in ensuring cyber security hygiene, health and wellbeing of the company. That’s anywhere from the way we think about testing and finding vulnerabilities, to looking at changes in technology.
What is your general approach to cyber security?
Zutshi: Fundamentally, we have a zero-trust approach to cyber security, and one that focuses on prevention – any alert that can be blocked and prevented is an alert that the SOC [security operations centre] team doesn’t have to react to and remediate. Hence, we want to have the ability to prevent as many known and unknown attacks as possible.
Our approach is pretty straightforward – we want to have as much visibility into the traffic as possible, be it network, cloud or endpoint, including encrypted traffic. This is important because you can’t protect what you don’t see.
Second, we want to reduce the threat and attack surface. You don’t want to have too many holes and gaps and there are lots of techniques to achieve that.
Third, we look at blocking the vast majority of known threats. In fact, for known threats, we should already have the right systems in place to block them even before they become a threat. For unknown threats, we will try to block as much as possible.
This is complemented with a strong and robust detection and response capability. We have built the ability to collect security logs into a system – not just alerts – where we can correlate them quickly to identify threats at speed.
Lastly, we want to automate remediation activities to reduce reliance on manpower. This frees up resources to focus on tabletop exercises, red teaming and continuous learning to better locate and address vulnerabilities.
Can you elaborate on the technologies used for threat detection? How do you minimise the number of false positives?
Zutshi: We use machine learning techniques to complement traditional security technologies. For example, we complement our firewall with the sandboxing technique WildFire to determine whether unknown threats are of a malicious nature, adding machine learning-based heuristics as an extra layer.
Naveen Zutshi, Palo Alto Networks
The same applies to user behaviour analytics. We correlate threats and alerts across datacentres, network traffic, cloud and endpoints. In the case of a phishing attack, we try to understand how bugs move laterally, how they escalate privileges and how to disrupt the attack lifecycle.
The technology we use is Magnifier, now part of the Cortex XDR Suite, which enables us to obtain user behaviour analytics. It looks at baseline normal behaviour and groups users into dynamic groups established from machine learning classification. It then determines the risks and finds anomalous behaviour. Through new alerts that reach the SOC team, we train the model to recognise false positives, so we can minimise them.
What do you do around threat intelligence, especially those targeted at Palo Alto Networks?
Zutshi: Unit 42 is our threat intelligence arm. We also have an intelligence and response team, who are often at the cutting edge of identifying indicators of compromise. Unit 42 recently built adversarial playbooks – there might be numerous indicators of compromise, but hackers only deploy a small number or certain sets of adversarial playbooks. If we can document these playbooks and address them automatically, then we can better identify and remediate related threats.
We also collaborate with other companies, even other cyber security vendors, in the Cyber Threat Alliance where we actively share threat intelligence. We aim not to compete on threat intelligence, and focus on what we can do with it.
What is the scale and volume of attacks are you seeing as an organisation? How much of them are you blocking each day?
Zutshi: I don’t want to give a number, but you can imagine millions of attacks – and 99% of them are being blocked.
What are your thoughts on data protection?
Zutshi: When it comes to protecting data, there’s a whole host of things we need to do – data governance and practices, data asset inventory, looking at data lineage, working with the external vendors that have access to our data, complying with data protection standards (General Data Protection Regulation, FedRAMP certification), looking at encryption both at rest and in transit, proper data hygiene practices, looking at who has access to data (normal and privileged access users), and end-user behaviour.
What about user education within Palo Alto Networks?
Zutshi: Our CISO team did a great job at internal educational campaigns. To raise awareness about phishing, we created interesting and humorous educational videos involving senior leadership. We also conducted phishing simulation sessions and pitted internal teams against each other in a friendly competition, which drastically reduced phishing-based clickthroughs over time. We also held “capture the flag” events for developers, which was a fun way to educate them on the need to factor in cyber security into how they code.
Read more about cyber security in APAC
- A security expert has called for businesses to manage the risks of adopting new technologies and improve their cyber hygiene, rather than see AI as a panacea for their security woes.
- Even as Southeast Asia works towards coordinating cyber security strategies, more needs to be done to establish cyber norms.
- Healthcare organisations in the Asia-Pacific region could lose an average of $23.3m to cyber attacks, including losses from productivity and customer churn, a study finds.
- Australia’s privacy watchdog recorded over 800 cases of data breaches, nearly one year into the country’s mandatory data breach notification regime.
As a CIO, how do you make the assessment on application security? Would you say you are more conservative or risk-averse?
Zutshi: I think we’re quite forward-leaning. We try to balance two things – growing incredibly fast and scaling very quickly. We’re balancing the need for speed and agility with security.
We continue to improve and are making the process of selecting new SaaS [software-as-a-service] products more rigorous. This is important because 70% of our deployments are SaaS-based. Taking a holistic approach, we look at architecture, information security and rationalisation of applications together.
Any new application request has to pass three tests. First, is it congruent with our architecture? Second, does it meet the security and privacy standards we established? And third, is it addressing a gap that can be solved by an existing application? We tie this process with sourcing of our business partners to ensure we avoid shadow IT, which is quite possible in a large organisation.
How big is your team globally?
Zutshi: We are primarily a US-based team. We have folks in Israel, Europe and Asia. IT has about 200 employees while the security team has around 55 to 60 employees now. We also have some contractors to provide helpdesk and support, but most of the work is done by employees in-house based in Santa Clara.
How are you managing the potential supply chain risks that may emerge with the external vendors?
Zutshi: We classify data and keep track of which vendor has access to which data. We go through deep packet inspection reviews and we also do new vendor audits when they first come in.
What do you typically look for in the new vendor assessment exercises?
Zutshi: Beyond their applications, we look at the security practices they have in place, how they are ensuring the security of our data and what kind of access controls they have in place. Aside from a questionnaire, we also do interviews and discussions with their CISO and team.
What keeps you up at night as CIO of a large cyber security company?
Zutshi: Ensuring that we’re doing everything we can to keep the organisation secure. It’s important for my team and CISO to be responsible and proactive about security.