In this episode, host Silas Glines, Solutions Engineer at Cyberhaven, speaks to Chris about:

• Chis’ thoughts on SIEM platforms and the ways that emerging technologies are supplanting them.
• The unique challenges faced by a health technology company in the current regulatory and economic environment.
• Chris’ journey to finding the right solution for his data loss prevention program, and why data detection and response was a perfect fit.
• Why communication with stakeholders is a core pillar of VaxCare’s security posture
• And more

Check out the highlights below, or watch the full discussion here.

In what ways are SIEM platforms being replaced?

We spoke to Chris about an article he wrote titled EDR, DLP, and SIEM: Tools Evolving Together. Within the article, Chris explores how security teams are moving away from aggregating more and more data about their environments, and trying to rely on technologies  that provide better context surrounding events—something that’s becoming easier and easier due to the rise of AI. Chris talks about emerging categories like EDR and DDR that are augmenting, or in even some instances, supplanting SIEM, and why in general teams are moving away from traditional SIEM solutions.

"What do you need a SIM tool for? Like a dedicated SIEM tool? In our experience, those are kind of a relic. They are a first generation kind of way of approaching [the problem of what to prioritize in your environments]. That was great at the time, but tools have evolved so much and give you the same amount and kind of data, just which much more context."

– Chris Payne, VP of Information Security, VaxCare

What adapting security to a hybrid-first world looks like

In this clip, Chris speaks to the challenges that came with the shift to hybrid work as a result of COVID. Historically, organizations relied on network-based security solutions to manage egress outside a well-defined perimeter. Perimeter-based security—relying on firewalls, packet inspection of egress from your intranet and a liberal use of blocking users from sending out content that looked sensitive—slowly disappeared as a result of cloud migration. This transition was hastened when COVID hit. For Chris, this represented an opportunity to adopt a more flexible approach to security that didn’t rely on centralized infrastructure to secure his organization. 

“We can no longer rely on everyone going through a single point in the network to monitor traffic and the data going through that … being willing to adapt, that’s the biggest key.”

– Chris Payne, VP of Information Security, VaxCare

The role of communication in building a security culture

Here, Chris speaks to the critical importance of gaining buy-in with executives throughout the organization about the importance of security. In addition, he articulates the value of communicating with stakeholders about the purpose of security, as well as what to expect while working with the security function.

“Regular communication is key. Make yourself as the security function visible to the company.”

– Chris Payne, VP of Information Security, VaxCare

Why more data doesn’t solve the challenges faced by modern security teams

Chris directly speaks to the challenges many modern security teams face in managing their security programs. With smaller teams, many organizations don’t have time to work with tools that provide limited insight on the content and context surrounding alerts. Chris and his team have rejected more traditional security solutions, which are noisy due to relying on limited content inspection, and have instead embraced solutions that let them see the bigger picture through features like data lineage.

“Our goal has always been to get better insight. I think that's probably the number one goal. Like better insight into everything that's going on, not more not necessarily more data, just better data or more concentrated data in a way.”

– Chris Payne, VP of Information Security, VaxCare

‍

{{ promo }}

The limitations of legacy data loss prevention within modern, hybrid environments

Reflecting on his experiences searching for security vendors, Chis discusses why the current state of affairs in the security industry proves challenging for modern security teams like his. With traditional and legacy DLP vendors failing to provide uniform policy coverage over cloud, on-premise, and endpoint, teams like Chris’ are unable to have consistent visibility or policy enforcement. These gaps can create limitations that ultimately frustrate the efforts of their security program.

“As I was saying, we want better data. So I don't want to just see what's being stopped. I want to know where it came from. I want to know who's doing this and why. So some of these, you know, I'll call them classic DLP vendors can give that to you. But it's a really kind of chopped up system where you've got to buy this module for one thing, and you got to buy another module for another thing, and they don't really communicate very well together.”

– Chris Payne, VP of Information Security, VaxCare

DLP as endpoint detection and response for context and data visibility

From the moment Chris saw data detection and response, which leverages data lineage to provide visibility into where data is and how employees are using it, he recognized how transformational it was. Unlike traditional DLP, which solely revolves around classifying data based on user defined rules and regexes, Chris knew that the insights from data lineage would allow him to monitor what was happening in his environment with a high level of accuracy and granularity.

“This totally redefines how DLP is approached today. We’re treating data loss prevention not as just a firewall but as data visibility into your whole organization. I get to see a whole picture of everything that’s going on, regardless of whatever rules, policies, or data sets that I’ve set up. That’s transformational. That is so different from anything we’ve seen before.”

– Chris Payne, VP of Information Security, VaxCare

Data lineage as empowering and enabling comprehensive security

Chris recalls one of the first times he saw Cyberhaven’s data lineage in action and speaks to how empowering it felt for him to be able to at a glance distinguish a false positive from a real finding by simply being able to surface basic facts about the data, like the file it came from, or the data store the file was from, and additional details like the team members accessing the data and what they’ve done to it. This has resulted in huge time savings and efficiency for Chris and his team.

“Having the lineage of this data is hugely important. I can look at the source of the data or who used it or what network share it came from. I can look at all this stuff and that now gives me the context to know what’s safe to send through. That is huge. The amount of false positives we would get before Cyberhaven, it’s almost all gone.”

– Chris Payne, VP of Information Security, VaxCare

Enabling data security without disrupting productivity

Going back to communication, which is one of the core pillars of Chris’ data security program, he discusses how a tool like Cyberhaven enables him to enforce policies with the flexibility of allowing users to learn what policy they’re violating through a just-in-time popup. Chris’ especially likes that he has the possibility to enable users to justify their actions and override the policy if there’s a compelling business purpose for their actions.

“Another nice feature of Cyberhaven is that you can tailor the response to the end users when they do something that triggers your policies.”

– Chris Payne, VP of Information Security, VaxCare

Moving beyond blocking to taking effective action

In this final clip, Chris articulates why data detection and response, or “EDR for data” is an important step in the evolution of security, which is a concept he elaborated on in his post about the limitations of SIEM platforms. The ability to have greater context lets security practitioners move from just blocking everything out of caution, and having a more deliberate approach to security, allowing them to protect the data that’s important while limiting disruptions that would hamper productivity.

“With traditional DLP, I can do keyword filtering, regular expressions. But that's just putting the lock on your way out, right? With EDR and with the way that Cyberhaven is approaching DLP, I have a whole picture now of what’s going on.”

– Chris Payne, VP of Information Security, VaxCare

Learn from the industry’s top-notch security innovators

If you enjoyed this recap, make sure you join us for our next installment of the Data Security Innovator series by subscribing to our blog.