Swathi: We want to maintain the ability to effectively detect and respond to any suspected security threats to Oracle SaaS products and services. And in the same way, if you look at sort of our threat and vulnerability management, how can we empower our SaaS engineering, and each of our product teams, and our shared services to identify, analyze, report, and also remediate on these specific vulnerabilities?
Caroline: From Cobalt at home, this is "Humans of InfoSec," a show about real people, their work, and its impact on the information and security industry. I am so excited to welcome my guest today. Swathi Joshi. Swathi, welcome.
Swathi: Caroline, thanks for having me. Excited to be here.
Caroline: Swathi is an information security executive who focuses on risk management, crisis response, security services, and cloud security engineering. She is currently the vice president of cloud security at Oracle, where she leads a global team of engineers, analysts, and operators to secure Oracle SaaS applications and keep customer data safe. Prior to Oracle, Swathi led Netflix's Detection and Response teams to manage inevitable security incidents and minimize risk to Netflix. Swathi, let's start out from the beginning. Please tell us about your career journey. You've been at super cool places, including Gartner, Netflix, Oracle. How did you get started? And can you tell us a little bit about your path throughout your career?
Swathi: Yeah, for sure. You know, Caroline, I was really lucky early part of my career to spend time in various technical security domains, doing forensics, being a security analyst in the SOC, you know, doing risk management, doing compliance, then moving to more security engineering work, like network access management, you know, two-factor authentication, things like that.
So, early part of my career, and as I grew to be an associate director at Gartner, where I was managing three different teams, that was focused on more proactive security, right, how can we do more preventative controls? And how can we bake those into our security program? At that point in my career, one of the things I hadn't done was focus on defensive operations, right, like attack simulations. How do you defend your organizations against threats? So, I was thinking around, how can I round out my security experience, and I had a fantastic opportunity come up to go join Mandiant as a security consultant, and I took that on.
So, then I spent the next six years, two years at Mandiant, four years at Netflix, doing defense operations. And it was just exciting, exhilarating sort of being in the frontlines of defense, doing detection engineering, incident response. And of course, it's tiring too, right? As first responders, it's a tough job. There's a lot of burn and turn. And I kind of enjoyed that. So, at that point in my career, I had done proactive security and had done defense work. And then I wanted to kind of put that together. And I was excited to come to Oracle to do that, where I lead sort of this broad program that consists of governance, risk, and compliance, you know, detection and response, vulnerability management, a red team, or ethical hacking team. So, to think about how to put that together. So, it's been wonderful. I mean, I wish I can say that it was very intentional. It wasn't to an extent. You know, it kind of grew organically for me.
Caroline: Yeah. It's an incredible story. You know, when I was a young girl, I did not think to myself, when I grow up, I want to be a cybersecurity executive. And I'm willing to bet that when you were a young girl, perhaps you did not have this thinking either. But I think that it is so interesting how these career journeys, they have unfolded. And sometimes it's funny to look backwards and it'll make sense, but kind of when you're in the middle of it, you know, I similarly, I didn't really have a plan. But it worked out. And I'm grateful for that.
Swathi: Absolutely. And same here. Like, I wasn't thinking, "Oh, I want to lead detection and response one day. Oh, I wanna join as an executive, doing security. Right?" Yeah, that was not the thing that popped out. But I am glad I caught the security wave, I guess.
Caroline: Totally, I love it, actually. And I have a lot of passion around it, you know. I have kids now. And I want them to grow up in a world that is secure. I mean, it's become something deep for me. Swathi, you are an expert in an area that many people find to be difficult. Incident response can be very stressful. It can be exhausting. Trying to do something like scaling incident response can be a huge challenge. I wonder if you would share your wisdom with our listeners, what have you learned about doing this?
Swathi: Sure, you know, yes, scaling incident response, it's tough. And we don't want to simply focus on scaling it linearly, right? Like, just by headcount or number of people that we can throw at the problem. Of course, there is a place to do that as well. And there's no silver bullet here. There are a few strategies, of course, you can apply. We can raise the bar for an incident, right? We all know, you know, an email thread starts with phishing or breach, and then there's suddenly panic, right?
And oftentimes, I think by establishing a good baseline of what is an incident, right? What is an investigation? What's an event versus what's an incident? I think that that's a great way to start. And often, you know, if it's your internal customers or external customers, often they need some assurance to say, "No, this doesn't look like much." And sometimes it is a problem, right? Like, so how can you raise the bar of what an actual incident is, and establishing sort of that baseline can go a long way?
I read an article, it was titled, you know, "Funnel fidelity," right? How can we truly reduce false positives? How can we write better quality, higher quality detections? That would be kind of another strategy to make sure there's less noise in the environment. And truly, how can we have really a great funnel, where sort of all the alerts and all the data comes through, and then there is a funnel that it goes through? And then here we have some high-quality detections, right? And another thing, this is something that we did at Netflix was, if a specific detection doesn't have a response plan or a mitigation plan attached to it, it doesn't move to production. So, unless the detection has an active resolution plan, then we push that to production, right, which really helped us control the quality of our alerts.
Caroline: That is so cool. I love that. I mean, I think that is revolutionary. You know, what a forward-thinking way, and what a proactive way to build that into your process. I think that's so cool.
Swathi: Thank you. And you know, of course, if you have a bigger security organization, if that's at your disposal, you could do, okay, there is an application security team, there is an infrastructure security team, there is product management. So, these different teams can help you scale. So, if these teams can do your, for a lack of a better term, first-level triage, right? And then all the escalations go to your incident response team. That way, sort of different subject matter experts that are closer to the problem can help you resolve this.
And then if this goes really big, then, of course, you need incident response to come in and perform the incident command or function. And then we also try to have kind of alerts directly go to the app owner for them to handle that. I will say though, all these strategies do have a certain ceiling, right? Like, there is a level that you will reach with automation, where automation will taper off. Like, you have made the gains that you can make with automation. So, there is a ceiling. So basically, once you meet that ceiling, then of course you can have a pool of incident responders, maybe a reservist model, or just grow the team to match the business need.
Caroline: Awesome. Thank you so, so much for sharing with us your thoughts on that. I want to ask another question. Let's talk about vulnerability management, detection, and response. I think that you and I are aligned in the concept that it takes many different players. I actually have been exploring an analogy, this last year or so, where I think we have so many analogies for security. And I actually think security is not a vitamin, I think it's not a band-aid. I don't think it's something you can inject or do at the last minute. I don't think it's a feature. I think, actually, it's always been the result of decisions and actions that are made by different people. And because of this, actually, I call it a dance. I think it's a dance. I want to know from you, what do you think about building a robust product assurance organization?
Swathi: Mm-hmm. Yeah, great question. You know, these terms like assurance, and I think same applies to governance too, gets thrown around a lot. And I think assurance...product assurance can be a couple of different ways, right? Like, at Oracle, in our SaaS cloud security team, we want to provide assurance to our customers that we are protecting their data. And we want to do sort of, you know, a really, not just baseline, but beyond that, how are we forecasting this? How are we looking ahead? How are we doing customer engagement and enablement? Right? Like, how are the key business drivers helping us move in that direction?
So, a couple of points that I want to make there, and exactly to what you said, it definitely takes an entire team to do this, right? With detection and response org, we want to maintain the ability to effectively detect and respond to any suspected security threats to Oracle SaaS products and services. And in the same way, if you look at sort of our threat and vulnerability management, how can we empower our SaaS engineering, and each of our product teams, and our shared services to identify, analyze, report, and also remediate on these specific vulnerabilities, right, like that could threaten the security, and our ability to meet compliance because it's important to keep our services operational.
The third piece to this, of course, is, you know, our governance and risk program. You know, how can we provide our advisory and reliable risk service? How can we ensure this confidentiality, integrity, availability, the classic triad for our information, so then we can give that out to our stakeholder groups? So, in that way, we're trying to move towards a more risk-based decision model, right? Like, how can we quantify specific risks? How can we compare different applications and the risk scoring for those applications? So, I would say, Caroline, those three kind of areas, detection, response, threat and vulnerability management, and GRC function. So, through these three pillars, we are trying to build sort of a solid product assurance org here.
Caroline: Incredible. You know, I'm glad you brought the conversation to GRC because we as an industry, we have all these different security frameworks. And then at the same time, there are many technology things that are changing. And so, I'm curious to know, throughout your career, how would you describe the way in which security has changed? And what do you think organizations should be focused on as they look toward the future?
Swathi: Yeah, a really good question. And, you know, we use this term, I think it's often overused, the threat landscape, right? Ever-changing threat landscape. I agree. I agree that there is sort of a...it's a bit of a cat and mouse game, right? Like, there is changing threat environment and landscape. But we also should realize that, you know, attackers will continue to use some of the existing holes that exist. I think I was reading the threat report that Google had published, you know, attackers will continue scanning for vulnerable instances of Log4j, for example, as long as you know, exploitation is easy, and the vulnerable Log4j instances can be found, right? Like, that will continue to happen.
I was also reading the latest, of course, CrowdStrike Threat Intel Report, as cloud-based services are now becoming, you know, crucial elements of a lot of the business processes. Now, the cloud providers are being used for a lot of different kinds of vulnerability exploitation, you know, credential theft, cloud service provider abuse, and use of cloud services for malware hosting, and for C2 infrastructure and all of that, right? So, I think those are becoming increasingly common for big, big cloud providers. So, I think there's a lot of cleanup activity to be done, as we've seen with Log4j instances, things like that. I think it's important to have a balanced approach of, like, yes, the threat landscape is changing. But also, our existing infrastructure could also be used in nefarious ways. So, how can we balance the two?
Caroline: Very cool. Thank you so much for sharing your thoughts on that. You know, it's not only the threat landscape that is changing. It's also the workforce that is changing. Certainly, when I began my career in this field, and I expect when you began your career in this field, you know, folks like you and I, we'd look around, and there were fewer women in the room.
And I think that, you know, we've been really fortunate to see some improvements in terms of diversity and inclusion. But we still have a long way to go. And where we are today, even though some of it is well-intentioned, there are some funny things about where we are right now. And so, my question to you is, in your experience, observing different diversity and inclusion initiatives, what do you think folks are getting wrong? What do you think they could do a little differently?
Swathi: Yeah, a great question. And I think, yeah, I agree. I think there's been sort of this increased focus on diversity, inclusion, belongingness, you know, all of these are really, really important topics to consider. I think one of the things I've been thinking a little bit about is I think some companies are doing...or inadvertently, right, like, to your point, I think it's well, good intentions, well-placed intentions around the quota system. Oh, can we get 10% of women? No, 20% of women? I think this has led to a little bit of like tokenism, right, like token feminism.
I definitely don't want to be that person in the room who says, "Oh, yeah, I'm there to fill a quota." Right? No, we have a specific skill set. We can help, you know, move the business in the right direction. We are kind of technical experts here who want to come to the table with that equal footing. So, I'd love to see, I think these diversity and inclusion-specific programs can move away from that. And we can reject this notion of tokenism and say, "Yeah, you know, we need the right skill set, talented people with different perspectives, and different skill sets that they offer, and get them to the table." So, I would like to see a little bit of that change happen.
Caroline: Yeah, I totally agree. I have a personal pet peeve. And I do think that when folks do this, it is well-intentioned. You know, folks will say, "Oh, we're doing a panel and it's all women, and it's like women perspectives. And we want you to be on it." You know, and I'm like, "Okay, I get that you're trying to get female speakers and I appreciate that. But actually, I have a lot to say about all of these really strategic and technical topics that I'd like to talk about also." You know, and so, it's just very interesting. You know, Swathi, switching gears a bit. Tell me, you've been working in tech for a long time now. I wonder if you would tell me about yourself as a young person, and about what first sparked your interest in technology? And also today, what is it that you love about technology?
Swathi: Yeah, a great question. You know, I definitely didn't start out, you know, say, even middle school, high school thinking, "Yeah, I'm gonna get into technology, or I'm gonna get into cybersecurity." I learned about security much, much later in my career. So, you know, of course, I used to be...I was into Indian classical dancing. So, at one point, I even thought, "I'm gonna quit all of this, and I'm going to be an artist," right? And, of course, my mom, I remember at the time, was like, "No, no, no, you're gonna get a real job." And I was like, "Okay, oh, gosh." And I was unfortunate that I come from, like, both my parents are professors. And, you know, they were like, "Yeah, you know, you have a couple of options here at the table, what do you want to do?" And I picked computer science. You know, my sister had done computer science. And it was like, "Hey, this would be a great base for me. And from there, I could kind of go different places." Right?
Like, so that's what I did. And I picked up computer science. And then, after I finished my college, there was, you know, campus placement, or campus recruitment, right? Like, when you're in college, you get a job. So, I got a job with one of the top consulting companies in India. And that's where I really learned about security. So, one of the first projects I was on when I was a Java developer was doing offshore development in India for Apple. And Apple has incredible standards for their software integrity and assurance. So, it was great to be exposed to security there. And as I started kind of digging, I thought, yeah, I wanted to do my masters and do my specialization, and not just maybe do a bit more generic computer science. I said, "Okay, I'm gonna pick my specialization," and I picked security. And I came to Virginia, to the U.S., to do my masters. So yeah, that's how I got into the field. And I didn't think at this time security would, you know, grow to be such a big field. And, you know, I would catch the wave. But I'm glad I did.
Caroline: That's so cool. I just love hearing about your story and your path and your adventure. And I learned something about you, which I did not know. That's one of the things that I love about interviewing friends of mine on the podcast, I always learn things that I did not know before. And it just feels so awesome to know these things. So, when I was 16, my Chinese immigrant father said to me, "Caroline, what do you want to study in college?" And I said, "I want to study dance or psychology." Because I love dance. And I think psychology is very interesting. And he said to me, "You're going to study engineering, and you're going to do it at the best school you can get accepted to." And so, it's just really funny. I did not know until now that you and I had these stories that are a little bit in common. Swathi, we're coming to the end of our time together, and I'm so grateful for you for taking the time with me. I wonder if you would share with our listeners, what is one of the most important things that you have learned throughout your career in cybersecurity?
Swathi: This is... Yeah, I was kind of thinking back. You know, I think one of the most recent experiences, and this experience I think also holds true throughout my journey. I'd say if someone says, "Hey, your capabilities don't match your aspirations," then I would say, learn a new capability and, you know, increase your aspirations. Because I think there is kind of no room to think that, "Hey, you can't achieve this." It's the blocks: how you're going to achieve it, and what are some of the skill sets that you don't have right now that you have to learn along the way, and how can you increase your aspirations to get to that level. So, that would be one thing that I've learned from my career.
Caroline: Incredible. Thank you so much. Swathi, I have enjoyed this so much. I am looking forward to many more conversations with you. And I really appreciate you taking the time to do this with me today. Thank you so, so much.
Swathi: Same here, Caroline. It was a pleasure. Thanks for having me. And thanks for doing the "Humans of InfoSec" podcast.
Caroline: You're welcome. "Humans of InfoSec" is brought to you by Cobalt, a Pentest as a Service company. You can find us on Twitter @humansofinfosec.