Buying Intelligence
for Enterprise Technology

The only part that is actually tough for us is that we have a professional services resource from Palo Alto working with us on customization. One of the things that we are thinking about is that if we have similar requirements in the future, how can we get his capability in-house? The professional services person is a developer and he takes our requirements and writes the code for the APIs or whatever he needs to access. We will likely be looking for a resource for the Demisto platform. The automation also took us time, more than we thought it would take. We had some challenges because Demisto was a third-party product. Initially, the engineer who is with us thought that everything was possible, but later on, when he tried to do everything, he was not able to do some things. We had to change the strategy multiple times. But we have now reached a point where we are in a comfort zone and we have been able to achieve what we wanted to do. Also, getting new guys trained on using the solution requires some thought. If someone is already trained on Palo Alto then he's able to adapt quickly. But, if someone is coming from another platform such as Fortinet, or maybe he's from the system side, that is where we need some help. We need to find out if there is an online track or training that they can go to. Related to training is the fact that changes made in the solution are reflected directly in the production environment. As of now, we are not aware of any method for creating a demo environment where we can train new people. These are the challenges we have.

One of the coolest features, for me at least, is to be able to type in a website and have it give an overall summary of how safe that website appears. Part of that is just so that we can investigate. And if there's any sort of confusion between our cyber team and us, we can look further into that site and dive more into that risk score that Umbrella gives us. We can just analyze [those sites] and make sure that we're unblocking safe sites and blocking sites that we deem could be harmful for our employees. I would say it provides single-pane-of-glass management. We still, of course, use those old WSAs, but in the long run, our plan is to get those replaced with Umbrella. We have locations in Japan, Korea, China. So it's a little bit more difficult to go through one proxy for all of those, especially because it's a bit slower. What's nice is, [with] Umbrella being in the cloud, we can just go into the site, see everything from the management console in that page. Nothing is slow [and] nothing is hosted by us so that we don't have to worry about network issues or management issues. Everything is just laid out right in front of us from the Umbrella dashboard on the internet, in the cloud. And that makes it super helpful for us to just manage all that from one spot across all of our locations across the world. We aren't a very big team, so that's the main thing. Going through filtering web traffic or blocking sites or unblocking sites, whatever we need to do, can be a bit tedious, especially when we have all these different locations and we would have to go into each location specifically to perform these tasks. Umbrella, being one pane for managing, being all-encompassing, allows us to quickly go in, make a change, and it applies to either every location, if we want it to, or we can have policies in place that only apply to certain users or certain computers. And that makes it super useful for us because we're not messing around with jumping into all these different locations and manually doing each and every one individually. It is extremely helpful for us and it improves efficiency exponentially.

When I was a component owner for PAM's Privileged Threat Analytics (PTA) component, what I wanted was a clear mapping to the MITRE ATT&CK framework, a framework which has a comprehensive list of use cases. We reached out to the vendor and asked them how much coverage they have of the uses cases found on MITRE, which would have given us a better view of things while I was the product owner. Unfortunately they did not have the capability of mapping onto MITRE's framework at that time. PTA is essentially the monitoring interface of the broker (e.g. Privileged Access Management, the Vault, CPM, PSM, etc.), and it's where you can capture your broker bypass and perform related actions. For this reason, we thought that this kind of mapping would be required, but CyberArk informed us that they did not have the capability we had in mind with regard to MITRE ATT&CK. I am not sure what the situation is now, but it would definitely help to have that kind of alignment with one of the more well-known frameworks like MITRE. For CyberArk as a vendor, it would also help them to clearly spell out in which areas they have full functionality and in which ares they have partial or none. Of course, it also greatly benefits the customers when they're evaluating the product.