
Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

 

Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

 

Justin Daniels  0:36  

Hello, I’m Justin Daniels. I’m a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk, and when needed, I lead the legal cyber data breach response brigade.

 

Jodi Daniels  0:57  

And this episode is brought to you by — no one can hear that well — Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Are you ready for another engaging podcast episode? I’m ready if you are. All right. Well, today, we have Michael Moore, and as Chief Privacy Officer, Michael is responsible for privacy and cybersecurity product counseling transactions, intellectual property strategy, open source software and other matters at Lacework. Michael holds the IPP privacy qualifications of CIP US, E, CS, M, and T. Lots of acronyms. And Michael is also the inventor on 10 patents and author of over 20 published articles. Michael, welcome to the show.

 

Michael Moore  1:10  

Thank you so much. I’m really glad to be here.

 

Justin Daniels  1:48  

So please share with us your career journey and how you evolved to your current role.

 

Michael Moore  2:26  

Sure, absolutely. I started out as an engineer by background — electronic and computer engineering. And I practiced as an engineer for a number of years, and throughout that process, became an inventor and actually became very interested in the whole process around innovation and patenting and developing new technology. And that interests me and often back that decided to pursue a career path as a patent practitioner. So I became certified as a Patent Agent and spent a number of years working at bat, and it’s a conductor company while I was going to law school and business school. And at the end of many years of study and work, I became an attorney. Once graduated as an attorney, I worked for London Law Firm for a couple of years, which is great, very good practice and training. Although I found I really enjoyed the business of business. So I decided then to go back into an in-house role. And I worked initially at a large security company for a number of years, then I moved on to a semiconductor R&D and licensing company. After several years there, I moved on to a company in the data storage space, which is very interesting, rapid growth, just post IPO when I joined — very rapid growth over the years, which is actually a really interesting place to see and grow and develop. And after being there a number of years, and enjoying it very much, I decided to try the startup route. So I went to my current company, Lacework.

 

Jodi Daniels  3:44  

I think it’s always so interesting to have a background of being a patent creator and an attorney. And in business, I have a couple of friends who do that. And I think that’s just a really eclectic background. So Michael, thank you so much for sharing. Let’s dive a little bit into Lacework and your cloud security solution. Can you share with us more about the product features and the problem it is solving? 

 

Michael Moore  4:08  

Yes, absolutely. So Lacework is a cloud-based security platform. And we address risk, threat and identity to protect against both known and unknown threats. And one of the things Lacework is best known for is very effective and rapid identification using anomaly detection. So you can baseline what is normal in the environment, and then very quickly identify unusual behavior in the customer environment and flag it early to the customer. And that’s key in addressing some of the sophisticated attackers out there, such as the more advanced ransomware gangs or nation-state actors or other attackers who enter into the customer system and stay low and slow, well under the threshold of detection of traditional rules-based products, and are able to persist and spread across the system. We have technology that makes it much more effective to catch those kinds of actors early and detect them so you can shut them down and prevent them. And when you combine everything in platforms, we have risk data and threat data and identity data all together, you can use each to enrich the other. And that allows you to create very high fidelity alerts, low noise, high fidelity, very accurate alerts, that you can flag to your customer to let them know early that something unusual is happening in their environment, and gives them warning time to be able to either restrict the environment or shut it down or otherwise block the attacker. Blocking is good. Blocking is very good.

 

Justin Daniels  5:31  

So where does Lacework fit within a company’s security tech stack?

 

Michael Moore  5:37  

Generally within the cloud security toolset, so we’re primarily a cloud based company securing cloud. So usually it’s run by the group Toby responsible for cloud security, threat, risk and compliance.

 

Jodi Daniels  5:50  

Privacy, wearing the privacy hat that I do is always a really important piece. But here I think privacy plays a unique role in the Lacework approach, which is a bit different than how other companies might help trying to solve these security problems. Can you elaborate? 

 

Michael Moore  6:08  

Yes, absolutely. We follow very much a private by design approach in how we design products. So I will engage with the engineers designing or architecting products very early to ensure that we’re building using privacy by design principles, and how we design the product, the features we build into the product, the configurability, we allow the customers in terms of what they do to ensure the product is private, stays private, and protects the personal and confidential information of customers. So we design our products in such a way that they only take the very minimum required information, in order to protect the customer environment, and leave the rest of the customer information in the customer environment. We think that customers should be able to safeguard their own information within their environment. So we do the processing in their environment, and just take out the bare minimum required to secure their environment and detect threats.

 

Jodi Daniels  7:01  

Well, with so much around data minimization, that approach is really helpful to being able to build trust and have a partner be able to assist in writing your security stack that way with the least amount of data possible. Absolutely.

 

Justin Daniels  7:18  

So from a security team perspective, they often run pretty lean. And then the volume of threats keeps increasing. What advice can you give for these companies to try to keep up in that imbalanced situation?

 

Michael Moore  7:34  

That’s a really good question. And many security teams suffer from burnout or alert fatigue; there’s only so much they can process in a day in terms of getting alerts. So to the extent that the companies can use tooling that raises the number of travelers and reduces the number of false positive alerts, and really points a team at audit priority to address that’s key. Lacework provides such a tool. So we have feedback for our customers that the alerts we give them or the alerts that matter and allows them to focus on what really matters. Now, instead of spending time fixing a bunch of alerts that may in fact, not be impactful, or may not have any real active threat to the customer. So to the extent that you can provide customers with “this is real, this alert applies.” Here’s what happens with the attack path. It’s a real effective alert, as to play going on what to fix that allows customers to prioritize their time and their effort and focus on fixing what matters first. It also allows security teams some relief effectively, since we’re not chasing thousands and thousands of alerts, many of which turn out to be nothings, they can really focus on what matters and it gives them more time and less fatigue.

 

Jodi Daniels  8:41  

Well, that’s always good because sometimes it feels like people are running around like chickens with their heads off and trying, just trying to, to manage all these different things to be able to have a tool that lets you really just focus on what’s important, I think is very, very helpful.

 

Michael Moore  8:57  

Exactly. It also gives security teams they’re weakened by all that I mean, we’re all human, we know many of us have families or kids or whatnot, to give them time back to spend dealing with things that matter to them. So they’re not burning every night and weekend and evening just chasing large kind of burned out alerts 

 

Jodi Daniels  9:13  

Michael, love what you just said about that, because some people would say, “Oh, I have more time, then you can do more work.” And instead here it’s about the balance because these security teams are so incredibly valuable and burnout’s real. And we want to try and help reduce the work burden and make them still happy and like what they’re doing and appreciate the really important work. So I really appreciate that perspective.

 

Michael Moore  9:37  

Yeah, that’s true. Security work can be quite stressful. I mean, if you’re under attack or believed under attack, it can be a very stressful moment for the people involved. So to the extent you can really allow them to focus on what matters and quickly remediate anything that occurs or even better, detect it early and prevent it from becoming an incident. It gives them just more peace of mind and allows them to have a lower stress, lower stress, frankly — and more productive activity. 

 

Justin Daniels  10:04  

Well, speaking of more productive activity, could you share with our audience? What is your best personal privacy tip?

 

Michael Moore  10:13  

I think the key one I would say is turn on two-factor for all your accounts. That’s really key for any account that has personal information or sensitive information or financial or medical, it’s really key to make sure your two-factor is turned on. And the other thing I’d say is don’t share personal sensitive information online unless absolutely necessary. I mean, that’s something that people tend to overshare more than they should and that can be used against in different ways or by attackers or fraudsters or whatnot. So generally, I would say, keep your personal information, particularly sensitive personal information offline to the extent possible, and only put on the minimum, only put online the minimum that you actually wish to share with others. 

 

Jodi Daniels  10:52  

I would add to that, where sometimes I think people fill in the blanks because they feel like they have to, especially on some medical forms and other places. You don’t actually have to put that there, they asked for it. But many times you don’t need to necessarily provide it.

 

Michael Moore  11:10  

Exactly. Medical forms, asking you for a social that’s over collection of data typically have very sensitive data that you really don’t want floating around on a piece of paper somewhere.

 

Jodi Daniels  11:18  

Exactly. 

 

Justin Daniels  11:19  

You know, that’s funny, because I remember for my largest pro bono client having to fill out a form where they wanted her social for some state form. And I only wanted to get in the last four digits, and I got remonstrated when the state said, No, we really have to have it and my client, her name will be withheld for privacy purposes, was like, “why didn’t you fill it out right the first time?”

 

Jodi Daniels  11:42  

They write it because they didn’t accept it. I had to fix it. So there’s a good example of a particular organization that is not following the data, the data minimization rules, and they required it for us to mail in my social security number, which is just a terrible system. So we can’t solve that right now. So we will, Michael, when you are not providing amazing security advice, and building Lacework, what do you like to do for fun?

 

Michael Moore  12:11  

A number of things. I like to speak at conferences, I also write articles in the legal space. So I tend to be a fairly prolific author, I actually enjoy writing articles sharing knowledge with others, I do think that a lot of our best practices are things that are not confidential, but just general good practices are worth sharing with others, particularly for folks who are earlier in their career or people looking to move into the space. And I’ve personally learned a lot from reading, you know, the thoughts and writings of others in the legal space. So I try to share and reciprocate. And I encourage my team to do the same. So we tend to write quite a bit and publish in ACC Docket, an M&A magazine, many of the leading publications and privacy or IP. I also tend to speak at conferences, which I enjoy. It’s good for networking, it’s good to get out and share knowledge. And it’s also good for both company and personal profile. So that’s on the professional side that I enjoy doing. On the personal side, I do a lot of outdoor stuff, so I might kayak or hike or bike. I also do quite a bit of gardening vegetables and so on. And just generally spending time outside. Anytime I’m on the water or open hillside or something like that is time well spent.

 

Jodi Daniels  13:14  

Justin I know you resonate with all that hiking, and kayaking and working outdoors. I do. Michael, I’m curious, do you have a favorite, favorite vegetable that you’d like to grow? Pumpkins?

 

Michael Moore  13:26  

Pumpkins. So my kids love pumpkins, we grow a bunch of them and very much enjoy going out and carving them and harvest and then come Halloween time?

 

Jodi Daniels  13:31  

Oh, I want to learn more about how you harvest a pumpkin. That sounds so fun.

 

Michael Moore  13:37  

Yeah, the fun the girl has gives us a lot of fun with the kids to carve them and play with them and whatnot. 

 

Jodi Daniels  13:44  

So I might need to have another podcast just so I can learn more about pumpkins. Well, Michael, if people would like to learn more and connect with you, where should they go?

 

Michael Moore  13:52  

They can check out my LinkedIn, I believe you’ll post the URL for that. And I will also give you some interesting articles to link as well for folks if you want to read them. 

 

Jodi Daniels  14:01  

Okay, well, that sounds wonderful. Michael, thank you again for coming and sharing more about your experience and Lacework. We really appreciate it.

 

Michael Moore  14:09  

Thank you very much. I appreciate your time. Thank you for the conversation.

 

Outro  14:17  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.
