How data science and machine learning are affecting cybersecurity

Chris Sienko: Hello and welcome to another episode of CyberSpeak with InfoSec, the weekly podcast where industry thought leaders share their knowledge and experiences in order to help us all stay one step ahead of the bad guys. As part of InfoSec's effort to close the skills gap and empower people through security education, CyberSpeak will continue to be speaking with diverse and interesting women in the cybersecurity industry and hearing their stories, including today's guest. Anu Yamunan, vice president, product management, and research at Exabeam brings 18 years of experience in designing and building enterprise software and security products. Prior to joining Exabeam, she held senior level product management roles at Map Our Technologies, Imperva and EMC Data Domain, building industry leading products and application security and backup storage markets. Anu has an M.S in computer science from Arizona State University and an MBA from Santa Clara University. Anu, thank you very much for being here today.

Anu Yamunan: Oh thank you Chris. A pleasure to be joining you over this call. Yeah.

Chris: Lovely. So to start at the very beginning, as we do with all our guests, how and when did you first get started and get interested in computers and security?

Anu: So I would say even as early as grade seven. I feel like computers and math and science are very interconnected because it requires a certain level of analytical abilities. Until my grade six, I was always scared to attempt math problems. Math was always a scary topic, scary subject for me. And my grade six teacher kind of changed my perspective on how I approached problems, how I solve quantitative topics. And that's kind of my first foray into STEM, science technology. And my first introduction to computers was in my junior year at high school. That was the first time I saw a computer. And that was the first time I started playing with the computer. And then I also, beyond the games, it opened up my world in terms of what technology can do.

Chris: Mm-hmm (affirmative). Yeah. So you connected to it pretty solidly though.

Anu: Yeah. So from that time I knew that I wanted to get my bachelor's degree in computer science. I also did my master's degree in computer science. I started my career as an engineer at HP, right out of college. And then spent a few years as an engineer technical lead. And then decided to kind of have a bigger say in building products, designing products, and then stepped into product management.

Chris: I see.

Anu: But I see each of these steps as a building block of where I am as a person, and yeah.

Chris: Hmm. So walk me through your everyday work day with Exabeam. A lot of our listeners are sort of getting started in the industry or maybe are still sort of working help desk or doing things like that. So what are some job duties or tasks that you perform every day, and what are some of your favorite aspects of the job?

Anu: So yeah, at Exabeam my role is I lead all products, design, threat research, security research and security analytics. So it's a pretty broad portfolio. From a day to day perspective, my workday can range from talking to customers, talking to sales, enabling sales and sales engineering, to working with engineering on a next set of products and features that we need to build. Working with my innovation research team in terms of what's next coming up in the cybersecurity space, and what are the new threats. What are the things that we need to build either from a data science perspective or a machine learning perspective. And working with the support organization or dealing with either customers post sales. So it's a very broad set of things that I would be doing on a day to day basis depending upon the day of the week. The types of things that I do would also differ.

So what I really enjoy is the breadth that comes with my role, the things that I touch on a daily basis. So there's both the inbound part, which is more around building products and defining features and kind of making things available to the market. And the outbound part, talking to customers, understanding their needs, and enabling their sales to sell more of our products.

Chris: So you've had a pretty impressive career so far, and in your bio it notes that's you've held senior level product management roles at Map Our and Imperva and EMC Data Domain, building industry leading products and application security, backup storage markets. However, for many listeners who might want these types of jobs but are still in lower level positions, they might not know how to make the next move. So what were some of the jobs you had before this and what skills did you learn on each job that helped you to sort of springboard into these dynamic and high profile positions?

Anu: Absolutely. So my first job, like I mentioned, was as an engineer.

Chris: Okay.

Anu: It's always good to have the first break when you're coming out of college, and you learn a lot in terms of what products need to be built and learning skills on the go. But that said, for me the hard break was changing from an engineer to a product manager. Because then you're looking at kind of the macro perspective, you have a much broader role rather than just a component or a feature that you're working on, that you're building on, so forth. You need to understand the market needs, you need to understand the competitive landscape. You need to understand what customers are willing, whether they are willing to pay money to buy your product, whether that product solves a larger market need, what's your total addressable market. And then working on the execution side in terms of prioritizing features and so forth. So kind of changing my role from an engineer to a product manager was a very hard break.

And the way I went about it is I was looking at ways to help out my then PMT. So I was kind of going beyond what I was doing on a day to day as an engineer. I took on helping them out to begin with. In the meanwhile also bolstered my ... to a certain degree you also need the tool set to be able to do some of the things that I mentioned. So I decided to get my part time MBA. While I was kind of learning on the job, on the product management side, I also decided that I needed some more tools to help me with where I wanted to be from a career perspective. So both of those together is what kind of helped me move into product management.

The thing that I would tell people that are either joining the field right now, is don't be scared to wear multiple hats. There's always the comfort zone that you need to get out of. Everybody has the fear of unknown. Embrace it. I always think about it from the perspective of I have a lot to gain, and what's the worst that could happen?

Chris: Yeah. Yes. Sure, sure. Absolutely. Yeah, no. And the worst thing that happens is you learn a new skill that you don't need at the immediate moment.

Anu: That's right. And from the perspective I would also say this wasn't possible when I moved into product management. My first product management role was at HP. And I've been with Exabeam for four years leading the product and design team. The four years that I've spent here in a startup, you get to wear so many different hats, you get to experience some of the things that you probably would not experience in a bigger company where there are more established roles and processes and whatnot. So one thing I would encourage folks would be also kind of experience that startup, building something from the scratch or being part of something that's early on.

Chris: Yeah. That opportunity to like you say, wear multiple hats and try different things. So yes, now tell me about some of your current work in the realms of data science and machine learning. I mean this isn't an area of expertise that we've had on CyberSpeak. So just to start at the beginning, for those new to the terms, what are data science and machine learning?

Anu: Yeah. At a high level data science and machine learning is kind of a category of technology algorithms that allow software applications predict based on the data that's being collected. What I mean by that is, let me give you concrete examples, right?

Chris: Yes please.

Anu: When Netflix users, all viewers and the all the folks that are listening to this probably are very familiar with Netflix. They look at purchase behavior, usage behavior of users. Based on your demographic, based on your gender, based on your profile, based on what you've done in the past to predict what the movie recommendations for the future. Similarly, we all are part of LinkedIn, you're part of the professional network. And LinkedIn gives you recommendations in terms of jobs. Hey, I see you here with your capabilities in these spectrum, here's a new job that's available to you. Or here are people that you need to connect on and so forth.

All of that is essentially machine learning or data science underneath that's using volumes of data, big data, so to speak, and automatically using algorithms and based of usage patterns and profiles and behaviors, figuring out what the next best course of action is. Okay?

Chris: Mm-hmm (affirmative).

Anu: So that at a high level is machine learning or data science for dummies, right?

Chris: Right.

Anu: Now, what are we doing at Exabeam is taking that approach to detect cybersecurity threats.

Chris: Okay.

Anu: And I can elaborate a little bit more on what we are doing in terms of machine learning and data science, if that's okay.

Chris: Yep. Oh, please. Please, absolutely.

Anu: Yeah. So if you look at Exabeam, what we do is we build fingerprints or profiles similar to that Netflix analogy or the LinkedIn analogy, we are using machine learning to apply to the cybersecurity space. What we do in an environment is sit within an environment and kind of build fingerprints and profiles of users and devices within the environment. Which laptops do I typically connect from? Which devices do I typically connect to? How many volumes of records? How many emails do I send? Who do I send emails to? What time of the day do I join? What are the types of web activities that I do on a daily basis? And we build these profiles. And why is it important, is to identify threats in an environment. The threat can be what is called a compromised insider. As in somebody taking over my credentials and trying to move laterally within the environment and siphon off data. That's one type of threat.

The second type of threat is more of a malicious insider. This is an insider that has access to the intellectual property, that has the access to all kinds of information in an environment. And maybe he leaves a company, he or she leaves a company and then walk away with that critical bulk of knowledge. So we are there as an Exabeam. We are in the cybersecurity analytics plane. That market is called SIEM, S-I-E-M. It stands for Security Information Event Management, it's a $4 billion market. And we are disrupting that space with our technology where we are identifying both the insider threat, the malicious insider and the compromised insiders.

Chris: Right. Now if someone were interested in sort of getting into this type of work specifically, working with machine learning and so forth, what kind of background would you recommend for them? In terms of education, certification, job skills, soft skills?

Anu: So there are a variety of roles in the space. Right?

Chris: Mm-hmm (affirmative).

Anu: You can become a product person like me. There what you would need is a lot of analytic skills, math, computer science, data analysis and so forth. You can be somebody like a security analyst or a CSO type of a profile, where your mission is you're operationalizing and kind of bringing cybersecurity products into your environment, and triaging alerts, working on alerts, or dealing with forensics and so forth. And there's a significant career there as well, where you're a practitioner and you're making sure that your organization is secure.

And then there's the whole, I want to be an implementer, I want to be a consultant in the space. Again, there's a lot of room for growth there as well. So in terms of what I would say is things that you could do, find what you care about in the cybersecurity space, whether it's a product, it's a consulting, it's a security practitioner, it's a designer, product designer. Now for example, I want to build things that are pretty, that are usable, that are user-friendly and so forth. There's a design path as well. So there are a lot of opportunities in the cybersecurity space. In fact, cyber security is the most underemployed space in the industry in that there are way too many job openings available, too few resources or too few people available to occupy those positions. So this market is seeing boom right now.

Chris: Right. Yeah. Oh yeah. No, we've had plenty of episodes on the skills gap. So the other reason I wanted to talk to you, as I mentioned at the start of the show, is that we are interested in hearing stories from women in cybersecurity industry who, not speaking out of school when I say women comprise a small minority of the cybersecurity landscape overall. So what has been your experience as a woman in the cyber security field? What are some specific challenges and setbacks that you've had to endure that are not likely put upon men of a similar background or skillset?

Anu: Yeah. I mean, I think all of the things about me being a ... I'm used to being the sole woman in the room to the point that I don't notice this anymore. That is true. I've been in the space like you mentioned for 18 years. The thing that I am more encouraged about is I'm happy to see more and more women in cybersecurity.

Chris: Yes.

Anu: I've seen many more women's CSOs now than five years ago. And I also see women CSOs leading the large organizations, large enterprises. Speaking from my experience, now I talked about what kind of challenges me, what makes me kind of exciting, what makes my role exciting is the fact that I deal with the breadth of things. And I feel like stereotypes aside, women have the innate ability to multitask, juggling multiple projects at the same time.

Chris: Okay.

Anu: They also bring the diversity in terms of attention to detail. I feel like women, again, innately speak, regardless of generalizations, I feel like in addition to kind of being able to multitask, they bring a different perspective that kind of rounds out the different roles that are needed in an organization. Okay. And the attention to detail. So there are projects that require a lot more attention to detail. I feel like women are a lot more stronger in that particular regard. So I mean, like I said, while I see a lot more women taking on bigger roles within organizations, the one thing that I feel like as a woman, we are also risk averse. We are also more cautious when we try to grab onto larger opportunities, we always think thrice before we feel that we are the right person for it. And if I contrast that with a generic man, like they grab opportunities much more easier than women do.

Chris: Right, right. Just kind of go for it.

Anu: Go for it, yeah.

Chris: Right. To that end I've also heard tech leaders say things like, "We would have like to have more women at our company, but none of them answer our job application." So is there a way that crafting job listings or targeting women correctly as a part of the process, do you find that at Exabeam that it's harder to find women candidates, or are there more just coming through the doors?

Anu: Actually, I find that compared to all my previous jobs and previous organizations, Exabeam has a lot of diversity across a variety of positions. Not just in product, not just in programs. In marketing, in sales operations, in professional services, in design. We have a pretty good representation of women in the company. That said, I feel like it's less of a ... my perspective is it's not just crafting the job listing to target women. It's more about, I think women want to join companies where they feel like they have the strong support system, they know that they're valued. It's about showcasing how you're embracing diversity, whether it's women, whether it's minorities, whether it's other groups. So making sure that you highlight as a company, you highlight diversity, and embracing diversity is key to bringing more talent. I feel like a word of mouth and things like reviews either on LinkedIn or Glassdoor or whatnot, makes a much more stronger impact in recruiting talent than what you say in the job listing itself.

Chris: Right. Yeah. Yeah. And I guess the tech industry is starting to wake up to this, but how do we make the tech industry understand that more women in tech ultimately makes the entire industry stronger and more capable of solving these kinds of problems?

Anu: Yeah. Like I mentioned, I think the key part here is that if you look at very successful companies like Google, and even when universities bring in applicants, they're not looking for a cookie cutter. They want diversity. And the idea is that when you're working on complex projects, different types of ideas is what makes project successful. Different skillsets, different strengths, and even different weaknesses is what kind of ... The complimentary factor is what makes projects successful. So from that perspective, I think more and more companies are waking up to the fact that, hey, you need more diversity in the teams for ... and most of us are doing complex jobs, it requires a variety of skillset. And we are pulling engineers, product design, sales engineering and whatnot to kind of make a specific project successful. And from that perspective having women having, the ability to multicast, having the ability to pay attention to detail are skills that women bring. And I think more and more companies are waking up to that.

Chris: Well, so another thing that I've seen occasionally is that you do get a diverse team that brings out different opinions. And I mean that's great in terms of actual problem solving, but then you have the sort of leaderships that like, "Well I've already sort of decided what I wanted and I was hoping for a rubber stamp on it." So then you have the problem of like, now we have this diverse staff that brings like all these sort of different approaches. Is there some sort of finessing that needs to be done on leadership levels to understand that not only do you get more opinions, but more opinions are actually useful?

Anu: Yeah, yeah, definitely. Let me probably give you a concrete example right.

Chris: Yes please.

Anu: In Exabeam, we have data scientists that are women too. And I feel like one of the problems that we built with our whole smart timelines, the ability to kind of look at the user behavior in their gender [inaudible 00:19:40] and finding anomalies and so forth, are built with our data science and engineering teams, and some of them are women, and they are pretty strong technical talent. And there is that marriage of the diverse perspectives and diverse skills that built the product to where it is today.

Chris: Right.

Anu: Yeah.

Chris: Yeah. Yeah, yeah, absolutely. So having worked in information security or product management security and so forth for so long, what are some tips you would give to women entering the field?

Anu: So my biggest piece of advice would be to not be afraid to use your voice. Typically, now going back to your previous question, the diverse perspectives, diverse ideas, at the end of the day you still need to make a call. And I see in most meetings men are lot more vocal than women. Part of it is that well, women don't like either confrontation, or they do not want to either not seem confrontational, not seem supremely confident and so forth. My take is if you have a perspective, we do not want your voice, we do not want anybody's voice not to be heard. So my take is do not be afraid to use your voice, bring your perspective. We all bring different ideas and strengths. Be confident in what you're good at. Pursue what you're passionate about. Let that be the focal point, not the stereotypes.

Chris: Yeah. Yeah, yeah, yeah. So for companies trying to recruit more women and minority professionals, what should they do not only to find these candidates but make them desirable to the professionals that they're trying to recruit? Is there something that, when you say people are more likely to come to a company that shows diversity in its ranks, but how do we sort of let potential candidates know this is a welcoming space.

Anu: Yeah. So one of the things that we have done at Exabeam is we have monthly women's lunches. Right?

Chris: Okay. Mm-hmm (affirmative).

Anu: A women's forum where we come together. Now it started with maybe 10 people like over three years ago, and now we have around 50 people that are part of this. And we are from diverse backgrounds, diverse ethnicities, diverse kind of academic backgrounds, different roles that we have within the organization. But we are there to support each other. We are there to mentor each other. We are there to learn from each other. And we capture that and we make that available even on exabeam.com to show the ... or LinkedIn. We dress up on occasions, or we have [inaudible 00:22:24] birthdays and celebrations and whatnot, baby showers and whatnot. All of that makes both the emotional, the social bonding that happens is important so that people feel that they're part of a community. Right?

Now going back to how do you recruit, how do you hire? So one of the ways that we feel, regardless if women are not where we feel like we are really successful in hiring is through referral programs. Like if you want friends to come over and work. And I'm using the term friends broadly, right? If you like the place that you work for, you pull in other people that you want. Whether you know them personally or not, you want to kind of make them work for the company as well. So I see that the referral program and using your connections to bring people in, it seems to be extremely successful here at Exabeam.

And I think the other thing that always comes up when you're discussing women's career growth and so forth is always that work-life balance. Right?

Chris: Yes. Yes.

Anu: I battle with that, that's always a struggle. I have two daughters. So there's always a question of when you're taking on the more senior roles, an exec role, a leadership role, there's always that. And especially in a startup which is growing as fast as we are, there's always that struggle to balance your work and life. Now there's no doubt about it. There's no question about it. You do need a strong support system. You do need a strong support system both at work as well as in your personal life to be able to juggle that.

Chris: Yeah. As we wrap up today, where do you see, or the interesting sort of innovations that are going to be coming in data science and machine learning in the year or years to come? What are some of the things on the horizon that you're looking forward to?

Anu: Yeah. Maybe I'll start a little bit on where we came from, right? If you look at five years ago, we kind of went out with the mission of most of the legacies since were created prior to the big data influx. They are on older technology, and they were born out of a compliance checkbox. They were not solving the problem of detecting cyber security threats. So we started Exabeam as a company where we were the helper [inaudible 00:24:50] to begin with, where our mission was to detect the inside attack, the malicious and the compromised insider, and threats like data exfiltration, data leaving the company and so forth. But we always were built with big data in mind, leveraging the big data technologies like Hadoop and Elasticsearch and so forth. But one of our core competitive differentiators is the whole smart timeline where we collate user and device behavior, and make sure that we can keep the scent of the user regardless of the user changing credentials or the device changing IP addresses and so forth.

That's kind of how we were born as a company beyond the machine learning and data science and fingerprinting profiles, that's our core IP. And then around three years ago we branched out into not just being a helper on top of SIEMS, we became the next Jensen. That has always been our mission, and [inaudible 00:25:41] on that mission, where we now have an offering that's called the Exabeam Security Intelligence Platform that collects logs, aggregates logs. And that data [inaudible 00:25:51] product detects threats on our advanced analytics products and responds and automates response to our incident responder product.

Now in terms of the next set of capabilities that we are looking at, is obviously the threats are often evolving, they're morphing, they're becoming more and more sophisticated. It means that we are always innovating in terms of machine learning and data science. One example is one of the main concerns of organization is data leaving the company, right? Whether the data is a credit card data, customer data, intellectual property, be it core IP and whatnot. And data can leave in variety of ways. It can leave via email, it can leave via cloud, especially now that everything is connected to the cloud. It can leave via printing paper. Like I print a copy of the file on a paper and take it out. I can take my USB. No, there are different types of media available. And one of the innovations that we are doing is identifying what are the personal email addresses of a user so that we can then alert somebody sending confidential information or abnormal volume of information to their email account.

So while that's a specific example, you can see that as the threats are evolving, we are kind of using a variety of data science approaches to identify insider threat. Another example is usually, I know, attackers spoof devices within an environment. They come with their own bot and they spoof a device. But to a normal eye it might look normal, but when you use machine learning you can identify that that device is an anomalous asset, it's an asset that seems like a bot, that seems like an attacker, and presents that results to the security professionals, to the [inaudible 00:27:38].

Chris: Wow. So if people want to find more about you are Exabeam, where can they go online?

Anu: So regarding me, I have my LinkedIn profile, linkedin.com/anuyamunan. I'm also on the exabeam.com website as part of the execs team. With regards to the company itself, again, we are pretty active on social media. We are active on [crosstalk 00:27:59] you can find more details on exabeam.com. We always looking for talent in terms of hiring. If anybody's interested in joining the company go to careers. linkedin.com/company/exabeam is where they can find more about the company. We're also on Twitter, we're also on Instagram. So on Instagram you will find us embracing our diversity [crosstalk 00:28:21] and having fun. While we work hard we also play hard, so you can see all those aspects that I talked about.

Chris: That's great. And that's E-X-A-B-E-A-M.com. Is that right?

Anu: That's right.

Chris: Okay.

Anu: Thanks-

Chris: Very good.

Anu: Yeah.

Chris: Anu Yamunan thank you very much for joining me today.

Anu: And thank you. My pleasure. Yeah, it was an honor.

Chris: And thank you all today for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page. Just go to YouTube and type in CyberSpeak with InfoSec to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts, including this one. Just search CyberSpeak with InfoSec in your favorite podcast app. To see the current promotional offers available for podcast listeners and to learn more about our InfoSec pro-live bootcamps, InfoSec skills on demand training library, and InfoSec IQ security awareness and training platform, go to infosecpkstage.wpengine.com/podcast or click the link in the description below. Thank you once again to Anu Yamunan at Exabeam, and thank you all for watching and listening. We'll speak to you next week.