Interview with Rick Mischka of BluVector


In this interview, PeerWise had the opportunity to talk with Rick Mischka. Rick has had an interesting career to get to where he is now as a cybersecurity professional. After a career in IT, as a Green Beret, a volleyball coach, and a software vendor (among other roles), Rick now finds himself working as a Senior Manager in cybersecurity business development and strategy at BluVector. He also hosts the Cyber Pro Podcast alongside Jeff Chao, where each episode they ask cyber professionals 5 questions related to the field. Read on to see Rick’s insights into the cybersecurity software space. He talks about machine learning, AI as both a buzzword and a tool, and how the software landscape looks in the modern day.

Nick Zeckets:

Rick, thank you so much for joining us here at PeerWise to talk a little bit about cybersecurity. I’m going to start off with the easy question. Tell us a little bit about yourself and what brought you to the world of cyber security.

Rick Mischka:

My name is Rick Mischka and I am probably six years into cyber, but a lifelong IT nerd. I actually took a different path. I joined the military thinking I was going to do something civil affairs IT-based and ended up becoming a Green Beret. So I did not have a normal experience. I went from the military into professional sports and coaching.

I just decided a couple of years ago that I had not used enough of my veteran benefits. So I went and got a bunch of educational courses and certifications in the cybersecurity space and instantly got hired by a digital forensics firm. So it was pretty quick, and that was fun. That was a good opportunity for me to work in the solutions architecture side and then move into digital forensics.

And now I moved into technical product management and I’m actually moving beyond hands on a keyboard again, into more cyber strategy for a machine learning and AI program and detection engine. So kind of a fun transition, but not your normal one, for sure.

Nick Zeckets:

That’s interesting. Is that AI company BluVector?

Rick Mischka:

It is. Yep.

Nick Zeckets:

Why don’t you tell us a little bit more about what BluVector is doing?

Rick Mischka:

BluVector came out of the federal government and Northrop Grumman in a combined program about 12 years ago now. Their focus was on what can we do in an air gapped environment where you can’t use a signature based detection tool? We still need to identify zero day or polymorphic malware. And this tool created a great machine learning model supervised to start with and was able to meet the needs of the government agencies.

Since then we’ve been acquired by good old Comcast. So we are a large company now and it’s been great. We have a good strategy. Comcast has actually put us in two thirds of their entire network, which has shown the commercial use case. And now we are just in the pivot stage of opening our commercial and channel partner play regarding both the advanced threat detection, or malware detection side, and a new machine learning model that we’ve just patented that’s focused on building campaigns for threat hunting.

Nick Zeckets:

That’s very cool. That’s super exciting. This is an interesting opportunity that as someone who has built and someone who has designed and commercially supported and led a number of interesting cybersecurity ventures, it would be compelling to hear you describe the cybersecurity software space as you see it.

Rick Mischka:

Vast, that’s probably the biggest and most important word to say. Vast. I think there are so many different areas that software can go, and it doesn’t matter if it’s SaaS or what the software looks like, but ideally we’ve gone past antivirus and we’ve gone past all of our signature tools and we’ve gone past firewalls. Those are all things that are the norm now. And so when we talk about software, it’s what’s the next iteration of protection.

It’s starting to go down almost a warpath between network detection software, those types of tools out there like ExtraHop and the Zeek tools, versus your endpoint software like CrowdStrike or Carbon Black or others. Both sides are extremely good at what they do, but neither side is focused. Now you’re seeing software that’s coming out, calling it XDR or EDR, extending the detection and response. All of it has some play on the machine learning (ML) side, right?

I think that’s important because it lends itself to the big question, how can we alleviate the workforce gap? A lot of companies are looking for people and they just don’t have the people, or they’re not right skilled yet. And they are looking for software to alleviate some of their stresses where the problem is that there are so many to choose from. It really is going to be dependent upon what you need and how you view your cyber profile.

I would always caution somebody not to just choose the biggest and brightest. Choose the one that meets your business intent. What’s the software that’s going to help you make money with your business. And if the software doesn’t let you do that it’s probably not the right software for you. So is that what you’re looking for?

Nick Zeckets:

That was so much of what I was looking for and now I have 47 follow on questions. That was such a great seed. And I think a sharp response, this idea that the cybersecurity software market has evolved as you laid out from, “Hey, I’m going to make sure that I’ve got antivirus here locally on my computer,” through to “where is machine learning playing a role”. And then there are these two siloed markets that are starting to intermingle. The one thing that they hold in common, which seems to be a response to a pretty severe market issue, is leveraging machine learning in order to address the fact that frankly there just aren’t enough operators in this space. 

We’ve talked about this a bit here at PeerWise. About the gap in cybersecurity job requirements and needs and how many people are out there actually getting those jobs. And we could talk about that until the end of time. And maybe we should, but I’ve got a couple of other questions that have come out of some of the things that you shared.

One of my questions is about machine learning. Machine learning is one of those really fascinating areas of technology where I think a lot of software buyers see it a little bit as a bit of a black box, right? There’s this magic that happens inside of this vendor. They use these interesting buzzwords and now that means that their software is better.

I’m curious to ask a few things, particularly to help this audience, what are some ways in which you’re seeing the software market doing interesting, truly value add things with machine learning. And what are some claims of machine learning that you feel are occurring reasonably often and are probably overstated?

Rick Mischka:

I’ll actually answer your second question first because you asked the question about machine learning, but oftentimes software vendors and cybersecurity people are using the word AI, artificial intelligence, and they don’t understand what that means. You go watch a movie about some robot that’s come to life and you think, man, this is what AI is. And I truly believe in the market AI is overused. I think it’s a buzzword. I think it’s a word that nobody understands. I think it’s opaque and mysterious, but it’s fancy and fun.

When you hear machine learning you’re like, well, okay, that’s a box learning how to do something. What’s so fancy about that? But that’s actually what’s happening in most situations. While I’m not a data scientist, true machine learning is done through data. And if you’re going to have software that has true ML, my recommendation is you review their internal team. Do they have a team of data scientists that are feeding their ML tool in a way that’s going to give you what you need out of it. If they don’t then that’s okay, but they’re most likely using a preconceived ML that came from somewhere else. And it truly becomes this turnkey black box off the wall off the shelf solution.

I think the most interesting part about machine learning is all of the different models and algorithms that are out there, but you don’t need to understand the algorithms. You just need to understand what the data is going to be used for. Take the fact that there are companies out there that do supervised versus unsupervised machine learning. Well, what’s the difference and why does it matter?

In cybersecurity this is a huge difference. If you do supervised machine learning you’re going to lower your false positives because you supervise the machine learning and you’ve done it on a data set that’s probably so robust that you’re limiting that. You’re lowering your false positives, but over time it may not find new or modified data unless you’re consistently updating that model. Versus unsupervised, it’s going to find trends. It’s going to find abilities that your supervised ML models won’t find, but it’s going to take time and it’s going to throw a lot of false positives and false negatives.

Understand what you’re getting into. Right? If you want to do deep learning that’s a completely different beast. And that’s probably the closest thing we have to AI at this point, but do you need it? I mean, no offense, you probably don’t. Even Microsoft 365 comes with some built-in ML all based upon the fact that they have a huge database that they can say, oh, this is what we normally see, you shouldn’t open this even though it’s not in the signature tool.

When I look at machine learning it’s not overly mystifying and I feel people need to take a step back and say, what is it doing? Okay. It’s taking all of this data that we have in our lives and it’s doing something with it that makes my life easier. Automation gives me data that matters to me and kicks out the noise. That’s really what’s important for me. It might not be important for you. You may not care what the noise looks like. You may want something else out of the data, but that’s where I fall.

Nick Zeckets:

I think that’s a nice distillation of what’s happening in the market. I can’t agree more with your comment about how these concepts are being represented, frankly by product marketers, the idea that it’s AI. There’s that kind of funny tongue-in-cheek joke about what the definition of AI is, and the definition is the thing that we haven’t done yet. And it’s true. Independently having an algorithm make decisions about information that it hasn’t seen before. That’s not there yet. You’ve got a couple of interesting applications, but so far as I know there are not any real ones yet in cybersecurity.

I think it’s really important for people to kind of keep that in mind, and I think by knowing to your point that it’s not real, but that what people are actually representing is machine learning. And then having that view on it of what data are you using and what questions are you answering with that data? I think is a nice way for someone who is busy, and perhaps wearing 12 hats, inclusive of cybersecurity to evaluate the pragmatic value of any kind of given software solution for their organization.

That segues into the next question that I would have which is very much related to the wonderful rubric that you gave around evaluating things that are ML related within the cybersecurity software space. Can you share with us, as someone who’s been in the room and in those pursuits around selling and transacting against cybersecurity software offerings and service offerings, what are the questions that you’ve heard in the last year or so from a buyer that you’ve said, that’s a fantastic vendor question? That’s smart. That’s the type of question that they should be asking every vendor and every vendor should be hearing from every buyer.

Rick Mischka:

Yeah. So, I mean, there’s a couple just off the top of my head. The first one I was impressed with because I heard it about a month ago and that’s the first time I’ve heard it. Vendors talk about all the good things our tool can do and how they can make your other tools better because we integrate. And oftentimes you get the question, how do you integrate?

Then you have an answer for that, right. Blah, blah, blah. This is the reason we can JSON, blah. I mean you name the way you can integrate. Oftentimes it comes back to an API integration. And the question that was posed to me was – you have a secure solution. We have a secure network. How do we know that API integration isn’t the weak spot? How do we know the API security is as strong as what you have and what we have? It was a really good question.

We actually dug into it and we found there are not a lot of API integration security tools out there. Those that are out there are fairly new. It was something that when we dug into our API integration, especially with one specific tool that they had, and it was absolutely a weak spot. And we caught it before we installed and implemented, but that was interesting.

Having been in the industry, not as long as many of the people I know, but just even the last couple of years for the first time a month ago hearing about API integration security was integral, and then catching it. That was pretty interesting. So I think if you’re looking at a tool to help you automate, if you’re looking at a tool to help make your other tools better, ask about the integrations, but also ask about the security around the integrations.

So that’s one. I think the other one that I’m seeing a lot because I do play in both the government side and the commercial space is why is it important that your tool meets our compliance requirements? And “our” is a general, it’s the royal we. It’s if I’m government, I have to meet NIST or CMMC requirements. If I’m commercial and I’m a bank, I probably have to meet the FRB’s requirements or FTC’s or all these other requirements. How does your tool help me make those compliance requirements and do it in a way that I don’t have to add work to my staff?

I think any cybersecurity tool should have value from not just what the tool does, but how it’s helping you from both compliance and a risk standpoint. Is it lowering your risk? Good. It should be. That’s why you’re buying a tool. Is it helping me understand my compliance profile? And I would argue that it should help you in some way. It should check a box as well. You shouldn’t just buy a product that doesn’t check some box. Those are the two things that I think I’m hearing the most of lately.

Nick Zeckets:

That’s fantastic. And on the flip, what is it that you’re hearing from cybersecurity decision makers that you feel like is maybe chasing the wrong things? Or what are the questions that people are asking that cause you to step back and say that question isn’t coming from the right place, or you’re chasing after marketing, not fundamentals? What are those things that marketers have convinced cyber security software buyers are important? Meanwhile obfuscating the things that really matter from your perspective.

Rick Mischka:

There’s a lot of little in the weeds we could get into that, but I think the biggest one that really confounds me is cybersecurity is secret. And marketing teams, product teams have made this idea that if you’re not protecting your data, if you’re not keeping your network secure and secret, you’re not doing your job.

Here’s my take on it right or wrong. This could cause some debate, which is a good thing. I feel that the bad actors of the world already know what we’re doing. And they’re finding ways through, we’re patching, they’re finding ways through, we’re patching, it’s this constant never ending battle. It’s just going to keep happening. However, what if the top 10 technology firms and the top 10 agencies in the government got together and said, let’s stop saying all of the stuff we’re doing is secret. I’m not telling you I have these 15 products because I don’t want people to know how they can break into my network. Instead I have these 15 products and I’m working with 20 other people and we’re making these products virtually indestructible. I mean, not completely, but virtually.

I feel that it’s starting to shift a little bit, but I do think that a lot of people, especially cyber vendors are going out there and saying we’re going to keep your data private because we have to legally, but also this is more important to make sure that nobody knows what else you’re doing. And I just don’t agree with that.

I think that it would be better to share your use cases and share your story. And now everyone can be like, oh, great, I mean, let’s not let another SolarWinds happen because we had a trusted file come through. Hey guys, I caught this, Comcast didn’t let it go through because we actually do lab testing on all new patches and updates. If Comcast was more friendly with our competitors protecting our internet infrastructure, we could have shared that and said, hey guys, stop, hold on. This is our best practice and we think we’ve caught something, but it wasn’t caught until it was a bad thing. Hey, we’ve been breached. Stop waiting for the breach.

I think if I was going to put it in simple terms, stop waiting for the breach and share what’s happening. You don’t have to share with people things like this is what we use for a password manager, but share what’s happening in your network. So people understand.

Nick Zeckets:

So having some kind of an attack exchange.

Rick Mischka:

Yeah. I don’t know if you’ve ever heard of TheHive. It’s an open-source threat intelligence tool. And basically you’re sharing with all the other people in the community things that are happening or you’re highlighting in your threat intelligence feeds using whatever tools you use.

And other solutions are doing that. There’s a national solution down in the Southern shield area, kind of near Florida and Georgia, that is doing something similar. And they’re noticing fewer breaches. It’s not a complete removal, but they’re noticing fewer breaches because when somebody catches something, everybody now can catch it. And so they don’t have to purchase the same tool that Bob has, because Bob is sharing that information with them and they can go use their tool to stop it, which is kind of cool.

Nick Zeckets:

That’s interesting. That’s a tough pill probably for a number of cybersecurity software vendors to swallow that ostensibly you could walk your way out of deals because somebody within a consortium like that is already “covered”. Right. And so long as they’re opened up the rest of that consortium maybe becomes unsalable.

But I think on the other side of that seesaw you could say that your security impact is significantly higher as a vendor. And we all know at the end of the day that everybody wants control. So I think you’re getting marketed to by the rest of your consortium members and you go, wow. Bob caught it with tool X. I don’t want Bob to be my point of failure. So now I’m going to go get that tool, but geez, Bob, thanks for letting me know you caught it, and thanks for letting me know how you caught it. I think that if I were in the marketer’s shoes or the business development team’s shoes that’s probably how I would be thinking about that consortium value proposition.

I feel like we could probably cover a lot of additional ground. It has been so fascinating to get the perspective of leadership from a major vendor in the space. Particularly given your coverage on both commercial and government. I think that that’s a really fascinating pairing of insights. I’ll ask one more question. Is there anything that you want to impart to the community from your years of experience across the space, something that you feel is your Occam’s razor of how to stay safe in the modern cybersecurity environment?

Rick Mischka:

I’m going to take the easy path on this one. Never stop learning. Don’t think you know it all. Just continue to think that you don’t have all the answers and the answers will come to you because of that. I think if you get so set in your ways, you’re going to start missing things, especially in cybersecurity.

Just because your endpoint solution has worked every time to date doesn’t mean you shouldn’t be asking questions about how it may not work and help the vendor make that not happen. Be awesome about just working with your vendors in a proactive stance.

And that lends itself to the second part of that, which is if you’re always learning and you’re always asking questions that allow you to be proactive. I think today’s cybersecurity is very reactive. It’s all about I know I’m going to be breached. So when I’m breached, what do I need to do? And I think you should have that mentality at a time. But if you’re proactive about what you’re doing, what you’re learning about, what questions you’re asking, then you truly have cyber resilience. And with cyber resilience, it doesn’t matter if you get breached because you have both the proactive and the reactive sides covered. That’s my take on the thought process around it.

Nick Zeckets:

I love that. And it’s also doable, right? You’re not prescribing that people sign up for a million dollar a year software solution. You’re offering up something that’s within reach for anybody. And I think everybody in our community very much loves that kind of guidance. Thank you. Killed it. This was phenomenally insightful.

Rick Mischka:

Thanks guys.

The Takeaways

Rick starts off by summarizing the cybersecurity software space with one word: vast. Firewalls and antivirus software have become the norm and are owned by established players. New software is being built to add another layer of protection. He sees it going down two general paths, network detection software and endpoint software. Extended detection and response (XDR) and endpoint detection and response (EDR) software is also coming out.

All of these tools use machine learning in some way. AI is a term that carries with it an air of mystique and confusion. When most professionals use this term they are really talking about machine learning. He sees automated software as a solution to the skills gap, which creates a shortage of employees with the required skills.

Rick lays out two questions he feels cyber professionals should be asking their vendors. First, they should ask about security surrounding API integration. Sometimes a vendor’s software can be secure, and the client’s network can be secure, but the API integration can have a vulnerability. For this reason it is important to ask about the integrations as well as the security around the integrations.

Another question clients should ask vendors is: how does your tool help me make those compliance requirements and do it in a way that I don’t have to add work to my staff? A cybersecurity tool should have value in its function, and also from a compliance and a risk standpoint.

A potentially controversial idea Rick holds is that an increase in data sharing between government agencies and tech firms would be beneficial, specifically sharing information about the tools they use and the threats they encounter. Instead of keeping these aspects of their security a “secret”, these organizations would be better off communicating more openly. We talk a bit about this in an article about high alert recommendations put out by CISA. There is a push to increase information sharing by government contractors to government agencies, and this may not be a bad thing.

As a parting remark Rick says to never stop learning. And on top of that, learn to ask questions that allow you to be proactive and not just reactive. He says, “if you’re proactive about what you’re doing, what you’re learning about, what questions you’re asking, then you truly have cyber resilience. And with cyber resilience, it doesn’t matter if you get breached because you have both the proactive and the reactive sides covered.”
