CRN Interview: HPE Aruba VP Lunetta On Partners' Must-Have Security Skills And Why Machine Learning Is Like Carpentry

HPE Aruba executive Larry Lunetta speaks with CRN about why the company wants to empower partners to take on a new set of skills and embrace an open, machine-learning-based philosophy.

Welcome To The Machine

For Larry Lunetta, vice president of security solutions marketing at HPE Aruba, machine learning is a lot like carpentry. With a relatively small number of tools, a carpenter can build just about anything. Machine learning also requires a small toolbox, but requires deep knowledge, skill and expertise to be successful.

Sponsored post

"It's not about knowing how to plug data into an algorithm," Lunetta said. "It's knowing what you want to accomplish, what data you want to use and understanding what result you're getting. That's an iterative process and it depends on the type of machine learning you're using."

Lunetta came to HPE Aruba a year ago when it acquired machine-learning-based security firm Niara. Perhaps it's not surprising that he has come to view HPE Aruba as "a security company wrapped in network products."

Now, Lunetta is laying the groundwork for an effort to bring HPE Aruba's security solutions front and center as the company seeks to differentiate from competitors like Cisco Systems. To do that, the company wants to empower partners to take on a new set of skills and embrace an open, machine-learning-based philosophy, Lunetta said.

What follows is an edited excerpt of Lunetta's conversation with CRN.

Are vendors like Aruba and Cisco, etc. all trying to do the same things the same way when it comes to security, or is there meaningful differences between solutions?

I think there are meaningful differences, and it depends on what problem you're trying to solve, what data you're collecting and how your analytics work. With Cisco, for example, if you drill down inside DNA and how they handle security, the have ICE, which is a NAC [network access control] solution, and from a behavioral perspective, they've plugged in StealthWatch. The legacy of StealthWatch is net flow, so that's the primary data input, and they've put a cloud-based analytics solution on top of that. The vocabulary tends to be the same, but that's a very narrow aperture into IT activity, where for us, we do flow, but we actually have our own packet processing technology so we can mine the packets that come from our switches, that come from Cisco switches. We're very multivendor in that perspective, and we mine 5,000 different meta-variables out of that packet stream.

What advantages does that give you?

We do that for a couple of reasons. One is machine-learning algorithms don't deal with packets, you have to feed it the right level of information. By virtue of the fact that we understand how networks work and understand what's in the traffic, we can harvest a lot of material that's security-relevant out of that activity. We also look at logs, we look at alerts. We have a very broad view of IT activity. One of the axioms of data science is the more data the better, both in volume and in scope.

Will it be more important going forward to have multivendor capabilities?

That's the other philosophical difference, perhaps. Aruba has always been a multivendor, open ecosystem player, because when Aruba got started it was plugging into other peoples' networks. We've carried that philosophy. Some of our biggest ClearPass customers run exclusively on Cisco. Airwave, I've met customers who use Airwave to manage Cisco environments. That's been a virtue for us. In the security world, I think most organizations are trying hard to erect a set of defenses that is, in their mind's eye, comprehensive. There is no vendor, even the McAffees and Symantecs and Ciscos, that check every box. Once you admit that no one is going to deliver it all, the only alternative is to play well in the sandbox. That's very important to us. We have over 120 security technology partners, and they're not just security vendors, they're mobile device management vendors, identity vendors, all of whom contribute to the value that a ClearPass or an Introspect can deliver.

Is that how the relationship with Palo Alto Networks began?

Palo Alto Networks is a very key strategic partner. ClearPass has very tight integration, we have bi-directional integration. One of our largest Introspect customers, for their own reasons, primarily relies on Palo Alto Networks firewall logs as the activity source for our machine learning. There should be a symbiotic relationship between what we do. We sit on the top of the stack with Introspect. We use a big data platform. We have an enormous scaling opportunity. We have an enormous appetite for data. We can run the analytics you need to run. It tends to sit cheek-by-jowl with a SIEM as a complementary turbocharger. We don't want to be a SIEM. We don’t want to try to replace a SIEM. There's so much workflow, training, so much legacy infrastructure built around a SIEM, and we want to complement that.

What are some of the patterns you're noticing among customers in the security market today, and how can partners capitalize on those patterns?

User Entity Behavior Analytics [UEBA], which is where Introspect sits, is in its early stage. ClearPass is going through a renaissance because of IoT. Being able to discover and profile things is becoming more and more important. It's real now. We do [proofs-of-concept] with ClearPass and Introspect that are exclusively on IoT use cases now. If you ask me where the barometer is headed, it's headed right to the 'things' environment. It's not only finding and profiling, which is what ClearPass does, it's assigning policies, and that's another place where partners can add a lot of value. It's not just finding things, it's making sure the authorizations are appropriate, that the organization is assigning the right responsibilities to the things they find.

So it doesn't become the Internet of 'dumb' things?

That's an interesting point, because they actually, from a security point of view, are dumb. No one designs a heart monitor, or a vending machine or lighting to log. There's only one way you can see what's happening, and that's looking at traffic. You find it, then it's the deep packet inspection and the behavioral characterizations that will tell you if it's rogue or not. There's a very nice integration between ClearPass and Introspect where ClearPass will find and profile a device and tell us this is a drop cam, this is a vending machine. That's good to know because when something goes bump in the night, we want to tell the analysts this is not a rack server, it's a drop cam. But we also use that information in the analytics because we do an individual entity baseline, and we also do pure baselining. We'll look at all the drop cams in your building and if one is behaving differently than the others, we'll flag that. The way security is dealing with things is being completely renovated.

What do you need from channel partners that you're not getting today?

We love certifications, and there's going to be a data science element to that. That will wind up being credentials and capabilities that will be applicable to different spaces. They don't need to be data scientists, we'll help them understand it. We want partners that can help us have a conversation with a security buying center. We're very adept with the network buyer, and they're certainly relevant in the security conversation, but now we want to take that same set of concepts, technologies and solutions and make sure the security team is aware of them and comfortable with them, as well.

How do you see HPE Aruba integrating its new solutions like NetInsight and acquisitions like Cape Networks for security purposes?

We'll take the same data over time that Cape is focused on, or that NetInsight is focused on, and start using that same data in a collective way. You're going to see us crowdsource a set of data that Introspect can go in and say I can use that from a security perspective. Cape can go in and say I can use that from a security perspective. We get much more efficient in how we collect it, how we use it. It's very exciting to see how data science is going to permeate.

Where has Niara found a home in the HPE Aruba portfolio?

Introspect has been added to the security portfolio. The Aruba 360 Security Framework was announced last September. It has a number of elements in it, and Introspect is one of the centerpieces of that. Aruba's been in the security business a long time. It has always distinguished its networking product with the amount of security you get along with it for free, not storing encryption keys in wireless access points, for example, because if you steal an access point, you can steal the key. We do encryption end-to-end, and the nature of it is military-grade. A lot of folks told me Aruba's more like a security company wrapped in network products.

How do ClearPass and Introspect work together?

It's been an Aruba product for seven years now and we have 7,000 customers. That also is a security product in the network access control space. NAC isn't a concept that's new, but it's continued to be refined, and pairing it up with some of the embedded security in the network infrastructure has made ClearPass a very powerful part of the security portfolio. Think of ClearPass as pre-admission control and Introspect as post-admission monitoring and attack detection. That's part of the 360. The rest of the 360 comes from using ClearPass as the gatekeeper to the network to not only a device on the network, but also to take action to either restrict or take you off the network if an attack is detected. The idea is that if you're in an all-Aruba environment, if Introspect does detect an attack under way, we can now by menu take an action. We're going to continue to build out the security portfolio, a lot of it leveraging machine learning. That's one of the pivotal technologies that Introspect is bringing, along with NetInsight and now Cape Networks.

Does the maturity of machine-learning technology present the network security market with a big opportunity?

Maturity is a hard thing to characterize, but we believe firmly in that. It's hard to get machine learning right the first time. You can count on two hands the number of algorithms and models you can apply. It's sort of like carpenters. The they have 10 or 12 tools, and they can use them to build highway bridges, or cabinets. It's all about the skill they acquire over time. I look at machine learning in a similar way. It's not about knowing how to plug data into an algorithm, it's knowing what you want to accomplish, what data you want to use and understanding what result you're getting. That's an iterative process and it depends on the type of machine learning you're using.

How do you make the most of your machine-learning capabilities?

There's unsupervised and supervised machine learning. The unsupervised piece is more about building behavioral baselines and looking for changes. Where it gets interesting is on the supervised side, which is use-case-specific. The way we use it in security is we look for activity that's part of the kill chain. The things we look for are not the smash-and-grab kind of attacks, we're looking for attacks that may take days or weeks or months to gestate and we're looking for command-and-control, we're looking for surveillance, we're looking for privilege escalation or big data moves. Building models to look for those types of things is an ongoing process, and refining them with new data and new understanding of how attackers work is an ongoing process. We feel good about what we're doing. Niara, between starting and being acquired by Aruba, is five years old, and we started with machine learning as a core part of the product. We have a lot of competitors that are racing to catch up.

What are the most important things solution providers need to know about selling security solutions today?

There is a sea change going on. Machine learning is a probabilistic process. You do not get a black-and-white answer. The models, if they're done properly, can be tuned. Data science is going to be ubiquitous in our industry. We're using it for productivity, for operational excellence, for user experience and for security. It's almost guaranteed that no matter where you play or what products you sell, you're going to get into the data science experience. So, learning how to tune models, how to interpret them, how to get customers to focus on the right problems is important. Second, no one wants to boil the ocean with data science, so we talk about monitoring users and systems and devices, but you're not going to go into a 300,000-person organization and do it for everybody. So, you're helping the customer understand where it's best applied, helping them decide where the high-value assets are, where the high-value actors are and where it's best suited for the security problems they have.

Can you give an example?

PCI. Watching folks who have permission to touch PCI data and the assets that are housing that data, is a particularly fruitful place to apply a new type of attack detection. You're probably familiar with [the European Unions'] GDPR [General Data Protection Regulation] and data privacy. The wave is coming. Even though we don't have GDPR in the United States, we're going to see similar initiatives and similar requirements. Helping customers find their data, the personal data, and doing red-circle fencing from a data science perspective to watch activity associated with that. There are a lot of ancillary services associated with data science that a partner can apply and we're certainly encouraging our partners to do that.