Scaling Security for Agile Organizations with Data Analytics by bp

Progressive security organizations demand maximizing value of big data and data analytics platforms.

What if there were a way to enable security practitioners to exercise their domain expertise giving them direct access to data for objective decisions, abstracting the complexities?

In this talk, we will introduce the bp journey towards sustainable security whilst facilitating fast paced business change securely.

bp in collaboration with Elastacloud have assembled a cloud-native platform for collaboration around data insights that enable federated teams to maximize value from security data. This involved not only changing the platform but the way of thinking about data and modern event driven architectures to change traditional thinking in the security operations area. bp will also present one of their opensource projects, a Spark CEF Reader accelerating security operations using standard SQL syntax to hunt, query, and investigate threats without the need for any programming.

Speakers: Denis Ontiveros Merlo and Monzy Merza


– Welcome everybody. Thank you for joining the conversation today, Cloud and COVID and security transformation, they’re top of mind for a lot of us in the security community. Nowadays, as organizations move more and more to the cloud and there’s more demands on the security teams, we have to maintain the hybrid infrastructure, we have to maintain multi-cloud infrastructures. My guest today is a 20-year veteran of the security industry. He’s done everything from being an Audit to being a Chief Information Security Officer. He has seen multiple inflection points in the security industry and community over the past 20 years or so. And today, he’s gonna talk to us about the new inflection point that he’s seen around how security teams can enable the organization or the business itself, instead of being the stick. So,, without much further ado, Dennis, welcome to the conversation. How are you doing?

– Great. I’m doing great Monzy, thanks for having me and for the opportunity to share our journey with you and with the audience.

– So Dennis, let’s just jump right into it. Give us a little bit of introduction about BP and why this security conversation is so important.

– Yeah. I mean, it’s interesting, there’s massive disruption in the whole energy industry, right? And especially, in the oil and gas industry. I think there’s a lot going out, as you said, COVID, the pandemic and a lot of digital transformation happening everywhere but especially in the energy industry, there’s this massive need for that energy transition towards a lower carbon, right? And BP has made a very conscious decision in their ambition to declare themselves net zero by 2050 or sooner. So, the next decade is gonna be a massive journey for BP to transform itself from an international oil company to an integrated energy company, right? And using digital innovation as a driver of that. So, it really is about re-imagining the whole energy sort of paradigm for our people, for our planet, right? Which means we really need to reinvent ourselves as a company and security isn’t different, right? So, we also need to form part of that reinvent.

– That’s amazing. So, you really are driving security from the perspective of a business driven effort and really being sensitive to that business. So, how is that transformation happening for your team? You’re the Director of Engineering for Security, what are some of the big items that are top of mind for you?

– Yeah, I think it means quite a lot for security. I always find the angle how security can provide value. And I think the key thing is, I’ll see, oh Burnett Rooney, said it right, “We cannot do this alone.” Right? And that’s very authentic in the sense of that these are difficult problems, right? We’re gonna have to collaborate with a large amount of our… Of the industry, partners, collaboration. There’s gonna be more data sharing than ever before. So, to be able to facilitate that whole innovation cycle to find the new technology that’s going to save the planet from the energy challenges it has or the new battery technology that will enable us any low carbon sort of technology in general, or be more efficient in our operations, we need to facilitate that, right? We need to facilitate that in a secure manner. So, I think security plays a massive role in that. And I always talk about this dichotomy, between a false dichotomy and a true dichotomy. A false dichotomy is this, “We need to compromise privacy for security,” “or security for privacy.” And then, you’ve got this true dichotomy which is, “How can we set the data free, securely?” And that’s a challenge that we have. So, we need to enable the business in that side. So, that’s one piece, how can we enable the business, the people building, the digital builders building things, that’s our first thing. And the second thing is to facilitate transition through innovation, how can security ourselves use technology more? How can we use AI? How can you use ML? How can we use big data? How can we use the cloud, you know, sort of technologies more natively. So, in other words, we’ve got a legacy in large scale data. We stream today over 5 billion events per day, right? And that’s growing, that’s growing. So, how can… We can’t do that with the old way of doing things, we need to think about different things. So, I think we have a very exciting role to play in this value chain.

– Very cool. And so, you’re really looking at security as an enabler to accelerate the business to go forward. And you’re also taking this approach of thinking about this true dichotomy that you believe in that it’s not just about how to just protect the information and say “yes’s” as “nos”, but really how do we embrace that kind of a future because it’s required. So, that security is responsible for sharing responsibly, sharing properly and really using big data technologies and ML and AI types of technologies into the mixture there. So, as you think through that, talk to us a little bit, I mean, it sounds like there are flavors that are of scale that that would be required because now you’re sharing lots and lots of information. There’s probably elements a lot of automation. Like how does that come into your mindset?

– Yeah. Scale is an interesting one because I think that’s the problem. I think we really don’t scale. And especially process, et cetera, so how we need to share information. I mean, one thing is front and center, right, digital trust. So, we need to make sure that trust that consumers and customers have put on us is always maintained. So, I just wanna make sure that’s clear. But I mean, scale is the biggest problem. We need to scale from a technology perspective, we need to scale from a process perspective and from a people perspective. From a technology perspective, clearly, now moving towards cloud native technologies is there but it’s really embracing those architectures, as I said before. I think the second thing is process wise, if I go back to the agile manifesto, individuals and interactions over process, as much a process as we need, how can we orchestrate and automate some of those processes? So, that’s a key thing. And then, people wise, there’s a massive shortage, in the industry. And you don’t find those unicorns in the security industry. We talked about always how many people or how many people you have versus people well security people, you know, even have less of, right? So, I think those are true so how can we build the knowledge we have into the platforms, codifying it so we can scale from that perspective. So, that’s really, I think, what we have ahead of us. When we moved to the cloud we made a conscious decision that we were not gonna take the legacy with us. And we’re going to use this as an opportunity to transform how we architect security and how we architect things, how we architect teams, is actually, has a direct impact on what the result is or what comes out. I think that that was… It’s not only the technology but it’s also a team architecture of how we think about things. So, that’s key. We do have a dual cloud strategy and, you know, like many other companies you’d be working with two or three types of clouds. So, I think it’s key there that we have some core components that always data, identity, protection, security, using platforms like Databricks to make sure we have a harmonized layer across everything and we can keep that visibility which the cloud sometimes is a challenge because of the scale. So, I think those are fundamental elements that we can do. And that’s fundamentally, at the core of it is, when we talk about scale, we talk about data permits us to automate, which permits us to scale. And if you follow that through, it always plays true. That permits us to have frictionless and pace, right? So, I think that that’s at the core of our philosophy of how were we gonna scale.

– I really liked that expression that you just used, that data permits you to create automation that permits you to create scale. And because oftentimes we think of scale in terms of how are we going to scale our capacity to acquire the data or store the data. And you’re almost going further down that kill chain, so to speak, to say, it’s not just about collecting at scale, but it’s about how do you analyze it, how do you create automation techniques out of that sort of scaling capability. Now, I think oftentimes people talk about automation and I’ve talked to you a few times. You have a very particular sense of automation and what it means. So, share your view a little bit with the audience.

– So, yeah, that’s a good question. I mean, I really find it interesting and this is something that’s just in the last couple of years has come to my head but automation is always associated with, you know, doing things faster and doing things cheaper. But really what I believe automation brings us, it forces us to think in a different way. When you automate something it’s like SRE engineering. You put a developer and you put a problem and you get a solution. But it forces us to think much more than declaritively, it force us to think, how our processes really work and how we can design them. So, that’s the big value of it, on top of obviously, getting things to be done faster and at a lower cost. So, being more declarative is really good because when we interact with our customers, the developers the builders, the people assembling the solutions for that innovation, in the traditional security interaction is not… is quite subjective, it’s not very objective. So, be much more declarative around that relation, what the expectation is. You can go back to you know, motivational theory when somebody has clear goals and objectives and the expectations are clear, it’s just a better relationship. It’ll be a happier relationship in general. And I think that helps us you know, to codify what expectations are with the other parties, with the developers. That’s what I think automation really brings us. And in the end, I think it’s about, you know, making sure that the CSOs, future CSOs will be judged on their ability to enable those digital innovation teams, those digital builders. You know, there is simply less of an appetite for control, that is a reality but I think we can still keep that control if we change the way we think about things through automation and be much more declarative around our policies. So, I mean, I’m really excited for that challenge, orchestration around automation is fundamental. We’ve automated many things, right? I think we’ve done things with data and automation around self servicing, our vulnerability management processes. We’re able to collect information around our usage of all our dashboards so we can remove access early. And basically nudging users when something is of risk. So, nudging theory but using data behind it for security purposes. So, it’s just the beginning really. I mean, all that data was there latent and platforms like big data platforms, like Databricks accelerates that journey, especially for the developers. Get running very quickly. We don’t have to worry about the infrastructure. If more clusters are scaling properly. We could just get straight to it. So, I think that’s really useful in our automation journey.

– So, Databricks is really serving as that layer that allows you to scale and be elastic really, as things go and enables you to do a lot of, really create that value as you say, the data was there, it was latent but now be able to make use of it. One of the other things that you had shared with me in the past that I thought was a pretty exciting story is oftentimes when big data is talked about in the security context, we talk about in the context of detection of bad things or… Whether it’s user behavior kind of detection or whether it’s threat detection of some kind and anomaly detection and so on, especially in the machine learning context. But the story that you shared with me that I thought was interesting was around these vulnerability management peaks where you and team have created these, I think you called it a barometer, for individuals. Talk to the audience about the data challenge there, and also maybe the outcome of, what maybe from a cultural aspect, as well as just from a technology perspective.

– Yeah. I think to talk about culture, you know, in the normal tech security community is sort of a… it feels quite awkward to escape it, But really at the base of it, and you can see people are talking about it more and more because it’s so true is how can you change? How can you create a different culture around security? Security by choice, right? How do you achieve that? And I’ve got a couple of examples. I mean, one is our cyber barometer, right? And I’ve studied, business and really behavioral economics or behavioral science, is how can we apply that to cyber? So, the barometer basically is a dashboard, which we surface to people. And it is really one of my most successful products, security products within our digital security practice at BP. And it’s great because it creates lots of conversations, typical things. Why am I a 65 and not a 75? And why am I, you know, yellow and not green? The important thing is it drives the conversation. And especially around a topic like security, which is a normal topic to discuss about. But definitely, what it makes us think about, we’ve built that whole platform on again, on components that data breaks together with visualization layers like BI and on the Azure infrastructure. But it’s a great success from my perspective around “are you driving the right outcomes?” The typical conversation is some people are interested, why the scores are high and what they can do about it. Others are like, “If I do this, will my score go up?” And that’s not the behavior we want to drive. So, it’s in “are we building products “that are driving the right outcomes “to our consumers and our users?” “Are we making them choose the safest path, “transparently?” So, that’s one culture we wanna drive. The other culture’s in the development building community. So, we do threat modeling, we try and drive a different culture there, making them think about things, what could go wrong very early in the process in the life cycle, around the application development. And we’ve had great results on that, which you are measuring again through data. We’re taking all that data and we’re surfacing all that data to the developers in a dashboard, using platforms like Databricks. Again, to give them, very early insight into what’s going on. There’s this rapid feedback loops which are so important in agile. Again, there’s a different culture to shift. And then, finally, I mean, how do we drive, that the greatest things to drive is a culture change within the security teams is to give something back to the community. We take so much from the community and it’d be great to give back to the open source community. So, on that topic, I mean, it’s great to announce in the week of the 2nd of November week we have released a spot based safe reader, which is… we’ve developed within the security group that permits people to go and do normal SQL queries without any programming anything directly against SEF format, SEF is common event format. So, everywhere within the security, tooling has been knit together from many different sources. And I think that permits people to go directly into the note box and basically you don’t have to transform any information, you just can use this reader and you can go and do a query directly against SEF, wherever it is stored, in S3 or Azure Blob, wherever you have it. And we feel very proud that we are able to give a little bit back of so much that we take back from the community. So, again, all those things combined, all those things combined.

– So, you called out a couple of different things. The first I want to reemphasize the point on the SEF reader, it allows anyone to take data and it’s a SEF reader for Spark?

– Yes.

– And so, it allows anyone to take data in and be able to do SQL queries against this SEF formatted data, no matter where the data is coming from. So, that’s key point. The second key point on that is that it’s available on BP’s public GitHub.

– Yeah. So, if go to GitHub slash VP and they can contribute as well. If we can improve it as well, but yeah you can run that on the Databricks platform and you can get the benefit of it today.

– Very cool. And then the second piece going back from the cultural perspective that you were talking about is really this concept of security becoming more of a conversation, but in very tactical terms, it’s not some sort of you know, pie in the sky, sort of a random idea or just kind of nice to talk about is you’ve made vulnerability, I would almost say you made Vulnerability Management exciting by creating this barometer so that people can, excuse me, people can have a conversation about it. They can see where they are. They can measure their own behavior and they can see the improvements as they adopt and modify, modify their behaviors. And this is not just rolled in for the individuals from a user, what we would call a business user perspective, but also that your developers are using that as a capability so that all of their development life cycles are plugged into this. So, they are not, for example, waiting for code release for a vulnerability check, for example, for days at a time, they can do that very quickly now. So, that’s the other important thing. Go ahead.

– Yeah. I mean, we started our journey with the end users and that’s where our barometers sort of started. And now, we try and we mix, we basically extrapolating that to the adjacent use cases for different communities of interest, the developers. And the developers are the ones creating, building, that’s where there’s risk. How can you help them be as successful as possible? How can we take the security tools to them versus they come to us. And the reality is just working around their tool sets. So yeah, the barometer has started there and we absolutely taking that to the developer community giving those feedback loops very quickly to them. And there are other communities of interest that will bring risk that we need to make sure we support them so they’re successful. And we’re doing that all through data. So yeah, really excited about that.

– So is there… I’m sure there are other things that you’re working on that are gonna bleed into the future. Is there a sneak peek that you, you know, you announced the SEF reader the week of November 2nd, that’s awesome, is going to be a big part of what the community is able to do. Any other things that you’re imagining that are gonna happen next either with Databricks or as you think through, as the world keeps changing.

– Well, as I said, everything’s changing continuously, so we’re gonna, whatever we build today we might have to disassemble tomorrow. And I think we need to approach things from that emotional perspective. And I think we always talk about that in the developer community but not so much in security community. Security community is much more static to a certain degree. So, we need to take some of those learnings from the developer community. And nothing stands, so technology-wise things change a lot but also the circumstances which we use we just need to be prepared for that continuously. But I mean, in the end, we just wanna talk about the term of sort of centralizing to be able to decentralize. Or we’ll have federated control. And again, it comes back to the scale thing, security teams will not scale, right? We need to build platforms on which developers can do things securely. Build great things, innovate things, find the next sort of a low carbon energy. And I think that’s what our journey is there, how can we create security as a service where people by choice can come and say, “Hey, I wanna secure it.” And it really is frictionless. There’s the API, there’s the data, there’s a common way of doing. This is how I manage secrets. So, I think it’s about doing that. And if you build something great that’s frictionless, then the adoption will come. And that’s our KPI. How can we move to mass adoption? How can we reduce the time from when we detect something to when we resolve things? And data really is at the core of that. And actually has been there for awhile, it’s just now the big data technology that is at our disposal had a good, you know, sort of entry point, I mean, amidst that to be possible. So I’m really excited about, I think we are only starting really right now.

– So, as you talk about these things, is there a specific thing that you have started like a baby step that helps you or you believe is already helping your team go in that direction?

– Yeah. I mean, I think we’ve built our data lake on top of cloud compute within one of the clouds. and I think, using again technology like Databricks is basically bringing all those datasets together and started to basically contextualize them against the business processes. So, we can, from having any sort of assets or digital assets that supporting a business process we’re able to very collective, you know very quickly contextualize all information about that. So, we know where it’s hosted we know what business process it’s doing, we know it’s has any vulnerabilities, we know who’s accessed it, we know when they’ve accessed it. We know, if there’s been code committed recently, if there were any vulnerabilities in that code. So, you start to think about this, as the full stack, from identity to the application, to the data, to the infrastructure because really the vulnerability stack cuts across It isn’t… We’ve always traditionally treated all those elements as secret pockets. And actually, it’s one thing, it’s one kill chain if you can call it, it’s not really a kill chain, but it really is, we need to be thinking about securing, making sure everything’s compliant, making sure the honor vulnerabilities across all those layers is one thing. And that’s what wasn’t possible before and now we can stitch that data together.

– Very cool, very cool. Well, one last thing before we move to audience questions that I really wanted to see if maybe you want to highlight a little bit is you have oftentimes talked about something that I kind of relate to as technology rationalization where there is a lot of security tools that are used in any given organization and you’re using some techniques to try to figure out what’s useful, what’s not, what’s not useful and how to do that. So, you wanna share a little bit of comment about that with the audience as well.

– Yeah. I mean, I think we’ve got a lot of technology at our disposal. So, we do and there’s a lot of convergence in the security community and the security tooling environment. So, I think these new technologies permit us to rationalize some of that, which is great, but I have spent so much time in my life stitching together security tools. So much time. And so little time actually getting the benefit of what comes out of the security tools. It’s really… I sort of regret that but you can’t go back in time. So, the only thing is moving forward how can we get those developers, the security engineers up and running. The cyber data scientists on what I call hunter’s paradise, on the data lakes, how can we get them on there quickly and not have to worry about all the rest of this stuff? We talk about the business sort of abstracting that stuff from the business but we should also do it for the security community, right? Because the value is not in stitching those things together doing platform engineering or network engineering, the value’s in actually getting the value out of that stuff. So, I think, again, we’re only at the beginning of that journey and I think we can just cut that time very quickly and get productive much faster.

– And the SEF reader is really your big step not just for yourself, that you announced the week of November 2nd but it’s also a big step for the community so that the community can also get accelerant out of that instead of sort of doing a lot of this data engineering platform stuff. It’s one less thing now that people have to worry about on rolling their own. So, that’s really cool. So Dennis, thank you so much for joining this conversation. A couple of big takeaways from me, the biggest one really I think is around using data and to enable yourself to be more declarative as information is shared. The second one is really around automation. I really liked your concept of the way you illustrated the automation as something that enables you to get scale. And also I heard a lot of flavor and automation from you on analytical automation, not just the traditional block and tackle style of automation. And the last one is I will kind of bundle this in the category of enabling, enabling people at BP and the organization in general, and also then enabling the community for the security community to come together because we are really, cloud is a new terrain and it is going to require a new mindset to do that. And I think maybe for me, the biggest kind of takeaway of all of those three is that you said something to the effect of you’ve taken this opportunity as a mindset to go to the cloud to take the benefit of what you’ve learned but not taking the baggage with you to give you acceleration to be able to do things better. So, Dennis thank you so much for joining this conversation. Thank you for being a Databricks customer and let’s take some questions.

– Yeah, my pleasure. Thank you.

Watch more Data + AI sessions here
Try Databricks for free
« back
About Denis Ontiveros Merlo


Denis Ontiveros has been working in the Information Security arena for over 20 years. Throughout his career, starting at KPMG, founding the Information Risk Management Practise in Barcelona, to his nine years as CISO for Douwe Egberts, the primary focus has been to create effective pragmatic Information Security strategies that help business transform and grow in a secure manner.

Currently Director for Security platforms for bp Digital Security, he leads the Information Security Engineering Chapter embedding capability in the extended teams. He is passionate about transforming how internal security teams work and collaborate with others to drive a frictionless, scalable security culture, adapting to new ways of working and eliminating security antipatterns, generating value to Consumer and Customer. Denis holds a degree in Business from the University of the Basque Country and the Fachhochschule für Wirtschaft Berlin in addition to other industry relevant certifications.