OCA 2023 Highlights - Jan 2024

OCA Community Connect

Roseann Guttierrez
https://opencybersecurityalliance.org/ Launched: Feb 14, 2024
Season: 2 Episode: 8

Episode Summary

Welcome back to another insightful episode of OCA Community Connect. Today, our host Roseann Guttierrez engages in a compelling conversation with Mark Mastrangeli, the cloud engagement director at Palo Alto Networks and co-chair of the OCA Project Governing Board (PGB). Mark shares his remarkable journey into the tech industry and the pivotal role he plays in advocating for collaboration and interoperability in the cybersecurity domain.

In this episode, Mark dives deep into the significant achievements of OCA in 2023. He sheds light on the launch of two projects, the Open XDR architecture and the Indicator of Behavior project, both aimed at driving innovation and enhancing cyber defense capabilities. Furthermore, Mark underscores the successful launch of the CACAO Roaster playbook editor, a project that promises to simplify the creation of playbooks for organizations.

Looking ahead to 2024, Mark unveils OCA's vision to expand its reach and bring different cybersecurity communities together. He emphasizes the mission to develop more inclusive and accessible solutions by fostering collaboration and interoperability. As the community aims to serve as an ecosystem of ecosystems, this episode gives a glimpse into the future of cybersecurity and the pivotal role that OCA is set to play in shaping it.

- - -

**Episode Specific References**


MITRE Security Automation Framework (SAF)
https://saf.mitre.org/

Open Cybersecurity Schema Framework (OCSF)
https://docs.aws.amazon.com/security-lake/latest/userguide/open-cybersecurity-schema-framework.html

Vulnerability Exploitability eXchange (VEX)
https://www.cisa.gov/resources-tools/resources/minimum-requirements-vulnerability-exploitability-exchange-vex

Borderless Cyber - OASIS Open
https://borderlesscyber2023.oasis-open.org/

- - -

Reference Links:

Open Cybersecurity Alliance (OCA) website:
https://opencybersecurityalliance.org/

Open Cybersecurity Alliance (OCA) GitHub
https://github.com/opencybersecurityalliance

Open Cybersecurity Alliance (OCA) YouTube
https://www.youtube.com/channel/UCjTpPl2oEGH_Ws251m827Cg


Share Your Ideas & Guest Suggestions!

Got a topic or an expert in mind for "OCA Community Connect"? We’re always on the lookout for fresh insights and voices in cybersecurity and open-source innovation.

How to Contribute:

Topics: Tell us what you’re curious about in the cybersecurity world.
Guests: Know someone who’d be a great interview? We’d love to hear about them.

Reach Out: Drop us an email or message us on social media. Your suggestions help shape our show, and we can’t wait to hear from you!


Roseann Guttierrez [00:00:00]:
Our guest today is Mark Mastrangeli. Did I say that right?

Mark Mastrangeli [00:00:04]:
Yeah.

Roseann Guttierrez [00:00:04]:
Mark Mastrangeli? Alright. He is the cloud engagement director at Palo Alto Networks, and he's also co-chair for our OCA governing board. How are you doing today, Mark?

Mark Mastrangeli [00:00:15]:
I'm doing great. Thanks, Roseann.

Roseann Guttierrez [00:00:17]:
Thank you. Thank you for coming and joining us today. We're gonna discuss our, basically, OCA's achievements over the course of 2023 and talk a little bit about what this year holds. To get started, why don't you tell me a little bit about you and how you got into tech?

Mark Mastrangeli [00:00:34]:
Yeah. Sure. So, long story short, I did engineering undergrad. I was operations research major, so a lot of efficiency optimization, you know, modeling algorithms, things like that. I loved solving problems. It's one of the things that makes me tick. Once a problem is solved, I'm on to the next one and, you know, kinda have to keep myself busy, but, you know, just kind of fell into cybersecurity. McAfee was at a job fair at my college when many, many years ago now and started out as an inside sales engineer, did sales engineering for many years, and, again, kinda felt like that was problem solved.

Mark Mastrangeli [00:01:17]:
I wanted to be part of the solution and go influence product design and really, you know, things that were novel. So moved into the product organization and then, you know, did that for a little while. And then ultimately, and kind of the origin of the Open Cybersecurity Alliance, I was the lead architect for McAfee's, what we called the Security Innovation Alliance, which was our partner technology program. I was responsible for integration pattern design and building integrations between all the McAfee things, which was a pretty broad portfolio from network IPS to SIEM to, you know, firewalls when I started to endpoint protection, of course, and web, and you name it. Right? Years later, we had Open DXL, which came out of Intel. So Matthew is part of Intel for about 6 years. And we built an open source implementation of MQTT that evolved to include Kafka and a bunch of other things over time. But I was the lead architect for that program, and that was kinda how we started working really closely with IBM at the time before McAfee, you know, sadly, kind of let Open DXL die.

Mark Mastrangeli [00:02:30]:
They didn't maintain it. We had a lot of new technical leadership that didn't really understand that kinda open source, open interoperability philosophy that Intel did. But, nonetheless, it led to the formation of the Open Cybersecurity Alliance, you know, working with IBM to say, you know, let's not just build our own technology ecosystems of, you know, McAfee and a bunch of partners, IBM and a bunch of partners, let's build an ecosystem of ecosystems and try and drive interoperability with standards, you know, leveraging OASIS as a governing body to do more and do more as a community in a broader ecosystem of organizations that have the same philosophy. So, that was kinda how I got into tech and fast forward a little bit. After McAfee, in hindsight, maybe I stuck around too long, but it's led me to where I am today. Went on a start up adventure for a couple years after that, and that didn't work out, like so many, but it was a great learning experience. And then joined Palo Alto last May as a cloud engagement director. So basically, what I'm doing now, I overlay all of our strategic customers.

Mark Mastrangeli [00:03:44]:
As, you know, outside the sales organization, I get to just be a consultant, kind of a field CTO role, if you will. I get to go help them on their cloud security journeys, you know, guide them, help them be successful, and understand kind of the landscape and what's out there and what things they should be considering. And, of course, we have tons of people that do the product side of that. You know, what I'm really passionate about now in my current role is, you know, kind of the people side of the challenge.

Roseann Guttierrez [00:04:14]:
Right.

Mark Mastrangeli [00:03:43]:
You know, DevOps was a cultural revolution more than anything, I think, in getting different teams that used to be disparate to work together, and now DevSecOps includes that. You know, my favorite definition

Roseann Guttierrez [00:04:26]:
And everything else. Yes.

Mark Mastrangeli [00:04:26]:
Yeah. Exactly. But it's Patrick Debois, I think, has the best definition of what DevOps or DevSecOps is, and it's everything you do to remove the efficiency created by silos. And all the rest is just engineering. Right? So, it's really fun. It's always different. Every organization has their unique challenges and, you know, cloud's one of those things.

Mark Mastrangeli [00:04:50]:
There's not just one reference architecture. It's just every permutation of things that you could possibly come up with. And so it's really fun. You know, I think it's new. It's a maturing space. So that's what I'm doing today, but still really passionate about the OCA, and I've been honored to, you know, be the co-chair

Roseann Guttierrez [00:05:11]:
That's a perfect lead-in.

Mark Mastrangeli [00:05:12]:
Yeah.

Roseann Guttierrez [00:05:13]:
Give me your elevator pitch on the OCA.

Mark Mastrangeli [00:05:17]:
You know, so I think our marketing elevator pitch is, you know, we want to build an ecosystem of ecosystems. We wanna develop tooling, code, projects, and things that increase the value of existing tools to help organizations stitch together things that they already own. And if you take that as far as it can go, our goal as OCA is to really develop reference architecture for, you know, any organization that wants to do as much with open source and standards as possible. I think somebody in marketing could put that more succinctly, but, you know, I think that's our goal is to take all of these, all the great work that's out there. There's a whole bunch of disparate standards that exist, you know, whether it's a schema for some logging format. There's, you know, STIX is a great example of something that, you know, gives us a great standard schema by which we can communicate and share information. How do we take that forward, and how do we continue to evolve those things, and how do we stitch these things together so that they're more interoperable. So that's really

Mark Mastrangeli [00:06:23]:
You know, been our been our mission.

Roseann Guttierrez [00:06:25]:
Why is OCA important to you?

Mark Mastrangeli [00:06:23]:
I believe deeply. You know, I think part of it is growing up at McAfee. McAfee had this open philosophy, be our central management console EPO. He's ePolicy Orchestrator was very open. We had great SDKs where, really, anybody could build an extension to that management platform and manage their things. We had customers managing Symantec through ePolicy Orchestrator back in the day. And then Open DXL.

Mark Mastrangeli [00:06:55]:
And I love systems design. There was a lot of what I did in undergrad. I love complexity and trying to control that complexity. So I think there's a ton of that in cybersecurity, and cybersecurity is the ultimate team sport. Like, literally, we all acknowledge that no one can do this alone. There's never gonna be a single vendor solution to cover everything. And so I really believe philosophically that the right thing to do for organizations and to combat the adversaries that are out there is to work together. And so sometimes that means, you know, I work for a big vendor.

Mark Mastrangeli [00:07:32]:
You know, Palo arguably is one of the largest dedicated cybersecurity companies on the planet these days. And, you know, we do a lot of things that are proprietary, but, ultimately, like, we have to interoperate. We have to share data, you know, with all of these other tools. That is a constant challenge for organizations. I mean, every organization I talk to, they've got, you know, 25 to 35 or more, you know, different cybersecurity solutions. They're struggling with data, and they spend an inordinate amount of time just managing the technology versus, you know, I think doing security. You know, we know that there's a talent shortage, etcetera. And so Right.

Mark Mastrangeli [00:08:14]:
I think it's the right thing to do. Like, that's why I'm passionate about it. That's why I've, you know, stayed involved even though, you know, today, it's not directly related to my day job. I think it's a worthy mission.

Roseann Guttierrez [00:08:25]:
Yeah. Agree. Yeah. Totally. That's why I'm here too.

Mark Mastrangeli [00:08:28]:
Yeah. Yeah.

Roseann Guttierrez [00:08:29]:
Alright. So what about this past year for 2023? What highlights did we have for OCA?

Mark Mastrangeli [00:08:35]:
Two new projects that came to fruition in 2023. One is the OXA, so the Open XDR architecture. And, you know, who knows? We might rename that at some point because I think XDR is an overused term. But the goal of that project is to take all of these different open source projects and really put it all on the table. You know, it's kind of Apollo 13. We've got all these different pieces. How do we build this thing out of it? And identify the gaps. Identify the glue in between these pieces so that we can develop that, and then provide that out to the community so that they can, you know, more effectively stitch these things together.

Mark Mastrangeli [00:09:20]:
We at OCA are never going to be the ones that have all of the projects, all of the standards inside and under our umbrella. You know? So we wanna build the glue and really help drive these things forward so that it's more consumable. I think that's a really great project that's really just getting started. Our indicator of behavior project, which is really an extension leveraging, you know, STIX 2.1 extension, 2.x extension capabilities, the indicators of behavior seek to really advance what can be understood about an adversary. You know, an indicator of compromise, arguably, like, it's too late. Right? It's important. We need to continue to do those things, and identify those things. But if we can identify earlier, you know, in the kill chain, if you will, a behavior that is potentially malicious.

Mark Mastrangeli [00:10:19]:
And so, our great friends at Johns Hopkins University and the Advanced Propulsion Laboratory, where they have a cybersecurity research group led by Charlie Frick. They've been doing phenomenal work, and the indicator of behavior extension is pretty well baked. Not that anything's ever perfect, but I think that's a project that is consumable and should be taken a look at. And then just in December, we had a great project contributed by some of our friends at the University of Oslo, Vasileios. And I won't butcher his last name, but Vasileios is a brilliant cybersecurity researcher. He's done a lot in the STIX community, the CACAO community, and others. And they have launched basically a CACAO playbook editor. That project is gonna be called the CACAO Roaster.

Mark Mastrangeli [00:11:13]:
That's a new project under the Open Cybersecurity Alliance that I'm really excited about that is, you know, I think something that can very tangibly help organizations start to leverage kickoff playbooks and use them more easily. A lot, you know, easier onboarding ramp than if you're just having to do that in code, to have a visual editor that you can kinda play around with those things. Trying to think. I think still, you know, just, the STIX shifter project is still very much active. We've got a whole bunch more adapters and things that STIX shifter is now interoperable with. That's a great project. And Kestrel, of course, from IBM. Roseann, you know these 2 very well.

Mark Mastrangeli [00:11:57]:
Those are great projects. They continue to kinda underpin and really where OCA started with those things. So I'm excited for that. You know, those things have been going well. We had a great, what is it? Beyond Cyber, our annual cybersecurity conference in London that was really well attended. Some really great people that are involved in policy, especially in EU given that we were in London. We had people from a bunch of different organizations that are affecting policy with regard to AI, with regard to privacy that attended, and there's some things that are kind of in the works as we continue to follow up with those people, and we'll see where those things go. But, yeah, I think it was a great year.

Roseann Guttierrez [00:12:39]:
Yeah. That's a lot of stuff going on.

Mark Mastrangeli [00:12:42]:
Yeah. With all things standards, you know, like, it's an uphill battle. Like, we are you know, my organization that I'm working for today is a perfect example. Just pick on them a little bit. Like, you know, trying to get a vendor like Palo Alto to do things in the open is a challenge. You know? There's, it's a lot harder. You know? There's a lot more cost involved for an organization, for a vendor to work with things that they can't directly control and that gives, you know, timelines and dependencies that, you know, people are afraid of. You know? So I think that's one of our challenge and standards and things.

Mark Mastrangeli [00:13:18]:
But, you know, we're still on this mission and, you know, going to continue. So looking forward to 2024. I'm really excited. I think

Roseann Guttierrez [00:13:28]:
Such a segue. Yeah. What do we got going on in 2024?

Mark Mastrangeli [00:13:31]:
You know, so I think the big theme this year for us, you know, we're gonna continue working on all these projects. A lot of those things are kind of working in parallel and are independent to some extent. I mentioned the OXA project earlier. That's going to be a project to start to bring all of these things together into a reference architecture. But there are a whole bunch of things that we work with outside of the OCA. OCSF is a great example or MITRE SAF, the security automation framework. So, you know, SAF uses a database called Heimdall. That is an OASIS working group and project that owns the governance of that project. You know, I think the theme for OCA and something we've been talking a lot about in the governing board is how do we do a better job bringing these other communities together, and just broadening, you know, the umbrella of OCA.

Mark Mastrangeli [00:14:25]:
We wanna bring the OCSF community in. We wanna work more closely with MITRE. We wanna work more closely with the group and DHS that is, you know, responsible and really driving the VEX format for indicators of behavior, and course of action. VEX is super interesting, I think. And, you know, there's a lot of opportunity for us to broaden our community. And, again, be an ecosystem of ecosystems where, you know, this group's doing great work. How can we help you? How does this work with these other things? And building more consumable reference architectures that the community can use to protect themselves.

Roseann Guttierrez [00:15:05]:
Nice. Yeah. Because it is. Right? It's about visibility. So the more reach that we have and the more visible that we are and we know what's out there, the easier it is to be interoperable, right, to work with people and figure out what can make us all better. Right?

Mark Mastrangeli [00:15:21]:
Absolutely. Yeah. Absolutely. I and, again, like, we can't do this alone. Like, it's never just one of these projects that's gonna solve everything. So especially in standards, you know, it's often like a really low level piece of technology or code or a tool. You know, how do we bring these things together so that it's a more comprehensive solution?

Roseann Guttierrez [00:15:03]:
Right. Thank you so much. I really appreciate you letting me ask you all these questions.
