CYBERSECURITY Trends and Advice to Help YOU Protect Your Business
Dave Erickson 0:04
Hackers want to steal your business IP. How are you going to protect yourself from the hackers in the AI hacks? On this ScreamingBox Podcast? We are going to learn the latest technologies and best practices in cybersecurity. Please like our podcasts and subscribe to our channel to get notified when the next podcast is released.
Dave Erickson 0:45
What are you going to do to protect your business from hackers out to steal your data, or worse steal your customers data? Welcome to the ScreamingBox technology and business rundown podcast. In this podcast I Dave Erickson and my esteemed co host both on set ash are going to peer into the dark world of cybercrime and cybersecurity with our guests Steve Orrin, federal CTO, and Senior Principal Engineer of Intel. Steve is a dynamic leader with a wealth of experience in technology and cybersecurity across various sectors, including public and private companies as well as federal agencies. Notably, he has advised federal agencies, the Department of Defense, and the intelligence community on technology matters, while also influencing cybersecurity strategies at Intel Corporation. Before joining Intel, he had a successful stint launching startup companies and growing them in order to be required. And in doing so delivered market leading solutions to Fortune 1000 clients. So Steve, what got you into cybersecurity in the first place?
Steve Orrin 1:51
Well, thank you, David. And both Tom for having me here today. And cybersecurity is, it's really been an amazing industry and domain to be a part of. I began back in the early 90s with my first startup, and it really sort of happened into it as a professional career. As a, as a child, I was a hacker, and loved playing around with technology back in the 80s, to see things, how things worked, and how things didn't work, how things fell apart, and sort of taking things apart, understanding the protocols, the software. But it didn't see that in the 80s as a career opportunity. And so it was actually going to go the biomedical route. And then in the mid 90s, I had the opportunity to help a company get off the ground, looking at security. Basically, some, a friend of a friend said, hey, you know, the security stuff, you should go help this guy. And I thought that'd be something fun to do for a couple years before I started med school. And fast forward, I fell in love with what we were doing and with the industry and this was the early days of the internet boom. And I just, it was amazing. Just being able to get at the ground floor of what became such an important part of everybody's lives, and try to solve these hard security problems at multiple places, whether it be at the desktop, in enterprise systems across the network in the web, it really has afforded an opportunity to go try to solve those hard problems for a variety of customers. And there's never a dull moment in cybersecurity, because just when you think you've solved one problem, a new kind of attack comes and now you've got to figure out how to solve that, or a new kind of business goes online and now suddenly, we have to figure out how to secure those kinds of systems and applications and workflows. So it's an ever evolving place. And there's never a dull moment.
Botond Seres 3:32
And that's I think that's what can be said about IT as a whole. It is an ever changing landscape. And speaking of landscape, Steve, I wonder if you could provide us with an overview of the current landscape of cybersecurity and some of the major threats that businesses are facing today.
Steve Orrin 3:50
So Botond, that's a really good question and one that's not easy to unpack because the security, the threat adversary is constantly evolving. All you have to do is look at the news and see if the latest data breaches, ransomware attacks or rampant botnets keep coming back every time you whack one to more show up in its place. And so when we look at the overall landscape of cybersecurity, I think there's a couple of key trends we want to focus in on. Number one, the attackers, the adversaries are getting. I've got much more skill, a lot more complexity, and honestly have a lot more invested in making sure that there are applications that are tax work. There's been numbers out there that it's a multi trillion dollar industry, the dark side of cybersecurity, the hackers and so when you think about that level of potential revenue that they can getting in the value of what they can extract from organizations, there's absolutely a level of maturity and quality that they're putting into those attack attacks, threat vectors, the research they're doing, the collaboration that doing all the kinds of things you think to see in a security company or in a any IT organization. They have quality assurance testing, they have service level agreements. So on the one hand, the adversary, some have got a level of maturity that is equal to or sometimes better than the IT operations that we have. The other is that there, they have no hesitation to take advantage of the latest and greatest technologies, it may take months and months for an enterprise to adopt something like AI or some next generation capability. Whereas you'll see the threat actors, they're much quicker to adopt the new technology, because if it gives them a little bit of an edge, they're all in it, because it can give them real, real value. So we see AI being employed in a variety of places across the cyber attacks, everything from more advanced phishing campaigns, to better analysis of the data that they're getting to the kind of information gathering they can do before they launch an attack. So they're absolutely leveraging the latest and greatest machine learning and AI techniques. But the other area that I think is, we're seeing some key trends on is they're also looking to go deeper into systems. So while the botnets, and the ransomware still work, and they're still providing real value, when you look at some of the attacks where they want to get deep, because they want to be stealthy, they want to persist across reboots, and across and they want to hide from whether it be the security tools or other OS level tools, they're looking deeper into those platforms. And we're seeing a strong increase in firmware level attacks heart, you know, targeting the actual platform under the cloud or underneath your applications. And then the last area I focused on is that they're also thinking about how best to get their, their malicious code into the environment. And while people will still click on the link and download the malware, that still happens, and happens quite often. The last several years have seen a stark rise in supply chain attacks, specifically targeting software, whether it be packaged solutions, or open source tools and getting their code in before it's delivered to the customer. Because once the code is built and delivered to the customer, suddenly we have you know, you have software that's legitimate, at least in theory in the organization. And so solar winds and code Carbon Black Log4J are all examples of where the malicious activity happened before you download software, but targeted the supply chain, the software development lifecycle, the software, code repositories, his way of getting in that door. And then once you've downloaded that, well, I got it from the legitimate source, so it must be good. And so supply chain tax is really something that has become a key focus area for, for all enterprises, both public and private sector.
Dave Erickson 7:29
Uh, Botond you made a comment in there.
Botond Seres 7:32
Oh, yeah, I was gonna mention that for Log4J. But Steve, you got around to it eventually. And that was I think that that was something completely unexpected by by most people in the industry, it's sort of I broke the sanctity of open source, the way
Steve Orrin 7:48
I like the way you put “it broke the sanctity.” There was this assumption, I think that well, if I'm getting it from a legit repository, it must be good. And I think that was a false assumption, but it was one that wasn't well looked at. And similarly, we saw with SolarWinds, and many attacks like that, I'm getting it from the vendor, so therefore, it must be good. Now I know that vendors have vulnerabilities, and they patch those and that's a normal course of business. But this was something different. This was actual malicious code that was introduced into the software development cycle prior to delivery. So it wasn't like, oh, there was a bug that we need to fix. It was actual malicious code inserted in there. And so that, again, it changed that assumption, or actually challenged that assumption that the code we get, the software we get, if we're getting it from a legitimate source, it must be good. And I think that's where a lot of the attention has been, whether it be some of the activities in the public sector, around software, build materials, to other initiatives in the open source community to get better visibility into what's inside the box. And that's really at the core of this is how do we get better visibility into the products and technologies we're trying to deploy into enterprise. Not just, you know, is it from the right place, right source, the right company, the right location, but what's actually inside, you know, peeling back that onion and looking at it from a white box approach, as opposed to just assuming it all must be good, because it came from the right place.
Dave Erickson 9:11
Yeah, think about doing some React development, you're using all those third party libraries? I mean, how do you know how good those third party libraries are, and whether those third party libraries have been, you know, attacked and have malicious code in them?
Steve Orrin 9:26
Absolutely. And I think it's also sort of highlighted the need to do better monitoring, even if it's not an attack, but also just knowing what those vulnerabilities are. And I think one of the things that people are starting to look at is understanding their risk now as opposed to waiting for someone to tell me that there's a vulnerability in there in that module. So in the past it was while we have products that maybe have locked for JS, i don't know I'm gonna wait for the vendor to tell me now as I need to know what my applications both outputs are supposed to have in the box so that if I do see a vulnerability disclosure, I can take quicker action to either put in compensating controls, lock down the firewalls put an extra monitoring or accelerate a patch based on real time information knowing that, yes, that web server is using that vulnerable part. And that's one of the benefits we're starting to see from that visibility is that deeper understanding of your current risk within an organization.
Dave Erickson 10:20
One of the things I find interesting is in the software development industry, you have a very wide range of companies that are producing software for another wide range of companies. It's not necessarily that enterprise companies are producing software for just enterprise companies, you could have small software companies producing software and selling to enterprise companies, or governments or other areas. They all have limited resources in securing themselves and you know, like putting locks on a door, you know, you can only put so many locks, or you can only buy so many locks, you know. How do companies say not enterprise companies, but smaller companies provide some level of security, because it seems now that even the code they're writing, they need to protect it from attackers getting into it and corrupting it and using it to enter large corporations that buy their software.
Steve Orrin 11:24
So Dave, let's look at that question from two perspectives. One are what are some practices that small organizations can adopt that don't have, you know, the trillions of dollars of budget to go, you know, hire 1000 person teams specifically focused on security, and there are recommended best practices that even the smallest, you know, three persons garage company can do to better secure the applications and code they’re developing. And then we'll also look at what can they do to help their downstream supply chain get the better visibility or trust into what they're doing. So I'll start with the first. There are a variety of recommendations out there from the federal government as posted a lot of really good content around putting, making security part of the development lifecycle. And so oftentimes, this is something that's been going on for many years. Your time to market and getting your functionality and to get it out the door has been always the most important thing. And then security was an afterthought. And we've seen time and again that that just doesn't work, because by the time you discover you have a vulnerability, it's much more expensive to go back and try to fix it after you've produced a product. The successful organizations have introduced those, those processes earlier. Step one is when you design or you put together your product requirements, documents you put in, it needs to be secure against these kinds of attacks, or these kinds of manipulations you build for security, as opposed to figuring it out later on in the DevOps, DevStack ops lifecycle. And you test for it. So it's building for it, nd that there's a lot of recommendations about how to build proper infrastructure, libraries, sanitation, and validation of content, there's a lot of really good, easy to use, nd by the way, most of your development environments have easy source code that you can pull in to say do input validation, do input, sanity, output, sanitation, do credential checking those kinds of things. The next piece is making sure that your quality assurance is testing the security features, not just that, you know, did the button push, did the, the form return the right information, but also doing security testing. And again, many of the tools that are out there have these, there's all sorts of products, as well as open source tools for doing fuzzing and to do the security analysis as part of the development process and quality assurance process long before you get to the last stage, which is deployment security. And so those are some things that can be easily adopted. If you're already, you're using a programming language or you're using a development environment. There are tools you can provide, there are guidance, there's reference code that you can literally cut and paste and say, Okay, I'm going to do input validation. Here's how you do it in Python, here's how you do it in Rust, here's how you do it in these different languages. One other recommendation, and this is just starting to come out of the federal government, we're seeing it being looked at by large software developers, but looking at memory safe languages as a transition path. And so that's another thing to look at, for small companies as they're first figuring out, okay, what programming language should we use to go build this product? Memory safe languages are a good starting point. It's still early days as in the recommendation side of what's good, what's not, and where do you, where you set the bar. But it's a consideration that folks should start to think about. The flip side then is how do…
Botond Seres 14:21
I hate to interrupt you Steve, (Steve: {sure, go ahead} ) what does memory safe mean, in this context?
Steve Orrin 14:26
So memory safe languages are ones that inherently have mechanisms built into the programming models that enforce memory safety and at the core of things like Buffer overflow, and race conditions and heap of these kinds of attacks that allow for malware to get deep onto a system or to use your privilege to then do other things are these memory corruption attacks, memory manipulation attacks, that legacy languages, you'd have to go build that memory safety around your language. Whereas many of these, what they call memory safe languages, you know, Rust and some others, natively have memory safety built into the coating mechanism. So the developer doesn't know what the, doesn't need to be an expert in memory safety, they just need to call, you know, move malloc this to that, and behind the scenes, the language in the interpreter and the compiler handle and basically implemented in a memory safe way. And so it's really about easing the process of building security and for those type of attacks, by not requiring the developer to be a memory safety expert, the language and the language model that's, you know, sort of supported there makes that case, and there's some papers coming out from from Sissa, from the critical infrastructure security agency, part of DHS, specifically on recommendations around using memory safe languages that are definitely something to go look at. But that's really at the core, it's sort of, these higher level languages have built in memory safety controls, so that you don't have to go back and figure out okay, what did I have that I have a free without amount that I do something wrong, in my code from a memory safety. Now, I'm not saying that secures all of your code, but it's a really good foundation to start with. Because that eliminates,
Dave Erickson 16:05
A whole lot of attacks are memory base now, these days.
Steve Orrin 16:10
Exactly .So that's things you could do inside your company and can do, you don't have to be a large corporation to take advantage of some of this. And like I said, a lot of it's open source and free, you just download it, you can use reference code out there, you can use open source fuzzers and open source security frameworks to help secure your code, even as a small company or a startup that's trying to get stuff out the door quickly. The other piece is how do you help enable your downstream supplier. So again, thinking about the complex ecosystem, you may be building this module that gets included in somebody else's product that's included in someone else's product, and then load it on the cloud as a SaaS product. So you got four people before the actual end customer for organizations, all layering on their coat on top. So this was one of the challenges in software build materials, is thinking about, well, how deep do we need to go? And the, from the customer perspective, it's hard to know, well, you know, how deep should I ask my vendors to go into their validation. But one could recommendation is, is if everyone is doing it, then the data will already be there. And so I don't necessarily have to require a large software vendor to give me everything about every module and every module that that uses, and every month because I can get to be with, you know, turtles all the way down to use the Discworld reference. However, if organizations proactively put an S bomb or a similar bill of materials in with their code and make it available, then you can then a, whether it be an auditor, or secure or a security conscious, a customer can get that visibility. The provider because ultimately, they're on the hook to provide that quality software to the final, you know, the final stage so the end customer can have that information. So when something goes wrong, they can say, oh, I can go look and see that yes, a Log4J was used by this module that I've taken three steps down in there and make the appropriate changes or updates or according, accordingly. And so we're seeing this idea of sharing of information between the different parts of the supply chain is a critical part of how we can secure the overall supply chain without putting the onus on, you know, the lat the end customer, because at the end of the day, that model does doesn't work, because the end customer doesn't have the visibility, nor did they have this, the budget to do that deep analysis. But they can work with the alert, you know, whoever their end customer vendor is to put the right requirements in so that that vendor can validate and so on. And so so so we do the turtles approach, providing the visibility, then you can string together that sort of that chain of supply chain risk management,
Dave Erickson 18:35
I’m trying to process that.
Steve Orrin 18:39
It’s a lot. I mean, again, it's not an easy answer, because it's, this kind of attack has really changed some of our fundamental assumptions. And once you pull away the rug on that we're
Botond Seres 18:47
In the past, perhaps the most sophisticated attacks were usually social engineering, and this is way, way beyond that.
Steve Orrin 18:57
Exactly.
Dave Erickson 18:58
Your title at Intel is Federal CTO, as well as Senior Principal Engineer, federal CTO is not a common CTO term. Maybe you can talk a little bit about that and kind of go into what your role is at Intel related to that.
Steve Orrin 19:14
Sure, and so let me start with the first part of your question. A Federal CTO is somewhat unique at a company like Intel or any large corporation. Because typically, you have a CTO for a particular technology domain, you have maybe a CTO for a product category, or for a particular technology. So a Memory CTO, at Intel, a memory CTO or CTO for your networking technologies. And when they created the role, almost 11 years ago, there was really an understanding that the federal marketplace in the public sector writ large is actually a little different than any one technology may it's a conglomeration of all technology domains. And so understanding that the technology needs of the federal government number one are gonna be specific to public sector that necessarily translate one to one to other, other verticals. And that it's got to be a pan technology of focus, you need to understand high performance computing and edge computing security and AI and networking. And so it's really understanding the breadth of a set of technologies and how they can be applied to a particular set of requirements from a customer that has large scale, has significant security requirements. And what I've always found interesting about the federal market is that it's almost like a microcosm of every other market, you may have, you know, think about health care and insurance providers. The VA is one of the largest health care providers in the world and one of the largest insurers, that's a federal agency. So it's gonna have all the same problems that a large hospital system does at a larger scale, you're going to talk financial services between the IRS and Medicaid, Medicare, Medicare. They're processing payments for vast numbers of people, you know, at a scale that isn't the same as a small bank or even a large bank. Similarly, logistics, you know, UPS, you know, FedEx, you know, Walmart, well, the Defense Logistics Agency has got to get the gas and the trucks and the tires and everything to the place where they need to be at any given time globally. So these large scale vertical lines, kind of use cases all all found inside the federal government. So it really is like the microset of every other industry that you'd find out there. And so when they were thinking about, well, how do we better address the federal market and bring all of these technologies and antennas across multiple business as a, a one voice, a single point of contact from a technology perspective, that's what really the focus, and what I think makes my role a little bit different than some of my peers at other organizations that are much more focused on how they sell their products to the federal government. A lot of what I'm doing is sort of what I call bi-directional translation. Trying to take what Intel does, and translating that into the government needs that government mission requirements, but also being able to turn around and translate government speak back into Intel speak about the requirements and needs that they have various missions, so that we can build better products to meet the public sector requirements. And along the way, being able to take but we are, commercial solutions, and the term I've coined is federalize them so that they can meet those government requirements, they can be adopted in the unique environments that the federal government has to deploy, whether it's a scaling thing, or an at, a far pointy end of the spear kind of edge use case, the end of the day, they're still trying to process data in a particular environment. It may be lower, lower power, it may have certain hardening requirements, but the fundamentals are the same whether you're at a factory or you're in the, you know, on a mission system. And so I think what we've crafted, with that Intel has crafted with this role, and the, what I get to do is help bring the best of what commercial technology does to the federal government. At the same time help advance our technology to meet the ever evolving mission needs of the government customer.
Dave Erickson 23:01
That seems like an interesting job. I mean, I know of intel from a hardware standpoint, and we develop hardware and firmware as well as software. My start in my first career was that of contract manufacturing for the electronics industry. So I'm familiar with Intel on a, you know, a chip basis, right. But over the years, I've also seen as being in gaming, that Intel introduced firmware and software products to go along with their chips. And I assume now that Intel has a whole division or range of products that are firmware based or software based. And I assume that a lot of those products are the ones that are being looked at from a cyber security standpoint. Is that correct?
Steve Orrin 23:49
So Dave that is absolutely correct and there's a couple ways to come about that. So one thing that, as you mentioned, most people know, Intel for it’s chips. But here's the thing that less people know about is that we have almost 20,000 software developers at Intel, whose day job is to build both the firmware and software stacks, or enable the ecosystem of software providers to run better or take advantage of Intel technologies and capabilities. That's a fairly sizable software team, including a very large group that is just focused on open source software and producing open source software, tuned to Intel platforms. Those products and technologies are at the foundation of how the ecosystem and ultimately the end customer can take advantage of some of the hardware security capabilities. So not only are we making sure our software is secure, but that we can expose the hardware security capabilities in an easy to consume way or a scalable way for the software vendors. Oftentimes, if you take a large database provider, a large wet web server platform, the encryption acceleration, the virtualization protection that's underneath it was actually code written by Intel that then has been included and incorporated into these both commercial and open source solutions to help them secure their software stacks. Based on Intel. One of the other things we've been doing in the last several years is producing software capabilities direct for the end customers or for the cloud providers that are servicing those end customers to be able to get better access to those hardware features in a more natural way, whether it's the containers around confidential computing and working with the open source to create a jump code library so that all you have to do is bring your application code and drop it into this container and you can then take advantage of this really complex underlying hardware that provides memory encryption and an hardware access control without having to go deep into the hardware specs to understand how it all works. Those kinds of innovations that we're putting out, both in commercial and open source solutions are really what's helping to drive the hardware enhanced security capabilities that Intel brings to bear.
Botond Seres 25:54
A weird question for you Steve, which is admittedly, something I have a personal stake in is with the rise of work from home, I wonder what are some of the unique security challenges that work from home introduced and maybe what are some of the benefits, if there are some.
Steve Orrin 26:18
So button, let's look at that question. From a couple angles. So work from home, especially when it hit us in the beginning of COVID. It wasn't like, oh, let's naturally start to increase our ability to have people work from home, it was , 0 to 60 overnight.
Botond Seres 26:32
It was a sudden change.
Steve Orrin 26:36
And so there was a lot of fits and starts and that definitely from a cybersecurity perspective, a lot of CIOs, you know, losing hair over how am I going to secure something I have no control over, it's at the home, it's on their home network, maybe I have a VPN, and that's about the extent of it and now I'm suddenly gonna push all my enterprise apps and data to that individual. So there was absolutely some challenges. And when we look at what some of those are only things that the CISOs were worried about it was, you know, secure connectivity, proper authentication, data security at the edge, and how do I enforce data security controls and data rights management in a device that, you know, hopefully it was from an CI, so it's like, maybe it's a managed device that I've provision, often it wasn't and it definitely wasn't a network that they owned. And so there were a lot of things that organizations quickly had to do one, a lot of them jumped onto a variety of cloud service offerings, that were sort of the cloud service versions of their enterprise app. So what it may have been looking at ERP solution and HR Finance solution, or even a collaboration solution that they were doing hosted on Prem, they went to the cloud, because this way, they could serve as their the people who are coming in from a variety of networks. Then there was a benefit to that in that it allowed them to apply security controls at the cloud provider much quicker than waiting for a bunch of new firewalls to show up at the data center, they could just turn switches flip on the VPN, flip on the next, the next generation firewall turn on multi-factor authentication. So there was a benefit when going to those cloud services, obviously, they ran into some issues along the way figuring out how to provision. But once they got those up and running, what they found is that they can manage the security from that single pane of glass that the cloud providers or the SaaS providers provided them. Um, it also required them to change the way they thought about how do I secure my data, because it's not, the data isn't within the four walls. Now it's flowing through a cloud or SaaS provider to and then to an end user, an employee on their home network. And so I know a lot of organizations sent out requirements for how to better secure your home network, because let's face it, a lot of people don't do a good job of even changing the default password on their Wifi or keeping their local Wifi routers up to date on patch. So there was
Botond Seres 28:49
Oooo, that’s a big one. Yeah, there are people who don’t change their passwords.
Steve Orrin 28:53
Yes, change your default passwords. But also make sure they're up to date and patched. And so there were some certain recommendations. It also wouldn't think so is it act, if you think about it, where we are today, where people are talking about zero trust architecture, and that evolution that many organizations are starting their journey on the remote work that worked from home initiative, that sort of, we had no choice but to go for door, it really sort of kick started that idea of I need to be able to trust them, I need to be able to protect data, where I have no trust. And so that cognitive switch actually helped. Because once you realize you have no perimeter, and that you need to be able to trust data and trust application outside your perimeter, aka, on your home PC, in your home network with a bring your own device. It changed the way they thought about how do I protect data. And so organizations start thinking about how do I protect data and do a data centric security model versus a system centric. So in the past, a lot of security and inside large organizations was well. I have this server in this data center and I can protect it. So as long as Data never leaves We're all good. However, in a new in this new world order where data is flowing back and forth across, you know, third party cloud providers, to employees and others outside, you know, business to business partners outside the organization, who may never touch that internal system, how do I have that security control go with the data as opposed to be system or systemic, or bound to that system. And so that cognitive change is what really helped with this evolution to, I need to be able to build security controls that follow the data that follow the transaction. And so that I think where we are today, it's a lot easier to get here, because we had worked from home sort of drive that cognitive change on a lot of security professionals. Not to mention, of course, the adversaries recognize that everyone's working from home and doesn't have the benefit of their own personal Chief Security Officer (CSO) sitting over their shoulder. And so that's why you see some of the elevation of phishing and ransomware techniques targeting individuals to be able to jump the shark over to an enterprise. And so those are considerations that enterprises have been looking at. One of the best practices I've seen in many organizations, is understanding that it's not a binary, either you have the keys to the kingdom, or you don't, it's not a, you know, everything must be you know, you're either super secure data or it's unsecured data, but putting gradation and granularity around the security and making a decision based on where you're coming from. So I'll pick on you Botond for a second. If you're on a corporate laptop, using your corporate ID on a network, I've seen you before, I'll give you access to certain level information. If you're on your phone in a Starbucks, you may get less information, even though you can still authenticate to the system. If you happen to come in that one day a week to the office, you maybe can get better information. And so actually putting sort of what we call like, concentric circles of control over the data. And it's not just about who you are, but it's who you are on what device on what network at what moment in time, in what location, sort of that, that more granular or richer credential, that allows me to make a policy decision about what data to give you what access to give you. And that change in the font. You know, again, it's a zero trust approach. They may not have known at the time that it was gonna be called zero trust, but it's that idea of doing authentication and transactional based risk control as opposed to well, either you're Botond, or you're not and that's, you know, that's the end of the story. Because if you're on your laptop, that's a personal device that did get infected with a Botnet, you're not going to have the keys to the kingdom, even though you're using you know, it's reusing your you know, it's credential stealing, and using your authenticated credential, it's not coming in from the appropriate network, or the appropriate location, or even, you know, in some cases on the appropriate system to get the most sensitive data.
Botond Seres 32:47
Or the appropriate RSA key. I mean, we touch briefly on passwords and I think one of my favorite things in cybersecurity history is I don't know where it originates, but maybe you can shed some light on this thing is a, somehow, we convinced everyone that the more difficult to remember, the more secure password is. And instead of just picking long passwords that are easy to remember, everybody’s just using random characters that are super easy to break.
Steve Orrin 33:20
So there's a lot of problems with that. And again, there was a period in time where people thought, Oh, if I just had a longer password, that would be good. And that was maybe valid for a moment in time when the only threat was a brute force attack with limited computing resources to try every combination. We know today that the adversaries have access to the same level of scale computing that we do. And so cracking even a 16 character random string is a non issue and can be done on a given you know, even on a laptop.
Botond Seres 33:52
I'm sorry to go in depth on this but like, if you double it and say there’s two characters minimum.
Steve Orrin 33:58
I think the key is that if you just have that one factor, whether it be 32 characters or 100 characters, ultimately, there's two problems. Number one, eventually, they can brute force it. And let's face it, the user is never gonna remember 100 characters and get it right. So they're going to write it down on a piece of paper or save it on a text file on your desktop and all your security is out the window. But the other is it's, it's this flawed notion that a single factor, whether it be password or otherwise is good enough by itself. And I think that's really where multi factor authentication comes into play. It's not saying that one factor is better than the other, although there are definitely different factors that have different security levels. But it's about separating the factors.
Botond Seres 34:35
Some factors are equal, but some factors are more equal than others.
Steve Orrin 34:39
I think there are some factors that are even better than more equal. But yes, I like that. But it's about having separate factors even from separate domains. So one great example is you may have a strong password you know, that makes sure it's the right number of characters and uppercase lowercase numbers for a password, but marrying that with say, an off device authentication event. So whether it be Got an app like a Duo or something like that in your, in your phone, or even in some cases, an SMS provides that off device. So a secondary device authentication, you'd be amazed at how much that breaking that, that those two sides if you're authenticating on your laptop and having a phone as your secondary, the level of adversary necessary to compromise both your systems is that much higher. Now, it's not outside the realm again, there's no such thing as 100% secure, but the goal is to raise the bar high enough for the level of risk or threat that you're, you're dealing with. Now button, if you're just accessing your bank account information, alright, we're going to do two factor and that's going to be good enough. If you're trying to get the design specs to Intel's, you know, CPU architecture, that's not going to be good enough, there's gonna be extra controls, and maybe your location will matter. And so for instance, when you talk about really sensitive information, it's, you know, authentication with two factor, but also including your physical location, are you in the actual room where that data should be accessible from using GPS or other methods.
Botond Seres 36:00
Your location should matter. I mean, like, I keep getting these password resets emails from Microsoft. I get like 30 a day. Like, obviously, if they are sent from Bangladesh, and I'm clearly not there, why do I keep getting these emails?
Steve Orrin 36:19
It's actually straightforward. They've got your email address, and they're trying every site that would possibly have that email address to get a password reset.
Botond Seres 36:27
Oh yeah I understand that, but I mean, why can’t like, Microsoft implement some sort of logic to figure out that this guy is getting 50 reset attempts, maybe, maybe someone got his password.
Steve Orrin 36:38
Maybe Botond, that's a good feature request to put into your software provider that absolutely. And this comes down to if the end customer doesn't request the requirement, it's not going to get built in and we see the same thing with a variety of things. Why do we get so much spam text messages? Why do we, you know, it's, again, unless we make it part of the, you know, the channel of the requirement. In this case, you know, when you talk about, you know, enough there, I get the same whether I get the same thing from a variety of counts, people are trying my, my various email addresses to try to do a password reset. This is why again, turning on that two factor authentication for the reset is critical. So that you don't get so they can't easily change your password and take control of your account, having it require more than just an SMS message. So requiring, for instance, a code from an authentication device, if it's supported, is really powerful. And there are freely available today, these code generators, you know, like I pick on Duo because I use them, but there's like I have four or five of them, Authentify, and others that have this capability doesn't cost you as the user anything to support it. And most banks and other online services will have an option for turn on for two factor authentication, as well as for password reset, to require two factor authentication. And again, it's still annoying, I get it, but then you're still going to get 30 emails, but you're actually protecting yourself from someone actually doing that. Even if they've quit, here's the best part. Even if they cracked your password. By having the two factor authentication, they're not on the device that you logged in from the last time. And so they would have to then get that code in order to be registered the device in Bangladesh as being yours. So that, again, these are a series of controls we can put in place in our everyday lives to help raise that bar. Now, if someone really wants to go after you Botond, they're going to put malware on both your phone and on your laptop, and they're going to have all your edge devices in your network compromised. They'll get you and then you so then the question is, how do you, are you doing regular monitoring? Are you checking to make sure that …
Botond Seres 38:39
Ahh that's the thing about cybersecurity. I've been saying this for years, like if somebody really wants to go after you, and it's some of the resources of like, the NSA, you get no shots. None at all.
Dave Erickson 38:51
I was part of the hacker forum and in the beginning of the 2000s I was part of the Association of internet professionals and and we would have a hacker seminar once a year and the best description of cybersecurity that I kind of got was you have a house and you have a door and you have one lock and you can add a second lock or you can make a better lock or you can buy more locks. You can put as many locks as you want in the door and every time you added more security you know you had some low guy, some hacker come by, he knocked on the door, It wasn't open, Okay, it's too much hassle I'm gonna go. A hacker says Oh, I really kind of want to get into this house. He knocks on the door,It's locked. Okay, I'm going to pick the lock, It's hard, he goes away. You know, you keep upping the security making it more and more difficult. So there's, there's a million 100 million people you want to try to attack. The minute you find some resistance just move on to the next one because eventually you're going to find an open door. But if somebody says I want into your house and you have bars on your door you have 100 locks, well, you know, given the amount of resources and time, they're just going to take a bulldozer and just drive it through your front door.
Steve Orrin 40:06
Or better yet, they're going to, you know, they're going to cut out a hole in the sidewall where there are no locks.
Dave Erickson 40:11
Right, or go through the window or, you know, if somebody really wants in, you know, there, it gets to a point where if the, if they have the resources, they'll find a way in. And I think that's really kind of the level of security places like large enterprise and federal government are really thinking about because, you know, people really want into the Department of Defense. So the adversaries out there, some of these countries have $100 million that they can spend on, you know, one focused attack to try to get into the Department of Defense. and that is a huge security challenge, I assume.
Botond Seres 40:53
Wouldn’t that explain the supply chain effects?
Steve Orrin 40:54
Yeah, exactly. That's one thing to consider, though, is that you obviously want to protect to the best of your ability, based on the value of what you can get. No one has a trillion dollars to apply to the security of everything. But then there's also then there's sometimes referred to as the redheaded stepchild of security is resiliency. So if you assume you will be attacked, how do you recover and get back to a known good state? How do you get back the data that may have been ransomware encrypted or destroyed? How do you get back to an operational state quickly? That resiliency is the sort of the second part of having a proper security risk management story you put in through the appropriate level of locks and door bars and everything you want to do. But then your data needs to be backed up, your systems need to have the ability to recover and back to a known good state, whether that be at the firmware level or at the applications level. And so having that plan, as well as the technologies and processes for implementing the recovery, when you assume attack is also part of how do you meet that, you know, that adversarial challenge of eventually, they're going to break down the sidewall and bypass your doors, they're going to get in? But how do you make sure that the data that you have is recoverable, the applications are recoverable. And that you can get, as an organization can get back to servicing your customers spending being locked down for three weeks because they've got the keys, you know, from a ransomware perspective as an example. And so that recovery, and resiliency is a key part of any good cybersecurity plan and posture. And the last piece of advice I often give to CIOs and CSOs is you can have great plans. And you can have all the right technologies and all the right locks, game it, actually go and run the exercise because you don't know what's going to happen until you've actually had the event and you don't want to be figuring out what you missed when you're under a live fire exercise. And so run the gaming scenarios in your organization, actually Instit…,, you know, we're going to do a ransomware drill, we’re to take 12 systems offline and see what happens and see if the plan falls apart or if it actually works. And this way, the organization will already be tuned to what their job is, what each individual's needs to do at that moment in time. So when that does happen, you're not spending, you're not wasting time trying to figure out okay, what am I supposed to do? Which plan am I supposed to go look at? It's already ingrained, it's the same kind of training we do for it. You know, you talk about fire safety, when we're talking about cyber safety training. And actually running those exercises. I want to actually brought up an interesting point, I want to bring it back to something you mentioned earlier, but what can organizations do to help build better security, there are tools out there and Netflix was one of the first to put it out with Chaos Monkey, and now the Simian Army, which are sort of open source freely available tools to cause havoc in your environment, to test your resiliency. So you know, the original Chaos Monkey, what it would do is turn off services, they would just randomly go the, their cloud environment and shut things down. We didn't tell you which one and basically, their mantra was they had to be able to recover, knowing the Chaos Monkey was out there just randomly turning things off. And then they built a much richer set of tools and open source them. It's called the Simian Army, which is basically a bunch of tools to either shut down services, degrade services, take things offline with a full system, or even a particular port, and just, it happens randomly throughout the enterprise. And you can scale up or down just how much of your infrastructure you're going to take out in a given event. And what's nice about deploying these, again, their free tools is that you can test your resiliency without waiting for it to actually happen. And you can do it in a way that you can do it randomly, because if everyone knows that that service is going down there, all eyes are gonna be on that service. But if you know that some service is gonna go down, you need to build a plan that can recover from something happening. That is really how you can test your resiliency of your infrastructure. And it's not just for cybersecurity, it's also for service level agreements. Ultimately, your customers depend on your code or your application or your service running. You have, you know, contracts to make sure that it happens and things like these tools can help you make sure that you're ready to meet, whether it be the fact that you've gotten an attack happening environment, or you're hosting a concert, you know, ticket sales, and you're about to get slammed by millions of people wanting to get those tickets. so you can know that your system is resilient.
Botond Seres 45:02
That is absolutely fascinating. I had no idea Netflix had a solution like this.
Steve Orrin 45:07
They don’t but they were the first to develop it and it's now a whole community of contributors, building these open source tools.
Botond Seres 45:17
And I was wondering, previously, we talked a bit about recovery, disaster recovery, specifically. And one of the things in my mind, anyways which is like the end all be all of disaster recovery is having air gapped regular backups. Like, what's your opinion on those? Because I'm sure you have way more experience with these than I do.
Steve Orrin 45:39
So, absolutely. Well, you won't call air gap, offline backups are a critical part of an overall disaster recovery plan, there's two key things to keep in mind. Number one, is how often and number two, making sure you're not backing up the malware that's sitting there dormant waiting to get backed up so that you recover with the bad word intact. And so it's not just did I backup to an offline storage media, DVD or Blu Ray, DVD or large tape or some other mechanism, but I'm analyzing what I'm backing up, and making sure that I'm only backing up the data, you know, again, it's putting in the controls to make sure that you're not backing up the, a lot of people say, I'm just going to backup this server, well, that's great, you have a copy of the server. But if that server is compromised, you're going to have the cops along for the ride. And so number one is making sure you analyze what you're backing up, make sure you're only doing data updates. And things like operating systems just have a gold image, you don't need to recover the system, you just need to be able to cover the software that you've gotten in a gold image. So a lot of times what larger organizations do when they go deploy a new Linux stack, or they have another web server that they're going to deploy your database. At that time, they will take an image of what they're about to deploy, and they'll put it in a go offline, and this is our gold image. So that and then when you do enough, because let's face it, every couple of weeks, we're gonna be doing updates, you do an update with both the gold image updated as well as the one before in case for instance, supply chain, there's a compromise in that update, I have multiple versions that I can go roll back to that are secure and you do this at an enterprise level. And this allows you to recover the system separate from the data and you keep your data recovery and this way, you can only, you're only pulling over data as opposed to application code that could be compromised. And so absolutely. Another and again, this is not something small companies can easily do, I mean, possibly in a multi cloud environment. But oftentimes, what you'll find is that there will also have a quasi air gap set of live systems sort of waiting to be able to come online when needed. And so it's it requires it's, it's a cost, it's not something that you can do freely. But if you have mission critical systems, and you talked about the five nines of resilience, of resilience of being able to have uptime, to meet those critical infrastructure requirements, oftentimes you'll have is you'll have systems that are air gapped or offline from the network, ready to be turned on by simply, you know, attaching them to the network to start servicing, if something happens to your main line. So this way you have, you know, that failover model, and in the cloud, what's really interesting about this, if you've got systems provisioned with your data, and they're just not, you know, and you can then spin them up on demand. So you've already got your application stack, you already have your data synchronized. And all you have to do is just swap from the, this live system to this other system. And that can be either within the same cloud environment, or you have a multi cloud with a cloud broker to be able to support that. It allows you to quickly recover back to operating state, even if it's not at the same level, you know, again, depending on how much you want to put into those offline or On Demand systems. But as part of an overall strategy of picking what are my most critical applications? And what are those things that have to actually be able to be running all the time or need to get back up and running in 24 hours? What data is most needed? Do we need to have the office football pools backed up with air gap? Probably not, although maybe some of the employees may disagree, but you pick what data needs to be backed up, offline or air gapped. And sometimes it may be, I need this data, it's got to be backed up every 24 hours. Other data can be every two months, if you make that policy decision, based on your risk, and the risk that the data you drive it from the data, not from the system of what, what's required for the data. If it's regulatory data, for instance, if you're in a financial or health care where you have to maintain data integrity for long periods of time, you know that if that data gets corrupted, that's gonna be a problem. And so you're going to want to have that, most of that, that data more regularly updated to an offline so that if anything goes wrong, you can still have that data accessible to meet your auditory, your audited or regulatory requirements. Similarly, if you have sensitive data, that's your corporate IP it's the you know, the, the coke recipe, you're going to have multiple era flight backups, so that makes sure you can always recover that back.
Dave Erickson 49:58
You know, in the, in the industry, the cybersecurity industry, you know, white hat gray hat. One of the tools that was like one of the most used tools or is one of the most used tools is penetration testing, where somebody goes in and tries to actually access your network and find all the gaps and penetration testing has gotten more affordable. So even smaller companies can do it, if they have stopped, but larger companies as well. But AI is now getting involved. How much of a tool is penetration testing really becoming? Is it you know, becoming stronger is getting less used? What's your feelings on that or thoughts?
Steve Orrin 50:38
So it’s, Dave, it's an interesting conversation, because there's a pro and a con to penetration testing. So the pro is that you have somebody other than your team that knows the application going in finding holes. And so it's a way to get fresh eyes, a third party eyes on the application or on the system to test it and see it, you know, is it as secure as we think it is. And so there's a definite pro there, this red teaming approach. The downside is that we overvalue the results. Because it means you know, because we say oh, the pen testers found these six things that was messing things up, that can be exposed, and after it's fixed those six things, and I'm done. And that is also not true, because they found six things in this, you know, the four weeks that you gave them with the limited budget you afforded them. And so now that's not good, that's great. But you're going to deploy this system out in the real world for 16 years with everybody in their kid sister being available to to go bang on it. And so it gives itmay give a false sense of security. And so the way to think about pen testing, and where I've seen it successful us to actually enhance security is a habit earlier in the cycle. So don't wait til your products out the door, and then go have the Dupit have them do it earlier, when you're doing your sort of your regression analysis, you're getting your, you know, your early art release candidates. So they can find those things earlier and have it done often. But have it done as part of the release cycle, and then have the continual, be continuous and this is one of those things where from a cost perspective, yes, these companies and services that do it for you, it makes a lot of sense for you know, for smaller for that one time. But also there are tools that are freely available that you can enable your internal teams to be doing that red teaming internally. And, and be able to, it doesn't have to be the developers that built it. Because again, they're, they're going to have certain biases, and they're going to pre assume things. But having a team, IT security or others that go in and beat up on products as part of the normal agile process to provide that sort of bug if you will feed back into the system as part of a regular cadence. In this way you get to that idea of continuous monitor or continuous audit of the, of the solution. So pen-testing is not a one and done kind of thing. Although a lot of people treat it that way. Well, we did a third party pen-test, we're good. It's that, it can give that false sense of security at the same time, it's going to absolutely give you insights, because they, typically pen-testers, don't think the same way developers do. They’re thinking about, how do I break the system that I make the button work, they think about, well, how much data can I shove down that, that pipe as opposed to well, the requirement said it had to handle 100 gigabits, well, what if I give it 101? I mean, those are the, that set different mindset is actually important in what we call the anti testing, or that negative testing that's required for pen-testers. The other thing is that pen-testing gives your auditors, your client people a warm, fuzzy. So at the end of the day, it's important because it's going to give Hey, we had third party look at it, and it was good enough. But again, I don't want people to think that that's all you need to do, or that one and done is good enough. It's about, how do I incorporate that into my development practices so it becomes a regular operation as opposed to a, yup, we did the pen test. And now we can move on and do whatever we want with the product.
Dave Erickson 53:48
Right? It's elevating your security. So the hacker comes knocks on the door, you've done pen testing, they may say okay, this is fairly secure, I'm just gonna move on. Right, but if they really want it, and they'll find a way in.
Steve Orrin 54:00
And I think there's two other things I would mention on pen-testing, number one is make sure your developers and your your product folks are watching while the pen-testing is, you know, so they can learn from the kind of tests and techniques, even the ones that didn't get through, maybe things they didn't think about and the next product they build, they could have gotten through and so have them learn from that. And the other aspect around pen-testing is where it has been really successful is when you focus in on something that is outside your domain. So one example is if you're going to deploy, you've got a software product, it's going to deploy in a particular kind of platform. Having the pen testers focus on the platform, you're, you focused on your software, you're going to load it on a system and have them beat up on that system so that you understand because you're relying on you know, the memory, the network controller, the the IoT and things like that. Having them focus on the IRS you don't have control over, gives you insights that you're not going to get from your own development team. And so it's a way to help marry those two worlds so you get better insights and well you know, we need to protect our data at rest better because We can't rely on the hard drive to protect everything, things along those lines. And so having them focus in on specific things that are outside your scope. I know it, that sounds unnatural, like I'm only going to test the things that we care about. But understand your stuff is going to live elsewhere. And so what do you need to do to protect your, your code or your application in the environment it's going to be in as opposed to the pristine lab environment that you built when you were building the product?
Botond Seres 55:23
If I may, I would love to circle back to a more, more user based, end user based question. I think he may have a great insight here, Steve, what's your favorite anti malware solution?
Steve Orrin 55:40
Well, I'm not going to name names, but I'll tell you a little bit about what I look for in an anti malware solution. So there are a lot of different approaches to malware, you've got virus scanning, and anti spam and spyware. And there's a litany of tools, I think the key thing is you need to have something there, that's monitoring. Two things I look for, number one, are they providing a comprehensive view, because what I don't want are 12 tools across 12 different types of attack that aren't talking to each other. Because then number one, I can't do anything with that information is too much information for me to process. And number two, if something comes in over here, but it affects over here, if there's no coordination, then it's both aren’t going to be successful. And so having a comprehensive tool that's looking across the differences are vectors. And then the other is ones that are taking advantage of some of the latest technologies, because we know the adversaries, so you want one that's using machine learning and AI to better detect those attacks, one that provides you with control. So again, if it's just scanning and not doing anything about it, that doesn't help me, I want something that, you know, again, the old quarantine ops concept only works with it's a file based malware, I want ones that are also looking to block, you know, they're learning from the intelligence of all of their sensors, to block emails to block, you know, domains to actually do proactive work. And so I take advantage, I'm getting the benefit of the millions of users they have, that actually then will provide that value to me, because if I have to rely on my security, on the tool that I bought to be that you know, securing only because it knows my system, and doesn't have that visibility into the broader ecosystem, and the broader customer base, well, I'm only seeing a small set, they're seeing a lot more. And so that's one of the things I look for. Personally, I also have more than one. I have like six systems here in my office at home. I have three different antiviruses, not that I don't trust any one of them. But sometimes that one will catch something that the other didn't yet. And so again, if you have the opportunity to have more than one, definitely do it. They don't all have to be paid for. There's some free ones that come, you know, Microsoft defender, if you flip on that you turn on all the features, it provides a lot of value, especially if you turn on all the features keyword there. There's a, there are ones that you get, you know, you pay the month, you know, the yearly subscription, you make sure to you one of the things I do is make sure you get the, get the family plan, you know, yes, my wife has a copy. But also I have three systems that are all part of my family. And so therefore, it's just cheaper to have, you know, half those systems covered. But that again, it's, it's a cont, and one thing that I think a lot of people think well, I had I had that antivirus so I should be protected. No, it's a control amongst many. And it doesn't mean I can go off and scan the dark web from my computer and not worry about being infected. It doesn't mean I can click on links in every email spam that I get. It's one of the many controls that you implement. So anti anti malware is an important tool. But it is not the only tool in my tool set, when I'm looking at protecting my edge system. And that's, you know, to Botond to the thing you said earlier, I backup my data onto both, you know, a different system as well as an offline, I have a cadence for it. So I backup to the on to a 2nd system just to have availability. And then you know, on a periodic basis, I you know, I USB or DVD ROM it off, and then store that for a while so that I have the most important data accessible in my personal data and things like that. The multifactor authentication, so you do a comprehensive and what's nice is nowadays, especially with a lot folks that are doing just about everything online, there are tools and there are technology, you can flip on for your online presence that can help protect you without having to do a whole lot on on your laptop. I mean, I'm a heavy I'm a rich laptop user, I have a lot of applications locally, a lot of people it's you know, they just want to see their email, they want to browse the web and maybe they're doing some collaboration. So if a lot of their life, if you will, is online then you should be focusing on how do I protect my online life. And so things like backing up your online repositories, making sure you have good authentication for those services. And making sure that you're protecting the data that any data that you bring down from being compromised and getting from a personal perspective, but there are, is a benefit to having this sort of, the online life and I'm not talking about social media here. I'm gonna be careful about that. I'm talking about you know, so the Google Drive and or other services that are out there is you can secure those you can turn on the security features and then you're relying on a multi trillion dollar organization who's going to do that, as opposed to me trying to figure out which product do I need to download. And so flipping on encryption, making sure you're using multi factor authentication, having backups for your key files and drives, and things along those lines are all good best practices for protecting your digital life, if you will.
Dave Erickson 1:00:21
I want to go back a little bit, you mentioned this. And now I want to open that can of worms. Even though AI as we know, it has been around for a long time, particularly machine learning, and a lot of the other aspects of AI. But because it's now evolving fairly quickly, and generative AI has been part of that. But also even on the machine learning level, there's been a lot of progress in the last couple of years to really advance that. The hackers have access to a lot of the same AI that organizations have. How is AI really going to change the cybersecurity industry? Is it making it better or is it introducing even harder to counter attacks?
Steve Orrin 1:01:14
Today? The answer is yes to both. So we've already seen examples out there of where AI is being used by the threat adversary in novel ways, as well as enhancing stuff they've been doing for years, the phishing schemes that we're seeing are much better than they've ever been. They're crafted by a generative AI. So it's natural English language, it can be targeted at an individual because you can train it on the data set, they've already compromised of you, on your online profiles and other day, they've got to be able to make it look like it is coming from your bank. And yes, this is the amount of money that you just transferred. So you should absolutely check Hey, did I do that and click the link. So we're seeing AI be used to generate, we're seeing there was an example a few months ago, of a really elegant and pretty much as attack where an AI chatbot was combined with a deep fake video. And it was able to trick a financial person at a corporate international corporation to transfer $25 million out of the, and the deep fake was of the CFO. And let's face it most CFOs, a publicly traded company, there's lots of video of them out there talking to analysts on CNN or whatever. And so they were able to create a deep fake video of the of the individual as well as the natural language processing, GBT style chatbot to actually have a overall like a collaborative collaboration video call to be able to have a conversation with the individual telling them what to do to transfer the money out of the system. I mean, that was an elegant attack for $25 million. It's a pretty big win. But the fact is that the technology is available to do that. And for you on the other side is How do I tell you if I'm looking at you right now, Dave? How do I know that you're real? I mean, if I look at your eyes carefully, can I see, are they moving the right direction at the right time, maybe. But chatbots are getting better, you know, the, the deep fakes are getting better. So this is a case of where AI is already being applied, you know, sort of on the, on advancing what they're doing today, making those phishing and targeted spear phishing campaigns that much more successful and looking a lot more real. The second area we're seeing is that there's just like, enterprise cybersecurity experts and CIOs have just volumes of data, all the attacks, all the events that they have to manage and collect and process. The adversaries are, you know, getting just tons of data from data breaches. So they're already using AI to help sift through the, you know, the 20 billion records to find the really good stuff. And so we're seeing AI being employed to be able to process the sheer volume of data to be able to go in when they search all the networks out there and find all this information. How do they know what's the really cool targets, or where to go focus on a lot of times are using machine learning to help automate that process just like we would so it's the end of the day, it's like a hammer, you can use a hammer to build a house, you can use a hammer to bump somebody upside the head. It's a hammer, it's a very powerful hammer, when used in both directions. So on the, on the adversary side, we already are seeing them use AI for phishing, like I said, for doing data analysis. The other area where we're starting to see inklings of is around generative AI malware, where they're using the adversarial AI models to build better polymorphic stealthy malware that can be not. So they have on one side, the malware generator and the other side, they have a detector, and they pit AI on AI violence while they try to get the best AI malware out of the other side. Again, we've seen a lot of this in the research, there was a DARPA Grand Challenge around this. So there has been research about this. And we know that that's already starting to filter into the adversarial space, but it's not as much you know, in the news as you were to some of these other schemes because a little bit behind the scenes. All you see is the malware you don't necessarily know per se although there's been some analysis recently that it's highlighted that this code looks like it was generated by an AI and Not by a human being, because it's maybe too perfect. Which, by the way, that's something to think about. We as coders are not perfect, or we have sort of styles that we use over and over again, whereas AI is gonna look for the best possible way to integrate code from 1000 developers. And so if you're doing the software analysis, you may be able to attack better than, hey, this doesn't look like a human could have written it, because it's just way too good. Or it's got signs of 17 different threat adversaries all in one package that, that would take a lot of work, maybe an AI built it. On the other side, cybersecurity professionals, the CSOs and the cyber defenders, are starting to look at how can we leverage AI to benefit this? How do we secure ourselves using AI, and whether it's advanced anomaly detection and behavioral analysis, we're seeing a lot of examples of that already being deployed at scale. So looking at behaviors or things information that again, would be below the radar, but to an AI can find those similarities. And we'll say You know what, that is ransomware. It may look like, you know, a normal word processor, but it's doing some interesting things that don't fit to a normal model. That's what AI is good at predicting that this application flow doesn't match what I've seen before. We're also seeing it in the non obvious ways. As I mentioned, their sheer volume of data that needs to be processed, if I can process or down select that faster, then my underfunded understaffed cyber team can focus on the really hard problems. And so using AI to do better data quality, ingestion and data labeling, or being able to do some of the data pre processing, say, oh, you know, all this stuff is just firewall hits that we could just flip the switch, here are the really interesting things that you need to go do your EDR on. And so we're seeing AI being applied to things like data ingestion, and data quality and data management, which are not the cyber side of the camp. But it's how we then manage that sheer volume of data. It's the same problem you'd have in any other domain, but now we're applying it to the cybersecurity domain.
Dave Erickson 1:06:54
A lot of the traffic or a lot of the endpoints of data transfer, and application usage are these endpoints of public fiber optic nets for Internet spectrum, you know, FiOS, all these different homes are connected, people are working from their homes. But these networks is part of an infrastructure and, you know, a lot lately has been happening where a lot of the hackers are focusing on infrastructure. And here you have an infrastructure where the data is being transferred. So somebody wants to steal data, one of the ways to steal data is to intercepted en route, right? Do you see any movement from these types of networks to make them more secure? Or is that a, an active effort? I mean, Intel has a role, because a lot of the chips that Intel makes are used in a lot of these routers and transfer stations and other things. What's your thoughts on this infrastructure?
Steve Orrin 1:07:58
So if you make a good point, I want to separate infrastructure from the home network. So the input infrastructure providers, the network providers, and the system vendors that are supporting are absolutely building in the net, you know, technologies to better secure those networks, both from compromise, as well as from confidentiality, leaks or integrity attacks. Absolutely. The infrastructure, especially as we move to a more cloud, and 5g and deployed distributed world are building in those security capabilities to protect the core, where I think some of the challenges is that, you know, once it leaves a core, so this core security, it's sort of like thinking about the end to end, you know, the applicant, the data generator, or the data processor on the cloud side and your home network, which has got, you know, a router modem and maybe a little switch there. That could be an entry point. And if they can get you to click the link on your laptop that downloads a piece of malware, that sort of then does a firmware update, say to the router, those are, that's some of the concern. And so what you're seeing a lot of the, the infrastructure buyers or the big telcos are servicing in user communities, is they're putting a lot tighter controls over verifying the firmware. And the security of those, of those node systems, you see, you know, the people would say, Oh, they're cracking down on internet shedding, well, actually, what they're doing is making sure they can know the device and make sure it's a legitimate device. And if it's not a legitimate device, you know, sometimes you can bring your I know, there's several that allow you to bring your own router, I mean, you don't have to use their the least one that you can actually bring your own. They're going to have minimum requirements that you have to turn on WiFi and you have to turn on the right encryption protocol, you have to keep it up to date. And they will verify that before giving you the premium access to their core network. And so there are more proactive steps, you'll find it's going to be hit or miss of what committees are already sort of evolving to that. And what level of service if you're, you know, the low bandwidth cheapy one, you may get low bandwidth, GPS capabilities, but if you're getting the highest speed with the premium service, there may be additional things they're doing to help secure that link, because again you're paying for quality and service and reliability. There's also like I said best practices like verify, you know, changing the default passwords or when you add a network, because let's face it, most of us in the tech industry don't just have one system, we have most of them wherever we're using, whether we're using wireless, or we're using a hardware, a hardware network connected to that same thing, we should be doing our best practices to protect our data, because ultimately, the telco isn't responsible for Dave, Dave, your your security of your data, they're responsible, protect the connectivity that you're relying on. And so it's understanding the value, you know, who's ultimately responsible in the case of your data, you're ultimately on the hook to protect it from your perspective. Again, your service providers need to protect your data when they're hosting it, but you are responsible for protecting your endpoint. The same thing is when we talked about work from home, the CIO has suddenly realized that there are a part of their network infrastructure they don't own or manage that they've got to drive you as an as an employee to do some things on your home network, to make it securable, or make it more secure, so that you can meet a minimum standard. Again, your mileage may vary depending on how well they can enforce some of that. But ultimately, we are seeing the infrastructure virus start to take this really seriously. Now, the flip side, if you look at it I'll make the example of the UK and a little bit as they have a slightly different dynamic as far as the relationship between government and industry over there. But the central, the National Security Cybersecurity Center over there put out a set of requirements to the telco providers that said, Thou shalt do the following things, you know, turn on DNS sec, and D mark, secure BGP, there are a variety of 10 major things that they said, you're going to do this, to provide service to the UK. And because of the role that the UK Government takes with their infrastructure, they were able to enforce that and say, Thou shalt, now the good news is they published those recommendations, it's out there, it's a freely downloadable PDF that you can read and see what were their best practices for reducing spam and spyware for securing the core infrastructure. And in the US, many of the telco providers have actually, you know, they've been working with them over there, and they've got that. And so they're implementing a lot of those, but it's not a Thou shall from the government, it's more, you know, these are some really good recommendations, you shouldn't really be doing this kind of thing. But we are seeing those kinds of techniques being deployed inside to help better secure our critical infrastructure, especially in the light of the level of adversary, that you know, that they've gotten to the level where things like BGP attacks are absolutely in scope. For those who don't, that's Border Gateway Protocol, which is one of the core sort of signaling protocols. And you know, in the, in the network infrastructure, the adversaries have the skills and the tools to attack that. And so as their bar raises, the infrastructure providers have raised their bar to help meet that. But again, it's you know, it's being driven from a an industry as opposed to in the UK, that government said, Thou shalt
Dave Erickson 1:12:51
You bring up an interesting point. Europe has done a lot, you know, we're GDPR compliant, because our developers are in Europe. And, you know, GDPR compliance, although can be quite painful, it does force people to have kind of a minimum level of security, have a data security policy and educate everybody who's working in the company to secure data and that’s really important. I know California has tried to make something very similar. Do you see, you know, governments in say, the United States and other areas, start implementing such things and focusing more on it?
Steve Orrin 1:13:32
So I don't want to comment on individual political situations across, we know that many states are implementing their own privacy rules and so I think, you know, because of the nature of the United States, keyword states, you'll see a lot of that momentum first at the state level before we see it at a federal level, the same time, there are recommendations already out there coming from DHS and others on how to do better data privacy, but it's not a government requirement to private industry. It is however, if you look at sort of the DOD zero trust architecture and other approaches, they can, if required, make those reforms of the federal government and so the federal government has a security baseline. It's been around for a number of years, and they keep evolving and enhancing it. But I don't think we're at the stage where we see the federal government enforcing security policies, on privacy policies on the private sector, but we will see states sort of adopting state level, which is a good thing that we get the privacy, the bad thing is that, you know, if Massachusetts can't afford to be slightly different things at me as a company got figured out which one, how do I support both and we have this problem, even back before GDPR. I think when they think about GDPR is it gives us one standard to sort of hit for and as long as no one does anything crazy above and beyond that, if we do meet GDPR, we should meet everyone else's in theory. But I think again, we'll see because it's not just the EU, you'll find that large countries around the world are creating their own data policies, both privacy policy as well as other kinds have security policies, India and Australia and others. And so from a global corporation or even a small corporation is trying to serve as a global customer, it does start to get complex of well, How do I meet the requirements of all the different constituent sovereignties that I'm trying to service. And that can be challenging,
Dave Erickson 1:15:16
Yeah, especially if you have like, a SaaS business where you're, you know, you're just out there to the world, you know, who knows who's gonna be and what requirements you need to meet to be able to do business and all these other countries?
Steve Orrin 1:15:29
Yeah, Dave, this is good example with SaaS as that your cloud provider may offer you those services, they may say, hey, we have the GDPR and other privacy, it's going to cost you some more money, but you flip that switch, and then you can get the benefit of them providing the right regions or the right data protection standards, and let them take the onus of trying to protect the infrastructure upon which you're delivering your SaaS.
Botond Seres 1:15:51
Steve, what do you think the future of cybersecurity is?
Steve Orrin 1:15:58
Well, that's a very interesting loaded question, the future of cybersecurity. I can look at it from two and two perspectives. If I look at a third of the past 30-40 years, and take a slightly glass half empty approach, I can say we're going to continually repeat a lot of the mistakes of the past with every new evolution of the future. So I think one, you know, one way to think about it is, we will always have security challenges. There'll be different technologies, different architectures, but we'll be solving a lot of the same fundamental problems for the next foreseeable future. That's the pessimistic one. But I think that we can get into more on an optimistic note, I think the two things are actually happening today that are going to actually make a big impact. Because if you look at the charts that you know, whether whatever analyst or cybersecurity firm has put out there showing how the adversary is always beating and the threat to vendors always lagging, there are two things that are changing that dynamic. And we're seeing it today. And again, it's somebody who talked about AI is one of those, AI is an automation. I'll link those two together, even though they're different technologies. But AI and the adoption of automation are two of the key things that we're going to help organizations get ahead of the curve. It's gonna allow them to automate the stupid stuff. And what I mean by superset was the 80% of things that you don't need a cybersecurity expert to go patch a firewall or flip off a port, or lock down the system, you can automate that with software defined networking, and cloud, there's so many things we can do to make that automatic. And then we can focus in on the hard problems, and then using AI and machine learning and technologies that are evolving there, to start to tackle those harder problems to find those needles in the needle stack. So that's one area that I think is going to help advance cybersecurity to actually catch up to the cyber adversary. And the other is we're seeing that this coordination between hardware, firmware and software to provide a hardware of security and immutable, if you will, are almost immutable security is a game changer from the past. If we think about the past where all of our software, all of our security, relied on something that was running in the OS or something that was running in the network. And so if I, if the malware could bypass the OS or bypass the network, game over. We're seeing innovations in the last five to 10 years of hardware features that are now being able to provide security up the stack, allowing you, for to be able to detect malware from the CPU that it's running on, you cannot lie to the CPU. That's the beauty of hardware based security, you cannot have a malware in the OS that can perform some function that the CPU can't stop. And so as more and more CPU capabilities come out, and more and more software stacks, take advantage of them, we start to see the closing of all of these windows, you know, like you said in the in the house analogy, I don't have to buy a lot because I bought the house with the lock built in. And that's something that is going to, it's not that that's 100% secure. But it means that if I'm going to spend my time and energy buying a lock, I can buy less locks, or I can focus my locks on the more serious other places, because certain things are just built into the house. It's got reinforced walls, so I don't have to worry about someone drilling through the wall, it's got a reinforced door to begin with. And that change is going to again help the cybersecurity teams to focus more on the things that are getting through and less on all the 80% of just the day to day fire drills that we're all fighting. So I think those two things, the use of automation and AI, and the leveraging of hardware, enhance security are two things that are going to help cybersecurity teams be more efficient, and catch up to the adversaries. Now, it's never going to stop the adversaries because like I said, it's a trillion dollar plus industry. But if we can, if we can at least meet them at their own at the, at the same level, we will be much more successful as an industry.
Dave Erickson 1:19:32
And I assume Intel is going to be focusing a lot on hardware based and firmware based security
and already are Yes.
Steve, thank you so much for taking us into the dark depths of cybersecurity. I'm sure we could spend another hour talking about it. Well, dear listeners, we are at the end of the episode today. But before you go, we want you to think about this important question.
Botond Seres 1:19:56
How are you going to make your digital infrastructure secure?
Dave Erickson 1:20:00
Now, for our listeners, please subscribe and click on the notifications to join us for our next ScreamingBox technology and business rundown podcast. Until then secure your network. Thank you very much for taking this journey with us. Join us for our next exciting exploration of technology and business in the first week of every month. Please help us by Subscribing, liking and following us on whichever platform you're listening to or watching us on. We hope you enjoyed this podcast and please let us know any subjects or topics you'd like us to discuss in our next podcast by leaving a message for us in the comment sections or sending us a Twitter DM. Till next month. Please stay happy and healthy.