Episode Transcript
0:00 Welcome to To The Point Cybersecurity Podcast. Each week, join Jonathan Knepper and Rachel Lyon to explore the latest in global cybersecurity news, trending topics, and cyber industry initiatives impacting businesses, governments, and our way of life. Now, let's get to the point.
0:21 Hello everyone. Welcome to this week's episode of To The Point podcast. I'm Rachel Lyon here with my co-host, John Knepper.

0:30 Hi, Rachel, how are you doing?
0:32 I'm doing well, I'm doing well. You know, I love to watch TV, I love streaming services, and I was dying to ask you, particularly for today's conversation, it's a little prescient: have you been watching the Apple TV show Prime Target at all?

0:45 I have not, but you'll have to tell me all about it.

0:49 Okay, I will. And you know, the premise, and I think today's guest will have a lot of thoughts on this in its validity, but at... It's a mathematician getting his PhD in Cambridge or something like that, and he's close to cracking the code on primes, and the implications of that are stirring an international conspiracy, and people are out to get him because he's going to crack the code on primes and what that means for encryption. It's very, very dramatic. I don't know if it's true at all, but it made me really want to learn more about prime numbers. So with that, we'll go ahead and jump into introducing today's guest. I am so excited to welcome Dr. Bill Anderson. He is principal product manager at Mattermost, where he drives innovation across sectors including AI, quantum cryptography, and secure communications. He's also the founder of Oculis Labs and has deep experience in the defense and intelligence communities. Welcome, Bill.

1:55 Thank you. Thanks for having me.
1:57 It's great to be here.

1:59 So let's get off with a fun, fun question here. Looking at, you know, DISC, right, defense, intelligence, security, and critical infrastructure organizations: how are they defining cyber resilience today, and is this significantly different than the approach commercial organizations were taking?

2:13 It's not too different, but what, you know, the focus is on national security, critical infrastructure for those DISC organizations. So their main difference would be that they have to think about a very, very highly capable adversary, a nation-state that might be trying to subvert our electricity supply or break into classified networks to steal things for various reasons. And it's not that commercial doesn't have that problem, too. Some elements of commercial, too. If you're a bank, which we actually consider critical infrastructure, by the way. But you know, if you're a bank, of course very, very dedicated people are willing to spend almost unlimited amounts of money in order to drain unlimited amounts of money from the bank. So there's a cost-reward sort of equation there. But in the government space, you know, defense, intelligence in particular, there's a lot of benefit to adversaries in executing these same kind of attacks, and they're infinitely valuable depending on how you set your metrics. And so when we're designing systems and defense and response for them, we have to think it's possible that there will be no holds barred in going after this information, and so we have to get creative. Which, by the way, unfortunately, isn't always the case in the approach that our governments take. But we should be thinking the worst and planning for the worst. The downside, having been in this space a long time: they don't always do that. And we've actually seen the result of some of those failures of imagination, of bureaucracy, of the horrible slow acquisitions process, of waste, of inefficiency, of laziness. We see it. And unfortunately, as I said, I hope that didn't sound too negative, but I've also been selling technology to government for like 20 years. So, you know, I've got a few scars.

4:13 So, but you know, the approach, the things that they do, the technologies that they buy are actually largely the same. If it's good to protect, you know, Bank of America, it's probably good to protect Department of State. And so there's a lot of commonality in security vendors selling with similar technologies. The way it then gets applied is the same. The way that it's maintained is a little different. And there's a lot more scrutiny and management of sort of ongoing analysis and response in the government space. Not that they don't, again, not that they don't do it in industry, but there's just more of it.

4:55 The other thing that's maybe a little bit different is around collaboration. So in the commercial space, there are these groups called ISACs, information sharing something. I don't know what it stands for. So there'll be a Health ISAC, a financial industry ISAC, there's probably a dozen of them or so. And those are really great organizations, and they collaborate with each other. So they'll set up an org that everyone can trust, even though, let's say, 120 banks who might be competitors wouldn't share other information. They will share patterns of behavior that they're seeing. And that goes up to the sort of central group, and the group says, hey, we're seeing this kind of attack, this kind of threat on these Midwestern regional banks. Probably all the other regional banks need to know about this because it's going to follow and go see them.

5:51 Government can't do that as much. There is some information sharing among close allies, but there isn't as, unfortunately, the way that the international game is played, allies who are not super close allies might also be the ones who are attacking us for their own reasons. So there's a little bit of competitive pressure there to say, we won't tell everyone we're experiencing this right now. Because by telling them... And unfortunately, I worked closely with folks in the intelligence industry for a while. You learn that your questions actually reveal a lot about your situation and your knowledge. And so you really don't want to reveal what's going on. So that's one of the big differences. You know, if you're Department of State or the DOD, you'll talk to the experts. In fact, you are often the experts. You know, the NSA and Cyber Command is very much the most expert organization around in this sort of thing. So I'm sure that they get advice from them, but they don't go call up the French government. I'm not picking on the French government, but you don't call the French government and say, we're noticing this attack on our servers. It's working. So there's a difference.

7:12 So what about for, like, our listeners? What can they do to create kind of a culture about cyber resilience and so on within their organizations?

7:21 Yeah, and this, my advice here goes, I'm probably not giving advice to everyone who needs it, I mean, so a lot of folks know this, but it really does start at the top if you're a private organization, but a government as well. The leadership has to have enough awareness and stake and sort of authenticity in prioritizing cyber defenses. And what that means is more than just saying we have a mission to be, blah blah blah, the most secure, you know, government agency on the planet. By the way, they do say that. It's nonsense if they don't follow through with listening to what the experts are telling them. And so when the experts say things like, the firewall that our acquisitions program allowed us to buy five years ago isn't enough anymore, you don't say, well, we'll start planning to do something better. And that's, by the way, those are five-year plans. Well, attackers move at the speed of days and weeks. So the acquisitions process is so broken for solving these problems. It's literally, it's laughable. It's actually laughable that by the time someone's actually able to get a solution in place, it's probably two years old, at best.

8:40 Well, they're already breached.
8:42 They're already breached, or what's worse, there's already ways around them. So it's not like, as an attacker myself, I don't go and try to break the latest encryption algorithm. It's usually pretty good, at least if it's been open-sourced and analyzed in public. What I do is I look for the things you didn't think about, and I go in the open window on the side of your house.

9:07 Right.

9:10 So, you know, cryptography is often the excellent lock that can't be picked. And yet you've left the window open because you didn't think to do, you know, background checks on the cleaners who are emptying the garbage bins. By the way, a lot of the garbage, a lot of the government space actually does think about that. That's not a knock. They really do think about stuff like that. But you have to, so from the top down: listen to the experts. The experts say things like, you know, we need, you know, we're experiencing this kind of threat right now. Our own employees are being fooled and then subsequently impersonated by a fairly sophisticated large language model attack, or an AI or a machine learning enabled pattern is finding its way in through our authentication systems. Like, okay, you don't then call up the acquisitions people and ask them to figure it out, because it will take them five years before they buy it. You have to say, I understand my threat model, I am seeing risks to our systems, I'm going to fix them right now. So that takes leadership.
10:24 The second thing is training. So the DOD, for example, is staffed primarily by 18 to 25 year olds. So they don't come in with a lot of experience in making these systems secure. They have to learn that on the job. So you have to train them, and you have to think about turnover as well. And this actually applies in the rest of the industry too. You just have to think about turnover. You hire in a new person at $120,000 a year to do an important security analyst job. That's great. They probably don't know how to secure your systems yet. So you have to train them. And unfortunately they might get hired by Amazon for 150K in six months, and then they're gone. You've got to train somebody new. So design the systems to do sort of continuous training and build the training into your systems.
11:22 And then the third thing I'll say is that cyber response, security in general, is a team sport. You're bringing together many different sources of information. So there's a whole bunch of great, like, platforms, XDR tools, security analysis capabilities. It'll say, this is what we see. We're seeing these kinds of anomalies. We're seeing this kind of trace. We're getting information from an ISAC or whatever. It feeds into the system. What's the system? Where do your people actually go to do their work? And so they need a platform to go and work in. How do I, let's say we're at a manufacturing, a major manufacturing site, and our alarms start going off, and it appears that the process management technology that's running our factory or plant has gone awry. We're under an attack. But we're in a cloud. We don't know exactly what's happening. We have to figure it out. And we're not even all there physically in the same place. A lot of us work remotely these days, or at least we're not in the office at 2 AM when this thing happens. Where do your people go? Well, they go to a secure collaborative workflow platform where they can talk to each other, and then they can integrate those data sources, and they can run a structured workflow to say, oh, we've got a procedure for this. And the 18-year-old who you hired last week, who doesn't know anything yet, who happens to be the one on deck, says, ah, I need to run the manufacturing flight, sort of IT system is doing this. What do I do? Click the big green button, start the play, start a channel to talk to people, invite folks into the channel, notify people who need to know, grab the artifacts from your analysis tools, create an auditable record of the things that you've done, and just follow through as you deal with the incident. So, you know, as I said, leadership, training, and then a tool to actually bring your people together to make it work.
13:36 You know, you can't, in the world of security today, and kind of protecting the crown jewels, right? I mean, data security, you can't escape it right now. It's a really curious time with the exponential creation of data. How do you secure it, but also how do you balance that with effective incident response?

13:57 Yeah, I would say it's not really a balance, because it's not an either/or. It's not that we are going to only respond. That would be bad, right? That's not efficient. Our files are wide open and we'll spend all day. No, we have to actually secure it as well. So you kind of have to do both. But when I advise on a situation, I would always start off with, yes, the sky is falling. Your hair is on fire and your staff are running around screaming. Okay, understood. By the way, it will be that way next week too. Let us think about first, though, and this is if I'm not trying to sell a security product. So I don't have my vendor hat on. I have my advisor hat on.

14:48 Do you really understand your threats? What is your threat model? What is a reasonable threat model for your organization? Because you don't have unlimited budget to buy all the tools. Even if you did, you need to buy or hire a ton of people to operate them. So start off with deciding how high up you need to get in terms of security before you start buying tools. Tools are not the answer, right? An understanding of the things that you're likely to have to protect against is the start.

15:23 So, and again, another good example, let's say you're a consumer entertainment platform manufacturer. Do you need to worry about a nation-state attack hacking your systems? Probably not. Maybe if you're Apple, you do. Actually, I'm sure Apple's got really excellent security. But if you're some smaller vendor, it doesn't have sort of global importance. By the way, Apple does. So they have to be really, really good at this stuff. But if you're someone else, you say, all right. Yeah, we're not worried about North Korea, you know, breaking into our systems. You know, we're, so we don't need to air gap everything and do a background check on our employees three times a year. We don't need to do that. We do need to do this, though, right? So we have compliance requirements, we have reporting requirements, we have, you know, HIPAA and various other capabilities, you know, we have personal information, have customer information, we might have to comply with GDPR if we've got customers in Europe. So you do have to get up to that standard. But before you just go shelling out money, understand what you need to do, and then you design the security to do that.

16:41 And then when it comes to developing your incident response, you tune that to the threat model. No sense sitting there looking for an army coming over the hill if you're never, you know, if you're, or no sense designing a Navy if you're landlocked, right? If you're just never going to see that threat. And then you have to also make that incident response program adaptive. Because what will happen is eventually it'll tell you what your threats are. You'll be able to go back, look, and say, what's happened to us over the last six months, and probably some really interesting things will pop out, like, oh, we didn't realize that. We're actually getting attacked in a way that we didn't expect. And then that should inform your budgeting for what your security tools look like.

17:34 So a good example would be, we decided to let our employees use their own BYOD laptops. And then it turned out that since the laptops were crossing the corporate boundary, because we gave them all the VPN so they could get in and do certain things, it started, we didn't have a perimeter anymore. It also turned out that our own networks got used for file sharing. Right, because our employees left their file sharing applications on, and all of a sudden, right, we've got some problems. So you would learn from analyzing what the threats actually look like.

18:14 You buy integrated security systems, so XDR, extended detection and response platforms, buy that. First and foremost, buy the collaboration platform, the integration one that has your people working together. And, you know, I'm dealing with this issue, what are you doing? I'm seeing this pattern. Great, can you give me the artifacts? Great, we've seen this before, let's look at the archives, we've seen this last week, we've got an active response dealing... Like so, putting all those tools together and realizing that while you can do automated response and sort of continuous risk assessment, it's very much requiring a human in the loop on that. Because, you know, machine learning and AI tools are great for identifying things. They're not great for really prioritizing them in context. They should be, and I think eventually they will be, but they'll also send off a huge number of false positives. So your humans have to get involved in saying, yeah, that's, you know... Okay, our vending machines are getting hacked, but we don't care about our vending machines. They're still working for us. So, but if instead it's your, you know, it's your, you know, CFO's personal laptop or work laptop that's always under attack, that's a different matter.

19:35 So, so I come back to thinking about, like, your point here of how, you know, the bad guys can basically have infinite resources, and your comments too about how you have to balance that. What do you think are the main things that are holding organizations back on appropriately defending themselves?

19:56 Yeah.
20:00 I think that sometimes it's information overload. It's a very complex environment. There's a lot going on, where maybe we're getting a lot of false positives out of the tools that we do have. And it can sort of become overwhelming, and your security team, if you have one, hopefully you even have one, your security team is so busy putting out fires that they can't look at the big picture. And I as a security practitioner sort of feel for this problem, because I've also run a company before, and unfortunately you do have to think about the budget, and good security people are expensive for a reason. So, you know, and just as advice to those organizations that can't afford a full-time 200K a year security expert: yeah, you're going to need to outsource to an MSSP. And that's probably a really good use of funds. So you're getting basically a fractional expert; in fact, what's even better, you're getting 20 fractional experts who know all the things that you don't have time to figure out. So yeah, so it's that sort of information overload.

21:11 The second one I mentioned before is the skills gap. Even if you did have a full-time cybersecurity professional, maybe they're expert in Windows systems, but they're not expert in mobile devices, or they're not expert in Macs, or they're not expert in servers, or they're not expert in networks. Right there, there's five different subject areas; you can't be expert on them all. So there's that skills gap. Training again, support for the folks who are doing the work. It helps, it's necessary, but it probably, if you're, and I've worked for, you know, small private equity owned companies, yeah, we never had enough money, right? To solve these problems. And then the money had to go back to pay for the debt that the private equity guys had taken to buy the business, right? So, so do the best you can and don't get hacked. It was kind of, here's your budget, good luck, we'll see you next quarter when it's time to send us a check.

22:15 So you're saying hope is a strategy?

22:17 Yeah. Balance, balance, balance, hope. I have another, I have another approach, I have another approach if it was up to me, yes.

22:26 And I hate to do this, you guys, but we've come to the end of today's episode. Please come back next week as we pick up part two of our conversation with Bill Anderson. And until next time, stay safe.
22:44 Thanks for joining us on the To the Point Cybersecurity Podcast, brought to you by Forcepoint. For more information and show notes from today's episode, please visit forcepoint.com/podcast. And don't forget to subscribe and leave a review on Apple Podcasts or your favorite listening platform.