WEBVTT

1
00:00:51.210 --> 00:00:51.960
Sean Gallagher: Hello everyone.

2
00:00:53.250 --> 00:01:02.940
Sean Gallagher: My name is Sean Gallagher. I am the former information technology editor at Ars Technica. We call it "emeritus" or "at-large" because I've escaped.

3
00:01:04.110 --> 00:01:06.090
Sean Gallagher: Today we're going to be talking about

4
00:01:07.200 --> 00:01:18.210
Sean Gallagher: finding certainty in IT when the world is uncertain, and I'd like to thank Dell Technologies for sponsoring this panel. We've got a great panel lined up.

5
00:01:19.530 --> 00:01:22.890
Sean Gallagher: Near and dear to my heart, and all from the information security community.

6
00:01:23.670 --> 00:01:36.660
Sean Gallagher: First we've got Ed Skoudis, who's a SANS fellow and instructor. He founded Counter Hack, a company focused on penetration testing. He also leads a team that builds the annual SANS Holiday Hack Challenge, in its 20th year. How's it going, Ed?

7
00:01:36.960 --> 00:01:38.160
Ed Skoudis: Very good. It's great to see you, Sean.

8
00:01:38.160 --> 00:01:43.980
Sean Gallagher: Okay. Also joining us is Katie Moussouris, the founder of LutaSecurity and a veteran of the vulnerability disclosure wars.

9
00:01:45.180 --> 00:01:51.630
Sean Gallagher: The former security strategist at Microsoft and former chief policy officer at HackerOne.

10
00:01:53.220 --> 00:01:53.700
Sean Gallagher: Welcome.

11
00:01:55.710 --> 00:02:08.250
Katie Moussouris: Thank you so much for having me.
Sean Gallagher: And last but not least we have Marcus Carey, the creator of the "Tribe of Hackers" security book series and a 20-year veteran of the cybersecurity realm.

12
00:02:08.610 --> 00:02:17.880
Sean Gallagher: Having worked in penetration testing, incident response, and digital forensics with federal agencies, including NSA, DIA, and DARPA. How you doing today, Marcus?

13
00:02:18.600 --> 00:02:20.430
Marcus Carey: Hey, thanks for having me. Glad to be here.
14
00:02:23.220 --> 00:02:35.940
Sean Gallagher: And again, I wanted to thank Dell Technologies for putting this together and having all of you join us as well. So it's been an interesting past six months or so.

15
00:02:36.990 --> 00:02:42.000
Sean Gallagher: And work has sort of been redefined for everyone now.

16
00:02:44.040 --> 00:02:45.660
Sean Gallagher: I guess that's a safe way of putting it.

17
00:02:46.920 --> 00:02:54.720
Sean Gallagher: So, a lot has happened in the course of that over the past six months, with everybody going remote, many companies having all their employees remote.

18
00:02:55.200 --> 00:03:09.450
Sean Gallagher: We've had some pretty serious ransomware attacks and breaches and some other security issues, fairly serious security issues that popped up as we've been trying to fix things, and a lot of others waiting in the wings.

19
00:03:10.650 --> 00:03:29.340
Sean Gallagher: So, what I want to start off with is discussing what has fallen apart in lockdown, and what do companies need to do to triage the problems that have emerged as they rushed to support employees working remotely. Anybody want to kick that off?

20
00:03:31.410 --> 00:03:32.430
Ed Skoudis: Here, I'll go ahead and start it.

21
00:03:33.120 --> 00:03:43.710
Ed Skoudis: You know, for decades, we built our networks with these firewalls around them and all of our sensitive stuff inside, and we tried to keep, you know, the attackers on the outside.

22
00:03:44.100 --> 00:03:55.110
Ed Skoudis: COVID kind of put everything in fast forward, right? So we've seen this evolution of distributed networks, moving to the cloud, all that kind of stuff, remote work. Work from home.

23
00:03:55.710 --> 00:04:01.200
Ed Skoudis: VPN. We've seen that gradually over the years, but six months ago they pushed fast forward and now—

24
00:04:01.950 --> 00:04:05.460
Ed Skoudis: There really is no perimeter. Much of your data is in the cloud.
25
00:04:05.850 --> 00:04:17.520
Ed Skoudis: Most of your workers, their primary IT is themselves at home, and they're using it to get access to your environment. So everything's been turned inside out, really, and we have to completely revisit how we do security for it.

26
00:04:18.000 --> 00:04:21.060
Ed Skoudis: So I mean, that's the fast-forward trend that we've seen.

27
00:04:23.100 --> 00:04:29.790
Sean Gallagher: Katie—got anything to add to that? I mean, obviously, from a standpoint of what your vulnerabilities are

28
00:04:30.900 --> 00:04:34.080
Sean Gallagher: when you put everybody working from home, it adds a whole new layer to that.

29
00:04:35.040 --> 00:04:48.540
Katie Moussouris: It sure does. So one of the things that I think has affected a lot of us with families is that suddenly, you know, we've got our kids doing online schooling, and unless they had a high enough powered device to connect on their own,

30
00:04:48.960 --> 00:05:00.030
Katie Moussouris: often the interim strategy was getting them one of yours. And then suddenly you're having to manage multiple, you know, different user configurations, security lockdown.

31
00:05:00.300 --> 00:05:07.710
Katie Moussouris: And then what I noticed was that the schools didn't have a solid policy on what they were doing in terms of recording,

32
00:05:08.100 --> 00:05:16.470
Katie Moussouris: storage of those recordings, protecting those recordings. So I had this whole thing where, basically, for the first phase of remote learning,

33
00:05:16.830 --> 00:05:24.780
Katie Moussouris: I had my kids, you know, with their cameras off. Mandatory from me. Because I was like, look, I can't, you know, I don't know where they're putting this stuff.
34
00:05:25.230 --> 00:05:34.470
Katie Moussouris: And then the second thing, you know, was fortunately we didn't have to share devices here, but I know that that is an issue—not just bandwidth, access to bandwidth for education, for people,

35
00:05:34.740 --> 00:05:39.000
Katie Moussouris: but access to equipment, and dedicated equipment—and how does that change, you know, the fact that,

36
00:05:39.270 --> 00:05:46.500
Katie Moussouris: you know, before it used to be BYOD. And then you're letting your child play with your work phone—and that could be, you know, a security issue if they're downloading,

37
00:05:46.800 --> 00:05:54.900
Katie Moussouris: you know, crapplications and games that can introduce security vulnerabilities. Now it's additional devices for a lot of households. And I think that's something that,

38
00:05:55.380 --> 00:06:06.270
Katie Moussouris: I think that enterprises not only need to grapple with the realities that you need to make time for people who have family obligations, because our family obligations have all changed now.

39
00:06:06.660 --> 00:06:14.430
Katie Moussouris: And it's not just women who should be absorbing these new family, or the new heavier family obligations, you know, in this co-working space.

40
00:06:14.730 --> 00:06:26.790
Katie Moussouris: But organizations have to take the security posture into consideration when they are thinking about their workers and their workers' families and what technology stacks need to be simultaneously supported.

41
00:06:27.240 --> 00:06:42.690
Katie Moussouris: And I'm lucky that, you know, my kids' school allowed the cameras off—some schools are very adamant cameras had to be on. I don't know what I would have done, you know, as a security and privacy professional, if they hadn't allowed that option.
42
00:06:43.020 --> 00:06:59.610
Sean Gallagher: Yeah, I've already read of a couple of incidents involving kids with schools, where there was disciplinary action because of things regarding whether the kids were on video, or things that were in the background on video—kids were eating on video and got disciplined. That's kind of interesting—

43
00:07:00.720 --> 00:07:06.870
Katie Moussouris: So my particular scenario that I was facing is that I have an open floor plan.

44
00:07:07.470 --> 00:07:14.160
Katie Moussouris: And so online learning was happening. I didn't know, you know, I kept asking the school if they're recording these things or not, whatever—

45
00:07:14.550 --> 00:07:23.400
Katie Moussouris: I have to do sensitive security work calls. And if you recall, my company was helping Zoom during the thick of the pandemic, you know, the big—

46
00:07:23.640 --> 00:07:32.610
Katie Moussouris: cases were spiking in COVID, cases were spiking at Zoom. So we were brought in to help flatten the curve, and of course I had to have sensitive conversations. So guess what?

47
00:07:33.000 --> 00:07:39.600
Katie Moussouris: My office, for sensitive conversations, became what I call "The Swearin' Garage." I would go down to the garage.

48
00:07:39.990 --> 00:07:47.010
Katie Moussouris: And that is where we conduct a lot of my business. And I've even brought my laptop down there. And so we're just dealing with all of these

49
00:07:47.280 --> 00:07:54.930
Katie Moussouris: different considerations of, you know, you always hear about "don't talk about company secrets in the elevator," or out to lunch? Well, we don't go out to lunch anymore.

50
00:07:55.230 --> 00:08:10.290
Katie Moussouris: And most of our houses don't have elevators. But now we need to watch our mouths where, you know, our business conversations may be leaking into some other adult's household with their child on the Zoom. So there is an eavesdropping scenario for you.

51
00:08:11.130 --> 00:08:16.800
Sean Gallagher: Marcus. What are you seeing in this regard? I mean, this sounds like, you know, the penetration testing—this sort of

52
00:08:17.190 --> 00:08:29.640
Sean Gallagher: penetration testing takes on a whole different meaning when you're penetration testing your employees at home and things like that, in terms of their access. What are you seeing as far as some of the gaps, and how people are doing policy right now to secure things?

53
00:08:30.750 --> 00:08:38.040
Marcus Carey: Well, so, since I joined ReliaQuest—ReliaQuest, actually, we help a lot of big companies monitor networks, and so

54
00:08:38.970 --> 00:08:45.270
Marcus Carey: what happened is, typically over the, you know, last 10 years or whatever, people have been monitoring networks.

55
00:08:45.780 --> 00:08:54.720
Marcus Carey: And networks are then monitored in a particular fashion, which assumed that most of the traffic was coming, you know, from the—Ed mentioned this before,

56
00:08:55.320 --> 00:09:02.340
Marcus Carey: in a classical enterprise you have firewalls, you're going out of the network. And so that's a whole different traffic flow

57
00:09:02.760 --> 00:09:12.720
Marcus Carey: from what we have now, because what we have is we have everybody coming from outbound to inbound through firewalls, and then, depending on the configuration,

58
00:09:13.080 --> 00:09:22.440
Marcus Carey: stuff is going back out of the network. So it's double traffic in most network monitoring situations. And if you think about Splunk licensing and all this other stuff—

59
00:09:22.950 --> 00:09:32.940
Marcus Carey: And so it's a whole—it's like their enterprise changed overnight, and that's gonna be—we're gonna have to recalibrate a lot of things. You're gonna have to rethink compliance.

60
00:09:33.420 --> 00:09:43.650
Marcus Carey: You're going to have to rethink penetration testing. Some people didn't have enough computers to give to everybody, so some people are using home PCs. Can you pen-test the home PC?

61
00:09:44.040 --> 00:09:55.800
Marcus Carey: What are the rules on that? Can you, you know—and even from a legal aspect, a lot of things change when people are using their own home network versus using the corporate network.

62
00:09:56.340 --> 00:10:05.790
Marcus Carey: So it kind of changed the game, and people are still catching up. It also—for a lot of companies that have PCI requirements and all kinds of other requirements,

63
00:10:06.510 --> 00:10:21.810
Marcus Carey: now people are going to be having information outside certain enclaves where they didn't used to have it, and it's just totally changed up the game. It's like, you know, it's like shaking up something and just dropping all the bits on the floor.

64
00:10:22.560 --> 00:10:27.090
Sean Gallagher: Yeah, I mean, there seems like there's a lot of resistance to cloud in some companies, because of

65
00:10:27.480 --> 00:10:36.360
Sean Gallagher: the concern over control of data, and now it seems like we've got everybody pushing to get to the cloud, and on-demand IT stuff. I mean, it seems like

66
00:10:37.290 --> 00:10:48.450
Sean Gallagher: some of the best ways that people have done to mitigate the problem of people having to use home PCs and things like that is using things like software as a service, and putting everything in browsers, at least having control over it that way.

67
00:10:49.890 --> 00:10:58.830
Sean Gallagher: Do you think the cloud piece equally complicates and solves some of the issues around compliance?
68
00:10:58.920 --> 00:11:09.750
Ed Skoudis: I personally think cloud can make things better and is generally doing that, especially for small and medium businesses, because you can have these large, very professional organizations with a lot of smart people

69
00:11:10.140 --> 00:11:14.970
Ed Skoudis: running the clouds and helping to secure things better than maybe some smaller organizations are able to afford.

70
00:11:15.390 --> 00:11:27.600
Ed Skoudis: But at the same time, it adds a lot of complexity. And, you know, we always talk about "the cloud." And when people think of that, they think of, "Oh, there's the primary cloud my organization uses." Maybe it's AWS, or maybe it's Azure, maybe it's Google.

71
00:11:27.930 --> 00:11:38.490
Ed Skoudis: I'm trying to encourage people to say "the clouds," because your organization might be primarily associated with one—you've got 90% of your cloud data in, say, AWS

72
00:11:39.090 --> 00:11:49.260
Ed Skoudis: instances, but you probably also have an additional cloud or two, and those are the ones that you don't think about so much and maybe aren't utilizing their appropriate configuration security.

73
00:11:49.590 --> 00:11:57.030
Ed Skoudis: So doing a cloud inventory, I think, is really important for organizations, especially large ones, because you're probably using clouds, not just one.

74
00:12:00.030 --> 00:12:01.080
Sean Gallagher: Katie? Marcus?

75
00:12:04.800 --> 00:12:06.330
Katie Moussouris: Marcus, you can go if you've got something.

76
00:12:08.400 --> 00:12:11.400
Marcus Carey: I'm trying to be patient. You know I can talk all day.

77
00:12:14.160 --> 00:12:14.280

78
00:12:16.530 --> 00:12:27.540
Sean Gallagher: Just gonna throw into that also, you know—so, a personal experience. I have a friend who's working from home now, and he works at a company where all of their IT was in-house.

79
00:12:27.570 --> 00:12:37.620
Sean Gallagher: They had moved a lot of people onto Terminal Server. And so, those people are able to get online and through a VPN and use Terminal Server—

80
00:12:38.220 --> 00:12:38.910
Katie Moussouris: —sort of—

81
00:12:39.480 --> 00:12:40.320
Sean Gallagher: over the line, but

82
00:12:40.350 --> 00:12:44.760
Sean Gallagher: there were applications that they had that were tracked on desktops, or like things like

83
00:12:45.510 --> 00:12:58.920
Sean Gallagher: Access databases that had vital corporate information in them, still running on a desktop database on a machine inside the office—to get access to that, they had to do all sorts of special VPN stuff to get in, and it's really, really janky.

84
00:13:00.510 --> 00:13:15.810
Sean Gallagher: How much do you think that this is going to push people towards more cloud-oriented digital tools to try and get things done, instead of getting them off of the old Office environment, off the old Office Suite environment, and doing things that are important?

85
00:13:17.070 --> 00:13:19.020
Katie Moussouris: Well, I mean, these things are cyclical, right?

86
00:13:19.080 --> 00:13:20.130
Katie Moussouris: There, you know—

87
00:13:20.250 --> 00:13:36.360
Katie Moussouris: it was thin client, thick client, thin client, thick client. You know, it's cyclical. And I think that, you know, there are a lot of factors that go into it. But, I mean, one thing—I had actually wanted to say something about your last entry in the concept.

88
00:13:37.950 --> 00:13:42.600
Katie Moussouris: And that is that one thing I remember my good friend Nate Warfield saying—

89
00:13:43.620 --> 00:13:49.140
Katie Moussouris: —I hope it was Nate Warfield who said this, he is a good friend—but I remember hearing, after WannaCry,

90
00:13:50.520 --> 00:14:02.970
Katie Moussouris: you know, obviously they're telling everyone, you know, "Please, get rid of SMBv1!" Right? Patch it, get rid of it, etc. Don't expose it to the Internet. And what was interesting was that after WannaCry,

91
00:14:04.080 --> 00:14:18.120
Katie Moussouris: they were finding that a lot more internet-exposed SMBv1 was showing up. Why? Because a lot of default cloud images were still just being pumped out that way. So I think there is a lot of

92
00:14:18.570 --> 00:14:31.380
Katie Moussouris: misunderstanding about whose responsibility it is, exactly, to secure, you know, your cloud infrastructure. And as Ed was saying, there are multiple different configurations—what is cloud?

93
00:14:31.680 --> 00:14:43.680
Katie Moussouris: And I think, you know, smaller organizations may be lucky if they, you know, choose an all-managed, you know, type of solution, but if they think they have an all-managed solution and they end up with SMBv1, you know—

94
00:14:44.340 --> 00:14:58.830
Katie Moussouris: —butt-naked on the internet!—then they're pretty much suffering from what we saw as a worldwide trend where people thought, "Oooh, if I move to the cloud, I won't be vulnerable to worms like WannaCry," and you actually saw a spike in vulnerable systems exposed to the Internet.

95
00:15:00.240 --> 00:15:09.930
Sean Gallagher: Yeah, I've been Shodan-hunting a bit, and I've seen a lot of that. Also RDP, Remote Desktop Protocol—lots of that hanging out on cloud systems

96
00:15:10.950 --> 00:15:12.900
Sean Gallagher: that probably shouldn't have it going on.

97
00:15:14.400 --> 00:15:29.220
Marcus Carey: Yeah—yeah, I see it, but I think overall, I do—everything is going to continue to move in the cloud direction. A lot of people are moving to Office 365. A lot of people have been using Google Suite or whatever the name of it is now.

98
00:15:30.300 --> 00:15:39.900
Marcus Carey: So I think that the people are—that's going to be the continuous trend, because now that's taken a burden so much off of traditional organizations.
99
00:15:40.290 --> 00:15:47.550
Marcus Carey: Also, now I don't have to do an Exchange server—now I don't have to do that. So it's actually easier and probably more secure if you went to the cloud.

100
00:15:48.210 --> 00:15:54.450
Marcus Carey: If you think about the big picture—one of the funny things is, Katie mentioned this is very cyclical.

101
00:15:54.960 --> 00:16:05.730
Marcus Carey: I think that over the time, back when I first started in computer stuff, you had to back everything up. And we backed everything up because everything was so unreliable.

102
00:16:06.210 --> 00:16:15.480
Marcus Carey: But over time, what's happened is systems are so vulnerable—I mean, systems are so reliable now, you know, you don't ever have to turn your computer off. You don't ever have to turn a server off.

103
00:16:16.050 --> 00:16:22.680
Marcus Carey: And we got used to that. And what happened with ransomware was, what's crazy about it, is it exposed the fact that we

104
00:16:23.160 --> 00:16:31.500
Marcus Carey: had stopped doing certain practices. We stopped backing everything up. We stopped doing all this stuff. And funny enough, storage is cheaper than anything now.

105
00:16:31.920 --> 00:16:41.670
Marcus Carey: And so, I think we're going to revert back to, you know, some of the old-school stuff like Katie was talking about, where most of the stuff is going to be in the cloud. And we're going to have mostly clients.

106
00:16:43.170 --> 00:16:55.200
Marcus Carey: And we'll start moving away. The people that fare well against ransomware are the people that have outsourced stuff to the cloud. The people that are still running all their servers and stuff internally are the ones that get hosed.

107
00:16:55.980 --> 00:17:12.330
Sean Gallagher: Yeah, yeah. So—so to what degree do you think—and we had a question from an audience member, Louis Pope. How—has any of this increased awareness among the C-suite about cyber-threats, and has it made it easier or harder to get changes made

108
00:17:13.380 --> 00:17:14.310
Sean Gallagher: that are needed now?

109
00:17:16.590 --> 00:17:23.760
Sean Gallagher: In your experience, in dealing with clients, is the C-suite more informed, now that they've moved home?

110
00:17:24.150 --> 00:17:33.990
Marcus Carey: I'll start this off. I think people are being more real about cyber threats.

111
00:17:35.670 --> 00:17:44.730
Marcus Carey: Basically, before ransomware, I think everybody was still procrastinating. I think that ransomware is such a threat now

112
00:17:45.270 --> 00:17:55.950
Marcus Carey: that everybody's getting to "look, we gotta do something" mode. And since it's making headlines and you're starting to see management and CEOs be more responsible for this stuff,

113
00:17:56.820 --> 00:18:02.010
Marcus Carey: you have investors in the venture capital space. They're asking the questions.

114
00:18:02.550 --> 00:18:12.420
Marcus Carey: You can't sign a deal with certain companies if you don't have any security in place. So you have to get a security assessment, you're going to have to be compliant.

115
00:18:12.810 --> 00:18:22.320
Marcus Carey: And so I think that people are waking up to the fact that, look, this is real. And before, we just worried about DDoS. DDoS was a loss in the—

116
00:18:22.980 --> 00:18:29.520
Marcus Carey: Look at the "CIA triad"—I'll make this quick. Confidentiality, integrity, and availability.

117
00:18:30.030 --> 00:18:39.150
Marcus Carey: Availability used to be an issue. "Oh, we can't get to this thing, they're DDoSing us." Right? But now what's—and then confidentiality used to be the deal because, "oh, they leaked the documents."

118
00:18:39.540 --> 00:18:50.070
Marcus Carey: Well, I think that ransomware brought the integrity into play as well. So ransomware does C-I-A. It kills your confidentiality, because people are leaking documents if you don't pay.

119
00:18:50.910 --> 00:19:00.480
Marcus Carey: The integrity of the data is jacked up because it's all encrypted, and it's not available because it's encrypted. So ransomware is the perfect, perfect villain to make everybody start getting secure again.

120
00:19:01.620 --> 00:19:01.800
Ed Skoudis: Yeah.

121
00:19:01.890 --> 00:19:11.700
Ed Skoudis: I agree. It's ransomware, ransomware, ransomware. I mean, the calls that we're getting from customers, they're asking for pen-tests because they want to see how ransomware might get in, which—maybe a pen test isn't the best way to determine that,

122
00:19:11.820 --> 00:19:21.930
Ed Skoudis: but that's why we're getting calls. We're also hearing from not only the C-suite but boards of directors, because they're reading about the latest ransomware attack every single day, and they're saying,

123
00:19:22.200 --> 00:19:31.050
Ed Skoudis: "How can I make sure that doesn't happen to the organization that I have a fiduciary responsibility over as part of the board of directors?" So the boards are now pushing

124
00:19:31.290 --> 00:19:37.800
Ed Skoudis: the CEOs and the CISOs and everyone else, saying: Show me that this isn't going to happen to us. What specifically are you doing?

125
00:19:38.070 --> 00:19:49.500
Ed Skoudis: What are you measurably doing? So I do think ransomware—as much as I hate it, I mean, it's nasty stuff, but it is driving security awareness at all levels of the management stack.

126
00:19:51.960 --> 00:20:07.740
Katie Moussouris: And I think the more recent variant of ransomware where they're not just saying, you know, pay us or your data is gone—they're saying pay us or your data is going to be exposed. It's like, it's almost, it's a—

127
00:20:08.160 --> 00:20:18.480
Katie Moussouris: It's a variant, you know, the same kind of extortion, but it's like, it's more extortion, it's more "blackmailware" than ransomware. Like, ransomware is you get your loved one back, right?

128
00:20:18.900 --> 00:20:23.520
Katie Moussouris: Into your—but this is, really, this is like "expose-ware."

129
00:20:23.820 --> 00:20:34.020
Katie Moussouris: And, you know, they're threatening to dump mail spools and client, you know, client communications and all kinds of secret stuff that your company has been entrusted to keep secret.

130
00:20:34.290 --> 00:20:44.880
Katie Moussouris: And also, you know, who knows what else, you know, is going on in company email and other communications. So it's become absolutely much more of a wake-up call—and Ed, I'm so glad you said

131
00:20:45.270 --> 00:20:53.460
Katie Moussouris: that some of your customers are attempting to assess their risk via pen-test first, which is kind of backwards when it comes to ransomware prevention.

132
00:20:53.850 --> 00:21:05.640
Katie Moussouris: I see a lot of this with people being like, "We were ransomwared, now we want to start a bug bounty." And I'm like, okay, well, how many dedicated security staff do you have handling vulnerability reports today? And they're like,

133
00:21:06.090 --> 00:21:12.510
Katie Moussouris: "What is a vulnerability report?" And I'm like, okay, you know what? We need to take 90,000 steps back.
134
00:21:12.930 --> 00:21:20.550
Katie Moussouris: And work on your process maturity and all these other areas, because you're about to, you know, commit yourself to a

135
00:21:20.970 --> 00:21:27.600
Katie Moussouris: you know, a feature-length-level distraction, you know, from your story here before you can even

136
00:21:28.020 --> 00:21:32.730
Katie Moussouris: begin to handle what would actually prevent you and protect you from ransomware. And I think

137
00:21:33.510 --> 00:21:49.020
Katie Moussouris: Marcus' point about "backups, backups, backups," that was our mantra, because of the fallibility that we all grew up with. I mean, I remember buying disks, and you'd buy them in packs of 10 and expect a 10% failure rate on the disks. You know what I mean? And, so, yeah.

138
00:21:49.980 --> 00:21:57.030
Sean Gallagher: So what are—with all this in mind, what do you see people doing right, right now? What—can you give me some examples of things that people are doing right, right now?

139
00:22:00.420 --> 00:22:11.700
Marcus Carey: I think moving to the cloud is one thing they're doing right—and the cloud is ambiguous, as Ed said. So people are—I think people are moving some vital services to the cloud.

140
00:22:12.900 --> 00:22:23.430
Marcus Carey: Sales—like for instance Salesforce—when I talk about this, I think about the company functionality. So things like Salesforce actually started this cloud movement where you put your

141
00:22:23.550 --> 00:22:23.910

142
00:22:23.940 --> 00:22:32.970
Marcus Carey: all your cloud data, business data in the cloud. And now we're moving email and other functionalities all to the cloud. But what's funny about the whole

143
00:22:33.360 --> 00:22:45.900
Marcus Carey: this current mode that we're in is like—I came from the intel community. Where in intelligence, there are foreign actors that are paid 100% to try to get into our systems.
144
00:22:46.320 --> 00:22:55.890
Marcus Carey: Well, what's interesting about the ransomware thing is there are cyber criminals—there's—that's their day job now. So it's teams of those guys.

145
00:22:56.460 --> 00:23:05.550
Marcus Carey: And it's just like the current, the sales process for any company. First, you have to have your leads; those people are scanning and doing reconnaissance, they're getting leads—

146
00:23:07.140 --> 00:23:15.510
Marcus Carey: Then they're getting in, and then they have a sales process that, funny enough, is like, oh, the sales process is getting that money out of you.

147
00:23:15.900 --> 00:23:27.630
Marcus Carey: And to close the deal, as Katie mentioned, they're leaking data. So it's just like—it's an organized business, and they're constantly getting more leads by phishing.

148
00:23:27.900 --> 00:23:36.570
Marcus Carey: Just like a regular company sends out unsolicited emails to get leads. That's the same thing they're doing with phishing and spear phishing.

149
00:23:36.960 --> 00:23:45.420
Marcus Carey: So it's the weirdest thing, it's so funny to me. But that's the world that we're living in, and the best way to protect it, I think,

150
00:23:46.260 --> 00:24:02.970
Marcus Carey: is backups. But I think it's easier to trust the backups to somebody like an Amazon, or Microsoft, or Google, because they've got all the storage in the world. And so it's about storage, and being able to recover fast. You're going to get hit—how do you recover?
151
00:24:03.360 --> 00:24:23.310
Sean Gallagher: How about things like this zero trust model, and trying to make VPNs less of a bottleneck, and getting people to use—making the enterprise more—you talk about the cloud, but making the enterprise more exposed to the Internet, but using things like zero trust

152
00:24:24.390 --> 00:24:34.320
Sean Gallagher: to allow people to get into their applications without having to worry about a whole bunch of network security issues. You see that being on the radar of a lot of people? You see people doing that?

153
00:24:34.590 --> 00:24:36.690
Ed Skoudis: Yeah, I mean zero trust is a little buzzwordy, but—

154
00:24:36.840 --> 00:24:39.570
Sean Gallagher: Yeah, I know it is, but you know—you've got to use a buzzword, because it's—

155
00:24:40.110 --> 00:24:43.950
Ed Skoudis: Right. But it's got some fundamentally really good ideas in it. It's kind of like

156
00:24:44.340 --> 00:24:53.460
Ed Skoudis: micro network segmentation. I mean, some organizations don't segment their networks very well at all now, but pushing that envelope and trying to slice and dice things up so it gives

157
00:24:53.820 --> 00:24:59.160
Ed Skoudis: the bad actor minimal ability to move around in the environment—I mean, that's where we want to go.

158
00:24:59.910 --> 00:25:08.490
Ed Skoudis: When it comes to zero trust, yes—making sure that any device on the network isn't just inherently trusted because it happens to be there, but doing authentication and verification—

159
00:25:08.700 --> 00:25:18.870
Ed Skoudis: Tools like IAM solutions and such can go a long way in helping with that, identifying the user. But, so I do think that's the trend that we want to move toward, this so-called zero trust thing—

160
00:25:19.140 --> 00:25:25.680
Sean Gallagher: Yeah, well, especially when the network that we're talking about is the Internet and not your corporate network, right?
161
00:25:25.860 --> 00:25:33.360
Ed Skoudis: And it—when you're looking at so-called zero trust things, you find that sometimes there's just this implicit trust. You know, you try to wring the trust out of it, but it's like,

162
00:25:33.660 --> 00:25:39.360
Ed Skoudis: this machine, because of the way the application was written years ago, it's still inherently trusting that other machine without—

163
00:25:39.390 --> 00:25:42.270
Ed Skoudis: So you gotta be careful with it. But I do think it's a good trend.

164
00:25:42.660 --> 00:25:58.500
Sean Gallagher: So that, I think—and that sort of goes back to something else I wanted to hint at. We've got time to deal with here as well. So the application model, totally flipped upside down now, right? We have to—are applications going to be built a different way for this environment?

165
00:26:01.020 --> 00:26:02.430
Sean Gallagher: How do you do app security in this world?

166
00:26:03.300 --> 00:26:13.110
Katie Moussouris: Well, I think that one of the key things that has—luckily, it was already gaining significant momentum before the pandemic and the remote workforce situation happened,

167
00:26:13.500 --> 00:26:23.790
Katie Moussouris: but, multifactor authentication! This is one of the, you know, one of the key things to enable in all of these applications that we've got there, and, you know, I know it took a while for multiple of

168
00:26:24.150 --> 00:26:32.580
Katie Moussouris: the larger companies, you know, the Googles and Microsofts and all those, to start offering support for multifactor authentication to the masses, but

169
00:26:32.910 --> 00:26:43.020
Katie Moussouris: every single application that you can push your users to enable multifactor on, that's going to be so much help in terms of limiting

170
00:26:43.440 --> 00:26:58.590
Katie Moussouris: what an attacker can get to, especially if they've done, you know, a phishing attack etc., gotten credentials—just stopping them and being able to utilize that. And I think it's been positively trending towards wider deployment. And wider awareness.

171
00:26:58.800 --> 00:27:07.710
Sean Gallagher: So in the time we've got left—because we're running down a little bit—I want to make sure we hit this question, which is—we've had a couple of questions about this.

172
00:27:08.430 --> 00:27:16.320
Sean Gallagher: What you need to do now with skills, to prepare yourself for what may be a permanent work-from-home or a semi-permanent work-from-home environment.

173
00:27:16.830 --> 00:27:24.360
Sean Gallagher: Both in security and in IT in general, I mean, if we move to this whole cloud environment, we move to supporting devices at home,

174
00:27:24.690 --> 00:27:41.820
Sean Gallagher: move to everybody using devices that they've got in their home, and move away from corporate-managed desktops for everybody—what does that change about how we do, what the skills we need to maintain security, and what do people need to brush up on or move into going forward,

175
00:27:42.960 --> 00:27:45.810
Sean Gallagher: to, as the UK government is saying, "retrain for cyber"?
176 00:27:48.120 --> 00:27:49.650
177 00:27:50.190 --> 00:27:53.220 Marcus Carey: I'll start— I'll start this one so—
178 00:27:54.720 --> 00:28:13.320 Marcus Carey: I think that, that it's never a good time to have a pandemic, but I do believe that we are, we were set up pretty well. And this is coming off some of the stuff Katie just talked about. We have way faster bandwidth than we ever have, in most places. There's been more cloud,
179 00:28:14.370 --> 00:28:27.360 Marcus Carey: there's MFA— multiple, you know, MFA stuff, phone apps to do stuff. There's tons of stuff that we have available, and if this happened 10 years ago, we would have been in a worse place, I believe.
180 00:28:28.380 --> 00:28:43.110 Marcus Carey: So I think that— that that's great. And from a, from a job perspective— and I look at this is like as— and I mentor a lot of people, and I hope a lot of people get skills and skill up and all that—
181 00:28:44.130 --> 00:28:45.570 Marcus Carey: I think we're hitting a true
182 00:28:46.830 --> 00:28:47.880 Marcus Carey: what I would say
183 00:28:49.020 --> 00:28:55.440 Marcus Carey: The international workforce now is a threat to everybody. So I would, I would say that—
184 00:28:56.940 --> 00:29:03.660 Marcus Carey: This right here— the reason why outsourcing didn't work in the past is because there was a lot of hangups and all that stuff.
185 00:29:04.200 --> 00:29:13.530 Marcus Carey: I believe that this is going to— This is going to make it from an IT and security perspective, it's going to be a global competition for jobs and roles to fill.
186 00:29:14.130 --> 00:29:23.640 Marcus Carey: And so I just think you just have to— you're gonna have to learn cloud, it's not going anywhere. You might want to— back in the day, people were doing Cisco certs and all that.
187 00:29:24.060 --> 00:29:31.020 Marcus Carey: And Microsoft certs. Now, you might want to do an AWS cert. You might want to look at how, you know, Amazon,
188 00:29:31.860 --> 00:29:40.710 Marcus Carey: How, I mean Azure, how that's different. So you need to skill up, because people at the end of the day, that change is a bit different.
189 00:29:41.220 --> 00:29:52.080 Marcus Carey: Some of the traditional stuff still matters— networking and all that stuff. But you need to understand how the cloud works, and how those infrastructure-as-a-service things work.
190 00:29:53.100 --> 00:29:54.150 Sean Gallagher: Katie, you got anything to add to that?
191 00:29:57.000 --> 00:30:06.480 Katie Moussouris: No, my mute button did. Um, no—I mean, I would agree with everything that Marcus was saying. I think that, you know, going into our current environment, we need to stay nimble.
192 00:30:07.200 --> 00:30:14.640 Katie Moussouris: I think everybody on this call is of a certain age, no offense, guys—we're all in the same cohort here—so we've been through these cycles before.
193 00:30:15.030 --> 00:30:23.850 Katie Moussouris: I think that everyone who is new, that this is the first time that they've kind of encountered a ground shift in the way computing is done and the way work is done,
194 00:30:24.300 --> 00:30:32.850 Katie Moussouris: with regards to computing, stay calm. There are tools and best practices out there for you. There are trainings, etc. that can help your users.
195 00:30:33.180 --> 00:30:39.840 Katie Moussouris: And, you know, enable all of these new security controls that have come into vogue especially things that will limit
196 00:30:40.200 --> 00:30:50.670 Katie Moussouris: and help curtail attackers who gain a foothold, because attackers will gain a foothold. They absolutely will. So just understand that and roll with the punches. Stay calm, hack on.
197 00:30:51.570 --> 00:30:53.340 Sean Gallagher: Ed, gonna give you the last shot at this.
198 00:30:53.520 --> 00:30:59.760 Ed Skoudis: Hey, thanks. I appreciate that. So one of the things that I love to do myself in building skills, and that I recommend to other people to do,
199 00:31:00.000 --> 00:31:09.900 Ed Skoudis: Is CTFs—"capture the flag" events. There's so many good ones out there. There's a website that I'm not in any way affiliated with, and it's free, it's called CTFtime.org
200 00:31:10.320 --> 00:31:20.520 Ed Skoudis: Which is just an inventory of hundreds of different capture the flag events that are available for free. It's a great way to build skills, a great way to meet friends and have some fun, especially during times of lockdown.
201 00:31:20.730 --> 00:31:26.610 Ed Skoudis: So I'd encourage people to stay fresh, and look for CTFs with these emerging technologies, because people are building them now.
202 00:31:27.000 --> 00:31:38.730 Ed Skoudis: Um, so I would encourage people to play some CTFs, build their skills, and have some fun. Don't think you're going to be a rock star right out of the gate, but build gradually over time. And I think you're gonna have some fun with them.
203 00:31:40.050 --> 00:31:49.350 Katie Moussouris: The space program needs more than astronauts, right? You can't get a rocket into space with only astronauts. So let's just be holistic about the workforce.
204 00:31:49.380 --> 00:32:06.450 Sean Gallagher: That's a good point. I mean, and on the point of CTFs, I'll add that, you know, I— I've found myself humbled greatly a couple times recently doing— last time we did "capture the packet," and— things that I thought I knew that I then got toasted on—
205 00:32:07.620 --> 00:32:09.480 Sean Gallagher: But learned a lot and feel good about it.
206 00:32:11.220 --> 00:32:19.620 Sean Gallagher: I think that's all we've got time for, but I really appreciate you all joining us today. Thanks to Ed, Katie, and Marcus for a great panel.
207 00:32:20.520 --> 00:32:33.900 Sean Gallagher: And I look forward to talking to you all in the real, non-digital world at some point in the near future. Again, thanks again to Dell-Tech for sponsoring this, and thank you all for your questions.
208 00:32:34.800 --> 00:32:42.900 Sean Gallagher: Didn't get a chance to answer all of them, I know, but we will try to follow up with you if we can. Thanks and have a great day, everybody.