INCH360 Panel: Cloud Security: Exploring the Latest Trends and Challenges in Cloud Security and Systems Architecture

Welcome to the Cyber Traps podcast.

Today we have a very
special episode for you.

I am your host, Jethro Jones.

We will be talking about the
Inch 360 conference that took

place in Spokane, Washington.

This conference is a must attend
event for cybersecurity folks here in

Spokane, Washington, and it was a great
opportunity for me to connect with

cybersecurity folks here in Spokane and
learn about a lot of things that are

going on in the world of cybersecurity.

Right now, this episode is one of
the sessions from the conference.

I hope you enjoy it.

This session is titled Cloud Security:
Exploring the Latest Trends and Challenges

in Cloud Security and Systems Architecture.

My name is Brant.

I am the regional CIO for
MultiCare Health System.

Uh, I oversee IT activities here
in the Inland Northwest region.

Largely Spokane, Spokane Valley,
Deaconess Hospital, Valley Hospital,

and more recently Yakima Memorial
Hospital in the center of the state.

Although I'm not focused exclusively on
InfoSec anymore, I did spend the first

part of my career, uh, leading the charge
against the bad guys, uh, for a healthcare

payer company, the tech sector, and
a little bit in the grocery industry.

So, um, I'm gonna jump right in and
all I'm gonna do is shout out names

and I would like to ask our panelists
to just give a quick introduction of

why you're here and the great knowledge
and experience you're gonna bring.

So I'll kick it over to my
friend Brent right here.

Just to let everybody know, my name is
Brent, not Brandt, though we do sing.

Hi, Brent Clements, VP of Product
Engineering for Vega Cloud,

a real local cloud finance
management platform, uh, company.

Uh, so very happy to be here at the
second annual Cyber Security Conference.

It's awesome to see the local
community grow, uh, not only

from a cybersecurity perspective,
but also general tech as well.

Uh, my background in security,
I started in security years ago.

I used to be a white hat hacker.

Um, I transformed that into application
modernization consulting where

obviously there had to be a bunch of
security consulting as part of that.

Um, and then today, um, we build in,
um, security in everything we do because

we do deal with a lot of financial
data from enterprise customers.

So nice to meet everybody.

Awesome.

Thank you Brent for joining us.

Vinesh.

Hello folks.

Good afternoon.

Again, nice to be here and to get
involved with the local community.

Uh, I'm Vinesh.

I'm a Cyber Security Engineer at Google.

Uh, and my role is
normally incident response.

My colleagues will say usually when I'm
around, it's like, oh, oh, what's wrong?

Today it's not one of
that, at least up to now.

Uh, and I'm also an engineer
in our DDoS protection teams

and our malware research teams.

Awesome.

Thank you for joining us.

My new friend, Nick.

Hi, excuse me.

Hi, Nick Marizzi.

Um, I'm about 30 years in
building high tech businesses,

the last 10 in cloud security.

Um, if we know about the words
like CASB, and SSC, and SASE,

and ZTNA, these kinds of words.

These are all words that have been created
in the last 10 years to solve problems

we had no idea about 10 years ago.

So, I'll share a little
bit more on that in a bit.

Awesome.

And rounding out our panel, we have Deb.

Hi, good afternoon, Deb Wells
from BECU, and I am a senior manager
there for cyber security engineering.

Before that, I was a full time professor
at Central Washington University.

And before that, I know I'm really old.

I was 21 years in the
United States Air Force.

So thank you, Heather, for the
tribute to our fallen comrades and

during World War II and December 7th.

Anyway, great to be here.

Thanks.

Awesome.

You guys, do you want to sit down?

Do you want to scoot the chairs back?

We'll turn it into a little circle.

Um, so the cloud's been
around for a while.

We haven't figured out, right?

Right?

You guys don't have struggles
with cloud security, right?

Um, so in preparation, admittedly, I've
been out of the game a little while.

I thought, let's see
what's going on in cloud.

So I looked up the IBM data breach report.

What's going on with cloud?

82 percent of breaches.

These include data stored in the cloud.

Misconfigured cloud is the third
most common attack vector behind

phishing and compromised credentials.

And having migrated to the cloud is
the fourth biggest impact to additional

cost associated with a breach.

So cloud still matters.

And we haven't figured it out yet.

So we're gonna ask some questions
today to see what we can do

to get a little bit better.

So I'm gonna start with Nick.

Cloud's not new.

What has changed in the last 5 to
10 years that we're still talking

about it as an InfoSec thing?

Well actually, I actually might
say that cloud is kinda new.

Um, so AWS launched in about 2010.

Uh, Google and Azure followed
pretty closely after that.

Um, the internet came really in,
in form in com window, right?

1993 we started to really see it.

So, calling, call it 30 years of the
internet, call it 15 years ish of cloud.

Um, and about maybe 6 months ago I sat
in front of a guy named Ashim Shadna.

Hashim is a legendary investor, uh, he
was an original Bell Labs guy, so he's

a networking guy by, by upbringing.

And Hashim put three, put one slide
on the wall and it had three circles.

Those circles were cloud,
network, and security.

And he said even today, those
cloud, those three circles

haven't created a Venn diagram.

He said we're still really early.

So the first thing that I'm going to
tell you is that although we feel like

we've been doing this a long time,
we're still really early in this.

Um, only maybe 15 years, um, and
so I'll kind of tell a little

story about the still early.

Eight years ago I joined
a company called Sky High.

It was a CASB vendor.

How many people in the room
are familiar with CASB?

Okay, actually, maybe, I saw maybe 20%.

I see a sales opportunity, Nick.

Yeah, yeah, yeah, well definitely
there's a sales opportunity, um, but

it's more like we're still educating.

If only 20 percent of this room
knows what CASB is, CASB came

around in, call it 2012, 2013.

Um, and CASB is essentially
a service that secures software

as a service, like Salesforce
or Workday or Dropbox.

These kinds of services.

Internet bound traffic.

Um, that company got bought by McAfee.

And you'd say, why did McAfee
buy a company like that?

And McAfee owned the
legacy SecureWeb Gateway.

How many people are familiar with
the SecureWeb Gateway in the room?

About the same number.

So, a secure web gateway is the
inline controls to inspect traffic.

Whether that traffic is inbound or
outbound or to the internet or private.

We want to inspect it for bits and
bytes, ransomware, malware, data loss.

When you combine an inbound, uh, uh,
an inline control like a secure web

gateway with a CASB control for the
internet, you actually start to see

what they call SSE, Secure Service Edge.

Has anybody heard of that term?

Secure Service Edge.

So these, this happened eight years ago.

They started cobbling this stuff together.

Um, and so what I just want to
impose on you is we're still early.

The second thing that's, I think,
very different is we actually, I would

say today, we know what we're doing.

Um, the road the last eight years
for me as a sales slash technical

guy that had to sell it and then
technically deliver it is I'm bloody,

and I'm bruised, and I'm bumped.

Um, my customers are bloody,
and bruised, and bumped.

Um, those who adopted early day
technologies to solve cloud security

challenges, they got it done.

I would say that today they say
they did a good job, but the

process of getting there was messy.

It's because they didn't know what
they were doing, they were guessing.

And all the vendors, all the manufacturers
of security products didn't know what

they were doing, so they were guessing.

And so... You're saying you lied to me, Nick.

Yeah, I did lie to you, yes.

Just so you know, we bought some
products from Nick when I was working

at a former employer, and we implemented
that stuff and it was cool, but I think

it's kind of... And it works, it works.

It does work, it does work.

It just took a lot of work
to get it to work then.

And so what I'll say today, so if you
compare then to now, which I think

was the question, it works today.

The services are purpose built.

So the legacy vendors, even though
they look like they're new vendors

because you never heard of them,
who were built before cloud, those

types of vendors, they were guessing.

Their services are clunky.

It works, it gets the job
done, but it's clunky.

All the, the, what I call cloud
borne services that have come kind of

2017, 2018, 2019, these services are
purpose built because we knew what

the problems were at that point and we
purpose built them for the problems.

So, the good news is only 20 percent of
the people in the room raised their hand.

Those 80 percent who haven't done it,
you've got a really good chance of

not getting bumped and bruised and
bloody in the process because it works

now and you can do this really well.

The services get the job done.

Um, and then the last thing that I'd
say has shifted massively like, like

complete different world today is that we
used to solve problems in cybersecurity,

meaning a problem was identified.

We'd go buy some technology.

We'd go fix the problem.

We'd now manage that new service.

And manage it alongside the
10 other, the 20 other, the 50

other services that we manage.

And now what's happening is we're
actually not doing that anymore.

Customers, my customers are not doing
break, fix, find a problem, fix a problem.

They're actually doing, everything
they're doing is all about business value.

User experience and,
and improving security.

So you have to, you have to
actually improve the business

while you deploy new
cyber security products.

And if you do that, the cyber
security products actually

really deliver for the company.

And so business value is driving
the security conversation.

User experience, meaning
improving the user experience.

I don't have to log on
to three different VPNs.

Um, I'm not boomeranging my traffic
to hit a firewall that's, you

know, halfway across the country.

It's hitting the internet
firewall that's close to me.

So my, my user experience goes up.

And then lastly, lastly, in that
process, because I'm closer to the

user, I can actually deliver more
online ready security controls.

I don't have to wait to get it.

It doesn't, my user
experience doesn't go down.

So those are the three big things
that have changed I'd say in the last.

Awesome.

I saw Deb make, uh, uh, an
expression during, is there

something you wanted to pile on?

No, I just was in awe.

I think that was beautiful because it
is clunky, it was clunky, and you know,

there's still a lot to be said for the
education piece of it when it comes to it.

To the cloud and how do I protect the
cloud and the cloud's kind of scary to me.

It's not like a hardware that
I'm right in there looking at.

That's the way I always look at
it from, from my vantage point and

especially from a my, uh, professor.

I guess vantage point is, you
know, don't be scared of it.

You have to embrace it.

You have to understand the foundations
of cybersecurity and how to protect might

not be the same as we had before with belt
suspenders and all these other things, but

you still need to have the foundation so.

I was all in your, you know, space, Nick.

Awesome.

Um, so one thing we should talk
about, which happened over the

last couple years, so I'm going
to tee this up for Brent first.

Um, more people work from
home than they used to.

A lot more people.

What are you seeing in terms of
shifts either in architecture,

approach, use, either good or bad,

with this massive shift of people
out of the office and connecting from

home, Starbucks, the vacation house
in Boca Raton, whatever it might be.

So, uh, my view is that remote
work has been around for years,

tens of years, twenties of years.

Tens.

Tens of years, twenties of years.

Um, back when I was growing up,
um, it was Unix terminals, right?

Um, so you had a remote, uh, huge
Unix server, you had a terminal and a

in a, uh, in a cafe or a university,
uh, office or what have you and you

still have the same problems you have
today as you had back then, right?

And so I think some of the
trends we're seeing is, um,

again, the move to the cloud.

And the cloud, the various CSPs like AWS,
Azure, GCP, they've built in controls

in some of their remote desktop, uh,
technology to enable us to put those

controls in place, that security in place.

Um, I think also it comes
down to policy, right?

Um, I'm a huge governance, uh, proponent.

So, um, my background is also
in, in governance and policy.

And one of my biggest things is,
again, uh, with any new technology

or any technology that affects
both on site employees as well as

remote employees, uh, ensuring that
your policies are in place, there's

education, um, those sorts of things.

Yeah, I love that.

I don't know if we'll have time to dig
into it, but, um, kind of going back to

what Deb said and what you just said.

Removing the barriers for people
to do stuff right and making

it way harder for people to do
stuff wrong is a huge win, right?

Um, and sometimes it feels draconian
when you sort of limit how people

can interact, but from a security
perspective, um, a huge win.

It, it, it really comes down to, as a
security professional, you know, I've

struggled with this, uh, CISOs, CISOs
struggle with this, security professional

struggles, which is, again, putting
in those, like you said, those, those

controls, but still enabling your,
your employees to work effectively.

And that's, it's, it's a, it's a,
it's a, it's a hard balance sometimes.

I think it always is.

Does anybody here have iHeart Governance
bumper stickers, because I feel

like those need to be handed out.

Yes.

To every person everywhere, because
governance, governance sinks you, right?

You can have the best tools in the
world, but if you're not doing the

right things with them, it doesn't work.

Let's talk about bad stuff happening.

Vinesh, I think you might have
some insight into where people

might be making some mistakes

in how they are either setting
up or using their cloud services.

Okay, boy, where do I start?

So how long do you have, right?

I mean, when I, when I look back, uh,
and I do a fair bit of auditing, uh,

with the customers and others as well.

Sometimes I try to find patterns
just to wrangle them into like some

simple meaningful ways I can wrap
my head around all this happening.

Most often, the case it's
basics as, as Deb said.

Uh, credential leaks, and one
example, one story which has played

itself many times is a developer.

He or she, for all the good reasons,
a service is starting up, just dumps

all the config to make sure the service
is connecting to prod, not test.

And in there, there's a credential,
there's a database URL, it goes

into a log file, that log file
ends up in different places.

Repeat that, because there are a
lot of people here who need to hear,

Don't dump your config file with
the prod connection credentials.

Wait, we're not supposed to do that?

So, but, but it's, it's some of those
basic, I call the hygiene, and um,

if you heard some of the, the things
that Nick said, that was reinforced

as well, is we've got ourselves into
this masterful world of... And then, of

course, it's about looking at disease.

Like, you know, we're fighting disease.

We are finding cures for disease.

And then we become a master of sickness.

And there is this entire world,
a few good professors had to, you

know, drill that into me that you
need to think of turning into, like,

uh, an aspect of digital well being.

Like, what is healthy?

What is good hygiene as opposed
to just focusing on the, the

things that are going wrong.

So it's credential leaks.

It is misconfiguration.

It is lack of separation of controls.

These basics, I would say, if you just
eliminate that class of issues in itself,

would just get rid of so many other.

So you're saying it's
basic security hygiene.

Yeah.

I actually want to give everybody
else the opportunity to answer this

question because I think the best way
to learn is when you screw something up.

And if anybody's had exposure to
somebody else who screwed something

up and can share those stories
with us, I would love to hear more.

Deb, do you have anything you want to add?

Maybe even a specific instance, but
we won't name names or companies.

Yeah, well, no, I don't have any
of those, because I use such great,

you know, CASB products, and I
use, we have such great governance.

No, we're always, we're always
striving to get better, and

that's the biggest thing, right?

You always strive to get better, and
you always try to, you know, don't

repeat history, although it sometimes
repeats itself, as you all know.

But, um, always, I guess, um, I don't
have any real examples about that

except, you know, once again, learn from
what's been going on and in the past.

So you want to, you don't, because you
don't want to repeat that or you want

to say, Hey, maybe we should check that.

And I think the thing that resonated with
me was the governance piece of it, because

you talk about governance is so important.

And it's one of those, it's not as,
can I use the word sexy sometimes?

It's pretty boring.

It's not very sexy, right?

It is the antithesis of sexy.

It doesn't have flashing lights or
a shiny front, like a server that

you might stick in your data center.

Yes, or in something like that.

It's so important and so if you can
just kind of start getting your heels

into the governance piece of it that
and it comes to the BYOD I think that

one resonates with me when it comes
to cloud and comes to work remote work

and and things like that is just have
some guardrails around it because by

golly people are going to test you.

You'll even probably have people
in your own org in your own

team or something that's testing
you but have those guardrails.

And, uh, and, and use the good
cyber hygiene and digital wisdom

when, when doing things, so.

Awesome.

Nick, anything to add?

I mean, it's so teed up for me, I,
I, I gotta, I gotta bite on it, um.

I, I, I tried the softball, um.

I actually, yeah, yeah, this
is a, this is a softball, um.

This is actually the hack of the decade,
so the hack of the decade, and this

is my quotes, so you probably won't
find it in the internet, but I say

the hack of the decade is the third
party contractor VPN access onto a flat

network that hasn't been micro segmented.

Their purpose is to get to this
application and the next thing you know

they're everywhere on that flat network.

And we call a VPN a security service.

But really all that a VPN is is a
network access control solution.

It doesn't deliver any security.

And we have to change that.

I believe.

That it's my job to actually,
to make the VPN go away when

we're talking about security.

We don't want to let people
on the network anymore.

The network is a risky place, right?

That's where the crown jewels sit.

Keep them off the network.

All traffic should be outbound.

No traffic should be inbound.

If you're having inbound traffic
and you haven't segmented

your network, you're done.

You will be hacked.

You will be ransomwared.

Your data will be gone.

Target.

You name them, go read it.

VPN hack, Target.

That was a third party
contractor on a flat network.

And, and so all I say is that
you get your VPN for free.

Attached to an ELA from a major vendor.

All of you in this room get it for free.

And that's why we continue to use it.

Hundred percent.

Free service attached to an ELA and we
say it's a security product and it's not.

That's probably what
I'll have to say to that.

That's awesome.

Brent, do you want to add anything?

So, I don't know if you've heard
a common word here, it's people.

Uh, people are the biggest
problem when it comes to security.

Um, my example of this, I
actually worked for Capital One,

uh, during the, um, AWS breach.

I don't know if you guys are familiar
with it, but it's since she was.

A, um, staff member of, of AWS had
access to our creds at Capital One

and they were able to modify S3 and
get some, uh, essentially admin level

privs to all of our environments.

So, um, you know, that could have
been prevented by, uh, adding

a couple different controls.

So again, I go back to our original
statement, which is people.

And I said something a
little bit earlier as well.

It comes down to a couple things.

First of all, basic security comes down
to a good background check, so that may not

catch everything.

There's anger of people, you know,
people get disgruntled, right?

But it also comes down to education.

One of our biggest things at Vega is
on a monthly and a quarterly basis,

we are continuously educating, right?

We're doing, we're running
scenarios almost monthly with

people, phishing exercises, those
sort of things to get people to

do those behavioral change things.

That will force people to understand,
hey, I'm not doing the right thing.

So to me, the biggest, uh, the biggest
challenge with any type of breach

is when it comes down to people.

Because technology will always
be there, and we can put the best

technology out there, but humans
are always going to be the problem.

I agree humans are the problem.

Humans are the problem.

Anybody else?

Show of hands.

People are the problem.

Oh, come on.

That's why we're getting AI.

That's why we're getting chat bots.

That's why we want bots, right?

People, people, so,

Okay, I'll tell, I'll take a
little moment to be a speaker for

a second and not the panelist.

Um, In my career doing some InfoSec
work, I've had people look at me with

a very honest, straightforward face and
say, Our employees make great decisions.

And I said, I work in healthcare now.

Let me prove to you that
people make horrible decisions.

Go spend some time in an emergency
department and see what sorts of

things people put in their body.

Right?

Really bad decision makers, okay?

So, um, yeah, and this goes
back to what we talked about.

Make it super easy to make the right
decision and make it really hard

to make the wrong decision.

Because people will always
make the wrong decision.

And, a lot of times it ends up bad.

I want to give the audience a chance
to ask some very specific questions.

So I'm going to pause, and see if any
brave soul wants to raise their hand.

Okay, I'm going to repeat the question.

I'm going to do my best.

You give me a thumbs up if I got it.

In a post quantum computing world with,
um, we'll say the injection of AI, what

are the repeatable, consistent, and we'll
say effective things we can do to continue

to successfully protect the cloud?

Did I get it?

You want me to take a stab at that?

I mean, I don't think I can come in
here and talk too much about, you know,

qubits and, you know, what is quantum
decryption is I think the term of the day.

But once again, with the new technologies
that are coming out, the biggest thing

that I feel is to learn it, you
know, as best you can, and learn the,

uh, what the bad actors or the nefarious
individuals are going to use it for.

Whether it be AI, I did a speech before
on the Yin and Yang of ChatGPT and deepfakes.

You have to get better than them and
you have to be on top of it because

if you just rest on your laurels from the
old days of cyber security, defense

in depth, you know, getting and
using VPNs to get into the network,

you're going to be behind the curve.

You've got to get up front.

You've got to say, okay, so they're going
to use AI or they're going to use some

sort of quantum computing to get in.

I hope and pray that our vendors
are putting that into their tools.

I know that for us, we are putting a
lot into AI governance because of, you

know, the whole technology, but it's
one of those things you have to be

able to counter it with itself almost.

Does that, I mean, I don't know, that's
kind of my stab at that question and

maybe my illustrious counterpart's got it.

Anybody else want to add?

I see Brent picking up his mic.

He's ready to go.

Yeah, so as my, uh, my daddy used
to say, what's old is new again.

So, quantum computing, uh, I was in high
performance computing for a while and,

you know, AI has been around for a while.

Um, I was doing neural networks at
Rice University 20 years ago, right?

And, which, if you don't know,
neural networks is using AI to map

similar to the very brain, right?

So, AI has been around.

So, I think it's, it's a lot of
the same things you're doing today.

Like you said, get ahead of it, right?

It's, it's always going to be that,
that battle, that yin and yang

with, you know, ad research, right?

And I keep going back to, and I want
to hone in what you asked about,

which is how do you, how do you, um,
resolve the fear that your users,

that people might have, right?

It comes again down to education, right?

Doing now, teaching what AI,
it comes down to teaching what

people, teaching what AI is, right?

Teaching, or telling them and teaching
them what they can and can't do.

As an example, right?

General AI today, your chat
GPTs of the world, right?

That's going to lead to
a lot of data leakage.

It's going to lead to a lot of IP leakage.

Um, if you're in a vendor, a software
vendor, you have developers that want

to go out and try the newest cool tool
that can help me do my job, right?

You want to, again, add those controls,
add that governance, add that education,

teach them, but also enable them, right?

Give them opportunities.

So, um, doing things like, as
part of your security program,

evaluating partners that have AI
technology and in your contract make

sure that they have those same controls
in place that you expect, right?

Set a high standard for your
vendors and your partners.

Lawyers can be your best friend.

Yes.

Yes, and, and yeah, lawyers
are your best friend.

Yeah, I have a very good friend.

I should actually introduce you to him. His
name is Brad Frazier. He works out of

Boise, Idaho, and this resonated with me forever:
It's all academic until you get sued.

Yes, and it's a hundred percent right,
and the reality is it doesn't matter

how nice your vendor is or what kind of
lunch they bought you or whatever;

like, when things go south, the only
thing that matters is the contract.

Well guess what?

Like, this is all new, I think, to
some of our points, this concept of

AI and who has to do what to protect
things, um, lawyers will be your friend.

Vinesh, did you want to
add anything to this?

How, how do we, how do
we fight the good fight?

I, I'm just going to restate what
the others said and look cool.

That's the right way to
go last and wrap it up.

Try to look cool.

Uh, like, you heard the terms, like,
you know, education, get better at it.

And one of the ways I usually
articulate this when I'm speaking with

others is just get good at software.

And the way to think about it is, like,
we've conducted so many studies now.

Like, before the, this panel gets
done, if you have a vulnerable asset

on the internet, it's compromised.

All it takes is that, that much time
for someone to find it and exploit it.

But the scary part is not even that.

It is, once something is found,
all it takes is 45 seconds for an

adversary to make it productive.

And then I turn around and ask the
question, I'm going to ask you to

make a release of software, not your
prod, just your dev environment.

Can you beat that 45 seconds?

Usually the answer is no.

And if our adversaries are that good
at exploiting software, exploiting

software, like, we should be better than
them if we have to keep up at the game.

Right?

So it's, no matter what technology
is always going to move,

it's going to keep evolving.

We just have to be an expert at it.

As good as the adversaries are.

Do you want to add anything, Nick?

I'll wrap it up.

So, what I heard, and I'll summarize
how my simple brain processes it.

It's still all the same
fundamental problems.

The tools are slightly different.

What I think we have to get better at, and
I think I had conversations with both you

and you about this, we gotta get faster.

Right?

We can't take 9 months or
12 months to figure it out,

we gotta figure it out in 3.

And that's where, probably, getting
the right kind of support from your

leadership to invest, and understand,
to be educated enough that they know,

yeah, this is the right way to go
and, by design, not treat symptoms.

But address the fundamental problems,
which are probably like architecture

and governance and people, um,
to get where we need to go.

Can I add one thing?

Yeah, go for it.

So, any security professional in here,
um, actually the one thing that has

benefited me in my career, in my life,
and in winning the security argument from

a top down perspective, learn to present.

Learn to have an elevator pitch, which
means to explain what your problem is,

what the value of doing something is.

Because we all know that
security becomes an afterthought.

So, get good at being a politician.

So that you can sell your ideas,
sell your, uh, sell your needs, so

you can secure, uh, your company
and your data and your people.

Great advice.

Do we have any other folks?

Yeah, go for it.

Setting up a by design secure
architecture, technologically

speaking, for their organization.

And where can they go to get the right
resources to educate themselves so that

they understand why that's important.

Did I get it?

At the right value for them.

Value is an important word.

Um, so that's an awesome question.

Um, so I used to actually do
small business consulting as well.

So this is near and dear to my heart.

The first is look at your vendors.

Um, all the cloud vendors provide secure
architectures that you can replicate.

They even provide you, as an example,
in GCP, literally a click button

ability is to deploy these secure
architectures, secure infrastructures,

with all the various things in place.

Is that, is that the, the final step?

No, right?

Um, there's also many
open source products.

I don't want to negate any of the vendors
here, but there's tons of open

source products out there, solutions.

The government provides a ton of things
from CISA, the NSA, those sort of things

that provide you all the various policies.

Um, and also, you know, as you're
building your organization, you can look

at bringing in consultants such as, um,
uh, part time CISOs and those sorts of

folks that can actually help you build
your security posture, uh, going forward.

So that's my thoughts.

Yeah, I, what I would say is outsource it.

Number one, to that, because that
person needs to focus on his core

business, or her core business.

The selling, the building, the three
other things you mentioned there.

Um, and the difference today versus
ten years ago is there's a, there's

a ton of those types of providers.

So you can actually almost buy MSSP
services the same way that maybe

you might buy, uh, a Jersey Mike's.

Am I going to get a Jersey Mike's
or am I going to get a Subway or

am I going to get a Togos, right?

That's kind of where we are now.

The MSSP market has evolved and it's, and
it's here to support the SMB because the

SMB doesn't care about cyber security.

They care about making
their business perform.

That's what I would say to that.

Did you want to add something, Deb?

No, I think that, you know, the
government does have the NIST, the ISO.

There's a lot that's out there.

You don't have to recreate the wheel.

Just, you know, and you might, you
know, try cyber security as a service.

I mean, everything is as a service
these days that you can use.

That's the same as all you
said with the, you know, get

some consultants to help you.

You're not alone, though.

That's the biggest thing.

And, you know, I would, you know,
learn from other people's mistakes.

You probably I already know that about
me, that, you know, try to read what's out

there and say, eh, I don't wanna do that.

But,

and I see a hundred plus people
in this room who might be able

to help answer a question or
point you to someone who could.

So a challenge to everybody during the
break is go introduce, introduce yourself

to someone you don't know, and at least
explain who you are and what you do, and

how you might be able to help each other.

Any other questions?

This is going to be our last question.

So I'm going to summarize.

From a research and development
standpoint, how do we shift from

being reactive to proactive?

Vinesh, you go first.

We made eye contact.

Uh, let me start.

And, uh, it's actually a
deep and a profound question.

Because part of it has to do, deal with
unlearning what we've been doing always.

And the reason I say that is, one of
the ways to tackle that switch from

being reactive to the master of disease
to one of health would be first, how

do you know you're doing a good job?

We should be able to answer that question.

And in cyber security, often the
answer is, if nothing happens, now

how do you measure nothing happens?

So you see, cyber security is that field
where there are these paradoxes, right?

And it's, the paradoxes are real
because cyber security is a very

hard problem in technical words.

Some people call it the NP hard problem.

And those problems pose themselves
with a certain set of characteristics.

Some characteristics are, I don't
know what a good solution is.

But if you give me a good solution, I can
immediately tell you if it's good or bad.

And that's reinforcing the
behavior of being reactive.

So one way is to understand what we
call the leading indicators or defining

something that's going to give you that
early warning sign and then track yourself

on those measures in addition to all the
other things that we have normally to do.

So that's partly education, partly
enablement, and this the shift from what,

how we've been doing things all along.

That's like one, the, the other
one is, I would say we have to get

to a grips with the, the world of
convergence, which is happening.

What do I mean by that?

Uh, like, traditionally, cyber security
is you defend your network, you define a

perimeter, you establish something's safe
zone, and you touch something, you bless

it, you go through your checklist, it's
all checked, and then you don't touch it.

Because when you touch
it, it means change.

And change means risk.

Right?

That's, that's been philosophically
a way of how we've approached

the problem that has to change,
uh, to get to this, uh, state.

And, for example, I told you
how the bad actors are able

to, like, exploit software.

Why?

You know, software has very
two important characteristics.

Low cost to change, meaning I
can make a change very easily,

and low cost to distribute.

I can get it at the speed of
electrons, basically, wherever I want.

But it's very expensive
to operate and maintain.

Historically, we've been optimizing
ourselves for the weakness of software.

For the, for the, uh, because it's
very hard to operate and maintain.

And we squander away the
benefits of software.

The adversary is exploiting software
using the benefits of software.

So we ourselves should
shift into using software.

So for example, rather than, uh, uh,
not changing your server, let's say

your servers expire every three days.

Even if an adversary was to compromise
you, they have to re-compromise you,

they have to recognize since again,
they'll have to know your IPs, know

your names, I mean we floss every
day, we take a shower every day, do

a digital floss, a digital shower.

So these are some counterintuitive ways
of how you can grapple the, grapple with

the problem and then get to the state.

And I would say that, and I'm not
demeaning any of the planning and the

organization and the structure and the
architecture and the workflows and the,

and the building the clean process, but
we also heard that, I think, Vinesh,

you said it, is that how do you manage
when the, the threat is changing every

single moment and every 45 seconds
you've got to do something different.

The only way you can really
manage that is through reaction.

So it's sort of like the
concept of the pucks moving.

How am I going to get there?

And so what I would say is you have
to build both sides of this pyramid.

It's not just build the architecture
and build the workflows.

It's build the architecture,
build the workflows, and then

build the IR response process.

So that you have the, so you can
respond quickly and deal with it.

You're gonna.

Cause you're gonna deal with it.

Cause you're gonna.

Yeah.

It's, it's, it's, it's sort of the,
I, I think it's, it's different than

what I'm so used to in my old days in
networking and data storage, you know.

You, you sort of like configure it and
you make it work and then it works.

But cyber security, you do that and then
three days later somebody figured out how

to hack it and now you need to fix it.

But nothing really broke.

So it's just, it's a tricky
dilemma we're in, for sure.

Learn how to react.

Alright, I think we're gonna
officially get the hook here.

So I'm gonna ask you guys to
give a round of applause to our

amazing panelists for their time.

And great brains.

And we will jump to the next session.

Creators and Guests

Guest: INCH360
A regional industry group focused on connecting cybersecurity and compliance professionals of all levels. The group will promote education, collaboration, and communication about resources, regional companies, and jobs.