Cyber Crime Junkies

Zero Trust, SMB & National Security. INTEL CTO Exclusive.

May 13, 2024 Cyber Crime Junkies-David Mauro Season 4 Episode 61


Don't miss the video interview for details: https://youtu.be/-G7hbLGDK9o

Steve Orrin, Federal CTO for Intel, discusses secrets inside zero trust and the latest cyber security concerns. He is a recognized security leader and public speaker. Steve has orchestrated projects for federal government agencies on Security and AI. Steve is a key advisor in emerging technologies to the Public Sector, Defense, and Intelligence communities.

Key topics: latest cyber security concerns, Global Cyber Security Strategy, zero trust small business and national security, zero trust and national security, zero trust in critical infrastructure, zero trust in supply chain, zero trust in small business, secrets inside zero trust, how US cyber security strategy affects allies, driving change in cyber security today, zero trust in cyber security today


For more: CyberCrimeJunkies


Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal, secure file sharing platform made for every organization, and helpful to defense contractors.

Visit kiteworks.com to get started. 

We're thrilled to introduce Season 5 Cyber Flash Points to show what latest tech news means to online safety with short stories helping spread security awareness and the importance of online privacy protection.

"Cyber Flash Points" – your go-to source for practical and concise summaries.

So, tune in and welcome to "Cyber Flash Points"

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE. We'd love to hear your thoughts and suggestions for future episodes!


Zero Trust, Small Business and National Security. INTEL CTO Exclusive Interview with Steve Orrin. 

For more see www.cybercrimejunkies.com and our YouTube channel @CyberCrimeJunkiesPodcast: http://www.youtube.com/@cybercrimejunkiespodcast

[00:00:00] Come join us as we dive deeper behind the scenes of security and cybercrime today, interviewing top leaders from around the world and sharing true cybercrime stories to raise awareness. But first, a huge thank you to all of our executive co-producers who subscribed to our Prime membership and fueled our growth.

So please help us keep this going by subscribing for free to our YouTube channel and downloading our episodes on Apple or Spotify podcast so we can continue to bring you more of what matters. This is Cybercrime Junkies and now the show.

Well, good afternoon everybody. Welcome to Cybercrime Junkies. I am your host, David Mauro. In the studio today is my illustrious and always positive co-host, [00:01:00] Mark Mosher. Mark, how are you? Hey, David, how are you? I'm really excited about today's episode. This is gonna be a lot of fun. I too, a lot of good material.

While it is common that you and I are not the smartest guys in the room, this today will certainly be one of those shining examples. Yes, yes. So we're joined by the federal CTO for Intel, Steve Orrin. Welcome to the show. Thanks David and Mark. It's a pleasure to be here today. Yeah, and for those that may not have any idea of who Intel is, if you use a PC, you're using components that are in part manufactured by Intel.

They're one of the global, really think tanks and consultative, leaders in the technology space and have been for over 50 years. Mr. Orrin is a recognized security leader, a public speaker. He's orchestrated and executed projects for the federal government customers on security.

AI [00:02:00] inferencing and edge ir. He serves as a key advisor and subject matter expert in emerging technologies, providing guidance to the public sector, the defense, and the intelligence communities. So we are really honored to have you here, Steve, so thank you. Thank you so much. First let's start off, you know, how did you, as you were going through school and then beginning the, the, your career in technology, how, what led you to the cybersecurity space?

Can you walk our listeners through that? Sure. David, it, it's an interesting story. Going back to when I first started looking at, you know, what did I want to be when I grew up, you know? When I picked a direction in college, my background, I, I enjoyed the sciences, was a hacker as a kid, and at the time, in the, in the late eighties, there really wasn't a career

to be had in the security or in the technology domain. I could become a COBOL programmer. And at that time there were a lot of problems with the, you know, the industry, a glut of programmers. So I went the bio [00:03:00] route actually, and got a degree in research biology, did some graduate research.

And it just happened that when my, one of my grants had run out and we were, I was thinking about the, the things I was gonna do before starting med school. A friend of a friend had an idea that he wanted to do something in this internet space that everyone was talking about in the early nineties.

And he said, well, you, you were a hacker as a kid. You know this stuff and you wanna help. And I'm like, you know what? This sounds like something I could do for a year. Help put some money away for med school. Sure. I, I'll do this for a year. And we're talking 95, 94, 95. Pre-Netscape IPO. It was exactly, oh yeah, yeah.

Oh yeah. And I had the opportunity to help found a company that was doing desk desktop security. After three months, I just fell in love. I was all in. I had some really good mentors, both at that company and my follow on. I like to joke that I sucked their brains dry. That's, that's great. People like Bush, NY and others as my mentors to help me get started.

Yeah. And really guide me along the paths. And you know, it took a little while for the, you know, for my family [00:04:00] to recognize that I wasn't just going crazy because, you know, why are you throwing away your medical career here? I could, I can hear the, I can hear the family dinners now. Right? Right. Yes.

Right. You, you're doing this computer thing, it's just a fad. Go into medicine, it's a fad. And what's the security thing like, that's even smaller. Oh yeah. Especially back then, it wasn't even, it wasn't a thing. It wasn't a thing. It wasn't really a thing. Tell you it's, it was the beginning and it was, it was exciting times.

And so I started, my first, you know, did that first company in 95, then started my own company in 98. And did a bunch of startups and, you know, I, I considered myself a serial entrepreneur in the cybersecurity space, helping to start the web security market with Sanctum, XML security with Vega. Did the mainframe security thing with Lock Star.

Mm-hmm. And then got acquired by Intel back in 2005. And, by that little company startup guy inside Intel. Yeah. That little startup Intel. That little, that little startup. The little startup. But it's interesting you mentioned that Intel has been at the foundation of technology for [00:05:00] the past 50 years.

And one of the things as a serial entrepreneur and a cybersecurity guy, I found that I, you know, over the, over my career, and I've been there now 18 years, I still get to do innovative things on a regular basis. It's great when a larger organization allows those creative licenses to happen.

Right? Exactly. Exactly. And I sort of get to play CTO, you know, in this security, when I was doing the security job earlier in my career at Intel, you know, with Intel's budget, so I didn't have to go to VCs. That made life a lot. Oh, that makes a whole lot of difference. Right. Yeah. Easier to make an impact.

Exactly. That's, that's phenomenal. So one of the things that has been just, it's been coming up in a lot of episodes lately, and that is, why is it there's so much focus now on security? It seems it's in the news every day more so than it was even five years ago, let alone 10 years ago. And we know it, a lot of it has to do with the cyber crime industry's productized.

They've gotten organized, [00:06:00] clearly well-funded, but why have so many security solutions over time just failed to protect organizations? And maybe that bodes a diff a bigger question, but what's your, what's your take on what you're seeing on at a macro level? So Dave, I wish there was an easy answer to why security solutions and the security industry continually seems to be, let's call it failing.

I think that the, the part of the challenge is we're looking at it somewhat from a whack-a-mole kind of perspective. Yeah. You have this security problem, solve it with that security product, you have this security problem you solve with that security product. And as we're realizing now, security is a systemic thing.

It's understanding all the different weak links in the chain, all the different ways an attacker can get in and making the best decisions with a risk-based approach as opposed to, I've gotta just sort of peanut butter my entire enterprise. Right. It, it's, it's really not binary. It's really not. I, and, and I think perhaps that question was a bad question because [00:07:00] it's really not that it's failed, it's a matter of.

Risk, degree. Exactly. And what, what level of risk? It's almost like a dial, like some startups or some entrepreneurs are like, they'll, they'll have that risk dial all the way up maybe, right? Depending on what their startup is based on. And then some other ones that are really worried in manufacturing, let's say, or healthcare, whatever, they're really worried about production going down, they'll start dialing up their security posture more to lower that risk.

Absolutely. And I think what's interesting is even in those risk-based environments where you focus on what are my highest risk things and I apply security to those areas, that realization is that there's still other holes, other gaps in your security posture. And as we've always said in the security industry, we've gotta get it right a hundred percent of the time.

The hacker has to get it right just once. Correct. Yeah. And I think that's that sort of dynamic of. I'm not, I don't wanna say that the security solutions have failed. They probably all have worked for the things they were applied to. Right? [00:08:00] It's the enterprise security of my organization. Did I, did I meet, you know, if I was a CISO or a CIO, did I meet the security bar?

You know, the bar that I've set. Right? And even in those cases, you're never a hundred percent. And that's where you have compensating controls, whether it be disaster recovery, backup and other things. This continuity. Yeah. Yeah, exactly. Because you know, you're gonna get attacked and the question is, how fast did you get back up and running?

Yeah. Or how much data made it out the door? And I think what we're seeing with people transitioning, and again, the cybersecurity framework from NIST really highlighted the need for transitioning from a, you know, let me just do an analysis approach of, well, how, what security tools do I have according to the, you know, the quad chart Azure?

To a risk based approach that can evolve. And I think that was one of the key things that the CSF highlighted is that it's not a point in time. I've got this decision, I pay some money, I get my products and I'm good. It's how's my risk change across time and that I need to adjust my [00:09:00] security controls to meet that ever changing threat landscape.

Yeah, that's, that's, that's really good that, that, well, it's almost like we're a step behind. It feels like we're a step behind as their, their techniques and tactics change. It's, you know, we're chasing what, what the next evolution is of a threat actor, and then, then they change, and then we gotta go chase the next one and know.

So yeah, I don't think it's so much that it. These platforms and tools that we've come out with have. Yeah. I've really failed to, to your point Steve, it's, it's, the threat landscape continues to change all the time. And you're right. What, what's your level of appetite for risk? Exactly. And how do we, I think one of the things, we're seeing some trends here, and we'll probably bring it up later with zero trust, but I think the other trend to think about is moving away from closing vulnerability gaps to get to actually looking at the overall security and risk environment and really taking out whole areas of risk.

And I think we we're, you know, whether that be certain technologies [00:10:00] that can sort of close whole vulnerability types as opposed to patching individual vulnerabilities. Or even like, and I'll pick on the, the supply chain security as an example. Everyone's talking about SBOM and they're like, well, how will SBOM save me?

One thing it gives you is it gives you earlier access to information so that you can start making decisions quicker. And so instead of it just waiting to patch the product that you found out was vulnerable, what controls could I turn on now while I wait for the vendor to patch the product because I know I have a vulnerability and start dialing up my, you know, firewalls or my intrusion detection or my monitoring or locking down services.

And basically what that visibility that, gives you the, chance to get ahead of the curve. And that's why I think the shift we're seeing is looking at your supply chain, looking at how do we change the way we authenticate and authorize transactions. It isn't about, well, I know I have this lateral move vulnerability or have this buffer overflow.

It's how do I take the knees out of the adversary by not giving them the landing zone, [00:11:00] not giving them the six months of window of exposure until Log4j gets patched. That's where I think we're starting to see those shifts is moving away from the, I must patch everything, which we should, but to a, how do I close whole areas of, of risk, right?

Yeah. Just it's, it's more impactful. It's a broader scale, level of protection though. Well you mentioned SBOM. Could you elaborate on that for, for the listeners that might, that might not be following things as closely as we are? Sure. And so the SBOM is really the convergence of a variety of things coming on.

SBOM stands for software bill of materials, right? And what at its core, what it is, is, is a, you know, ingredient list for, for the black box that is the software you're using. Whether that is a commercial product from your operating system or, or application provider or an open source tool or framework you're getting online.

How do you know what's in the box? And you think about it, you go buy a package of cereal, it has a list of ingredients. You know that there's gonna be, you know, rice or wheat and there'll be some corn syrup or whatever you, [00:12:00] and you know, whether there's an allergy to one of those ingredients. So you can gauge your risk.

And if you find out that you're allergic to something, you can identify it. Right? And if something comes out in the future, it says, you know, this chemical or this, you know, red, you know, dye number five has got an issue. You can go look at the package and say, oh, it has dye number five. That's what happened to you more sure.

As a no, no. I had a lot of, I ate a lot of paint chips as a child. Yes. That's, turns out it was lead paint too. Who knew? That's, that's, that's what I'm thinking happened. Sorry about that, Steve, we just No worries. No worries. So you think about the software, it's the same idea. It identifies all the key components, their version numbers.

And information about it so that you have really an itemized asset inventory for your software. Now there's two things that happen. Number one, I have this in my, I can make better acquisition decisions by doing risk analysis. By looking up what CVEs exist for this software, right? What you know is the history of patching for this software.

So you can get better visibility into what you do before you deploy it, but also for the stuff you're managing. [00:13:00] It allows you to manage the risk by having that knowledge. So in the past, if you had a software product in your environment and a vulnerability is disclosed in, let's say a component like Log4j or Codecov, reality is you have no idea whether your organization is vulnerable until the vendor tells you, oh yes, we have this vulnerability, and oh, here's the patch, will come in six weeks or six months, or whatever.

Right. If they even tell you before the patch is ready, or in the case of that Barracuda device where they're like, we can't even patch it. You have to replace it. Exactly. Right. Which just like people in the community were just, they hadn't seen that before. Yeah. So they're like, wow. Okay. So, and so what SBOM will do is give you that list, but then when you tie it into your security operations, into CVEs, there's a, a format that's been put out called VEX, which is a way to validate the vulnerabilities.

Mm-hmm. What that allows you to do is to get that insight so that when the Log4j 2.0 comes out as vulnerable, right. Number one, day one, you can check [00:14:00] all of your software. What has Log4j 2.0? Find all of them. Yeah. And even if they're not all vulnerable, because that's what some analysis is gonna be, you can immediately know that there's a potential risk and what extra controls are monitoring during you.

If you know you have, let's say, a web server product with that module, you can, I mean, you can take the draconian mode and just uninstall it. Not everyone has that luxury, right? But you can apply different monitoring. Mm-hmm. Monitor this thing, see if there's additional ports being open, see if there's additional traffic.

If there's new accounts being, you can monitor it. Like because you have this extra information, you can minimize your risk until the patch comes out. And that is a game changer as far as how we apply security controls. Whereas in the past, it's always been that whack-a-mole of vulnerability discovered.

Hopefully you get a patch in time before the exploit is discovered, and then you have to roll out that patch across your organization. This gives you much earlier time to reducing the risk. Why we're doing this now? Well, after SolarWinds and some other, public supply chain [00:15:00] events, there was an executive order.

MOVEit compromise. Right? That's a recent one. The Biden administration put out an executive order, Executive Order 14028, which had a lot of key statutes in there about cyber information sharing. One of the key ones was the need for increasing our supply chain security.

Directing key government agencies to come up with standards. So, DHS CISA has been working with the I T A A to create the SBOM standard and the sub, you know, the formats like SPDX and others that will go into it. And then directing OMB. And this is one of the key things actually, directing the, the Office of Management and Budget to update contract language to require SBOMs as part of any software that is being acquired by the federal government.

That's a make, that's makes sense thinking right there. Wow. Yeah. So it's not just have a good standard but enforce it. Now here's the best part. The government is a large enough acquirer of software, both open source and commercial, that it drives this [00:16:00] so that the ecosystem, the, the Microsoft, the private sector, the other smaller entities can start to adapt to do that.

And then everyone else gets the benefit. So you have an SBOM that's created because, you know, X, Y, Z company Acme is selling software to the DoD. Well then Citibank or any other bank or any regional bank can request that same SBOM cause it's already been built. So the investment was already done this, so it raises the bar across the board.

Yeah. This seems so logical and it seems like, like a, a massive asset inventory that I'm curious what you think, don't you think the non-technical decision makers were operating under an assumption that this was already in place to, to, to some degree. Didn't they think you guys are running the security stuff?

You know, I'm sure you know what you have, right? You think Although, I mean you can ask any executive do you know what's inside your iPhone or your [00:17:00] entering, they have no idea. Exactly. Nobody has any idea. And that was true of all software. It's very rare, even in open source that you had the real visibility into all the components.

It's true. Right? And I think a lot of people just sort of assumed, well I, I'll have my firewall will catch that, my antivirus will deal with that. Right. And it won't. That's symptomatic. It's not the root cause. Exactly. Now I don't wanna minimize the complexity of that. SBOM introduces, these aren't like little text files.

These could be thousand line documents. Right. Cuz most modern software is very complex. Has components that are nested of components. Their supply chains are fairly rich and then there's a lot of dependencies. And so, you know, there was a, there's a great, on GitHub they have an example of a common SBOM and it is like 1400 lines long.

Now it's human readable if you so desire, but the real innovation will be where the, the tooling and the, and the asset management and supply chain management and vulnerability management software can apply automated processes for consuming the [00:18:00] SBOM populating databases and, and control matrices with the information.

That's the, the, the key transformation of how do you scale this from a really cool artifact that you'll get a checkbox, yes, I hand you SBOM, to how do I operationalize it and scale it with an organization, we're gonna need tools and whether that be your existing enterprise management tools taking on this function, you're gonna see a lot of startups that are in the security and the manageability space.

Add SBOM. I mean, you already see it throughout most of the industry today, and I honestly think there's gonna be a cottage industry of new startups that are going to enable you to both consume an operational SBOM integrated into your existing and legacy controls and really sort of take it to the next level.

We'll see a lot of innovation because this really becomes a whole new set of data to operate against. Absolutely. Now that makes, makes sense. That's why I was gonna ask you, because that makes perfect sense that in this vacuum, as this takes off, that it's by its own nature, we'll create those [00:19:00] small niche startups to supply that.

How do you take the data? How do you consume it, and then how do you leverage it all in one space? You know, maybe even a single pane of glass, you know how. So there's, that's, that's gonna be really cool to watch that advance. All the VCs watching this episode, just keep your eye on, on SBOM. They're all taking notes.

Oh, really? Yeah. Tell me more about that, Steve. And like the phrase AI, every startup will have SBOM in their, in their name. Within, its within its charter. Yeah, that's the beginning. We're gonna have AI applied to SBOM in order to be able to better identify risk. We see, oh now we're, now we're cooking with gas.

Yeah. Yeah. I can, I can. So are we seeing it right now? What are you seeing? Like what industries are you seeing mostly in supply chain? So the industries that you'll see, I think where I've already seen commitments publicly from all the major software providers to supply SBOM to their government customers to meet the executive order mandates.

Cuz the nice thing about the executive order, nice thing from an industry security. [00:20:00] Little bit of pain on the vendor is they put a deadline in there. They said, we want to, by the end of the fiscal, we wanna start seeing SBOMs on contract. They've given some way. Otherwise, you don't get the bid, right? Yeah, right.

Otherwise, you won't get the bid. So there's some grandfathering, there's, you know, again, it's not gonna be draconian, but we're already starting to see the requests come from the, the agencies that are sort of want to be on the, the front end of this asking for SBOMs as their software acquisition. So that, that part is driving us forward.

I think what we're starting to see is you go to, like GitHub and some of these open source communities, they've already built not only the SBOM for the, you know, as, as an exemplar, but there are already tools that are being developed to do automated creation of SBOM. So as you're building your open source widget, you can run a tool at the end that will capture the information and publish it in the right format.

So this whole sort of open source ecosystem save a lot of labor coming online to make it easier for developers. Similarly, which is a collaboration between the federal government and industry. Has published guidance targeted at the [00:21:00] developer community, the supplier community, and the customer or the, the consumer of software from an enterprise or government perspective of how to do this not just in, you know, the format, but how to operate, actually operationalize how to build the processes, where the best practices to make this stuff real.

And so those documents have been published over the last year, really helping organizations go look to a collaborative environment. So it's industry, it's government working together to say, okay, this is the standard, but this is actually how you make it work, and how you, you know, some best guide, you know, some best practices and guidance of what to do and not to do.

That's, that's amazing. And so, is this tied in any way to Jen Easterly's recent comments about how we can't PSA our way out of this? You know, she, she was, she was talking about how, you know, we, "we can't PSA our way out of cyber vulnerability." She was talking about how we've gotta push a little more responsibility [00:22:00] on the private sector to kind of develop that.

Is that kind of tied to this, do you think? So I think the SBOM activity, while separate from that conversation, is an exemplar of the kind of effort. Makes sense. That's necessary of, and, and again, it's industry government collaboration. Mm-hmm. And at the same time it's driving sort of mandate, but also driving the, the initiative, why do I wanna do this?

Why I wanna be able to get government contracts. I wanna be able to sell my stuff to the government and I wanna be able to ease my transition, you know, to be able to do that. And at the same time, and also wanna give the vendor better visibility to what's in their products. I can imagine a lot of companies may, you know, individuals in the company may know what's inside the product.

But at the sort of the build or the last phase, do they know all the components that came in before you ever got to the compile? Right. Right. And is it documented anywhere? Like is there a central, is there a central document that actually has everything from start to finish and generally no. Right, because it lives in the [00:23:00] culture or in the minds of the people doing different pieces.

Exactly. Up until now. Exactly. And that's something I think a lot of organizations, big and small will benefit from downstream as they get better understanding. One of the, the use cases was talked about is just getting a better understanding of the licenses that are in these software products.

From a compliance perspective, most large organizations have lots of lawyers and, and working together with software developers to make sure they're doing the right thing. Smaller, medium and startup companies are just trying to get the product out the door. The SBOM may be a nice tool to help them keep track of what they've got so that they're not violating a GPL or somebody's commercial third party license.

And again, it's sort of this, secondary value of just having, having that, that artifact list, and the ingredient list with the correlating data, is gonna help in a lot of areas, not just, you know, security. That's, that's amazing. We were talking earlier about, zero trust. I would love to hear your take on some of [00:24:00] the ways that you feel it's been effectively implemented in organizations and where you think it's, it's become a buzzword that is at the, it's contained in a lot of different products and services that are out there.

Yes. Yes. So David, the answer is yes, I've seen both. I think we're at the, you know, the hype curve, if you will, for Zero Trust. Exactly. It is definitely, if you went to RSA, I think every booth had zero trust someplace in there. Yep. That's what I was mentioning. That's, I see who you were talking about.

So I, I definitely think that we've, we've hit that critical mass of, it's on everyone's mind. I think one thing to keep in mind is that Zero Trust isn't a product right. Nor is it a technology or even a process. It's a, it's a, I mean, I like to think of it as, as a philosophy, it's an approach to things.

It's how you do everything you've been doing before. Which the other key part of it, actually two key parts. One, it's a journey. It's not a destination. You don't achieve zero trust and then done. It's how do I do my activities [00:25:00] in a zero trust way as I do all the things I'm supposed to do and continually improve?

And the other thing that people may not realize is that this isn't a revolution. It's not like, I'll throw everything out you did before and let's do zero trust instead. It's actually a natural evolution of where, you know, of where we've gotten to in the cybersecurity industry. Mm-hmm. If you think back to the early days, well we, we did things like, you know, sort of specific controls for specific problems, firewalls for networks, antivirus for desktop.

Like we had all these different regimes and they started to get outta hand. And so then we started having things like SIEM that allowed me to collect the data. I had orchestration so I can actually operate it. Like all these things were stepping stones. The key thing that happened, the two things that started happening, one, when we got to this risk-based approach, so suddenly I needed to think about the risk of my organization, my risk appetite, and applied things in a risk fashion so that whether it be the cybersecurity framework from NIST, the risk management framework from DoD or any one of the a hundred other ways of going about a [00:26:00] risk-based approach to security, really started to put it in that it wasn't I need a firewall or not.

It's what's the right security for this problem, for my threat at this moment. Understanding that it could change and that shift in mindset set the stage for zero trust. So first step is, can I apply a proper risk protocol and risk framework or matrix to my organization? The other key evolution was understanding a maturity model that it's not about a binary, did I get security or not?

It's how mature is my organization for the controls I can apply? And again, it's the idea of a journey. You take those two things in parallel. When you get to Zero Trust, what? Zero Trust just basically says everything you just did is correct. Now let's just stop trusting everyone implicitly. Right. And that's really at the core of what Zero Trust is, is a set of mechanisms so that when Mark logs in in the morning, he's not just auto trusted as Mark for every aspect of his transaction.

Mm-hmm. And that, you know, we get back to the idea of defense in depth that evolves. And that's really what [00:27:00] Zero Trust is. It's defense in depth with an idea that you're not trusted, you're not automatically good. Not saying you're automatically bad, but you're just untrusted. And so I need to verify every aspect of is this the right thing to do at this moment?

And then when you, that's the defense in depth with the zero trust angle. And then the risk base means that tomorrow there's a new risk, a new threat, my risk changes, that means my security must change. Yeah. Now without having to go rip out everything you've done with Zero Trust allows you to do in that dynamic environment.

Because I don't trust anyone. I don't have to go and redo my security. If the threat changes, you just have to let them in one at a time after it's been verified. Yeah, exactly. And so if my threat level changes, I can apply new security controls. You're already being re-authenticated so I don't have to kick you out and start over the next time you come in.

I may have a different level of, of, of security for what you're, you're trying to do. And that's how these things marry together. So I think the key is it's an evolution mm-hmm. Towards this, this new concept. Now [00:28:00] in three years, we'll have another buzzword, cuz that's the cycle we always go through. That's kinda the way it works.

Right. But I think what we're seeing is we're looking forward to Black Hat this year with the, with whatever the new buzz is, new buzzword for the next 30 years. Yeah. And let's also face the fact that once zero trust gets, you know, beyond the early stages and starts to get rolled out and scaled.

Mm-hmm. We're gonna identify, there's, you know, the hackers aren't gonna go to, you know, close up shop and become, you know, and, and start going legit, they're gonna look not to go after. Yeah. It's not like the LockBit gang is sitting there going, oh they've got zero trust. We better, we better open up an e-commerce store now.

We actually better shut down these activities. And so what we'll see is zero trust moving from today. It's very focused on, they're called the transactional models. Correct. You know, so I authenticate in to get a file to is similar. Yeah. Is it similar in some ways to like PAM, like privileged access management where like, yeah, you might have authority to do something but we're gonna regulate, you know, this role and this organization can't access all [00:29:00] this other stuff.

Cuz so many organizations, I find, you know, when I think about like some of the recent breaches that have been in the news, okay, yeah. They might have socially engineered them and got access or they might have done even multifactor authentication, fatigue and got access. But once they had control over that employee, they, the ha the threat actors were able to find.

Amazing access that that employee themselves didn't even know. Didn't even know that they had. Yeah. And so it wasn't configured right in the first place. They, they were, there was way too much access given to it was very horizontal. Yeah. Is that we need, is that zero trust. Exactly. We need to take away that implicit trust.

Exactly. In employees or in, in, by the way, everyone focuses on the human right. I need multifactor authentication for all my users. Entities are just as much a part of the story. Software applications are mostly autonomous. Now they, they may be operating on behalf of a query that you did, David, but that web server querying that database may not have your credential even.

They [00:30:00] may just have a token associated with an authentication event that happened two hours ago. That's part of why the zero trust has to go even deeper than just users is not implicitly trusting. Well, the web server's inside, so it must be secure. The database is inside so it must be secure. It's shifting that whole conversation.

Interesting. Oh, yeah. Yeah. So it's not even a, so not even trusting certain systems to speak with other systems and access other systems, you need to verify those as well. Yeah. And one of the things, you know, and this is a conversation I have pretty often with CISOs and CIOs in the government space they often ask, well, you know, you've, we talk about the Zero Trust,

it's in the mandate, I gotta do it. Where do I begin? And everyone immediately jumps on the multifactor because that's something tangible. I can buy, I can, I can put tokens on everyone's hands. So that's, that comes in a box. I know how to do that. Yeah. We know how to do that. It can't be sophisticated if we, if we know how to do it.

Yeah. If, if Moher and I can figure that out. One of the things I, I recommend is as another set of controls that are really [00:31:00] powerful in the zero trust world is network segmentation. Microsegmentation, right? Microsegmentation. Like getting beyond the big areas of, of, of domains down to very small knowable sections.

So I can apply security controls, policy and access in and out. For very small areas so that when something does get compromised and it invariably will, mm-hmm. I've really limited the scope of that lateral movement to one system, one small group of systems. And then you marry that with another concept that I talk about, which is called threat canaries.

What's so a lot of what's, so a lot of organizations have, you know, a variety of history of, of systems. They have laptops that may be anywhere from one to five years old. They may have software operating systems that are legacy or not updated all the time because of certain compatibility issues. And what a threat canary is, is you take a modern like state-of-the-art system with all the security controls on it, all the, the antivirus, the intrusion detection, all the different sensors turned to 11.

You put it in that VI environment, [00:32:00] not as a honeypot. You give it to somebody, you give it to a developer, you give it to a secretary, you give it to an executive in that domain, or you put it underneath that database and you turn all the dials to 11 and it becomes your canary in the coal mine for that micro segment.

Okay. And that way Oh, I see what you're saying. And that way, if something does get compromised, you don't have to wait till it exfils out of that environment to have a sensor go off. And so it's, it's almost like deception together is really how you get ahead. That's almost like a, the, the deceptive movement, right?

Like, that's almost like an element of deception where they would decept I'm not decepting, I'm actually giving you, like, think about it, if I gave, if you gave your your top developer the best laptop you could buy, with all the security controls turned to 11, they're doing real work and not, you're not deceiving anyone.

He's actually developing it. She's developing code and loading it to git right and everything else. But behind the scenes, you've got a system that's not legacy, that's not an old operating system that has all the sensors. So when a [00:33:00] malware tries to access that, or a hacker who's on one, one of the other systems in that microsegment tries to jump over.

It's gonna, it's gonna pick it up. Exactly. Gonna pick it up. And this, one of the reasons why this is important is that very few organizations have the budget to wipe out everything and start over. Mm-hmm. So it's very hard to say, well just go upgrade all your hardware, upgrade all your software, get the latest patch version for everything.

We know reality isn't there and it, even if I had that budget, it'd take me six, you know, two years to do that more just to build it out. Yeah, exactly. But being able to pick one system in each of those microsegments and say, this is gonna be my perme, you know, my, my, my sensor, if you will. And it's not a, as a honeypot or deception, just sort of hanging out, waiting.

Cuz if it's not doing anything, it's gonna get bypassed cuz they, they know that. But if it's the system that's actually doing fun stuff, they're gonna want to try to attack it. And that will be your early, early warning system if you will. So mirroring those two things together, so obviously multifactor that has to happen, but microsegmentation with [00:34:00] active sensors in those segments, that gets you really far down the, the, the beginner's path.

On your journey towards zero trust. Everything else then becomes, you know, operational management, visibility, you know, like a lot of the more mature things that take time to do. And this way you have a good baseline to build off of. So how is this is excellent. That, and that the threat canaries was, I love that concept and, and I, you, you're seeing it implemented in, at the federal level when people are, are beginning to mature on their journey toward exactly, toward, toward, towards zero trust.

What do, what do SMBs do, you know, in, in the SMB space when they don't wanna think about security, right? They wanna like have their manufacturing, they're building auto parts for cars. They wanna just do their business, but they're getting these attacks and they want their company not to go under, they want not to be in the news.

They want not to have [00:35:00] their production shut down from a massive ransomware attack. Like what do, can. How realistic is it for them to con to begin on the journey of Zero Trust? I believe personally that they can, and they should. It's just a matter of how do they do it. Like would you, would you suggest, you know, begin with smaller things like multifactor authentication or incident response planning, like some tabletops or something like that?

So, it's a good question, David, and I think it, it's a, a little bit of, of what you just said and a, a little bit more. SMBs aren't gonna have the budget or the infrastructure necessarily to deploy a lot of tools and a lot of management and they're gonna have a very small cyber team, if any. Right. One thing they can do is, you know, they're often, they're using managed services, whether it be cloud hosting, even their security is often managed by somebody else.

Mm-hmm. Requiring that those managed providers provide them with the zero trust capabilities in those clouds in that managed service. And they can, by the way, all [00:36:00] the cloud providers are gonna have tools and things in there to provide zero trust. So if you've outsourced a lot of your IT operations, cuz you are too small to have a, a dedicated team, you can get it doesn't mean you don't get zero trust, you can get it from your hosted providers.

You just have to ask for it. And similarly, it's interesting and, and, and at the level that balances turning the dial down to the point where they're comfortable with the risk but it doesn't interfere with production. Right. Risk management. Exactly. Making a risk determination. What is the risk to my organization?

It's, you know, availability, threat, you know, it's all those things. Mm-hmm. And applying the right controls for your environment. It doesn't mean that a small regional bank has to have the same level of security as a, as a global bank. That being said, they're both targeted. So this is, this is an opportunity number one, leveraging hosting providers and cloud providers to provide you those as a service capabilities at a, a cheaper rate than building it out yourself.

Mm-hmm. Following the best practices. Cuz by the way, for the [00:37:00] banking industry, the banking ISAC is gonna have best practices. Right. That they can adopt. They don't have to start from square one. Mm-hmm. And then one thing we've seen in a lot of these com, you know, sort of industrial, you know, the industry and vertical communities is, and this goes to that other point that Easterly was pointing out, better information sharing.

Right. And so, oh yeah. What we've already seen the benefit of, of the large banks sharing with the smaller banks. The smaller banks get the benefit of all the TTPs and all the information that the big banks with all their sensors can see. The big banks got a really interesting side benefit from those early information sharing and IOC sharing activities.

Many of the hacker groups would beta test their attacks on those small regional banks. That's what I was, I was about to ask you. Oh yeah. And what they, so when, once they start screwing the other direction, they know they don't have the, the exactly funding to have all of the defenses and they don't have their own internal SOC team and all the threat hunters and all that.

And so they can target them first. And that's learned what they were doing. [00:38:00] And so what the large banks were able to get is early indicators from the, from the regional banks. And they were then able to start to lock down those things well in advance. So the collaboration was actually mutual. One of the studies that was done, they, they did a pilot experiment to share cross-industry, so banking to healthcare.

And again, they saw this really interesting dynamic where stuff that was happening in the banking community would eventually make its way over into healthcare. And so the healthcare community got, got that benefit of seeing things that had started as a, you know, targeting banks. And then on the flip side, a lot of the, the attacks that we're looking at and research that was being done on medical devices or on, you know, the, called the OT systems, right?

Banks, you think of banks as being all IT, but ATMs are OT, right? And so are a lot of other aspects of their operations. And so again, there was some really good collaboration of understanding the threat landscapes that they were, that were very much popular in the medical device industry. And only just coming to the financial [00:39:00] services operational side of the camp.

So I think one of the things that the executive order and Easterly and others are really highlighting is we need more of that. We need more information sharing cross industry, government to industry. Because the tools and technologies are great, but if we are not doing a good job of communicating mm-hmm.

Amongst ourselves, we're, we're doing all the disservice. Absolutely. We have to, of course, create a safe environment for doing that. You don't want people getting sued cuz I, I exposed that we had been, you know, somebody had been attacked and similarly, you don't want to have someone be able to use that against you and, you know, and, and the court of public opinion.

And so, well, and I, and I think that's an important part here, right? Because some of the hesitation in the past has been litigation risk liability, right? They don't want to say, here's how we were exposed, or here's how. We can be exposed because then it could open them up to public scrutiny as well as civil liability.

Exactly. And so there's been mechanisms [00:40:00] put in place to help protect from a liability protection. Yeah. Safe harbors, especially in the, the cyber information sharing, vulnerability disclosure requirements. Mm-hmm. They have there, there are provisions in there to protect organizations that lawyers can be, you know, get, get at least a, a warm fuzzy on that side.

Mm-hmm. And then the other is that there's industry collaboration and government collaboration groups where you can anonymize the data so that you can expose, hey, this is how they attack. This is what happened. Not necessarily to ABC company or organization. Right. Excellent. Because really the government doesn't need to know that Bank XYZ was hacked.

They really want to know that it was, you know, Fuzzy Bear doing this kind of ransomware attack again. Right. And that's the information that's important. And so that having that ability to anonymize the data sets and be able to provide it in a safe place for analysis, and this is again, a good place where a lot of the, the service providers can play a role, a, a single managed security service provider may see hundreds if not thousands of clients' systems, of [00:41:00] clients' systems, and be able to aggregate that data to the federal government or to other sharing environments so that you don't, you know, call out any one player as being the one that got hosed.

Right. Yeah, that's exactly right. Well, and I, it, it seems like that's a lot. Less. It. It seems like that judgment is happening less often now than it did a few years back. A few years back. You know, when certain brands got hit, everyone's like, oh, I can't believe they got hit. And it's become so commonplace that we're all like, can we learn from this?

Exactly. Like what can we learn from this? And let's not blame the internal security team over there because, but for the grace of God, would it be us? Right. So let's, let's learn from this together cuz we're all kind of against the same enemies here. Yeah. And one of the things that was really interesting about the ransomware attacks from a couple of years ago, I mean, everyone talked about Colonial Pipeline and Yeah.

Big in big industrial environment, OT systems affected. Yeah. I thought that the most interesting one [00:42:00] from a, from just understanding the change in our environment was JBS ah, the meat packing out of Australia. Yeah. 'Cause there are two things you can learn from that. Number one. There is no industry that is immune from being attacked.

Right. Because let's face it, meat packing is not necessarily the sexiest industry. No. That's not something that would be on the list, you would think. No, exactly. Yeah. The other side of that is that just how reliant every aspect of our lives is on digital technology. Yeah. Meat packing had to shut down because there was a ransomware attack on their systems.

That means any aspect of our lives could be affected. So it really raised the bar of everyone is vulnerable and a target and it is important that no in, so no CISO or CIO or even CEO can say, well, my company isn't important, or We're not high enough profile. Right. Or our, our, we have no, we have no secrets that anyone can steal.

Everyone is, we're all part of this. And once you make that that leap that we're [00:43:00] all together in this environment of threat, it makes it a lot easier to start thinking, well, we should start sharing with each other so that we can. Get better. Cause let's face it, the adversaries are sharing information, they're learning from, from each other.

Absolutely. They're collaborating. Mm-hmm. We're only doing ourselves as an industry and as, and as a, as a world economy, a disservice from not doing better collaborations on the mitigations and on detection. Yeah. Well, and you have affiliates that work for several different cyber gangs, right? Yeah. Like one single affiliate can work for LockBit and BlackCat and all these other ones.

Right? Exactly. Whichever, whichever model will work that that week is the one that they're gonna get paid by. Interesting. So interesting. So a couple things come to mind. One, we've talked to several people from across the pond going east like the UK, and they talk about the difference between cultures and the difference between like America's view of our personal data compared to like the [00:44:00] UK's view and, and the people their view it as a fundamental human right.

Here in America, we, we've had just, just a few years ago, we would meet with people, you know, Mark and I are in the Midwest, so we meet with business owners all the time. We heard that phrase so often that we're not, we're not concerned about security. Like they wanna do the minimum amount because they're not gonna target us, and now they're not gonna come in.

And that has changed to where it's almost like, well, I'm sure they're gonna hit us, but it probably won't be that bad. Like, that whole journey, you've got backup that, that realization is slowly coming, but it's, it's not fast enough for their own benefit. Yeah. What, what, what are you seeing? Like, you, you see things across, you know, you do things involving allies and all of that.

Like what are you seeing. In terms of, do, do you, do you recognize any cultural difference on the value of the way we perceive our own data? It is, it is interesting and I [00:45:00] don't think it's any one particular thing that led to that, you know, that dichotomy. I think partly in, and we saw this early in the industry, a difference between the security measures that the EU and the UK were taking versus what we see in America.

Right. Some of that had to do with the liability protections, right. If your credit card was compromised in the EU you were on the hook for what it got used for back in the day. Yeah. In the US you had a $50 liability. Interesting. Okay. Protection, which sounds like a good thing. Yeah, it's a good thing. I don't wanna get hit for every time my, my credit card gets hacked.

Sure. The flip side is, is that I really don't value my credit card that much other than the pain it is to go switch it out of all my accounts that are using it. Oh, that's a good point. From a personal level, that's a great point. We don't have the same oh my God. If my data gets out there, what's gonna happen?

Cuz the, the pain is minimal. Similarly, when we look at it from a perspective, you know, of the EU having the GDPR, but it really behind that the, we are gonna protect data, we're gonna have sovereignty of [00:46:00] data across the, the EU countries. We didn't, we don't have that in the states. I mean, it's, we're all the United States and we just expect everything's gonna be protected and that's somebody else's problem.

Mm-hmm. The EU took a very forward-leaning view of how, you know, did the data, right, the idea of a right to privacy. And that led to things like the right to forget and the right to, you know, the control that they wanted to put in. Right. We never saw that, you know, we've had a couple of states come up with data privacy requirements and reporting requirements but it was never done at the federal level.

And so again, you don't have the same regulatory environment. You're gonna get different outcomes. The flip side, you can always tell you someone could be really, really concerned. About a hacker getting their personal information, but they'll give it all away on the social media platform. Well, I was just about to say it.

A lot of this even came to fruition in the hearing over TikTok, right? Yeah. Because they were, they were talking about it, and they were so aghast by what TikTok was doing, and yet we don't have regulations like [00:47:00] GDPR here. No. Right. And it's like, well, and, and other social media platforms are kind of doing the exact same thing that TikTok was doing, and they don't have as good of an algorithm, which is why TikTok is winning.

And then the issue, right? And then the issue is, is well, you know, there's China, so you know, there's just natural suspicion for, for valid reasons, right? Mm-hmm. So yeah. It's so interesting. Yeah. Because we, we sit here and curate our lives on social media much more so than they do overseas. Exactly.

And I think that, that, those are contributory factors. Mm-hmm. And I think also, mm-hmm. You know, again, it's one of those good thing, good news, bad news parts. You know, we're, we're very right, very forward leaning on our capitalism that each company is gonna do what it needs to do to, to win. And anything that you, any additional regulation you put on it, it's gonna stymie innovation, which is true in certain respects.

But again, what that leads you to is that it's, I expect the company to protect my data. Right? And when they don't, you get upset. But really, how many people have left [00:48:00] XYZ bank or whatever retail store because their data was compromised, right? You just don't see the mass exodus. So the, the, the, at the end of the day, one of the things that when you look at sort of what changes.

Security in a large organization or small is when the, the, the, their, their customers use their money where they're, you know, to, to make a decision, to, to push a policy or push a a, a priority. Well, it's true, right? Because, because at the end of the day, when you work for a company, you're not working for the company, you're working for the customer's money.

Exactly. Right. And, and so when customers leave because they lose trust, That they're not gonna lose their confidential information and ruin their credit score. Like we always talk about, like, at the end of the day, security is, I wanna be able to buy a jacket without it ruining my FICO score. Can we do that?

If we can manage that, I love your brand. Yeah. Right. Like if we can do that one simple thing, then that's a good thing. But some organizations don't value the, their own data and then it [00:49:00] jeopardizes us who just wanna buy a jacket and not get, not have 10 years of having to fill out a bunch of forms when we're buying a house or whatever.

Right. And having to say, no, that wasn't me and that wasn't me, and all this other stuff. Right. And rebuilding your credit score. Cuz that's a, that's something that will drive you to never do business with that organization again. Exactly. And I think we've also hit a little bit of fatigue. I mean, you can't go a week without a major data breach.

I know. It, it, it becomes noise almost. Yeah. Yeah. And then, and then it loses its impact; we become desensitized to it. Yeah. I used to have a slide where I had like every major compromise or data breach with a, you know, like the article. And for about six months I did a pretty good job of trying to keep everything on one slide and I just gave up.

It was, yeah, we used to be able to talk about two, have a slide big enough. Yeah. A bigger slide, Mark. Yeah. Mark and I have done the security awareness trainings for over a decade, part of InfoGard and stuff. And we, we've, you know, we used to talk about Target and we used to talk about Equifax and you know, like poster child and what [00:50:00] not to do if you're breached and stuff.

There's so many now it's just like, what are you guys, what, what would be most relevant to you? What story do you want to hear? Pick an industry and we can tell you, pick an industry. We've got, we've got a million of 'em here. Right. That's, and I think one of the things that's lost in a lot of the noise is that many of the organizations that are getting breached.

Had what we would call industry best practice in cyber hygiene. Mm-hmm. They, they had the firewalls, they had security tools. Yeah. They had the alerts. And oftentimes it comes down to one of two things. They had the systems that would've detected it, but no one, either no one was watching or they weren't configured correctly.

So, exactly. Timing. Again, it's the blinking light going off and no one's there to catch it. It's alert fatigue, or, or, or configuration. Right. Yeah. They don't have, they might have FireEye, but they don't have the automatic remediation set or whatever it is. Right. And that, I think that's one of the things, you know, when I'm talking to CIOs, I, I, the, the joke I use is that you'd much rather automate the security, fix the patch and break the CEO's email for 30 minutes.

[00:51:00] Yes. Than have another data breach. Yep. And that's the, the mentality. And this again, zero trust is only an aspect of it. The other piece is automation. Cuz the only way you scale, whether it be zero trust or supply chain security or any of these other concepts, is if you can automate. Most everything that I call the stupid stuff.

And I'm not saying that anyone's job is stupid, right? Right. But 80% of what you do could be automated. And then you can take your small cyber team, which you're never gonna have enough people to patch everything and focus them on that, that threat hunting or on that 20% hard problem or fixing that one server that you can't automate because it's so legacy, it needs handholding.

Right. And by turning on automated process to push out patches, to close vulnerabilities, to flip on firewall rules and make that get the human out of the loop faster, A, closes vulnerabilities quickly, but B, frees you up to go focus on those harder problems, which is that other area where they got in through something that no one thought about.

And that's because no one has time to go think about those other areas. Yeah. [00:52:00] No, that's, that's really insightful. I love, I love that. I love that perspective. And then honestly, then you can focus on building a security culture, cuz then you can harden the people, you can focus on training the people and bringing, you know, everybody, every brand has a culture, everybody.

And yet they'll do security awareness when they onboard. And then maybe once, once a year. Once, once a year. And then maybe there's an email on Tech Tuesday where nobody knows whether anybody's read it or whether it's resonated or whether they've read it that Tuesday. And that will actually change behavior cuz it resonated with them three months later.

Yeah. Like there's, there's, there's no, it needs to be ongoing and everything else because even with the automation, it's still gonna, it's still gonna fall down when we let them in. Yeah. Because we're not trained or we, we don't know what, what to look for. Yeah. And so, David, one thing I would, you know, like there's a, there's been this mentality that we need to make every [00:53:00] user a security guru.

Yeah. That's not gonna happen. And actually much trust if we just is actually saying is that you shouldn't have to. Right. If we really had, once we get, let's say far enough down that marathon journey of Zero Trust, a user could click on the link every morning. Right. And, and they wouldn't do anything eventually get affected for a second in order that malware may even download.

But if I've really built my Zero Trust enterprise to the, the, the means that we're talking about, that malware would actually not be able to do anything. And so like, and I quote my my, my, my mentor Bruce Schneier, you know, let them click on the Dancing Pigs cuz they will click on the Dancing Pigs every time.

Yep. And if the environment doesn't just implicitly trust things, then that dancing pigs that is a malware won't be able to get its foothold. And that's where we need to get to. Right. And what Zero Trust is a start on. I would agree. And yet we still are dealing with 90, 90% of all the organizations still don't even have the fundamentals in place.

Yeah. And so, I love that because [00:54:00] that's where we need to get, in the meantime, we still have to train people not to click on the dancing pigs. Absolutely. We still get, don't click on the dancing. We still have to, we still have to find the needle in the haystack and just, no, when you see that, don't do that.

Oh, I didn't know like, oh, okay. Let's explain. Ah, you shouldn't because the other systems aren't in place. It's not automated yet. Yeah, right. For, and I'm, I'm talking like in the SMB space. Mm-hmm. Absolutely. And, and the thing, you know, there, there are some really cool services. I know we do it and others do it, where you get the, you know, like every once in a while everyone gets a little, a phishing, you know?

Oh yeah. The, the test phishing service. Oh yeah. We, we, we, we provide those to clients. It's absolutely wonderful. Absolutely. And I think the thing that really trains people isn't the, you know, little pop-up window that says, oh, you got phished, you should have done. Right. It's when you have to sit through an hour of training because of it.

Oh yeah. I guarantee you that changes behavior fast. I'll tell you, David, remember we had the one client that actually wrote it into their HR policies. If there were x number of failed phishing attempts, you know, that they [00:55:00] clicked on within a quarter or whatever the timeframe was. There was, there was some consultation to sit down with HR and leadership, and there was a discussion about why, like, why do you keep clicking on this?

I will tell you, I will tell you, and this is a true story, happened today. I got one right and it was, there was nothing more exciting than... I see one and it looks really good. It was a good one. Mean it's right from, it was a really good one. It was right from our expense system. It looks so real. Like there were no red flags on there.

And I thought about the context and I'm like, I haven't even done my expenses for June. Like I have no reason to be getting this. So I sent it off and the head of our expenses said, this is not us. Like, thank you for not clicking on that. I'm like, wow. I'm like, I felt so good noticing that. I'm like, see, this is, it's, you know, there's like a motivation.

I'm like, now I don't have to sit in an hour class. Like, this is great. I don't have to get a call from HR to get call to send some letter warning, [00:56:00] dude, why are you working from Starbucks again? There you go. Like, don't, don't do that. Right. So Steve, thank you so much. This is, oh, this was great, man. Thank you.

This is so much insight was telling. Really? I was telling Mark, just like y you're you, the where you sit in your experience, it's so impactful for our listeners and for for, for Mark and I to, to, to hear about. And I, and I really agree and like I really, I really value that that view that once we can get organizations up that journey toward, towards zero trust and increase automation, that the other parts really will kind of begin to get us to where we can have shields that matter up.

Right, exactly. Yeah. I really buy into that. So that's phenomenal. It was good stuff. Steve, any, what, what is, what is coming up next for you? Is there, are you, are you speaking anywhere our, our listeners can come see you? What else do you have coming up in the near future? [00:57:00] So I think the, the, the things that I'm doing, I'll be speaking at the MIT CDOIQ conference coming up in July talking about AI and some of the impacts both from a security and from a just enterprise perspective, what we need to do better on.

Mm-hmm. If anyone wants to find me, I will be at Black Hat/DEF CON this year, says, come by and we'll have a drink. I'm happy to talk to anyone. Excellent. It'll be a fun time there getting back to that. Now that COVID is over and we can start going places again. Yep. That's fantastic. So yeah, looking forward to it.

That's, that's outstanding. Well, Steve Orrin, thank you so much for joining. I hope this is not the last time we talk, cuz I would love, after hearing your your presentation on, on AI, we could have done an entire episode. That's, I've got a whole list of questions. Yeah, we, we, we really do. Because, because the, the responsible use of it.

Mm. The, the, the looking, the, you know, there's so much there and it just is changing every single day. So again, Steve Orrin, connect with him on LinkedIn, check him out. We'll have your [00:58:00] information in our show notes. So we encourage everybody to follow you and learn. So thank you so much.

Thank you, Mark. David, thank you so much, David. Oh yeah, sir. Thanks Steve. Look forward to next time. Talk soon.

Well, that wraps this up. Thanks for joining, everybody. Hope you got value outta digging deeper behind the scenes of security and cybercrime today. Please don't forget to help keep this going by subscribing free to our YouTube channel at Cybercrime Junkies Podcast and download and enjoy all of our past episodes on Apple and Spotify Podcasts so we can continue to bring you more of what matters.

This is Cybercrime Junkies and we thank you for joining us.