In this episode, Patricia Muoio, Ph.D., Partner at SineWave Ventures and Former Chief of Trusted Systems Research Group, National Security Agency, sheds light on the cybersecurity technology landscape and emphasizes the need to develop technologies that are attack agnostic. Some of the questions driving the discussion include: a) what progress has been made in the development and use of cybersecurity technologies? b) What does it mean to be attack agnostic? c) how near or far are we from taking the burden off people trying to protect themselves from different cyber attacks? and d) the ideal government and industry partnership model to develop innovative solutions.
Time Stamps
02:34 -- How about sharing with listeners some professional highlights?
04:12 -- I'm really intrigued to learn about your career trajectory, considering that you got your doctorate in philosophy, so was it on the liberal side of things?
05:35 -- What's your assessment of the cybersecurity technology landscape?
08:12 -- During our planning meeting, you said, "we need to be able to develop technologies that are attack agnostic." Please expand on that.
12:50 -- While you're saying that it doesn't matter how the hackers get into your system, wouldn't I want to know how they are conducting the attack to be able to prevent it from happening in the future?
14:54 -- If I'm a developer listening in on this conversation, what should be some focus areas for new technology development? And if I'm a consumer of these technologies, how should I approach cybersecurity governance?
27:23 -- Will there ever come a day when I could be as carefree as possible, and click on anything I want, knowing that there is technology that will not allow the perpetrators to exploit that and do damage? Will we ever get to that world?
31:57 -- What is your assessment of the government-industry partnership?
38:19 -- Please share some final thoughts and key messages for the listeners.
Memorable Pat Muoio Quotes/Statements
"I think that many problems like endpoint protection, network segmentation, authentication, encryption are essentially solved. There are technologies that do these kinds of things and do them well."
"I think where a lot of the work needs to be done is making these technologies work together and work appropriately for the system in which they are used."
"We need to be able to develop technologies that should be attack agnostic."
"What it means to be attack agnostic -- you stop attackers from getting in, you stop them from moving around, you stop them from getting out, exfiltrating your data, or encrypting your data, executing their payload in any important way. And the details of how they choose to do them, the shape of the malware they choose to execute simply doesn't matter. What matters is that these actions can be identified in the system and stopped in a more general way."
"Users ought to know when less is more."
"I think people need to be careful to understand when risks that sound very very different in their effect, are actually the same in their cause, and that their solution space needs to address the causes and not the effects."
"As these technologies develop, as people become more comfortable with the notion of self- protecting self-healing systems, we will be able to take some of the burden of the users."
"Understand solutions that are based on your system, and not concentrated on what the attack looks like; but what is my system and more importantly, my business workflows, what do they look like, and build solutions that protect them, and not solutions that are based on external threat conditions."
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712
Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/
Welcome to the Cybersecurity Readiness Podcast
Introducer:Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Introducer:the book Cybersecurity Readiness: A Holistic and
Introducer:High-Performance Approach, a SAGE publication. He has been
Introducer:studying cybersecurity for over a decade, authored and edited
Introducer:scholarly papers, delivered talks, conducted webinars and
Introducer:workshops, consulted with companies and served on a
Introducer:cybersecurity SWAT team with Chief Information Security
Introducer:officers. Dr. Chatterjee is Associate Professor of
Introducer:Management Information Systems at the Terry College of
Introducer:Business, the University of Georgia. As a Duke University
Introducer:Visiting Scholar Dr. Chatterjee has taught in the Master of
Introducer:Engineering in Cybersecurity program at the Pratt School of
Introducer:Engineering.
Dr. Dave Chatterjee:Hello, everyone, I'm delighted to
Dr. Dave Chatterjee:welcome you to this episode of the Cybersecurity Readiness
Dr. Dave Chatterjee:Podcast Series. The discussion today will focus on
Dr. Dave Chatterjee:cybersecurity technologies, and the significance of government
Dr. Dave Chatterjee:and industry partnerships in developing these technologies.
Dr. Dave Chatterjee:Some of the questions driving our discussion are: what
Dr. Dave Chatterjee:progress has been made in the development and use of
Dr. Dave Chatterjee:cybersecurity technologies? What does it mean to be attack
Dr. Dave Chatterjee:agnostic? When developing cybersecurity technologies, how
Dr. Dave Chatterjee:near or far are we from taking the burden of people trying to
Dr. Dave Chatterjee:protect themselves from different types of cyber
Dr. Dave Chatterjee:attacks? And how significant is the government and private
Dr. Dave Chatterjee:sector partnerships when it comes to dealing with current
Dr. Dave Chatterjee:and future cyber threats? I'm delighted to have as my guest
Dr. Dave Chatterjee:today, Dr. Pat Muoio. She is Partner at SineWave Ventures.
Dr. Dave Chatterjee:Pat is an expert in matters of cybersecurity and computing,
Dr. Dave Chatterjee:vetting the technical viability of emerging technologies. She's
Dr. Dave Chatterjee:had a 30 year career in the intelligence community in a
Dr. Dave Chatterjee:variety of technical and leadership positions. Pat has a
Dr. Dave Chatterjee:bachelor's degree from Fordham University, and a Doctorate from
Dr. Dave Chatterjee:Yale. Pat, it is so delightful to have you as a guest today.
Dr. Dave Chatterjee:Welcome!
Pat M:Thanks a lot, Dave. I'm really happy to be here. Looking
Pat M:forward to the conversation.
Dr. Dave Chatterjee:Fantastic! So before we jump into the
Dr. Dave Chatterjee:details of our discussion topic, how about sharing with
Dr. Dave Chatterjee:listeners, some professional highlights?
Pat M:Sure! So I've had a varied career. And in my time at
Pat M:the Agency, I worked in a number of computing analytic and
Pat M:cybersecurity roles, ending up in the research part of the
Pat M:organization for the last third of my career, working on hard
Pat M:problems in those areas. In my last position in the Trusted
Pat M:Systems Research group, we investigated secure operating
Pat M:systems, mobile security, mobile phone security, formal methods,
Pat M:we tended to do the kinds of research that individual
Pat M:companies can't afford or the lead time is so long that you
Pat M:need somebody to do the foundational work before
Pat M:companies can pick up on it and start making money. Since then,
Pat M:I did some consulting work with NIST for a while on
Pat M:cybersecurity framework and a number of other issues, cyber
Pat M:physical systems security, and so on. And then I joined
Pat M:SineWave, which is a early stage venture fund, concentrating on
Pat M:enterprise technology that can help entities that haven't been
Pat M:using information significantly in their business processes to
Pat M:become more information driven. And the government certainly
Pat M:fits that characteristic, as do a number of industrial segments,
Pat M:and so on. And I've been with SineWave for about eight years
Pat M:now, and really scouring the technical landscape for
Pat M:interesting technologies, again, in the areas of cybersecurity
Pat M:computing and analytics.
Dr. Dave Chatterjee:Fabulous! In fact, I'm really intrigued to
Dr. Dave Chatterjee:learn about your career trajectory, considering that you
Dr. Dave Chatterjee:got your doctorate in philosophy, so was it on the
Dr. Dave Chatterjee:liberal side of things?
Pat M:So the philosophy that I did I my, my education was in
Pat M:the area of phenomenology, which is about learning about what's
Pat M:essential, or what what really matters about things by
Pat M:considering the context in which they live and the accidents that
Pat M:you can observe about them. And so it really is a way of looking
Pat M:for the the essential gist of a matter and coming to understand
Pat M:reality in that way. And I think that's been a central theme of
Pat M:all my work throughout the agency and I have is this
Pat M:ability to sort of cut through what's accidental and get to
Pat M:what matters. The other thing that was a strong concentration
Pat M:in logic, which tends to go hand in hand with some
Pat M:phenomenological stuff. And so that, again, was a thought area
Pat M:that really stood me in good stead in my very varied career.
Pat M:I feel very fortunate because I got some really exciting
Pat M:technical opportunities that one typically wouldn't associate
Pat M:with a philosophy degree and was able to really become what I
Pat M:consider myself a technologist. Now, despite the fact that I had
Pat M:probably the least technical degree also,
Dr. Dave Chatterjee:I'm glad you said what you said, because
Dr. Dave Chatterjee:I know many listeners will be inspired to hear that. In the
Dr. Dave Chatterjee:past episodes, I've had discussions with other experts,
Dr. Dave Chatterjee:and many of them have been very vocal about the importance of
Dr. Dave Chatterjee:drawing people from different fields. Cybersecurity does not
Dr. Dave Chatterjee:have to be the monopoly of the technocrats and by technocrats,
Dr. Dave Chatterjee:we normally associate them with the computer scientists or
Dr. Dave Chatterjee:computer engineers. It's a pretty large field, and it could
Dr. Dave Chatterjee:benefit from a variety of intellects, it could benefit
Dr. Dave Chatterjee:from an eclectic perspective. So that's, that's truly
Dr. Dave Chatterjee:fascinating. Getting to the discussion on the state of
Dr. Dave Chatterjee:cybersecurity technologies, progress is being made in a
Dr. Dave Chatterjee:variety of areas from authentication to behavioral
Dr. Dave Chatterjee:analytics, blockchain, manufacturer usage, descriptive
Dr. Dave Chatterjee:(MUD), which associates with IoT devices. I'm interested in how
Dr. Dave Chatterjee:you size up the progress. Where do you see the strengths? Where
Dr. Dave Chatterjee:do you see the gaps? What's your assessment of the cybersecurity
Dr. Dave Chatterjee:technology landscape?
Pat M:So I think there are many excellent component
Pat M:technologies, I would actually even say, a sufficient set of
Pat M:component technologies to build strong cybersecurity solutions.
Pat M:I think that that many problems like endpoint protection,
Pat M:network segmentation authentication, encryption are
Pat M:essentially solved. There are technologies that do these kinds
Pat M:of things and do them well. Yet, there's still number of
Pat M:breaches, the breaches rise with the investment in cybersecurity
Pat M:in some sense. And that is not causal. But but and you still be
Pat M:wondering why if there are these basic fundamental sound building
Pat M:blocks, the solutions are not as robust as we would like. And I
Pat M:think what's really lacking is the ability to architect these
Pat M:components into a solution to understand again, what matters,
Pat M:what needs to be guarded against what needs to be in in the
Pat M:internals of the system, and how to make these things usable.
Pat M:There's a lot of guidance about the controls you have to have in
Pat M:place, and there's 128 of them, or whatever. And people have a
Pat M:hard time finding their way through these lists and lists of
Pat M:things to a solution, a reasoned solution that works in their
Pat M:space. And I think that's where a lot of the work needs to be
Pat M:done, is making these technologies work together and
Pat M:work appropriately for the system in which they are used.
Dr. Dave Chatterjee:Interesting. Very interesting. So while while
Dr. Dave Chatterjee:we were going through our planning meeting, you made a
Dr. Dave Chatterjee:very interesting yet poignant statement. You said that, "we
Dr. Dave Chatterjee:need to be able to develop technologies, that should be
Dr. Dave Chatterjee:attack agnostic." I'd love for you to expand on that. And
Dr. Dave Chatterjee:because I know listeners would love to hear that perspective.
Pat M:Yeah. And I think, again, talking to why stuff has not
Pat M:worked as well as we would have hoped to date. Part of this is
Pat M:due to the fact that a lot of the development of technologies,
Pat M:and particularly the selling of technologies, is centered around
Pat M:threats, scaring people about threats, figuring out what
Pat M:threat is where, advertising this particular piece of
Pat M:technology to deal with this particular threat, and so on.
Pat M:And what that does is it creates this marketplace with a
Pat M:gazillion pieces of tech in it, each of which does many of which
Pat M:do just niche little things. And the user is really has no great
Pat M:understanding of which of those attacks are likely for them. How
Pat M:severe are those attacks? is this the only solution against
Pat M:that attack? is something else I'm already doing as a side
Pat M:effect addressing this particular attack? and so on. So
Pat M:when you concentrate on the attack on the externals of the
Pat M:system on what's coming at you, it's a much more confusing space
Pat M:and one that is difficult to get confidence that you're really
Pat M:covering the waterfront. If instead you take an attack
Pat M:agnostic approach and you look at technologies that you can
Pat M:deploy internal to your system to make your system impervious
Pat M:to attack no matter what that attack happens to look like, you
Pat M:can have much better success. So for example, you're worried
Pat M:about an attacker getting into your system and moving around to
Pat M:get from a compromised user space, for example, to a space
Pat M:where they can do some damage to your system in terms of stealing
Pat M:data or encrypting data or whatever. And so you think about
Pat M:what are the technologies that enabled me to stop anyone from
Pat M:moving around, it doesn't matter what exact movement method
Pat M:they're picking. What matters is if they're moving in a way that
Pat M:you don't want, that your system does not authorize, they should
Pat M:be stopped, right. And so there you deal with things like micro
Pat M:segmentation, you can deal with some Zero Trust kinds of policy
Pat M:driven solutions, where what it simply stops lateral movement,
Pat M:regardless of its accidental characteristics. And again,
Pat M:since you asked me about philosophy, this is a very
Pat M:phenomenological approach, right? You stop the essential
Pat M:thing, which is movement rather than the accidental thing. Using
Pat M:this means to get around. And it becomes very important, you can
Pat M:see this with access control, right? There's all of this
Pat M:anti-phishing technology, phishing is a huge threat. And I
Pat M:think we'll probably talk about it later, I think we're going to
Pat M:talk about how humans can interact with these
Pat M:technologies. But anyhow, phishing is a big threat. And
Pat M:you want to stop that, you want to stop people from stealing
Pat M:credentials via phishing, but it's also the case your
Pat M:credentials can be stolen by password guessing, they can be
Pat M:stolen by web scraping, they can be stolen in a bunch of
Pat M:different ways. And what you really want is to stop the bad
Pat M:guy from using credentials, regardless of how they stole
Pat M:them, right, they read them off my sticky note, regardless, you
Pat M:want to be able to stop them from using credentials in this
Pat M:simple mechanisms, like two factor authentication, which
Pat M:means you stole my password. Now, you also had to have stolen
Pat M:my phone, if you want to use that password effectively,
Pat M:because the two factor authentication would require
Pat M:that additional means. So there, you're not looking at phishing
Pat M:as the method you're looking at the fact that via phishing,
Pat M:someone stole credentials, and you can stop stolen credentials
Pat M:from being effective in the system. And this is what it
Pat M:means to be attack agnostic, you stop attackers from getting in,
Pat M:you stop them from moving around, you stop them from
Pat M:getting out, exfiltrating your data, or encrypting your data,
Pat M:executing their payload in any important way. And the details
Pat M:of how they choose to do them, the shape of the malware they
Pat M:choose to execute simply doesn't matter. What matters is that
Pat M:these actions can be identified in the system and stopped in a
Pat M:more general way. Long there, but
Dr. Dave Chatterjee:no, I think it's very interesting. Thanks
Dr. Dave Chatterjee:for sharing. As a follow up, while you're saying that it
Dr. Dave Chatterjee:doesn't matter how the hackers get into your system, wouldn't I
Dr. Dave Chatterjee:want to know how they are doing something to be able to prevent
Dr. Dave Chatterjee:it from happening in the future? Or am I missing a point here?
Pat M:Well, I think you need to know it, if you're a security
Pat M:company that are making solutions that would stop it in
Pat M:the future. I think you need to know it, if you're a government
Pat M:that's analyzing these things, to understand this data threat,
Pat M:perhaps do forensic activity to find bad guys and stop them. But
Pat M:as an average user, say, you knew a malware took this
Pat M:particular form, and what could you do differently, right? If
Pat M:you had a technology that would be effective against that
Pat M:particular form of malware, you would have deployed it. Because
Pat M:it's an unpredictable when the malware is going to come at you.
Pat M:If you don't have a technology that deals with that particular
Pat M:shape of malware, you're you're then have to fall back on using
Pat M:these attack agnostic methods that don't care what its shape
Pat M:was. So you might want the knowledge, I don't know for
Pat M:reporting to management or but in reality, if there are no
Pat M:knobs in your system that you can turn using this information,
Pat M:what's the point of having the information, there's nothing you
Pat M:can do to change your response to the threat? Because, you
Pat M:know, the particulars of the threat?
Dr. Dave Chatterjee:Okay, that that helps. I guess I was
Dr. Dave Chatterjee:approaching it from the perspective of a developer of
Dr. Dave Chatterjee:solutions,
Pat M:correct? Yeah, correct. There, you do need to be aware
Pat M:of what's going on in the world. And one of the things that's
Pat M:actually different about my role in SineWave compared to my role
Pat M:in the government, is my focus has really switched from how is
Pat M:cybersecurity from the consumers point of view rather than from
Pat M:the developer's point of view? And that's been a different an
Pat M:interesting change in thinking.
Dr. Dave Chatterjee:Interesting, and I think this is a great
Dr. Dave Chatterjee:opportunity to to share with both the user and the developer
Dr. Dave Chatterjee:community, some words of wisdom, for instance, if I'm a developer
Dr. Dave Chatterjee:listening in on this conversation, what should be
Dr. Dave Chatterjee:some focus areas to develop new technologies? And say, I'm a
Dr. Dave Chatterjee:consumer of these technologies, how should I approach
Dr. Dave Chatterjee:cybersecurity governance? And I know these are very broad
Dr. Dave Chatterjee:questions, I'll let you take it whichever way
Pat M:a couple of paradigms or topic areas that I think have a
Pat M:lot of promise that if I were developing technologies, at this
Pat M:point, I would be concentrating in those areas. I think Zero
Pat M:Trust is a hugely important insight, a concept that's been
Pat M:around forever. But now, computation is quick enough that
Pat M:you can actually readily carry out the kinds of activities
Pat M:needed to make sure that if somebody's coming into your
Pat M:system, they're supposed to be and that when they're in your
Pat M:system, they're doing things that they're supposed to have
Pat M:access to. So I would, I think there are many exciting Zero
Pat M:Trust technologies ranging from the network layer, up through
Pat M:the application layer. And I think that area is really
Pat M:important, and is an attack agnostic in the way I think it
Pat M:ought to be. The other thing that's exciting to me is Context
Pat M:Aware security, as we were less mature in our understanding of
Pat M:security and security policies, we often had to make decisions
Pat M:that were sort of all or nothing, there was no nuance to
Pat M:the execution of controls, security controls on our system.
Pat M:And that led to some unfortunate situations, there was the
Pat M:Facebook hack, where they were down for many, many hours
Pat M:because their security controls made it difficult for their
Pat M:resilience people to come back in and bring the system back up.
Pat M:And and so when you have these very draconian black and white
Pat M:choices, it's the only ones available to you can often be
Pat M:problematic. So I think, Context Aware security where you can be
Pat M:much more nuanced in what you allow, and why, looking at more
Pat M:features to determine whether this activity is one you want to
Pat M:permit or not, I think that's very important as well. And I
Pat M:think over time, as we start having more machine to machine
Pat M:communications that we want to secure, for example, we're going
Pat M:to need the policies to really be robust enough to handle
Pat M:operational situations that aren't always the same, and that
Pat M:black and white doesn't always work for it. I think there's
Pat M:still some, the hardware layer is always I don't know, seems
Pat M:always to be the least covered in most people's investments in
Pat M:cyber. And in some sense, that's problematic, because the more
Pat M:foundational you are, the better. In some face, I think it
Pat M:kind of makes sense because hardware attacks are often close
Pat M:access and beyond the realm of many over the wire hackers, and
Pat M:so maybe they're not so important for the average user.
Pat M:I think blockchain and AI this I'm a little ambivalent about
Pat M:blockchain, I think it has a lot of promise for data provenance.
Pat M:Unfortunately, I haven't seen it been used yet in a way that
Pat M:delivers on that promise, I remain optimistic that it will
Pat M:end up being an important part of our solution space, but I'm a
Pat M:little worried as to why it's taking quite so long to find its
Pat M:way. There's some stuff as a consumer that I would in general
Pat M:worry about, for example, a lot of people are selling behavioral
Pat M:analytics and AI and they're selling it in language that
Pat M:makes it sound like the decisions that come out of these
Pat M:systems are one you can rely on and act on. And what's not often
Pat M:spoken about or well understood with cybersecurity artificial
Pat M:intelligence, is that artificial intelligence is probabilistic,
Pat M:at best, right? It can be completely right, it can be only
Pat M:right to a certain percentage. And in some percent, some cases,
Pat M:those percentages are quite high. But in some percentage
Pat M:cases, they're really not. And when people want to take actions
Pat M:on these probabilistic measures where the confidence measures
Pat M:are not clearly understood or displayed by the technology, I
Pat M:think you can get into some very, very bad situations. I've
Pat M:seen some insider threat situations in particular, where
Pat M:people use these probabilistic approaches and say, Oh, this guy
Pat M:has been coming in late at night or he's printing from an unusual
Pat M:printer and stuff like that. And then they start opening security
Pat M:cases on these individuals and can be quite life disrupting
Pat M:when it turns out the probability of those things
Pat M:meaning you are a spy or meaning you are a hacker is in the 70
Pat M:percents right? So it's going to be wrong a lot. And I think as
Pat M:we start doing these more disruptive actions based on
Pat M:these conclusions, we have to be a little more careful that the
Pat M:people taking these actions really understand the confidence
Pat M:in those kinds of conclusions. So for that reason, I'm very
Pat M:leery of many of the behavioral analytics and AI technologies
Pat M:that are coming out now. The other thing that I think
Pat M:consumers or users need to think about is, what are they shaped
Pat M:like, right? Do they can they have if the technology assumes a
Pat M:security operation center, and they don't really have people
Pat M:that can look at all of this data and make sense of it,
Pat M:that's not a technology they should buy, right? If the
Pat M:technology assumes a level of expertise in their own company
Pat M:that they don't have, they should not be looking at those
Pat M:technologies as things they should deploy. And it may be
Pat M:that the other solutions are simpler, but they they are more
Pat M:appropriate to use in their setting, because the chances of
Pat M:error are much, much lower because they match what the
Pat M:company is structured as in what their security knowledge
Pat M:consists of. So I think and then the final thing I want to say on
Pat M:this is users ought to know when less is more, there are a number
Dr. Dave Chatterjee:great insights. And you've shared so
Dr. Dave Chatterjee:many things that I'm excited about. So I want to pick up on a
Dr. Dave Chatterjee:of partial technologies, things that address this or that
Dr. Dave Chatterjee:few things and share my two cents. First, you're so right,
Dr. Dave Chatterjee:individual cybersecurity problem. And the thought as you
Dr. Dave Chatterjee:that there's so much out there by way of technology solutions.
Dr. Dave Chatterjee:buy a bunch of them, and then magically, they all work
Dr. Dave Chatterjee:And we are getting swamped and inundated with new names for new
Dr. Dave Chatterjee:together to come up with a holistic solution, but they're
Dr. Dave Chatterjee:types of attacks. And it is very hard for even for reasonably
Dr. Dave Chatterjee:working together is often problematic. And the holistic
Dr. Dave Chatterjee:sophisticated professionals to organize these different types
Dr. Dave Chatterjee:solution often still has gaps. And the individual problem may
Dr. Dave Chatterjee:of attacks under categories and try to see the big picture like
Dr. Dave Chatterjee:be actually solved by something else. So for example, ransomware
Dr. Dave Chatterjee:how would I map these attacks, to the different types of
Dr. Dave Chatterjee:is malware with an encryption payload rather than a steal your
Dr. Dave Chatterjee:vulnerabilities and the tools associated with the
Dr. Dave Chatterjee:data payload, if you had strong malware protection, you don't
Dr. Dave Chatterjee:vulnerability. There has been some mapping, I'm privy to that,
Dr. Dave Chatterjee:need additional ransomware protection, because the problem
Dr. Dave Chatterjee:but it is very, very confusing. It is very technical. And when
Dr. Dave Chatterjee:with ransomware is that malware got into your system, and that
Dr. Dave Chatterjee:somebody is buying or investing in new technologies, and there's
Dr. Dave Chatterjee:it shows to encrypt rather than steal, doesn't mean you need
Dr. Dave Chatterjee:gonna be people who will not have this kind of a background,
Dr. Dave Chatterjee:something different to fix it. And so I think people need to be
Dr. Dave Chatterjee:or may not afford to have the expertise to filter through what
Dr. Dave Chatterjee:careful to understand when risks that sound very, very different
Dr. Dave Chatterjee:the vendors are offering. There, the suggestion that I have, and
Dr. Dave Chatterjee:in their effect, are actually are the same in their cause, and
Dr. Dave Chatterjee:I think it is in sync with what you're saying is let the vendors
Dr. Dave Chatterjee:provide you in writing, what their solutions can't do. What
Dr. Dave Chatterjee:that their solution space needs to address the causes and not
Dr. Dave Chatterjee:they are not promising. And how is that significant or
Dr. Dave Chatterjee:the effects,
Pat M:I want to add to what you just said, which I agree with
Pat M:insignificant from their assessment of the company and
Pat M:talking about company assessment, you're so right when
Pat M:100%. And I think it's particularly interesting when
Pat M:you said just don't keep buying technologies because your
Pat M:competitor has them. You should have them you read about about
Pat M:we're going into sort of an enterprise that already has
Pat M:it, understand your organization understand your needs, it goes
Pat M:back to technology 101. Like, again to quote you, you said
Pat M:significant cybersecurity investment, ie some of these new
Pat M:less is often more I couldn't agree with you more, and the
Pat M:world of general technology implementation. I like to share
Pat M:technologies, some of the zero trust, for example, actually
Pat M:my perspective that if possible, you're better off investing in
Pat M:one or two platforms as opposed to having 1520 different
Pat M:render obsolete a ton of the stuff that people have already
Pat M:solutions because now it becomes a coordination challenge
Pat M:coordination nightmare, a maintenance nightmare. So the
Pat M:bought, and enable you to take a fresh look at your architecture
Pat M:extent to which you can simplify your solutions the extent to
Pat M:which you have greater clarity on what do you mean by
Pat M:cybersecurity defense in the context of your organization.
Pat M:and perhaps jettison a number of tools you have in your
Pat M:And once you have that clarity, evaluate the vendors evaluate
Pat M:the solutions, see what fits best. And finally, it's not
Pat M:inventory. One of the things I worry about is that CISOs don't
Pat M:enough just to buy the tools, look inwards and see is the
Pat M:organization ready. From a from a people standpoint, from a
Pat M:do that often enough, they don't look at their system and say,
Pat M:process standpoint, you will agree that going back to the
Pat M:people process technology framework, they all need to fit,
Pat M:All right, now that I have this other opportunity, this thing
Pat M:you can have a great technology, but you don't have the right
Pat M:process, you don't have trained people end result is not going
Pat M:can go away. They're afraid to look like they made a mistake if
Pat M:to be great. So to find that balance requires some planning
Pat M:requires some reflection require some thought, as opposed to just
Pat M:falling for a pitch. So that was great, you covered a lot of
Pat M:they argued for this $300,000 piece of technology, and now
Pat M:very, very interesting and important ground. So moving along.
Pat M:they're saying, well, we can get rid of this 300,000 piece of
Pat M:technology, people would then say, Well, why did you make me
Pat M:buy it in the first place, it's only been two years, because
Pat M:what's the issue here? And so I think we need to get a different
Pat M:kind of technical integrity and the decision making on this
Pat M:space, realize the space is evolving and realize that
Pat M:revisiting and changing is not indication of error, and that we
Pat M:need to be brave enough to just do that.
Dr. Dave Chatterjee:Absolutely. You have to manage expectations.
Dr. Dave Chatterjee:From a CISO standpoint, that means you have to be able to
Dr. Dave Chatterjee:educate, inform socialize your leadership team and prepare them
Dr. Dave Chatterjee:for what you just said that yes, I might come to you asking for
Dr. Dave Chatterjee:money to invest in certain technologies. But do remember
Dr. Dave Chatterjee:that it's quite possible that in a matter of a year's time, or
Dr. Dave Chatterjee:even less, these technologies might be obsolete. And we might
Dr. Dave Chatterjee:have to think about investing in something else. That's the kind
Dr. Dave Chatterjee:of world we live in, it's a kind of an informed risk that we need
Dr. Dave Chatterjee:to take. I think the word here is informed risk. Yeah, because
Dr. Dave Chatterjee:like you said, just like with AI solutions, there is a
Dr. Dave Chatterjee:probability involved. Similarly, with human decision making, we
Dr. Dave Chatterjee:are making decisions based on the information that we have, as
Dr. Dave Chatterjee:long as we've made a reasonable effort to get our arms around
Dr. Dave Chatterjee:the issues and make informed as opposed to chaotic, impulsive,
Dr. Dave Chatterjee:reactive decisions. I think we are a little better of I don't
Dr. Dave Chatterjee:know if we have this one ideas approach, an ideal solution. But
Dr. Dave Chatterjee:I think the message that I'm picking up from you cutting
Dr. Dave Chatterjee:through the technical aspects of it, is you have to be very
Dr. Dave Chatterjee:deliberate, you have to be very thoughtful, you have to involve
Dr. Dave Chatterjee:the technocrat as well as the business person. So offer both
Dr. Dave Chatterjee:the perspectives and then look at it from a holistic
Dr. Dave Chatterjee:standpoint, develop an integrated view, as opposed to a
Dr. Dave Chatterjee:siloed approach to things. So moving along to a question that
Dr. Dave Chatterjee:is very close to my heart. I imagine a day, and I'm sure many
Dr. Dave Chatterjee:do. Where humans don't have to worry about knowing the do's and
Dr. Dave Chatterjee:don'ts. Will there ever come a day when I could be as carefree
Dr. Dave Chatterjee:as possible? And click on anything I want, knowing that
Dr. Dave Chatterjee:there is technology that will not allow the perpetrators to
Dr. Dave Chatterjee:exploit that and do damage? Will we ever get to that world?
Pat M:So I am optimistic that technologies exists are under
Pat M:development that will enable the system to take care of itself,
Pat M:even in the face of user error. Now that said people should
Pat M:always be responsible and don't Don't be, yeah, don't be
Pat M:foolhardy. But I think it's unreasonable to say all right,
Pat M:let's do fishing training. So people will recognize that this
Pat M:is a fish Should a message. Phishing training is not all
Pat M:that successful, attackers get more and more clever about
Pat M:making messages look like legitimate messages, people are
Pat M:often in a hurry, the boss wants this now, and they're not going
Pat M:to stop and parse the the front line to make sure it's a L and
Pat M:not a one. So I think it's unreasonable to put the burden
Pat M:of reducing fishing on fishing education, I think there are
Pat M:technologies that can do that parsing for people, and so on
Pat M:and so forth. But apart from that, as I spoke earlier, if you
Pat M:architect your system in a way that even if the credential is
Pat M:stolen is not useful, the fishing won't be as problematic.
Pat M:And there's there's lots of things that talk again, about
Pat M:zero trust technology that even if somebody got in, they can't
Pat M:move around, or they get in, they're recognized as bad, and
Pat M:they're stopped from executing. So So I think there are going to
Pat M:be technologies that let the system protect itself, I think
Pat M:part of what we need to do is stop expecting the user to be an
Pat M:element in that protection. And we have to stop thinking that
Pat M:there has to be humans in the loop, roll these security
Pat M:decisions, and get comfortable with the notion of the system
Pat M:protecting itself. And not that every security block that every
Pat M:action block needs to have a human okaying it so long as the
Pat M:human is in the loop like that, then we will have technologies
Pat M:where this has been protect itself, because there'll be this
Pat M:time lag in which bad things happen. And and you can't
Pat M:overcome that. So I think yes, as these technologies develop,
Pat M:as people become more comfortable with the notion of
Pat M:self protecting self healing system, we will be able to take
Pat M:some of the burden off the users. And now we should
Pat M:certainly take the blame off the users. But it just doesn't it
Pat M:doesn't make sense. It's it's hard to think that that putting
Pat M:them at fault, does you any good.
Dr. Dave Chatterjee:True, very true. You want to be able to
Dr. Dave Chatterjee:take the human element out to the extent possible. Otherwise,
Dr. Dave Chatterjee:it's a never ending problem. Because you can train you can
Dr. Dave Chatterjee:make people aware, but then people will forget, and then you
Dr. Dave Chatterjee:have to retrain. So the extent to which, like you said, we can
Dr. Dave Chatterjee:develop self healing systems, self correcting systems, self
Dr. Dave Chatterjee:fixing systems, whatever the appropriate word is, which is
Dr. Dave Chatterjee:where I think a lot of development is taking place as
Dr. Dave Chatterjee:well. I think that would be a welcome. Welcome improvement,
Dr. Dave Chatterjee:welcome change. So from the standpoint of technology
Dr. Dave Chatterjee:development, it is a given that you want the best resources
Dr. Dave Chatterjee:involved, if you just left it to the private sector, they would
Dr. Dave Chatterjee:innovate, often to the detriment of society. That's where
Dr. Dave Chatterjee:government comes into play rules and regulations come into play
Dr. Dave Chatterjee:to lay some ground rules. At the same time, the government is
Dr. Dave Chatterjee:able to do things that the private sector cannot, what is
Dr. Dave Chatterjee:your assessment of the partnership, in terms of where
Dr. Dave Chatterjee:we are and where we should be?
Pat M:So I think it's interesting that because there's
Pat M:a lot of new initiatives in terms of public private
Pat M:partnership in place, and and certainly the awareness of the
Pat M:need for this kind of interaction is heightened these
Pat M:times where it seems to be working well as in what I would
Pat M:call forensics situation, something happened. And the
Pat M:government helps the private sector figure out what happened,
Pat M:what are the characteristics of that attack? How could they
Pat M:prevent it, and so on. And I think that's important
Pat M:collaboration and a fairly effective collaboration, then
Pat M:the government could disseminate warnings or papers that describe
Pat M:these conditions, and so on the flip. The downside of that,
Pat M:though, is that's a very attack centered way of working. And as
Pat M:I said earlier, I think that that way of working is really
Pat M:long for the world. And I think for the security community, that
Pat M:collaboration is viable and important. I think for the user
Pat M:community, that collaboration doesn't have as much impact.
Pat M:Another type of collaboration that I'm quite familiar with is
Pat M:such collaboration or development collaboration. I
Pat M:think that's usually important. As I stated in passing earlier,
Pat M:the government is often in a position to do research, that's
Pat M:longer term where the payoff is more uncertain, where you don't
Pat M:need to get to a bottom line to revenue and within three years,
Pat M:the industry just can't do and I think recognizing the enabling
Pat M:ways for the that government investigation to translate
Pat M:effectively into the private sector is very, very important.
Pat M:I think there are initiatives to involve academics or commercial
Pat M:people in actual government research. And I think those
Pat M:provide some transition paths that are quite valuable. And I
Pat M:applaud that and think there needs to be much more of that
Pat M:there are activities to have government employees embedded in
Pat M:companies to learn how the problem looks from the
Pat M:commercial point of view. And similarly, I think that kind of
Pat M:research and development collaboration is extremely
Pat M:important. One of the issues that I was involved in and, and
Pat M:and changing my mind about actually is the issue of
Pat M:government guidance for normal for for enterprises, or small
Pat M:medium businesses or users of any type. And the government is
Pat M:very, very smart and knows a lot about that guidance, and has a
Pat M:lot of processes in place to get good input from commercial
Pat M:sector. On that guidance. The NIST framework, for example, had
Pat M:many conferences in which people collaborated on what this
Pat M:guidance should look like, and what are the controls that
Pat M:matter? And and what are the levels that make sense. And I
Pat M:think it was greatly enriched by that commercial involvement in
Pat M:its formulation. However, the government has fairness
Pat M:requirements, and requirements that keeps them from from saying
Pat M:anything that will block innovation, that leaves that
Pat M:guidance at quite a high level. So I think the NIST framework is
Pat M:right. But for many people, it's kind of difficult, if not
Pat M:impossible, to actually use to, to help them making concrete
Pat M:decisions. So I think there's a step, a collaboration step
Pat M:that's missing from the statement of the initial and
Pat M:that, and again, for the fairness reasons, and you can't
Pat M:stop collaboration reasons. That's right, you don't want
Pat M:this to come out with saying, for control number three, you
Pat M:need to need Joe Schmo has encryption mechanism, because we
Pat M:know it works, because that's giving Joe Schmo an unfair
Pat M:commercial advantage. And that's saying that the only thing that
Pat M:will work here is encryption. And if some new method comes out
Pat M:in the future, that will work just as well as encryption, it's
Pat M:proscribed wouldn't meet the sort of standard and guidance.
Pat M:So you have to keep these things in a way where you allow for the
Pat M:inclusion of new technologies into comply with the standards,
Pat M:even when you have not yet imagine those new technologies
Pat M:and to avoid picking winners. So that leaves this this
Pat M:translation space, that I think in the formulation of the
Pat M:framework, this was the lead and the commercial people provided
Pat M:contributions, perhaps as this other stage where the commercial
Pat M:people, the various industry segments, interpret that
Pat M:guidance and make it more consumable for individuals. So I
Pat M:think a government it certainly has the expertise and the
Pat M:wherewithal to think seriously about these problems in a
Pat M:foundational way. But then getting that foundational
Pat M:understanding translate into pragmatic solutions is a place
Pat M:where both in terms of tech transition and interpretation of
Pat M:guidance, I think some work is needed. Yeah, I guess I'll stop
Pat M:there.
Dr. Dave Chatterjee:sense. It makes a lot of sense, you've
Dr. Dave Chatterjee:again touched upon many points. And as you were speaking, it
Dr. Dave Chatterjee:kind of dawned on me, that we're really talking about, and it's
Dr. Dave Chatterjee:probably a bit of a philosophical note, we talked
Dr. Dave Chatterjee:about this important tension, between complexity and
Dr. Dave Chatterjee:simplicity, to solve problems of the magnitude that we are
Dr. Dave Chatterjee:dealing with in the cybersecurity space. These are
Dr. Dave Chatterjee:complex problems that often require complex responses.
Dr. Dave Chatterjee:However, the communication of it, like when you say, the
Dr. Dave Chatterjee:prescriptive part of it, to be able to filter down what needs
Dr. Dave Chatterjee:to be done contextualize it. That's another skill set that is
Dr. Dave Chatterjee:so important. Because what's the point of making 112 guidance or
Dr. Dave Chatterjee:recommendations about controls? Some people will just look at
Dr. Dave Chatterjee:the enormity of it and will just say, Well, I don't think I have
Dr. Dave Chatterjee:the time to go through it. I'll just go and hire somebody and
Dr. Dave Chatterjee:get them to give me some quick suggestions, or what are the
Dr. Dave Chatterjee:basic things I can do to protect my organization, I don't have
Dr. Dave Chatterjee:the time to go through those 115 guidance or recommendations. So
Dr. Dave Chatterjee:that's where we need some expertise to help contextualize
Dr. Dave Chatterjee:the recommendations. And I know that CISOs and CIOs play that
Dr. Dave Chatterjee:role. They get the details and then they filter through it and
Dr. Dave Chatterjee:then they try to implement what makes sense. So that's kind of
Dr. Dave Chatterjee:my two cents. We are coming to the end of our session here.
Dr. Dave Chatterjee:I've been really enjoying it. So that's too bad that we have to
Dr. Dave Chatterjee:call it for today. But I'd like to give you the opportunity to
Dr. Dave Chatterjee:conclude the discussion with some final thoughts, some key
Dr. Dave Chatterjee:messages for the listeners.
Pat M:Yeah. So I guess and you you were coming at this, I think
Pat M:in the comments you just made and comments you made earlier,
Pat M:when it comes down to it. Really what matters is that people
Pat M:think critically about their system and their problem space
Pat M:and their solution space. And it, yes, there there are ways in
Pat M:which their situation is similar to others. But there are ways in
Pat M:which their situation is different from others. And they
Pat M:need to not get caught up in marketing. So much as in a
Pat M:decision making process that's driven by an understanding of
Pat M:what they do, and what they need to protect, and what their
Pat M:system is structured like, what their skill levels are, and
Pat M:really thoughtfully choose their solutions, with that
Pat M:understanding of their starting point in mind. I think this
Pat M:return to understand solutions that are based in your system,
Pat M:and not concentrated on what the attack looks like, but what is
Pat M:my system and more importantly, my my business workflows, what
Pat M:do they look like, and build solutions that protect them, and
Pat M:not solutions that are based on external threat conditions, I
Pat M:think there's a lot of promise, despite the fact that there are
Pat M:still a number of breaches, I think the technology has come a
Pat M:long way. And people are are beginning to think, to be much
Pat M:more security aware. It's a big disparity between where
Pat M:enterprises are at and where small and medium businesses are
Pat M:at. And so the ecosystem can have a lot of bad things
Pat M:floating around in it, just because a lot of users are just
Pat M:simply not security aware at all. There's no security,
Pat M:hygiene in huge parts of the ecosystem. I certainly see the
Pat M:interest in using security solutions moving way down to
Pat M:smaller and medium sized businesses. And I think that
Pat M:will actually be a big help too, and that the whole ecosystem
Pat M:will be healthier, as more and more of the users begin to
Pat M:become security aware.
Dr. Dave Chatterjee:Fantastic. That was terrific. Thank you
Dr. Dave Chatterjee:again for your time. And as I said, I look forward to many
Dr. Dave Chatterjee:more future discussions with you.
Pat M:Excellent, thank you very much, and I really enjoyed it.
Dr. Dave Chatterjee:A special thanks to Pat Muoio for her time
Dr. Dave Chatterjee:and insights. If you liked what you heard, please leave the
Dr. Dave Chatterjee:podcast a rating and share it with your network. Also
Dr. Dave Chatterjee:subscribe to the show, so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as-is basis with no guarantee of
Introducer:completeness, accuracy, usefulness or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.