Artwork for podcast The Cybersecurity Readiness Podcast Series
The State of Attack Surface Management
Episode 3020th July 2022 • The Cybersecurity Readiness Podcast Series • Dr. Dave Chatterjee
00:00:00 00:47:03

Share Episode

Shownotes

With increasing digitization and the use of cloud-hosted assets, managing attack surfaces continues to be a major challenge. A recent survey report on the state of attack surface management (ASM) finds security teams drowning in a flood of legacy and ineffective tools with limited discovery capabilities. The need for ASM platforms with advanced digital asset detection capabilities is revealed in the survey findings. David Monnier, Team Cymru Fellow, sheds light on the latest ASM platform capabilities and discusses the implementation challenges and success factors.

To access and download the entire podcast summary with discussion highlights --

https://www.dchatte.com/episode-30-the-state-of-attack-surface-management/


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcripts

Introducer:

Welcome to the Cybersecurity Readiness Podcast

Introducer:

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

Introducer:

the book Cybersecurity Readiness: A Holistic and

Introducer:

High-Performance Approach, a SAGE publication. He has been

Introducer:

studying cybersecurity for over a decade, authored and edited

Introducer:

scholarly papers, delivered talks, conducted webinars and

Introducer:

workshops, consulted with companies and served on a

Introducer:

cybersecurity SWAT team with Chief Information Security

Introducer:

officers. Dr. Chatterjee is Associate Professor of

Introducer:

Management Information System at the Terry College of Business,

Introducer:

the University of Georgia. As a Duke University Visiting

Introducer:

Scholar, Dr. Chatterjee has taught in the Master of

Introducer:

Engineering in Cybersecurity program at the Pratt School of

Introducer:

Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to

Dr. Dave Chatterjee:

welcome you to this episode of the Cybersecurity Readiness

Dr. Dave Chatterjee:

Podcast series. Our discussion today will revolve around the

Dr. Dave Chatterjee:

state of attack surface management. David Monnier, Team

Dr. Dave Chatterjee:

Cymru Fellow will share his thoughts and perspectives on

Dr. Dave Chatterjee:

this very important subject. Another highlight of our

Dr. Dave Chatterjee:

discussion today will be the findings from a very interesting

Dr. Dave Chatterjee:

research study that focused on the state of attack surface

Dr. Dave Chatterjee:

management. But before we get into all those details, I'd like

Dr. Dave Chatterjee:

to take this opportunity to welcome David and have him share

Dr. Dave Chatterjee:

with all of us some highlights of his professional journey.

Dr. Dave Chatterjee:

David, thanks for being on the podcast.

David Monnier:

Thank you, David, thank you very much for inviting

David Monnier:

us on to talk about our study. So it's always a pleasure to

David Monnier:

come on. Some background about myself. So I'm, I'm from the

David Monnier:

United States. In the Midwest, I had started my career.

David Monnier:

Originally I was in the US Marine Corps worked as a

David Monnier:

noncommissioned officer there. But when I got out of the Marine

David Monnier:

Corps, I got into working with technology, just out of

David Monnier:

coincidence of funnily enough, a computer breaking that I ended

David Monnier:

up fixing, and discovering I had some natural talents, I ended up

David Monnier:

going to work for Indiana University, working in high

David Monnier:

performance computing. And from there moving on to their

David Monnier:

security office working as a security engineer for them,

David Monnier:

basically looking after all the campuses around the state. And

David Monnier:

then shortly after that, I was invited to help come start the

David Monnier:

research and education, networking, ISAC, which is an

David Monnier:

executive ordered set of organizations largely geared

David Monnier:

around kind of specific industrial sectors. In my case,

David Monnier:

it was research and education, networking, there are also like,

David Monnier:

financial sector there are itI sec, and so on. But ISAC is an

David Monnier:

Information Sharing and Analysis Center. So you could think of it

David Monnier:

as groups of people working together to share threat

David Monnier:

intelligence. And then after that, I was invited to join Team

David Monnier:

Cymru where I've been here for about 15 years. Presently,

David Monnier:

working as a Fellow, but periodically helping to spin up

David Monnier:

new teams for us and identify new product needs and things

David Monnier:

like that. But I've been practicing for, I think it's 27

David Monnier:

years now, something like that.

Dr. Dave Chatterjee:

Well, we're delighted to have you on the

Dr. Dave Chatterjee:

show. And thanks again for your service. So David, before we

Dr. Dave Chatterjee:

launch into talking about the various findings, and I find

Dr. Dave Chatterjee:

them very interesting. To set the motivation, the context for

Dr. Dave Chatterjee:

the research study, it's a fact that the attack surfaces are

Dr. Dave Chatterjee:

evolving, the more digitized we get, the more we go to the

Dr. Dave Chatterjee:

cloud. And the hackers are not sitting idle. They're constantly

Dr. Dave Chatterjee:

getting more innovative with their techniques, tools,

Dr. Dave Chatterjee:

approaches. So it's a moving target for organizations to stay

Dr. Dave Chatterjee:

on top of things, I find it almost hard to believe that

Dr. Dave Chatterjee:

organizations can be ahead, but if they can, more power to them.

Dr. Dave Chatterjee:

So what was the motivation? What led to this very important study

Dr. Dave Chatterjee:

that y'all conducted?

David Monnier:

Well, very much like you said, so we've been

David Monnier:

working, Team Cymru, we've been threat intelligence supplier to

David Monnier:

the industry since our inception. It's how we began our

David Monnier:

business, we used to kind of boast that we were the best

David Monnier:

security company no one had ever heard of, because our research

David Monnier:

and efforts went into other people's products. So if you're

David Monnier:

familiar with a company BASF we don't make antivirus. We make

David Monnier:

antivirus better, we don't make firewalls, we make firewalls

David Monnier:

better. You know, this type of slogan, if you remember their

David Monnier:

advertising back in the day. And that was really the core of our

David Monnier:

business and we observe miscreant activities every day.

David Monnier:

It's a byproduct of our analysis efforts. It's a byproduct of our

David Monnier:

interest in understanding how the internet is used by society.

David Monnier:

We happen to feel that the internet is probably one of the

David Monnier:

greatest creations mankind has ever developed and we were

David Monnier:

looking at kind of how the security world was moving

David Monnier:

towards this notion of attack surface management, where they

David Monnier:

were kind of blending a few types of technologies together,

David Monnier:

which you could think of as your vulnerability scanning, your

David Monnier:

asset discovery. And those things were coming together. And

David Monnier:

we felt there was an obvious and useful connection for us to be

David Monnier:

able to add threat intelligence to it. And threat intelligence,

David Monnier:

you know, when you think of it in terms of, of defense, a lot

David Monnier:

of people often just think it's, you know, lists of bad IPs or

David Monnier:

things like that. But in reality, it also is, if you turn

David Monnier:

it around, it's also lists of IPs of yours, that might be bad.

David Monnier:

So when you think of like reputational data, and things

David Monnier:

like that, so what became obvious to us is, you know, if

David Monnier:

you're doing attack surface management, wouldn't it be great

David Monnier:

to know what attacks you may have already been subjected to?

David Monnier:

And, and to that end, what devices that you already own,

David Monnier:

that may already be compromised? So kind of taking, you know,

David Monnier:

that idea of knowing how bad things already are to decide,

David Monnier:

you know, is this a system that I should patch? Or is this a

David Monnier:

system that I need to completely rebuild, because it's already

David Monnier:

been compromised. And we saw that obvious need from an

David Monnier:

intelligence perspective. But then as we started to look at

David Monnier:

ways that we could apply it to kind of the existing

David Monnier:

marketplace, we realized that kind of none of the other

David Monnier:

products that were out there, were approaching ASM the same

David Monnier:

way we were, they were very much looking at things, most people's

David Monnier:

tools seemed very much geared towards, here's your IP, here's

David Monnier:

a problem it has, here's something you should do about

David Monnier:

it. But without really giving the people the ability to

David Monnier:

highlight which IP or what device let's let's use the term

David Monnier:

device, actually, because the devices just happen to use an IP

David Monnier:

address. But But what devices on the network are most critical to

David Monnier:

your operation, you know that these tools in the marketplace,

David Monnier:

they didn't really have a way to highlight which ones were most

David Monnier:

important. And the devices themselves couldn't really tell

David Monnier:

you, which was important. So we also sat down and said, Okay, if

David Monnier:

you were going to look at ASM, what's the key value piece

David Monnier:

there, and what we concluded was that risk understanding the risk

David Monnier:

to your business needed to be a piece that was part of it. So

David Monnier:

what we've approached ASM as, is the traditional sense. But what

David Monnier:

what we have attempted to bring to the market as a new offering,

David Monnier:

is the application of intelligence on top of that,

David Monnier:

with kind of user definable values for the assets as they're

David Monnier:

discovered.

Dr. Dave Chatterjee:

Okay, thanks for sharing. So just to

Dr. Dave Chatterjee:

let listeners know, that, as far as the methodology and and

Dr. Dave Chatterjee:

participant demographics go, the study was commissioned on March

Dr. Dave Chatterjee:

14 2022. 440 security practitioners were surveyed in

Dr. Dave Chatterjee:

the US and Europe, the survey was conducted online via

Dr. Dave Chatterjee:

Pollfish using organic sampling. All respondents work on their

Dr. Dave Chatterjee:

company's security team. And all these organizations are using an

Dr. Dave Chatterjee:

attacks surface management platform. Their industry

Dr. Dave Chatterjee:

representation is also pretty broad, ranging from finance to

Dr. Dave Chatterjee:

IT to military and defense, among others. The team size

Dr. Dave Chatterjee:

varied relatively little from less than 10 to over 30. So

Dr. Dave Chatterjee:

David, would you like to add anything to that from a

Dr. Dave Chatterjee:

methodology and participant demographic standpoint?

David Monnier:

Well, we had originally considered making it

David Monnier:

split into, you know, additional slices. So to differentiate, for

David Monnier:

example, between practitioner and executive, not that

David Monnier:

executive practitioning isn't practitioning of a sort, but we

David Monnier:

thought it might be useful to split those out. But in the end,

David Monnier:

what we found actually was that kind of the bulk of the world

David Monnier:

really isn't divided up that way, it's only kind of the

David Monnier:

biggest companies that have those kinds of separations. So

David Monnier:

when you think of the folks that took the time to fill out the

David Monnier:

review for us, many of which are most of which I should say,

David Monnier:

really knew what they were talking about. So to kind of

David Monnier:

give you that, you know, value of of what their answers mean,

David Monnier:

these are the people who roll up their sleeves every day, and

David Monnier:

actually have to reach into the problem and do something about

David Monnier:

what they find, you know, not just run the tools, but

David Monnier:

oftentimes, these were the folks in particular, those smaller

David Monnier:

teams, those less than 10 people teams, they were often the same

David Monnier:

person who, who helped manage, you know, the patching program

David Monnier:

or, or who helped manage their inventory systems and things

David Monnier:

like that. So value wise, these people's opinions are not

David Monnier:

speculative that they are the practitioners who were largely

David Monnier:

responsible for making things happen based on the findings.

Dr. Dave Chatterjee:

Okay, good to know. Good to know. So let's

Dr. Dave Chatterjee:

discuss some of the finding. There are several interesting

Dr. Dave Chatterjee:

findings, not sure how much time we'll have to go over all of

Dr. Dave Chatterjee:

them. But we can definitely cover some. The first one that

Dr. Dave Chatterjee:

I'd like to talk about is the biggest reason organizations

Dr. Dave Chatterjee:

implemented ASM is to increase the visibility of Shadow IT in

Dr. Dave Chatterjee:

the enterprise, I think this is very significant, if you would

Dr. Dave Chatterjee:

expand on this and also describe what Shadow IT means to the

Dr. Dave Chatterjee:

listeners.

David Monnier:

Sure, absolutely. So, you know, Shadow IT is a

David Monnier:

side effect, more or less of what you could think of as

David Monnier:

necessary growth. So organizations oftentimes have

David Monnier:

disparate teams that are spread out in function, but you know,

David Monnier:

typically working towards the same goal, you know, keep the

David Monnier:

company open, keep the company in business and so on. But what

David Monnier:

ends up happening is, as needs change, in particular needs in

David Monnier:

the scope of being able to spin up new infrastructure very

David Monnier:

quickly, and things like that. A lot of companies don't, don't, I

David Monnier:

don't know what the right word is, I don't want to say don't

David Monnier:

like to, because obviously, they would, they would prefer to do

David Monnier:

it the right way. Um, but a lot of companies find that like

David Monnier:

policy around asset controls, hinder or stifle innovation. And

David Monnier:

then whether it's real or not, whether that's true or not, you

David Monnier:

know, we can't really speak to that I'm sure that some kind of

David Monnier:

psychology of the human work experience, but in actual

David Monnier:

practice, though, with with certainty, organizations are

David Monnier:

hesitant to, you know, have to talk to the IT team, let's and

David Monnier:

let me use a practical example. So you have a software

David Monnier:

development team who has the need to work with some temporary

David Monnier:

data, they don't want to work with data from some live

David Monnier:

production database. So they need to set up, you know, a

David Monnier:

secondary, you know, temporary database. And these folks, you

David Monnier:

know, oftentimes will spin up an instance in a cloud, or, you

David Monnier:

know, maybe some new VM even within their infrastructure, but

David Monnier:

they'll spin it up, they'll put data for use in that, and then

David Monnier:

they'll make use of the project, right? Well, if your main IT

David Monnier:

team is unaware that someone on the development team has done

David Monnier:

this, you now have an asset that is not under centralized control

David Monnier:

isn't, but the organization itself isn't aware of it. And

David Monnier:

it's full of, of data, you know, and presumably, if you're

David Monnier:

spending the time to develop software to interact with that

David Monnier:

data, that data must be important. And we read about

David Monnier:

this all the time you read about so for example, Amazon S3

David Monnier:

buckets, right? There are these virtual storage instances that

David Monnier:

people can spin up very quickly and put information and for

David Monnier:

various purposes, right. But it's think of it as file

David Monnier:

storage. And there are tools that you can, you know, you

David Monnier:

could pull up your favorite search engine and put in and

David Monnier:

look for, you know, Amazon S3, open bucket finder, or

David Monnier:

something. And you'll see almost every day that there are people

David Monnier:

who have left these instances open, so meaning no

David Monnier:

authentication, and anybody in the world could identify it,

David Monnier:

download the data and do something with that. So this is

David Monnier:

kind of the traditional understanding of Shadow IT

David Monnier:

right, it's these things that get stood up that people may not

David Monnier:

necessarily wholly know about. The organization itself may not

David Monnier:

be completely aware of. And the reason why it's such a big issue

David Monnier:

to folks is precisely the example I gave data ends up

David Monnier:

getting exposed this way. And not just, you know, random data,

David Monnier:

who we're talking often legally regulated data, you know,

David Monnier:

whether it be personally identifying information, whether

David Monnier:

it be health records, whether it be financial information, I

David Monnier:

mean, all kinds of stuff gets leaked out this way. So our

David Monnier:

intention for this with asking folks that was to see if our

David Monnier:

capability, how much effort we should really apply to doing

David Monnier:

this Shadow IT identification, because it's not easy, right?

David Monnier:

How do you how do you help somebody find something they

David Monnier:

didn't know they had? It's not an easy problem. So that was the

David Monnier:

reason for us to ask. We saw how many data exposure notifications

David Monnier:

go out. If you ever noticed, by the way, those are never

David Monnier:

discussed, described as breaches, which if you think

David Monnier:

about it, it's it's kind of interesting, the choice of words

David Monnier:

that people use around those, but those, quote unquote,

David Monnier:

exposures do add up to a great deal of loss, both in terms of

David Monnier:

productivity, but you know, every time PII personally

David Monnier:

identifying information is exposed, there's a lot of times

David Monnier:

where there's government regulatory components on there

David Monnier:

where you have to go notify people, or perhaps even a

David Monnier:

company has to now provide credit monitoring or identity

David Monnier:

monitoring, you know, based on what type of data was that was

David Monnier:

exposed. So those kinds of costs were very, very real. And so

David Monnier:

that we weren't surprised to hear that so many people

David Monnier:

considered Shadow IT to be such a big problem.

Dr. Dave Chatterjee:

Yeah, I mean, doesn't surprise me either

Dr. Dave Chatterjee:

because as as you discussed, Shadow IT gets formed, gets

Dr. Dave Chatterjee:

created because certain divisions, certain parts of the

Dr. Dave Chatterjee:

organization wants to get certain things done. And for

Dr. Dave Chatterjee:

whatever reason Central IT is not able to respond in time or

Dr. Dave Chatterjee:

as per their expectation so, and for other reasons as well. But

Dr. Dave Chatterjee:

that creates a problem in terms of data exposure, and you really

Dr. Dave Chatterjee:

cannot defend effectively if you don't know where all your

Dr. Dave Chatterjee:

vulnerabilities are, where or where your data is residing,

Dr. Dave Chatterjee:

where your applications are residing. So it's great to know

Dr. Dave Chatterjee:

that there is a high level of sensitivity towards towards this

Dr. Dave Chatterjee:

challenge. And one of the capabilities of ASM should be to

Dr. Dave Chatterjee:

increase the visibility of, of Shadow IT. So that's, that's a

Dr. Dave Chatterjee:

very significant finding. Moving along, another finding that got

Dr. Dave Chatterjee:

my attention, which is not surprising, but it it validates

Dr. Dave Chatterjee:

the fact that more and more applications and infrastructure

Dr. Dave Chatterjee:

are in the cloud, and which is what 75% of your respondents

Dr. Dave Chatterjee:

said, but what is interesting to me is the statement here in the

Dr. Dave Chatterjee:

report, which says "ASM, which stands for attack, surface

Dr. Dave Chatterjee:

management, is critical for all organizations, regardless of

Dr. Dave Chatterjee:

their cloud adoption, but should be an even higher priority for

Dr. Dave Chatterjee:

tracking and managing the attack surface for cloud hosted assets.

Dr. Dave Chatterjee:

So I guess my question for you, David, is, and you obviously

Dr. Dave Chatterjee:

have a better understanding of the evolution of the ASM

Dr. Dave Chatterjee:

platform, over the years have they have they enhanced their

Dr. Dave Chatterjee:

capabilities to better monitor cloud hosted assets? Is that

Dr. Dave Chatterjee:

what's been the trend?

David Monnier:

Well, you know, unfortunately, not really. A big

David Monnier:

component to this is kind of the discovery problem. And how most

David Monnier:

vendors choose to remedy this is either by IP space, so IP

David Monnier:

addresses, Internet Protocol address that people use to be on

David Monnier:

the internet, they are defined and issued out typically, as

David Monnier:

network address space, you'll get a range of IP addresses, or

David Monnier:

they will tend to classify their assets based on namespace, which

David Monnier:

typically is in internet terms would be something like DNS,

David Monnier:

where DNS, you put in your domain name, let's use an

David Monnier:

example, you know, foo.com. And as you add things in the form of

David Monnier:

subdomains, or host names to that, in theory, they start to

David Monnier:

become discoverable. Where the problem with cloud computing

David Monnier:

comes in is, you know, when you license your ASM product, you're

David Monnier:

not going to go out and license a product for and I'm not trying

David Monnier:

to pick on AWS here. But Amazon's AWS services, one of

David Monnier:

the world's largest and most popular cloud hosting services

David Monnier:

in the world, but you're not going to go license an ASM

David Monnier:

product to scan the entirety of their IP space, is just not

David Monnier:

realistic. So you have to know your IPs. And again, it goes

David Monnier:

back to this problem of you know, how will you know, which

David Monnier:

are yours. In our case, we also well, we work with IP addresses,

David Monnier:

obviously. But in our case, we because we are an intelligence

David Monnier:

provider, we see a great deal of information already, in

David Monnier:

particular IP, IP space, as well as namespace. But we also see

David Monnier:

things like certificates and keys and all this kind of

David Monnier:

additional metadata that the internet kind of operates on. So

David Monnier:

we saw it as kind of an an easy evolution to help do these

David Monnier:

discoveries that nobody else really had. Because the other

David Monnier:

products are requiring the user to know in advance all of their

David Monnier:

things. Shadow IT by definition means you don't know that you

David Monnier:

have some of this. So you know, it's an approach, frankly, that

David Monnier:

starts off already hindered. So what we how we change this as we

David Monnier:

look for, you know, other instances, and other examples

David Monnier:

that we've identified through our other threat, exploring and

David Monnier:

threat hunting efforts that appear to be related to other

David Monnier:

people's organizations, and we try to highlight those kinds of

David Monnier:

datasets to better inform the discovery model.

Dr. Dave Chatterjee:

Okay. Thanks for sharing. Moving along

Dr. Dave Chatterjee:

to another interesting finding, which states that 23% of the

Dr. Dave Chatterjee:

respondents said that identification of rogue or

Dr. Dave Chatterjee:

unclassified assets is the most valuable capability that ASM has

Dr. Dave Chatterjee:

provided their organization. I guess my question here is, you

Dr. Dave Chatterjee:

know, shouldn't this be obvious? Shouldn't that be what an ASM is

Dr. Dave Chatterjee:

supposed to be doing?

David Monnier:

Yes, it certainly is exactly what ASM should be

David Monnier:

doing. And and I think this highlights the shortcoming that

David Monnier:

I just described, right. So the reason why only 23% of them said

David Monnier:

that their application of of ASM in their workplace was that

David Monnier:

effective at discovering those things is because the rest of

David Monnier:

the respondents, you know, the remaining 77%, they are clearly

David Monnier:

limited, because the only thing that ASM knows about are the

David Monnier:

things they already know about. So if you already know about it,

David Monnier:

it's unlikely for something to be rogue or unclassified. Right?

David Monnier:

So this kind of static discovery approach, this is the fruit that

David Monnier:

comes off that tree, when you take a non dynamic approach to

David Monnier:

understanding assets in a very dynamic environment. That is

David Monnier:

what I would call modern, you know, computing, you're going to

David Monnier:

end up with low numbers like that, because the rest of them,

David Monnier:

their tools probably just don't identify rogue devices. And

David Monnier:

that's an unfortunate side effect. Again, this was one of

David Monnier:

the motivations that led us to to create a product for the

David Monnier:

space.

Dr. Dave Chatterjee:

Okay. Now, you know, some of the findings

Dr. Dave Chatterjee:

speak to the challenges of deploying and implementing ASM

Dr. Dave Chatterjee:

platforms. And these challenges range range from lack of

Dr. Dave Chatterjee:

integration with existing platforms, the amount of

Dr. Dave Chatterjee:

training that's required. And also I found it interesting,

Dr. Dave Chatterjee:

where organizations where the respondents said that they feel

Dr. Dave Chatterjee:

that the current platform has become more of a legacy. So my

Dr. Dave Chatterjee:

question to you is as follows When an organization is

Dr. Dave Chatterjee:

investing in an ASM platform, they know fully well that at

Dr. Dave Chatterjee:

some point, it will move towards becoming obsolete. I don't know

Dr. Dave Chatterjee:

if obsolete is the right word, but what steps should an

Dr. Dave Chatterjee:

organization take, should the security analysts, the security

Dr. Dave Chatterjee:

professionals take, to ensure that their ASM platform is

Dr. Dave Chatterjee:

performing at a satisfactory level?

David Monnier:

Well, I think the initial steps are are

David Monnier:

introvertish. Introvertal steps right? So you have to ask

David Monnier:

yourself, Do I know everything about my network? Do I know all

David Monnier:

of the devices I have? And if that answer isn't an absolute

David Monnier:

certain, yes. Which a hint to the listeners, It isn't. Then

David Monnier:

you have to approach the tool sets as am I going to have a

David Monnier:

tool that's going to show me things I didn't know to know.

David Monnier:

And that, in my opinion, is the killer feature, way more

David Monnier:

important, in my opinion, is discovery, then even say, the

David Monnier:

vulnerability management and discovery component, right?

David Monnier:

Like, if you don't know, to know, then you won't, won't get

David Monnier:

any benefit from it. But if you do discover something that's on

David Monnier:

your infrastructure that you didn't realize was there, or

David Monnier:

that is your system is reliant on, because there are a bunch of

David Monnier:

non system concerns as well. Like, for example, you know,

David Monnier:

every is every person's network, they get onto the Internet by

David Monnier:

way of a set of internet service providers. And what about the

David Monnier:

safety and reputation of those folks? You know, if your tool

David Monnier:

can't tell you that your DNS hosting provider has a poor

David Monnier:

reputation, or that your internet service provider, you

David Monnier:

know that the IPs around your IP services are bad. If it's not

David Monnier:

able to show you these kinds of things, then it suggests that

David Monnier:

you are probably working with something that is, frankly, like

David Monnier:

I said, antiquated of some sort. But frankly, let's use the word

David Monnier:

static. And if it is static, I think in the information age,

David Monnier:

that should be a huge red flag to you. That if this tool

David Monnier:

doesn't teach itself to some degree, and I'm the operator is

David Monnier:

responsible for informing this, that I probably have a tool that

David Monnier:

is not future proofed? Not that our any tool is completely

David Monnier:

future proofed, right. But there are certain methodologies that

David Monnier:

can help assure a future proofed capability. And this kind of

David Monnier:

dynamic discovery is absolutely one of those capabilities. But

David Monnier:

in the end, I think practitioner, or decision makers

David Monnier:

need to ask themselves, how much is this tool teaching me that I

David Monnier:

didn't already know. And I'm not talking about you know, that you

David Monnier:

have a vulnerability on some device you already knew you had.

David Monnier:

I mean, how much infrastructure is it really exposing to me that

David Monnier:

I didn't know before? And even inadvertently, you know, if,

David Monnier:

like I said, maybe someone plugged in some new device on

David Monnier:

your network. If it's not at least catching those types of

David Monnier:

things for you, then I would say you have an older tool,

Dr. Dave Chatterjee:

Right, makes sense. And I'm glad you

Dr. Dave Chatterjee:

mentioned about the self learning capability. So to what

Dr. Dave Chatterjee:

extent is AI being used to enhance the functionality, the

Dr. Dave Chatterjee:

capabilities, of these ASM platforms?

David Monnier:

So in our case, we're not really using AI. Not

David Monnier:

that we're against AI per se, but we didn't really see a great

David Monnier:

need for it per se, relative to machine learning and machine

David Monnier:

learning sense, you know, where there's a human who is, I guess

David Monnier:

suggesting, to the system, what it should be doing, as it's

David Monnier:

doing it, as opposed to AI where they become somewhat autonomous,

David Monnier:

you know. So, in our case, though, is a great deal of what

David Monnier:

I would call machine learning, where as assets are discovered,

David Monnier:

we look at kind of the nuance of that asset, both from a service

David Monnier:

level from an IP level, and then from like, what the operating

David Monnier:

system looks like, think of it as a very signal focused view,

David Monnier:

internet signal that is, and we use what's discovered to kind of

David Monnier:

inform the next level of discovery. So for example, if we

David Monnier:

discovered a new, you know, domain within your namespace,

David Monnier:

say, you know, again, using this foo.com example, but let's say,

David Monnier:

yesterday, you didn't have www.dev.foo.com. And today,

David Monnier:

we're seeing that name being looked up in passive DNS data,

David Monnier:

we know that you have some new asset out there somewhere, and

David Monnier:

can then start to go looking for it. And that type of informed

David Monnier:

learning is precisely how we approach this, but it's a

David Monnier:

continuous thing, you know, what happens 24 hours a day, we

David Monnier:

continuously learn about the surface of the internet as a

David Monnier:

whole, for that matter. But in particular, you know, of the

David Monnier:

asset tools for folks. And then those assets, as we kind of

David Monnier:

learned from them, we go to look for similarities. And we say,

David Monnier:

Okay, what's just like this, but maybe, you know, isn't

David Monnier:

previously known. And we show you, hey, here's these potential

David Monnier:

things that we think might be related to you. And we let the

David Monnier:

the individual decide like, Oh, this is related to me, or Oh,

David Monnier:

no, this isn't me, but sure looks a lot like me. Maybe this

David Monnier:

is a phishing site or something, you know, there are other

David Monnier:

approaches and other outcomes aside from your own attack

David Monnier:

surface, you know, that you can discover using the kind of

David Monnier:

machine learning metal method that we use. But I don't know

David Monnier:

that AI will ever totally get there for what it's worth.

David Monnier:

Because I, I still think that when it comes to ASM, the human

David Monnier:

component is required, like aI won't know the difference,

David Monnier:

unless you share with it all of your client configurations, AI

David Monnier:

won't know the difference, for example, between your primary

David Monnier:

active directories host and some dev Active Directory host. So,

David Monnier:

they will both appear to be running the same services. But

David Monnier:

you as the human know that one of them has your actual users,

David Monnier:

and maybe another one has dummy data. So you can prioritize and

David Monnier:

say, Ah, this IP, this host, this asset, is my actual Active

David Monnier:

Directory directory server, whereas this other one is not.

David Monnier:

So don't show this as a high risk show this other one as the

David Monnier:

high priority asset. And for that reason, I don't know that

David Monnier:

AI will ever really fill in in this role. But we'll see.

Dr. Dave Chatterjee:

Okay, good to know. So talking about the

Dr. Dave Chatterjee:

human component, and in this discussion, we have been talking

Dr. Dave Chatterjee:

about attack surfaces, more from a physical standpoint, devices,

Dr. Dave Chatterjee:

and so on, so forth. How about humans as attack surfaces as

Dr. Dave Chatterjee:

very vulnerable attack surface? What are your thoughts about,

Dr. Dave Chatterjee:

you know, you know, are we doing better in terms of securing that

Dr. Dave Chatterjee:

very vulnerable attack surface? Can tools help us secure that

Dr. Dave Chatterjee:

attack surface? What are your thoughts?

David Monnier:

Well, I hate to be a naysayer. But things aren't

David Monnier:

getting any better there, it seems. If you look at the SANS

David Monnier:

survey comes out every year, if you look at the US government's

David Monnier:

breach report, or Verizon, they they publish a report any of

David Monnier:

these reports, if you go look at them continuously, for the last,

David Monnier:

you know, I mean, since forever since these reports have been

David Monnier:

produced, the number one compromised source is still

David Monnier:

stolen credentials. And the number one method for that is

David Monnier:

still some type of phishing, or some type of social engineering

David Monnier:

still, so nothing seems to really be changing there. The

David Monnier:

tools and the tactic techniques being employed to gain access to

David Monnier:

this type of information, haven't really needed to change

David Monnier:

much, because the human element is still you know, largely the

David Monnier:

same. And I say this all the time, until listeners who may

David Monnier:

have heard me on any other podcast or may tune in who or

David Monnier:

who happened to listen to ours, probably have heard me say many

David Monnier:

times, but we still work and live in a world where everything

David Monnier:

is kind of magic. And the majority of people who are

David Monnier:

relying on technology, still have absolutely no idea how it

David Monnier:

works, and therefore can't really spot things when they

David Monnier:

aren't correct, right. And for the longest time, vendors tried

David Monnier:

to implement methodologies like if you recall, you know, It was

David Monnier:

always look for the lock icon in your browser window and make

David Monnier:

sure that that's always there. And so miscreants just started

David Monnier:

to put a block of the locked lock icon right on in the

David Monnier:

content of a phishing effort. And people would say, Well, I

David Monnier:

saw the lock, so I figured it was safe. And here we are. And

David Monnier:

I'm not talking about fools here. I'm talking about, you

David Monnier:

know, Board members and C-level operators and decision makers,

David Monnier:

you know, around the world, in the largest companies in the

David Monnier:

world, the most capable, most successful people in the world

David Monnier:

still fall victim to this stuff. So unfortunately, I just don't

David Monnier:

know that any of that can be changed, either, you know, where

David Monnier:

we move to these concepts like zero trust, or you look for the

David Monnier:

behaviors of of specific devices and try to key on that. But

David Monnier:

realistically, by the time you're keying in on a behavior,

David Monnier:

it may already be too late, right? So the stolen credential,

David Monnier:

the credential reuse, so you know, what, however you want to

David Monnier:

call them, there's variations of, of the methodology, the

David Monnier:

attack, but they all come down to an imposter, if you will.

David Monnier:

That still turns out to be, you know, if not, number one, top

David Monnier:

three, year after year, way, way back, I remember when it was a

David Monnier:

tax where like buffer overflows were the primary method, and

David Monnier:

people were, you know, looking for at the software stack, for

David Monnier:

what waves to gain entry. And then along the way, somebody

David Monnier:

figured out that we don't even need to talk to machines, talk

David Monnier:

to the people, and that people will just give you access to the

David Monnier:

machines. And that hasn't changed. And unfortunately, I

David Monnier:

don't know that it will change. We look to incorporate that type

David Monnier:

of intelligence, though, into our ASM to let folks know, you

David Monnier:

know, when they have account level risks that are there,

David Monnier:

we're looking to add that capability as well.

Dr. Dave Chatterjee:

Awesome. That's awesome. Yeah, I think

Dr. Dave Chatterjee:

that's a very difficult challenge when you're trying to

Dr. Dave Chatterjee:

secure every individual that works for an organization,

Dr. Dave Chatterjee:

whether it's through training, or whether it's through some

Dr. Dave Chatterjee:

some some sort of technology. So that's, that's a very big hurdle

Dr. Dave Chatterjee:

to overcome. But anyhow, moving along, so we've had the chance

Dr. Dave Chatterjee:

to discuss some findings that I found significant or

Dr. Dave Chatterjee:

interesting. Are there any others? Or is there anything

Dr. Dave Chatterjee:

that you'd like to address that you found interesting, or

Dr. Dave Chatterjee:

something that surprised you all?

David Monnier:

Well, one of the things that surprised us, I

David Monnier:

think, was something that I touched on at the beginning of

David Monnier:

our conversation here, we were kind of surprised that we that

David Monnier:

we weren't able to just apply intelligence to kind of the

David Monnier:

tools that were already out there, we thought we thought it

David Monnier:

would be it would be possible for us to like find someone we

David Monnier:

could kind of go with our typical business model, which

David Monnier:

was being intelligent supplier, we were kind of surprised to see

David Monnier:

that none of the offerings out there really met what we felt

David Monnier:

were what you would want in the marketplace as the, you know, as

David Monnier:

the consumer. And we were surprised that by that because

David Monnier:

we weren't in the space. You know, there were already lots of

David Monnier:

expertise in the space. There's a lot of people out there who

David Monnier:

already have these types of tools, but they weren't seeing

David Monnier:

the problem the same way we were. And we're not totally sure

David Monnier:

why that is. I'm not, you know, proposing were geniuses or

David Monnier:

anything like that. In fact, I can assure you we're not. But it

David Monnier:

was interesting to us as intelligence practitioners, how

David Monnier:

we saw the world as opposed to say, security practitioners. And

David Monnier:

when you think about ASM, you think attack service management,

David Monnier:

you automatically think in terms of security, but really what if

David Monnier:

you really think about it, ASM is an intelligence tool. ASM is

David Monnier:

is being self aware is some type of self aware intelligence

David Monnier:

capability that you then key on to other capabilities to the

David Monnier:

backup. So as you learn something new, aka as your

Dr. Dave Chatterjee:

Another question that comes to mind

Dr. Dave Chatterjee:

intelligence increases, you then have some action to do. So

Dr. Dave Chatterjee:

perhaps it's vulnerability scan this device, perhaps it's

Dr. Dave Chatterjee:

updated inventory management component, perhaps it's disable

Dr. Dave Chatterjee:

the switch port that the device is plugged into, if you can,

Dr. Dave Chatterjee:

because it wasn't plugged in there yesterday. And it's, you

Dr. Dave Chatterjee:

know, not an authorized device. But any way you look at it, and

Dr. Dave Chatterjee:

regardless of the outcome, that initial step really is an

Dr. Dave Chatterjee:

intelligence step. And that was kind of surprising to us. And I

Dr. Dave Chatterjee:

think it's a side effect of like I said, our approach has been

Dr. Dave Chatterjee:

for lack of a better term intelligence applied to

Dr. Dave Chatterjee:

security, as opposed to security applied to asset management. And

Dr. Dave Chatterjee:

so because we kind of approached it from that step back, I think

Dr. Dave Chatterjee:

we came up with different what I would call killer features, you

Dr. Dave Chatterjee:

know, for something if we were going to make it and then the

Dr. Dave Chatterjee:

end result when we went out looked to see, you know, to make

Dr. Dave Chatterjee:

sure there was really nothing out there like it and discovered

Dr. Dave Chatterjee:

there wasn't. We were kind of surprised by that. Because like

Dr. Dave Chatterjee:

I said, we were you know, I wouldn't say we're late to the

Dr. Dave Chatterjee:

party, but we definitely weren't first people in the ASM space.

Dr. Dave Chatterjee:

based on attack reports that are published in the media, where

Dr. Dave Chatterjee:

So that was kind of a surprise to us.

Dr. Dave Chatterjee:

often times organizations are accused of not promptly reacting

Dr. Dave Chatterjee:

or responding to alerts that they receive from various types

Dr. Dave Chatterjee:

of monitoring tools, technologies, service providers,

Dr. Dave Chatterjee:

various types of intelligence sources. So, going back to this

Dr. Dave Chatterjee:

platform, the ASM platform, which obviously is there to help

Dr. Dave Chatterjee:

organizations have a better understanding of their attack

Dr. Dave Chatterjee:

surfaces provide advanced warning. Now, have you all

Dr. Dave Chatterjee:

thought of a feature whereby, you know, there is some kind of

Dr. Dave Chatterjee:

a logging that certain alerts certain notifications went

Dr. Dave Chatterjee:

unheeded, or went unresponded? Or there is a, there's a way of

Dr. Dave Chatterjee:

notifying multiple personnel just to make sure that this, the

Dr. Dave Chatterjee:

signal doesn't get go unheard? Or do you see my question from

Dr. Dave Chatterjee:

where I'm coming?

David Monnier:

Yes, absolutely. And we have, so we're not trying

David Monnier:

to reinvent the wheel at every turn. So an AR capability, we

David Monnier:

have, obviously, incorporate the idea of external API's so that

David Monnier:

you can trigger to, you know, specific systems, or if nothing

David Monnier:

else, at least, have the notion of roles or groups within the

David Monnier:

tool so that if a specific category of event happens,

David Monnier:

notify a specific group of people. Exactly. Yeah, of

David Monnier:

course, those capabilities are there. But what we really think

David Monnier:

is one of the key differentiators, at least for

David Monnier:

our approach is this ability for individuals to prioritize assets

David Monnier:

themselves, so that you're not, so that you're not required to

David Monnier:

react to every "high or critical event," because you know, not

David Monnier:

every device is created equal, not every service is equal. And

David Monnier:

frankly, there's only so much time in the day. And if you have

David Monnier:

to pick between defend the mothership or defend a rowboat

David Monnier:

out in the dock, you know, you're going to defend the

David Monnier:

mothership, hopefully. So your tool, if it's not aware that is

David Monnier:

going to be that's going to be a problem. So we've approached

David Monnier:

them in the terms of both communication level, tuning,

David Monnier:

group and role tuning. And then also asset prioritization tuning

David Monnier:

as well.

Dr. Dave Chatterjee:

Fantastic, because that's been one of my

Dr. Dave Chatterjee:

concerns, one of my pet peeves, that if you have access to all

Dr. Dave Chatterjee:

this intelligence, access to all these tools, you must have a

Dr. Dave Chatterjee:

good governance system in place where you're paying heed to the

Dr. Dave Chatterjee:

alarms that are being raised. Talking about governance, this

Dr. Dave Chatterjee:

is my final two part question to you. Okay. So let's say an

Dr. Dave Chatterjee:

organization decides to buy or invest in a new ASM platform, as

Dr. Dave Chatterjee:

we all recognize that just investing in a tool is not good

Dr. Dave Chatterjee:

enough to extract the maximum value from it. There is a people

Dr. Dave Chatterjee:

aspect to the implementation, there's a process aspect to the

Dr. Dave Chatterjee:

implementation. So if you had to make recommendations to

Dr. Dave Chatterjee:

potential buyers, or investors of this platform, what does it

Dr. Dave Chatterjee:

take to prepare the organization, so they can

Dr. Dave Chatterjee:

effectively use such a platform, what would you say?

David Monnier:

I have a very simple answer to your at least

David Monnier:

the first part there, and that is the will to do something

David Monnier:

about it. You mentioned compliance, regulatory typically

David Monnier:

is that you know, these kinds of policy concerns are usually what

David Monnier:

drive people implementing ASM solutions. And those external

David Monnier:

drivers are rarely effective motivators, in fact, there are

David Monnier:

whole own entities and organizations that carry

David Monnier:

adequate insurance to pay the fines for non compliance,

David Monnier:

because they wholly expect to be out of compliance because they

David Monnier:

consider the compliance component, a burden. So the

David Monnier:

first thing that I propose is that be willing to do something

David Monnier:

with the findings, you know, don't approach ASM as a

David Monnier:

something that you have to do because someone else said so.

David Monnier:

But recognize that someone else said so because what you do is

David Monnier:

important to the world, to society, to people, you know,

David Monnier:

perhaps even you know, to relatives and things like that.

David Monnier:

I mean, and think of the impact of what happens if you turn this

David Monnier:

thing on and discover that you have something bad going on? A

David Monnier:

lot of people are hesitant to turn on a tool like ASM because

David Monnier:

they know what's going to come out the other side is going to

David Monnier:

be something they're gonna have to do something about. And I'm

David Monnier:

not saying that people are lazy, but I will tell you that only

David Monnier:

bodies in motion tend to stay in motion, I think is the is the

David Monnier:

adage, right? So if bodies aren't in motion to begin with

David Monnier:

going and getting an ASM tool isn't going to set them in

David Monnier:

motion at all. So my number one advice to anybody considering to

David Monnier:

go down the path of implementation of ASM is one be

David Monnier:

willing to do something that you find but number two, be willing

David Monnier:

to actually use it because it's going to make your job easier,

David Monnier:

it's going to make your life easier. And kind of taking the

David Monnier:

ostrich, you know, head in the sand approach that doesn't help

David Monnier:

anyone. And like I said, think of the people using the service.

David Monnier:

Think of why it is that you're running the service to begin

David Monnier:

with. Think of those people think of that money, think of

David Monnier:

you know, whatever is the driver, but think of that stuff

David Monnier:

and ask yourself, how important is this to everybody? And how

David Monnier:

willing am I to keep it working and keep it going, and ensure

David Monnier:

that willingness is present and communicated to all of your

David Monnier:

staff, you know, if you have people, maybe as this tool turns

David Monnier:

out work to do, if you have a bunch of other people there that

David Monnier:

are going to have to be doing the actual work, make sure that

David Monnier:

they understand make sure they are all bought in. But I know

David Monnier:

that's a silly answer to a technical question, because it's

David Monnier:

not technical at all, if you will, the answer is not

David Monnier:

technical at all. It's it's human will. So sorry, that was a

David Monnier:

very verbose thing to what I had warned was going to be a simple

David Monnier:

answer, but simply have the will to do something about it.

Dr. Dave Chatterjee:

Well, I think that's a very sound

Dr. Dave Chatterjee:

advice. It's a very wise answer. And that's what most

Dr. Dave Chatterjee:

organizations struggle with. It's the softer side of things

Dr. Dave Chatterjee:

that organizations struggle with more than the harder side of

Dr. Dave Chatterjee:

things, not trying to suggest that implementing technology

Dr. Dave Chatterjee:

effectively is any easier, but providing the appropriate

Dr. Dave Chatterjee:

governance, around technology implementation around leveraging

Dr. Dave Chatterjee:

these tools can be equally if not more challenging. And I want

Dr. Dave Chatterjee:

to reiterate what you said about having the will having the

Dr. Dave Chatterjee:

commitment. In my book on Cybersecurity Readiness: A

Dr. Dave Chatterjee:

Holistic and High- Performance Approach, one of the top

Dr. Dave Chatterjee:

cybersecurity success factors, which I share in the context of

Dr. Dave Chatterjee:

the framework that I propose is the top management commitment.

Dr. Dave Chatterjee:

Another related factor is creating and sustaining a

Dr. Dave Chatterjee:

We-Are-In-Together culture where everybody gets involved. This is

Dr. Dave Chatterjee:

just not the SOC team that can make miracles happen. Everyone

Dr. Dave Chatterjee:

has to play their role. So taking this example of the

Dr. Dave Chatterjee:

attack surface management platform, obviously, specialists

Dr. Dave Chatterjee:

will be running this platform, and they have to be adequately

Dr. Dave Chatterjee:

trained. Because if you don't have good training, you can't

Dr. Dave Chatterjee:

get most out of these platforms. But then, as you mentioned, when

Dr. Dave Chatterjee:

you get those that feedback, and I love what you said,

Dr. Dave Chatterjee:

oftentimes, we don't want to probe in a certain direction, or

Dr. Dave Chatterjee:

we don't want to invest in certain things, because we don't

Dr. Dave Chatterjee:

want to know what we don't know. You can go with it in many

Dr. Dave Chatterjee:

different ways. I don't want any further education, because that

Dr. Dave Chatterjee:

will enlighten me on my lack of awareness, right? Absolutely. So

Dr. Dave Chatterjee:

so here we go in the context of ASM, you are investing in it

Dr. Dave Chatterjee:

because you truly care. Because you truly want to do your part

Dr. Dave Chatterjee:

in trying to secure as best as you can, we all understand that

Dr. Dave Chatterjee:

you cannot secure everything and that you will never be in a

Dr. Dave Chatterjee:

situation where your systems can't be compromised. But you

Dr. Dave Chatterjee:

know, putting your best foot forward and doing everything you

Dr. Dave Chatterjee:

can, and constantly monitoring these devices constantly making

Dr. Dave Chatterjee:

sure you have an oversight team, you have a incident response

Dr. Dave Chatterjee:

team or why by whatever name, you may want to call this team.

Dr. Dave Chatterjee:

Bottom line, again, it boils down to asking yourself, the

Dr. Dave Chatterjee:

fundamental question we've invested in this platform, are

Dr. Dave Chatterjee:

we making full use of it? Are we getting what we wanted from it?

Dr. Dave Chatterjee:

And if there is a deficiency, what is it? And how do we

Dr. Dave Chatterjee:

address it? So that kind of active proactive approach is so

Dr. Dave Chatterjee:

so critical. So David, we're running out of time, I'd like

Dr. Dave Chatterjee:

you to share some final thoughts.

David Monnier:

Yeah, so much of what we've said today, probably

David Monnier:

sounds somewhat elementary to folks. And I'd ask everybody to

David Monnier:

kind of consider why that is, like, why does something so

David Monnier:

obvious, or seemingly obvious, you know, once it's explained to

David Monnier:

you, why is it still so rare? And why is it? Why is it's not

David Monnier:

happening in broader scale? And we should ask ourselves these

David Monnier:

questions, because we are the people who are the solution,

David Monnier:

right? Even if we're just the user, we can go ask the provider

David Monnier:

and say, Hey, why are you why are if you're not doing this?

David Monnier:

Why Why aren't you and start to kind of apply that, you know,

David Monnier:

upward pressure and everything that we're doing, because, like

David Monnier:

I said, we're all reliant on technology, this is not going to

David Monnier:

go away. I mean, barring some type of Corona event where you

David Monnier:

know, we have a sun flare, knock everything out, you know, we're

David Monnier:

we're in this for the long haul, you know, capitalism alone is

David Monnier:

going to drive things towards lower cost solutions. I mean,

David Monnier:

that's just that, that's the direction of that energy. And if

David Monnier:

we're not looking at it as an I don't, I'm not trying to paint a

David Monnier:

dire picture. But if we don't I paint it as a very, very serious

David Monnier:

component of our entire existence, I fear that we're

David Monnier:

going to miss something. So when it is that, you know, someone

David Monnier:

comes along and kind of upsets a space, arguably, as we have with

David Monnier:

these new capabilities, we should ask ourselves, why why

David Monnier:

why is that? And? And if that was like that, what more could

David Monnier:

we be doing? And of those, what more's, how many of those things

David Monnier:

are unknown. So like, if you're out there, and you have an idea,

David Monnier:

you think like, oh, man, you could even then go add on to X,

David Monnier:

Y, or Z, share that idea, or start up in a solution, because

David Monnier:

frankly, the world needs it. We're getting more and more

David Monnier:

reliant on technology, more and more of our whole life, data

David Monnier:

wise, is stored electronically. And for us to be such so reliant

David Monnier:

on something that's seemingly under constant attack and

David Monnier:

continuously growing, and just, you know, out of hand, we should

David Monnier:

be asking, you know, is everything being done that we

David Monnier:

could, and I don't mean just asking of ourselves, but like I

David Monnier:

said, we should be asking the people that we take services

David Monnier:

from, you know, what are you doing to secure my things that

David Monnier:

you, you know, have possession of? So I know, again, that's

David Monnier:

kind of, you know, the lofty answer, but I think it really

David Monnier:

does, it comes down to mass participation, like you said,

David Monnier:

it's that we can do attitude, it's absolutely critical. We're

David Monnier:

all subject to the technology. So let's at least make it work

David Monnier:

to our will. And that's, that's what I think would be a bright

David Monnier:

future. And if everybody got involved, including just every

David Monnier:

user, so absolutely,

Dr. Dave Chatterjee:

Absolutely! Well, David, this was great.

Dr. Dave Chatterjee:

Thanks for your time, for your insights, I know the listeners

Dr. Dave Chatterjee:

appreciate it.

David Monnier:

Thank you Dr.

Dr. Dave Chatterjee:

A special thanks to David Monnier for his

Dr. Dave Chatterjee:

time and insights. If you like what you heard, please leave the

Dr. Dave Chatterjee:

podcast a rating and share it with your network. Also,

Dr. Dave Chatterjee:

subscribe to the show, so you don't miss any new episodes.

Dr. Dave Chatterjee:

Thank you for listening, and I'll see you in the next

Dr. Dave Chatterjee:

episode.

Introducer:

The information contained in this podcast is for

Introducer:

general guidance only. The discussants assume no

Introducer:

responsibility or liability for any errors or omissions in the

Introducer:

content of this podcast. The information contained in this

Introducer:

podcast is provided on an as-is basis with no guarantee of

Introducer:

completeness, accuracy, usefulness, or timeliness. The

Introducer:

opinions and recommendations expressed in this podcast are

Introducer:

those of the discussants and not of any organization.

Chapters

Video

More from YouTube