
Why cybersecurity is broken and time is the enemy

S4 E32 · Bare Knuckles and Brass Tacks

Why do your friends and parents still get breach notification letters from companies they’ve never heard of?

John Watters aka “The Cowboy” joins the show this week for a hard look at information security. In the early 2000s, he built iDefense from a bankruptcy buyout into one of the most influential threat intelligence companies in the world, pioneered responsible disclosure before the term even existed, and has watched the attack surface evolve from nation-state espionage into something that hits your credit card at a restaurant on a Tuesday.

His answer to the breach question? The industry's been losing the clock. Attackers can move from target selection to exploitation in days. Defenders are still operating in weeks. And the gap isn't closing, not by a long shot. If anything, it's widening.

This conversation goes from the living rooms of people who've stopped trusting cybersecurity to the boardrooms of Fortune 500 CISOs who still can't explain their third-party risk exposure in plain English. We talk time compression, threat intelligence architecture, the AI arms race that only one side seems to be taking seriously, and the uncomfortable truth about analysis paralysis in a field where the cost of inaction is terminal.

John's closing advice to defenders: automate yourself out of a job before someone else does it for you.

That one's worth the price of admission alone.

Mentioned:

This is How They Tell Me the World Ends, by Nicole Perlroth

CISO Mike Melo’s post on security theater

Transcript

AI in Cybersecurity: Attackers vs. Defenders

00:00:00
Speaker
There's a lot of analysis paralysis with defenders right now. The attackers are embracing AI at every turn. They don't give a shit about compliance or rules or regs or budget. They know they can make more money with it than they can without it.
00:00:12
Speaker
And defenders are evaluating the hell out of this because they don't want to make a wrong decision. When you've been around as long as I have, every decision I make is wrong. I'm just not sure how much. And I hope it's just a little wrong, but I might be a lot wrong. This isn't of course correct, but I'm making a decision.
00:00:29
Speaker
Because you can't create velocity without decision velocity, you know, at this deal. So I encourage people, when in doubt, freaking roll. Go.

Introduction of John Waters: A Cybersecurity Pioneer

00:00:47
Speaker
This is Bare Knuckles and Brass Tacks, the tech podcast about humans. I'm George K. And I'm George A. And today our guest is John Watters, a towering figure in cybersecurity circles. If you've ever read Nicole Perlroth's much-ballyhooed book, This Is How They Tell Me The World Ends, which is amazing, it has a whole chapter about him. He's called The Cowboy. And we dig into why that is, from his early days doing vulnerability disclosure all the way to the future edge of AI. But most importantly, this time around,
00:01:22
Speaker
We really try to ground the discussion in what it means for business and what it means for you, the listener, who is far too often the recipient of breach notification letters. Dude, I got to nerd out. Like, I'm just like, listen to this guy. I'm like, oh, Jesus Christ. You're like, you're the reason why my career exists, you know, because, yeah, if there's no CTI, I'm still a SOC monkey and maybe I'm a level three or something at this point. So...
00:01:49
Speaker
Oh, no, man. I'm so appreciative that John came out here. He's such a cool dude. And, you know, there's a lot of really good practical advice and a lot of really good ideological thinking on how to actually handle security operations and enterprise security. So I hope people really pay attention and listen to this episode a few times because there's some good lessons learned.
00:02:07
Speaker
Yeah. Stay tuned for paradigm shifts, one throat to choke, and what you got to do to keep a job in the AI future.

Cybersecurity Failures: Who's Responsible?

00:02:20
Speaker
John Watters, welcome to the show. Thanks, George. Good to be here. All right. So, John, we're going to come out of the gates pretty hot and heavy because that's the only way we know how to roll. But the average person, my mom included, has received, you know, several breach notification letters, probably from their bank, their insurance company.
00:02:42
Speaker
Oh, my God. Their kid's school, their doctor. And these... are often not small organizations with no resources. Sometimes they have limited resources, but some of these institutions are spending real money on security.
00:02:56
Speaker
So what are you going to say to the lay person, what we call civilians, who have basically concluded like cybersecurity is just like a shrug and like, I don't know what they're doing with my data and I don't think any of this is actually working?
00:03:13
Speaker
Well, I'd say they're flat right. You know what I mean? I mean, we haven't certainly proven to the world that cybersecurity is effective. I mean, what we're doing is spending a lot of money to try to mitigate the pain, you know, but the data is lost every day. Creds are lost every day.
00:03:33
Speaker
People's PII is lost every day. So it's kind of an epic failure of an industry that we all participate in and love, which is weird. You know, you think, why do you love a job that you're so bad at?
00:03:48
Speaker
And I kind of look back and say, well, what would it look like if we did nothing? And holy mackerel, that's hard to even envision. So from my perspective, we're lucky to be in a society where these large institutions that do have the resources are the ones that for the most part are responsible for any losses that we suffer.
00:04:09
Speaker
So when our banks are popped and our credit cards are abused and somebody, you know, goes into one of our online payment platforms and steals funds, we get made whole.
00:04:21
Speaker
Yeah, we're not the only... country in the world that does that, but there's an awful lot that don't. And the victim is actually responsible and they don't have the resources to protect themselves. So I would say, yes, you're right.
00:04:34
Speaker
You haven't done a good job as an engineer protecting your data. But by the same token, we're in a good society that the people that have the resources make us whole. Before I turn it over to George, I think one of the most challenging things is having to describe to either my family or my friends when they get the breach notification, it often comes from some software provider that they've never

The Role of Third-Party Vendors in Data Breaches

00:05:00
Speaker
even heard of. And they're like, is this a scam? Like they'll send me photos of the letter and they're like, I don't know if this is real. And I'm like,
00:05:09
Speaker
probably this is just a provider that's used by something else you have. You know, it's like it's so opaque to them, like where the problem is.
00:05:20
Speaker
So anyway, that's just an aside rather than a question. Yeah, no doubt. And people's data is everywhere. I mean, I can't imagine if we all sat here today and tried to enumerate how many different companies have access to our driver's license number, our credit card data, our birth date, our mother's maiden name.
00:05:43
Speaker
I don't even know where to start. I mean, it's gotta be thousands, tens of thousands, hundreds of thousands. Yeah. Yeah. Per person. So there's so many ways to gain access to it.
00:05:54
Speaker
It's a pretty amorphous attack surface to try to protect, you know? So, I understand why it's been out there. It's kind of an impossible task. Yeah, I think from my point of view, my struggle with it when I try to do any kind of lobbying or advocacy for it within, you know, political circles, some of it in Ottawa when I deal with folks who are, you know, in leadership positions, but they're not really technical.

Cybersecurity as Unconventional Warfare

00:06:21
Speaker
They understand risk, like they understand the sentence you're saying, but until a negative personal consequence happens as a result of that data compromise, it's just not real to them. So you can say, yeah, your data is out there. But like, yeah, my data is out there all the time. I don't give a shit.
00:06:35
Speaker
Right. 'Cause like nothing's happened. My life isn't ruined until it's ruined. Right. But I digress. I have to, first of all, say it's a pleasure to meet you. I personally was really excited about this because in my own career, like I converted from a signals intelligence analyst with the army to a sec ops and a CTI specialist. And I made my bones doing CTI. That's how I managed to kind of fly up the ranks so fast.
00:06:59
Speaker
So I really, really respect the work you've done as a pioneer and as a business leader. So it's a pleasure to talk to you. I had to put that out there. I got a fanboy a little bit. But I got to tell you, you know, you've been in the industry since before most people, you know, even knew what a CISO was.
00:07:16
Speaker
So walk us back to the beginning at iDefense. What did you see forming then that most people were still blind to? I mean... I'm a common sense guy, you know? I mean, I came out of the finance world and got into the cyberspace looking for an investment theme and thought cyber had secular tailwind forever and was inefficient as hell in the late 90s. And so I was looking for common gaps that existed. And what really crystallized in my head and catalyzed after September 11th is we're entering into an age of unconventional warfare.
00:07:55
Speaker
And cyber is going to be a domain of that warfare. So you got to learn from people that have been in the fight the longest, which is really the military, you know, with your background in the intelligence community. So I studied it and, you know, in DOD, you know, we were spending 10% of our total DOD budget on intelligence to understand the adversary. So we knew how to fight the fight and fight effectively and use that intelligence advantage to drive operations.
00:08:22
Speaker
And then I looked at the commercial sector that was entering into the same domain of warfare. And they had no clue about the adversary. it was all fighting it. I got to stop there too, because I still made this argument today.
00:08:35
Speaker
When I talk to people who are not veterans, and I talk about the cyber theater of operations, no one knows what I'm talking about. And I'm like, no, no, it's it's actually warfare. Like, if you hack another country on behalf of your government, that's an act of war.
00:08:50
Speaker
And people just don't get that. That's right. And, you know, it happens every day in every country in the world for the most part

John Watters' Early Cybersecurity Journey

00:09:00
Speaker
right now. So it's very well known and understood today.
00:09:05
Speaker
And when I got in the industry with iDefense back at that initial access point, I had tracked them since they founded in 98 and I had spun off on my own in 99 from a family office I was running.
00:09:17
Speaker
And got to know the team and understand the market a little bit. And it really was a market. I mean, they were just flinging emails at people about bad stuff happening around the world. And I had an opportunity in 2002 to buy the company out of bankruptcy for 10 bucks.
00:09:35
Speaker
So I did. And I actually went in with the second management team thinking they could run it. I had never intended to run a company.
00:09:46
Speaker
And like all of us that have been in the cybersecurity industry for a while, this is certainly a theater of passion. You know, you don't go into other industries and find the amount of passion you find in this industry. There's something about it. It's a cult.
00:09:59
Speaker
It's some shared dysfunctional DNA that we all have. And I certainly found it inside myself pretty quickly. And then we launched this zero-day discovery program. We're buying zero-day vulnerabilities from all over the world starting in August of 2002.
00:10:17
Speaker
And then it was amazing what effect a little company could have on an emerging industry. And we were able to effectively create responsible disclosure and hold the software vendors accountable.
00:10:32
Speaker
And this is before the days of throwing parties and bug bounties. I mean, when you called Oracle and say, hey, there's a flaw in your software that creates this opening that exposes all of our customers to it, you know, they thought you were the devil.
00:10:46
Speaker
You're not asking for anything. You're not asking for money. You're just trying to help them get it fixed so you can protect your customers. It was amazing that first journey into cyber in that 2002 to 2005 space.
00:10:59
Speaker
And it was funny, I was just on the phone with a Gartner analyst earlier and I said, I'd love to find John Pescatore because he was your analyst back in 2003 that bet me a six pack of beer that the cyber intelligence industry would never be bigger than ten million dollars total TAM.
00:11:20
Speaker
And two years later, iDefense was at $10 million just in one little company. So he owes me a six pack if I ever see him around. That's right. He's going to be avoiding the streets of San Francisco and Las Vegas for sure.

AI's Impact on Cyber Attack Speed

00:11:36
Speaker
So in some of your talks, you have used the phrase time compression. Can you unpack that for us? Because on the surface, I know I juxtapose this with what I started, but we do have organizations that have full-time SOCs. They have a lot of tools. They got data. As you said, threat intel has been a growing industry. They have intel feeds.
00:11:59
Speaker
So talk about time compression and where defenders are losing on time. So think of it like you have to have some symmetry between the timeline of an attacker and the timeline of a defender.
00:12:14
Speaker
And, you know, today an attacker can leverage AI to conduct reconnaissance against the target and build a full scope picture of their entire environment, their supply chain, every bank shot in, all the creds around those suppliers that may be exposed, where they can find an SSO connection in and effectively gain direct access into a target through a bank shot attack vector called a third party.
00:12:42
Speaker
And they can do that leveraging AI literally in minutes. We do it every day. And the reconnaissance timeline used to take months, quarters, and against a hard national security target, years.
00:12:59
Speaker
You know, to conduct that full reconnaissance so you understood what the target's topology looked like so you could build a bespoke capability that could execute and maintain a durable advantage against that target.
00:13:11
Speaker
Today, it's become much easier and way more accelerated in the reconnaissance phase. And then once they build the reconnaissance, rather than going to a toolkit of, oh, here's the 50 attack methodologies that I use that are well-documented by the 391 cyber intelligence companies out there, I'm gonna spin up a new and novel attack capability specifically built to target that company based on the reconnaissance work I've done. Now you got a patient zero situation where they've never seen anything before, there's nothing to react to. And the time compression from
00:13:49
Speaker
target selection to target reconnaissance to capability development to execution has gone from months, quarters, and sometimes years to days and weeks. There's still time.
00:14:05
Speaker
But if you look at the process timeline on the back end of that with customers, from the time an intel provider finds a new and novel source of collection to the time they go through their curation process of creating an intelligence product with analysis, they deliver it into a customer, they synthesize it with all their other intelligence feeds into their TIP, they integrate it into their SIEM with all their alerting from all their detection layers,
00:14:32
Speaker
And they do some sense making to figure out where there's a marriage and what's important amongst all that noise to find the signals. And then they go down several pathways of building hunt scripts and building detection rules and prioritizing patching and doing things with configuration, all these other things they do.
00:14:51
Speaker
Today's modern way of intelligence-led security, until something gets implemented, it's weeks. So the defender's operating in weeks from the time there's an intelligence finding to the time there's a counter threat action, and the attacker's operating well within that envelope.
00:15:11
Speaker
Can I push back for a sec though? I said the hot seat today, right? So I'd say you are correct. Very much correct, especially with like agent-based threats. But I find that the more,
00:15:25
Speaker
The more successful, high probability attack vector is actually like the human user. I find human error, social engineering, and now like phishing, deepfakes, that seems to be the easier, more successful path because again, the security tooling market, like I get what you're saying and I agree with you. Like, as a CTI guy, I agree with you, but there is really good security tooling out there and if you do stick with architectural fundamentals,
00:15:56
Speaker
And, you know, if you are utilizing a secure SDLC and you're utilizing good methodology, it is not easy to break into an organization purely on a technical break. It's hard to brute force. It's hard to do code break. At some point, a human being has to screw up for you to get in.
00:16:19
Speaker
And I just... does that play into your calculus or are you purely looking at tech to tech based compromise? No, I'm not. I'm not. It's a very good point. Thanks for bringing that up.
00:16:32
Speaker
I'm not looking strictly at tech to tech compromise, although I am strategically laying the framework for what I believe will be tech to tech compromise in a short number of years.
00:16:44
Speaker
So the thematic, if you think of this timeline of the way we run Intel-led security today versus what it looks like in an AI paradigm, is how you go from the edge of collection to risk determination all the way through circumventing all of the decision logic to where a customer can validate your risk determination.
00:17:07
Speaker
And then it gets routed exactly into the system of record you're gonna take an action in and validate the operational efficacy of that action and greenlight it. So long term, I think you're gonna have to have some linearity between threats and counter threats, you know, that happens fast. You know, we're not there

The Overlooked Risk of Third-Party Compliance

00:17:30
Speaker
today. So what we're looking at, and to completely corroborate what you're talking about on the human and the Luke,
00:17:37
Speaker
is we're looking at third party risk. A, it's the last bastion, you know, of security where every CISO hates their program and it's completely compliance driven.
00:17:51
Speaker
And there's nothing they can do about it. There's no threat component to it. It's basically posture scoring masquerading as risk scoring. And so I got two things to ask. So first thing, a good CISO friend of mine in Canada named Mike Melo, he's one of our, probably one of our top CISOs in the country here. He recently put out a post talking about how TPRM is a joke.
00:18:11
Speaker
It's actually a waste of money. It doesn't really exist. That's something we get into later. I just want to shout out Mike for making that because it's a pretty good hot take and I love it that he said it. But what I want to ask you is if an attacker can move from target selection to exploitation in hours and a defender's decision cycle takes days, what has to actually break before organizations accept that the current model doesn't work?
00:18:37
Speaker
Yeah, that's pain, you know, I mean, when do you get a pain threshold that finally creates enough of a sphincter tightener where there's a problem that commands budget?
00:18:50
Speaker
And right now, I mean, people are so accustomed to pain, this as being normal and acceptable loss and acceptable risk and acceptable pain, and all the CISOs have conditioned the boards, and oh, it's not a matter of whether or not we're going to get breached. It's just a matter of when, you know, all that kind of conditioning that's gone on.
00:19:09
Speaker
The presupposition is that failure is the norm. And I think we're going to enter into an elbow of the curve over the next couple of years where the pain will grow fast to where it's going to get intolerable. And I think, and I referenced back to the third party risk. Well, the third party risk was always the last bastion of compliance led GRC. Nobody likes their program and CISOs could kind of head-in-sand it and put, you know,
00:19:41
Speaker
somebody on it, yeah, and maybe even try to get it out of their organization. The breaches through third parties doubled in the last year and now 30% of all breaches involve third parties. People are like, wow, now I got to do something about it and look at this as core cyber defense, not some compliance problem.
00:20:01
Speaker
And this is one of the very few problems in the industry seeking a solution. There's a bazillion solutions looking for a problem. There's not that many problems actually looking for a solution.
00:20:13
Speaker
That's pretty high on, yeah.
00:20:17
Speaker
So anyway, that's the third party risk piece for me. And what we do on it, we're just straight up on the threat side. We're not doing any posture monitoring or scoring. All we do is we correlate all of our intelligence holdings against your third parties and provide a set of alerting that are strung together
00:20:34
Speaker
to where it starts off with you know credentials that have been popped of your third parties, some contextualization to see if anybody likely has admin rights of those that were popped. Moving into was a web shell installed in your environment.
00:20:48
Speaker
You know, so if you've got a web shell installed, what system, what time, what date, even to where an IT guy can do something with it. You know, and then, okay, access was sold in, or they've been ransomwared, there was a breach. You know, so it's all tracking the compromise progression of your third parties to where you can get left of boom, and what sometimes might be right of boom for them is still left of boom for you. Oh, that's a really good point. Yeah. Yeah. So that's where the third party piece is the first part that I wanted to begin to demonstrate the context and the proof point.
00:21:24
Speaker
You can go from the edge of collection from an Intel perspective to a risk determination: you have a risk by virtue of this third party, you know, having a compromised, you know, position.
00:21:38
Speaker
And then we are putting timestamps on everything we track with the third parties. So if we go collection, we hand it to a third party, they've actually mitigated the risk. And let's say it takes three days.
00:21:50
Speaker
Within a year, I can say, hey, on average, your third parties are remediating from the edge of collection to the time they counter a threat in three days. How long do you think it's taking you?
00:22:02
Speaker
Yeah, and then have that come to market at the same time the pain is sufficient to the world to change their process.
00:22:12
Speaker
I wish we could take this episode as a physical object and beat every vibe coder in the side of the head with it.
00:22:22
Speaker
It's like going back to the idea of solutions in search of a problem, John, every time I see... some tooling to help automate vendor questionnaires. I'm like, we're just making the dumb stuff faster.
00:22:42
Speaker
Like, it's like we're accelerating the posture theater, but now we can use AI to tick the boxes rather than, like, why don't we solve the problem?
00:22:55
Speaker
Yeah, I mean, it's a faster way to an irrelevant outcome. But yeah, I mean, because again, back to what I said with all my friends who get these notification letters, when you Google the name of the company in Breach, you find out it's some like random...
00:23:13
Speaker
highly vertical-specific payment processing software and they filed notice of breach to, like, the attorney general in Maine or something, right? Like that's where you find it and you're like, oh yes, I don't know, this thing that you have an account with apparently uses this software and that's what got popped. So that's why you get this letter in the mail.
00:23:35
Speaker
Yeah, the automated questionnaires. That's just killer. I mean, you know, literally the Dallas CISO, a Fortune 500 CISO I was with last week. He'll probably be at your event next week. Good guy. And we're going through it and his deputy was there in the meeting and we, you know, showed him kind of the threat intelligence, you know, threat detection response for third parties. Right. Now I look at this as just part of your ecosystem.
00:24:00
Speaker
Right. So how do you protect your ecosystem? And you got an Intel program, you got a bunch of Intel feeds, you got all these Intel guys, they're just looking at yourself, which is now 70% of the problem. And what are those guys doing about the other 30%? And if there's no real efficient way to deal with that, we created a solution to actually provide a threat detection and response capability for the entire ecosystem.
00:24:22
Speaker
You know, so it's a complement to your own internal team to cover that bigger, you know, ecosystem of third parties. And his deputy said, well, it'd be a lot easier if you partnered with like Security Scorecard or BitSight or, you know, one of these other guys in that core third party risk.
00:24:37
Speaker
And I said, look, here's the deal. It's already the bastard child of every security program. There's tiny budget in GRC and people hate every nickel that's in it. They're trying to beat everybody up to get more for less.
00:24:50
Speaker
I said, so I don't really want to go fight for that budget line when this is really core cyber defense. And then the CISO said, he's exactly right. If there's two bucks that I got in my GRC bucket, I'm giving these guys a buck 95 and I'll give the other guys a nickel.
00:25:08
Speaker
Because the value is in actually proactively leaning into the problem rather than hiding behind these historic, you know, risk scores that nobody believes have any correlation with likelihood of breach.
00:25:24
Speaker
After the break, we'll talk with John about what needs to change from a corporate culture perspective, how we think about security, what we are protecting in terms of people's data, and we get into what security practitioners need to do in the AI future with respect to their jobs.
00:25:43
Speaker
And his advice might surprise you.

Cultural Inertia in Cybersecurity Operations

00:25:49
Speaker
We would be remiss if we did not bring up, of course, you are mentioned in Nicole Perlroth's amazing book as the cowboy. Like, that's the moniker she gives you. Not an accident, I'm sure. But what you're speaking to is sort of like industry culture inertia, right? It's like...
00:26:08
Speaker
you sort of establish this way of doing things and then it gets sort of mired in like, this is the way we've always done things. So we talk about sort of the people, process, technology trinity, and then we have a lot of heavy up on the tech part.
00:26:21
Speaker
Yeah. What do you think needs, who do we need to grab and shake in terms of like changing this cultural paradigm, this idea of what you're saying of like, why are you doing these things to get to an irrelevant outcome rather than, you know,
00:26:37
Speaker
chasing the stuff that might actually make the business safer. I mean, yeah, the reason why I'm not in the first party risk business right now, selling to direct customers any kind of Intel program like I did before with countermeasure strategies and all the stuff for them, is because it requires them to change the way they do business to be successful in a modern wave. I view we're entering into the third wave of security. Yeah.
00:27:06
Speaker
So you think the first wave of security was Symantec and McAfee and Trend and Checkpoint firewalls and IDS and AV and all that kind of stuff.
00:27:16
Speaker
Then you moved into the second wave that was, you know, quote, second gen. You had the whole CrowdStrike and Palo Alto and FireEye and all next gen that was, you know, XDR and, you know, multi-threaded alerting and finding signals in the noise at line speed and, you know, quicker remediation, proactive blocking versus alerting. We're entering into the third wave. And then the third wave of AI,
00:27:42
Speaker
on this entire problem set, AI-enabled adversaries, you can't do the same exact things the same exact ways, just do them faster.
00:27:53
Speaker
So what I've seen is everybody doing exactly what you just talked about. We got all these people sending out questionnaires. Let's have an agent that does the same thing better. Right. Oh, I got an idea.
00:28:05
Speaker
Let's use AI to help us triage alerts, you know, at the top of the SIEM funnel so we can reduce the L1 burden and we can automate some of the alert triage. And then we'll hand it over to this organization and we can make them a little faster.
00:28:21
Speaker
And I hear some of the Intel guys say, I got an idea. We'll give them this TTP, but we'll actually create the hunt script for them so they can automate how they hunt, you know, when they get the intel, assuming that's still there once it goes through their TIP, you know, it gets to them and goes into the process.
00:28:40
Speaker
But it's all the same process, the same people. They're just trying to get a little more efficient or even way more efficient. It's each step of the same process. And I don't believe that's going to be effective.

Younger Security Leaders and Innovation

00:28:53
Speaker
So I'm kind of hiding outside that world for now, waiting for the pain to get commensurate with a realization that they need to change the process and reimagine how you defend in an AI world versus trying to automate components of the process to do the same thing faster.
00:29:13
Speaker
In your conversations, have you detected any change generationally? You know, I've quoted it multiple times in the show, but Max Planck said, science advances one funeral at a time, right? You just have to wait for previous generations and thinking to sometimes either die out or retire.
00:29:31
Speaker
Have you encountered maybe younger security leaders or, you know, like we've talked to people who are sort of founding this idea of GRC engineering, like getting down into the code rather than they're trying to like change it from the inside out. I don't know if there's a different energy. I mean, I know this guy's got like no patience for the old stuff.
00:29:53
Speaker
One big company CISO, Toronto, that works for a large Canadian company, one of the largest, and he is the only guy that sees the field the same way I do.
00:30:13
Speaker
And it's how do you go from the edge of collection to make risk determination fast and route it through an agentic AI system directly into counter threat operation that's automated. And how do you automate every step and circumvent all the ways of doing business?
00:30:30
Speaker
Forget the way you do business. Whiteboard the whole thing out. How are you going to combat fraud? How are you going to combat, you know, identity takeover? How are you going to combat all these problem sets? And how do you leverage speed? And he's trying to build as close to a line speed approach as you can.
00:30:47
Speaker
And if people don't do that, I don't think the old approach is going to work, quite candidly.
00:30:58
Speaker
So that guy is on his game. And I was like, hey, man, and I didn't say this to him, but we'll give you our shit just to work with you. Could you bring your stuff together, man? I'd love to work with you on this journey. You know, the last time I saw a huge elbow in the curve, having been around in this industry a long time, was in the Great Recession. And in the Great Recession,
00:31:24
Speaker
I had just launched iSight, launched it in 2007, we're going into 2008. And who were the first movers in intel? Banks. You could not get a bank's attention to save your life.
00:31:38
Speaker
I remember the president of a money center bank that we were working with had to sign off on travel for an executive vice president to fly to Dallas to a summit we were having. The president of one of the top five banks in the world.
00:31:54
Speaker
It's like, wow. And you'd say, hey, we got this thing, you're losing a billion dollars and, you know, all this fraud, and we can help you dramatically attack that problem set. And they said, we wrote off 50 billion last week
00:32:05
Speaker
on a bad portfolio of loans. We'll probably write off another 50 next week. You can't get anybody's attention for 500 million because they had so much pain in other places. And if you look at the cybercrime losses, it spiked and turned straight up to the northeast in 2008 and 2009. And in 2009, it surpassed narcotics as the most profitable trade for organized crime,
00:32:32
Speaker
you know, as reported by the FBI. That elbow happened right then. And then it kind of normalized in 2013, 2014, when everybody got back in the game, you know, and fought the fight. I think we're going to see a big spike in the curve right now.
00:32:47
Speaker
And it's going to be financial losses. It's going to be disruption to businesses, catastrophic, you know, day-to-week-long kind of disruptive events.
00:32:59
Speaker
And I'm certainly not a fan of what I envision. That's a scary, scary world.

Intelligence-Driven Risk Management in Cybersecurity

00:33:06
Speaker
But I'm just trying to build a solution that I can intersect that problem with when people realize it exists. Nobody thinks it exists yet.
00:33:14
Speaker
So I will do a jack-in-the-box when it does and say, here's a solution end to end, from intel all the way to the operational edge.
00:33:24
Speaker
Yeah, it's just, it's tough, right? Like I fight the same fight with you, because I always talk about intelligence-driven security. That's kind of the principle I built my program on: you know, try to proactively find TTPs and campaigns that are emerging, right? And so the way that I like to do it is I still copy the old army playbooks where, you know, folks who speak different languages go sit in the forums in the threat actor's language of choice
00:33:50
Speaker
and go actually interact with them and group them into thinking that, hey. And, you know, like Recorded Future is the same thing with their NXX group. Like they're all just a bunch of foreign analysts that are like former NSA or former CIA. And they're all just, that's it, right?
00:34:06
Speaker
I still think because, again, we're not completely fighting against robotic threats or agent threats. It's still a human being that ultimately controls it. It's still human intent that drives what the threat is.
00:34:19
Speaker
The human layer still has to be taken into account. And that's why I think we have to have a better, more compelling narrative to sell intelligence. And I hate to say it because, you know, for folks like you and me and George as well, it's plainly obvious. Does it need to be sold?
00:34:35
Speaker
But for people who don't live in this security world or whatever, like they don't understand it. And because they don't understand it, it's like you're telling them this thing and it sounds scary. You're talking to a non-technical CEO or board member.
00:34:48
Speaker
But you're like, no, no, I'm trying to tell you this thing that you're laughing at or rolling your eyes at, it could ruin your entire business. And because you don't take it seriously, you're going to be in no position, no matter how good your breach response is, to do anything about it.
00:35:05
Speaker
And I want to go back to something you said earlier. You came into this industry from finance, right? So bankers, trust, capital markets, investments. Does that background change how you see risk?
00:35:16
Speaker
Because most people in the security game came up through pure IT. But I think you are born into risk. For sure. I think there's a differentiation. Yeah.
00:35:26
Speaker
Yeah. I mean, risk is a probability of a negative impact. Right, so that's really all it is. So in financial terms, it's easy, quantifiable, and there's a bazillion models out there to quantify what the risk is of some put spread on a certain stock or commodity. So you can create an investment scenario and you've got risk parameters and you can calculate value at risk and probabilities at the edges across all of it based on historical training of data and all kinds of things.
00:35:56
Speaker
You enter into the cyber world, it's the same thing, right? What's the probability of impact based on conditions precedent? And the conditions precedent are, to your point, George, what I just thought of: a threat register.
00:36:09
Speaker
What are active threats against the organization that could cause real consequence if unmitigated? And then of those threats, which ones have the highest impact if left unmitigated to the lowest impact?
00:36:22
Speaker
And how do I allocate my limited scarce resources of budget dollars against the highest impact threats first? And then I work my way down so you can buy down the most amount of risk per dollar invested.
00:36:35
Speaker
Which defines you as a very business-savvy CISO. Well, let me ask you this then. So threat register versus risk register, right? What do you think is the better sell for the board?
00:36:47
Speaker
Yeah, well, I think of threat minus your compensating control equals residual risk. And it translates into business risk when you incorporate the impact.
00:37:00
Speaker
Now, of those, threat intensity is knowable. The effectiveness of a compensating control is, you know, expert-guessable.
00:37:12
Speaker
The impact is knowable, bigger than a bread basket, bracketed, not the dollar amount. The probability is not knowable. It's X.
00:37:24
Speaker
So the way I've always talked to folks, once you can get people to say, look, threat is knowable. We've got threat intensity here. Compensating controls are knowable. We've got a weak compensating control against this.
00:37:35
Speaker
Impact is knowable. This is a high impact issue. We've got a weak compensating control against a high intensity threat. What's the probability of being executed against this? Today, it's X.
00:37:48
Speaker
What does it look like a year from now as we track the threat environment? The threat environment is intensifying. The tools and techniques they're using are becoming more new and novel.
00:38:00
Speaker
It's rendering our compensating controls even less effective. The probability is higher than X. 2X, 3X, 4X, it went up. So I'm just telling you, I can't tell you it's a 42 percenter,
00:38:14
Speaker
but it's a hell of a lot higher than it was when we sat here last year based on these factors. And if you can simplify it down to say, here's the top 10 or top 15 or whatever that the business can understand, then you can have a business-like orientation and convert, you know, cybersecurity chaos and complexity into simple, understandable risk terms.
00:38:41
Speaker
Because I believe risk is the language that bridges the communication chasm between security and the board. Yeah. Yeah. Nice. Now you sell it. That's it.
00:38:54
Speaker
Yeah, it really is. And if you go to the board and say, I need more money because the bad guys are coming, they'll go, okay, well, the bad guys were coming before, they'd be coming again. It's not going to work. You've got to say, look, the probability of this bad thing happening used to be pretty low.
00:39:09
Speaker
It just became pretty high. Why? Well, we used to have, you know, DDoS mitigation up to 100 gig, and now there's a storm of 200 gig DDoS coming on the horizon. All of our competitors are getting hit.
00:39:22
Speaker
The net effect on us, I've already talked with the business, is going to be a million dollars a minute. The probability of that happening: high. What can we do? It's an extra million bucks to increase our DDoS mitigation to 200 gig.
00:39:36
Speaker
We're safe for now. Okay, do it. No, that's nice. That's the best discussion you can have. So we started this by talking about what the average person thinks when they see cybersecurity, or rather what they think cybersecurity is not doing for them. Yeah. We got pretty deep in the weeds.

Advice for Innovating and Automating Defenses

00:39:58
Speaker
We've mentioned detection logic all the way to risk register. So we sort of touched end to end, ran up and down the court inside the field of cyber. But as we round to home here,
00:40:10
Speaker
What would you say to these, you know, daily users of technology, right? We cannot move through the world without names and passwords. We, you know, can try to get everyone to use a password manager.
00:40:27
Speaker
Maybe it's going to work. Maybe it's not. I guess I want to conclude with either a message to defenders about what they are really defending, people's data, or what do you want to say? So what would you like to say, either to the defenders or the lay audience?
00:40:43
Speaker
I think for the lay audience first, I would say be appreciative that you live in a country where you're made whole if you lose money. Even if you did something stupid, you know, even if you're using your first name plus an exclamation point as your password,
00:41:00
Speaker
you know, you still get made whole. That's a good thing. Now let's flip into how you make yourself take this personally now. You don't want to get at. You don't want to be an easy target.
00:41:11
Speaker
Turn off your computer at night. Otherwise, it's being used to effect cybercrime against your buddies. If your laptop's up, somebody's leveraging that infrastructure. That's one.
00:41:21
Speaker
Two is don't use the same card that you swipe in a restaurant for all of your online payments. Have one card that you only use online and don't use it anywhere else.
00:41:34
Speaker
That's your dedicated online payments card. Have a different card for the pain-in-the-ass recurring payments that you make, because even your online payments one's probably going to get popped. The one that you pay your utility bill through, your tax advisor bill, your 10 recurring bills that are a pain in the ass to go change the credit card number on when it gets popped: use one card for that that you'd never use anywhere else.
00:42:02
Speaker
So if you're gonna have cards, try to have them purpose-built to where you limit your exposure, and try to be part of the solution rather than part of the problem. Because right now,
00:42:13
Speaker
to your point, the weakest link is individuals who are enablers of crime and co-conspirators in their own demise in some ways, you know, just by some of their activities. And there are some simple ways to kind of reduce their likelihood.
00:42:30
Speaker
To defenders, automate yourself out of a job before you get automated out of a job. What I mean by that is find a more productive way to use your time by leveraging technology to automate the repeatable parts of what you do.
00:42:45
Speaker
Use your creativity to create something new and novel that you can do that can really move the edge in defense. And go focus your efforts on that. And now you've got a one plus one equals two with one person on the payroll.
00:43:00
Speaker
You say, I've automated the former me. I'm now doing this cool thing that's going to really move the needle in terms of helping us manage risk for the company. And then automate that. And then use your creativity to go to the next level.
00:43:14
Speaker
I love that. I love that, because it is trying to light the fire under their ass to not, again, just do the same thing faster, right? Like innovate a stepwise function in defense.
00:43:30
Speaker
They have control over their outcome. If they just sit there and watch their job get automated away, even in business, and when I look at business, let's assume I've got some legacy product that's got really nice market share and nice fat margins.
00:43:44
Speaker
And there's new competitors that are going to come in and offer a solution that's way cheaper, you know, way easier to buy, way easier to deploy, way better results. I can sit there and hold on to my legacy business or I could say it's going to get cannibalized anyway, so I might as well cannibalize it myself.
00:44:04
Speaker
RIP Blockbuster. Cannibalize it yourself. So I would say the same thing applies to these defenders. Automate yourself. Nobody's better to automate what you do than you.
00:44:17
Speaker
And now you're part of the solution. You're not going to sit there and just whine about the reality of change. First of all, what you're saying is really good advice. I hope people listen to this because that's really, really sound logic.
00:44:29
Speaker
I've heard myself saying very similar things to deaf ears or people just rolling their eyes at me my entire career. So thank you for validating me, because I'm just that weirdo.
00:44:40
Speaker
So thank you. You're really successful. Like I'm weird, but you're cool. So like, thank you. This is awesome. And I think one of the biggest things is, you know,
00:44:51
Speaker
I wish that people would learn the old saying, adapt and overcome, because I think people are so scared. Like people aren't losing their job because of AI automation. People are losing their jobs because companies overhired and they don't know how to manage payroll and they don't know how to manage staff and they don't know how to manage P&L.
00:45:09
Speaker
AI has nothing to do with it. I'll tell you this. In my experience, George, and you know we talk about this all the time, AI fails because people don't understand the manual processes they're trying to automate. So there's no ROI. Don't tell me AI took your job, because most AI is failing.
00:45:26
Speaker
So that said, I just want to say thank you for preaching truth, because this is kind of why we do the show. Yeah. Yeah. Thank you very much. I mean, if there's one thing I can leave you with, with defenders, people at home and everything else, for the guys that are trying to do something about the problem,
00:45:43
Speaker
There's a lot of analysis paralysis with defenders right now.

Embracing AI: Risks and Rewards

00:45:47
Speaker
The attackers are embracing AI at every turn. They don't give a shit about compliance or rules or regs or budget. They know they can make more money with it than they can without it.
00:45:56
Speaker
And defenders are evaluating the hell out of this because they don't want to make a wrong decision. When you've been around as long as I have, every decision I make is wrong. I'm just not sure how much. And I hope it's just a little wrong, but I might be a lot wrong. This one, of course, correct, but I'm making a decision.
00:46:13
Speaker
Because you can't create velocity without decision velocity, you know, at this deal. So I encourage people, when in doubt, freaking roll. Go. Make a decision. And that'll help the defenders get pace and put some risk out there.
00:46:27
Speaker
The risk of doing nothing is terminal. You will be out of a job if you just keep on doing the same thing over and over again. So it's a good lesson for a lot of these guys that have an opportunity to be part of the solution.
00:46:38
Speaker
Well, John, thanks so much for the time. We really appreciate it. And we hope to run into you soon. Yeah, look forward to it. Next time you're in town, we'd love to connect. We'll make it happen. All right, you take care.

Key Takeaways for Cybersecurity Professionals

00:46:52
Speaker
All right, listeners, leaving you with some questions to take forward. My question is mostly around technologists and what John said here at the end, which is automate your job before you get automated out of a job, which I took to mean lean into the innovation, make those decisions, and figure out how to automate the parts so you can level up to the next more creative thing to defend at the edge rather than just do the same shit different day faster.
00:47:29
Speaker
When you are running an enterprise or you are contributing to a blue team defending an enterprise, your greatest risks are two things. One, your own employees and two, your supply chain.
00:47:40
Speaker
So think to yourself, where does the real risk lie? And are you acting on building a risk register or a threat register? Because that kind of flip in thinking could be the difference between you saving your organization and your career and you ending up being just another headline.
00:48:05
Speaker
If you like this conversation, share it with friends and subscribe wherever you get your podcasts for a weekly ballistic payload of snark, insights, and laughs. New episodes of Bare Knuckles and Brass Tacks drop every Monday.
00:48:18
Speaker
If you're already subscribed, thank you for your support and your swagger. Please consider leaving a rating or a review. It helps others find the show. We'll catch you next week, but until then, stay real.