Episode 42

Useful Technology Should Be Attack Agnostic

In this episode, Patricia Muoio, Ph.D., Partner at SineWave Ventures and former Chief of the Trusted Systems Research Group at the National Security Agency, sheds light on the cybersecurity technology landscape and emphasizes the need to develop technologies that are attack agnostic. Some of the questions driving the discussion include: a) What progress has been made in the development and use of cybersecurity technologies? b) What does it mean to be attack agnostic? c) How near or far are we from taking the burden off people trying to protect themselves from different cyber attacks? d) What is the ideal government and industry partnership model to develop innovative solutions?


Time Stamps

02:34 -- How about sharing with listeners some professional highlights?

04:12 -- I'm really intrigued to learn about your career trajectory, considering that you got your doctorate in philosophy, so was it on the liberal side of things?

05:35 -- What's your assessment of the cybersecurity technology landscape?

08:12 -- During our planning meeting, you said, "we need to be able to develop technologies that are attack agnostic." Please expand on that.

12:50 -- While you're saying that it doesn't matter how the hackers get into your system, wouldn't I want to know how they are conducting the attack to be able to prevent it from happening in the future?

14:54 -- If I'm a developer listening in on this conversation, what should be some focus areas for new technology development? And if I'm a consumer of these technologies, how should I approach cybersecurity governance?

27:23 -- Will there ever come a day when I could be as carefree as possible, and click on anything I want, knowing that there is technology that will not allow the perpetrators to exploit that and do damage? Will we ever get to that world?

31:57 -- What is your assessment of the government-industry partnership?

38:19 -- Please share some final thoughts and key messages for the listeners.


Memorable Pat Muoio Quotes/Statements

"I think that many problems like endpoint protection, network segmentation, authentication, encryption are essentially solved. There are technologies that do these kinds of things and do them well."

"I think where a lot of the work needs to be done is making these technologies work together and work appropriately for the system in which they are used."

"We need to be able to develop technologies that should be attack agnostic."

"What it means to be attack agnostic -- you stop attackers from getting in, you stop them from moving around, you stop them from getting out, exfiltrating your data, or encrypting your data, executing their payload in any important way. And the details of how they choose to do them, the shape of the malware they choose to execute simply doesn't matter. What matters is that these actions can be identified in the system and stopped in a more general way."

"Users ought to know when less is more."

"I think people need to be careful to understand when risks that sound very very different in their effect, are actually the same in their cause, and that their solution space needs to address the causes and not the effects."

"As these technologies develop, as people become more comfortable with the notion of self-protecting, self-healing systems, we will be able to take some of the burden off the users."

"Understand solutions that are based on your system, and not concentrated on what the attack looks like; but what is my system and more importantly, my business workflows, what do they look like, and build solutions that protect them, and not solutions that are based on external threat conditions."
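The quotes above describe attack-agnostic controls in prose: decide what the system authorizes (which segment may talk to which, whether a second factor was presented) and stop anything else, without caring how the attacker got there. The following is an added example written for this page, not code from the episode or from SineWave Ventures. It runs a default-deny segmentation policy and an MFA check over a handful of constructed log lines; every segment name, port, user, timestamp and log format in it is a hypothetical assumption made for illustration.

```python
"""Added example (not from the episode): attack-agnostic, default-deny
policy decisions over constructed log lines. Connection attempts are
judged only against an allowlist of (source segment, destination
segment, port); logins only on whether the second factor was presented.
The tool used to move (psql, smb, rdp, ...) and the way a password was
obtained (phishing, sticky note, ...) are parsed for the record but never
influence the decision, which is the point of the quotes above."""

from collections import namedtuple

# Hypothetical segmentation policy for an imaginary three-tier system.
# Anything not listed here is denied, whatever protocol is attempted.
ALLOWED_FLOWS = frozenset({
    ("user-workstations", "web-frontend", 443),
    ("web-frontend", "app-tier", 8443),
    ("app-tier", "database", 5432),
    ("admin-jumphost", "database", 22),
})

# Constructed sample log: a compromised workstation trying several
# different ways to reach the database, one legitimate admin path,
# and three logins using the same (phished) password.
SAMPLE_LOG = """\
2024-05-01T10:00:03Z event=conn src=user-workstations dst=web-frontend dport=443 method=https
2024-05-01T10:02:11Z event=conn src=user-workstations dst=database dport=5432 method=psql
2024-05-01T10:02:14Z event=conn src=user-workstations dst=database dport=445 method=smb
2024-05-01T10:02:20Z event=conn src=user-workstations dst=database dport=3389 method=rdp
2024-05-01T10:03:40Z event=conn src=admin-jumphost dst=database dport=22 method=ssh
2024-05-01T10:05:00Z event=auth user=alice password=ok mfa=missing how=phishing
2024-05-01T10:05:30Z event=auth user=alice password=ok mfa=missing how=sticky-note
2024-05-01T10:06:00Z event=auth user=alice password=ok mfa=ok how=authenticator
"""

Decision = namedtuple("Decision", "timestamp summary allowed")


def parse_line(line):
    """Split '<timestamp> key=value key=value ...' into (timestamp, dict).
    Malformed tokens or a missing event type raise ValueError rather than
    being silently accepted."""
    timestamp, _, rest = line.strip().partition(" ")
    fields = {}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"bad token {token!r}")
        fields[key] = value
    if "event" not in fields:
        raise ValueError("missing event type")
    return timestamp, fields


def flow_allowed(src, dst, dport):
    """Default-deny microsegmentation: only explicitly listed flows pass."""
    return (src, dst, dport) in ALLOWED_FLOWS


def login_allowed(password, mfa):
    """A correct password alone never grants access; the second factor is
    required regardless of how the password was obtained."""
    return password == "ok" and mfa == "ok"


def decide(line):
    """Apply the system's own policy to one log line."""
    timestamp, f = parse_line(line)
    if f["event"] == "conn":
        ok = flow_allowed(f["src"], f["dst"], int(f["dport"]))
        summary = f"{f['method']} {f['src']} -> {f['dst']}:{f['dport']}"
    elif f["event"] == "auth":
        ok = login_allowed(f["password"], f["mfa"])
        summary = f"login {f['user']} (password via {f['how']})"
    else:
        # Default deny applies to the policy engine itself: an event type
        # it does not understand is not allowed through.
        ok, summary = False, f"unknown event {f['event']}"
    return Decision(timestamp, summary, ok)


def denied(log=SAMPLE_LOG):
    """Every event in the log that the policy stops, in log order."""
    lines = (l for l in log.splitlines() if l.strip())
    return [d for d in map(decide, lines) if not d.allowed]


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        d = decide(raw)
        print("ALLOW" if d.allowed else "DENY ", d.timestamp, d.summary)
```

Note that the three blocked database attempts (psql, smb, rdp) are stopped by the same one-line rule, and the phished and sticky-note passwords fail for the same reason as each other; nothing in the policy had to know those methods existed. Adding a fourth movement technique or a new credential-theft trick changes the log, not the policy.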

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of the book Cybersecurity Readiness: A Holistic and High-Performance Approach, a SAGE publication. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and workshops, consulted with companies and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia. As a Duke University Visiting Scholar, Dr. Chatterjee has taught in the Master of Engineering in Cybersecurity program at the Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. The discussion today will focus on cybersecurity technologies, and the significance of government and industry partnerships in developing these technologies. Some of the questions driving our discussion are: what progress has been made in the development and use of cybersecurity technologies? What does it mean to be attack agnostic? When developing cybersecurity technologies, how near or far are we from taking the burden off people trying to protect themselves from different types of cyber attacks? And how significant are the government and private sector partnerships when it comes to dealing with current and future cyber threats? I'm delighted to have as my guest today Dr. Pat Muoio. She is Partner at SineWave Ventures. Pat is an expert in matters of cybersecurity and computing, vetting the technical viability of emerging technologies. She's had a 30-year career in the intelligence community in a variety of technical and leadership positions. Pat has a bachelor's degree from Fordham University and a doctorate from Yale. Pat, it is so delightful to have you as a guest today. Welcome!

Pat M:

Thanks a lot, Dave. I'm really happy to be here. Looking forward to the conversation.

Dr. Dave Chatterjee:

Fantastic! So before we jump into the details of our discussion topic, how about sharing with listeners some professional highlights?

Pat M:

Sure! So I've had a varied career. And in my time at the Agency, I worked in a number of computing, analytic and cybersecurity roles, ending up in the research part of the organization for the last third of my career, working on hard problems in those areas. In my last position in the Trusted Systems Research group, we investigated secure operating systems, mobile security, mobile phone security, formal methods; we tended to do the kinds of research that individual companies can't afford, or where the lead time is so long that you need somebody to do the foundational work before companies can pick up on it and start making money. Since then, I did some consulting work with NIST for a while on the cybersecurity framework and a number of other issues, cyber-physical systems security, and so on. And then I joined SineWave, which is an early stage venture fund concentrating on enterprise technology that can help entities that haven't been using information significantly in their business processes to become more information driven. And the government certainly fits that characteristic, as do a number of industrial segments, and so on. And I've been with SineWave for about eight years now, really scouring the technical landscape for interesting technologies, again in the areas of cybersecurity, computing and analytics.

Dr. Dave Chatterjee:

Fabulous! In fact, I'm really intrigued to learn about your career trajectory, considering that you got your doctorate in philosophy, so was it on the liberal side of things?

Pat M:

So the philosophy that I did, my education, was in the area of phenomenology, which is about learning about what's essential, or what really matters about things, by considering the context in which they live and the accidents that you can observe about them. And so it really is a way of looking for the essential gist of a matter and coming to understand reality in that way. And I think that's been a central theme of all my work throughout the agency: what I have is this ability to sort of cut through what's accidental and get to what matters. The other thing that was a strong concentration was logic, which tends to go hand in hand with some phenomenological stuff. And so that, again, was a thought area that really stood me in good stead in my very varied career. I feel very fortunate because I got some really exciting technical opportunities that one typically wouldn't associate with a philosophy degree, and was able to really become what I consider myself now, a technologist, despite the fact that I had probably the least technical degree also.

Dr. Dave Chatterjee:

I'm glad you said what you said, because I know many listeners will be inspired to hear that. In the past episodes, I've had discussions with other experts, and many of them have been very vocal about the importance of drawing people from different fields. Cybersecurity does not have to be the monopoly of the technocrats, and by technocrats we normally mean the computer scientists or computer engineers. It's a pretty large field, and it could benefit from a variety of intellects, it could benefit from an eclectic perspective. So that's truly fascinating. Getting to the discussion on the state of cybersecurity technologies, progress is being made in a variety of areas, from authentication to behavioral analytics, blockchain, Manufacturer Usage Description (MUD), which is associated with IoT devices. I'm interested in how you size up the progress. Where do you see the strengths? Where do you see the gaps? What's your assessment of the cybersecurity technology landscape?

Pat M:

So I think there are many excellent component technologies; I would actually even say a sufficient set of component technologies to build strong cybersecurity solutions. I think that many problems like endpoint protection, network segmentation, authentication, encryption are essentially solved. There are technologies that do these kinds of things and do them well. Yet there's still a number of breaches; the breaches rise with the investment in cybersecurity, in some sense. And that is not causal. But you'd still be wondering why, if there are these basic, fundamental, sound building blocks, the solutions are not as robust as we would like. And I think what's really lacking is the ability to architect these components into a solution, to understand, again, what matters, what needs to be guarded against, what needs to be in the internals of the system, and how to make these things usable. There's a lot of guidance about the controls you have to have in place, and there's 128 of them, or whatever. And people have a hard time finding their way through these lists and lists of things to a solution, a reasoned solution that works in their space. And I think that's where a lot of the work needs to be done, is making these technologies work together and work appropriately for the system in which they are used.

Dr. Dave Chatterjee:

Interesting. Very interesting. So while we were going through our planning meeting, you made a very interesting yet poignant statement. You said that "we need to be able to develop technologies that should be attack agnostic." I'd love for you to expand on that, because I know listeners would love to hear that perspective.

Pat M:

Yeah. And I think, again, talking to why stuff has not worked as well as we would have hoped to date: part of this is due to the fact that a lot of the development of technologies, and particularly the selling of technologies, is centered around threats, scaring people about threats, figuring out what threat is where, advertising this particular piece of technology to deal with this particular threat, and so on. And what that does is it creates this marketplace with a gazillion pieces of tech in it, many of which do just niche little things. And the user really has no great understanding of which of those attacks are likely for them. How severe are those attacks? Is this the only solution against that attack? Is something else I'm already doing as a side effect addressing this particular attack? And so on. So when you concentrate on the attack, on the externals of the system, on what's coming at you, it's a much more confusing space, and one in which it is difficult to get confidence that you're really covering the waterfront. If instead you take an attack agnostic approach, and you look at technologies that you can deploy internal to your system to make your system impervious to attack no matter what that attack happens to look like, you can have much better success. So for example, you're worried about an attacker getting into your system and moving around to get from a compromised user space, for example, to a space where they can do some damage to your system in terms of stealing data or encrypting data or whatever. And so you think about what are the technologies that enable me to stop anyone from moving around; it doesn't matter what exact movement method they're picking. What matters is, if they're moving in a way that you don't want, that your system does not authorize, they should be stopped, right? And so there you deal with things like microsegmentation, you can deal with some Zero Trust kinds of policy driven solutions, where what it does is simply stop lateral movement regardless of its accidental characteristics. And again, since you asked me about philosophy, this is a very phenomenological approach, right? You stop the essential thing, which is movement, rather than the accidental thing, using this means to get around. And it becomes very important; you can see this with access control, right? There's all of this anti-phishing technology; phishing is a huge threat. And I think we'll probably talk about it later, I think we're going to talk about how humans can interact with these technologies. But anyhow, phishing is a big threat, and you want to stop that, you want to stop people from stealing credentials via phishing. But it's also the case your credentials can be stolen by password guessing, they can be stolen by web scraping, they can be stolen in a bunch of different ways. And what you really want is to stop the bad guy from using credentials regardless of how they stole them, right? They read them off my sticky note; regardless, you want to be able to stop them from using credentials, and this is simple mechanisms, like two factor authentication, which means you stole my password, now you also had to have stolen my phone if you want to use that password effectively, because the two factor authentication would require that additional means. So there, you're not looking at phishing as the method; you're looking at the fact that via phishing someone stole credentials, and you can stop stolen credentials from being effective in the system. And this is what it means to be attack agnostic: you stop attackers from getting in, you stop them from moving around, you stop them from getting out, exfiltrating your data, or encrypting your data, executing their payload in any important way. And the details of how they choose to do them, the shape of the malware they choose to execute, simply doesn't matter. What matters is that these actions can be identified in the system and stopped in a more general way. Long there, but...

Dr. Dave Chatterjee:

No, I think it's very interesting. Thanks for sharing. As a follow up, while you're saying that it doesn't matter how the hackers get into your system, wouldn't I want to know how they are doing something to be able to prevent it from happening in the future? Or am I missing a point here?

Pat M:

Well, I think you need to know it if you're a security company that is making solutions that would stop it in the future. I think you need to know it if you're a government that's analyzing these things, to understand this data threat, perhaps do forensic activity to find bad guys and stop them. But as an average user, say you knew a malware took this particular form, what could you do differently, right? If you had a technology that would be effective against that particular form of malware, you would have deployed it, because it's unpredictable when the malware is going to come at you. If you don't have a technology that deals with that particular shape of malware, you then have to fall back on using these attack agnostic methods that don't care what its shape was. So you might want the knowledge, I don't know, for reporting to management, but in reality, if there are no knobs in your system that you can turn using this information, what's the point of having the information? There's nothing you can do to change your response to the threat because you know the particulars of the threat.

Dr. Dave Chatterjee:

Okay, that helps. I guess I was approaching it from the perspective of a developer of solutions.

Pat M:

Correct? Yeah, correct. There, you do need to be aware of what's going on in the world. And one of the things that's actually different about my role in SineWave compared to my role in the government is that my focus has really switched to cybersecurity from the consumer's point of view rather than from the developer's point of view. And that's been a different and interesting change in thinking.

Dr. Dave Chatterjee:

Interesting, and I think this is a great opportunity to share with both the user and the developer community some words of wisdom. For instance, if I'm a developer listening in on this conversation, what should be some focus areas to develop new technologies? And say I'm a consumer of these technologies, how should I approach cybersecurity governance? And I know these are very broad questions; I'll let you take it whichever way.

Pat M:

A couple of paradigms or topic areas that I think have a lot of promise, that if I were developing technologies at this point, I would be concentrating in those areas. I think Zero Trust is a hugely important insight, a concept that's been around forever. But now computation is quick enough that you can actually readily carry out the kinds of activities needed to make sure that if somebody's coming into your system, they're supposed to be, and that when they're in your system, they're doing things that they're supposed to have access to. So I think there are many exciting Zero Trust technologies, ranging from the network layer up through the application layer. And I think that area is really important, and is attack agnostic in the way I think it ought to be. The other thing that's exciting to me is Context Aware security. As we were less mature in our understanding of security and security policies, we often had to make decisions that were sort of all or nothing; there was no nuance to the execution of security controls on our system. And that led to some unfortunate situations. There was the Facebook hack, where they were down for many, many hours because their security controls made it difficult for their resilience people to come back in and bring the system back up. And so when you have these very draconian black and white choices, and they're the only ones available to you, it can often be problematic. So I think Context Aware security, where you can be much more nuanced in what you allow and why, looking at more features to determine whether this activity is one you want to permit or not, I think that's very important as well. And I think over time, as we start having more machine to machine communications that we want to secure, for example, we're going to need the policies to really be robust enough to handle operational situations that aren't always the same, and black and white doesn't always work for it. I think there's still some... the hardware layer always, I don't know, seems always to be the least covered in most people's investments in cyber. And in some sense that's problematic, because the more foundational you are, the better. In some sense, I think it kind of makes sense, because hardware attacks are often close access and beyond the realm of many over the wire hackers, and so maybe they're not so important for the average user. I think blockchain and AI... I'm a little ambivalent about blockchain. I think it has a lot of promise for data provenance. Unfortunately, I haven't seen it used yet in a way that delivers on that promise. I remain optimistic that it will end up being an important part of our solution space, but I'm a little worried as to why it's taking quite so long to find its way. There's some stuff as a consumer that I would in general worry about. For example, a lot of people are selling behavioral analytics and AI, and they're selling it in language that makes it sound like the decisions that come out of these systems are ones you can rely on and act on. And what's not often spoken about or well understood with cybersecurity artificial intelligence is that artificial intelligence is probabilistic, at best, right? It can be completely right, it can be only right to a certain percentage. And in some cases those percentages are quite high. But in some percentage of cases, they're really not. And when people want to take actions on these probabilistic measures, where the confidence measures are not clearly understood or displayed by the technology, I think you can get into some very, very bad situations. I've seen some insider threat situations in particular, where people use these probabilistic approaches and say, oh, this guy has been coming in late at night, or he's printing from an unusual printer, and stuff like that. And then they start opening security cases on these individuals, and it can be quite life disrupting when it turns out the probability of those things meaning you are a spy or meaning you are a hacker is in the 70 percents, right? So it's going to be wrong a lot. And I think as we start doing these more disruptive actions based on these conclusions, we have to be a little more careful that the people taking these actions really understand the confidence in those kinds of conclusions. So for that reason, I'm very leery of many of the behavioral analytics and AI technologies that are coming out now. The other thing that I think consumers or users need to think about is, what are they shaped like, right? If the technology assumes a security operations center, and they don't really have people that can look at all of this data and make sense of it, that's not a technology they should buy, right? If the technology assumes a level of expertise in their own company that they don't have, they should not be looking at those technologies as things they should deploy. And it may be that the other solutions are simpler, but they are more appropriate to use in their setting, because the chances of error are much, much lower, because they match what the company is structured as and what their security knowledge consists of. And then the final thing I want to say on this is users ought to know when less is more. There are a number of partial technologies, things that address this or that individual cybersecurity problem. And the thought is, as you buy a bunch of them, then magically they all work together to come up with a holistic solution. But their working together is often problematic, and the holistic solution often still has gaps. And the individual problem may be actually solved by something else. So for example, ransomware is malware with an encryption payload rather than a steal your data payload. If you had strong malware protection, you don't need additional ransomware protection, because the problem with ransomware is that malware got into your system; that it chose to encrypt rather than steal doesn't mean you need something different to fix it. And so I think people need to be careful to understand when risks that sound very, very different in their effect are actually the same in their cause, and that their solution space needs to address the causes and not the effects.

Dr. Dave Chatterjee:

Great insights. And you've shared so many things that I'm excited about. So I want to pick up on a few things and share my two cents. First, you're so right that there's so much out there by way of technology solutions. And we are getting swamped and inundated with new names for new types of attacks. And it is very hard, even for reasonably sophisticated professionals, to organize these different types of attacks under categories and try to see the big picture, like how would I map these attacks to the different types of vulnerabilities and the tools associated with the vulnerability. There has been some mapping, I'm privy to that, but it is very, very confusing. It is very technical. And when somebody is buying or investing in new technologies, there's gonna be people who will not have this kind of a background, or may not afford to have the expertise to filter through what the vendors are offering. There, the suggestion that I have, and I think it is in sync with what you're saying, is let the vendors provide you in writing what their solutions can't do, what they are not promising, and how is that significant or insignificant from their assessment of the company. And talking about company assessment, you're so right when you said just don't keep buying technologies because your competitor has them, or you read about it; understand your organization, understand your needs. It goes back to technology 101. Like, again to quote you, you said less is often more; I couldn't agree with you more, and in the world of general technology implementation I like to share my perspective that if possible, you're better off investing in one or two platforms as opposed to having 15, 20 different solutions, because now it becomes a coordination challenge, a coordination nightmare, a maintenance nightmare. So the extent to which you can simplify your solutions, the extent to which you have greater clarity on what you mean by cybersecurity defense in the context of your organization. And once you have that clarity, evaluate the vendors, evaluate the solutions, see what fits best. And finally, it's not enough just to buy the tools; look inwards and see is the organization ready, from a people standpoint, from a process standpoint. You will agree that, going back to the people, process, technology framework, they all need to fit. You can have a great technology, but if you don't have the right process, you don't have trained people, the end result is not going to be great. So to find that balance requires some planning, requires some reflection, requires some thought, as opposed to just falling for a pitch. So that was great, you covered a lot of very, very interesting and important ground. So moving along.

Pat M:

I want to add to what you just said, which I agree with 100%. And I think it's particularly interesting when we're going into sort of an enterprise that already has significant cybersecurity investment, i.e. some of these new technologies, some of the Zero Trust, for example, actually render obsolete a ton of the stuff that people have already bought, and enable you to take a fresh look at your architecture and perhaps jettison a number of tools you have in your inventory. One of the things I worry about is that CISOs don't do that often enough; they don't look at their system and say, all right, now that I have this other opportunity, this thing can go away. They're afraid to look like they made a mistake if they argued for this $300,000 piece of technology, and now they're saying, well, we can get rid of this $300,000 piece of technology; people would then say, well, why did you make me buy it in the first place, it's only been two years, what's the issue here? And so I think we need to get a different kind of technical integrity in the decision making on this space, realize the space is evolving, and realize that revisiting and changing is not an indication of error, and that we need to be brave enough to just do that.

Dr. Dave Chatterjee:

Absolutely. You have to manage expectations. From a CISO standpoint, that means you have to be able to educate, inform, socialize your leadership team and prepare them for what you just said: that yes, I might come to you asking for money to invest in certain technologies, but do remember that it's quite possible that in a matter of a year's time, or even less, these technologies might be obsolete, and we might have to think about investing in something else. That's the kind of world we live in; it's a kind of an informed risk that we need to take. I think the word here is informed risk. Yeah, because like you said, just like with AI solutions, there is a probability involved. Similarly, with human decision making, we are making decisions based on the information that we have. As long as we've made a reasonable effort to get our arms around the issues and make informed, as opposed to chaotic, impulsive, reactive decisions, I think we are a little better off. I don't know if we have this one ideal approach, an ideal solution, but I think the message that I'm picking up from you, cutting through the technical aspects of it, is you have to be very deliberate, you have to be very thoughtful, you have to involve the technocrat as well as the business person, so offer both the perspectives and then look at it from a holistic standpoint, develop an integrated view, as opposed to a siloed approach to things. So moving along to a question that is very close to my heart. I imagine a day, and I'm sure many do, where humans don't have to worry about knowing the do's and don'ts. Will there ever come a day when I could be as carefree as possible, and click on anything I want, knowing that there is technology that will not allow the perpetrators to exploit that and do damage? Will we ever get to that world?

Pat M:

So I am optimistic that technologies exist or are under development that will enable the system to take care of itself, even in the face of user error. Now that said, people should always be responsible and, yeah, don't be foolhardy. But I think it's unreasonable to say, all right, let's do phishing training so people will recognize that this is a phishing message. Phishing training is not all that successful; attackers get more and more clever about making messages look like legitimate messages, people are often in a hurry, the boss wants this now, and they're not going to stop and parse the front line to make sure it's an L and not a one. So I think it's unreasonable to put the burden of reducing phishing on phishing education; I think there are technologies that can do that parsing for people, and so on and so forth. But apart from that, as I spoke earlier, if you architect your system in a way that even if the credential is stolen it is not useful, the phishing won't be as problematic. And there's lots of things that talk again about zero trust technology, that even if somebody got in, they can't move around, or they get in, they're recognized as bad, and they're stopped from executing. So I think there are going to be technologies that let the system protect itself. I think part of what we need to do is stop expecting the user to be an element in that protection. And we have to stop thinking that there has to be humans in the loop for all these security decisions, and get comfortable with the notion of the system protecting itself, and not that every security block, that every action block, needs to have a human okaying it. So long as the human is in the loop like that, then we will have technologies where the system has to protect itself, because there'll be this time lag in which bad things happen. And you can't overcome that. So I think yes, as these technologies develop, as people become more comfortable with the notion of self-protecting, self-healing systems, we will be able to take some of the burden off the users. And now we should certainly take the blame off the users. But it just doesn't make sense; it's hard to think that putting them at fault does you any good.

Dr. Dave Chatterjee:

True, very true. You want to be able to take the human element out to the extent possible. Otherwise, it's a never-ending problem, because you can train, you can make people aware, but then people will forget, and then you have to retrain. So the extent to which, like you said, we can develop self-healing systems, self-correcting systems, self-fixing systems, whatever the appropriate word is, which is where I think a lot of development is taking place as well, I think that would be a welcome improvement, a welcome change. So from the standpoint of technology development, it is a given that you want the best resources involved. If you just left it to the private sector, they would innovate, often to the detriment of society. That's where government comes into play, rules and regulations come into play to lay some ground rules. At the same time, the government is able to do things that the private sector cannot. What is your assessment of the partnership, in terms of where we are and where we should be?

Pat M:

So I think it's interesting, because there's a lot of new initiatives in terms of public-private partnership in place, and certainly the awareness of the need for this kind of interaction is heightened these times. Where it seems to be working well is in what I would call a forensics situation: something happened, and the government helps the private sector figure out what happened, what are the characteristics of that attack, how could they prevent it, and so on. And I think that's important collaboration and a fairly effective collaboration; then the government could disseminate warnings or papers that describe these conditions, and so on. The downside of that, though, is that's a very attack-centered way of working. And as I said earlier, I think that that way of working is really long for the world. And I think for the security community, that collaboration is viable and important. I think for the user community, that collaboration doesn't have as much impact. Another type of collaboration that I'm quite familiar with is research collaboration or development collaboration. I think that's usually important. As I stated in passing earlier, the government is often in a position to do research that's longer term, where the payoff is more uncertain, where you don't need to get to a bottom line, to revenue, within three years, which the industry just can't do. And I think recognizing the enabling ways for that government investigation to translate effectively into the private sector is very, very important. I think there are initiatives to involve academics or commercial people in actual government research, and I think those provide some transition paths that are quite valuable, and I applaud that and think there needs to be much more of that. There are activities to have government employees embedded in companies to learn how the problem looks from the commercial point of view, and similarly, I think that kind of research and development collaboration is extremely important. One of the issues that I was involved in, and changing my mind about actually, is the issue of government guidance for normal enterprises, or small and medium businesses, or users of any type. And the government is very, very smart and knows a lot about that guidance, and has a lot of processes in place to get good input from the commercial sector on that guidance. The NIST framework, for example, had many conferences in which people collaborated on what this guidance should look like, and what are the controls that matter, and what are the levels that make sense. And I think it was greatly enriched by that commercial involvement in its formulation. However, the government has fairness requirements, and requirements that keep them from saying anything that will block innovation; that leaves that guidance at quite a high level. So I think the NIST framework is right, but for many people it's kind of difficult, if not impossible, to actually use to help them make concrete decisions. So I think there's a step, a collaboration step, that's missing from the statement of the initial, and that, again, for the fairness reasons, and you can't stop collaboration reasons. That's right, you don't want this to come out saying, for control number three, you need Joe Schmo's encryption mechanism, because we know it works, because that's giving Joe Schmo an unfair commercial advantage, and that's saying that the only thing that will work here is encryption, and if some new method comes out in the future that will work just as well as encryption, it's proscribed, wouldn't meet the sort of standard and guidance. So you have to keep these things in a way where you allow for the inclusion of new technologies to comply with the standards, even when you have not yet imagined those new technologies, and to avoid picking winners. So that leaves this translation space, that I think in the formulation of the framework, this was the lead and the commercial people provided contributions, perhaps as this other stage where the commercial people, the various industry segments, interpret that guidance and make it more consumable for individuals. So I think a government certainly has the expertise and the wherewithal to think seriously about these problems in a foundational way, but then getting that foundational understanding translated into pragmatic solutions is a place where, both in terms of tech transition and interpretation of guidance, I think some work is needed. Yeah, I guess I'll stop there.

Dr. Dave Chatterjee:

Makes sense. It makes a lot of sense; you've again touched upon many points. And as you were speaking, it kind of dawned on me that we're really talking about, and it's probably a bit of a philosophical note, we talked about this important tension between complexity and simplicity. To solve problems of the magnitude that we are dealing with in the cybersecurity space, these are complex problems that often require complex responses. However, the communication of it, like when you say the prescriptive part of it, to be able to filter down what needs to be done, contextualize it, that's another skill set that is so important. Because what's the point of making 112 guidance or recommendations about controls? Some people will just look at the enormity of it and will just say, well, I don't think I have the time to go through it; I'll just go and hire somebody and get them to give me some quick suggestions, or what are the basic things I can do to protect my organization, I don't have the time to go through those 115 guidance or recommendations. So that's where we need some expertise to help contextualize the recommendations. And I know that CISOs and CIOs play that role: they get the details and then they filter through it and then they try to implement what makes sense. So that's kind of my two cents. We are coming to the end of our session here. I've been really enjoying it, so it's too bad that we have to call it for today. But I'd like to give you the opportunity to conclude the discussion with some final thoughts, some key messages for the listeners.

Pat M:

Yeah. So I guess, and you were coming at this, I think, in the comments you just made and comments you made earlier: when it comes down to it, really what matters is that people think critically about their system and their problem space and their solution space. And yes, there are ways in which their situation is similar to others, but there are ways in which their situation is different from others, and they need to not get caught up in marketing so much as in a decision-making process that's driven by an understanding of what they do, and what they need to protect, and what their system is structured like, what their skill levels are, and really thoughtfully choose their solutions with that understanding of their starting point in mind. I think this return to understanding solutions that are based in your system, and not concentrated on what the attack looks like, but what is my system and, more importantly, my business workflows, what do they look like, and build solutions that protect them, and not solutions that are based on external threat conditions, I think there's a lot of promise. Despite the fact that there are still a number of breaches, I think the technology has come a long way, and people are beginning to think, to be much more security aware. It's a big disparity between where enterprises are at and where small and medium businesses are at, and so the ecosystem can have a lot of bad things floating around in it, just because a lot of users are just simply not security aware at all. There's no security hygiene in huge parts of the ecosystem. I certainly see the interest in using security solutions moving way down to smaller and medium-sized businesses, and I think that will actually be a big help too, in that the whole ecosystem will be healthier as more and more of the users begin to become security aware.

Dr. Dave Chatterjee:

Fantastic. That was terrific. Thank you again for your time. And as I said, I look forward to many more future discussions with you.

Pat M:

Excellent, thank you very much, and I really enjoyed it.

Dr. Dave Chatterjee:

A special thanks to Pat Muoio for her time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.

About the Podcast

The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host


Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is a tenured professor in the Management Information Systems (MIS) department at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee's interest and expertise lie in the various facets of information technology management, from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee's research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.