DtSR Episode 380 - Gadi Tells It Like It Is

Automatic transcript (cleaned up for spelling and punctuation; passages the speech recognizer garbled beyond recovery are left as they were)

It's time once again to venture down the rabbit hole into the world of cybersecurity. You're plugged into the podcast for security leaders and practitioners with a business sense. Prepare for unique interviews, insights and practical advice that makes your job just a bit easier. And now please welcome your guides for this adventure, James Jardine and Rafal Los.

Good morning, good afternoon and good evening, friends and colleagues. Welcome to yet another riveting edition of the Down the Security Rabbithole podcast. It's Raf riding solo today. James is out there somewhere doing the real-life thing, and I have with me a longtime friend, a guy from the industry that you all probably should know. We've got a lot of ground to cover, so let's get right to it. As I said, I've got somebody with me that I've been trying to get on this podcast for a bit. So on that note, welcome, Gadi.

Hey. Hey, hey.

All right, so, all the way over on the other side of the pond, tell us who you are and what you do.

All right, well, first of all, thank you for bringing me on the podcast. I appreciate that, and I'm actually pretty excited about it, because I think this is the first time we've spent together in a few years, except for a few years ago where... that was kind of fun. Yeah, yeah, yeah. As long as we don't necessarily walk into the show, it's pretty fun. All right, tell the people who you are.

Yeah, so hi, everybody. I'm Gadi. I am basically a security professional, working in security kind of all my life. I guess I started as a teenager, but I was on the defensive side. I've been a CISO at the Israeli government Internet operation. And I've had a startup; I worked with beatable UC developing next-, first-generation, forgive the buzzword, models and services, and I figured I didn't want to buy next-generation Soviet consultant.
I've worked with a lot of things in this industry, but honestly that's one side of what I do, which ended just a couple of months ago when I left my startup, Cymmetria, after six years.

Wow.

And now I'm looking for whatever else I'm going to do next. And then on the other side of my career, I guess, the community: trust groups, information sharing, trying to take care of the Internet infrastructure, and people working groups, stuff like that, which I find pretty important to me personally.

And every once in a while you sleep, right?

Yes. I'm not sure about what time zone, I mean nearly never, but I do sleep once in a while, on occasion.

You just got back from the US where you were running a conference in Austin. You want to tell us a little about that?

Oh, I would love to tell you more about my conference. Yeah, so it's not really my conference, it's more of a community conference. It has several names; we like a little bit of chaos. It's called Art into Science, it has the name A Conference for Defense, and actually also "school confessed on defense," because it doesn't really work but it sounds pretty good. It was the last week in Austin and it was the fourth year. A little bit about the conference: so years ago, we were all, everybody, kind of frustrated with security conferences, and we decided we could do something different, but we didn't know exactly what. It started at the desk where I was sitting down for drinks with Stephen, Joe Wilbanks and Steve Oriented and the guys, and people came back. They'll be calling was there, and many others, and throughout the day, Dave Cross, eight hours and some drinking, just like to say we created a model trying to figure out the basics of the basics, the first principles of security, and we just... It's so much fun, you know.
I've known so many people in this industry who are just frustrated going to work every morning, trying to figure out what to do, because we know we're going to lose. And it's not that what we do doesn't matter; it's not that every control we put in place doesn't actually help. But when it comes down to it, we know we're fighting an asymmetrical engagement, and if the bad guys want in hard enough, they're going to win. And one of the things that frustrated us was that security conferences were essentially about the attacker. You know, putting the attacker on a pedestal. If you wanted to do something about defense, you had to hide it, in a way, behind an offensive kind of facade, or you wouldn't be any kind of title. It's still the same case today: even though a lot of conferences opened up a defensive track now, it's still the case.

Yeah, let's face it, right, the things that make the headlines, the things that get you interviewed and onstage, and, you know, it's all the cool stuff, like what made all the headlines a few years ago, right, a bunch of guys stunt-hacking a Jeep in the middle of the expressway. That's the main thing.

So that's an example I give: I can hear about the Jeep being attacked, which is pretty cool for fifteen minutes, but then what? This industry is more than just about headlines. It's about getting something done. I want to get something done, so honestly, if I can get people, whether they are two years in the industry, a month in the industry or forty years in, to do something about that... Because this leads into another issue, which is we have professionals in this field, but in any other professional field, if you want to implement even two-factor authentication tomorrow, they're going to open up a discussion on a whiteboard and start drawing. We don't have these best practices in place. We don't have the designs in place. Mostly you don't know things don't exist.
We don't do it as an industry, and that's frustrating for me personally, as it is for everybody, because... This is something that I tried tackling one job ago: that every new CISO comes in and starts effectively from scratch, every security professional tries to implement their own security controls as if it's never been done before. It's not that the technology is not there, it's not that the knowledge isn't there; it's that we haven't figured out a way to, as you just said, create those patterns and share them effectively so that people simply implement them, had a big list, create and share them, so creating them about kind of... So my claim is that we are doing art, we're failing at science, and I would like to get to that science part, but if we could start even by methodology, where you make things repeatable, it would be amazing.

Yeah, we're trying to get there with things like operational playbooks, but it's still pretty tough, I mean everybody still develops their own.

You know, look, we're all a little bit frustrated, and then start moving toward the solution. So, for example, there are many people out there, the defensive side people, and I would say the people who don't have information. I was one of the people who started what's called trust groups and information sharing groups online, and I know that there were things before, don't get me wrong, and the thing is, because we are overconfident, compartmentalizing, we're over-secretive, and you can blame us, these things will suffer for it, but the Internet might suffer for it, but so many people do anything with information. How do we get it to them? You know, in 2003, 2004, the antivirus industry was still pretty much the antivirus industry, as opposed to the security industry, and they were guarding information
like crazy. The ethics of the time demanded it. Didn't matter if you were a huge company like, let's say, Cisco or Check Point; you're not the antivirus company, therefore, you know, if you touch a virus, malware, if you try to analyze it, you're blacklisted. That was kind of the ethics of the time, and everybody needed information. People got it... That was the year of the worm, 2003. I was fighting for people to recognize, you know, botnets exist, and to do something about that, and honestly just opening up a mailing list, putting people on it, trying to start discussing these things and getting things done on the defensive side, whether it's an idea or whatever it is, just doing something at the time that would give some form of visibility and control helped a lot. Nowadays, if you look at threat intelligence and hunting, information isn't out there, and people need it. So how do we get them in? On the other hand, trust groups do not want to let more people in, even though they have processes in place to vet them, because the larger the trust group grows, the more trust is lost, and eventually people just migrate, lenient style, to a new trust group, and yet another group, and yet another. That's another problem. We had a public conference, where most of these... this is where the discussions, this information sharing, happens in closed circles, and probably the conference would allow us to filter people in, learn to trust them, as well as, you know, the talks, and give information up there. That's another thing we wanted to do.

So I get it, but the counter-argument, of course, is that if you're not careful, you let in the bad guys, who then know exactly what you'll be doing, and when, and how much you know, and they'll change their tactics, right?

No, I agree.

But that's a valid counter-argument, which makes this whole trust concept really difficult. There's been, what, like eight,
ten companies that have tried to address information sharing and essentially operationalize, building the tools, the concept of trust circles. I don't know that any of them have been really successful, because we're not there yet.

Absolutely. And you know, the interesting thing, if you look at Internet governance, another counter-claim for that: you can see that people talk about what's easy. Usually people don't do a good job up there, but they talk about privacy, they talk about, first of all, they talk about ICANN. Because, I couldn't... Steve Crocker, when I let loose venting some decade ago, essentially said... If people don't know Steve Crocker, he's one of the guys who invented the Internet, wrote RFC 1, a lot of other things, and a very, very good guy. So essentially he said, Gadi, I understand your frustration and understand where you're coming from. Essentially he said that that'll work. What I said, I think in many cases you're blaming other people, blame ICANN, because it's there. There's really an Internet governed by the out there. That's where things around domain names are, that's where people concentrate so much. The same on information sharing, and yes, many of these companies did not succeed. But what did succeed, and the only thing that actually protects the Internet today, and I say "only," big dot-dot-dot in a second, and the only thing that actually has governance out there today, is volunteers: network operators, antivirus researchers, reverse engineers, system administrators, whatever, some people from law enforcement, get together in unofficial circles and talk to each other and try to defend it. It's just volunteers. Most of us, let's be honest, didn't sign up to be Internet government, any government, than we are not with us right now going. These are the only thing everybody can agree to: that's bad, let's take it down. Stuff that doesn't, for example, but I want to move forward from all of this and say, where it came down to it, you decided to quit.
The conference appears, go... I just met with Mike Johnson, with, at the time, Salesforce. Ben went away, now he's closely mostly, and he said, you know, I just want a conference for defense, and that would start a track there, the philosophy track. It could be called management or strategy, but we just feel... because when we talk about it, let's talk about first principles. We've all been in discussions about it, but let's actually model things. Let's see how this works. Let's push to art and design and build the knowledge base of security. There are so many things out there. Let's make sure, number one, we find them. We build spaces where people can create new ones and present them, as well as put them out there in an RFC-like form. And that's what we're starting to do now, in the fourth year, on the philosophy and on the operational track. The goal is: no stories, no telling us about the industry, no Sun Tzu quotes. All we want you to do is come in, share with us what you've done, show us how we can replicate it, whether it is new or old. And essentially what happened is that people go to conferences and they're used to getting three ideas at a conference, and our goal is essentially a signal-to-noise ratio: we want every talk to give you three to ten. And that's what we have achieved, and I'm very proud of that. So ACoD is in Austin every January, and honestly I'm extremely proud of the community and the work behind the conference. When a huge bank comes to you and says, I'm going to skip Black Hat, I'm going to skip... this is a conference I can bring my entire team to, I'm just happy with it.

So that's pretty amazing. That's what we're doing over there. I know you don't have a lot of... You can't believe this: early people push the senior-wise, if they say you're doing a good job, but sometimes somebody comes along with a compliment, it's not necessarily direct, and you think about that, because you need that energy.

Yeah, right, well, I mean, this is it.
It's not... getting one of these things started is far from trivial.

Let's face it, I didn't start alone. There are many others involved: Trey, Neil, Mike Johnson, Randy did amazing work around all of this, even just being out there. You know, Kimberly Price, there's so many people involved. Joe, I mentioned Steve, just endless people. People see this as their own home, and if they want to do something with the conference, they just do it. It's a platform. We don't really stop them; we just try to enable people.

Yeah, yeah, that makes sense. I mean, that kind of stuff definitely makes sense. Would you think that... I mean, look, the industry's been around almost close to twenty-five years formally, right? I would say mid- to late nineties, when infosec really started becoming a thing, like RFP's discovery of SQL injection was back in '98. I would argue that maybe two or three years before that, security was a word people, infosec people, started using. But we can also go back all the way through the Orange Book, you know, and go to Stuxnet...

Or, you know what, I actually have... I think I have a date for when the industry really started. People have been doing that since the seventies and even the forties, right? And I think that there is something that I used to think is marketing, honestly, but APT1, when that report came out, I think I just looked at it and I said, yeah, obviously this isn't the first APT report, targeted attack reports were out there, but no. That wasn't the same; that changed everything, when you had a serious report about true nation-state attacks. And again, early 2000s there was Titan Rain and so on. Having that report in hand, it was insane. Number one, you could show something that's printed, unreal. Number two, it's really information about the attack.
The attack wasn't just hidden. I remember in 2006 or 2007, when I was a PC, a friend of ours wanted to come on the stage because he'd covered the attack he did the forensic work on, and we essentially kicked him off stage so we didn't get in trouble with the FBI. He was kind of told, behind closed doors... and APT1 changed everything, even down to the pictures: seeing pictures of people behind the attack, seeing the building, it was insane. And being able to present that to the board to back up what you're saying. Just like last week there was the Microsoft Patch Tuesday thing, and being able to get an NSA press release saying "this is serious" and being able to show that to the board as you go and make your case for resources and, you know, time to patch everything, was insane. So for me the industry started probably in the seventies, then in the nineties we started getting work around this in larger ways, as you say, but I actually pin it to the APT1 report.

Stuxnet?

Yes, Stuxnet. APT1 brought the hype, and that's what Mandiant was really good at, and then APT1, I think, brought the reality.

Right, and I would add a different date to the important dates, 'cause Stuxnet was important, but it always felt like it was something that was out there, like, oh, you know, it's nations going to do cyber war. But I think what made it real was Saudi Aramco, when suddenly, overnight, half a company's IT infrastructure was wiped out.

Oh, yeah.

They couldn't do business, right, 'cause now you've got the CFO, the people that don't have tech jobs necessarily, suddenly going, wait, you mean I can't come to work and process, you know, quotes, invoices, I can't do anything, I can't get into the building with the badges?

Yes. It was after that. Who are dates number one? As is Sony.
Actually, Sony was on a national, geopolitical front, and more than that, people went to work in the morning and saw black screens. I remember this one article, all the discussion... Forgive me for going on for a second, but West Point, and I've never been to West Point so I'm talking out of hearsay, essentially they used to teach, for example, Clausewitz, which is amazing, other than starting with an introduction of every single doctrine in the book, like most of the books there, but they stopped, because he only looked at the strategic level. It didn't consider the soldier and the time of day, and I'm interested in why that's important. But the only thing everybody talks about is the strategic aspect. But I found an article where people were quoted: you come to work in the morning and the screens are black. Do we still have a job? Are our bank accounts safe? That was just above the cut. And another one was probably Equifax, because that's when we actually saw, in front of our eyes, C-level people and CEOs losing their jobs. That hadn't happened before at that scale.

Yeah, yeah, although I look at Sony from a maybe not such a positive light, because in security we've been saying for a long time, like, at some point this major event's going to come along that will really wake everybody up, and everybody's going to notice, and we're suddenly going to get budgets and we're going to get to do everything we wanted, because that one event is going to destroy everything, right? And Sony happened, and that was the event. Like, it was supposed to be the line in the sand, where attackers destroyed everything, the people got fired, the company basically went out of business, and everything like... wait a minute, though, it did, because the worst case happened, right?
The prophetic worst case: that all the IP was out, all the healthcare information, payroll information and emails and private communications and movies and everything was out, and yet the company survived. So now how do you go to your board and go, if I don't get enough budget, we're going to... you know, everything will be gone, it'll disappear. And yet Sony's still there.

Like, you know, when you look at... if we go to the management level for a second, it actually can be useful, and it can be used. So I have a friend who works for a bank and he built this entire threat assessment model. Most models in the world still use risk and controls; they basically ignore the environment. You know, if I have controls, it's part of my score, and in an environment the peasants database is kind of silly, or having the risk without looking at the threat actors and threats generally, and then connecting to impact, maybe doing virtual pentests between the controls they have and their maturity and the potential attacks, like MITRE ATT&CK, the actual threat actors they could use. I'm going on a tangent. The thing is, if you were Sony and you looked at all the different threats in the world and you presented them to the board and said, this could happen, or here's my maturity model, here's the measurement of how I'm doing, I'm getting better, something like that happened, you'd be able to say, you know, so here's how I dealt with the response. Unfortunately it's still the best control we have in the industry. And I'm not talking about Sony. They actually had an amazing CISO, I recall, John Mooney. He was a CFO and senior VP, and he stayed after the incident. And in fact, on another tangent, going discursive for a moment: when we say in the industry that many CISOs stay for eight months, a year and a half, and leave very quickly, I found that the best actually stay for years in the industry.
It's not true. But closing the tangent and going back: when Sony happened, when Saudi Aramco happened, which are two examples, we were all shocked. That's just because of the actual impact. Maersk was another one of those. If you have a Trojan horse on the computer, people were expecting it to steal, hey, do whatever you want with the computer, and destruction, you know, is just another relevant tool for this. Here, just because we haven't seen it as much, we didn't really give it much attention in our corporations.

Yeah, I mean, I love conversations... Do you know John Steven? Probably. Yeah, so John, John's the threat modeling guy, right. He's an upset, and he's now an adviser and he's an exec, because he grew up too. But he taught me the importance of threat modeling. I've talked to him over the years a bunch of times. One of the things that we always come back to is: is the stuff that you're trying to do on defense proportional to the attack and the resultant outcome, right? So are you trying to defend against a threat that will likely never come at you, or are you not even thinking about threats that are there every day? And my example for this was Heartbleed, then Spectre and Meltdown. Those two, one right after the other, were a big deal, right? A processor loophole, essentially, or a chip function that was discovered that could create some very serious havoc. Now, if you paid attention, like, let's put aside the fact that every idiot now decided that we needed to have some theme music, some artwork, a website, you know, for every vulnerability, like that's just dumb. Let's say that. But those were very real vectors, right? But when they hit, it seems like every single information security official lost their collective dang minds, because suddenly they...
Everybody felt like this was their biggest threat. Every time something big gets announced, this is my biggest threat, I must drop everything I'm doing. And in my analysis, and granted I'm not the smartest guy in the world but I've been through a few things, in my analysis the biggest problem that Heartbleed and Spectre and Meltdown presented for the average enterprise, mid-market to lower enterprise, even enterprise, and SMB out there, security professional, was that it was going to ultimately cause a lot of panic. And the bigger threat, I think, was to IT operations people, because the patch was eventually going to cut their CPU capabilities. It's going to cut their processing power, right, by, was it nineteen, twenty percent or something like that? That's a bigger threat than the actual attacks I think could ever be to the threat models of your average enterprise, because, with the complexity of the damn attack, nobody, most of them were never going to see it, much less have to worry about how to detect it and prevent it.

Are you saying that we're affected by the news? That's the industry, I guess. Let me tell you something.

Sure.

You actually started talking earlier about my friend at the bank, and I kind of went ten tangents in Eric Grossly fashion. So he made this analysis about a specific threat, and there was a lot of money spent on it; then eventually he said, let's check the impact, and the impact was twenty-eight thousand dollars. So why are we spending so much on this? Now, it comes down to reputation, but, you know, this entire shadow of ours, and many chuck in the industry, the frustration comes... the frustration I talked about earlier. Earlier I spoke about "they're going to succeed anyway."
But I would like to change it up. I'm working on this model where I'm trying to prove to the future that we're right, in a way. If you think about the industry, I've been there many times, and I'm sure you have as well: we're Cassandra. We claim to see the future, and I used to take that personally. We used to say, how do I change this? Now I run and do this, I convince people. And I took a step back at some point when I started becoming, I think, less technical and more into the philosophy side, let's say, and said, should they actually listen to us? You know, in the nineties when I jumped up and down... forgive me, Winn Schwartau went before Congress, I believe, and stood up in 1991: nation states are going to attack the United States over the Internet, and he was laughed out. I've been there, you've been there. I came up... I was there for botnets, I was there for HD, I was there for so many things, you were there for so many things, all of us, and my understanding today is they were right to not listen. So let me break that down.

Okay, interesting. No crash, so, oh, just now, okay.

So here's the following: you are one of many, many people in an organization; you're one of many stakeholders in an organization. You are not an enabler, you are a cost center, which I see many of us make the mistake of, as security professionals, staying a cost center. And number two, you believe what you do, or security, is the most important thing in the world, which is the second mistake we make. We don't really wait and look and say, what else is going on? What is the context for this organization? That's just in risk. Ask the business: where are we going in the future? What are the risks we are dealing with? What should come first? Can I say this later instead of opening a front, or just giving up, on every single issue? And that's kind of from my experience, but maybe some other things. But I try to... how can we do this differently? I knew, and you knew, in the nineties,
cyber, or whatever we called it back then, and then we hated the word, and then cyber became what we do, but cyber was going to be big, going to be huge, and we have to do something now, and we knew for a fact, and these under cybersecurity and many other sub-topics and industries, sub-threats for specific breaths. We knew this was going to happen, but we couldn't convince people, and I said, they're people, kind of in my mind. I said, people graph off: the longer you wait on spending on cybersecurity, and the graph kind of goes way up on the Y axis, the less you're going to be able to impact, and these are like exponential terms, algorithmic terms, even just the time, you know, the less you're going to be able to impact security. If you wait a year, you'll be able to do much, much less. And in cybersecurity we say, "if only they'd listen," that's right, which is really going to help us, but also I have to spend that much more, so the graph is insane. I'll say there is a case in history when people listened, and there is, in Israel, in the late nineties, two thousand, the government listened. It was not easy, trust me, the government listened, and they created an organization to look over critical infrastructure with guidance around cybersecurity, information security, and they didn't do much, but they did. They said, you know what... Should they have invested more? No. From there, from a CEO making decisions point of view, maybe they wouldn't even have invested in this, but they did, and that pushed Israel further along the curve, more secure than it could have been.
How can we go to decision makers in other things we see today and convince them, and just make small adjustments? And I look at the history of security, and this is going to be very inaccurate, and you can look at the mainframe, the minicomputer, the PC, the cell phone, RFID, now we have drones, we have AI starting to come up, robotics, and we see every single one of these started... If we go all the way back to the mainframe, extremely, really invested in Belgrade existence who were then there, and we just dropped it. Windows, DOS started with the, what, the famous story about Bill Gates buying the operating system from correspondent for fifty K, right? We just drop all technology and we start from scratch, continuously, and you know what, we have a lot of economic incentives and we want to get to market, we're building an MVP, maybe we don't have time or funding for security, we don't even think about it. You know what, we shouldn't. I truly believe, and I may be betraying my younger self as a security guy, but we shouldn't. That said, at what point do we convince people, no, starting investing in security a little bit now is so valuable later? We'll never... Mark Sacks would disagree, but really we're never going to change IP, right? But if we came back in the eighties and said, wait, wait, wait, this thing, now that we have built something, could have been interesting. So I've been working on a deductive model, and I believe in inductive models, but I can't... I can find a way to do that. Look at all these industries and look for proof points. When was the first vulnerability that came out in academic research? When was crime using it disclosed? When did military or intelligence start using it? When did the huge worm
come up? And all these points, for all of these, it didn't happen for any of them. But when it comes down to it, if we can prove these proof points, we can reduce what I call the body count, really, before people accept things. And today my main gripe is around embedded medical devices. You know, we need to be careful, we need to know how to speak in business terms, but they still are mainly sales in the industry, unfortunately. And I look at the body count and say, okay, so a million and a half, three million pacemakers a year, I don't remember the number, I don't even know if it was accurate when I saw it, forgive me, but yeah, if we can go and create a worm around that, when these things are operating over the Internet, wirelessly sometimes, depending on what you're talking about, it's insane, man. It's completely insane. And when I talked about this in 2007, for example, people talked about this before me, right. I said, guys, please... I wasn't the first, remember, right now, and people came and I said, look guys, I'm going to talk to you about science fiction. I love science fiction. Let's talk about medical devices, and let's move on to talk about the... And people talk about this without saying this, because they'll get laughed at, or people will just dismiss them, because looking into the future is hard. So that's the court they weren't on. So this model, and building about these points, if I can come to the decision makers in different industries and say, what happened in other industries, you know, maybe I'll be a little bit successful, or not. There's another successful one, but I don't know exactly how it happened, and that's the fire at Notre Dame. I think... I'm sorry, I just woke up.
And I'm a little bit... We see from my flex, the fire in front of the church. So it wasn't the first time, and they are used to these happenings, therefore they already have trees planted over there that they can use to rebuild, and stuff like that, so it was pretty cool. So that's something I am pretty serious about right now, but it's a long-term project. I'm not, you know, driving up against a wall trying to convince people to do that, but it's one of the things I'm kind of playing with.

Yeah, listen, I'm with you, man. I think so. This is another one of the other trends that I think was... that bugged me, that we finally seem to get collectively distanced from. I felt like in the early nineties it was all about "do whatever you can," right? It was complete chaos, because we were just trying to evolve and trying to stay relevant. Like, 2002 to 2012, it was really about kind of this chaotic version of evolution, and I've got a talk coming up on this shortly, on a webinar, but it was like... I feel like it was what we call chaotic evolution: so attackers were trying things, defenders were trying things, nobody actually had evidence for whether any of it did anything, but we could create a big bang and go, look, we made a big bang, and then somebody would go, yes, so what? And then a defender would go, well, I did this thing, so therefore, you know, your big bang didn't work. And then you'd ask the question of, is it because it didn't work, or is it because you got lucky, or is it because I'm not good enough? And nobody could answer that question. And then, like, I think to me the marker was Saudi Aramco, when we went from simply lobbing inconveniences at each other, right... like, Sony was a big one, but I think to me Aramco was the big one, where suddenly we went full nuclear, pardon the pun, we went destructive, and then at that point it was like, okay,
you know, it just got real. But the entire time we're struggling to decide and have any kind of real, evidence-based conversation about attack or defense that wasn't just fun. Based on that, to come back to this topic, because I'm an evidence-based guy, right? I grew up in security and then quickly transitioned into, like, the prove-it, the business side, so I grew up where in my career somebody said, prove that what you just did protected me. And most of us would say, well, you just have to take my word for it, but that's not good enough in a, you know, a million-employee company, so you have to show evidence. And so I'm looking at our industry and going, okay, we have a million different tools out there. Which one of those is actually effective? How effective is it? And what is it effective against? There's no, and there's not really good answers for it. It's twenty twenty, where we're basically twenty, I'd say twenty-five years into this, and we still don't have good answers. We just continue to try, and a lot of it's dumb luck, right? And a lot of it is attackers simply get what they want, we don't notice, or we get lucky or unlucky or a combination thereof. What do you think? Nuts?

I think you're not... not enough. I mean, first of all, talking about this, and I do have a couple of things to say, I would like to say the sun will rise tomorrow and things will be okay and we'll come together and solve the problem, because we always have and always will, I believe personally. Cheers. So we did a good job. We go to work and we are frustrated, but we do a good job, and we reduced cost, you know, when phishing started and people didn't really know what's going on yet. We were all on the mainland. We stuck... some friends of mine from Iraq said, yeah, we can convince our bosses
we're earning the money, because they didn't know to say we're preventing loss or reducing loss. Look, to learn in business... But I would take what you said even further. We are educated from a young age as security professionals to accept sub-par results. We don't even know to ask for better. For example, I recently ended my entrepreneurial tenure, working as a vendor, and we expect vendors, we expect our tools, we expect our monitors to come up and say, here are alerts, here are events, and we try to get more, or we try to show less, because we can't send much better. When it comes down to it, what people from the street, when I told them what I did, said was: why aren't you showing me the attackers? Why aren't you catching them? Like, no, no, no, you don't understand, this is not how security works. And you know what? They were right. We have, you know, I'm not saying, at least for this, we don't expect our vendors or solutions or whatever it is ("solution" is a useless word; "solution" doesn't mean that we don't...) but back on topic, kind of: we don't expect our vendors to catch attackers. We don't expect their vendors' threat intelligence feeds to be useful beyond indicators of compromise. What about knowing who is after me? What about knowing what they're using? How about expecting to catch zero days? I don't care how it's done. Right now we expect our vendors to deal with known things, maybe a little bit more. Maybe we don't come and say, I expect you to deal with this before or after a zero day is exploited; we expect you to still be useful, we expect you to still give me volume. The industry is built to expect mediocre results, and that's what we build: mediocre. I don't think it's easy to build those. I'm not throwing stones. I'm just saying that's not cool. That is one of the reasons I started my startup, beyond trying to create an economic shift, by moving to target attackers instead of attacks.
Attacks keep changing, and trying to shift the economics around. So Stuxnet, for example: when Stuxnet came out there was code in it that was twelve years old. Now imagine you're running that operation, or running that unit, or whatever it is that built Stuxnet, and he walks in one day: twelve years of your operations need to be reviewed to see whether you're at risk, whether you're running yourself in so many places, whether your intelligence sources can still come in and operations can still go on, and so on and so forth. That is going to cost, right? They're losing a tool, and of course there's been a blue ocean in... I gave a talk about observing APT (threat is such a buzzword), nation-state level threat actor evolution through their operational failures, because most of our reports are just about "here is what the malware looks like." We don't even look at the strategic level, because we don't know what it is and I have to deal with it. But to bring it together: my gripe with the world right now is about the basics, and I can't say that I'm right or I'm sure of myself like with other things, but I believe this, and I want to be clear about this. The basics are important. The basics are controls we should do. Nobody out there doesn't want the basics. There is always going to be something we need to do, and that's the basics. But it's kind of like education: when people say they don't know what to do, they say "education," which is the control. And the same with a breach: often, immediately, everybody goes and says, oh, they didn't do their basics, my God. But there is always going to be another admin/admin or cisco/cisco username-password thing. There's always going to be another vulnerability to find and patch. There's always going to be shadow IT in huge companies. You try to secure them before you say that. And now, with these basics, we need to get things in our network environments that actually do work, and we always speak of innovation,
but we're not built to handle innovation. We're just not doing it. That's my belief. But more than that, even if we're not willing to accept that the basics are useless (too extreme for a minute, and it's my right), then we need to accept that the basics change, and the basics are more strategic than technical. But I always...

Yeah, you know, I'm with you, and I've got to tell you, we're about close to out of time here, because this could be a conversation for another couple of hours, this whole basics concept. You know, I swear, if I hear one more person say "just do the basics," I'm just going to quit and go be a bartender somewhere, because it'll just be easier. Basics... well, I'll add to that before we log out of this. So I used to work... I remember the size and sheer scale of the problem when we looked at it at the time, so early two thousands. How do you get to... what's a good end state if you're going to be patching a critical bug? What's a good percentage to get to? And everybody would say one hundred percent, right? We looked at it in our division and said, if you get to eighty-five percent you are a frigging rock star, right? So "just do the basics"... I'm with you, like, stop. It's not that simple. But look, the flip side of that is we have to do better. Like, we can't just simply say, well, I couldn't do it, sorry. We have to do better.

I hear you on that. There's always going to be a cisco/cisco, admin/admin, but really, I mean, we see...

We got that. Something, I think, that's worthy of our effort in terms of minimizing, because I know there will always be... I can tell you there will always be exotic zero-day attacks that chain seventeen vulnerabilities together with the right moon phase and get you that one exploit that will own the world. There's always going to be one of those lurking somewhere.

You sign on so many things that don't work... well, wait.
I know, but there's got to be a way to eliminate the admin/admin, open passwords, open S3 buckets, open...

You know this. Why don't we accept that they're there and build security accepting that? I mean, okay, so maybe we attack both those streams at once, because I don't think giving up on either...

Hi there? Is okay, so continue.

To be with you, we shouldn't give up on these things. Extreme, but let me give you an example from a cloud and philosophy track. Somebody came up with a model... well, I mean, I would love to talk about my models, but we're at time, so let's just quickly talk about this, and I hope I don't butcher it. He came up with a really cool model called the pets and cattle model, and essentially it says resilience, right? It's about... as well, let's be honest here, but it could be something useful. The way it approaches it, it speaks about pets and cattle, and essentially a pet is something we treat as a part of the family: we care for the pet, we feed the pet, we take it to the doctor and pay tens of thousands of dollars to try and get it well when it's sick. And that's like a computer that we spend a lot of time on and probably shouldn't. Now, on the other end (and this is really uncomfortable, to give this analogy), there's cattle, or sheep, let's say, because I don't want to offend anybody out there about cows. If a sheep is sick, I'm sorry, and it's all bad, but you know what? We kill it and we replace it immediately. So even if you look at just uptime: how many computers out there are pets where they could be cattle, where we can do something much, much quicker? Because the business runs faster than attackers, we don't... And if we look at Docker, if you look at the cloud, we can be much, much faster now, and we should enable doing something. But anyway, that's a wake-up call, whatever it's called, you know about it. Let's take these ideas, let's push the agenda, let's do new things, create new frameworks on the strategic track so that we can do security better. There are solutions out there.
And sometimes they're technology, for example: what I did was cyber deception, which is another discussion for another time perhaps, and why I believe what I did was a failure in the industry. And then we have pushing the strategy, the management aspect, and we can do these things until we are ever perfect, because let's be honest, security is about compensating controls. If we had a solution we wouldn't be putting controls in place.

Yeah, all right, well, let's do this again, because we are definitely on time, but there's much more to be had. I think a rant about the basics, or lack thereof, is in our future, guys. Thanks for being on the show, man. It's been a lot of fun, man.

Thanks for having me, I appreciate it.

And in case somebody wants to find you on the socials, how do they find you?

To find Gadi Evron, you just look me up.

Excellent. All right folks, thanks for listening. This has been another Down the Security Rabbithole podcast with my guest Gadi Evron, a guy that's been there, seen that, done some stuff. And on to the next. We wish you luck in your next endeavor, my friend.

Thank you very much. Have a good one.

All right folks, thanks for listening. Many more coming up for you, but I hope you enjoyed this one, and we will see you another time, another place, another Down the Security Rabbithole podcast.

We've played out on another Down the Security Rabbithole episode. This episode we'd like to encourage you to chat with our hosts and guests using the Twitter hashtag #DtSR. Please check out the show, catch up on any episodes you may have missed, and subscribe so you don't miss a few episodes. Our website is White Rabbit dot net (wh1t3rabbit.net). So on behalf of James... we'll see you soon on another Down the Security...