Jack Rhysider, Host of Darknet Diaries

Darknet Diaries x Juniper Networks Twitter Spaces

Industry Voices SecurityTrending
Jack Rhysider Headshot
Image is a title slide from this podcast. It includes the headline, “State of Security with Darknet Diaries & Juniper Networks.” There are three circles on a green background and inside the circles are the headshots of the host and two guests. The host, Jack Rhysider, is wearing glasses and a dark hoodie reminiscent of a possible cybercriminal. Juniper Networks logo is in the bottom left corner and the Darknet Diaries logo is next to it. There are small black dots scattered on the green background.

Listen: The latest trends in cybersecurity from two Juniper experts 

Hear from Juniper Threat Labs’ Mounir Hahad and CISO Drew Simonis as they talk with Jack Rhysider of Darknet Diaries about trends in cybersecurity and how they work to keep Juniper and customers safe from threats now and in the future. 

Show more

You’ll learn

  • What keeps Drew Simonis and his peers up at night 

  • A real-life example that shows how complex it can be to avoid security breaches 

  • What’s effective and what’s not when it comes to dealing with ransomware 

Who is this for?

Security Professionals Network Professionals

Host

Jack Rhysider Headshot
Jack Rhysider
Host of Darknet Diaries 

Guest speakers

Mounir Hahad Headshot
Mounir Hahad
Head of Juniper Threat Labs, Juniper Networks
Drew Simonis headshot
Drew Simonis
Chief Information Security Officer, Juniper Networks
Transcript

0:01 hello i'm jack reciter host of darknet diaries an investigative cyber crime podcast this is a recording of my live

0:08 twitter spaces hosted with drew simonis and munir hahad of juniper networks like

0:13 this video if you're interested in more content like this and tell us what you think on social media you can find more

0:19 from me at darknetdiaries.com or on twitter at dark diaries enjoy

0:25 so you know something i think about a lot is what what is it what does it take for us

0:31 to be secure and some stuff that it kicks around in my head is maybe it's the users it's the user's fault if the

0:38 users were more of you know smart they would we'd all be more secure but is that it maybe the

0:45 police could do their job a little better if they arrested all the cyber criminals then we'd have no problems

0:50 with security right but no wait maybe it's the vendors the vendors if they've created secure products and none of us

0:57 would have any problems with security or you could look at it as a policy makers they could do some things to

1:04 make us all secure as well and what i want to think about today is you know what all of these people are

1:09 the ones who help make us secure and i specifically want to focus on vendors

1:15 and policy makers today in this space because they're the ones who are staying ahead

1:21 of emerging threats and keeping their ears to them to the ground listening for what's

1:27 coming out and you know the the threat researchers are going to bubble that information up to the leaders and those

1:32 leaders might be in your company or government officials and i think it's fascinating to look at

1:38 how that particular aspect works so in this space with me here today is the chief information security officer

1:45 and the head of threat research from juniper networks now um just about me you know a lot of

1:51 people know me from the podcast dark knight diaries but to make that i have to know a lot about i.t

1:56 and security threats so that's not something that i do the research myself these are what i rely on

2:04 are people who are researching this and security leaders in the space and so

2:09 that's what um that's what this twitter space is about i'm going to be chatting with two security leaders from juniper

2:15 networks and with that said i do want to make it clear that juniper is sponsoring my time

2:20 for hosting this event and they're also sponsors of my podcast but when they asked me to do this i was really excited

2:26 about it because i have actually been a security engineer before i was a podcaster and so i was in

2:32 my my hands were in firewalls a lot specifically in juniper firewalls srx's

2:38 and i even got some juniper certs like the gncis sec but if you're not aware of what juniper

2:45 is they help organizations build threat aware networks to keep attackers at bay

2:51 so that business critical traffic can travel across the wire properly and they do this by making firewalls cloud

2:57 solutions management tools and their aim is to secure every point of connection from cloud from client to

3:04 cloud and it's amazing for me to look at where i've come because there was a time when

3:10 i was an engineer and i actually took a trip to sunnyvale and drove to juniper's offices in silicon valley and just stood

3:15 outside their buildings gazing at the size of them and now here i am with my own vanity url

3:21 on their website juniper.net slash dark net resolves it's it was made just for me

3:27 and um now i get to interview their cso so i just never expected this in a million years and i'm just honored to be

3:33 part of it so with that bit of uh intro out of the way i want to introduce my two guests

3:39 drew simonis chief information security officer of juniper networks and munir

3:44 hahad head of juniper threat labs which is the independent research arm of juniper and by the way this space is

3:51 being recorded and you'll find those links in my twitter account after the event so drew manir um thank you for joining

3:59 me today thank you for having us hey good morning very excited to be here so let's start

4:05 out with just hearing more about your roles what is it like being the cso

4:10 and also working in threat intelligence today

4:16 well i i would say from the perspective of of being a cso

4:21 we've faced a tremendous evolution in the role over the last just over the last couple of years as as companies are

4:29 doing more and more with digital transformation as as technology is more important not just to the economy but to

4:36 society as a whole uh you know the bad actors out there are finding ways to take advantage of our

4:42 reliance on this technology and so our domain the securing of that technology has really risen to the fore

4:48 in a way that that we've long i guess we've long expected but but

4:55 you know maybe weren't quite as ready for uh based on what you see in in the in the world today you know with a lot

5:01 of exposure a lot of uh a lot of compromise is still occurring so the very high intensity very high

5:08 pressure um and and the challenge is significant you know we we always are

5:14 striving for more resources we're always striving for more mind share uh

5:19 people trying to get the attention from the right people in the right places uh

5:25 trying to leverage services uh like what when here helps to deliver and the reality is that

5:32 we have to have good understanding good good understanding of the adversary their capabilities their intent and how

5:39 that intertwines with our own operations so what do we have that they are likely

5:44 to want uh do we have the controls in place that they are likely to to uh be

5:50 be blocked by um and and so you know it's a it's a

5:55 constant battle as as evolution occurs both in the business process

6:00 and in the uh in the technology landscape and in the attacker's capabilities and desires so uh fast

6:07 paced fast moving um a lot of pressure i guess would be the the some of that

6:13 i i concur with that i mean drew definitely has the hot seat on this one so while drew is it's kind of focused on

6:20 securing juniper cyber assets my role is to try to protect all of our customers and that's including drew by

6:27 the way who is uh honestly one of my favorite customers and he's my favorite customer because he's just a text

6:33 message away and he gives me access to all the data i need sometimes you know i can't just go to our customers at random

6:39 and just say hey could you please give me access to your whole network because i need to investigate something or

6:45 validate some theory i can't do that but with drew i can see the one thing that people don't realize is that

6:52 drew has um carte blanche to go and provide himself with any kind of tool capabilities he can get from anywhere he

6:58 wants he's not bound to use in juniper products but he does and he keeps me in check because he goes you know what

7:04 munir if your products efficacy drops i'm dropping you too and i'm gonna buy something else from someplace else

7:10 fortunately that hasn't happened and uh you know it's a great relationship to have uh with uh withdrew and that helps

7:17 me a lot because it gives me real-time data from an actual large company's traffic and it

7:24 kind of gives me a model to work with when we're looking at the threats um the defensive methods that we put in place

7:31 and uh and and thinking about what's next to come so i i really appreciate that collaboration that i have with drew

7:38 another you work with juniper threat labs how does that operate

7:44 uh well you know juniper threat labs is actually a combination of three things that's not typical in in this industry

7:52 you look at a lot of different companies they would have threat research separate product development separate etc i have

7:58 the advantage of having all three things under under one roof the first one is

8:03 just the threat research which is kind of the awareness and being able to see what's happening out there in the wild

8:09 making sure we're ready for cyber attacks uh making sure our customers are protected that's one the second one is

8:15 just the development team so i have a development team dedicated to building the detection methods that go into our

8:23 products whether they're on premises or in the cloud or anywhere in between it doesn't matter so i own the efficacy of

8:28 that of that detection technology and the third one and it's definitely not the

8:34 least we we have the security operations team that's constantly monitoring what's

8:40 happening with our own detections across our customers um telemetry and the idea

8:45 behind it is we're here to monitor for things that you know either spike or things that are unusual or things that

8:53 honestly we might have missed and that information is fed back into either the development team especially when it

8:59 comes to things like machine learning you know you have we build models those models tend to fluctuate over time so we

9:05 have to keep an eye on that and and it also goes back to research you know sometimes we hear about something that

9:10 you know we just haven't thought about in the past so it goes back to the research team and we have to figure out

9:15 proofs of concept what did we miss how can we make it better how can we uh

9:20 block it right away how can we future proof it so this is like the three pronged

9:26 approach to doing uh work within threadless very interesting um so drew you know being the cso it sounds

9:35 it sounds nerve-wracking to me kind of like um like a new parent

9:40 or you just don't know if you're doing enough to keep everyone safe right you just it's just like ah am i doing enough

9:46 and there's always something in the back of your head and it's hard to sleep as a new parent um do you what keeps you up

9:52 at night as a cso or what's top of mind for some of your peers

9:58 oh it's a good it's a good comparison uh well everything everything keeps me up

10:04 uh uh my my peer group myself we're nervous people um very anxious i think uh

10:11 because we have uh 10 20 30 40 000 children and all of them are uh often

10:18 doing things that they ought not to be doing and so we have to worry about the decisions of

10:23 of of a large group a very large family um and so so

10:29 you know we have to do that in an environment where there's more and more scrutiny uh customer scrutiny uh uh

10:36 executive scrutiny board member scrutiny regulator scrutiny uh shareholder

10:41 scrutiny like everybody is paying attention to what we're doing these days and uh that that adds to the pressure

10:48 you know and so so you're right you've got to be comfortable that the decisions that you are making

10:55 are the best decisions that you can make a given all of the uncertainty that you

11:01 face i i think that's that's probably one of the key things that differentiates the ciso from from uh

11:07 maybe a security practitioner who's who's maybe not so seasoned or is aspiring right uh to be a season it's

11:14 living in that comfortable gray area that you described um and and being able to go home at night and know that it

11:20 might be a wrong decision but given what you had in front of you it was the best you could make um but but if you're asking sort of what

11:27 are the what are the what are the key things besides that um i think the challenges that i face are around talent

11:34 uh first and foremost you've got to have the right people on the bus and and you've got to be able to hire

11:40 people and retain those people and keep them engaged and that's difficult all those things are difficult because you

11:46 know take all the complexities of covid and working from home and add on to that the this ever

11:52 changing technology landscape i alluded to earlier and the pressures of the role uh so it's a burnout factory for a lot

11:59 of people and uh and that's a shame and we work really hard to alleviate

12:04 that pressure uh prioritization to the point you made did i make the right decisions um do i have the right insight

12:12 to make those decisions or do i avoid analysis paralysis uh so i

12:17 can make a decision without having a complete view of the landscape that's that's an important one too and

12:24 then execution um you know so so i've got the right people i'm focused on the right things i'm

12:29 prioritizing the right areas uh am i executing fast enough uh and to the right quality to be in front of the

12:36 adversary and to really be solving the problems before they creep up uh and damage the business's ability to

12:43 be successful so i think those are the three things talent prioritization execution would be the things i'd worry about most

12:49 for anyone just joining us welcome have a seat please stay i'm having a conversation with drew and munir from

12:55 juniper networks drew is their chief information security officer and munir is the head of juniper threat labs and

13:02 this space is being recorded in case you missed something gentlemen this is a question i got from a follower uh what's the stupidest thing

13:10 that has caused a problem or a breach and maybe drew i'd like to hear from you first

13:16 well you know not the stupidest but but i think it's illustrative of how complex

13:21 avoiding breaches really can be it's a silly story um but uh a prior job uh i won't say where when

13:29 but we had an executive who who essentially fished himself

13:35 and and the the story is that as as you may or may not know executives have a lot of emails sent out from them

13:42 uh but not by them uh and so this individual went into their mailbox saw a

13:47 message from them and said you know oh i wonder i wonder what i'm talking about today like what

13:53 interesting topic am i endorsing or supporting across the company um and followed the links to see and and

14:00 lo and behold it was a fishing uh a fishing message uh spearfish to him uh

14:05 or something along those lines and so you know he saw the silliness in it but

14:10 but i think that the real illustrative part is that it is difficult even for like you can fall for a message that you

14:16 know is fake uh or or not necessarily from you and as the attackers get better

14:22 and better at what they're doing it is increasingly difficult for people to spot genuine phishing messages or sorry

14:29 genuine email messages from phishing messages uh or genuine websites from

14:34 impersonating websites and and and and so so in that in that story is the kernel

14:40 of it's really hard for everybody to not fall victim to some of these very sophisticated attacks

14:46 um that are increasingly easy for people to pull off yeah drew it's funny as you're saying

14:52 this reminds me of another very similar story and and maybe this one is even funnier because i i know somebody who

14:59 who was actually part of building and a campaign within their own organization

15:05 for uh you know the anti-fishing campaign so this is uh one of those educational

15:11 uh things that companies do they sent you an email once a quarter or something and you know they make sure that you're

15:16 not clicking on the wrong links so this particular person was part of the team

15:21 that was putting together the uh the the campaign and uh they were constantly complaining

15:27 that hey past campaigns are so easy to spot let's make it a little bit more realistic and sure enough they wanted to give it a go

15:34 and uh they built that that messaging and the day before the campaign uh he

15:40 actually received an email saying hey tomorrow we're sending the campaign be on alerts you know uh you know just

15:46 let's see what happens the very next day unfortunately because of various circumstances he personally fell for it

15:54 unbelievably you know it's one of the things i remember he was telling me that um you know he he looked at it on his phone

16:01 instead of uh on his desktop client and you know on your phone certain things disappear like you don't see the

16:08 email of the person you just see a name the links are relatively difficult to see even if you see something in there

16:14 you have to know that you need to do a long press and wait for it and then you see a preview and all kinds of things go

16:20 wrong on a phone so he actually felt for it because of the circumstances i guess what this

16:27 kind of drives the point of some many attacks are actually very easy to

16:32 spot fortunately a lot of these people sending phishing emails do not understand or speak english very well

16:38 but some of them can get really really sophisticated and it's very hard to see

16:43 and i have to admit there's there's one thing i personally do not like in what we're doing about it these

16:49 days you see a lot of these url rewrites for example that uh you know certain security tools email security tools

16:56 would tend to replace an actual url with uh another url that goes through some

17:01 pre-processing before it lets you through now for probably more than 90 percent of people

17:07 that's a great thing to have but for some of us who understand how to look at a link

17:12 it's it's annoying to be honest it also it also circumvents the training

17:19 we've been giving people for years right that you look at the link and decipher it and now you you so so now we're

17:25 relying on technology rather than the training and i don't know which one is better i i guess you know 90 of the time that's

17:32 the right call i think we should rely on technology a little bit more than people i i'm just personally annoyed because i

17:38 would prefer to rely on myself even though i mean looking at the url may not necessarily be the end-all be-all well

17:44 that's right with the with the way the attacks are evolving you know that you can be sent and and there's what frames

17:50 on frames and and so you you're going what do you think is a real sight and and may in fact be that real sight and

17:56 and and or the real sight's been compromised so it's more like a watering hole attack than so

18:01 the attackers are so they're always one step ahead of us in terms of circumventing

18:07 everything we do everything we've trained people and then they're like well i'll just take this and switch it by five degrees and and

18:14 now everything you did was needs to be redone that's that's the fun part of our job i think keeping up with

18:19 that who would have thought they'd get us through captchas before we get to a fishing site

18:25 yeah it makes me wonder we put all these uh you know major security checks in place and then it just gets

18:31 circumvented it's sometimes it just seems all for now because it's there's just an easy way around it

18:38 so um you've got your finger on the pulse of pretty much what's going on in the threat landscape today

18:44 what are you seeing as some of these big trends or major attacks that you've been seeing in

18:50 the last year that businesses should be worried about you know be because i look at uh

18:58 customers across the spectrum it's actually hard to believe that uh people are not gonna have their own

19:04 opinions as to what bubbles up to the surface i can tell you look i'm seeing a trend here but for some vertical that's

19:11 not going to be the trend for them it's something else that they're worried about so for example if you're uh in

19:16 defense industrial base you're probably thinking industrial espionage is trending up but if you're in the energy

19:22 sector or critical infrastructure you're probably more worried about acts of sabotage that are trending up uh but

19:30 when one thing everybody will agree on is that ransomware has become the threat

19:35 to counter you know it's so we used to deal with ransomware just like a one-off but now it's uh really commoditizing

19:43 uh it's it's become service um i don't know i don't want to draw you know go

19:48 too much into parallels but if you remember mail spamming used to be like that as

19:54 well it started by being the work of one person having to do everything from building mailing lists

20:00 building mailer miller bots and identifying open relays etc etc

20:05 to the point where every piece has been outsourced you would buy the mailing list from someone you will lose a botnet

20:12 from somebody else and maybe purchase an exploit kit if you're looking at infiltration

20:18 so the same thing is happening with ransomware and it's making it more of a business than anything else you you will

20:25 buy a target list from somebody if you're interested in particular vertical you will put together somebody else will

20:30 put together actually the infection chain for you and you don't even have to handle customer support somebody else

20:37 will do it do it for you and same thing for the payment and in all of that the attacker that

20:43 you're trying to protect against is hidden behind layers and layers of human shields

20:48 so that's uh that's kind of what i'm seeing as a big trend especially that you're not dealing with just somebody

20:54 who's encrypting your data i mean we kept telling people backup data put it in offline but these days the exfiltration business

21:01 with people taking away your data has made it a little bit more uh difficult to counter and

21:08 the latest trend is really about going after the victims i don't know if you've heard about that

21:13 what is it like a mental health hospital i think somewhere in europe they not only they uh encrypted all the data

21:21 for people that were there but because it was readily available in clear text data

21:27 they exfiltrated it and they started going after the patients themselves i mean imagine they were basically telling

21:32 them hey uh here's the transcript of all your conversation with your therapist you either pay us 200 euros or we're

21:39 going to publish this online that that's really a terrifying trend for uh yeah

21:44 that yeah yeah well i was going to say that you know to

21:49 to meniere's point sorry an object um when you when you hear about these

21:54 things even the way people speak about this these days is very service and industrialized uh when people talk about

22:01 the second and third order ransomware extortion vehicles you know they speak

22:06 them as features like the nine out of ten ransomware packages have these features supported

22:13 right so it's it's so it's so much like buying a just imagine like you don't

22:18 have to have technical skill anymore you just have to have a credit card and the desire to make uh

22:24 what got was ridiculous amounts of money i think there was a report the other day that the the

22:29 the bitcoin wallet for one of these big ransomware things uh was leaked and it

22:34 had billions of dollars in bitcoin in it so this is not like i'm going to make a

22:40 couple grand this this is potentially for these criminal gangs i'm going to make a few billion dollars yes

22:45 so i'm near you can see kind of these attacks happening but drew you've got this

22:51 vision into how organizations are responding to these kind of attacks and how do you think they're doing

22:56 what's what's been effective and what's ineffective at dealing with ransomware

23:01 well it is an area where um we could do a lot better as an industry uh

23:08 the the reality that i see is that people tend to be solving yesterday's problems tomorrow

23:15 there's still not the level of executive buy-in across the corporate world that

23:20 we need to have and threat intelligence is valuable but not everyone's consuming

23:26 it and the threat intelligence is not yet at a level of sophistication where uh where we can get really accurate

23:32 future predictions team that up with uh what you were talking about where our controls sort of

23:39 can be so easily circumvented and that's another reality right i mean people will

23:45 choose how to behave and their adversaries will understand how they're

23:50 making those choices easy example is cvss scores for vulnerabilities many

23:56 companies prioritize 7 and up because those are critical risk well recently attackers have been starting to

24:02 weaponize three and down because they think nobody's paying attention to those patches and and maybe

24:08 they're right so so there's always this this this reactive nature that we really

24:13 need to find a way like right now the best we hope to do is react fast uh

24:19 automation orchestration we look at that we're like okay let's let's bend the curves down to seconds and minutes

24:25 rather than days and weeks but but the real uh uh uh i i guess uh ambitious

24:32 goal is to how can we get in front of those threats so instead of yesterday's problems tomorrow we're solving

24:37 tomorrow's problems today that's that's something we really need to be working on getting better about as an industry

24:44 you know i really i i'm really curious on what your what your thoughts are on open source software in the enterprise i

24:50 mean we had heart bleed bug in 2014 which was a major vulnerability in open ssl and this year we had log4j

24:58 which is another major vulnerability in open source software now open source is usually made by

25:05 volunteers and they put their code out there for free for anyone to download and this is a question either of you can

25:10 answer but how do you feel about taking this volunteer driven free software and

25:16 using it in the enterprise yeah i'll take a first step at this drug

25:21 because my team does actually use open source software you know it's uh i think that question

25:28 of whether we should or should not be using open source software that ship has sailed uh it's it's everybody's doing it and i

25:35 don't think there is any way of going back because there's just no point in reinventing the

25:41 wheel no matter what you think we're still in a chase between the good guys

25:47 and the bad guys in this space so the faster you can turn around a new detection method the better you are protecting all your

25:54 customers and therefore reusing what's already out there is an absolute must

26:01 now you have to understand though that when it comes to using open source software it comes with

26:07 strings attached and these are not necessarily the licenses what i'm talking about here is your ability to

26:13 buffer that software update and and be able to patch it in heartbeat because what what do we usually see

26:20 open source software is out there being used by millions of people next thing you know there's some sort of uh

26:26 supply chain type of uh vulnerability and they get in there they put a bad update and

26:32 if you've automated downloading this uh this update from github then you're probably in a lot of trouble

26:39 so you need to make sure that you're not making these kind of mistakes and you're doing some sort of due diligence and you

26:45 have a process by which you have your finger on the pulse on what is being

26:51 discovered around those um those packages now if you're any company of a

26:57 decent size you probably have hundreds literally hundreds of open source packages that you're using in your own

27:03 product so keep an eye on them is not something that you can do manually you have to have in place some sort of a

27:10 method and a system that keeps track of what's being talked about regarding those packages and be ready to uh to

27:18 patch i think it was fascinating when uh log4j came out i think some of the quicker ones to patch were video game

27:24 companies that were using it and some of the slower ones to patch were deeply embedded tools like it tools and

27:31 stuff that have you know six layers down and that's where that's where the open source software is

27:36 and to fix update that is nobody really remembers how that even got there so

27:41 yeah i really agree that you have to be if you're going to be using this you have to be able to update it in there

27:47 drew i see some of these organizations using um

27:55 threat intelligence feeds and we're going to switch to threat intelligence feeds for a second um

28:01 the thing is well so what a threat intelligence feed is it's typically a list of ip domains uh or ips or domains

28:08 that are kind of a list of bad actors and what they've done um and you can use this list to compare it to the traffic

28:15 going on in your network to see if it's malicious or not um but the thing that i can't figure out

28:20 is when is a company ready to implement a threat intelligence feed

28:30 well it it it it really comes down to what you want to get out of it um

28:35 you said something really key in that question what they have done

28:40 uh so so these kind of feeds are all retrospective they're they're certainly valuable right

28:47 you don't want to be caught victim to something that that is is well known and where you

28:53 should be having your guard up a little bit more um so so integrating those

29:00 and you know sometimes they're hashes for files sometimes they're uh they're like you said um uh block lists

29:08 sometimes they're uh there there are other types of indicators but uh

29:13 you've got a lot of ability in your technology these days to ingest those almost like sort of custom signatures

29:20 for intrusion detection and prevention systems or on your desktop or whatever

29:25 um as far as organizational readiness it to me comes down more to maturity of the list and

29:32 maturity of the tool set how much do you trust those things uh to to rely on them to start blocking you

29:38 know like processes from starting or files from installing or whatever uh if

29:43 you have the confidence that you're not going to disable your your business instead of the attacker do you have a

29:49 process to deal with bad things from a productivity perspective should they occur uh those are some important

29:56 considerations but but the reality that that i see is that that you they have

30:02 another use that is far more powerful which is to help inform you about that

30:07 potential future back to my point about uh pivoting from from solving retrospectively to being more proactive

30:16 learn from those signatures and and try to use that data set to drive a an attacker

30:24 perspective in your security organization so this is how the attackers were behaving

30:30 maybe they got caught like maybe this domain's been taken down i don't know but what how would we have been exposed

30:37 to that what would we have done if we were trying to prevent that and use those those things almost like exercises

30:44 to drive your own control development and make sure that you're monitoring

30:49 footprint is is established adequately so that you can see if your controls are breaking down or being broken down

30:56 that's that's a challenge i think for a lot of people but it's a way that intelligence can be even more useful

31:02 than just just sort of blocking attacks from the past is informing us about what future

31:08 attacks might look like and how they might show up in our own organization

31:14 yeah that's true that also comes in the form of those threat intelligence reports right drew that you guys can uh

31:19 can consume there are a number of uh companies out there that actually provide really rich um you know threats

31:26 intelligence reports but when it comes to feeds by the way what whatever drew said in terms of making a decision

31:33 he's not alone in making that decision and that's kind of a little bit my role to help all the csos out there to make

31:40 that decision a little bit for them sometimes to be honest um our products can ingest intelligence feeds that we

31:47 curate that we build sometimes and all our customers take advantage immediately

31:53 of that threat intelligence without them having to think about it twice but that whole problem of

32:00 understanding this threat intelligence feeds how can you use it safely and how you shouldn't be using it that kind of

32:06 falls on me and my team right because you have to know that threat feeds come in two flavors the

32:11 ones you understand and the ones you don't and what i mean by that is do you understand how it was put together

32:18 because having that information can inform you on how you could potentially use it if you take for

32:24 example like a feed that has a bunch of ip addresses that are supposed to be bad well what if one of those ip addresses

32:30 happen to host thousands of domains and that happens quite frequently as a matter of fact you

32:36 find one bad domain on one ip next thing you know that ip shows up in some some

32:41 threat feed what do you do with that you can't really block that ip you better not block that ip otherwise you're

32:46 blocking a whole bunch of other legitimate domains so that kind of information is is really

32:52 important but in general you know even myself as you know a head of threat labs i am not

32:59 alone in this um there's a number of organizations uh one of which we are

33:05 part of called cyber threat alliance which is awesome at doing threat intel sharing and that means we're pretty much

33:13 leveling the playing field when it comes to threat intelligence a lot of the companies that are part of

33:18 this cta alliance they decide to compete on products and services and capabilities but not on

33:25 threat intel that's way too important no no single one of us can defend

33:31 everybody against all threats but if we pull our resources together at least in

33:36 sharing threat intelligence then we have a better chance and by the way we do that on pretty much

33:41 on near real time basis and that's that's been great to be honest with you that's interesting

33:47 yeah there's a funny story my website darknetaries.com often gets blocked by some threat intel feeds

33:53 um not for having hacker content but because my hosting provider is known to serve ads and so it just gets added on

34:00 some block ad block lists uh i guess this is an example of an open

34:06 source threat intelligence feed um and so yeah and so i guess munir what do you think about open source threat

34:12 intelligence feeds used in enterprise

34:17 well i would say the exact same thing you have to understand how they were built you have to know how it's built

34:23 if it's built using honeypots for example and the source ips that you find in there are the ips of

34:30 some scanners chances are you're going to block some legitimate software i've i've heard many times this story where

34:36 some company buys a tool to do internal scanning and next thing you know that

34:41 that particular tool gets blocked and they cannot do that job why because it showed up in some thread intelligence

34:48 feed whether it's open source or not is a different story but most of the time it happens to be

34:54 open source you have to understand how these feeds are built so that you can safely use them and the

35:00 key word is safely you cannot just shoot yourself in the foot just because you don't know where the intelligence came from so for me uh

35:08 part of studying the value and the uh the value add of a thread intelligence

35:14 feed when it's open source is specifically going into studying things like what is the popularity of each one

35:21 of the ieps in in those feeds and that's actually a decent indication as to

35:26 how much trouble are you setting yourself up down the road if you decide to use that threat yeah it's it is funny

35:32 that you gotta you gotta look to see how it applies to you because i had a customer once that was sharing some

35:38 threat intel with us and um and i was looking at it and they're like yeah we're having a lot of trouble from

35:44 this one ip here it's it's really giving us a lot of problems and i look at it and it's a it's a private ip 192.168.20.20.

35:51 and i'm like well if we would have blindly added that into our threat until and said oh block all this from you know

35:59 happening then we would have been in trouble yeah and and i do get similar questions

36:04 too you know sometimes our customers come to me and they're like hey we'd love to have this threat feed embedded

36:10 into your product you know i look at it i'm like there is no way i'm gonna i'm gonna approve that kind of a thing but

36:16 the comeback is look you really like it i'm gonna give you the option to add it to your own installation your own device

36:23 your own cloud but you're not going to impact everybody else with your decision you like it great use it but i'm not

36:29 going to be behind it drew um i think a lot of people look at cso as sort of the pinnacle of the

36:36 security field on how far you can go up the up the ranks do you look at it that way and um

36:43 how can you do you have any um suggestions on how people can reach that if that is your goal

36:51 yeah therapy love therapy i think

36:56 it certainly is the pinnacle of part of of the security story i mean just just

37:02 as any career field has a senior general manager uh a role right but i i really

37:09 think one of the wonderful things about security is that it's such a big tent career field like it's not a job right i

37:16 think that's first and foremost it's a career field uh with a lot of very specialized

37:22 disciplines some of which uh pay more i know penetration testers who make far

37:28 more than csos do and and are in far more demand you know we're talking seven

37:33 figure plus individuals here that get to set their own hours and uh and really

37:39 pursue their own interests in terms of hacking and puzzle solving and and the

37:44 like so so you could say that that some of these people are at the pinnacle and and and that's true you know you've got

37:50 deeply technical jobs forensics analysts uh for example which

37:56 which have such specialized skills uh which could be at the pinnacle of of the

38:02 of the field so so on the technical side i think there's a lot of opportunity for different peaks uh and pinnacles to be

38:10 found on the administrative side you know you've got just as many opportunities for people

38:15 with soft skills who or who want to pursue a more person oriented

38:21 nature of the field whether that's awareness and training whether that's compliance whether that's risk

38:27 management um or or a number of other areas you know so

38:32 it doesn't have to just be i'm a technician and and you see csos from both sides

38:38 you know some companies like a compliance background uh some companies like a technical and engineering and

38:43 architecture type background so there's opportunities to find your mastery of the domain or to

38:51 leverage your background to pursue a more general management type role

38:56 i would just say that if people want to pursue the cso it shouldn't just be because of the

39:02 title it should be because they have a genuine interest in developing the talent and

39:08 dealing with the organizational change management and some of those more political dimensions of the job because

39:15 if you're just pursuing it because you think it's the highest on the wrong or highest rung on the ladder

39:21 you're going to fail because it is a very people-oriented role you've got to manage the talent and

39:28 the growth and provide opportunities for people and make sure that everybody is taking

39:33 advantage of those opportunities and and so it becomes in some way not even a security job

39:38 anymore because it is more of a general management job particularly the bigger your

39:44 organization gets the less time you spend making security decisions and the more

39:49 time you spend relying on your experts to make those decisions and your job is to make sure you've got the right experts in place so that's that's the

39:56 only caveat i'd say is that like any any senior role you know you you start moving away from the function and into

40:03 that general management domain and you still have to be fond of deprivation right true yeah you don't

40:11 mind if you have some bags under your eyes those are badges of honor i you know i i really like what you said

40:17 there but uh you know this thing is a career field it's not really uh it's not

40:23 really a job you know i i kind of uh i look at it even from a broader perspective for me cyber security is

40:29 really a calling first it's not an employment opportunity i i would make one simple exclusion out of that is the

40:35 offensive sidebar which is a little bit special but other than that uh you know yeah you can you can find people with a

40:42 ton of technical skills uh but that's not what you should be looking for it's talent that you're looking for because you need to have a

40:49 certain detective mindset and and and be able to persevere when when you're facing difficulties in analyzing

40:56 something i think for me that's that's key plus you know of course this space is moving so fast with

41:03 everything that's changing whether it's operating systems changes the applications coming on board

41:08 all the vulnerabilities that are out there the myriad of ways that an attacker can can put together a campaign

41:15 this means when you're looking for a career in this space you really have to be one of those

41:21 people who are constantly updating their skill set whether it's trainings go and attend conferences and etc

41:28 even getting some certifications but i wouldn't really pin it to oh you know i'm going to have some

41:33 certifications and i'm going to go up the ladder and i'm going to end up a cso if that's your goal you're probably not

41:39 starting well that's really helpful thank you i think personally i think one of the most

41:44 important skills to have when dealing in the i.t field is the ability to deal with a set of

41:51 unknowns and not being afraid um like like getting on the command line and

41:57 just be knowing like i don't know what command to type here i mean even a google search sometimes it's like well

42:02 what can i put in here i don't know what i'm allowed to do what you're not and just being able to

42:08 fail at that screw that up but try again and realize like okay it's not so bad if

42:14 i mess up a command or two and having that comfortability of knowing that you're you're probably

42:20 going to fail but it's okay and knowing that you don't know what's going on and

42:25 that's okay too i think just being able to navigate that dark and scary place i think is probably a very important

42:32 skill that's not talked about as much that's true you definitely have to be

42:38 comfortable with that it's uh you know quite often we run into situations where we have to quickly assess a particular

42:44 threat like you know we hear like everybody else of things sometimes in the news sometimes it's in

42:50 closed channels you know like specific forums for cyber security professionals we hear about something

42:57 and you need to go and find out whether your particular products are vulnerable

43:02 and for me in particular i need to find out if our products are capable of detecting and blocking that particular

43:08 threat everybody seems to be talking about but nobody's giving you the details so you have to get in there you

43:14 have to figure out what application is involved maybe try to get your hand on a copy of that application try to

43:20 reproduce the scenario that you've barely heard about it's relatively difficult and you're

43:25 doing all of that under tremendous time pressures because every day or every

43:31 hour for that matter that you're not up to speed on what's happening these are potential attacks that are uh

43:38 going on out there and maybe customers would be unprotected against those attacks so yeah you're right we're not

43:44 gonna know everything that's impossible we have to be comfortable with just diving in

43:50 and getting things done all right uh drew i want one last question from you and uh

43:55 that is what's the from a cso's perspective what are what are the three most critical

44:01 areas you think organizations should be focused on investing in today

44:07 oh so so for organizations i i think they they need to be fast right we

44:13 talked about the the aspirational goal of getting in front of the problems we're not there yet but we definitely

44:19 need to be working at machine speeds uh attackers are leveraging more and more

44:25 automation more and more intelligence you know when you're talking about these smart fishes a lot of these fishes are

44:30 built on with ai that is studying your linkedin profile your resume your your

44:36 post on facebook and so on and so forth and so super duper targeted and super effective as a result so we've got to be

44:43 uh just as sharp in terms of how we respond to these things so automation orchestration

44:50 um is is a key one i think organizations need to invest in metrics and reporting

44:55 as well uh we're moving more and more into a world to prove it uh show me and and and kind of uh less of blind faith

45:03 and ignorance really where where people didn't understand security enough to ask good questions now they're starting to

45:10 understand it and they want to see proof they want to see evidence and and i guess part and parcel to that

45:16 one would be uh culture uh integrity inclusion diversity um

45:22 i think that's really important because uh it is the decisions of thousands of people that we have to really protect

45:29 against not all of the attacks in fact many of the attacks that you see in the news started with an employee making a

45:37 mistake and so creating a culture where people recognize that they're responsible for

45:42 their decisions and their actions and that they're supported in making good decisions that's important and and

45:48 having uh that viewpoint i talked earlier about having the hacker's viewpoint um you're not gonna get a

45:55 diverse set of viewpoints if you don't have a diverse set of people in your organization and so having people with

46:00 different backgrounds from different cultures with different viewpoints is is really an important step towards being

46:08 able to see problems from different angles and the more angles we can see them from the more likely we are to see

46:14 a solution to that problem wow gentlemen this has been illuminating to me and helpful i hope it's been helpful to the

46:20 people listening to and everyone you should be following drew and munir and juniper because these are some leaders

46:26 in the space that i'm i'm following and picking uh lots of good information out of um so guys thanks for taking the time

46:34 with me to chat today but i want to end by just wrapping up some of the things i've learned from this

46:40 my biggest takeaway is that ransomware is still a major threat to businesses which is kind of surprising to me you

46:46 think we we'd have this wrapped up and cleaned up by now but nope it's um it's

46:51 you know criminals are incentivized and they're making money doing this so they're just going to keep doing it as long as it's paying them

46:57 the second takeaway is that open source software can have critical vulnerabilities but it

47:02 just needs to be important to be able to update it uh if it's in your environment and it's

47:08 in all of our environments there's no way of hiding it anymore or avoiding it

47:13 and the third takeaway i got out of this was uh companies can improve their as

47:19 they as they improve their security uh maturity they can implement um threat

47:24 intelligence feeds which can help them get even more eyes into what's going on in their

47:30 network it's kind of hard to see what's what's actually happening there but a threat until feed can really help at a

47:36 certain level and i just want to remind everyone that this conversation was recorded and it's available on demand

47:42 as soon as this is over you'll see it on my twitter account and you can also learn more about juniper threat labs by visiting

47:50 threatlabs.juniper.net and if you like this and want me to do more events like this let me know this is the first time

47:56 but it doesn't need to be the last one and uh oh one last thing the other day i

48:01 was typing on my keyboard and out of nowhere one of the keys popped off and

48:06 that's the story of how i lost control alright everyone thanks for joining have

48:11 a great rest of your day thank you for having us thanks jack it was great

Show more