Jack Rhysider, Host of Darknet Diaries

Darknet Diaries x Juniper Networks Twitter Spaces

Title slide: “State of Security with Darknet Diaries & Juniper Networks,” with headshots of the host, Jack Rhysider, and the two guests.

Listen: The latest trends in cybersecurity from two Juniper experts 

Hear from Juniper Threat Labs’ Mounir Hahad and CISO Drew Simonis as they talk with Jack Rhysider of Darknet Diaries about trends in cybersecurity and how they work to keep Juniper and customers safe from threats now and in the future. 


You’ll learn

  • What keeps Drew Simonis and his peers up at night 

  • A real-life example that shows how complex it can be to avoid security breaches 

  • What’s effective and what’s not when it comes to dealing with ransomware 

Who is this for?

  • Security Professionals

  • Network Professionals

Host

Jack Rhysider
Host of Darknet Diaries 

Guest speakers

Mounir Hahad
Head of Juniper Threat Labs, Juniper Networks
Drew Simonis
Chief Information Security Officer, Juniper Networks

Transcript

0:01 Jack Rhysider: Hello, I'm Jack Rhysider, host of Darknet Diaries, an investigative cybercrime podcast. This is a recording of my live Twitter Spaces hosted with Drew Simonis and Mounir Hahad of Juniper Networks. Like this video if you're interested in more content like this, and tell us what you think on social media. You can find more from me at darknetdiaries.com or on Twitter at @darknetdiaries. Enjoy.

0:25 Jack Rhysider: So, you know, something I think about a lot is: what does it take for us to be secure? And some stuff that kicks around in my head is, maybe it's the users. It's the user's fault; if the users were more, you know, smart, we'd all be more secure. But is that it? Maybe the police could do their job a little better. If they arrested all the cybercriminals, then we'd have no problems with security, right? But no, wait, maybe it's the vendors. If the vendors created secure products, then none of us would have any problems with security. Or you could look at it as the policymakers; they could do some things to make us all secure as well. And what I want to think about today is, you know, all of these people are the ones who help make us secure, and I specifically want to focus on vendors and policymakers today in this Space, because they're the ones who are staying ahead of emerging threats and keeping their ears to the ground, listening for what's coming out. And, you know, the threat researchers are going to bubble that information up to the leaders, and those leaders might be in your company or government officials, and I think it's fascinating to look at how that particular aspect works.

So in this Space with me here today is the chief information security officer and the head of threat research from Juniper Networks. Now, just about me: you know, a lot of people know me from the podcast Darknet Diaries, but to make that I have to know a lot about IT and security threats, so that's not something that I do, the research, myself. What I rely on are people who are researching this and security leaders in the space, and so that's what this Twitter Space is about. I'm going to be chatting with two security leaders from Juniper Networks. And with that said, I do want to make it clear that Juniper is sponsoring my time for hosting this event, and they're also sponsors of my podcast. But when they asked me to do this I was really excited about it, because I have actually been a security engineer before I was a podcaster, and so my hands were in firewalls a lot, specifically in Juniper firewalls, SRXs, and I even got some Juniper certs like the JNCIS-SEC. But if you're not aware of what Juniper is, they help organizations build threat-aware networks to keep attackers at bay so that business-critical traffic can travel across the wire properly, and they do this by making firewalls, cloud solutions, management tools, and their aim is to secure every point of connection, from client to cloud. And it's amazing for me to look at where I've come, because there was a time when I was an engineer and I actually took a trip to Sunnyvale and drove to Juniper's offices in Silicon Valley and just stood outside their buildings gazing at the size of them. And now here I am with my own vanity URL on their website: juniper.net/darknet resolves, it was made just for me. And now I get to interview their CSO. So I just never expected this in a million years, and I'm just honored to be part of it.

So with that bit of intro out of the way, I want to introduce my two guests: Drew Simonis, chief information security officer of Juniper Networks, and Mounir Hahad, head of Juniper Threat Labs, which is the independent research arm of Juniper. And by the way, this Space is being recorded and you'll find those links in my Twitter account after the event. So Drew, Mounir, thank you for joining me today.

3:59 Drew Simonis and Mounir Hahad: Thank you for having us. Hey, good morning, very excited to be here.

4:05 Jack Rhysider: So let's start out with just hearing more about your roles. What is it like being the CSO, and also working in threat intelligence today?

4:16 Drew Simonis: Well, I would say, from the perspective of being a CSO, we've faced a tremendous evolution in the role over just the last couple of years. As companies are doing more and more with digital transformation, as technology is more important not just to the economy but to society as a whole, you know, the bad actors out there are finding ways to take advantage of our reliance on this technology. And so our domain, the securing of that technology, has really risen to the fore in a way that we've long expected, but maybe weren't quite as ready for, based on what you see in the world today, with a lot of exposure, a lot of compromise still occurring. So, very high intensity, very high pressure, and the challenge is significant. You know, we always are striving for more resources, we're always striving for more mind share, trying to get the attention from the right people in the right places, trying to leverage services like what Mounir helps to deliver. And the reality is that we have to have good understanding of the adversary, their capabilities, their intent, and how that intertwines with our own operations. So what do we have that they are likely to want? Do we have the controls in place that they are likely to be blocked by? And so, you know, it's a constant battle as evolution occurs, both in the business process and in the technology landscape and in the attacker's capabilities and desires. So fast paced, fast moving, a lot of pressure, I guess, would be the sum of that.

6:13 Mounir Hahad: I concur with that. I mean, Drew definitely has the hot seat on this one. So while Drew is kind of focused on securing Juniper's cyber assets, my role is to try to protect all of our customers, and that's including Drew, by the way, who is honestly one of my favorite customers. And he's my favorite customer because he's just a text message away and he gives me access to all the data I need. Sometimes, you know, I can't just go to our customers at random and just say, hey, could you please give me access to your whole network because I need to investigate something or validate some theory. I can't do that, but with Drew I can. See, the one thing that people don't realize is that Drew has carte blanche to go and provide himself with any kind of tool capabilities he can get from anywhere he wants. He's not bound to using Juniper products, but he does, and he keeps me in check, because he goes, you know what, Mounir, if your product's efficacy drops, I'm dropping you too and I'm gonna buy something else from someplace else. Fortunately that hasn't happened, and, you know, it's a great relationship to have with Drew, and that helps me a lot because it gives me real-time data from an actual large company's traffic, and it kind of gives me a model to work with when we're looking at the threats, the defensive methods that we put in place, and thinking about what's next to come. So I really appreciate that collaboration that I have with Drew.

7:38 Jack Rhysider: Mounir, you work with Juniper Threat Labs. How does that operate?

7:44 Mounir Hahad: Well, you know, Juniper Threat Labs is actually a combination of three things, and that's not typical in this industry. You look at a lot of different companies, they would have threat research separate, product development separate, etc. I have the advantage of having all three things under one roof. The first one is just the threat research, which is kind of the awareness and being able to see what's happening out there in the wild, making sure we're ready for cyber attacks, making sure our customers are protected. That's one. The second one is just the development team. So I have a development team dedicated to building the detection methods that go into our products, whether they're on premises or in the cloud or anywhere in between, it doesn't matter. So I own the efficacy of that detection technology. And the third one, and it's definitely not the least, we have the security operations team that's constantly monitoring what's happening with our own detections across our customers' telemetry. And the idea behind it is we're here to monitor for things that, you know, either spike, or things that are unusual, or things that honestly we might have missed. And that information is fed back into either the development team, especially when it comes to things like machine learning. You know, we build models, those models tend to fluctuate over time, so we have to keep an eye on that. And it also goes back to research. You know, sometimes we hear about something that we just haven't thought about in the past, so it goes back to the research team and we have to figure out proofs of concept: what did we miss, how can we make it better, how can we block it right away, how can we future-proof it? So this is like the three-pronged approach to doing work within Threat Labs.

9:26 Jack Rhysider: Very interesting. So Drew, you know, being the CSO, it sounds nerve-wracking to me, kind of like a new parent, where you just don't know if you're doing enough to keep everyone safe, right? It's just like, ah, am I doing enough? And there's always something in the back of your head, and it's hard to sleep as a new parent. What keeps you up at night as a CSO, or what's top of mind for some of your peers?

9:58 Drew Simonis: Oh, it's a good comparison. Well, everything, everything keeps me up. My peer group, myself, we're nervous people, very anxious, I think, because we have 10, 20, 30, 40,000 children, and all of them are often doing things that they ought not to be doing. And so we have to worry about the decisions of a large group, a very large family. And so, you know, we have to do that in an environment where there's more and more scrutiny: customer scrutiny, executive scrutiny, board member scrutiny, regulator scrutiny, shareholder scrutiny. Like, everybody is paying attention to what we're doing these days, and that adds to the pressure. You know, and so you're right, you've got to be comfortable that the decisions that you are making are the best decisions that you can make given all of the uncertainty that you face. I think that's probably one of the key things that differentiates the CISO from maybe a security practitioner who's maybe not so seasoned, or is aspiring, right, to be seasoned. It's living in that comfortable gray area that you described, and being able to go home at night and know that it might be a wrong decision, but given what you had in front of you, it was the best you could make.

But if you're asking sort of what are the key things besides that, I think the challenges that I face are around talent, first and foremost. You've got to have the right people on the bus, and you've got to be able to hire people and retain those people and keep them engaged. And that's difficult. All those things are difficult, because, you know, take all the complexities of COVID and working from home, and add on to that this ever-changing technology landscape I alluded to earlier, and the pressures of the role. So it's a burnout factory for a lot of people, and that's a shame, and we work really hard to alleviate that pressure. Prioritization, to the point you made: did I make the right decisions? Do I have the right insight to make those decisions? Or do I avoid analysis paralysis so I can make a decision without having a complete view of the landscape? That's an important one too. And then execution. You know, so I've got the right people, I'm focused on the right things, I'm prioritizing the right areas; am I executing fast enough, and to the right quality, to be in front of the adversary and to really be solving the problems before they creep up and damage the business's ability to be successful? So I think those are the three things: talent, prioritization, execution would be the things I'd worry about most.

12:49 Jack Rhysider: For anyone just joining us, welcome, have a seat, please stay. I'm having a conversation with Drew and Mounir from Juniper Networks. Drew is their chief information security officer and Mounir is the head of Juniper Threat Labs, and this Space is being recorded in case you missed something. Gentlemen, this is a question I got from a follower: what's the stupidest thing that has caused a problem or a breach? And maybe, Drew, I'd like to hear from you first.

13:16 Drew Simonis: Well, you know, not the stupidest, but I think it's illustrative of how complex avoiding breaches really can be. It's a silly story, but at a prior job, I won't say where or when, we had an executive who essentially phished himself. And the story is that, as you may or may not know, executives have a lot of emails sent out from them, but not by them. And so this individual went into their mailbox, saw a message from them and said, you know, oh, I wonder what I'm talking about today, like what interesting topic am I endorsing or supporting across the company, and followed the links to see. And lo and behold, it was a phishing message, spear-phished to him, or something along those lines. And so, you know, he saw the silliness in it, but I think that the real illustrative part is that it is difficult, even for, like, you can fall for a message that you know is fake, or not necessarily from you. And as the attackers get better and better at what they're doing, it is increasingly difficult for people to spot genuine phishing messages, or sorry, genuine email messages from phishing messages, or genuine websites from impersonating websites. And so in that story is the kernel of: it's really hard for everybody to not fall victim to some of these very sophisticated attacks that are increasingly easy for people to pull off.

14:46 Mounir Hahad: Yeah, Drew, it's funny, as you're saying this it reminds me of another very similar story, and maybe this one is even funnier, because I know somebody who was actually part of building a campaign within their own organization for, you know, the anti-phishing campaign. So this is one of those educational things that companies do: they send you an email once a quarter or something, and, you know, they make sure that you're not clicking on the wrong links. So this particular person was part of the team that was putting together the campaign, and they were constantly complaining that, hey, past campaigns are so easy to spot, let's make it a little bit more realistic. And sure enough, they wanted to give it a go and they built that messaging, and the day before the campaign he actually received an email saying, hey, tomorrow we're sending the campaign, be on alert, you know, just let's see what happens. The very next day, unfortunately, because of various circumstances, he personally fell for it. Unbelievably. You know, it's one of the things I remember he was telling me, that he looked at it on his phone instead of on his desktop client, and, you know, on your phone certain things disappear, like you don't see the email of the person, you just see a name, the links are relatively difficult to see, even if you see something in there you have to know that you need to do a long press and wait for it and then you see a preview, and all kinds of things go wrong on a phone. So he actually fell for it because of the circumstances. I guess what this kind of drives is the point that so many attacks are actually very easy to spot. Fortunately, a lot of these people sending phishing emails do not understand or speak English very well, but some of them can get really, really sophisticated, and it's very hard to see. And I have to admit there's one thing I personally do not like in what we're doing about it these days. You see a lot of these URL rewrites, for example, that, you know, certain security tools, email security tools, would tend to replace an actual URL with another URL that goes through some pre-processing before it lets you through. Now, for probably more than 90 percent of people that's a great thing to have, but for some of us who understand how to look at a link, it's annoying, to be honest. It also circumvents the training we've been giving people for years, right, that you look at the link and decipher it. And now, so now we're relying on technology rather than the training, and I don't know which one is better. I guess, you know, 90 percent of the time that's the right call. I think we should rely on technology a little bit more than people. I'm just personally annoyed because I would prefer to rely on myself, even though, I mean, looking at the URL may not necessarily be the end-all be-all.

17:44 Drew Simonis: Well, that's right. With the way the attacks are evolving, you know, you can be sent, and there's frames on frames, and so you're going to what you think is a real site, and it may in fact be that real site, or the real site's been compromised, so it's more like a watering hole attack. So the attackers are always one step ahead of us in terms of circumventing everything we do, everything we've trained people, and then they're like, well, I'll just take this and switch it by five degrees, and now everything you did needs to be redone. That's the fun part of our job, I think, keeping up with that. Who would have thought they'd get us through CAPTCHAs before we get to a phishing site?

18:25 Jack Rhysider: Yeah, it makes me wonder. We put all these, you know, major security checks in place, and then it just gets circumvented. Sometimes it just seems all for naught, because there's just an easy way around it. So you've got your finger on the pulse of pretty much what's going on in the threat landscape today. What are you seeing as some of these big trends or major attacks that you've been seeing in the last year that businesses should be worried about?

18:50 Mounir Hahad: You know, because I look at customers across the spectrum, it's actually hard to believe that people are not gonna have their own opinions as to what bubbles up to the surface. I can tell you, look, I'm seeing a trend here, but for some vertical that's not going to be the trend for them; it's something else that they're worried about. So for example, if you're in the defense industrial base, you're probably thinking industrial espionage is trending up. But if you're in the energy sector or critical infrastructure, you're probably more worried about acts of sabotage that are trending up. But one thing everybody will agree on is that ransomware has become the threat to counter. You know, we used to deal with ransomware just like a one-off, but now it's really commoditizing, it's become a service. I don't want to go too much into parallels, but if you remember, mail spamming used to be like that as well. It started by being the work of one person having to do everything, from building mailing lists, building mailer bots, and identifying open relays, etc., etc., to the point where every piece has been outsourced. You would buy the mailing list from someone, you will lease a botnet from somebody else, and maybe purchase an exploit kit if you're looking at infiltration. So the same thing is happening with ransomware, and it's making it more of a business than anything else. You will buy a target list from somebody if you're interested in a particular vertical, somebody else will put together actually the infection chain for you, and you don't even have to handle customer support, somebody else will do it for you, and same thing for the payment. And in all of that, the attacker that you're trying to protect against is hidden behind layers and layers of human shields. So that's kind of what I'm seeing as a big trend, especially that you're not dealing with just somebody who's encrypting your data. I mean, we kept telling people, back up data, put it offline, but these days the exfiltration business, with people taking away your data, has made it a little bit more difficult to counter. And the latest trend is really about going after the victims. I don't know if you've heard about that, what is it, like a mental health hospital, I think somewhere in Europe. Not only they encrypted all the data for people that were there, but because it was readily available in clear text, they exfiltrated it and they started going after the patients themselves. I mean, imagine, they were basically telling them, hey, here's the transcript of all your conversation with your therapist, you either pay us 200 euros or we're going to publish this online. That's really a terrifying trend.

21:44 Drew Simonis: Yeah, well, I was going to say that, you know, to Mounir's point, sorry, an object, when you hear about these things, even the way people speak about this these days is very service and industrialized. When people talk about the second- and third-order ransomware extortion vehicles, you know, they speak of them as features, like nine out of ten ransomware packages have these features supported, right? So it's so much like buying a... just imagine, like, you don't have to have technical skill anymore, you just have to have a credit card and the desire to make, what got was, ridiculous amounts of money. I think there was a report the other day that the bitcoin wallet for one of these big ransomware things was leaked, and it had billions of dollars in bitcoin in it. So this is not like, I'm going to make a couple grand; this is potentially, for these criminal gangs, I'm going to make a few billion dollars. Yes.

22:45 Jack Rhysider: So, Mounir, you can see kind of these attacks happening, but Drew, you've got this vision into how organizations are responding to these kinds of attacks. And how do you think they're doing? What's been effective and what's ineffective at dealing with ransomware?

23:01 Drew Simonis: Well, it is an area where we could do a lot better as an industry. The reality that I see is that people tend to be solving yesterday's problems tomorrow. There's still not the level of executive buy-in across the corporate world that we need to have, and threat intelligence is valuable, but not everyone's consuming it, and the threat intelligence is not yet at a level of sophistication where we can get really accurate future predictions. Team that up with what you were talking about, where our controls sort of can be so easily circumvented, and that's another reality, right? I mean, people will choose how to behave, and their adversaries will understand how they're making those choices. An easy example is CVSS scores for vulnerabilities. Many companies prioritize 7 and up because those are critical risk. Well, recently attackers have been starting to weaponize 3 and down because they think nobody's paying attention to those patches, and maybe they're right. So there's always this reactive nature that we really need to find a way... like, right now the best we hope to do is react fast: automation, orchestration, we look at that and we're like, okay, let's bend the curves down to seconds and minutes rather than days and weeks. But the real, I guess, ambitious goal is how can we get in front of those threats, so instead of yesterday's problems tomorrow, we're solving tomorrow's problems today. That's something we really need to be working on getting better about as an industry.

24:44 Jack Rhysider: You know, I'm really curious on what your thoughts are on open source software in the enterprise. I mean, we had the Heartbleed bug in 2014, which was a major vulnerability in OpenSSL, and this year we had Log4j, which is another major vulnerability in open source software. Now, open source is usually made by volunteers and they put their code out there for free for anyone to download. And this is a question either of you can answer, but how do you feel about taking this volunteer-driven free software and using it in the enterprise?

25:16 Mounir Hahad: Yeah, I'll take a first step at this, Drew, because my team does actually use open source software. You know, I think that question of whether we should or should not be using open source software, that ship has sailed. Everybody's doing it, and I don't think there is any way of going back, because there's just no point in reinventing the wheel. No matter what you think, we're still in a chase between the good guys and the bad guys in this space, so the faster you can turn around a new detection method, the better you are protecting all your customers, and therefore reusing what's already out there is an absolute must. Now, you have to understand, though, that when it comes to using open source software, it comes with strings attached, and these are not necessarily the licenses. What I'm talking about here is your ability to buffer that software update and be able to patch it in a heartbeat. Because what do we usually see? Open source software is out there being used by millions of people; next thing you know there's some sort of supply chain type of vulnerability, and they get in there, they put a bad update, and if you've automated downloading this update from GitHub, then you're probably in a lot of trouble. So you need to make sure that you're not making these kinds of mistakes, and you're doing some sort of due diligence, and you have a process by which you have your finger on the pulse on what is being discovered around those packages. Now, if you're any company of a decent size, you probably have hundreds, literally hundreds, of open source packages that you're using in your own product, so keeping an eye on them is not something that you can do manually. You have to have in place some sort of a method and a system that keeps track of what's being talked about regarding those packages, and be ready to patch.

27:18 Jack Rhysider: I think it was fascinating when Log4j came out. I think some of the quicker ones to patch were video game companies that were using it, and some of the slower ones to patch were deeply embedded tools, like IT tools and stuff that have, you know, six layers down, and that's where the open source software is, and to fix or update that, nobody really remembers how that even got there. So yeah, I really agree that if you're going to be using this, you have to be able to update it in there. Drew, I see some of these organizations using threat intelligence feeds, and we're going to switch to threat intelligence feeds for a second. The thing is, well, so what a threat intelligence feed is: it's typically a list of IPs or domains that are kind of a list of bad actors and what they've done, and you can use this list to compare it to the traffic going on in your network to see if it's malicious or not. But the thing that I can't figure out is, when is a company ready to implement a threat intelligence feed?

28:30 Drew Simonis: Well, it really comes down to what you want to get out of it. You said something really key in that question: what they have done. So these kinds of feeds are all retrospective. They're certainly valuable, right? You don't want to be caught victim to something that is well known and where you should be having your guard up a little bit more. So integrating those, and, you know, sometimes they're hashes for files, sometimes they're, like you said, block lists, sometimes there are other types of indicators, but you've got a lot of ability in your technology these days to ingest those almost like sort of custom signatures for intrusion detection and prevention systems, or on your desktop, or whatever. As far as organizational readiness, to me it comes down more to maturity of the list and maturity of the tool set. How much do you trust those things, to rely on them to start blocking, you know, like processes from starting, or files from installing, or whatever? If you have the confidence that you're not going to disable your business instead of the attacker, do you have a process to deal with bad things from a productivity perspective should they occur? Those are some important considerations. But the reality that I see is that they have another use that is far more powerful, which is to help inform you about that potential future, back to my point about pivoting from solving retrospectively to being more proactive. Learn from those signatures and try to use that data set to drive an attacker perspective in your security organization. So this is how the attackers were behaving; maybe they got caught, like maybe this domain's been taken down, I don't know, but how would we have been exposed to that? What would we have done if we were trying to prevent that? And use those things almost like exercises to drive your own control development, and make sure that your monitoring footprint is established adequately so that you can see if your controls are breaking down or being broken down. That's a challenge, I think, for a lot of people, but it's a way that intelligence can be even more useful than just sort of blocking attacks from the past: it's informing us about what future attacks might look like and how they might show up in our own organization.

31:14 Yeah, that's true. That also comes in the form of those threat intelligence reports, right, Drew, that you guys can

31:19 consume. There are a number of companies out there that actually provide really rich threat

31:26 intelligence reports. But when it comes to feeds, by the way, whatever Drew said in terms of making a decision,

31:33 he's not alone in making that decision, and that's kind of a little bit my role, to help all the CISOs out there to make

31:40 that decision, a little bit for them sometimes, to be honest. Our products can ingest intelligence feeds that we

31:47 curate, that we build sometimes, and all our customers take advantage immediately

31:53 of that threat intelligence without them having to think about it twice. But that whole problem of

32:00 understanding these threat intelligence feeds, how you can use them safely and how you shouldn't be using them, that kind of

32:06 falls on me and my team, right? Because you have to know that threat feeds come in two flavors: the

32:11 ones you understand and the ones you don't. And what I mean by that is, do you understand how it was put together?

32:18 Because having that information can inform you on how you could potentially use it. If you take, for

32:24 example, a feed that has a bunch of IP addresses that are supposed to be bad, well, what if one of those IP addresses

32:30 happens to host thousands of domains? And that happens quite frequently, as a matter of fact. You

32:36 find one bad domain on one IP, next thing you know that IP shows up in some

32:41 threat feed. What do you do with that? You can't really block that IP. You better not block that IP, otherwise you're

32:46 blocking a whole bunch of other legitimate domains. So that kind of information is really

32:52 important. But in general, you know, even myself, as the head of Threat Labs, I am not

32:59 alone in this. There are a number of organizations, one of which we are

33:05 part of, called the Cyber Threat Alliance, which is awesome at doing threat intel sharing, and that means we're pretty much

33:13 leveling the playing field when it comes to threat intelligence. A lot of the companies that are part of

33:18 this CTA alliance, they decide to compete on products and services and capabilities, but not on

33:25 threat intel. That's way too important. No single one of us can defend

33:31 everybody against all threats, but if we pool our resources together, at least in

33:36 sharing threat intelligence, then we have a better chance. And by the way, we do that on pretty much

33:41 a near real-time basis, and that's been great, to be honest with you. That's interesting.

33:47 Yeah, there's a funny story. My website darknetdiaries.com often gets blocked by some threat intel feeds,

33:53 not for having hacker content, but because my hosting provider is known to serve ads, and so it just gets added on

34:00 some ad block lists. I guess this is an example of an open

34:06 source threat intelligence feed. And so, yeah, I guess, Mounir, what do you think about open source threat

34:12 intelligence feeds used in enterprise?

34:17 Well, I would say the exact same thing: you have to understand how they were built. You have to know how it's built.

34:23 If it's built using honeypots, for example, and the source IPs that you find in there are the IPs of

34:30 some scanners, chances are you're going to block some legitimate software. I've heard many times this story where

34:36 some company buys a tool to do internal scanning, and next thing you know,

34:41 that particular tool gets blocked and they cannot do that job. Why? Because it showed up in some threat intelligence

34:48 feed. Whether it's open source or not is a different story, but most of the time it happens to be

34:54 open source. You have to understand how these feeds are built so that you can safely use them, and the

35:00 key word is safely. You cannot just shoot yourself in the foot just because you don't know where the intelligence came from. So for me,

35:08 part of studying the value and the value add of a threat intelligence

35:14 feed, when it's open source, is specifically going into studying things like what is the popularity of each one

35:21 of the IPs in those feeds, and that's actually a decent indication as to

35:26 how much trouble you are setting yourself up for down the road if you decide to use that threat feed. Yeah, it is funny

35:32 that you've got to look to see how it applies to you, because I had a customer once that was sharing some

35:38 threat intel with us, and I was looking at it and they're like, yeah, we're having a lot of trouble from

35:44 this one IP here, it's really giving us a lot of problems. And I look at it and it's a private IP, 192.168.20.20,

35:51 and I'm like, well, if we would have blindly added that into our threat intel and said, oh, block all this from, you know,

35:59 happening, then we would have been in trouble. Yeah, and I do get similar questions

36:04 too. You know, sometimes our customers come to me and they're like, hey, we'd love to have this threat feed embedded

36:10 into your product. You know, I look at it, I'm like, there is no way I'm going to approve that kind of a thing. But

36:16 the comeback is, look, you really like it, I'm going to give you the option to add it to your own installation, your own device,

36:23 your own cloud, but you're not going to impact everybody else with your decision. You like it, great, use it, but I'm not

36:29 going to be behind it. Drew, I think a lot of people look at CISO as sort of the pinnacle of the

36:36 security field, on how far you can go up the ranks. Do you look at it that way? And

36:43 do you have any suggestions on how people can reach that, if that is your goal?

36:51 Yeah, therapy. Love therapy. I think

36:56 it certainly is the pinnacle of part of the security story. I mean, just

37:02 as any career field has a senior general manager role, right? But I really

37:09 think one of the wonderful things about security is that it's such a big tent career field. Like, it's not a job, right? I

37:16 think that's first and foremost. It's a career field with a lot of very specialized

37:22 disciplines, some of which pay more. I know penetration testers who make far

37:28 more than CISOs do and are in far more demand. You know, we're talking seven

37:33 figure plus individuals here that get to set their own hours and really

37:39 pursue their own interests in terms of hacking and puzzle solving and the

37:44 like. So you could say that some of these people are at the pinnacle, and that's true. You know, you've got

37:50 deeply technical jobs, forensics analysts, for example, which

37:56 have such specialized skills, which could be at the pinnacle of

38:02 the field. So on the technical side, I think there's a lot of opportunity for different peaks and pinnacles to be

38:10 found. On the administrative side, you know, you've got just as many opportunities for people

38:15 with soft skills, or who want to pursue a more person-oriented

38:21 nature of the field, whether that's awareness and training, whether that's compliance, whether that's risk

38:27 management, or a number of other areas. You know, so

38:32 it doesn't have to just be "I'm a technician." And you see CISOs from both sides.

38:38 You know, some companies like a compliance background, some companies like a technical and engineering and

38:43 architecture type background. So there's opportunities to find your mastery of the domain or to

38:51 leverage your background to pursue a more general management type role.

38:56 I would just say that if people want to pursue the CISO role, it shouldn't just be because of the

39:02 title. It should be because they have a genuine interest in developing the talent and

39:08 dealing with the organizational change management and some of those more political dimensions of the job, because

39:15 if you're just pursuing it because you think it's the highest rung on the ladder,

39:21 you're going to fail, because it is a very people-oriented role. You've got to manage the talent and

39:28 the growth and provide opportunities for people and make sure that everybody is taking

39:33 advantage of those opportunities. And so it becomes in some way not even a security job

39:38 anymore, because it is more of a general management job. Particularly the bigger your

39:44 organization gets, the less time you spend making security decisions and the more

39:49 time you spend relying on your experts to make those decisions, and your job is to make sure you've got the right experts in place. So that's the

39:56 only caveat I'd say, is that, like any senior role, you know, you start moving away from the function and into

40:03 that general management domain. And you still have to be fond of deprivation, right? True, yeah. You don't

40:11 mind if you have some bags under your eyes; those are badges of honor. You know, I really like what you said

40:17 there, but, you know, this thing is a career field, it's not

40:23 really a job. You know, I look at it even from a broader perspective. For me, cyber security is

40:29 really a calling first, it's not an employment opportunity. I would make one simple exclusion out of that, which is the

40:35 offensive sidebar, which is a little bit special. But other than that, you know, yeah, you can find people with a

40:42 ton of technical skills, but that's not what you should be looking for. It's talent that you're looking for, because you need to have a

40:49 certain detective mindset and be able to persevere when you're facing difficulties in analyzing

40:56 something. I think for me that's key. Plus, you know, of course, this space is moving so fast, with

41:03 everything that's changing, whether it's operating system changes, the applications coming on board,

41:08 all the vulnerabilities that are out there, the myriad of ways that an attacker can put together a campaign.

41:15 This means when you're looking for a career in this space, you really have to be one of those

41:21 people who are constantly updating their skill set, whether it's trainings, go and attend conferences, etc.,

41:28 even getting some certifications. But I wouldn't really pin it to, oh, you know, I'm going to have some

41:33 certifications and I'm going to go up the ladder and I'm going to end up a CISO. If that's your goal, you're probably not

41:39 starting well. That's really helpful, thank you. I think, personally, I think one of the most

41:44 important skills to have when dealing in the IT field is the ability to deal with a set of

41:51 unknowns and not being afraid, like getting on the command line and

41:57 just knowing, like, I don't know what command to type here. I mean, even a Google search sometimes, it's like, well,

42:02 what can I put in here? I don't know what I'm allowed to do and what you're not. And just being able to

42:08 fail at that, screw that up, but try again and realize, like, okay, it's not so bad if

42:14 I mess up a command or two, and having that comfortability of knowing that you're probably

42:20 going to fail but it's okay, and knowing that you don't know what's going on and

42:25 that's okay too. I think just being able to navigate that dark and scary place, I think, is probably a very important

42:32 skill that's not talked about as much. That's true, you definitely have to be

42:38 comfortable with that. It's, you know, quite often we run into situations where we have to quickly assess a particular

42:44 threat. Like, you know, we hear, like everybody else, of things, sometimes in the news, sometimes in

42:50 closed channels, you know, like specific forums for cyber security professionals. We hear about something

42:57 and you need to go and find out whether your particular products are vulnerable,

43:02 and for me in particular, I need to find out if our products are capable of detecting and blocking that particular

43:08 threat everybody seems to be talking about, but nobody's giving you the details. So you have to get in there, you

43:14 have to figure out what application is involved, maybe try to get your hands on a copy of that application, try to

43:20 reproduce the scenario that you've barely heard about. It's relatively difficult, and you're

43:25 doing all of that under tremendous time pressures, because every day, or every

43:31 hour for that matter, that you're not up to speed on what's happening, these are potential attacks that are

43:38 going on out there, and maybe customers would be unprotected against those attacks. So, yeah, you're right, we're not

43:44 going to know everything, that's impossible. We have to be comfortable with just diving in

43:50 and getting things done. All right, Drew, I want one last question from you, and

43:55 that is, from a CISO's perspective, what are the three most critical

44:01 areas you think organizations should be focused on investing in today?

44:07 Oh, so for organizations, I think they need to be fast, right? We

44:13 talked about the aspirational goal of getting in front of the problems. We're not there yet, but we definitely

44:19 need to be working at machine speeds. Attackers are leveraging more and more

44:25 automation, more and more intelligence. You know, when you're talking about these smart phishes, a lot of these phishes are

44:30 built with AI that is studying your LinkedIn profile, your resume, your

44:36 posts on Facebook, and so on and so forth, and so super duper targeted and super effective as a result. So we've got to be

44:43 just as sharp in terms of how we respond to these things. So automation, orchestration

44:50 is a key one. I think organizations need to invest in metrics and reporting

44:55 as well. We're moving more and more into a world of "prove it," "show me," and kind of less of blind faith

45:03 and ignorance, really, where people didn't understand security enough to ask good questions. Now they're starting to

45:10 understand it and they want to see proof, they want to see evidence. And I guess part and parcel to that

45:16 one would be culture: integrity, inclusion, diversity.

45:22 I think that's really important, because it is the decisions of thousands of people that we have to really protect

45:29 against. Not all of the attacks, in fact; many of the attacks that you see in the news started with an employee making a

45:37 mistake, and so creating a culture where people recognize that they're responsible for

45:42 their decisions and their actions, and that they're supported in making good decisions, that's important. And

45:48 having that viewpoint, I talked earlier about having the hacker's viewpoint, you're not going to get a

45:55 diverse set of viewpoints if you don't have a diverse set of people in your organization. And so having people with

46:00 different backgrounds, from different cultures, with different viewpoints, is really an important step towards being

46:08 able to see problems from different angles, and the more angles we can see them from, the more likely we are to see

46:14 a solution to that problem. Wow, gentlemen, this has been illuminating to me and helpful. I hope it's been helpful to the

46:20 people listening too, and everyone, you should be following Drew and Mounir and Juniper, because these are some leaders

46:26 in the space that I'm following and picking lots of good information out of. So, guys, thanks for taking the time

46:34 with me to chat today. But I want to end by just wrapping up some of the things I've learned from this.

46:40 My biggest takeaway is that ransomware is still a major threat to businesses, which is kind of surprising to me. You

46:46 think we'd have this wrapped up and cleaned up by now, but nope. It's,

46:51 you know, criminals are incentivized and they're making money doing this, so they're just going to keep doing it as long as it's paying them.

46:57 The second takeaway is that open source software can have critical vulnerabilities, but it

47:02 just needs to be important to be able to update it if it's in your environment, and it's

47:08 in all of our environments. There's no way of hiding it anymore or avoiding it.

47:13 And the third takeaway I got out of this was, companies can improve, as

47:19 they improve their security maturity, they can implement threat

47:24 intelligence feeds, which can help them get even more eyes into what's going on in their

47:30 network. It's kind of hard to see what's actually happening there, but a threat intel feed can really help at a

47:36 certain level. And I just want to remind everyone that this conversation was recorded and it's available on demand.

47:42 As soon as this is over, you'll see it on my Twitter account, and you can also learn more about Juniper Threat Labs by visiting

47:50 threatlabs.juniper.net. And if you like this and want me to do more events like this, let me know. This is the first time,

47:56 but it doesn't need to be the last one. And, oh, one last thing: the other day I

48:01 was typing on my keyboard and out of nowhere one of the keys popped off, and

48:06 that's the story of how I lost control. All right, everyone, thanks for joining. Have

48:11 a great rest of your day. Thank you for having us. Thanks, Jack, it was great.
