November 28, 2023

EP 40 – The Identity of Things

Today’s Trust Issues guest is Brian Contos, Chief Strategy Officer at Sevco Security. With host David Puner, Contos discusses the intricacies of securing the Internet of Things (IoT) and the challenges posed by the expanding IoT landscape – emphasizing the need for robust identity management. In a broader context, the discussion encompasses identity management, cybersecurity and the evolving role of AI in safeguarding digital assets. Contos delves into the pressing issues surrounding the security vulnerabilities of IoT, Extended IoT (XIoT) and OT devices – and explores how these vulnerabilities pose threats to consumer privacy, sensitive data and public safety. The conversation also touches on the intersections of identity security with asset intelligence and the importance of understanding the complete asset landscape in cybersecurity. We’re calling this one “The Identity of Things” … Check it out!

[00:00:00.000] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in identity security.

[00:00:23.010] – David Puner
IoT and OT devices are everywhere, from homes and offices to factories and power plants. They enable us to communicate, collaborate, automate, and optimize processes and services, but these interconnected devices are notorious for their firmware and software vulnerabilities tied back to weak credentials and inadequate identity security practices. Unaddressed IoT risks threaten consumer privacy, sensitive enterprise data, and even public safety. More than 99% of organizations expect to face an identity-related attack in the next year, and more than half of them say it will be related to their digital transformation initiatives such as cloud adoption or legacy app migration.

[00:01:12.000] – David Puner
How can we protect our IoT and OT devices from these attacks? How can we ensure that only authorized users and applications can access them, and how can we manage the complexity and scale of these devices across our networks and supply chains? Today’s guest, Brian Contos, has spent a lot of time thinking about questions like these. Brian, as you’ll hear, has done lots of things in the security space over the course of his career. He’s been a CISO and a CSO. He’s written books, he’s a podcast host. Who isn’t? He’s a security company entrepreneur, and he’s currently the Chief Strategy Officer at Sevco Security, an asset intelligence company.

[00:01:56.760] – David Puner
Befitting a guy who’s worn so many hats in the security world, Brian and I have a wide-ranging conversation that covers topics including IoT and XIoT, and how identity figures into the enormous puzzle. Here’s my conversation with Brian Contos.

[00:02:13.790] – David Puner
Brian Contos, Chief Strategy Officer at Sevco Security. Welcome to Trust Issues. How are you today?

[00:02:20.590] – Brian Contos
Hey, David. It’s great to be here. Very excited.

[00:02:23.340] – David Puner
Are you beaming to us today from San Francisco, California?

[00:02:27.120] – Brian Contos
I am. It’s not so sunny California today, but still great to be out here.

[00:02:32.820] – David Puner
Great. Well, thank you for joining us. By way of background, you’ve been in the security space for over 25 years. Among other things, you’re an entrepreneur, author, and podcaster. We will talk a little bit about the podcast in a bit, but to start things off, how did you get into the cybersecurity business and what’s the ride been from that entry point until now?

[00:02:56.650] – Brian Contos
Well, it’s been a great ride. It’s a fantastic industry, and I’m very blessed to have joined it when I did back in the very late 1990s. I was actually in college and I got recruited to work for DISA, the Defense Information Systems Agency. Very quickly I just got thrown into it. I was into security and hacking, leading up into that. I was actually part of a couple of hacker groups. We called ourselves HACKS, the Hardware and Computer Knowledge Society. Weren’t really hackers.

[00:03:26.720] – David Puner
That was a college club you were in?

[00:03:27.910] – Brian Contos
That was a college club, yeah. That led to that first job. After I graduated from college, I moved to São Paulo, Brazil, and I took a job with Bell Labs and got to work all throughout Latin America for a few years. I didn’t speak Portuguese. I didn’t speak Spanish. It was completely not the right fit, but it was the best time. It was a great way to learn the industry and just grow up, basically.

[00:03:54.480] – Brian Contos
After that, I really just started getting into startups. I got approached by Amit Yoran, Grant Geyer and Tim Belcher, really luminaries in the industry that said, “Hey, we’re going to start this MSSP called Riptech. Do you want to be part of it?” I’m like, “Sure, why not?” I moved from Brazil back to California. We built up Riptech. It was great. It was one of the first MSSPs. We eventually sold it to Symantec.

[00:04:19.010] – Brian Contos
After we did that, I joined this very small company in the back of what looked like a dentist office in Sunnyvale, California. No customers, no real product, no revenue. It was called ArcSight. We built up ArcSight, took that public. We sold it to HP. At that point, I had the bug. I was like, “This is all I want to do now for the rest of my career.” I wrote a couple of books-

[00:04:42.370] – David Puner
I’m picturing the office from Better Call Saul when that started. Is that accurate?

[00:04:46.750] – Brian Contos
Yeah, with the huge desk where you can’t open the door. It probably wasn’t too much better than that behind a nail salon. I met a lot of great people. I was there for about seven years through that process, and I wrote some books and built up my career. I became a CISO before we went public and before we sold, but then after that, I just kept it rolling. I joined Imperva, then McAfee Labs. I ran emerging markets for McAfee Labs, so I went to 50 countries in one year, which was nuts. I don’t suggest that. Solera Networks. Then my last company was Verodin. We sold Verodin to Mandiant and then to Google.

[00:05:31.920] – Brian Contos
Actually, a lot of the same people I did that company with, we had built ArcSight together. Through the years, I stay with a very similar group. Then, as you mentioned earlier, I’m on the board of a company called Phosphorus, which is an XIoT or IoT security company. I’m currently the Chief Strategy Officer with Sevco, which is an asset intelligence company. That’s the nickel tour.

[00:05:54.310] – David Puner
Great. Thank you. That was an excellent tour. I’m going to look forward to asking you a little bit about XIoT in a moment, but first, what was being a CISO back in 2005, 2008 like compared to the current-day CISO role?

[00:06:15.450] – Brian Contos
It was interesting. There were some of the backend operational components that you might expect any CISO to have regarding security and governance, although things like PCI and Sarbanes-Oxley and HIPAA weren’t as common. Some of those weren’t even quite around at that point. They were just starting to come to be, but a lot of what I was doing, and it was very similar to what I do today, which is being on the front line, working with other CISOs, working with other security leaders in the field, understanding what their points of pain are, and sharing their stories with other CISOs and just collecting these stories and these best practices and lessons learned and what worked and what really, really didn’t work.

[00:06:59.130] – Brian Contos
Then not only trying to fold that into the company I was with, like ArcSight, for example, to make sure we have a better solution, but also what I did operationally. How can we make our organization more secure? It’s very interesting. It’s almost like being a CISO, but at the same time, you’re always working with other CISOs to figure out how to improve and get better, which is a unique situation because CISOs go to events and they have different groups and they get to interact.

[00:07:24.810] – Brian Contos
That was actually part of my job that I had to do that. It was a very fun process and a very interesting way to learn the roles and responsibility of what a CISO is by working with some of the best CISOs in the industry every day.

[00:07:38.150] – David Puner
Really interesting. In your current role as Chief Strategy Officer at Sevco Security, one of the things that you’re focused on is asset intelligence. What is that and why is it important now?

[00:07:51.520] – Brian Contos
It’s such a loaded term. It’s like cloud security or AI. It could mean a million things to a million different people. The way I like to talk about asset intel is, think of it in four dimensions: length, breadth, height, and time. When I say length, what I’m talking about are asset types. This is really important because these are, of course, a laptop is an asset or a virtual machine, but so is a vulnerability, so is an application, so is a user. Identity is really an important part of that. That’s length, the asset types.

[00:08:25.610] – Brian Contos
Breadth are the locations. I care about stuff that’s on-prem. I care about stuff that’s in our data center. I care about if it’s in the cloud, someone’s using it from home, or someone’s at Starbucks, so asset location. All my types, all my locations.

[00:08:39.410] – Brian Contos
Then we get into height. Height is where it gets really interesting when we’re talking about asset intel because what it really comes down to is what we call presence and state. I want to know if CrowdStrike is there. I want to know that Automox is there. I want to know that I have an identity management solution there. It’s important to know the presence of the security controls, but it’s equally important to know the state.

[00:09:03.000] – Brian Contos
Well, that CrowdStrike is N-2. It’s a couple of versions too old, or Automox hasn’t communicated with the management console for this device in over six months, or this user shows up in Microsoft Active Directory, but we also show them as the administrator on these 50 other machines that we’re not sure they should be the administrator on. All these little sticky bits that connect that, that’s the correlation. It’s a bit like SIEM was to events and logs as asset intelligence is to assets. It’s collection and correlation.

[00:09:37.950] – Brian Contos
The final piece is time. Of course, I want real-time information. I want to know that David was on 10.1.1.1 yesterday, and that device has these security controls, has these vulnerabilities. I also want to know that, well, who was on that device three months ago? Because of DHCP, it might not have been David, it might have been somebody else. I need to know all that relevant information.

[00:10:01.580] – Brian Contos
Again, I think of asset intelligence in four dimensions: length, breadth, height, and time. All your asset types, your locations, the details, and the real-time and historical data. That’s what I mean by that. That’s what Sevco focuses on in terms of asset intelligence for our customers.

[00:10:17.430] – David Puner
Based on your explanation there, it seems that it is intrinsically entwined with identity.

[00:10:24.810] – Brian Contos
Oh, gosh, so much so. Again, when you talk about assets to people, I think we all default to it’s a thing, it’s a laptop, it’s a server. Maybe some people today would think of it’s a cloud asset or virtual machine. Yes, it is. They’re absolutely right, but identity is so much a piece of that. Identity management solutions, privileged access management solutions like PAM, tools like CyberArk, for example, anything in that realm, even Microsoft Active Directory and other directory-type services, those are just a wealth of data about users. If you’re just looking at device information without user information, you’re missing a huge piece of the puzzle.

[00:11:04.300] – Brian Contos
It’s hard to do critical analysis and do any type of correlation, anomaly detection, pattern discovery, temporal or volumetric analysis if you don’t have identity as a piece of that asset puzzle. One hundred percent, all day long, every day of the week, identity has to be a critical piece of your asset intelligence solution, or else you’re simply not looking at the entire puzzle.

[00:11:28.220] – David Puner
What is XIoT, and how does it pose identity security challenges?

[00:11:34.560] – Brian Contos
Just like asset intelligence, there’s another loaded term. What’s all this mean? XIoT stands for-

[00:11:42.340] – David Puner
Extreme IoT?

[00:11:44.140] – Brian Contos
Yeah, extreme. It should be extreme. It’s the extended internet of things. There’s really three categories, and they’re pretty simple categories, and I think they’re pretty intuitive. The first one is what we generally think about when we think about enterprise IoT: digital door lock, a voice-over-IP phone, a security camera, a printer, all of these things that aren’t what we would consider traditional computers.

[00:12:08.870] – Brian Contos
At the end of the day, they’re all running Linux, or most of the time they’re running Linux Ubuntu, or they’re running BusyBox or Android, which is just a Linux derivative. They’re little Linux servers running around. We find that most organizations have somewhere between about three to five per employee. A 10,000-person company has between 30,000-50,000 XIoT devices, or about twice as many as they think. It’s always about twice as many as they think they’re going to have. That’s enterprise.

[00:12:40.070] – Brian Contos
Then the other part of XIoT, these are network devices: your wireless access point, your network-attached storage, your load balancers, your switches. Again, these are purpose-built devices. Those usually run BSD for their operating system.

[00:12:56.350] – Brian Contos
Then the final one, and this is a little bit more specialized because not all organizations have these. A lot of organizations in oil and gas, power and energy, transportation, water, and many other what we call critical infrastructure groups have OT devices or SCADA devices, some people call them. These are PLCs, programmable logic controllers, for example. These are essentially digital assets that control physics.

[00:13:20.170] – Brian Contos
A device that’s running a real-time operating system like VxWorks, it’s going to control flow or voltage or pressure, and it’s used in batch manufacturing or discrete manufacturing or agriculture. They’re doing these very specific things. Again, they’re purpose-built.

[00:13:35.540] – Brian Contos
What all these things have in common, from this device controlling a dam to your wireless access point to a printer, is that they’re purpose-built firmware and hardware. A printer is usually not a camera, and a camera is usually not a digital door lock. They’re purpose-built. They’re network-connected almost always, I would say probably over 99% of the time, even in the OT world, even the old monolithic stuff that was around before the internet has been retrofitted. A lot of them are running protocols like DNP3 or Modbus or Serial over Ethernet in addition to TCP.

[00:14:13.760] – David Puner
What would be an example of one of those monolithic devices?

[00:14:18.680] – Brian Contos
Something that might be controlling the Hoover Dam, for example. These are very specialized devices, and they work really well. A lot of the times they’re quite old. They’re running Windows NT 4.0, which has been end of life for, what, 15 years. I actually see that in the field.

[00:14:36.410] – Brian Contos
The last thing that they have in common, in addition to being network-connected, purpose-built hardware and software, is they cannot run traditional endpoint security. There’s no CrowdStrike or Cylance or McAfee running on these tools. There’s no local firewall or IPS. There’s no anti-ransomware solutions. They’re just there. They’re little Linux servers, and there’s a lot of them.

[00:14:58.560] – Brian Contos
It’s an extremely target-rich environment for attackers, both cyber criminals and nation-states, to go after these devices. Oftentimes it’s not to go after the device for the sake of the device, although sometimes that is the case, especially if they want to spy on you through a camera or unlock a door. But it’s using those devices to then pivot to IT assets to maintain persistence, to evade detection, to exfiltrate data, and maintain persistence really well because people generally aren’t monitoring, and they’re certainly not securing these XIoT devices.

[00:15:33.530] – Brian Contos
That’s what Phosphorus really focused on, which is discovering these devices and then securing them, rotating passwords, patching them, hardening them, managing those certificates. It’s a really great technology. I’m very happy to be on the board there. It’s also very complementary to what Sevco does in terms of asset intelligence because guess what? XIoT is another asset type, just like an identity, just like a laptop, just like a virtual machine.

[00:16:03.650] – David Puner
It sounds like you’re talking about thousands upon thousands of potential IoT-connected Achilles’ heels of some sort.

[00:16:12.620] – Brian Contos
So much so. I hate throwing stats out because by themselves, they don’t generally mean too much, but I can tell you this. At Phosphorus, we’ve analyzed millions and millions of devices across multiple geographies, multiple industries, multiple device types. In general, what we find is 50% of all the devices are running default passwords, XIoT devices. Go back to my other statement that there’s about three to five per employee.

[00:16:38.830] – Brian Contos
I’ve got a company with 10,000 people. I’ve got 50,000 XIoT devices. Again, remember, these are just little Linux servers most of the time. I’ve got 25,000 Linux servers that had a default password that will take me all of three seconds to Google to figure out what that password is. The other 50%, the password might have been changed at the time it was installed, where somebody showed up with a ladder and a drill and mounted a camera to a wall. Nobody ever fixed it. The other part is they’re all running end-of-life firmware. Same reason with the passwords, nobody ever updates or patches them.

[00:17:15.090] – Brian Contos
If you’ve got 25% of all your devices that are end of life, what’s that come with? Vulnerabilities. About 70% of these devices, 70% are rated at level eight, nine, or 10 CVSS scores, which is the highest level of risk. Generally what eight, nine, and 10 means is a remote attacker with little to no skill can take control of that device remotely and get administrative access.

[00:17:43.270] – Brian Contos
Again, if you think about these being little Linux servers, they have all the same capabilities. You can upload data, you can download data, you can use it to access other systems on the network, you can make API calls. It’s a massive risk. The bad guys know it. They’re like, “Well, why should we waste our time hacking laptops and servers and this or that when there’s 25,000 devices that you’re not even watching that we can get on and then use that to get into all your other assets?” That’s a big problem, and that’s certainly one of the things that Phosphorus is solving.

[00:18:15.110] – Brian Contos
Then if you mesh what Phosphorus does with what Sevco does, now you’re not just looking at XIoT, but you’re looking at the entirety of all your asset types, and again, bringing it back, which also includes all your identity management solutions as well because identity is just as important to that equation as it is for non-XIoT assets.

[00:18:34.310] – David Puner
To switch over to building security startups, which you’ve been involved in, as you had mentioned earlier on in the conversation, and taking multiple companies through IPOs and acquisitions, what are some of the common security considerations when companies go public or merge?

[00:18:53.900] – Brian Contos
There’s so much that has to be done. In fact, I’ve worked with companies that are very large, not for these companies, but I’ve worked with them and their security solutions. They tell me sometimes they acquire companies at a rate of two or three a month. They might not be massive companies they acquire, but you see a lot of that in the tech space. You see it in retail, you see it in manufacturing. There’s a lot of that going on.

[00:19:18.740] – Brian Contos
Some of the things that you really have to look at during these types of acquisitions are: first of all, you’re going to do an inventory of what types of critical assets we have. I’m talking about this from the perspective of just a security practitioner. Of course, there’s lots of other things to consider, but if this group has Check Point firewalls and this group has Palo Alto and this group has Cylance and this group has CrowdStrike, you have to inventory all this information to find out what you have and how it’s protected.

[00:19:50.320] – Brian Contos
Well, the problem that we notice in most organizations is, chances are they don’t really have their hands around this. They’re not really sure how many devices they have. They know that they bought 10,000 licenses of a certain product, and they know they have that installed some place. If you log on to CrowdStrike, it will tell you what CrowdStrike is protecting.

[00:20:09.350] – Brian Contos
CrowdStrike doesn’t know about Active Directory. Active Directory doesn’t know about CrowdStrike. They don’t know about Auto [inaudible 00:20:14]. They don’t know about their PAM or identity solution.

[00:20:19.020] – Brian Contos
In a lot of these cases, when you’re going through these acquisitions, these mergers, a big part of it is considering we have to figure out what we’ve got. We have to figure out how it’s secured. What have we paid for? Are there any type of financial gains we can have by combining our licenses or moving what you have over to us? That’s a big problem because at the beginning of this process, nobody knows anything. They simply just don’t know what they have.

[00:20:43.930] – Brian Contos
Even the acquiring company, generally speaking, doesn’t really have a good grasp of this. All that to say this, a lot of this boils down to simply understanding what’s in your environment and being able to instrument that. If you are going through acquisitions of other companies, you can quickly ascertain what they have and how will that fold into your equation. It seems like a very simple idea and a very basic concept, but this equates to months and months of manual labor.

[00:21:09.080] – Brian Contos
It could equate to millions and millions of dollars. It could equate to delays in the organizations actually merging and being effective. That’s just one of probably thousands of little checkboxes you have to look at, but it’s something that I see time and time again. At the end of the day, people simply don’t know what they have and they really don’t know how it’s secured.

[00:21:26.890] – David Puner
At the end of the day, is determining what they have helpful in heightening security in this merger process, maybe inadvertently?

[00:21:37.350] – Brian Contos
It is. When you’re talking about security… I’ll just use an example. Take CIS. You’ve got the CIS standards and there’s NIST standards and you’ve got PCI and you’ve got all these different regulations and mandates out there. Almost all of them, the very first items that they mention you have to do when you do security, it always defaults to the same thing. Know what you have, know what’s deployed, where it is, what it’s running. Do I have 100 devices or 1,000? Do I have 2,000 licenses of EDR? If I do, how have they been deployed? It’s really just having that initial inventory.

[00:22:19.690] – Brian Contos
The Center for Internet Security, I mentioned CIS earlier, step one and step two of their framework is specifically about hardware and software inventory. It couldn’t be clearer. If you look at PCI, PCI does the same thing, asset inventory, asset management, visibility into what you have, or from an IT perspective, it’s called observability, same thing. It’s all about knowing what you have.

[00:22:44.580] – Brian Contos
Once you know what you have, then you can take those next steps to incident prevention, incident detection, incident response, alerting, all these other types of things that you care about. You can’t really do any of those effectively unless you really know what you have. Again, it’s the most intuitive thing in the world, but to execute on that intuition historically has been really challenging, especially to do it at scale in an automated way, in a way that considers today’s very ethereal devices like cloud assets that might get spun up and spun down every few hours.

[00:23:19.680] – Brian Contos
It’s a dynamic world and it’s a dynamic issue, but it’s something that if you can get in front of, it makes everything else you do in security that much better. Not just in security, but ITOps as well as GRC.

[00:23:31.680] – David Puner
Once we’re past the mergers and the acquisitions, how hard is it for businesses who are committed to security to not let security protocols impact the efficiency of their businesses?

[00:23:42.400] – Brian Contos
That’s another one. You might be in a situation where the company you acquired has a far stricter security posture. It’s much more security savvy than the acquiring company, and trying to determine what can we do to affect the goal. Usually the mission of a bank isn’t generally to be the most secure bank in the world. The mission of a hospital isn’t supposed to be the most secure hospital in the world. These might be things they’re concerned about, but it’s not their business mission. Security becomes a little bit secondary.

[00:24:12.870] – Brian Contos
Take a hospital, for example. They’re just great examples, healthcare providers. They generally don’t have massive budgets juxtaposed to what you might see in a government agency or a financial services company. They’re doing a lot of things. They have the same risk, but they have a smaller staff. Every dollar that they’re putting into security is a dollar they can’t put into a new MRI machine, a PA, a doctor, whatever the case might be. They have to be very careful.

[00:24:42.070] – Brian Contos
A lot of these healthcare providers start off on a negative because they’re not allowed to refuse care. They’re usually starting as a deficit because if somebody comes in hurt, of course, they have to help them regardless, and they may or may not get paid for that, but it’s the right thing to do. They start from this negative balance. Not the case in a bank. You can’t usually go to a bank and withdraw money, at least legally, unless you have money to withdraw. Healthcare providers are a little bit different.

[00:25:07.910] – Brian Contos
It’s actually taking a step back from the technology and looking at what the business mission is, and understanding how can security actually be an enabler to what that business mission is? That’s sometimes a contrarian thing to think about because a lot of people historically have thought about security as the Department of No. All they do is try to stop things and they have to be paranoid. There’s some of that for sure.

[00:25:33.090] – Brian Contos
Security can actually be an enabler. If security is very highly operationalized and it’s effective, then you can actually do things more quickly. You can more quickly embrace that merger and acquisition. You can more quickly release that application to your customers. You can more quickly add people to a new environment that’s going to be far more effective for their patients to leverage, whatever the case might be.

[00:25:58.620] – Brian Contos
In these environments, again, we were talking about XIoT earlier, there’s a ton of those XIoT devices in these environments. There’s a ton of IT devices. There’s proprietary devices that have to just be managed through a license with an MRI company, a vendor that says, “Oh, don’t touch this. Don’t patch it. Don’t secure it. You’re paying us $30,000 a year to take care of it. We’re not going to patch it either, but if you try to do it, it’s going to break the warranty.” You have all these considerations to take care of.

[00:26:26.920] – Brian Contos
I would say step out of the tech bit for a while. Step back and say, what are we actually trying to do? What are our short, mid, and long-term goals, and how can security act as an enabler for that? Still, you need to worry about ransomware and all the bad things that all the bad people want to do to you, of course, but you can also take the time to be a little bit more strategic and plan ahead.

[00:26:50.640] – Brian Contos
That’s really what these things are about. Just don’t have your security teams tactically fighting fires all day long. Have enough resources in place where some folks can be thinking long-term and strategically, and then enabling your organization to be more effective and more efficient. That’s really what security should really strive to be, is an enabler for the company.

[00:27:11.640] – David Puner
Beyond strategic, are there any particular characteristics of the leaders or companies or industries that are doing all of this particularly well?

[00:27:21.490] – Brian Contos
It’s sad to say this, but it’s actually the case that it’s individuals and organizations that have been through the wringer. If they’ve gotten hit by ransomware, if an entire security team has been let go because of an incident that occurred that they got blamed for, once you’ve been through something like that and you’ve got the battle scars, your next time around, you don’t let those things happen.

[00:27:47.310] – Brian Contos
The organizations that I see that are actually pretty much on the cutting edge are organizations that had to learn some hard lessons at some point. I wish we would all be able to learn from other people and say, “Okay, this bad thing happened to them. Let’s make sure that doesn’t happen to us.” I don’t think that’s how humans work. I think bad things happen to us, and then we learn as opposed to learning from other people’s mistakes. Go through the war, get the scars, you’ll probably be better off for it the next time around.

[00:28:16.350] – David Puner
As someone who’s business-minded as well as security-focused, how do you look at the balance between security and efficiency or productivity?

[00:28:25.010] – Brian Contos
I think that was definitely the case a couple of decades ago. You had to jump through all these hoops to get things done, but today the efficiencies aren’t too bad. Let’s just take something very simple, passwords. In the old days, people would just… If the device even required a password, they’d write it down on a sticky note, or they’d use that same password everywhere.

[00:28:44.710] – Brian Contos
They’re using it for their bank, they’re using it on their laptop, they’re using it for their kids’ accounts for some games, whatever the case might be. Very bad practices. There certainly weren’t uppercase, lowercase, special characters, and numbers. They were password, maybe password with one.

[00:29:00.920] – David Puner
Password 1.

[00:29:03.960] – Brian Contos
Now you fast forward to today, we still have passwords, but we have multifactor authentication. I don’t even know what my password is on so many of my solutions because I use a password manager, and it’s some crazy 50-character nonsense. If somebody came up to me with a gun and said, “What’s your password to your Gmail account?” I literally have no idea.

[00:29:27.120] – Brian Contos
Furthermore, if I’m using that, I don’t even know the password, and then maybe I have an app or a text message that will say, “Just authenticate. Type in this five-digit or six-digit code that comes across.” That has put us so far ahead of where we were 20 years ago, and it’s something so basic, and I think it’s easy.

[00:29:48.360] – Brian Contos
I don’t think it’s a lot of extra work for people to take these steps to make sure they’re using a password manager, they’re using multifactor authentication. It adds maybe a couple of seconds more to your process, but it also streamlines the process and makes it a little bit better. Now, we can expand beyond that. That’s a very simple example. That’s a user-consumer perspective.

[00:30:09.450] – Brian Contos
If we look at automation, automation really has changed a lot of what we do for network security as well. Back in the day, your SIEM, your security information and event management solution, would collect log data and event information, some human would correlate it and run some rules and get a result and respond.

[00:30:28.250] – Brian Contos
Well, nowadays that still happens. The SIEM will collect it, but in an automated way, it might be tied into an incident response system like a SOAR solution. That SOAR solution can automatically or semi-automatically respond. It can say, “Hey, we’ve got to block this user, or we’ve got to take this device off the network, or make some type of change.”

[00:30:47.320] – Brian Contos
With these solutions, if you want to block a user, if you want to take a device off the network, if you want to leverage a network access control solution to segment them or whatever the case may be, a lot of this now is completely automated. You can automate these things based on a lot of logic, and even AI now is starting to be tied into these things. The bad guys are using it as well, but so are the good guys.

[00:31:16.000] – Brian Contos
It’s a nice situation where we talk about security being the land of no and being this thing that inhibits productivity. I’d actually argue today, in most cases, if you’re leveraging automation and you’re doing it well, and you’ve taken all those other steps we talked about earlier, it can actually be highly effective. It can make the experience for your users better. It’ll be improved. They’ll be more secure.

[00:31:39.830] – Brian Contos
At the same time, the way they go about doing business will be much simpler. Single sign-on, for example. I don’t have to have all these credentials. It’s another very simple example. Again, I do feel like we’ve passed that bump now where security is actually enabling and not just slowing things down.

[00:31:59.390] – David Puner
To hook on to AI, which you just mentioned, generative AI, of course, is a subject that’s been getting tons of attention this year. As we steamroll into 2024, when this episode comes out, probably it’ll be the end of November, beginning of December, what stands out to you about 2023 and cybersecurity and identity security? What surprised you? Where do you think we’re heading as far as trends or any predictions you may have for 2024?

[00:32:29.710] – Brian Contos
It’s always an arms race between the people defending the network and the people trying to attack it. That network, I’m using that as a very broad term, could be the cloud, could just be someone’s laptop. AI is giving the advantage to both groups. Who’s going to embrace it more quickly and which tools are going to be available to them to leverage? Again, part of that arms race, which has always happened in security. I think AI is just going to add a little bit more fire to that or a lot more fire, potentially.

[00:33:02.260] – Brian Contos
Some of the things that I thought we would have solved, to be honest, by now are basic blocking and tackling. As we talked about before, asset intelligence, being able to know about and secure all of the devices within my environment, being able to mitigate ransomware, stop phishing attacks. These are all things that are still happening. They’ve been happening for several years, and they’re probably going to continue happening in the years to come.

[00:33:29.480] – Brian Contos
The problem with AI is, I think, cybercriminals, nation states, sometimes they’re the same people. Cybercriminals by day, nation-state actor by night. They’re going to have these advanced tools, sometimes nation-state funded, military-grade tools to leverage all those same attacks that we’ve talked about before, the phishing scams and malware distribution and black hat search engine optimization and DDoS and ransomware, all these things we’ve been talking about forever, but now they’re taking advantage of AI.

[00:34:00.670] – Brian Contos
I think in particular, the phishing scams are going to get a lot better. I think people are able to deepfake this conversation very cheaply and at very high quality. Maybe I’m not even who you think I am at this point, those types of things.

[00:34:14.590] – David Puner
Are you?

[00:34:15.520] – Brian Contos
I don’t know.

[00:34:16.830] – David Puner
Okay.

[00:34:17.520] – Brian Contos
Who knows?

[00:34:19.470] – David Puner
Because if I’m proving who I am by solving 2 times 1, and that’s enough to say, “Okay, you’re a human being.” When it gets a lot more complicated with these really, really realistic deepfakes and AI, other replications of voice and whatnot, how is that going to be possible to prove who you are?

[00:34:41.980] – Brian Contos
Once AI is smart enough to read a CAPTCHA or look at these eight grids and tell me which ones have a stop sign in them. I don’t think we’re that far. I think AI is going to get pretty fast pretty quickly. Actually, there was a study that I read where they enabled an AI to basically try to bypass some CAPTCHAs. What it did was it actually signed up for a service telling people that it had a disability and said, “Hey, can you read this for me? I’m unable to process this.” They said, “Absolutely.” It learned how to be a little bit evil, which was interesting. I think at that point you have to unplug it.

[00:35:20.660] – David Puner
Yeah, good luck with that.

[00:35:21.870] – Brian Contos
You hear about all these little stories that are happening with AI and we’re not 100% sure how it figured it out, but all I can say is this. I go to the same security conferences, probably a lot of your listeners do, and walk any floor and the buzz is all about AI. It’s all AI and ML. I can guarantee you on the other side of that, if you’re on the dark web and you’re a cybercriminal, you’re looking for tools and you’re looking for ways to compromise organizations and extract value, those same conversations are happening. Again, it’s that arms race.

[00:35:59.470] – Brian Contos
Well, I think we’re going to be experiencing all the same things we have over the last decade or more. Now we’re going to see AI injected into this, which means that the security vendors and the solutions are going to have to be able to mature to mitigate that. Because the threats that we’re going to experience over the next three years, we haven’t really fully grasped what they’re going to be yet because we haven’t started to see them in the wild.

[00:36:21.370] – Brian Contos
There are some proactive steps being taken to say what we think might happen, but we can’t predict everything. I think we’re going to be… There’s going to be some interesting things that occur. Hopefully, again, the security vendors are able to embrace AI in a quicker and more holistic way than the attackers will to mitigate those threats, knock on wood. Let’s hope that that’s what happens.

[00:36:44.080] – David Puner
A way to keep your finger on the pulse of those trends, of course, to continue to listen to Trust Issues in 2024, but also the IoT Security Podcast, which you’re the co-host of and is powered by Phosphorus Cybersecurity. How is that going? Where can people find it? How does hosting a podcast measure up to other things you’ve done, like being a CISO or a chief security officer?

[00:37:11.550] – Brian Contos
Well, first of all, you can find the X-IoT Security Podcast on all your favorite podcatchers, so Spotify, Apple, Google. Also, you can just go to phosphorus.io and you can see the full listing. It’s a podcast that I co-host with John Vecchi, who’s absolutely amazing. It’s really a great experience because, again, pretty much my entire career has been, at least partially, customer-facing. In the field, working with people, hearing what’s working, what’s not, their points of pain.

[00:37:44.120] – Brian Contos
This is a great way to do that in a new medium and getting out to more individuals. Maybe not everybody can come to RSA or Black Hat to hear me give a talk, but anybody can download a podcast and go, “Oh, that sounds like an interesting topic,” or, “That’s a great guest. I’d love to hear about that.” We’ve had some really interesting guests over the years.

[00:38:01.910] – David Puner
Well, I know. CyberArk’s resident transhuman. You had him on recently.

[00:38:05.840] – Brian Contos
Yeah, that’s a great example. Here’s a person who has a body filled with little computers, essentially, to help him do everything from start his car and unlock doors to pay at credit card machines. Probably since we last spoke, he’s got some more. That’s an area that’s really interesting because now people are becoming IoT devices.

[00:38:31.700] – Brian Contos
Right now, we’re definitely at the frontier days of this. There are special use cases, and it’s hard to find somebody to actually do some of these because sometimes it has to actually be done by a doctor, but in some cases, it’s done by people that do piercing, so which one requires which. I guess it’s not very well regulated, is the best way to say it. [crosstalk 00:38:53].

[00:38:53.430] – David Puner
Len is a pioneer, that is for sure.

[00:38:56.210] – Brian Contos
Yeah, he’s a pioneer, but I can see as this evolves, somebody has something to… It’s a bionic-man idea. I can see better, I can hear better, I can jump higher, I can run faster. Who knows what type of augmentation we’re going to have in the future? We’ve got that happening and robotics and AI, and all these things are coming together at the same time.

[00:39:20.180] – Brian Contos
Our conversation 10 years from now might be completely different, living in a completely different world. After talking to Len, I’m hoping it won’t be dystopian because I always think of Blade Runner when I talk to Len. Let’s hope that that’s not the case, and we mature as a society and we’re able to handle this technology. Because right now, our technology is outpacing our ability to handle it by a couple of ticks.

[00:39:48.420] – David Puner
Brian Contos, thank you so much for coming on to Trust Issues. Really appreciate it. Really great stuff and look forward to catching up with you again sometime down the road.

[00:39:57.920] – Brian Contos
Thanks so much, David. It’s great being on the show.

[00:40:08.580] – David Puner
Thanks for listening to Trust Issues. If you like this episode, please check out our back catalog for more conversations with cyber defenders and protectors. Don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. Let’s see. Oh, drop us a line if you feel so inclined. Questions, comments, suggestions, which, come to think of it, are comments. Our email address is [email protected]. See you next time.