メインコンテンツに移動
Background image

A Look Back: To The Point in 2021 with Eric Trexler and Rachael Lyon

Share

Podcast

About This Episode

Welcome to the end of To the Point in 2021 episode where Eric and Rachael recap highlights from guests throughout the year hitting on the key topics that dominated the headlines including Log4Shell, Sunburst, Colonial Pipeline, ransomware growth trends, the Biden Executive Order of May 12th, Zero Trust. 

They also look back on many award-winning books published in 2021 such as by NY Times’ Nicole Perlroth, Sheera Frenkel and Cecilia Kang. Finally, they share a preview of 2022 topics to come including the cryptomixing, the metaverse, Web3, and more.

Podcast

Popular Episodes

      Podcast

      A Look Back: To The Point in 2021 with Eric Trexler and Rachael Lyon

       

      [01:03] It Has Been an Incredible Year for To the Point in 2021

      Rachael: Welcome to this week's special year-end edition of To the Point podcast.

      You think about all the stuff that's happened this last year. All the amazing guests that we've had will break these things down for us, so we understand what's going on. How do you prepare for things? It's been an incredible year. Thinking about what the year ahead is going to bring is exciting and daunting all at the same time.

      Eric: We started on show 114 on January 21. And all through COVID, of course. We did 50 shows. If you average it to 40 minutes per show, it's about 2,000 minutes of content. 33 and a third hour, so somewhere north of 30 hours worth of content. I was comparing it with the different themes that we've seen over the years. Some organizations out there, companies, but also publications have done a year in reviews. What do you think the big themes are?

      Rachael: I'm going with ransomware because that's probably one of my favorite topics ever.

      Eric: Not Price is Right, Family Feud, that'd be the number one. Most people in the world would say ransomware than actually get the reference to Family Feud.

      Rachael: I love that show. Well, I think Colonial Pipeline. Of course, the executive order that the timing of those two things together was quite interesting.

      Eric: The executive order of May 12th on cybersecurity.

      Rachael: I'm going to have to throw in a little Zero Trust. I don't know if it's going to be in the top three of that Family Feud ranking, but in the top five to seven, maybe?

       

      Zero Trust Is Taking Off

      Eric: Depending on who you ask. I know in the government space, Zero Trust is really taking off. It's like AI machine learning. It’s really hard to understand even what it is, but everybody's talking about it. When I talk to my commercial counterparts and friends, they aren't seeing Zero Trust as much. I actually had a briefing.

      We were at a trade show this month, at the Doda Show in Phoenix. They said Zero Trust is this new thing. Here's what it's about. They were briefing the industry and everybody else. I was like, "Huh. Okay." So we've had Chase Cunningham, Dr. Zero Trust on the show, probably three or four times.

      Rachael: My first show when I joined the podcast was Dr. Chase Cunningham.

      Eric: He's always great, but we know Zero Trust originated around the 2010 timeframe. I'm like, "Okay. So we're missing by a decade, 10X. Let's go with it. That's fine." But Zero Trust is big. What else?

      Rachael: Everything old is new again.

      Eric: You're missing a big one.

      Rachael: Well there's that little thing that happened. Was it a slurgate or what was it called?

      Eric: It was like UNC2524. Sunburst. The other 452 names.

      Rachael: That was a big one. You know, I have to say, I really enjoyed our discussion with the SolarWinds CEO.

      Eric: Sudhakar. What a great conversation.

      Rachael: Truly a masterclass in leading through crisis and just transparency and everything he did. Of course, having Chris Krebs on, that followed our conversation many weeks later and his company.

       

      How It Came Together for To the Point in 2021

      Rachael: SolarWinds was their first client at the Kreb Stamos Group. Seeing all of that, how it came together and that Sudhakar has really been on this mission to share the information, to educate. Frankly, I was inspired because these things happen and come through as well as they have, and working with employees and the culture and communication. It makes you stronger in a lot of ways when you do it right.

      Eric: Talk about going to the source. That was episode 155, October 19th, 2021. It's about 48 minutes long. That one's more family-friendly. We're not going as deep into tech or anything. If you're driving in the car, you may pull that up if your spouse is with you or something and not be like, "Oh, here we go. Another deep, dark, cybersecurity, tech conversation we're having." To me, that was very human. That was a great show to listen to if you haven't heard it. There were a lot of them.

      Rachael: There were so many of them.

      Eric: The other one though, we had Sheera Frenkel from Facebook. I would not listen to that family-friendly style.

      Rachael: There's some bleeping out.

      Eric: The F it, Ship it with Sheera Frenkel episode 149, September 7th. I'd say check that out also. That's pretty good if you have a Facebook user or you are one.

      Rachael: Especially what's transpired since her book came out, the book with Cecilia Kang. All this came out with the whistleblower and all the things. It's such a great read and looking at both sides too, the policy side as well. It reinforces how journalists are so important.

       

      How They Tell Me the World Ends

      Rachael: It's wonderful to see the work of folks like Sheera and Cecilia and of course, Nicole Perlroth. We head on over the summer on June 8th talking about her book, This Is How They Tell Me the World Ends.

      It doesn't feel like it was that long ago. It's been so exciting to see the recognition that she's getting for that book. She recently won an award through Financial Times, recognition and it's so well deserved. That was 10 years in the making. It was just a lot of work but so insightful and presented in a way that everyone can understand. That's always our problem with security.

      A lot of times it's so dense and hard to navigate. It's like reading Log4j coverage. I needed to sit down in a quiet room and really concentrate on some of it, and I was so appreciative of Nicole. The way that she wrote these concepts, you can actually wrap your head around and understand the gravity of them.

      Eric: The journalists and the authors are always such great interviews. What Nicole and David Sanger in the crew at The New York Times are doing, they really do put it into layperson's terms. So you can understand it. I'm in the industry. I find it interesting.

      Rachael: I also wanted to call out the Editor-in-Chief of SC Media that we had on, Jill Aitoro. I love that episode and I highly encourage everyone to follow Jill's writing. Every week she's putting out these fantastic stories and breaking events, things that you absolutely need to be aware of. It's really critical reporting and every single article I save. She's just doing such great work over there as well.

       

      [09:24] The Best Part of To the Point in 2021

      Eric: The show was great. The best part was the Chris Krebs' episode, I put out on LinkedIn. I put out a comment on how to pronounce CISA. And I put a capital C, hyphen SA. C-SA, which is exactly the opposite of the way they want us to pronounce it. I remember it was like this dyslexic moment or something where I knew what I wanted to say and Jill corrected me.

      Full public forum in LinkedIn and anybody who knows me. I love that. Like, "Hey, you're wrong, fix it." It's like, "Oh, s**. I'm wrong." Oh, sorry. There we go. "I'm wrong. I'll fix it." And I did. I thank Jill and I love that. So huge respect for what Jill and the team are doing.

      Rachael: She was a two-part episode for those playing at home. So March 30th and April 6th. That was also early in my time joining the podcast this year. So I feel very fortunate. Such a great group of folks, a lot of laughs. I have to say, Greg Crabb talking about the one night in Bangkok was just awesome. And then folks like JAGS at SentinelOne. 

      It was the Moonlight maze making it into the international spy museum, a hologram and all the work that he'd done on that. I'd never even heard of that until we had him on. So all the learning and the history here that points to the things that we're seeing today and the attacks and the wild we're seeing today. Having someone who's so steeped in the history and understanding of it and being able to connect the dots, is so important as we look at how we fight this thing ahead, as well.

       

      A Long, Tough Year

      Eric: We covered all the major topics you spoke of pretty well. I'd personally give us an A and I'm a pretty tough grader. But it was a long, tough year in cybersecurity.

      Rachael: So much happening.

      Eric: In COVID 19.

      Rachael: I thought 2020 was going to be tough the first year of COVID, but To the Point in 2021 was crazy. It was like 2020 on steroids, with all the cyber activity and all the shifts we saw. Of course ending in the year with this Log4j, Log4Shell thing that apparently is going to be with us for many years ahead. We haven't even seen the decimation it could possibly cause.

      Eric: Dr. Richard Ford said it’s probably the most significant cybersecurity risk he's seen in his career.

      Rachael: Richard’s been in the industry for quite a while. I'm not going to put a number to it, but for someone of his ilk to say that with all that he's worked on in security, it's a pretty substantial statement. It definitely should cause one pause if only they really understood, the layperson, what Log4j and Log4Shell actually do and what that threat poses.

      Eric: It will not get a lot of press exactly. I asked you as director of communications and then you schooled me afterwards, that's not your title. So let's correct that formally right now. As a former director of corporate communications, external and internal. I asked you about how much play you thought the Log4Shell challenge would get. My perspective is very little, especially compared to Colonial Pipeline and SolarWinds, it's just not sexy.

      Rachael: How do you make apache open source stuff sexy? I don't know that those two necessarily go together, but that's the problem we have.

       

      What Impacts People

      Rachael: People steeped in the industry are keeping them up at night. The average person's like, "But I can still get my burger delivered. I can still watch Disney Plus on the weekend and all the Marvel movies. So I'm not really inconvenienced. "I think I'm good. I'm not going to worry about it."

      Eric: We're on a pipeline. Big one. We may not have fuel. You rush to get some fuel. That impacts people.

      Rachael: It does. Had it happened in Texas, I got to tell you when those things happen. There's people with the pickup trucks, the big pickup trucks that we have in Texas. Literally with the plastic trash cans, the 80 gallon or whatever, ginormous. They’re filling it up in the back of the pickup truck, an open trash can with gas. Then they just drive off down the freeway with the trash can. Not covered or anything, either. You just strap it in the back of a pickup with a trash can full of gas.

      Eric: But speaking of Texas, winter of '21, you had the ice storms. Now imagine if that were a cyber attack.

      Rachael: It would have failed.

      Eric: Same exact outcome.

      Rachael: The problem is, nothing changed. That's what's astounding to me. Nothing was done to fix that grid. So should something happen again, here in the next few months, I have a lot of concerns.

      Eric: I'm betting insurance rates are going to go up.

      Rachael: Will insurance cover these things? It's like cyber insurance. It's very hard to get these days.

      Eric: Did your insurance in Texas go up? I know you have two houses, Austin and Houston. Did the insurance go up on either of them as a result of the winter storms?

       

      Every Interaction With To the Point in 2021 Was Excellent

      Rachael: I've been really fortunate. I use USAA though. Shameless plug. They're amazing for anybody that can get USAA.

      Eric: They're the greatest. Do you want to talk about a customer service company?

      Rachael: Always. I've been with them for 15 plus years. Every interaction is just excellent.

      Eric: I have no idea if they're even a customer of ours. But personally, I was talking to them today. They were great. So insurance hasn't gone up. Nothing's changed. Luckily it wasn't a cyber attack. But honestly, if it were a cyber attack or just meteorological attack, it really doesn't matter. People don't have the services they need. That was all over the press. Just like Colonial Pipeline, probably the biggest press got to the president of the United States. The executive orders came out as a result of it.

      Rachael: That's the question now. Colonial Pipeline though, an impetus for other utility companies, privately owned, to make significant changes. Until it happens to you, you just keep rolling the dice. I know there's government mandates and regulations and all those things.

      Eric: The government mandates and regulations will drive the change. Do I really think there will be change though, based on what happened to Colonial Pipeline? Remember they had that posting open? I bet they still haven't filled that. Or maybe there was a brave soul.

      Rachael: We were talking about supply chains. There's the gas and the utility supply chain, which is terribly inconvenient. But we also saw, they call it tractor hackers, like JBS the meat company. You're starting to see the food supply chain, being a target of our attacker friends, not friends.

       

      [17:33] The Year Ahead

      Rachael: That's going to be an interesting one to keep track of in the year ahead, as the things that become more inconvenient and disruptive. We've only scratched the surface there.

      Eric: If somebody disrupts normal human activity, normal human behavior, especially in a first world country, a democracy, a first world country that is a democracy, that will get a lot of publication, a lot of press. And a lot of attention as we saw with Colonial Pipeline. If you have something like Log4Shell come out, I'll be predictive here or historical.

      You look at the OPM breach, which was a catastrophic breach of very sensitive information. We don't know the tangible linkage between effect and impact. I don't think that people really pull that together. We're too busy. There's too much going on. I don't think it's a major perceived issue.

      Rachael: There's too much information coming at us and too many things happening. These terrible things happen all the time. How do you focus on one? It's like prioritization. We talked about Richard Ford. You have all of these critical priorities. How do you even stack rank those when they all are seemingly equal in needing to get done and funded?

      Eric: It just goes by the wayside. So by the way, what is your new title? Just so I can correct that in public, on the air.

      Rachael: Senior director of corporate marketing now. We talked about this last year, which has been chock-full of activity and amazing guests. As we look at the year ahead and new things that we are thinking about on the horizon, we were talking about this before, this whole metaverse thing. We're going there. That and web 3, which I'm still trying to wrap my head around.

       

      The Security Challenges

      Eric: I'm going to call it web 3.0, just to date myself.

      Rachael: There's the whole second life thing that we can point to as the precursor to the metaverse. But as we look at the metaverse and as it gets stood up, let's say, it’s likely business applications will be the first ones that come to fruition. But what are the security challenges? There's commerce happening within the metaverse.

      It's likely with cryptocurrency or things like that. But it seems like it's opening this whole new universe, metaverse of potential, hotbed attacker activity. I don't know enough about it. But I would love to find a guest or two or three, who could talk to us about what that holds ahead.

      Eric: You took me back to my MBA days. We had a class and one of the projects was to projectile all the benefits, opportunities, and risks around 3G. So obviously, I'm dating myself a little bit since we now have 5G out. I spent a lot of time thinking about it, working with my group. But for me it was like, "Okay, from a society perspective, you don't get a ton of change. What changes is the velocity, the speed that you can do things."

      Obviously, cell phones have gotten faster, iPads, tablets, whatever. Anything connected via cellular is much faster as a result of 4 and 5G, LTE before that, 3G. We were on 225 back in those days when I was in school. I would say the attack surface expands. But the idea of an adversary wanting to go after treasure, looking at the opportunity and the risk level doesn't really change.

       

      The Strongest Bond for To the Point in 2021

      Eric: It's an expanded attack surface. We're doing more online. I am certainly not a web 3 expert, but it'll just be a more expansive, more open web 2.0 experience. So if we're dealing with avatars, that's a problem.

      Rachael: The whole thing we heard during COVID, you're hiring these new employees, having never met them in person. Who knows the person on Zoom is the person that you actually hired?

      Eric: But I don't think a lot will change. At the end of the day, as we're starting to get back into the office, that direct human to human connection, that social interaction that has been there since the beginning of time is still the strongest bond. I can't imagine putting on my headset, the Oculus Rift.

      We loaned it out and it never came back and I'm not getting the Oculus Rift 2. I can't imagine doing that at a dinner party with you and recording the podcast or just talking to you. Why would I do that when you're there? Now I would do it, maybe when I'm trying to blow an hour of time and do something.

      Rachael: You just had some time to kill.

      Eric: I went to a Van Gogh show where they used a VR headset. You walk through like a Van Gogh world. It was cool because it was cool. I'd rather walk through Yosemite though, without anything between me and reality, maybe that's just me. So we'll see what happens.

      Rachael: You could fall off the side of a mountain.

      Eric: Well, hopefully if you don't have a headset on, you're taking precautions. You're not going to be falling off mountains.

       

      Reality Versus Virtual Reality

      Eric: But there's also Yosemite Valley, the valley floor, you really can't fall anywhere other than onto your ass. But my point being, I'd rather deal in the real world and maybe I'm just old. I remember vividly my first trip to Yosemite. We took the kids.

      They kept comparing it to video games and they wanted to play video games. That was before iPhones and everything. They still had video games, but that's what they cared about. I'm like, "Guys, nature's all around you." Fortunately, my kids have come through that. They do appreciate nature more than video games except for the youngest one. He's still in it, but reality still beats virtual reality.

      Rachael: But for how long? That's the question.

      Eric: My gut says forever, but we will see more and more augmentation with VR, with web 3. As things like commerce become more capable, the attack surface will increase. We will have more risk and more to worry about. Remember the old days when people were afraid to do online banking? Similar concept.

      But most people do online banking at this point. Now we've got multifactor authentication, which most people use. We did learn this year that you only use it when it's convenient.

      Rachael: Don't tell people that. Now they're going to start knowing.

      Eric: The more things change, the more they will stay the same. We will still in '22 and beyond have good people and bad people in the cyber world. We’ll have an ever-growing need to protect systems and capabilities and things. But this is still life.

       

      [26:14] How Crypto Mixing Works

      Rachael: It surely is. I have to say on my wish list, additions for next year, I would love someone from one of those crypto mixing firms to come and explain to us how those work. I'm absolutely fascinated. When you think of the metaverse, is crypto mixing a function of that? Does that become the new bank? I don't know.

      But there's so many of these things that are coming online. We're hearing about more now, but it's really not clear implications, longer-term. Are they only for nefarious reasons? Do they actually have broader consumer applications as we look at currency changing?

      Eric: So let's make that happen. It's coming.
      Rachael: If you're at a crypto mixing company, we'd love to have you on. Happy to have you on anonymously, however you're comfortable. We'd love to have that conversation.

      Eric: You also wanted to get into the mind of an attacker. You wanted somebody anonymously to speak with us who had obvious credibility on what it's like to be on the other side. That would be great. I don't know how we'd pull that off but I would love to see that.

      Rachael: Someone wants to share their thoughts. I'm sure they have a lot of interesting observations of things that people aren't doing. Which are pretty obvious that keep the door open for them to walk through. I'm sure there are a lot of fun examples of how we make it easy for them.

      Eric: Drop a note if you're interested to [email protected]. Drop her a note that you're interested. Please don't remove her identity, erase anything, take all of her cash. We're all trying to just do our part here.

       

      To the Point in 2021 Went by So Fast

      Rachael: We'll give you some airtime. We'll be very excited to do so.

      Eric: I'd like to hear how the cyber executive order is transforming not just the government, but also commercial companies. We'll see a lot more. Right now, they're focused on XDR and logging and everything else. But I'd like to see how that changes things and how they weave Zero Trust into there. I'd love to see some modernization across the government. They're trying, but it's just so slow. But it was a good year. This is your first year with the show.

      Rachael: It is. It went by so fast, too.

      Eric: Glad you did it.

      Rachael: I feel fortunate. We had so many great things to talk about. We're never wanting for things to talk about.

      Eric: That's the beauty of this industry.

      Rachael: I get to talk to you every week. All these amazing guests and absolutely, I'm looking forward to next year. Bigger, badder, better.

      Eric: A lot more is coming in 2022. What we would like is more subscribers. We've got a ton, but we want more. We're always looking for more. We'd love subscriber feedback. Drop us a note on LinkedIn, subscribe, leave us feedback and comments. We're on pretty much every platform out there.

      Rachael: It's easy to find us.

      Eric: Apple Podcast, TuneIn, Stitcher, Google Podcasts, Spotify, you can get us on RSS feeds, you name it. You can go to the website and download the show.
      Rachael: You can even come to our website.

       

      Ending the COVID Marathon

      Eric: We're going to finish this COVID marathon off hopefully pretty soon. Let’s get back to business and doing what we like to do with people, with humans.

      Rachael: I don't know that COVID's going away, but we'll live with it. Isn't that the latest, the endemic thing, but we will be back in the office, at some point. It'll be hybrid. Hybrid is the way of the future.

      Eric: We'll keep making shows.

      Rachael: Maybe one in person, we'll record here in the coming weeks or months. Do you know this?

      Eric: Well, we were going to an RSA, but it just moved. So maybe we'll do June.

      Rachael: Still sales kickoff.

      Eric: We'll figure it out. We have to go and end the year on a high note. Sorry we didn't fix all of your cybersecurity problems and concerns. We'll do better next year. We will continue to strive to bring interesting and compelling content. But give us feedback, please.

      Rachael: A big thanks to all of our listeners. It's great to have you out there. We appreciate the feedback and of course greatly appreciate the subscriptions. So don't forget, if you're going to give a year-end gift to somebody, smash that subscription button. Give the gift to To the Point podcast. So until next time, next year, be safe.

      Featured Episodes