Time for the Cyber Walls to Come Down with Eric Trexler

About This Episode

This week we welcome back to the podcast former co-host Eric Trexler, Senior Vice President, U.S. Public Sector at Palo Alto Networks. We examine some hot security topics for the year ahead, including the growing prevalence of AI/ML automation used for preventative security and the continued evolution and impact of ransomware. (Did you know the average dwell time is 28 days?!)

Eric also discusses the increasing adoption of people/process/technology approaches, industry consolidation, state and local cybergrants coming online and the opportunities those open up, Zero Trust pros and cons, attack surface management and what’s been learned about cyberwarfare from the Ukraine conflict.

      [00:27] Hot Security Topics on People’s Mind

      Rachael: I'm Rachael Lyon here with my former co-host Eric Trexler, who's now Senior Vice President of US Public Sector at Palo Alto Networks.

      Eric: I've really missed the show and you and the former hurt.

      Rachael: I know. We miss you too. You're welcome anytime, of course. Petko and I love having you on. And I'm sad that Petko couldn't make it this time. He's on vacation. But I think we're going to have a nice little chat, a little walk down memory lane and all the good things.

      Eric: And you had some amazing shows. I listened to the one most recently, actually. I guess, it was a little while ago, with Maria Roat. I've listened to a few since then. It was a phenomenal interview. I was so envious that I wasn't there for that show. Maria's great. Just the human component that she brought, you pulled out of her, that was a great interview.

      Rachael: I really enjoyed having her on. I would love to have her back. We've been talking about that because there's just so much to dig into, too. With her career and just so many great discussions still to be had.

      I think now that we're at the end of '22 going into 2023, there's just so much on people's minds, Eric. I think this looming recession thing is having people thinking about, is it going to happen? How long is it going to last? And for those in the industry, you hear a lot of talk about cyber is a very resilient industry.

      The Real Problem We Need to Look At

      Rachael: But for the companies that are facing recession and security with skills gaps, talent shortages, and having to make the most with less, there's a lot for them to have to think through how they navigate ahead, Eric.

      Eric: And I think one of the things we've talked about a ton together on the show was the workforce and how many people are available. I think there are still over 500,000 jobs in America alone. (ISC)² did a report. I don't have it in front of me, but I think it was 4.7 million jobs out there. Shortage of 3.4 million today. So I don't think any coming economic downturn, whether it's a formal recession or not, is going to break cybersecurity's workforce challenges or address them. Fix them maybe is the better way to look at it.

      I think it's going to be a real problem for a long time. And I think it's something we really need to look at because as the economy turns, I think we will see more adversarial activity turn to mechanisms to more easily pull cash out of free economies. I think you've been talking for a couple of years now about the loss of the risk and the downside and the loss being the third largest economy in the world behind the US and China. What was it? $3.5 trillion, I think, is your data stat.

      Rachael: Currently. And then I think in the next few years, it'll be something like 7 or 10. It's astounding how fast it's going to grow.

      Eric: Yes, those are the losses.

      The Adversary Is Incentivized

      Rachael: That's straight-up cost and losses. And I was reading this article in Venture Beat. But during the last recession, the FBI reported there was a 22% increase in online crime between 2008 and 2009. As we know, cyber criminals love to take advantage of crises or moments and times. So there's a lot of likely incentivization.

      Eric: No, they're incentivized. The adversary is incentivized. The crazy part of cyber is if you can't find a job where you live, you can get on your computer. You can go to the library's computer or an internet cafe. And you can reach into somebody else's town or a village or company and monetize some assets. I think we're seeing that with the increase in ransomware. I think it would be foolish to suggest that ransomware will decline at some point in the foreseeable future. We're going to continue to see bad people try to monetize. That's the sad part of the industry. And we don't have enough people, as we've said on this show for years. I think it's been five years, and obviously, the problem began before the show started. But yes, we don't have enough people.

      Rachael: At all. And you know ransomware is one of my favorite topics.

      Eric: It is.

      Rachael: And I was looking at some stats before we got on the call. Kaspersky reported that targeted ransomware attacks almost doubled in the first 10 months of this year compared with the same period of '21.

      Why Schools Are Always Hit by Attacks

      Rachael: And I keep reading. And now that you're in the US public sector and state and local, I'm curious, why the schools? School after school after school are getting hit with these attacks. Is it just because they're easy pickings and they're going to pay?

      Eric: Yes, they're easy. And why not? So we have a group. And I promise not to make this a sales play. But we have a team called Unit 42 that does a lot of incident response. There are a lot of organizations out there that are like them. They're very good at what they do from what I've seen, though. And 70% of our incident response cases over the last year, I pulled some data. Because I know I was talking to you about this, have been ransomware and business email compromise. So phishing and the like. And we're seeing a massive upswing on things like smishing, SMS phishing. We're seeing a lot.

      So 70%, though, of the work that we're doing on an IR case tends to be around ransomware and business email compromise. And the other thing, when we're getting called in, it's usually after the fact. The victim has received the ransom note. Their files have been encrypted. They've had problems, and we're trying to help them. I don't think that's abnormal in the space. I think that's across the industry. That's what's happening. When an IR firm is brought in, it's because somebody had an issue, not because they were trying to be preventative. Now, we do see a little preventative, but it's crazy.

      Hot Security Topics Could Be Addressed by Automation

      Eric: And this is just our data, so your mileage may vary. If you look at somebody else, their data may vary. We are seeing an average of 28 days of dwell time, loitering time. I'm walking around your house, Rachael, looking for your jewelry and your money and everything else for 28 days. Before you notice and call me. How crazy is that if you run a business? You don't know the adversary is there for 28 days, then you know. It's crazy.

      Rachael: I guess it does gel, though. When we look at the targeting, we're seeing more and more of the schools. But also, I was reading some article, just small businesses. Some of them are feeder companies into larger organizations. Because they don't have the staff. Or, let's say, a more sophisticated security setup because why would anybody hit them? You're starting to see increased attacks on them.

      And again, I was reading this really interesting article talking about prevention. As you look at the recession, your resources, all those things, doubling down on preventative measures. How do you keep them out?

      Eric: So I've been doing a lot of thinking over the last year maybe. Maybe a little longer. From my perspective, it used to be automation. We need to drive to automation. If you turn to the industry, if you go to RSA, guarantee this year you'll see it again. It's machine learning and whatever your definition of artificial intelligence is, MLAI. You'll see it. We've talked about it on the show over and over and over again. It's really bothered me.

      [09:31] We Have to Drive Simplicity

      Eric: You and I have had personal conversations about this. We've talked about it on the show. And I think if you want to stick to AI and machine learning, I think it's got to be a people-first approach. Complemented by process, by technology, and then complemented by workforce improvements. Both of your employees but also your cyber defenders. But I think there's another component that I've spent a lot of time on lately. It's more than just automating.

      And really, the covering of the state and local and education space has really opened my eyes. Because the feds just throw money at the problem. We have too many tools. We have so many tools out there, depending on your survey. You'll see surveys that say companies have an average of 45 cybersecurity tools, 76 cybersecurity tools, over 100.

      I've had conversations with others in the industry at major companies. I've talked to Petko about it. If you have more than 10, 15 tools, you're basically a cybersecurity integrator. And I think the complexity of the environment is something that is really harming us on our largest organizations.

      We've got to drive to simplicity. This isn't a, hey, go buy company X or anything like that. It's really you've got to consolidate your tools. You've got to look at outcomes. We've talked about that for years.

      It's rare that you see customers talking outcomes. They tend to talk about tools, RFQs, RFPs, RFXs, whatever it may be. They come out looking for CASB or a software web gateway. Or now we get zero trust, which is all over the map. But rarely do you see things come out saying, "I want this business outcome."

      State, Local, and Education Have Fewer Tools to Handle Hot Security Topics

      Rachael: It's interesting. It's like treating the symptoms but not the underlying problem in a way-ish.

      Eric: So I've been doing a lot of thinking, again, and I'm not there yet. But I think it really comes down to incentives, as most things in this world do. What is the incentive of the endpoint team to work closely with the network team? As things come together, what is the incentive of somebody who's built a career on firewalls?

      They've built a career on network security in the firewalls to go and talk to their peer across the lane in the SOC. Or on the endpoint and say, "Hey, we've got a problem here. We are no longer defending the organization in the way we intended. It's not working. Let's find a better way of doing this." So SOC automation and things like that are great talking points, and I think we'll get there. But we've got to see some walls come down. We haven't seen that right yet in the business.

      Now, I told you I've learned some things over the last couple of months. From a visibility perspective, one of the things I've learned is state, local, and education customers don't have as much money as the federal government typically. They have fewer tools.

      Rachael: Yes. Having worked at the city of Houston, I can 100% attest to that.

      Eric: They have fewer tools. We were dealing with a customer a couple of weeks ago, a mid-market customer. They had a firewall. It's a town government. And the school system had a firewall, and they were looking at using those firewalls together for failover. High availability active-active failover, which is a really advanced concept.

      Why State and Local Education Customers Are More Efficient in Tackling Hot Security Topics

      Eric: But they're trying to work together because they don't have tools. Now, the breakdown is they don't have people either. They don't have administrators, so who's going to administer this very complex environment? And that's where the automation machine learning common tool sets and things I do think come to play.

      But what the observation I'm seeing is state and local education customers have fewer resources. Whether that's money, human capital, whatever it may be, time. And they tend to be more efficient than the federal government in many ways. Which is the greatest integrator on the planet in my opinion. I'm seeing the differences where they have fewer tools. They have a better capability in many cases.

      Rachael: Well, it's a good thing in a way, right?

      Eric: Well, they're talking, right? So if you're on the other side of the fence and I'm on my side and I'm endpoint, you're network. We've never worked together very well. Well, guess what? If we're both or we don't have the resources or we have to compromise because we can't buy 50 tools, the odds of you and I working better together are higher.

      Rachael: We're now incentivized.

      Eric: And I'm actually seeing that in real life. The incentivization is there. We’re on the federal side, here's your $3 million budget. Go out and buy a technology X. Who cares what it is? I will go do that. And I rarely have an outcome in mind other than I have this budget that I have to spend by the end of the fiscal year. We're going to start this program. Maybe we're doing VPN replacement, we're going to wrap it in zero trust. We'll go about a SASE type of categorized product. But why are we doing it?

      [15:08] The Notice of Funding

      Eric: Well, because we have to get off of VPN because we have too many remote workers. And I know I'm stereotyping. I'm generalizing, but my observation is we're not looking at it in the context of the greater picture for the organization, the agency, whatever it may be. So state, local, and education are more effective at that. It's pretty cool.

      Rachael: So there was the $1 billion cybersecurity grant program that was announced.

      Eric: Oh, the NOFO. The Notice of Funding.

      Rachael: Yes. It's targeting these groups. And I'm just curious, have you come across any folks that have applied for these funds or looking to implement them? And what's been the thought process, if you've had any of those interactions?

      Eric: So a ton, and I think it's a really good program in the way that it's going to put $1 billion I think it's over five years. It's going to put $1 billion into the state and local organizations. I think it's 60% has to be given to a local organization, so state, local, tribal, territorial. And they had to have their responses in by November. I forget the exact date. It was November of '22. So the responses are in for year one. And many people were able to do that, and many weren't. I think it's a really good thing in general. But what we want to see is integrated cyber, in my opinion.

      Hot Security Topics Include Ransomware

      Eric: We want to see them spending the money on things that they need to fill gaps. To get the right capabilities, whether that's workforce, technology, whatever it may be. Not just to spend the money. So I believe it's five years they get to roll out. I suspect the government will plus that up at some point. There was a lot of activity around ransomware.

      When we talk about outcomes, one of the things that we observe in the business is ransomware is massive. I gave you some stats. You've mentioned stats. We've had them on the show. We are seeing an orientation because it is debilitating. If you have a school system that gets hit by ransomware, kids aren't going to school. They aren't learning. Their private information is released to the public. Now you've got lawsuits. You have craziness happening.

      The other thing we see is it doesn't just start there. So the insurance organ company will come in. The law firms come in. The incident responders come in, but you're talking about a school board in many cases. You're talking about a superintendent of schools. Depending on the size of school, they have somewhere from zero to very little experience in cybersecurity.

      Same thing we're seeing in healthcare. Same thing we're seeing in our state, local, tribal, territorial organizations. It's not like CISA is on staff for these individuals. Okay, here's the playbook you're going to run. Here's what you're going to do and everything else.

      So we do see CISA and the FBI engaged. We see law enforcement engaged, but they tend to be more understanding of what's going on. They will give some guidance, but they're not running the show. Where in the fed space, we see a lot more direct engagement.

      The Reality That America Faces About Hot Security Topics

      Eric: So the $1 billion should be a very, very good thing for these organizations to really put a focus on cybersecurity. Because today, the budgets that they have and the capabilities are not where we need them to be compared to the capabilities of the actors.

      Rachael: No, not at all. It's very underfunded, as we know with a lot of schools, teachers buying their own supplies and buying supplies for kids. And so you can imagine on the back end what that means for security investments and other things. You have to prioritize. It's nice that there's an outlet now to get some funding to help them shore up defenses. Because it's so critically needed.

      Eric: Who was your favorite teacher in school? Who was it? Come on, give me a name.

      Rachael: It is actually my journalism teacher, Marjorie Comstock. Yes, she was awesome.

      Eric: How would Ms. Comstock do running the cybersecurity defensive program for the school system?

      Rachael: She was really smart. I think she could actually figure it out pretty quickly.

      Eric: But it would impact her ability to teach you journalism, which that's your career. And that's the type of thing that we're seeing. How would she do if the superintendent came and said, "Ms. Comstock, we have a breach. I've heard there's ransomware in the school, and I can't get into any of our systems. All of our systems are locked out right now. We have this note saying we have to pay 20 Bitcoin or whatever it may be." What would Ms. Comstock do? That's the reality we face in America in many of our schools and governmental organizations.

      Is There a Mechanism to Share Feedback?

      Eric: And that's where I think the NOFO really will help. Will there be waste? Absolutely. Will there be things that don't happen? Absolutely. But you can get things. You can get capabilities such as incident response retainers. You can get consulting from organizations that tell you where to focus and what your outcomes should be.

      If you're Ms. Comstock and you don't know, you might have the ability to get some guidance and help from the experts across the industry. From that perspective, I think it is a really good thing. But we have a long way to go as an industry. I think the industry has to do a lot more. We see a lot of opportunity for industry to step up to.

      Rachael: There's a lot on the best practices sharing too. With NOFO, when you do get funds? Was there a mechanism to share feedback or outcomes as part of that funding that could be shared to the broader state and local networks? Or am I making that up?

      Eric: And what do you mean by that?

      Rachael: Well, I don't know why. I think maybe I was reading an article, and maybe one of the hopes was that coming out of this as you get funding and start implementing projects that there's an amazing opportunity to share these learnings with other folks in state and local district networks. So they may be looking at trying to get funding in year two. That could help them shape whatever program they're trying to execute. Because I think there are annually these national get-togethers for these folks, where they do share best practices.

      [22:16] How North Dakota University Helped in Handling Hot Security Topics

      Eric: So there definitely are. There's Educause for the education sector. There are definitely conferences and programs where they can share. The other thing we've observed, you'll see these loose consortiums being set up by the state and local governments. University of Nebraska is a great example. The CIO has brought together the entire system in other schools to share information, share best practices, work together. They'll do things like buying volume buys in order to help the dollar go further. You're seeing organizations like the state of North Dakota has a joint SOC. Essentially, that they're trying to open up at the state level so that they can share information across state governments.

      And there's a lot of grassroots effort. But it's really hard to get 50 states together or school systems. So in these locations, people know each other. They get together. We have a tremendous number of people who are dedicated to this space that have worked through their whole careers. So they know a lot of people. They work really well together in both official and in unofficial capacity that helps the dollar go further, helps their capabilities go further. And it's really exciting to watch the way they do some things.

      Who would think that North Dakota would be pulling 12-plus states together in a joint regional SOC? So when they're seeing a ransomware incident or they're seeing something or somebody is, they can share that type of information. That's pretty cool to me. But President Biden isn't telling them to do that. There's no executive order telling them to do that.

      Sharing and Helping Each Other Goes a Long Way in Fighting Hot Security Topics

      Eric: Congress is going to mandate things like breach reporting and things like that. But really sharing and helping each other, that's the America I know and love. And we're seeing a lot of that, which is good.

      Rachael: I agree. And I'm sure a lot of it's out of necessity. If you have to figure it out on your own in a lot of ways, then you get creative and scrappy. That's where these great networks start forming. I love to see that.

      Eric: You do. Ms. Comstock, right? She probably steps up and works on cybersecurity for the school system because she has maybe an interest. And she cares. She knows those students and she knows her fellow educators. She knows the parents. She's been in that community her whole life. And you see this at the state, local, tribal, territorial level.

      People are directly impacted by what they do and don't do as it relates to cybersecurity. It's really rewarding to watch. This is their home. At the federal government where I've spent a good bit of my career, you think about a state. Pick your state wherever. It's one of 50. You have a lot going on. You probably don't even have responsibility for protecting anything at the state and local level. And you're putting something in place for maybe your agency. But these people, this is where they live. They go to the mall with these people. They go to dinner with them. So it's family. It's pretty cool to watch the American ingenuity, I guess I might call it.

      Is There an Opportunity for Leapfrogging?

      Rachael: I love the scrappiness. And the other thing I think a little bit about with this group is, is there an opportunity, and this may be very aspirational, for any leapfrogging to happen in using these funds? Meaning there were a lot of countries that were late to integrating, let's say fiber telecom, years and years late. But when they did, they ended up leapfrogging some other developed nations.

      Because they were starting off with the latest and greatest, whereas those that have had the fiber for a while, it was buried. It was old. It was antiquated. You have to dig it up to replace it. Is there some opportunity like that here, or is that just too farfetched given the starting place?

      Eric: I think so. I hope so. It should be an unprecedented opportunity because of the funding that is coming down that they would've never gotten otherwise to say, "Hey, okay, we have money. What would we do? And what are we worried about? What outcome do we want? What are we protecting against?" Most of the time, a lot of time, it's ransomware. How do we do that? Now, I think there is a component on industry. If you go to, what is it, cyberseek.org. I think. Momentum Cyber.

      They show all the vendors in every given segment. Not all of them. They show dozens and dozens of vendors in every given segment. Last I saw, there were more than 4,000 companies in cybersecurity.

      What We Need to Do to Be Ahead of Hot Security Topics

      Eric: We as an industry need to see some consolidation, some rationalization. Because if you're Ms. Comstock and you're handed a bunch of money or you're on the local town council and you're the lead, if you will, for protecting the county government or the town government, whatever it may be, from ransomware, where do you start?

      You've been in the business a while. We've reported on this for years on the show. Where do you go? Which vendor do you go to? Which consulting firm do you go to with your money ready to make a decision? To make the best decision you can? I think the industry really needs to see some consolidation and I think we might see some. I don't know how much with a potential downturn in the economy. We're already seeing it in the stock market. Cybersecurity, tech, stocks, you name it, are coming down.

      I'm also seeing in the business companies are exiting due to the strong dollar. They're exiting south in Latin America. And they're exiting markets where the dollar makes them uncompetitive and consolidating their resources. They're conserving capital, where a year or two ago, we'd go create a group. Somebody would go create a group and spin off a new idea and see if it worked or not. We're going to see some more rationalization there.

      But I do think the industry needs to do a better job of providing answers to desired outcomes. Because in any category, you can probably find 10-plus vendors that you could talk to today. So we need some platforms. And zero trust is good.

      There’s a Lot of Work to Do to Combat Hot Security Topics

      Eric: But at the same time, it's certainly not defining go do this for the Ms. Comstocks of the world who just want to protect her students. Or they just want to protect the town water supply. So it's cool stuff. But IOT, OT, I don't know if you've talked about it on the show. I may have missed it, about software, bill of materials, secure supply chain. We talked about it with SolarWinds. I think that might have been two years ago now, right? Secure by design. So how do we make these products more secure coming out of the gate? How do we help people protect their varied environments? There's a lot of work to do.

      Rachael: No, agreed. It's not like there's a cyber solution starter kit for ransomware and you can just go drop it in and you're good to go.

      Eric: Wouldn't that be great?

      Rachael: I'd be amazing. We got an idea. I think we've got a million-dollar idea.

      Eric: I don't know how to monetize that one. But it is a dual-sided problem. We have customers who don't have the resources to do what they need to do. That's the world we live in. And then we have the industry that hasn't done a great job of providing answers to customers. I hope that we see a drive to more of a platform and capabilities-based approach. Where there's some standardization so that the Ms. Comstocks of the world, quite frankly, can say, "Okay, here's what I'm trying to do here. These are the five tools I need for the school system. And I have a high assurance that we will be protected from the following things."

      We Have to Secure Our Connections for Protection from Hot Security Topics

      Eric: "And when the adversary does get through, this is how we're going to handle it."

      Rachael: That would be nice. So when we think about all this, where does the SASE play, do you think, for these people?

      Eric: So I think as we see more users go to wherever, where we might've called work from home, but really it's work from everywhere, work from anywhere, we have to secure those connections. And the old VPN home run back into the business doesn't work. It doesn't scale. It's inefficient. Many people are going to go around it with shadow IT.

      So as more and more workloads move to the cloud, I'd be interested to see somebody saying that that will decrease over time in the near term. Maybe in a generation or two, we'll see a new model in security. We saw it with mainframes, and then we went to open distributed systems. And then we come back a little bit with the cloud, but the cloud's massively distributed.

      I think that concepts like SASE are important. Because you have to have that security as your users are connecting to Amazon, Microsoft, Google, whatever it may be. And a lot of times, what I've observed over my career is we don't have that. If they're connecting, they're just connecting. Dropbox, boom, connected. IT doesn't know about it. Ms. Comstock has no clue. And you're doing your work from wherever you are. Could be home, could be Croatia. Could be wherever. And there's private data there. Super critical. SASE, super critical. What do you think?

      Rachael: Well, I think anything that can help make it a bit easier to navigate the security waters and particularly covering the essential bases, I think, is important.

      [33:02] We Need the Ability to Inspect

      Rachael: And how do you simplify but, to your point, also find some semblance of standardization, commonality. We talk a lot about one agent and one policy to rule them, all those things. But at the end of the day, simplifying it and making it easier to deploy and manage, I think that's going to help a lot of those smaller companies. It will start getting at least the essentials infrastructure covered. And that seems like there's a huge need out there to get that moving forward.

      Eric: You need that visibility, the ability to inspect. We think it's so critical here. And as you drive out zero trust, so things like least privileged access, continuous trust verification, the continuous security inspection, protection of all data. Which you and I have talked about. Security on the apps, people are going to connect from anywhere, everywhere.

      You have to have that accessibility from a security perspective on everything they're doing. No matter who they are, no matter where they're connecting from. No matter what they're connecting to and no matter what they're doing. You've got to have that visibility, the analysis, and the ability to then take corrective action if you're a bad person. Or you're accessing something you shouldn't or you're trying to do something, maliciously or unintentionally you're trying to do something. The business should know about it. It should be automated. It should lock it down.

      Rachael: Now, you mentioned zero trust, which everybody loves this word.

      Eric: Sorry about that. They go hand-in-hand. SASE, zero trust, they're not technologies. They go hand-in-hand.

      Rachael: Sure. But we've heard so much about zero trust. It sounds like this savior, if you will, of things. But are people talking enough about maybe the cons of it?

      People Are Now Looking for Identity

      Rachael: We know the pros and the opportunity it brings in implementing zero trust strategies. But for smaller organizations that perhaps are less sophisticated, there are elements of zero trust that can be a little complicated sometimes. Segmenting users in different accessibility permissions or what have you. Are people talking enough about that?

      Eric: Of course not.

      Rachael: And how could a smaller organization overcome these things?

      Eric: No, but zero trust if it gets people thinking. If it gets them thinking. So one of the things that I think we've observed in the industry is from a zero trust perspective, identity. Most people 5, 10 years ago weren't talking about identity. You had an account somewhere, and that was what you had. But now people are really looking at identity.

      Who are you? And from that, we're then looking at, what should you be able to do? What are you trying to do? How do you want to do it? I think there's some components. If you ask Ms. Comstock to come up to speed on zero trust and use zero trust principles to protect the school system, I think it's going to be really difficult for her. But in her research, she will learn things such as identity protection, data protection, user protection, application protection. She'll probably learn about the principles.

      There’s an Opportunity to Learn from Hot Security Topics

      Eric: You can break it down into other areas like SD-WAN or zero trust network access and learn things that may help you understand where to start. And there's no prescriptive manual. Or maybe we should say there are too many prescriptive manuals if you go to NIST or you go to the federal guidelines now.

      Rachael: There's a lot out there.

      Eric: Right. And then you go to industry. So maybe there's too much. But I do think there's some opportunity to learn. And if you can translate that into what your organization or business needs, that's a really good thing. We're seeing a lot of people look at zero trust network access. Again, least privileged, protection of data, security at the app level, constant inspection, constant verification, validation that you are who you say you are.

      That's a huge step beyond, "Oh, I don't know. That's just a connection to Dropbox that went through the firewall. I don't know. Or did not go through the firewall because I'm working from a laptop from home, a work issued laptop." So just think having these discussions while zero trust isn't something you buy, it is something I think you can buy into. And we can advance security somewhat. And we're seeing that.

      Rachael: I like that because they are critical concepts. And if you're educating yourself, it definitely gives you a more holistic thinking of how you need to be tackling the issue.

      Eric: If we went back ten years before zero trust was really big. And I know Dr. Chase Cunningham and his peers would say, "Wait a minute, it's been around since, what, 2010." 12 years, fine.

      Zero Trust Has Elevated the Discussion on Hot Security Topics

      Rachael: Something like that.

      Eric: But we weren't really talking about it at scale five years ago. And you wanted to research what do I do to protect my organization. A lot of it would come down to technologies. CASB was just coming out. You were looking at AV. You were looking at sandboxing. And that's the way you would learn. I think zero trust, the concept, has elevated the discussion a bit in the right direction. Which is a very good thing for the industry.

      We still have too many vendors. And we don't have enough good answers. We don't have enough funding. We don't have enough practitioners. But we're having a higher level discussion, similar maybe to the board. Five years ago the board wasn't talking about cybersecurity every meeting. They're probably more likely to talk about that right now. So we're seeing a maturity increase and maturization in the industry at multiple levels, which I think is a good thing.

      Rachael: I know. Always discussion and information sharing are critical. I want to be mindful of time since you are a guest, but I did have one final question. And it's a big one, though. So my favorite topic of cyberwar as well. And as the conflict in Ukraine continues, I think I was reading recently that NATO just ran like a cyber exercise. I forgot how many participating countries. But they're taking this very seriously. They're seeing this escalating conflict, and it's been what the physical and the cyber elements of "war" happening in Ukraine and what that spillover could look like.

      Do Cyberwars End?

      Rachael: And NATO is trying to get prepared but also deciding when do you step in, as you know. As this becomes more of a reality and goes on, what does that mean in terms of, do cyberwars end? And if not and we're going to be under threat of spillover because maybe you support Ukraine and the Russian cyber army is not happy with that and want to execute attacks. It seems like the landscape is changing and getting a little more scary even with these elements that you just can't control when you have cyber army signing up to help and are sympathetic to a cause.

      And it can easily escalate to physical attacks. A cyberattack could lead to a physical attack. We're getting in such a scary area here ahead, Eric, in geopolitical tensions. How do we manage all of this ahead, I guess? I think Ukraine's become this microcosm of probably what's to come perhaps.

      Eric: That's a lot to take in for one question. I'll do my best. Luckily, we know each other very well. I would say, one, I think we've seen in Ukraine that kinetic trumps cyber pretty much all the time in many ways. It's easier to blow up a transfer station than to try to take it offline. Especially in a less connected country or a country where they have the ability to go more physical. Just more antiquated tools and the like. And the Ukrainians are pretty good at defensive cyber operations too.

      Rachael: Yes, they are.

      Kinetic Will Trump Cyber

      Eric: And they many times understand the same languages. So kinetic will typically trump cyber, I think. And I think we see a lot of focus on the kinetic. This war has been going on for over 10 months now, 300 and some days. And I think what you see is similar to cyber. If you're following it, you almost become numb to some level. A couple of observations, though. I was reading something yesterday. There was an S300 Ukrainian air defense missile that landed in Belarus. There was a big formal protest and uprising on that.

      We had a similar type of activity hit Poland a couple of months ago. I think it was October where there was actually a loss of life. So Ukraine was trying to defend itself from an air attack. From everything I've read publicly available, it appears that a missile body landed in Poland and one in Belarus this week. Or maybe it was last week. And there's a big outcry, but you don't see the same type of outcry when you have cyber spillage like we had Viasat at the beginning of the conflict. So there's a numbness there also.

      As you were talking about it, the word resiliency kept coming to my mind. I wasn't sure exactly where you were going with the question, but it was like this is a resiliency question. This is going to happen. We've already made it more of a norm than an anti-aircraft missile landing in a foreign country by accident. Cyber spillage, whatever you want to call it, is real. And it's almost accepted at some level. So that's where I think resiliency comes into place. We know it's going to happen.

      [44:10] Resiliency Is the Component

      Eric: We saw the ineffectiveness due to, I think, a lot of coordination issues and some other things in the February 24th kickoff. From what we've seen, very little time to prep the objective from a cyber perspective. Even though the Russians have been doing it for years. I think what you will see is the adversaries will learn. They will take more time. They will better integrate in the future. It is an absolutely real issue that we need to contend with.

      I still see things like weapon systems and platforms going out with very little to limited considerations around cybersecurity. It's something we're going to have to just contend with, we're going to deal with. Resiliency is the impact or the component I would focus on.

      If half your systems come offline because of a cyberattack, how do you perform your function, your mission with the other half? If for whatever reason ships can't launch planes, what do we have? How do we plan for that? And the military is really good at that. We spent a lot of time on the show, and I know we're wrapping up. State, local government, not as well prepared. Federal government outside of the military, not as prepared as we would like. The military, better, but not where they would want to be either.

      So we have to deal from a resiliency perspective. How do we continue mission based on some degradation of capability? Because I think it's going to happen. I don't know. You agree? Disagree?

      Rachael: No, I think as you're talking, I was thinking about this too. And I think we've had a couple of guests even mention this.

      Cyber Is a Key Component

      Rachael: I guess at the end of the day, is it so different than just another cyberattack, right? You still have to have security. And you still have to defend your organization. You still have to keep critical data in. So it's just standard operating procedure now for your business. Whether it's spillage out of a Ukraine conflict or just like we always talk about. A 16-year-old in their basement just surfing for some dollars and trying to find a way in. Either way, you still need to secure yourself.

      Eric: You do. And I think we've seen for decades now vulnerability scanning from the inside. Where's the vulnerability in software code? Am I patched? Am I whatever? But one of the things we should be focusing on is attack surface management. The ability to look from the outside in. What does my organization look like from an adversarial perspective? You and I have talked about tabletop games, war gaming. What happens when the adversary gets in? How do we continue mission?

      I don't think we spend a lot of time there as organizations, federal, state, local, commercial, you name it. So there are things we could and should be doing. Because despite what we observed in the Ukraine-Russian conflict, I think you'd be hard-pressed to find people that would say cyber would not be a part of a future conflict.

      Rachael: It has to be.

      Eric: It doesn't have to be, but I think it would be. Those are tools available.

      Rachael: It seems part of the modern arsenal. Cyber is a key component of the different levers at your disposal if you're trying to make an impact somewhere.

      We Need to Hunt More

      Eric: So I think the debate would be around the level of effort. The potential impact of cyber activity.

      Rachael: And if you can call on cyber armies, though. If you can get enough people on your side to volunteer to help you.

      Eric: Maybe. I remember the show we did. I forget the gentleman's name, on the cyber army. It would be very interesting to see how the cyber army is holding together today and the effectiveness of the Ukrainian cyber army. What we haven't seen in the conflict is either side really make a lot of progress from a cybersecurity offensive perspective.

      I do think we'll see that in the next conflicts going forward between nation states. To what extent, don't know. But why not understand what the adversary can get access to, what they can see? Why not war game some things out and deal from a resiliency perspective? How do we continue keeping the lights on or defending this airspace or whatever your task may be in a cyber contested environment?

      Those are things I think we could do very effectively. We just don't spend enough time there. Dmitri Alperovitch, going back to winter, I think, 2020, we don't hunt enough. Why aren't we doing more hunting on our networks for cyber activity? I gave you the stat. We are seeing 28 days median dwell time. I don't know. If you hunt more, would you have found that in 11 days? And would that have made the difference?

      Awareness and Resiliency

      Eric: I honestly couldn't tell you in any specific or even generalized cases. But my gut says the sooner I can get somebody out of my house, the less they can take, steal, or damage. So I'm not sure if I answered your question, but resiliency, that's the word I'd end on.

      Rachael: It's a question and a comment and an observation all rolled into one. I think there are definite long-term implications there that we just don't know what those are. And in some ways, though, the heightened awareness of this may get more organizations accelerating their security transformations and trying to get their house in order in the near-term versus just I'll wait and see and hope they don't find me approach.

      Eric: I think ransomware has been more effective at it.

      Rachael: Yes, that's a good point.

      Eric: As we create awareness, whatever that may be. Your local school system next county over had a ransomware attack that debilitated them. Or Colonial Pipeline or you were in a board meeting, whatever it may be. I think awareness, we've come a long way as an industry, both the customer side and the vendor side from an awareness compared to where we were. Now, the costs have gone way up, so that makes sense to me. But I do think awareness is a big one and then resiliency. This is here to stay. There's no silver bullet, and criminal activity will always be there.

      Rachael: That's right because crime pays, Eric, apparently.

      Eric: $3.5 trillion in losses. I think that's a pretty good payout.

      Rachael: That's not too bad.

      Eric: And it's easy, and it's low risk.

      Let’s Hope for Good Progress Against the Adversary

      Eric: Right. And if you're a nation state and before you launch kinetic capabilities, you spend a couple of weeks prepping the objective, what's the real cost? You get dragged into the UN and told, "This is bad behavior. We need you to stop"? Honestly, if you're intent on invading a country, I think the cost, the risk, is relatively low.

      Rachael: It is. You're probably not going to jail.

      Eric: So a lot of incentive, not a lot of risk. Unfortunately, it's a lot of opportunity for the industry and a lot of vulnerability for the world. Rachael, I know we're at the end of our time, but it is always awesome talking to you. And I do miss you and the show.

      Rachael: I'm so glad you made it. I hope you come back. I know you're busy over there at Palo Alto, but I do hope we can get you back from time to time.

      Eric: Well, here's hoping to a great 2023 and a better than 2022 was. Hopefully, we make some good progress against the adversary.

      Rachael: I feel like we've said that every year the last three years.

      Eric: Yes, we do. Who is it? Bruce Schneier, I've quoted him frequently. We're getting better, but we're getting worse faster.

      Rachael: All opportunity, though. It just creates more opportunity for all things. So to all of our listeners, thank you for joining us this week. And thank you again, Eric, for joining us and coming back for a visit.

      Eric: We like people to smash the subscribe button. Even though I'm not looking at the data and the stats anymore, subscribe, leave comments, please.

      About Our Guest

      Eric Trexler - SVP, Palo Alto Networks

       

      Eric Trexler joined Palo Alto Networks in September of 2022 and oversees the US Public Sector business.

      Most recently, Eric Trexler was the Vice President of Sales, Global Governments and Critical Infrastructure at Forcepoint. Eric was responsible for Global Go To Market operations to include all components of sales, sales enablement, and field and product marketing. While at Forcepoint, Eric’s team doubled the size of the business over a five year period to nearly $400M in annual sales and strategically moved a large part of the business to the Public Cloud.

      Eric has nearly 30 years of experience in technology across the public and private sectors, including Department of Defense, Civilian, and Intelligence communities, along with International governments. Eric has combined his sales savvy and technical skills with practical knowledge of leadership fundamentals to solve global cybersecurity issues for his customers and the business.

      Prior to Forcepoint, Eric was the executive director for Civilian and National Security Programs at McAfee (formerly Intel Security). Earlier in his career, Eric worked at Salesforce.com, EMC, and Sybase. He spent four years as an Airborne Ranger with the U.S. Army specializing in communications. Eric holds a Master's Degree in Business Administration and a Bachelor’s of Science in Marketing from the University of Maryland at College Park.

      He was the co-host of the award winning “To The Point Cybersecurity” podcast with over 200 weekly episodes covering various cybersecurity topics, and he regularly writes bylines for cybersecurity and national periodicals.