With the pandemic came the rise of remote working, introducing new challenges for the IT department in managing cyber security. How is your organization coping with this challenge? In this episode of Coding Over Cocktails, we talk to a seasoned cybersecurity expert to learn how the pandemic impacted cybersecurity and how much these cyber attacks are costing our organizations. We also talk about how a company board can get involved with cyber risk management and how organizations can now manage and mitigate cyber risk through automation.
Welcome to Coding Over Cocktails, a podcast by Toro Cloud. Here we talk about digital transformation, application integration, low code, application development, data management, and business process automation. Catch some expert insights as we sit down with industry leaders who share tips on how enterprises can take on the challenge of digital transformation. Take a seat. Join us for a round. Here are your hosts, Kevin Montalbo and Toro Cloud CEO and founder David Brown.
Transcript
Kevin Montalbo
Welcome to episode 50 of the Coding Over Cocktails podcast. My name is Kevin Montalbo, and joining us from Sydney, Australia is Toro Cloud CEO and founder David Brown. Hi David. Hi, Kevin. And our guest for this episode is a seasoned cybersecurity technologist and expert with over 18 years of extensive experience in cybersecurity R and D. He got his PhD in cybersecurity from the International Institute of Information Technology in Bangalore in applied cryptography and threat intelligence. He is co-inventor of five US patents in the areas of cloud, SDN and NFV security. He's also the author of several REST API security live projects for Manning, which we will be having a giveaway of on our Toro Cloud Twitter account. So make sure to stick around for that. Joining us today for a round of cocktails is Doctor Sashank Dara. Hi, Sashank. Great to have you on the show.
Sashank Dara
Hi, Kevin. Hi David. My pleasure being here.
David Brown
Nice to have you join us. Thank you for joining us today. Let's jump straight into it. We all know that cyberattacks have been increasing in their frequency and sophistication. Um, do you have any statistics on what it's costing organizations on a global basis?
Sashank Dara
Yep. So it's quite unfortunate to see that cyberattacks can be devastating for organizations. And fortunately, we are having more data points on it to emphasize the need and spread awareness. So in a recent study, the average total cost of a data breach increased by nearly 10% to 4.24 million, the highest ever recorded. Wow,
David Brown
that's the average cost for an organization, is that
Sashank Dara
that's an average cost.
David Brown
Yes.
Sashank Dara
And see the aftermath: around 60% of the small companies closed within six months of being hacked. Now, the first order is the monetary loss. The second order is the number of people losing jobs,
David Brown
right. So obviously with a cost like that, as you say, many small businesses wouldn't be able to deal with such a significant cost. So they're closing, people are losing their jobs, and that's costing an average of $4 million for a cyber attack. So we must be talking about many billions of dollars per annum on a global basis. So I guess, you know, we've had lots of challenges over the last 18 months with COVID, and we had this huge transition to companies working remotely, accessing their networks remotely, um, online communication. Has that resulted in a net increase or decrease in security related issues for organizations?
Sashank Dara
So definitely transitioning to remote working has increased exposure to cyberattacks. So let's take a brief pause here and understand what the remote working challenges are themselves. Then we can get to the impact on the organizations due to cyberattacks, right? So when overnight the lockdowns happened, IT teams had numerous challenges in transforming their work practices to remote working. So employees had to work with any devices at their home, meaning lesser or no controls, before the IT teams could procure and send them new laptops or desktops so that they could work remotely from their homes. And suddenly IT teams had to expose their internal networks and internal applications, otherwise well protected within their corporate network, to the public internet. This is where very poor VPN configurations, or via cloud services and such like, come in, right. So services that were never exposed before are suddenly exposed to the internet with mediocre or poor configurations. And the third point is haphazard adoption of cloud services. Everyone wants to move to the cloud because of these transformations in the overall environment, with little or no expertise. This resulted in numerous misfires, right? So the myth is that cloud is secure, but the reality or the fact is cloud security is a shared responsibility model where the organizations adopting the cloud are also equally responsible for the services they're using. And of course,
David Brown
that's a good point because, you know, we use public cloud providers ourselves at Toro, and the networking and configuration thereof is largely your responsibility. So they provide the infrastructure as a service. But the way you configure that service is totally up to you. So you're seeing that a lot of people don't have the expertise to configure those services, and that is resulting in security vulnerabilities in the applications they're deploying to the cloud.
Sashank Dara
Absolutely. And there's a fourth important point here: pandemic themed phishing campaigns. People are under extreme pressure due to the pandemic itself, and the moment you see campaigns related to donations, campaigns related to fake news, campaigns related to something that happened to somebody due to the pandemic, in the context of deploying phishing campaigns. Yes. So already people are emotionally charged up due to this pandemic, and they are more gullible to clicking the URLs that they should not be opening at all. Right. So due to these factors, remote working due to the pandemic also impacted the speed of response. What happens in case of an attack? How do IT teams remotely respond to such attacks? This increases the time to identify and contain the data breaches. OK. At organizations with greater than 50% remote work adoption, it took an average of 300 days to identify and contain the breach
David Brown
300
Sashank Dara
days, 300 days,
David Brown
the issue was long gone. After 300
Sashank Dara
you can see the gravity of the situation here. Even the people are impacted: the workforce, the IT teams that are working around the clock on the upkeep of the systems, are impacted due to the pandemic, right. So all this has a compounding effect on identifying and containing a data breach.
David Brown
Yeah, that makes a lot of sense. Um, I guess the IT teams weren't prepared to deal with these kinds of situations with remote working and, as you say, accessing their data over public networks and remote VPN connections, and those devices which they didn't have control of, people using their own computers and laptops. Um, has maturity grown since then? Are you finding that the IT teams are now better equipped to deal with these situations?
Sashank Dara
So I would say both. Yes and no. OK, so yes, because in the last 1.5 years, definitely there are a lot of lessons learned. Almost every organization's business continuity plans, disaster recovery plans, remote working plans are being tested to the maximum. OK. But smaller and medium organizations who cannot afford such kind of business continuity or disaster recovery infrastructure, they need to reinvent themselves, innovate how they can continue their businesses despite these harsh conditions.
David Brown
Mhm. So what are the most common challenges that companies are facing today with cybersecurity? Is it any particular style of attack which they're facing?
Sashank Dara
So defense in general, cyber defense against modern attacks, is in general hard. I mean, under normal situations itself defense is quite hard, and on top of it, the way modern businesses are operating, say things like remote or hybrid working. Hybrid working makes it much more complex, by the way. Remote working has its challenges, but hybrid working is much more complex. Yet in order to protect, haphazard adoption of the cloud and lack of expertise make all these things much more complex. OK. So to secure the infrastructure from cyber attacks, things like: how do you identify all these assets? How do you know which is a company asset, whether it is a software asset or a hardware asset? How do you identify their cyber hygiene? As we said, things like the laptops and desktops at home also immediately got connected to the internet and started being used for work. How do we know the hygiene of those systems? How to identify these gaps and risks on a continuous basis? How to ensure that adequate controls are there? How do we prioritize? So all these are the challenges. Hm,
David Brown
where are the attacks coming from though? Are they coming from, um, vulnerabilities in firewalls? Is it coming from security vulnerabilities in these, um, devices which are coming inside the internal networks through that hybrid working environment? Is it the phishing attacks? Where are we seeing the majority of these attacks?
Sashank Dara
So let me put this into two broad categories. OK. The first category are the bad people continuously scanning the entire internet, the attackers trying to see where the loophole is: whether there are any insecure versions of software being exposed, whether there is any remote desktop protocol being exposed, or whether poorly configured services are exposed. And you know, um, this set of people are continuously scanning the internet trying to identify the weak points in the infrastructure. The other set of people are targeted attacks. These are very, very difficult to combat, the targeted attacks. Understand, they don't go after everyone. They have a limited set of organization types or industry types they want to go after. Right. For example, they find loopholes in healthcare systems. They know that healthcare systems are vulnerable due to the pandemic, or they know that the power sector, or they know that the public infrastructure, the government infrastructure; they are targeting such sectors and going after them to identify who are the people working there. What kind of roles are they in? Can we do spear phishing, targeted emails to them, either pandemic or non pandemic themed? Um, because there are a lot of new age attacks on social engineering, and especially targeting people like, say, CEO fraud or business email compromise and these kinds of things. These are attacking the human mind and the gullibility of people in order to get into their networks. So those are the two broad things, and both are equally dangerous.
David Brown
I'd like to talk about the, um, management within an organization and how we're dealing with cyberattacks from a management and board perspective, for that matter. Let's start off with the Chief Information Security Officer. What's the role of this position? Yeah.
Sashank Dara
So the CISO or CSO, depending upon where you come from in the world. So the Chief Information Security Officer is an executive responsible for the organization's overall information and data security. It's a senior role that needs both technical and business skills, and he or she has different responsibilities. But I would say it's a very senior position who will try to bridge the gap with the C-suite executives and board members, and downstream with the IT teams, ensuring the overall cyber security of the organization. OK. So the CISO has different responsibilities like the cyber risk and cyber intelligence, to keep abreast of the developing security threats, helping the board understand potential security problems that may arise from either acquisitions or big business moves; and the overall security architecture and operations. It could be planning, buying, rolling out security hardware and software, making sure the IT and network infrastructure is designed with best security practices in mind; the security program management and governance, for example, keeping ahead of security needs by implementing the programs and projects that mitigate these risks; and ensuring the compliances, the regional and global regulatory compliances from a cyber perspective, are being adhered to. So these are different responsibilities of the CISO
David Brown
and you mentioned that, um, the CISO is either reporting to senior management and/or potentially the board. So these topics are increasingly being discussed at a board level. How are boards getting involved in cyber risk management?
Sashank Dara
That's a very good question. So on one hand, there's a rise of cyberattacks and subsequent losses. Um, on the other hand, boards need to understand whether their organization can get attacked as well. So, in the last few years especially, cyber risk management became essential in the overall enterprise risk management for the organizations. OK. And the board is more interested to know: is our organization cyber resilient? Are the cyber practices fully aligned with our risk appetite? That's very important to see, because each organization has an appetite of how much risk they can take and how much investment they can do in cyber. And are you planning and forecasting appropriately for that particular sector? That's again very important, that in their sector, are they able to forecast appropriately? And what's the biggest cyber threat? Is it external, is it the nation state attackers? Is it random attackers on the internet, or is it from the internal insiders? Depending upon their industry type and the nature of the business, the threats vary, the degree of the impact varies. So these are the couple of questions that they'll be interested to know from the C-suite executives. And the CEO's role is to provide these data points to the board.
David Brown
Can you share with us some of the key risk management pillars that IT security teams, alongside the board, should have in mind when it comes to cyber security?
Sashank Dara
So as I was saying, cyber defense is hard. But let me break it down into four simple pieces so that teams can understand what those pillars, risk management pillars, are. So it all boils down to four steps. OK. First, you need to identify what all the assets are that are used to conduct business. It could be office-given assets, it could be laptops, desktops, servers, business services in the cloud or on premise. Um, whether there are personal devices, where, you know, the phones and things like that. Because if we don't understand our asset landscape, we cannot protect. OK, we don't know what all to protect. So, asset management and classification. So once we identify these assets, in the same step we need to classify them: how important these assets are, what kind of data or what kind of services they're accessing. Does it have customer data? Does it have intellectual property? Does it have financial data and such like? So that, asset management and classification, is the first bucket, or the first pillar, I would say. The second pillar is identifying the cyber hygiene of these assets, like continuous assessments. What are these assets like? What do they run? What are the operating systems? What are the packages and libraries? Are there any gaps in the configurations? Are there any known weaknesses? And what are the risks that are emerging from such gaps? So identifying the cyber hygiene is important. The third one, and the toughest one, is prioritize, prioritize and prioritize. Obviously, with the given time, resources, energies and mental bandwidth and resource bandwidth, we can only address a few of such gaps. Now, in those fewer ones, how do we get to the first top 10% or 20% of the issues that we need to prioritize and solve? So that's a very complex piece. But there are recent advances and we can use advanced technology to prioritize.
And the fourth one is, how ready are we, how fast can we act, whether it is remediation, whether it is response, for those risks that we have identified. So to summarize, the four pillars are asset management and classification, identifying the cyber hygiene of these assets, prioritizing these gaps, and remediation and response for the side effect. So I would say these are the four important pillars for a continuous management of risks.
David Brown
Hm. It's interesting because you didn't mention, for example, process, human process. So I understand that some of the large scale attacks we've had recently have been where they've got an employee to click on an email, a phishing email for example, and they've given away a password and unknowingly provided access to some internal systems for a data breach. So how important is education and business process within the organization?
Sashank Dara
That's a very good question. So these four pillars which I have just mentioned cannot be solved with technology alone. OK. We need to have the right people awareness, you need to have the right processes in place, and the right technology. It's a combination of people, process and technology that will enable all these four pillars to work efficiently with
David Brown
the challenges associated with distributed networks, remote working, um, and the expectation that customers and business partners have this real time access to data. I'm imagining there's so much data flowing in and out of the organization through these remote workers and business partners and customers. We would need to use automation to create some sort of prioritized list and response to these risk events. So how can we manage and mitigate risk through automation?
Sashank Dara
So as you said, the faster the IT teams can respond and remediate the vulnerabilities, the more likely it is that it reduces the impact of a cyber attack. So that's where automation plays a very, very important role. OK. Now, if you break things down, they can be fully automated, they can be semi-automated, they can be manual. Those are the three buckets I would think of when it comes to automation. OK. So both fully automated and semi-automated ways. For example, how do we automatically push policies? How do we patch systems? How do we, you know, alter certain rules? How do we isolate certain devices? How do we push firewall rules? All these come under this bucket of automation needs. OK. So whether it needs integrating with the existing controls, whether it is building those glue components that can interact with different components, or even getting or buying the products that have APIs exposed. For example, it becomes very, very important for the IT teams to take a strategic decision to buy or purchase products that are integrable with the ecosystem rather than silos. OK. But that said, we can automate only the tactical issues. We have to be very, very clear here. Only the tactical issues like patching systems and pushing policies can be automated, but strategic gaps will still be manual; that needs careful thinking, planning and executing strategic mitigations and strategic controls. And while planning for automation, it's very, very important for the businesses to avoid business disruption. The security team says that, hey, block this port because it is insecure. Now, the IT team can go and block it, but there could be a business disruption saying that, hey, there's an ecommerce service that is earning revenue, and it is suddenly blocked. No. So care should be taken that in case of business disruption, there should be enough tooling, that we have necessary measures in place to roll them back as well.
Understand what the strategic measure is there, maybe move to a more secure service and things like that, and then roll it back. So automation is key; both semi-automated and fully automated measures are needed. And in case something goes wrong, you need to have measures to roll them back as well and redeploy them with a better approach. Hope this helps.
David Brown
Well, as I understand it, you co-founded a company called Second Eyes a few years ago, and you're building next generation systems for automated, intelligent IT risk and compliance management. So can you run us through some of the specifics of how a solution like yours would help facilitate this?
Sashank Dara
So, thanks for asking that. Um, so when we started the start-up, Second Eyes, um, there were numerous problems, especially in managing these risks, IT risks. There were point products. Um, there is a lot of data flowing in, and there is no way for the customers and organizations to put them all in some context and understand what it is like and get the big picture. That is where the four pillars I just described a couple of minutes ago come in; we as a start-up, we are building cutting edge algorithms and a SaaS solution, a super simplified SaaS solution, a software-as-a-service solution, to automate as much as possible. Both from asset identification, identifying the gaps, contextualizing them and prioritizing them, and automating them as well. So it's a full suite, irrespective of which assets they are managing. Before us, there were point products like, say, web risk identification or mobile app risk identification or cloud risk identification, but that's simply overwhelming for the user in order to stitch it all together. Right now, we are pioneers in the space, building the holistic platform for both automating the IT risk management and also adhering to global and regional compliances. Hm
David Brown
It sounds like you're right at the edge where companies need you most, with an average cost of $4 million a year. Um, I wish you well, and I know you are doing well, and I wish you well with your endeavors at Second Eyes. So Sashank, thank you for joining us today. How can the people listening to our podcast follow you on social media and the blogs that you write?
Sashank Dara
So, yeah, I'm on LinkedIn and Twitter with the same name, as there are no pseudonyms that I use on the internet. So it's easy to find me there
David Brown
to find it.
Sashank Dara
Yeah, it's Sashank Dara. So I'm just a few clicks away if you want to follow, catch up, have these interesting conversations. I've been in this domain for a while, so I'm extremely passionate about this. So, yeah, feel free to reach out. I'll be happy to share my knowledge or learn from you as well.
David Brown
And your publisher Manning has generously offered us to give away some of your, um, guides that you've written with them. So for the listeners, we'll be promoting those on our social media platforms and our blog thereafter. So, thank you for your time today.
Sashank Dara
Thank you very much, David and Kevin. I really enjoyed the discussion.
Kevin Montalbo
Hey, listeners, hope you had a wonderful time listening to that episode. For those who stuck around, we've got a special surprise for you. We're giving away access to Sashank's latest live projects on Manning: JSON Web Token Authentication for APIs and Secure APIs from Web Application Attacks. Simply follow us on Twitter at Toro Cloud, like and retweet our contest post. The winners will be chosen and contacted via DMs. Good luck. As always, let us know your thoughts in the comment section of the podcast platform you're listening on. Also, please visit our website at www.torocloud.com for a transcript of this episode as well as our blogs and our products. We're also on social media: Facebook, LinkedIn, YouTube, Twitter and Instagram. Talk to us there because we listen; just look for Toro Cloud. On behalf of the team here at Toro Cloud, thank you very much for listening to us today. This has been Kevin for Coding Over Cocktails. Cheers.