Darknet Diaries x Juniper Networks Twitter Spaces
Listen: The latest trends in cybersecurity from two Juniper experts
Hear from Juniper Threat Labs’ Mounir Hahad and CISO Drew Simonis as they talk with Jack Rhysider of Darknet Diaries about trends in cybersecurity and how they work to keep Juniper and customers safe from threats now and in the future.
You’ll learn
What keeps Drew Simonis and his peers up at night
A real-life example that shows how complex it can be to avoid security breaches
What’s effective and what’s not when it comes to dealing with ransomware
Transcript
0:01 Hello, I'm Jack Rhysider, host of Darknet Diaries, an investigative cybercrime podcast. This is a recording of my live Twitter Spaces hosted with Drew Simonis and Mounir Hahad of Juniper Networks. Like this video if you're interested in more content like this, and tell us what you think on social media. You can find more from me at darknetdiaries.com or on Twitter, @darknetdiaries. Enjoy.
0:25 So, you know, something I think about a lot is: what does it take for us to be secure? Some stuff that kicks around in my head is, maybe it's the users. It's the users' fault; if the users were more, you know, smart, we'd all be more secure. But is that it? Maybe the police could do their job a little better. If they arrested all the cyber criminals, then we'd have no problems with security, right? But no, wait, maybe it's the vendors. If the vendors created secure products, then none of us would have any problems with security. Or you could look at it as the policy makers; they could do some things to make us all secure as well. And what I want to think about today is, you know, all of these people are the ones who help make us secure, and I specifically want to focus on vendors and policy makers today in this Space, because they're the ones who are staying ahead of emerging threats and keeping their ears to the ground, listening for what's coming out. And, you know, the threat researchers are going to bubble that information up to the leaders, and those leaders might be in your company or government officials, and I think it's fascinating to look at how that particular aspect works. So in this Space with me here today is the Chief Information Security Officer and the head of threat research from Juniper Networks.

1:45 Now, just about me: you know, a lot of people know me from the podcast Darknet Diaries, but to make that I have to know a lot about IT and security threats. That's not something that I do the research on myself; what I rely on are people who are researching this and security leaders in the space, and so that's what this Twitter Space is about. I'm going to be chatting with two security leaders from Juniper Networks. And with that said, I do want to make it clear that Juniper is sponsoring my time for hosting this event, and they're also sponsors of my podcast. But when they asked me to do this I was really excited about it, because I have actually been a security engineer before I was a podcaster, and so my hands were in firewalls a lot, specifically in Juniper firewalls, SRXs, and I even got some Juniper certs like the JNCIS-SEC. But if you're not aware of what Juniper is, they help organizations build threat-aware networks to keep attackers at bay so that business-critical traffic can travel across the wire properly, and they do this by making firewalls, cloud solutions, management tools, and their aim is to secure every point of connection, from client to cloud. And it's amazing for me to look at where I've come, because there was a time when I was an engineer and I actually took a trip to Sunnyvale and drove to Juniper's offices in Silicon Valley and just stood outside their buildings gazing at the size of them, and now here I am with my own vanity URL on their website. juniper.net/darknet resolves; it was made just for me, and now I get to interview their CSO. So I just never expected this in a million years, and I'm just honored to be part of it.

3:33 So with that bit of intro out of the way, I want to introduce my two guests: Drew Simonis, Chief Information Security Officer of Juniper Networks, and Mounir Hahad, head of Juniper Threat Labs, which is the independent research arm of Juniper. And by the way, this Space is being recorded, and you'll find those links in my Twitter account after the event. So Drew, Mounir, thank you for joining me today.

3:59 Thank you for having us.

3:59 Hey, good morning, very excited to be here.

4:05 So let's start out with just hearing more about your roles. What is it like being the CSO, and also working in threat intelligence, today?
4:16 Well, I would say from the perspective of being a CSO, we've faced a tremendous evolution in the role over just the last couple of years. As companies are doing more and more with digital transformation, as technology is more important not just to the economy but to society as a whole, you know, the bad actors out there are finding ways to take advantage of our reliance on this technology, and so our domain, the securing of that technology, has really risen to the fore in a way that we've long expected, I guess, but maybe weren't quite as ready for, based on what you see in the world today, you know, with a lot of exposure. A lot of compromise is still occurring. So it's very high intensity, very high pressure, and the challenge is significant. You know, we always are striving for more resources, we're always striving for more mind share, trying to get the attention from the right people in the right places, trying to leverage services like what Mounir helps to deliver. And the reality is that we have to have a good understanding of the adversary, their capabilities, their intent, and how that intertwines with our own operations. So what do we have that they are likely to want? Do we have the controls in place that they are likely to be blocked by? And so, you know, it's a constant battle as evolution occurs both in the business process and in the technology landscape and in the attacker's capabilities and desires. So fast paced, fast moving, a lot of pressure, I guess, would be the sum of that.
6:13 I concur with that. I mean, Drew definitely has the hot seat on this one. So while Drew is kind of focused on securing Juniper's cyber assets, my role is to try to protect all of our customers, and that's including Drew, by the way, who is honestly one of my favorite customers. And he's my favorite customer because he's just a text message away, and he gives me access to all the data I need. Sometimes, you know, I can't just go to our customers at random and just say, hey, could you please give me access to your whole network because I need to investigate something or validate some theory. I can't do that, but with Drew I can. See, the one thing that people don't realize is that Drew has carte blanche to go and provide himself with any kind of tool capabilities he can get from anywhere he wants. He's not bound to using Juniper products, but he does, and he keeps me in check, because he goes, you know what, Mounir, if your product's efficacy drops, I'm dropping you too and I'm gonna buy something else from someplace else. Fortunately that hasn't happened, and, you know, it's a great relationship to have with Drew, and that helps me a lot because it gives me real-time data from an actual large company's traffic, and it kind of gives me a model to work with when we're looking at the threats, the defensive methods that we put in place, and thinking about what's next to come. So I really appreciate that collaboration that I have with Drew.

7:38 And Mounir, you work with Juniper Threat Labs. How does that operate?

7:44 Well, you know, Juniper Threat Labs is actually a combination of three things, which is not typical in this industry. You look at a lot of different companies; they would have threat research separate, product development separate, etc. I have the advantage of having all three things under one roof. The first one is just the threat research, which is kind of the awareness and being able to see what's happening out there in the wild, making sure we're ready for cyber attacks, making sure our customers are protected. That's one. The second one is just the development team. So I have a development team dedicated to building the detection methods that go into our products, whether they're on premises or in the cloud or anywhere in between, it doesn't matter. So I own the efficacy of that detection technology. And the third one, and it's definitely not the least, we have the security operations team that's constantly monitoring what's happening with our own detections across our customers' telemetry. And the idea behind it is we're here to monitor for things that, you know, either spike, or things that are unusual, or things that honestly we might have missed, and that information is fed back into either the development team, especially when it comes to things like machine learning, you know, we build models, those models tend to fluctuate over time, so we have to keep an eye on that, and it also goes back to research. You know, sometimes we hear about something that we just haven't thought about in the past, so it goes back to the research team, and we have to figure out proofs of concept: what did we miss, how can we make it better, how can we block it right away, how can we future-proof it. So this is like the three-pronged approach to doing work within Threat Labs.

9:26 Very interesting. So Drew, you know, being the CSO, it sounds nerve-wracking to me, kind of like a new parent, where you just don't know if you're doing enough to keep everyone safe, right? It's just like, ah, am I doing enough? And there's always something in the back of your head, and it's hard to sleep as a new parent. What keeps you up at night as a CSO, or what's top of mind for some of your peers?
9:58 Oh, it's a good comparison. Well, everything keeps me up. My peer group, myself, we're nervous people, very anxious, I think, because we have 10, 20, 30, 40,000 children, and all of them are often doing things that they ought not to be doing, and so we have to worry about the decisions of a large group, a very large family. And so, you know, we have to do that in an environment where there's more and more scrutiny: customer scrutiny, executive scrutiny, board member scrutiny, regulator scrutiny, shareholder scrutiny. Like, everybody is paying attention to what we're doing these days, and that adds to the pressure, you know. And so you're right, you've got to be comfortable that the decisions that you are making are the best decisions that you can make given all of the uncertainty that you face. I think that's probably one of the key things that differentiates the CISO from maybe a security practitioner who's maybe not so seasoned, or is aspiring, right, to be seasoned: it's living in that comfortable gray area that you described, and being able to go home at night and know that it might be a wrong decision, but given what you had in front of you, it was the best you could make. But if you're asking sort of what are the key things besides that, I think the challenges that I face are around talent, first and foremost. You've got to have the right people on the bus, and you've got to be able to hire people and retain those people and keep them engaged, and that's difficult. All those things are difficult, because, you know, take all the complexities of COVID and working from home and add on to that this ever-changing technology landscape I alluded to earlier and the pressures of the role, so it's a burnout factory for a lot of people, and that's a shame, and we work really hard to alleviate that pressure. Prioritization, to the point you made: did I make the right decisions? Do I have the right insight to make those decisions, or do I avoid analysis paralysis so I can make a decision without having a complete view of the landscape? That's an important one too. And then execution. You know, so I've got the right people, I'm focused on the right things, I'm prioritizing the right areas; am I executing fast enough and to the right quality to be in front of the adversary and to really be solving the problems before they creep up and damage the business's ability to be successful? So I think those are the three things: talent, prioritization, execution would be the things I'd worry about most.

12:49 For anyone just joining us, welcome, have a seat, please stay. I'm having a conversation with Drew and Mounir from Juniper Networks. Drew is their Chief Information Security Officer and Mounir is the head of Juniper Threat Labs, and this Space is being recorded in case you missed something. Gentlemen, this is a question I got from a follower: what's the stupidest thing that has caused a problem or a breach? And maybe Drew, I'd like to hear from you first.
13:16 Well, you know, not the stupidest, but I think it's illustrative of how complex avoiding breaches really can be. It's a silly story, but at a prior job, I won't say where or when, we had an executive who essentially phished himself. And the story is that, as you may or may not know, executives have a lot of emails sent out from them but not by them. And so this individual went into their mailbox, saw a message from them, and said, you know, oh, I wonder what I'm talking about today, like, what interesting topic am I endorsing or supporting across the company, and followed the links to see. And lo and behold, it was a phishing message, spear-phished to him, or something along those lines. And so, you know, he saw the silliness in it, but I think that the real illustrative part is that it is difficult; even, like, you can fall for a message that you know is fake, or not necessarily from you. And as the attackers get better and better at what they're doing, it is increasingly difficult for people to spot genuine phishing messages, or sorry, genuine email messages from phishing messages, or genuine websites from impersonating websites. And so in that story is the kernel of: it's really hard for everybody to not fall victim to some of these very sophisticated attacks that are increasingly easy for people to pull off.

14:46 Yeah, Drew, it's funny, as you're saying this, it reminds me of another very similar story, and maybe this one is even funnier, because I know somebody who was actually part of building a campaign within their own organization, you know, the anti-phishing campaign. So this is one of those educational things that companies do: they send you an email once a quarter or something, and, you know, they make sure that you're not clicking on the wrong links. So this particular person was part of the team that was putting together the campaign, and they were constantly complaining that, hey, past campaigns are so easy to spot, let's make it a little bit more realistic. And sure enough, they wanted to give it a go, and they built that messaging, and the day before the campaign he actually received an email saying, hey, tomorrow we're sending the campaign, be on alert, you know, let's see what happens. The very next day, unfortunately, because of various circumstances, he personally fell for it. Unbelievably, you know, it's one of the things I remember he was telling me, that he looked at it on his phone instead of on his desktop client. And, you know, on your phone certain things disappear: like, you don't see the email of the person, you just see a name; the links are relatively difficult to see; even if you see something in there, you have to know that you need to do a long press and wait for it, and then you see a preview. And all kinds of things go wrong on a phone, so he actually fell for it because of the circumstances. I guess this kind of drives the point that many attacks are actually very easy to spot. Fortunately, a lot of these people sending phishing emails do not understand or speak English very well, but some of them can get really, really sophisticated, and it's very hard to see. And I have to admit there's one thing I personally do not like in what we're doing about it these days. You see a lot of these URL rewrites, for example, where, you know, certain security tools, email security tools, would tend to replace an actual URL with another URL that goes through some pre-processing before it lets you through. Now, for probably more than 90 percent of people that's a great thing to have, but for some of us who understand how to look at a link, it's annoying, to be honest. It also circumvents the training we've been giving people for years, right, that you look at the link and decipher it. And now we're relying on technology rather than the training, and I don't know which one is better. I guess, you know, 90 percent of the time that's the right call; I think we should rely on technology a little bit more than people. I'm just personally annoyed because I would prefer to rely on myself, even though, I mean, looking at the URL may not necessarily be the end-all be-all.

17:43 Well, that's right. With the way the attacks are evolving, you know, you can be sent, and there's, what, frames on frames, and so you're going to what you think is a real site, and it may in fact be that real site, or the real site's been compromised, so it's more like a watering hole attack. So the attackers are always one step ahead of us in terms of circumventing everything we do, everything we've trained people, and then they're like, well, I'll just take this and switch it by five degrees, and now everything you did needs to be redone. That's the fun part of our job, I think, keeping up with that.

18:19 Who would have thought they'd get us through CAPTCHAs before we get to a phishing site?
18:25 Yeah, it makes me wonder. We put all these, you know, major security checks in place, and then it just gets circumvented. Sometimes it just seems all for naught, because there's just an easy way around it. So you've got your finger on the pulse of pretty much what's going on in the threat landscape today. What are you seeing as some of these big trends or major attacks that you've been seeing in the last year that businesses should be worried about?

18:58 You know, because I look at customers across the spectrum, it's actually hard to believe that people are not gonna have their own opinions as to what bubbles up to the surface. I can tell you, look, I'm seeing a trend here, but for some vertical that's not going to be the trend for them; it's something else that they're worried about. So, for example, if you're in the defense industrial base, you're probably thinking industrial espionage is trending up, but if you're in the energy sector or critical infrastructure, you're probably more worried about acts of sabotage that are trending up. But one thing everybody will agree on is that ransomware has become the threat to counter. You know, we used to deal with ransomware just like a one-off, but now it's really commoditizing; it's become a service. I don't know, I don't want to go too much into parallels, but if you remember, mail spamming used to be like that as well. It started by being the work of one person having to do everything, from building mailing lists, building mailer bots, and identifying open relays, etc., etc., to the point where every piece has been outsourced: you would buy the mailing list from someone, you would lease a botnet from somebody else, and maybe purchase an exploit kit if you're looking at infiltration. So the same thing is happening with ransomware, and it's making it more of a business than anything else. You will buy a target list from somebody if you're interested in a particular vertical; somebody else will actually put together the infection chain for you; and you don't even have to handle customer support, somebody else will do it for you, and same thing for the payment. And in all of that, the attacker that you're trying to protect against is hidden behind layers and layers of human shields. So that's kind of what I'm seeing as a big trend, especially that you're not dealing with just somebody who's encrypting your data. I mean, we kept telling people, back up data, put it offline, but these days the exfiltration business, with people taking away your data, has made it a little bit more difficult to counter. And the latest trend is really about going after the victims. I don't know if you've heard about that; what is it, like a mental health hospital, I think somewhere in Europe. Not only did they encrypt all the data for people that were there, but because it was readily available in clear text, they exfiltrated it and they started going after the patients themselves. I mean, imagine, they were basically telling them, hey, here's the transcript of all your conversations with your therapist; you either pay us 200 euros or we're going to publish this online. That's really a terrifying trend. Yeah.

21:44 Well, I was going to say that, you know, to Mounir's point, sorry, Jack, when you hear about these things, even the way people speak about this these days is very service-like and industrialized. When people talk about the second- and third-order ransomware extortion vehicles, you know, they speak of them as features, like nine out of ten ransomware packages have these features supported, right? So it's so much like buying a... just imagine, like, you don't have to have technical skill anymore; you just have to have a credit card and the desire to make, what, ridiculous amounts of money. I think there was a report the other day that the Bitcoin wallet for one of these big ransomware things was leaked, and it had billions of dollars in Bitcoin in it. So this is not like, I'm going to make a couple grand; this is potentially, for these criminal gangs, I'm going to make a few billion dollars. Yes.

22:45 So, Mounir, you can see kind of these attacks happening, but Drew, you've got this vision into how organizations are responding to these kinds of attacks, and how do you think they're doing? What's been effective and what's ineffective at dealing with ransomware?

23:01 Well, it is an area where we could do a lot better as an industry. The reality that I see is that people tend to be solving yesterday's problems tomorrow. There's still not the level of executive buy-in across the corporate world that we need to have, and threat intelligence is valuable, but not everyone's consuming it, and the threat intelligence is not yet at a level of sophistication where we can get really accurate future predictions. Team that up with what you were talking about, where our controls sort of can be so easily circumvented, and that's another reality, right? I mean, people will choose how to behave, and their adversaries will understand how they're making those choices. Easy example is CVSS scores for vulnerabilities: many companies prioritize 7 and up because those are critical risk. Well, recently attackers have been starting to weaponize 3 and down because they think nobody's paying attention to those patches, and maybe they're right. So there's always this reactive nature that we really need to find a way. Like, right now the best we hope to do is react fast: automation, orchestration, we look at that, we're like, okay, let's bend the curves down to seconds and minutes rather than days and weeks. But the real, I guess, ambitious goal is: how can we get in front of those threats, so instead of yesterday's problems tomorrow, we're solving tomorrow's problems today. That's something we really need to be working on getting better about as an industry.
24:44 You know, I'm really curious on what your thoughts are on open source software in the enterprise. I mean, we had the Heartbleed bug in 2014, which was a major vulnerability in OpenSSL, and this year we had Log4j, which is another major vulnerability in open source software. Now, open source is usually made by volunteers, and they put their code out there for free for anyone to download. And this is a question either of you can answer, but how do you feel about taking this volunteer-driven free software and using it in the enterprise?

25:16 Yeah, I'll take a first step at this, Drew, because my team does actually use open source software. You know, I think that question of whether we should or should not be using open source software, that ship has sailed. Everybody's doing it, and I don't think there is any way of going back, because there's just no point in reinventing the wheel. No matter what you think, we're still in a chase between the good guys and the bad guys in this space, so the faster you can turn around a new detection method, the better you are protecting all your customers, and therefore reusing what's already out there is an absolute must. Now, you have to understand, though, that when it comes to using open source software, it comes with strings attached, and these are not necessarily the licenses. What I'm talking about here is your ability to buffer that software update and be able to patch it in a heartbeat. Because what do we usually see? Open source software is out there being used by millions of people; next thing you know there's some sort of supply chain type of vulnerability, and they get in there, they put a bad update, and if you've automated downloading this update from GitHub, then you're probably in a lot of trouble. So you need to make sure that you're not making these kinds of mistakes and you're doing some sort of due diligence, and you have a process by which you have your finger on the pulse on what is being discovered around those packages. Now, if you're any company of a decent size, you probably have hundreds, literally hundreds, of open source packages that you're using in your own product, so keeping an eye on them is not something that you can do manually. You have to have in place some sort of a method and a system that keeps track of what's being talked about regarding those packages, and be ready to patch.

27:18 I think it was fascinating when Log4j came out. I think some of the quicker ones to patch were video game companies that were using it, and some of the slower ones to patch were deeply embedded tools, like IT tools and stuff that have, you know, six layers down, and that's where the open source software is, and to fix or update that, nobody really remembers how that even got there. So yeah, I really agree that if you're going to be using this, you have to be able to update it in there. Drew, I see some of these organizations using threat intelligence feeds, and we're going to switch to threat intelligence feeds for a second. So what a threat intelligence feed is, it's typically a list of IPs or domains that are kind of a list of bad actors and what they've done, and you can use this list to compare it to the traffic going on in your network to see if it's malicious or not. But the thing that I can't figure out is, when is a company ready to implement a threat intelligence feed?
28:30 Well, it really comes down to what you want to get out of it. You said something really key in that question: what they have done. So these kinds of feeds are all retrospective. They're certainly valuable, right? You don't want to be caught victim to something that is well known and where you should be having your guard up a little bit more. So integrating those, and, you know, sometimes they're hashes for files, sometimes they're, like you said, block lists, sometimes there are other types of indicators, but you've got a lot of ability in your technology these days to ingest those, almost like sort of custom signatures for intrusion detection and prevention systems, or on your desktop, or whatever. As far as organizational readiness, it to me comes down more to maturity of the list and maturity of the tool set. How much do you trust those things, to rely on them to start blocking, you know, like, processes from starting or files from installing or whatever? If you have the confidence that you're not going to disable your business instead of the attacker, do you have a process to deal with bad things from a productivity perspective, should they occur? Those are some important considerations. But the reality that I see is that they have another use that is far more powerful, which is to help inform you about that potential future, back to my point about pivoting from solving retrospectively to being more proactive. Learn from those signatures and try to use that data set to drive an attacker perspective in your security organization. So this is how the attackers were behaving; maybe they got caught, like, maybe this domain's been taken down, I don't know, but how would we have been exposed to that? What would we have done if we were trying to prevent that? And use those things almost like exercises to drive your own control development and make sure that your monitoring footprint is established adequately so that you can see if your controls are breaking down or being broken down. That's a challenge, I think, for a lot of people, but it's a way that intelligence can be even more useful than just sort of blocking attacks from the past: it's informing us about what future attacks might look like and how they might show up in our own organization.
31:14 yeah that's true that also comes in the form of those threat intelligence reports right Drew that you guys can uh
31:19 can consume there are a number of uh companies out there that actually provide really rich um you know threat
31:26 intelligence reports but when it comes to feeds by the way whatever Drew said in terms of making a decision
31:33 he's not alone in making that decision and that's kind of a little bit my role to help all the CISOs out there to make
31:40 that decision a little bit for them sometimes to be honest um our products can ingest intelligence feeds that we
31:47 curate that we build sometimes and all our customers take advantage immediately
31:53 of that threat intelligence without them having to think about it twice but that whole problem of
32:00 understanding these threat intelligence feeds how can you use it safely and how you shouldn't be using it that kind of
32:06 falls on me and my team right because you have to know that threat feeds come in two flavors the
32:11 ones you understand and the ones you don't and what i mean by that is do you understand how it was put together
32:18 because having that information can inform you on how you could potentially use it if you take for
32:24 example like a feed that has a bunch of ip addresses that are supposed to be bad well what if one of those ip addresses
32:30 happens to host thousands of domains and that happens quite frequently as a matter of fact you
32:36 find one bad domain on one ip next thing you know that ip shows up in some some
32:41 threat feed what do you do with that you can't really block that ip you better not block that ip otherwise you're
32:46 blocking a whole bunch of other legitimate domains so that kind of information is is really
32:52 important but in general you know even myself as you know a head of Threat Labs i am not
32:59 alone in this um there's a number of organizations uh one of which we are
33:05 part of called Cyber Threat Alliance which is awesome at doing threat intel sharing and that means we're pretty much
33:13 leveling the playing field when it comes to threat intelligence a lot of the companies that are part of
33:18 this CTA alliance they decide to compete on products and services and capabilities but not on
33:25 threat intel that's way too important no no single one of us can defend
33:31 everybody against all threats but if we pool our resources together at least in
33:36 sharing threat intelligence then we have a better chance and by the way we do that on pretty much
33:41 on near real time basis and that's that's been great to be honest with you that's interesting
33:47 yeah there's a funny story my website darknetdiaries.com often gets blocked by some threat intel feeds
33:53 um not for having hacker content but because my hosting provider is known to serve ads and so it just gets added on
34:00 some ad block lists uh i guess this is an example of an open
34:06 source threat intelligence feed um and so yeah and so i guess Mounir what do you think about open source threat
34:12 intelligence feeds used in enterprise
34:17 well i would say the exact same thing you have to understand how they were built you have to know how it's built
34:23 if it's built using honeypots for example and the source ips that you find in there are the ips of
34:30 some scanners chances are you're going to block some legitimate software i've i've heard many times this story where
34:36 some company buys a tool to do internal scanning and next thing you know that
34:41 that particular tool gets blocked and they cannot do that job why because it showed up in some threat intelligence
34:48 feed whether it's open source or not is a different story but most of the time it happens to be
34:54 open source you have to understand how these feeds are built so that you can safely use them and the
35:00 key word is safely you cannot just shoot yourself in the foot just because you don't know where the intelligence came from so for me uh
35:08 part of studying the value and the uh the value add of a threat intelligence
35:14 feed when it's open source is specifically going into studying things like what is the popularity of each one
35:21 of the IPs in those feeds and that's actually a decent indication as to
35:26 how much trouble are you setting yourself up down the road if you decide to use that threat yeah it's it is funny
35:32 that you gotta you gotta look to see how it applies to you because i had a customer once that was sharing some
35:38 threat intel with us and um and i was looking at it and they're like yeah we're having a lot of trouble from
35:44 this one ip here it's it's really giving us a lot of problems and i look at it and it's a it's a private ip 192.168.20.20.
35:51 and i'm like well if we would have blindly added that into our threat intel and said oh block all this from you know
35:59 happening then we would have been in trouble yeah and and i do get similar questions
36:04 too you know sometimes our customers come to me and they're like hey we'd love to have this threat feed embedded
36:10 into your product you know i look at it i'm like there is no way i'm gonna i'm gonna approve that kind of a thing but
36:16 the comeback is look you really like it i'm gonna give you the option to add it to your own installation your own device
36:23 your own cloud but you're not going to impact everybody else with your decision you like it great use it but i'm not
36:29 going to be behind it Drew um i think a lot of people look at CISO as sort of the pinnacle of the
36:36 security field on how far you can go up the up the ranks do you look at it that way and um
36:43 how can you do you have any um suggestions on how people can reach that if that is your goal
36:51 yeah therapy love therapy i think
36:56 it certainly is the pinnacle of part of of the security story i mean just just
37:02 as any career field has a senior general manager uh a role right but i i really
37:09 think one of the wonderful things about security is that it's such a big tent career field like it's not a job right i
37:16 think that's first and foremost it's a career field uh with a lot of very specialized
37:22 disciplines some of which uh pay more i know penetration testers who make far
37:28 more than CISOs do and are in far more demand you know we're talking seven
37:33 figure plus individuals here that get to set their own hours and uh and really
37:39 pursue their own interests in terms of hacking and puzzle solving and and the
37:44 like so so you could say that that some of these people are at the pinnacle and and and that's true you know you've got
37:50 deeply technical jobs forensics analysts uh for example which
37:56 which have such specialized skills uh which could be at the pinnacle of of the
38:02 of the field so so on the technical side i think there's a lot of opportunity for different peaks uh and pinnacles to be
38:10 found on the administrative side you know you've got just as many opportunities for people
38:15 with soft skills who or who want to pursue a more person oriented
38:21 nature of the field whether that's awareness and training whether that's compliance whether that's risk
38:27 management um or or a number of other areas you know so
38:32 it doesn't have to just be i'm a technician and you see CISOs from both sides
38:38 you know some companies like a compliance background uh some companies like a technical and engineering and
38:43 architecture type background so there's opportunities to find your mastery of the domain or to
38:51 leverage your background to pursue a more general management type role
38:56 i would just say that if people want to pursue the CISO it shouldn't just be because of the
39:02 title it should be because they have a genuine interest in developing the talent and
39:08 dealing with the organizational change management and some of those more political dimensions of the job because
39:15 if you're just pursuing it because you think it's the highest on the wrong or highest rung on the ladder
39:21 you're going to fail because it is a very people-oriented role you've got to manage the talent and
39:28 the growth and provide opportunities for people and make sure that everybody is taking
39:33 advantage of those opportunities and and so it becomes in some way not even a security job
39:38 anymore because it is more of a general management job particularly the bigger your
39:44 organization gets the less time you spend making security decisions and the more
39:49 time you spend relying on your experts to make those decisions and your job is to make sure you've got the right experts in place so that's that's the
39:56 only caveat i'd say is that like any any senior role you know you you start moving away from the function and into
40:03 that general management domain and you still have to be fond of deprivation right true yeah you don't
40:11 mind if you have some bags under your eyes those are badges of honor i you know i i really like what you said
40:17 there but uh you know this thing is a career field it's not really uh it's not
40:23 really a job you know i i kind of uh i look at it even from a broader perspective for me cyber security is
40:29 really a calling first it's not an employment opportunity i i would make one simple exclusion out of that is the
40:35 offensive sidebar which is a little bit special but other than that uh you know yeah you can you can find people with a
40:42 ton of technical skills uh but that's not what you should be looking for it's talent that you're looking for because you need to have a
40:49 certain detective mindset and and and be able to persevere when when you're facing difficulties in analyzing
40:56 something i think for me that's that's key plus you know of course this space is moving so fast with
41:03 everything that's changing whether it's operating systems changes the applications coming on board
41:08 all the vulnerabilities that are out there the myriad of ways that an attacker can can put together a campaign
41:15 this means when you're looking for a career in this space you really have to be one of those
41:21 people who are constantly updating their skill set whether it's trainings go and attend conferences and etc
41:28 even getting some certifications but i wouldn't really pin it to oh you know i'm going to have some
41:33 certifications and i'm going to go up the ladder and i'm going to end up a CISO if that's your goal you're probably not
41:39 starting well that's really helpful thank you i think personally i think one of the most
41:44 important skills to have when dealing in the IT field is the ability to deal with a set of
41:51 unknowns and not being afraid um like like getting on the command line and
41:57 just be knowing like i don't know what command to type here i mean even a Google search sometimes it's like well
42:02 what can i put in here i don't know what i'm allowed to do what you're not and just being able to
42:08 fail at that screw that up but try again and realize like okay it's not so bad if
42:14 i mess up a command or two and having that comfortability of knowing that you're you're probably
42:20 going to fail but it's okay and knowing that you don't know what's going on and
42:25 that's okay too i think just being able to navigate that dark and scary place i think is probably a very important
42:32 skill that's not talked about as much that's true you definitely have to be
42:38 comfortable with that it's uh you know quite often we run into situations where we have to quickly assess a particular
42:44 threat like you know we hear like everybody else of things sometimes in the news sometimes it's in
42:50 closed channels you know like specific forums for cyber security professionals we hear about something
42:57 and you need to go and find out whether your particular products are vulnerable
43:02 and for me in particular i need to find out if our products are capable of detecting and blocking that particular
43:08 threat everybody seems to be talking about but nobody's giving you the details so you have to get in there you
43:14 have to figure out what application is involved maybe try to get your hand on a copy of that application try to
43:20 reproduce the scenario that you've barely heard about it's relatively difficult and you're
43:25 doing all of that under tremendous time pressures because every day or every
43:31 hour for that matter that you're not up to speed on what's happening these are potential attacks that are uh
43:38 going on out there and maybe customers would be unprotected against those attacks so yeah you're right we're not
43:44 gonna know everything that's impossible we have to be comfortable with just diving in
43:50 and getting things done all right uh drew i want one last question from you and uh
43:55 that is what's the from a CISO's perspective what are the three most critical
44:01 areas you think organizations should be focused on investing in today
44:07 oh so so for organizations i i think they they need to be fast right we
44:13 talked about the the aspirational goal of getting in front of the problems we're not there yet but we definitely
44:19 need to be working at machine speeds uh attackers are leveraging more and more
44:25 automation more and more intelligence you know when you're talking about these smart phishes a lot of these phishes are
44:30 built with AI that is studying your LinkedIn profile your resume your
44:36 posts on Facebook and so on and so forth and so super duper targeted and super effective as a result so we've got to be
44:43 uh just as sharp in terms of how we respond to these things so automation orchestration
44:50 um is is a key one i think organizations need to invest in metrics and reporting
44:55 as well uh we're moving more and more into a world of prove it uh show me and kind of uh less of blind faith
45:03 and ignorance really where where people didn't understand security enough to ask good questions now they're starting to
45:10 understand it and they want to see proof they want to see evidence and and i guess part and parcel to that
45:16 one would be uh culture uh integrity inclusion diversity um
45:22 i think that's really important because uh it is the decisions of thousands of people that we have to really protect
45:29 against not all of the attacks in fact many of the attacks that you see in the news started with an employee making a
45:37 mistake and so creating a culture where people recognize that they're responsible for
45:42 their decisions and their actions and that they're supported in making good decisions that's important and and
45:48 having uh that viewpoint i talked earlier about having the hacker's viewpoint um you're not gonna get a
45:55 diverse set of viewpoints if you don't have a diverse set of people in your organization and so having people with
46:00 different backgrounds from different cultures with different viewpoints is is really an important step towards being
46:08 able to see problems from different angles and the more angles we can see them from the more likely we are to see
46:14 a solution to that problem wow gentlemen this has been illuminating to me and helpful i hope it's been helpful to the
46:20 people listening too and everyone you should be following Drew and Mounir and Juniper because these are some leaders
46:26 in the space that i'm i'm following and picking uh lots of good information out of um so guys thanks for taking the time
46:34 with me to chat today but i want to end by just wrapping up some of the things i've learned from this
46:40 my biggest takeaway is that ransomware is still a major threat to businesses which is kind of surprising to me you
46:46 think we we'd have this wrapped up and cleaned up by now but nope it's um it's
46:51 you know criminals are incentivized and they're making money doing this so they're just going to keep doing it as long as it's paying them
46:57 the second takeaway is that open source software can have critical vulnerabilities but it
47:02 just needs to be important to be able to update it uh if it's in your environment and it's
47:08 in all of our environments there's no way of hiding it anymore or avoiding it
47:13 and the third takeaway i got out of this was uh companies can improve their as
47:19 they as they improve their security uh maturity they can implement um threat
47:24 intelligence feeds which can help them get even more eyes into what's going on in their
47:30 network it's kind of hard to see what's actually happening there but a threat intel feed can really help at a
47:36 certain level and i just want to remind everyone that this conversation was recorded and it's available on demand
47:42 as soon as this is over you'll see it on my Twitter account and you can also learn more about Juniper Threat Labs by visiting
47:50 threatlabs.juniper.net and if you like this and want me to do more events like this let me know this is the first time
47:56 but it doesn't need to be the last one and uh oh one last thing the other day i
48:01 was typing on my keyboard and out of nowhere one of the keys popped off and
48:06 that's the story of how i lost control alright everyone thanks for joining have
48:11 a great rest of your day thank you for having us thanks Jack it was great