WEBVTT

1
00:00:00.000 --> 00:00:17.280
Tom Field: Hi, there. I'm Tom Field. I'm senior vice president of editorial with Information Security Media Group. Taking a look at the Q4 cybersecurity outlook, I am joined today by Tom Kellermann. He is the newly appointed senior vice president of cyber strategy with Contrast Security. Tom, always a pleasure to see you. Congratulations on your new role.

2
00:00:17.640 --> 00:00:18.630
Tom Kellermann: Appreciate it, Tom.

3
00:00:19.980 --> 00:00:28.770
Tom Field: So let's start here. You recently joined Contrast Security about a month ago. What was the draw for you to this role? And how would you describe the mission?

4
00:00:28.000 --> 00:01:25.090
Tom Kellermann: Yeah, so VMware is a fantastic company. And Carbon Black was a fantastic experience. But I really wanted to work for an organization that was on the cutting edge - cutting edge specific to how offense can inform defense. And what I mean by that is, I saw a dramatic increase in application attacks and attacks against APIs, which adversaries have been using tile on top when I was at VMware, and I'm recognizing and appreciating, as you've heard me say for a long while now, that, essentially, the digital transformation of corporate America is being hijacked by attacks against the supply chains. These attacks are targeting not only software development, but integration and delivery infrastructure. And so given that I was always someone who was amazed by the work of the pioneer of OWASP, Jeff Williams, I came across Contrast and spoke to Jeff, and I realized that I wanted to be his right-hand man, and really help folks shift left of boom and allow themselves to defend in real time against application attacks.

5
00:01:25.420 --> 00:01:27.430
Tom Field: Really, the API is the new endpoint, right?

6
00:01:27.760 --> 00:01:48.430
Tom Kellermann: Yeah, that's a fact. And it's nothing new, for that matter. But I think there's too much trust placed in APIs, and there's too much trust placed into development environments, which really necessitate kind of continuous monitoring. One of the things I've always said is, you know, continuous monitoring must go beyond just production and operational environments, extending to development.

7
00:01:49.180 --> 00:01:53.200
Tom Field: If we thought people lacked visibility into their endpoints, how about their APIs?

8
00:01:53.600 --> 00:01:56.120
Tom Kellermann: Yeah, to say the least.

9
00:01:56.600 --> 00:02:01.730
Tom Field: Tom, what would you say you learned from your experience at Carbon Black, and then VMware after the acquisition?

10
00:02:01.000 --> 00:03:32.950
Tom Kellermann: So Carbon Black was an amazing ride. And really, I loved working for an organization that was singular, focused on one element of cybersecurity, and I love that. And then I was obviously blessed to be part of VMware through acquisition. But VMware had five priorities, cybersecurity being one of them. And I really needed to get back to that singular priority. But what was interesting about being at VMware, where they do take their own internal cybersecurity very seriously, and they have shown great commitment to things like the JCDC and others, is that the greatest concern for VMware, much like the greatest concern for most corporations should be, was the construct of island hopping. They didn't want their infrastructure to be used to attack their constituency in any way, shape, or form. And one of the biggest challenges that they and many other corporations face is, you know, the whole construct of rugged code and, frankly, you know, mean time to remediation is taking far too long. Because scanning is essentially ineffective, and so context has become paramount. And also, I think it's important that for me, as someone who's been in cybersecurity for 23 years now, I need to be part of a more nimble, smaller organization - from 40,000 to 450. It's really my sweet spot. I need to be able to move and focus on my customers and help the organization grow. And in my role here, it's really specific to creating the strategy and operationalizing the strategy for both the financial sector and the government sectors globally, for Contrast Security.

11
00:03:33.700 --> 00:03:35.620
Tom Field: Maybe a smaller team, but that's a huge mission.

12
00:03:36.590 --> 00:04:02.960
Tom Kellermann: It is a huge mystery, particularly when, you know, we have, I would say, you know, three of the top five financial institutions, two of the top five telcos, three of the top five healthcare providers, you know, two of the largest tech companies being customers of ours, and we have an obligation to them to not only improve our capabilities, but to be their trusted advisor as they deal with an onslaught of application attacks and API attacks.

13
00:04:03.110 --> 00:04:18.290
Tom Field: Now, speaking of which, we started this year, 2022, under the shadow of Log4j, which sprung on us right before Christmas last year. And here we are today. What concerns you most about the state of code security, as we sit here on the cusp of Q4?

14
00:04:19.500 --> 00:05:17.340
Tom Kellermann: You know, frankly, scanning is ineffective. There is insufficient context, insufficient ground truth. You know, application security must be continuous, at least running from inside the application itself, which allows you to see vulnerabilities without guessing, right? You need to be able to see vulnerabilities in development and directly measure them against attacks in production. And you must, frankly, treat every vulnerability as a potential attack. And also the velocity of change requires that you discover zero-days in libraries and frameworks as well. So you need to really kind of conduct continuous monitoring across those environments. And I think also we would be remiss to forget that we need to employ intelligent runtime protection. It's an imperative to eliminate entire classes of attacks so that your developers can really focus on what's important and be shielded from classes of attacks, as described by OWASP for years, that are still viable.

15
00:05:17.970 --> 00:05:23.730
Tom Field: We learned 10 months ago that most enterprises aren't prepared to do that. I don't think that they've gained great maturity overnight.

16
00:05:23.000 --> 00:06:07.340
Tom Kellermann: No, and obviously, you know, there's this whole regime change that's occurring. Obviously, developers have become much more important and critical to organizations, whether they hire themselves or they outsource that development process. But we need to understand also that, you know, geopolitical tension has reached a tipping point, and more and more nation-states and cybercrime cartels understand the ubiquity, the interdependencies of developers and development writ large. Which is why the last two years have really been the years of the zero-day, and which is why you're seeing more systemic attacks possible, like Log4j, which could have been prevented had you been able to protect in runtime.

17
00:06:08.030 --> 00:06:20.510
Tom Field: Geopolitical tension - Tom, right after the start of the year, Russia attacked Ukraine. What would you say we've learned about cybersecurity offense in wartime? It's the first time we've seen it on such a stage.

18
00:06:20.000 --> 00:07:59.930
Tom Kellermann: It is, and you know, it began January 13, where the DEV family of destructive payloads was unleashed against the world. And as a result, you really saw unprecedented information sharing by the Five Eyes, correspondingly through the JCDC, to batten down the hatches and defend against these pernicious attacks, whether it's the disruptive payloads that are being unleashed, or the new forms of botnets that are being used as platforms to distribute those payloads. And just recently, Noberus, as discovered by Broadcom, was unleashed against the world. Quite interesting, purposely built in Rust, to go after critical infrastructure, using two different encryption algorithms and even four different encryption methodologies to obfuscate itself from defenders. And at the same time, you saw the sabre-rattling by Mr. Putin, vis-à-vis the threat of using nuclear weapons. And we need to understand that every time we see that type of sabre-rattling, there's a direct cyber manifestation of that. And frankly, just yesterday, the Ukrainian warning about attacks against critical infrastructure in the West, and then it's obvious that the Russians have sabotaged the gas pipeline to Europe within the last 36 hours. I think that we're going to see a dramatic escalation as Russia's gloves are off, and whether or not they use a tactical nuke, they will attempt to use a tactical nuke in cyberspace; that is my perspective on this. And so we've been lucky. It's been great, unprecedented information sharing, tremendous leadership across the Five Eyes, both from the U.S. to the U.K., etc. But we need to keep our guard up.

19
00:07:59.000 --> 00:08:09.230
Tom Field: Now, you made me think of that old video that they play of the NFL coach saying they are who we thought they were. Is Russia who we thought they were?

20
00:08:10.890 --> 00:09:14.280
Tom Kellermann: Yes. I don't think they were expecting the level of coordination. I don't think they were expecting the implicit information sharing and the forward-leaning defensive posture of NATO and the Five Eyes. I also think they underestimated the capacity of the Ukrainian cyber defenders to defend themselves, to maintain resiliency against the attacks. And I think they underestimated Cyber Command and her NATO allies' capabilities as it relates to disrupting their efforts, disrupting their forums, disrupting the ephemeral trust that exists between cybercrime cartels and cyber spies. Now that they've recognized that, I think they've learned to appreciate that, and their OpSec is getting better. But still, we're not the ones launching destructive attacks against them. And for that matter, perhaps, if a significant systemic destructive attack is successful against critical infrastructures in the U.S., Cyber Command should probably take its gloves off.

21
00:09:15.330 --> 00:09:19.950
Tom Field: Okay, we talked about offense. What have we learned from Ukraine and its cyber defenders?

22
00:09:21.490 --> 00:10:06.310
Tom Kellermann: Yes, like I just said, they've been incredibly resilient. They've benefited dramatically from intelligence provided by NATO and the Five Eyes. They've done a great job of defense in depth, suppressing intrusions in real time, and really putting pressure and pain on the operational security of the cyber warriors of Russia. That being said, you know, they're short-staffed, under siege. And they're operating in a war zone, primarily. So they can only hold up for so long, I would say, particularly when you're seeing much more cooperation and collaboration, and even distribution of traditional weaponry from China and Iran to Russia. It's inevitable that will correspond into cyberspace as well.

23
00:10:07.260 --> 00:10:23.910
Tom Field: So we're 10 minutes into this conversation. I believe we haven't talked about ransomware yet, I don't think we've talked about China, haven't talked too much about software supply chain security. As we do head into this last quarter of 2022, what are the cyberthreats and the threat actors that give you the most concern?

24
00:10:23.000 --> 00:11:29.390
Tom Kellermann: Yeah, the threat actors, specifically Sandworm, APT28, APT41. Most concerning to me is Sandworm and APT28. Sandworm because of their desire, and because of the historical precedents they've set with launching disruptive payloads and attacks. APT28 because of their desire and the nature in which they island hop, and they could distribute destructive attacks from compromised environments, compromised applications, etc. APT41 because they're wicked good. And they also appreciate island hopping, and they may already be in systems; you've got to root them out. In terms of attacks, you know, I predict two phenomena of concern. I think another untrusted deserialization vulnerability will be introduced to the world, which will have everyone essentially putting out a forest fire that's been set by whatever rogue nation-state unleashed that arsonist, and then I think a major public cloud will be compromised, and as a result, a rogue nation-state will systemically island hop through that environment and deliver wiper payloads against the constituency of those environments.

25
00:11:25.580 --> 00:11:33.710
Tom Field: We've talked about code security. Where do you see our biggest defensive gaps?

26
00:11:35.480 --> 00:12:37.310
Tom Kellermann: Well, I think there's too much emphasis on SBOMs, frankly. They're important, it's important to know what's in the code, I get it. But there is not enough import or focus on the capacity to intelligently provide runtime protection. Runtime protection is here to stay. Forget the issues with latency, particularly as it relates to .NET environments, Java environments, Node environments, etc. You need to appreciate that you can stop entire classes of attacks. And if you want to solve for attacks like untrusted deserialization, there's only one way to solve for that. In addition to that, again, I think I would just bring it back to continuous monitoring - continuous monitoring must be occurring, obviously, in perpetuity in those development environments. And we need to reduce MTTR - mean time to remediation. Right now, on average, you know, it's in the weeks; we need to get to less than a week, at a minimum, and hopefully within 48 hours, because the velocity of change really requires that you discover those zero-days in both libraries and frameworks.

27
00:12:37.610 --> 00:12:41.090
Tom Field: Sounds like you're not a fan of nutritional labels when there's poison in the container.

28
00:12:41.780 --> 00:12:57.260
Tom Kellermann: You know, well said. Good joke, Tom. You know, it's important to have nutritional labels, but something must be done with it, you know, remediation - the vulnerability must be remediated, frankly. Don't just tell me it exists because you've included the ingredients.

29
00:12:58.250 --> 00:13:08.450
Tom Field: Tom, we're approaching the Biden midterm. I suppose you've heard that in Colorado. How would you say this administration has fared in prioritizing cybersecurity? They certainly garnered headlines.

30
00:13:09.470 --> 00:13:40.430
Tom Kellermann: Yeah, you know, compared to previous administrations, I give them an A minus. And I think there's fantastic leadership. I think there are still challenges with resources and specific authorities. But they've been fantastic. And I tip my hat to their efforts. And I just hope that they're given greater authority and greater resources to really enhance the economic and national security of the U.S. and empower our allies to fight the fight with those four rogue nation-states, as we are dealing with a cyber insurgency.

31
00:13:40.880 --> 00:13:46.130
Tom Field: Now that's the second part of it. How do you counsel this administration to proceed in these next two years? And I know you get that opportunity.

32
00:13:46.870 --> 00:14:49.870
Tom Kellermann: Allow Cyber Command to proportionately take its gloves off in response to destructive cyberattacks or attacks against, you know, under Geneva Accords, industries that will be rendered off limits from attacks, like health care, etc. Really empower the federal government to mandate and provide resources to state and local governments as it relates to their cybersecurity postures. When there's a lack of resources, really lean in on follow the money and forfeiture, improving forfeiture laws and anti-money laundering laws to forfeit the virtual currencies associated with cybercrime, cyber espionage and child pornography, and use those funds explicitly for critical infrastructure protection in the U.S. from cyberattack. And then most importantly, do more. Yes, challenge the industry more. Challenge the industry really beyond SBOMs to instrument continuous application security testing, to instrument runtime protection in those things that they've developed that could become a systemic threat if compromised by these nation-states.

33
00:14:50.560 --> 00:15:00.130
Tom Field: Tom, two years ago was SolarWinds at the holidays. Last year was Log4j. As you're watching us head toward this 2022 holiday season, what do you look out for?

34
00:15:01.750 --> 00:15:51.520
Tom Kellermann: Yeah, like I said, Log4j part two, part three, it's inevitable that's going to occur any day now. That type of attack is something that could be widely systemic and create systemic cascading effects across our infrastructure. But again, more to my point that I raised earlier, I have serious concerns about public cloud security, I have serious concerns about serverless security. I have serious concerns about what an adversary could do, not just breaking into those types of environments, but misusing those environments, those platforms, to attack their constituencies with destructive payloads. And so we need to pay close attention to that. We need to do much more in the area of serverless security, and we need much more in the area of anticipation of that type of attack, that type of island hop from the cloud.

35
00:15:51.910 --> 00:15:56.560
Tom Field: How will you be spending your time between the financial services sector and the public sector?

36
00:15:56.000 --> 00:16:26.540
Tom Kellermann: So I'm laser-focused on developing the strategies for both sectors globally and how we will interact with the sectors, how we will assist those sectors, how we would share information with those sectors, not limited to just, you know, go-to-market, but more importantly, with the regulators, or interactions with the standards bodies, also how we're supporting our clients in both of those sectors, how we're empowering them with visibility and ground truth, and newfangled means to protect themselves from a surge of application attacks and API attacks.

37
00:16:26.850 --> 00:16:28.710
Tom Field: Sounds like we can see a lot more of you in DC.

38
00:16:29.620 --> 00:16:34.600
Tom Kellermann: I hope to, it is my hometown. It's been a long time. I need to get back there ASAP.

39
00:16:34.840 --> 00:16:37.180
Tom Field: You'll be back there playing volleyball on the Mall before long.

40
00:16:37.660 --> 00:16:39.070
Tom Kellermann: Please, I hope so.

41
00:16:40.660 --> 00:16:43.330
Tom Field: Tom, pleasure to catch up, and I look forward to seeing you again one day soon.

42
00:16:43.900 --> 00:16:44.950
Tom Kellermann: Thank you so much for having me.

43
00:16:45.790 --> 00:16:55.630
Tom Field: Again, we've been talking to Tom Kellermann. He is senior vice president of cyber strategy with Contrast Security. For Information Security Media Group, I'm Tom Field. Thank you for giving us your time and attention.