WEBVTT

1
00:00:00.330 --> 00:00:04.800
Anna Delaney: Hello, I'm Anna Delaney, director of productions at Information Security Media Group.

2
00:00:05.520 --> 00:00:11.220
As organizations around the world move into the next phase of remote work, the hybrid model, what

3
00:00:11.220 --> 00:00:16.590
are the security red flags to be aware of? Well, with me today to share advice to heads of security

4
00:00:16.620 --> 00:00:21.510
on how they should reassess their security infrastructure in these times is former CISO of

5
00:00:21.510 --> 00:00:27.510
the NSA, Chris Kubic, who is now CISO of cybersecurity firm Fidelis. Thanks for joining me,

6
00:00:27.510 --> 00:00:28.020
Chris.

7
00:00:28.860 --> 00:00:30.270
Chris Kubic: Morning. How are you today?

8
00:00:30.570 --> 00:00:34.680
Anna Delaney: Very good. So Chris, tell us about your role at Fidelis.

9
00:00:36.010 --> 00:00:39.730
Chris Kubic: Well, I have a couple of different roles. You know, obviously as

10
00:00:39.730 --> 00:00:45.790
a CISO, I'm responsible for the internal security of our networks at Fidelis, really just

11
00:00:45.790 --> 00:00:51.700
assessing the security of our products and helping the team to grow, particularly with the background

12
00:00:51.700 --> 00:00:58.570
that I have. I have a lot of good insights into cybersecurity. So I work on that as well as

13
00:00:59.380 --> 00:01:04.030
spend quite a bit of my time just working customer outreach types of things, working

14
00:01:04.030 --> 00:01:09.760
with our sales teams, with some of our customers on their security architectures.

15
00:01:10.740 --> 00:01:14.640
Anna Delaney: And so in what ways do you draw on your former experience at the NSA in your current

16
00:01:14.640 --> 00:01:15.060
role?

17
00:01:16.290 --> 00:01:20.820
Chris Kubic: Well, it's very easy to draw on and actually, you know, what I found is, you know,

18
00:01:20.820 --> 00:01:26.700
working at a large government agency is not that unlike working for a large corporation, you know,

19
00:01:26.700 --> 00:01:33.240
the same kinds of challenges, particularly when it comes to cybersecurity, you know, large,

20
00:01:33.240 --> 00:01:39.810
complex enterprise infrastructures and, you know, I think a lot of the commercial industry is

21
00:01:39.810 --> 00:01:44.220
struggling with a lot of things we struggled with in the government: how do you sort of

22
00:01:44.250 --> 00:01:49.140
have overall visibility of everything that you're responsible for from a cybersecurity standpoint,

23
00:01:49.140 --> 00:01:55.890
and how do you effectively manage that network from a security standpoint and, you know, keep the

24
00:01:55.890 --> 00:02:02.760
security up to date and be able to detect, you know, attacks against that infrastructure. So

25
00:02:02.760 --> 00:02:08.010
it's really not a whole lot different. Certainly, working in the government, just from a cultural

26
00:02:08.250 --> 00:02:11.760
bureaucracy standpoint, is a little different than commercial industry, things tend to move a lot

27
00:02:11.760 --> 00:02:15.810
quicker in commercial industry, but I think the challenges are largely the same.

28
00:02:16.860 --> 00:02:21.390
Anna Delaney: So Chris, we're entering this new phase of remote working, this hybrid model. What

29
00:02:21.390 --> 00:02:25.500
are the new threats that this hybrid model poses for organizations?

30
00:02:26.920 --> 00:02:31.150
Chris Kubic: Well, I think there's a, you know, a couple of challenges when we move in the hybrid

31
00:02:31.150 --> 00:02:35.260
model. And just to be clear, you know, what we're talking about there is, you

32
00:02:35.260 --> 00:02:44.650
know, we, you know, rushed to get a lot of capabilities in place when the COVID-19 virus

33
00:02:44.650 --> 00:02:50.800
started taking effect and, you know, moved to work at home. For hybrid, you know, I see that we're

34
00:02:50.800 --> 00:02:56.230
going to continue to be working at home largely, you know, into next year. But however, you know,

35
00:02:56.230 --> 00:03:00.580
some companies are starting to talk about return to the office. Some have started to return some of

36
00:03:00.580 --> 00:03:06.670
their employees to the office. And so this hybrid model is, you know, essentially, where you

37
00:03:06.670 --> 00:03:11.740
have, you know, part of your workforce in the office, probably a large portion of your workforce

38
00:03:11.740 --> 00:03:17.950
still working at home. And for the folks in the office, you know, it could be critical folks that

39
00:03:17.950 --> 00:03:22.030
need to be there every day that support operations, but more likely, it's kind of a

40
00:03:22.030 --> 00:03:27.880
rotating group of people, you know, coming and going into the office, you know, maybe they're

41
00:03:27.880 --> 00:03:33.010
working shifts or, you know, lots of different ways that you kind of divide up, but you know, the

42
00:03:33.010 --> 00:03:38.200
overall goal there is to reduce the population at the office in order to maintain social distancing.

43
00:03:39.220 --> 00:03:43.900
So I kind of view that most people will be rotating the employees in and out of the

44
00:03:43.900 --> 00:03:48.520
office, giving everybody an opportunity to come into the office if they choose. So I think the big

45
00:03:48.520 --> 00:03:54.580
challenge there is, and it kind of depends on what your work at home security architecture looks

46
00:03:54.580 --> 00:04:01.090
like. But you know, I think a lot of the larger corporations have sort of the traditional

47
00:04:01.090 --> 00:04:08.380
VPN-based security model where, you know, folks working at home have a corporate laptop, and, you

48
00:04:08.380 --> 00:04:12.130
know, certainly they'll be, you know, sort of traveling back and forth with that laptop into the

49
00:04:12.130 --> 00:04:16.750
office. So I think the new challenge there is you have, you know, you have devices that have

50
00:04:16.750 --> 00:04:22.420
been on work at home networks, you know, much more exposed to the internet than they are when they're

51
00:04:22.420 --> 00:04:28.300
in the corporate infrastructure. And so you're now bringing those potentially, you know, compromised

52
00:04:28.300 --> 00:04:32.530
devices and plugging them into your corporate network again, so I think people need to be

53
00:04:32.530 --> 00:04:38.920
prepared, you know, for some potential incidents there, and they need to ensure that they

54
00:04:38.920 --> 00:04:44.350
have, you know, good internal monitoring, some sort of, you know, network detection and response

55
00:04:44.350 --> 00:04:49.150
capability, so they can monitor the internal traffic of their network, because most security

56
00:04:49.150 --> 00:04:53.680
architectures are built to really monitor the traffic coming and going from the internet. And in

57
00:04:53.680 --> 00:04:58.600
this case, you basically have plugged in a device behind that internet boundary and could expose

58
00:04:58.600 --> 00:05:04.240
your corporate network. So I think that's the biggest challenge there. I think another challenge

59
00:05:04.270 --> 00:05:11.410
is, you know, particularly, you know, as folks have worked at home, a lot of the corporate data that

60
00:05:11.440 --> 00:05:17.320
probably sat in corporate repositories, you know, has now kind of migrated out to the endpoints for

61
00:05:17.320 --> 00:05:22.000
people working at home, so they can work offline, etc. So I think one of the challenges is how

62
00:05:22.000 --> 00:05:26.320
do you corral that data now and sort of get it back under the corporate controls that you had in

63
00:05:26.320 --> 00:05:31.660
place, ensure that you maintain that corporate record and that you're appropriately protecting

64
00:05:32.050 --> 00:05:38.470
your, you know, sensitive information, your intellectual property, etc. And then I think this

65
00:05:38.470 --> 00:05:44.290
is also another challenge is, you know, I don't see work at home going away anytime soon. So, you

66
00:05:44.290 --> 00:05:48.370
know, as I mentioned earlier, a lot of people rushed to get architectures in place for work at home

67
00:05:48.370 --> 00:05:53.950
expecting they were going to be there for a month or two. I think for the long haul, it's a good

68
00:05:53.950 --> 00:05:58.870
opportunity to kind of step back and reevaluate those work at home architectures to maybe

69
00:05:58.870 --> 00:06:04.810
reinforce them a bit and put in place a more robust architecture for the long haul, if that

70
00:06:04.810 --> 00:06:05.770
hasn't already been done.

71
00:06:06.839 --> 00:06:12.059
Anna Delaney: Well, on that point, what are the remote work security infrastructures that

72
00:06:12.059 --> 00:06:14.609
could be harmful to this new way of working?

73
00:06:16.850 --> 00:06:21.680
Chris Kubic: Well, maybe I'll flip that around a little bit and say what are kind of the

74
00:06:21.680 --> 00:06:28.970
important things for a work at home environment in order to secure it? And, you know, I think there's

75
00:06:28.970 --> 00:06:33.080
a lot of different architectures out there. So it's hard to say anything universally about, you

76
00:06:33.080 --> 00:06:37.190
know, what type of work at home architecture is in place, but, you know, I think they kind of

77
00:06:37.190 --> 00:06:43.640
fall into two major camps. You have one set of, you know, one architecture where you have a

78
00:06:43.670 --> 00:06:48.080
corporately-managed infrastructure. What I mean by that is your corporate IT team is managing the

79
00:06:48.080 --> 00:06:53.450
endpoints, whether those are, you know, laptops that you have deployed to your employees, whether that

80
00:06:53.450 --> 00:06:58.040
is a virtual desktop infrastructure that your corporate team manages that your remote employees

81
00:06:58.040 --> 00:07:02.870
are remoting into, but, you know, the bottom line there is it's corporately managed, it's monitored

82
00:07:02.870 --> 00:07:08.750
by your IT team, you can put in place, you know, endpoint, you know, security capabilities, you

83
00:07:08.750 --> 00:07:15.860
know, antivirus, antimalware, those types of things. And, more importantly, you have, you know,

84
00:07:15.860 --> 00:07:19.910
an experienced corporate IT team that can manage those devices; if there's a problem with the

85
00:07:19.910 --> 00:07:24.770
device, they can kind of reach out and understand what might be going on with that device

86
00:07:24.770 --> 00:07:29.210
and kind of bring it back into a secure state. But I think there were plenty of people that didn't

87
00:07:29.210 --> 00:07:33.500
have the luxury of putting that architecture into place. So they have architectures that are either

88
00:07:33.500 --> 00:07:39.080
using, you know, personally owned devices or mobile devices for their remote access for their

89
00:07:39.080 --> 00:07:44.240
employees. And for those folks, you know, that's much more challenging because you have

90
00:07:44.240 --> 00:07:50.510
no kind of control over those endpoint devices. And you're kind of relying on your work at home

91
00:07:50.510 --> 00:07:57.080
employees to secure that infrastructure, which can be quite challenging. So I think, you know,

92
00:07:57.230 --> 00:08:01.580
where you can, move to an architecture where you have corporately-managed devices so

93
00:08:01.580 --> 00:08:08.240
that you maintain that control and sort of insight into what's going on on those end devices. And

94
00:08:08.240 --> 00:08:11.240
particularly can protect that sensitive data that's out there.

95
00:08:13.310 --> 00:08:17.480
Anna Delaney: So you mentioned some of the challenges for CISOs, how can they get ahead of

96
00:08:17.480 --> 00:08:19.910
these new risks and manage the changes?

97
00:08:21.280 --> 00:08:27.490
Chris Kubic: Well, I think the good news is, you know, when COVID-19 initially hit, everybody was

98
00:08:27.490 --> 00:08:34.300
scrambling to put in place solutions. I mean, even for the companies that had work at home solutions

99
00:08:34.300 --> 00:08:40.720
for their, you know, sales force, etc., you know, remote employees. You know, even those folks

100
00:08:40.720 --> 00:08:44.260
probably didn't operate at the scale they needed to to support all employees. So everybody was

101
00:08:44.260 --> 00:08:49.840
scrambling to some extent to either scale up their existing architectures or, you know, the

102
00:08:49.840 --> 00:08:52.930
unfortunate folks were folks that didn't have anything in place at all, so they were scrambling

103
00:08:52.930 --> 00:08:59.680
to get something in place. So, you know, I think that the good news is, you know, I think that the

104
00:08:59.800 --> 00:09:04.120
return to the office is going to be a slow, gradual thing. So we have a little more time to be

105
00:09:04.510 --> 00:09:12.460
thoughtful as CISOs and kind of how to make sure, you know, how to do that securely. And, you know,

106
00:09:12.460 --> 00:09:17.320
it's not quite as much pressure to make the overnight changes that we had to make when

107
00:09:17.320 --> 00:09:22.780
COVID-19 initially hit. So I think it'll be a more gradual, more thoughtful kind of return to the

108
00:09:22.780 --> 00:09:23.350
office.

109
00:09:24.900 --> 00:09:29.550
Anna Delaney: Any tips for how they can get ahead and make use of that time? If it is

110
00:09:29.550 --> 00:09:32.490
gradual? What should they be prioritizing now?

111
00:09:32.840 --> 00:09:36.890
Chris Kubic: Yeah, so I think I already mentioned one of the key things and that is, you know, you

112
00:09:36.890 --> 00:09:40.880
need to be prepared for when people will start returning to the office and start, you know,

113
00:09:40.880 --> 00:09:47.030
bringing back those devices that were in kind of a hostile environment. You know, particularly for

114
00:09:47.030 --> 00:09:50.630
the folks that don't have a corporately-managed infrastructure, if you have folks that were

115
00:09:50.630 --> 00:09:55.250
working on personally owned devices, you know, they're going to want to return to the office and

116
00:09:55.250 --> 00:09:59.990
have access to all the data and files they've been working on over the last couple of months. So

117
00:10:00.020 --> 00:10:04.370
you're now bringing data off of personally owned devices, which, you know, has a higher risk of

118
00:10:04.370 --> 00:10:10.430
being malicious data. So how do you safely reintroduce that into your office environment? So

119
00:10:10.970 --> 00:10:14.450
I think that's where they, you know, kind of have the time and can get ahead of things is to

120
00:10:14.450 --> 00:10:19.280
really think through what are those operating procedures for how, you know, people returning to

121
00:10:19.280 --> 00:10:24.290
the office should, you know, deal with their IT, you know, not unlike, you know, any type of health

122
00:10:24.290 --> 00:10:28.700
checks you're going to do when people walk into the office, you need to have an IT health check

123
00:10:28.790 --> 00:10:33.500
as well to make sure that the devices that they're bringing into the office spaces don't

124
00:10:33.500 --> 00:10:39.380
compromise your internal network. And then, you know, I mentioned, you know, having the ability to

125
00:10:39.410 --> 00:10:44.450
internally monitor your networks; if all of your security defenses are at the boundary, you

126
00:10:44.450 --> 00:10:49.220
know, now's a good time to get some internal monitoring in place. And by the internal

127
00:10:49.220 --> 00:10:53.090
monitoring, I'm talking to, you know, what's kind of referred to as the east-west traffic, the stuff

128
00:10:53.090 --> 00:10:56.900
that's moving, you know, kind of laterally through your networks, to be able to monitor that traffic

129
00:10:56.900 --> 00:11:02.270
so that if you do, you know, have an employee return with a device that has been compromised, you're

130
00:11:02.270 --> 00:11:06.890
able to detect that compromise quickly before it can spread to other devices within your network.

131
00:11:08.660 --> 00:11:14.660
Anna Delaney: Chris, from your perspective, where are the gaps in the technology, in the management

132
00:11:14.660 --> 00:11:15.110
of it?

133
00:11:17.250 --> 00:11:22.440
Chris Kubic: Well, the good news about cybersecurity is, you know, there's lots

134
00:11:22.440 --> 00:11:29.910
of gaps that we're all working towards. You know, it's a challenging problem space and a continually

135
00:11:29.970 --> 00:11:38.370
evolving challenge, you know, problem space. You know, I think, you know, some of the gaps are, and

136
00:11:38.370 --> 00:11:43.260
we're starting to see a lot of focus on some of the cloud-based architectures and things like zero

137
00:11:43.260 --> 00:11:49.650
trust architectures. So I think there's still a lot of gaps in that space. You know, we were

138
00:11:49.650 --> 00:11:56.700
moving away from the traditional corporate infrastructure where, you know, it was a

139
00:11:56.700 --> 00:12:01.410
completely internal infrastructure managed on your own servers with a nice boundary to the internet,

140
00:12:01.710 --> 00:12:06.420
you know, more and more companies and even government organizations are taking advantage of

141
00:12:08.070 --> 00:12:14.760
cloud-based services, you know, Software as a Service, you know, and linking those into their

142
00:12:14.760 --> 00:12:20.010
internal architectures, so the data is no longer constrained within your data centers, within your

143
00:12:20.010 --> 00:12:25.470
corporate infrastructure. So, you know, and then I think just as to improve, you know, business

144
00:12:25.470 --> 00:12:32.040
operations and customer experience, allowing a lot more customer access into your infrastructure, to

145
00:12:32.040 --> 00:12:40.740
provide online services. So that boundary's gotten kind of, you know, less clear, let's call

146
00:12:40.740 --> 00:12:48.720
it, as to kind of where you place your security and where you defend your internal network. So, you

147
00:12:48.720 --> 00:12:52.230
know, that's where a lot of these newer architectures are focused on, you know, supporting

148
00:12:52.230 --> 00:13:00.180
cloud-based services, whether that's, you know, SASE, CASB, zero trust. They're all kind of going

149
00:13:00.180 --> 00:13:04.560
after the same thing: I have, you know, I have data that's distributed all over the place, how do I

150
00:13:04.560 --> 00:13:09.330
kind of manage that data and control access to that data? And really understand what is the

151
00:13:09.330 --> 00:13:15.000
sensitive data that I have? And, you know, control, you know, be a little more rigorous in

152
00:13:15.000 --> 00:13:20.880
how you control access to that data. So I kind of see those as the big challenges moving forward.

153
00:13:21.240 --> 00:13:28.410
I'd say another challenge is, and it's one that we've been focused on, you know, at Fidelis, is,

154
00:13:29.190 --> 00:13:34.740
you know, that the security operations personnel are just completely overwhelmed right now with the

155
00:13:35.460 --> 00:13:39.780
amount of data that they're getting, the number of alerts that they're getting, and a lot of those

156
00:13:39.780 --> 00:13:47.700
alerts tend to be false positives. And so how do we build, you know, more confidence in the

157
00:13:47.700 --> 00:13:52.230
alerts that we're providing to our security operations folks? How do we provide the context

158
00:13:52.260 --> 00:13:57.210
around those alerts so they can better understand, you know, whether that alert is something that is

159
00:13:57.240 --> 00:14:03.810
important, you know, high risk, and needs to be prioritized over other alerts that they're seeing.

160
00:14:04.140 --> 00:14:09.720
And then I think the other kind of piece of that is just better integration across the security

161
00:14:09.720 --> 00:14:14.850
technologies. You know, a lot of security operations personnel are dealing with, you know,

162
00:14:14.850 --> 00:14:20.160
systems that have been deployed over many years. A lot of them are point solutions, they're not well

163
00:14:20.160 --> 00:14:25.320
integrated together. So how do you get that integrated picture of what's really going on in

164
00:14:25.320 --> 00:14:31.230
your infrastructure? And at Fidelis we call that, you know, terrain visibility: how do you understand

165
00:14:31.230 --> 00:14:36.780
the totality of what you're being asked to defend? How do you have appropriate visibility to that,

166
00:14:37.050 --> 00:14:42.690
you know, overall infrastructure to understand where the highest risks are coming from? And

167
00:14:42.690 --> 00:14:47.760
then how do you prioritize the alerts associated with those risks so that the limited security

168
00:14:47.760 --> 00:14:52.650
operations personnel can focus on those highest risk things? So I think you'll see a lot more

169
00:14:53.100 --> 00:14:57.480
integration moving forward. I think that's kind of realized across the industry that we need better

170
00:14:57.480 --> 00:15:01.500
levels of integration, and that's something we've been really pushing hard for at Fidelis.

171
00:15:02.850 --> 00:15:07.200
Anna Delaney: And finally, Chris, what are the technologies you find particularly encouraging to

172
00:15:07.200 --> 00:15:08.610
address today's concerns?

173
00:15:10.340 --> 00:15:18.500
Chris Kubic: Well, you know, certainly, you know, you see a lot on, you know, analytics, machine

174
00:15:18.500 --> 00:15:23.390
learning, artificial intelligence. So I think those are all, you know,

175
00:15:23.390 --> 00:15:30.980
very encouraging, promising technologies. You know, I, you know, despite what you read, I think it's

176
00:15:30.980 --> 00:15:37.190
still early in the rollout of those technologies. I think there's still some smoke and mirrors

177
00:15:37.190 --> 00:15:44.420
associated with that, but making good progress on developing, you know, artificial intelligence and

178
00:15:44.780 --> 00:15:50.930
machine learning algorithms that can really focus on more of the behavior-based threats,

179
00:15:51.890 --> 00:15:56.540
environments, and getting away from signature-based, which, you know, the adversaries have figured out,

180
00:15:56.570 --> 00:16:04.100
you know, good ways to defeat signature-based types of detections. So I think those are very

181
00:16:04.100 --> 00:16:11.600
promising, you know, and all of those technologies lead to improved confidence in the alerts,

182
00:16:11.600 --> 00:16:17.330
something that I mentioned earlier, and the ability to automate a lot of the security processes, which,

183
00:16:17.330 --> 00:16:22.370
once again, when you have overtaxed security personnel, anything you can do from an automation

184
00:16:22.370 --> 00:16:23.810
standpoint is a good thing.

185
00:16:25.400 --> 00:16:28.880
Anna Delaney: Well, Chris, thank you so much for your time today and thank you for your insights.

186
00:16:29.150 --> 00:16:31.580
Chris Kubic: Okay, great. Good chatting with you.

187
00:16:32.510 --> 00:16:35.210
Anna Delaney: For Information Security Media Group, I'm Anna Delaney.