Ep. 5 – Securing SLED: Cyber Challenges and Resilience
Steve Rivera, CRO @ Logically
Craig Bowman, Sr. Director of Federal @ VMWare
July 24, 2023 | 41 mins
Welcome to episode 5 with Steve Rivera and Craig Bowman, talking about threats to local and federal government and education, and insights into protecting them from evolving threat actors. Stay protected in today’s threat landscape with advice and insights from leaders in their fields.
Listen wherever you podcast and share with your networks.
Key Takeaways from the Episode
- Significant cyber risks for SLED orgs and mitigation strategies
- Nation-state actors & the evolving landscape of cyber warfare
- Safeguarding virtual environments against insider threats
- Recommendations to enhance critical infrastructure resilience
- The top three actionable steps for SLED cybersecurity
Securing SLED: Cyber Challenges and Resilience with Craig Bowman – Episode Transcript
Welcome to Logically Speaking, where we discuss the latest trends and challenges in cybersecurity with top experts in the field. Today, you’re going to learn how to keep your data safe, how to keep your operations sound, and your business ready for whatever comes next.
This is Logically Speaking.
STEVE RIVERA
Today’s guest is Craig Bowman, and I’m very excited about Craig joining us. Craig is a senior director at VMware’s Federal Division, and previously Craig and I worked together at Verizon, where he was the vice president of advanced services, providing strategy, engineering support, secure cloud initiatives in the public sector. Craig speaks internationally about cybersecurity. He’s briefed congressional officers, senators, Olympic committees, and international defense leaders. Craig, thank you very much for joining us. I’m hoping that you could share a little bit more about your history and experience in cybersecurity, because I know you’ve got an illustrious career. So, you can start there and share a little bit about your experience.
CRAIG BOWMAN
Sure. Steve, good to see you again. So, I think people come to the industry differently, obviously. For me, it was a long time ago, so I’m much older probably than I look. When I got into the industry, I graduated back in the early 90s. Cyber was not really a big thing. The internet, where it didn’t come about until 1996, that’s when the Telecommunication Act was signed, and a little project called DARPA becomes the internet. And yes, Al Gore actually did have something to do with it, believe it or not. He was a young senator that introduced the bill. So I was actually talking to Vint Cerf, and Vint was the one who filled me in on the impact that Al Gore actually had by introducing the bill that made the internet possible. So, I was a little surprised. I didn’t realize that he had as much to do with it as I thought.
Anyway, so I started off with the US government. So, I was asked to join the Department of Defense in a very specific area where at the time it was all standalone computers and coaxial cables. Cybersecurity was really about securing printers and photocopiers. It sounds ridiculous, but that’s that. I mean, that was it. And from an offensive perspective, it was very much how do you get into the physical building? How do you get into the physical building and have access? And that’s, you know, Kevin Mitnick has written a whole book about how in the early days he used to get in by socially engineering people. So that was cyber. And then as many of us young people do as you’re moving along in the IT field, you move from networking to software development, and then suddenly cyber becomes a thing as we begin to realize that adversaries are coming after our computers. And so then you sort of get into cybersecurity and start learning about cyber as you go along. But there wasn’t this sort of formal training that we have now in colleges where you go take a course and get a degree in that. It just didn’t exist. So all of mine was OJT, directly working for folks and figuring it out as I went along. That’s how I got into it.
STEVE RIVERA
Yeah, I know you and I have similar kinds of paths into cybersecurity. I kind of stumbled into it. And back in the same timeframe in the nineties, and I remember when it was MCI at the time, WorldCom, talking about writing the TCP of TCP/IP, and that was kind of his contribution. And I remember, we sound like two old guys, but we do, you know, stepping into cybersecurity just kind of deploying firewalls, Raptor firewalls at the time, that eventually Symantec ended up buying.
CRAIG BOWMAN
Hey, Steve, I had to tell you we are old just to let you know. We are a bunch of old guys. You may not think about it, but we are.
STEVE RIVERA
But it’s so interesting because you then see the evolution of an industry, right, and you look back and you start to see these changes. So I’m interested to know your opinion, especially in the SLED space, how they’re handling this kind of ever-changing, ever-evolving threat landscape. Right. This is an area that our listeners sometimes are challenged with. So with your experience, how do you see, what’s your opinion on how that SLED market is addressing the ever-changing landscape?
CRAIG BOWMAN
State and local education. All right. So that’s a really good one, actually. I didn’t know you were going to go SLED. That’s a good one. So, it depends on the state. I was fortunate enough, as you know, at Verizon to cover all of state and local. And I am very much a hands-on person. Steve, as you know, I was traveling a lot, I was on an airplane a lot to all the different states. And the state has a very different set of problems. If you look at Mike Dent in Fairfax County, Virginia, for instance, and he was just on my podcast recently, you know, his challenge is that this area is becoming the next Silicon Valley. And so, he has to create a cyber trust around the infrastructure that is at the same level as what you would expect from big tech companies. That is a very different challenge than if you go to California and you go to like Eli Owen, who’s running the emergency response team for all of the forest fires and all that stuff. So, you know, we don’t have the sort of natural disasters in Virginia that Eli has in California. And so how do you protect those two different environments is very different. You know, in the case of Mike Dent, it’s about just sort of traditional endpoint detection, firewalls, all the things that we as a company do. But then when you get out into California, you know, it’s very much edge devices, low bandwidth, unpredictable networks that they’ve got to account for and plan for. And that’s not something that I think the average citizen kind of thinks about, you know, when you’re in California, you know, if communications goes down and gets hacked during a natural disaster, people actually die or they could be left, you know, stranded to where they can’t survive. And so, they’ve got to think through all of that very differently than like Mike Dent does.
And then you go to university areas. And when you talk to the universities, you know, they have an interesting challenge in that their customers or their quote-unquote employees, the students, are incredibly transient. So, they come in, it has to be BYOD. So, they’ve got to account for all kinds of devices and configurations. They’ve got to protect those things. And then within four years, you know, every year, a whole new tranche comes in and every four years, the accounts that they started with are terminated, are gone, as the students graduate and move on. So, state and local’s got a very different footprint. And so, when I look across it, I would say, am I seeing trends? Oh, and there’s one other, which is infrastructure. So globally, I think when we saw the infrastructure bill introduced, it gave the states an opportunity to really look at our critical infrastructure. Our critical infrastructure for years has been neglected by the country in general. We see it in our roads and our bridges, and our water treatment facilities and all those things, our power grids. And I think that from a nation-state actor perspective, when we look at the sort of like the individual small hackers going after a university or something, that’s annoying to the university. But the big hits are going to be when, let’s say, Russia decides that they want to retaliate for what’s going on in Eastern Europe. Or, you know, there’s a worse adversary, which is China. If they decide to come after us, they’re going to be coming after us from a core infrastructure perspective. They want to take down our financial institutions, our critical infrastructure, our government and our defense. If they can destabilize the economy, that will have a bigger impact on the citizens’ willingness to support our US government in any kind of tit-for-tat thing going on overseas. So, they’re going to come after us, and our infrastructure is woefully neglected.
So, I’m hopeful that the infrastructure bill will be used to shore up some of those weaknesses.
STEVE RIVERA
Yeah, you brought up a couple of really interesting points that I wanted to kind of hone in on universities first. So you know, the environments in universities oftentimes want to be more collaborative and less restrictive. In your opinion, how does that kind of play into this, you know, addressing the cybersecurity challenge? How do you recommend that they navigate that versus locking down systems and reducing collaboration, but universities traditionally want to be more open, be more, you know, sharing of information and data? How do you envision that kind of delicate balance?
CRAIG BOWMAN
Yeah, I think the universities are doing a fairly decent job because they’ve got some new tools at their disposal, which makes it easier. They move most of their stuff to the cloud. And by jettisoning a lot of their infrastructure to cloud providers, it allows them to consolidate some of their initiatives and to focus areas of attack from a cyber perspective. The challenge there is that the consumption cost is often higher than it could be traditionally if they have a high-capacity student base and they were running it on prem. But the fortunate thing for universities is that they can pass that cost back to the student. And that’s why we see our tuition so high, or part of it, right? And part of it is that some of that cost is being passed back. And so students are basically paying, or parents of students are paying for their kids to be able to bring their own device to access things and not to have a bad experience in how they interact with the universities. The universities can rely on cloud infrastructure and pass that cost back to the students. I think that the weak areas are going to be when there is a sort of complacency to believe that because you’ve moved to the cloud, you are therefore secure, which is not the case. It’s through application development. Those weaknesses in the way the apps are being developed and being deployed and being consumed, that’s going to be the weak area for the universities, if they’re not focused on that. If they think that, hey, we’re running in Microsoft and so therefore we’re secure, we’re using all the Microsoft apps. It’s the moment that they leave those Microsoft apps and they’re interfacing those apps with apps they’ve developed, that API security and vulnerabilities are going to be introduced to the entire ecosystem.
A lot of CISOs and CIOs know that, but a lot of application developers don’t think about it. I know how it is today because I don’t write code. I don’t throw code around like I used to, but when I was developing, I was never measured on the success of the security posture of my application. I was measured and rewarded on how quickly I could deliver the features of my software. Then it would go through some kind of a process where somebody would check for vulnerabilities, but nobody rewarded me for developing good security. So, for application developers, it’s not the key thing to think about.
STEVE RIVERA
Yeah, no, it’s a really good point because when I started as a database programmer and I worked for a major pharmaceutical company, we were doing clinical trials over the internet pretty much without any encryption. And now that would be unheard of, but yeah, you’re right. We were more concerned about accessibility, ease of use, the user interface and security wasn’t even an afterthought. You also mentioned critical infrastructure, how that’s often neglected. So, some of our listeners are in that space, right? Critical infrastructure, utilities, municipalities that are providing those services. What recommendations would you give just as a baseline? Is there something that you’ve seen to help them begin that crawl, walk, run in terms of cybersecurity?
CRAIG BOWMAN
First of all, look at the infrastructure bill. I mentioned it before. We have to get funding. Right now the biggest challenge for people running water treatment facilities, power facilities, dams, all of those things, is they just lack funding. It’s not like they don’t want to do it. It’s just that they don’t have the money to do it. A lot of the systems that these critical infrastructure systems were built on run on really old versions of Windows, for instance. And they can’t run on the new version in some cases. They simply won’t run. And so they’re stuck with, we can’t get off. We’re on unsupported versions of operating systems. And the cost to change that is very high. And that’s not the majority. A lot of them are using standard software that’s from big companies that modernize and all that jazz and stuff.
But the other thing is that just the people that run the actual facilities are not cybersecurity experts. A lot of times they’re required to do IT, but they’re not really IT professionals. It’s not a knock on them. It’s just that, just like you and I grew up changing printer cartridges, a lot of them don’t have to do it every day. And so as a result, they do things to make their lives easier that unfortunately introduce risk into the environment. I was on a case not too long ago with critical infrastructure where somebody had stood up a relay so that they could access it from home, because a lot of times they’re called in at night to do things with the infrastructure and they just simply found it burdensome to get in their car and drive to the office and have to log in. And so they set up a relay in a closet that allowed them to get into the system. And those kinds of things, there are other ways of doing it now that can be used once the infrastructure has been modernized. But that was the only way they could have the ease of use. And in the moment they did that, it introduced unbelievable vulnerability where somebody remotely could come in and control our critical infrastructure. So I guess in the old Verizon days of the Data Breach Investigations Report, we would call that human error. Right. Right. Miscellaneous, I think, is where they put it. You can’t fix stupid is what we used to say.
STEVE RIVERA
Oh, man. That’s great. No, you’re absolutely right. Hey, let’s shift a little bit and think about looking back on your career. What’s the biggest cybersecurity risk that you’ve seen? You just talked about one that seemed rather egregious but look back on your career. What’s the biggest one that you’ve had to address or you’ve seen over your career?
CRAIG BOWMAN
I’m going to flip the question on you. How about the biggest risk I see today? As far as the past, for me it’s almost like who cares, because the new risk is more significant.
STEVE RIVERA
I think that question, by the way, Craig, but okay.
CRAIG BOWMAN
All right. Well, maybe a couple of both. So I think, yeah, we’ll do sort of past to present. I think that endpoint detection was always the biggest one. We, you know, the moment that all of us got these devices, that was the biggest, like, yeah, we just didn’t account for it properly. The mindset of people, so this is the past, right? The mindset of people that by downloading McAfee or Symantec, that was somehow going to protect everything. Great companies, by the way. I mean, both of them are fantastic, you know, fantastic companies, but the reality is that, you know, all those companies were scrambling to kind of fill the gaps of the device. The devices came out long before we could adapt to the new threats that were going to be coming after them. That was the biggest risk I saw, endpoint detection.
And with that comes the combined two-factor authentication, right? We did not adopt two-factor authentication or multi-factor authentication quickly enough, let alone two-factor. So many people, you know, multi-factor is not even a question. So anyway, that’s what I saw, that was the biggest risk: how do we adapt quickly to an expanding footprint. I think as I look forward, the biggest challenges and worries that keep me up at night, and I still work with the U.S. government, are in two areas.
One is that we must, by function of how we have to operate to make our government safe and to do more work, we’re going to be pushing data further and further out to the edge. So we see words like SASE and edge computing and things like that. What that means is that, you know, the old methodology of our castle-and-moat firewall protection, endpoint detection and those kinds of things are simply going away as we begin to move our trusted assets out of that castle wall and store them all over the place. That is going to be a huge threat to us because most of the scorecards and the evaluations that we’ve been doing have been under the understanding that we can create this cocoon and put all of our protected stuff in there and create ways of monitoring behavior within that environment. And then suddenly we start putting things in the cloud and then we go, okay, now we can do a CASB and now we can do, you know, let’s just do the same thing there with a CASB in between and okay, we got that. But that’s not the future of IT. The future of IT is literally the data is moving closest to who’s consuming it almost on demand. That is a very heterogeneous and amorphous sort of environment. And so that is going to be something that most IT and security professionals simply are not prepared for. They’re not trained for. They’re old guys like us that, you know, we’ve got to go back to school. Young people will get it because they’ll be coming out of school and that’s what they’ll be learning, but they have no experience. So they’ll lack the historical knowledge with all this great new knowledge. And so somehow we’ve got to kind of merge those together. And our adversaries are going to take advantage of it for sure.
The number two, I think, and this is going to be critical, is quantum computing. And I think that when people hear about quantum computing security risk, they don’t quite understand what the problem is. AES-256 encryption is not something that can be easily broken even with quantum computers. So people say quantum is going to break encryption. It’s not really going to break AES-256 in any meaningful way within my lifetime. What it is going to do in a few years is going to be able to break the keys that we use to open AES-256. Now why does that matter? Well, it matters because we know that our adversaries are beginning to harvest our encrypted data today. So the documents that we’re sending over the public internet that we are encrypting, that we believe are secure, our adversaries are literally taking it off the wire and storing it because they know in a few short years they’re going to be able to open all of those documents. And so the big threat there is not only the documents that we’re storing today and transferring over the public internet, but also we’ve developed our entire ecosystem with keys that we believe are secure, than a few years or not. The moment that they break, or we discover they have the ability to open those documents, Steve, we’re going to have to retrofit all of our software, all of it. And that is going to be a very, very long process. And so how do we build new software capabilities today that allow us to move the form of encryption that we’re using to a new form quickly? And we’ve got to get our software developers to start building that into the software now so that when quantum becomes reality, they can push a button and instantly change all of the software that they’ve built to enable that new encryption, and all of our networks have to be able to respect it as well.
And so if we don’t start making that change now, they’re going to break the holy grail and then we’re going to be reactive and we’re going to be behind the eight ball trying to meet that new threat. That’s kind of my biggest sort of like, oh, shit moment.
STEVE RIVERA
Yeah, no, it’s pretty frightening to hear that they’re harvesting encrypted data knowing that they’re going to be able to break that encryption. So that in and of itself is, like you said, kind of like, wow, that’s actually happening. What’s the reality though of developers being able to retrofit in a timely fashion? It almost seems, I’m going to date myself, but it almost seems like Y2K, right? This whole kind of fear of something breaking that will have a cascading effect that will break other things downstream. So are our folks, our software providers, prepared for this, are they preparing for it, or is this something yet to take root?
CRAIG BOWMAN
No, it’s a good question. Yeah, I mean, so internal at VMware, we have a project that a young guy from Australia, Hayden, if he listens to the podcast, I called you out. So, he’s phenomenal. He’s working on that project now. And so it’s basically for him, he’s built like a sidecar kind of encryption key service that our software can call into and instantly replace so that you don’t have to go through and write all the code. And it’s more than just a concept. He has a working pro and we’ve been demonstrating it and all that. It’s not really a product we sell, but it’s a technique and a methodology that we are working towards in anticipation of this. We’ve been told that out of all of the demonstrations, like when we demonstrate this to the government, because again, we’re not trying to sell it to them, but they’re interested in how we’re doing it. They always tell us that we appear to be much further along in our maturity level of making it a reality than what they’ve seen elsewhere. So, this young, I say young kid, he’s not a kid, but a young man, he’s much younger than me that’s working on this is truly talented. And when you see him open up a whole bunch of code and hit a button and instantly can see all of the encryption change out across the software, it’s a pretty impressive demonstration. So yeah, I think people are doing it. I think that when you have the funding to do it, it’s easy. But when you don’t, how do CIOs decide that they’re going to allocate funds to this? Maybe they just wait for companies to come out with products and then they buy the product and then they tell the software companies to, or their software developers to implement it. I don’t know. Right now, it’s more on the R&D stage than anything else.
STEVE RIVERA
Got it. You know, you touched on nation state actors and I wanted to ask you about your, how you think the concept of cyber warfare is going to evolve over the next couple of years. I know that, you know, you’ve got some experience in offensive and defensive capabilities, but how do you think that’s going to have an impact on international relations, global stability, kind of moving forward in this idea of cyber warfare? Do you have any thoughts around that?
CRAIG BOWMAN
It’s a whole different podcast. Do I have thoughts on it? Yeah, I do. You know, this is going to be a politically charged, I guess, response. So, to be clear, this is not a political statement in any way, shape, or form. Anybody that knows me knows I’m right up the middle on politics. The reality is that we have to treat cyber as we do the Department of Defense. And every American, regardless of your political position, should be thinking that way. If you like, you know, knowing that your financial institution is going to be there to give you funds when you need it, then you need to be more understanding of a more offensive and aggressive government in the area of cyber. Because remember, there are adversaries who do not have any rules about coming against us. But we have a huge amount of rules about what we’re allowed to do because of our free country. And that’s a good thing. And I think it keeps government in check, and I am a big supporter of that. But at the same time, a lot of our citizens, I think, you know, resist any interaction between commercial industry and government where it comes to national security. And I think that that is hindering our ability to protect citizens from nation-state actors. And I’ll give you a perfect example. When Edward Snowden walked out with all of those documents, many of the relationships, you know, that were made very public. And you know, there were companies that said, we’re not going to do business with the government. Employees went on protest and, you know, all these things. It severed a very critical need and relationship between commercial industry and the U.S. government, where there was collaboration and cooperation to make sure that the government could respond and protect our critical infrastructure, our financial institutions, all of those things. And we lost a lot of that because of this, you know, Enemy of the State came out, right?
And we watched the movie with Will Smith and the big evil Big Brother and all that. And all those things came together at about the same time. And so we’ve lost some of that public-private cooperation. And that is what we’ve got to get back. If we, you know, if we don’t start having more cooperation between the commercial industry and government, then government can’t be effective, 100% effective at defending. And the commercial industry is then going to have to take the responsibility of putting more and more money into protecting the assets as almost like their own independent country, because they’ve sort of put their arms up and said, government, you know, go away, we’ll take care of this. Well, with all due respect, there is no company that can take on nation-state actors. There isn’t. It’s only through the cooperation of commercial companies and the U.S. government that we have any chance of taking on a nation, the funding of a nation like China, where they don’t have rules to come against the United States’ best interests. That’s my opinion.
STEVE RIVERA
Yeah, no, that’s great. Because you talk about nation-states that don’t adhere to the same kind of, dare I say, moral code that we have here in the United States in terms of privacy, in terms of the way that we treat our citizens. And yet we’re trying to compete on a battlefield with different kind of moral codes. And it seems to me that it’s pretty obvious that we will restrict ourselves from acting in certain ways, and yet, you know, our adversaries don’t. And so it’s almost like an uneven playing field.
CRAIG BOWMAN
It is. And you know, I think you and I are saying the same thing. I’m not in any way suggesting that we lower our moral standards, right? There are ways in which we can collaborate and cooperate that I think are fair, that protect the Constitution and privacy. There are a lot of things that would never change in the way that we’re doing it, because I don’t want the government looking in on my stuff and, you know, all that. But I think there are ways that we can collaborate and share information even more, that we lost over the last 10 years, that is critical for our government to have, you know, to have what they need in order to protect our businesses. And I think that, you know, it’s not a huge pendulum swing, but it is, we need to get more back to where we were, I think.
STEVE RIVERA
So, I want to talk a little bit about insider threat. You mentioned Snowden. There was a recent Air National Guardsman who also, you know, shared sensitive data or got access to sensitive data. Do you have any insights or thoughts on how mid-market companies and SLEDs specifically can protect against that insider threat and how to address that? You know, what seems to be more damaging than from outside?
CRAIG BOWMAN
Yeah, so one of the cases we were on, it was actually the CTO that was leaking information to the lawyers of a company that there was a lawsuit involved in. And he was going to go work for that other company, which is why he was leaking information. You know, when I look at how we, you know, when we were brought in and how we investigated and all those things, it’s a tough one, depending on who the insider is, to protect. And that’s why it’s really important to have the right tools to look at behavior. You know, when we think about the old days, and I use this analogy, firewalls and virus protection and all those things, think of it as like your front door. You open the front door, and if you had a list of all bad guys, you could look at the person at the door and look through the book of bad guys and say, oh yeah, that’s a bad guy, I’m not going to let him in. Right. The days of that being the way that people attack are just gone. The chances of the person walking up to the door being in your known bad guy book, that’s not really who you’re worried about. You’re worried about, you know, the person that you were hanging out with at church, that you don’t know is a bad guy, that you invite into your home, or the person that’s coming in through the window, not through the door. So those are the kinds of attacks that we have to worry about, and that’s a behavioral discussion. It’s not an identity discussion. And so, when we look at the tools that monitor behavior, just look at, you know, this is about VMware, it’s not a sales pitch, but it’s just an observation. Virtual machines are the same as sort of physical machines. And while we put firewalls in front of physical machines, what a lot of people don’t do is look at the behavior between virtual machines sitting on that same box.
In fact, I could count on, you know, both hands, or maybe two sets of hands, the number of customers that actually monitor the behavior between virtual machines. They do monitor between physical devices, but not between logical devices. And since most of our environment is going to a virtual environment, whether it be through VMware, or through Hyper-V, or through cloud, or software-defined, everything is going virtual. And yet our security companies and our security personnel are not designed to look at the behavior between virtual environments until they transcend to a physical environment. Once they move to physical, everybody’s good with that, right? Put it on the front of the physical device, we’ll monitor behavior, no problem. It’s in between all these layers that nobody’s watching. And that’s where you pick up odd behaviors. Now, I’ll give you this example. We have a massive Postgres database. We call it Greenplum. And the only real massive advantage to it is that we can massively distribute this Postgres database to attack really complex data problems. And so when we run cyber data through it, we can run petabytes of cyber data through it. It will look at every bit of cyber data and it says, hey, we expect this behavior to happen from this device when it goes to this device through this device. And when it doesn’t, we can match it against our bad guy lookup. Hey, we’ve seen this before, this behavior. We know it’s probably this. And then it can analyze, was it that, and we can give it a sureness like it’s 80, 90%. Yep, we were right. That’s what it was. That’s not what’s interesting. Everybody does that.
What’s interesting about the algorithms, and it’s like, we’re just running AI algorithms against this data set through this Postgres database. What’s interesting is when you get down to the bottom, and this guy named Siva on our team, he’s an engineer, he’s an AI/ML expert. He goes through and he shows you at the bottom, there are these really small percentage ones of, hey, we have no idea what these are, but we know the behavior is not matching any known behavior of a bad guy we’ve ever seen. And so it’s varying from that, and so suddenly that becomes the zero-day exploits that we’re looking at. And so it’s only through AI, it’s not really AI, it’s more machine learning against a massive data set that we’re able to get down to these anomalies that he then says, these are the ones that I’m interested in. All these up here will go to the SOC, they’ll have a playbook against it and they’ll run it. It’s these down here that from a VMware perspective on our network, we’re going, hey, wait a second. Why is this not matching the behavior that happens 99% of the time or 80% of the time? So that’s how we’ve got to sort of, I think, start looking at how we attack this problem.
STEVE RIVERA
Yeah, no, that’s great stuff. I appreciate you sharing that. Hey, I want to kind of shift here as we conclude. What are two to three things that you would recommend that our state, local, educational listeners, government listeners should do today that you’re seeing are the most impactful when it comes to securing their data, securing their critical infrastructure?
CRAIG BOWMAN
Okay, so I’m going to start with the basics and people, I hate when I get on these podcasts and people give like the obvious things that we should be doing, but the reality is when you look at the data breach investigation report, it’s just a great piece of research for multi, I mean, we came from Verizon, so we’re biased, I know, but the reality is, I mean, you know this, Steve, we take, we, sorry, Verizon, Verizon takes data and they give it to data site, I know, right, you’re laughing. Do you still say we when you talk about Verizon?
STEVE RIVERA
I do make that, but we were there a long time, right?
CRAIG BOWMAN
Yeah, it was, and all the executives over there, they’re probably thinking, these guys bleed Verizon. So the great thing about the way the team did it over there and my hats off to them is that they take all the data, they pump it to data scientists who are not cyber experts. So because they’re not cyber experts, they only analyze the data for the data’s sake and every year it comes out that there’s the same trends, right? So it doesn’t, it shouldn’t surprise you that some of my recommendations are going to be the things that we still continue to not do well. So obviously things like training our people because there’s lots of human mistakes, those kinds of things, you know, training around email and how to not open attachments and all that stuff. It still remains a primary way that, you know, phishing remains a primary way that malware gets into our environments. So you know, from a CISO perspective, you can do web isolation, right? You can apply tools that break that executable code before it gets into your network. And so there’s lots of products out there that do it, McAfee, Symantec and all that jazzy stuff.
Enterprise, you know, detection response, EDRs or endpoint detection response. So EDR is critically important. To me, it’s the table stakes. If you’re not doing EDR, you know what? You deserve to get hacked because, you know, that to me is you need to be looking at the behavior on your endpoints to be sure. I think that those two and then, you know, multi-factor authentication, those are the three basic things you have to do.
And then I think looking forward, what I would say is most of the environments that we are putting in today, I talked about edge pushing to the edge, everything is going to be software defined. It’s not today, but I can guarantee you it will be. So, all networks will be running on a control plane with gateways and endpoints that are communicating through that control. Everything will be software controlled. And so, as an organization, we need to start looking at how do we enable individuals on endpoints to have access to the data. And I’ll share with you, Steve, the way kind of we do it a little bit internally at VMware. I won’t give away too many secrets. But, you know, on our devices, it’s all BYOD. And then we have company issued things as well. So I’ve got a company issue computer, but then I have my personal iPad and my personal cell phone, because I don’t want to carry two phones around. And so we have soft tokens on our devices. So if I want to access an application, it will require me to authenticate using my RSA soft, and then I can do that and it will automatically authenticate through an app. The moment I go from sort of basic access, so if I’m using Outlook or Office or those kinds of things, there’s just the basic RSA token. The moment I go to an application, like an HR application or things that may have, I then have to go through an application control layer. So, we actually have a workspace product, a company that we acquired. And so all of our applications are trusted applications that we only can launch from this security environment. And that allows me then access one layer further so I can access certain kinds of data from my personal devices. None of that data is stored locally. It’s all kept inside the confines of the mothership.
And then lastly is I then on my company-issued device, I can actually get through, and not only that, but actually through my personal device, I can get through a workspace desktop. So we have something called Workspace ONE that allows me to actually visualize entire environments but through an interface where I’m not actually getting the data. I’m interfacing with the data that’s on a server somewhere in the cloud. And so based on the kinds of data that I’m accessing, it just automatically makes me, it requires me to go – and I don’t know I’m doing it – it literally is, I click on an app and it opens and it looks like I’m in the app, but behind the scenes, it’s doing all this stuff to isolate my device from the data. So that if I’ve done something stupid on my personal device, downloaded some software that I really like, like Angry Birds from China, you know, that it’s still not going to have the ability to get into VMware, you know, critical data. So I think that’s what we’re going to have to do. You know, the government has come out and met with us many times to sort of look at how we’ve done our zero trust, because we did zero trust. We almost had all of it implemented before zero trust was even a thing. And that’s why we made some of the acquisitions that we made was actually to move it and so we could use it internally as well.
STEVE RIVERA
That’s great stuff. And Craig, thank you for laying that out. So you mentioned training, tools to break the executables, endpoint protection, multi-factor and moving to that software defined kind of structure. And thank you for that, because I think that that’s really incredibly valuable. And I think about this market segment, those are the areas that are most impactful. So thank you for sharing that. Thank you for your time.
That’s all for this episode. Make sure you take time to listen to our next episode of Logically Speaking and stay cyber-first and future-ready.