Disinformation Campaigns, Resiliency and Attack Trends with Simon Gibson

Hello, everyone, and welcome to our show. With us, we have Simon Gibson, a Principal Security Architect at Navy Federal Credit Union. And behind us, we have this amazing lava lamp wall, which is our wall of entropy of sorts. Hello, Simon. Welcome to the show. Hi, thanks for having me. First, before we begin, why don't you give us a bit of your background? Because you've worked through several years in different organizations in Internet infrastructure, from ISPs to different perspectives. So give us a little bit of your background, please. Right. I, you know, I kind of found my way into security working at Winamp and Shoutcast. And we were working on streaming media and how to secure that. And that's kind of how I sort of intersected with systems and writing software and security. So that was kind of the intersection of those. And from there, I went to Verisign and spent about a year as a system architect. And then from there to Bloomberg, where I worked for about 10 years in New York. And I was their first, I was their first, technically, I was their first CISO. So this was sort of in 2009 before there really was a CISO role, right? There was a need for it, but nobody really had it identified. We knew we needed to monitor traffic. We knew we needed to have insight into what was traversing the network. We knew we needed insight into privilege escalation and lateral movement and all the things that MITRE has sort of now quantified really well. But, you know, at the time, it didn't exist. And so we built that stuff out. And it was a little bit on, you know, honestly, a little bit on gut and a little bit on, you know, if we're going to get breached, what are the things we have to worry about? It's a combination. In the past few years with all of these projects, what has surprised you the most in terms of evolution through time? That's a great question. I am going to say the active measures campaign in the election. And I know that's not a popular, you know, everybody has their own politics, right? But there is a very forward facing active measures campaign against the United States has been going on for a long time. That means attackers attacking during those moments of elections? Well, or just spending years and years convincing people that, you know, social media and what they were seeing, you know, the truth wasn't truth. And then convincing people that, you know, they can trust things that they couldn't trust and things that were trustworthy and trustworthy institutions were reliable, or sorry, or were unreliable things that we need, we couldn't rely on anymore. And so there was this confusion. And I think that that is kind of what really that was the biggest tectonic shift I felt. And that was sort of around the election. What I find interesting there is, of course, mobile brought social media to new people all over the world with that, and that's 2010, mostly 1112, like when it became big. And with that came news through social media, people getting news from there, most people don't realize that that's also security, like trust in institutions, trust in what is true, is quite important. And conspiracy theories are very old. But now they can spread out in a different way, right? That's the main difference, potentially. Yeah, Winston Churchill Crowe, he says that a lie makes its way around the world before truth puts its pants on, you know, and people, I think, have a natural, we want to gravitate towards sensationalism. And I think in the management of that was very tricky. You know, and it just seemed like such a great thing. We had email, we had social media, we had the last mile figured out companies like Cloudflare did such a good job in kind of bridging that endpoint to the user. Things were reliable, things were stable. When I started in the Internet, every, you know, you if you worked in security, you had to know everything because everything broke, DNS broke. BGP broke. BGP, routing broke. Yeah, everything broke. And so you didn't know what was broken. Was it a route? Was it, you know, who knows? Was it a domain name? And so, as the Internet matured, things became more based in their stack. People, you know, you talk to somebody now, they work on the front end of the stack. They work on the middle end of the stack. They work on the front end of the back end of the stack, right? And that's where they live. In specific things. Yeah, exactly. And in the beginning of the Internet, that wasn't there. You know, you had to kind of know all of it to be good at security. And I found that fascinating. I love that. And then I felt really pushed back and take it off guard, kind of by sort of what had happened psychologically with social media. Why do you think most people don't realize that that's a security issue too? Oh, yeah, yeah. Because they think, oh, that's just how we get the news. That's how society evolves. They don't think of security. Great question. You know, I don't think people understand how much work goes into, you know, how much work the New York Times or the Washington Post does to fact check, right? And then I don't think there's a way to assert an identity. So on Twitter, we have like blue checkmarks that asserts you're so-and-so, right? At least before. At least before, right? We don't have a way now to take that assertion and have it be portable. I'd like to see a portable piece of assertion that says, you know, I am asserting this to be true, based on all these other things. So a little bit like clout, but not really something that's as gameable. I would love to see that. And I think we're going to get there. I think we're on the way to that. I think we're still... I was really hoping to see it this year, but I think it's still a few years off. Thinking about this year, we're at RSA right now. It's happening here in San Francisco where we're at. And what are the trends that you're seeing out there? The trends both for challenges, attacks, but also opportunities. One of the things we're working on where I'm at at Navy Federal is the ability to look at all of our tools holistically and try and understand, do we have too much coverage in one spot and not enough coverage in another spot? And are we paying too much? Like, do we have five tools that do the same thing and no tools to do the one thing that we need? Is there a way to measure that holistically based on the attack signatures that we see? So based on the techniques, tactics, and procedures that attackers use, if we run that against all of our cyber tool staff, are there gaps? And if so, if there are gaps, what can we do to mitigate them? And if we can save some money, great. And if we can improve our security, great. And can we measure that empirically? So when we go to ask for money, we really are thoughtful about the tools we're buying. We're not just buying every tool. And I think one of the things I'm seeing at RSA is, is that as a upcoming trend, I still think that's a year or two away probably, but more generally. Yeah. Yeah. But I do think that that's something that, you know, people, people, it isn't the question of having blank checks to just write money. It's really finding the talent to run the equipment. You know, can you find the right people? You know, it's always a cost of opportunity. I have 20 people, and I can either sell product with 20 people, or I can secure product with 15 people and sell product with five people. Whatever, you know, whatever, whatever the, whatever the balance is, how do I make the best use of my opportunity cost? And I think that's starting to tighten up based on SRSA. There's advantages there in efficiency, spending less money, but also, is there an advantage in cybersecurity in terms of making systems more resilient to breaches? A hundred percent. And I think that's something people don't talk enough about, is resiliency is so important. You know, can you suffer an incident and still function? Can you still serve the customer and you still be up, even if you're operating in a degraded state? And I think we do a great job at measuring confidentiality, integrity, and availability, but how do we measure the resiliency component? I don't know. I don't see that being measured well. Now that could just be that, and to be fair, I did take a few years off of cybersecurity. I did take a little bit of a sabbatical for a few years to just, just kind of refresh. It could be that there is more resiliency. I've definitely seen a level of maturity in the space that wasn't there four or five years ago. The space has most definitely matured considerably. Your work, you do security architecture, mostly thinking about things. What is the thing about your work that you think is really relevant that most people don't realize? Well, I think, you know, security, it's easy to say no, right? Now, you know, your password's weak. You're not using the right VPN. And then by the time you compound all these things, suddenly it takes you an hour and a half to log in, right? And so now we've just wasted opportunity on this, right? So how do we get you doing business as quickly and securely as possible? I think the analogy I heard is security is like brakes on your car. If you didn't have brakes, you wouldn't go five miles an hour because you couldn't stop. You'd just go slow all the time. You can have a McLaren and you wouldn't go over five miles an hour. So security gives you the pump the brakes at 90 miles an hour and make that turn. Makes sense. And in a way, there's also opportunity there. There's this saying where it's not if you're going to be attacked, it's when. So what happens after you're being attacked? Preparing that with less problems if you're being attacked is the way to go, right? 100%. And that's the resiliency component, right? And I think there are a lot of companies out there working on it. I talked to a company called Mimic and they just can't understand why ransomware works so well. And there really should be a way to tell that your files are being encrypted and stop it before the entire data set that you have at a hospital or whatever it is, is completely encrypted. I just think they think that this is a very tractable problem that they're trying to solve. So I've seen these sort of, I don't want to say big, dumb security issues because ransomware is pretty thoughtful. So it's not necessarily that, but I think there are ways to intercept problems that we've had that we can do smarter. And I think I've seen that at RSA this year. In a way, of course, everyone is speaking about AI. Maybe that'd be just because it's cool or maybe because they're worried or there's opportunity. How do you see AI in terms of enabling attackers, but also in the protection realm? Right. I mean, I think I see it. So here's one of my favorite things I've always thought about when an attacker wants to attack you, they don't need a book of conference room. They don't need to get anybody's permission. They just open their laptops and they start building a rat they're going to send into your network and drop. Meanwhile, defenders, they have to get conference rooms, permissions, budgets, people's, get everybody in a room, build the infrastructure, make sure they're secure. And I think AI right now, I think, to be honest with you, especially regulated industries are concerned about what people are putting in AI because now they're leaking information that's potentially proprietary. So I don't know how AI is going to be taken advantage of from a defender side, the way attackers are doing it. So I think there's a little bit of asymmetry, asymmetrical benefits for the attackers with AI right now. You spoke there about trying to find, to not encrypt when attackers are trying to encrypt something to avoid like ransomware. Maybe machine learning in that sense is a way to go, right? Potentially, 100%. If there is a way to bring machine learning in, that won't necessarily let it outside of your environment. So it's almost the opposite. Everybody's moving to the cloud. Well, now I've got a bunch of information that I don't want anybody to see. So AI suddenly poses this challenge where it's diametrical to cloud sassy and all the things that we've been hoping will be the next generation thing. Suddenly, if all my information is in a cloud, I want to know it's 100% secure and it's encrypted and that the data at rest problem is solved and that it's quantum proof to the lava lamp problem. Do I have quantum entropy around stuff, right? In a way, the US is one of the countries that's most attacked. Attacks are coming from a lot of companies. The Internet is big in the US. In what way the US is having a role in the cybersecurity realm and making it better in a sense? I haven't been outside the US. It's a little bit unfair because I haven't really looked. I haven't been to Mexico. I haven't been to Japan. I haven't been to Hong Kong, who was doing great years ago. But I will say that the challenge and the VC money and the focus is here, for sure. But I wouldn't be a fair comparison just to be honest with you because I haven't been out there. But thinking of the future next few years, where do you see the cybersecurity area going in terms of how would it look like in a few years? Can you predict something? I would love to say that there is a way to create an assertion that says this piece of data can be traced back to its owner. This assertion is what you're reading is probably true because there are these four or five things that prove it to be true. Blockchain tried to do that a bit, right? A bit, yeah. And I think that there are some really good certs out there. So I think it's Norway has a great cert, Japan has a great cert. And I wonder if there will be more. First is just fantastic. I wonder if there just won't be more cooperation with the computer emergency incident response teams that people will start to get a little bit less worried about sharing their secret sauce and more we really should just start combining these things because at the end of the day, this just affects everybody. Absolutely. Thinking in the Internet in a more broad sense, what would for you be a better Internet? Like a wishlist for the Internet for the next few years? Yeah, I think that assertion thing would be amazing. I think if I could assert- Bring trust. Anonymously, yeah. I don't even have to prove I'm me and you can't look up my information, but I can anonymously make an assertion that you can trust this piece of information, right? I think that would change. That would just be such a game changer. Absolutely. I mean, I think that's the main one. I'm sure there's more because I can feel things in the back of my mind bubbling, but right now they're not coming. Just to wrap things up, looking at the past few decades, what has surprised you the most in this area? In a way that not on cybersecurity, but in general, on the Internet specifically, the path that was taken really? I think the lack of understanding of trading convenience for security. People are much more willing to trade. I'd much rather just have my pizza show up than know my pizza's poison, right? It'll be fine. Convenience is really important. Convenience, yeah. So people put that in first, right? I think we trust that what we're getting is trustworthy and we put our convenience over whether or not we measure the state of the trust of it. I think we assume that if something is untrustworthy, it will automatically sort of in a capitalistic kind of market way, wash itself out, right? If something isn't doing well, it'll naturally just sort of degrade. And I don't know if that's true. I think there's enough room inside of those to put little enhancements that will keep those non-trustworthy things just there enough. In check. Yeah, exactly. And people aren't going to notice. And that's a wrap.