Legends of Tech: Episode #23

Good afternoon, good morning, good evening everyone. Welcome to episode 23 of Legends of Tech.

Today I am super pumped to have this guest. His name is Dr Chris Peiris. He's currently the Cyber Security Advisor at the Department of Defence in Canberra.

Chris was previously with Microsoft and Avanade Australia as the Director of Cyber Security.

He's a passionate cyber security professional and has assisted many Fortune 500 customers to unblock security cyber security blockers to enable large digital transformation power projects.

As a former Asia-Pacific and Japan Cyber Security Lead, he has assisted creating government -wide secure threat management frameworks in Taiwan, Singapore, New Zealand and Australia.

He has also created an incident response security operations center, cyber fusion center, advisory services and threat intelligence capabilities to build cyber security capabilities across Asia -Pacific and Japan.

Chris's experience in building large-scale cyber fusion centers led the leveraging private cloud, hybrid cloud and public cloud protection and detection service providers around the world.

His current passions are quantum -proof cyber cryptography, polymorphic ransomware and Zero Trust architecture.

That's a that's a tongue twist, isn't it Chris?

Chris is also an author and has 24 years of experience around the world.

Please welcome Dr. Chris Peres. Thank you. Nice.

Thank you. Thank you very much. Glad to be here. Thank you, Chris, for the opportunity.

No dramas at all. Well, mate, how is everything in Canberra? Well, it's a beautiful sunny day today.

So we had a bit of rain, but, you know, it's it's great.

So, you know, we've been blessed with good weather and hopefully a bit of cricket on the weekend also.

Fantastic. So you're a bit of a cricket fan, are you? I am.

I am. So, you know, it's funny enough to I know we're talking about technology, but my life actually started in Australia as a cricket player.

That was my first job.

Yeah. So I was a migrant. I was born in Sri Lanka and Colombo. This is the 80s and the early 90s, for example.

And I'm not sure if you guys are aware of there was a civil war going on for Sri Lanka for 30 odd years and everyone was affected, as well as my family.

So I came here to Australia, to Melbourne as a student, and the only job I could find was playing cricket.

I actually got paid 75 bucks a game.

So how did you go from cricket into cybersecurity? Oh, look, it's a it's an interesting story.

Look, first of all, me being in IT is an accident. And second of all, me being in cybersecurity is an accident.

Let me expand on it. So look, I like I said, I when I when I migrated here, I spoke very little English, frankly.

My mother tongue is Sinhalese, which is very different. And so I never had informal English education, if I can say.

So when I came here as a student, I didn't really have any qualifications to enter into tertiary education.

The only the amount of marks I had to get into university was for Bachelor of Business Accounting, frankly.

So I remember turning up to what used to be Caulfield Institute of TAFE, which is a Caulfield campus for Monash University today, if you're familiar with Melbourne geography, that is.

So I rocked up to F Block, which is one of the very old buildings in CIT.

And I was filling out a form for Bachelor of, enrolling in Bachelor of Business Accounting.

And there was a and I was told, and I didn't really understand all this, I was told in order for you to do the degree, you have to have a minor being enrolled.

So I said to them, what is a minor?

And they said, no, there's a thing called this computer science thing, you could do computer programming, you could, you know, do as a minor.

And, and I don't know, maybe I'm showing my age, Chris, this is probably before your time.

Back in the 80s, there was this thing called MS -DOS and Microsoft DOS and basic programming language, it used to be before the C++ and Java and things like that.

So I was lucky enough to do a basic course, you know, earlier.

So I had some knowledge of programming.

So cutting a big story short, I ticked that box saying I'm going to do computing as a minor.

So then once I got into it, I started enjoying it more, you know, C, C++ programming.

I got heavily into coding those days. This is the late 80s, early 90s I'm talking about.

And I remember this thing called the Internet was taking off and it was talking about it.

And just to share with you this bit of a romantic flavor here too.

So my girlfriend was actually in the US, I was trying to figure out how to connect with her because we didn't have the money to, you know, there's only phone calls these days.

There's not even email, if you remember.

So somebody told me in IT, this is SMTP protocol and HTTP protocol and work out something called the Internet.

So you can send, you know, free emails to your loved ones overseas.

So I got into it and there was my IT. Cutting a story short, on a serious note, I was very lucky.

I was to be in the position when, especially at Monash University around 95, 96, if memory serves me correctly, there was an initiative by Microsoft that they realized this Internet is coming and they need to change everything from client server architecture to Internet distributed architecture.

So they were revamping their platforms, something called .NET framework.

I'm not sure whether you guys are aware of it, but .NET is the foundation of the windows operating system, essentially, which is built for multiple vans and Internet technologies, as opposed to client server point to point technology, which was calm those days, if you remember, going back a few years.

So what people may not know is actually some of the initial research for .NET framework was actually done through Monash University and Melbourne University in Australia.

And there was a project called the Mono project that I worked on, which started my association with Microsoft that's been going on for what, 25 years.

Thank you.

So anyway, it's a long, I don't want to take up too much of time. I love the story because I must say we must be the only industry or one of the only industry in the world where we've come, you know, we fell into IT or we did a course that led us to somewhere else.

We met someone that did something. So your story is fascinating.

So growing up as a kid, did you ever have technology in your mindset?

No, I mean, to be honest with you, growing up in a third world country, I didn't, we didn't even, we didn't have a 386 computer to be frank with you.

The only 386 or 286 computer, if you, and probably the viewers may be scratching their head.

286 is way before the Pentiums and all that stuff. Only people who had that was, like I said, small, my school had a, like a computer course.

I had like three, four computers and we had 286s and 386s there.

And that's the only time that we got exposed.

I mean, my family did invest in a computer a little bit later, but, you know, we didn't really have much resources, frankly.

Yeah. Yeah. Fair enough.

No, I find it fascinating because, you know, even myself, you know, I got into technology through, you know, a random way, but I guess I grew up in the 80s.

So for me, it was all about, you know, video games and, you know, thinking around computers, but I always find it fascinating to use everyone's background.

I mean, the fact that you've, you know, you immigrated to Australia, you're playing cricket, you started, you're studying business, and then you signed up for a, for a computer course is quite fascinating.

So when you, when you went from, I guess, what you were studying to computer science, what was that transition like?

And how, I guess, how did you approach that part? Was it a difficult transition or was it something that you just picked up naturally and sort of ran with?

Yeah, look, I think there was something that was natural to me. I found something that I'm passionate about, because anyone who's into coding, you know, basically working with IT, it's a bit of a, frankly, it's a bit of an addiction, to be honest with you.

You know, I remember staying up most nights just with coffee and just, you know, plugging away, coding in C++, etc.

So it just became a lifestyle more than anything else.

And to me, it was a, and again, I don't want to, you know, spend too much time, you know, the coding aspect, but I'm always fascinated by the people in IT, you know, it's a disruption part.

I mean, I didn't really understand that back then in my younger days, you know, I did for fun, but what we were doing was we're disrupting the business models that was going ahead.

And what we were doing was people and process was changing because of that disruption.

And that's what's happening today for the last 20 years. So to me, that's a fascinating journey.

So, you know, simple things like, like I said before, so in order to call your loved ones from overseas, we had to pick up the phone and we had to, those days was more than a dollar a minute or something like that from memory was very expensive calling overseas.

And the fact that when we invested, I remember spending a lot of time on voiceover IT, once we got IP to work, we did a lot of research simply because the driver was we just want to call the people we love, you know, and that actually drove a certain behavior, creativity, it's disrupting those business models when it comes down to it.

That is the everlasting impression to me as IT people standpoint to society.

Yeah, it's a definite evolution, disruption, all that.

So how did you now, you know, fast forward a little bit, not a few years later, how did you get into cyber security?

Yeah, yeah.

So again, that's, again, it's another accident. So if I can, if I can start off from where I left off earlier, so I got into some of the coding from a university perspective, but working in Microsoft.

That actually led me to some really interesting projects like, for example, Commonwealth Bank.

So I spent a lot of time doing the Commonwealth Bank securities.

You may know comsec.com.au, for example, I was one of the very first architects who built that very first version back in the late 90s.

And then the ComSea platform that the Commonwealth Bank uses today, even for security was I was part of doing that, you know, implementation for them.

And so I was more of a, you know, more of an architect, doing big projects.

I joined Microsoft as a full time employee, the early 2000s, spent some time in Redmond.

And, and also then came back here. And, and I was working mainly because I'm based out of Canberra.

I have this long association with Department of Defense, frankly.

And around 2005, 2006, if you remember, Microsoft was going through a really bad patch when it comes to security with the SQL blaster, and all kinds of zero days happening, etc.

So simply the government and Department of Defense specifically came to us, I was one of the consultants, and then this is your technology, Microsoft, you know, and we are getting issues here.

Can you do something about this? So that was the brief. And that actually started this chain reaction of getting into security.

But, you know, cutting a big story short, what it comes down to, because is, you know, we not just as in all of Microsoft, there's multiple parties, you know, there's a very big investment, I must say from a book for many other organizations afterwards, and I've been a partner with other organizations.

But frankly, I haven't seen any organization, such as Microsoft, roughly, they put about $1 billion a year, just for research on security, basically.

So that is a very big commitment.

Back from those mid-2000s. So essentially, what we did was we reengineered the whole Windows platform from ground up.

And what we end up doing is essentially make the whole Windows platform, the sensor, essentially.

So what happens is, like, you know, being in the industry, what a lot of threat vectors are all about is, you know, they use what we refer to as a rootkit.

And for the listeners who don't know what a rootkit is, it's just a combination of proven attack vectors, bundled together, because from an adversary threat actor perspective, what they care about is one single way to get in, but they don't know which way to go.

So what they do is they package all these things together, in a rootkit, and they execute this rootkit.

So usually, there's about 700 to 800 different attack vectors in a single rootkit, usually.

And you just need one to execute for them to find a backdoor.

But if you think it through, and I'm not giving away too many secrets here, but if you think it through, remember, by executing this one single rootkit, you're creating a lot of noise in the underlying fabric, right?

So in order for one to succeed from 700, 699 should fail. So that actually creates a lot of noise in the background.

So that's what we use. We use that methodology to re-engineer the Windows platform to capture that noise, so we know we are under attack, so we can actually take some preventative strikes, for example.

So it's funny enough that, I don't know whether you've heard of a product called Windows Defender ATP, and that was the very first implementation of Defender ATP, back in 2006, 2007.

So yeah, so that's how I got into cyber. Then I was privileged enough to then work with many defense organizations in many countries around Asia.

So Singapore, Taiwan, especially Taiwan, I helped them build the whole government-wide security framework, the defense framework, which was quite exciting.

I spent a few years doing that around Asia and U.S. Then I did a bit of, then came back and did, I was doing some of the IREP assessments, if you remember.

So IREP is a creation platform in Australia, where in order for any agency to use IT capability, it has to be assessed through an IREP framework, especially when it comes to cloud computing.

So I was helping about 100 plus services to be IREP certified for protected, for unclassified and protected.

So that was a great experience too.

So yeah, so that's been the journey so far, Chris.

So yeah. Just a question I've got. So you've worked with cyber, I guess, sorry, defense organizations across different countries.

When you look at their priorities, are they similar or are they different depending on which country you operate in?

Look, defense, to be honest, it is quite simple, frankly. If you want to distill the ethos of any defense organization is to support the warfighter, simple as that.

In one line, support the warfighter and everything is secondary, if I can say.

But at the same time, that actually introduces some very unique challenges when it comes to defense intelligence.

Because when you support the warfighter, which basically means you're going to go and get the best submarine out there.

And that submarine comes with their own IT system. Then you go and get the best jet fighter out there.

And that jet fighter comes with their own IT system. So none of these systems are standard based, because they're done through very specific military contractors.

And by definition, they don't want to do standards, because that's a security risk by itself.

So it is an interesting area to be. I see banking, open banking standards, manufacturing is open banking standards, logistics is open standards.

So if anything, they're coming closer and closer together, if I can say, with open standards.

But unfortunately, defense, I'm not saying they're getting apart, but they haven't really made much progress in the last 15 years.

They have fancy weapons, but all those fancy weapons come to this proprietary technology, which is not open.

Yeah, I can imagine. And I guess now as I guess as time progresses forward, I guess are the efforts now being, you know, we talk about physical defense, military, army, has, I guess, has the attitude of the priority changed to more of the cyber centric defense challenges that we're facing?

Yeah, look, you're right, certainly we are moving from that parameter security, you know, defense is very, I'm not talking about just defense here, defense general worldwide.

So like I said, I've been privileged to work in US defense bases of most of Asia.

Key ones, and they have that parameter security, you know, mindset.

So they're certainly moving away from them.

And I've seen and this is just a trend. I'm not saying it's happening.

This is the trend. You know, five years ago, defense was still defense intelligence are very particular about having their own data centers in their own, you know, own data center, data center locations, and their own people just doing it, you know, just physical security.

But now they're slowly getting into more of the hybrid cloud, in some cases, the public cloud.

In some cases, like for example, at AWS and Microsoft, especially in the US, I'm not sure whether you're aware of it, but this is again, not a trade secret.

They have what we call sovereign data center.

So essentially defense have dedicated data center on premise, or sorry, as in country apologies, not on premise, in country.

Because the biggest problem, one of the biggest problems with any classified defense intelligence is the data sovereignty.

So citizen data stays within the shores of the country, and it doesn't go anywhere else.

That's by legislation. So there are several, you know, but I think I see the trend happening.

You know, they're certainly open to look into the value proposition of the cloud computing capability.

But I still think it's a journey and we're only scraping the top, frankly, there's huge, huge potential for organizations such as defense, not just defense, homeland security, so home affairs in Australia, for example, Intel agencies, ASIO, SD, etc.

There's a huge potential still that they can leverage on platforms.

Yeah, absolutely. And I think that, you know, there is a clear parallel between the technology shift being perimeter based now to anywhere, protection anywhere and everywhere.

But just from a national security point of view, as well, we've, you know, we've pivoted to that sort of area as well.

I mean, yeah, it's one thing trying to protect the physical assets physically.

But now, you know, we're hearing undercurrents of, you know, cyber threats to take out infrastructure at a technology level.

So it's quite fascinating. Certainly, Chris, certainly the nation state part, you know, we can talk about the assets and the hardware part, the T4 security data centers and etc.

What is clear is that, you know, the nation state attacks has skyrocketed.

Just to give you some context to the viewers.

And again, my information is probably a year old or 18 months old.

I remember when I was doing some cyber defense operations center work for Microsoft, we looked into some of the, you know, again, all the time when I was in Microsoft, we were getting tangled up with NSA and CIA and all kinds of stuff, which is to be honest with you, it's just noise, frankly, there's no back doors.

I can tell you in my, in my teams and all the stuff we did, there was no back doors and this and that to the technology.

And I'm pretty sure that's the case for other CSPs also, frankly.

But the point I'm trying to make is when it comes to nation state attacks, one time we worked out, if you put the developers available in the all top five IT companies at that time, so the Google, the Microsoft, the Facebook, you know, etc, Apple, and I can't remember the fifth one, Oracle, I think, so top five developers, we came to a figure around quarter of a million to 300 developers, you know, basically cutting code, if you like.

But if you and I'm not going to name names here, if you look at one of the biggest threat actors from a nation state perspective, we figured out that point, they were investing double that people 600,000 people just dedicated, bringing down the defenses of other nations.

So, so it is a fascinating area to be in. And if I just digress to cybercrime, you know, the latest report, say I was doing a presentation the other day, by 2021, by the end of next year, they're estimating the global impact of cybercrime will be in the vicinity somewhere around 6 trillion US dollars.

All right, that is a big number.

And a lot of people don't even understand or comprehend how big that is.

But if you put in the context, if cybercrime is a country by itself, it is the GDP of cybercrime, the country is only smaller to the United States of America, and China.

So it will be the third, third largest country GDP, that cybercrime will be in the world.

So just to give people some context, so it is that big, and the organized crime behind it as astronomically gone, you know, it's, you know, it's very sophisticated, they got their own supply chain, they hire their own, you know, you can have work for hire for cybercrimes now.

You know, I think we offline, we had a quick chat about, you know, service attacks.

Now, you can pay someone 100 bucks a day with the SLA, the service level agreement to get that capability into your, your, your ecosystem and bring down your competitor, for example.

So anyway, so sorry to digress, but it's a very fascinating nation state in cybercrime.

Yeah, definitely not digressing, because I think everything's part and parcel.

And I think there's just so many things to think about.

It's like, you know, what sort of what area do you pick on? So it's just fascinating to get, I guess, a different perspective of, you know, you know, I work, I work on the vendor side.

So we have a very different viewpoint of the world.

And it's a very, I guess, multitude of different things that we need to viewpoint.

But I guess, from your perspective, again, you've got a different view, different level of experience and different background.

And I think that's, you know, it's really important that I think, as a, as an, I guess, as a sector that we, that we communicate and be open around what's happening in the world.

And we share our experiences and our different knowledges around that, I think it's super important.

Now, just on the, I guess, on the learning side of things, you know, when you look at, I guess, your career and what you've done, are there any specific lessons that you've learned in your travels?

And I guess, have you passed on any specific lessons in your, in your world as well?

Yeah, look, I've been a bit lucky, Chris, because, you know, I've always had a, I mean, interesting thing about me is I always had my academic career path parallel to my professional path.

So that's something I consciously did. And and probably, you know, that that goes into my book writing and publishing and stuff like that.

So, and that's something lessons learned, as in, I would like to encourage others to do, because some people, they just go to university to get a degree, just to get a job, and they never come back, or they, you know, officially stop learning from an academic perspective.

But if you can put, if you can have like a one foot in both cams, I think it works certainly for me.

So I'm not saying it's going to work for everyone.

But I quite enjoy the teaching part of it, I quite enjoy the research part.

And, and it feeds off each other, that my academic career and my professional career, I guess, lessons learned perspective, I mean, look, what I've learned, and I've been lucky enough to work in, you know, multiple parts of the world, fortune 500 companies, the requirements are usually the same, frankly.

And, and what we have, what we're noticing is, you know, what used to happen is security used to come right at the end of any project or discussion.

And that's why there wasn't much focus on it.

And there was all these zero day attacks, and all these loopholes in the system.

But what with cloud computing, what's happening is the shift to the left, if I can say, is basically means identity and security, actually, the very first things to be done, which is great, right.

So that is a key lessons learned, I think, for us for the industry that and, and our industry cybersecurity is just going to grow and grow and grow.

So as a heads up, I think it's estimated what 3.5 million jobs are outstanding in the in the cyber security space around the world.

So there's a huge demand for professionals out there.

So certainly, our work is going to grow more and more. So concentrate on now someone's acquiring some of that skills as lessons learned, from my perspective.

But I think, on a general term that can touch on everyone, and the older I got, I think I tend to listen more.

And especially now, especially now, in our industry, when we're doing an incident response, for example, so I've been I used to run the incident response team earlier, it's a very stressful situation.

For a lot of people, you know, you're almost guaranteed, if you use a scissor, you're going to get fired.

If there's an incident, and then you're trying to stop the bleeding, if I can say, and you're trying to get everything together, you're trying to get the right communications to the upper management and board.

So in that situation, you've got to be very empathetic. And you have to listen.

I think you have to have a sense of calmness. So those are some of the professional lessons learned, from my perspective.

Yeah. Perfect. Dr. Chris, I don't want to cut you off too early.

And I really think we need to have a second session, because we haven't even scratched the surface yet.

And I don't want to get you into a topic where I have to cut you off, because we do have about a minute to go on the session.

But yeah, I'd love to have you back on the show again in the future as well.

But before we leave, I'd love to, is it, you know, is there a piece of advice you can give either to people doing academia, or even people, professionals, that you'd like to give before we before we cut it off?

Yeah, look, I think that's a very key important point, Chris.

So so look, I get this question all the time from my students, etc.

So just very quickly, the key advice I want to give you is, you know, a lot of people think cyber, cyber security and cyber crime and all this stuff is very complicated and very technical.

Yes, there is, you know, I've done that part.

But let me tell you, that's only five to 10% of the work we do.

But there's all this compliance work, for example, maybe an accountant, the great thing that I had was my business knowledge and, and the, and the ideas of risk mitigation, auditing, there's a lot of compliance rules out there, guys, guys.

So you know, go for those, you know, don't get sidetracked with the technology.

So that's number one. And get certified, please get certified. There's great, great courses available.

There's great university in Australia, places like RMIT, places like University of South Australia, places like University of Canberra that I teach, for example.

So get get territory education, and also get industry qualifications, for example, CISSP is a key industry qualification.

If you're looking for some other courses, when it comes to threat hunting, the SANS Institute, SANS, US Institute has some great courses.

So get certified. And finally, if you can get a get a security clearance, having security clearance is quite vital to do some of the advanced workloads.

So they'll be my my key, you know, key messages to our colleagues out there.

Beautiful. Dr. Chris, thank you so much for your time today.

I really appreciate it. I look forward to catching up with you in a couple of weeks and look forward to having you back in the segment.

Thank you, Chris.

Thank you for the opportunity. See you later. Bye bye. Thank you.

Bye.