Protecting Small Businesses in the Digital Age With Chris Petersen From Radicl

Show Notes

Ever wondered how a degree in accounting could lead to a thriving career in cybersecurity? Join us as Chris Petersen shares his riveting journey from Colorado State University to becoming a cybersecurity expert. Initially hesitant to dive into engineering, Chris leveraged his minor in accounting information systems and a golden opportunity at Price water house to pivot into IT. His story underscores the importance of adaptability and seizing opportunities, offering invaluable insights for anyone contemplating a career shift in the tech industry.

Small and medium-sized businesses (SMBs) in critical sectors often find themselves in the crosshairs of cyber adversaries. Chris and our hosts dissect the pressing cybersecurity challenges these businesses face, especially those in the defense industrial base. Learn about Radical's mission to democratize enterprise-level security through cloud technology and AI, making it affordable for vulnerable companies. We also discuss how upcoming regulations mandating third-party cybersecurity assessments could change the landscape, ensuring that contractors handling sensitive information are adequately protected.

Finally, we tackle the evolving threats in the defense industry and the necessity for advanced threat detection and attribution. Chris offers an insider's perspective on the methodologies employed to counteract these sophisticated attacks. We also delve into the controversial topic of a national digital ID system, debating its potential to combat identity fraud and deep fakes while navigating the intricate balance between security and privacy. This episode is packed with critical information and actionable insights, making it a must-listen for anyone invested in the future of cybersecurity and digital identity.

https://radicl.com/

Support the Show.

Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902

Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today

Chapters

• 0:00: Navigating Career Paths in IT
• 13:22: Cybersecurity Challenges in Small Businesses
• 22:40: Enhancing Cybersecurity for Small Businesses
• 30:14: Advanced Threat Detection and Attribution
• 47:07: National Digital Identity Verification Solution

Transcript

Speaker 1: 0:53

How's it going everyone? So, before we dive into the episode, I really want to say thank you to everyone that is listening in, that's tuning in, that's enjoying this content and getting value from it. I really love that. That's why I do it following the podcast, and I really want to encourage you to please follow and subscribe the podcast on whatever platform you are listening or viewing this on. It really helps out the podcast, it helps out the algorithm, it helps more people hear this content that you already find helpful and that they hopefully will as well. So, if you go ahead and subscribe or follow the podcast on any platform that you're listening on and please share it with your friends, that'd be great. All right, thanks everyone. Let's get into the episode. How's it going? Chris, it's great to have you on the podcast. I'm really looking forward to our conversation today.

Speaker 2: 1:53

Yeah, thanks, Joe Great to be here.

Speaker 1: 2:10

Yeah, absolutely so, chris. You know I start everyone Great to be here time. You know I remember when I was making that jump and all that I needed to hear was that someone else did it from a similar background, so that I could tell myself, like, hey, this is possible. You know, this is something that I can actually go down and achieve. So what's your story? You know what made you interested in IT. What made you, you know, go down this path IT. What made you go down this path?

Speaker 2: 2:38

Yeah, I mean I guess I had a pretty non-traditional, circuitous route to cybersecurity, certainly, and even IT. I graduated from Colorado State University with an accounting degree. I had wisely chosen to get a talent and trade for a minor in accounting, information systems. That was, I'd say, one of the you know a few good sources I met in college but that ended up serving me well. So I managed to get done at Pricewaterhouse. There's a pretty good story behind that. You know got into a really good firm and they kind of I got into a really good firm. I got there because of that concentration. They needed somebody to help them deploy clients for technology or place a mainframe application. They said, hey, you're accounting, you've got systems, we'll train you and see if you can do this.

Speaker 2: 3:30

And it turned out I was pretty good at it. So I did that for about a year. So I got trained out of paper stuff that quick and learned on the job. Um, staying in training that paper stuff that quick and learned on the job and um, and then actually I went back to the evangel auditor for a year, found out that wasn't really all that appealing to me and then learned about their it audit practice and began to pursue that and that's next time, I think got me more into the into the audit side and more the IT side, and that then kind of really propelled me more along the IT and cybersecurity path and again those softwares and tooling to try to automate things that I wanted to automate, and I had an act for that as well on the software side. And you know, I think just those early experiences, just you know, being asked to go learn, get your stuff out, and being presented with the opportunity to go throwing hand in technology, is what really shaped my career.

Speaker 1: 4:29

That's really fascinating. You know, when you were getting your degree, did you see that specialty or that focus of information systems as the future? You know, did you see that and say I could see, you know, computers and IT systems becoming a thing in the future? I'm going to go down this route, or was it kind of more happenstance?

Speaker 2: 4:51

Yeah, I mean it was. You know a little bit of both. I mean I'm kind of. I mean I was always. I always I was definitely a high-leverager. You know technology. I sat around computers and things like that when I was younger. So I was a very more advanced tinkerer than most and I chose accounting because, honestly, I was too lazy to do all the hard work in engineering. I started at CSU and as an engineering major and I got another top two and three. It's like, oh my gosh, this is going to be a lot of work. I'm going to have to get to the bottom of the study, um, and then I said I, I went to Cali, dats, I do I, but I did this kind of, I think, saw a little bit of the right in the wrong in terms of system was going to be and technology was going to be driving the future economy and the future of business. I did make a choice to go pursue that concentration for that reason and I had to take care of my technology.

Speaker 1: 5:54

Oh yeah, when I was in college I had a friend that went down the engineering path. I think it was like the mechanical engineering path and you know he would talk to me about, like the math classes and the physics classes that he'd have to take and, like man, like I enjoy calc one, but I don't know if I enjoy, like you know, five steps above that. Um, it's, it's. It's an insane amount of work and I feel like it's really hard to kind of figure out what that work is going to be like until you get into it. But it's just, it's an insane amount of work. You're nonstop studying.

Speaker 2: 6:31

You are. Yes, it's a different level of you know, especially when the schools, at least CSU, they put you know, especially when the school, at least CSU they put you know, they kind of weed out when we farted by having physics at 8 in the morning, and so if you're willing to get up at 8 in the morning and go do physics, you probably shouldn't be pursuing engineering, and so that did also help to weed me out. Yeah, yeah, thinking back back I can't my boys watch this episode. That's not good.

Speaker 1: 7:03

I'm saying too much yeah, thinking back, it was uh, that is interesting. The all those hard classes were pretty early in the morning too. For for my uh program, you know, I tried to go pre-med at first, right, so you have to take, like chemistry and physics and you know, calculus and all all those fun classes and all the hard ones were in the morning. It seemed like 8 am, 7 am, there was no breaks. I think that that helped. That definitely helped.

Speaker 2: 7:34

Weed me out now that you bring that up, I think that definitely helped I think it's deliverance probably smart, right, it's kind of like what if you're not willing, you know, now to go do this, you know, yeah, like four more years of this.

Speaker 1: 7:45

So you know, buckle up right, yeah, if you're not willing to do it now, then you're definitely not going to be willing to do the hard stuff when we actually get to it yeah, that's right, it's a lot of sense.

Speaker 1: 7:57

Did, uh, did you kind of you know, talk to me about that opportunity of being handed you know new things to figure out? Right, were you? Were you nervous, were you going through imposter syndrome at the time? Because I remember when I was, you know, handed new things to figure out for myself, I felt like I was you know an imposter. Surely, in this project they're going to figure out, I'm not the person that they should have hired, you know, and I'm going to be shown the door and things like that. Right, did you go through something similar or not?

Speaker 2: 8:33

Yes, yes, in multiple different ways, you know for sure. I mean we just started. I mean I was showing up this down. When you work for a firm like pricewaterhouse people, you know the expectations are pretty high, um, and you know, I think it's like I kind of had an interesting path in there, but so I I had kind of overcome that through my great along, you know, or a firm like that, and so I had a bit of, I'd say, insecurity or imposter syndrome for a while until I dug down my feet in an early phase. But yeah, I mean, yeah, I really loved about that experience and some of this was because the field was very new.

Speaker 2: 9:14

You know, it audit, edp audit, it security it was a version you built on an IT audit. There really wasn't internet security at that time. I was kind of right there when IT audit was becoming internet security and Cork America was connecting their networks to the internet or thinking about doing that, trying to figure out is this a good idea or not? Hey, there's a thing called a firewall. Should we get a firewall? So I was kind of there at that time and and so I was often asked to go in and assess things or figure stuff out. You could do an database security assessment or application security assessment or a junk fulls review and like, here's your list of things to go look at. There's something else put down before you and some structure there, or we don't have that yet. And go to Barnes Noble and go buy a book and figure it out and show up the next day as an Oracle audit expert. And so I have to go do those things and go on the fly, read, learn and try to go show up with some printed people who were doing things like Oracle DBAs, as that was their job and profession.

Speaker 2: 10:24

So it was a lot of pressure. I guess I was pretty good at picking things up pretty quickly and synthesizing knowledge and they had to account for it. But yeah, there's a lot of times it was their right and going in just not knowing if somebody could call my bluff and just be like, hey, yeah, you're, you really don't know what you're talking about. It's pretty clear, let me, let me school you up. But yeah, often, even when they knew that, yeah, yeah, a lot of you know people are best only kind of know like, yeah, you're so figured stuff out yourself and you're, you're doing a job, so there's also some grace given yeah, that's a.

Speaker 1: 11:02

it's an interesting skill to have and develop.

Speaker 1: 11:06

Right is being you're being paid for to be the smee, but you're not really the smee, yeah, and you're trying to figure things out, right, and you can kind of get by with using the right words, using the right terminology and whatnot right.

Speaker 1: 11:21

But when it comes to hands-on keyboard technical perspective, you may need a little bit of assistance and whatnot. And it's an interesting environment, right, because I remember when I was starting to go, you know, on client calls to different federal agencies I mean I was early on in my career, I didn't know what, I didn't even know Trying to be the SME in that environment. I mean you have the guy wrote the vulnerability scan software that you're using right there at the desk and you're saying you at the desk and you're saying you know contradicting things and it's, um, it's definitely a learning experience. Did you, do you look back at those skills that you, you know, learn working under that pressure and do you think that it benefits you now? How? How has it benefited you or changed your mentality towards you know, adverse conditions and new problems that are coming up in the modern world within your new you know company and role?

Speaker 2: 12:28

Yeah, I mean it definitely saved me. I think it helped install me high, you know, high self-efficacy, you know kind of notion that I just had. I believe I can figure stuff out, and so I was forced to do that and I did. I think, just generally speaking for people early in their career, I think just that philosophy of figure it out, there's so much, there's so much, there's never a better resource of knowledge and intelligence like there is today. And so, you know, be curious, go learn, figure stuff out, just be willing to just go out there and take a risk as well, push the envelope. But yeah, for me I think that instills a lot of high self-advocacy and also just the notion of what's been figured out, I figured out.

Speaker 2: 13:22

And I've been a lifelong learner in my profession. Through all those other jobs that I had, I was always being pushed forward in roles I wasn't really qualified yet to do and always, you know, being in competence and the same thing that I, you know, found the, you know found the law rhythm, and you know that was every single year being pushed to to grow and to scale and to pick up new skills, whether the technical side or leadership side, managerial side, strategy. Um, you know, it was just and you have to figure stuff out. Now I'm doing that same thing in Radical as well and it's fun. It's challenging, stressful at times. You know you're not just doing the things. You know in a beer every day and some great stress, and some days the stress gets to me more than others, but I'm always glad that I continue to grow and learn.

Speaker 1: 14:15

So talk to me about Radical. You know what do you guys focus on? What's the area of expertise within the security world?

Speaker 2: 14:36

the defense industrial base and US critical infrastructure.

Speaker 2: 14:40

That's the fundamental goal, that's the mission, and for us, we're going about that by trying to secure the S&B segment.

Speaker 2: 14:50

Companies, under-clad employees, these companies that serve defense supply chains, serve critical infrastructure, they are being actively targeted by nation state threats, atts, I believe a lot of them are lightly you know, actively compromised. And because this is this is nation state espionage, it's also, it's also cyber warfare and it's posturing and it's preparing for future conflicts. And these companies, they're involved in it. They typically have not had the defensive arsenal and capability set to actually defend themselves against that classic adversary due to cost and complexity. So we're trying to bring a very advanced, more like enterprise, big bank-grade cyber security defenses to this segment. And so for us, that is, you know, managing their attack surface, shrinking it across time, and then it's also handling their threat detection and its response capabilities, making sure that press don't go on scene, on the art scene they can investigate and also any damage to its response very, very quickly, and trying to do all of that in a way that's easy for them to consume and a price point that they can actually afford to pay.

Speaker 1: 16:15

Yeah, it's a fascinating area because it's often not even looked at, not even thought about. You know this, uh, these really small, tiny companies that don't have the budget to pay for you know a solution like crowd strike or splunk right or whatever it might be. Uh, you know how are they protecting themselves because you know they, they may be a small business and they have one or two government contracts and those one or two government contracts might be designing, you know, the radar system for a nuclear sub. It's, it's interesting what the government will trust with smaller businesses, you know, to do for them and it makes sense why they do it. Right, you kind of want to disperse out these different systems and have different manufacturers and different R&D processes and whatnot.

Speaker 1: 17:10

But at the same time, it does open you up to risk, because I remember actually reading an article where, you know, the FBI identified that, you know, a foreign adversary was infiltrating the power grid via a small business.

Speaker 1: 17:26

It was literally this guy and his wife, you know, owned and ran this business and he would go out and work on the power grid at a substation that was, you know, nearby his place of residence. Even, right, it's in the middle of the country in the middle of nowhere, you know, like Montana or something like that, right, and they identified that, you know, the country's power grid was being infiltrated by this small business. Well, this guy doesn't know anything about cybersecurity. Like, when the FBI showed up at his door, he was confused as to, you know, like, how is this even possible? You know, like, I bought a laptop from Dell it was a new laptop, I don't know what to tell you I hook it up Like this is what I do, and, um, you know, he couldn't even he couldn't even wrap his head around what it was that was going on. And so it's a, it's a sector of the market that, in my, is often overlooked, you know, in terms of cybersecurity, but it's a place where we're probably the most vulnerable.

Speaker 2: 18:26

Agreed, yeah, and I've, you know, I've been concerned about that for a long time and that's been, you know, past the mind, especially that you know it was also the impetus for starting LogRhythm as well, kind of that same concern, but, yeah, it's overlooked. It is overlooked. I think it's overlooked in terms of the vendor side, you know, because the challenge with this market is it's hard to make money there, right. And as for us, the tunnel challenge that we have, I think we can do it because technology has evolved in a way where we can get to a solution that can be affordable and also high quality, based on cloud and AI and just the modern tech situation. But in the past that hasn't been possible. So, from the vendor perspective, they have often been overlooked.

Speaker 2: 19:17

The government has not been overlooked and they've been very concerned for a while. It has various clauses, key clauses. You know C-724, I mean a key one, where they're supposed to comply with the J-171, which is a pretty rigorous compliance framework. The challenge has been there's not been enforced of it. And there's self-reporting and companies can self-assess every three years and there's a score, or a score is not necessarily really evaluated in terms of their ability to contract currently, and so there isn't an economic incentive to invest in cybersecurity where it hasn't been. One is coming with the cybersecurity and material modification process, where that will actually be a compliance methodology that will have teeth and independent third-party assessments and that will hopefully level the playing field so that all companies need to invest the appropriate resources to actually be secure if they're handling what's called full-time information recouping, which is the near-sensitive stuff that the government must make sure gets protected.

Speaker 2: 20:34

So there's been focus on it. It's just the challenge has been government moves slowly, um, there's no enforcement model and these are small companies. They've got businesses to run, they've got employees to pay and they're already working on narrow margins and and so they can't. You know, they can't justify to spend the size of security because no economic benefit. Um, and others could just say I'm not going to spend it and therefore I'll underbid you on price, right. So what CEO's going to say I'm going to allocate 5% of my budget to cybersecurity when CEO is not going to do that, or competitors? Now everything I do is more expensive than that, and so it's kind of an economic model that is, I think, broken right now. That is ultimately driving the underspend and underdelivered side room assignment.

Speaker 1: 21:27

Yeah, that makes sense. Was there an experience you know previously in your career that you know kind of opened you up to this whole problem within the sector?

Speaker 2: 21:42

well, I mean, you know. I mean I'm a patriot. I never served myself in the military. My grandfather served, my dad served and I, you know I love our country. You know the country is not perfect. We've got things to go work on, as does every nation, but I believe it's a great nation and once you protect it. And so that's really the root of it. It's me wanting to help serve my nation through the skills that I have, the talents that God's given me.

Speaker 1: 22:26

Yeah, that's so fascinating, right? Because it's fascinating because, you know, at one point in time, right, I wanted to go into, like, the federal sector and work for different agencies and whatnot. It never panned out for me for one reason or another, right, like there's a million reasons why you can be disqualified from these processes. And it was always so very frustrating to me, right, because I was told at one point in time oh, you're too young, you got to wait until you're 30, right, and my response was you do understand that, like, I'm literally willing to hop on a plane to go to Afghanistan right now. Like, right now, if you tell me where to show up, I'll go, but when I'm 30, I'll probably have kids, I'll probably be married, there's no way I'm hopping on that plane. Use me now.

Speaker 1: 23:16

It never really panned out, for one reason or another, probably for the better, I guess. But it's interesting for me to see how people you know get into this world, right, because you're kind of in a quasi space where you're where you're kind of, you know, one foot in one world, one foot in the other world, and you're trying to help both worlds, I guess yeah, yeah and yeah, I mean, indeed, I think, people in cyber security generally.

Speaker 2: 23:46

I mean it's kind of, you know, it's cops versus robbers, a little bit right. It's it's kind of good guys versus bad guys, and so I think a lot of the citizens feel we're in it because you know we want to help protect and and, by the way, get back, um, if there are. There are adversaries and threats out there that they're seeking, but you are, whether Whether that's at a nation state level or it's ransomware that might jeopardize a family-run business that's been around for 100 years. 10, 20, 100 employees, other paychecks None of that's good. I think a lot of folks in this industry care about that and want to just get in. You're getting away of those, those threats how?

Speaker 1: 24:30

so how are you able to create a solution that is cost effective for these smaller businesses to use? That, you know, provides, uh, these advanced capabilities? The reason why I ask is because I'm over here, I'm looking at my CrowdStrike renewal and I mean it's an arm and a leg right and they offer similar stuff, but it's not geared towards smaller businesses. I remember when I was working for a much smaller company, somewhere around 50 people, and we had government contracts, I I guess very naively, you know approached my, my vp saying, hey, we should get something like crowd strike on our machines. And you know whatnot. He looked at the pricing. He's like, hey, this is like double our it budget. You know, like we can't do this yeah, now that is.

Speaker 2: 25:22

That is a fundamental challenge. So so part of it is we are CrowdStrike partners, we work with CrowdStrike and CrowdStrike has programs that align for the SMB. So that helps us out, helps the customers out. But I think it turns out in this particular site and it starts with one, yes is making it easy. The ads can be easy to adopt, rapid to adopt, and part of that is we can't assume that they've got a bunch of people on their team who want to spend time doing security or even IT, and so we've got to take it off their plate. And that's part of what we've built. And so we've built a platform that allows us to become seamlessly their security operations team as well as our compliance operations team, so we have an compliance side as well, and so through our platform, we are able to drive their tax service management process right. So we are scanning for vulnerabilities on their behalf, identifying configuration weaknesses. We're doing security awareness training. We're just delivering all of that to them through our platform and I'm helping them just over time on the ASM side, shrink the attack surface, where all they have to do is just pass the things we tell them to pass across time and we can dole that out in bite-sized chunks so we're not overwhelming them.

Speaker 2: 26:48

On the front side, we're the ones that are monitoring anything that CrowdStrike would tell us about. We're also pulling other data from sources like OPCD Plotter, google Workspace and running our own text analytics against it. If we see something, we triage it, we investigate. If there's an incident, we then manage the response process. We pull the customer in if we need to for our platform by tasking them to do certain things with clear guidance, and in SMBs, that person is being tasked off an MSP we use running their IT. Our platform allows us to task either the MSP or the internal IT and also keep their CEO or CEO in front of everything going on, and so that's how we've approached this. It's kind of this platform-led delivery where we can become that team seamlessly, high transparency, where very quickly it's in place. I mean we go and employ within a day, we're collecting data, we've got visibility and we're monitoring and we're beginning to identify vulnerabilities and beginning to work on our plan to shore those up across time. And the reason we can do that more affordably than in the past is we know a lot about security analytics.

Speaker 2: 28:11

That's Mike Akron. I'll honor them. My co-founder is my brother. He was 25 there. We know a lot of platforms allow us to better use data, both for detection as well as workflow automation. Us to better use data, both for detection as well as workflow automation. As you can imagine, we're building a lot in our backend platform that allows us to unleash the potential of data. It also allows us to unleash the potential of AI as well, to then increasingly automate things that humans have to do today. That is the technical side of how we get to a hyper-efficient scale that allows us to have a very affordable price point. Ultimately, ai is taking over more and more of the things that have to be done. It had to be done by a human operator.

Speaker 1: 29:05

Yeah, that's really interesting. It seems like that's probably the only way that you can really penetrate into this market and really help them out is to being able to augment a huge portion of that IT responsibility for that company. That makes a lot of sense. Have you, out of curiosity, for that company? That makes a lot of sense? Have you, you know, out of curiosity, have you seen an increase of either attacks or type of attacks against you know, some of these smaller companies in correlation to other world events, right? So you know I'm thinking of, you know, different tariffs that might be imposed on China or the Ukraine war that's going on, right? Did you see an increase of these kinds of attacks? Even you know preliminary attacks, right? Because? I ask because before Russia invaded Ukraine the second time here, you know, months beforehand they were attacking Ukraine and, you know, trying to cause different havoc with different cyber attacks before an actual kinetic attack occurred.

Speaker 2: 30:10

Yeah, yeah, I mean it's hard. I say empirically that we have seen an increase in frequency. We have certainly seen an increase in the targeted tactics. Have certainly seen an increase in the targeted tactics. One of the things that we do, because we're a defense industry base, is we tie into various intelligence channels and we have noticed tactics that are emerging that are being used by various agency actors to target and penetrate this class of company. We go then hunt for any IOCs for those given tactics, and that's one thing. We have seen more emergence of more recently aroused geopolitical events. I think that will only continue.

Speaker 1: 31:07

So I think that will only continue. So I think one major question that the industry is facing is you know, once you've been breached or attacked in a certain way, how are you going to ensure that the attackers are out of the system? Is there a way that you could potentially walk me through how that happens, like how you can, you know, provide some sort of clarity around that, because that's even a difficult question for me and I'm in the industry. But a friend of mine who was a director at a company said that they were recently breached and and his first question to me was how do I know that they're even gone? You know, like I don't know right, and it's a difficult question to answer.

Speaker 2: 31:54

It is, and so, yeah, we are doing this. It's not always possible, but if we are able to identify a certain tactic or a tactic that is either successful or unsuccessful, that we might need to manually hunt for on an occasion, we can take the learnings from actually an active incident or a precedent and we can instrument those learnings in detection rules and CrowdStrike is a very capable detection engine on the endpoint and so we develop our own bespoke traffic detection rules that will leverage the intelligence gained through threat hunting or incident response efforts, and we'll do the same in our own proprietary detection pipeline, which is analyzing other forms of data, to take this visibility beyond the endpoint. So that's a big part of what we strive to do whenever possible is we have a step in our sequence called free critical resiliency, and so in our workflow, in our virtual SOC, resiliency is where we take those learnings and we would try to put things in place. That would be that would trigger. If you ever saw that same tactic you know employed again, or a similar indicator emerged in the environment that might point to that threat did leave something behind Because that's a challenge is these very advanced threats.

Speaker 2: 33:33

If they are allowed to get in and stay in, they will leave behind backboards that might awaken six months, nine months later, and it would be hard to suss out if they go live again. But the things that we learn, though, can at least help us maybe find an indicator that starts to peak in, or peak in a peak. There it becomes actively concealing environment.

Speaker 1: 33:59

Hmm, are you potentially at this point with enough data and I'm not saying that you have enough data or anything like that, right, but when you see an attack occur in an environment and you get it out of the environment and you're creating those rules, are you able to potentially even adjust the attack parameters and say, oh okay, they might tweak it like this if they try again, or they may adjust. You know this thing over here. Whatever it might be, are you also making those adjustments up ahead to make future attacks even more significantly difficult for the attacker? Or maybe I'm just spitballing and right like I don't know what I'm talking about.

Speaker 2: 34:46

Yeah, no, when possible we will. So we're generally trying to detect the general tactic and patterns we might observe in data that would indicate that that tactic is in use versus a very specific IOC which across time might change or might be different in a different environment. And so that we're trying to those. Rules are trying to build more on a tactic level which should be broader in nature and allows to detect a similar method of attack in going forward, regardless of the environment or the specific technical details of the instance of that attack yeah, that makes sense.

Speaker 1: 35:37

Well, have you potentially seen different tech attributes, right, or methodologies that that kind of correlate to a nation-state actor, the?

Speaker 1: 35:46

The reason why I say this right or ask this question is because you know a lot of the times when a report's released about reports, release about an after action event, right, a breach happens of some, some, some you know situation and they always tend to leave out you know the attributed nation states that they believe it came from or anything like that. And in security, you know, I still feel like there's different techniques that Russia would use versus the US or versus China or versus Iran. There's different methods of doing these things and these different nations. They have different priorities and different attack methodologies. Right, like where Russia will just hack into the power grid and, like you know, blatantly take over your screen and move your mouse around. Right, like they did in 2014, where the US isn't known for doing that as much. They're more from the passive, gather the intelligence and then use it at a later time. Are you able to see those sorts of attributes as well to these attacks?

Speaker 2: 36:59

Yeah, yeah, I think the reality is a nation state, or really any threat actor, is only going to work as far as they need to. So they're going to start with more highly automated attacks and tools, things that are taking advantage of commonly known, you know, weaknesses and vulnerabilities. If that doesn't, you know, work, then they're going to start to go more specific and maybe start launching some more targeted phishing or phishing, you know, CFD type campaigns to see if they can, you know, use or make a mistake campaigns to see if they can, you know, either make a mistake, and if that doesn't work, then they might begin to deploy more. You know novel tactics right, and you know so. And this is where nation-states, you know, have more wherewithal because you know and they're nation-states from the practice of harvesting zero days They've got teams of very smart users who will scour through open source code repositories or take closed source systems and try to find weaknesses in those systems that can be exploited at a later point in time as a zero day. They hold onto those dearly. They don't want to let those go in the wild unless they absolutely have to. They'd only be employed against a highest-value department. Once they're used, eventually it'll be discovered, then you can build a rule of signature going forward.

Speaker 2: 38:36

That is where the detection analytics becomes much more sophisticated and complex and really is where things like anomaly detection come into play. When we think about how we look for signs of a threat actor in an environment. There's the things that we know to go look for because we threat actor in an environment. There's the things that we know to go look for because we observed them in the past. These things are all now chronical and great repositories like Envire Attack Framework, which is a fantastic resource, but there are these more novel attacks. There's also now Living Out the Land, which is also the merchant technique of a nation-state or advanced threat actor. They're not going to use tooling or techniques that would be detected by Kraus-Fried or other detection technology. They're using PowerShell, which might already exist on the system, and using that under credentials that they've compromised through other means, and so you know those things become harder to detect because they're using tools in the environment, using accounts that they've got access to and they're blending in.

Speaker 2: 39:51

And that is where anomaly detection then plays a role, where really the only way you can suss that out is by identifying shifts in behavior, shifts in behavior for an account or a collection of accounts tied to a user, or shifts in behavior of a process on a system or a system in general and how it interacts with other systems.

Speaker 2: 40:17

And that is hard to do well without having a false alarm factory, but that is where you get on the very vamp side for detection. Anomaly detection needs to play a critical role and the challenge with anomaly detection is that you need a lot of people traditionally to do that well, because you're going to fire off a lot of alarms that somebody needs to go investigate because the false positive anomalies currently and historically have been very high. It's hard to differentiate between an anomaly of an account, which is a user just shifting their normal behavior to an account that is actually under the control of a threat actor. Those two things are hard to differentiate in data analytics and that is for us a big area of innovation as far as going forward is the anomaly section layer as we continue our roadmap on the path towards nation-state threat resiliency.

Speaker 1: 41:22

Yeah, that is. It's a really it's a really challenging area, right. We're kind of moving into this place where we're getting so advanced, you know, the defenses are becoming so advanced that the attackers are coming out with, um, you know, like things that you would just never think of as attack factors and as methods of compromise, right, and it's always interesting for me to kind of see where this is going. You know, and you know for you as an expert in the field, where do you see this evolving to right? Where do you see this evolving to right? Where do you see potentially, the threat actors evolving to to counteract a anomaly detection system? And then what are the protections that could even come into play in the future of, you know, addressing those risks?

Speaker 2: 42:15

yeah, I'm gonna hit. Sorry, it's hard to know for sure where it's going to go, but yeah, ai is certainly going to, you know, increase an important role in it. From you know just the ability to better synthesize engineering type attacks, whether that's through, you know, through email or text or voice, or right, I mean you can bring me a phone call so that sound like your mom or their dad, um, asking them for information, for help, because that can voices cannot be stolen that image or a video, something that they love, you know, and yeah, and in in harm's way and suss that out as fraud or fraud, or so you know we're going to see, you know, that class of attack on the social and human, you know side of things. Uh, and then you know things, and then AI is also going to be used to accelerate the pace of finding weaknesses in software vulnerabilities and also to exploit them from an automation perspective, and so there's just going to be an accelerant and an enablement factor across all attack vectors, and the same then needs to be seen on the defensive side as well.

Speaker 2: 43:20

I think the challenge is that the offensive side faces the defensive side, and so there'll be some catching up to do on the defensive side. That's why I've personally always been a huge believer in really just threat detection and incident response, because I just think you know you can never. The threat actor will always have motivation. They will typically be ahead of the defensive mechanisms that can be put in place from a prevention perspective and you just have to be able to detect, you know, these indicators of compromise responsible because you know, because a motivated threat will get through. And so for us on the defensive side, I think it's really going to be looking at how can the advancements in AI and machine learning help us better synthesize the data that we now have access to there's so much information now that we can require about IT infrastructures and environments how we better synthesize that to understand when we see meaningful shifts in that environment and to pull them out with increasing accuracy.

Speaker 2: 44:30

Ai should play a profound role in the evolution of anomaly detection and the accuracy of anomaly detection. Anomaly detection and the accuracy of anomaly detection. It also should play a profound role in helping to guide and augment human security operators, be that security co-pilot type ability that helps them to make better, more informed decisions or even predict and suggest the course of action to take in a given scenario or condition and eventually do it for them. That's the ultimate place we need to get to is that AI is actually making the end-to-end determination of that's a novel attack. That system's compromised, that account's compromised along with the 10 others, and the AI is empowered and able to disable those accounts, that system, without compromised, along with the 10 others, and the AI is empowered and able to disable those accounts and build a GNS system without any human being involved.

Speaker 2: 45:24

You know that is the pace we need to get to from a defensive perspective. That's going to take years of innovation to get there, because it needs to be completely trustworthy. You can't have an autonomous agent, an entity in your environment that is beginning to change the IT infrastructure on the fly based on what it's observing, if you do not absolutely trust it, because ultimately, business rules out of a risk. You have to run your business, and so you know, mississippi Gold H, ours. We see ourselves as an AI platform. Ultimately, how do we evolve the platform to the point where that AI becomes more independently you know sent is not the right word but you know, more independently, empowered to take actions without a human operator being in the loop, with increased frequency?

Speaker 1: 46:24

It seems like it's going the AI route on both ends, where attackers are going to be using AI to mimic someone's voice that you trust and know, to mimic you to gain access to your accounts and things like that. On the other hand, we have to evolve as well and develop ai to, you know, identify those other rogue ais. Right, it's a interesting, you know it's a. It's an interesting time because we're like right at the very beginning where we're starting to see like computers versus computers in a very real, tangible way yeah, it's, yeah, it's a real problem.

Speaker 2: 47:07

I think you know I look I'm not.

Speaker 2: 47:10

You know, politics aside, you know, you know, I think there's a, there's a, there's a, there's a very strong argument now for some kind of a national digital ID system and, almost like NASA public key infrastructure where people's you know, you know digital identity can be verified.

Speaker 2: 47:26

You know, and we need to get ahead of this in some way so that when I send something or my image is included, you know, is this part of a picture, part of a video where my voice is recorded, is part of a picture, part of a video where my voice is recorded, that can be cryptographically signed in some way and be verified as actually being me and to me. Like you know, I'm not being on my cryptographic knowledge, but you know, pci-extra, which was when I was back in cryptography, could have a role to play here. But one way or another, I think if we can't get on top of being able to actually verify that the current center entity in an image or on voice or in communication is actually who they are, it's going to be a bit of a wild and scary ride. And the security side, it's going to be a bit of a wild and scary ride. And the security side it's going to be hard to address.

Speaker 1: 48:27

Yeah, that's an interesting problem. Slash solution, right. I've thought about that digital identity verification before and just as a security professional, right it.

Speaker 1: 48:41

It makes me nervous yeah because then I started thinking of okay, well, how can that be used against me? How can it be potentially stolen and, you know, impersonate me? Right, because that will. That will shift the focus of you know nation states, which unlimited resources, and if they just say, hey, we're going to break into this database, no matter what, you know, we're going to find it, we're going to get all the information from it, it's really it's almost more of a you know matter of time until they do it, rather than they'll never do it. Right, but at the same time, we need something like that to kind of get ahead to provide the privacy and the identity verification of people on social media, of people over email and things like that. So it's an interesting problem. I almost feel like there's no right answer right now, at least I don't know, maybe for myself, right, maybe I'm too, maybe I'm too too on the negative side, I guess it's a tough one.

Speaker 2: 49:43

My views have changed. I mean, it's 20 years ago. No way I want that, because I haven't gotten that kind of insider information. But I think for me is, um, I, yeah, I, I would fashion myself a pragmatist and you know, in most things, and the reality is now there is no more privacy, um, yeah, and, and so we've already lost privacy.

Speaker 2: 50:03

Privacy's gone right. I mean, it's just that, you know. You know, it's just, our information is in the hands of various companies google, apple, microsoft's, um, they know a ton about us. And then there's the dark web and what's out there about us, and so that you know the notion of privacy I don't think it's real anymore anyway, and we also have the protections and benefits that would come along with something like a, some kind of digital ID or at least ID verification system, and there are ways to do this cryptographically, which is still your oscocate person, you know and have some privacy method, the mechanism, built into it. That's not my area of specialty, but I believe there is a, there is a solution, you know, to at least address the deep fake fraud that is coming and the voice fraud that is coming and all the things that are coming where people's images and voices and likenesses can be used for malicious purposes. It is a very, very challenging problem, technologically and socially. It's probably one we're not going to see a solution to anytime soon.

Speaker 1: 51:23

Yeah, definitely Chris. Unfortunately we're at the top of our time here. The 50 minutes or so really flew by. It was a very interesting conversation. I really appreciate you coming on. I really enjoyed it.

Speaker 2: 51:38

Yeah, I think it's nice to recover a lot of fun areas, so thanks for having me on as a guest.

Speaker 1: 51:46

Yeah, absolutely so, Chris. Before I let you go, how about you tell my audience where they can find you if they wanted to reach out, and where they can find your company?

Speaker 2: 51:55

Yeah, I mean, I think really the best way is to go to our website, radicalcom. That's radical without the W-A-R-I-D-I-C-L awesome.

Speaker 1: 52:08

Well, thanks, chris. I really appreciate it and I hope everyone listening enjoyed this episode. Bye everyone.