Reimagining Cyber - real world perspectives on cybersecurity

Data Security Unleashed - Ep 75

December 11, 2023 Reimagining Cyber Season 1 Episode 75

Welcome to another episode of Reimagining Cyber with Rob and Stan. In this episode, we dive deep into the crucial topic of data security. Stan shares insights from a recent cybersecurity event in Texas, emphasizing the growing threat of ransomware and the need for a dynamic approach to protect sensitive data.

Key Points:

1. Ransomware Challenges: Stan highlights the evolving landscape of ransomware attacks, where bad actors not only encrypt data but also extract it and blackmail organizations. The importance of a robust backup strategy, including tiered storage with offline or air-gapped options, is emphasized.

2. Classification and Categorization of Data: Rob and Stan discuss the significance of understanding the types of sensitive data within an organization. They draw parallels to the Defense Department's classification system and stress the need for businesses to categorize their data to implement effective security measures.

3. SEC Cyber Ruling: The upcoming SEC ruling becomes a focal point, driving organizations to reassess their data security strategies. Rob explains how privacy regulations and regulatory actions, like the SEC ruling, act as catalysts for organizations to enhance their data security.

4. Discovering Hidden Risks: The hosts underscore the importance of comprehensive data discovery, revealing hidden risks and outdated systems. Stan likens undiscovered data to "toxic data" and emphasizes the need for continuous clean-up efforts to reduce both risk and costs.

5. AI and Bias in Data: The conversation shifts to the integration of AI in cybersecurity and the challenges of preventing bias in AI models. Stan discusses the importance of cleansing sensitive data before ingestion into AI models and the broader issue of unintentional biases in AI.

Conclusion: Rob and Stan wrap up the episode by reflecting on the evolution of cybersecurity terminology, from computer security to information assurance and now cyber security. They stress the multi-faceted nature of protecting information and the continuous effort required in today's dynamic threat environment.


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com


[00:00:00] Stan Wisseman: It snowed here last night, Rob. It did. Wow. We had a huge rainstorm. I mean, it was raining all day and last night it just poured and I woke up not expecting to see white. You know, I mean, granted, it was just a dusting, but it was so like, still, yeah, I was like, I didn't realize I'd gotten that cold. So anyway, kind of surprising.

[00:00:19] Rob Aragao: We had our first dusting probably about, I think a week or two ago. And what we had tonight, well last night, was high winds, heavy rain, and then one of those things in the middle of the night, power goes out, the kind of alarm sensor's going off, and then you hear, like, we have a couple of these vases out in front of the door for, you know, Christmas decor and whatnot, and then you hear, you hear like a boom, boom, and it's like, those things just went down, there's a wreath that hangs in the door.

[00:00:45] Did they break? Did they break? They thankfully, they're made out of like a heavy plastic material, so thankfully, yeah, they didn't crack or anything like that. Man, what a storm! It was heavy. It was heavy. And the thing was, the winds got up to about 60 miles per hour, so it [00:01:00] was, yeah, it was intensive last night.

[00:01:01] I'm just happy it wasn't snow. 

[00:01:05] Stan Wisseman: And I said we had snow, but it was like a dusting, so, but it was still a shock. 

[00:01:10] Rob Aragao: Do I see a little, like, stocking, Christmas decor hanging off the back there on the guitar there, yeah? Yeah, 

[00:01:16] Stan Wisseman: yeah, so I have you know, tried to, anyway, yes, I, I have. Try to put decorations up in the house.

[00:01:23] I haven't done lights outside or gotten a tree yet, but I'm getting started. So, you know, I had all these boxes from my old house of all these decorations, right? And so I was going through the boxes and I, I culled through. Okay, I don't need... I have like three boxes of stuff I'm ready to donate. I have them in the car. Yesterday got together with the kids here in Richmond and I was telling Amy and Sarah, and I was like, hey, you know, I, I got a lot of stuff I'm gonna donate, you know, from the Christmas stuff.

[00:01:52] I culled through it. It's like, Amy looks at me, you are not donating a thing until we look at it. No, I don't think you want any of this. Don't donate [00:02:00] anything, dad. We've got to look at it before you throw it away. 

[00:02:03] Rob Aragao: There could be memories in there. You don't know how each of them, you know, feel about things.

[00:02:06] Oh, come on. 

[00:02:08] Stan Wisseman: Please let it go. Let it go. Anyway. All right, let's get to 

[00:02:13] Rob Aragao: it. Welcome everyone to another episode of Reimagining Cyber. Rob and Stan here, we got a great discussion on the topic of data security, but before we do that, Stan, you're fresh off of an event last week and wanted to kind of just get your thoughts on how things went overall.

[00:02:28] Stan Wisseman: Yeah, hopefully it was the last trip I have to take this month. So as we're wrapping up the year I was down in Texas, had the opportunity to, to visit our, our Dallas office. And then drove down to Houston for the cyber security event. I love the way in which they are, the, the cyber security summit down in Houston.

[00:02:50] And that's the one to go to then apparently, apparently I love the fact that they make it so pronounced. And so I had a presentation down there and, and one of the topics, this is [00:03:00] nothing new, but it was a really good panel, I thought on ransomware. And it is the pain point that everybody's concerned about.

[00:03:09] There is no silver bullet. It is likely that bad actors are going to attempt to lock up your data and extort money from you. And, you know, the technique now is also the one two whammy of not only encrypting your data, but also extracting that data, extricating that data out of your environment and blackmailing you with that as well, saying we'll release this data if you don't pay.

[00:03:39] And so it is a one two whammy. And one of the things that they, they, they talked about obviously is, is the need for backups. But to have a, a tiered storage, storage strategy for your backup architecture, you know, the, the fact that if one of those layers gets compromised, [00:04:00] You, you may have the ability to back up from a previous layer.

[00:04:04] Now, now granted, the other concern is making sure that you, you, the bad actors are aware of what you're trying to do, right? And so they, they are, they're looking at compromising your backups. They're looking at, you know, they may have had the dwell time in your environment to get into your, your backup cycle.

[00:04:25] So you have to be conscious of the fact that some of these backups may be corrupted. But when you, when you think about the tiers, you have the, the, the high frequency access tier. This is the most susceptible to ransomware, right? But then you could have offline or air gapped. Right. Tiers. And, and these are the ones that are disconnected from your network and could be like in the old days, tape backups or some kind of removable drives.

[00:04:49] Something that enables you to have confidence that if you are infected, you can take this air gap backup and restore. And if you think about some of the [00:05:00] recent attacks like PokerStars and MOVEit, those that had these air gap systems were able to restore without having to pay a ransom. And then you could leverage cloud.

[00:05:11] You know, there are a number of different things you can do. But I think that was a very valid point in this day and age that you need to not be assuming that your approach today is going to be adequate for tomorrow. You need to be really looking at how to architect in today's, you know, honestly, very active threat environment in this context of ransomware.

[00:05:34] Rob Aragao: Yeah, no, that's, you know, That's a great lead in also into the topic of data security that we want to kind of delve into today, right? Because, well, because if you think about it, that whole situation is very difficult, but one of the elements that's really important in this whole thing is, is understanding really what is the sensitive data for the organization, right?

[00:05:57] And that could range from, of [00:06:00] course, it could be Customer information, right? Patient information, depending what vertical you're in your own intellectual property. There's all sorts of different types of data, but it comes down to really understanding. What it is before you even figure out to kind of point out and search where it may actually exist.

[00:06:17] Right? We did a, was it 2 months or so ago? And I think it was, we did a webinar with Forrester and this was the whole topic. It was really actually the Forrester had just come out with their wave on the data security platform market space. So, so I was able to speak with, with the analyst there, Heidi Shey, on the topic and the key element of it always centered back to.

[00:06:37] The technology capabilities are there to help the program around data security, but many kind of misstep right out of the gates because they try to just kind of launch the technology out there to do what they think is kind of the work for them without having the front end of kind of what I say, the equation taken care of, whereas let's go have these conversations.

[00:06:58] We need to. What [00:07:00] the different business stakeholders because the relative information sets or data sets that they have are different from their peers and the other business units, for example, and they didn't understand kind of what should they be looking for? So kind of create that almost catalog of the data elements, the sensitivity of those data elements to then begin that process of actually leveraging some technology.

[00:07:20] Stan Wisseman: and get agreement on what should be done to protect the different levels of sensitivity. You know, it's one of those things, you know, so I have a flashback to my days when I used to support the Defense Department, and they have a very well understood classification system. They do, yes. I mean, so you have confidential, secret, top secret, SCI meaning compartmentalized, and you, you, in that world, You can have an accreditation to op authorization to operate your system.

[00:07:57] And the most [00:08:00] simplistic approach is, well, whatever the highest level of data that's being processed, you need to apply the controls to protect the entire system that way. Sort of like a, a peanut butter approach of, all right, if you're processing top secret, your assumption is your system is top secret.

[00:08:18] And therefore the controls that you, you need to have in place for a top secret system are applied. And so the, the, the motivation to go to multi level security was it's a lot of work to apply all those strict controls onto everything, and so the value of multi level was, okay, well, if I can say that all these systems are unclassified or all these components of the system are unclassified.

[00:08:46] I don't have to apply that same rigor to those systems. Yeah. And you take this to the business world. If you are not doing the, the, the, the classification of your data and the categorization, you sort of have to assume [00:09:00] that system high approach. Yeah. Are you really gonna apply the, the, the, all the protections that you need?

[00:09:07] To protect that, you know, IP that you have and that one or two systems because you haven't done the work to figure out where that IP is exposed. Right. So, I mean, it's one of those things that's like either you go all in and it may be simpler if you really don't have the ability to get a handle on where your data is in your environment and the sensitive data is and you sort of have to assume as the security side.

[00:09:32] All right, the business isn't doing the work. I guess I need to go ahead and assume that is, you know, exposed 

[00:09:38] Rob Aragao: everywhere. Right. Right. You know, it's it's one of those factors where a lot of these kind of drivers for the organizations to actually do something in this space around data security. Really, data discovery, classification, and then security data has been around privacy regulations that we've been seeing, right?

[00:09:56] You see the breaches occurring and they're like, okay, we need to take some action. I'll tell you, the one [00:10:00] we've talked about recently and actually goes into effect here very shortly on December 18th is the the SEC ruling. Right. And how many conversations I've had recently where the, the organization is saying, Hey, we actually need to really understand what we have for data because of the SEC cyber ruling.

[00:10:17] Right? And, and so that interconnection point of again, here's another kind of hammer that's getting, you know driving that nail into the need to do this is, is helping, is helping move this thing in the right direction. 

Stan Wisseman: No, I do think the, the, the action that you take varies as far as, okay, you understand where your sensitive data is.

[00:10:37] Going back to your, your, your first point, if your policy indicates that access controls are sufficient, then make sure you apply those. I mean, and, and, and you have to do reviews, and it's going to be a continuous review because things change so rapidly. That, that, that the access controls to that sensitive data are applied appropriately, and that you are [00:11:00] validating on a continuous basis that they are.

[00:11:03] If you are, In some kind of compliance situation like PCI data and you have to tokenize that data. Then there are plenty of solutions that can help you with that, including ours. Right? And then encryption, you know, again, back in the day, we had this perception of the firewall and the crunchy exterior protecting your environment.

[00:11:24] Once you were in, you were a trusted user and your data was accessible to those that had that kind of access within the perimeter. I think with the threat landscape today, you can't have that assumption. You've got to change that model to a defense in depth, including encryption for your most sensitive data.

[00:11:41] No, for sure, 

[00:11:42] Rob Aragao: for sure. I mean, again, we have all these different environments, the multi cloud environments, the cloud data warehouses, where does this data exist? But I want to go back to the point that you just called out, which is extremely important. I've seen way too many times where the organization maybe has kind of the beginning stages of a discovery and classification program.

[00:11:59] [00:12:00] underway, let's say, but then, you know, as they're identifying this data, you kind of call it out. What, what, what actions are you taking in this data? Right. And that's lacking. And it's, you know, it's just the way kind of in the marketplace, there's been some, some capabilities that have been out there to help them with the discovery, but then they're kind of like, now it's up to you.

[00:12:19] You go figure out to do something with something else as a solution to help you. But, you know, What it does, honestly, is it presents great opportunity for organizations in many facets. One is, as they're going through that exercise of discovering what's actually out there, they're uncovering so many kind of these, you know, secrets, if you will, out there, that they didn't realize existed.

[00:12:39] This application still exists. This 

[00:12:42] Stan Wisseman: data 

Rob Aragao: is still sitting out there. Why? Right? It might have been through M&A activity and they've pulled it in and just basically said, well, let's just let it run. What does that do? That's another level of risk for the organization. 

[00:12:55] Stan Wisseman: So clean up and clean up and clean up.

[00:12:57] Rob Aragao: And so going through that process of the [00:13:00] discovery phase, understanding that these things actually exist out there is an opportunity, right? For them to be able to pull back and say, okay, I can reduce my risk, of course, but also reduce my costs associated to that data being out there. Nevermind.

[00:13:12] Unfortunately, if we got breached, then that data is actually part of what got breached, right? Shame on us for that. 

[00:13:16] Stan Wisseman: I view this sort of like toxic data. I mean, data is not being used by the business units, but it's still there, it still resides, and may still have sensitive data in it. To your point, the threat actors don't care.

[00:13:27] Oh, no, of course not. 

[00:13:29] Rob Aragao: They've got what 

Stan Wisseman: they need. Right. I mean, and, and also, honestly, that also could be that the controls that you normally would be putting in place in those, those systems or that data repository aren't there either because you weren't focused on it, but it's still active, it's still resident in your system.

[00:13:44] I think another, another thing that came up in the conference last week, of course, probably in your event as well, AI. And the, the, the challenge in this context is the potential to ingest [00:14:00] information into your models that's sensitive and you don't necessarily want the AI models to be exposed to that data or be using it.

[00:14:11] You want it to be anonymized and that cleansing activity is becoming more important as these business units rush to the market with different AI solutions or leveraging AI in their way of becoming more efficient. And I think the, the other aspect of this, which is not necessarily a security issue, but I think it's very important, is bias.

[00:14:34] And understanding that the, the data that you're feeding into your AI could create biases. And again, to some degree, that is understanding what that data is to make sure that you are not by default, creating a bias because you haven't thought through. What's being ingested. Yeah. 

[00:14:54] Rob Aragao: So it's interesting you bring that up because yes, the event I attended actually my talk was on AI and it was [00:15:00] basically entitled amplifying cyber security with AI.

[00:15:02] And it was just genuine, like here's what we're seeing out there as an actual kind of work that we're doing right within our own business. But the use case you just discussed is, is one that is like very important. I, you know, you talk about clients that kind of refer to as the sanitized data within the large language models that you're using, right?

[00:15:19] Because it is, it's, it's a major concern. The bias aspect is, is a critical concern. We can kind of start. With looking at it from a sensitive data, because we know how to do that. Right? But now that next level of how do you understand really where, you know, it is biased or not is going to get to be really interesting.

[00:15:36] We should actually do a whole kind of episode on the AI topic relative to, you know, these areas of what can we really do today? And what are the gaps that we're seeing at this point in time? That may be starting to look, you 

[00:15:48] Stan Wisseman: know, that flashback I had about my days supporting the DOD, which was. Back in the eighties reminds me that we've gone through this transition and what we call what we [00:16:00] do, right?

[00:16:00] It was initially was called computer security and then it went to information security or information assurance. And then now we call it cyber security. Mm hmm. I think that transition has helped, I guess, us forget sometimes that we really are ultimately trying to protect that information. We call it cyber security, but we're really, that, that name, you know, that terminology of information security, information assurance nails it a bit better because we are trying to ultimately in our organizations, our enterprises, protect our data and.

[00:16:43] That takes many different facets. It's a multi faceted problem. And, and we don't want to lose sight of that. 

[00:16:50] Rob Aragao: No, that's a, it's a good point. It does take us back to the reality that it's all about the information. Right. And how do we actually protect that data, that information. Data is part of that, but there's other [00:17:00] elements that are part of what the information set is all about.

[00:17:02] So, very interesting, Stan. Good discussion on the topic of, in essence, data security. Data, you know, it takes us obviously kind of through that life cycle of Really discovering the data, classifying data, kind of the governance aspect, the controls aspect you discussed as well, and then how we actually secure it.

[00:17:18] So I hope our listeners learn something new from today's discussion. We always love talking about, you know, different topics that are of course, interesting. We think this is one that's very, very hot right now in many discussions. There's a lot of drive behind it, as we mentioned in some regulatory actions that are being in effect at this point in time.

[00:17:35] But again, Stan, always good talking to you and keep that holiday cheer going, my 

[00:17:39] Stan Wisseman: friend. I'll try. Take care, Rob. Take care.