Reimagining Cyber - real world perspectives on cybersecurity

2024 Cyber Trends & Threats - Ep 78

January 03, 2024 Reimagining Cyber Season 1 Episode 78

In this episode, hosts Stan Wisseman and Rob Aragao reflect on the cybersecurity landscape of 2023 and discuss its potential impacts on the upcoming year, 2024. They delve into the alarming increase in incidents and breaches, noting a 30% rise. The conversation covers major breaches, such as the MOVEit and Okta incidents, emphasizing the growing threat of ransomware across various sectors.

The hosts highlight the interconnectedness of organizations, raising concerns about dependency on common platforms and the resulting ripple effect during security breaches. They stress the importance of reevaluating security controls and adopting a layered approach to mitigate vulnerabilities.

The episode also explores the escalating cyber warfare between nation-states, citing the ongoing conflict between Ukraine and Russia. Stan and Rob anticipate an increase in nation-state cyber threats, emphasizing the need for enhanced threat intelligence and proactive cyber defense measures.

Regulations, including the SEC cyber rule and the EU Act, are discussed as significant factors shaping the cybersecurity landscape. The hosts predict a continued evolution of regulations, emphasizing the need for organizations to adapt to changing compliance requirements.

The conversation touches on the emergence of generative AI and its impact on various industries, especially in cybersecurity. Stan and Rob acknowledge the dual nature of AI as both a tool for efficiency and a potential threat in the hands of malicious actors. They predict ongoing discussions about the regulation of AI and its implications.

Other topics include cyber insurance, where the hosts anticipate increased scrutiny and tighter requirements, and the importance of leveraging insurance requirements to drive cybersecurity improvements within organizations.

As the hosts look ahead to 2024, they emphasize the race between cybersecurity defenders and threat actors, acknowledging the potential for increased efficiency on the defenders' side but recognizing the challenges posed by the evolving threat landscape.

Other episodes mentioned in this edition:
Time to Take Them More Seriously - What's Iran Doing in Cyber? - EP 11
https://www.buzzsprout.com/2004238/episodes/10791018

Progress Over Perfection - Implementing the Executive Order - EP 18
https://www.buzzsprout.com/2004238/episodes/10791011

SEC Cyber Rules Just Got Real - EP 69
https://www.buzzsprout.com/2004238/episodes/13875180

SEC Cyber Rules Forcing Boards to Pivot - EP 57
https://www.buzzsprout.com/2004238/episodes/12344694

US National Cybersecurity Strategy and EU Cyber Resilience Act - EP 61
https://www.buzzsprout.com/2004238/episodes/12532348

NIS2 Directive: Cyber Insights - EP 76
https://www.buzzsprout.com/2004238/14173706

AI and ChatGPT - Security, Privacy and Ethical Ramifications - EP 62


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com


[00:00:31] I'm Stan Wisseman. I'm joined by my co-host, Rob Aragao, and Rob, we're going to do a bit of a retrospective on 2023 and looked at how it has potentially impacts or give us an idea of what's to come in 2024. Yeah. And I, I'll start, you know, again, it's another bad year as far as the, the, the number of incidents and breaches, I think 30 percent increase is what I saw.

[00:00:57] How about you? Thanks. 

[00:00:58] Rob Aragao: Yep. Saw the same thing. And you're right. It's [00:01:00] just like one after the other, right? It's, it's more targeted, uh, you know, entities out there more and more ransomware, of course, as well. 

[00:01:08] Stan Wisseman: Now, there are some that had a, a multiplicity kind of impact, like the, the MOVEit data breach.

[00:01:17] I mean, that impacted thousands of organizations and, you know, that was cross-sector as well. Um, you also had the Okta breach, right? That impacted a lot of different organizations. And I, and I think we, we certainly are going to continue to see ransomware as a, um, a continued, um, trend as, as people as a, as a threat actor, see value in extorting.

[00:01:45] Funds out of organizations. 

[00:01:47] Rob Aragao: Agreed. I think, you know, not picking on Okta by any means. Right. We never pick on anyone that's been breached. I just look at the situation there as, um, one that's kind of, you [00:02:00] know, very dependent, meaning that there's a lot of different organizations, public and private. That, you know, rely on a common kind of platform, um, for certain things that they need, right?

[00:02:11] And in this case, you know, with single sign on as an example, and a lot of those interconnections, uh, then become serious concerns of vulnerabilities that can be taken advantage of potentially, right? And you see this kind of, you know, jump from 1 entity to the other entity. So I think, you know, there needs to be a bit of a, Okay.

[00:02:27] Look back on seeing how we can actually be better at layering our different types of security controls where we're not so maybe dependent on one platform that then it causes this kind of ripple effect throughout industry and some of these types of situations that we've seen in the past are going to continue to get 

[00:02:41] Stan Wisseman: worse.

[00:02:41] Well, I think it's also related to another type of attack that we're seeing that started again with SolarWinds couple of years back and Log4j is that, you know, software supply chain and being able to have a handle on what's in your environment. So, when a [00:03:00] zero-day or when an attack like this happens, you're able to respond quickly and, and again, you know.

[00:03:06] Not picking on a particular vendor like a SolarWinds, but all vendors are possible targets, um, that trust relationship or the access provided to a solution like a SolarWinds was a juicy target for the threat actors. In this case, China, right? Um, to take advantage and mentioning China. I mean, one of the things that I think we're going to have to be looking at is, is the enhanced or increased activity of nation state actors.

[00:03:35] Yeah, 

[00:03:35] Rob Aragao: definitely. Definitely. 

[00:03:36] Stan Wisseman: We've, we, we, we speculated before the Ukraine-Russia war about, um, cyber war, and now we're seeing it. We're, we're actively seeing, uh, uh, you know, provable cyber war occurring and the attacks on critical infrastructure and, and, and, and, and all the different sectors. [00:04:00] And I think as, as potential escalations go up with Iran.

[00:04:04] Um, who is a, again, uh, increasingly skilled, uh, threat actor on this, on this stage. Um, they could be launching additional attacks against U.S. infrastructure as well as, um, those in Europe. And so I think, you know, we need to have an enhanced nation state threat intelligence and, you know, actual coordination.

[00:04:29] On the, on the cyber defense side, we already do some of this, but I just think it's going to have to be much more proactive. 

[00:04:36] Rob Aragao: Well, I think that the reality of the threats are much more prominent, right? The, the, the examples you mentioned, um, are Are now reality. So we're at that point now where it definitely needs to be much more kind of focused upon.

[00:04:51] And listen, Iran is an absolute threat. I mean, we had an episode on the topic of Iran and their cyber capabilities now quickly. They're maturing. Um, [00:05:00] I don't know. I think it was probably over a year ago at this point in time. And, um, you know, the, the examples are occurring again, relative to what we've seen with the, the Ukraine and Russia conflict.

[00:05:10] So, critical infrastructure, we talk about it, right? It was part of the executive order. If we kind of go way back to, I guess, even last year when it came out from the Biden administration. Um, we just need to continue to see much more emphasis on. our critical infrastructure capabilities of controls, uh, from a security perspective, and the, the level of threat intelligence that we're actually gathering, right?

[00:05:31] And, and being able to be more precise on how we can actually, you know, protect our environments from being attacked. Uh, it's, it's more critical than ever before. 

[00:05:39] Stan Wisseman: Yeah. I, I, I don't know if this would be something we'll see in 2024, but it would be, I don't, I don't think it's outside the possibility that at some point we start.

[00:05:49] Looking at cyber diplomacy and some kind of international law about, uh, you know, the norms, uh, are for state behavior in [00:06:00] cyberspace, you know, and can, can we, you know, you know, codify what like an equivalent to an arms control agreement, uh, or, or cyber non-aggression pacts. Um, again, I'm not sure who would take point on that, because let's face it, the United States is very active in this as well.

[00:06:18] Um, and they wouldn't necessarily want to have guardrails on what they can and can't do against their perceived enemies. But at the same time, um, this free rein without any kind of perception of what, um, which potentially trigger kinetic response is, is, you know, because is that sustainable, you know, um, so switching, switching from the threat side of things and talking about regulations, um, right, you know, we, we also had the beginning of the year or March timeframe.

[00:06:52] I think President Biden's executive order on cyber security. And that, you [00:07:00] know, had a focus on zero trust architecture, software supply chain, putting the onus on, you know, the suppliers of software, a number of different aspects of that, and other regulations also are influencing things, right? You did some pieces on the SEC cyber rule.

[00:07:15] Rob Aragao: We did quite a few actual, um, episodes when you think about it on regulation, right? We did. I think two on SEC basically right at the beginning of the year and then one here recently because at the end of 2023, it obviously went into effect in the middle of December. We did also 

[00:07:32] Stan Wisseman: think it was episode 69, right?

[00:07:35] Rob Aragao: I think so. Yep. And we also did some things around what we're seeing with cyber resiliency relative to the EU Act. So a lot going on in this two directives. Right. The evolution of that and become a reality in this year, 2024, um, regulations again, just another area that we're going to continue to see more and more of.

[00:07:53] And we haven't even touched upon some of the, um, proposed regulations and frameworks we're seeing around AI and the 

[00:07:59] Stan Wisseman: [00:08:00] implications there. And we just had the episode just to tie the knot off on the regulations on the NIS2 directive with Bjorn. Um, yeah. So speaking of AI, it was, it was what December, January timeframe that the, generative AI, the ChatGPT, hit the public as it were.

[00:08:22] Um, and what a year, right? I mean, there's been a comparison out there for those that were talking about Oppenheimer and the movie that was a blockbuster this summer. Um, how that movie, which represented like the beginning of the nuclear age. We're sort of like that in that stage right now with AI 

[00:08:49] You know we experienced, I think this year, the landmark year associated with realization that we can do so much with AI [00:09:00] in many different use cases. Right. And in the context of cyber, we can adopt AI to help us be more efficient and automate things and be able to discern a lot more, um, as far as our threat actors that are targeting our organizations, but also the threat actors are leveraging it.

[00:09:16] You know, deep fake technology, um, advanced phishing attacks, there's an arms race that's going to be going on and it's going to get ugly. It is, it's a 

[00:09:27] Rob Aragao: double edged sword, right? And, um, I think what's interesting is when you do look back to the, the hype.

[00:09:33] December 2022, with ChatGPT and then what's happened over the past year in 2023, it, it's really interesting to think about. We've been doing AI for so long now that we put it right. We put this interface in front of it to be able to actually engage and have a conversation with the generative AI. Um,

[00:09:51] Stan Wisseman: this is what we did.

[00:09:52] We did. Didn't we do that episode back with Stefan Jow back in April? Yes, that's right. We did. 

[00:09:58] Rob Aragao: We did that. I [00:10:00] actually forgot about that one. We did. And, and, and he, he was talking about again, how long it's really been going on. And, uh, and this was again, more of, I guess, the consumerization and it's, it's good though, right?

[00:10:10] Because now people become much more intrigued and want to learn. And, and the aspects of that back to your point about cybersecurity is, you know, we're realizing where there are benefits that we can apply generative AI into making people that much more efficient. In dealing with different types of security issues, what's interesting, Stan, I was looking back at, um, kind of the themes, if you will, of episodes that we cover this year and it kind of fall into three buckets.

[00:10:36] And basically, it's just what we talked about. It's been about a lot of, you know, the ransomware type of events that have happened out there. Breaches were covered as part of that conversation, but then the day was really a lot of kind of that ransomware topic. We talked a heck of a lot about regulations from many different facets, and we also touched upon shockingly AI.

[00:10:54] Right? And when I was thinking about going into the new year, I mean, you talked about cyber diplomacy. You talked about [00:11:00] cyberspace. I mean, those are some big potential items. I feel it's just going to be a lot of the same, you know, the evolution of more and more regulation, definitely more and more learnings on what's happening with AI and how it's going to impact cyber from both ends, as you mentioned, um, a unfortunately, much, much more ransomware 

[00:11:18] Stan Wisseman: taking place.

[00:11:19] Another issue that's related that we've talked about over a couple of years, uh, as a sort mitigation strategies around cyber insurance. Yes. And I, I think that is another area that's going to get increased attention from the executives as they try to mitigate risk of a breach, um, for the organization, but also it's getting to be more difficult to qualify because the risk insurers, underwriters are looking for controls to be in place before they take their risk of insuring you. [00:12:00]

[00:12:01] Rob Aragao: Well, one of the things that's happened I've started seeing it happen, I should say, with cyber insurance is some CISOs kind of leveraging. What the under is pushing back on them back to their conversations with the board as to what they actually need to put in place to get the investment. Right? So there's the good and the bad.

[00:12:19] Um, they really, really tightened the screws on a lot of the changes that have happened over the past year. Um. We'll see what happens this year, but it probably will get even tighter. But again, it could be used as a lever to help them in their cyber programs. 

[00:12:33] Stan Wisseman: And, and I, and I think that's a, a wise thing to do.

[00:12:35] I mean, just, just like you would take advantage of, uh, an internal audit finding as a way of driving an initiative internally, um, you, you want to take these requirements and drive maturity and improvements in your environment. I don't know if there are other things you want to highlight for 2024?

[00:12:57] I think [00:13:00] that, the unfortunate thing is that threat landscape is going to get worse. Right. But the. The promise is, and again, going back to AI, that if we can, you know, automate and integrate in some of these, um, capabilities, we may be able to keep up with the Joneses and keep up with the threat landscape a bit more effectively.

[00:13:28] Um, it's just a matter of, of how quickly can we move versus the threat actors who are also leveraging that technology. 

[00:13:35] Rob Aragao: Well, that's exactly it. It's, it's a race. It's a race because again, we, we, we both have the tech, right? And it's, it's just, it's just an in. And get there quicker. So I, I do believe the good guys are going to become much more efficient.

[00:13:46] Um, but again, it's just, it's, it's a tough battle. So we shall see how it goes in 2024. 

[00:13:52] Stan Wisseman: Now, now just switching over to, you know, 2024 and what we have in store for the podcast, we're going to continue to do a weekly cadence and [00:14:00] we invite you as listeners to suggest topics and guests that you think that we should have on the podcast.

[00:14:08] Um, we do have some great guests already lined up. And, um, hope that you are, are getting benefit from this and, and enjoying it. Um, but we're, we would love to have your feedback as to other topics that we haven't hit upon, or if you think we're, we're neglecting something. So please, uh, speak up and share it in our comments.

[00:14:29] Excellent. Until 

[00:14:29] Rob Aragao: next time, Stan. 

[00:14:31] Stan Wisseman: Hey, thanks, Rob.