Episode Transcript
0:02
Welcome to the Cybersecurity and Cloud Podcast.
0:05
The podcast where we learn from cybersecurity experts how to stay safe,
0:09
private and secure on the cloud and in code. CSCP is hosted by Francesco Cipollone, your
0:16
cybersecurity friend with a passion for all things cyber
0:19
and sharing stories of other professionals with you.
0:22
This episode is brought to you by the generosity of Phoenix
0:25
Security Limited. Phoenix helps startups and enterprises solve complex software security and
0:30
supply chain visibility by leveraging the
0:32
power of correlation and contextualization.
0:35
Discover how Phoenix Security helps
0:38
CISOs and security engineers act fast,
0:40
prevent burnout and implement DevSecOps at the speed of cloud. Phoenix Security:
0:46
correlate, contextualize
0:48
and act on risk with one click. Let's dive in.
1:02
Hello everyone and welcome back to the Cybersecurity and Cloud Podcast,
1:07
this is your host Francesco and this is probably the
1:11
last episode that we do in 2022. It's the 29th of
1:17
December 2022, we're almost at the end of the year,
1:21
but we managed to squeeze in a last episode with Chris
1:23
Hughes and it's an absolute pleasure because, Chris, we've
1:27
been interacting a lot on LinkedIn, teasing each other over a
1:30
number of topics and we said you know it's the time
1:33
to come on the show and do a proper episode.
1:35
So Chris, thank you very much for coming on the show.
1:39
Chris is a consultant at Aquia and was in the Air Force previously,
1:45
so he's very heavily involved with a lot of US
1:48
regulation around SBOM and around cybersecurity, and the US
1:52
has faced a lot of change of late, and today
1:56
in the episode we're gonna dig in and explore this.
1:59
But before digging into the exciting topic of SBOM and software
2:03
supply chain, Chris, tell us a little bit more about you,
2:06
how did you start? How did you get to the point where you are today?
2:10
Yeah definitely. I'm happy to give you some background.
2:13
I started off active duty Air Force. You know, prior to
2:15
that I always had an interest in computers and technology but
2:18
joined the Air Force and got put in
2:20
cybersecurity, and at the time I didn't really realize the opportunity.
2:23
You know you're just a young kid you know.
2:26
And then I started really taking an interest
2:28
in it because it was a fascinating career field and I've
2:30
never stopped. You know, I did four years in the Air Force and then I've been a federal employee with the US
2:35
Government twice, once with the Navy doing cloud and DevSecOps
2:39
and, you know, cybersecurity for them. And then also with an organization known as GSA,
2:44
the General Services Administration, which probably isn't too familiar for many.
2:48
But if you've heard of FedRAMP, I was part of the FedRAMP team reviewing cloud services coming to
2:52
the, you know, US federal market there on the security team.
2:56
And then, you know, worked at a couple of different industry organizations in the DoD
3:00
space, you know, on the software factories and things
3:03
like cloud and Kubernetes and containerized environments and
3:05
all those kinds of things for Space Force and Air Force and so on.
3:09
And then ultimately, you know, decided to give it a chance myself and, you know,
3:13
co-founded Aquia, where I'm at now, with a
3:16
couple of partners and you know doing cybersecurity consulting
3:18
in the public sector but also a little bit in the commercial, but definitely mostly US
3:22
public sector focused. And, you know, outside that, like you mentioned,
3:26
I'm really active on LinkedIn. I host a show myself called Resilient Cyber and I'm
3:31
pretty engaged with groups like the Cloud Native Computing Foundation,
3:34
Cloud Security Alliance, for example, have
3:37
contributed to several white papers and publications
3:39
with them and yeah just really
3:41
passionate about all things cybersecurity honestly.
3:44
And there isn't a new article or regulation that comes out and
3:47
there is a whole competition of who can write a blog before
3:51
that and I really appreciate that because I think it is
3:54
pushing everybody out to the edge to actually write even faster.
3:58
Yeah there's I mean there's some awesome people out
4:00
there who put out a lot of great information that I read, folks that you and I know like Walter Haydock and such.
4:06
So sometimes, you know, I enjoy writing, and for me learning, like,
4:10
I like to read something and write about it while I'm reading it.
4:12
So if something new comes out, I like to try to quickly get an article out there and try to push other people,
4:19
you know, but it's all, it's all in good fun honestly.
4:22
Yeah, I think, I think it's a good,
4:24
it's a good point and it's a good competition to actually write even faster and quicker,
4:29
but maybe back in the day,
4:31
you know, what made you decide to actually engage this into a full-on career?
4:37
You know, you started in cyber, you kept going more into cyber and then,
4:42
and then as a full-on question, how did you see the regulation and the industry changing?
4:48
Especially in the, in the federal space of late?
4:52
Yeah, I mean for me, for me initially it was, you know, just kind of happenstance,
4:55
like I said, I got put into cyber, I was in the Air Force, I got out and, you know,
4:59
kind of just stuck with it just because it was easy to find a job doing what I did in the military.
5:02
And then I saw the economic opportunity
5:05
that the career field has. It's a great career field,
5:07
you know, a lot of good job stability. It's, you know, it's very high demand for example,
5:11
and I was always really interested in it and then, you know,
5:13
I got married and started a family, I have four young kids and once I started having kids like, you know,
5:19
my motivation to work harder to learn to grow.
5:21
You know, my career just took off from that point
5:23
and I've never stopped working hard since then.
5:26
And as you mentioned, I think we're definitely seeing an evolution of the regulation in this space,
5:30
you know, in our, in our environment, in the public sector.
5:33
You know, we've always had things like NIST and, you know,
5:35
risk management framework, NIST 800-53, and, you know, think of NIST 800-171 for the defense
5:40
industrial base, and then CMMC that people are talking about a lot now,
5:44
thinking about, you know, not just software supply chain but supply chain risk management in general,
5:49
you and your suppliers. That was a topic that's gotten a lot of attention as of late and then, you know,
5:54
obviously software supply chain, you know, it's not necessarily a new topic.
5:58
You know, you can date it back. Google
6:00
actually had a white paper recently, they cited an incident from 1980, you know,
6:04
for something where the United States did something
6:06
to Russia with software, and it's like, wow, this issue has been around for a long time,
6:10
but it's gotten more and more attention, I think, as, you know,
6:13
we've seen open source adoption kind of accelerate and go, you know, go crazy,
6:16
everyone's using open source software. Most modern applications are made of open source
6:20
software and I think people are realizing like,
6:22
you know, I think Sonatype, for example, had a study showing that in the last three years
6:26
it's like a 742% increase in software supply chain attacks.
6:30
So malicious actors are definitely paying attention.
6:32
And now I think that's making organizations, regulators, you know,
6:35
the industry pay attention and try to respond to this.
6:38
Brilliant. And I think I saw as well an almost change in that, but I saw the US taking,
6:44
I mean with the change of command in CISA,
6:48
a really strong stand in the software supply chain and that's
6:52
when the whole industry kind of started paying attention on
6:56
OSS and in general on the software supply chain and started to bring with SBOM and the
7:01
new regulations on SBOM with, I think it was, the 22-01 or 02, that
7:08
They brought out the whole topic of vulnerability management,
7:11
but not just in infrastructure, but across the software security lifecycle that really, really break the cars.
7:18
And changed the paradigm on,
7:21
you know, this is something that we need to pay attention now.
7:23
And, and you know, when there is a regulation behind it,
7:27
the whole public and private industry start paying attention.
7:30
That's what generated the whole debate and topic.
7:36
and as you rightly say that it's not a new thing, I mean software,
7:40
we've been writing software since forever, but right now we've been really paying attention to it.
7:46
So what do you think was the kind of singularity that made
7:51
everything change and us really paying attention
7:54
now to solve the supply chain attacks?
7:58
Yeah, I mean I think like we've talked about the momentum has been slowly growing.
8:01
There's been folks like Josh Corman, if you're familiar with him,
8:04
who was kind of warning about this issue almost a decade ago,
8:07
uh you know in the medical device community for example.
8:09
But there's no arguing that, you know, SolarWinds and the fallout from that,
8:13
thousands of organizations that impacted kind of like,
8:16
you know, precipitated the whole follow on executive order.
8:18
you know, the executive order on cybersecurity,
8:22
which had an entire section, section four, dedicated to software supply chain security.
8:25
Uh And then out of that came a whole slew of activity
8:28
where you had organizations like NIST producing a new version of the
8:32
SSDF, the Secure Software Development Framework, OMB,
8:35
the Office of Management and Budget, now kind of dictating that all suppliers selling software to
8:40
the federal government start to attest to aligning with the
8:42
SSDF, providing things like SBOMs.
8:45
And then you had, you know, organizations like NTIA,
8:48
where you had Dr. Allan Friedman and folks, you know,
8:50
working on these SBOM working groups, you know, two or three years ago, building that interest,
8:55
building that maturity around SBOMs with their working groups with industry.
8:59
And then of course he moved over to CISA and kind of has kept up that, you know,
9:03
that momentum since then. So I think, you know, definitely SolarWinds was kind of the watershed moment,
9:08
I think from an attention perspective and then
9:10
the cybersecurity executive order and all the,
9:12
all the activity that has come after that.
9:15
And as you mentioned, I think regulation has and will continue to play a big part in this.
9:19
Like, you know, without regulation forcing the issue,
9:22
suppliers are not necessarily incentivized to provide
9:24
this information, that transparency, and many,
9:27
you know, I've been really focused or interested in the economic factors of cyber.
9:31
Many consider cyber to be a market failure.
9:33
They say, you know, regulation is required for things to change.
9:37
Um, and I think it's, you know, it's hard to argue with that because if we just leave it up to the industry,
9:42
they're not going to necessarily provide this information. Why would they, you know, just take on some additional risk or scrutiny?
9:47
So, yeah, I think we're definitely seeing a lot of changes.
9:51
And security as well is seen as a massive cost.
9:55
So if there isn't a regulation behind it, there isn't a business justification to ship an SBOM in particular.
10:01
I think it touches on one of the big topics
10:05
in cyber that is asset management in general.
10:07
That is a hugely debated and often avoided topic in
10:12
cyber, or in general in IT; it's not even a cyber problem.
10:16
And I think the SBOM industry has now brought to the topic a problem that is like,
10:22
what do we do with this asset and, you know, asset of asset, and who used those assets?
10:28
So I think it has opened the Pandora's box around asset management in
10:32
the supply chain and beyond. What's your thought around it?
10:35
You know, I think you're spot on. Like, you know, I've been writing and talking about this recently and just
10:39
digging in and reading a lot about it, looking back across my own career, you know,
10:43
asset inventory has been a best practice for a long time.
10:46
You think of the SANS critical controls, hardware, software,
10:50
asset inventory has been around for a long time and
10:52
we've always sucked at it and it's always been difficult,
10:55
you know, and then you bring in like, you know, the modern environment with the open source software, you know,
10:59
you have managed service providers, cloud service providers, you know,
11:01
software delivered as SaaS, you know, software is increasingly complex in most modern environments and, you know,
11:08
you look at SBOM, as you mentioned, now you kind of open that Pandora's box of,
11:11
you know, it's not just like one app, it's all these components that are involved in the app and then
11:15
you have all your dependencies and your transitive dependencies and it just,
11:18
you know, it's a very complicated issue.
11:20
Yeah, and we kind of just had been burying our heads in
11:23
the sand or ignoring it and pretending it didn't exist, and now,
11:25
you know, the light is on the issue and there's no ignoring
11:28
it now and organizations are really starting to try to grapple with like,
11:31
okay, how do we get our hands around this? How do we understand what our software supply chain
11:34
is, our components that we're using if we're a supplier,
11:37
you know, what are we using in our software? For a consumer,
11:39
what's in the software that we're consuming? What are the vulnerabilities associated with that?
11:43
So it's kind of opened that Pandora's box like you said.
11:46
Yeah, I totally agree. And
11:49
I think after SBOM, there will be a whole,
11:52
like you wrote a really very important article about the SaaS
11:57
platform and SBOM, who depends on the dependency, that
12:01
is kind of on the topic as well of software supply
12:03
chain but on chaining fundamentally third-party supply chain,
12:07
there's a whole debate of
12:11
who depends on what from a software perspective, but in general,
12:16
and I think going forward it's even gonna be
12:18
more because of there being more attacks around them.
12:23
What's your thought about why the attackers focused more
12:27
on the software side of things rather than on the
12:30
infrastructure? Did we get better at infrastructure and defending infrastructure assets,
12:36
or have we been ignoring completely the software aspect?
12:40
Yeah, it's actually a very hotly discussed and debated topic, you know,
12:44
there have been some claims, you know, even by organizations like ODNI,
12:48
which is the Office of the Director of National Intelligence in the United States, for example.
12:53
You know, they kind of stated that, you know, as organizations get better at doing the basics, the fundamentals,
12:59
you know, attackers have gone upstream, for example, but then again,
13:02
if you look at the headlines, you know, we still have phishing, we still have,
13:05
you know, lack of MFA. So we're still very bad at the fundamentals as an industry, it seems.
13:09
But if you look at it from the attacker's perspective, like, you know,
13:12
they can target you as an individual organization or they
13:15
can target your supplier and have a cascade across hundreds,
13:18
thousands of consumers downstream,
13:20
uh and they may do that indiscriminately just, you know, whoever we get,
13:23
we get whoever the consumers are, or they may look targeted,
13:26
like, say, SolarWinds, and say who's using that.
13:28
Okay, great, we want to get to them, let's target the supplier and then have that downstream impact, you know,
13:34
on to the consumers downstream that we know are using them,
13:37
I think it's kind of like, you know, it's just an efficiency thing, you know,
13:40
if they can see that it's way more efficient to target a supplier and have that cascading impact across the industry thousands,
13:46
you know, of, of consumers versus targeting a single organization.
13:49
So it's just an efficiency thing, an economy of scale thing from a malicious actor's perspective.
13:54
And then also I think they've realized like as an industry,
13:57
we just have really poor supply chain risk management
13:59
practices and so why not take advantage of it?
14:02
You know, they're always looking for the most efficient way to carry out their goals,
14:06
you know, so they just kind of have taken advantage of that reality.
14:09
And I think you brought up a topic that really fascinates me, that nowadays
14:13
attackers and individual groups work as a business.
14:17
So they look at the unit economics and what's the smallest number of
14:22
lines of code that they can produce that's gonna hit the majority of the masses.
14:26
And I think they talk
14:29
way more than blue team does.
14:32
Yeah, no, I mean, you're spot on, like, you know,
14:35
malicious actors are organized, cybercrime is becoming very mature.
14:39
You know, it's a massive industry that generates a lot of revenue for,
14:42
you know, malicious actors around the world. You know, whether it's organized nation states doing it for purposes like that or just,
14:47
you know, crime groups doing it to make revenue and profits.
14:51
And as you said, they're gonna look for the most efficient way to do that,
14:54
you know, for all the hype of, you know,
14:57
things like advanced quantum-resistant, you know,
15:00
encryption, for example, like those kinds of things, like, you know, yes, that exists,
15:03
but they're gonna look for a more efficient way, like, you know, they don't have
15:06
MFA, or they have poor password hygiene, for example,
15:10
they didn't patch known vulnerable software that has had a patch available for like four years now,
15:14
you know, just take advantage of the most efficient thing they can, you know,
15:18
it's just easier and makes more sense for them. This episode is brought to you by the generosity of Phoenix
15:24
Security Limited. Phoenix helps startups and
15:27
enterprises solve complex software security and
15:29
supply chain visibility by leveraging the power of correlation
15:33
and contextualization. The Phoenix platform connects to your repositories,
15:38
scanners and cloud, correlates all the information and provides you with a
15:42
prioritized list of vulnerabilities that need to be addressed.
15:45
first. Discover how Phoenix Security helps
15:48
CISOs and developers remove friction and maximize
15:51
the use of DevSecOps professionals
15:54
at phoenix.security. Phoenix Security: correlate,
15:58
contextualize and act on risk with one click.
16:03
No, and I totally agree, and I think I was reading the other day
16:07
an article about the fact that 76% of ransomware
16:11
is leveraging vulnerabilities more than two years old.
16:15
So it's not like zero days, it's not like quantum encryption breaking.
16:20
I mean, it is a cool topic to discuss,
16:22
but it's, again, attacking on the basics, and I think,
16:27
maybe on the topic that you brought up,
16:29
we haven't been paying a lot of attention to software supply chain
16:34
or in general software security, and if you consider even OWASP,
16:39
OWASP has been around just 20 years.
16:41
So we haven't had any standards or any kind of way to agree among us as an industry
16:47
on what software is. And then on the flip side we had a lot of CISOs that come from traditional, you know,
16:53
firewalling and securing servers, or software wasn't really
16:57
their thing or maybe in their agenda,
16:59
you know, how you grow the structure,
17:01
the way you structure your security strategy and your cybersecurity strategy,
17:05
what do you think about that? No, I think you're spot on.
17:09
And, you know, I actually talked to Mark Curphey, you know,
17:12
from the OWASP Foundation, and he talked about how long
17:14
they've been around but how many problems we still
17:16
have as an industry at the basic level. And then you talked about, you know, like that,
17:20
I think software supply chain actually presents something unique.
17:23
You talked about, like, it's been two-year-old vulnerabilities
17:25
that actors are taking advantage of. Another unique thing about software supply chain attacks is, you know,
17:30
how long have we heard just patch? You gotta patch, right?
17:33
What happens when the patch is actually the attack vector, is poisoned?
17:36
So now you're finding that the best practice could compromise you.
17:39
So that's a very difficult dichotomy there if your supplier's patch is compromised.
17:44
And as you said, coming from different backgrounds depending on the organization, you know,
17:48
the CISO, so the industry that they're in, you know,
17:50
the focus on software supply chain may not be there.
17:52
They may be looking at security from a different angle around,
17:54
you know, when it comes to, like you said, software versus traditional security,
17:58
you know, this modern ecosystem that we have of
18:00
APIs and SaaS providers and open source software
18:03
consumption, a lot of that's new to, you know,
18:05
security professionals or at least organizations haven't
18:07
necessarily always paid attention to that stuff. But it's rapidly growing.
18:11
The industry is changing so much so fast that you know,
18:14
a lot of these things are just simply new. We haven't matured as an industry to address them quite yet.
18:18
Right? And I think you shared the attack surface the other day
18:22
of software supply chain, and if you compare that to a modern attack,
18:28
those are two completely different ways to attack,
18:32
if you were to attack fundamentally an organization.
18:36
So software supply chain attacks are a totally
18:39
new breed and methodology and technique.
18:43
I think if you come from infrastructure, you struggle to get ahead of the curve and understand
18:50
how a library has the same name as another library, how it can fundamentally
18:56
match or be vulnerable to your organization, versus, you know,
19:00
you have a vulnerable server, a lot of security,
19:02
traditional security folks relate to the vulnerable server. They don't relate to
19:07
a repository somewhere or an account takeover or things like that.
19:11
Yeah, I think you're raising an interesting point.
19:14
I've been talking a little bit about it. It's like, you know, we see the big push for zero trust, for example, but if you look at zero trust,
19:19
at least how it's typically discussed, it's very network-centric, architecture-centric to the organization.
19:24
You know, our endpoints, our authentication, you know,
19:27
all those kinds of things about the architecture,
19:29
and you may be securing all those things and doing, you know,
19:31
doing those things right. And then look at like open source
19:34
software consumption and you're just voluntarily pulling
19:36
things in that you have no understanding of the pedigree,
19:38
the provenance who contributed to it.
19:41
You know, if it's secure or not, if it has vulnerabilities,
19:43
so you may be doing all these things right from an architectural perspective and then you're just voluntarily pulling things in with,
19:48
you know, you're just implicitly trusting things when
19:51
you think about software supply chain, which is kind of an anti-pattern for zero trust.
19:55
So yeah, so it's a new paradigm and a way of thinking about
19:58
things that we just historically haven't done as an industry.
20:01
No, I agree. And I think maybe back in the podcast where we discussed with Walter,
20:09
are we still siloed as an industry to think where
20:13
you run software and what and how you build software?
20:16
So you still have the debate between software security folks that
20:21
think in a specific way and infrastructure and cloud security folks
20:24
that see things in a completely different way. So are we still looking at software in
20:27
a compartmentalized way versus a full-stack way?
20:32
Yeah, I think it definitely could be argued, you know, and I, you
20:35
know, I kind of, like you, started off in traditional
20:37
IT and then got into the cloud and things like that, and
20:41
you know I'm not a big fan of like you'll hear arguments
20:43
of cloud is less secure than on-prem or cloud is more
20:47
secure than on-prem, and it simply doesn't work like that.
20:50
There's a lot of factors at play: the supplier, the maturity of the supplier.
20:52
You know, for example, me self-hosting something is
20:55
not going to be in comparison to, like say, GitHub that's used by millions of people and
20:59
has a massive organization of security expertise behind it.
21:03
You know, there's a lot of factors that contribute to whether something is secure. Now it's
21:06
just not so black and white, there's a lot of gray in there, nuance in there.
21:12
And maybe a question for you. So what do you think is,
21:20
well, as a security industry, what do you think we're facing in the next probably couple of years?
21:27
Yeah, it's a good question. We have a lot of, we have a question.
21:31
Yeah, we have a lot of problems, you know, it's,
21:34
we're coming up on 2023 as you said, it's a prediction season and you can look around
21:37
and see a lot of great predictions that, you know, a lot of these things are true or will likely be true.
21:41
We have a lot of problems, but you know, looking at where we're headed,
21:44
I think that we have a lot of maturing to do around how we look at the software supply chain.
21:48
You know, we have great things and efforts underway.
21:50
Like you talked about SBOM, of course we have two kind of competing standards there, SPDX and CycloneDX, depending,
21:56
you know, we'll see how adoption of both of those goes, how organizations go about,
22:00
you know, not just producing SBOMs, but like what do I do with it now?
22:04
You know, like how do I aggregate all of these and look at them across the enterprise that
22:07
I have and understand and make informed
22:09
decisions around risk and procurement and acquisition,
22:12
how do I better get to my suppliers and understand my suppliers' suppliers.
22:16
So it's just a very, you know, we have a complex problem set ahead of us with a lot of things to mature around.
22:21
I think, as you said, it's a new paradigm for us in a lot
22:25
of ways around security and there's a lot of things that we need to figure out,
22:28
mature as an industry still, and then that's all great. But
22:34
it's a very complex topic and we struggle a lot to
22:37
actually bring the whole organization together along on the security journey.
22:42
And now we're facing kind of a singularity where we have
22:47
augmenting complexity of what we deal with
22:50
for the nature of software that is complex.
22:53
How do we translate all this complexity to
22:57
business decision makers that need to decide,
22:59
okay, I invest X amount to actually keep on building my software securely,
23:05
keep on running my organization securely.
23:09
So how do we shield the organization from the amount,
23:12
the sheer amount of complexity that all this has?
23:17
Yeah, I like the word that you used. I think you used the word shield the organization.
23:20
I think it's like, you know, to an extent it's kind of security's responsibility
23:23
to abstract away a lot of the complexity.
23:26
Like, you know, we shouldn't be expecting the broader business
23:28
leaders to be cybersecurity experts for example.
23:31
And that's where I think, you know, things like risk quantification. If you look at how we communicate risk,
23:35
it's almost all qualitative, it's very subjective,
23:38
it's based on your gut instinct and experience and it doesn't really, you know,
23:41
we haven't really done a great job of maturing how we communicate business risk in dollars,
23:45
you know, and in communications that they understand as a business, you know,
23:49
we have great books like How to Measure, you know,
23:51
Cybersecurity Risk from folks like Doug Hubbard that came out many
23:55
years ago and then there's already a version two coming out.
23:57
But if you look at the industry, we have FAIR and we have things like that,
23:59
but they're not really adopted very well in many organizations, or
24:02
not implemented at scale that I've seen in the industry.
24:05
So I think as as an organization or as an industry, in terms of cyber,
24:10
we again need to mature how we communicate with the business,
24:12
putting things in the business terms, you know, you often hear about the CISO having a seat at the table and needing
24:17
to speak the language of the business or the business speaks dollars and cents.
24:21
So we need to put that risk in that kind of terms so that they understand it,
24:25
the implications of it and can make, you know, risk informed decisions about it.
24:28
We shouldn't expect them to be security experts
24:30
and they're not gonna understand the software supply chain
24:33
when we as a profession are still getting our hands around it ourselves,
24:37
you know? Right. So translating fundamentally the whole traditional problem,
24:43
attack vector and vulnerability, into probability of exploitation and
24:47
into impact and the probability of that impact happening.
24:50
Those are terms that fundamentally any business-minded person can relate to and can
24:56
understand to move risk and do something about it, like mitigate risk with dollars.
25:01
Yeah. Yeah, I mean you're using the terms that, like, you know,
25:04
I think back to a decade ago or more when I took the
25:06
CISSP and there was likelihood and probability
25:09
of exploitation and likelihood of occurrence and
25:12
like no one ever really talks about those
25:14
things for some reason in the practical world,
25:16
you know, like we just, you know, me and others have talked about a lot on LinkedIn is like,
25:20
you know, we talk about CVSS-based scores and
25:22
severity, but there's no context or nuance behind it,
25:25
like is it actually exploitable? How likely is it to be exploited if there is an exploit available?
25:29
What's the maturity of the exploit? Is it a proof of concept? You know,
25:32
is it known to be exploited? If you look at resources like CISA has their Known
25:36
Exploited Vulnerabilities list, for example, or you have things like
25:39
EPSS starting to grow and mature,
25:41
you know, to see what's the probability that this vulnerability will be exploited and then understand
25:46
like organizationally what kind of factors do we have in place to mitigate the risk,
25:49
you know, what's our environment set up, our configurations in place that may
25:52
make this vulnerability exploitable or not even
25:55
exploitable and totally irrelevant for us now.
25:57
So those are things that we need to really get down to the bottom of.
25:59
But that all takes a lot of time, energy and effort to, you know, kind of flesh those details out.
26:04
So it's a it's a tough challenge. No I totally agree. And you know that's that's my pet peeve.
26:09
That's that's the thing that I talk
26:12
about because I've been I've been in finance organization for long and
26:16
that's that's all they want to talk about you know risk quantification,
26:19
investing X. Amount of money to actually explore X. Amount of opportunity
26:23
and you know business people don't talk vulnerability, don't talk cyber,
26:28
they talk money and money against money.
26:30
So I think I've seen the paradigm shift a lot around contextualization,
26:37
cyber risk quantification but I still haven't seen I've seen a
26:40
lot of talk about it but I've seen a struggling adoption.
26:44
What do you think? Yeah no I mean that's actually my experience as well as like I said
26:49
like there's you know great great material out there and cyber risk quantification,
26:53
we need to speak the language of the business. You know they have things like FAIR and
26:56
the risk institute and other things like that.
26:58
You know when we hear probability like EPSS and so on and and putting things in the
27:02
business term and quantifying it to dollars and cents.
27:05
But as an industry, I I haven't seen that at scale in any large organization.
27:09
Uh at least in my personal experience,
27:12
you know that I've run into in the public or private sector quite yet.
27:14
You know, some people have had pilot programs or efforts to try to do that,
27:17
but I haven't really seen it done at scale quite yet.
27:19
And I think it's uh it's got to be a hill that we climb if we're gonna move past,
27:23
you know, being siloed and being part of the business,
27:25
the part of the leadership team communicating in
27:27
business terms and understand how we can, you know, communicate with our peers,
27:31
-- we need regulation around it. -- Yeah, exactly.
27:35
Maybe that's another factor that drives you know,
27:38
forcing us to communicate in those terms and
27:40
actually quantify things and and you know put those
27:42
metrics out there because otherwise maybe we continue to
27:45
go on as we have doing qualitative subjective,
27:47
you know, assessments and kind of speculation.
27:50
I agree chris we're coming to a close and
27:53
we have a brilliant tradition in the show that is
27:56
not leave on a doom and gloom like we always do inside but leave on a positive note.
28:00
So in your opinion,
28:03
how has the industry changed or what is the positive sign that that
28:08
we start seeing and to leave fundamentally audience on a positive note.
28:12
Yeah, I think while we've talked about a lot of the challenges and problems,
28:16
you know, I think the fact that we're even talking about
28:18
these is a good sign cause there's been years, like it's not as if the use of open source
28:21
software or software supply chain as a concept is new.
28:25
We just simply didn't address it previously as an industry.
28:28
And so we're seeing a lot of momentum from groups like the Linux Foundation,
28:31
OpenSSF since, you know, the federal Government, the United States,
28:33
we're seeing european regulations start to come out
28:35
around software supply chain suppliers SBOMs.
28:38
So we have a lot of great momentum underway. Same thing on the cyber risk quantification.
28:42
We're seeing a push for, you know, having cyber expertise in the boardroom from groups like the SEC, for example,
28:48
I think we're moving in the right direction and and
28:50
we have a lot of problems ahead of us, but that's also exciting.
28:53
We have a lot of things we get to solve and tinker with and try to, you know,
28:55
try to solve as an industry as professionals
28:57
and that makes me interested and engaged and,
29:00
you know, I hope everyone else's along on the journey
29:02
and excited as I am about the opportunity. Absolutely.
29:05
I've seen, I've seen the problem shift and I'm and I'm super excitable,
29:09
what's after con, but if if folks want to follow more about the
29:14
US set of regulation of what you talk about,
29:16
where they can find more about you. Yeah, I mean for me, I'm super active as I said on LinkedIn, you know,
29:21
just find me at Chris Hughes, I think it's at resilient cyber on LinkedIn is my kind
29:25
of URL and then same thing on Twitter,
29:27
although I don't really use Twitter too much. It's it's a little bit different than LinkedIn, in a different world.
29:31
Um but that's that. I also have a Substack I started a couple months ago where I talk about these topics,
29:36
you know, on a weekly basis. It's resilient cyber dot substack dot com.
29:39
And then I have resilient cyber the podcast as well.
29:42
Um and I'm happy to connect and chat with anybody, anyone about all these topics.
29:46
You know, I'm always learning myself and looking to learn from others
29:48
and and pass along what I learned as I said,
29:50
we're all in this together. So I'm definitely open to chat with anyone.
29:53
Fantastic chris thank you so much for coming on the show and everybody, you know,
29:58
there is a ton of material out there, put your organization towards adopting.
30:03
I'm more mature maybe surface because it can make you more reputable and
30:08
more solid even before regulation comes around because then you'll be prepared.
30:13
Yeah, I mean we always talk about like just a closing note, we hear about like,
30:16
you know, shifting security left, this is the opportunity to do that,
30:19
wait instead of being reactive waiting for regulation
30:21
to come along and then kind of encourage you to do these best practices or things that we're seeing emerge as you know,
30:26
things that we should be doing, get ahead of that curve.
30:28
You know, if we know we need to start quantifying cyber risk, we need to start talking about software
30:31
supply chain security as an organization or business
30:34
now is your opportunity to get in there and start doing those kind of things.
30:37
Fantastic. Thank you very much Chris for coming on the show and everybody
30:40
stay safe out there and I wish everybody a fantastic 2023.
30:44
Thank you. We hope you enjoyed today's episode.
30:53
Please leave us a review on Apple Podcasts and post it on social media,
30:57
tagging cybersecurity cloud podcast for a chance to win a $100 amazon gift card,