Episode Transcript
0:00
Music.
0:11
The following is a conversation with Ray Heffer, field CISO for the Americas at Veeam Software.
0:16
Before joining Veeam, Ray built a career over two decades specializing in cybersecurity,
0:21
infrastructure, and cloud services.
0:24
His journey includes pivotal roles at VMware where he honed his expertise in
0:28
virtualization and cloud computing. This background equipped him with a unique blend of technical skills and strategic
0:35
insights, making him a respected voice in the cybersecurity community.
0:40
This is the Sound of Tech to Come, a Veeam podcast.
0:44
Well, Ray, you've been at Veeam for just over a month now, I think.
0:48
So firstly, give us a little bit of a background about your journey to becoming
0:53
the field CISO for the Americas at Veeam.
0:56
Yeah, I'll try and keep it short. It's funny, security for me really started in the mid-90s.
1:03
We didn't even call it cybersecurity back then. You know, this was
1:07
the heyday of The Matrix coming out in 1999 and
1:10
all that cool stuff. But, you know, I remember as a
1:14
Unix admin, security wasn't even top of
1:17
mind. And then I moved into a public sector organization where I
1:20
got hit by the ILOVEYOU virus. And I was an IT manager
1:23
at the time, and this was a small organization. We didn't
1:26
have a CISO or security manager. You know, I wore all
1:29
those hats. But these were the days where I had a
1:32
firewall and antivirus on all the workstations and
1:35
some web and email filtering. And it was
1:39
interesting that that cybersecurity incident, that
1:42
virus, I dealt with by adding an email
1:44
filter. But, you know, this is where it all started for me. And it
1:49
was even in those early days I learned the importance of things
1:52
like user education. You know, again, throughout
1:55
the heyday, you might remember this, there
1:58
was a video that went viral, and viral in those days meant
2:00
email, right? It wasn't social media. And there's this video
2:03
of this guy sat in a cubicle on his keyboard. He gets angry
2:06
and he smashes his keyboard across his monitor. I still
2:09
see it today. I still see it today. You still see it
2:12
in the very 90s thing. But people used to just click stuff,
2:15
and he said something else, then they used to just click on whatever they received
2:18
in the email. But look where we are today.
2:21
It's crazy. But it's funny because it was
2:24
after that I moved to an internet service provider, and
2:27
I started getting involved in pen testing. Okay. And talking
2:31
about The Matrix, you know, I was using tools like Nmap, and those tools,
2:34
you know, the 90s, early 2000s, are still used today. And yeah, you know, pen testing,
2:40
I had a mentor and he introduced me to that, and I really got the bug.
2:45
Ironically, I joined the government regulator, so doing a lot around ISO 27001
2:50
and ITIL, which is a big part of what I focus on now.
2:54
And ironically, it was that role that took me away and ultimately led to me
2:59
joining VMware and took me away from security for a little bit.
3:01
I joined VMware in 2011, moved to the US in 2016, and here I am,
3:06
just to speed through that. Speed it up. I had flashbacks, actually, when you were talking about those early
3:12
days of security and around that timing. I think my first security product as such was ISA Server 2000.
3:19
Oh, yeah. And I was in control of that server, right? And it was so raw back
3:24
in the day, like the stuff that, you know, you could see and get away with.
3:28
And it was crazy, man. We were, I remember we were messaging,
3:31
we were looking at desktops, we were looking at email, we were looking at when
3:35
MSN Messenger first came out, you could basically see people's conversation.
3:39
Oh, yeah. Things about memories. Yeah, you could see people's messages in clear text.
3:43
Sometimes I didn't want to see what people were talking about,
3:45
but that's another story. But it's just crazy to think in those early days the level of security was so
3:52
raw. People knew that you still had,
3:54
security was a thing, but it's so different today, where now
3:58
the industry is so established. It's
4:01
the thing that everyone talks about in the last three to four
4:04
to five years, specifically around ransomware and cybersecurity
4:06
and being ready, zero trust, which is
4:09
in your sort of wheelhouse. But maybe I do want to
4:12
go back to VMware, because I think it's important to understand. Obviously
4:15
we're here, you're new at Veeam. People probably don't know much
4:18
about the role. We'll talk about the role at Veeam
4:22
shortly, but maybe take us through that journey in VMware from being a virtualization
4:27
admin and then getting back into the security-focused part of the role. And your
4:31
last title at VMware was field CISO as well, right? Yeah, it's the same
4:36
role as it. Well, that's actually, yeah, it's a good point. Because, you know,
4:40
I joined VMware in 2011 as professional services and, you know,
4:43
I was involved in a very interesting project.
4:46
Security was still a big part of that. You know, you couldn't deliver an architectural
4:50
design without having security baked into that.
4:54
But I'll tell you something, actually, it was around 2016, soon after moving
4:57
to the US from the UK, that I was working with, I was in the cloud provider program.
5:03
So cloud providers, not, I'm not talking about the big public cloud providers,
5:07
but there's the smaller ones are using VMware technology to deliver their services.
5:12
And in our team, we had cloud strategists.
5:16
There was Marwan, JP, who else in Patrick, if they're listening,
5:20
I know these people, I mean, that was my world, right?
5:22
I mean, that's how you and I kind of know each other as well, to a certain extent, through that platform, the cloud provider program
5:29
and what I was doing in there. But, uh, that's what I knew about you anyway. So, yeah, there you go.
5:33
It's a small world at the end of the day. It is. And be honest, you know, I was an architect, you know,
5:39
I was, I think I was on the path to becoming a principal.
5:41
I got that in 2018, but working with these guys, this was, oh,
5:46
six, seven, eight years ago now.
5:49
I was looking at them and thinking, wow, you know, I love what they're doing
5:52
because the VCDX, actually I should mention that I got the VCDX at VMware,
5:56
which is the VMware certified design expert, but that approach is applied to an architect.
6:01
And it really is looking at the business. What are the business outcomes?
6:05
Let's gather the requirements for the business and then ultimately deliver an
6:09
architectural design based on those requirements.
6:12
But looking at the strategists, I was thinking they were so business outcome focused.
6:16
This is where I want to go. But I didn't put that together with
6:19
the security piece until, you know, a few years later. So
6:22
they were like my catalyst, that spark in the
6:25
early days. But I wanted to get back to security. I ended up,
6:28
I did go to AWS, I came back to VMware, I
6:31
was in a DevSecOps role for a few years on the Tanzu team. But ultimately it
6:37
accumulated to the role I'm in today. And, you know, very thankful to be part
6:41
of that journey with Veeam now. Yeah, because as we've talked about before, and
6:45
people listening would know that this is a new frontier for Veeam.
6:49
And the messaging obviously shifted a little bit towards the end of last year
6:52
when we looked at radical resilience. And really, you know, releasing our first 12.1 release that we released was
7:00
the first one that had very specific security-focused features and functionalities,
7:05
right? And that was the top-line messaging. So, you know, this role obviously has been born out of that.
7:10
And there's no doubt that in our space, you know, within the broader ecosystem,
7:15
security plays a massive part. Data protection is one component of that. And I think you're pretty much in that.
7:22
So what do you see the field CISO role being within Veeam in the context of
7:28
a data protection company? Yeah.
7:31
Yeah, that's an open question there, because within Veeam and outside of Veeam,
7:36
I think people see it as different roles. Outside of Veeam, I'm getting so many messages on LinkedIn thinking I'm the
7:41
CISO for Veeam, and I'm not. You know, CISO is focusing on security for the company.
7:46
A field CISO, I would actually label this as a cybersecurity strategist.
7:51
You know, going back to the cloud strategist I said I worked with back in the
7:54
day, this is a cybersecurity strategist role.
7:57
So unlike field CTO, I'm
8:01
not focused on going deep into a product, but
8:04
more focused on the executive audience within
8:08
our customers. And ultimately, you know, that is the CISO. And
8:11
if you look at what they need to do to be successful, you
8:15
know, many CISOs will have to present to a board of directors, and you
8:18
just can't go to a board and start talking
8:21
about, you know, these are the features of 12.1, we've
8:24
got inline malware detection and YARA rules and
8:26
all this great stuff. But I've got to translate that.
8:29
So I think that's a key essence of my role, is translating that
8:33
into metrics and KPIs, things
8:36
they're measured on, help them be successful so they can take that to the
8:38
board and also communicate that to the team. Yeah,
8:42
you mentioned, you know, the fact that you're not the
8:44
CISO as such, right? And we had Gil Vega on the
8:47
show in October for Cybersecurity Month. And yeah,
8:50
what he does is crazy. It was intriguing. Actually,
8:53
one of my most favorite podcasts that I've ever done across the
8:56
board, right, talking with him and getting all the insights
8:59
from him about his journey towards being the
9:02
CISO of Veeam, what he does in the company, right? And you
9:05
probably don't want that sort of pressure just at this point. You know, like there's
9:08
tons of pressure in that particular role. But I think to that point, what I'm
9:13
gonna say is that you made a really good point about going in and talking to
9:17
these CISOs in companies to basically help them strategize about what they can
9:21
do best to help their company survive an attack or be resilient
9:26
before an attack happens, and how you then recover from an attack after that.
9:29
Because my working theory, and I think I told Gil this back in October,
9:34
was that it seems to me like unless you're a seasoned CISO who's gone through
9:39
the ranks like Gil has over the years and kind of earned his stripes.
9:45
A lot of the CISOs that we're seeing being elevated into this role are not traditionally
9:50
strong in that area or their level of experience isn't that strong because it
9:55
is a fairly new position as such in terms of what it gets.
9:59
So is that the challenge that you have actually going into these companies at
10:04
VMware? And obviously you've been doing this for a month now at Veeam.
10:07
Do you think that's a challenge, is educating these people who might not be ready for this?
10:12
It's interesting. I would have said yes, even just a few months ago.
10:15
And the recent experience I had, which was I went in very daunted, a bit nervous.
10:20
I'd just come back from Canada, a huge event by CyberX as
10:23
a field CISO forum. There's around 600 CISOs in
10:27
the room that I'm doing a presentation to as a fireside chat,
10:30
and, you know, that's scary stuff,
10:33
right? And I went in with this idea in my head that, you know, these are all going
10:37
to be way more experienced than me and, you know, why would they listen to me?
10:41
After that session and talking with a number of them, I was actually quite surprised
10:45
how many CISOs were new into the role. And I actually saw some of this at VMware. And the,
10:51
do you know the number one question I got, and I've had this before was,
10:55
you know, I mentioned NIST cybersecurity framework, and I can talk more about
10:58
that in a moment, zero trust, you know, you pick it, there's hundreds of frameworks
11:01
out there, but the question was, how do we get started, where do we get started?
11:05
They find that quite overwhelming. So we can go in, we can always assume that there's all these CISOs out there
11:11
like Gil, who've got tremendous amount of experience, but actually out there
11:15
with our customers, that's not always the case. Yeah, and I think that was my point. So I think you're confirming my theory
11:21
in that, yeah, it's such a new position and a new role and something that's
11:25
kind of coveted from the outside.
11:28
And then a board or a business or an executive team will say,
11:32
hey, we need a CISO, let's get one without really understanding what that means.
11:36
And then they'll pull someone in without understanding what it actually needs
11:40
and how they need to facilitate that role. So I think, or go for it. Yeah, oh, I was going to say, what I also see is they
11:46
all promote the security engineer, you know, that's been with the company a long
11:50
time. The problem there is, technically, they're great,
11:53
but they don't have the business focus, business side of it. Yeah, yeah, I was going
11:58
to actually, earlier, I was going to say a joke about a CTO and a CISO walk in a
12:01
room, which also is tied into an Englishman and Australian as well, but I'll leave it,
12:06
I'll leave that alone. But it's an interesting, it's an
12:09
interesting sort of demarcation. And
12:12
we've had some good conversations. I know you've been working with the other field
12:15
CTOs and the regional CTOs in Veeam
12:18
to work out, you know, the engagement that we do
12:21
have, and it's very complementary in a way. In fact,
12:24
it is complementary, right? So I'm really kind of interested in how, you
12:30
know, we've got these roles. We've got one in EMEA, we've got you in the Americas,
12:34
and then we've got one, I don't think it's been filled yet. It might have been
12:37
filled last week, I'm not sure, but I still think it's not been filled
12:40
in APJ. And how effectively,
12:42
you know, we can work together to actually tag team to tell the whole story
12:47
at that business outcome level. Because I think that's the biggest thing that, you know, we can do now is go into these events.
12:55
We can go have these fireside chats. We can go talk to the companies at these
12:58
levels and have the different level of conversation and still be successful holistically.
13:03
And I think that's part of this strategy of getting these roles in place.
13:07
Is that kind of the way that you see it as well?
13:10
Yeah, absolutely. And the reason I think we need those regional field CISO
13:14
roles, you know, I cover the Americas. And, you know, if I was to make my own job title up, I'd say I'm an Americas
13:19
cybersecurity strategist. You know, let's put it there. I like that.
13:22
We've got there, we'll have one for APJ, we have one for Europe. And the reason for that is,
13:26
frameworks and regulations vary so much. You know, when I speak to my counterpart
13:31
in EMEA, Andre, he's talking about what's happening in Europe, and I should know,
13:36
I come from the UK, but I've been in the US long enough that he's teaching
13:40
me stuff about all the NIS, not NIST but NIS. You know, there's different frameworks,
13:45
there's different regulations. So we've got that focus. But on the other side of
13:49
it, there's three things I typically talk about with
13:52
a CISO. You know, the first one I'll actually focus
13:55
on here is the strategic integration of data protection
13:58
and incident response. And you're asking about what we
14:01
help with. With that one, what we
14:05
are seeing, when I say we, we've got the Veeam Data Protection Trends
14:08
Report out, 2024, you want, and other
14:11
trends analysis reports to highlight this as well,
14:14
that there's this gap between IT operations and
14:17
the security teams. And, you know, incident response, going
14:21
back to the security teams, you know, well established
14:24
and well run, well oiled, whatever you want to call
14:27
it, SOC team, they're going to have incident response playbooks,
14:30
they're going to be doing tabletop exercises where they
14:33
run through a ransomware event. And if they've really got it nailed, they
14:36
won't be doing that in isolation. They'll be bringing in HR and
14:39
finance and other parts of the organization. But that's
14:42
the problem, you don't always see that. So IT operations are like
14:45
the afterthought. Yeah. When it happens, I
14:48
mean again, it's when, not if, if they
14:52
haven't run through those scenarios. And, you know, you
14:54
might see behind me, I'm a bit of a nerd. I like fantasy fiction, so I always
14:57
liken this to Dungeons and Dragons. And us, yeah,
15:00
those scenarios. But it is just that, if you have fun
15:03
with it, use it as a collaborative effort in your organization,
15:06
relationship building internally in your organization, and also
15:09
bring in third-party vendors as well. I think that
15:12
really strengthens your whole overall security posture.
15:15
So that was number one. Yeah. Number two I mentioned is GRC.
15:19
Governance, risk management, compliance. Mastering that and the security frameworks.
15:25
It goes back to that question I often get asked, is where do we get started? My
15:29
answer is always just pick a framework. Yeah, NIST CSF, it's only 700
15:34
pages. No, I'm joking. It's 52 pages.
15:36
And if you cut off the table of contents and the title page and everything,
15:41
you're down to like 40-something pages of stuff to read.
15:43
It really isn't heavy. You can get through that in an evening.
15:47
And I'd say just pick a framework and stick with it. And then the third one,
15:50
which is the third part of the role I have here, is this proactive ransomware
15:55
defense recovery readiness.
15:58
And that's probably where I will then start crossing over and handing off into
16:02
a field CTO, because that's where I talk about.
16:05
All the capabilities we have with early threat detection, inline malware detection.
16:09
We have four-eyes security. That always makes me smile because if you remember
16:13
the movie War Games. I do love it.
16:16
80s. I love this stuff. Right at the beginning, there was the nuclear missile launch. Two keys.
16:21
Yeah. Every time I think of that, I think of that. You know what?
16:24
That's exactly what I think about when I think of four eyes.
16:27
We should have actually called it 2K. It would have fit a lot better, I reckon. Or call it War Games.
16:31
Yeah. Yeah. The War Games thing. Yeah. But that was a cool little feature. And actually, to be
16:36
fair, we've been adding little bits and features and functionalities like
16:39
that even before 12.1. I mean, there was little
16:42
things like MFA, which seems like table stakes type of features, but we
16:47
just didn't have them before, you know, basically auto log off for the console,
16:52
other bits and pieces like that. So these little security features and functionalities
16:56
that we've added along the way have just continued to strengthen the product,
17:00
which is a very strong, you know, backup and recovery product and got all the
17:04
other bells and whistles. And so now we're just tagging on all these little important checkboxes,
17:08
which in this day and age, especially we need if we're going to be successful
17:12
out there doing business and protecting people's livelihoods through data protection.
17:17
Yeah, absolutely. It's funny, you know, obviously ransomware is going to be
17:21
the number one topic, you know, whether you like it or not, it is what's driving
17:27
all of this is happening. And in fact, where I was originally from in the UK, you know,
17:31
coastal town near Brighton, there was, uh, I don't wanna mention names,
17:35
but there was a ransomware attack on a local, uh, utilities company just last week. Right.
17:41
And it's interesting to look at that because you can look at this sort of the
17:46
typical template for our ransomware attack.
17:49
You pay the ransom. There's things like double extortion, by the way,
17:51
where this actually happened with them.
17:54
They paid the ransom. I believe they got a decryption key to decrypt the data.
17:59
And one is your data going to be in a good state afterwards is the question.
18:03
But even then, they leak your intellectual property.
18:06
And this is why I'm actually so passionate about this. They're leaking personally
18:10
identifiable information, PII. So it's the IP and the PII,
18:14
which is why I do this in the first place. I'm a huge privacy guy, but
18:17
let me talk about that another time. But, oh well, actually, just
18:20
just to put some flavor on that, Ray's got a
18:23
brilliant podcast, which is kind of fresh, isn't it? It's
18:26
the Lockdown podcast. I'll link to it in the notes, but it's great.
18:29
Oh, thank you. I really like the way that you structured it, and
18:32
yeah, I mean, if I was coming into it without knowing you, I'd
18:35
go, a very tinfoil hat type of a guy, right? Like he's
18:38
really big on his security, right, and identity protection.
18:41
But I do some crazy stuff. But it is,
18:44
it is. But I think it's great. I think it's well worth a listen as well, because
18:48
I think more of us, if we're even like 10% as much as what you talk about, I
18:53
think we'd all be better off, right? Yeah, and even that's hard, you know. In the
18:56
US, why, for example, why is there not a default credit freeze on everybody? Because
19:01
with the credit agencies, I don't know what it's like in Australia,
19:03
but we've got the main credit reporting agencies.
19:07
You can go to that and get all sorts of information on people,
19:09
and typically it ends up with junk mail and things in the post.
19:13
If you do a credit freeze, it blocks a lot of that. But it's also used by identity thieves.
19:18
Which is a big way where people get in.
19:22
I know that on Facebook alone, I've been hit about four times in the last couple
19:27
of months by an account that appears to be my auntie in Malta.
19:30
And every time, I know it's not her because I know now that somehow her account
19:37
and her profile has been targeted multiple times.
19:40
But my mum nearly got done by that because it was like, oh, it's her sister.
19:44
You know, it was basically one of those ones where you go, hey, sis, I've met this guy.
19:49
He's saying that if we put €1,000 into this account, we're going to get €10,000 back.
19:54
And my mom goes, well, this is awesome. I'm going to do it.
19:57
And it's a good thing that she was at home when she was talking about that because
20:01
I just looked at the conversation.
20:03
I looked at the tone and the style of the writing. I said, that's not your sister.
20:07
And then I said to her, ask her a question about something that only you would know when you grew up.
20:13
Like, tell her about, ask her about what street you grew up in and that sort of stuff.
20:16
And, you know, straight away it was like, oh, sis, you know,
20:19
why are you asking me that? And it's like, get rid of that right away.
20:22
You know what I mean? It's scary. Very. So, Clancy, you're an AI guy.
20:25
I do like to dabble lightly. Yes, I am dabbling lightly.
20:28
So, I've got a question for you then. There was an incident here in the US where
20:33
the congressman had a call, supposedly from his son, and it was a deepfake voice clone of his son.
20:40
And long story short, he had to pay some money to get his son out of jail.
20:45
Wasn't really there. He went very public with this. What are your thoughts there?
20:48
Because this is scary stuff. What you're describing there, the next evolution of that, it's scary. Like I
20:53
think there was an incident that happened even a few weeks ago,
20:56
where a financial controller of a
20:59
company, he was, actually no, what it
21:01
was was the financial controller of a certain company was
21:04
on a Zoom meeting, but it wasn't him, it was a deepfake of him. And he
21:07
was telling all of his accountants to basically pay these
21:10
debtors or these creditors now, and just do it now. And even
21:13
though they were asking, like, should we really do this? It was like, yep, get
21:16
it done, get it done. It was all deepfaked, and they ended
21:18
up losing some multiple of millions of dollars
21:21
worth of company funds through it, right? And
21:24
they had no idea that it was a deepfake. So you're right, it's
21:27
super scary. And I mean, OpenAI only in the last week have released a new technology,
21:33
or haven't released it but announced a new technology, where you can generate
21:36
up to a minute of video based on a prompt. And oh yeah, I've seen that. It's crazy,
21:41
right, where we're at. But just think about that in the wrong hands, I mean.
21:47
Just having what we had last year with the generative AI capability to code
21:51
and to make your code better and even for someone who wasn't a good coder to
21:54
create something that could encrypt something like an S3 bucket with these.
22:00
Now, if we've got the capability to deepfake with a sentence, that's even more scary.
22:05
So, we're entering some really scary times when it comes to that.
22:09
But I think to that point, it's just part of the natural evolution of technology and where we're at.
22:15
We have to embrace it, but we have to embrace it
22:18
from all sides. And that means businesses need to
22:21
also embrace it from all sides, which also means embracing a
22:24
data protection strategy, a cybersecurity strategy, to
22:28
make sure that when you are hit, you can recover from it, right? So I think people
22:33
like you and I, and companies like Veeam, all this technology is coming out,
22:37
it's even more important to leverage us, basically. Absolutely. I'm a huge believer
22:42
in that, you know this, but what... Take what's used on the offensive and use it for defense.
22:47
I do this in my privacy world. There's something called open source intelligence
22:50
or OSINT, which is more of an investigative thing.
22:54
But I use defensive OSINT. What information can be found there on me,
22:58
then I'll use those techniques to block it.
23:02
But going back to the AI thing, it's funny.
23:04
Is it called SORA, Open AI SORA? Yeah, I think it's something like that.
23:08
I was trying to remember what it was, yeah. It's funny. When I looked at that the other day, it says they're opening
23:12
up just for red teamers, so security folks, and movie
23:16
directors. I think, well, my hobby is cinematography and
23:19
I'm in security, so maybe I've got a chance of getting access.
23:22
But it's AI does concern me. Just want to touch on ransomware again, because I
23:27
took on a challenge the other night to write some ransomware using ChatGPT,
23:34
and it took me one evening, and I have an encryptor and a decryptor and an HTTPS
23:39
listener I've actually got. It's not on my GitHub, so please don't go looking for it, but it's on my GitHub.
23:47
But I just want to highlight that that would work. You have to manually execute
23:50
it. It would encrypt everything on your machine. It sends the key over HTTPS to a listener.
23:55
So it's very difficult to extract the key because it's not on disk or it's never written to disk.
24:02
And there's a decryptor. But when we're looking at what's actually going on
24:05
out there, there's Lockbit, there's Conti, Blackbasta.
24:09
There's all these different groups. But what's actually happening is these are ransomware as a service providers.
24:14
LockBit 3.0, I had
24:17
a look into this. To get access, you know,
24:20
we often just dust this off, oh, you know, script kiddies
24:23
now can go to this ransomware as a service and off
24:26
they go, they don't have to have any knowledge. You've got to deposit one Bitcoin,
24:30
which is like fifty thousand dollars at the moment, just to get access.
24:34
You've also got to prove that, you know, again reminds me of The Matrix, prove
24:38
who you are, you're a hacker, you know, show us what you've done, show us your forum posts, your breaches.
24:45
There's a level of entry and entry requirements to even get access to LockBit.
24:50
When you do, it's vastly different to what I created with ChatGPT.
24:54
This is a SaaS service, there's a commander control, there's support.
24:59
It's crazy. It's a real organization. When I talk about people like that,
25:04
well, it is illegal, but they're a business, they're an enterprise,
25:08
and they're doing great business. Right, they're thriving. I talked about this last year
25:13
a little bit when I was doing some security roundtables in ANZ,
25:16
talking, you know, around this topic, and people
25:19
were amazed that these groups had, you know,
25:22
help desks that would ring up and, oh yeah, help you, right? And I
25:25
think a lot of people, probably people are more educated now, maybe
25:28
in the last six months, about that happening, especially at certain levels. But
25:31
the majority of people, if you go and tell that story like you just did, they'll
25:34
go, get out of here, man, that's crazy stuff. Like ransomware is
25:37
a service, that's what it is. But to your
25:40
point, the people that are getting access to that need to be some pretty malicious guys
25:43
to start with, right? So you already know they're pretty bad
25:46
guys if they're getting access to that, for sure.
25:49
Yeah, for sure. And, you know, they've got criminal backgrounds, you
25:52
know that. You know, the ransomware as
25:55
a service operators, they're getting like a 20% cut. You know,
25:58
they're making a fortune from this. But this is, I think, where we start crossing
26:01
over the level of sophistication. You know, it's far beyond what I can knock up
26:06
with ChatGPT, even though I've got a functional ransomware ethical simulation.
26:10
Yeah, I'm not going to obviously use it. But there's just far beyond that, and I think it opens up this.
26:18
And I'm just thinking openly here, nation states have that level of sophistication.
26:22
And this is what concerns me. Things like LockBit, Conti, they come from adversaries, you know,
26:27
Russia, Iran, North Korea.
26:30
And I just think we're going to see more of that. And the other thing that concerns
26:35
me is AI is very interactive at the moment. You know, we ask it to do something, we get it back.
26:40
When it starts to perform actions and we can say.
26:43
Hack this website or perform a ransomware and it does it for you,
26:47
that's then really scary. Yeah, you know
26:50
what, it's funny, without giving away what I'm
26:52
working on for VeeamON, there's a little bit of that as
26:56
well, like turning just a two-way conversation into
26:59
something that's actionable and saying, hey, like, you know,
27:02
in a good way though, for good, you
27:05
know, get me the version of a server.
27:09
Okay, it's server X. Go online and check
27:11
if there's a recent update for it. Okay, there is.
27:14
Now I want you to stop all backup jobs, take a backup
27:17
of the config, and then patch it, patch the server.
27:20
And in theory, that could work,
27:23
right? So if you take that, which is
27:26
really using AI for efficiency and kind
27:29
of natural language way of interacting with platforms, that
27:33
in a negative sense, in bad people's hands, holy moly,
27:37
that's, it's scary to the next level. I
27:39
mean, yeah, I mean, we could talk for hours on this particular
27:42
subject in terms of the threat landscape that is out there
27:45
today that's evolving more and more. But
27:48
I think the good thing that you mentioned is that as one
27:52
side evolves, so does the other. And I think
27:55
that's where we come into play as a company. It's where Veeam works with our
27:59
ecosystem partners, with our great security partners, to be able to offer an end-to-end
28:04
solution to, you know, mitigate, protect, and then recover. I think that's
28:08
what we're going to get to. Hey, I just want to finish with a couple of questions around,
28:14
Which is related to that actually, you know, Veeam and a lot of backup companies
28:18
have tried to or have pivoted to security as a messaging, you know, first.
28:24
And I think Veeam's still, you know, pretty much at its core a backup and recovery
28:28
company that talks about that, you know, first and foremost.
28:32
And obviously, we're releasing more and more features to, you know,
28:36
help in that cybersecurity space, which is what you have to do.
28:38
How have you found that coming into, you know,
28:41
from VMware in that world to the backup world as a security professional and
28:48
trying to look at the interlock that's happening and the sort of blurring of
28:52
the lines between data protection and security?
28:55
Yeah, it's interesting as an outsider in a way, you know, I look at vendors
29:00
and they're touting zero trust in these frameworks and I look at it with skepticism
29:05
and, you know, I'm going to critique it.
29:08
What I really love, what we are doing at Veeam is not just taking that as this
29:13
marketing ploy and, you know, all of our products are zero trust certified or
29:18
whatever you want to put on there. What we're actually doing is, you know, it's actual capabilities, but it's almost
29:24
like an extension of zero trust. So there's, I mentioned CISA, you know,
29:29
this is Cybersecurity Infrastructure Security Agency in the US. I might have
29:33
butchered that acronym, but CISA, they have a Zero Trust Maturity Model and there's
29:37
five pillars here. So it starts with the user, the device they're using,
29:42
the application on that device, the network and then data at the end. And
29:46
often what we see with customers is they're on a zero-trust journey.
29:51
And this could apply to any other framework, but let's just take zero-trust as an example.
29:55
And they will get so far and stall, hit a brick wall, because if they work with
30:00
a vendor, that early momentum stops.
30:03
So by the time they get to data, it stalls. But even the framework itself,
30:06
it refers to NIST and other frameworks.
30:08
But I think for us, we've got this amazing opportunity to
30:12
really educate not just customers, but I'm talking
30:14
about the cybersecurity industry, of the
30:18
zero trust, you know, that extension into recovery. Because, you know, at the end
30:22
of the day, it's going to happen, and if paying the ransom isn't going to get
30:27
you the decryption key, and even if it does get you the key, if it gets you a
30:30
clean restore, that's unlikely too, because typically you get this janky script
30:35
and it doesn't work properly. You've got to bring in other incident response companies to work with you.
30:40
If you've got an immutable backup that can't be touched, it goes back,
30:44
you know, the CISO will know about this, the CIA triad, confidentiality,
30:48
integrity, availability, if you've got a backup that's integral,
30:51
it hasn't been touched. It's not being messed with.
30:54
Then you've just cut through all that other nonsense because you can then restore.
30:58
And ransomware groups, they are going to target backups. You know,
31:01
that's, and that's another thing that this ransomware as a service does automatically.
31:05
It's looking for backup targets. It's crazy.
31:09
Yeah. And who's, and who's the number one data protection company in the world? That's us.
31:13
That's Veeam. And that's why we're getting targeted more and more.
31:15
I think it's, it's, it's, it's not a surprise that, you know,
31:18
when, when competitors go, well, Veeam's getting targeted quite well.
31:20
No, of course, because we have the biggest numbers out there,
31:23
right? So that's kind of the way that it works. I think that's actually interesting as well because in the data protection report
31:29
last year, I don't know the specific number, but I remember that you really
31:32
want to get down to not paying the ransom and being able to recover your data in its entirety.
31:39
I think that's the whole trail, right? So not paying the ransom and getting all of your data back.
31:44
And from memory, the percentage of that that people were able to have a combination
31:50
of that was only about 10 to 20%. So, Veeam's mission really in life is to make that 0%.
31:56
Like everyone is basically getting their data back through a validated recovery
32:02
without paying the actual ransom as well. So, that's where we have to be.
32:07
Hey, quickly, zero trust as a sort of word, as a vibe, as a marketing thing.
32:13
How are you looking to take that zero trust message and apply it to yourself
32:19
when you talk to customers and partners and other CISOs in your role?
32:24
Yeah. So I think a number of things is education around it.
32:27
You know, so often, and I hear this from other CISOs, I hear,
32:30
oh, zero trust, it's just another form of least privilege. It's just another
32:34
name for least privilege. That's what I would have thought, actually, if I was talking about it as an
32:39
uneducated individual, that's how I would basically describe it.
32:42
Yeah, and don't get me wrong. Least privilege is a core component of zero trust, but it's not the only thing.
32:48
And if you look at the core premise, it's never trust, always verify.
32:52
So you can apply it to, I mentioned DevSecOps earlier, you can apply it to that.
32:56
Imagine a developer, they're at their keyboard. Are you going to trust the code
33:01
they're committing to the Git repository is secure?
33:04
No, you're going to do checks at that point. So then it's committed.
33:07
Are you going to trust the images they're using for containers are secure?
33:11
No, you're going to have a secure container repository. So that can fall into it as well.
33:16
It's not just about, you know, privileges and having, you know,
33:19
the least amount of minimum required permissions.
33:23
You've got to expect every single step, which is why CISA have those five pillars,
33:29
by the way, you know, from the user all the way to the data,
33:31
every step and everything in between is verified every time.
33:35
You know, a great example of this, multi-factor authentication.
33:38
It might be seen, okay, checkbox, we've got
33:41
that. But look at how that functions. We've seen cybersecurity incidents where
33:45
this thing called MFA fatigue, where developers, I won't mention names,
33:50
that they were spammed constantly until one of them, it just takes one, hits approve
33:56
by mistake. And it depends on the implementation of multi-factor authentication,
34:01
but it just takes that one to get into the organization. Yeah, so zero trust allows
34:06
you to look at your technology as well and go, okay, could that happen?
34:10
So I'm a big fan of it, but some vendors, not us, but some vendors do,
34:15
I think, overmarket it and make out you just, you know, it's almost a joke in
34:20
the cybersecurity industry is, oh, zero trust. We just need to put this appliance in and turn it on. Hey, we've got zero trust.
34:25
Well, it doesn't work like that. It's also people and processes.
34:29
And I think it's going to have to continually evolve, you know,
34:32
all the stuff we talked about with AI and deep cloning of voices and video now.
34:37
Yeah, it's certainly not ready for that
34:40
yet, but I'd be interested to see how it evolves. Yeah,
34:43
well, hey, thanks for being on. I think it's been a really, we could
34:46
have probably chatted and maybe, you know, we'll look at having
34:49
some sort of side series of this particular over the next 12 months or even
34:54
as you continue your journey here at Veeam, because I think it's just fascinating
34:58
talking about the stuff. I think other people want to hear it as well, because
35:00
you've got tons of stories, tons of experience, and I think it's a really good
35:04
introduction to the world of the field CISO at Veeam Software.
35:08
So looking forward to working with you and your team.
35:11
And I think it's going to be a real advantage for Veeam in general to have people
35:17
like yourself with your level of experience now working for the good guys.
35:21
So hey, thanks. Thank you for having me on. That's okay.
35:24
No worries. Until next time, we will catch you on the Sound of Tech to Come,
35:29
a Veeam podcast. Thanks for being on the show, Ray.
35:33
Music.