Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.
Subscribe to the Get Cyber Resilient show today
Host Garrett O’Hara sits down with Damien Lewke, Systems Engineer at Palo Alto Networks, to chat about the huge volume of current cyber threats and also some hot topics including: hype vs practicality of machine learning and AI, tech consolidation trends, data lakes vs data graveyards, and big game hunting - hackers collaborating to attack big organisations.
#getcyberresilient #cyberresilience #ML #AI
The Get Cyber Resilient Show Episode #9 Transcript
Garrett O’Hara [00:00:00] Welcome to another episode of the Get Cyber Resilient podcast. This week I'm joined for a fascinating conversation by Palo Alto's, [Damian Lewke 00:00:16]. Damien is a systems engineer over at Palo Alto and has worked at CrowdStrike previously. During the next 25 minutes, we get through quite a lot. We talk about machine learning and artificial intelligence where they're actually useful versus where the hype is. We talk about the rapid change out there and the huge volume of threats that's being experienced.
We talk about the benefits of data lakes and compare those two data graveyards, tech consolidation and the trends that Damian is seeing. We talk about Soar and where he thinks they will go and maybe we dropped the S for security from Spar Systems. And lastly, we talk about big game hunting. So that idea that attackers are now collaborating to attack organizations. I will apologize. There's a couple of puffs during the recording, but otherwise, hopefully you can just sit back and enjoy the conversation.
I'm joined today by Damien Lewke and Damien is a guy who I met at a conference event a couple of months ago now, probably about six months ago. We were both speaking there and we've kind of struck up a friendship since then. And um, yeah, thought it'd be really interesting to have a chat today about cyber resilience. I think what your career has done so far, uh, fits in perfectly with that. So maybe it's a good starting point, Damien. First of all, welcome along here, but if you wanted to kinda just run us through where you are today, how you got there, that's probably a good starting point.
Damien Lewke: [00:01:28] Yeah, absolutely. So thanks again Garrett for having me today. It's a pleasure to be here. A little bit about me. So I work as a systems engineer here in Sydney, Australia for Palo Alto networks. Prior to that, spent about three years at CrowdStrike, which is an endpoint security company. But, uh, before that and before cyber resilience was, was the primary focus of my career. I actually spent a few years as a nuclear weapon systems engineer at, uh, Northrop Grumman out of Los Angeles.
Garrett O’Hara [00:01:54] Wow. That's pretty, pretty full on.
Damien Lewke: [00:01:55] Yeah.
Garrett O’Hara [00:01:55] You need to be fairly resilient in those kinds of facilities I'm assuming.
Damien Lewke: [00:01:59] Oh, absolutely. And in fact I'd say some of the challenges that we see today as you implement cyber resilience at scale Northrop Grumman already was dealing with, um, you know, back in the day when you build these sophisticated systems and weapons, you kind of want to make sure that they aren't hackable or at least not as vulnerable.
Garrett O’Hara [00:02:16] Definitely can imagine that. Then you've moved over from the US fairly recently, actually, right? About two, three months ago, probably?
Damien Lewke: [00:02:21] You're right on the money. Yeah. But two months ago today actually.
Garrett O’Hara [00:02:24] And how does it feel like obviously the, there's better coffee here, I'm going to call it.
Damien Lewke: [00:02:27] Mm-hmm [affirmative].
Garrett O’Hara [00:02:28] Um, but in terms of the cybersecurity industry, like what, what's the differences?
Damien Lewke: [00:02:32] That's a great question, Garrett. You know, I'd say from a cyber security and maturity perspective, uh, a lot of the organizations are the same. A lot of the conversations you tend to have are pretty similar at a high level. But what I do find interesting here is that there is a disparate level of maturity where a few organizations are incredibly focused, they've built out a cybersecurity strategy and plan, they're focused on risk management. And then there are a lot of folks who want to get mature, want continue that security journey but just aren't quite sure how to do it. So I say that gap is greater here. Um, but the desire to change the desire to be secure and stay secure is exactly the same.
Garrett O’Hara [00:03:10] Yup. Yeah, I've definitely seen that. And actually talking to some of the Gardener analysts a little while ago and one of the comments, one of those guys made is that actually the US looks at the AST and some of the publications they produce things like, you know, their paper on the [demark 00:03:24] recently.
Damien Lewke: [00:03:24] Mm-hmm [affirmative].
Garrett O’Hara [00:03:25] For them, they're almost seen as the gold standard in terms of like, you know, security practices and protocols or-
Damien Lewke: [00:03:29] Mm-hmm [affirmative].
Garrett O’Hara [00:03:30] ... or effort. So, um, yeah, I definitely, I think there's a lot to be proud of here in Australia.
Damien Lewke: [00:03:33] Mm-hmm [affirmative].
Garrett O’Hara [00:03:34] Um, like one of the things we've talked a lot about, um, given that we have beers occasionally [laughs] and this can't get away from, from the the jobs that we do.
Damien Lewke: [00:03:42] Of course.
Garrett O’Hara [00:03:42] Um, but we kind of joke about, you know, machine learning and artificial intelligence and you know, our gigs, if you mentioned those, certainly when you're talking to people who were looking at buying new platforms or investing in something new, you get raised eyebrows, people that are like, "Oh, really? You're gonna mention the AI, ML thing again?" And but they're, they're really critical. Right? So, um, like what do you see as the kind of important security use cases do?
Damien Lewke: [00:04:06] Yeah, absolutely. Um, and it's, it's a great point. Uh, oftentimes the terms AI and ML are used interchangeably and in fact, I'd like to first say that they're not. Um, obviously machine learning is a, a subset of what we view artificial intelligence to be, or the potential for artificial intelligence to be in cybersecurity. And the key use cases I see with machine learning, it's really all about, uh, separating the wheat from the chaff in terms of the right data that you should be looking at. And then some of the specific use cases are based around, um, baseline understanding malicious behavior.
Garrett O’Hara [00:04:39] Mm-hmm [affirmative].
Damien Lewke: [00:04:40] Again, you see adversaries using OS native tools to bypass traditional security measures. But then also the iteration from if you looked at both, um, endpoint as well as network security, trying to identify similar features without needing to have a huge database of signatures to say whether or not a particular file that's being run or brought into your network is or isn't malicious. So it's all about really just building into finding these classifiers. So what is good or what should be good. And then if you're not sure how severe you'd like to be in preventing something from, from actually coming in.
Garrett O’Hara [00:05:15] Yeah. And you can sort of dial it up, dial it down. Right? But I suppose in a way, we've moved away from a world where signatures will ever be enough. Right? Things change so quickly that, you know, as much as we hate AI, ML as kind of terms and you know the raised eyebrows-
Damien Lewke: [00:05:28] Mm-hmm [affirmative].
Garrett O’Hara [00:05:29] ... there really isn't any other way to deal with the, just the rapid change and the, the huge amount of stuff happening. Right?
Damien Lewke: [00:05:34] Yeah. Oh, absolutely. Um, for that point, I, I read an interesting article last week where, I mean, figures vary from time to time or your source, but it was 925 million new samples of malware were found last year. So if you boil that down to days, that's 375,000 new files, new threats that you need to stay on top of in 24 hours. And-
Garrett O’Hara [00:05:55] That's a lot [laughing].
Damien Lewke: [00:05:57] Exactly. And who has that kind of time? Um, moreover you slip up once, right? Someone doesn't keep that database updated and you know, you just, you only gotta be right once to get in.
Garrett O’Hara [00:06:08] That's the problem. Right?
Damien Lewke: [00:06:09] Mm-hmm [affirmative].
Garrett O’Hara [00:06:10] So on the, on the flip side, like where do you see AI and ML, overhyped because let's be honest, like it does happen.
Damien Lewke: [00:06:16] Mm-hmm [affirmative].
Garrett O’Hara [00:06:16] When do you see that happen?
Damien Lewke: [00:06:18] So, I honestly, I see it in a way that vendors can position their solutions in the sense that they view AI and ML as the be-all-end-all. This is all that matters when it comes to building a security solution. Um, it is a very useful key, but I would always recommend, right, whenever you're looking at security to focus on this idea of both defense and depth. So, making sure your network, your endpoint, your cloud workloads are secure but also breadth. So not relying on AI and ML to be the one thing that stops everything. But also of course, leveraging other tools, skill sets and the right people to, uh, to make sure that you're safe.
Garrett O’Hara [00:06:54] And people like, so that, that is a common theme we hear these days-
Damien Lewke: [00:06:58] Oh, yeah.
Garrett O’Hara [00:06:58] ... and in a bunch of different ways. Um, one of the things we've been talking about recently is the kind of the, the value you can get from integration with other platforms.
Damien Lewke: [00:07:06] Mm-hmm [affirmative].
Garrett O’Hara [00:07:06] So for example, as a platform, we integrate with you guys in Palo Alto.
Damien Lewke: [00:07:09] Mm-hmm [affirmative].
Garrett O’Hara [00:07:10] And, um, like the, the things we're looking to do there is reduce the amount of time that people have to spend doing things.
Damien Lewke: [00:07:16] Mm-hmm [affirmative].
Garrett O’Hara [00:07:16] And one of the big issues on SOC and security operation centers is really the amount of time wasted on false positives and chasing dragons. You know, there's nothing there at the ends or are chasing smoke really. Um, AI, ML helping a lot with that?
Damien Lewke: [00:07:32] Um, absolutely. So actually you pointed out this idea of false positives and I think a really gate, great use case from a SOC perspective is to apply AI and ML to help prioritize alerts based on severity and criticality. So what do I need to look at and what recommended steps based on the data that these engines have been collecting, can I take, as a SOC analyst? Ultimately you will always receive an alert that you have to investigate, but make sure that you investigate it the right way and the right amount of time, uh, to prevent that incident, that alert from becoming an actual breach. Which of course is everyone's worst nightmare when it comes to security.
Garrett O’Hara [00:08:09] And then that's it, where he can't get away from chasing the false positives.
Damien Lewke: [00:08:12] Mm-hmm [affirmative].
Garrett O’Hara [00:08:12] Because if you get a wrong once and it turns out actually it's not a false positive-
Damien Lewke: [00:08:15] Mm-hmm [affirmative].
Garrett O’Hara [00:08:16] ... and yeah, it's game over. Right? And I saw a stats, I can't remember the company that did this survey, but there's a pie chart where they look at the, the, the rate of false positives.
Damien Lewke: [00:08:25] Mm-hmm [affirmative].
Garrett O’Hara [00:08:26] And it's astonishing. Like most of the time it seems like SOC analysts are spending, it's chasing things that actually don't turn out to be anything and they're expensive and it's not, it's not cheap to hire security analysts.
Damien Lewke: [00:08:36] Yeah. I actually think, kind of bringing it back to your original point, where do you think AI and ML are overhyped?
Garrett O’Hara [00:08:41] Mm-hmm [affirmative].
Damien Lewke: [00:08:41] I think by being too reliant on these technologies, you can in fact create a higher likelihood of false positives, right? If you're looking at the wrong data, same issue. So, and it's, it's terrible to see and the terrible to hear, right? Because people are trying to do jobs and the right technology might be in place, but of course it takes a certain nuance to actually tailor it, understand it based on your own environment and the threats that you are seeing.
Garrett O’Hara [00:09:05] You, uh, you're speaking my language.
Damien Lewke: [00:09:07] [laughs].
Garrett O’Hara [00:09:07] I think one of the things that we so often see in this world is the bit where, uh, there's a new approach-
Damien Lewke: [00:09:13] Mm-hmm [affirmative].
Garrett O’Hara [00:09:13] ... something like the Soar technology. Amazing. But people forget the bit where you have to dial it in to a specific environment.
Damien Lewke: [00:09:18] Yes.
Garrett O’Hara [00:09:18] And also be realistic about the time to kind of realize value from that approach.
Damien Lewke: [00:09:23] Mm-hmm [affirmative].
Garrett O’Hara [00:09:24] Um, and it's a huge, huge problem. Um, definitely would see that. Um, so pivot maybe a little bit, but can you run us through what a, a data lake is? Kind of like something you guys do a lot of?
Damien Lewke: [00:09:34] Yeah.
Garrett O’Hara [00:09:35] Or use a lot of?
Damien Lewke: [00:09:35] It's a great question. I think it's important to, I read an interesting article actually, uh, earlier, uh, earlier last week about the difference between a data lake and a data graveyard. So that only basically is a repository, uh, typically hosted in the cloud. So you've got, AWS S3, Microsoft Azure, different, different places, Google Cloud, uh, where you can host this data. But basically it's a repository of both formatted and unformatted data. So metadata, telemetry that you're getting from your different environments and then format it.
And typically what happens is once you have that data, you do something with it and you have a data lake or you do nothing with it and you have a a data graveyard. And one of the important things is once you have this repository of information and actually doing something about it, iterating it, transforming it in ways that benefit you and your organization as well as you can.
Garrett O’Hara [00:10:25] Mm-hmm [affirmative].
Damien Lewke: [00:10:26] Again, back to that point of understanding your environment, normalizing everything. I think the way that you keep that data Lake nice and blue and algae free is to continue to use and reuse and manipulate the data as well as you can. And then of course leverage the right technology to help you do that.
Garrett O’Hara [00:10:41] And, and so with those technologies, what are the kind of benefits you'd see flow out from a well-kept algae free, uh, data lake?
Damien Lewke: [00:10:48] Yeah.
Garrett O’Hara [00:10:49] Maybe with some like parasols on the side of the Lake and some, [inaudible 00:10:53], uh, long island ice teas at the swimmer bar?
Damien Lewke: [00:10:55] Well, [inaudible 00:10:57] that maybe some standup paddle boarding [crosstalk 00:10:58].
Garrett O’Hara [00:10:59] There you go.
Damien Lewke: [00:11:00] Um, so absolutely. I'd say there are a few key technologies you can leverage and ways to keep that current. So the first is to continue to ingest new data. And as you filter through what you view to be, uh, valuable or unvaluable back to this whole idea of separating the wheat from the chaff, continue to refine that data set based on the use cases that you're looking for. Um, so the first thing I would say is not all alerts are bad. Um, you don't want to miss one, but as you start to train whatever analytics engines are in the data lake, so that's typically that the key use case we've seen security is refine that data.
And then also as you collect new and different forms of data based on reordering your environment. So what I see on the network, uh, versus what I see in my cloud, if it's private, public, whatever the environment might be versus the endpoint. Different types of data, different ways of using it. Um, but trying to see both from what you can do as an organization as well as the right vendors. And they're actually a lot of really cool open source projects that are coming out there too-
Garrett O’Hara [00:12:02] Mm-hmm [affirmative].
Damien Lewke: [00:12:02] ... um, to develop the right solutions based on this idea of, again, what use cases benefit your environment best, right? If I work in utilities, um, the threats I'm going to deal with are very different than if I'm in media. There will of course the crossover, but again, it's taking that data and manipulating it as well as you can.
Garrett O’Hara [00:12:19] Yep.
Damien Lewke: [00:12:20] Um, and there is no silver bullet right there or I would never encourage people to choose point products for everything. But of course as you look for what's best suited to your environment and what you're looking at, um, choosing the right vendor, the right technol- technology approach to, uh, to address that.
Garrett O’Hara [00:12:37] And outcomes will be things like correlating threats that come in, in different sort of vectors.
Damien Lewke: [00:12:41] Mm-hmm [affirmative].
Garrett O’Hara [00:12:42] So you could look at something like an, uh, you know, a web security platform versus email versus maybe an endpoint or Yuba type platform where you can.
Damien Lewke: [00:12:49] Absolutely.
Garrett O’Hara [00:12:49] Yep, yep.
Damien Lewke: [00:12:50] So actually one example you could use there is if you have say an air gapped environment. So someone sticks in a USB stick, or a Stuxnet and something starts behavioring, they're behaving very erratically. Um, that's going to be one correlation and analysis technique. Whereas if everything is hosted in the public cloud, you need to be far more concerned about, uh, process, injections and different applications opening up different things at different times. You know, I'm not going to be worried about notebook opening up internet Explorer and downloading file if nothing is talking to the internet, but I am in be very scared if my centrifuge starts spinning faster than it should.
Garrett O’Hara [00:13:23] We probably should be. You got Centrifuge man, you've, you've got, you've got everything. Um, so I mean it kind of leads on, I suppose the idea of tech consolidation.
Damien Lewke: [00:13:32] Mm-hmm [affirmative].
Garrett O’Hara [00:13:32] Um, it's a huge thing. We've been talking about it for probably 18 months, two years-
Damien Lewke: [00:13:36] Yeah.
Garrett O’Hara [00:13:36] ... something that's come up with, uh, with our customers.
Damien Lewke: [00:13:38] Mm-hmm [affirmative].
Garrett O’Hara [00:13:39] Um, what are the trends that you're kind of seeing in terms of tech consolidation at the moment?
Damien Lewke: [00:13:43] Um, absolutely. So it's, it's a great question. Um, and we can talk about it in a few different areas, Gartner, just to find this new, uh, this new market sassy-
Garrett O’Hara [00:13:53] Mm-hmm [affirmative].
Damien Lewke: [00:13:53] ... if you've heard about this.
Garrett O’Hara [00:13:54] I have.
Damien Lewke: [00:13:54] So an interesting idea there, right? It's not just focused on, uh, what a Caspey was or um, different technologies or your, your public cloud. It's now integrating everything. So it's more focused, and in general, I would actually say kind of taking a step back, you look at endpoint security, network security and cloud security. Tech consolidation is happening because customers care about outcomes.
Um, there are shops that of course, combine the best of breed and have a team of 50 men and women who can work all these point products. But quite frankly, especially as you scale, that's very, very difficult to do. And what I see from a tech consolidation perspective is it's just because customers care about outcomes and because the right technology is needed to protect a particular environment, do you need to combine?
So the example I would use coming from my CrowdStrike days would be the idea of EPP. So endpoint protection. So for the longest time, right? For 25 years, it was any virus, right? It was this idea of stop that files. But what has happened in the past two, three years is they've realized that the technology needed to detect and respond. So endpoint detection and response as well as what was EPP. So, endpoint protection have in fact been, excuse me, have in fact been combined to produce what's called an endpoint protection platform. And back to that whole idea of tech consolidation. Platforms are becoming the right way for customers to do this because new capabilities will need to arise as threats become more and more advanced.
Garrett O’Hara [00:15:19] Yup. Yup. And uh, like one of the areas you see that is I suppose Soar technologies for, you're bringing in your feeds from lots of different places and then introducing also, not just the consolidation of, and that is data more than technology I suppose.
Damien Lewke: [00:15:34] Mm-hmm [affirmative].
Garrett O’Hara [00:15:34] But then orchestrating actions or automating things out of those, sort of Soar plays.
Damien Lewke: [00:15:39] Yeah.
Garrett O’Hara [00:15:39] Um, that's, that's huge at the moment.
Damien Lewke: [00:15:41] Mm-hmm [affirmative].
Garrett O’Hara [00:15:41] Like most organizations we're talking to are either doing it already or they've got a plan to do it.
Damien Lewke: [00:15:46] Yeah.
Garrett O’Hara [00:15:46] It almost reminds me of O 365, two years ago, three years ago, you know?
Damien Lewke: [00:15:50] Yeah [laughs].
Garrett O’Hara [00:15:50] Everybody was like, you aren't there, but we actually have it on our roadmap. We're going to... And they would have a date in mind and it tends to be that Soar kind of feels like that at the moment. Um, what do, what do you think the evolution will be in the next 12 to 18 months?
Damien Lewke: [00:16:03] Um, that's a great question and it's funny 'cause I was actually speaking with someone about this last week. So what's great about Soar and Soar Technologies, right? The ideas, you have these playbooks. So of course you're going to tailor whatever steps you need based on a playbook. Much like in sports, if you're familiar with the idea. Certain time of game you're going to orchestrate a certain play. But of course you're going to still need to take some form of action as a human.
So the first iteration I see is vendors who are really leading the space have integrated a way to interact. So to really orchestrate with other analysts. So you're not just afraid that you're pushing the big red button and suddenly you blue screen all your devices. There needs to be an accountability check.
Garrett O’Hara [00:16:40] Yep.
Damien Lewke: [00:16:40] And the next iteration, this is really interesting to me, is lopping off the S from Soar-
Garrett O’Hara [00:16:47] Mm-hmm [affirmative].
Damien Lewke: [00:16:48] ... and having just orchestration and response. So again, this idea of there are security specific use cases, but there are also ways of using orchestration automation and response in other tech stacks. Um, or leveraging lessons learned from security to do something. So I've, I heard a really interesting example of someone who's used a Soar playbook to order pizza, for example. Um, now I'm not saying-
Garrett O’Hara [00:17:12] How does that work?
Damien Lewke: [00:17:13] [laughing] Can we get it? But, it is interesting because you'll start seeing issues related to say organizational security.
Garrett O’Hara [00:17:19] Mm-hmm [affirmative].
Damien Lewke: [00:17:19] So an employee gets terminated and to prevent data leakage, although that is traditionally a HR operation perspective or, or usually that falls into that bucket, integrating that into, "Okay, well now let's look at the DLP ramifications of this." Make sure they're not sending emails to their personal email address with file attachments. So think the next iteration is not building that into just security, but seeing where security can be applied across the organization.
Garrett O’Hara [00:17:46] And I'm just stuck in the whole pizza-
Damien Lewke: [00:17:49] Yeah. No, me too.
Garrett O’Hara [00:17:50] My brain just went up there and haven't come back to the security conversation at all.
Damien Lewke: [00:17:54] That's good.
Garrett O’Hara [00:17:54] Um-
Damien Lewke: [00:17:55] But olive, uh, olives or anchovies. What do you want?
Garrett O’Hara [00:17:57] Uh, definitely not anchovies. Definitely olives.
Damien Lewke: [00:18:00] All right.
Garrett O’Hara [00:18:00] And as much as I can get. Pineapple also, which I know is controversial sometimes.
Damien Lewke: [00:18:04] Oh.
Garrett O’Hara [00:18:04] I like the pineapple.
Damien Lewke: [00:18:05] No, I'm with you there.
Garrett O’Hara [00:18:06] Yeah.
Damien Lewke: [00:18:06] Sweet and salty. It's perfect.
Garrett O’Hara [00:18:08] Yeah. It's the way to go. Um, so yeah, like there's, there's a lot of, of stuff. You guys do oversee, um, SoarTech platforms-
Damien Lewke: [00:18:14] Mm-hmm [affirmative].
Garrett O’Hara [00:18:15] But what are the sort of good use cases or outcomes you've seen in terms of, uh, Palo Alto?
Damien Lewke: [00:18:20] Yeah, absolutely. So we of course, uh, acquired this company Demisto, um, earlier this year. Phenomenal technology and we've really been able to integrate Demisto's platform from an orchestration and response capability into, into our technology stack. So, uh, very helpful, um, but, but really good use cases [inaudible 00:18:40] phishing.
Garrett O’Hara [00:18:41] Yup.
Damien Lewke: [00:18:41] So obviously there are remediation steps that need to happen. So when you get an email, you know, someone does the thing that they showed, they paid attention to their security education. So they forwarded to a phishing inbox and they're like, "Hey, we're kind of, we want to be sure that if this is suspicious that we, we do a proper thing." And what we've been able to see with Demisto and these use cases is actually being able to integrate our sandboxing capabilities, our endpoint protection capabilities to analyze whether or not the attachments are, aren't malicious, uh, using orchestration and automation to rasterize emails to actually take screenshots so you're not clicking any links or making anything dangerous. And then putting all of that data into something that you can manage by the cloud.
Garrett O’Hara [00:19:21] Mm-hmm [affirmative].
Damien Lewke: [00:19:21] So, you can just log in with your, your login and actually see all the data you need to about the event. And then when it gets to that critical point where it's, "Hey, Mr. and Mrs SOC analysts, please take action." They can make that informed decision. So yeah, no really cool use case with a spear phishing.
Garrett O’Hara [00:19:39] Very, very cool. You mentioned last time, we had a beer, this, this idea of big game hunting.
Damien Lewke: [00:19:44] Hmm.
Garrett O’Hara [00:19:46] What is it? Can you run me through it again?
Damien Lewke: [00:19:48] Big game hunting. So, [inaudible 00:19:50] threats exist. Um, we all run into that working in security. But big game hunting is this idea that large organizations, uh, national, state e-crime or hacktivists have instead of deciding to go their own way, a la Fleetwood Mac, um, have decided to come back together and uh, they'll actually work together in tandem with one another. So a really good example that I like to, I like to use, um, just because I've experienced some of this firsthand in my own career, having customers struggle with some of this-
Garrett O’Hara [00:20:19] Mm-hmm [affirmative].
Damien Lewke: [00:20:20] ... is, um, mommy spider. So mommy spider and the emo tat loader. So, basically what they do is it's a, it's a loader as a service and basically they say, "Hey, we've got this technology. Um, we know that you're looking at these folks, hire us as a service and then you can put whatever, whatever type of malware or exploit toolkit you'd like within this loader. So we'll get you in, we'll team up together and reap larger financial rewards." That's, uh, actually for that point, it's interesting what you see is this idea of onesy, twosy ransomware counts of 100 bucks. That's by far going away.
But when you look not just here in Australia, but across the globe, there are more tailored and targeted attacks that we see with these big game hunting ideas about the pounds there are 250, $500,000, a few million dollars. Um, the makers of Dam Crab ransomware actually claimed last month that they've made over $2.6 billion, are therefore considering retirement. Which, um, I mean if I had $2.6 billion I might, too.
Garrett O’Hara [00:21:24] Definitely.
Damien Lewke: [00:21:25] But I wouldn't want to get it that way.
Garrett O’Hara [00:21:27] Yeah, it's interesting. It's sort of a, little bit like, uh, being a pickpocket versus being part of the Oceans 11 crew. Right?
Damien Lewke: [00:21:33] Exactly.
Garrett O’Hara [00:21:33] So you're going to go after the big ones.
Damien Lewke: [00:21:35] Mm-hmm [affirmative].
Garrett O’Hara [00:21:35] Um, so yeah, interesting to see this tech consolidation, but then on the, on the bad side of things, you know, people are getting together to, to do their, to their bad work also. Um, so what keeps you awake at night?
Damien Lewke: [00:21:47] Oh, what keeps me-
Garrett O’Hara [00:21:50] In terms of cybersecurity? Obviously you're partying and having a good time, but [inaudible 00:21:49] cyber security.
Damien Lewke: [00:21:53] Yeah. So, um, what keeps me awake at night? That's a great question. For me, it's two fold. Uh, the first is the fact that back to this point of a data lake and the idea of defense in depth, but breadth is that there are humans on both sides of a cyber attack. Uh, we tend to focus on the victim because oftentimes it's vendors. That's, that's our customer.
Garrett O’Hara [00:22:15] Yep.
Damien Lewke: [00:22:15] And that of course helps revenue, all that, all that jazz. But I think what's, what keeps me awake at night is that they're incredibly sophisticated, driven, smart, not just individuals, but organizations who as they see this technology consolidation as they see these new use cases can in turn, anticipate what they're going to come up against, um, and are highly nuanced and orchestrated. Um, so what keeps me up at night is, is just ensuring that we as an industry stay vigilant and transparent and focused with one another to ensure that we, we remember, although we do, obviously we care about the customer, we also need to be cognizant of who we're up against. Because they are just as motivated or just as driven. And if they weren't successful-
Garrett O’Hara [00:22:59] They wouldn't be doing it.
Damien Lewke: [00:23:00] They wouldn't be doing it. Exactly.
Garrett O’Hara [00:23:02] Yeah. I mean, on that, one of the things I like about it, if it's maybe the thing that makes, helps me go sleep at night-
Damien Lewke: [00:23:07] Mm-hmm [affirmative].
Garrett O’Hara [00:23:08] ... is the collaboration that I see within our industry, which I don't know was even a thing two or three years ago.
Damien Lewke: [00:23:12] Yeah.
Garrett O’Hara [00:23:12] Even longer ago. Um, where you see at a conferences where all the vendors are talking to each other, they all integrate with each other. There's this kind of, not [inaudible 00:23:22] like a bit of a spirit of, "Hey, we're actually in this together." And I think that was either [inaudible 00:23:26] like conference theme one of the years. Um, so where do you get the information that you need to do your job? Like, where do you go to find out what's happening, keep yourself informed?
Damien Lewke: [00:23:37] Absolutely. So a few, so the first is podcasts. I know we've discussed a few, so of course your local leanings and Risky Business is a great one. Uh, I'm a big fan of The Cyber Wire. Uh, so a few of those podcasts, Hacking Humans, if you're interested in social engineering and batch [inaudible 00:23:53], they know there are bad guys on, on the other side too. Um, I'd also say just Google alerts, right? So if you're, if you're interested in a particular industry or that's a focus for you and your customers, uh, just having that come up. So I try to spend between 60 to 90 minutes a day and listening and reading as much as I can. Um, sometimes more, uh, at the, [laughs] at the loss of sleep and therefore, uh, my run cycles don't always get happy. So maybe that's what keeps me awake at night is just trying to stay informed.
Garrett O’Hara [00:24:22] Well, you told me the last time we had a beer that, uh, you had gone home after a pretty big night-
Damien Lewke: [00:24:26] Mm-hmm [affirmative].
Garrett O’Hara [00:24:26] ... and proceeded to watch security videos on YouTube.
Damien Lewke: [00:24:29] [laughs].
Garrett O’Hara [00:24:29] So like that's dedication if I've ever heard it.
Damien Lewke: [00:24:31] That's very true.
Garrett O’Hara [00:24:33] Um, what conferences do you go to and, and like, why do you choose those ones? And, and given that you're fairly new to Australia and might have a US, uh, flavor to this, but either ways.
Damien Lewke: [00:24:43] Yeah, absolutely. So, um, here in Australia specifically, uh, conferences, so EISA big proponent of that. And Gartner. So with Gartner, obviously you have a few different flavors. Uh, the first is of course I, from, from a high level, the IT symposiums are always great. Um, I've been to the ones both here as well as back in the States. I think that's more important from, um, from a high level landscape overview, understanding the new technologies, the new ways that people are going to approach digital transformation and cloud migration and all of these big buzz words that are also very important because a lot of people are having to figure out how to do that and who best to do it. Um, the risk and it summits are great, um, obviously from, from Gartner as well. And then, um, I'm a big believer in, uh, some of the smaller, localized ones.
Garrett O’Hara [00:25:31] Yep.
Damien Lewke: [00:25:31] So there were several that, uh, being from San Francisco I went to in, in the Bay area in particular. Uh, and then partners, back to that. Uh, it's not so much a conference, but whenever technology partners put on events, I think it's, it's good to go because it's back to that idea of we're all in this together.
Garrett O’Hara [00:25:46] Yep.
Damien Lewke: [00:25:46] So having, having perspective into how all of these technologies are working together and the value that provides people is, is really important.
Garrett O’Hara [00:25:57] Awesome. And then last question. So if you had a magic wand or maybe genie-
Damien Lewke: [00:26:01] Mm-hmm [affirmative].
Garrett O’Hara [00:26:01] ... and you could sort of rub the little lampy thing and the genie pops out and gives you one wish, like what is the wish you'd make for cybersecurity?
Damien Lewke: [00:26:10] Transparency. 100% transparency. And I'd say it's transparency in both education and capability. So, the first is educating just the general populace. So, helping people understand security is no longer an IT discussion. It's a business discussion. And there are serious ramifications if you're not secure, not just in business, but at home. Um, my mom, I was on traveling New Zealand in March. My mom got a ransomware enabled macros word document sent to her with a spoof email by my dad because it was US tax season. And she called me being like, "Hey, Damien, this is super weird? I don't mean to interrupt, interrupt you, but can you check this out?"
Garrett O’Hara [00:26:48] Mm-hmm [affirmative].
Damien Lewke: [00:26:48] Um, we were able to do some basic checks 'cause she knew that enabling macros is never a good idea. But if she didn't have a son who works in cyber security who talked about this stuff, um, she might not have done that.
Garrett O’Hara [00:27:01] Yep.
Damien Lewke: [00:27:02] Uh, from the vendor side, I think transparency of capability in the sense that every customer's journey is different. And based on what they're trying to do, the technologies that they need to leverage to be successful may not always be uniform. And I think it's very easy to get into an us versus them conversation instead of remembering, again, let's be transparent with the customer about what they can do, what requirements they have in order to provide them with the right solution. I know that's very altruistic, but, uh, at the end of the day, [crosstalk 00:27:28] I think it's important.
Garrett O’Hara [00:27:29] Yep.
Damien Lewke: [00:27:29] Keep people educated and keep yourself honest.
Garrett O’Hara [00:27:33] So, for what it's worth, it's probably the theme that I've seen when I asked that type of question.
Damien Lewke: [00:27:36] Mm-hmm [affirmative].
Garrett O’Hara [00:27:38] Every single time nearly comes back to some version of an altruistic view of the world.
Damien Lewke: [00:27:41] Mm-hmm [affirmative].
Garrett O’Hara [00:27:43] And most people have talked about protecting grandmothers and you know, it's always the people, um, I suppose why we, why we do this thing.
Damien Lewke: [00:27:48] Yeah.
Garrett O’Hara [00:27:49] Um, we've pretty much run out of time. So I just wanted to thank you again for taking the time to, to come and talk today.
Damien Lewke: [00:27:54] Mm-hmm [affirmative].
Garrett O’Hara [00:27:55] Um, really loved the, uh, the insights and uh, given your kind of broad experience, um, think really valuable, hopefully for the audience as well. So thank you for, uh, joining us today, um, Damien Lewke from Palo Alto.
Damien Lewke: [00:28:05] Well thank you very much, Garret. It was my pleasure.
Garrett O’Hara [00:28:09] And there you go. Damien Lewke from Palo Alto talking us through lots of different things. But the thing that I think will stick out of my mind is the Soar playbook to order pizza. Folks, thank you so much for listening. Hope you enjoyed that interview and I look forward to catching you on the next episode of the Get Cyber Resilient Podcast.