
Bridging the Skills Gap: Effective Cybersecurity Leadership and Collaboration with Bill Anderson - Part I


Podcast

About This Episode

In this episode, hosted by Jonathan Knepher and Rachael Lyon, we delve into the intricate world of cybersecurity with Dr. Bill Anderson, the Principal Product Manager at Mattermost. With a focus on AI, quantum cryptography, and secure communications, Bill brings a wealth of experience from his time in the defense and intelligence communities. Throughout the discussion, the team explores the unique challenges faced by defense, intelligence, security, and critical infrastructure organizations in defining cyber resilience. 


They compare this with the approaches taken by commercial organizations, providing valuable insights into the importance of leadership, training, and collaboration in building a robust cybersecurity strategy. As they navigate issues like information overload, skills gaps, and the need for adaptive incident response, listeners will gain a deeper understanding of the complex landscape of cybersecurity today. 


      Rachael Lyon:
      Welcome to To the Point cybersecurity podcast. Each week, join Jonathan Knepher and Rachael Lyon to explore the latest in global cybersecurity news, trending topics, and cyber industry initiatives impacting businesses, governments, and our way of life. Now let's get to the point. Hello, everyone. Welcome to this week's episode of To the Point podcast. I'm Rachael Lyon here with my cohost, John Knepher. John, hi.

      Jonathan Knepher:
      Hi, Rachel. How are you doing?

      Rachael Lyon:
      I'm doing well. I'm doing well. You know, I love to watch TV. I love streaming services. And I was dying to ask you, particularly for today's conversation, it's a little prescient. Have you been watching the Apple TV show Prime Target at all?

      Jonathan Knepher:
      I have not, but you'll have to tell me all about it.

      Rachael Lyon:
      Okay. I will. And, you know, the premise and I think today's, guest will have a lot lot of thoughts on this and its validity, but it's a mathematician, you know, getting his PhD in Cambridge or something like that, and he's close to cracking the code on on primes and the implications of that are stirring international conspiracy. People are out to get him because he's gonna crack the code on primes and what that means for encryption. It's very, very dramatic. I don't know if it's true at all, but it made me really wanna learn more about prime numbers. So with that, we'll go ahead and and jump into introducing today's guest. I am so excited to welcome doctor Bill Anderson.

      Rachael Lyon:
      He is principal product manager at Mattermost, where he drives innovation across sectors, including AI, quantum cryptography, and secure communications. He's also the founder of Oculus Labs and has deep experience in the defense and intelligence communities. Welcome, Bill.

      Bill Anderson:
      Thank you. Thanks for having me. It's great to be here.


      [01:59] Cyber Resilience: A Common Dilemma with Unique Challenges

      Rachael Lyon:
      So let's kick off with a fun, fun question here. Looking at, you know, DISC, right, defense intelligence security and critical infrastructure organizations, how are they defining cyber resilience today? And and is this significantly different than the approach commercial organizations are taking?

      Bill Anderson:
      It's not too different, but what you know, the the the focus is on national security critical infrastructure for those DISC organizations. So their their main difference would be that they have to think about a very, very highly capable adversary, a nation state that might be trying to subvert, you know, our electricity supply or break into classified networks to steal things for various reasons. And it's not that commercial doesn't have that problem too. Some elements of commercial do. If you're if you're a bank, which we actually consider critical infrastructure, by the way, but, you know, if you're a bank, of course, very, very dedicated people are willing to spend almost unlimited amounts of money in order to drain unlimited amounts of money from the bank. So it there there's a there's a cost reward sort of, equation there. But in the government space, you know, defense intelligence in particular, there's a lot of benefit to adversaries in in executing these same kind of attacks. And they're infinitely valuable depending on how on how you set your your metrics.

      Bill Anderson:
      And so, when we're designing systems and defense and response for them, we have to think it's possible that there will be no holds barred in going after this information. And so we have to get creative, which, by the way, unfortunately, isn't always the case in the approach that our governments take. But we should be thinking the worst and planning for the worst. The downside, I've been in this space a long time. They don't always do that. And we've actually seen the result of of some of those failures of imagination, of bureaucracy, of the horrible slow acquisitions process, of waste, of inefficiency, of laziness, we see it. And and, unfortunately, I as I said, I hope that didn't sound too negative, but I've I've also been selling technology to government for, like, twenty years. So, you know, I've got a few scars.

      Bill Anderson:
      So but the, you know, the approaches, the things that they do, the technologies that they buy are actually largely the same. If it's good to protect, you know, Bank of America, it's probably good to protect, Department of State. And and so there's a lot of commonality in security vendors, selling the similar technologies. The way it then gets applied, is the same. The way that it's maintained is a little different. And there's a lot more scrutiny in in management not that they don't again, not that they don't do it in industry, but there's just more of it. The the other thing that's maybe a little bit different is around collaboration. So, in the commercial space, there are these, groups called ISACs, ISACs, information sharing something.

      Bill Anderson:
      I don't know what it stands for. So there'll be a, you know, a health ISAC, a financial industry ISAC. There's probably a dozen of them or so. And and those are really great organizations in that they collaborate with each other. So they'll set up an org that everyone can trust even though, let's say, a 20 banks who might be competitors wouldn't Right. Share other information. They will share patterns of behavior that they're seeing. And that goes up to the sort of central group, and the group says, hey.

      Bill Anderson:
      We're seeing this kind of attack, this kind of threat on these Midwestern regional banks. Probably all the other regional banks need to know about this because it's going to follow and and go see them. Government can't do that as much. There there is some information sharing among close allies, but, there isn't as did you just this unfortunately, the way that the international game is played, allies who are not super close allies might also be the ones who are attacking us, for their own reasons. So there's a little bit of competitive pressure there to say, yeah, we maybe we won't tell everyone we're experiencing this right now because by telling them, and, unfortunately, I I I worked closely with folks in the intelligence agents or industry for a while. I, you learn that your questions actually reveal a lot about your situation and and your knowledge, and so you really you really don't wanna reveal what's going on. So that's one of the big differences. You know, if your department of state or the DOD, you'll talk to the experts.

      Bill Anderson:
      You in fact, you are often the experts. You know, the NSA and Cyber Command is very much the most expert organization around in this sort of thing. So I'm sure that they get advice from them, but they don't go call up, the French government. Yeah. You're saying I'm not picking on the French. But you will call the French government and say, we're noticing this attack on our servers. The French go, great. It's working.

      Bill Anderson:
      So there there's a difference.


      [07:21] Building a Culture of Cyber Resilience

      Jonathan Knepher:
      So what about for for, like, our listeners? What what can they do to create kind of a culture, about cyber resilience and so on within their organizations?

      Bill Anderson:
      Yeah. And and this my advice here goes I'm I'm probably not giving advice to everyone who needs it. I mean, so a lot of folks know this, but it really does start at the top. If you're a you know, private organization, but a government as well, the leadership has to have enough awareness and stake and sort of authenticity in prioritizing cyber defenses. And what that means is is more than just saying we have a mission to be blah blah blah, the most secure, you know, government agency on the planet. By the way, they do say that. It's nonsense if they don't follow through Yeah. With listening to what the experts are telling them.

      Bill Anderson:
      And so when the experts say things like, the firewall that our acquisitions program allowed us to buy five years ago isn't enough anymore. You don't say, well, we'll start planning, to to do something better. And that's by the way, those are five year plans. Well, attackers move at the speed of days and weeks. So the the acquisitions process is so broken for solving these problems. It's lit it's laughable. It's actually laughable that by the time someone's actually able to get a solution in place, it's probably two years old at best. Well, those they're already breached.

      Bill Anderson:
      They're already breached or what's worse, there's already ways around them. So this is not like as an attacker myself, I don't go and try to, break the latest encryption algorithm. Right. It's usually pretty good if at least if it's been open sourced and analyzed in public. What I do is I look for the things you didn't think about, and I go in the open window on the side of your house. Right. So, you know, cryptography is often the excellent lock that can't be picked. And yet you've left the window open because you didn't think to do, you know, background checks on the cleaners, who are emptying the garbage bins, by the way, by the way, a lot of the garbage, a lot of the, the government space actually does think about that.

      Bill Anderson:
      That's not an, that's not an. They really do think about stuff like that, But you have to so so from the top down, listen to the experts. The experts say things like, you know, we need we're, you know, we're experiencing this kind of threat right now. Our own employees are being fooled and then subsequently impersonated by a fairly sophisticated, large language model attack or an AI or a machine learning enabled pattern is finding its way in through our authentication systems. Like, okay. You don't then call up the acquisitions people and ask them to figure it out because it will take them five years before they buy it. You you have to say, I understand my threat model. I am seeing risks to our systems.

      Bill Anderson:
      I'm going to fix them right now. So, so that takes leadership. The second thing is training. So, the DOD, for example, is staffed primarily by 18- to 25-year-olds. So they don't come in with a lot of experience in making these systems secure. Right? They have to learn that on the job. So you have to train them, and you have to think about turnover as well. And and this actually applies in the rest of the industry, too.

      Bill Anderson:
      You just have to think about turnover. You hire in a new person at, you know, a 20,000 a year to do an important security analyst job. That's great. They probably don't know how to secure your systems yet, so you have to train them. And, unfortunately, they might get hired by Amazon for 150 ks in six months, and then they're gone. You gotta train somebody new. So design the systems to do sort of continuous training and build the training into your systems. And and and then the third thing I'll say is, that cyber resilience, cyber response, security in general is a team sport.

      Bill Anderson:
      You're bringing together many different sources of information. So there's a whole bunch of great, like, platforms, XDR tools, security analysis capabilities that'll say, this is what we see. We're seeing these kinds of anomalies. We're seeing this kind of trace. We're getting information from an ISAC or whatever. It feeds into the system. Right. What's the system? Where do your people actually go to do their work? And and so they need a platform to go and work in.

      Bill Anderson:
      How do I, let's say we're our, you know, we're we're at a manufacturing, you know, major manufacturing site and, our alarms start going off and it appears that the process management, technology that's running our factory or plant, is is is gone awry. We're under an attack. But we it's we're in a cloud. We don't know exactly what's happening. We have to figure it out, and we're not even all there physically in the same place. A lot of us work remotely these days, or at least we're not in the office at 2AM when this thing happens. Mhmm. Where do your people go? Well, they go to a secure, collaborative workflow platform where they can talk to each other, and then they can integrate those data sources, and they can run a structured workflow to say, oh, we've got a procedure for this.

      Bill Anderson:
      And the 18 year old who you hired last week, who doesn't know anything yet, who happens to be the one on deck says, ah, I need to run the manufacturing plate, flight, sort of IT system is doing this. What do I do? Click the big green button, start the play, start a channel to talk to people, invite folks into the channel, notify people who need to know, grab the artifacts from your analysis tools, create an audible record of the things that you've done, and just follow through as you deal with the incident. So, you know, as I said, leadership, training, and then a tool to actually bring your people together to make it work.

      Rachael Lyon:
      You know, you can't in the world of security today and and kind of protecting the crown jewels, right, in in communications, right, I mean, data's secure. You can't escape it right now. And and so it it's it's it's a really curious time with the exponential creation of data. How do you secure it? But, also, how do you balance that with effective incident response?


      [13:59] Handling Information Overload and the Skills Gap

      Bill Anderson:
      Yeah. I would say it's not really a balance, because it's not an either or. It's it's not that we are gonna, you know, only respond. That would be bad. Right? That's not efficient. Because then the we know our our files are wide open, and we'll spend all day. No. We have to actually secure it as well.

      Bill Anderson:
      So you kinda have to do both. But but when I advise on a situation, I would always start off with, yes. The the sky is falling. Your hair is on fire, and your staff are running around, you know, screaming. Okay. Understand. By the way, it'll be that way next week too. Let us think about first, though and this is if I'm not trying to sell a security product.

      Bill Anderson:
      So I don't have my vendor hat on. I have my advisor hat on. Do you really understand your threats? What is your threat model? What is a reasonable threat model for your organization? Because you don't have unlimited budget to buy all the tools. Even if you did, you'd need to buy or hire a ton of people to operate them. So start off with deciding how high up you need to get in terms of security before you start buying tools. Tools are not the answer. Right? An understanding of the things that you're likely to have to protect against is the is the start. So and, again, another good example.

      Bill Anderson:
      Let's say you're a, you know, a consumer, consumer entertainment platform manufacturer, do you need to worry about a nation state attack, hacking your systems? Probably not. Maybe. Maybe if you're Apple, you do. Actually, I'm sure Apple's got really excellent security. But if you're some smaller vendor, does not have sort of global importance, by the way, Apple does. So they they have to be really, really good at this stuff. But if you're someone else, you say, alright. Yeah.

      Bill Anderson:
      We're not worried about North Korea, you you know, breaking into our systems. You know, we're so we don't need to air gap everything and do a background check on our employees three times a year. We don't need to do that. We do need to do this, though. Right? So we have compliance requirements. We have reporting requirements. We have, you know, HIPAA and various other you know, we have personal information. We have customer information.

      Bill Anderson:
      We might have to, comply with GDPR if we've got customers in Europe. So you do have to get up to that standard. But before you just go shelling out money, is Right. Understand what you need to do until you design the security to do that. And then when it comes to developing your incident response, you tune that to the threat model. No sense sitting there looking for an army coming over the hill if you're never, you know, if you've or no sense designing a navy if you're landlocked. Right? You're you're just never gonna see that threat. And then you have to also make that incident response program adaptive because what'll happen is eventually it'll tell you what your threats are.

      Bill Anderson:
      You'll you'll be able to go back, look, and say what's happened to us over the last six months. And probably some really interesting things will pop out, like, oh, we didn't realize that. We're actually getting attacked in a way that we didn't expect. And then that should inform your budgeting for what your security tools look like. So, a good example, would be we, we decided to let our employees, use their own BYOD laptops. And that would probably not a great idea if you just get a security. Right? And and then it turned out that since the laptops were crossing the corporate boundary because we gave them all a VPN so they could get in and do certain things, it sure turned out we didn't have a perimeter anymore. It also turned out that our own networks got used for, file sharing.

      Bill Anderson:
      Right? Because our our employees left their file sharing applications on, and all of a sudden, right, we've got some problems. So so you would learn from analyzing what the what the threats actually look look like. You buy integrated security systems, so XDR, extended detection and response platforms, by that first and foremost, by the collaboration platform, the integrated one that has your people working together and and, you know, I'm dealing with this issue. What are you doing? I'm seeing this pattern. Great. Can you give me the artifacts? Great. We've seen this before. Let's look at the archives.

      Bill Anderson:
      Oh, we've seen this last week. We're we've got an active response dealing like, so putting all those tools together, and and realizing that while you can do automated response and sort of continuous risk assessment, it's it's very much requiring a human in the loop on that. Because, you know, machine learning and AI tools are great for identifying things. They're not great for really, prioritizing them in context. They should be, and and I think eventually they will be. But they'll also send off a huge number of false positives. So your humans have to get involved and say, yeah. That's, you know, okay.

      Bill Anderson:
      Our vending machines are getting hacked, but we don't care about our vending machines.

      Jonathan Knepher:
      Right.

      Bill Anderson:
      They're still working for us. So, but if if instead it's your, you know, it's it's your, you know, CFO's personal laptop or work laptop that's that's always under attack, that's a different matter.

      Jonathan Knepher:
      So so I come back to thinking about, like, your point here of how, you know, the bad guys can basically have infinite resources and and and your comments too about how you have to balance that. What what do you think though are the main things that are holding organizations back on appropriately defending themselves?

      Bill Anderson:
      Yeah. I think that sometimes it's information overload. It's a very complex environment. There's a lot going on. We're maybe getting a lot of false positives out of the tools that we do have. And it can sort of become overwhelming and that your security team, if if you have one, hopefully you even have one, but your security team is so busy putting out fires that they can't look at the big picture. And I, as a security practitioner, sort of feel for this problem because I've also run a company before. And unfortunately, you do have to think about the budget, and good security people are expensive, for a reason.

      Bill Anderson:
      So, you know, and and just as advice to those organizations that can't afford a full time 200 k a year security expert, yeah, you're going to need to outsource to an MSSP, and that's probably really good use of funds. So you're you're getting basically a fractional expert. In fact, what's even better is you're getting 20 fractional experts who know all the things that you don't have time, to figure out. So, yeah, so it's that sort of information overload. The second one I mentioned before is the skills gap. Even if you did have a full time cybersecurity professional, maybe they're expert in Windows systems, but they're not expert in mobile devices or they're not expert in Macs or they're not expert in servers or they're not expert in networks. Right? Like, right there, there's five different subject areas that you can't be expert on them all. So there's that skills gap.

      Bill Anderson:
      Training again, support for the folks who are doing the work. Is it it it helps. It's necessary, but it probably if if you're and I've worked for, you know, small private equity owned companies. Yeah. We never had enough money. Yeah. Right? Yeah. To to solve these problems.

      Bill Anderson:
      And then the money had to go back to pay for the debt that the private equity guys had taken to buy the business. Right? So, so do the do the best you can and don't get hacked. That was kinda right. Here's your budget. Good luck. We'll we'll see you next quarter when it's time to send.

      Rachael Lyon:
      That's fantastic. So you're saying hope is the strategy then? Yeah.

      Jonathan Knepher:
      Is that balanced balanced hope?

      Bill Anderson:
      I have another I have another approach. I have another approach if if it was up to me. Yes.

      Rachael Lyon:
      And I hate to do this, you guys, but we've come to the end of today's episode. Please come back next week as we pick up part two of our conversation with Bill Anderson. And until next time, stay safe.