Cyber Resilience: Making it a Reality
In today’s dynamic threat landscape, cyber resilience is no longer an abstract concept but a strategic goal for enterprises. A robust cyber resilience framework is essential to protect your organization from ever-evolving cyber threats. The challenge lies in translating theory into practice: making resilience tangible and measurable.
In this session, Cohesity’s Dale “Dr. Z” Zabriskie shares invaluable insights and practical strategies to move your organization beyond theoretical discussions and to implement actionable cyber resilience measures. Key Takeaways:
- How to make cyber resilience tangible and measurable
- Practical tips on how to implement the right policies, processes and controls
- Why the human layer is one of your most important lines of defense
Transcript
Will Townsend:
So we’re in day three of the Six Five Summit, and I have the pleasure of speaking with Cohesity. The company’s been around for over a decade, and it’s focused on data, cyber and business resiliency. And joining me is Dr. Z. Dr. Z, you’re the Americas Field CISO for the company.
Dr. Z:
That’s great.
Will Townsend:
Great. So Dr. Z, how are things going?
Dr. Z:
Things are going really well. I’m having an enjoyable but enlightening time, traveling around talking with customers and seeing how they’re trying to respond to the threats and the challenges out there. It seems like it’s never been so overwhelming for a lot of organizations. The fear of ransomware is still out there, and a lot of organizations are taking steps, very serious steps within their groups to ensure that they’re ready to respond accordingly.
Will Townsend:
Well, that’s a great segue into our first topic, and I want to talk about cyber resilience and how do you make it tangible for organizations as well as measurable? Well, I’ll tell you what, data protection couldn’t be more important with the rise of generative AI concerns around data leakage, the data that’s used to train these large language models. And that really leads me to my first question, and it’s like, how do you make cyber resilience tangible and measurable in today’s new age?
Dr. Z:
Yeah. The conversations that I’m having with customers and groups is helping them understand that, “Okay, you’ve got the idea of replication, a functional A to B, I can do that. I can prove that. You have the function of my backups are good, my checksum looks good.” But then on top of that, we start talking about things like disaster recovery, which brings more people and process and things in play, to the point now with attacks like ransomware with the concerns around AI and such, the business has to think of it as, “How can I respond to different events?”
We have a lot of attacks. Last year, ransomware was over a billion dollars paid. The statistics continue to show how rampant that is, but it could be a natural disaster. It could be the well-meaning stupid person. It could be anything that brings a system down that affects the IT organization of keeping the revenue-generating clock running.
Will Townsend:
Sure.
Dr. Z:
Right. That’s their job. That’s their one job. And so the idea of replication has to expand to the idea of keeping that business running. And that is when we pull in not just the infrastructure team, but the security team, the legal team, the finance team, the HR team.
Will Townsend:
These are all critical stakeholders when it comes to the notion of data protection.
Dr. Z:
Exactly. And so what I ask customers a lot is, “Can you define a minimal viable company? So if you were totally down, what would you bring up first? What data does that include? What systems does that include? What people need to be part of that process?” To help the technology folks realize they have to get out of their blinders and what they do, and understand the impacts of what the business needs to continue to operate.
Will Townsend:
I mean, it’s truly a team sport. You have to have all these stakeholders involved because if you only involve one or two, I think you’re going to miss what’s required. And the attack surface just continues to grow, when you look at what’s happening in OT environments that have traditionally been unconnected. Now IoT is coming in to drive manufacturing automation and that sort of thing, as we’re seeing a lot of reshoring of manufacturing, and it presents a really unique challenge for organizations. And so I’d love to get your thoughts on what are some practical tips to implement so that you focus on the right policies, processes, controls, and procedures.
Dr. Z:
Historically, the security team has written a policy and basically thrown it over the fence and said to infrastructure or whatever, “Here’s what you have to comply with.”
Will Townsend:
Deal with it.
Dr. Z:
Right, exactly. They become the department of, “No, and here’s what you have to do, and don’t bug me about it. Just make it happen.” And that’s the barrier that has to break down so that those plans, those discussions have to be very comprehensive for the organization to understand these are the threats, these are the things, these are the risks that we’re looking at that we need to be aware of and take into consideration, should this occur, how are we going to make this happen?
So when an event occurs, and again, it could be anything but especially an attack of some kind, the first thing that breaks down is communication, often because a crisis plan that you’ve written and you’ve planned and you’ve tested sits on a SharePoint server that you now can’t get to, and you don’t have… “So what was Bob’s phone number?” And the out-of-band type of communication process needs to be somewhere on a piece of paper that somebody-
Will Townsend:
Well, I was just going to say, I mean, do you need to print it off?
Dr. Z:
I mean, yeah, absolutely. I mean, we do need to think about that.
Will Townsend:
Sure.
Dr. Z:
So the first step is making sure that you can communicate out-of-band with whomever you need to. And it might include law enforcement, it might include legal or partners. It depends on your business model. It might include your franchisees. It depends on how you’re doing business. And so those are the first things to look at: number one, can we communicate? And, as I mentioned, the minimal viable company. Everyone has to-
Will Townsend:
I like that. Minimal viable product. Minimal viable company.
Dr. Z:
Exactly. And everybody has to agree on that because when a crisis happens it’s really hard to get consensus.
Will Townsend:
And everyone’s frantic and covering their butts.
Dr. Z:
The CISO gets thrown under the bus.
Will Townsend:
Which is unfortunate, but that usually is what happens.
Dr. Z:
It is, unfortunately, it’s true. And so really bringing people together and saying, “What are we going to do?” We get so tired of hearing, “It’s not if, but when.” Sure. Attacked. Right? But we say it for a reason. Clichés got to be clichés for a reason.
Will Townsend:
Sure.
Dr. Z:
And so you have to stop thinking about stopping everything. As a security professional, you can’t do that, number one. So what is the most important thing for you to protect? And then you have to understand how we can recover, what is respond and recover all about? That has got to be the focus for organizations.
One of the things I’m spending a lot of time with this first half of the year is going into organizations and running a ransomware resilience workshop where we put them through a scenario and we bring people in and we say, “Okay, you’re the CEO, you’re the CIO. You’re the head of HR or PR,” or whatever. We give them a promotion for a short period of time, and we say, “Okay, you’ve been attacked,” and it’s a very immersive experience, and the hacker talks to you and you have to respond. And it’s like choose your own adventure type thing. And based on your responses, certain things happen. And what people learn early on is they become very impotent. They become without ability to do much or negotiate or control. And that really opens their eyes. And then the second thing that, and probably the biggest thing that they come away with is they say, “You know what? When we are talking about this in our groups, we do not have all the people in the room. We need to broaden out that discussion.”
Will Townsend:
Include all those stakeholders like we were speaking to before.
Dr. Z:
Exactly. Yeah. But that’s hard to do because we get so tech-minded about my process.
Will Townsend:
That it’s the responsibility of NetOps or SecOps, and you’re not thinking about HR and legal and all the rest of it.
Dr. Z:
And that’s what we’re trying to do, is to give visibility. And AI is just a component of that, visibility into your data, both production and secondary data so that you know exactly what’s in your data. Do you have malware floating around somewhere? Have you been backing that malware up for the last X number of days? What’s your hygiene?
Will Townsend:
What’s your security hygiene, basically?
Dr. Z:
Yeah, exactly.
Will Townsend:
Okay.
Dr. Z:
But organizations need that type of visibility because IBM puts out a really good report, the Cost of a Data Breach report. Last year, they said the average time that malware is present, the average time to determine that there’s been an incident is the way they put it, is 240 days.
Will Townsend:
Wow. That’s way too long.
Dr. Z:
It is. It’s way too long. And then you’ve got another three or four months of recovery after that. So you can spend the better part of a year dealing with an incident. And when you look at it from a data perspective, you’ve got malware, you’ve got anomalies, you’ve got things floating around in the air that you have backed up multiple times. So we’re all about saying, “Look, here it is. We find it for you. We give you the ability to remediate, to work in concert with all of the security technologies that you have in place.” You have a very strong set of APIs that allow organizations to do that. So that in and of itself is helping to break down those barriers between the IT and the infrastructure and the security teams big time.
Will Townsend:
So we’ve really been talking about the human element, and you mentioned stupid people, and when you look at ransomware and you look at how that propagates, a lot of times it’s socially engineered. So I’m just wondering from your perspective, you’ve mentioned a few things on what Cohesity does to sort of empower the human element to be more defensive. But are there some other considerations that organizations should be thinking about when focusing on the human element of this equation?
Dr. Z:
I’ll ask, organizations will say, “How many individuals in your group have high level admin access to your systems? Whether it’s an authentication system or it’s the cloud resource? How many?” And I don’t even let them answer. I give them the answer. The answer is too. Too many.
Will Townsend:
Too many.
Dr. Z:
Because it evolves. Our organization’s evolved where somebody says, “Hey, we need to run this new project, and so I need his access to Okta or whatever.” “Oh, okay. Okay, that’s fine.” And then we forget about the fact that Bob just got that access. And so that really needs a hard look to say, “What’s the role and does that really require that kind of access?” So we become lax often in our management of access to tools, and that starts to just spread the attack surface.
Will Townsend:
Well, what I also see too in organizations are orphaned applications and orphan systems that are allowed to remain, be dormant, and then they become weaponized because a bad actor finds a way to get in and infiltrate that. So what can organizations do? I mean, to have that level of visibility, oftentimes it’s very, very difficult, especially a large enterprise that has hundreds of SaaS applications and systems, and some of it is legacy, some of it is modern. I mean, any recommendations on how organizations can manage that infrastructure?
Dr. Z:
So it comes back to blocking and tackling. We talk about this all the time. What’s the default password? Change it from admin or password. We still see that.
Will Townsend:
It’s not 1, 2, 3, 4,
Dr. Z:
Not, 1, 2, 3, 4. It’s like, my son came up with HotPantsMovieBuffet. I thought that was a great password.
Will Townsend:
Number one, you won’t forget. Very creative.
Dr. Z:
And nobody can guess it and you’ll never forget it. So to change that type of stuff, there has to be a continuous auditing process in that world to understand, have we done those basic hardening processes? Passwords: organizations are working to go passwordless.
Will Townsend:
And a lot of companies, like you’ve got Cisco with Duo.
Dr. Z:
Yeah, Cisco’s a good example.
Will Townsend:
That’s sort of the direction that a lot of infrastructure companies.
Dr. Z:
And so that now puts another layer of security in there, so we don’t have that human element so much. Capital One just went through this, and I listened to them at the Executive Security Action Forum this week, kind of outline their experience of doing it. It was really fascinating, and they had a lot of humans that were getting up in arms and everything. But when people understand the ramifications of their actions, and I’m not saying that they’re trying to be bad, it’s just that we’re kind of lazy, right? We’re all lazy. We just kind of want-
Will Townsend:
We get in line at times, we get desensitized to everything.
Dr. Z:
But you look at the last year’s Caesars and MGM.
Will Townsend:
Oh my goodness.
Dr. Z:
You mentioned the social thing. I think the term ransomware, we could even argue, is a misnomer, because often there’s no ware, there’s no malware, there’s no software. Case in point is MGM, right? Someone impersonated an individual, which gave them high-level Okta access, and then that gives them high-level Azure access. So basically, if you’re a gamer, they were in God mode running around MGM’s infrastructure.
Will Townsend:
Moving laterally, disabling keys to rooms, shutting down the casino. I mean, think about just the opportunity cost to MGM, potentially the patronage they’re going to lose over time. Because I saw some of those pictures. I mean, there were hundreds of people in line that couldn’t even get into their room, couldn’t get on the elevator. It was madness.
Dr. Z:
And it just totally goes against our normal expectations of things. The impact is so far beyond what we think of is that, “Well, I can’t log in somewhere.” So we have to be diligent in things like how do we manage passwords? The multi-factor authentication, the role-based access control. These are the basic building blocks that organizations need to apply and will also apply in the AI space, in the use of AI. If people are scared to death to open it up to everybody, well then let’s take a pragmatic approach to it. Let’s apply the rules that we use around access to other tools, to the use of AI, and that will help reduce that threat surface as well.
Will Townsend:
I agree. And you mentioned MFA. One of the statistics that I’ve read is that 30% of organizations don’t even employ multi-factor authentication, which is frightening. I mean, that should be the first thing that an organization considers.
Dr. Z:
We did a ransomware workshop, and they publicly stated a number of months ago that their networks see 45 billion hits a day, and they’re on record of saying that. And it’s just like, “Yeah. So how do you do that?” One of the guys in the room, when we went through this exercise, you could just see kind of the light coming on, and he literally said, he raised his hand and made a comment, “I get it now, I get it,” to understand why we put these controls in place. Because even as a security professional who has a pretty good high level of responsibility at that organization, he was like, “I got to do this again. Got the MFA and blah, blah,” the fatigue.
Will Townsend:
It’s the friction.
Dr. Z:
And he just like, “I’m not going to complain anymore.” No, unfortunately, they didn’t have to go through a real exercise for him to…
Will Townsend:
They went through your workshop. Yeah. Well, Dr. Z, thank you for sitting down with Six Five Media. It’s been a really, really insightful conversation, and I just want to let our viewers know, continue to tune in. We’ve got a lot of great content this week. And if you like this video, please hit the button and subscribe. But thanks again, Dr. Z.
Dr. Z:
My pleasure. Thank you.