This Week in Enterprise Tech Episode 569 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
0:00:00 - Lou Maresca
On This Week in Enterprise Tech, Mr Brian Chee and Mr Curt Franklin join me back on the show today, and today we're going to talk about cybersecurity skills gaps. How are organizations actually bridging this divide amidst a rapidly evolving threat landscape? We'll get into that. Plus, get ready for an exclusive segment with Mike Starr. He's CEO and founder of trackd and also a former NSA engineer. He will shed some light on the often conflicting realms of operational efficiency and cybersecurity. You definitely shouldn't miss it. TWiET on the set. Podcasts you love, from people you trust. This is TWiT.
T-W-I-E-T. This is TWiET, This Week in Enterprise Tech, episode 569, recorded November 10th 2023: Are your patches tracked? This episode of This Week in Enterprise Tech is brought to you by ITProTV, now ACI Learning. ACI's new solution, Insights, assists in identifying and fixing skill gaps in your IT teams. Visit go.acilearning.com/twit.
TWiT listeners can receive up to 65% off an ITPro Enterprise solution plan after completing their form. Based on your team's size, you'll receive a properly quoted discount, tailored to your needs. And by Palo Alto Networks. Their Zero Trust for OT Security solution can help your business achieve 351% ROI over five years. To learn more, find the link in the show description or visit paloaltonetworks.com. And by Thinkst Canary. Canarytokens are a quick, painless way to help defenders discover they've been breached by having attackers announce themselves. For 10% off and a 60-day money-back guarantee, go to canary.tools/twit and enter the code TWIT in the "how did you hear about us" box.
Welcome to TWiET, This Week in Enterprise Tech, the show that is dedicated to you, the enterprise professional, the IT pro and that geek who just wants to know how this world is connected. I'm your host, Lou Maresca, your guide through the big world of the enterprise. Okay, guys, I'm going to bring in the professionals and the experts, our very own Mr Curtis Franklin, principal analyst at Omdia and the man who always has the pulse of the enterprise. Curtis, it's always great to have you back. What's been going on for you this week?
0:02:24 - Curt Franklin
Oh, we are in the middle of writing a bunch of stuff. I've got lots of end-of-year reports coming due, big data assets, the analysis of those assets, talking about a few companies, just more analysis than you can shake a stick at. And it's a good thing, because we do have the end of the year roaring down upon us. Lots of good stuff. And I tell you what it's looking like: 2024 is going to be every bit the exciting ride that 2023 has been.
0:02:58 - Lou Maresca
That it will be. Great to have you back, Curtis. We also have to welcome back our network expert and all-around tech, Mr Brian "Cheebert" Chee. I hear that you have survived Maker Faire.
0:03:10 - Brian Chee
I have, just barely. I do want to have a tech tip for our viewers. Don't forget, just because Wi-Fi is ubiquitous, every time someone joins a Wi-Fi network there is a bunch of encryption and decryption that's happening behind the scenes. That is CPU load somewhere. So if all of a sudden you've been measuring CPU and life is good and it's just a normal day, and then suddenly you have, say, two, three, four, five, a thousand guests, that is a much, much bigger CPU load on your infrastructure. So keep that in mind when you're trying to do calculations on what will fit on your core.
0:04:04 - Lou Maresca
Well, thank you, Cheebert. We'll definitely have to get into some of that stuff later. But, coming up on the show, we're also going to tackle the skills gap in cybersecurity. It's really an intimidating challenge for a lot of organizations worldwide, so we'll definitely talk about that, and also get ready for an exclusive segment with Mike Starr, CEO of trackd and also a former NSA engineer. Mike will shed some light on the often conflicting realms of operational efficiency and cybersecurity, how they go together, and offer some pretty unique insights there as well. So definitely stick around. Lots more to talk about there, but we also have to get into this week's news blips. Let's go ahead and do that.
Well, folks, the US Cybersecurity and Infrastructure Security Agency has identified a significant vulnerability in the Service Location Protocol, or SLP, and added it to its Known Exploited Vulnerabilities catalog. Now this high-severity flaw, CVE-2023-29552, has a CVSS score of 7.5, and it actually poses a substantial threat to network security across numerous organizations. The SLP protocol actually enables systems on a local network to discover each other and communicate. It has actually been identified as compromised and has a ton of vulnerabilities. Now it allows unauthenticated remote attackers to register services and use spoofed UDP traffic to actually launch denial-of-service attacks with a potentially massive amplification factor here. This vulnerability was disclosed earlier this April by cybersecurity firms Bitsight and Curesec, and the details of its exploitation are still being unraveled. However, Bitsight has warned that this flaw could be weaponized to stage DoS attacks with a high amplification factor, posing a significant threat to targeted networks and servers.
The concern here is not just about the scale of the attacks, but also about the ease with which relatively under-resourced threat actors can actually exploit this vulnerability to cause extensive damage. Given the severity of this issue, CISA has mandated federal agencies to actually implement necessary mitigations by November 29. Now these measures include actually disabling the SLP service on your systems and operating systems, especially on untrusted networks, to actually protect them against this amplified DoS attack. Now for the broader IT and enterprise community, this serves as a stark reminder of the ever-evolving cyber threats that are out there. It's also a significant security risk that requires immediate attention. So organizations are advised to actually go out and patch vulnerable devices urgently and consider other safeguards like intrusion detection and prevention systems to mitigate the risks associated with the vulnerabilities. Now this situation underscores the importance of proactive cybersecurity measures, really in the era of digital threats, as they become more sophisticated and more widespread.
0:06:54 - Curt Franklin
Speaking of evolution, this week one of the hottest new technologies was hit by one of the older, more reliable attacks, as OpenAI's ChatGPT was struck by good old-fashioned DDoS activity. According to an article on Dark Reading, the company attributed recurring disruptions to a DDoS attack, resulting in high error rates in both the API and ChatGPT itself. According to their statement, ChatGPT itself, all OpenAI API services, Labs and Playground were affected. Researchers quoted in the article said that there are a couple of possible reasons for an attack like this. One is to lower confidence in the generative AI service. The other is to mask data exfiltration activity, something that's a real concern given the vast amounts of data that engines like ChatGPT require to build their models. It's somewhat ironic that OpenAI has fallen victim to the attack, since DDoS attacks have become more sophisticated and, ironically, often use AI to add further sophistication to the botnet attack modules. The outages come following OpenAI's recent milestone of surpassing 100 million weekly active users, which it revealed at its first in-person event on Monday of this week. During the event, the company also introduced its most powerful AI model, GPT-4 Turbo, and unveiled a feature enabling users to create personalized versions of ChatGPT.
Now, while OpenAI hasn't yet commented on who's behind the attacks, hacker group Anonymous Sudan claimed responsibility for the DDoS attacks via its Telegram channel. The group, which taunted the company during the outage in another Telegram post, cited OpenAI's cooperation with Israel as one of the motives and claimed the AI is also used to develop weapons. Anonymous Sudan, also known as Storm-1359, was founded in January and is primarily motivated by religious and political causes, focused on launching cyber attacks against any country that opposes Sudan, which includes the United States. After Telegram initiated a suspension of Anonymous Sudan's primary account, the group launched DDoS attacks against Telegram. The activists are believed to have ties with Russian hacking group Killnet, and researchers consider it a real possibility that it's not actually operating out of Sudan, but out of somewhere a little further north.
0:09:44 - Brian Chee
I would like to thank Dark Reading and some folks at Ernst & Young for a really interesting set of surveys. The headline on this is "Gen Z, Millennial Workers Are Bigger Cybersecurity Risks Than Older Employees." That was enough to really catch my notice. So the article goes:
A new survey shows Generation Z and Millennials, younger workers who have grown up as digital natives, are surprisingly more careless about their employers' cybersecurity than their senior Gen X and Baby Boomer colleagues. According to Ernst & Young LLP's 2022 Human Risk in Cybersecurity Survey, although 83% of workers in the US report understanding their company's cybersecurity policies, younger Gen Z and Millennial workers are less likely to comply with them. For instance, 48% of Gen Z and 39% of Millennial employees confess to being more cautious with their own devices compared to their work-issued devices. They also admitted to widely disregarding IT updates, reusing passwords for personal and professional accounts and accepting browser cookies in far greater numbers than Gen X or Baby Boomer workers.
Quote: "This research should be a wake-up call for security leaders, CEOs and boards, because the vast majority of cyber incidents trace back to a single individual," Tapan Shah, Ernst & Young Americas Consulting Cybersecurity Leader, said in a statement. "There is an immediate need for organizations to restructure their security strategy with human behavior at the core. Human risk must be at the top of the security agenda, with a focus on understanding employee behaviors and then building proactive cybersecurity systems and a culture that educates, engages and rewards everyone in the enterprise." So apologies to my students and their peers, but having grown up with pop-ups and such, you've become sadly more susceptible to just clicking on risky ads and pop-ups, while the old-timers, aka the old farts, are less trusting of this new technology. So mileage may vary, and I'm sure this characterization is only partially correct, but it's something to take notice of.
0:12:28 - Lou Maresca
This week, a new cybersecurity threat has emerged, targeting the very foundation of software development. Recent findings by the cybersecurity firm Checkmarx have unveiled a highly invasive malware strain ingeniously concealed within developer tools. Since January, eight developer tools have been compromised, each harboring a hidden payload with extensive malicious capabilities. This malware, which has been downloaded thousands of times in the past eight months, poses a severe threat to software integrity and developer privacy. The most recent tool, dubbed PyAuthGood, masquerades as a legitimate obfuscation tool designed to protect developers' code from reverse engineering. However, its true purpose is far more sinister here. Once executed, it grants attackers near-complete control over the developers' machines. The capabilities of this malware are actually pretty alarming and extensive, ranging from extracting detailed host information to setting up a keylogger, capturing screenshots and even rendering the computer inoperative. The level of obfuscation and intrusiveness of these payloads is really unprecedented. Each tool, while unique, shares common functionalities like the ability to download additional malware and steal sensitive data. The choice of targeting Python developers, often working with sensitive or even proprietary code, further amplifies the risk, and so all eight tools share a naming convention, starting with PyAuth, which is actually a calculated attempt to mimic legitimate obfuscation tools. Now these tools were downloaded primarily from the US, China and Russia, signaling a widespread impact there. Now the revelation is not just a standalone incident, but part of the continuing trend of malware actually infiltrating open source technologies. Here it serves as a stark reminder of the vulnerabilities that exist within software supply chains.
For those who are concerned about the potential risk, it's advised to search for any of the tool names and related indicators on their systems. Well, folks, that does it for the blips. Next up, the news bites. But before we get to the bites, we do have to thank a really great sponsor of This Week in Enterprise Tech, our friends at ITProTV, who are now called ACI Learning.
94%. Think about that, listen to this. 94% of CIOs and CISOs agree that attracting and retaining talent is increasingly critical to their roles. Now, with today's IT talent shortage, which we're going to talk about a little bit later as well, it's more important than ever for your team's skills to be current. 87% of companies say they actually have skill gaps in their employees. The challenge of assessing your IT staff's skills is really overwhelming sometimes, but it doesn't have to be. ACI Learning now offers Insights, a revolutionary skills gap analysis tool, to assure you that the training you're providing is actually working. In a quick one-hour assessment, ACI Learning's Insights will actually allow you to not just see, but understand and fix the skills gaps on your IT team. This is the solution IT managers have been waiting for. Now, with Insights, identify specific skill gaps in your employees and see where your team's weaknesses lie. Pair your team with personalized training. Blanket training wastes money and time; we all know that. Insights offers detailed solutions, support and strategy by issuing recommendations and training plans for individuals and your whole entire team as well. Compare results against other organizations so you know where you stand. You can even test skills and close the gaps with practical labs that allow trainees to focus on the skills they need most. Now, ACI Learning helps you retain your team and entrust them to thrive, while also investing in the security of your business. More than 7,200 hours of content are available out there, with new episodes added daily. ACI Learning stomps its competitors with a 50% higher completion rate than the rest. These are the training solutions your business has been really waiting for. Future-proof your team and company with Insights from ACI Learning. Visit go.acilearning.com/twit. TWiT listeners can receive up to 65% off an ITPro Enterprise solution plan after completing their form.
Based on your team's size, you'll receive a properly quoted discount tailored to your needs. We thank ACI Learning for their support of This Week in Enterprise Tech.
Well, folks, it's time for the news bites. On this week's news bites, we're going to focus on a critical issue facing the cybersecurity sector, that's, the skills gap. We've talked about it a little bit before, but the industry group ISC2 estimates the gap at 3.4 million professionals worldwide. To me, it's a very daunting challenge that can't really be resolved solely by the influx of graduates from higher education. The call is really for broader recruitment strategies, tapping into related professions and individuals with aptitude and relevant soft skills that are actually out there. The Global Cybersecurity Outlook 2023 report by the World Economic Forum highlights a different reality that we're seeing here.
Individuals are contending for talent in the same limited pool that's out there, potentially threatening really the viability of security incentives and initiatives. This competition can lead to a transient cybersecurity workforce. That's a lot of churn in that workforce, with professionals frequently changing jobs, which is really detrimental to both the individual's career growth as well as organization and their security. The issue is really complex. There's just a push to bring non-skilled applicants into the sector. A UK government report actually warns of this risk. In fact, it found that 22% of cyber sector companies employ staff lacking necessary skills and 44% of those job applicants fall short technically. This skills deficit leads to unfulfilled roles and unmet business goals. The heart of the problem lies in this really specialist nature of many of the cybersecurity roles that are out there, such as forensic analysis and penetration testing.
Recruiting high-potential individuals without the required background can be a slow process. We all know that. Sometimes it takes months to get people in, and years to actually upskill them to the necessary standards that are required out there. Now training emerges as the key solution here, which we actually just talked about in our ad, but yet organizations really hesitate, sometimes because of the volatile market. However, the industry data suggests that professionals seek certifications primarily to enhance skills and stay current, not necessarily to switch jobs. Now, cybersecurity is definitely a demanding field. We all know that it's requiring really ongoing qualifications and a real commitment to safeguarding data. Now, as we are encouraging aspiring professionals out there, it's really necessary for them to continue their education over and over, over a period of time, to continue learning.
Now I want to bring my co-hosts in, because this is a big topic across the industry. We all know that, with the ever-evolving cybersecurity landscape, it's a big deal. It's a big deal for organizations because they have to put a lot of effort and a lot of funding into it. So do the employees. I want to bring it to you guys, just throw it out there. Just the question. First, obviously it makes sense to consistently bring in people from all different backgrounds, but, like this article points out, there's that initial tax you have to pay. You have to bring them up to speed on not only the technology but also the necessary skills that they need, and if they don't necessarily have that background, it could cost even more. So what do you guys think? Is this something that we'll continue to see, or is this something where they're going to start targeting specific people with specific technical backgrounds?
0:20:15 - Brian Chee
Actually, I want to jump in and do a mini rant. I ran into the buzz saw that is negotiating with a large organization's human resources organization, and their attitude was that as long as you have the right buzzwords, you qualify and they let you in the door. And I get deluged with people to interview that really have no clue. I actually asked one kid to name a layer three device, and this is for a network specialist position, and they couldn't name a layer three device. Very frustrating. So here's, here's what I'm fighting, and I've had to hire lots and lots of people.
Most HR groups, and this is even before we start getting into who we're going to hire, HR groups don't differentiate quality of education. I actually tried to put a stipulation into my required qualifications that they be from a nationally accredited university or have demonstrated experience, and the HR group said no, and I asked them flat out: so that means a kid with a diploma from a diploma mill is just as valuable as someone that went to an Ivy League school? And the answer was yes. So I think that's one of the things that you need to fight for with your organizations, making sure that the training is equivalent. Just because someone has a degree doesn't mean they necessarily have experience, and it doesn't necessarily mean that the quality of the education is worth the paper it's printed on.
0:22:11 - Lou Maresca
Makes sense, makes sense. How about you, Curtis? How do you feel about this?
0:22:15 - Curt Franklin
Well, I want to thank you for choosing a topic that is one of my major focuses of research for this year and next year. So thanks for that. The basic problem, as we've seen, is that there is a skills gap, depending on who you talk to, of somewhere between 350,000 and 500,000 people. That's the gap between the number of existing and anticipated openings for trained cybersecurity professionals and the number of existing trained cybersecurity professionals. And every professional training organization that you talk to, if they are being honest, will tell you there is no way to train that many people. It just isn't possible. So what do you do?
We've seen the rise of managed security service providers, MSSPs. Smaller companies, especially, are turning to MSSPs to handle their security requirements. In this way, you have one company's worth of professionals that handle a number of companies. So this is one way of dealing with it. Another way that we're seeing it being dealt with is through the use of generative AI. Generative AI isn't replacing cybersecurity professionals. What it is doing is enhancing their skills. So it's taking, say, a tier one analyst. For those not in the business, that's the first-level individual, the people who tend to spend their working lives combing through device logs and network logs, and it turns them into a tier 1.5 analyst, so that when they do see something that seems suspicious, it is more likely to be an actual issue and they can pass it on to the next tier with more context.
Now we're also seeing a lot of training going on, and you're starting to see companies that train groups, like Cybrary, for example, that are behaving as not only training firms but employment firms. So they're telling companies looking to hire: hey, if you will sponsor people and help pay for their training, regardless of their background, when they finish, you can hire them and we, Cybrary, will guarantee their readiness to agree with this. If they're not ready to work, you don't have to pay us, and that's a powerful incentive to make sure that the certification is actually reflecting what they need to know. So there are a bunch of things going on here, and we haven't even started talking about this mobility that you mentioned. The one thing that's interesting: there are companies that don't want to train cybersecurity professionals because they think they are training their competitors' employees, but a number of different studies show that cybersecurity is much lower in that kind of post-training mobility than many other industries, like, for example, healthcare.
0:26:01 - Lou Maresca
I think you bring up a really good point here.
I'm going to go back for a second because I've actually witnessed something similar going on in the industry. New technology and tooling definitely is helping to augment people's roles and really sometimes support the skills gap out there. Obviously, you talked about the generative technologies, these large language models supporting this. I see it in not only code, but I also see it in managing services and infrastructure, being able to pick the needles out of the haystack there, and I think that's a really important thing for people to actually use as learning tools to bridge the divide and build some skills that are out there. But I think, Brian, I want to bring this back to you because obviously, being an educator, it's more important not only to use the tools and the content that's out there, but also to have experienced individuals training those people. Does it make sense for organizations to maybe bring in consultants and people to help train their people, not only on using tools, but kind of using all these three things together that would help them get to where they need to be?
0:27:02 - Brian Chee
I actually like all of the above. The sad fact is, just because you're a tenured faculty member doesn't make you a cybersecurity expert, not by a long shot. I am a very, very big fan of public-private relationships, where you have people that are in the trenches working with the kids to give them some practical experience, and, speaking of which, we actually have our guest frantically writing. I bet you he's got some really interesting comments. Mr Starr from trackd, you've obviously got some opinions and you've been in the trenches. Let's hear your two cents.
0:27:47 - Mike Starr
Yeah, I've never been accused of not having an opinion, and a strong one at that, but I completely agree with Curtis.
I think that I'm not super bullish on AI, it's kind of a hot take, especially in its current form, but I do think that ChatGPT is an absolutely amazing tool to accelerate learning for any topic. One of the things that's really interesting is, to be really good at Googling, you have to understand enough about the topic to write good Google searches. You don't need that with ChatGPT, or you need a very much smaller set of expertise to understand that and generate a generic enough prompt to answer some questions about a particular topic and get enough keywords to form a good Google search. And I think that ChatGPT is fantastic at doing this and will help accelerate, potentially even past the 1.5 tier. As you continue to have a stronger mastery around a particular topic, you can prompt ChatGPT more and more specifically, and as you get better with ChatGPT, you can get more and more out of it. So I think that Curtis made an amazing point, and maybe one that is not super obvious to everybody. Makes sense.
0:29:10 - Lou Maresca
I think one last thing I want to throw out there is, I've seen with a lot of people, a lot of organizations, they're not only using tools like this, but they're also looking for a very specific set of skills that people are focused on, specific things like whether it's infrastructure related or it's data exfiltration or it's data auditing, that kind of thing, and obviously tools can help augment this. But the question is, where can companies go to dip into skills like that? Like, obviously, Mike, you worked for the NSA, so you are familiar with having people with a particular set of skills, right, but is there a place where they would go to find people with that type of skills?
0:29:54 - Mike Starr
It's a really hard one, and I think that Israel has done a fantastic job at this. You mentioned the NSA. Unit 8200 is the corollary for Israel, and they get conscripted for two years as really citizens, and when they're in 8200, if they've qualified for it, they get trained on all kinds of cool technologies, doing fancy cyber training, and when they get out, the difference between the US and Israel is that Israel has set up largely a mechanized way to support former 8200 unit members to go start businesses and start startups and help them get funding or fund them, and, as a result, they have just a fantastic set of cyber professionals. Yeah, Curtis.
0:30:50 - Curt Franklin
No, I was going to absolutely agree with you that that's something where we're lacking. I know that our friends over in the UK do something similar where, on a number of their technical military positions, when they have completed their military training and done their service, they come out with the equivalent of a professional engineer license, so that they are ready to be employed in the civilian sector. We don't do that. We don't consider military experience and training at the same level, and I think that is a dramatically missed opportunity on our part. Now, our government does have free training for people in government sectors and veterans, and it does provide certification, but it's something that the veterans have to seek out and have to do in addition to their normal training for their role in the military. So I agree, if we consider this as a country to be an issue, and recent statements by the White House and by various members of Congress indicate that we do, then we should be willing to take these proactive steps to get these experienced, trained individuals into the civilian workforce.
0:32:19 - Brian Chee
I'd like to make a comment about that. I've had direct involvement with several students from Sweden, from the Philippines, even from Bosnia. Every single one of those countries has taken a proactive step towards trying to fill the cybersecurity skills gap. Now the American government, and this is an open comment to my Congress critters, you folks have had such a hands-off attitude: "I want to be so politically correct that I have to be even-handed. And if I can't help absolutely everybody under the sun, every single one of my citizens, I'm not even going to risk introducing a bill."
Wrong. If we can get even a half a percent of US citizen kids of college age, maybe an associate degree or a four-year program, a half a percent involved, at least with some decent cybersecurity education. Maybe it's an elective class, maybe it's an entire string of classes, maybe it's an actual degree program. Just dive in, give it a shot. Come on, US government. We spend millions and billions of dollars on all kinds of things, but yet we're not really spending on cybersecurity outside of the military. You're ignoring a very, very large talent pool, well, potential talent pool. Let's invest in that.
0:34:10 - Lou Maresca
We're going to talk more with our guest, Mr Mike Starr of trackd, in just a moment. Before we do, we do have to thank another great sponsor of This Week in Enterprise Tech, and that's Palo Alto Networks. Palo Alto Networks offers ZT for OT without all the trauma. Keeping operational technology secure and running smoothly is a really tall order. It's enough to make even the coolest operations director wake up with night sweats. Now you can have peace of mind with Zero Trust OT Security. Zero Trust OT Security delivers comprehensive visibility and security for all OT assets, networks and remote operations. The Palo Alto Networks solution provides exceptional OT protection with more than 1,100 App-IDs for OT protocols, 500-plus profiles for critical OT assets and more than 650 OT-specific threat signatures supported. It provides best-in-class security while simplifying OT security management, and it sees and protects everything in the network and automates threat detection while implementing Zero Trust across all operations. Get better with the most comprehensive platform to detect, manage and secure OT assets. Learn how the Palo Alto Networks Zero Trust for OT Security solution can achieve 351% ROI over five years. To learn more, find the link in the show description or visit paloaltonetworks.com. That's paloaltonetworks.com, and we thank Palo Alto Networks for their support of This Week in Enterprise Tech. Thank you. Well, folks, it's my favorite part of the show.
We actually get to bring in a guest to drop some knowledge on the TWiET riot. Today we have Mr Mike Starr, CEO and founder of trackd. Welcome to the show, Mike. Thanks so much for having me, guys. Appreciate it. Absolutely. Now we have a large spectrum of experiences in our audience. We have the entry-level people all the way up to the CEOs and CISOs out there. Can you maybe tell us a little bit about how you got started in tech, the journey through tech and what brought you to trackd?
0:36:12 - Mike Starr
That's a long story, and I'm known to ramble, and I got a warning before we started about rambling. But the way that I really got into it, my background started off in network engineering with a CCNA course, which is a Cisco Certified Network Associate kind of academy, and we talk about, like, how do you get people skilled in things? And this was my first opportunity to do so: it was either take a pre-calculus course in high school or go do some computer weirdness with a CCNA thing, and I said the one with the computer sounds far easier and far cooler. And so that started this journey for me back in 2006. And specifically I found a very tiny undergrad university, SUNY Alfred, that was a Cisco Certified Academy and got exposed to the Northeast Collegiate Cyber Defense Competition, and those two things, networking and security, kind of like smashed together, and I've been pursuing that at, I don't know, a million miles an hour ever since. That's why I don't have any hair. That's right, we're all.
0:37:29 - Lou Maresca
I actually saw in a little bit of your bio that you went to SUNY. Is that right?
0:37:33 - Mike Starr
I did yes, SUNY Alfred, really tiny school.
0:37:37 - Lou Maresca
Is that the one over in the Buffalo area?
0:37:40 - Mike Starr
It's about an hour and a half directly south of Rochester, so if you were to draw a triangle... I used to live in Albany, in this connected area.
0:37:50 - Lou Maresca
Oh yeah, swimming at SUNY, that's fantastic. Cool. Well, you know, I think obviously we have lots to talk about here, but one of the biggest things is we often hear about the competing priorities between IT operations and, of course, cybersecurity teams. So I wanted to start out with just how, based on some real-world scenarios that you're seeing out there, this kind of plays out in organizations, and how they can ensure that they have some security robustness there.
0:38:18 - Mike Starr
Yeah, it's a really interesting comment. An example of this might be the weight between operational risk versus mitigating cybersecurity risk: deploy a bunch of firewalls everywhere. What does that entail, right? Just patch everything, turn MFA on everywhere. And in the best-case scenario, those that are making those edicts are ignorant of the operational risk, and at worst, they just don't care.
And so when you ask somebody in infrastructure IT, can you just include patching these thousand servers, or even 10 servers, or five, during an existing maintenance window, they say, well, we have a MOP, there are standard operating procedures that went through a change control board, we can't just throw that in. Not to mention, if things break, then what? Maybe they miss a Tinder date, maybe they miss their daughter's recital, or dinner with their wife or spouse or whatever it is. Essentially, you're potentially asking them to disrupt their life. And so this understanding that there's operational risk associated with mitigating cyber risk is the start to bridging the gap between security teams and IT infrastructure teams.
0:39:41 - Lou Maresca
So, building on that a little bit, because we talked about this in our bite: obviously, there's a significant gap in human understanding of some of these errors and issues that are out there. How do you think the friction between what you call operational efficiency and some of these security measures and issues increases the likelihood of human error, and how can both the IT operations teams and the cybersecurity practice help with that?
0:40:08 - Mike Starr
How do we reduce human error?
0:40:11 - Lou Maresca
Yeah, I mean it increases over time, right? The more and more challenges that we have out there, the greater the likelihood of more and more human error, and it's going to impact both teams. How do you think the friction between those two things makes it worse, and how can organizations make it better?
0:40:28 - Mike Starr
Yeah, what makes it worse: it's a lack of context. That's the main source of frustration between these two teams.
When security says, can you just do your damn job and patch, or deploy the firewalls, or add a rule, and IT is like, yeah, do you have a damn ticket?
I've got 14,000 other ones, and the executive suite's breathing down my neck for whatever new thing. It just allows people to not care and be flippant with what are probably, if you assume positive intent, well-intentioned requests backed by normal human frustration. So instead of assuming negative intent, or throwing a request over the fence and just ignoring the other things that an operator needs to do, either on the security side or the IT side, attempt to understand where they're coming from. What's driving the security team to be so pushy about a particular vulnerability? Or, from the security team's side, what else is on IT's plate? What discovery work can I do that might otherwise help them make a decision? Maybe they can patch this today, maybe they can make this firewall rule approval because it's less risk, etc. And so I guess the answer is just context. Treat humans like humans.
0:42:02 - Lou Maresca
Right, right. So you talked a little bit about having a bit of a mindset shift for each side of the organization, to think more about how people are handling this. Obviously, there's a tremendous amount of pressure that IT teams and cybersecurity teams are under. What do you think can help reduce that pressure? Maybe that will help them understand their jobs a little bit more. What can happen there?
0:42:23 - Mike Starr
That's really hard. Reduce the pressure? It's a high-pressure job. There's a lot at stake, and I would argue that security and IT folks aren't really compensated to care about the fundamental thing that they're actually protecting, and that's the business operations. Right? What is the underlying business impact for whatever the hell you're trying to do? How does it support or detract from the business?
And often those doers, if you will, the bottom of the pyramid, don't have that context, and so they're doing as best they can with little to no insight. Or, again, context. And so it really comes from the top. If the CEO doesn't care about cyber, doesn't care about infrastructure, then why would the CISO, CFO, VP of infrastructure, SRE, IT admin? There's no point. And so if there's no directive from the top that actually mandates, and not only mandates some caring about this thing, but actually doing something about it, putting in some kind of implementation, saying, hey, here's a training, here's some additional context...
I mean, we do this at trackd. There's almost nothing across the team that I don't share with the team, to make sure that we have context when we get users telling us that, hey, even though it's our baby, maybe it's an ugly thing. We work towards that. If we have to pivot, which, we're a startup, so we pivot all the time, and I know it's frustrating when people are 90% done with a feature and it's like, oh, we've got to stop and work on this, giving them the context... they might still be frustrated and they might still hate me for that minute, but at the end of the day, if you understand the fundamental mission, it's much easier to get motivated. And if that mission doesn't motivate you, then find a mission that does.
0:44:12 - Lou Maresca
Right. Now, again, we talked a little bit about the mindset shift and thinking about why this security professional is asking me to patch this thing. And, you know, I've worked with a lot of organizations out there, and a lot of their leadership asks for people to be data-driven. How do you think being data-driven can really help make better decisions here, on both teams and maybe even across different parts of the organization?
0:44:37 - Mike Starr
I think so. This is a big buzzword that I struggle with quite a bit. You know, trackd was founded out of rage, and really pretty much everything that drives me is rage, and data-driven decisions are a great bias to attempt to push something that you have data on, or you have a particular opinion and you put a bunch of data behind it to prove that that opinion is the right thing. And so, while I think that you can have empirical data to drive a decision, you have to check, or validate somehow, and I have opinions on this as well, but you have to validate that the data that you're using is in fact an unbiased picture of the thing that you're trying to do. If you have the same data, and a security group has the exact same data, they can construe it and say, hey, this firewall rule's not going to negatively impact our security posture, sorry, that's the IT person or some business unit requesting a hole in a firewall. Meanwhile, security could pull the exact same data and say, by enabling, you know, egress 443 HTTPS, right, you say, well, this is going to enable
C2 beacons from malware, which is probably true. But also, if you blocked all egress HTTPS out of your company, you'd be doing nothing. And so there are these super extreme points that people like to make with data-driven decisions. You see them in marketing all the time. Really, to understand whether you are making the right decision given a set of data: where'd your data come from? What biases are in it? And really, what's your ultimate goal?
0:46:34 - Lou Maresca
We have lots more to talk about. We're going to talk about vulnerability management, we're going to bring my co-hosts back in, but before we do, we do have to thank another great sponsor of This Week in Enterprise Tech, and that's Thinkst Canary. Simply put, Canarytokens are tiny little tripwires you can drop into hundreds of places. They follow the Thinkst Canary philosophy: trivial to deploy, with ridiculously high-quality signal. There's little room for doubt. If someone's nefariously browsing a file share or opens a sensitive-looking document on your Canary, you'll immediately be alerted to the exact problem. Now Thinkst
Canary's founding team has a background in offense, but has prioritized defensive thinking in developing their devices. The Canary team is uber-conscious of customers' trust in their product, and it takes extensive measures to ensure their devices do not pose any additional security risk. Canaries are designed to be secure by using memory-safe languages and sandboxing. The architecture ensures that no critical network secrets are stored on the Canaries themselves. To maintain security, Canaries are not allowed to be dual-homed or span VLANs, as it could give attackers access to jump across networks. Now Thinkst Canary has put immense effort into ensuring they don't introduce new vulnerabilities into customer networks. If a bird can let off just one warning before it's owned, it's lived up to its namesake and it's earned its keep. Customers have the option to break the back-end authentication link to prevent Thinkst staff from accessing their console. Additionally, a third-party assessment commends the security design of the platform and software stack implemented by Thinkst. Hardware, VM and cloud-based Canaries are deployed and loved on all seven continents.
Go to canary.tools/love and see for yourself all the genuine customer love for Thinkst Canary. Visit canary.tools/twit and for just $7,500 per year, get five Canaries, your own hosted console, upgrades, support and maintenance. If you use code TWIT in the "how did you hear about us" box, you'll get 10% off the price for life. Thinkst Canary adds incomparable value, but if you're unhappy, you can always return your Canaries with their two-month money-back guarantee for a full refund. However, during all the years TWiT has partnered with Thinkst Canary, their refund guarantee has never been claimed. Visit canary.tools/twit and enter the code TWIT in the "how did you hear about us" box, and we thank Thinkst Canary for their support of This Week in Enterprise Tech. Well, folks, we've been talking with Mike Starr. He's CEO and founder of trackd. We're talking about security, vulnerabilities, training staff. I do want to bring my co-hosts back in, because they have been chomping at the bit behind the scenes here and want to ask some questions. Who's going first, Cheebert?
0:49:18 - Brian Chee
Well, I've been listening to what you did. I've also been perusing your website. I do like the chameleon, by the way. But I do a lot of work with small businesses and charities, and my absolute number one frustration is, oh my God, your workstation is two years out of date. Well, we don't have an IT person. Well, what I'd like to do is let's get into this. So the description I got off your website is: trackd is delivering a modern patch management platform with a twist, in addition to a robust suite of conventional patch management functionality, from vulnerability correlation to quick and easy... It says a lot of really good things. The part that I like the best is, I work with a lot of organizations that don't have enough staff to thoroughly test patches. You have a community where you anonymize the data so that you can get feedback on patches before you commit. Could you tell us about that community and what drove you to create this, other than rage? Well, I guess rage was a big one. Rage drives me on this topic too.
0:50:44 - Mike Starr
Yeah, really, I'd been sitting on a data center floor patching internet routers, and I was like, man, I really hope that my BGP sessions come back up, my IPsec tunnels come back up, and, man, if I cross my fingers... Exactly. One of our marketing guys likes to say, we give you confidence so you can uncross your fingers and have peace of mind, which is really lame, which is why we don't let him say it. But it's kind of that mantra: if I had known of just one other person that had a similar configuration to me, upgrading from the version I'm on to another version, and it didn't break there, then maybe I'd have more confidence that it wouldn't break mine. And this is exactly the premise of trackd. What we found is that when people are going to apply software updates, they're crossing their fingers hoping it won't break their stuff. So we tell you how it's broken other people before you apply it to yours.
0:51:40 - Brian Chee
Well, you're talking about routers and, obviously, PCs. What kinds of platforms do you guys support in your system?
0:51:49 - Mike Starr
Yeah, right now we support just what we call agent-installable devices. So think laptops, servers, VMs, anything running an operating system. We support every major operating system except for macOS right now; that comes out in Q1. And right now we're focused on operating system patching. This is a big gap. The likelihood that operating system patches will break things is the highest. But, most notably, less than 2% of patches are ever actually rolled back, and we have anecdotal evidence, we have a couple thousand data points now, that asserts that this is actually true. We have zero rollbacks or disruptions reported across the patches that our users have deployed so far. And again, a couple thousand versus hundreds of millions of patches that are deployed is a very, very small data point. But we've been in market for about six months now, and that's, what, five, six Patch Tuesdays. We've got one coming up next week, and no issues yet. So, cool.
0:52:46 - Brian Chee
Yeah, my rage is walking into a place and they tell me, we did the patch and my system's locked up now. So, Mike, thank you. But, you know, I see Curt stroking his beard, which gives me a real good indication that he's got some great questions he'd like to ask.
0:53:11 - Curt Franklin
Yes, the beard stroking is always a dead giveaway. Well, I'm curious about... well, one of the issues that I talk about a lot and that I research a lot is risk quantification. In other words, it's one thing to say we've got this risky situation; just how risky is it? And when it comes to things like patches and updates, not all patches are created equal and not all vulnerabilities are created equal, and that's why we have things like CVSS scores and all that. So how does trackd, or track-whoever-you-are, how do you quantify that risk in order to make sure that the most critical patches get the highest priority?
0:54:12 - Mike Starr
Great question. I will clear the air on how to pronounce the name of the company. It's either "tracked" or "track-D", it doesn't matter. It is named after the moniker of the Linux daemons, the little "d" after something, because we do run in the background of your endpoints. But if you call it track-D, you're probably a UNIX nerd, and if you don't, you're probably not. We love you anyway.
The question that you ask is how do you quantify your patching, the most important vulnerability? And the interesting point that I like to make here is that risk-based vulnerability management has been in market for almost 10 years, if not longer, and we're in a worse state than we were when we started. Now, more vulnerabilities are being disclosed and blah, blah, blah. But if risk-based vulnerability management actually worked, we would be getting better, not worse. And so what's really interesting here is we focus on CVSS score, EPSS, KEV, maybe. Those things are important, but by themselves they're meaningless.
The only reason people don't patch is because they don't want to disrupt their lives. No one can answer, will this break my stuff? And there's empirical data, and now we're talking about data-driven decisions, and this is, of course, self-fulfilling in this case, but less than 2% of patches are ever rolled back, and so this is an acknowledged bias.
You can attempt to do some research on this to validate this claim or not, but even with less than 2% of patches ever being rolled back, you're not going to play Russian roulette with your critical systems. And so the way that we're approaching the solving of this problem is by providing a way to quantify what you're afraid of, and then essentially turning that into what "safe" means to you.
And so, if 10,000 other people have patched that thing, there's a less than 2% global fail rate across the trackd platform, and your test infrastructure has a 100% success rate, we'll then auto-patch. And so the metric to us, and this is what trackd is founded on, the metric for patching isn't which vulnerability is the most likely to be exploited today, because that's the metric that's being used: which one is being exploited today, which one has weaponization today, which one's making the most money for the malicious actors today. It's which vulnerabilities have patches that have demonstrated zero operational risk to your company. And forget about, well, not quite forget about, but understand that you can auto-patch most of the updates that come out. And when you can't, because there is some operational risk that deviates from the threshold you set, well then we'll let you know, and you do those during a maintenance window or put compensating controls around them. That's our take on how to solve for vulnerability management.
0:57:23 - Curt Franklin
Okay, so your answer, which was a great answer, by the way, covered a lot of territory, but in doing that, it also was a great illustration of why this whole notion of risk is complicated.
0:57:40 - Curt Franklin
Now, this is not a simple thing, and even the question of whether my organization should spend money on patch management or take our finite resources and spend them on some other mitigation. So do you find that you are getting involved, as you talk to customers, in these questions about, you know, if I spend X amount of dollars on this patch management solution, will it give me Y dollars of enhanced risk abatement? Do you find yourself... I mean, there are so many glorious frameworks out there, there's NIST and FAIR and, you know, 20 others, but do you find yourself in these conversations about larger risk issues, and being a part of that total risk management discussion?
0:58:49 - Mike Starr
The short answer is yes, we find ourselves in these conversations. What's interesting, though, is our platform has been built from the ground up to tackle both vulnerability management and patch management in a single platform. Now, there are hundreds of vendors in the space, and there are a few notable ones that have both patching and vulnerability management components, but they started with one of them and tacked on another, built by different product management teams, etc. We built it from the ground up to do both at the same time, unifying, or allowing for, security teams and IT teams to share context in the same console. So, as a security person, I see what I care about, but it's in the context of the IT person. So it enables us to start having more collaborative conversations, and nearly every account we have on the platform has both an IT person and a security person as a user on the platform, and what that allows for is the facilitation of a collaborative conversation, versus one that's just filled with consternation. So I think another cool component about our platform is that, right now, it's completely free. We don't have a premium tier of the product, and the reason is because we want to collect this data about patching experience and share it with everybody else. So as you patch, it benefits others, and as others patch, it benefits you. And to Brian's point, where he works with a bunch of nonprofits and those with no budgets: finding and fixing your vulnerabilities, that is, scanning for vulnerabilities and deploying those patches, will be free on the trackd platform forever across all operating systems that we support. That's a thing we say all the time; it's a commitment we have to the security community.
For those that don't have the financial abilities of large financial institutions, you're not left out to dry in the proverbial cyber landscape anymore. You can go on to our website, download unlimited agents and see your cyber risk immediately and start patching it. So I think that the ROI conversation is an interesting one, but it's not the only thing that matters. And again, you could pay premium for a patching tool, you can pay 10 cents per agent for a patching tool, but the thing that's actually going to drive the needle forward in reducing your cyber risk in any tool, not just patching, but in phishing resistance, in credential theft, is building tools that are built for human behavior, and understanding that both IT and security are...
One cares about cyber risk, one kind of cares about operational risk. And if you don't have a shared goal, and I'll liken this to marketing teams and sales teams: if their goals aren't aligned, they're always going to be pointing their fingers at one another. We see this all the time. It's the same thing with security and IT. If you can't point them at the same goal, then we're doomed to continue to fail.
1:02:22 - Lou Maresca
Well, thank you, Mike, and unfortunately our show is running a little low on time. Some amazing wisdom, so thank you so much for being here. I want to give you a chance to tell the folks at home, we talked a little bit about going to your website. Where's trackd's website? How can they get started, how can they get involved and maybe even download your services?
1:02:38 - Mike Starr
Yeah, absolutely. Go to trackd.com. That's the website, and if you're interested in getting started, you can go to trackd.com. You can shoot me a note, mike at trackd.com. Hit me up on LinkedIn. And the great thing is that you don't need to do any research beforehand. You can go in less than five minutes from account creation to your first remediation.
1:03:00 - Lou Maresca
Well, thanks again for being here. We appreciate your time.
1:03:02 - Mike Starr
Absolutely. Thanks for having me. It's been a great time.
1:03:05 - Lou Maresca
Well, folks, you have done it again. You sat through another hour of the best darn enterprise and IT podcast in the universe, so definitely tune your podcatcher to TWiET. We want to make sure we thank everyone who makes this show possible, especially my amazing co-hosts. Our very own Mr. Brian Chee, Cheebert. Thank you so much for being here. Where can people find you, maybe get in touch with you, maybe find out what you're doing this week?
1:03:27 - Brian Chee
Probably working with Victor, unfortunately bleeping our guest. Anyway, I still use Twitter, which is now called X, which I still say is one of the dumbest name changes I've ever heard of. I am @advnetlab, Advanced Net Lab, and I'd like to share all kinds of ideas. People have been throwing all kinds of questions at me. I'm also cheebert, spelled C-H-E-E-B-E-R-T, at twit.tv. You're also welcome to use twiet at twit.tv. And, as a tease, because December is one of those really slow months, it's hard to get guests, we're going to do an experiment, and because it's my ex-student, I get to twist his arm.
One of the really, really big comments we've had from a large number of our viewers is you would like us to go into a lot more detail. "We want deep dives" is almost a ubiquitous request from almost every comment I get, not all, but close, so we're going to try it. One of the lesser understood but very commonly used technologies on the internet is domain name services. We're going to get together with one of my ex-students, Joshua Kuhl, and his co-author, Ross, and I can't remember Ross's last name, and we're going to do three episodes in a row, diving really, really deep into DNS and try to pull away the curtain, talking about security issues, implementation issues. Basically, we're going to go past, present and future of DNS, and hopefully you folks like it.
1:05:27 - Lou Maresca
Looking forward to it. Thank you, Cheebert, for being here. We also thank our very own Mr. Curtis Franklin. Curtis, thank you again for being here. What's coming up for you? Where can people
1:05:36 - Curt Franklin
find your work? Well, I'm writing my trends to watch for 2024, just published on Omdia, so I'll be writing a little bit about that, probably over on LinkedIn, where you can follow me at Curtis Franklin. I will also be publishing some things at Dark Reading. If you go to darkreading.com/omdia, you'll find what I write there as well as what my colleagues write, and I tend to be on some of the social platforms. I will admit I am on X very little these days. You can find me most of the time on LinkedIn at Curtis Franklin. You're welcome to follow me on Facebook, or I'm looking hard at Threads, trying to decide whether that's going to be a useful network, and in the meantime I'm always on Mastodon, where I'm KG4GWA at mastodon.sdf.org. Find me in any of those places, send me a message. I always love to hear from members of the TWiET Riot.
1:06:52 - Lou Maresca
Thank you, Curtis. We also have to thank you as well. You're the person who drops in each and every week to get your enterprise goodness. We want to make it easy for you to watch, listen to and catch up on your enterprise and IT news. You should go to our show page right now, twit.tv/twiet. There you go. You'll find all the amazing back episodes, the co-host information, show notes, guest information. But more importantly, next to those videos there are those helpful subscribe and download links.
Support the show by getting your audio version or your video version of your choice. Listen on any one of your devices or any one of your podcast applications, because we're on all of them. So definitely subscribe and support the show. Plus, we also have Club TWiT. That's right. It's a members-only ad-free podcast service with a bonus TWiT Plus feed that you can't get anywhere else, and it's only $7 a month. That's right. Not only do you get exclusive access to our podcasts, but also some great things that come with it. There's a members-only Discord server. Plus, you can chat with hosts, producers. There are lots of discussion channels on there. There are amazing special events. Definitely check those out. Lots of fun stuff, lots of channels. So definitely join Club TWiT. If you want to be part of that fun, go to twit.tv/clubtwit. Now, they also offer corporate group plans as well. It's a really great way for your entire team to get access to all of our ad-free tech podcasts, and the plans start with five members at a discounted rate of just $6 each per month, and you can add as many seats as you like there. It's a really great way for your IT departments, your developers, your tech teams, your support teams to stay up to date with all of our podcasts. Just like that regular membership, you can also join the TWiT Discord server as well, and they get that TWiT Plus bonus feed. So definitely check out Club TWiT. Of course, they also offer family plans. It's $12 a month to get two seats. You can add more seats at $6 each per month. So definitely check out Club TWiT. It's a really great way to keep on top of everything and also be part of the movement there.
I want to thank everyone who makes this show possible, especially Leo and Lisa. They continue to support This Week in Enterprise Tech each and every week, and we couldn't do the show without them, so thank you for their support over the years. Of course, thank you to all the staff and engineers at TWiT and, of course, thank you to Mr. Brian Chee one more time. He's not only our co-host, but he's also our amazing and tireless producer. He does all the show bookings and the organizational stuff behind the scenes, and we really couldn't do the show without him. So thank you, Cheebert, for all your support. And, of course, thank you to the editor for today, because they're going to cut out my mistakes. So thank you very much. And thank you to our technical director, Mr. Ant Pruitt. He's also on a great show called This Week in Google as well. What's going on this weekend on TWiT for you?
1:10:24 - Ant Pruitt
Okay, Mr. Lou, normally I do hop on here and plug some stuff for myself, but I've got to tell you, do we need to have a moment with Mr. Chee? This man started out the show yelling about some students and was on fire and raging, and then he ended the show saying how he's going to twist this one student's arm for our DNS segment. Mr. Chee, are you okay, sir? Are
1:10:51 - Brian Chee
you good? No, no, no, no, no. Being able to abuse your students is a perk, right?
1:11:00 - Lou Maresca
Says the retired guy. Yeah.
1:11:02 - Ant Pruitt
I'm not sad enough for any of your courses, sir Wow.
1:11:07 - Brian Chee
I've got a really great story. My students and I helped do some fiber optic repairs at the Hilton Hawaiian Village in preparation for the Western Governors' Association conference. As a reward, we got to go to the banquet. I know my kids were starving, but I was just talking, having a great time talking to the governor of Colorado, and they just sat there. They were waiting to see who would pick up the fork, because they had no idea what fork to use. So we arranged with Hilton catering, we did a grilled cheese sandwich lunch for my students, but with all the china, all the silverware and all the glasses, just so they could learn what stuff to use, all the things they don't teach in public schools in America. But I learned because I went to a parochial school. You are just... you are one for the ages.
1:12:10 - Lou Maresca
My man, that's all I'm saying. Thanks, Lou. Thank you, guys. Well, speaking of one for the ages, until next time, I'm Lou Maresca, just reminding you, if you want to know what's going on in the enterprise, just keep TWiET.