
Thank you for coming again today. My name is Harinder, as many of you know, probably from yesterday and probably previous years. I'll start with apologizing: yesterday we ran out of the food. Yesterday's calculations didn't work. We always think 70% of people are going to show up, but 95% turnout was great, so thank you. Next year we will fix it. Yeah, it's a good problem to have, yes, but apologies are required because some people didn't get the food. We fixed it today, so we are not going to run out of the food.

So, again, I'm going to run quickly through the slides. Code of conduct: we didn't get any complaint yesterday or today, so thank you very much for your professional behaviour. If you have any questions related to anything, find someone like me in a blue T-shirt and they will answer questions for you. Survey: please respond back to the survey on how we can improve. Yes, I agree, food we need to improve on, but definitely this is one of the BSides that provides warm food, because we are Edmonton, and Edmonton is the best, right?

So we're going to have three talk tracks, as you know, as you attended yesterday as well. Workshops: we have two workshops running, by Megan and Adam McMath; I will explain in the later slides. CTF: we are running two CTFs. You already did the breakfast, and I hope you enjoyed it. Lunch is 12:30 to 1:30, and then there is a crypto challenge; if you didn't do it yesterday, there's still time to do it today on the badge.

Thank you to our sponsors. Gold sponsors, thank you. We were able to make the decision quickly to increase the food just because of you, thank you very much: Optiv, Zscaler and Palo Alto are our gold sponsors. Silver sponsors: MNP, Kips, Epic, GlassHouse Systems, Commvault, Netskope and Long View, thank you very much. Bronze sponsors: CGI, Cisco and Recorded Future. The CTF sponsors are NCL, Security Innovation, Hak5 and TCM Security. Thanks to HackerWare for making these cool badges.

So, as you know, in the PIC, main floor, is track one, which you are sitting in; the CTF and sponsors are in the atrium of PIC, the Productivity and Innovation Centre. Second floor: track 3 is in 232 and track 2 is in 233. Next time I'm going to switch, because 232 makes a little bit more sense, but as you can see on the maps, if you want to go to track 2, it's 233, track 3 is 232, and the workshops are in PIC 234.

So now we have community partners. Diana Initiative: anyone here from the Diana Initiative, TDI? Okay. Nicole, the best volunteer we have in Edmonton; she runs the Diana Initiative. You probably saw her helping you with the registrations. They host an annual diversity-driven conference in Las Vegas during hacker summer camp that is committed to helping all underrepresented people in information security. So if you want to attend a really cool event, this is one of the events outside of Edmonton.

University of Calgary: is there any representative from U of C? No? Okay. University of Calgary Continuing Education is partnering with BSides Edmonton to provide high quality educational opportunities for lifelong learners regionally and globally, thereby empowering people and transforming communities for a better future.

ISACA. Okay, I'm going to speak about them as well. ISACA Edmonton chapter: most of the people I saw are already members of the ISACA chapter, but if you're not, it's a really nice chapter. They do monthly events, really informative sessions. Maybe Google ISACA Edmonton chapter and join.

Is there anyone from In-Sec-M? We have to be better organized next year. In-Sec-M is a not-for-profit organization founded in 2017 at the suggestion of the National Research Council Canada. In-Sec-M brings together key players in the cyber security ecosystem and plays the role of intermediary between organizations that have cyber security needs and those that have the solution.

YAC: is Donald here? I saw Donald earlier. Do you want to speak for YAC? No? So I am also a YAC member. YAC is a Slack group, basically. I was one of the earliest members, from 2016. It's a local, volunteer, community-driven, information security focused group. Really cool group: you can put any question there and there will be an answer from someone. If you want to sell anything related to security or networks, there are buyers you're going to find there. So it's a really, really cool group. I would recommend everybody, if you are a member of an information security group or you want to be, like,
you know, pursue a career in information security, y.ca is a really cool way to start knowing your community, basically, in Edmonton.

ISC2. So Cherry, okay, finally we have someone.

Good morning everyone. We are from the ISC2 Alberta chapter. Hope I'm audible now, okay. So my name is Cherry and I'm with my colleague Karen here; we are representing the ISC2 Alberta chapter here. ISC2, I guess everyone knows a little bit about it. ISC2 provides education and certifications in information security, and our main goal is to connect cyber security and business and provide it in the whole of Alberta. So there are various certifications provided by ISC2, like CISSP, CSSLP, CCSP, HCISPP. There is one program run by ISC2 Alberta, Safe and Secure Online; if you want, please check our website. Anyone can request this; it's for parents, guardians, for children and everyone. There were a few in-person events that were conducted by ISC2 last year: there were two networking events, and there was one very cool seminar series run in Concordia University by Dr. Aslam and Mr. Shan Thompson. There was one ISC2 Alberta chapter event as well in Concordia University. We have been proud members of BSides Edmonton since its inception in 2018, and we are proudly supporting BSides Calgary as well. So if you want to know more or want to be a member of it, please visit our website. Thank you so much.

Thank you,
Cherry. Okay, we left out WiCyS yesterday, so we're going to give them the stage. Shvi, please come.

So good morning everyone. Okay, so most of you are already aware of our group here? No? Okay, sorry. Okay, so my name is Shvi. I'm representing WiCyS Western Canada here, and I'm one of the founding and present board members, and we have Puja and Chantel here from the board, and we also have so many volunteers here supporting us. Okay, so we are so excited to introduce you to WiCyS Western Canada. This stands for Women in CyberSecurity, and WiCyS is a global organization dedicated to advancing and empowering women in the cyber security field. It was founded with a mission to create a supportive community where women can connect, learn and grow in the cyber security field. So WiCyS offers incredible opportunities for networking, mentoring and professional development. Whether you are a student just starting your career or you're an experienced professional, WiCyS provides resources, conferences and workshops to help you advance in your cyber security career. One of the things that makes WiCyS unique is its focus on creating a diverse and inclusive cyber security workforce. By fostering a culture of inclusion, WiCyS not only helps women succeed but also strengthens the ... The WiCyS Western Canada affiliate is a community of Western Canada women interested in cyber security. So our affiliate covers the region of Alberta, British Columbia, Saskatchewan, Yukon and the Northern Territories. As a WiCyS affiliate, our group organizes activities and events which promote recruitment, retention and advancement of women in cyber security. So if you're passionate about cyber security and want to be a part of a community that supports and uplifts women in the world, we encourage you to get involved with WiCyS. We believe that everyone is unique in their own way, and having a cyber security community, a strong cyber security community, definitely matters. So we encourage you to join us and support us. Thank you. Thank you, Puja and Chantel. So lastly I would like to say a big thanks to the BSides committee for providing us this opportunity, and I request all of you to support WiCyS. I know we are all experienced professionals here, so try to find the way we can support and encourage the newcomers into cybersec. We know we need a lot of people in cyber security, so I request you all to join us to support newcomers and WiCyS Western Canada. Thank
you. Thank you, Shvi, Puja and Chantel. So with that I'd like to welcome our MC for the morning, Will Pentland. So Will, the stage is yours.

Awesome, thanks Harinder. Good morning everybody, how are we doing? All right, all right. Good morning. So I heard yesterday was really, really good. I, unfortunately, my flight was super delayed, but it sounds incredible that 500 people attended, so really excited, and I think day two here is another very exciting day to continue with the momentum. I'm Will Pentland and I'll be your MC for the morning. Thank you, Harinder, for the opportunity. I didn't know you were a risk taker like this, but I also realized how popular you are, so this is a really awesome opportunity to be up here today. And yeah, I basically just want to make sure that everybody is aware of what's happening this morning. So at first we'll have our keynote speaker, and then we'll start track one here in the main room, and then there's two other tracks, as Harinder mentioned as well. So starting off this morning with a bang, we've got Rajiv Gupta, who's the head of the Canadian Centre for Cyber Security. I'd like to start with the CISO for Alberta, Martin, who wanted to do a quick overview. No? Okay, so I will do a quick overview. So basically the Canadian Centre for Cyber Security, or the Cyber Centre, is mandated with protecting all of the Canadian cyber security space, along with critical infrastructure and the government as a whole. So very excited to have Mr. Gupta here today. To give a bit of background: in his early days he was a software engineer in the telecommunications sector before moving into the public sector. Once entering government, he has implemented a number of achievements over the course of his career, from being responsible for security architecture guidance, to supply chain and cloud risk assessments for the Government of Canada, to implementing a cyber security risk mitigation framework for the telecommunications sector. His leadership then grew into Director General of Cyber Defence Capabilities, overseeing the development and operation of sensors, threat discovery analytics and autonomous defence technologies used to protect Government of Canada networks and industry. So without further ado, I'd like to ask you to please give a warm welcome to Mr. Rajiv Gupta.

All right, good. Well, super happy to be here. Nice big audience, so well done in getting everyone together. I mean, this is really what cyber security is all about: people getting together, sharing ideas. It is a big community, and that's the only way to really solve the challenges that we have ahead of us. So, Rajiv Gupta, I'm at the Cyber Centre. How many people have heard of the Cyber Centre in this room? Right on, so the majority. Really important, but message number one that I really have is, you know, the Cyber Centre is out here. We were created in October 2018, so still relatively new and growing every single year. I mean, cyber security
as a profession wasn't around when we all started, well, when I started anyway, you know, 30 years ago in high tech, so this is something new. What I would like to say is that the Cyber Centre is under CSE, the Communications Security Establishment. So if you don't know what CSE is, it's responsible for foreign intelligence, cyber operations in foreign space, and then the Cyber Centre, which is the technical authority for cyber security as well as information assurance. So for us, information assurance means a lot of things in those words, and that's really crypto. So when you look at the cryptographic systems that we run, we've been doing this since World War II, so really important to us. We started as code makers and code breakers, and all of that, you know, military equipment, all the satellites, all the tanks, all the airplanes, everything we do in theatre and these sorts of things, that's all underpinned by crypto. Crypto is the essential layer for cyber security: it's your confidentiality and your integrity of all your connections, and that's near and dear to our heart. So we have a really big crypto program that we do, and that's what we call information assurance.

In terms of the technical authority for cyber security for the Government of Canada: a lot of advice and guidance. So if you've seen our website, it's almost hard to find everything there, and that's something we're trying to solve in many ways, but we almost have a document on pretty much anything that's out there. Certainly happy to hear your feedback in terms of what's missing in that space and how to get this information to you better, right? That's really one of our important messages: lots of info, how do you consume it in a really useful way?

I think the thing that really separates us as a cyber centre from other countries around the world is that we're hands-on. So we are the government security operations centre for the Government of Canada, so this is 100-plus departments that we're monitoring on a daily basis. So we basically eat our own dog food, we live it every single day: a thousand-plus incidents on the government side per year, and I think it was like 1,200 for critical infrastructure is what we dealt with last year. So busy every single day, seeing real incidents, responding to real incidents, having to defend ourselves from really every threat actor that's out there, because the government is a pretty good target. You know, we have the state-sponsored threat actors, cyber criminals and pretty much all the activists that are out there that want to do something against government. We see a lot of it, and that's really what informs all our advice and guidance.

When we were created in 2018, we came from a security and intelligence organization, so no one really knew who we were. So one of the big things that we wanted to do was, you know, how do we communicate with Canadians? So we started with our National Cyber Threat Assessment, and it wasn't just talking about the landscape; it's like, what do we see is going to happen in the next two years, so we can actually tell Canadians where we think the world is going, so you can actually make the right risk-based decisions. We've been doing that every couple of years, so 2018, 2020, and the last one was 2022, and that was a look forward into 2023 and 2024. I'm still going to be covering those off, but we just finished drafting our look for the next two years as well, so I'll go a little bit into that space without leaking exactly what we'll be putting out in October.

But really, over the past few years, we've really changed the threat surface. I mean, the pandemic made everyone work from home. You used to have a perimeter around a network, and that was great: you had a gateway, and that's kind of how your network worked. And then you added cloud, so the perimeter changed a bunch, and then you got a lot of remote connectivity, everyone started working from home. Basically your ingress and egress to your networks changed, and your threat surface changed greatly depending on whether you had managed devices or unmanaged devices. So definitely changed for defenders, but also changed a lot for attackers as well, in terms of threat actors. Everything getting connected, right? So 5G, pretty much here in Canada, internet of things, everything being connected. You look at industrial control systems, all the sensors that are out there, all the autonomy. Basically there's huge efficiencies to be gained by connecting a lot of your operational systems to big analytic platforms in the cloud. It's kind of irresistible to folks, but that also changes your threat surface as well: systems that should never have been connected to the internet are now connected to the internet, and maybe not with all the
controls they really need, right? So definitely kind of a robustness gap in that space. Cyber crime is really ramping up: cyber criminals used to have to make their own tools and be able to operate them; now it's just a big ecosystem that I'll talk a bit about as we go. One that's really important, and actually becoming even more important, and we saw that during the pandemic as well, is supply chain. And we saw that even recently with CrowdStrike and others: vendor concentrations are really critical. We don't even identify, we don't have the understanding as to what those concentrations are in our networks until something happens. That visibility is super important, but also the robustness of the different levels of our supply chain is incredibly important. You might think that that initial service that you're actually getting is of a certain level, but what are the other 18 levels below that, that are differing levels that you don't understand, right? So very important to really understand that. Threat actors understand that, and often there's a one-to-many return on investment. So if you're looking at compromising a service provider, it might give you a thousand targets if you're a threat actor. So these bigger service providers are becoming targets of opportunity, where different threat actors will actually provide more level of effort to actually get a bigger return on investment. I mean, we've seen Microsoft compromised a couple of times in the past year, but not unique in the world anyway; this is happening against all big players out there.

Geopolitical competition in cyberspace: this is something where, for countries, the battle lines aren't drawn exactly the same in cyber as they are with kinetic and other types of military activity. So because the norms haven't been established, countries think they can push the boundaries as to what's acceptable in cyberspace. I mean, things that we would see, in terms of even intrusions into critical infrastructure, well, that would be a crime if it was done physically, but with cyber it's kind of grey. It's still a crime, but very hard to prosecute, right? And countries think they can get away with that. So certainly we're seeing a lot of pressure, but also that kind of blurriness in terms of what the lines are does put us at risk, because the norms haven't been properly established.

And the last one I'll talk about is the internet, right? I mean, standards in general. People around the world, standards bodies, govern our technologies, and this is what we've lived over the years: standards got created and we build technologies to suit them. Technology manufacturers drive the standards, as do countries. What do we want the internet to be in the future, right? So that gets determined by standards bodies. Do we want a free and open information sharing platform, which is what it was originally created as, or do you want something that's more interested in surveillance and censorship, right, which the internet can also be used for? But that actually influences technical standards, and it actually influences some of our values and cultural norms as well, so important for us to understand.

So, some key judgments from a couple of years ago. I'll stretch them going forward, and certainly they're all true, and all of our judgments underneath there are true as well. Most of, actually almost everything, that we've predicted over our cyber threat assessments since 2018 has been pretty accurate. Ransomware is a persistent threat to Canadian organizations, and we predicted that would be the primary threat. Ransomware has grown basically at every level across Canada and in our partners as well. What we have seen is a sophistication of ransomware threat actors, changing their techniques as they go. It used to be, you know, you encrypt the services so that people couldn't use their services; then it changed to double extortion, where data would be stolen and then extortion would be applied to say, hey, we've got to leak the data as well as actually returning your services. A ransom would be asked for in Bitcoin or some other sort of digital currency. But we've seen the ecosystem really grow, right? I mean, ransomware as a service; now you have money laundering services, mixers that are out there, so you put in a certain digital currency and you can blend it into many others just to make sure law enforcement will never be able to find these. You see access as a service, you can buy access to different organizations; phishing as a service, buying phish kits. Pretty much it's all out there. You don't even have to be a software developer, or even a cyber criminal; you just need a criminally minded business person to be able to put it all together and then run your business from some kind of safe haven country where prosecution isn't going to get you. And that's the reality as well, is that a lot of these cyber criminal groups operate out of former Soviet states or other states where really the probability of prosecution is almost nil.

Moving into critical infrastructure, and this kind of ties into the point after it as well, in terms of state-sponsored threat actors: CI is a target, right? When it was, you know, 10 years ago, it was all about intellectual property theft, was a lot of
what we saw. Well, critical infrastructure wasn't necessarily the first target for intellectual property theft. When you get to ransomware and other sorts of money-focused criminal activity, critical infrastructure is an amazing target because it can't afford to be down, so any downtime costs the organization money. So it's a target for criminals; they want to make money, they're going to be motivated by money, and that's what's going to prioritize their efforts. So there's no sector that's really safe in that space; any sector that can actually be compelled to pay up a ransom is really what will be targeted, and criminals are amazingly adaptable to exactly what makes money and what doesn't.

Also, I'll just tie this into the state-sponsored threat as well. In our previous assessments we'd always said that state-sponsored threat actors were looking at critical infrastructure in Canada, doing reconnaissance against them, we knew this, and potentially prepositioning, but we always said there is no risk of disruption in the absence of actual hostilities. That was a key judgment that we had always made. Over the past two years, and the past year in particular, we've changed that judgment, and we are saying that there could be disruption happening, and we have seen an example where state-aligned groups actually tried to disrupt critical infrastructure in Canada, right through exposed OT infrastructure. So we have the evidence to prove it as well, so this is really a change in judgment. You would have also seen more recently some of the Volt Typhoon publications that had come out of Microsoft and the United States government as well. We had put out papers as well, in conjunction with our allies, on this, and this was really PRC prepositioning on critical infrastructure in the US. So once again, changing our judgments as to what to really look for. We talked about risk earlier, before this presentation started, but cyber security is really about risk management, understanding what those risks are, and this is where the risk space is going: to actually, you know, disruption of critical infrastructure, a point that we had a couple of years ago, and it's certainly just grown.

Threat actors are trying to divide and disrupt us. A big part of this was misinformation, disinformation, malinformation; all of those are just growing, more and more, I guess, impactful in our lives on a daily basis. You're seeing that with elections; it's kind of the year of elections this year. Canada might be this year or next year; a big US election is coming up as well. But certainly we've seen the trust in democratic institutions being eroded, and being intentionally eroded in many ways, right, with this misinformation. That's why it's super important for everyone to be good consumers of information, understanding that what you're reading needs to be curated, needs to be judged by each person, and that's a muscle we're all going to have to develop in democratic society. And fuelling, I guess, misinformation, we tied that to what the next point is, in terms of disruptive technologies. So part of this was really driving misinformation through algorithms, understanding social media algorithms, but also social botnets, right? So you can have botnets that actually drive false information from a very small number of seeds of information; this is what you're actually consuming on a daily basis. So not hard to do, and unfortunately very impactful in terms of driving false messaging into society.

In terms of disruptive technologies, the two that we had highlighted in 2022, AI, particularly LLMs, and quantum technologies as they're coming, certainly had a big impact, and we will continue to talk about them in the upcoming slides.

So just a little bit about the Cyber Centre. We are the national CSIRT, right, so the CSIRT for Canada, the registered CSIRT for Canada. We, as I said, took in over 1,200 incidents last year from critical infrastructure, in addition to another thousand-plus from the federal government. We work very closely with our provincial partners that are here as well, very important for us; we work with municipal governments as well, and then critical infrastructure partners right across Canada as well, some through bigger associations like the telcos. We've had a long-standing association with CSTAC, the cyber security technical advisory committee, so that's basically telcos getting together and working together to solve cyber security problems. We do the same thing with the banks, and more recently are doing the same thing with the energy sector, here, built out of Calgary really, and the Canadian Gas Association and Enbridge were the two that actually kicked it off, but really good representation in that group. So pretty amazing to see these communities coming together to be able to work. Can you hear me now? Right on, thank you, and sorry. Awesome. Yeah, so really important for us to work closely with these different groups, and very good.

A couple of the other things I'll talk about: for clients, we have several thousand registered with us. So as you become a partner of the Cyber Centre, we send out alerting systems, right? So we get feeds and feeds of threat intelligence; we kind of vet that, but we will actually send alerts out to your organization, not just basically on threats that we see to your organization but also things like exposed vulnerabilities. So the next vulnerability comes out, we'll do a scan of Canada and
actually notify people of these things in advance. Very important. And then if we understand that you're compromised right after that, we'll notify you of that as well, so that's something that we do on a regular basis, and then on a monthly basis we'll wrap these things up and put them out as kind of summarized scorecards that give you an idea of what we've seen for the month. I'll talk a bit more in detail on some of the other services that we've done, but basically what we built is based off some of the things we do in the Government of Canada, a very high-level set of services that we have. I mean, you can reach out to us anytime, cyber.gc.ca. Please don't hesitate. If you report an incident to us from your organizations, we're not compelled to release that information to anyone, so it's confidential; we keep the information trusted. Our job is really just to help you, and that's why we're there, right? So please don't hesitate to reach out. We've seen many, many incidents and we can certainly offer advice and guidance to help, and then we can go to the next level, to things like even log analysis, or even pushing out an incident handler to your site, and the far extreme of that is actually deploying our own tools that we use on government. But we try to not do that; we need different authorization for that, plus a request from the organization, and it has to be pretty much impactful to the Government of Canada, to Canada as a whole; there's a whole process for that. But that's as far as we've gone, and we have done that.

Certainly engaging critical infrastructure, I've talked about that. Cryptographic equipment assurance is really important. I'll talk a bit about that when we get to quantum as well, but just for interest, we do run the Cryptographic Module Validation Program. So if you ever look at FIPS approvals on products for crypto, we run that with the US, so it's NIST and ourselves that actually run that program and certify all the labs that do that testing. So it's a piece of what we do in that space; standards and certification are pretty important in terms of raising the bar. Defending government networks, that's what we do; that's where we kind of learn a lot of what we do. We have almost a million sensors now on government products. If you call that maybe EDR, we built that before EDR was around, so that was really it, but it's more of an XDR ecosystem that I'll talk a bit about. And then of course information sharing, and this is where I'd love to have feedback as well. You know, we put out a lot of different products and hopefully get that into your hands in a timely way, but really interested in terms of how we can actually create more value for all of you from the information that we do have.

So a little bit about sensors, and I'll talk a bit about an incident. I didn't put a slide in there, but I thought I'd talk about the most impactful incident that we had this year on government. But really, how we defend the government: this used to not be shared publicly, but we have more recently put this into our public documentation. This started in 2009, 2010: we started doing network-based sensors, really monitoring traffic into the Government of Canada as a big ecosystem. We started building what we called host-based sensors back in 2011, 2012; now it's called EDR, that's what it is. We realized that putting the network data together with the host-based data was pretty much essential for finding any advanced threats. Just so you know, when we turned on our network sensors in 2010 for Shared Services Canada, which is the big network, it took us about two weeks to figure out that the Government of Canada was owned by a state-sponsored threat actor at that time. So really good return on investment
almost immediately, and that's why we've invested in the program, and pretty much all of the nation-state compromises that we found on the Government of Canada have been through this ecosystem. Cloud: in 2018 we went to cloud-based sensors, obviously at 77 institutions; that's really hundreds of tenancies. We monitor all of that; it all comes back to one big data lake, and we run lots of analytics against that. It's really what we think is necessary in the new era of looking at threats: really bringing all that data together into one spot and then running comprehensive analytics against it, and as you get to more compute power and GPUs and LLMs, that's really the model that you're going to need to find threats. And then we've looked at how to shift network sensors into the cloud. We have other sensors that I haven't listed here, but that's really the ecosystem that we built. Also of interest, and I think it will be interesting for future talks, is we used to build our own analytic tools, but now there's so many amazing open source platforms that are out there that we have pretty much an open source analytic platform. So I think maybe as a future talk we'll have someone do a deep dive on that, because we'd like to share the tools that we build when we can, and that would be one of them as well.

So I'll get into that a bit more. So maybe just on this slide, I won't talk too much about this, but I will talk about one incident that we had that I think you'd all be interested in. I think it was called ArcaneDoor by Cisco in April, but this was an incident that we had in January. I don't talk about any specific department; if you report incidents to us, we won't talk about you either. This is really what we do, but we try to share the information that's related to them. And in this case here, you've heard about edge devices being exploited all this year; it's kind of the year of exploitation of edge devices. These are the devices that are supposed to keep you safe, but for some reason we've seen almost every major vendor of edge devices compromised. So this is a worry, and it should be a worry for all of us, that the technology that is supposed to be that security gateway into your organization is actually the entry point for threat actors. So in this case here, Cisco wrote a blog on this, so I'm happy to mention it, but we had found this ourselves in January: really, exploitation of the edge device, two zero-days used to actually get two different implants onto the actual router, running in your router, almost impossible to find. They modified the logs so that you wouldn't even see any of their activity in the logs, so they had full control over the logging system; they were able to selectively choose traffic to be routed back to another host, so basically right from the edge of your network, selecting traffic and sending it to wherever was wanted; and also anti-forensic techniques baked right into the router itself, right? So this is all showing very detailed and, I guess, in-depth understanding of how to actually do this to an edge device, with also some amazing capabilities for actually grabbing information. So we were lucky that we found it, to be quite honest, but
the sensor Network allows us to be able to find these sorts of things whereas I think most organizations would never be able to see this so flagging it as a risk right on the edge a lot of data transits those things I mean this is where you know all your users kind of connect through in terms of your remote access so um I would raise this as as something really important and kind of a worrisome Trend that we've seen in terms of the different compromises of or the different vulnerabilities that we've seen in Edge devices over the past year um if you wanted to read more about it Cisco Tellis did write a really good
blog on it they did credit the Cyber Center as well as Microsoft and some other partners in terms of getting all the information together and looking at the infrastructure from around the world um but these are the types of collaborations that we need and I think the one thing I'd like to flag from that example is collective defense right so this is something that we found we were able to start pulling the thread we talked to a technology vendor they were able to pull the thread they talked to another technology vendor they pulled the thread to figure out what's going on in the world they gave some information back to us we put that together they
wrote a good blog that informs the public they improved their software um so kind of dedication all around a lot of hard work to find a really Advanced threat but in the end even the infrastructure was shared for people to block we wrote a cyber flash on it in January shared it with our partners um so that's kind of the way it works uh in terms of trying to get the information from whatever we find into the hands of not just our direct Partners but also tech companies around the world to make sure that we're upping the the level of the products that are out there so one thing I'll talk anyone here heard of assembly
Line? Good, so some people have heard of it. This is basically something we started writing in an innovation workshop that we run at the Cyber Centre called Big Dig. It came out of Big Dig 1, and we're on Big Dig 14, so I'd say it was about 14 years ago that we wrote this for the first time. We had the problem on the Government of Canada of how to analyze files at scale. We had some really smart malware reverse engineers, but as you know they're few and far between and you can't really scale them that well. So how do we get all the smart things they do on a daily basis into an automated framework to process millions and millions of files? We do process almost 10 million files a day through this platform. This is something that we built up and then decided to open source, which was a big step for the Cyber Centre and CSE; we hadn't open sourced anything. We did this about four or five years ago and uptake has been amazing, right from around the world. We have amazing partners who are dedicating really good contributions. It runs in GCP, AWS and Azure as well. So I would say that if you're going to build something that processes files, don't do that; grab the open source and build off of it. As a community we can all build different plugins and extend the capabilities of this sort of product. It basically highlights and delineates everything according to the MITRE ATT&CK framework, so lots of things are built in already, and I have a couple of slides that I'll go into a bit more, but really the point today was that sharing these things is important, democratizing the things that we have, and that by working together we can give ourselves a leg up in terms of what we need to be able to do.

In terms of the other things that this does, I'll just skip ahead to maybe this slide: dynamic analysis as well, so a lot of open source components. The other thing is sharing of IOCs, which we do; we have a threat intelligence feed that shares a lot of those actionable IOCs, tens of thousands of them a year. But IOCs are ephemeral, if you look at DNS or IP addresses and those sorts of things, so getting into things like YARA rules is really important as well, those consistent signatures that allow you to find threats, or Suricata rules that we have in there as well. Very important to us; we're trying to plug how we get past your basic first-level IOCs and into the things that really catch the TTPs that the threat actors are using. And the last one I'll mention there is Sigma. We try to compile everything into Sigma. Sigma is a way of describing a behaviour, or a threat TTP basically, a threat technique that a threat actor uses, that can be absorbed into multiple different platforms. So it's a platform-agnostic way of describing a behaviour, and if we all did that we'd be able to share our knowledge a lot better. So these are the things we're trying to plug, and this is what we use in Assembly Line as well.

Maybe the other thing I'll plug on this is YARA. We were sharing, and this is really great, YARA rules, which are a way of finding malicious files on your operating systems or through file analysis. But what we found is that not all YARA rules are being written the same way, so we were having to reformat people's really good YARA rules before we could even use them. So we created a standard; we do have a standard on YARA that's in our GitHub as well, and the more people use that, the easier it is to share. So that's another thing I will plug in that space. And then the last thing is that there's dynamic analysis in there as well. So as you get your first level, let's say it's an email attachment or a piece of malware, they'll go out to the internet and pull down the second stage and the next stage; it just analyzes those. A bunch of unpackers and those sorts of deobfuscation modules are built in as well. So no shortage of capability, but it's an opportunity for us all to use the same platforms and then keep building so they get better.

The other thing that we did with Assembly Line is that not everyone has the capability to go and install it in their own cloud environment, which we understood, but if you become a partner of the Cyber Centre we host an instance as well. This helps us, but it also helps you. Even from my cell phone right now I could take a sample file, push it off into malware.gc, and it'll analyze it, break it down and give me the full results. It runs it through a bunch of different antivirus engines, a bunch of different YARA rules, a bunch of different modules; it'll unpack it, do a lot of analysis and give you all those results. So if you're a partner of ours you can just log into this portal, scan your files and get instant feedback, but we also get a sample of that file as well, so that's important for us, and it's also shared amongst the community. So if you're finding something malicious, then you have a good opportunity to help the whole ecosystem by sharing that information. Just an example of who we've shared it with so far: cities, provinces, territories and CI partners are using this actively, as well as the federal government, in terms of sharing those files, and the numbers are growing as I mentioned. And in terms of Assembly Line itself, some pretty big players around the world have adopted this platform, so some good tech development in that space. The last tool that I will talk
about here that we shared is one that is more of a problem for us but will become a problem for many of you as well, with different sources of information. The first thing I will say is that if you look at threat actor techniques like living off the land, or the compromise of edge devices, or the usage of anonymization networks, which is really what we're up against nowadays, those are much harder to find through your typical alert-based SIEMs and other sorts of systems that you might have in your networks. So you really need multiple different sources of information and telemetry brought together. Hopefully you have centralized logging; that's step one, but knowing what to actually log is really important as well to find any of these techniques. So we're putting a guide out saying: here's your guide to centralized logging, these are the logs that you should have as a minimum in all of your environments to be able to find the threats. And then if you're collecting logs from a bunch of different sources, we found that we don't necessarily need some of the technologies that are out there, so we built an open source platform called Howler that'll aggregate all your alerts. It brings them in really closely; you can tag them and label them in really useful ways. Really what we're building here is the foundation: yes, it's a centralized repo of alerts, but with all the necessary labels so that you could easily apply an LLM in the next couple of years and really start to cluster these things, so that these 17 alerts that came from very disparate sources are actually all related to the same incident, and your models will be able to cluster these for you. So once again open source. We've really been pushing this for about a week now and have had some really good industry traction already from folks like MSPs that have to aggregate logs from different areas; they're saying this is a great solution for us. So we'll see how it goes. I think I will skip this one, but once again these are maybe things we can bring back to BSides and have the actual developers come and talk to you, to hear the feedback that you would have.

Something that is probably really important to all of you right now: there's a lot of talk about AI. We've been doing ML for decades, really, in the Cyber Centre and in CSE. I think we put our first no-human-in-the-loop ML algorithm that blocked malicious DNS in back in 2018, so we've been doing this for a bit of time. But right now LLMs have really made a big difference. We've only incorporated our cyber defence data into an LLM environment since December of last year, and just in that, I guess, nine months now, we've seen ridiculous progress in terms of what is capable. So I'm going to share three examples of what we've been able to do, and I'm interested in hearing other examples of what people are doing with LLMs in the space. I didn't talk directly about AI, but certainly threat actors will be using it, and that's why it's so important that cyber defenders are taking full advantage of the amazing capabilities that are out there.

The first one: we looked at tools like Assembly Line, which is our malware analysis. Well, there are only so many reverse engineers who can go and analyze malware, and the results themselves are often fairly obtuse as well in terms of understanding exactly what all the different tools turn out for you. So what we have now is an assistant for Assembly Line that'll summarize, in English or French, basically your understanding of what the malware actually did: this malware will create a mutex, it puts these files on disk, it'll connect to this infrastructure. It summarizes it fairly quickly, but at the same time you can then ask it questions. So you don't have to dig into assembly language and figure out what it's doing; you can just say, does it do this, does it do that. It's a very different interface for the analyst, and it brings analysts up to a certain level right off the bat. We all talk about skills and bridging the gap in what people can do in terms of analysis; this is where we see LLMs playing a big role in how we get all your analysts up to a certain level where they can really interrogate the data that you have.

Another one that we have is basically our analytic platform that we've been running. Is anyone familiar with Jupyter notebooks and Python? Yeah, so it's a very powerful tool for analyzing data, more of a data scientist type of interface, but something that we have standardized on de facto for our environment. But having to query that is once again quite a barrier to entry for any of your analysts, so how do you get that done and accessible to everyone? Well, we applied AI, and that way you don't have to write Python to query your data anymore; you can just ask questions in natural language. We're getting there, but the results once again are pretty amazing, just being able to ask a question, and the SQL queries or the Python queries in the back are all abstracted away; you don't have to deal with them as an analyst. So it gets everyone to a certain level.

And the last one seems kind of obvious, but it's really interesting for us. I kind of opened by talking about all the advice and guidance that we have on the website. I actually use Google to find stuff on our own website just to figure out where the documents are. But really what we did is we said, well, how do you actually understand and synthesize all of the advice and guidance we have, so you can just ask it simple questions? So we baked all of our advice and guidance into our model and created what we called "cyber GPT" in this case, just for fun. But really you can just ask questions now of all your advice and guidance and say, how would I implement zero trust in this type of environment, and it'll explain it back to you from the advice and guidance that we have. Or you can say, explain multi-factor authentication to a five-year-old child, and it'll change the output to the right wording for how you'd want to explain it. So real opportunities here; like I said, it's just really a matter of seven or eight months, but some really amazing steps forward in what we're able to do in this space.

There are a bunch of challenges, but maybe just two of the ones that I would say are really important. One is how quickly things are changing; what's changed even since December is crazy in terms of what's available out there. You can't even keep up with all the developments and all the releases, so you almost need a whole team of people understanding what's coming out, and then you have to take advantage of it. So that's something to keep in mind as you go down this journey. And then challenges in testing as well: if you test software, you usually know if something works or doesn't. With AI you get an answer; you just don't know the veracity of that answer and whether you can trust it or not. So it's a very different way of making sure that this is open for public consumption at this point or not; you have to change your test
methodology. Shifting to a disruptive technology: quantum technology is becoming more and more real. You have the first set of quantum computers out there, but what is really the threat and what are we worried about? In crypto we talk about a cryptographically relevant quantum computer, a CRQC; that's a computer that's sufficiently powerful to break the current cryptographic algorithms that we have in play today. Crypto is based on hard math problems: you create some math problem and say this problem is so hard it's going to take 50 years for many computers to try to break it, so who cares if people break it in 50 years? That was kind of the math that went into the cryptographic algorithms, particularly for key exchange, which is really what's worrying here. Quantum computers can run very different sorts of algorithms, for example Shor's algorithm, which can break those types of hard math problems very quickly. So things like key exchange algorithms, which are super important, can be broken very quickly should you have a cryptographically relevant quantum computer, which raises the risk of "collect now and break later". If you were to store a bunch of data that's encrypted right now, and you're able to get a quantum computer 5 or 10 years from now, you'd be able to open it up because you'd have a sufficiently powerful computer. That's really the risk that you're looking at. So if you're looking at your own organization, you would say, well, what data do I really care about if someone were to open it up once they got a quantum computer? That's the data that you should probably be most interested in at this point.

What you'd want to do as an organization now: new algorithms are out; NIST has approved them, and we've worked with NIST and other countries in vetting the math behind these algorithms. But really what they have to do now is make it into the supply chain. First you get the approval of the algorithms, then you get the standardization of the products, so those VPN concentrators and the other types of products, every product that uses encryption, will have to churn its algorithms. So the challenge for all of you is really: what encryption is being used on my networks, which ones might be vulnerable to quantum, so the asymmetric key exchange algorithms, and then how should I prioritize my turnover of equipment over the next few years as quantum-resistant algorithms get baked into products. They're not there yet; they have to go through a standardization process, but in the next couple of years you're going to see new appliances and new software packages that are quantum resistant, and you're going to have to life-cycle the equipment that you have to make sure that you're actually quantum resistant moving forward. So it's really a plan-now sort of effort, and the way to do it is to understand the cryptographic inventory on your networks. People struggle just having an asset inventory of their networks, so going to that next level of understanding your cryptographic inventory is really where we need to get to, so you can understand what's really at risk and what's not. But really, plan now and figure out how to build that cryptographic inventory; there are tools coming out that can help with that as well. I think I talked a bit about that process in terms of how to transition across quantum. The product validation: we play a role in that in the Cryptographic Module Validation Program. And the last thing I'll say about that is yes, it's important to have the right algorithms, but implementation can be vulnerable as well. That's why it's so important to wait for the standardization of the actual cryptographic modules in the products and to look for that brand.

Just shifting into what the Cyber Centre does in a year. This is probably something that none of you maybe understand or know,
and I'd love to share that. Defending the government: we have those almost a million sensors that are there; we defend on a daily basis. We also have autonomous defence, so as we find things that are actually malicious, we have algorithms that run and we block it. We block pretty aggressively: up to 6.6 billion things blocked on the Government of Canada on a daily basis, and then different layers of other blocks that happen. So it's really important to just block the threats; wherever it is in the kill chain is really what we target with the different analytics that are running.

One thing that I'd like to plug as well, as a nation: has anyone heard of Canadian Shield? So we've got a few. This is protective DNS for Canada, for free. We had partnered with CIRA at that time, the Canadian Internet Registration Authority, and they had a DNS firewall, but they said, because we're not-for-profit, we're willing to give this out to Canadians for free just to help; this is a philanthropic effort. So we said, hey, we're happy to share our threat intelligence feed with you for free as well if it'll benefit all Canadians. So I just wanted to plug this. I have it on my phone. The Cyber Centre is the one set of information; they get threat intelligence feeds from Akamai as well, not just the Cyber Centre. But if you put that on your phone, or on your home router as well, you have three options. The first option is really just sovereign DNS, so your DNS isn't leaving the country, which is pretty important; at least you know that you have some privacy there in terms of who's looking at your web traffic. The second one is security, so that's where those threat feeds come in, and it'll block anything in those threat feeds, so right away you have that first layer of protection, and it's free, free for your household. I put it on my home router as well. We're the only country that I know of that actually has free protective DNS for the country, if you want it, so it would be a pretty good thing to have. And the third one is a family-friendly setting, which filters inappropriate content; that has nothing to do with the Cyber Centre, that's CIRA's solution in that space. But those are the options that you have, and I would recommend it in terms of personal protection and household protection as well. The numbers there: almost 300,000 users with 500 million blocks in the last year in terms of things that it's blocked. So making some progress, but would love to see that in the...

Getting to ransomware: one of the things that we've done is, we get calls from organizations that have been ransomwared, gigantic organizations, smaller organizations, and it's incredibly distressing to see the situations that these organizations are in when they've lost communications or they've lost their data and they're not sure what to do. This is a big problem, and if you haven't lived it, then it's certainly something you don't want to live, to be quite honest, and we've lived it many times over with many different organizations in Canada. So what we tried to do in this space as well is, it's great to help people recover, but that's really not the space we want to be in; we want to be in prevention. So we put out a ransomware playbook and lots of advice and guidance, but that really relies on everyone doing the right things and the basics, which is super important. What we've also started doing is using analytics to figure out what we know about the ransomware actors that are out there, and how do we know when they got the first stage of malware into a network, because it's a series of stages to get to the point where they can actually encrypt your data and extort the organization. So we've been able to get into that stage one and understand the early stages of ransomware, not just in Canada but with other partners as well. For last year we had over 250 pre-ransomware notifications: organizations where we knew the first stage of ransomware was in the organization, we knew what computer it was on, and we were able to tell them. They were able to get back to us and say, yeah, we've removed the computer. It doesn't always happen that they get back to us, but we try our best. This is really important to us, because if we can prevent even one ransomware, it's a big deal when you look at the price tag for an organization, but getting to 250 for a year was a really big outcome for us. And what I didn't say here is that there's another set of hundreds that we've sent to other countries as well, I think 250 to the US, in terms of organizations that would also have an impact on Canada. So pretty important work that we're doing, and hopefully that continues, but certainly we're investing more in shifting left and getting the pre-ransomware notifications out there.

Sharing with our partners is something that I want to talk about as well. Really, when you get into things
like securing AI or just sharing thread information what you will see from us as well is a lot of joint Publications so really important for us to put out common and consistent advice and guidance so you're not getting seven different documents from seven different countries you know why spam everyone with all this information so you'll see a lot of co- sealed documentations like Vol typhoon was one um securing AI was another we just Tred to get consistent advice and guidance or consistent thread information out and you'll see like one document written by you know one five eyes partner or even broader than that with other countries included but a bunch of different seals from all the
different countries that are there that have all endorsed the product and have maybe contributed some kind of evidence to that product as well so um something to look out for and we've done that 14 times in the past year I mentioned earlier 2,200 almost incidents is what we deal with in a year it's so it's a that seems to be the number almost 2,000 CI partners that we work with so a lot of traffic a lot of friends in Canada and growing so so super important to us but then like what happens if you've actually engaged with us well then almost on a weekly basis we're sending out cyber flashes things that we're seeing that partners are
shared with us we anonymize the information in there but we say hey this is what happened to in Canada or to some of our partners and we try to get that into your hands typically at a you know a TLP Amber or some type of restricted set of information depending on how we got the information if it's public then we'll share it publicly to make sure the broadest audience actually gets the information um and then we have no shortage of threat assessments and uh and guides Publications as well which are very important talk a little bit Innovation I don't know how we're doing on time so I'll be interested in knowing that because I'd love to hear hear some was
it 30 minutes okay good so then I'll make sure I'll leave at least 15 20 minutes for questions um Innovation is really important this event is really important in terms of getting people together and talking about Innovation uh big dig is one that we started on the classified side uh as I mentioned we're on Big Dig 14 so 14 years ago we started doing this in terms of cyber defense um bringing in five eyes Partners at that time there wasn't a huge community of cyber Defenders 14 years ago so we had to bring in the the experts that we could find work together on really difficult problems and then the the outcomes that we had from those
types of workshops were amazing getting people dedicated to just doing you know Innovation analytic effort on real data over two weeks the the productivity is still you know out outs surpassing anything else that we have from deliberate other planning efforts as well um geek week is the one that I I really wanted to plug for all of you it kind of started a bit later than big dig but we realized hey collaborating with other governments was really fantastic but collaborating with industry was really really important as well so we started geek week in 2014 and have you know been running it every year since which is amazing it's grown we capit at about 300 participants because that's
all we can really host in the Cyber Center, but the demand is far beyond that. And once again it's an innovation hands-on workshop where we pick really key themes. They're not all proposed by us; people write abstracts in. We have the big cloud service providers, we have a lot of the security service providers, we have telcos from around the world, banks from around the world, and we really mix up the teams so people get to work together. The outcome here is that everything that's actually produced in this event is shared with the community, so we're trying to democratize everyone's knowledge and make sure we're bringing everyone up to a certain level. And we've certainly benefited from all the skill and talent that come to these events as well. And you get a fancy t-shirt like the one I'm wearing; this is from the last Geek Week as well.

In terms of some of the outcomes of Geek Week: it created our national victim notification system that I mentioned earlier. This is basically taking in threat feeds and sending out notifications to Canadian organizations. We had DMARC tracking, which is really important; I think many organizations have implemented it, but if you want to stop phishing, DMARC is probably step one in terms of protecting your brand. Then we had honeypots, deception technology. This is one where we could actually emulate vulnerabilities; it was in a package, so hey, if you want to emulate certain vulnerabilities. It's super important for us to understand who's exploiting what vulnerability. A vulnerability that's released is really important, but once you know someone's exploiting it, we act very differently as a Cyber Center in terms of notifying people, because there's real damage to be done at that point. If you can emulate it and understand what's going on in the world, that's really important. So this is one that we built, and it's been taken on by some pretty huge companies in the world in terms of using it, so lots of uptake in the products. But these are things that we're inviting people to across Canada to help build the collective effort, and crowdsourcing is an amazing way of getting all the good ideas together.

Maybe I'll leave it there, but certainly there are some other elements, in terms of just the Internet of Things, getting into intelligence like self-driving vehicles and some of these other things as well. We have really good partners that bring cool new technologies that we wouldn't normally have access to, and you get to kick the tires on them and understand what the upcoming vulnerabilities are of some of these cutting-edge connected technologies. Very important for us to understand that. And then key to the Cyber Center as well
are partnerships. A long-standing partnership is with the security and intelligence community in the Five Eyes that dates back to World War II. Very close, and you certainly feel that working in it. I came from the private sector, telecom, moving into the S&I community, and it was amazing to see that kind of collaboration; it really surprised me. So that's step one: lots of benefits to Canada in that relationship, but Canada certainly provides a lot of really good information to that group as well, and a lot of good technology. When you get across sectors, it's got a pretty good ecosystem coming together. We have eak for energy; we have some representatives in the audience from eak here today, so really nice to see you here as well. That's just a year old, but this is an opportunity for experts from the same community to come together and share all the common threats that they're seeing, so everyone's kind of at the same level. It also gives us the opportunity, if we see a certain threat, to reach out to one organization and share it all at once, so everyone's at the same level and we're not missing anyone. seock is the same thing for telecom; it's been around for a long time, and they work closely with seag. sifter is a digital resilience one, so it's kind of a new forum that brings in a lot of different tech companies, if you are not playing in that space. CFRG is the financial resiliency group; not sure if people know that these exist in Canada, but it's broader than banks, it's our financial resiliency. And then we have Martin here, but basically the NP, getting all the provinces together, super important, great community, right? And certainly the provinces have been coming together, and great leadership shown by amazing folks that have really shown a lot of initiative in terms of getting that community together and building a really collaborative environment. So big progress made in the last couple of years there, certainly.

And then caar, just out of interest, is part of the IWWN, the International Watch and Warning Network, 16 to 18 countries, so sharing information with us on a daily basis. PaCSON, Indo-Pacific, we just joined that a couple of weeks ago; they had a big conference. That's getting another idea as to what threats are happening in a different part of the world. CSIRTAmericas, North and South America, we're part of that, so all those countries are part of one group where they share information on a daily basis. And then of course we're going to be looking to see how we can actually build kind of another cyber defense collective. You might have heard of the JCDC in the United States, the Joint Cyber Defense Collective; we've created the CCDC in Canada now. We also work very closely with the JCDC in the US to make sure we're aligned with CISA in the US in terms of information sharing. So we'll be building that out in terms of how do we actually make sure that we have mobilized the entire security and intelligence kind of providers, or the security service providers, in Canada and we're on the same page, so if you have something to share we can get it into the hands of those providers in a very easy way. And of course that would bring in a lot of the big tech providers as
well, that can have a really big influence on Canada in terms of being able to address threats.

So I talked about some of these already; I talked about Canadian Shield. The last one I will talk about in this was really phishing, just other collaborative projects we can do. 7726, has anyone heard of that? SMS. So really, if you get a smishing message you can forward that on to 7726; it'll go to the telcos, the telcos will strip any privacy-related information out and then share that with the Cyber Center. We run them all through a big analytic environment, determine maliciousness, strip out the malicious URLs. If they're impacting government we can take them off the internet so they're not impacting anyone. We also did that for health during COVID as well, because we didn't want people benefiting from health-related scams during the COVID pandemic, so we actually just took them down and off the internet; we had the permission to do so. But otherwise, government has taken off, otherwise we just take those malicious URLs, feed them back into our threat feed and share it back to all of our partners as well. So 7726 for smishing: send it off, the telcos are the first line of defense, and then they share it with us for collaborative takedowns and mitigation after them.

And then I will maybe just end with all the cyber security advice and guidance. So if you're looking for something, we align ourselves closely with the NIST guidance in the United States; we put out advice and guidance on pretty much any kind of upcoming effort that you would need to secure your system. So lots of information there, don't hesitate: cyber.gc.ca.

Is it to meet, can you please harmonize? So we've worked with CISA in the United States; they have their cyber performance goals, and we created our cyber resiliency goals as well that we'll be putting out. I don't want to get too far ahead of it, but it's coming out in about a month and a half, and that's really just harmonizing some of these goals for critical infrastructure with our US counterparts, knowing that critical infrastructure in North America really does run north-south, and we want to have consistent guidelines and guidance right across that border. So look for those to be coming out; I think they're a really good first step in terms of firming up our critical infrastructure. And please visit the website. And then if you're really just looking for advice and guidance on a personal level, for family members, these sorts of things, we have our public awareness campaign called Get Cyber Safe, with lots of good tools, toolkits, things you can use in your organization so you don't have to recreate them yourselves: how to look out for phishing, how to secure social media, how to secure your devices and accounts, things that you'll want to use around your house. They're already there, so please reuse them, and happy to hear feedback on all of those. But the real message here is reach out to us, we're here to help. We're building partnerships; we know that it's a collective effort right across Canada to make sure that we're actually upping our cyber security. Lots of different ways to get in touch there. Our GitHub is there as well if you're looking for any of that software that I've talked about, and from there we have different ways of reaching out to the actual software developers to guide you through installs or to answer any of those technical questions that you'll need to understand if you're actually looking to deploy any of these things. So I'm happy to share this information as well. So I'll leave it there, but thank you very much; really happy to see such a big group here and happy to answer any
questions. Thank you.

Thank you, Rajiv. A quick question from me, well, it might not be a quick question, we'll see: national threat blocking. So this is something that we brought up at the national level. Each of our organizations at this point in time, whenever we face a threat, whether it's a denial of service attack or a particular threat actor trying to penetrate our systems, we usually block the IP within our organization so the threat actor can't reach us anymore, but they'll usually move on to the next target, which very often happens to be another of the companies that are in this room. We had a conversation nationally about potentially doing what Australia is doing. So definitely a rigorous set of criteria to block an IP address or a threat actor, definitely a good governance process would have to be put in place, no doubts there, but is this something that the federal government would be considering at this point in time, the potential for national threat blocking?

Yeah, so really good question. I mean, why does everyone have to block the same IP when you can take care of it in one spot? The closest thing that I've seen the federal government doing is really the CRTC botnet consultation. So they put that out for consultation, and it was the ability for the CRTC to basically task the telcos to block exactly this, so we'd be blocking on the telco perimeter with a rigorous set of criteria. We have been involved in that consultation process, and I think that it's still in the works, so it hasn't gotten to the point where it's manifested in any kind of real program yet, but that is underway and in consultation with the CRTC. ISED is the telco regulator for information in Canada, probably being a good home to make that decision. CSE would certainly have technologies that could contribute to that, and there's many different ways of blocking, I would say, as well. So it's a really important discussion for us to have as we get into a much more hostile and contested world: how do we protect ourselves as a nation? And really it's collective defense, and there's many organizations that are involved in doing that, whether it's a cloud service provider or a telco. There's BGP sinkholing as another way of doing it, right, there's different sorts of techniques, but the only organization that I've seen that would have the power to maybe do that is the CRTC as part of ISED, and they have that first consultation out. So we'll see how that goes, see if it lands with an approval, and then I know that we were asked in that consultation what could you provide in terms of threat feeds and who would be the curator of what to block. That's one of the big questions there as well. Like you said, it needs a rigorous regime; we don't want to censor information in Canada, we want to make sure it's free and open, but obviously we don't want to expose Canadians to this; why does everyone have to block it themselves? So we'll see where it lands, but I think it's still a growing area. But a good question, so thank you.
I can hear you. No, I think we're recording as well. Okay, there we go. Hi, so there really seems to be no shortage of either open source or paid intelligence feeds for anyone to ingest who is interested in it, but the difficult part has been operationalizing that data. What would you recommend for something like that?

Yeah, so operationalizing threat intelligence is a big deal, right, and it's complex and not necessarily straightforward. We take in over 100 threat intelligence feeds, and that's not even including classified intel and these sorts of things. So it's not for the faint of heart, I would say that, and they're not all created equal either, right? You can't just take a feed in and start blocking on it; there could be a lot of false positives and you don't really know how to vet it. I would start small with some of these feeds, test them out, but you do need some kind of vetting. We did something a little fancier on our side: we used an analytic to figure out what would happen if we were to block something, going back two weeks of data to try to predict the business impact before we actually block it. So we have automated vetting; we run it past historical data and then we say hey, this is good to block, or no, this is going to be a false positive, and it gets kicked right out. Not everyone can just run an automated type of process like that, unfortunately, but you do need a CTI team, right? You need someone that actually curates this, that actually vets the veracity of the actual indicators: this feed is quite trustworthy, this is how we can use them. But it's work as well, so that's what it is. We scale through automation, that's what we had to do, but we also block for 100 departments, so we have the ability to build the automation. But that's really it: it takes
work.

What advice would you give to students who are aspiring to work for the CSE?

So, really good question. We are recruiting, as are most cyber security firms out there, so it's amazing to see students here. We have a couple of different career guides on our website. Where we hire a ton of people is our co-op program; co-op programs have been kind of our lifeblood in terms of getting people into the organization. We have a really low attrition rate, so our attrition rate is I think somewhere around 4%, with over 2% being retirement, so when people come in they tend to stay forever, almost. I've been here 18 years and I spent a decade in the private sector beforehand. But definitely getting in at the co-op level, but certainly apply; we're looking for all kinds of skills in terms of cyber security. It's not just a computer scientist anymore; there's a big range of folks that we're hiring. We have an amazing EDI effort as well, and it's becoming quite a diverse organization, so really that whole breadth. But certainly our website is the recruiting tool, and our co-op program has really paid dividends for us, so if you have a co-op term, apply to CSE. But otherwise, the website, and reach out to us; we're always happy to hear from you.

Hi Rajiv, myself Prashant from
Enbridge, and thank you for such a great presentation. I know CGA has some conversations with CCCS on that topic. Just curious: you talked about the defensive collective, JCDC is one mechanism like that. On the offensive capabilities, I mean I don't know how much you can share on that, but the takedown of botnets, the takedown of ransomware groups, something which sometimes the US government goes after to try to destabilize those networks or those sources. Anything on the Canadian side where there is that kind of capability being looked at?

So really good question. I didn't dive into it at the beginning, but under the CSE Act created in 2019 we have signals intelligence, we have foreign cyber operations, defensive cyber operations, and then technical authority for cyber security and information assurance. So signals intelligence, gathering intel for the country to fuel our operations; foreign cyber operations and defensive cyber operations in foreign space, not in Canada. Entirely what you're saying, we do do those. We don't talk about them; sometimes we give high-level numbers in terms of what we've done, but incredibly active, growing and funded by the Government of Canada. So we have some very skilled folk in that space, and that's the very nice thing about being at CSE: having all three of those mandates in one organization makes you incredibly agile in terms of what you can do. We can see something happen in Canada, get the signals intelligence for exactly why it happened and who it happened to and who might be doing it, and then have the foreign cyber operations capability to take action, without telling Canadians, unfortunately, right? So yes we have that capability, yes we do stuff, yes we work with our partners as well in those partner operations, but we're certainly not forthcoming with details in that space. But we do do it; Canada is working hard at that.

Hi there. You mentioned mis- and disinformation, and certainly there's been a lot of controversy around blocking that type of information. You
know, certainly in COVID there were some important voices that were silenced, and some information's come out since. How is it that we can, as cyber security professionals, ensure that there is still that ability for divergent voices to be heard while blocking the amplification, the use of tools, bots, etc., and blocking the information? It's like that whole "better to let a thousand people walk free than have one guilty person go to jail" kind of situation.

Yeah, I think you described it well, right? I mean, we're a cyber security organization, so we point out some of those techniques that are being used, some of the AI synthetic content generation where you can generate content so easily that it's believable. So that's the manifestation of the problem. We are a free and open democratic society and we want free flow of information, so we're not the regulator of information on the internet and we never want to be. We're cyber security, and that's what we'll tell people to do: we'll tell people about the threats, we'll tell people that foreign cyber threat actors are actually deliberately using these techniques to sow misinformation, and we can even give examples of some of these things that are happening. But there's a variety of answers there that are all fairly complex. I mean, we always start with education of people, knowing that you have to be a discerning consumer of information nowadays: don't believe what you're reading, go to multiple sources, what are the ways that you can actually produce that, and use your own judgment. That's probably the most liberal way of doing it; I mean, I'm not a regulator of information, but that's kind of what we say, right? You really have to do that second guess on most of the information you hear and be a very discerning consumer. At the same point in time we do want to share the things that you've said as well: this is what's happening, these are the technologies that are being used, there is synthetic voice, there's synthetic video, there's these social botnets amplifying false narratives. They are happening non-stop, and there are countries actually trying to do this on a regular basis; important to recognize. How you use that yourself while consuming information is something that occurs in the brain, and people have to put that lens on while looking at information, in the absence of other sorts of things like watermarking and validating provenance and these sorts of things that are going to take a bit longer, although there are efforts by companies in terms of doing that. So yeah, it's an evolving
landscape with no immediate solution.

Sorry, right over here. Was there time for a question for you? How can you leverage this federal organization here to change the attitude in, I would say, banks and insurance? So if you go to report fraud to your bank, they don't care; they'll just write it off to insurance, or your insurance will cover something. It seems like whenever you report an actual fraud case it's not dealt with. Can you have any leverage to enforce teeth on some of, like, legislation or a standard that way?

No. So I'll talk about what we can do and then I'll talk a little hypothetically about some other things. But from our point of view, in terms of enforcing standards, that's like banks or other critical infrastructure; that's in terms of protecting their infrastructure, and we're waiting for C-26 and other regulators for regulations to come out. Right now banks are pretty well regulated for cyber as well, so there's lots of kind of cyber security regulations in terms of protecting their own data. When it gets to fraud, I think you're almost speaking to incentives, right? So when something happens, what's the incentive to actually take action on something, or just to pay out a claim, or to let it happen? What we've seen in cyber security is kind of a mismatch in market incentives. I mean, even if you look at everything that's on there: if you put out a flawed software product, whose problem is it really when someone gets compromised? You don't see the liability; really the onus is on most operators to go and patch the product, right? So it seems like the costs are being incurred by not the real originator of the problem. It's an emerging market, so I don't think the market forces have really evolved to the point where they're regulating their own market, and you look at that in terms of liability, in terms of regulation and legislation, just in terms of return on investment. There's a lot of these things that have to work themselves out, and if they don't, then governments will be stepping in to do different things. Not our organization, we're not policy, we're cyber security. But even financial-type organizations have to figure out what is the real liability, where does it lie. And then some of what you said as well, the difficulty in terms of prosecution for some of this fraud, is that many of these cyber criminals are existing in areas that aren't actually open to easy law enforcement, right? They're outside the bounds of what can really be prosecuted, in kind of these safe havens, which we flagged as well. So yet another type of, how do you shift the incentives on this to make sure that they're forced out of the marketplace? That's a huge effort that I think is slowly happening. Insurance is a really important one. We've seen insurance companies have pretty significant loss ratios when they first started insuring for cyber security; then they lose money and they change what they do, so maybe that's where the market is kind of working, and you see some of the cyber insurance policies changing. But they're slowly evolving, so it's a whole evolving market where the incentives are still shaking out and not yet fully determined.

Okay, I have a question. So
the Cyber Center is mostly focused in Ottawa. Do you have any plan to move to some kind of setup with one as a headquarters and then provincial offices, like one in Alberta, BC? I don't know if you're doing it or not, maybe secretly, but is there any plan like that?

So, super important, right? I mean, one of the things that we wanted to do is become a national organization. We work very closely with the provinces and territories, we want to build this federation, but we also want to know people in each of the areas. We've been traveling a lot: I've been to Calgary quite a bit in the last year, I've been here in Edmonton and all over the country, and you saw Sammy traveling a lot, you've seen others traveling a fair bit. We have just recently, I will say, opened a pilot in Montreal, so our first kind of step to opening a different location for us. So we're kind of going through the logistics of how that's going to work, making sure we know how to do this as an organization, and then yes, we do have plans to go to the rest of Canada. And it would be amazing, right, because there's nothing like having someone in the community meeting all the people. Like, you look at the community that's been built here, fantastic; knowing each other is really important, and I totally appreciate your question, that it's important to have that presence, particularly when you've got a federal government sitting in Ottawa. Of course they're in Ottawa; how do they get to the rest of Canada? It's a big country, so it's important to us; we've taken step one and are looking to pursue that.

Hi, I have a question over here. Sorry, first I wanted to say thank you for the harmonization for compliance; you had kind of noted that having to deal with different compliance frameworks, it's pretty awesome that at least
there's someone who's taking this with a sense of sanity, given how many global requirements there are. But my question was more around the open source aspect of things. Full disclosure, I'm from Red Hat, so open source is my bread and butter. A lot of governments, industries, etc. look at open source still with a certain amount of risk; it's a little bit riskier to use than, say, proprietary software. I noticed, and I think it's super cool because I didn't know you did as much open source as you do, so I'm really excited to dig into some of this, but what is your view, or say the Canadian government's view, on open source in terms of usability, risk, etc.?

Well, I mean, you can make the argument multiple different ways. As you can see, we're fans of open source, right, and open source leaves itself open to scrutiny and whatever security you want to apply to it, so that's our argument for open source: it's transparent, whereas other vendors aren't, right? So you can say hey, it might not have the same software development team that others have testing, but at the same point in time, with some of the vulnerabilities we've seen from closed-source vendors, it makes you wonder what testing goes on there as well. So I would say that open source for us is totally legit and also provides this transparency and inspection that we think is important; it's one of the elements that we see in supply chain security. To that I would also say that the internet runs on open source software. We saw Heartbleed a long time ago, we've seen OpenSSL, all these sorts of things; all of these vendors leverage open source as the core of what they really run, and these are multi-billion dollar organizations. I don't know how much of that money from vendors really flows back into the testing and development and life cycle of the open source software that they rely on, so that's another one where those market incentives and the way the world works doesn't necessarily seem to make sense, in some way, in how software has grown up over the past four decades or so. But open source is the fabric of the internet, right, and the fabric of cloud environments if you look at what's in there, as you know well. So for us we think it's very important. Maybe there's an opportunity for us: you're looking at LLMs, you're looking at where we're getting into vulnerability discovery and automation. I think having the transparency of code and the ability to bang against it with analytic tools and vulnerability discovery processes is a good opportunity, and transparency is always appreciated there.

Hi there, can you tell us more
about the cyber incident reporting: when we might be obligated to report something, especially outside the government and critical infrastructure space, and what sort of assistance you provide?

So, amazing question, thank you very much. We want to hear from people because first of all it lets us help you, and second of all, we will anonymize the information, and what we can share, we'll always ask you first; we want to share with everyone else as well to make the whole community stronger, right? So very important to us. We're not a regulator ourselves, so that's another thing I want to flag; we're here to help you from a cyber security perspective. Where regulation comes in is, depending on what sector you're in, you might have regulatory obligations for that particular sector, for that regulator. But the overarching regulation that's coming in is Bill C-26, an act respecting cyber security, the Critical Cyber Systems Protection Act, and that's going to be a schedule with some named critical infrastructure operators, and they will be obligated to report to the Cyber Center. So as soon as that act comes through, or if it does, we will be interviewing people, so we'll have a couple of years in terms of assessing what we'd really want in that mandatory incident reporting, because we have seen mandatory incident reporting from a number of different elements from North America and others that have created different kinds of pressures on organizations to report something immediately, whereas we know that it takes a bit of time to actually understand what the magnitude of an incident is. So we want to be reasonable in what that is. But really, for that subset of organizations that are required to submit, there will be a mandatory incident report with some agreed-upon content, and that would be shared with the regulator as well for the four regulated sectors federally, which are telecom, finance, energy and transportation. Anything beyond that, if we were to work together, if we were mitigating an incident, wouldn't have to be shared with the regulator from us as a Cyber Center, because we're there to help, and if you share logs or something else, that's our property and that's what we'd work with. But other than that there's no regulatory obligation to report to the Center; it's voluntary, and that's why we want to show value. So we want to work with you, and those are some of the services that you asked about. So right off the bat, we'll ask you what the type of incident is. Our knowledge: you might say a ransomware strain, we might have seen that 10 times that week, you know what I mean, so we might know a lot about it, we might know what to look for, we might share some indicators back that we'd seen, that other people have shared: hey, have you looked for this, have you looked for this, others that had the same ransomware also found X, Y and Z on their networks, right? So we try to give you that information initially. If it really grows and you're in a bad situation, then we do have that opportunity of sending someone out there, like an incident responder; some organizations do need that structure because they haven't lived an incident, and the planning maybe was not as comprehensive as it might have been. So we'll send someone out to help them out, or sometimes they could just use the extra hands, because these are big challenges, and we can send someone out, or we can send an expert in forensics or something like that to augment the team. That's the next level. Also, in terms of some incidents, if they're more significant, we do have a log intake service that is a request from you, so we can actually stream logs into our processing framework. We do that not super often, but if it's significant enough we can do that. And then the very last edge of that is really sensor deployment, which is under federal ministerial authorization and a request from the organization, which we have done for critical infrastructure in terms of really serious incidents, but that's where we bring all of our tech and automated analytics, and really that's a significant effort and only happens very rarely. But other than that, going through the incident but also looking at remediation, right? So if we look at it, we look at root cause and we say, by the way, here's a good way of mitigating this in the future. So we try to go through the whole life cycle with you, and then maybe sign you up if we haven't signed you up already, and then typically that starts with kind of an assessment survey, finding the strengths and weaknesses and highlighting the best places to invest in to lock yourself down from a threat perspective. So we don't just respond to the incident, we try to help you prepare for the next one as well, and then you'll hopefully be on our list for cyber flashes and threat indicators and all those other things from there on.

Have you looked at engaging with the internet exchange in Canada, and what about the United States?

So you mean like the CIRA internet exchange points? Yeah, so we work with CIRA. There's 11 in Canada now; there used to only be a couple, so that's good, first of all, we got some diversity in there and some resiliency. CIRA was really kind of an initiator for all of that, so we do work with them and work with some of the telcos that are located there as well. So that's in terms of sharing threat intelligence and making sure that they're as secure as possible as well. Yeah, all right.