
Building Cyber Resilience in the Face of Cyber Attacks

BSides Edmonton · 2023 · 38:22 · 46 views · Published 2023-11
About this talk
Jason Proctor, Advisory Systems Engineer at Dell Technologies, presents the three pillars of cyber resilience: Information Security, Data Protection, and Cyber Recovery. Drawing on 20+ years of experience and real-world incidents, the talk addresses how organizations can detect threats early and recover rapidly from destructive cyber events, emphasizing that cyber resilience requires planning for the worst while hoping for the best.
BSides Edmonton, September 2023. Building Cyber Resilience in the Face of Cyber Attacks: Jason Proctor. September 25, 2023 at 2:30:00 p.m.

Presentation: https://docs.google.com/presentation/d/1HWRP9p5bTB2UCKJgmaECVFO8NmiqtPam/edit?usp=drive_link&ouid=110070254665343387328&rtpof=true&sd=true

Abstract: #CyberIsTheNewDisaster. With the increase in the quantity and sophistication of cyber events, it is more important than ever to ensure you are not only doing everything you can to find the problem before it becomes one but, should the worst happen, enable yourself to recover from the event in a timely manner. This session will focus on the three pillars of Cyber Resilience: Information Security, Data Protection and Cyber Recovery, and cover not only best practices but also lessons learned.

Speaker: Jason Proctor, Advisory Systems Engineer, Cyber Resilience. With over 20 years of experience leveraging his business, financial and technical acumen, Jason Proctor is a member of Dell Technologies’ Data Protection Solutions Global Technology Office as an Advisory Systems Engineer for Cyber Recovery and Compliance. Jason joined Dell in early 2020 from IBM, where he was a Solution Specialist inside the Global Technology Solutions (GTS) Resiliency Services organization. During his time there, he specialized in Resiliency Orchestration and Cyber Resilience and was part of the team that worked to develop a managed service offering for, and integration of, the Resiliency Orchestration software with the Dell Technologies Cyber Recovery solution. Jason has led conversations with and has advised hundreds of clients on data protection and cyber recovery across many verticals around the globe, and has presented at several major conferences such as Dell Technologies World, VMworld, IBM Think and others. Jason attended Holy Cross College (Notre Dame, IN) as well as Northwestern University, where his focus was Finance and Economics. He resides in Chicago, IL.
Transcript [en]

All right, so I'm going to just go right along with where Michelle was going. I mean, you couldn't have planned it any better, really, truly. But I'm going to start off with my Captain Obvious slide, maybe. All right, well, we're going manual here. Thank you, Captain Obvious. Cyber is the new disaster. By the way, hope is not a strategy. It's not a matter of if but a matter of when, and I know we talk about that all the time, but I will tell you that cyber attacks are not a technology problem. I'll be the first one to tell you that. We've got the technology. We've shown that we've got technology on top of technology on top of technology. The problem is it doesn't all function together. It ends up giving us a false sense of security, and that false sense of security leads to a larger attack surface.

Thank you, Ed Craft, who runs our enterprise data protection business in western Canada, for this little tidbit last night. This came out on the 24th. Everybody knows what's going on. Trust me, I'm from Chicago, we've got a lot going on there too, but everybody knows what's going on. The threat has been made, but the same threat was made when Canada supported Ukraine with tanks. We see where this is going. Cyber isn't just about the ransoms of the world, and it's not an easy thing to attack, no pun intended. If it was easy, we would have figured it out by now, and, well, I wouldn't be here. But understanding the threat starts the process of understanding how we resolve it.

So I use MITRE ATT&CK. This is all third party; there are no Dell commercials in here whatsoever. This is all third-party information. I start with MITRE ATT&CK. The bad actors start with reconnaissance and resource development. They build through, they gain that initial access, they execute, they persist, they escalate privileges, they evade defenses. That's a big one. When you look underneath the tactics under MITRE ATT&CK, there are 192 techniques and 401 sub-techniques just in the enterprise systems alone, and then you also have a mobile and an industrial control side of it as well. Once they get past the defenses, now we've got credential access, and here's the first assumption you need to make: if they have credentials, they own you. They're not going after the credentials that are going to steal somebody's cat photos, no offense to the cat photos. They own you at that point. They go through and discover.

When we talk cyber recovery, we talk about that destructive-level event. Whether or not they give you the ability to buy your way out of it doesn't really matter; that's just offering a ransom. The damage is done. But if they are going after that destructive-level event, the first thing that they're going to go look for is any means you have to be able to recover. They want to disrupt that. They're going to go after that directly or indirectly. The second thing they go after, indirectly, is AD, DNS, switch configs, load balancer settings, host and build tools; we can go through the list, the things that make the network work. Third thing, critical applications, but more importantly the data on those applications, because that's the valuable part that they're going after.

Somebody brought up MOVEit earlier. I think it was IBM; I was here for the last two sessions. IBM brought up MOVEit earlier. MOVEit had no destructive attack whatsoever. They got in, they got their data, and they got out, and that's what they were ransoming. They didn't take down anything. They said, hey, guess what, I got this. And now we've moved on from MOVEit. By the way, did anybody hear that and think, "I like to move it, move it"? Yeah, there's your earworm for the day. We've moved on from that; now we're talking about MGM and Caesars. By the way, everybody knows Caesars got hit too, right? Except they didn't do a destructive-level event. Caesars paid, MGM didn't, and I've been dealing with that on the side. It's a beautiful concept.

So they get in, they do that discovery, they move laterally, they collect, they establish command and control, they exfiltrate, and then boom, attack is launched. Impact is actually what MITRE calls it; I put "attack is launched." Average dwell time: 204 days. IBM brought up the Ponemon Cost of a Data Breach; that's from 2023, this year. Inside of that dwell time, that is information security and data protection together: find the problem before it becomes one, but ensure data survivability after the fact. By the way, these slides will be made available after the fact. It's cyber recovery, and the goal of cyber recovery is to take an event that could potentially last weeks or months and bring it down to a matter of days, if not better. Michelle did a great job of kind of talking about how that works, and I'll talk a little bit more about it here in a minute.

We have a lot of things that are out there right now that we can focus on. The biggest thing is, okay, great, by 2025 the industry is going to spend $1.75 trillion on cyber security. Bad actors are going to get $10.5 trillion. Little disparity there, you know; they're getting 10.5 for our 1.75 spent. We talked about the cost of a data breach. We talk about the fact that we need to translate cyber risk to operational costs. If you look at what's going on, obviously C-26 is a big one. I'm in the States; we all work together at some level or another. Hey, at least you guys have a full-blown privacy policy; we're still working with a patchwork. At the end of the day, though, what comes out of CISA is quickly adopted, or at least modified and adopted, by Canadian authorities in a lot of instances. Look at what the Securities and Exchange Commission just did: they've now assigned risk responsibility to the board of directors. What does the board of directors care about? That's it, they care about the money. They don't care how the sausage is made; they only care about how it tastes and if it's actually working. And then you've got the 70% of cyber crime that is caused by third-party attacks or human error. People are always going to be the weakest link in the chain.

But ultimately, when we look at it, what is cyber resilience? Here is the NIST definition. If you're going to pull anybody out, you might as well pull out NIST; it's the one everybody looks to. Anticipate, withstand, recover from, and adapt. Not quite five like the NIST Cybersecurity Framework, but it follows that same path: identify, protect, detect, respond, recover. And by the way, there is a sixth metric coming out, and I'll get to it here in a little bit: govern, in NIST Cybersecurity Framework 2.0, for which the draft is out and available for commentary. Just throwing that one out there. But ultimately, when it comes down to it, cyber resilience is an outcome, and I will make the argument all day long that it starts with operations. Like I said before, we've got technology. We can throw as much technology at it as we want, no problem. I got this problem? Great, throw that at it. I got this problem? Great, throw that at it. Problem is, it's made the environment itself very complex and very hard to manage. If we understand the goals of the business, the goals of the organization, we can then build the technology to those goals and objectives. It actually gives us a path. The shortest distance between two points is a straight line. If you don't have that map, you're doing this, you're going all over the place, and that's where we waste money.

Today's security paradigm is broken. Expanding threats and fragmented products not only magnify that complexity but also lead to false security. This is an integrated security and resiliency approach. Notice it starts at the top with unified risk management strategy, business controls, and unified policy management frameworks. We've got automation and orchestration; we've got visibility and analytics. So we have proactive security operations. The more we do here, the better it is to combat those threats later, because I can tell you, I speak to 250 to 300 customers a year, and their number one goal is: listen, I've got too many false positives coming in, I don't have time to deal with all this, I'm seeing stuff everywhere, I don't have time to deal with all this, so I'm just going to mute that button. What happens when you walk through a parking garage somewhere and there's a car alarm going off? You keep walking. Same basic concept. The noise has gotten so bad you just ignore it now. Well, what's the one that's going to get you? Because they only have to be right once. So putting in the proactive operations, filtering out the clutter, is a big step in the right direction. But then you've got to have a resilient architecture, devices, and infrastructure, and that points, to be honest with you, to zero trust.

Zero trust is not a marketing term. Please help me, I'm so tired of hearing the term: oh, zero trust this and zero trust that and zero trust this and zero trust that. Zero trust is actually a reference architecture. NIST has one. In our facilities we use the US Department of Defense zero trust architecture. But it's more than just that; we also have to have operational control. This is from a Canadian bank, in their 10-K, their public 10-K. It's published, but I'm still not going to tell you who the bank is. They're the sixth largest bank in North America; Google away. But you can see board of directors, corporate governance, risk, audit, human resources, chief executive officer, security executive team, senior executive team, all the way through, but behind it is internal audit, which covers everything. And by the way, they've identified their 10 biggest risk factors to the business: strategic, credit, market, operational, model, insurance, liquidity, capital adequacy, legal, regulatory compliance and conduct, although that could easily be four, and the last one there is reputational. We can assign a cyber attack to seven of 10 of those instantly. Liquidity: oh, I just got hit with a cyber attack, how am I going to get money, how am I going to give money? Things along those lines. This is the model we're seeing moving forward, and this lends itself to what the Securities and Exchange Commission in the US just came out with, which is now rules for publicly traded companies in the US, of which this bank is one; it is publicly traded in the US as well as Canada and other countries.

It's no longer all about speed and agility. I've got this problem, I'm going to throw this at it. I've got this problem, I'm going to throw this at it. Keep repeating that. It's now about information: how fast can I get it, how fast can I act on it, and can I do that faster than the bad actors that are trying to get to me? That's what we're dealing with now. The OODA loop was originally done when they built the F-14, since we were talking about jets earlier too. When they originally built the F-14, they basically looked at their adversaries across the landscape when it came to fighter jets, and they packed everything into that F-14 that they possibly could to overcome any objection that they would have up in the air. It's not quite the same, obviously; we're seeing it with the F-35, somebody made that comment earlier. It's not quite the same anymore.

Cyber security itself is a $200 billion industry with over 3,500 different companies, and some of them overlap. The fragmentation is the problem. We have so many choices, and, you know, Michelle did a great job of talking about, okay, our friends at Gartner did this and IDC did this, and all these definitions of things that we look at all the time. And then you've got your vendors coming in, and hey, we at Dell are guilty just as much as anybody else, saying hey, buy this widget and it'll do this, buy this widget and it will do this. We're changing that thinking. Consolidating security vendors is where it's important, for starters; this is where we start. More vendors equal more complexity. Today's threat landscape requires a new approach. You can no longer have silos within an organization. You've got your on-prem teams, you've got your cloud teams over here, you've got your SaaS teams over here, you've got your database teams over here, and everybody's kind of doing their own thing, and infosec isn't talking to anyone. We know that; that's usually what happens.

But we go a little bit further than that, and we talk about the budgets that are wasted due to an overabundance of tools. This was an article out of Forbes magazine last August, so it's just about a year old now. 53% of those surveyed feel that they've wasted more than half of their cyber security budget. What's the number one concern for everybody in the room? I don't have the money, I don't have budget, I don't have resources. What if we could right-size this model and get you money, budget, and resources using monies that have already been allocated? 43% say their number one challenge in threat detection and remediation is too many tools. I'm being told to go left, right, backwards, forwards, jump up and down 12 times on one foot while barking like a dog, or a big dog, if you can name the movie.

It starts with a zero trust reference architecture. This is the DoD's reference architecture. There are others out there; this is the one that Dell is basing our stuff on. Seven pillars across the user, the device, the application, the data, the network environment, automation and orchestration, and visibility and analytics. Seven pillars; underneath those seven pillars are 45 different controls, and I'm not going to go through all of them, but there are your 45 different capabilities underneath each one of those pillars. Correlating things together, taking actionable intelligence from different sources across the landscape, and being able to make intelligent decisions about the health of your environment: finding that problem before it becomes one, or giving yourself a higher probability to do so. Proactive takes away from the reactive, makes the reactive much easier to deal with.

Another one that all the vendors love to talk about: immutability. Hey, lock down your data, create a WORM. The other word I don't like is air gap, by the way. Create immutability, lock it down. Well, immutability does not necessarily mean it's invulnerable, and again it's one of those generic terms, but it's your responsibility to understand what everybody means. And in fact, Gartner even agrees with me on this one: immutability is used differently by different vendors. Devil's in the details. Just because somebody says something is immutable, does that meet a certain definition? I was on the phone earlier today with a health care organization out of California. We need to meet our insurance requirements. Okay, what are your insurance requirements? Well, they require immutability for starters. Okay, what's their definition of immutability? I don't know. Well, how am I supposed to meet it? Well, it's immutability, you know. Where's your line in the sand for what immutability is? Does my application sit on an ESXi host? Can the ESXi host actually be taken out? Is it on a Windows box, a Linux box? Where are the other vulnerabilities that play a role in all of this? How immutable truly is it? Those are the questions that need to be asked.

So we talked about information security; we talked about immutability from a data protection perspective. But I'm here to tell you good enough is not good enough. I will tell customers all the time: plan for the worst, hope for the best, and whatever you think the worst is, take it two steps further, because I'll tell you, I could probably take it four steps further based on the things that I know. I've seen it. They go in, they brick hardware. Well, how are you supposed to recover to hardware that's been bricked? Last time I checked, we had a little bit of a supply chain issue here over the last couple of years. How are you even supposed to get a new server? Better hope you've got something somewhere, because otherwise you're not coming back. The average recovery and containment period of a cyber event is 73 days. The goal of cyber recovery is time: bringing an event that could last weeks or months down to a matter of days, if not better. Data protection is great for data survivability. Information security is there to try to find the problem before it becomes one, but you've got to use that properly to give yourself the best chance. Ultimately, it takes an offline copy of data, because now it becomes data availability.

In fact, this is PricewaterhouseCoopers; they did an independent post-incident review. I would encourage everybody to read it when you get the slide deck; the link is on the bottom. There are links on everything that I do. "Offline backups, or backups that are verified as inaccessible to attackers with full control of production IT." Remember I said that they get credentials and they own your environment? There is the full control of production IT. Oh, I'm going to just VLAN my data protection off. Well, great; trust me, they've already reconfigured six other VLANs, they'll get you that one too. Oh, I'm going to put a firewall in front of it; life will be good. Well, guess what, they got past four other firewalls over here. They own the environment. Plan for the worst, hope for the best. All critical systems, data, and infrastructure, including core IT, the things that make the network work, the bare bones you need to put Humpty Dumpty back together again. Oh yeah, you also need your critical applications. What we call it, we call it minimum viable operations: what does it take to get back up and on your feet? And that decision is made by operations, and once operations makes that decision, you align the technology to the services that they need to have to establish minimum viable operations. And if the blast radius is bigger, guess what, you've done other things before to ensure you still have data availability. But the first thing you need to do is re-establish your connectivity.

And I've actually got an example of what we do from an IRR perspective, incident recovery and response. Stronger resilience, better outcomes. You could have basic data protection; great, I get hit, potentially months to come back. Okay, well, now I'm going to add immutability, but if they take out my core environment, I can't get to my data, let alone have an environment to recover it to. Now I've got to do some rebuilding before I can actually do this. Now we've gone down to weeks. What if we build that isolated environment with just some basics? Well, at least now I can start doing restores instead of rebuilds. Again, this is all about time; it's what it comes down to, and time is money. I can do some restores; I don't have to rebuild. But what if I've got minimum viable operations and I can stand things up in a sandbox environment, maybe even create a lifeboat? Because let's say hardware gets bricked, let's say the authorities come in, let's say your insurance company shows up, and by the way, they want to get all their forensics off of your production environment before you turn it back on again. Well, my corporate mandate is I need to be back up within 48 hours, within 24 hours, within 12 hours, within whatever. It's going to take them five days; I can't touch my environment. Plan for the worst, hope for the best. How far down that path do you need to go? And to be honest, it then becomes a cost-benefit analysis.

What does incident response truly look like? So again, I'm trying not to make this a Dell commercial, but leverage our resources. We have our own incident response and recovery team. We're responding to about 10 to 14 attacks every single week today; that's up from six a week a year ago. But we follow the same five-phase approach with 10 steps. Phase one, we've got to figure out what the heck is going on, and that is steps one through four. Phase two is step five, and that's threat hunting and analysis. We've got to figure out, okay, now we know what's going on, we've got to figure out what we're dealing with. Phase three, steps six, seven, and eight, now that's containment and eradication. Not only do you have to have a clean copy of data, but you've got to have a clean environment to recover it to. If you don't have both of those, you're going to reprop the event. Phase four, hey, guess what, we finally get to start recovering. We don't start actual recoveries until phase four, step nine of 10. And then we do all the cleanup; we document. This is root cause analysis time, things along those lines. Hopefully folks take the intelligence and they actually change their behaviors, because once they've been there once, trust me, they know they can come back if you don't take those corrective measures. Identify, protect, detect, respond, recover; I would add another one: repeat. It's kind of the way it goes down.

We did a study with a lot of our customers. This one was very interesting. What if I knew I was going to get hit with a ransomware event, a malware attack, a catastrophic malware attack where they offered me the ability to buy my way out of it (that's a ransomware attack), in 30 days? What are the 10 things that I would change today? It's an interesting list. Vulnerability assessments based on the Center for Internet Security top 18; gee, the resources are out there. Acquire contingency equipment for incident response, just in case I lose servers or I don't have access to my production environment for an extended period of time. Implement managed detection and response; I know it's one of those acronyms, MDR, but implement managed detection and response. Develop a detailed incident response plan. I got asked on a call earlier today, okay, well, now I need to know how fast can I recover. I said, I get to give my favorite answer: it depends. It's also my most frequent answer: it depends. Well, what does it depend on? Two things. How big is the blast radius, how bad was the damage of the attack? Number two, how well do you execute the incident response plan? By the way, the incident response plan is not a DR plan; it is a DR plan on steroids, because you're going to have 97 different groups of people doing 192 different things simultaneously, all with their hair on fire, and most of those people do not deal in technology. You're going to have risk and compliance, you're going to have legal, you're going to have the C-suite, you're going to have PR, you're going to have HR. You're going to have a lot of people involved that all need to be doing other things while you're working on the environment itself. That is the incident response plan.

There are several different resources that you can leverage. The first one that I bring up, and please use whatever you would like, but use something, the first one I bring up actually comes from our Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security in the US. Those are the folks that coordinate with Canadian, New Zealand, UK, Australia, you name it; they all talk. CPGs, Cross-Sector Cybersecurity Performance Goals. Now keep in mind, every one of these that you're going to look at, not 100% of this applies to you. That's where you make the determinations when you go through it at an operational level. That operational level includes risk and compliance, it includes legal; those are where those conversations happen. Not every single one of those applies to everybody. The one that I personally like, because it is more of a collaboration: you can see the CIS Controls v8 mappings, all the different things that they pull from over here on the right-hand side. Critical Security Controls: it's a road map, it's a guide, it's there to help so you don't have to take the blue pill and jump down the rabbit hole that I do on a daily basis.

By the way, you notice I don't talk about individual attacks. I will tell you it's kind of worthless to talk about individual attacks, because they're all different. I always say if Ford and GM, timely news, got hit simultaneously, you'd have two different outcomes, because their information security is different, their data protection is different, and their cyber recovery strategies are different. You would get two completely different outcomes, even if it was the same group with the same software. Two completely different outcomes. So just the fact that you know, okay, MGM, Caesars, we can talk about all of them. Obviously I'm well aware of things that have happened a little bit closer to home; I was involved in those conversations. I would think I was the second phone call from Linda, give or take: help. We can talk about these all day long, but what happened to them you might already have mitigated, or maybe not. Ultimately, CIS Controls, the Critical Security Controls, are a great reference point.

And then, as I said before, 2.0 is out; the draft is out. We are now, well, we're a little bit further along than summer '23; we just moved to fall a couple of days ago. But there is that additional piece in the framework, govern, and govern, especially for publicly traded companies, is going to hit board-level responsibility. We all saw what happened to the Uber CISO, and the CISO from our friends at SolarWinds just got his subpoena. We're going to see it again; they're going to hold people responsible moving forward. There are actual teeth in it.

So how do I get started? First step: take what you've got and reduce the risk. Don't add anything else; please don't add anything else. Take what you've got and reduce the risk first and foremost. Realign and consolidate security for better intelligence. On average, enterprises have 45 different security controls in place. You're getting information from 45 different places; how are you consolidating that to make intelligent decisions? It could just be as simple as that. Data protection best practices ensure data survivability; yes, that includes immutability, understand what the vendor means, but it also includes protecting where that data lives and what it lives on. Those are important. Building an initial vault: take your basics. You can put a sniffer out on the network; you've got the list of all your switches, your routers, all the things that you need to make a network work. Great, let's make sure those configs are getting backed up and they're getting isolated. That way you've got them just in case. And you already know what databases or ERPs or whatever else you might need to return back to operations; let's get that data into that vault as well. Let's make that data available, because recovery begins with availability. And I encourage everybody: get an incident response and recovery retainer. I don't care who it's from; there are a lot of them out there. But at the end of the day, those are the folks that bring order to chaos, because they deal with this all the time. They know what to do; they know how to direct people. Worst-case scenario, and this is direct from a relatively local attack: if you can't cut a PO, who's coming to help? They're not going to take an IOU on the back of a napkin. If you can't cut a PO, who's coming to help you? Well, if you've got somebody on retainer, at least you've got help. That's important. Next, develop the plan to restore operations. That starts with business impact analysis, operational-based, identifying that minimum viable operations, the dependencies that go along with it, building that runbook, as well as all the other details of what everybody else needs to be doing simultaneously. Plan, then test it, test it again, test what you just tested. Muscle memory makes it better. But let's say you get it down to five days, but the business needs it at one day. Well, now we can look at ways that we can automate, put clean rooms in, and orchestrate and move things along faster. But you can't speed up something you don't have, so you need the plan first.

Ultimately, at the end of the day, today is not the same. Michelle did a great job of putting that in the last session, if you were here for it. She really did; I was beyond impressed. The threat landscape is challenging and is evolving. Even before that, with our friends at IBM talking about AI, how it can be used for bad, how it can be used for good, the threat landscape is evolving and changing. The Known Exploited Vulnerabilities catalog that CISA, the Cybersecurity and Infrastructure Security Agency, maintains just went over a thousand records. By the way, they added over 750 records in two years; it started at 237, and they just went over a thousand. By the way, the thousandth vulnerability that needed to be corrected: you know those little Owl conferencing units? That was the vulnerability. Turns out they have a high deployment rate in the US federal government. Who knew? You'd have thought it would have been Microsoft or Cisco or Dell or somebody else. No, it was Owl. Tools, techniques, talent to secure while maintaining operations. That's the big part. You have to do this the right way. As I told somebody earlier today, take three steps back to take four steps forward is kind of where we're at today. We need to go back and take a look at ourselves, do a better job from the beginning. Plan the work, work the plan. Otherwise, if, when, something happens, it's not going to be pretty.

With that, questions? I think I've got five left. Yes, he was just getting ready to pull out the five on me. Anybody, questions, comments, concerns? How are the Oilers going to do this year? Go Hawks; sorry, I had to do it. Yeah, you guys have McDavid; I've got Bedard.

I noticed you didn't have cyber insurance on your slides. Where do you see that industry going, and is cyber going to be an insurable risk in the future?

Oh boy, there's the million-dollar question. So some of the biggest out there, Lloyd's, Zurich, they've already said they're going to start shutting that business down. There are only so many times you can reinsure something. Last time I checked, insurance companies are in the business of collecting premiums; they're not in the business of making payouts. So that's why you have exclusions, things along those lines; that's why you have, you know, I've got to meet 50,000 or 100,000 or 200,000. The problem with the insurance company and cyber insurance is they don't know what the heck they're talking about, and they will continue to use generic terms until they know better, and when they use generic terms, it opens them up for claims. There was one in the States, Mondelez, used to be the snack division of Kraft; this one hits home for me. They were hit by WannaCry. Zurich North America is their insurance company. They filed a $100 million claim against Zurich North America, and Zurich North America said nope, that was a nation-state attack, it's in your exclusions list, we considered it an act of war because it came from a nation state, that's excluded. They went to court, as everything does; they settled; nobody knows what they settled for. But this is the environment we're getting into. Cyber insurance is not going to make you whole. Take health care as an example: regulatory fines and penalties and civil lawsuits alone on personally identifiable information are going to cost you five to seven times more than the cost of the cyber incident itself. Trust me, insurance is not paying you back for that. That's outside of their purview, that's outside of their scope; they're not paying you back for that. That's the problem.

Good. Okay, other questions? I will be here; I will be at the VIP session later tonight, but I will be running around here. We don't have a booth to promote or anything else along those lines. Thank you very much; I do appreciate the time and the opportunity. Oh, we got one, we got one. Hey, sorry, sorry for that, folks. Go for it.

Last question. So I'm a defense specialist and intelligence on our team, so I think this presentation is perfect and very awesome. So I'm just going to go back a little bit more in the slides; there was a slide there about overabundance of tools and the number of, you know, complexity of vendors. So is there a healthy line where we can, like, play upon and, you know, stay there? Because I know when it comes to defense in depth, sometimes tool A won't be able to catch what tool B or tool C can. So just your professional opinion on this: is there a hard and fast rule?

No, there never is a hard and fast rule, and I went by that slide; I'll deal with that later. There is not a hard and fast rule, but what I would say is you look at the operational risk that the company is willing to absorb. That's the hard and fast rule. As long as you're maintaining that level of risk mitigation that they are willing to accept, that's your hard and fast rule. It could take 10 things; it could take 20 things. The other part of it is, make sure you are gathering that information together to make better-informed decisions. You can't keep taking the noise from everywhere and dealing with it. There are not the resources available; we know about the skills gap and everything else that goes along with it. So thank you. [Applause]