The three pillars are still valid today. Processes, people, and technology. You know, if you have weak processes, you have huge gaps. If you have unintegrated technology, you have huge gaps. If you don't have the right skill sets for your people, you have huge gaps.

Hi, this is your host Sophan Bhatia and welcome to another episode of TO4. Let's talk, and today we have with us once again Steve Winterfeld, Advisory CISO at Akamai, and I'm looking forward to another exciting discussion today. Steve, great to have you again on the show.

Yeah, I enjoy this. I'm glad to be here. Thank you for having me.

And today we are going to talk about a recent report from Databarracks that shows, you know, of course, cyber attacks leading to IT downtime, data loss. Last time you and I, didn't we talk a lot about ransomware, you know, the report that came from Akamai? So it's going to be like, when we look at security, there is not one, you know, it's very wide, the bandwidth is so wide, you know, how bad actors will exploit anything or something. It's a big topic. But before we go into the broader topic, let's look at this report. And, you know, when you saw the report, were you like, oh, this is happening? Or like, yes, we expected that kind of thing to happen.

When I was the CSO for Nordstrom Bank previously, I owned disaster recovery and business continuity. And really it is true. You know, you have hardware fails at 21%, you have cloud outages at 12%, natural disasters at 5%. And those are things that happen. And you lose your physical asset and then you need business continuity. You need operations to keep your business going while you restore that technology. And I think the difference here is resiliency talks about the fact that I have an active adversary, a thinking adversary trying to take me offline. And so, you know, they may do it with a denial of service, and there are multiple types of denial of service.
And that's a short period of time, a disruption. There's ransomware, which is a serious loss of access. We've seen, you know, and so I think, you know, 10, 15 years ago, there weren't a lot of cyber outages that truly could put a business at risk, that you may go out of business, but now it is. And so it really is not a surprise. We are seeing this driven to forces to take more actions.

Can you talk about what is, especially as I said earlier, it was not the case. Now cyber attacks can lead to downtime and data loss. What is the reason?

We have a couple of things. You know, the first is our environments are so complex. And so if you have data in a third party, if you're dependent on a third party, if you have data out in a cloud, it's transformation. And so, you know, when we see a growth rate in, let's say, something like API attacks, a huge growth rate change there, it's because we're moving to APIs. That transformation is there. We see things like abuse of legitimate users, harvesting customer data, shadow IT, rogue APIs and those classic attacks. And all of this is leading to hackers having a motivation to get revenue off of this. You know, they're stealing data through abuse. The classic attacks could be gaining access to exfil data, but really we're seeing more and more where we're actually having them completely take us offline. And that is where we get into this, you know, what I call this flash to bang. You know, when you get hit with ransomware or DDoS, if you see a flash of lightning and you count five seconds, that's one mile away. So a flash, 15 seconds, three miles away. You know, DDoS and ransomware, the flash to bang is zero. There's no getting ready. You're just suddenly not working.

And if you look at, you know, your own recent report of, you know, state of the internet report discussed, you know, kind of attacks, what are the industries?
Of course, every industry is susceptible, you know, or at risk, you know, it doesn't really matter, you know, if you are under attack, if your services are down, if there's data loss, you know, you are affected. But there are a lot of industries which are mission critical or very sensitive, financial can be one, healthcare can be one. So talk a bit about what kind of industries that you see are more susceptible or more prone to these kinds of attacks and also more vulnerable.

We put out multiple of these research reports, State of the Internet. We do some of them on topics like API or ransomware, we do others that are more industry-focused, commerce or financial services. And this one is around financial services. And so what is interesting is exactly what you said, when I need access to my wealth, when I wanna get access to my money, it could be critical, it could be life-changing. If I'm running a business and I can't pay my employees, again, huge. And so this is what is financial services. So it's banks, it's insurance, it's capital markets, it's trading, it's FinTech. So this broad category, what we looked at is we said, you know, first of all, talking to my CEO or talking to my leadership, they're asking me questions from the board like, where does our industry compare to other industries? And I can say, well, you know, the top most attacked are probably things like high tech and commerce and gaming. You know, what, and you know, we're always probably in that top three. In fact, you know, I would say last year and this year, phishing, we were number one, financial services were number one attacked. DDoS last year was number two, this year financial services was the most attacked. And last, we were third in APIs this year, you know, behind other groups in APIs. But then within financial services, the board's gonna ask, well, where does my business rate to the others? And there banking was the most hit.
So some of this is understanding, is our risk portfolio appropriate? How much should we invest? Because how heavily were we attacked?

When we look at some of these threats, do you see a pattern where they are limited to specific regions or they're like global? Because sometimes incentives are also different for bad actors.

Absolutely, and different business models. And so, you know, we often find by industry, by region, different changes. So, you know, if we looked at something like, what is driving, let's say, attacks, most API attacks, well, it would be within Europe or EMEA, it would be the UK. Within APJ or that area, it's Australia. And so, sometimes it's the country that's most attacked. Other times it is, you know, we said, phishing may not be the most attacked here, we're in a different region, it is the most attacked. One of the biggest changes we've seen over the last two or three years is this shift towards DDoS moving. So, the US used to be the most attacked for denial of service, and that's gone over to the EU. And we see a lot of that, we believe, driven by the war in Ukraine. We see some, you know, threat actors that are almost moving over to what I would call a privateer, to harken back to the days of sailing. You know, a pirate ship could be commissioned by a government to become a national asset and a privateer. We see criminal groups now with political motivation. So, again, business model and legislation, you know, all of this, we see legislation like DORA coming out. And that is a digital resiliency act coming out of the EU. And that's gonna be driving, you know, going back to that first topic we covered, legislation is now gonna be driving some of the activity around resiliency.

Going back to the point of, you know, these new kinds of attacks, one more technology that is very, very hot these days, which is Generative AI.
How do you see Generative AI is going to either enable, you know, bad actors, because it has so many capabilities, especially if you're talking about social engineering and all those things. What are your thoughts on Generative AI from the perspective of being used for attacks or being used for defense?

We have to remember Generative AI is simply one of the three disciplines within artificial intelligence, designed to tell you what the next most likely word is. And so, you know, it doesn't tell the truth. It doesn't lie. It generates a probability factor for a word. And so if you are running a security operation center and you wanna reach out and do some research in your private large language model of all your policies, I think it'll be great. I think it's very helpful. It's letting people be more responsive, to quickly gain knowledge there. I think eventually we'll be tying that into some of our automation. I think there's some real potential for the defenders to get better information faster. You know, we've been using machine learning for a long time. We're doing great things with that. I expect to see us continue to drill down there for private on the security side. On the threat side, I think it's gonna make one discipline much easier to make revenue on. And that's business email compromise. I think they can, you know, go out and use this to create a better social engineering engagement. We've seen a branch of this where they're actually reinforcing it with telephone calls and, you know, almost getting into that deep fake area where they're creating a much deeper, richer social engineering experiment.

What kind of new emerging threats are you seeing which are still, you know, at a very budding stage of surfacing, they have not, like, you know, taken over, where you're like, hey, these are the new generation of attacks that we are not prepared for and they are coming?

HTTP DDoS attacks just came out. We have server-side request forgery coming out.
We're seeing a lot more in moving back towards technical attacks. We're seeing more innovation there of hackers paying for zero days. And so we kind of have this constant shifting back and forth. I will tell you that I think, you know, that we have constant stressors on access to talent. We have constant stressors around federated legislation. You know, if you're a global company, and even if you're not, keeping up with all the changes in legislation, that's a constant challenge, how we're doing that. The bigger things I'm seeing is, you know, we're taking more and more effort to get deep visibility in complex environments. I have stuff in the cloud. I have stuff on-prem. I have stuff using a function as a service or serverless. I have, you know, third parties. How do you get visibility across all that? And how do you minimize dwell times? Kind of a long answer, but those are some of the stressors I see us dealing with next year.

And then we look at some of the stressors. Some can be technical, technological, but some can be purely people and cultural. We talked about that last time also, but I want to once again talk about it, that technology is the easy part. People, culture is the difficult part. How much do you see cultural changes are also responsible for this? We have been talking about DevSecOps for so long, the shift-left movement, but in reality, companies, they don't have resources or they don't have the mindset to actually do that.

The three pillars are still valid today. Processes, people and technology. You know, if you have weak processes, you have huge gaps. If you have unintegrated technology, you have huge gaps. If you don't have the right skill sets for your people, you have huge gaps. And one of the things that drives a lot of this is what you said is culture.
And I talk to a lot of my peers, you know, a big part of the culture now is how do you develop and maintain a culture with a hybrid workforce, a predominantly remote workforce, you know, people coming in a few days, such a distributed, you know, multinational workforce. I think culture is getting harder and harder for us to actually manage. And then that, within that culture, developing cyber evangelists, cyber champions, teaching that culture of risk that manages the risk appetite we want within our culture, those are phenomenal challenges. And I see us continue to work on those through a lot of collaborative ways. But yeah, those, I agree, are fundamental.

The interesting thing, the culture, and I may be wrong, you can correct me, is that sometimes the right technology, the right tools can bring the cultural changes that are needed within industries because, you know, they enable that, they empower that kind of, you know, communication, cooperation within organizations. If you look at Akamai, talk a bit about how do you folks not only offer tools to organizations to protect themselves, but also sometimes you feel like, hey, you know what, through these tools, through these processes, did you also bring the cultural change that is needed within those organizations?

We spend a lot of time, first of all, making sure that our tools are able to adapt to your risk appetite. So, you know, when we provide you capabilities, first of all, we've heard from our customers, you don't just want a tool, you want us to give you a tool and say, I will run the tool; second option is I want you to bring engineering hours to help me optimize the tool. Third option is I want you to manage the tool and for me to give you guidance and governance on how you manage the tool. But the next part is how much friction do you want between you and your customer?
So our tools are also designed to make sure, you know, if you want less risk, lower fraud, but a little bit more friction, you can set that within the parameters. If you want a higher customer experience, then I think those are the cultures that we want to be able to support. And then the last, conversations like this, putting out our blogs, putting out our State of the Internet reports, we want to tell you what we see your peers doing, what we see the threat doing, and engage you in a discussion of how do you think about risk? How are you going forward with this is where I would say most of our work is.

Before we end this up, the last thing I want to ask is, what advice do you have for other CISOs, to not only security teams, but in general developer teams, because we talk about the whole shift-left movement and developers, we are focusing a lot on developers again, so that they can at least ensure that they are well prepared for attacks?

For me, I think, you know, two things. One, on the developer side, we love to build. And when I build something, I'm very proud of it. And it's hard, but I need to pause and say, how will people abuse this, misuse this and break it? And so as a builder, I need you to design in, how am I going to audit this? How am I going to do access control? How am I going to do an investigation to find out how people are abusing this? Those are critical things, so don't be evil, but think evil on the developer side. And then with my peers, I continue to have discussions where it's more about minimizing dwell time. How do I have visibility? How can I interrupt their attack sequence before it's complete? And so you see more of a shifting towards lateral movement detection, looking for rogue APIs, being able to technically enforce that discipline that we need. So yeah, again, visibility really is the watchword and situational awareness is the goal.

I'm asking you though, hey, what kind of things should they do?
There may be a lot of things that they should not do. What are those? They're like, hey, these are nays, you should never do those things.

On the developer side, really, I think what you shouldn't do is why we have the OWASP Top 10. So if you look out, we have the OWASP Top 10 for web pages, the OWASP Top 10 for APIs. We now have the OWASP Top 10 for large language models. We have so many people making the same mistakes that we've published what the most common ones are. So when you want to know what you absolutely shouldn't do, I think OWASP is a fantastic opportunity to go look at it. On the CISO or the leadership side, I don't think you should allow complexity. I really think we need to move away from complexity. Fewer vendors, better standards, better integrations. As you move forward, figure out, not do I need a new tool, but can I re-optimize current tools? Can I use current vendors? How can I reduce complexity? That would be my advice on that side.

If you talk about organizations, whether they're big or small, if you look at developers, once again, whether they work at big companies or smaller companies, they do want to dip their toes in new technology. They don't want to be left behind. They do want to know where the world is heading and how prepared they are. At the same time, maintaining what is stable and not taking risks, how should they maintain the balance there?

We have betas for new products all the time. So we're in that same boat of we have some customers that want to be involved in a new product, want to be involved in shaping things. Others want to know when it's mature and ready for mainstream. I think part of that goes back to our earlier discussion about culture and risk. And so if you have a culture where you think innovation is going to give you an advantage, then great. If you have a culture or a business model where you just think it's cool, but it's not giving you an advantage, it's not really changing your risk portfolio.
That's when I would urge caution. But it's very true that I think this kind of goes back to culture and risk appetite.

Steve, thank you so much for taking time out today to talk about this, as we discussed an interesting topic. And I would love to have you back on the show. I feel that we should start a regular monthly show to talk about cybersecurity. But I really, really appreciate your insights and thoughts.

Thank you. I always enjoy this conversation, and thanks everybody for listening. Have a great day.