Dave Vellante: Welcome to Commvault Connections. My name is Dave Vellante, and we're going to dig into the changing security landscape and look specifically at ransomware and what steps organizations can take to better protect their data, their applications and their people. So you know, cyber threats continue to escalate. In the past 19 months, we've seen a major shift in CISO strategies, tactics and actions as a direct result of the trend toward remote work, greater use of the cloud and the increased sophistication of cyber criminals. In particular, we've seen a much more capable, well-funded and motivated adversary than we've ever seen before. Stealthy techniques, like living off the land, island hopping through the digital supply chain, self-forming malware and escalations in ransomware attacks necessitate vigilant responses. And we're super pleased today to be joined by Dave Martin, who's the global chief security officer at ADP. Dave, welcome, good to see you.

Dave Martin: Thanks for having me today.

Dave Vellante: Yeah, it's our pleasure. Okay, let's get right into it. This is a great topic. I mean, ADP, we're talking about people's money. I mean, it doesn't get more personal and sensitive than that; maybe healthcare, but money's right there in the priority list. But maybe you could start by telling us a bit about your role at the company, how you fit into the organization with your colleagues like the CIO, the CDO. Maybe describe that a bit, if you would.

Dave Martin: Yeah, absolutely. So we're somewhat unusual in structure, and one of the ways is I have a very converged organization. So my responsibility extends from the physical protection of buildings, our associates, travel safety, through fraud that we see attempted in our products, all the way through to a more traditional chief security officer role in the cyber space. And the other thing that's a little bit unusual is, rather than reporting into a technology organization, I actually report into our chief administrative officer. So my peers in that organization are legal, compliance. So it's a great position to be in the organization. And I've had various different reporting lines during my career, and there's always a lot of debate with my peers about where's the best place to report. And I think I always come back to: it's not really where you report, it's about those relationships that you mentioned. So how do you actually collaborate and work with the chief data officer, the CIO, the head of product, the product organization, and how do you use that to create this very dynamic [unclear] to defend against the threats we face today?

Dave Vellante: Yeah. So let's just clarify for the audience. So when you talk about that converged structure, oftentimes, if I understand what your point is, the network team might be responsible for some of the physical security or the network security; that's all under sort of one roof in your organization. Is that correct?

Dave Martin: So a lot of the controls and operations, something like firewalls, is out in the CIO organization, but the core responsibility and accountability, whether it's protecting the buildings, the data centers, the data in our applications, the back office of all the services that we use to deliver value to our clients, and the same things that everyone has, the ERP environments, all of that, protecting those environments rolls up to me from an accountability and governance perspective.

Dave Vellante: Got it. So I mean, as I was saying up front, the acceleration, we all talk about that acceleration, that compression, the forced march to digital, and that SolarWinds hack, it was like a Stuxnet moment to me, because it signaled almost this new level of escalation by cyber criminals, and that had to send a shock wave through your community. I wonder if you could talk about it at a high level: how did that impact the way that CISOs think about cyber attacks, or did it?

Dave Martin: Well, I think we're very used to watching the outside world. Adversaries don't stand still, our businesses don't stand still, so we're constantly having to evolve. So it's just another call to action: how do we think about what we just saw, and then how do we realign the controls that we have, and then how do we think about our program going forward, what do we need to address?

Dave Vellante: Yeah. So we've seen, when we talk to other CISOs, your colleagues, they tell us we've made a big sort of budget allocation toward endpoint security, cloud, identity access management, and obviously a focus on a flatter network, and of course ransomware. How have you shifted priorities as a result of the last, the pandemic, 19 months?

Dave Martin: Yeah, definitely seeing that shift in the necessity of working from home and thinking about what tools we need to get to our associates to really make them successful, and then also keep the integrity of our data and the availability of our services in that new model. And so we've made that shift in technology and controls, reinforced a lot of things that we already had. One thing, thinking about that supply chain change that we saw out of SolarWinds: thinking about ransomware defense prior to that was very much around aligning the defenses within the perimeter of the network, within the cloud environments. And now we're really thinking about, where do I go outside that environment? Where do I exchange files from? What connectivity do I have with partners and suppliers? What services do they provide to support us as an enterprise? And what's gonna happen if they're not there, at a minimum, but then what happens if they have some kind of attack that can actually drive some of this malware and spread it into the network, or via some of those file transfers? Make sure we really shore up the controls in that area, but the response is a key part of that. How am I gonna react when I hear from even a client? We're a very customer-service-focused company; we want to do whatever we can to help, and the instinct of one of our frontline associates is, hey, send me that Excel file, I'll take care of it. So now, yeah, we still wanna help that client through, but we wanna think through a little bit more before we start sharing an Office file back and forth between two environments, one of which we know to be vulnerable.

Dave Vellante: Right, that's interesting, what you're saying about the change in focus from just the perimeter to the threats within, without, et cetera. Because you don't even need a high school degree or diploma to be a ransomware attacker these days. You could go on the dark web, and if you're a bad person you can hire ransomware as a service. If you have access to a server or credentials, you can do bad things, and hopefully you'll end up in handcuffs, but that's a legitimate threat today which is relatively new, and the way in which people are escalating, whether it's crypto ransoms, et cetera, really does necessitate new thinking around ransomware. So I wonder if you could talk a little bit more about the layered approach that you might take, the air gapping. I'd be interested to understand where Commvault fits into the portfolio, if you will.

Dave Martin: Sure, and really it's thinking about this in depth. You're not going to be able to protect or recover everything, so really understand first of all what is most important to be able to maintain service, what data do you need to protect and have available. Armed with that, now you can go through the rest of the cybersecurity framework and make sure you're doing the best for prevention, for detection and response in that area. And then it gets really interesting when we get to the recovery phase, both from a Commvault perspective and in many attacks, where we really want to focus on prevention, but ultimately we're likely to see a scenario, even in some small part of our environment, where some kind of attack is effective, and now we're back at that recovery step. And we don't want that to be the first time we're testing those backups; we don't want it to be the first time that we figure out that those backups have been on the network the whole time and they can't be used for recovery. So partnering with everyone in the environment, it takes a village to defend against this kind of threat: getting everyone engaged, the experts in each of these fields, to make sure that they understand this threat and how real it is, and what their role is going to be in setting up that protection and defense. And then, come that dark day that we all hope will never happen, when do you need them? What do you need them to be doing so that you can get back to a restoration and effective operation point as soon as possible?

Dave Vellante: Yeah, hope for the best, plan for the worst. So a big part of that is education, and of course the backup corpus is an obvious target, because everything's in there. But before we get into sort of the best practice around that, I wanted to ask you about your response, because one of the things that we've seen is that responses increasingly have to be stealthy, so that you don't necessarily alert the attackers that you know that they're inside. Is that sort of a new trend, and how do you approach that?

Dave Martin: Yeah, I mean, it's always a balance, depending on the type of data and the type of attack, as to how you can [unclear], and obviously you have to be able to protect the environment, protect the integrity of the data, and then also balance against tipping off the attacker, which can potentially make things worse. So it's always a conversation, depending on the different threat type, that you're going to have to go through, and it really helps to have some of those conversations up front, to have tabletops, not just at a technical level, and make sure you're walking through the steps of response to make it as seamless and quick and effective as possible, but also having that conversation with the leadership team and even the board around the kind of decisions they're going to have to make, and making sure that, wherever possible, you use scenarios to figure out what are some of those actions that are likely to be taken. And also empower some teams; it's really important to be able to act autonomously and quickly. You don't want to be at 2 a.m. looking for the CEO or the executive team to get them out there to make a decision. Some of these decisions need to be made very quickly and very effectively, and you can only do that with empowerment up front and sometimes even automated processes to do them.

Dave Vellante: Dave, describe what you mean by tabletops. I presume you're talking about a top-down view versus sort of being in the weeds, but add some color to that, please.

Dave Martin: Yeah, definitely. It literally is getting everyone around the table, and at ADP, at least once per year, we actually get the full executive team together and challenge them with a scenario, making sure that they're working through the problem, that they know what each of their roles are at the table. And I'm lucky to have a fantastic leadership team; we're actually very practiced. We've done this often enough now that they really pull apart really hard problems and think about what decision they're going to need to make, so come that dark day, if it ever does, they're not challenged by something they've never thought about; they understand the technical background, why they're being asked to make the decision, and the limitations of the response they're making.

Dave Vellante: So a lot of people and process goes into this, always the case, but let's talk a little bit about the tech. I mentioned the backup corpus is an obvious target before. What are some of the best tech practices in terms of protecting, whether it's that backup corpus, other data, air gaps? Maybe you could give us some guidance on that front.

Dave Martin: Sure. We're not going to be able to protect everything, so focus on those favorite children is the best advice up front: think about the critical components that enable you to bring things up. It's easy to go focus on that critical data and that most important app that everyone in the company understands, but all of that cannot even start if you don't have the foundation: the network's not up and running, the authentication is not up and running. So it's good to go focus on some of those elements and practice, in that technical tabletop setting, how do you go through recovering an Active Directory forest back to a known trusted state, because that's one of the foundations you're going to need to build anything else back up. On the backup side, make sure that you don't use the same credentials that your backup administrators use every day; make sure only the smallest number of people have access to be able to control the backups. If at all possible, and in Commvault and many backup solutions now, make sure they're using a second factor of authentication to be able to get into those systems, and also make sure that some of the backups that you have are offline, air-gapped, can't be touched. And then also think about the duration. You talk about the attackers being very smart, in that they know how enterprises prepare and respond, so think about how long you're retaining and where you're retaining some of the backups, not just incrementals, to be able to fully restore a system basically from them.

Dave Vellante: And you're using Commvault software to manage some of this capability, is that right? I'm sure you have a bevy of tooling.

Dave Martin: Yeah, we have a wide range of tooling, but yeah, there's certainly a Commvault one.

Dave Vellante: And somebody said, a consultant said to me the other day, you know Dave, I'm thinking about advising my clients that their air-gap process should be air-gapped; in other words, they should have a sort of a separate, remote, removed-from-the-mainstream process just for extra protection. And I was like, okay, that's kind of interesting, but at the same time, then do they have the knowledge to get back to a low RPO state? What do you think about that approach?

Dave Martin: So the challenge of any kind of recovery and control design is making sure that you're not making things overly complex and introducing other issues, and also other exposures, if you're moving out of your normal control environment where you have a 24 by 7, 365 set of monitoring. The more creative you get, you perhaps are in danger of having control erosion and visibility lagging in that other state. But it is really important to think about, even at the communication level, that in this kind of attack you may not be able to rely on email, Teams, or the common services you have. So how are you actually going to communicate with this village it's going to take to recover, to be able to work through the process? So that's definitely an area where I would advocate for having offline capabilities, to be able to have people react, gather, respond, plan and control the recovery, even though the main enterprise may not be currently functioning.

Dave Vellante: I wonder if I could pick your brain on another topic, which is zero trust. Prior to the pandemic, a lot of times people would roll their eyes, like it's a buzzword, but it's kind of become a mandate, and people are now talking about eliminating credentials, talking about converging identity access management and governance and privileged access management. I mean, what are some of the sea changes you see around so-called zero trust?

Dave Martin: Yeah, I think zero trust has become that call-to-action buzzword, but these concepts that are embodied in a zero trust journey are ones that have been around forever, like least privilege. And it's how we think about it; you can't go buy a product and say I've just implemented zero trust. How do you think strategically about where you take your starting point, and then go on this journey to increase the various tools that start to limit and improve the segmentation, not only from a network standpoint but from a service standpoint to an identity standpoint, and make sure you're embracing concepts like personas, so that you start to break up the... you may not get to zero trust anytime soon, but you're able to get less and less trust in that model. And think about it in many different worlds: think about your product access, if you're a service provider company like we are, as well as the internal employee context. So there's many elements; it's a complex journey. It's not something you're gonna buy off the shelf and go implement, but it's one that you're gonna have to, again, partner with those other stakeholders that you have, because there's user experience and client experience components in this journey, some of which are actually quite positive. You mentioned passwordless as one of those components of the journey. Certainly something that actually is a better user experience and also can offer better security and freedom from the traditional passwords that a lot of people have come to hate.

Dave Vellante: Dave, I know you're tight on time, but I've got two more questions for you. One is, what is the CISO's number one challenge?

Dave Martin: Wow, it's [unclear]. No, it really is. Just staying current with that business environment, that threat environment and the available tool sets, and making sure that we're constantly working with those partners that we keep describing to chart that course to the future. This is a race that doesn't have a finish line. The marathon gets a little bit longer every year, and bringing my peers along and making them understand that, it's easy to get fatigued and say, I thought we were done when we finished this initiative. It's just keeping everyone's energy up and focused over a very long time.

Dave Vellante: One A in that question, if I may, is many organizations lack the talent to be able to do that. You may not; you may have a firmer [unclear], but the industry as a whole really lacks the skills and the talent, and really, that's why they're looking to automation. How acute do you see that talent shortage?

Dave Martin: It's definitely there, and I think it's important to realize that, back to that village concept, everybody has a play here. So with a smaller available talent pool for the security industry, we've really got to be that call to action. We've got to explain why this is important. We've got to be the consultants that lead through: what changes are we going to need to make to be successful? It's tempting to say, oh, they'll never do that, you know, like we've got to do it ourselves. We will never be successful just being the security team that tries to do everything. It's bringing everyone along on the journey. And part of that is just going to be this constant socialization and education of what they need to do, why it's so important. And then you really will build great partnership.

Dave Vellante: My last question. I've kind of been keeping a list of Dave's best practices. So obviously the layered approach; you want to get to that NIST framework. There's a lot of education involved. You've got to partner with your colleagues; the tabletops, executive visibility, so everybody knows what their role is, kind of the "do your job." You've got to build zero trust; you can't just buy zero trust off the shelf. And so that is my kind of quick list. Am I missing anything?

Dave Martin: I think that's pretty good. And then just in that partnership, this is a tiring, hard thing to do, and just bringing everyone along. They can help you do so much, especially if you explain to them how it's going to make their product better, how it's going to make their client experience better, how it's going to make, for the CIO, the internal associate experience better; that this isn't just about adding friction into an already challenging environment.

Dave Vellante: You know, like frontline healthcare workers, the SecOps pros are heroes day to day; you don't necessarily hear a lot about the work they're doing, but Dave, we really appreciate you coming on and sharing some of the best practices. And thank you for the great work that you guys are doing out there, and best of luck.

Dave Martin: Thanks for the exchange, it's been a pleasure.

Dave Vellante: All right, and thank you for watching, everybody. This is Dave Vellante for theCUBE. Keep it right there.