Hello, and welcome to IBM's Beyond Firewalls, Resilience Strategies for All, focused on the importance of cyber and data resilience. I'm Rob Strechay, managing analyst with theCUBE Research. Today, I'm joined by two experts in the field, really excited to have you guys on here: Jeff Crume, IBM Distinguished Engineer and CTO, IBM Security Americas, and Christopher Vollmar, who is the Storage and Data Resilience Architect worldwide for IBM Canada. Thanks for coming down from the Great White North.

Thanks very much.

Thanks for coming up from North Carolina to join us here today.

My pleasure.

You know, I think what is a lot of fun about this, and it's Cyber Resilience Month, and, you know, I think it kind of used to be called backup month or something like that, and I think it's much better to have a fuller description of what companies are really dealing with from a cyber perspective. And a big piece of that is, again, everybody's dealing with it. It's not just the big names, but there have been some big names, and there is really a cost to cyber resilience and not doing it right, or being hit over and over again. What do you guys feel about that? What is the cost? Let's kind of start at the end of the story, the cost of it, and let's work backwards from that.

Sure, the cost of doing it wrong. IBM has been running this report called the Cost of a Data Breach. We actually contract with a third-party organization to do it so that we get really independent results, and we've run this for 18 years. So we've got a large empirical base of data. We've interviewed 3,000 people from 500 organizations, so this isn't like just cherry picking. And one of the things that we found for this most recent report: the average cost of a data breach worldwide is about four and a half million dollars per incident. Now that's even throwing out the really large data breaches, because they would end up skewing the results, but that's what it looks like. In the US, it's roughly twice that.
So the cost of not doing it right is really substantial.

Yeah, I mean we heard, you know, again with MGM being in the news and everything, that one was a hundred million, at least. And I think, again, some of us were actually down there and couldn't check into our hotel rooms until 2 in the morning. Yeah, so I think, again, when you start to look at it, it's also, what can organizations do to prepare? Everybody's at kind of a different place in their cyber resilience journey. Where should they start? What are the things that they should do to really understand their attack surface and start to get that covered?

Well, one thing that came from that report is that the most significant way to cut the cost of a data breach was organizations who had an extensive use of AI and automation. They saved on average 1.76 million off of that 4.5 million. That was the most significant way to cut the cost of that data breach. And if you start thinking about it, we're really in very early days of AI use in the cybersecurity space. So I would expect that number is only going to rise as we go forward. Using automation makes a big difference. Using AI going forward can make potentially an even bigger difference. So tooling, and leveraging that as a force multiplier, can definitely benefit the good guys.

Yeah, and I think again, it's not just the big companies that can benefit from that. It's the medium-size, the small companies, especially if you don't have a security organization or a storage organization that is really tied tightly to an organization that has the tooling there. I think that actually brings you up a level as well. It's an up-leveler to that. But again, we'd be remiss if we didn't talk about infrastructure and storage and the role that infrastructure and storage play in this. What are you seeing from that side of things?

Well, and to your point of where do I start and how do I make it accessible for everybody?
Part of that is just integrating security and storage, integrating the infrastructure and security teams together. Whether that be a storage team, or a team that is covering all the parts of the infrastructure, tying it into the security part of the organization. They kind of look at that: what's my foundational layer? How do I get steps to data resilience? This is the kind of thing we'll talk about. How do I get the first foundational layers? How do I integrate those two teams? And for a lot of the customers we're working with right now, that's the first step in their journey: I've got a security team and they know what they're doing, but have they tied in with infrastructure and where the data lives on the storage platform, and how do I pull those two together? Because during that data breach, if I've had a data corruption, a malware, a ransomware, something like that, how do I bring clean copies of the data back? But I've got to start with, I've got to pull those two teams together so they're actually working in lockstep.

Yeah, but are copies even enough? I mean, what do people need to do from a storage perspective to protect the data? Because really, when you see these cyber actors, bad actors, going after this stuff, a lot of times they're going after the storage to do that. What can people do to really take that to the next level, I guess you could say?

We look at it from a couple of different ways, and I'd say that yes, copies are important, and you want to build immutability into your strategy of copies. Whether that be on the primary storage devices, whether that be on the secondary and backup storage devices, I probably want to build immutability into both, and I probably also want to be able to build the capability to take snapshots, copies, on both environments, and that way I've got immutability even if bad actors do get in; they're going to try and delete things.
I've got immutable copies to work with, and I've got copies now in both primary and secondary and my DR. I can then start to look at, okay, well, how do I validate for good data? How do I use those copies proactively, maybe even, to validate for good data, certainly reactively? But if I can get to a proactive level of, hey, I've got copies in my primary, I've got copies in my secondary, how can I start testing those to make sure that if something does happen, I have the ability to do rapid recovery? So it's kind of working my way up through those steps to think about how do I get there, and how do I get to a point where I can recover rapidly and then take advantage of things like automation, right? Because pulling one thing back is something, but pulling an entire farm back is entirely different, right?

Right, yeah, I mean, and I think that's the big thing is you're not just pulling one thing back when you have to recover an infrastructure; you've got to pull everything back for the most part, and to some point in time, and you need to know that the stuff hasn't been hiding in there. And I mean, to that kind of point, there's the CIA triad, and I don't mean like the Central Intelligence Agency here, and you guys really talk to that framework and its importance in how it actually brings the two different organizations together. So why don't we kind of tell people what it is first off and then show and try it?

This is fundamental, just basic blocking and tackling when it comes to security. The CIA triad is confidentiality, integrity and availability. Those are the three things that we're trying to accomplish in cybersecurity, always. And if you look at a new environment, this is what you should look at. What are my requirements for confidentiality, so that only the authorized users can see the information if it's sensitive? What are the requirements for integrity? That is, that the data hasn't been tampered with. It can be trusted.
And then the requirements for availability: that it's available to the people that it's supposed to be available to when they need it. So it's CIA, and you look at how you do those things, and in fact, even though we sort of think of this as a security thing, you can see very clearly there's a storage aspect to every one of those three aspects of the CIA triad.

Yeah, I mean, confidentiality, integrity and availability, those are like the core of what you need, right? The core of trying to bring back a business. And to your point about being able to bring back an environment, we look at things like how do I build out the minimum viable company, right? What's the minimum things I need to do to be a company that functions, right? If I'm a financial institution, I have to trade. I gotta do banking. And then the idea of that CIA triad, it absolutely fits in everything we do with storage and with data: being able to know where my conventionally governed material or my PII type of data is. How do I make sure that's available? How do I make sure the integrity behind it, whether it's in my copies or in my backups, is available for me to be able to start pulling back at any given moment, whether that be proactively checking it for corruption or reactively being able to check it and then bring it back into your environment after a bad event? You want to think about all three of those things and how they relate back into a storage environment, right?

Really, the validity of it.

Absolutely.

Again, that's a big piece of how you understand that, yes, it's known good, right? And I think that, to me, also authentication and authorization is a huge piece. And that's how a lot of the social engineering people are targeting that and trying to leverage that. And that's how the MGM thing went. And everybody knows that.
But when you start to look at how you build that in to make sure that there's no one set of keys to the kingdom kind of thing, when you're looking at this across storage and the rest of the infrastructure, how do you also look at data validity? I think that, to me, is one of the ones that has to be a key to what people are trying to do: that known good copy, or that known valid copy that people can get at. How is IBM really helping your customers with that part of it?

Well, I'd say from our perspective, at least in storage, it's being able to do that kind of proactive checking, right? So I can make copies of the data, and I can do it on my primary systems, I can do it on my backup systems. They're both immutable. And then can I proactively promote them into someplace, whether it's a clean room or a safe room or a vault or something? Can I move them into a place that I could then do proactive testing against, right? And to that idea of it being accessible for anyone, right? So from the base storage systems all the way to the really big storage systems, how do I make those copies, promote them into a place where I could test for validity with a bunch of tools, right? Whether it's tools we bring, tools our customers bring, a bit of both, to be able to do valid checking of things. And then know that I've got it ready to go, saying, okay, I've got my catalog of good clean copies that are this current, this current, this current. You can then drive to things like automation to be, okay, if something's happened, I know these are the steps I'm going to drive through. I might integrate up into something like a SOAR environment and be able to drive the automation to say, as security is getting the environment ready for me to come back in, I already know my clean good copies, because I've done scanning, I've done integrity checking, I've done any number of different checks to make sure that those things are available.
But doing it on something like a primary storage system is for us a differentiator, as well as being able to do it in a backup environment is for us a differentiator as well, I'd say.

Yeah, and I would say that, you know, again, obviously, I mean, encryption's been around for quite some time, but again, that playing into the validity of it and the integrity of it has to be a big thing that you're seeing, and again, it was a big thing. I was at one of the cloud providers and people would leave their buckets open and, you know, not encrypted and stuff like that. Are you seeing that people are really just by default using encryption finally in what they're doing?

Not as much as I'd like. In fact, if you think about ransomware as one of those use cases that really stresses both the cybersecurity and the storage sides of the house, because if you think about ransomware as a particular attack, there's really two main types of ransomware attacks. One is, I've got your data and I'm not gonna give it back unless you pay me. The other is, I've got your data and I'm about to give it to everybody else. Now that second one, the best protection against that is good encryption. If the attacker says, I've got your data, I'm about to give it to everyone else, and you say, well, but it's strongly encrypted, have at it. Well, then you don't worry as much. On the first one, I've got your data and I'm not gonna give it back, well, then that's where you want the good backup, the immutable backup. And Chris mentioned that before, immutability. I mean, that means that your backup can't be changed. It's not sufficient just to have a backup out there, because if someone puts ransomware on your system and it starts encrypting all your files, it will also encrypt all your backups as well. And then you have nothing to recover with. So an immutable backup will be one that shows a point in time and it won't be modified.
So when the attacker in that case comes to you and says, I've got your data and I'm not gonna give it back, then you say, guess what? I've got my data too. You can go get lost.

So, again, there's security technology and storage technologies that come together. And to me, there's no end where one starts and the other begins. They're both just related to each other constantly. And to your point about, or Jeff's point about, basic blocking and tackling, that's where I'm starting to see customers. How do I build out that design where I'm actually encrypting things at the application layer? And that brings in the challenge of, okay, I need to sit down and actually do the key management, but also I'm able to encrypt things in the storage device. Where do I place that? But then how do I build governance around it? And that idea of how do I actually understand what I've got encrypted, where it is, all of that is accessible again to kind of everybody, right? It isn't, hey, I can only do encryption if I'm a really, really big shop. It's all the way through. I've got the ability to do it, and it's not necessarily as cost prohibitive as you'd think. It's one of those simple basic blocking and tackling things you can do to protect the data and protect the environment, right?

Yeah, no, I think that makes sense, and I think you actually roll into the next question that I have for both of you, which is, where do you get started? I mean, NIST is moving to 2.0. It's in draft now and being reviewed and things like that. Where should people start? Where should they really look? Because again, for some companies, the entire security group is a person or two people, hopefully, and at least more than one. And the storage might be a storage admin, or the storage admin who wears multiple hats, or the VM admin and the container admin, their DevOps and all of that. So where should people start? Is NIST a good place for them to start? Where would you suggest?
Sure, the cybersecurity framework is the specific NIST standard you're referring to. That is very comprehensive in telling you what are the things you need to have in running a security program. So it's a very good place to start. If you think about it, NIST, that cybersecurity framework, is based on the CIA triad. So it all starts with that, and then we expand it, okay? So this is like a further expansion, a further explanation of what it means to do CIA. And then from there, there's individual technologies and architectures and things like that that we can do. Another thing that I think you overlay on top of all of that is zero trust principles. The idea that you assume the system has already been breached. A lot of people have said to me, zero trust is not so different. That just sounds like, a lot of vendors talk about this, but this is not new. It's just defense in depth. It is, but it's more. Because if you assume that your systems, the bad guy is already in them, the way you design the security is very different. If you were thinking about how do you secure your home, you might build in perimeter-based controls like a fence, a lock on the door, a security camera, an angry dog inside the fence, okay? This is how you're keeping the bad guy out. But if the bad guy's already on your sofa right now, watching TV, eating your food, then none of those countermeasures made any difference at all. So we tend to focus on the perimeter, and we assume things that are not always true. So that implicit trust is the thing that comes back to bite us. We need to design security from the inside out. Assume each one of the components has been breached. Now what? So if I do that, then, and by the way, that's not an unreasonable thing to assume, because going back to that Cost of a Data Breach report, it turns out it's on the order of 200 days that it takes on average for an organization to realize that they have been breached.
So, and then another 70-some-odd days for them to contain that breach. So you're looking at about 300 days, the better part of a year, that the bad guy has been in there doing damage before you realized that, in fact, there's somebody. Again, think about this: if the bad guy was living in your home for 200 days before you realized, and then it took you another 70 days to get him evicted, I mean, that would be nuts. That's the average. So this is why we've gotta have better, more forward-thinking, more preventative types of controls, and assume breach. Once you assume breach, then you know I'm gonna have to recover, because the system is never secure. It's always varying degrees of security, which means if the system can be hacked, I need ultimately an ability to recover from that attack. And that's why, to me, there's no separation between security and resiliency, because the system has to be resilient, because it will be attacked.

Absolutely.

Yeah, and I think on the storage side, because you're at the data, right? And you see things like high IO going to something that has been dormant for, you know, ever, and that may be a signal of encryption taking place and things like that. Where do you see people starting as well?

Well, I'd say even to that point, we take it a step further inside the IBM FlashSystem. We're doing things like inline data corruption detection, where we're actually looking and sampling at IO going, does this meet certain parameters that actually might be a pattern of the data being encrypted, as a real-time thing as the IO is hitting the system. So we're taking that even one step further. To your point about where to start, and I'll do a "yes, and" to kind of what Jeff said around NIST: NIST is a really good place to start.
I think NIST is looking at that because it actually, if you put the lens over it that both security and storage work together, which is what Jeff and I do every day now, it is, you know, even from the identify, detect, protect, all of those places have places that storage and security can augment each other. And then to your other question about where do we start? A lot of customers work with us. We have something called a cyber resiliency assessment. And that cyber resiliency assessment isn't, you know, it isn't pervasive, it isn't, hey, I'm dropping tools in the environment; it is a good two-hour discussion-based structure that will come back with recommendations. Say, hey, these are some of the principles you could look into. These are some of the approaches you could look into. And that cyber resiliency assessment kind of helps drive out, well, if I look towards 2024, right, what are my priorities for the next year? We've got customers that are, you know, I do my VMware, I do my storage, that's me, and I have Jeff over here doing security. The two of us sit down and actually go through this kind of, you know, discussion-based structure that we've got for the cyber resiliency assessment that gives us some priorities we could collaborate on for next year. And I think, you know, from the small to the big, that gives me at least a place to start. And then say, okay, well, what pieces can I pull together? And we based it around that NIST framework so that then you can use it as a jumping-off point.

Yeah, and I think, again, for folks who are looking to get at it from a, hey, we don't know where to start, we don't know what's going on, and we have never even done a tabletop exercise or something like that. Getting in the room is a good first step.

Absolutely.

And, you know, the fact that there's no cost to this assessment and things of that nature is even better.
I think that, to me, is such a fantastic place to start, because I think when you start, you know, going around the, you know, NIST wheel and stuff like that, you don't have to be the largest company, right? I mean, you could start small. It's not like intergalactic. I think that's the advantage of NIST, is that it's pretty simple to read. I mean, even I can read it, not being a security guy, and, you know, understand it.

Well, and I think you even raise a really good point: it can be intimidating for us in infrastructure to sit down and look at it like, what are all these pieces going? But this has done a really good job of maybe democratizing that kind of information and making it approachable for everybody who doesn't have a security background, and you can sit down and look and go, okay, these five steps, now there'll be a sixth one as the 2.0 version is coming around. They all make sense. All right, now, and then to extend your point, if I'm sitting beside the security person in my organization, I can ask them, hey, what does this mean? How does this relate to you? And as they give the answer, you'll probably start to think, oh, that's how it relates to me. So, you know, to your point of, even if it's three or four people sitting in a room doing like a tabletop conversation, that part, and we drive it, say, through that cyber resiliency assessment. So it'd be unfunded, to your point. It becomes, hey, I can do this type of thing, and it doesn't have to be, I need 15 people and they've got to show up with like five cases of tools and we're gonna be here for two months. It's how do we use things that make sense to work together, and then we get to learn off each other. And that I think has been an interesting adventure for both of us, is we're actually learning off of each other on a regular basis, because now we're doing way more collaboration than we did 18 months ago.

Sure.
And that cybersecurity framework, if you look at the whole thing, it can be intimidating because there are so many things. It's very complete and comprehensive. It doesn't mean you have to do all of it on day one. Whatever, you pick an area and you start to improve in that area, then you pick another area and start to improve, and you do this stepwise refinement until you get closer and closer toward the goal. Because the one thing I heard a long time ago that really stuck with me is that if you're satisfied with your security, so are the bad guys. So we have to always be improving in that.

Yeah, that makes total sense. And I think that's a great place for us to kind of leave off. I think, again, providing a lot of content to everybody out there and good places for them to start and think about how they really up their game during this cyber resilience month that we're in here, and really take those next steps, because I think it's so important for people to just, you've got to start somewhere. You can't, you know, sit idly, because the bad guys aren't, that is for sure. So I want to thank you both for coming on board here and being on theCUBE with us; you know, you're now alumni. So congratulations, Jeff and Christopher. Really appreciate you being on here, and thank you all for visiting here and watching this, and stay tuned for more episodes. Also, for more information, go to the resources tab. A lot of the things that we talked about, the YouTube videos and some of the reports and things of that nature and the resilience audit, we're going to have links to those in the resource tab below. So be sure to check that out. And also, remember, you can stay up to date on all things cyber and data resilience by visiting siliconangle.com. And thank you for watching this episode of IBM's Beyond Firewalls, Resilience Strategies for All, on theCUBE, the leader in high-tech enterprise analysis and coverage. Take care.