 This is JSA TV, the newsroom for tech and telecom professionals and JSA radio, your voice for tech and telecom on iHeart radio. I'm Jamie Scott of Kataya and on behalf of my team here at JSA, welcome to our monthly virtual roundtable series. We are bringing together top thought leaders in our industry talking about topics important to us in our monthly virtual roundtable series available right here on JSA TV YouTube channel as well as on JSA radio, the only tech and telecom podcast series currently available on iHeart radio. These monthly roundtables lead us right up to our on-site CEO roundtables at our industry networking event, the telecom exchange. Next one up is November 14th of the 15th, 2016 at the Montage Beverly Hills right here in sunny Los Angeles. More information is at thetelecomexchange.com. Hope you can join us there. And today's topic also one we're discussing in November at telecom exchange, network security in 2016 and beyond. And it's certainly a topic worthy of our interest. It's been gaining a lot of attention on our social media boards as well as at many water coolers and businesses across America and globally. Also a hot topic right in the movie theaters with this weekend's release of the movie Snowden. So with all this excitement mounting, let's get started. Welcome to our live audience who's joining us here today. And thank you also to those who are watching on demand. This roundtable is brought to you on our JSA video platform, which allows our panelists to log in virtually from anywhere around the world. And today we are spanning the Atlantic Ocean with our speakers coming in from London as well as rural Virginia. So thank you Pinnacle for our partners for helping us with this video feed. And let's go ahead and get started. I am honored to introduce our guest moderator, Mr. Ronald Gruya, as a friend of mine. He's the director of emerging telecoms at Frost and Sullivan with 18 plus years of telecom industry expertise at Frost and Sullivan as well as Nortel Networks. His expertise covers NGN transition like SDN and NFV, telco 2.0 like next gen value added services, as well as examining the enterprise of the future. So you see IVR apps and of course an interest in cybersecurity, which makes him the perfect moderator for today as well as in November at our telecom exchange CEO roundtable on cybersecurity as well. And I should mention Mr. Leon Cooperman of Zed Edge panelists here today will also be joining us speaking on cybersecurity at telecom exchange. So this is definitely a great start of a conversation that is well worth our attention. Ron, thanks for being with us today and please go ahead and do us the honors of introducing our expert panelists. Thank you, Jamie. Thank everybody. It's a pleasure to be here with you today. I wanted to thank JSA for the opportunity and it's a pleasure and honor to be here. We have a very talented group of panelists. So what I'm going to do is sort of just quickly introduce them and let them each talk a little bit about themselves and their companies and what it is that they're doing. So I'm going to try to go around the horn. So we have first Nick Russo, CTO of host.net, Leon Cooperman, CTO of Zed Edge, and Jason Cook, who's the Chief Information Security Officer at BT Global Services. So gentlemen, thank you for being here today. It's a pleasure and honor to have you. So how about if we allow you each to give a brief intro about yourselves and your companies as what you do pertaining to security in particular. Thank you. Hi, my name is Nick Russo. I'm with the CTO for host.net. We're a Florida-based ISP data center. We have collocation facilities, virtual server hosting, and some managed services such as managed firewalls and business continuity services. Awesome. Hi guys. Great to speak to everyone today. My name is Leon Cooperman. I'm the Chief Technology Officer for Zed Edge. We're a cybersecurity firm specializing in web application security. We help our customers secure one of the most prevalent ways of delivering applications to the world today, which is through the web. And it's a growing and major concern as much more of the world's transactional business is happening over the internet. This is a key channel for security. And happy to be speaking about the topics we have on back today. And this is Jason Cook from BT. As Ronald said, I'm the regional CISO for BT in the Americas here. And in particular just want to highlight BT's experience in this space. BT's been running as a telecoms company now for 170 years, you could say. And at least 70 years of that, we've been running a very efficient, effective cybersecurity and physical security practice that has to be as several thousand now consultants and security experts in. And we cover all aspects of physical and cybersecurity as you'd expect us to do if we're protecting our customers across 180 countries now I believe is the very latest statistic if you look at all of our partner links that we have. So looking forward to this conversation. Thank you. Thank you everybody. Well, it's fascinating. It's great. I think we have a very good representation here from a host on that zanage, which, which is an interesting company that does enterprise class bot detection, well application firewall, etc. And Jason certainly BT global services, which insecurity has a very rich history, right? I understand going all the way back to World War two and was as the British forces were trying to crack the enigma machine. And I know you had brilliant scientists working there like Alan Turing, etc. So it must be really, I think we have a great panel here. So let's, let's start with, with the first question. I know it's a hot topic. And it's often talked about a lot. Internet of Things. And I know, you know, when people talk about some of the market restraints for Internet of Things market to flourish, the two topics that brought up, you know, interoperability and security. So you have so many things that are being connected quickly. How, how will increase the risk for cyber security in your view. So maybe let's let's start with with Jason and then go to Nick and Leon. Certainly, we think about cyber security in particular. And traditionally, we as an industry for many, many decades, you could say, I've been looking at tech, the network, tech to our sort of usual assets around data centers and not key offices. And we are at a genuine inflection point now, the way technology is rapidly changing. There are so many devices being launched now. So the Internet of Things is, is real. It's not something that's coming. It is here. You look at anyone's shopping list, buying any gadget, this technology enabled all sorts of things from clothing to health care items, etc. And that's just in the consumer space before you even look at industry. And unfortunately, even though there's the greatness of releasing all of that technology, which is enhancing people's lives, things are going at a pace. There's no standards whatsoever in that, in that space. A friend of mine has released a paper called the Internet of Dangerous Things, Brian Fite, and that really talks about the clash of how standards are just so behind in that space. And, and really, you need to look at things quite differently because if we try and approach security around the Internet of Things in the same way that traditionally we've approached security, then really we're going to be behind the curve even more so that we are now. You look at some great examples of what I call a cluster of things that are now connected to the Internet. The connected cars are a great example of that. It takes what five plus years for a car to go from a design to actually hit in the road. And at that time, just look at the last year or so, how many cars have been hacked famously. And then those brands have had to recall those cars because the last thing they were thinking about when they were excitedly releasing a cluster of Internet of Things was security. The company that's out there that's thought about security in that context and hats off to them is Tesla. They've had the same issues and vulnerabilities and everything else that all the other companies that have released connected cars have come to. But Tesla have at least thought about it in the context of we need a rapid way of releasing a patch update because everyone at the end of the day is still going to be affected by some form of vulnerability. And so hats off to them. They've at least approached that with a let's think about security in the future of how we're going to manage things securely in that context. Thank you. Thank you. Okay. Yeah, that's that. That was a great insight. I saw the recent Tesla hat. Nick, maybe you could elaborate further. Sure. Yeah. And I totally agree, Jason, especially with Tesla, they have the ability to to push out updates to their cars in almost real time. They push out updates to 150,000 cars in a matter of days without having to recall the cars. Yeah, and the sad fact about the Internet of Things is that most of the devices that are being introduced don't have security in mind. They have their functionality as their first priority, not necessarily the security of the device. And with every device out there, every type of device, there's going to be some kind of vulnerability just inherit to the device no matter what it is. And I'm sure the bad guys are going to find them very quickly and be able to take advantage of them. We don't want to get into a situation where we have to pay someone a ransom to be able to drive your car or to use your stove or your fridge. Sure. I've seen even hacks like MCUs at video conferencing units inside some enterprises could actually be hacks. And people could actually see what's going on inside an enterprise or even in a home environment like baby monitors also being hacked, which is, again, they're notably for not having security and so many vulnerable points. Okay, Leon, maybe you could contribute some. Yeah, absolutely. And I think when you look, if you do a query of chief security officers in the industry and you ask them what their number one concern is, and we'll keep some up to that, it's going to be all of these devices that are connected, as Jason pointed out, not designed for security. Automotive was a great example because if you look at the automotive design, the way that the devices within a car are communicating with one another, they're built on this arcane bus system that was designed in an 8 bit environment many probably 20 plus years ago. And that same bus was leveraged for IoT communication and Internet connected device was just placed on that bus. It's a great example, as Jason pointed out, of design coming first and security is not coming at the very tail end, if at all. So the first time I kind of saw an IoT attack from web application perspective, there was a couple very interesting ones a couple years ago. One of the things you have to realize about the design of these devices, the cheapest and fastest way to get an IoT device to market is to take a standard Linux distribution and put it out there and put a wrapper around it and all of a sudden you've got many Linux machines running your drop cans or not drop cans but your video cameras, you've got them running your refrigerator, IRT capabilities and so forth. Well the problem with that is if you're not thinking about it from a security perspective, it's an extremely vulnerable environment. So we have situations where refrigerators were sent sending spam email and a botnet of a specific type of refrigerator was collected by attackers to send spam. The same thing is true from a denial of service perspective. Think about when you, a DDoS attack or distributed denial of service is essentially a set of users, a bot connecting to a web site or a network. Well how amplified is that when you're talking about not tens of millions or hundreds of millions with billions of devices. It's almost overwhelming. So we really have to get a handle on this and Ron to your point, we can't necessarily solve this with pure human analysis. There has to be a bigger overarching thing here and I'm sure we're going to get into some of the solutions as we talk to it with the rest of the panel. But it's a very significant problem that's approaching kind of an epidemic scale as these devices come online. Thank you. Thank you Leon. So let's start with you for the next one. So I guess my next question will be talking about what are some of the threats that you see coming in the months ahead or perhaps further down the road years ahead. You know, what are some of the trends or things that you're seeing? I think from our own perspective we have seen actually last year was the year of the hacks of healthcare industry and I know healthcare industry has all those compliance things like HIPAA. And despite that, you know, there's been a lot of hacks that happened last year and there's a lot of value that's being placed on personal health records, even more so than financial it seems. Maybe with that, I'll start with you. What are some of the things that you're seeing and then we'll go with Jason and then finish with Nick. What are some of the short term and longer term threats? Yeah, it's a great question, Ron. So I think there's kind of a duality of threats that we're seeing. First, from a human element perspective, the phishing attempts and social engineering attempts that are being designed by really professional hackers have become much more sophisticated. So Ron, to your point, when a criminal organization gets hold of those health care workers, what does it really give them? And you can't really trade off of somebody's health status essentially, but it does give them an amazing correlation into an individual. And if you're trying to steal somebody's identity, there's nothing better than understanding health history and the sort of providers that an individual uses and payment methods that they use and so forth to get into their social life, if you will. So from a social engineering perspective, this is a great threat. And more so, it's more cute because the level of attack and sophistication is increasing much faster than social awareness of these types of attacks. So we as a society are completely numb to the fact that we need to have basic security standards in our home and in our personal lives. And that basic awareness is just not there. And we have a challenge to educate our society. The second real threat we see is more from more of a technical perspective. The malware and root kits are becoming extremely sophisticated. And we just analyzed one very interesting instance through a honeypot where the malware and the root kit in this particular case understood in which environment was running and was capable of camouflaging itself. So when you try to run it in a root kit exploiting lab environment, it would stop working. It would say, oh, I know someone is trying to insect me. I am hands off at the moment. But then when you got into a real PC or in a real environment, it would come right back online. So this dynamic intelligence nature of malware is increasing and it's complex to battle. So there's kind of a duality of threats that we see both in the social engineering and on the technical front side as attackers get more sophisticated. I'd love to hear the next and Jason starts on those. Yeah, I mean, on that one, I absolutely agree. Leon started to touch on a point. BT just released a report. It's meant to be a bit of a teaser really to think about things differently. We use the phrase rethink the risk. In all the conversations I have with anyone around security, very few people are actually thinking about who is the enemy? How are they acting? How are they behaving? What are they looking at? And what you find is if you look in there, especially in the cyber criminal world, which is where a lot of all of the attack is coming from, that the collaboration that they have in that space is pretty good. If only organizations and cultures and countries and others could collaborate to the way that cyber criminals are collaborating, we would actually be on the step with them or in fact the step ahead of them rather than in catch up mode as Leon was intimating there. And if you think genuinely about that inflection point that we now have in the context of technology, we talked about the car there, but just think about healthcare space with the amount of phenomenal devices that are coming out that are embedded into people now that can help monitor people so you don't have to be living in some sort of ICU, but you can live a level of life outside of a hospital. And that's wonderful. But at the same time, no one is really looking at how to secure it. And so the threat landscape in that context has gone up. So at the moment, they have ransomware about your records, but certainly in the very not too distant future, you're going to have ransomware about, hey, I'm going to turn your hearing aid off. I'm going to switch off some other device like a pacemaker in your body, et cetera. And the technology there is there already. It's how it can be used and then unfortunately how it can be exploited. So I think we're going to see as well that even though the threat surface is changing radically because of this type of technology coming in, the way that the attacks are happening, pretty much the same approaches that we're seeing already, but just a far more level of collaborated control and focus and sophistication from the cyber criminals in this context. That's a great point of collaboration, Jason. You guys have ever been in a black hat, a chat channel essentially. They are highly communicative and globally distributed and well educated, I have to say. So you're absolutely right. And they don't have the challenge of more boundaries with different countries and how they operate and how they trade on information or anything else. They're single-mindedly focused in leveraging anyone that's vulnerable in that space. If we actually look at the last 20 years worth of hacking and security, the challenges have really been the same. We've always had social engineering, insider threats, weak passwords, vulnerabilities in the operating systems and the applications, exposed ports and whatever else. Those threats have always been there. The challenge now is that, as we've mentioned, with the Internet of Things, is that there's just a lot more devices and the attacks are becoming much more sophisticated than they were before, making them much harder to detect and much harder to block. Other than that, I agree with Leon and Jason that the threats that are out there now are just so sophisticated that I don't think our traditional tools that we're using are going to be able to detect and block these threats. That's a great point on traditional tooling. One of the key issues there that we see is really the use of encryption and strong encryption by hackers. PGP and HTTPS, TLS, are very good for privacy of individuals. But when attackers are using those same shields to prevent defense, this is a great example, Nick, to your point of the sophistication and where we're lacking in some areas and the balance between privacy and security. Ron, just one point that Jason made on collaboration. A great example from yesterday, our friend Brian Krebs was attacked in the site. He was attacked with the largest, now the largest attack that the Internet has ever seen, over 600 feet of this per second. And that was not an individual attacker because we know that any individual group out there has less than that kind of capacity. That was a clear example of Brian upsetting that community significantly enough that they all got together in a collaborative attack. After they got into jail, of course, on bail. But that was a great example of Jason's point of significant collaborative efforts. I think what you're going to see in that context is you're going to see businesses. I mean, you're already seeing announcements by different governments. The UK government has made some announcements just recently about being far more proactive in taking what they call a more offensive posture in cybersecurity, investing a lot more around the intelligence and the analytics around this and how they monitor so they can essentially go upstream, as it were, to kind of proactively defend on a tax hit. And if you're seeing that coming from government and from large organizations, enterprises working on that one, then you're going to see obviously a shift in how the cyber warfare is going to happen out there, most certainly. Another thing is I think a lot of people just don't care. They don't care about security because security and convenience are really inversely proportional. So people just aren't taking the care. They're not getting educated. And I think a great deal of the threats out there are social engineering attacks, including the everyday ransomware that we're seeing. They're just people that are getting tricked into clicking links or downloading applications and installing malware on their computers. I think this is a great segue to my next question. I think we have time maybe for a couple more. So I'll ask this one and then one to conclude. Since you already talked a little bit about social engineering, I was thinking about the human element as sometimes being the weakest link. So I was thinking back in the mid-80s, there was that book by Clifford Stoke, all the Kukuzai that was talking about the famous Hanover Hacker, and how some of those UNIX sysops were just never changing the default password from the UNIX systems. The Hanover Hacker was not really a very sophisticated hacker, and he was able to get access to sites like Whitesand's Missile Range, which was on Millinat. And the sysop there forgot to change the default UNIX password from Mr. Roots, allowing the Hanover Hacker to get in there. And you say, well, but that's run. That's from the mid-80s. And I was just thinking more recently, the Busefer Hacker, the Romanian Hacker that hacked into so many systems, he was also not very sophisticated. So that's proof that this is still working. And then, of course, on top of that, through social engineering, our famous Celeb Hacker was Kevin Mitnick, who relied a lot on that technique. So what do you think? How can we address this with some good hygiene care? Maybe I'll start with you, Nick, and then we'll go to Leon and Jason. As far as the human element goes, I think education is going to be number one. People have to know when they're being tricked. And you mentioned Kevin Mitnick. I know that he has a company called Know Before that specializes in training users and also doing periodic penetration testing to make sure that these people are not getting tricked into downloading or going to malicious links. So I think that's really all you can do when it comes to the human element, but any good security is going to be multi-layered. And we've known that for centuries. So protect your users. Of course, you're going to have your anti-spam. You can have your web filtering. You're going to have your prevention systems, your antivirus systems, the computers are patched. Your applications and data is backed up and your IP reputation and so forth. You lost attack prevention. Those are all part of a complete security solution. Thank you. Okay. Let's go with Leon and then Jason. Sure. Yeah, Nick, you're 100% on that education is this kind of education and awareness of understanding how to communicate. I'm personally a very big advocate of trying to figure out how we can get the world to start using encrypted email with verified identities and signatures. I mean, if you look at the average person and I bet you encrypted email has less than that half a percent penetration in the world. And all of this critical communication that we're doing is just basically out in the wild for most attackers to intercept. That's a very good spot for us. And one of the things that I think the telcos and larger ISPs such as BT have a real challenge is that they're managing so many network devices in their field, in their homes, essentially for home service. Those home users are probably the most vulnerable because they just don't have the background. They don't have the capabilities. They don't have the want and need to protect themselves. The telco industries really is going to be helping us lead that battle in helping not only with education and awareness, but also providing some tooling for the home user because let's face it, all of these IoT devices, where are they going? Other than in industry where there's going to be capability and budget to protect those devices, they're coming in the home and that's why you see them hacking for cameras and many other types of devices. Jason, maybe you could say something about the human element. Absolutely. I think actually if you look across the industry and just look across the world really, I think we're taking a step backwards. There's a couple generations of younger folks now that are so much more comfortable using technology, changing their devices, hopping around from one account to another. The way they share their information is so different perhaps to the other generations that we've got. I actually believe we're taking a step backwards in that context. People say, what happened to me on one level, not really caring about what they share or having the sort of sensitive calibration there to understand what they share and the impact of what they could share that could impact their personal life. So I do believe we're all, we've got a step backwards there that needs to be addressed. I think that's as a result of the things that you will see from communication companies like BT is that duty of care that we want to step up and then providing more protection in the services that we've got to essentially balance that out. Not only that, but also if you were to come to one of BT's labs, you'll see quite a lot of sophisticated cyber companies working with BT in finding ways of trying to acknowledge that, I wouldn't say naivety, but that lack of appreciation around personal security that people have and trying to find ways of as a result stepping up the level of protection that we can provide for people in the services that we've got. So you're absolutely going to see that, like BT. And it's funny as well, if you think of the human element, BT launched all a while ago now and it's a very busy practice for us, an ethical hacking for connected cars, which is why I mentioned it. Very much a cyber focused practice, but we still are an ethical hacking, pen testing practice where we actually send people physically into meetings that customers have or buildings that they have, and you'll be absolutely amazed even for companies that you've recognized their brands where you think, oh, they've got a level of security at the physical layer. And when that convergence of physical and cyber has come in, at the moment, so many organizations have not addressed that gap. And as a result, literally let people walk in still to exploit that, hence the meek-knit comments and others, which is so relevant. And what we're finding is that sometimes it's a real slap in the face to wake people up to, hey, we just said someone walk in and pick up some very sensitive meat material information from your organization that they've had that wake up. And even then, they've had that wake up. As time moves on, they still have to be able to express that. So we're still on the edge of what is going to happen and how are people going to address this type of gap in the cyber and physical security space going forward, because I think the traditional ways that we're approaching it are still not going to be satisfactory to the new technology and other things to address that. Okay, great. I think we're coming closer to the top of the hour. So I'm going to ask a final question. If I could please ask you to just keep it a little bit short. I know it was a very entertaining chat. And I really enjoyed it. But maybe, Jason, I'll stay with you and then go to Nick and Neon. I just wanted to know what do you see as the future of cyber protection? If you think a little bit more futuristically, like three to five years out, so maybe if you could please keep your answers succinct so we could go around the horn. Thank you. Jason, start with you. I think you're going to see quite quickly, actually, at the board level for many enterprise organizations, someone very specifically labeled with the security remit, you're already seeing that emerge in a number of larger organizations. And that's specifically top down to drive security in a far more controlled way because organizationally you need all the people, all the processes and the technology to be leveraged together. And the other area that I mentioned earlier was if you look at organizations today, they're going to take more proactive business approach, take it almost an offensive approach to cyber security there. That really means that they're going to live their game in leveraging technology and intelligence gathering, in leveraging analytics and the big data space that sits behind that, as well as also really lifting to the level of monitoring that they're able to do. And especially as you see the convergence with physical and cyber security coming together, that's actually going to be disruptive play in actually defending against many of the cyber security attacks that we see coming up. Okay. Great. Okay. Nick, maybe we could go to you and finish with Leon. I will say that the future, I don't think that the tools that we have now are going to really be relevant in the future or as relevant. We can't rely on the traditional all-in-a-virus software that we've been using. I think we've got to take the human elements out of it as much as possible, and design security solutions that don't depend so much on the person being tricked. And again, going with a multi-layered approach, we're going to have to put in as many layers as possible, covering every entry point into the network, into the home, into every device that we can. I'll rely more on encryption to factor authentication through that people are who they say they are. And just generally just be more aware and more educated of what is happening in the world with cyber security. The things that we can do right away is make sure that we're not using the same passwords over and over again. Use a password manager like LastPass so that if someone does get your password, they don't have the password for everything that you've ever logged into. Right. Okay, great. Okay, Leon. Yeah, I think Nick makes a great point. Removing human elements out of cyber security defenses is going to be a critical factor in the next several years. We see that trend significantly increasing. There are a lot of firms like ours that are applying machine learning in our artificial intelligence so that we wouldn't have to do all of that and kind of think at a higher level of thought. And Jason makes a great point on physical security. If you look at how easy it is to walk into anyone's office and plug in a USB stick into any computer on a run that I'm going to have to just launch your malware for you. I mean, that physical element that barrier needs to be created so we have to think politically about it. And I think that is happening in the industry. We are overwhelming, but I think that the tide will change and the economics will be such that, you know, the good guy has to win in the end and we're on the right side of the equation. Excellent. Thank you. Thank you. Thank you, gentlemen. It's been very, very exciting and I learned a lot. And thank you, Ron, for moderating our roundtable on network security. Thank you to our esteemed panelists, Mr. Jason Cook, BT Global Services, Nick Russo of host.net and Leon Cooperman of ZenEdge. Thank you, gentlemen, for your thoughtful insights on the security challenges and opportunities that lay before us. Ron and Leon, we also look forward to hearing you live shortly at the CEO roundtables on cyber security at Telecom Exchange LA, November 15th at the Montage Beverly Hills. Thank you, audience, for joining us. If you want to see this and other monthly virtual roundtables on demand, go ahead and check us out both virtually and at Telecom Exchange. So that's jamiescotter.com or thetelecomexchange.com. And if you'd like your C-level to be featured right here next time, go ahead and email us pr at jamiescotter.com. Thank you, everyone, for tuning in to JSA TV, the newsroom for tech and telecom professionals, and JSA Radio, your voice for tech and telecom on iHeartRadio. Until next time, happy networking.