This is your host, Swapnil Bhartiya, and welcome to TFiR Newsroom. Today we have with us Steve Winterfeld, Advisory CISO at Akamai. Steve, it's great to have you on the show.

I'm excited to be here. Thank you.

Yeah, and today we are going to discuss the latest Akamai State of the Internet report. As we were discussing before the interview started, you folks, you know, of course come up with a lot of reports throughout the year. And security is becoming a very important topic, especially after the whole cloud adoption; it is no longer someone else's problem, it is no longer an afterthought. I mean, at least that's what we talk about. You know, it's moving into the developer pipeline, it is becoming a priority. So this is what we talk about, but since, you know, this is the area, this is your strength, I want to hear from you: when you look at security in today's world, do you see that in reality it has become, you know, a kind of priority, it is no longer someone else's problem, it is no longer, you know, an afterthought?

Well, I will tell you that, you know, security is in the boardroom. We're having discussions at the board level about, you know, what is our cyber risk appetite? That's a specific term within the financial security, or the financial industry, that the security auditors are asking in, and so yeah, it's starting at the very senior levels. And then as we get down, more and more of us are starting to be involved with it every day. You know, when I talk to developers, it is a matter of how do I develop hooks so they can pull in security capabilities as part of the pipeline. When I'm talking to, you know, people that are in startups, they're trying to figure out how they can be a startup and be secure and not lose all their IP right away. So, you know, security is becoming fundamental, and we see so many examples of where it's compromised every day that, you know, we're here at Akamai.
We want to share some best practices and lessons learned, which is why we put out reports on, you know, API security, DDoS, and some by industry: we put out a commerce report and a financial services report, and ones like this, which is on ransomware.

Thanks for, you know, of course sharing the state of where, you know, security is today. Now let's talk about these reports. As you said, you folks do a lot of reports, but let's talk about the State of the Internet report. Talk about the idea, the driver, because some of these reports not only help us gain insight, but they also help us prepare to help our customers, how they can secure themselves. So let's talk about the whole idea of this report.

One of the things that we are asked by our customers is, you know, what are my peers doing that I'm not, that's doing well? What's happening in my industry, or what's happening in my region? And is it unique from others? And so, you know, that's why a lot of our reports, we're able to, since, you know, we're an international company. We have customers across every time zone. We have customers in every industry. And so what we want to do is say: these are best practices, these are lessons learned, and this is a trend we're seeing. In this case, let's say, we went and we looked at, you know, 90 different ransomware groups. We studied victims across different groups, and we studied a time period of almost two years; it was 20 months total. And as we looked at all that, we want to come back and make recommendations. How should you be thinking about protecting it? Should you shift resources based on how the threat is shifting their attacks? And so those are kind of the things that, you know, as we protect against the edge and internal, and we have, you know, a threat hunting team on our segmentation, we have a shadow hunting team on APIs, we have a security operations center for DDoS.
So we see so many lessons learned. We just wanted to share those.

Can you share some highlights? When you folks do a report, you have been in the industry for so long that you're like, hey, yeah, this is what is happening. So you do know beforehand, and then sometimes there's some other finding where you're like, oh, okay, that's what. So talk about, you know, some surprising elements and some that you were expecting, that this is the trend in the security or try this space.

So there were a couple of aha moments that, you know, I was just like, wow. It doesn't necessarily surprise me, but I didn't see that one, or I didn't see that one, you know, coming that quickly. So one of the things for me was, you know, ransomware is based on extortion. So there are basically three models out there that are trying to do that old extortion racket where, you know, you've got to pay me or something bad will happen. And the first thing they want to do is DDoS extortion: you know, pay me or I'm going to take your site offline. Nothing to do with this report.
The second extortion is: I'm going to encrypt all your data so you don't have access to it, so operationally you're shut down. And this is a hard one because, you know, I talk about the flash to bang, and if you've never heard of that: if you see a lightning strike, every five seconds you count before you hear the thunder, that's one mile away. So, you know, that flash to bang: if you lose credit cards, it could be six months; if you get hit by, all your data is locked up and you're operationally shut down, you are immediately in crisis mode and it's public. And then the last thing is they're holding your data hostage. They're stealing the data and saying, you know, we'll sell it back to you. And so as we think about this, traditionally we think about, you know, somebody coming in, spreading throughout the network, exfilling data. And it's all been through, you know, hacking the people, you know, coming in through social engineering software. And this year we saw a shift to zero days. You know, the hackers are developing zero days. They're paying bug bounties to other hackers to bring in zero days, and we're going back to more technical attacks. You know, you think about things like GoAnywhere and MOVEit. You know, these are not trying to break in, and these are great attacks from the hacker's point of view because they scale: I break into one point and I get access to multiple customers. And it's also changing, the economy is getting much more complex. You know, I may be a hacker that just gets initial access, somebody else may be a hacker that, you know, does the actual ransomware, somebody else may do the data exfil. You know, ransomware is a service, almost.

And it's also a very lucrative market and also sometimes low-hanging fruit. Let's just talk about ransomware specifically. The fact is that the way we create, run, manage software has changed over time. The whole culture around it has also changed. How have you seen the
methods of attack by ransomware? They have also changed, which once again, based on your research, as you said, you know, it's becoming more tech. It can be social engineering. There are so many ways attackers, you know, target their, of course, targets. How have you seen it changing, evolving, where you're like, of course, to be honest with you, these are some of the smartest people on the globe. You know, as Linus once said, these are smart people; we want them on our side, not on this. So talk a bit about how you have seen the evolution of these attacks.

They're smart and they're innovative. You know, they're constantly changing. So they may focus on a specific industry that they know is more likely to pay. So let's say healthcare or critical services may be more likely to pay a ransomware attack. And we may focus on, you know, scale, trying to go in and do automated attacks. And where we saw here is a 143 percent increase in zero-day attacks. So just launching malware, then that malware will break in, versus, you know, trying to send you an email. So somebody sent me an email and they said, hey, Steve, you know, go to this website and you can get a new Frisbee for disc golf, which is my passion. Well, I'm going to go to that site, click, get my free Frisbee. They're never going to send it to me, but they will download that malware. That's how they used to do it. And now they're less dependent on the person and able just to directly attack, which allows them to scale faster.

These days we talk a lot about generative AI; of course, ChatGPT is there. Do you also see that, or are you already seeing that some of these attackers are also using some of the generative AI technologies for the attack, or are you not seeing that happening yet?
Obviously our tools use AI, more machine learning than generative AI. But across these, you know, I'm seeing those tools being used for both good and bad. And so on the generative AI side, I think that's really going to have a big impact on business email compromise, more so than ransomware. It's going to allow people to quickly and more effectively convince people to, you know, wire money or to do something like that. So I do see that approaching quickly. I see versions of deepfakes and versions of that voice AI, where they're able to mimic, being used again for business email compromise, and I think eventually we'll see more of that in the ransomware or general breach categories. But yeah, I think that is going to be a powerful tool.

And as you were earlier saying that most of these were like, you know, zero vulnerability. Also, when we look at, you know, ransomware, I think encryption is, they encrypt, you know, as you said, you know, it could be network, it could be your whole data; that was their, you know, preferred model. Is that still the case, or has it changed a bit?

Well, and what you've seen is, you know, it's a two-phase model. So they want two paydays. And so originally it was coming in, encrypt, and we'll give you a key. Now it is coming in, you know, spread, be able to encrypt everything, but while you're spreading and making sure you're able to shut everything down, exfilling data.
It could be contractual data, customer data, something that they don't want to have go public. And so once you've gotten that, then you hold that data hostage, and we're seeing that more and more companies are having them focus on that, and I have to assume that hackers focus on where they can make more money. And so we're seeing this shift to data being held hostage as the focus over encryption, and even to the point where they're going to go to your customers and say, hey, you know, bank X is your bank. We took all their data. You need to call bank X and tell them to pay us so we don't release your data. So they're actually going to the second-order victim and telling them to go back to the victim and tell them, hey, pay these ransomware people so they don't get our data out. Which, I think, again, going to innovation, is great. It makes me sad that we're in this world. But yeah, it's kind of where we're seeing this shift.

As you work with your customers and when you work on these reports and, of course, get a lot of insights, what kind of awareness are you seeing there, where organizations, you know, are aware that, hey, there are these kinds of risks, or do they just wake up only when they are actually attacked?

So I will say that, you know, situational awareness, visibility, is a holy grail. We're all looking for that. We're all trying to figure that out. But the one thing that was kind of another aha moment for me was: as you're dealing with an attack, as you're focused on mitigation and recovery, other organizations, other criminal organizations, are more likely to come in and attack you. So we saw that it's six times more likely to experience a secondary attack within three months of the initial attack. So I feel like, you know, if I just got through a big breach, you should give me a chance to rest.
But that's not the reality. It's almost like, as you're dealing with this crisis, you need to have part of your team focused on the next group trying to break in, because it is constant. And that to me really means we need to relook at our playbooks. We need to rethink, because having been involved in some incidents like that, you get very myopic, focused; you're focused on this one crisis, and I think we have to train ourselves to not only focus on the current crisis but look for the next upcoming attack.

And that's a perfect segue to my next question, which is that, you talked about playbooks; of course, we don't have time for you to share the whole playbook. But what advice would you have for organizations? And also you said, you know, myopic view, because in the security space is very the popular No night lamp, you know, you're looking where you expect the problem will happen. But as you said, you know, the good guys, as I say, the bad guys have to be right only once, and as a good guy you have to be right all the time. That's the big difference. So talk about what advice you have for organizations, that not only they, once they get the pin, the target on the back, they will be attacked again and again and again. But is there something that they can do culturally or practice-wise that will at least offer them a greater level of protection?

And that's why I like to talk about the cyber kill chain. And if you go to something like the MITRE ATT&CK framework, the top of that ATT&CK framework, all the steps are reconnaissance, gain access, execute your payload, you know, set up command and control. If you stop any one of those, you're going to break the chain of attack. And so I'd like to think they have to get it right multiple times to be successful, and we have opportunities to stop them. And so how do we do that?
You know, the first is understand your attack surface. You know, make sure that you minimize your attack surface and then be looking both north-south and east-west. You know, have internal segmentation and visibility internally, so as they try to spread you detect that. Next is, you know, update your playbooks. Make sure they're validated through exercises. You know, it's incredible that you go through, if it's a tabletop, if it's a technical exercise, you get leadership expectations right. You know who's involved. Those playbooks have to be validated, and almost quarterly would be, you know, if you have a quarterly exercise, you'll get through all your critical playbooks. You know, next, we have these indicators of compromise. You know, it might be coming through DNS, it might be coming through, you know, warab trap. You need to really kind of do a gap assessment and say: how am I able to monitor outbound traffic? How am I able to monitor internal data flows to discover indicators of compromise? The next is kind of a different one. You know, it's the traditional cyber hygiene. Are you patching? Are you doing security training? Those basic things that we should be doing. And finally, outside of the security team, work with your legal team, because we're seeing more and more laws come out that say, if you live in this state or if you live in this region, it is illegal to pay a ransomware, or you have to notify if you do. And so make sure your legal team is plugged into the regulations in that environment, so you don't do something inadvertently that's not within the law.

I also want to talk about one more thing, which is, I think, important in the talk of security, which is also culture. Can you talk about, I mean, you did touch on that, but why is it also important for companies to kind of build a culture from the top down? So that security doesn't become an isolated problem. As you said, it will take your company down immediately. Your brand is tarnished.
Of course, your customers can also get compromised. So is it also a good idea to build a culture within organizations so that it's not a DevSecOps problem?

You know, ultimately culture eats strategy for breakfast every day. And so, you know, if your culture is not one that you expect everybody to be responsible for understanding the risks they're taking, then they're going to be aggressive. And so I don't want security blocking. I don't want security stopping. But I also want everybody thinking about it. And, you know, it's that integrated security at the beginning of a project that works. You know, it's that culture of, I'm starting something, so I'm reaching out to the right security people. And I think if you don't have that culture and you're trying to bolt on security at the 11th hour, it's never going to work. So yeah, I can't say enough about, you know, security advocates or, you know, security experts being embedded throughout. That's just critical. So enable everybody to understand that risk.

When it comes to security, depending on how you talk to it, it is intimidating, complex, and as the landscape is evolving, as you said, it is overwhelming for customers, you know, users, to all the time focus on security and be worried about it. I feel that they should focus on writing business applications, focus on adding business value. Can you talk about, you know, how, of course, companies like Akamai help them, once again, to continue to focus on what they are good at doing and kind of remove some of these burdens? At the same time, they should also not, you know, be totally isolated from the real world. So they have to maintain a balance between keeping themselves updated, awareness should be there, education should be there, at the same time leaving them the time, their developers, so they can focus on their core jobs.
Listen, I'm in security, it's my focus, and I can't keep up. I mean, constantly someone will say, did you know, and I'm like, no, and it came out six months ago. And so it is overwhelming. And so the first thing I would encourage people to do is: how do you learn? Are you going to subscribe to podcasts, or some great podcasts out there? Are you going to get some news feeds? You know, again, great news feeds are the classics, Bruce Schneier, Brian Krebs, those kind of people that you just want to trickle in, because it's going to keep your continuous learning going enough in security that you're not falling too far behind. Some critical vendors: IBM, we were just part of an IBM report. We're part of the Verizon data breach report every year. We put out our own reports. So pick some of the vendor reports you like. But then don't forget our other there. You know, here in the United States, we have the Department of Homeland Security, which puts out advisories. You know, maybe go to InfraGard or OWASP or some of these security-focused groups and become a member of them. And then, you know, finally the bigger ones: you know, watch a video on the MITRE ATT&CK framework, watch a video on the OWASP Top 10 for API attacks. And if you just kind of make it enough of yours, like 10 of your time is involved with this side, I think that's probably the practical answer for me.

Steve, thank you so much for taking time out today and, of course, sharing great insights about security. And as you folks, you know, keep coming up with these reports, I would love to have you back on the show, because security is, you know, as you said, things are changing and there is always something happening. So I would love to have you on the show again. But I really, really appreciate your time today. Thank you.
Thanks. I look forward to coming back, and I encourage people to go and download the State of the Internet reports in our blogs. And we're looking forward to collaborating on security.