From around the globe, it's theCUBE with digital coverage of Dell Technologies World. Digital experience brought to you by Dell Technologies. Hey, welcome back, everybody. Jeff Frick here with theCUBE. Welcome back to our ongoing coverage of Dell Technologies World 2020, the digital experience. I'm coming to you from Palo Alto. It's a digital event just like everything else in 2020. But we're excited to have our next guest. I think he's coming in all the way from Atlanta, Georgia. He's Jim Schuch, the director of cybersecurity and compliance practice at Dell Technologies. Jim, great to see you. Thanks, Jeff. It's quite the title there. Thanks for getting all that out. I have a big post-it note, so that's very helpful. But it's actually kind of an interesting thing because you have compliance and cybersecurity in your title. And it's this interesting relationship between compliance as a motivator of behavior versus you need to go a lot further than just what the compliance says. So I'm curious if you can talk about that relationship between, yeah, we need to be compliant and we need to follow the rules but you need to think a lot bigger than that. Yeah, definitely. I mean, there's so many different standards out there and requirements. So typically what we'll see on the regulatory side is very much a minimum baseline and leading the way as usual in the cybersecurity space will be financial and healthcare organizations. That's particularly true in the U.S., but pretty much globally, at least on the financial side. So they'll set some baselines. A lot of industries don't really have many. And so what we look at many times is just general risk to the business. And of course, if you're a publicly traded company that might trigger some SEC requirements or other things like that. But again, we really look at those requirements as minimum baselines and you have to work up from there based on the organization's risk profile. Yeah, yeah.
And we see that too with privacy and a whole bunch of stuff where traditionally the regs and the compliance kind of lag where the technology is and where the market's moving. So let's, before we get too deep into it, let's talk about the COVID impact because obviously a huge thing in security, a light switch moment at mid-March when everybody had to work from home so suddenly your attack surfaces increase exponentially. People are working out of home environments that you don't necessarily know what's going on there or who's going on there, the shared networks with the spouse and the kids and everybody else. But now we're six, seven, eight months into this. This is something that's going to be going on for a while and even the new normal will have some type of a hybrid relationship with an increased level of remote work. I don't want to say work from home but it's really work from anywhere. So I wonder if you can share your thoughts about how things have transitioned from what happened in mid-March, taking care of your own business and your own people to then taking care of your customers and the emergencies that they had. But now really thinking in terms of more of kind of a long-term fundamental shift in the security profile that people have with all their data and information. Yeah, gosh, it's been really interesting. I think organizations have done an amazing job when you think about the things that they've had to get done just really overnight. So a lot's been written about the pandemic and you mentioned Jeff too, really that expanded threat surface. All of a sudden you've got people working from home, there wasn't enough VPN capacity, a lot of places. I talked to some organizations, employees just took their desktop off of their desk and brought it home. So it wasn't really ready to work at a remote location but organizations really adapted well to it. Meanwhile, that was opportunity for the criminals and they've taken it. 
But Jeff, one of the things that I think about too is to an extent this is the new normal, not necessarily the work from home, but the shift that's going to consistently happen in cybersecurity, things change. The criminals are really smart, they adapt. So that was work from home. What's the next thing going to be? There's IoT, there's remote devices, there will be some vulnerabilities. We just have to get used to this pace and continue it unfortunately. Right, right, right. Yeah, it's always a little bit of a cat and mouse game, right? And then one of the other trends that we're seeing, I don't know, maybe more visibility or maybe higher profile is the ransomware attacks, right? So we've seen kind of this really interesting continuation of different types of security threats between just the local kid who's just trying to do it because it's fun versus competitive stuff where people are trying to take out their competitors versus nation states and nation states being kind of driving these attacks. But the ransomware we've seen before, but it seems to be increasing in frequency, maybe we're just hearing about it. What's special about ransomware as a specific type of security threat? So I started this practice about five years ago and at that point, ransomware was just barely a blip. It was really about destruction. And the way that we talk about it in the cybersecurity space is, there's this triad, these three components of our data that we're trying to protect. So one of those is confidentiality and that traces back to the attacks you're talking about. That's when somebody steals your data. You don't want them to do that. That breaks the confidentiality of the data. And that's really where the cybersecurity controls kind of grew up around that. You didn't want credit cards or intellectual property, healthcare information, and that's still a problem. With ransomware, they're affecting the availability of the data or the integrity of the data.
And those are the other two prongs that go with confidentiality. And so these attacks, that's why they feel different. They're impacting your ability to access the data, which in many cases can shut a business down. You know, there have been headlines over the last couple of months, some businesses that really were closed off or components of their business that were shut down. And it's because they didn't have their data or their systems, and then eventually they either found a way to recover them or perhaps, in many cases, the speculation is they paid the ransom to get the data back. Right. And of course the problem with ever paying a ransom is that you don't necessarily know you're going to get the data back, that you may just be encouraging them to hit you again. So paying the ransom is not necessarily the best solution. And then in talking about this thing, turns out that in fact not only may it not be the right solution, you may be breaking the law. This is a pretty interesting thing. I had no idea that there's really laws dictating, you know, I guess responding to a criminal threat. What, where does that go? What's that from? Yeah, that's, we've talked about this for a while, but it wasn't until about two weeks ago that some information was released from the Department of Treasury. So the idea here is that every, not every country, many countries, the US among them have lists of countries and organizations that you can't do business with. So essentially a prohibited or sanctions list. And as it turns out, many of the ransomware bad actors, and Jeff, it's actually the real name of one of them, Evil Corp. It sounds like a movie or a book, but that's one of the ransomware bad actors. They're on those lists. So if you get attacked by an organization that's on the list and you pay them, you've now completed a transaction with a prohibited entity and you're subject to potential sanctions.
There was a lot written about this being a new law or the US came up with this law and that's not the case. The laws have been on the books for a while. It was the Department of Treasury kind of issuing some guidance, just nudging people, hey, by the way, you shouldn't be doing this. And some of the research I've done, a lot of countries have these laws. So while it's just the US that came out with this advisory, which was very public and certainly a big wake up call, these laws exist in a lot of other countries. So organizations really need to be prepared for what they're gonna do if they get hit with a ransomware attack, not really counting on paying the ransom for the reasons that you said, plus it may be against the law. And just to make sure I understand you, it's against the law because you're effectively doing business by having a financial transaction with one of these prohibited either organizations or they're in a prohibited country. Completely. That's correct. It's mostly about the organization. And then an interesting component of this and we won't get into too much of the weeds on the legal side, but the law is actually a strict liability. So that means it doesn't matter whether you knew or should have known that the entity was on a prohibited list. The mere fact of having that transaction makes you liable. And then the way that the regulations are written, you can't get someone else to do your dirty work for you. So if you are facilitating that transaction in any way, you may be running afoul of those laws. Jesus, one more thing to worry about where you're trying to get your business, you're trying to get your business back up and running. But specifically with ransomware and why it's different. I mean, there's been business continuity planning forever. You guys have backup and recovery solutions. There's so much effort around that. What's different here?
Is it just because of the time in which you have to respond, the availability of those backups to come back and get in production? What makes ransomware so special from a business continuity perspective, besides the fact that you're not allowed to pay them because it might be breaking the law? A lot. You hit on a couple of things there. So we've known forever that with DR, disaster recovery, one of the major things you're doing there is you're replicating data quickly so that if you lose site A, you can pop up at site B. With ransomware, you're replicating the corrupted data. So you lose that. With backups, the bad guys know, just like you mentioned, that if you have a backup, you could use that to recover. So they are more frequently now gathering their credentials and attacking the backups. So many cases we see the backups being deleted or otherwise destroyed. And that's really where we have focused with our PowerProtect Cyber Recovery solution is creating an extra offline, air-gapped copy of the most critical applications that's not going to be susceptible to the attack or the follow-up attack that deletes the data. So let's jump into that a little bit in a little bit more detail. So this is a special solution really targeted as a defense against ransomware because of the special attributes that ransomware, I guess threatens, threatens, or the fact that they also go after your backup and recovery at the same time, knowing you're going to use that to basically lower the value of their ransom attack, that's crazy. Yeah, they're smart. These attackers are smart. There's billions of dollars at stake. I think organizations like Evil Corp estimates are they could be making hundreds of millions of dollars. So they're not even small businesses. They're almost industries unto themselves. They have advanced tactics, they're leveraging capabilities and they have products essentially.
So when you think about your production data, your backups, your disaster recovery, those are all in environments that they're not accessible on the internet, but that's where you're doing business. So there is access there. There's employees that have access and the bad guys find ways to get in through spear phishing attacks where they're sending emails that look like they're from somebody else and they get a foothold. Once they have that foothold, they can leverage that access to get throughout that production environment. They have access to that data and they delete it. With cyber recovery, what we're doing is we're creating a vaulted environment that's offline. They can't get there from where they are. So they can't get access to that data. We lock it down, we analyze it, we make sure that it's good and then this happens automatically in day over day. So you've always got that copy of data. If your worst case scenario develops and you lose your production environment and that happens, you've got this copy of data for your most critical applications. You don't want to copy everything in there that you can use to actually recover and that recover capability, Jeff, is one of the pillars of a cybersecurity structure. So we focus a lot, kind of like you said before, what's different about these attacks? We focus a lot on protecting data and detecting bad guys. This is the recover capability that is part of all these frameworks. Right, so there's a lot to unpack there. Before we get into the recovery and actually why don't we just start there and then I want to get into the air gap because that's a great thing to dig in. On the recovery, what's kind of your targeted SLA? Is it based on the size of the application? Is it based on a different level of service? I mean, what is the hope if I buy into this solution that I can get my recovery and get back into business if I choose not to pay these guys? What does that kind of look like? 
So most of the time we're providing a product that our customers are deploying and then we have some partners that will deploy it as a service too. So the SLAs may vary, but what we're targeting is a very secure environment and you can look at how it's architected and think about the technologies. If it's properly operated, you can't get there. You can't get to the data. So the points that we're really looking at is how frequently do we want to update that data? So in other words, how much data can you afford to lose and then how long will it take you to recover? And both of those, you can leverage the technologies to shorten those up to kind of your requirements. So loosely speaking, the shorter you make the time, may cost you a little bit more money, a little bit more effort, but you can tighten those up pretty much to what your requirements are going to be. Right, right. And then let's talk about air gaps, because air gaps mean something very, very specific. It literally means classically, right? An air gap, there is a space in between these systems until electrons learn how to jump. They're physically separated, but that's harder and harder to do, right? Because everything is now API based and everything is an app that's based on a bunch of other apps and there's calls and everything is so interconnected now. But you talked about something specifically, you said an automated air gap, and you also said that we're putting this data where it is not connected for some period of time. So I wonder if you can explain a little bit more detail, how that works, how it's usually configured to reintroduce an air gap into this crazy connected world. Yeah, it's kind of going backward to go forward in a lot of ways. When we're careful about the term, we'll use the term logical air gap, because you're right, Jeff, an air gap is, there's a gap. 
And what we're doing is we're manipulating that air gap in a way that most of the time that data, our safe data, our vaulted data is on the other side of the air gap, so you can't get there. But we'll bring it up an air gap, we'll logically enable that air gap so that there is a connection which enables us to update the data that's in the vault, and then we'll bring that connection back down. And the way that we've architected the solution is that even when it's enabled like that, we've minimized the capability to get into the vault. So really, if you're a bad actor, if you know everything that's going on, you might be able to prevent the update, but you can't get into the vault unless you're physically there. And of course, we put some controls on that so that even insiders are very limited in what they can do if they get inside the vault and the APTs, the advanced persistent threats, people who are coming from other countries, since they're not physically there, they can't access that data. That's good. So it's on, it's off, but it's usually off most of the time so the bad guys can't get across there. Yeah, and again, it's important that even when it's on, it's a minimal exposure there, so you think about our triad, the confidentiality, integrity, availability, we're blocking them from getting in so they can maybe do a denial of service type of attack, but that's it. They can't get into break into the vault and break things and destroy the data like they would in production. Right, right. I want to shift gears a little bit, Jim. And I've gone to RSA, I think for the last three or four years of faculty, I think it was the last big live event we did in 2020 before everything came to a screeching halt. 
And one of the things I find interesting about the security industry is it's one of these opportunities for a co-opetition within the security industry that even though you might work for a company that competes with another company, there's opportunities to work with your peers at other companies, so you have more of a unified front against the bad guys as well as learn from what's going on with some of the other people so you can learn from the attacks that are surfacing. There's an interesting organization called Sheltered Harbor that I came across doing research for this. You guys have joined it. It was basically, it looks like it was built around 130, this article was from earlier in the year, probably growing, it's from February. 130 participating financial institutions which collectively hold 72% of all deposit accounts and 71% of all US retail brokerage assets. This is a big organization focused on security. Dell joined not as a financial institution but as a vendor. I wonder if you can share what this organization is all about, why did you guys join and where do you see some of the benefits both for you as well as your customers? Yeah, there's a lot there, Jeff. I've been part of that process for a little bit over two years and kicked it off after we identified Sheltered Harbor as an organization that we wanted to work with. So as you said, founded by some of the banks and credit unions and other financial institutions in the US and what's unique about it is it's designed to protect the US financial system and consumer confidence. It's not actually designed to protect the bank. So of course that's an outcome there if you're protecting consumer confidence then it's better for the banks, but that's really the goal. And so it's a standards-based organization that looked at the problem of what happens if a bank gets attacked? What happens to the customers?
So they actually came up with a specification which follows so closely to what we do with cyber recovery. They identified important data, they built requirements, not technologies, but capabilities that a vault would need to have to protect that data and then the processes to recover that data if an event occurred. So we talked to the team for a while, we're very proud of what we've been able to accomplish with them as the only solution provider in their advisory program and the work that we've done with the PowerProtect cyber recovery solution. We have some more news coming out, I'm not permitted to announce it yet, it's pretty soon so stay tuned and it's just been a really great initiative for us to work with and the team over there is fantastic. Right. So I just wondered too if you can share your thoughts as the role of security has changed over the last several years from kind of a perimeter based point of view and protection and walls and firewalls and all these things which has completely broken down now to more of an integrated security approach and baking security into your data, to your encryption, to your applications, your access, devices, et cetera. And really integrating security more into the broader flow of product development and delivery and how that's impacted the security of the customers and impacted professionals like you that are trying to look down the road and get ahead of the next kind of two or three bad things that are coming. How's that security posture really benefited everybody out there? I think it's a really difficult problem that we just keep working at and again, we don't have a goal because if we're targeting here the threat actors, the bad actors are going to be here. I was reading an article today about how they're already the bad actors are already employing machine learning to improve what they're doing and how they target their phishing attacks and things like that. So thinking about things like security by design is great.
We have millions, billions of devices. And if we start from the ground up that those devices have security built in it makes the rest of the job a lot easier. But that whole integration process is really important too. I mentioned before the recovery capability and protect and detect. If you look at the NIST cybersecurity framework has five pillars that have capabilities within each one and we need to keep focusing on our capabilities in those spaces. We can't do one and not the other. So we do multi-factor authentication but we need to look at encryption for our devices. We need to build from the ground up. We need to have those recover capabilities. It's just kind of a never-ending process but I feel like one of the most important things that we've done over the last year partly driven by the changes that we've had is that we're finally recognizing that cybersecurity is a business issue. It's not an IT issue. So if you're digital and your assets are digital how can you confine this to an IT group? It's the business, it's risk. Let's understand what risk is acceptable, cover the risk that isn't and treat it like a business process that it is. That's great. Because I always often wonder if you think of it as an insurance problem then you're going to be in trouble because you can't just lock everything down. You got to do business and you always think of the ships are safest at harbor but that's not what ships are built for. You can't just lock everything down but if you take it more of a business approach so you're measuring investments and risk and putting dollar amounts on it then you can start to figure out how much should I invest in security because you can't spend 100% of your revenue on security. What is the happy medium? How do you decide and how do you apply that investment where it's kind of a portfolio strategy problem?
It is and that's one of the areas that again my five years in building the practice we've seen organizations start to move to so you want to protect your most important assets the best and then there are things that you still want to protect but you can't afford the time, the budget the operational expense of protecting everything. So let's understand what really drives this business. If I'm a law firm might be my billing and document management systems and healthcare it's an electronic medical record and manufacturing it's the manufacturing system. So let's protect the most important things the best and then kind of move down from there. We have to understand what those systems are before we can actually protect them and that's where the business really needs to work more closely and they are with IT teams and with the cybersecurity teams. Right, and like a lot of big problems, right? You got to break it down, you got to prioritize you got to start just knocking off what's important and not get so overwhelmed by trying to protect everything to the same degree that's just not practical and it's not a good investment. That's exactly the case and there's the ongoing discussions about shortage of people in the cybersecurity space which there are but there are things that we can do that to really maximize what those people do get them to focus on the higher level capabilities and let the tools do some of the things that the tools are good at. Right, so you triggered one last point and we'll wrap on this but I'll give you the last word. As you look forward to things like automation and to things like artificial intelligence and machine learning that you can apply to make those professionals more effective and automate some stuff. How do you see that evolving and does that give you big smiles or frowns as you think about your use of AI and ML versus the bad guys that they have some of the same tools as well? They do and look, we have to use those to keep up.
I'll give you an example with PowerProtect Cyber Recovery. We already use AI and ML to analyze the data that's in our vault. So how do you know that the data is good? Well, we're not gonna have somebody in the vault looking through the files. By leveraging those capabilities we can give a verdict on that data and so you know that it's good. I think we have to continue to be careful that we understand what the tools are and we deploy them in the right way. We can't deploy a tool just to deploy it because it's hot or because it's interesting. That goes back to understanding the systems that we need to protect, the risks that we can accept or perhaps cover with insurance and the risks that gosh, we really can't accept. We need to make sure that the business continues to operate here. So I think it's great. The communities have really come together. There's more information sharing than ever has gone on and that's really one of our big weapons against the bad actors. All right. Well, Jim, thank you so much for sharing your insight. I think your job security is locked in for the foreseeable future. We didn't even get into 5G and IoT and ever-increasing attack surface and sophistication of the bad guys. So thank you for doing what you do and helping keep us safe, keep our data safe and keeping our companies running. Thank you for the opportunity. Alrighty. He's Jim, I'm Jeff. Thanks for watching theCUBE's continuous coverage of Dell Technologies World 2020, the digital experience. Thanks for watching. We'll see you next time.