00:00hi everyone welcome to the a 6nc podcast
00:02today's episode is one of our shorter
00:04one voice bytes based on a longer
00:06presentation that was delivered recently
00:07at our tech policy summit in DC general
00:10partner Martine casado who has long
00:12worked in the world of security from his
00:13days and nights at the Lawrence
00:15Livermore National Laboratory and
00:16Department of Defense working with the
00:18intelligence community to later serving
00:19as general manager at VMware of the
00:21networking and security business unit
00:23Martine shares a twist on a typical
00:25conversation around cybersecurity
00:26because at the end of the day it's
00:28really just security and physical
00:30security is where it's at I've given a
00:32lot of security talks and I've seen a
00:33lot of security talks being given and
00:35they all kind of follow like roughly the
00:37same formula that's by the way this is
00:38going back until like the late 2000s
00:40it's all something of the following
00:41which is like we don't know what we're
00:42doing the bad guys are getting worse
00:44like our defenses aren't keeping up and
00:46you know we're like kind of heading to a
00:48digital Pearl Harbor so you go critical
00:50infrastructure and we're connecting more
00:51things and it's like the end of the
00:52world and yadda yadda yadda right you
00:54know I know you were 13 years later and
00:57like we're still standing and things are
00:58fine and things are progressing and so
00:59forth and so what I really want to do is
01:01I want to kind of have a different type
01:03of discussion here and two I want to
01:04acknowledge cybersecurity is an issue
01:06for sure and like as a civilization as a
01:10society we're trying to understand what
01:12it means certainly as a legal system
01:13we're trying to understand what it means
01:15but the reality is we kind of have it
01:17handled to like business is growing like
01:19we're actually doing a pretty good job
01:21of standing off attacks we do see
01:23attacks and we're able to recover really
01:24on top of a lot of these things but I
01:26want to highlight why we're in a great
01:28position to keep track of that
01:29sophistication and get on top of it and
01:31then I actually want to flip the
01:32discussion a little bit and saying you
01:33know what cyber security really is just
01:35security these days right like I know
01:38that we like to like kind of myopically
01:39focus on the notion of cyber but the
01:41reality is anytime you look at security
01:43you have to look at cyber assets that's
01:45look at physical assets you have to look
01:46at human assets and I actually think
01:49that we're in a great position for cyber
01:50to have a very very positive impact on
01:53physical security so I want to move
01:54there so I used to run networking
01:56security for VMware as of a year ago and
01:59so we ran all networking security and I
02:01worked with a guy named Tom Korn who's
02:03the chief security officer of RSA and so
02:06together we actually went through a
02:07whole bunch of recent attacks and we
02:09canonicalized them to to give a sense of
02:13Tac looks like and I think this provides
02:15a great framework of like what the
02:16challenges are and if you want like some
02:18high-level thought about how cyber has
02:21evolved I would say it's the following
02:22it's like what used to be kind of in the
02:24domain of nation-states is now fairly
02:26routine that's it that's a way to think
02:28about it so like listen we've been
02:29dealing with these types of attacks for
02:30a long time they certainly don't look
02:32very different than what I saw 15 years
02:33ago but now you actually see them kind
02:35of out commonly I would say that
02:37actually we've got some pretty good
02:39mechanisms for finding and stopping
02:41attacks but this has kind of moved us
02:43into a new area of cyber security so if
02:45you want to look forward I'd say here's
02:47the trends that we're seeing going
02:48forward that's just a dealing with
02:50security overload and that's is that now
02:53we have so many boxes and so many
02:54mechanisms and so few trained security
02:57professionals I would say you know what
02:58we're pretty good on the mechanism side
03:00and we're pretty good at understanding
03:03the problem but we've got this massive
03:04dearth in like how you can understand
03:07all of these alerts and how you
03:08understand all of these messages and so
03:10forth and the problem is particularly
03:12acute at the Security Operations Center
03:15so the way that many of these companies
03:17that many large companies work or the
03:19government works is you know everybody's
03:21doing their business you've got all of
03:23these boxes there that look for alerts
03:25and when those alerts happen they come
03:26back to an operation center then you
03:27have people looking these operations
03:29center but from an industry perspective
03:31the amount of like alerts that they get
03:33and the amount of boxes they can deploy
03:35in the amount of clue that's needed is
03:36much much higher than our ability to
03:38respond so again why I think we've got
03:40good mechanisms and good technologies
03:42our ability to actually consume them is
03:44hampered and so I think we're in this
03:47era that we need to like create kind of
03:48like the self-driving Security
03:49Operations Center that like at a macro
03:52view if you want to look at kind of
03:53what's driving a lot of security
03:56investment in security movement is that
03:58so here's the good news the good news is
04:00like over the last decade this is
04:03exactly the types of problems we've got
04:04a really good at especially from like
04:07the consumer internet companies right
04:09we're really good at managing large
04:10amounts of data we're certainly good at
04:12AI and automation and we're very good at
04:14actually handling you know lots of very
04:17distributed components so in look like
04:21very particular about what we're seeing
04:22as far as the emerging trends so again
04:24if I was to encapsulate where the
04:27is the attack got much more
04:29sophisticated the actual industry
04:31responded I think in a very positive way
04:33for every part of the kill chain but now
04:36we're kind of in this proliferation of
04:38responses and now we're starting to see
04:40this massive simplification start
04:42happening so you see companies that are
04:44like you know attacking the problem from
04:46like a big data problem like we're gonna
04:47look at all of the alerts that we can
04:48possibly can and create a giant funnel
04:50and only pop out the ones that are
04:51important we're definitely doing like
04:53the user behavior where you're taking
04:55like AI to try and understand normative
04:58behavior for users is a big one of
05:00course automation which is you've got
05:02people in security operation centers
05:04that are hunting and trying to figure
05:05out what's going on it turns out you can
05:07automate a lot of that or at least scale
05:08out a single user I don't believe you'll
05:10ever replace the security automation
05:12engineer but you can certainly automate
05:14a lot of the tasks that they do and
05:16scale them out and then we've also very
05:19very good at creating global
05:20abstractions we're very very good at
05:21building systems that are Google size or
05:23Amazon size or Facebook size which
05:25allows you to take kind of these
05:26high-level security ideas and
05:27proliferate them through an entire
05:29deployment so I know this is very very
05:31high level but I just wanted to give you
05:33an idea of like when we look at trends
05:34and what we fall in the security
05:35industry our goal is not I mean at this
05:38point like they necessarily new
05:40mechanism new type of firewall but like
05:43how do you make what we have fully
05:44consumable all right so I want to shift
05:48gears here and talk about how I'll
05:51actually software I think is making the
05:52world a safer place and so the more I
05:54look at security demand the more we look
05:56at security the more it seems that cyber
05:58security is security and I said this
06:00before and what I mean by that is let's
06:01say that you were gonna do a security
06:03operation outbound like you're gonna go
06:04break into something and I gave you a
06:06dollar to to fund that operation with
06:09like how much that dollar you think
06:11you're gonna actually spend on cyber so
06:15my my contention is probably not a lot
06:16right I mean you'll spend it on like
06:18physical assets you'll spend on an
06:19internal assets you'll spend it on a
06:21bunch of stuff and some of it will be
06:22cyber so cyber to me is just one part of
06:24an outbound operation often if you look
06:26at attacks that happened in the cyber
06:28world it's one of many things that that
06:30happened and so more and more we're
06:33seeing that the cyber problem is
06:34becoming the physical security problem
06:36but again good news is I think actually
06:38we're able now to apply cyber concepts
06:41world and actually improve physical
06:43security and meaningful ways the oldest
06:45physical access mechanism on the planet
06:47is a key right it probably hasn't
06:49changed in 3,000 years you've got some
06:51set of atoms like this you know physical
06:53thing that's hopefully none for jabal
06:54that will uniquely fit into a lock and
06:58then only that that holds it can open it
07:01and it has all of the problems we should
07:03if you give it to somebody else then
07:04they have access you can't take it away
07:06from them unless you physically take it
07:07away from them you never know when it's
07:08used you don't know they can delegate it
07:10etc I mean like like physical access
07:13control is incredibly crude and and
07:15cyber versions of access controls are
07:17very sophisticated so in the cyber rule
07:19for a file for example I know exactly
07:20who's accessing it I can tell when they
07:22can access it I can tell how they can
07:24access it I can say you can read up and
07:25not write it etc and so what we're
07:27seeing now for example is concepts
07:29around the cyber world like
07:30sophisticated access being applied to
07:33physical access control like even smart
07:36locks at homes you can say like listen
07:37you know this person can only access it
07:39two days a week this person I'm gonna
07:41revoke their access you know log every
07:43time anybody access said no delegation
07:45and so forth so that's just an example
07:47of how we're seeing the cyber world and
07:50cyber concepts impact the physical world
07:52I kind of want to reset the conversation
07:54broadly around security and I think
07:55actually the bigger influence is not
07:57that Oh like Internet of Things were all
07:58connected we're all going to die I think
07:59the actually the bigger trend that's
08:01going on is that cybers potential for
08:03impacting physical security is
08:04unbelievable I mean we've had these
08:06epochs in physical security in the past
08:08that totally changed the game that
08:09created misalignments whether it's like
08:11the dissolution of all states or whether
08:13it's airplane flight I actually think
08:15we're gonna see like a very similar in
08:16this alignment that happens because of
08:19what we're able to do with these things
08:21and you know what I think that's gonna
08:22require all of us to like rethink all of
08:24our strategies and really think all of
08:26our tactics and I actually think we as
08:29an industry certainly we as a society
08:33should think about those implications as
08:36much as we get worried about kind of
08:37think the lone hacker on our
08:39infrastructure and so with that thanks