No Trust for the Wicked

Season 01 // Episode 04

With guest Dave Lewis.

Guests

Details

This episode was original streamed on Thu, 20-May-2020 to multiple platforms. You can watch the streams (along with the comments) on-demand on:

Report card with check marks showing progressTranscript

[00:03:00] Rik: Good afternoon, good evening, good morning. Welcome back to Let's Talk Security. We have another fantastic guest for you today.

I was just ... During that countdown there, I was just checking my phone. And I realized that we have some pretty strong, competition. We're broadcasting live at the same time as the, UK Prime Minister giving the regular, pandemic update.

So some of you may be watching us on, on catch up. So for, for YouTube people, welcome also. For the rest of you that are joining us live you will obviously get to see, Dave's fantastic, karaoke rendition of Killing in the Name of, that's the song he chose.

I'm not responsible for the lyrical content. It was totally Dave's choice. But of course, as usual, if you are watching us on catch up, we have to remove that for copyright purposes.

[00:04:57] Our guest, Dave from Duo security, has a long and storied history in, in information security. We have a lot to talk about.

So let's get on with it. Dave, good afternoon, I guess? How are you doing?

[00:05:10] Dave: Yeah, just under the wire, yes. I'm good. And yourself?

[00:05:13] Rik: I'm, I'm, I'm well. I'm curious how, how it's been dealing with, dealing with a lockdown in, in, in the Great White North, in the frozen tundra of the Great White North.

How was that?

[00:05:23] Dave: Well see, in Canada we're used to being locked up during the winter. You know-

[00:05:27] Rik: [crosstalk 00:06:30]

[00:05:27] Dave: ... At least they have critical services open, such as, you know, the LCBO, which is where we get our wine, and so on and so forth, so that keeps us, you know, sane.

[00:05:35] Rik: Yeah, so that's, that's part of, critical national infrastructure in Canada, I believe.

[00:05:37] Dave: yeah, absolutely. It's right next to the coffee shops, and the donut shops.

So, you know, we, you know, we know how to take care of ourselves.

[00:05:44] Rik: Very good. Now you and I, we've had, or I've had the pleasure ... I don't know what it's like meeting me.

[00:05:50] Dave: [laughs].

[00:05:50] Rik: But I've had the pleasure of meeting you. All right?

[00:05:52] Dave: Likewise.

[00:05:53] Rik: It must be awful meeting me, I think. I wouldn't want to do it. I've had the pleasure of meeting you, I think, only once though, at an event somewhere in Scandinavia, if I remember rightly.

'Cause Mick [inaudible 00:07:05] was there as well.

[00:06:01] Dave: Yeah. That ... Yeah, that was the only time we actually got to spend any time hanging out at all.

[00:06:05] Rik: That's what I thought.

[00:06:05] Dave: and that was in Stockholm, yeah. But we've run into each other at other events, but it was just sort of like, "Hey." And then gone. [laughs].

[00:06:11] Rik: Yeah. Yeah, but we actually had some time to sit down and chat. And, you were at the time, you were not with Duo yet, right?

[00:06:19] Dave: That's correct, yeah.

[00:06:19] Rik: Yeah.

[00:06:19] Dave: I was with another firm at that point. We hadn't lost the floor.

[00:06:23] Rik: But one of the, one of the things that ... 'Cause p- previously you were with Akamai.

And now you're with Duo, who have now become part of Cisco, so it's kind of a, a, just a small part of what I s- called your long and storied history, in that, that brief intro there. One of the things, certainly that Akamai and Duo/Cisco

...I'm just going to call it duo, because Duo-

[00:06:43] Dave: Yeah.

[00:06:43] Rik: ... Now are part of Cisco. And Duo/Cisco is far too long, so I'm sticking with Duo.

[00:06:47] Dave: Right. Yeah.

[00:06:48] Rik: one of the things that, that you have in common, in terms of messaging and areas of focus, is, this idea of zero trust security.

[00:06:57] Dave: Yeah.

[00:06:58] Rik: Right? I certainly see messaging from Akamai about zero trust. I know that it's kind of the core of what, of what Duo is about.

It was a, it, a concept that originated, with Forrester, as an architectural concept. But my feeling is, and t- you know, shoot me down in flames if, if you think I'm wrong.

That's what I'm here for. My feeling is, that it's a term that has been adopted, let's use that word, by marketing departments, and PR departments quite strongly recently.

And I think the net result of that, as with many [laughs] other terms in our industry, is a lack of clarity about what we're actually talking about.

[00:07:39] So I wanted to ask you first and foremost, from your perspective, from Duo's perspective, what is zero trust all about?

What are we actually talking about when we talk about zero trust security?

[00:07:50] Dave: Well yeah, so it goes back even further than that. So they had the Jericho Forum back in about 2003, 2004. Came out with a paper on de-perimeterization.

And that really was the first stake in the ground. Although I've been told there was something along those lines at DEFCON one. I haven't found the actual data for that particular talk, but-

[00:08:10] Rik: Right.

[00:08:10] Dave: ... It is ... I, I have been told as much. So it's about reducing risk. And it's not about blinky lights, it's not about, "Here, buy this product and everything'll be magically solved."

It's about doing all of those core fundamental things right that we should've been doing for the last 25, 30 years.

And if you are new into the space in the last couple of years, I apologize for being an old curmudgeon, but I've been around this block a few times, so.

[00:08:32] Rik: Yeah.

[00:08:33] Dave: Zero trust is a marketing term in many ways, but it did a great service when it was coined ... It was John Kindervag back in 2010.

When he coined that term at Forrester, it got people to pay attention. It got people to start going, "Oh, wait a minute, maybe this is something we should be doing?" And I was like, "You think?" [

[00:08:51] Rik: laughs] You're thinking, "It's something you probably should've been doing for about a decade."

[00:08:55] Dave: yes, at the very least. Because a lot of these things aren't really rocket surgery at all. You're looking at dealing with user-management.

You're dealing, making sure you have networks on segmentation. You make sure the, the vices that are attaching to your network are the ones that are supposed to be there.

None of this is new. None of this is ... If this is new to you, then, I do apologize, this should be old-hat at this point for all of us, unless you've been freshly minted into this career space.

[00:09:24] Rik: So why, why did somebody ... Why was there a, a knowledge gap, or a practice gap, or ... Why was there a reason?

Why did that term need to be popularized, in order for things to change? What, what was the roadblock?

[00:09:39] Dave: Oh, honestly, I had not ... In retrospect I can look back at it and go, and say, "All right hindsight 20:20, yes I understand at this point."

At the time I didn't recognize it, because I was so deep in the weeds, but we as security practitioners have, and still do, have a bad habit of chasing the next shiny thing. You know, it's sort of like, "Oh, well this is something I should be looking at."

Or you have, you know, a CSO, or a CEO, or whatever it happens to be, walk into your office with a magazine that they read, saying, "Is this something we need to be worried about?"

And then you spend the better part of the next 48 hours trying to show, him or her why this isn't an issue.

[00:10:13]we do a lot of running around with our hair on fire. And approaching it in, you know, what was coined zero trust, or trusted access, or whatever you want to call it, is about putting your arms around it and doing it in a cohesive fashion.

It's the lather, rinse, repeat that we tend to skip past because, you know, we know we should be brushing our teeth, but ... That tired analogy of the toothbrush.

We really don't see it as essential, because it's not the sexy thing that we want to be taking care of, you know? It's like logging, people don't want to look at logging, but it is absolutely crucial.

[00:10:47] Rik: It, it's crucial to a lot of functions that you want to layer on top it, effectively, right? You don't do incident response without logging for example.

You don't so threat hunting without logging.

[00:10:55] Dave: Yeah.

[00:10:55] Rik: It's kind of a, a base, a base service that you need. It, it seems to me that the, the Jekyll to, to zero trust's Mr. Hyde.

God, I'm coming out with all kinds of stupid expressions today. That's just another one for the list. And something that people used to do before, is trust but verify.

Are they mutually exclusive?

[00:11:19] Dave: no. I mean you, you are ... It depends on what the risk appetite in the organization is. If you are making, you know, teddy bears, or you're making centrifuges, your risk profile is going to be markedly different.

So you really have to approach things from the perspective of, what is the risk appetite for your organization? What are your fiduciary responsibilities to your org? And then backtrack from there.

So there's a lot of heavy lifting you need to do before you talk to any of us vendors. You want to make sure you know what you're trying to secure before ...

Like, we're happy to help, but you got yo do your homework before you come talk to us.

[00:11:53] Rik: So, t- the other thing, and I'm going to move on shortly, but you know, I've got nagging questions too.

And the, the other thing ... And actually this gives you a, a chance to, to plug your stuff, which I'm sure your, your employer would be grateful for. But it's an honest question.

[00:12:08] Dave: Yes.

[00:12:09] Rik: I like Duo. I use it. I like it a lot. Why is it so different?

[00:12:15] Dave: Well this, goes back to the core, foundation that was laid down by Doug Song and Jon Oberheide when they started the company.

They wanted to approach it from a phrase that I will steal liberally from them, of democratizing security. It's about making it as accessible and easy to use for the Luddite as it is for a technical person, while accomplishing a secure aspect.

Like, for example, my 75 year old mother can use Duo, and she does. Whereas PGP ... Absolutely love the tool, don't misunderstand me for a second.

I love the tool, but it was written by engineers for engineers. I will never expect somebody who is non-technical to be able to use that without a great deal of heavy lifting.

Whereas with Duo's MFA solution, it's pretty self explanatory.

[00:13:02] Wendy Nather, my boss, she likes to use the version, of the story of the spoon. You know, infants in- instinctively know how to use a spoon. It is a design issue.

So if we are designing security products that are going to be easy to use, and effective, then we're helping to extend our perimeter and extend our security overlay in such a way that we're enabling these people to become champions of security.

[00:13:29] Rik: What, what I've noticed, while, while, infants may instinctively know how to use a spoon, they don't seem instinctively to know where their mouth is. That's the thing.

[00:13:37] Dave: I can't ... Yeah, see that's the part we can't help with. I've been through that twice. They're very good at finding their forehead, their eyes, and various other-

[00:13:44] Rik: Yeah. Yeah, I'm, I'm going through that right now.

[00:13:49] Dave: [laughs].

[00:13:49] Rik: [laughs]. And the, so the other part of your, job role you're, certainly your title anyway, at, at Duo, is that you're advisory CSO.

And actually I was toying with a couple of different titles for this particular, episode of season one. And my alternative for No Trust for the Wicked, which I ended up choosing because, if you haven't ever listened to New Model Army, you should listen to New Model Army, just saying.

No Rest for the Wicked is a great album. But the alternative, was I Don't CSO Good. Because your other role is…

[00:14:22] Dave: [laughs].

[00:14:22] Rik: ... Advisory to C- [laughs] It, I thought it was pretty good. But it got-

[00:14:26] Dave: That's a good one. That's a good one.

[00:14:26] Rik: ... Vetoed by, by my much wiser, wife. I Don't CSO Good, because the other part of your role is advisory CSO.

[00:14:33] Dave: Yes.

[00:14:33] Rik: and I know that you have track record in there, which, which we'll get onto and talk about, later anyway in the CSO space, so to speak.

What ... Who needs an advisory CSO? What, what do you bring to the table? Wh- why has that become part of your role?

[00:14:48] Dave: well, it, it started as a role that for all intents and purposes I created when I was at my last job at Akamai. And, by no means take 100% credit for that at all, but I built it into what now I do for Duo/Cisco is, you know ... Ah, who needs it?

Anybody who is willing to share information. And understand, and grow. And I'm not saying that from the perspective of I, I know everything, 'cause I certainly don't. But I can help facilitate conversations.

I can share from my experiences, and the things that I did wrong in my 20-odd years of being a defender. I'm, you know, I made [laughs] a fair share of mistakes and, you know, being able to share these stories with each other to network.

[00:15:30] And another thing that I'd like to do a lot is, we do these CSO round tables, where we'll get to, you know, small group of CSOs together, and we will share stories.

And the biggest takeaway that I always find is very successful, is getting them all to share information with each other, contact information that is-

[00:15:45] Rik: Right.

[00:15:46] Dave: ... So that they stay in touch with each other. And I, I say to them quite simply, "I'm not in sales, but, you know, if you want to do me a big favor, do this. Because I find that we are stronger when we are together."

[00:15:57] Rik: And you, you must, like you say, you, you've 25 years or so of experience, a, a bunch of different roles across that time, like any of us who've been around that long.

You, I'm sure you see, you see two things. You see w- the new challenges, what's happening now that's new and different, and you see what have we consistently failed to get right? The perennial problems that a CSO faces. And I'd like to talk a little bit about both of those.

Maybe, maybe let's talk about the perennial stuff first. Because I know from my own experience that I'll show up at events and I'll, you know, they'll ...

There's this long agenda that has a title and, and I've provided a, a description of what I'm going to talk about.

[00:16:41] Depending on what I'm talking about, I may get comments from attendees, along the lines of, "Why are you going over the basics again? We want to know about the, the, you know, the most skilled APT, the, the, the, the sexiest zero day ..."

New shiny stuff, like you spoke about earlier on. And for me, there's already a good reason why we revisit the basics, because it's the basics that are to blame for the majority of the, the breaches and problems that we continue to see.

[00:17:08] So from a CSO perspective, not from a, me perspective, but from a CSO perspective, what are those perennial problems?

And maybe of you've got some insight, why are they so hard to fix? Or why are they not fixed?

[00:17:21] Dave: You, it ... Yeah, the, it, it dep- Well, see obviously your mileage with marry ... Marry? Again, your mileage will vary from one organization to the next. I- it ...

A lot of it has, you know, goes back to the old tenets of, you know, head count, having budget, having the ability to execute on these things.

[00:17:39] Rik: Exactly.

[00:17:39] Dave: How much of your money are you sinking in to annual maintenance fees for various security products in your organization? I remember when I was a defender, one of the things I ...

This vendor who no longer exists, so I will happily talk about this, is like, "Oh, we just want to install this one little agent on all your systems." And I said, "All right. How much CPU does it take?"

"Oh, it takes about 20% CPU utilization." And it's like, "Excuse me?"

[00:17:59] Rik: Right, [00:18:00] yeah.

[00:18:00] Dave: In addition to all these other things that we have running on there. And, they couldn't quite understand why I asked them to leave.

But that just it is ... In a CSO role, you are managing the risk. You're managing to, you know, enable the business to get their job done safely and securely. You aren't necessarily a hands-on technical person.

And a lot of folks out there that are relatively new in the field may not fully understand that a lot of this is, you know, death by spreadsheet, when you are a CSO.

And having the ability to have these conversations with other CSOs in the or- in, in your vertical, or in the wider audience, is great because you can share and lean on each other with these stories, be- to help build yourself, because you can't keep on tops of everything.

[00:18:45] Rik: Yeah. For sure.

[00:18:46] Dave: And especially with this accelerated landscape of wor- you know, being remote employees now. It has taken everything that we held near and dear to our hearts and amplified it to the factor of N. Where, you know-

[00:18:59] Rik: Because the reason I was talking, I was talking about when I ... The other half of the question was, you, you know, what are the new problems? Obviously some of it's pandemic-related.

[00:19:07] Dave: Yeah.

[00:19:07] Rik: And you've mentioned already remote working is definitely one of them. I would probably throw in there, cloud adoption acceleration, is probably a bunch of plans for cloud.

Whether that's Software as a Service, Office 365, whatever it my be, that has been accelerated.

[00:19:20] Dave: Yeah.

[00:19:21] Rik: or whether that's actually deploying, critical systems in cloud environments.

Maybe that's container adoption, or even, you know, serverless depending on how, how advanced, the, the software build environment is for that particular company.

What kinds of new problems ... It's interesting actually, referring back to what you were saying about, it's death by spreadsheet, and they're not necessarily all former practitioners.

[00:19:46] Dave: Mm-hmm [affirmative].

[00:19:47] Rik: that must play into when, when it's a technical agenda that get ac- accelerated, which is effectively what's happened in this odd period that we're living through now.

What kind of problems does that surface, organizationally, and personally for someone in a CSO-type role?

[00:20:03] Dave: personally for a CSO-type role, if they're non-technical, there is that stress level.

There is, you know, that concern of not fully understanding, or grokking the situation. But if they have the ability to have smart people working for them on their team, that can be, you know, lay the issues out clearly and concisely, they're, you know, there to enable their CSO.

Whoever he or she may be, they will need to be armed accordingly, because, you know, they have to go champion for the organization, they have to go champion for their team to get budgets and all that sort of thing.

[00:20:33] Rik: Yeah.

[00:20:34] Dave: So if they have the right information, that's key. So you have to hire smart people to help you with that. I always love to use the phrase, "I like to be the dumbest person in the room, because then I'm always learning."

It's a challenge for any role like that, because when I sat in that seat for two years at a power company, I learned very quickly that if I wanted a friend I had to buy a dog.

And I really should've invested in Kevlar, because it always felt like somebody was gunning for me.

[00:21:02] Rik: Yeah, you ... So, that's, that's been another interesting question, 'cause CSO a role has really risen in prominence, or maybe even only really properly existed, let's say, for 10 years?

[00:21:16] Dave: Yeah, that's fair.

[00:21:17] Rik: and what struck me as being a really interesting question around the CSO role, per se, is the reporting line.

[00:21:26] Dave: Mm-hmm [affirmative].

[00:21:26] Rik: So, I'd love to hear your take on who should a CSO report to and why.

[00:21:32] Dave: Well, it's usually frowned upon to have the chickens reporting to the fox.

[00:21:36] Rik: Yeah.

[00:21:36] Dave: But, far too often I see the CSO rolls out to the CIO.

[00:21:40] Rik: Yeah.

[00:21:41] Dave: And it's sort of a curious, you know, s- set up. But I have actually seen a shift with a lot of, companies are now having that, function roll up to a chief risk officer in a lot of cases.

Or the chief financial officer, which your mileage might v- vary as well, but it- it's really good in that regard because you are then separating it. So you have some sort of delineation between the two groups.

Because, you know, everybody is there to make sure that g- work is getting done safely and securely, but if you have the people that are trying to make sure that you're safe and secure reporting to you, and your budget, your bonus structure and all of that is on the line, then it sort of can skew the results.

[00:22:20] Rik: Yeah, my, my problem with it was always that if you have the, the person who's effectively responsible for pointing out a security issue with some deployed technology, reporting to the person who ostensibly was responsible for, choosing that, or commissioning that technology, there's a clear conflict of interests, right? You, you-

[00:22:41] Dave: Yeah.

[00:22:41] Rik: If someone reports up and says, "Hey, this project, this big project that we decided to do has really increased our risk level because X, Y, Z."

Then there may be a temptation for the person who commissioned that project to underplay, downplay, or even hide that risk, which obviously isn't going to be good for the business.

[00:22:57] I love your suggestion of the, of reporting to a chief risk officer. Do you think that's a, a role that, is gaining in importance, within enterprises?

[00:23:07] Dave: It- it's something that I have see more of, in the last three to five years than I had historically.

I hadn't really seen a lot of that in the past, but with the advent of things like GDPR and things to that effect, it's driving more of the conversation towards, stewardship of data and accountability, so that is, driving the risk conversation more so than may have historically been done.

[00:23:30] Rik: Mm-hmm [affirmative]. Do you think CSO's a reporting to the board type position, or not, shouldn't be?

[00:23:35] Dave: y- you know what? A, a ... I have gone back and forth on that many times. I've seen a lot of companies where they had great success with it, and other organizations where it just flat out didn't work.

[00:23:48] Rik: Yeah.

[00:23:48] Dave: And they, that was ... But that was typically because it was somebody with the, the antiquated notion of, "I'm the flaming sword of justice," and how do we get to know? And that's always been a fractured notion.

[00:23:59] Rik: Yeah, yeah. For sure. Being, being the department of No was, almost a standard approach to security for quite a long time, and there's a lot of people, I think, who found it hard to break out of that, mindset of not being the department of No, but being the department of How, I suppose, is maybe a better, phrase for it.

[00:24:15]you ... I think the last time you presented at RSA was in, in the US anyway, was 2018. Is that right?

[00:24:24] Dave: Maybe. [laughs].

[00:24:26] Rik: Yeah. I think, I don't know.

[00:24:26] Dave: yeah.

[00:24:26] Rik: You didn't do one last year in the US, right?

[00:24:28] Dave: No, not last year, yeah.

[00:24:30] Rik: Yeah, so you did one in 2018 about security debt.

[00:24:33] Dave: Yes. That was-

[00:24:34] Rik: which is, another fantastic concept. Definitely something which has been picking up traction recently, and as a result something that is potentially being misused by people who haven't done enough reading.

So I wanted to give you a chance, to clarify that as well. Security debt is a, a very nebulous concept, I think, and it seems to have a lot of different meanings to a lot of different people. Is there a core definition?

[00:25:01] Dave: Yeah. There ... Well for my core definition, it is anything that you have accepted the risk for but have done nothing to mitigate.

One c- particular company I worked at, we had accepted the risk on various different, security issues within the organization. By the time I arrived at the organization, some of these has been festrating and ... Not festrating, [laughs] festering, rather, for about a decade.

[00:25:21] Rik: Both. Choose both. T- both correct.

[00:25:23] Dave: Yeah. [crosstalk 00:27:47]

[00:25:25] Rik: Frustrating and festering.

[00:25:26] Dave: [laughs]. And it was, it was absolutely maddening. And they're like, "It's okay, we accepted the risk."

And then I, I just can't help but think of the Host Unknown video where they said ... Accepted the Risk video. But this does nothing good, because it adds, what I like to refer to as compound interest over time.

You have a problem that has been introduced that ... Sure you've accepted the risk, you say, "You know, we're willing to live with this."

But as new software patches come out, as new, applications are rolled out, this problem can grow over time. And Heartbleed is really an interesting example of this because-

[00:25:58] Rik: Right.

[00:25:58] Dave: ... While it was an unknown at the time, the problem was there and it did grow over time.

The thing that frustrates me about it now is that if you do a quick s- search of Shodan for, pick a country, you'll get X number of results of Heartbleed instances that are still there. And what are we? Like six years out? Five years out now?

[00:26:18] Rik: And it, and it's not just Heartbleed, right? That's an example that you could've-

[00:26:22] Dave: Yeah.

[00:26:22] Rik: ... Picked among many other, I guess.

[00:26:23] Dave: Yeah.

[00:26:24] Rik: you know, WannaCry being a- another great example that, that illustrated, technical debt, security debt, right?

[00:26:30] Dave: Yeah.

[00:26:30] Rik: That was abusing a protocol that really shouldn't have been in [laughs] widespread use anymore anyway, and certainly shouldn't have been that widely exposed. It shouldn't...

If people were not finding themselves at this level of debt, then events like that wouldn't have been anywhere near as widespread as they were, I guess, right?

So that's kind of the, the, the lesson. That's, that's why security debt's a bad thing. So how do you deal with it?

[00:26:54] Dave: you know what? It, it really is making sure that you're tracking the risks in your organization effectively, and making sure that you're figuring out a way to get to end of the job of how you're going to remediate that.

You can't just accept it, wave the magic wand, and hope that the auditors'll leave you alone, you really have to have a cohesive plan on how you're going to get to end of job.

[00:27:12] When I was at Akamai, we had a great, absolutely great way of tracking those risks and making sure that they got done. And sure, some of them took a very long time to remediate, but there was always a plan in motion.

Very much the same thing as with the organization I'm at now. At Duo, we make sure that we address all of these things, and that we are taking care of them, so that they don't fester and grow.

Because if you p- have a problem in your organization and you leave it alone, and then all of a sudden you have a cascade failure because it is then used in conjunction with something else that happens to come out.

[00:27:43] Rik: Interesting.

[00:27:44] Dave: or we forget about them and somebody doesn't.

[00:27:47] Rik: It's, it's interesting because it ... You know, the textbook answer about risk, is that you have nominally three ... I've said nominally far too much in this particular episode.

[00:27:58] Dave: [laughs].

[00:27:58] Rik: No more anomalies. You have three, strategic directions you can take when it comes to risk. Which is mitigate, accept, or offset, right? You do something about it, you pay someone else to take the risk for you, or you accept the risk.

But what I feel like I'm hearing from you, is that accept the risk is not an acceptable strategy [crosstalk 00:30:54] should do.

[00:28:21] Dave: Not from a ... Yeah, a tactical solution, at times, yes. Strategic, no. You can't let these things, fester on the vine for years on end.

[00:28:31] Rik: Yeah, I had a great example of that. And, and I can talk about it too, because, this company doesn't exist anymore either.

A former, employer of mine, they were a very big company, they went by the name of EDS. They were acquired a long time ago.

[00:28:44] Dave: [laughs].

[00:28:44] Rik: And I remember when I started there, one of my first jobs was to create my password, for the, the corporate network.

[00:28:53] Dave: Yep.

[00:28:54] Rik: and the password policy that popped up on the screen when I, when it came to create the password said, you know, "It must be, more than eight characters and contain, and contain, and not contain ..."

And it wasn't a great policy but it was not the worst I've ever seen. So it was kinda okay. So I typed in my proposed first password. Error. Tried retyping the same one. Error. Thought, okay, maybe there's a special character that I wasn't warned about that's not acceptable.

Tried a different one. Error.

Went to find a colleague who had been there longer so that I, [laughs] so I could get some advice about well, you know, why am I, why am I erroring out here. "Oh, no, it has to be exactly eight characters. I know it says more than, but it must be exactly eight characters”

[00:29:34] This is EDS, right. Who, who are building s- security architectures for, for big government and global organizations.

And, the, the reason for that, and this is why it's relevant in technical debt, is that there was a backend system underlying all of the, the, AIN stuff, that, that had to have an eight character password.

So no matter what else they had layered on top of it, as the company had grown and, and, built customers, and, you know, acquired responsibilities, there was something way deep in the back end that stopped an evolution of that security policy.

And that's, you know, that's technical debt in a nutshell, I guess, right? Or security debt in a nutshell.

[00:30:12] Dave: Yeah. And then here I am thinking, "Well, is there a way to escape the password and then put a dollar bang at the end, because that sounds like a mainframe?"

[00:30:20] Rik: [laughs]. It, yeah, it was definitely a mainframe somewhere deep, buried deep within the authentication, architecture.

Another ... I'm going to ask you about something else and I don't even know if I'm allowed to ask you. But I know you're the kind of guy who'll just tell me if I'm not allowed to ask you.

[00:30:33] Dave: Yeah.

[00:30:33] Rik: Or you'll just tell me you don't want to answer the question. You were a director at (ISC)2?

[00:30:37] Dave: I was, yeah.

[00:30:38] Rik: For one term I think?

[00:30:39] Dave: Yeah, one term, yeah. And then I rolled off, yeah.

[00:30:42] Rik: Three, three years, right?

[00:30:43] Dave: yes, yeah. Three years.

[00:30:44] Rik: being a director there, that means that you are, or were, a member at the time, I guess?

[00:30:52] Dave: Yeah.

[00:30:52] Rik: from a, so from an insider's perspective, did being a director at [ISC]2 change your view on the certification industry, or the way that it approaches its potential, customer base?

Or its use, or value, or anything, basically? Did you learn anything from that experience?

[00:31:09] Dave: yeah, I, I did. And there was a lot of good to come out of it that I have not ... I'll be honest, I haven't kept tabs on it since I left.

But, like, one, like, one slide I demanded that we had produced was call- they actually called it the Dave slide, w- showed a breakout of where, their fee- or the dues, AMF, sorry, would go.

So if you had ... At the time it was, I think it was US$85, it would ... It broke out exactly how that money got used. So that was one of the things I saw as a positive, as well as adding term limits to a director. So you didn't have directors sitting on there for 14+ years.

[00:31:44] Rik: Yeah.

[00:31:45] Dave: Because it was suppose to be there for the membership, you know, from my s- poi- from my point of view, from this point in my career, I don't put of, lot of value in credentials. And I don't mean that in a negative way.

[00:31:59] Rik: Mm-hmm [affirmative].

[00:31:59] Dave: I mean for my, for where I am at this point, it doesn't, have a value add for me.

[00:32:04] Rik: Sure.

[00:32:04] Dave: If you're somewhere, someone new in the field and you're looking to show some sort of, you know, bona fides, whatever that certification happens to be helps to show that you have a, a requisite based amount of knowledge to s- you know, be at the table.

There are some organizations that refer to is as the gold standard for whatever their certification is. Let's be realistic, it shows that you have a basic common body of understanding, and we can build from that point.

[00:32:30] Rik: Yeah, it's a baseline, not a gold standard, right? That's [crosstalk 00:35:26]

[00:32:33] Dave: Ab- absolute- yeah. And I've always maintained that. And l- yes it does have a lot of benefit for somebody who's new in their career, because so many organizations'll say, "We need this certification, we need that certification."

[00:32:44] Rik: Yeah.

[00:32:44] Dave: so there is value, from one person to the next. Some people may not ascribe to that, and that's fine. You know what? That's the beauty of choice.

[00:32:51] Rik: Yeah. I think I'm, I'm in same boat. I mean I definitely ... I got my, CISSP many, many years ago. I was working, actually still back at McAfee back then.

A long time ago. Because they, they had decided that they wanted all the people who were in my, job function, which was tech support-

[00:33:09] Dave: Mm-hmm [affirmative].

[00:33:09] Rik: ... To be, CISSP accredited. So that, that was great. And it was great for my employer, 'cause they could proudly promote that as a baseline for anyone who was in, you know, in their tech support.

It's a selling point, I guess for their customers. It was, but it was great for me. I, I definitely got value from it as an individual, because my academic background had nothing to do with this industry, and I totally ended up here, by accident.

Because, because I spoke two languages was the, my, my main qualification for ever getting involved in this industry. 'Cause, and then I was on a, a European tech support help desk, 'cause I was ... I knew a bit about computers, and I could speak English and French.

That, that's kind of how I got in.

[00:33:50] Dave: [laughs].

[00:33:51] Rik: And I think back then, when, when that was the case ... This was, early '90s.

[00:33:55] Dave: Mm-hmm [affirmative].

[00:33:56] Rik: Early to mid-'90s when my career started. Ni- yeah, '94. You know, there wasn't an academic background path that you could've followed that was s-

[00:34:05] Dave: Yeah.

[00:34:05] Rik: ... Specifically relevant. There was maybe computer science. But, you know, back when I started, you still had a choice about whether you were using, TCP/IP or IPX/SPX, or, AppleTalk, or Token Ring, you know, there was no ... nothing had coalesced around anything. Now you know that-

[00:34:22] Dave: Yeah.

[00:34:22] Rik: ... You're probably not using cables. If you are, it's Cat 5, and the only protocol you're going to find on there is TCP/IP, you're not going to find any DEC LAT for example, and no, no VMS, i- at the back end.

All, all, all ... Something that used to be very heterogeneous has become homogenous. So there was no particular educational path, so those industry certifications were very useful.

[00:34:43] Dave: Yeah.

[00:34:43] Rik: And I think they still serve a great purpose for people trying to get into this industry who didn't follow an academic route.

[00:34:51] Dave: Oh, I agree completely. 'Cause I, I mean I went completely non-traditional. My degree is in archeology and classical studies.

[00:34:57] Rik: Right,

[00:34:58] Dave: You know, it's like, I can tell you all about Etruscan art. [laughs] but-

[00:35:01] Rik: 'Cause you have a better degree than me, that's for sure.

[00:35:04] Dave: [laughs].

[00:35:05] Rik: I wish I'd studied archeology, that would be fantastic. [crosstalk 00:38:18]

[00:35:08] Dave: Yeah, that was more, that was me snapping.

[00:35:10] Rik: Oh, yeah.

[00:35:10] Dave: Yeah, and, and now there's programs all over the place, which is amazing because these were, you know, options that weren't available at the time.

So, yeah, certification absolutely does give you that aspect where you can train. And you can go from being a chef to, you know, working in security. And that transition is, is possible.

[00:35:29] Rik: Yeah.

[00:35:29] Dave: Yeah, like, when you and I got started, it was literally throw it against the wall, see what happens. [laughs].

[00:35:33] Rik: Yeah, totally.

[00:35:33] Dave: I mean I managed a To- I was part of a, team that was managing Token Ring for a bank. And it was like, I, I ... It's just s- surreal to think back to those days. [laughs].

[00:35:43] Rik: Yeah. I, I started my career working for a company ... It's still around actually, they just don't do the stuff that I was working on anymore, called Tectronics.

[00:35:52] Dave: Oh, I know them, yeah.

[00:35:54] Rik: they're, they're still around in test and measurement business, I think. When I joined, they were doing test and measurement, which was their traditional core business.

They were also doing, ex-terminals, and color printers. And, and TV production products, but that was totally different. So my, my starting point was ex-terms and, network printers.

Hence all of the, the focus on, network captures, protocol analysis. Looking at RFCs and wondering why people didn't build things that complied with them. That was a huge part [laughs] of a learning curve. It was fantastic.

So we said before Duo you were with Akamai.

[00:36:28] Dave: Yeah.

[00:36:28] Rik: Akamai is a huge window on the web.

[00:36:33] Dave: Oh, yeah.

[00:36:33] Rik: Right? In terms of what they do. What did you see?

[00:36:36] Dave: [laughs]. Wow. The, the funny thing was is when we did the state of the internet report when I was there, I was one of the contributors on that.

The amount of data we had, we literally didn't know which way to go because there was so much to look at. As an overlay to the entire internet you, you see a lot of attacks, a lot of traffic.

The data was absolutely marvelous to look at. And when I look at, you know, what we had at that point, and then I look at something like shadowserver.org now, where it's a, you know, a non-profit that's doing roughly the same type of, work, it's-

[00:37:09] Rik: Yeah.

[00:37:09] Dave: ... Amazing to see how much ... And, just absolutely stunning to see the kind of things that people out there are trying against various targets around the internet.

[00:37:17] Rik: So that, that's kind of the one of the standouts for you is the, the visibility of different,

[00:37:21] Dave: Yeah.

[00:37:22] Rik: ... Targets and attack techniques in, in ... Well, so you must've been doing big data before most of the rest of the world was doing big data. Is that fair?

[00:37:31] Dave: Yes. Never really called it that, but yeah.

[00:37:34] Rik: Wh- what were, what were you doing? How were you dealing with such a volume, ... You know, I, I, I get, a view on that from the ki- the volume of data that, that we deal with at Trend Micro in terms of, you know, threats, detected threats blocked.

Whether it's IP addresses, domain names, machine learning, files, vulnerabilities, and ex- associated exploits. All of that, you know, it's a big volume.

So I kind of have an idea, but, I'm curious that ... 'Cause Akamai saw, has a very, had a very different, has probably still, a very different view on the web.

[00:38:02] Dave: Yeah.

[00:38:03] Rik: To one that a traditional security company has. How were you dealing with those volumes of data.

[00:38:09] Dave: [laughs]. Well a lot of home-built systems. In that, th- the systems that were being used to do all the login analysis were built in-house.

There was nothing you could buy off the shelf. And it was all designed to scale, because that's the whole business model for Akamai.

[00:38:25] Rik: Right.

[00:38:26] Dave: So if you knock out an entire zone in the network there, it would just be picked up by another part of the network.

And it was absolutely stunning to see how resilient it was to ... E- like, e- attacks were not as much of a problem as Black Friday, or things like that, where you saw a huge spike in online traffic of shoppers, or, you know, viewing something like the Super Bowl online.

The- the amount of data that was involved there was absolutely stunning.

[00:38:57] Rik: Yeah, it's, the ... You're, you're used to dealing with, with those volumes of data.

And, and I suppose the, the, the employment history that you have, and the, the roles that you've fulfilled, and the different views you've had on the challenges that, that people have faced probably were a part of the reason behind the founding of the, Open Cert, in, in Canada?

[00:39:23] Dave: Well-

[00:39:23] Rik: Is that a thing?

[00:39:24] Dave: That, that, it, it still exists.

[00:39:26] Rik: Yes.

[00:39:27] Dave: it is limping along in a, in its current form. But it d- it does still very much exist. That actually started with a couple of my friends grousing on Twitter about the incumbent and the lack of coverage they were providing for Canada at large.

And they had, you know, $156 million budget, and there really wasn't a whole lot to be seen as to what they were providing. And so we started this volunteer organization ...

Now, we contribute to the DBIR at one point. That's t- to my knowledge the only Canadian company that's ever done that.

[00:40:00] Rik: [laughs].

[00:40:00] Dave: [laughs] and, unfortunately then, you know, jobs, children, all that sort of thing, so it just, it limps along in its, current form.

Which is oddly enough something that I keep meaning to return to, to start up again, but, you know apparently there's only 24 hours in a day.

[00:40:16] Rik: [laughs]. What's the mission? Why, why was it created in, in the first place? The, the t-

[00:40:20] Dave: [crosstalk 00:43:49]

[00:40:20] Rik: ... National cert for Canada.

[00:40:22] Dave: Yes. Yeah.

[00:40:23] Rik: Obviously. So, what, what were you adding over and above?

[00:40:26] Dave: The idea there was to provide, a level of, information sharing for the wider audience because that body was targeted spec- specific- yeah, try that again, specifically to critical infrastructure and things to that effect.

As opposed to, the everyday citizen.

[00:40:41] Rik: Yeah.

[00:40:41] Dave: And we were able to help, manage a few security incidents that were not cu- critical and infrastructure related.

And we were able to contact the right people and get it then, the job. So we acted basically as an intermediary, at the time.

[00:40:53] Rik: And, and, like, when I was looking at the website, recently, it looks like you were offering services not just to enterprises, but also to individuals. Were you not worried about scaling?

[00:41:03] Dave: We hadn't thought that through at the time, I'll be completely honias- honest on that one. Scaling was not something that we safely wrapped our heads around.

[00:41:11] Rik: Yeah.

[00:41:11] Dave: but, I'll be honest, and it's not something that we have pursued in the last year or so.

But we did collect a lot of data, we did have a lot of reports come in. And we were able to process pretty much all of them actually.

[00:41:23] Rik: But you heard it live right here, he wants to, he want to revive it Canada.

[00:41:29] Dave: [laughs].

[00:41:30] Rik: so you-

[00:41:30] Dave: I also want to play in the-

[00:41:31] Rik: ... You're welcome to make a thing of it.

[00:41:31] Dave: I also want to play in the NBA, but you know, 5'7", not happening.

[00:41:34] Rik: [laughs] You mean that not going to happen? You've got years ahead of you. Oh, a- and I meant to mention, the, the gloriousness of your, or your beard-

[00:41:41] Dave: Well-

[00:41:41] Rik: ... In the introduction. And I just realized that I'd forgotten it. So it's glorious, piece of facial hair, and my congratulations. Is that a, is that a, a lockdown, project?

[00:41:51] Dave: No, this actually started about two years ago. Well, the beard's been around forever.

[00:41:54] Rik: Right.

[00:41:55] Dave: But it usen't to be like that. And then I let it go. It got down to about an about that long, and then the wife said, "Yeah, no, we got to do something about this."

[00:42:04] Rik: [laughs].

[00:42:04] Dave: but, you know, I needed some growth in my life, so I figured, you know, this was one way to do it.

[00:42:07] Rik: That's the easy way to get it, right?

[00:42:09] Dave: Yeah, exactly.

[00:42:10] Rik: I think I'm possibly the only person, in this country anyway, ... I don't think globally, but the only person in this country who doesn't care that the hairdressers aren't open yet.

[00:42:19] Dave: [laughs].

[00:42:19] Rik: Everybody else seems to be really, really worried about it.

[00:42:21] Dave: [laughs] They didn't even-

[00:42:22] Rik: I can't say that I've noticed.

[00:42:24] Dave: It's absolutely mind-boggling to see how people are obsessing over this. And, and it varies from country to country as ... But, like, really? A haircut?

[00:42:33] Rik: Yeah.

[00:42:33] Dave: Okay.

[00:42:34] Rik: There's, like, other priorities, right?

[00:42:35] Dave: Yeah, like not dying.

[00:42:37] Rik: Yeah. So I just, we're, we're coming up close to the hour, and I wanted to give you a chance, at the end here to, to have a look forwards. It's, it's great talking about where you've been, what you've done.

[00:42:49] Dave: Mm-hmm [affirmative].

[00:42:50] Rik: and how that's contributed to who you are and what you do now. But I'm really interested in, in forward looking. Because it's so muddy, and it's so difficult ...

You know, we hear a lot of things right now particularly related to the pandemic about how society is changed forever by this, how enterprise and the way that we work is changed forever by this.

New challenges have arisen. Not just pandemic-related, but in general terms, what do you see in the security landscape, and maybe talk about some of the, the reasons why, for the next five years as being the, the really pressing issues? What do people have to solve?

[00:43:28] Dave: They have to solve ... For, first and foremost, is going back to the democratization of security.

We need to make it easier for folks to use this sort of stuff, especially if we do continue on with remote workers in the scale that we're looking at now.

[00:43:43] Rik: Do you think we will, have that change?

[00:43:43] Dave: there's various organi- well some companies have actually done that. Like Twitter and, I believe Facebook was another one who have extended their work-from-home policy indefinitely.

So at, at least in some iteration, yes, there will be more than we saw previously. So you want to make sure that you're providing these folks with tools they can use that are easy to use, and effective.

Because not everybody is technically-savvy. And if we're not giving them tools to do their job safely and securely, we are causing another problem, and potentially opening another exposure in our environment, right?

[00:44:14] Rik: Yeah. You know, one of the things that struck me recently, I was having, conversations, with colleagues and peers, related to architectural changes, behavioral changes, and technology changes to do with working from home.

[00:44:26] Dave: Mm-hmm [affirmative].

[00:44:26] Rik: when I said I was working for, for McAfee, actually I was working for Network Associates as they were called. [crosstalk 00:48:21]

[00:44:31] Dave: Oh, yes, I remember that.

[00:44:32] Rik: In the PGP division, not in the McAfee division.

[00:44:36] Dave: [laughs].

[00:44:36] Rik: so that, when you mentioned PGP earlier on, I had a little chuckle to myself. One of the, the products that, that I was working on at the time was, of course, the PGP VPN client.

[00:44:47] Dave: Mm-hmm [affirmative].

[00:44:48] Rik: And one of the thing that we used to talk a lot about to the people we were giving tech support to was something called split tunneling.

[00:44:55] Dave: Yeah.

[00:44:56] Rik: and it became apparent, and I think this is one of the things that we do as an industry that's really bad.

We do as individuals, and it becomes a collective industry thing, that's really bad, is we neglect to pass on the benefit of our experience as effectively as we could.

The ... You experience so many things, you learn so many things. The things that, that you end up finding are, you know, classifying as basics, you begin to assume that everybody else knows, and everybody else knew, so you don't need to tell anyone.

And then all the good stuff that you learned at the beginning of your career, which is still relevant, never gets passed on again, and, and gets forgotten.

[00:45:37] So when I started to have conversations with people about working from home and I was raising the, the risk of split-tunneling a, a VPN, and saying it's really not, not a clever thing to do.

So if you are going to be providing a VPN to all of your staff that are working from home, make sure that when they're signed in, there is no split tunnel. They don't have a local home network route out to the internet, plus a VPN route into your organization and then out to the internet.

And I was amazed that it ... I'm not saying it'd been forgotten about in its entirety, but many, many people weren't even thinking of that as a risk.

[00:46:10] Another thing that, that showed up for me, relatively recently is a really old thing that we used to call, banner grabbing. You know, when you could turn that into a service and, see what banner comes back in order to, to gain-

[00:46:22] Dave: [crosstalk 00:50:19] right.

[00:46:22] Rik: ... Intel about your, your target.

[00:46:25] Dave: Yeah.

[00:46:25] Rik: No one talks about it, and it becomes a risk again. And do you think that's something that happens in our industry over and over? That the old becomes new?

[00:46:33] Dave: We do have a really bad habit of not capturing lessons learned and sharing them accordingly.

[00:46:37] Rik: Right.

[00:46:37] Dave: like I try to share stories from my past on, you know, writing articles on, like, Forbes, and CSOonline and things like that, and Daily Swig.

But unfortunately, there's no cohesive, you know, source of truth for what we all collectively do. But, lu- luckily these days we're seeing a lot more people are sharing this information.

We're seeing a lot more blog posts, we're seeing a lot more papers being done. So there is a shift towards, you know, articling all of this that we've gone through.

And hopefully that will change over time as, you know, we keep tubthumping for people to share information with each other. I'm hoping that this will take.

[00:47:15] Because I mean, look at, you know, the legal, profession, we look at the medical profession, they have the lather, rinse, repeat nailed to a science.

I mean it's absolutely fantastic to show how they can take their lessons learned from 100 years ago, and they are, are be able to share them today.

[00:47:31] Rik: Yeah.

[00:47:31] Dave: I, I hope that we can collectively get better at that.

[00:47:34] Rik: Yeah, absolutely. So one, one last question then for you. I tweeted a couple of days ago, because I was feeling emotional. I do that sometimes.

[00:47:42] Dave: [laughs].

[00:47:43] Rik: About my, what I think is my greatest lesson from the, the, the unprecedented period that we're living in right now. What's, what's your greatest lesson?

What has, what has lockdown pandemic, the global situation, what has it taught you that you'll never forget?

[00:48:00] Dave: The one thing that has really hit home for me, is that we as security professionals have to make sure that we are enabling business ...

And when I say that, I mean individuals who have never been home office before. To do it in a successful fashion. Because overnight, we have, you know, millions of people are suddenly working from home.

We have to make sure that we're giving them the tools to do the job safely and securely. We want to make sure that they have the ability to reach out and ask for help if there's something they just flat out don't understand.

You know, in the past, they'd be in an office, they'd walk down the hall and ask a question. We have to make sure that we as security professionals are there to help answer these questions.

[00:48:38] We may think they're questions that are in d- inane, but honestly, for them, this is a real pressing issue.

And we want to make sure that we are there to be, you know, a sober second thought.

[00:48:50] Rik: Very cool. That's a superb, positive message to end on. Dave, I just want to thank you, personally and on behalf of all the people that have been watching, in various time zones all around the world, and all of the people who are going to watch us on catch up.

Again, I'm sorry that, that we had remove, Dave's karaoke. You really missed something there.

[00:49:07]Dave it's been a fantastic, interesting, enlightening, and fun conversation. More than I had hoped for.

And, and just thank you very much for joining us.

[00:49:16] Dave: Thank you very much for having me, and, everyone be safe out there.

[00:49:21] Rik: There you go. These ... Every single time I do this, it's incredible. It just, it just flies by. I have a, another two guests lined up in this season, with the possibility of a third.

I'm gonna make some contact there and find out what's going on. I am so grateful to you for spending the time with us, whether you're doing that live, or whether you're watching these, on, on YouTube, or on, trendstalks.fyi, where you can find all of the, the past episodes of #LetsTalkSecurity, and #LetsTalkCloud all archived, trendstalks.fyi.

[00:49:55] Dave was fantastic, passionate, personal, and another word that begins with P, which is all one can ask fr- from a, from a, from an interviewee.

Thank you so much for joining us.

We hope that you will join us again next week, same time. I've been Ron Burgundy. You stay classy San Diego.