Chad Skipper serves as global security technologist at VMware. With more than 25 years in information security, Chad has served in many executive security technologist and strategist roles of endpoint, network, cloud, and hosted security services at Lastline, acquired by VMware, Cylance, acquired by Blackberry, Dell, Cisco, Symantec and is a USAF veteran.
These transcriptions are automatically generated. Please excuse any errors in the text.
You're listening to the KBKast Cyber Security podcast for all executives, cutting through the jargon and hype to understand the landscape where risk and technology meet. Now, here's your host, Karissa Breen.
Joining me today is Chad Skipper, global security technologist from VMware. And today we're talking about VMware's latest annual global incident response threat report. We will be linking the report in the show notes. So Chad, thanks for joining and thanks for making time.
Chad Skipper (00:52)
Hey, thank you KB, appreciate the time. It's a pleasure to be here discussing some of these statistics and areas that we're seeing out there.
Yeah, most definitely. So I want to start with the key findings from the report. Now, ransomware actors incorporate cyber extortion strategies. So in a number of reports that I read and people I bring on the show, ransomware is definitely on the rise. Talk to me a little bit more about this. And what does this mean specifically?
Chad Skipper (01:19)
Yeah, so let's talk a little bit more about that. So these groups have really transformed from traditional aims of ransomware into something even more sinister. You know, you talked about cyber extortion. In other words, criminals no longer simply want to get a ransom, but they're really staging multilevel campaigns to progressively extort their victims. In this report, we saw that nearly 60% of respondents experienced a ransomware attack in the past twelve months, as these prominent, let's call them cyber cartels, continue to extort organisations through double and triple extortion techniques. Now, the survey revealed one quarter of all ransomware attacks included some type of double extortion technique. And these double extortion techniques include things like blackmail, data auctions and name and shame. And in fact, we're seeing in some aspects the exfiltration of that data first, before they even ransom, so that they can sell that data on the dark web in the black markets, as well as try to get the ransom from the victim itself. In other areas, the triple extortion, we're seeing where they'll take that data and they'll look at the data and understand from that data your partners that you might be working with or your customers, and then they'll go extort your partners and your customers as well.
Chad Skipper (02:51)
So we're seeing all kinds of different types of tactics around the extortion capabilities of these threat actors that we're seeing out there in the public.
Okay, so walk me through multilevel campaigns. So how many levels are there? Or it depends obviously. What does it sort of typically look like from your experience?
Chad Skipper (03:09)
Let's talk about that, and we'll talk about the levels at which they gain that access. We're seeing that the penetration is coming in one of two ways: one, they're trying to get the end user to interact with something malicious, or number two, they are using stolen credentials or some type of exploit to get into some type of workload. So that's the very first stage that we're seeing from that campaign. Then what's happening is, once they're getting into that area, they'll stay and they'll discover, and from that discovery capability they'll begin to target which systems they want to go after, and they're beginning to utilise common ports and protocols within the customer's organisation. We can talk about that later on, them moving laterally inside to where they end up landing on a system. The next part of that is some type of remote access Trojan that allows me to get my wares on that system, and then from there they'll exfiltrate that data out, and then they'll end up ransoming. So those are the different types of stages that we're seeing in this multilevel of those campaigns that are progressively getting worse within the organisations.
Yeah, that's super interesting because as I sort of alluded to before, ransomware is on the rise across multiple reports that you read. Why do you think that that's the case, though? Is it just a lot easier to do? People will hand over the money? I mean, I've seen it so many times across the globe, mind you, not just here in Australia, but it just seems to be the increase is like a hockey stick, right? It's quite intense. So I'm curious to know why do you think that's the case, from what you're saying?
Chad Skipper (04:52)
Well, I tell you this. Of the financial security leaders that we interviewed for this year's Bank House report, which was released in April, of those who were breached by ransomware, 63% paid the ransom. That's why, you know, cast a wide net and get paid almost two thirds of the time. That's a reason for this continually going on. But furthermore, we saw custom malware in one third, or basically 20%, of the attacks. When you see custom malware, typical antivirus software might not have the capabilities to detect the behavioural anomalies that those malware pose. Also, further on, today's threat actors continuously look for methods of evading and countering incident response. Now, these techniques are things like, I want to reset your password; others are, I'm going to use trusted software. We call this living off the land, and this is where they hide within the noise of your own ports and protocols. We're also seeing things like manipulating timestamps, which went up to 62% from 58% last year, and this allows the attackers now to move around inside a network, and it makes it even more difficult for the IR teams to detect their activities, and also the evasiveness of it.
Chad Skipper (06:20)
The adversaries are also going after the IR teams themselves, where the responders said that we're seeing the adversaries target our responders 33% of the time, or they're going to tamper with the agents 28% of the time, or they're going to try to monitor the inbound communications from that IR team. So those are some areas from that perspective, but, you know, like I said, when they're going to get paid two thirds of the time, and we continue to see these evasive tactics implemented via malware, including things like, I want to check the disk size, or I'm going to, you know, stall against their analysis in an environment. I'm going to do things like checking for particular product names to see if those product names are in there, and if they are, I'm going to get out of that area. I also see this as adversaries using these evasion tactics as a means of discovery too, to really try to get a sense of whether they are in an evaluation environment, and if so, abort. For instance, threat actors are checking for the presence of certain keyboard drivers. And if certain keyboard drivers are found in the system they're trying to compromise, they'll immediately abort their malicious activity.
Chad Skipper (07:42)
This is maybe trying to find out where they are geographically in the world. And our teams need many different capabilities here to be able to understand the detection of each of the techniques that we're seeing at the forefront.
Okay, I want to get into paying the ransom. Now, I've spoken to a range of people about this. They've all got different views. I want to hear your view, but I'll set the scene a little bit for you first, and then I'd love to get your thoughts on it. So for example, I interviewed another gentleman a few weeks ago. He was representing ISACA and it was about a report that ISACA released as well. And he was sort of saying, in his experience, when he's going and looking at a company, because it's very expensive to hire security practitioners, he was sort of saying, you know, I may look at a situation and it may be just easier to pay the ransom rather than bringing in all these people that cost a lot more to get it back. He said, sometimes the adversary will even tell you how they got in, as an additional cost, apparently. Then I've also heard people say, yeah, well, you shouldn't pay the ransom. A lot of people say that, of course. And then I've even heard other people saying, yeah, but if you pay the ransom, you're actually then funding, like, human trafficking, drug mules, you know, criminal syndicates.
So, I mean, it's a tricky one to answer, but do you have any answers? Because a myriad of people say many different things and I just want to sort of get a good barometer here.
Chad Skipper (08:59)
Yeah, it's a lose-lose. It's a lose-lose and it's situational for everybody. I would always err on understanding the situation, but I would always err on not paying the ransom. You've got to shore up your vulnerabilities anyway. You should have backups. I know a lot of times that doesn't happen, but at the end of the day, it's a lose-lose. I would err on not paying the ransom, shoring up my vulnerabilities, to not become a victim of that again.
Yeah, most definitely. Because I think when you're in that scenario, especially as a customer, and you can't do things, or you're freaking out because you've got your board of directors on your back or whatever the case may be, they're just thinking about themselves in that moment: we've got to get back online, we've got to get our data back, we've got to be able to keep operating. So they're probably not thinking beyond, if I pay these people, what does that money then go towards? So I think that it's more an awareness piece of, yes, of course you're in a terrible situation, but you're also fuelling these people to do it again. Like you were saying before, they double down. Yes, right.
Chad Skipper (10:00)
They double down after that. So that's another aspect of it. If I pay, they know I'm willing to pay. Therefore, I'm going to not only continue to find other avenues inside your organisation; my peers know that you just paid, so my peers are going to go after you in that organisation as well. So now you're opening up to further attacks from those threat actors' peers, because they know that you've paid in the past and the likelihood of you paying in the future is fairly high.
So in your experience, have you ever seen a customer continuously pay ransoms because of this exact scenario, that maybe they pay one ransom and then they let their buddies know, and then all of a sudden there's a few others in there trying to do the same things, because they know that they're going to pay it? Have you seen that type of behaviour happen?
Chad Skipper (10:44)
I have seen behaviours happen where an organisation was forced into a situation where, yes, they were penetrated by multiple, let's call them cyber ransomware cartels, and had to pay multiple ransoms. Yes.
Wow, okay. How do you sort of handle that situation? As a security practitioner yourself, what are your thoughts on that?
Chad Skipper (11:06)
It really comes back to finding the vulnerabilities, shoring up those vulnerabilities within your organisation and moving forward with a game plan that says, look, there's hygiene first. There are many different ways in which you can provide from a hygiene perspective, but since these guys are very evasive, you have to put defensive measures in place that give you visibility into what I would call every packet and every process, because security is a data problem. The more data that we have, the more visibility that we have, the better off we are in detecting these anomalies and these threats that are out there. If you can't see it, you can't protect it. And so that's what I encourage a lot of companies out there to do: get that cyber hygiene in place and shore up your vulnerabilities.
Great point. Great point. So I want to move on to something in terms of APIs. Now, I don't know whether you've been following the news here about live show in Telco. There's still speculation about the specifics of what happened, but they are talking about an API. So I really want to get into this and understand some of the insights captured from the report, that APIs are the new endpoint, representing the new frontier for attackers. So what's happening here?
Chad Skipper (12:24)
Yeah, modern applications, right? That's what's happening. When the vast majority of traffic is internal and the backbone of that traffic is API calls, adversaries are going to notice. And in this particular survey, we saw that nearly one quarter, about 23%, of the attacks now compromised API security, as these platforms emerged as promising new endpoints for those threat actors to exploit. Now, that is a major reason why. Now in those are SQL and API injection attacks, as well as distributed denial of service attacks. But in the case that we're seeing today, that's exactly what we're seeing is, from a modern application standpoint, containers and Kubernetes APIs being the backbone is why we're seeing an uptick in what we see as those API attacks.
Wow. Okay. So what can people do? I mean, it's a bit of a hard question to answer, like, it's a bit of a detailed response to really get into the specifics, but maybe just at a high level, what can people do, because of what's happened in the market, especially in Australia, to reduce a lot of these API related attacks?
Chad Skipper (13:39)
Yeah, that really comes down to API security. You really need to enable both the developers and the security teams to gain a comprehensive understanding of when, where and how APIs are communicating, even across your multi cloud environment. Web API security is challenging because the multi cloud workloads make up that API usage, which makes us more vulnerable. So let's talk about what companies can do to reduce those API related attacks. Number one, API discovery and observability. Again, like I said earlier, you can't protect what you don't know about or what you can't see. So, as internal and external APIs proliferate, tools are necessary to help reduce the complexity of those API related attacks. Now, many are implementing API gateways and API portals to make it easier to manage those APIs. So that's one area. Another area is post authorization API, what we call threat detection and response. So attacks and breaches are increasingly being perpetrated in this post authentication and authorization phase of the API. So we need to look deeper within that API data payload. So in there we can look at threats within the application and the API data payload, as an example.
Chad Skipper (15:14)
You've got to understand that traffic and what that API payload is. Is this PII data, is this PHI data, is this HIPAA data? And if there's any difference in that data, you would want some type of anomaly to come up and tell you, look, we're seeing different types of flows and different types of data in those flows than we normally see. Another one is identify and correct the vulnerabilities within the organisation to protect that entire API lifecycle, from planning to development, to test, to production. You've really got to understand those vulnerabilities and take a look at those vulnerabilities from that perspective. Other areas we've talked about in the past: provide end-to-end encryption, use authentication and authorization as well. And finally, I would talk more about baselining for anomaly detection for your normal situations. I say normal because in a lot of cases APIs are fairly, what I would say, consistent in what you're seeing within the API aspects. So if you can baseline those APIs and then provide some type of machine learning or anomaly detection, then you're going to be able to see these anomalous behaviours, such as data flows that should not be happening, access from a different geographical location, and then, last, route requests through an API gateway.
Chad Skipper (16:44)
That's going to help us from that perspective. And I say last, I'll say last this one last time: service mesh. Utilise the service mesh. This really connects application workloads, microservices, the APIs and the data inside that east-west pattern. So that gives us the ability to leverage the infrastructure, the logic and the rules to route those API requests, and can increase the security of those large deployments with multiple APIs.
Thanks for sharing that. Do you think, Chad, that APIs just go under the radar a little bit? People can just forget that, oh, you should probably look at that, should probably look at protecting that as well. Is that like a common thing that you see? I mean, it's probably not intentional, I hope not, but it could just be something that gets overlooked.
Chad Skipper (17:32)
Well, that's a good question. We've heard digital transformation. As we go through the digital transformation, and as we begin to embrace this multi cloud, and as we see the proliferation of containers and Kubernetes, then naturally what comes with that is this progression now towards what I'm seeing more and more of: how do we begin to secure the inner workings of the application? How do we begin to secure the inner network of all of these applications? So I think it's becoming more and more mainstream as we further move into this multicloud arena.
Yeah, and I guess, to your point before, around devs and the security team cooperating a bit more and having an open dialogue. It's not necessarily a silver bullet, but do you think if there was more cooperation between these teams, perhaps it would reduce a lot of these attacks?
Chad Skipper (18:30)
Well, absolutely. When there's more cooperation between your devs and ops, your development as well as the security pertaining to IT and the operations, the tighter that you are within that organisation, the better off that you will be. Collaboration is always key.
Do you have any advice for DevOps or DevSecOps or whatever you want to call it? Because it's something that people often talk about in the space and, I mean, it seems easy on paper, like, oh, you just go and collaborate with other people, but it's a hard task to do. So do you have sort of any high level advice for people that want to sort of get closer with the development team as well as their security team?
Chad Skipper (19:07)
Absolutely. Get involved in their iterative process, get involved in the scrum, get involved in the daily stand ups, get involved in understanding the business outcome of that particular application. And I've seen that be very successful with companies that I've talked to, where their CSO, their CSO organisation, has dedicated individuals that understand the nature of the business as well as what it needs to secure the underlying applications, and they're involved in the daily development of those applications and provide consultative services on
Chad Skipper (19:44)
if we go down this route, we need to address these vulnerabilities, or it's a risk. Right, these vulnerabilities are a risk. And it also brings in the ability to understand the architecture and look deeply at the code and see if there are any underlying vulnerabilities in that code as well, such as buffer overflows and those aspects. But that's what I've seen to be successful: get involved in the daily scrum, the daily environment, the daily development environment, and understanding the business value there, and then try to steer the ship from the most secure process that you
Can I just ask, why would security people not be involved?
Chad Skipper (20:23)
Why would they not be involved?
Yeah. Is it because they don't think about it, or they can't be bothered? It's not like, it sounds obvious, but what you're saying makes sense. Right. I'm just curious to know why this isn't happening as much as it should be or could be.
Chad Skipper (20:39)
That's a good question. I don't really know the answer to that, to be honest with you. It sounds natural to me when I talk to organisations about including your CISO, your CSO organisation, in your development efforts from the very beginning. So when I find that this continues to happen, is it surprising? No, but it's something, that's why I bring it up. That's why we bring it up in this call. It's something that we hope that we can see in the ongoing development organisation, to include your security speed through your development process.
Yeah, I absolutely hear what you're saying. Like, it does seem more obvious and it seems like the thing that people should be doing. But yeah, for a lot of people it doesn't happen, or they don't think about it, or perhaps no one's informed them in the way that makes sense for their organisation, or they don't have the resources, for example. So I think that's a really good point to raise because, yes, it does seem like the thing to do, but it does get overlooked, and hopefully what we're talking about today could close that gap. But I want to sort of move on a little bit more now and talk about lateral movement, which was seen in 25% of the attacks in the report, and that lateral movement is the new battleground. So what do you mean by the term battleground? Or what is the term that's been coined? What does that mean specifically?
Chad Skipper (22:03)
So if we go back and take a look at the history of where we've been from a cyber security perspective, naturally it started at the endpoint, right? At the endpoint. So a lot of focus on the endpoint. I'm not taking away focus from the endpoint, and then there's focus at the edge. So it's all about, okay, you know, north-south, ingress, egress to that endpoint, and what's missing, or what has been missing, and now we have technology to give us visibility, is once I get that initial access, threat actors are staying inside the organisations hundreds of days without being detected. So the new battleground is, once I gain that initial access, what are they doing once I'm inside of that organisation? East-west internal flows, right? Once the attacker is in, the question you've got to ask yourself is, can you see it? Not just on the endpoint, but what it's doing throughout the network as it discovers, as it moves laterally to other devices, to ultimately exfiltrate data and then ransom? The thing is, if you can't see it, you can't protect it, and that's why we call this the new battleground.
Chad Skipper (23:17)
It's getting visibility into every packet and process within your multi cloud, right? So as an example, we saw 25% in this survey. VMware Contexa, that's our threat intelligence cloud, showed that in April and May alone, once a threat actor gained initial access, 44% of the time they were able to move laterally once inside. Now, once inside, in 80% of those cases they only island hopped, meaning I'm only hopping from device to device. They only island hop to two to three devices at the time. Which means that these threat actors are acutely focused on where they want to move to next. They're hiding. The reason I would say it's a new battleground is because they're hiding in the noise of the customer's common ports and protocols. As an example, they're using Remote Desktop Protocol, RDP, just like user administrators do to log in remotely, once they have creds. They're using pass-the-hash over Kerberos to gain access laterally to another machine, and they're using the Samba service to laterally move malware to adjacent systems, or remote access Trojans to adjacent systems. Now, RDP, Kerberos and Samba are common protocols being used inside, within the organisations.
Chad Skipper (24:48)
And all of this is really east-west, or internal, lateral movement. The question then becomes, based on all your RDP sessions, what, hundreds, thousands, millions of RDP sessions that are going on in some organisations, can you detect the five anomalous RDP sessions that that threat actor is using to move laterally within your organisation? And so that's why we believe that within the multi cloud, giving insight into east-west, that lateral movement, detecting that lateral movement and those anomalies, is that new battleground, in order to help reduce the dwell time of those threat actors inside the organisation.
Just to press a little bit more. So once they're inside, are you sort of just saying that typically, the main 80%, they're just then island hopping and they're just sort of getting to where they want to go, typically? Or what about the other 20%? What are they sort of doing?
Chad Skipper (25:45)
Yeah, that's a great question. The other 20% are really testing out the environment. They're moving laterally, 40, 60, 70, 80 different devices as they're trying to get a better understanding and bearing of that infrastructure. So the last 20% is where they really get involved and start moving within the organisation. But the first 80% is really targeted. I'm going to be in there and I'm just going to target those two to three devices.
So just to confirm, the 80% are sort of moving, yeah, let's call it, they're moving a bit slower and they're taking their time, whereas the last 20% are moving with more velocity, at a rapid speed. Is that correct?
Chad Skipper (26:31)
You can position it that way. They are discovering and moving more. The latter 20% are definitely penetrating and moving more laterally, and using island hopping across many different systems throughout the latter 20% of that number.
So let's focus on the 20% for a second. So the 80% is sort of for a specific reason; they're looking for something specific. What are the 20% looking for? Just to see what they can get their virtual hands on?
Chad Skipper (26:57)
I'd have to go deeper into the data. A lot of that, again, from what we're seeing on the lateral movement, is using those common ports and protocols. So in most cases, what they're looking for is IP. They're looking for something to exfiltrate outside of the organisation. That is what they're looking for. What can I make money off of? And then move from device to device to device to device, looking at that device to determine if there is something there that can be monetised.
So I mean, the 80 and the 20%, that's two buckets. Obviously, they're both worrying because they're in there, regardless. Which one, if you had to weigh it, is more worrying? The 80%, because they're sort of taking it slow and steady, taking their time, looking for something a bit more specific that may be of a lot more value, would you say? Or is that not the case?
Chad Skipper (27:47)
I wouldn't put it in the perspective of which one is worth looking for and which one is not worth looking for. I would position this as, no matter if it's the 80% or the 20% that we talked about, whether they're moving to fewer devices, I wouldn't say slower, I would say to fewer devices, versus the other one moving to more devices, the fact of the matter is they're using common ports and protocols to do that. And the question then becomes, how are you going to detect those anomalous movements over things like RDP, over things like Kerberos, over things like Samba? Right, because that's exactly what's happening.
Okay, I'd like to talk about deepfakes. This is a big one, it's wild, it's pretty scary. I've spoken about this a few times on the show as well. Some of them are really well done, hard to detect, and as per the report, this is on the rise. So what does this then mean for businesses?
Chad Skipper (28:49)
Yeah, so generally speaking, we've seen these attacks break down as follows, right? So deepfakes, both audio and video, are being used to manipulate humans. Now there may be confusion generally in the media's eyes about what constitutes a deepfake, but that being said, they generally bucket any synthetic human interaction as a deepfake. I'm not aware of any good detection techniques, other than the human eye, to detect these in the wild. Generally what we're seeing is these are being used to facilitate wire transfer fraud, as well as to trick administrators and IT folks into things like password resets. I have colleagues on my team where this has been confirmed by many incident response folks that they have met with over the last several months. I would say this: at scale, detecting deepfake video is somewhat problematic. There's been work done at Facebook and Google. But that being said, the detection mechanisms, or the detection methods, really are looking at what I would say right now is a lower data set of deepfake videos. And so with that lower data set, it becomes very difficult to break down and get really good detection capabilities. So the key takeaway here is, right now you've got to educate, and you've got to speak with your financial and IT staff first.
Chad Skipper (30:26)
They need to know how this is happening, they need to know what to look for. And there also needs to be an understanding of, if these things happen, what is the process that I go through in order to determine if this is indeed a deepfake?
Okay, there's a lot of things going on in there that you said. Okay, I want to start with, you said at the moment there's not really any good detection techniques. Do you think there will be? Well, hopefully, but how soon?
Chad Skipper (30:55)
Let me explain it this way. Machine learning, right? It's going to take machine learning to be able to understand these deepfakes. And with machine learning, you've got to have a data pool. You've got to have a significant data set in order to train that machine learning. I haven't seen a significant enough data set, and I'm not in the know enough, right, there might be something out there, but I have not seen a significant enough data set in order to actively train a machine learning model to detect a synthesised fake human voice, a synthesised fake video. I haven't seen anything there just yet. Now, technology is technology. I have a firm belief that, yes, in the future we will be able to detect these types of things. I just haven't seen any good detection techniques out there today.
Okay, well, thanks for being honest with that one. I think that, yes, it's not an easy one to answer because we don't have all the answers. If you were to educate people now, and they are worried about, okay, we've got to educate our staff, what would be the top things that you would do? And you mentioned something before, what do you look for? So you mentioned, like, if you look at something, these are the things that you typically know, that wasn't a deepfake, for example. So can you sort of explain maybe the top couple of steps that you would take as an employee, perhaps, that executives can educate their staff on to ensure that they don't fall victim to an attack that's quite sophisticated?
Chad Skipper (32:28)
Yeah, I would suggest that the organisations really take a look at what I would call SOPs, or standard operating procedures. Build your standard operating procedures around the way that we see these fakes happening. In some cases you get a phone call, right? And there are certain things that you do not want to instantiate over a phone call. That's a wire transfer. You just don't want to take a phone call, and it sounds like so and so and it seems to be so and so, but you don't want to necessarily take that on a phone. So do something like a two person integrity, TPI, where it says, okay, now I've been asked for this wire transfer, who's my second person integrity, two person integrity, TPI, in order for me to validate that this is a wire transfer that I want to happen? So it goes back to my military days. That's what I just said, TPI, two person integrity. That's an aspect of it. Standard operating procedures. That's an area that I would focus on from that perspective, from a voice or somebody calling you directly for those types of wire transfers. The video, right now, the ones that I've seen, there's been some good videos, but there are tricks to that.
Chad Skipper (33:36)
Then you've seen, maybe the voice is not in sync with the lips. Right. That becomes very difficult. If you have any questions whatsoever, I would take the Zero Trust model and say, you know, maybe trust but verify, and you want to double down and verify.
It's a very good point. I think for someone like myself, I've done a lot of podcast episodes, I do a lot of video stuff, so I'm just using myself potentially as an example of that. That is worrying. Do you think that we'll get to a stage in the future where we can't tell who's the real Chad, like, it's so sophisticated, it's so good? It seems like Chad, talks like Chad, the vernacular is like Chad, but it's actually, in fact, a deep fake. Do you think it'll be that sophisticated? And of course, when you're going to that level, like you said, the lips match with how people are talking. That's quite involved, quite sophisticated. A lot of time is spent on that. So do you think it will get to that level, and will we be in a stage where we become almost delusional around who is the real Chad by this stage?
Chad Skipper (34:44)
I haphazardly joke about this with my colleagues, but we're kind of living in somewhat of the Skynet age, right? Skynet from Terminator. You can see evidence of that in a lot of the technologies that we see, and unfortunately there's always going to be the dark side of technology, and unfortunately, yes, I foresee this being a challenge for us in the future. I mean, if you take a look at some of it, I don't have it on me right now, but I do believe the FBI released something on deep fakes not too long ago on wire transfer frauds and seeing a significant rise in that. So yes, I unfortunately see that we're going to see further advancement here in deep fakes.
So in terms of what we spoke about today, Chad, do you have any sort of closing thoughts, final comments? Especially because of your role at VMware as global security technologist, what would be your summary and key takeaways for people after today's interview?
Chad Skipper (35:58)
Yeah, from a multi-cloud perspective, as we get into the multi-cloud, I've got a few things that might help. You want to focus on workloads holistically. Antivirus is not enough. You need to understand the inner workings of that workload instead of keeping them out of the network. So understand, focus on your workloads holistically and understand exactly what those are. Number two, inspect in-band traffic. This is the east-west traffic that we talked about. Do not assume that all east-west traffic is safe once it's gone past the perimeter. Modern attacks succeed by disguising themselves as legitimate IT ports and protocols. Another one I would really start talking about is we need to begin to think about integrating multiple detection technologies, your NDR and your EDR as an example. Detection and response technologies employ this in real time on the endpoint, seeing every process, and at the same time on the network, seeing every packet. Bringing together your endpoint telemetry and your network telemetry can really provide visibility into the blind spots and help you connect the dots across that attack chain, seeing everything from initial access to lateral movement all the way out to exfiltration. And then lastly, I would say conduct continuous threat hunting. Offence informs
Chad Skipper (37:27)
defence. Security teams should assume attackers have multiple avenues into their organisation, and threat hunting on the network, as well as the biases, can help security teams detect behavioural anomalies, as an example, and really understand their networks better.
That was excellent. Appreciate it, Chad. I really loved this conversation. I think it's been informative, it was to the point, and I believe that our listeners will take away a lot from your amazing insights today. So thanks for making time and thanks for joining the show.
Chad Skipper (38:01)
All right, thank you very much.
Thanks for tuning in. We hope that you found today's episode useful and that you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes.
This podcast is brought to you by Mercsec, the specialists in security search and recruitment solutions. Visit mercsec.com to connect today.
If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI dot digital. This podcast was brought to you by KBI Media, the voice of cyber.