KBKAST
Episode 268 Deep Dive: Matt Preswick | Democratising Cloud Security – Will Security Become the Enabler to AI Usage?
First Aired: July 12, 2024

In today’s episode, we’re joined by Matt Preswick, Principal Solutions Engineer from Wiz, in the company’s first podcast appearance, to talk about cloud security and the intersection of AI with security in organizations. Matt emphasizes the critical need for evaluating security risks and compliance states within cloud infrastructure, addressing the potential for false positives in identifying security vulnerabilities. He also sheds light on the challenges posed by cloud-native threats, urging organizations to integrate security into early-stage application and infrastructure design cycles for efficient prevention of incidents. Matt’s insights underscore the importance of collaboration between security and AI teams, aligning initiatives with organizational goals and customer needs.

Matt Preswick is the Principal Solutions Engineer from Wiz in APJ, with experience in network, email and cloud security at leading security vendors in EMEA and APAC. Before joining Wiz, he led operations at a Sydney-based network analytics startup before returning to cloud security with Wiz.

Matt is passionate about developing scalable and actionable security practices within APJ’s largest organisations.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Matt Preswick [00:00:00]:
Everyone has to be security conscious. You know, we’re all in that same team and to facilitate this is for security and application teams to be cohesive and more importantly, like on the same team, the security team are not there to make your life difficult. So it’s about coming together and having that shared source of truth. And then more importantly, security then becomes that internal expertise engine, the consulting function with an organization to say, hey, we’ve got all these best practices for you to do. We don’t need to hand hold it. We don’t need to wave the stick around, but we’re here if there’s something that you really need to escalate.

Karissa Breen [00:00:47]:
Joining me today is Matt Preswick, principal solutions engineer from Wiz. Wiz is the company that everyone has been talking about, including myself. A few interesting comments about this company is their approach to cloud security drove Wiz to a 100,000,000 ARR in 18 months. Today at 3.5 years old, Wiz has 350,000,000 in revenue, a 12,000,000,000 valuation and recent round of funding reaching 1,000,000,000, making it the world’s fastest growing cybersecurity unicorn. So today, we’re discussing democratizing cloud security. Will security become the enabler to AI usage? So, Matt, thanks for joining, and welcome.

Matt Preswick [00:01:30]:
Thanks, Karissa. Good to be here.

Karissa Breen [00:01:32]:
So you guys are the company that people are talking about, which is why I wanna get you on the show. So let’s maybe start with your thoughts then, Matt, on democratizing cloud security. Like, what do you what do you sort of mean by this?

Matt Preswick [00:01:46]:
Yeah. It’s it’s an interesting one, that, you know, for giving kind of potential marketing, or or, industry cliches, democratizing cloud security is a really kind of important, kind of change in dynamic when it comes to to cloud security. So the the way I kind of, like, talk through it is ultimately, like, the way cloud is being adopted, broadly is in some way, shape, or form democratized. Developers have the ability to spin up their own machine, start to play around, use open source technologies. It’s much easier for a developer or application team to just stop tinkering, playing around. So my view of democratizing cloud security or security in general is kind of following that similar philosophy. If developers and and engineers are, you know, self servicing and and creating their own applications, we should also have that self-service nature of security. They shouldn’t need a security, practitioner to be kinda waving a stick to them and saying, hey, guys.

Matt Preswick [00:02:43]:
You’ve gotta patch this or fix this. They should be able to get that information to say, hey. You might have done this a little bit insecurely. Here’s how to fix it, and there shouldn’t be any of that kind of conduit of of the security team. And then on top of that, obviously, the security team then comes a, you know, broader strategic governance over the top to help escalate when when those, developers and engineers might not know, you know, the specific risk that they’re introducing, and they can be that kind of subject matter expert in that part. So broadly speaking, Karissa, the idea of democratizing security or cloud security is the ability for those that own the applications or infrastructure to be able to self remediate, self patch, self kinda contain risks as they, occur in in their cloud environment.

Karissa Breen [00:03:28]:
Yeah. So, Matt, you interesting point around, you know, self remediate. Do you need sort of better because at the end of the day, like, you know, no one to your point around wants to be, like, you know, waving the stick saying, hey. Like, you made a mistake or something like that. Like, I’ve been in security teams before. Sometimes a little bit better to mark your own homework than someone else marking it for you, would you say?

Matt Preswick [00:03:47]:
Obviously, everyone’s kind of somewhat aware or or experience the potential cultural friction that happens with developers and infrastructure and security. You know, that’s that’s no secret. And I think there’s an element of, you know, lacking context, but on both sides of of those teams. So I think the ability for for develop like, no developer wants to maliciously introduce bad code or or bad, configuration. You know? There’s just a a potential ignorance around not knowing that they’ve done it, not knowing what the practice is that they need to be following. So the ability to self remediate, it removes that potential friction that’s introduced when you’ve got them on telling you what to do and telling you kind of how to do things better. So I I view self remediation and and self-service particularly for, you know, the base level, the simp stuff, you know, the the classic you know, everyone makes these kind of it just turns into a culturally more synergized, operation. And then more importantly, from a business value perspective, you’ve got much faster velocity.

Matt Preswick [00:04:42]:
You know, when you’ve got developers that have the ability to remediate in a fast time, focus on building securely, and therefore be able to ship faster. And then when you’ve got them spending time on security, they’re they’re having the most tangible reduction in risk in terms of when they’re spending time outside of developing and optimizing their their application. So that’s one of the other broader benefits of going down that self remediation path is essentially you’ve got it integrated, the security in in a security mindset in terms of development.

Karissa Breen [00:05:11]:
So I’ll ask a really basic question because, I mean, I speak to a lot of people on the show, but just generally in the market would be, what do you think people sort of get wrong about cloud security?

Matt Preswick [00:05:22]:
Yeah. It’s a it’s a great question. I think there’s a few elements to it. One, like, obviously, cloud security has introduced, like, a lot of powerful, you know, mechanisms for organizations to move faster, develop faster, you know, be agile in the in the way they operate. And it’s obstructed a lot of, you know, on prem philosophies that I don’t wanna say are redundant, but certainly less relevant. And so a lot of people like, the fundamental thing that I see is transferring a lot of the on prem security mindset, philosophies to cloud. That’s one element. And then more importantly, looking at cloud security as a one-dimensional problem.

Matt Preswick [00:05:59]:
So in other words, cloud security is how I’ve configured my cloud services only. Like, that’s just fundamentally not true and then vice versa. You know, cloud vulnerabilities are just CVEs on my machine. It’s seldom that you see a cloud risk or a cloud, incident that is involving a single dimension of risk. In other words, you know, it’s very rare that one CVE on a machine is the only element that that’s led to the to the potential breach. And, obviously, Australia’s had our fair share of cloud related breach in the past couple years, and not one of them are a singular misconfiguration or a singular CVE, but a combination of them. And I think that changing in philosophy of of our organizations to understand, it’s like having one firewall port open is not gonna be the thing that brings you down. It’s gonna be that plus a misconfiguration, plus a CVE, plus a, you know, an identity that’s highly privileged, all those in combination is the actual risk in the cloud.

Matt Preswick [00:06:56]:
So I think that’s one fundamental misinterpretation or misunderstanding that that I see when people are thinking about cloud security.

Karissa Breen [00:07:03]:
So just going back to your point, you said there are a lot of, you know, security philosophies in in terms of on prem. What are they?

Matt Preswick [00:07:10]:
The kinda I used to work in a kind of more network security, which was applicable for both on prem and and cloud. But one of the things that that they would do is, you know, you’ve got your perimeter. You’ve you’ve got your kind of moat around you, and and regardless of if you configured your VMs on on the inside to be you know, you haven’t patched them appropriately or you might not have, you know, you might have some, like, host misconfigurations and things like that. At least you had the assurance that from a perimeter perspective, you’ve got everything locked down. You’ve got a firewall that you could be so specific about what people can what could be inbound and outbound. You had that reassurance that, yes, we might not have, you know, the cleanest operation inside of the castle, but we know our walls are pretty locked down. So I think that’s a philosophy that I see many organizations going to the cloud thinking that you can have that maintained you. Like, another one is, you know, internal reconnaissance on prem when when you’ve got a threat actor moving laterally is really, like, you know, typically a longer exercise than what we see in the cloud.

Matt Preswick [00:08:07]:
You know, they’ve actually got to work out and investigate. Okay. How can I jump from here to here? I see this in an internal IP. In the cloud, internal reconnaissance is easy because all of the a application like the API endpoints for a cloud service, they’re publicly documented. So what we see as soon as they’ve broken that first part, they run a script that says, okay. I wanna see all these permissions that I know that AWS or the other clouds provide. I just wanna see what which ones I get a success back. So it’s a much faster time from initial access compromise versus what we see on prem.

Matt Preswick [00:08:40]:
So in other words, the detection and response focus that we see in in on prem, where you say, okay. Let’s wait till something malicious happens and respond to it, has shifted a little bit in cloud. Like, we have to go to a preventative standpoint because and and a mitigation of blast radius because once they break in, it’s so fast from from when we say mission accomplished.

Karissa Breen [00:08:59]:
Okay. So there’s a few things in there that which is interesting I wanna get into a little bit more. So going back to the on prem sort of side of things, what do you think rattles your traditional on prem, hardcore fans of that sort of model? Like, because, yes, I am sort of seeing that your traditional deal is sort of moving more to a cloud mindset, etcetera, but there’s still some people out there on social saying, like, absolutely not, like, you know, on prem forever. Like, what are your sort of thoughts on that?

Matt Preswick [00:09:25]:
Yeah. I I think the main component there is that, like, you know, fundamentally, it’s almost like moving your environment. You you you’re going into a public sphere, right? You don’t have the lock and key in the in the basement of the building with a data center that that you can, you know, have physically guarded. You can pull out a, you can pull out the cable in the particular port of physically, if something’s really being compromised, you’ve got that completely abstracted. I think those types of general architectural changes is is something like that. Many engineers, particularly security practitioners will just be like, you know, there’s an element of control that you have on prem comparatively to what you have in cloud, just from that physical standpoint. And that’s kinda like there’s the, objective view of that. And and, it is obviously like an emotional view of, like, I I literally can see my machine.

Matt Preswick [00:10:12]:
And if it’s, you know, if it’s about to compromise and there’s a, there’s there’s malware that’s propagating, I can physically turn the thing off. So I think that’s one fundamental element that, that irks people about moving to cloud. And I think, the extra like, obviously, there’s huge benefits with going into the cloud. I think the other broad one is the is the the new paradigm or new domains that the cloud is kind of powered, which is obviously identity. It’s we don’t just have network as a perimeter anymore, which you do on prem. Identity is is that kind of second layer of perimeter when it comes to the cloud. And, obviously, it’s a whole new domain. It’s a whole new, like, landscape.

Matt Preswick [00:10:46]:
It’s essentially like a new supply chain risk, I suppose. So, you know, there’s an upskilling. There’s a there’s a knowledge area that needs to be, upskilled for for many on prem. So I’m I’m sure that those those elements would be a reluctance points for organizing.

Karissa Breen [00:11:01]:
You you made a great statement around having the control, which I get. Right? But then as I sort of zoom out of your statement there, is, like, how much were working today? Like, when I started working, like, 15 years ago, like, there was no one working from home. Like, there was no laptops. There was none of that. Like, you had a desktop at a desk, came in. You went at that time. You had control over your people from, like, a security point of view. Right? But now it’s like, you know, you may not even see an employee that works there for, like, 10 years because they’re in some remote place that you just never see them anymore.

Karissa Breen [00:11:30]:
So I feel like the control by default has sort of already been lost a little bit because the people aren’t coming into the office like they did back in the day. So isn’t it just sort of a natural progression that we’re moving this way and losing the control if you wanna call it like that?

Matt Preswick [00:11:46]:
Yeah. Yeah. I think with any of these evolutions, Karissa, that there’s always gonna be that kind of, you know, reluctance to do it, but the the train’s left the station here. There’s kinda no going back. The the obvious benefits of of moving cloud are there. The, operational kind of efficiency and then development velocity that you can gain in this is it’s too good to kind of hold back. So I agree that and and from what I say in in the market, we in Australia and New Zealand, for example, is, most organizations are either fairly heavy in the cloud, accelerating very fast in their migration, or certainly having, like, pretty core strategic initiatives to be moving to the cloud primarily for those reasons.

Karissa Breen [00:12:27]:
To go back to your comment before around, it’s faster to do internal reconnaissance. So would you say most people sort of understand that, or is that again something that perhaps people get wrong about it? Like, you mentioned before, like, you write a script, hey. Here’s everything. Like, that’s a a lot quicker process than perhaps an on prem sort of approach.

Matt Preswick [00:12:44]:
Yeah. I think people still fundamentally misunderstand, a lot of the cloud native type threats that we’re seeing. A lot of the fundamentals are the same, of course. You know, break in, get to the sensitive data, you know, the the high the, the the high level stages of an attack, you know, whether you follow, like, the classic NIST stages of an attack, they’re still all there. But the methods or the how of what threat actors are doing has fundamentally changed. They’re they’re leveraging the cloud native endpoints and services. They they know how to navigate them efficiently. Cloud keys, you know, and secrets, these are all mechanisms that we’re seeing threat actors use.

Matt Preswick [00:13:22]:
And then you start to layer in AI. And I’m not talking about, like, AI driven threat actors that are that are kind of enumerating things, but just knowing how to, like, potentially compromise AI models and do our isolation breakouts and things like that, threat actors are aware of these. And so once again, fundamentally, the the the stages and objectives are more or less similar, but the mechanisms have changed quite a lot. And therefore, our security strategies from a preventative standpoint need to shift a little bit as well. So I think in terms of market, like, obviously, there’s a there’s a lot of good knowledge around it. I think people became much more cognizant of it, because of the amount of cloud native breaches that we’re seeing. When you kind of like think of from the attacker’s perspective, what’s more likely if you’re kind of doing the, you know, the ROI of like, where are we going to spend our time trying to compromise doing an on prem environment and spending, you know, months months, like trying to sneak in in, move laterally and and kinda compromise? Or do we just go to the public domain and just start doing absolute brute force across all these IPs that we know are part of cloud services, and then we know what to do once we get in. It’s in my view, and I you know, not to oversimplify it, but you you can see why that’s a much easier target for them versus, you know, you know, legacy on prem environments.

Karissa Breen [00:14:38]:
Okay. So you mentioned before cloud native threats. What are they? Can you expand on that a little bit more so people are sort of a little bit clear on what you mean by that?

Matt Preswick [00:14:45]:
Yeah. Cloud native threats, in my view, is is essentially threats that are targeted or attack paths that are targeted typically to cloud environments. So these are involving not just like network, classic network application, compromises, but using the cloud domains, particularly, from a compromise. So I’ll give you an example. So, like, I think it was, like, quite similar to, like, the Capital One breach. You’ve got a potential exposed API. They compromise that machine. They use a cloud access key.

Matt Preswick [00:15:19]:
They compromise that key and they understand who owns that key, that user and, you know, you’re obviously familiar with the concept of identity and IAM within cloud. This is kind of like the new domain in terms of where connections happen between services and and resources. So what would happen is they’ll identify this key. They’ll they’ll they’ll work out who owns this key. And the key is just for for those that aren’t aware. These are the particular mechanisms for, like, an SSH key. If I wanna if I wanna connect an SSH into one of my VMs in AWS, for example, I’ll have a key that I’ll use to access that, and then I might not have any high permissions organically. But within the cloud, there’s really nice mechanisms like in AWS, like the idea of assume role.

Matt Preswick [00:16:02]:
I’m gonna impersonate another role to give me admin permission, and then I’ll use those admin permissions to quickly, you know, create another machine or create another service or whatever it may be. So what threat actors are doing are essentially, okay. I’ve identified this key. I’ve worked out the, owner of that key. I’m gonna see what that owner of that key can do. They might not organically have any high permissions. I’m gonna see what I can jump. And that’s what I mentioned with that fast internal reconnaissance because all of those API endpoints that you can use in the cloud in AWS or GCP or Azure, you’ve got that all publicly documented, and then they can quickly go, okay.

Matt Preswick [00:16:37]:
Oh, this user can assume this role. Okay. What does this role? And this role hey. This role actually is able to create an EC2. Oh, this one’s able to, you know, delete something. This one can access a bucket, for example. So it’s those types of domains when I say cloud native, breaches, which is essentially using the cloud services and mechanisms to move laterally and compromise an environment.

Karissa Breen [00:16:59]:
Okay. I wanna sort of switch gears slightly and talk about your thoughts on you say cloud and AI. And I know AI, you know, that’s a term that people are starting their eyes asides to glaze over. But Pattern AI are tremendous enablers that allow teams to quickly transform everything from development to operations. So talk me through this. So what does this look like? Now I know that I feel like I’ve been talking AI, like, about what about AI on the show. But, again, like, everyone has a different view. Right? So I’m keen to hear yours.

Matt Preswick [00:17:28]:
Yeah. Yeah. Absolutely. So, you know, once again, hopefully, forgive any, buzzwords as I as I go through. AI is a buzzword, but it’s a buzzword with utility, you know, on my potentially other buzzword. So I view and look at people have different opinions. I talked to industry peers around this, and and some kind of feel like it’s, you know, it’s like it’s like cloud again. The developers and engineers are just gonna start playing with it and then ask questions later.

Matt Preswick [00:17:52]:
You know, the classic ask forgiveness, not permission. I actually have an alternative opinion a little bit. Obviously, every organization’s different, but I think because of the kind of rate and velocity of threats and risk we’re seeing, and once again, particularly in Australia, but globally, of course, everyone’s a little bit more aware that, hey. Like, all cool technologies come with inherent risk. You know, it’s kinda like containers and Kubernetes. People went for it first, and they’re like, oh, okay. There’s actually some potential risks that we need to be aware of in terms of setting that up. And then they’ll ask the question after the fact.

Matt Preswick [00:18:23]:
What I’m seeing with AI a little bit is everyone knows the power that it’s got. Everyone knows the potential it’s got. You’ve got boards. You’ve got CEOs saying, I wanna use this, except, hey. Can we make sure we don’t screw this up and introduce risk to the environment? So why I see security being an enabler here for this is because, like, for example, I work with typically, the people I work with in my capacity with is is cloud security teams, cloud infrastructure team, but we have a lot of AI security and data. I actually had a data science team from an organization, an enterprise organization in New Zealand reach out to me on behalf of their security team saying, hey. We really wanna start using things like Bedrock, OpenAI, you know, Vertex AI from the the respective clouds, even, like, other, like, non cloud provider ones like Replicate or Hugging Face and things like that. But we’re not sure how to secure it properly.

Matt Preswick [00:19:18]:
We know how to use the data behind it. We don’t have the skill set in here. Can you help us help them understand how what’s the best practice look like for AI? And so we engage with the AI, the cloud team the sorry, the security team who’ve essentially started to say, okay. We really need to upskill in this because once we’ve got the the kind of framework in place, the kind of secure, like, let’s say, pathway for our organization to use AI, then security becomes not just like the the kind of risk reduction engine within the organization. They actually become a top line contributor because of their ability to adopt AI faster in a secure way. They’re they’re the ones that are kinda you know, I read an interesting article the other day, like, the top 4 blockers of AI adoption. There’s legal parameter you know, legal consideration to take into account. There’s privacy consideration.

Matt Preswick [00:20:10]:
And then of the top 4 is security. And if you don’t have the knowledge to to do that security of those AI services and the data are underpinning it, then you’re gonna be much more reluctant in adopting it. So that’s where I say, you know, if I’m leading a security team right now, I would be going up to my kind of board and and and c suite saying, hey, I’ve got the parameters in place. We can start to adopt these for the broader business because I’m comfortable with with our posture around this. So that’s where I see it as an enabler.

Karissa Breen [00:20:39]:
Follow-up question on Havas. Do you think people sort of have the knowledge of AI?

Matt Preswick [00:20:42]:
Broadly speaking, I would say I’m speaking for myself there as well. Such an evolving space. You know, if anyone said to me that I fully understand everything to do with AI, I would be a little, dubious, I would say. Say is people understand the fundamentals. They understand how the outcomes it can present to organizations. And most importantly, you know, from a security perspective that I like hearing is people that are aware of the potential risks being where is the data going and how is the infrastructure being used in our environment. That’s an opinion, of course, but it it is an evolving space.

Karissa Breen [00:21:16]:
Well, people view AI as, like, a double edged sword. It’s like, yes, we need it to be faster, more velocity, you know, reduce costs, etcetera. But it’s like, oh, there’s, like, all these risks and legal and privacy concerns. How do we sort of find the equilibrium by we need to move forward as a society and, you know, get up to speed with AI and understand it, but also be mindful then of the risk. How do we do that effectively?

Matt Preswick [00:21:39]:
Yeah. It’s it’s a good like, I’m I’m an optimist at heart in the sense that, like, I I think the the outcomes of AI, you know, there’s there’s some, you know, doomsday type rhetoric around and things like that. I don’t share that opinion, so much. But more or less, I think the way to to navigate that is to do things in a in a strategic, not completely you know, you’re never gonna have 0 risk when whenever you’re testing anything, but but in a in a reasonable and and risk friendly way. In other words, let’s not just bring in an AI service into our production and start using it as our big data querying set because we just wanna see what it can do. Like, make sure you’re going through the classic you know, some of the classic development philosophies of, you know, proper sandbox testing, UAT, nonproduction testing, and then start to go into production and make sure you’ve got the the appropriate closures to customers that, hey. This is an opt in service to start with. We’re gonna start to use these particular, you know, AI services potentially.

Matt Preswick [00:22:34]:
But, certainly, you don’t wanna get bogged down in in analysis paralysis of, oh, but what about this scenario? What about this scenario? You wanna keep moving forward as you mentioned. So I think there’s there’s always gonna be that healthy balance. I think, once again, this is where you need high levels of collaboration between security and the data and AI teams or whoever’s driving the AI initiatives to say, look, guys. We really wanna enable these services. We really see these outcomes. Let’s not do the reactive standpoint of like, hey. We’ve built something, and then security can see it in whatever system they’re using. Hey.

Matt Preswick [00:23:06]:
You’ve just exposed this and this. You’ve opened up this data or whatever. Security should be early on in the design discussion. They should not be after the fact in terms of when when these applications are being, built.

Karissa Breen [00:23:18]:
So what would sort of happen if companies were like, no. Not really keen on AI. Maybe they’re conservative in their approach. See it as massive risk, and they just don’t adopt it. What do you think sort of happens to those companies?

Matt Preswick [00:23:27]:
I mean, it’s obviously gonna depend on business to business. You know, some there’s probably some business operations that, you know, AI is nice for for periphery services. It’s not gonna help our core business. That’s fair enough. You know? They they don’t need to adopt it. I think it’s each their own. To some extent, I wouldn’t say by any means. It’s kinda like cloud, you know, and and and other more emerge like, and and and other emerging technologies over the last kind of decade or so.

Matt Preswick [00:23:52]:
Just because you haven’t adopted them doesn’t mean you’re gonna fall behind. You could be a classic brick and mortar business that it just didn’t make sense for you. Any company that doesn’t take AI is gonna lose out and be defunct in it by the time. And that’s a great point. Like, going back to, like, the hype cycle around it, essentially gonna be a lot of toil in terms of, wasted, design operations because everyone was so hyped up. It’s gonna solve all our problems. There’s gonna be fundamental business decisions around, you know, this actually is not gonna make a a process more efficient. We’re not gonna get the customer experience that we thought we would.

Matt Preswick [00:24:23]:
You know? The AI AI is actually being detrimental to our customer experience, and and we maybe jumped at this and didn’t do the the the appropriate testing ahead of the time. But once again, it’s really hard to say. I I think it’s just a organization to organization decision, and I’d be focusing on not, like, how cool is this tech, but what’s the actual outcome that, in theory, this would deliver before kind of diving in broad AI, initiative?

Karissa Breen [00:24:48]:
People think like that, though. Like, what’s the outcome? Like, what do we get from this? I mean, it’s a great point. Right? That’s why I sort of, you know, I love running this show. Like, what what do we get from all this stuff? Do you think people just get lost in the technology, the capability rather than well, if we adopt this, what do we sort of what do we get from it? Do you think sometimes as technologists, people like yourself, live and breathe it, perhaps maybe I wouldn’t say get lost, but perhaps, you know, things are a little bit tainted perhaps on your viewpoints?

Matt Preswick [00:25:14]:
Yeah. I think we we’re always at risk of being in the bubble of of our domain. And, you know, whether you’re an engineer or whether you’re, you know, an executive, I think you you’ve got very different views, and you’re you’re obviously kind of, like, the product of your environment. So, like, engineer led organizations might say, hey. This is the coolest new tech. Let’s start playing around with it, and and they spin up some project that doesn’t deliver any you know, without even speaking to a customer, for example. You know, what what what’s the actual customer outcome here? Like, are they are their lives gonna be changed enough for it to justify the bottom line kind of thing? That being said, experimentation, r and d is still, you know, super important for every organization, and and I I understand and appreciate that, you know, you’re not gonna have, like, the defined outcome, when you start when you kick off a project. But I I look.

Matt Preswick [00:26:03]:
I think it’s a mixed career. So, like, we do all, I primarily work with organizations in Australia and New Zealand, you know, where we’ve got a team dedicated to experimenting. They’re literally spun up to, like, look at emerging technologies, and that’s great if you’re an organization of that scale to do so. But I think if you’re a more lean organization, you’ve got to be collaborative, break out of your silo in terms of, you know, the data and AI team. Hey. I’m gonna talk to security and see if there’s anything that they may benefit from this initiative that we’re driving. And then spreading around and saying, do our customers actually need this? Is this gonna make a tangible different top line and, of course, bottom line as well? So, once again, it’s an organization-to-organization question. I think there’s a healthy balance that needs to be had, but I’m an outcome-driven person typically when you start to spin cycles on projects of that magnitude.

Matt Preswick [00:26:55]:
You know what I mean?

Karissa Breen [00:26:56]:
So going back to the knowledge side of things, now I’ve got a lot of people that come and talk to me, and they ask me a lot about, like, you know, AI and security, etcetera, executives. But how can people who perhaps still like, well, we need to get a little bit more knowledgeable on this and start to look into it in a way that makes sense? I mean, a calculated risk. Right? Not just diving headfirst and seeing what happens. How would you sort of approach people to address that within their company?

Matt Preswick [00:27:23]:
Yeah. One of the things, like, I hope I’m not coming across as, like, you know, fearmongering in terms of AI. The beauty of AI in a lot of ways, fundamentally the kind of going back to my earlier point around, like, cloud, for example, the fundamentals haven’t changed. I had an executive say to, like, a CTO say to me the other day effectively, my view of AI is it’s a good opportunity for organizations to say, hey, and particularly security leaders to say to the nonsecurity parts of the business, if we want to, as an organization, adopt AI more, it’s a good opportunity for them to say, hey. Well, let’s eat our vegetables a little bit here. Let’s get the foundational setup of our cloud environment up because once again, as I mentioned, we’re not reinventing the security risks here. I look at AI as just another platform, an extra platform on top where effectively you’ve gotta make sure you’ve got the underlying infrastructure. So you have to have visibility.

Matt Preswick [00:28:14]:
You have to have the visibility of the services that you’re using as well as what they’re running on. And more importantly, you’ve gotta have technologies in place that can say, you’ve misconfigured this. This is public. You know? This has a high privilege attached to it. It’s got sensitive data. It’s nothing new that AI is introducing. It’s the fundamentals. So I think these are the kind of levers that security leaders can use to help with that AI adoption.

Karissa Breen [00:28:40]:
Okay. So I’m gonna zoom out a little bit more. And as we know, you live in Australia. Now Australia has its fair share of breaches in the last recent years. So maybe talk me through how you’ve seen the threat landscape change. I’m keen to get into this.

Matt Preswick [00:28:57]:
Yeah. I mean, Australia, you know, there’s a few themes, I would say, that are kind of coinciding. One, Australia is, you know, a fairly early adopter, and more and more organizations have significant workloads in the cloud. And with that, there’s obviously a broader attack surface when it comes to cloud related workloads. And as I mentioned earlier in the call, cloud threats, the growth of attacks there is becoming, you know, more or less exponential over the past few years because of that rate of return that attackers can get. You know, it’s one simple misconfiguration from developers that have accidentally forgot to close down an API or to delete or extract sensitive data. These types of misconfigurations have made it a much easier and target for Australia. In terms of the threat landscape, I think Australia, you know, we’re obviously a fairly advanced economy.

Matt Preswick [00:29:49]:
We’ve got significant organizations here. It’s a very attractive target from both nation states as well as just, you know, classic hacker groups like we’ve seen, you know, with a lot of those significant breaches. So I think just as a general target from a monetary perspective, Australia and New Zealand are obviously quite high on the list along with the likes of Europe and the US, of course. In terms of the types of threats, once again, we’re seeing much more organized attacks and very intelligent and cloud aware attack mechanisms as well. So I think that the landscape broadly speaking is we’ve got an attacker base that are very aware out of compromised cloud environments and are very aware of the types of organizations that Australia has and the potential types of impacts that they could have in the industry, I should say.

Karissa Breen [00:30:38]:
So what does it mean for companies now? Like, as you know, like, we’re trying to constantly get ahead above the water, do better than the cyber criminals, and, you know, it’s difficult. Right? So now you’re saying they’re more cloud aware, which means that, you know, companies need to be thinking, you know, even faster now again with everything you just explained that things are running a lot with velocity now than they ever have before. So what does this sort of mean now moving forward? As we’ve talked about, more companies are thinking about, you know, cloud first, etcetera, adoption to it, security within the cloud, etcetera. So what are your thoughts then on how companies can, you know, ultimately not feel that they’re the victim of, you know, being breached?

Matt Preswick [00:31:20]:
Yeah. And I think it comes to a few things. You need to introduce, like, one, Australia is a large country, but we’ve got a huge skills shortage when it comes to cyber. And that’s cyber generally, then you start to think about cloud security expertise. There’s a big shortage. I think the government alone has something in the order of, like, can’t remember what the statistic was. It’s in the 1,000 in terms of skills deficit when it comes to cyber in Australia broadly. I think it was a report from last year or late the year before post a lot of those significant breaches.

Matt Preswick [00:31:51]:
So we’re not flooded with resources and expertise locally. We need to go down. And this is broadly, not just Australia, just in the world generally. So you start to think about the emerging technologies, how many experts are there in Kubernetes security and then AI security. So what that means for me is, and it’s just generally speaking, is we need to have pragmatic security. In other words, really focused on risk and not just alerts in isolation. You know, we’ve gotta be pragmatic about what is the likelihood of this being compromised and what is the impact. And when you have organizations shifting their mentality from, here’s all these alerts, anything that is of a, you know, significant severity, that’s a high level priority.

Matt Preswick [00:32:34]:
They often are one-dimensional, and it kinda goes back to the top of the call when you asked me what am I seeing in terms of cloud security and the misconceptions is people think cloud risks are one-dimensional. You’ve gotta be bringing in multiple different points of telemetry to say, okay. This is actually not just a public machine. It’s a public machine with sensitive data. So you’ve got your likelihood and your impact. So pragmatic security means we’re never gonna have a 100% patched environment. We’re never gonna have an environment with 0 CVEs or 0 misconfigurations. There’s always gonna be inherent risk.

Matt Preswick [00:33:09]:
So it’s about prioritizing both our security team’s time as well as the application and infrastructure owners’ time to say, these are the things you need to focus on first because of the fact that these will have the actual most pragmatic reduction in risk. And then the other layer on top of that is because of the impossible outcome of having 0 risk in the environment. It goes to that preventative measure that I mentioned earlier, preventing the impact of a compromise is imperative for organizations to say, look, we’re always going to have something that might be externally exposed. Let’s make sure that it can’t go anywhere, having the appropriate isolation and segmentation. So it’s about almost preparing as an organization. I don’t wanna have my last line of defense as my only line of defense to respond to an attack after the fact. Let’s be proactive and preventative. And then once you get to that nice benchmark of duration, then I really see a nice theme of, and once again, give the buzzword of shifting left and introducing the preventative controls in the guardrail, in a pipeline or in guardrails in the developer’s life cycle.

Matt Preswick [00:34:20]:
Because also there’s a huge order of magnitude value in doing that earlier than after the fact. So I suppose the broader answer there is pragmatic outcomes and accepting that you will have risks, but focusing on where the highest ones are.

Karissa Breen [00:34:35]:
Okay. There’s a couple of things in there which is interesting. So why do you think people think it’s just one-dimensional? Where does that sort of come from, that thinking?

Matt Preswick [00:34:42]:
I think it’s just the initial generation. So, like, when cloud first, you know, really started growing in market, the new layer that was introduced was, of course, cloud services. Right? So your PaaS and IaaS services. And naturally, the first thing that the cloud providers as well as third party providers introduced was, okay. Here, I’m gonna introduce configuration suggestions for you. Simple things like, hey, you’ve just created a VM in the cloud provider. You’ve got the disk unencrypted. You should encrypt that.

Matt Preswick [00:35:14]:
Similarly, like, hey, you’ve just created an S3 bucket. Did you know you had that public? You should not have that public. Now often these are, like, inherent little risks, but often what they are is just like it’s a compliance state. So what they would do is, and there’s like the classic example of, you know, a VM with a public IP address in the cloud. You may, you know, you’d be forgiven to think, hey, this machine is public. That’s actually not necessarily true. So it’s not so much a false positive, but it’s a false rip, just a compliance view in my opinion. Because what you might have, the VM might have a public IP, but it might not actually be behind an Internet gateway.

Matt Preswick [00:35:51]:
So there’s no actual exposure. And then you see the broader impact. If you send that to a developer saying, hey. You’ve got a public machine. They’ll say, no. I don’t. It’s not behind any. And then that’s where the friction starts to be introduced a little bit with those teams.

Matt Preswick [00:36:04]:
Whereas if you go down the other path of, like, regardless of whether it’s got a public IP, hey. I can prove that this is reachable through the entire infrastructure point. There’s multiple dimensions to that. So therefore, it’s a real risk opposed to that. So I think it’s just a natural evolution to go back to your original question. Why do people think it’s one-dimensional? It’s because that was the tooling that was first introduced when it came to Platts. How to configure things correctly opposed to looking at the other elements such as, like, what about the identity that’s attached to it? What about the data that it can read? You know, the blast radius, the exposure. So I think it’s just a maturity of the market in changing from that mindset.

Karissa Breen [00:36:42]:
I’d touch on quickly around the preventative side of things. You’re right. Like, you know, with all the cybersecurity strategy, etcetera, the government’s coming out and saying companies are saying that. The part that gets me, though, Matt, is one of the companies being briefed is like, oh, we did everything we could. Well, obviously, you didn’t because there’s a break. So I’ll be taking it seriously, though. Because anyone can say, I work in media. Right? It’s always gonna be we’ve gotta get the best image out there.

Karissa Breen [00:37:06]:
I can say that because I am asking organizations for statements post their breaches. Okay? And some of the pushback I’ve had is part that really gets to me is me asking, like, oh, we’re gonna share about, you know, our failures. I’ve asked. People don’t wanna share. So I don’t know where this whole theory is about sharing and letting other people know. That’s false. People don’t wanna talk to me when I’ve asked them the question.

Matt Preswick [00:37:29]:
I’m seeing a shift hopefully in the industry a bit about sharing those best practices, I think. I think people are, you know, there’s always gonna be that natural stress and anxiety that comes after a significant breach, and obviously, no one, people are reluctant to admit potential fault. Once again, it’s whether it’s a conscious error or whether it’s an unconscious error that they’ve made, you know, in the fundamental setup of their infrastructure. I tend to agree with you. I think a sharing between organizations, particularly giving, like, and many organizations have done this well, doing, like, a really clear post mortem of what did we do wrong, and here are the things we learned from it. So while the organizations don’t repeat the same mistakes, I think would be great. But it’s an evolving industry, and hopefully, organizations, you know, become more comfortable in admitting potential errors and, you know, the broader industry is better for it. I will say there’s many groups that I’ve joined, you know, whether it’s CISO groups or general security practitioner groups.

Matt Preswick [00:38:26]:
And often in these discussions, it really does come quite a healthy conversation of, like, hey. We really screwed this part up. I really recommend doing x, y, and zed. It really helped our operation. So I am seeing particularly in a lot of the conversations I’m in, Karissa, that organizations are becoming more willing to share their best practices as well as their potential thoughts.

Karissa Breen [00:38:48]:
So, Matt, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?

Matt Preswick [00:38:54]:
I’m really optimistic about the industry. I think certainly across, you know, the clients that I work with in my capacity at Wiz is I’m seeing a really nice shift of organizations, particularly at that executive level who really need to be the ones kind of driving these initiatives to bring these teams together. Security, you know, everyone’s in security. Everyone has to be security conscious. You know, we’re all in that same team. And to facilitate this, what I’m seeing to be a really healthy way to do it is for security and application teams to be cohesive. And more importantly, like, on the same team, the security team are not there to make your life difficult. So it’s about coming together and having that shared source of truth.

Matt Preswick [00:39:34]:
And then more importantly, security then becomes that internal expertise engine, the consulting function with an organization to say, hey. We’ve got all these best practices for you to do. We don’t need to hand hold it. We don’t need to wave the stick around, but we’re here if there’s something that you really need to escalate. So one of the things I suppose, just to summarize, is I think that the shift, particularly with cloud and AI, I think, is gonna be a real driver for the type of culture within organizations is for security to be part of those early stage application and application infrastructure design cycles. And therefore, they’re gonna be able to build faster with security embedded, meaning that you’ve got a much more efficient way and you don’t have to kind of stop the whole show to patch an incident, but you can prevent it in an earlier way. Bit of a broad statement, but hopefully the takeaway is that I suppose it is possible. I’ve got many customers that have a really smooth self-service operation where more than the majority of the users of the tool, like, such as Wiz, the majority of our users aren’t actually in security.

Matt Preswick [00:40:36]:
The majority of our users are actually developers, dev ops, and infrastructure team, so it is possible to take away.
