James Blake [00:00:00]:
Money helps, but it’s also culture, it’s politics, it’s structure, it’s process, it’s skills, it’s retention of your staff. These are all things that contribute to cyber resiliency, and that’s often forgotten.
Podcast Voice-over [00:00:23]:
Target for ransomware campaigns, security and testing.
Karissa Breen [00:00:35]:
Joining me now is James Blake, Vice President, Global Cyber Resiliency Strategy at Cohesity. And today we’re discussing assessing your organization’s cyber resilience. What matters and what matters less. So, James, thanks for joining me and welcome.
Podcast Voice-over [00:00:49]:
Hello and happy to be here.
Karissa Breen [00:00:50]:
Okay, so James, you were supposed to come out here to Australia, but as you mentioned before we jumped on the interview, you’re supposed to be in three places at once. Given your role, given your title, given your background, your pedigree. So let’s start right there. Because of your caliber, what do you believe matters the most compared to what matters the least? When it comes to resilience, there are.
James Blake [00:01:11]:
A lot of things that matter.
Podcast Voice-over [00:01:13]:
I think the most important things that matter because it can’t be put down to any individual component. But the first thing is pragmatism. You can’t go from zero to hero overnight. And a lot of organizations do that.
James Blake [00:01:28]:
They will focus on one element of.
Podcast Voice-over [00:01:31]:
Resilience and then myopically focus on developing that capability to 100% while the rest of the things that contribute to resiliency are complete dumpster fires. That’s the first thing. It’s pragmatism. Like focus on your least mature elements and getting those capabilities up will deliver a much better level of resiliency than myopically focusing on one element. And I think the other thing around resiliency, it’s not something you can buy off the shelf. It’s an emergent capability that you become by doing the right thing. And those things are not just technology, which sounds weird for someone who works for a vendor to say, but it’s also the preparedness of your people, the muscle memory, and also the processes that are built around that technology to operationalize it. So they’re the kind of two things I think, preparedness and pragmatism.
Karissa Breen [00:02:30]:
Okay, so this is interesting. So I’ve had a fair few conversations, especially recently, around resiliency, you know, getting prepared, all of those things. But one of the things you said was interesting is people just get so hyper focused on certain elements. So maybe walk through. What would you say, typically speaking, are those elements that you often find customers or people in the industry in general focus on.
Podcast Voice-over [00:02:53]:
Yeah, so as an organization, Cohesity, we focus on overall operational resiliency of IT. So we handle BCDR traditional incidents that you can count the root causes of on one hand. So they’re flood, fire, other weather events, misconfiguration, power loss and equipment failure. That’s pretty much it. But I focus purely on the cyber side. So I can only answer that question on the cyber side.
James Blake [00:03:23]:
And I think there’s a lot of.
Podcast Voice-over [00:03:25]:
Things where people are focusing on recovery and that is probably the biggest issue I see with our customers. Our customers will be approaching us around ransomware and wiper attacks, which of course are the most predominant cyber attacks and the most impactful cyber attacks that you can suffer. But it’s the IT teams on their own approaching us because they perceive it to be like a traditional BCDR scenario and they’re expecting the same kind of recovery time objectives that can be achieved in instant mass restore, switching to a second data center. And the reality isn’t because you’ve got to investigate the incident, remediate the threats, remediate the attack surface before you bring those systems back into recovery. So I think that’s the most important thing is building this shared responsibility model between IT and security and making sure the customer is aware. This is not something your IT and traditional disaster recovery team can handle on their own. So security need to be involved in this. And you would not believe the size of the organizations where sometimes this IT only, recovery only approach is taken.
Podcast Voice-over [00:04:46]:
So I think that’s fundamentally the area that I see more than anything else, organizations really failing in is not taking this shared responsibility model between the two. I think the other areas are, and it’s kind of related to that, is making sure that you’re not just recovering after an attack to achieve that resiliency, that you’re making sure you don’t get re-attacked. And the most common thing that we see is people prematurely recovering systems that still have vulnerabilities in them. And a third of all attacks, I think Mandiant said it was 34% of all attacks, are now coming in through vulnerabilities. So if you just recover your last vulnerable backup without understanding how they got in, you know, not just the same attacker is going to come back in, but any other affiliate of the ransomware as a service platform that was used to attack you can now come straight back in. And then the other element is if you’re just recovering systems where you were unable to detect or prevent the attack previously. And defense evasion is rife at the moment on ransomware as a service platforms. Most EDR tools can be turned off.
James Blake [00:06:02]:
You’re still going to be blind to.
Podcast Voice-over [00:06:03]:
The reoccurrence of that attack. And then of course MITRE ATT&CK, there’s 14 stages across that and the adversary is leaving persistence mechanisms and artifacts across all of those different stages. And I think that’s misunderstood by people that think ransomware is a Swiss army knife of a malware that does everything from getting in to encrypting your data, whereas the reality is living off the land, identity based attacks. Some of these things aren’t even visible to some security tools that are out there. So I think they’re kind of the areas that I see people mistakenly focus on. And then those elements of defense evasion, the fact that you need to remediate those threats and understand vulnerabilities are the areas of weakness in that overall cyber resiliency chain.
Karissa Breen [00:06:58]:
Okay, so you mentioned the word preparedness. So many people, vendors, et cetera, say get prepared, we got to be prepared. Preparedness. But what’s your sort of definition or how do you see it? Because I feel like sometimes it’s an easy thing to say in terms of get prepared. But then what does that actually mean?
James Blake [00:07:16]:
Yeah, I know, I think, you know.
Podcast Voice-over [00:07:18]:
Most, most vendors, you’ve got to remember.
James Blake [00:07:19]:
I spent 30 years of my life.
Podcast Voice-over [00:07:21]:
Sitting on the other side of the fence, you know, listening to vendor claims and buying products and then, you know, having to spend and invest the time to actually operationalize those products and keep them maintained and integrated. And so a lot of vendors out there will say, well, your preparedness is signing a purchase order. And I’m not a great believer in that. What we should be doing is helping customers achieve, you know, cybersecurity best practices. And there’s some very well established frameworks in terms of cyber incident response and recovery that we can go to, whether it’s the NIST or FIRST or we can use the ones from the UK National Cyber Security Centre, or we can use the SANS six-step model. What we should be doing is talking about those and where our technology fits in, not talking about our technology and then trying to layer processes on top of the technology. So I spend a large amount of my time talking to customers about how to achieve those best practices with Cohesity, rather than talking about the adoption of Cohesity. You know, just what our features do independently, the operational relevance of our features to a process and what skills are needed in terms of driving that process and continually maturing.
Podcast Voice-over [00:08:41]:
It is a much more important conversation sometimes. You know, in terms of what we should be focusing on as vendors is helping customers achieve the capabilities to be able to protect their backups because they’re the last line of defense. The ability to then respond to that incident, find those vulnerabilities, find the end to end attack timeline because we can’t recover without doing that. And then finally when we go to recover, making sure we’re remediating those threats before they go in. And they’re the elements of maturity that are often missing in customers that I speak to because they are just skipping straight to recovery. And all those best practice frameworks, none of them start with recovery, they all start with preparedness. You know, having the right people, the right processes. And I think the most important thing is drills.
Podcast Voice-over [00:09:39]:
You know, the ability, the first time you see a destructive cyber attack shouldn’t be the first time you see a destructive cyber attack. The ability to build realistic drills where perhaps a penetration tester takes an end-to-end line of business application. You clone that line of business application so that the pen tester can go after it in a realistic way without impacting your production systems. And then do everything from getting in, exfiltrating the data which can be masked so it’s not real customer data, to actually encrypting that data. And then you look at what your response process was afterwards in your recovery process and are any attack artifacts left in there? Then you’re testing not just the technology, you’re testing your people, how effective, how quick were they? And also you’re driving that continual improvement. So I think that’s the kind of things that I look at in organizations that are highly mature is how can they build a minimum viable response capability and then continue to build on that with continual improvement to make those processes better, the people better, to drive more automation in the technology.
Karissa Breen [00:10:56]:
So James, you say organizations should focus on building resiliency, as we’ve just discussed, rather than absolute prevention. My main question here, James, is isn’t this what companies are already doing? Would you say, well, just look at.
Podcast Voice-over [00:11:10]:
The logos of the organizations that have been hit by ransomware, right?
James Blake [00:11:16]:
I used to work for an organization, I used to be the global head of cyber risk for an organization that.
Podcast Voice-over [00:11:21]:
Spent a billion dollars a year on cybersecurity. We had hundreds of people in our kind of three follow-the-sun SOCs around the world. It didn’t stop us having an incident where over 50 million records were exfiltrated. So I think there’s this. Businesses believe that budget and headcount is the determination factor in how protected and how responsive they are. Right.
James Blake [00:11:46]:
So even though organizations are starting to.
Podcast Voice-over [00:11:49]:
Pay lip service to the fact that they need to be ready to respond, I think there are still cultural challenges.
James Blake [00:11:57]:
And sometimes political challenges.
Podcast Voice-over [00:11:59]:
IT and security don’t always get on. We’re measured in different ways.
James Blake [00:12:04]:
And so these are causing problems in.
Podcast Voice-over [00:12:06]:
The actual achievable level of cyber resiliency. And I think ransomware especially has focused efforts on building true resiliency along with some of the operational resiliency regulations that have come in already. I mean, the UK and Europe have pioneered this with things like DORA and the Prudential Regulation Authority requirements. But we’re starting to see almost every single country around the world starting to drive at least a baseline level of resiliency that’s there. So I don’t believe most organizations have done it.
James Blake [00:12:42]:
And if you look at the spending.
Podcast Voice-over [00:12:45]:
And the budget that’s spent on prevention and detection and then you just walk around Infosec in London or Black Hat or RSA, the amount of vendors that are still promising a silver bullet for prevention and detection, the vast majority of our budgets is still going on that. And then you look at those logos that are getting hit by ransomware. They’re also the logos that tend to be case studies for a lot of EDR/XDR vendors. You know, the silver bullets that are out there that promise to be, you know, a one stop shop for being able to prevent, respond and recover from incidents. And having spent 30 years, you know, building security operations centers for some of the largest companies in the world where I’m using 20 and 30 of these.
James Blake [00:13:37]:
Silver bullet products, we still had to deal with a large number of incidents.
Podcast Voice-over [00:13:42]:
You know, I’ve dealt with dozens of incidents over the years as a lead responder. And still at Cohesity, you know, we’ve got a large number of the Fortune and FTSE 100 organizations in the world as customers. We’re still dealing with three to four incidents a month, you know, where we’re helping customers recover and respond after incidents, despite the fact that they’ve got these protective and detective controls that are in place.
James Blake [00:14:09]:
So the short answer to your question is no.
Podcast Voice-over [00:14:12]:
I believe organizations on the whole haven’t made that pivot yet, but they’re saying they are.
James Blake [00:14:19]:
And also there’s this fact there’s still.
Podcast Voice-over [00:14:21]:
This over reliance on technology that is just being easily evaded by the ransomware.
James Blake [00:14:27]:
Gangs that are out there in the world.
Karissa Breen [00:14:28]:
Okay, so there’s a couple of things in there that I want to get into a bit more. So you said, are companies out there ready to respond? Given your 30 year background, everything you said, you know, you’re spending a billion bucks on cybersecurity per year. Would you say that companies are in a position, generally speaking, that they are ready to respond on the whole?
James Blake [00:14:47]:
I think no. Let me kind of qualify that a little. One of the things we do as an organization is we do maturity assessments. So we look at about 56 different elements of people, process and technology, so that when we’re advising customers, we can gauge what their baseline is, like, where do they sit. And one of the things that we look at are the five different stages of incident response and recovery that exist across all those best practice frameworks I talked about earlier. And they are largely, you know, preparedness. How prepared are you for an incident? It then goes into identification, and that covers multiple different stages. So that is alerts going to the right places.
James Blake [00:15:33]:
Do you have the right alerting logic and capability? Can you do triage to eliminate those false positives? But then also can you build an incident timeline? Then you look at containment, like how can you contain an incident? Do you have a clean room environment so that you can investigate without eavesdropping and disruption and reinfecting systems? And are your analysts empowered to pull the plug on networks and systems should they become infected? Or do you have to call the CIO and that delay causes another 5,000 machines to be encrypted?
Podcast Voice-over [00:16:11]:
And then finally we look at eradication.
James Blake [00:16:14]:
And recovery is only the last stage. And consistently you will see eradication and containment being the weak spots. So identification is normally not deep enough as well. So regardless of whether the organization is a small and medium enterprise or one of the largest organizations in the world, I’ve seen always the level of operational maturity in the latter stages of identification, the containment and the eradication, as always being the poorest. And you’ve got to remember the eradication, typically security is investigating, because that’s said to be their main expertise, but the actual eradication, the remediation of those threats is largely down to IT. You know, patching systems, removing attack artifacts, restoring configuration files to ones without persistence mechanisms in them, removing malicious accounts and federated authentication providers from SSO configs. So these are all things that we commonly see.
Karissa Breen [00:17:26]:
Okay, so you mentioned something before, around the budget, going around these conferences, seeing all these vendors that predominantly play in the prevention and detection space. Now I know this may be a bit of a biased question, but would you say that too many companies are focusing the budget in the prevention detection? Now, I’m not saying, hey, it should all be on, you know, business continuity and resiliency and all these things, but do you think that maybe the budget should be spread a little bit more evenly, would you say?
James Blake [00:17:53]:
Oh, I definitely. And again, yeah, having been dropped into organizations that are in the middle of incidents, as a retained incident responder, I look at the investments they’ve made in terms of developing playbooks, and also getting security to even understand the data management technology that’s in place. It’s poor, right? And it’s not always about budget. So if you think about a data management solution, for instance, like Cohesity, we’ve got a copy of the file systems of systems that have been involved in the attack across the entire incident timeline. That is, from a forensics perspective, an incredible resource. You know, giving your incident responders the ability to time travel across the file systems of the systems that have been pivoted through, that have been attacked. But it’s not used by the security operations team. You don’t have to buy the data management solution.
James Blake [00:18:57]:
Your IT team are already using it. So it’s not a question of budget, it’s more a question of understanding in a world of destructive cyber attacks that things like a backup solution have different use cases. Your CIO has done the difficult job. They’ve already got the data in these platforms as a part of your normal backup and recovery strategy. But often it’s untapped by the security operations teams for things like identifying vulnerabilities, for things like hunting for those threat artifacts or for those file system forensics. A lot of my time is spent in customers that have already bought Cohesity. The IT team has, and I’m just educating the security operations team on the fact that there’s this untapped resource that they’re not using to improve their level of resiliency without having to spend any more money or deploy another agent, things like that. So that’s my answer there, it is not necessarily a budget reallocation.
James Blake [00:20:06]:
It’s more a difference in approach as we stop looking from a walls and moats cybersecurity perspective and we start to look at from a resiliency and a response and recovery perspective.
Karissa Breen [00:20:18]:
Okay, so this is interesting. So as you’re talking, one thing that I’m curious to know and as I’ve seen over the years of working in cyber myself and running this show, etc, the conversation now in recent times has really moved towards the resilience piece, business continuity, etc. So do you think companies are getting to the stage in their mind where it’s like, okay, yes, we’re going to spend some of the money, resource, time, et cetera on the prevention detection because that’s going to help reduce if something were to happen. Something may likely happen, but when it happens, it’s about how do we recoup, recover quickly to get back to that baseline quicker. Because if it goes on and on and on, I think there was a report somewhere, it’s like 24 days or something. Companies were taking to get back to business, which is just way too long in this day and age and how annoyed customers get very quickly when something doesn’t work for even an hour. So is that sort of the mindset, given your global role, that people are in where it’s like, okay, some of this is probably going to happen, but we have to be able to recover quickly because then if we don’t, people aren’t going to stick around with us because no one’s going to sit there and go, oh, okay, well I’ll wait for 24 days to see so that you guys are back up and running. Like, don’t you think, James, businesses are going to start going bankrupt, they’re going to start losing money.
Karissa Breen [00:21:35]:
Like it’s just not like the good old days because there’s more competition, people expect more, people complain, probably more because they’ve got the outlets to do that, meaning social media and friends. What does that look like? Because I think that this is a really key thing in terms of shift we’ve seen in cyber, but also businesses in general.
James Blake [00:21:57]:
Yeah, I would also say, you know, in my experience of dealing with ransomware and wiper incidents, by the way, the first one I ever dealt with was in 1989. It was a floppy disk based encryption one. But it wasn’t until, you know, cryptocurrency came along, 2016, that we really saw the growth of ransomware as we do now. I think 24 days is actually, I think organizations are giving an impression of a greater capability because you just got to look at press and there’s an.
Podcast Voice-over [00:22:28]:
Awful lot of organizations which have had.
James Blake [00:22:31]:
Much longer prolonged downtimes. Just look at the attacks on retail in the UK fairly recently that the.
Podcast Voice-over [00:22:38]:
Impacts were longer than 24 days.
James Blake [00:22:39]:
So I think that’s actually probably more aspirational than actually achievable even in some of the larger organizations in the world. And we got things like the Prudential.
Podcast Voice-over [00:22:50]:
Regulation Authority in the UK which are.
James Blake [00:22:52]:
Requiring banks to restore critical services within 24 hours.
KB [00:22:58]:
Right.
James Blake [00:22:58]:
Which doesn’t even give you time to contain and investigate properly. So you need a different strategy. So that’s the first part of that question is I think the reality is most organizations, it’s going to be longer than 24 days and especially earlier when I talked about premature recovery. Premature recovery tends to allow reinfection and re-attack and that is, you know, the average time organizations that aren’t properly set up to investigate incidents and remediate the threats, they’re getting hit a dozen times. So you imagine you promise the business an RTO of a day and you’re 12 days in and you’re still no closer to actually being able to get your systems back up. That is the reality. So saying that, you know, going to the second part of your question. Yes, I think, you know, resiliency is an aspirational goal that organizations want to achieve.
James Blake [00:23:57]:
But I think the solutions are being bifurcated in kind of two different directions within the organization and they’re not always joined up. So the IT organization as I spoke about earlier, are largely seeing a destructive cyber attack as a BCDR incident. Right. So they are using their playbooks, their recovery strategies and everything that they’ve always done for a flood, a fire, a misconfiguration where it’s just instant mass restore back into your primary data center if the problem has been resolved or to a secondary data center. And that strategy doesn’t work in cyber attacks because you haven’t investigated the incident. You don’t understand root cause. You may understand the systems that have been encrypted, but that is the least interesting part from a forensics perspective because the encryptor is only deployed, you know, in the last 10 minutes to an hour of an attack. And they’re widely deployed.
James Blake [00:25:02]:
I want to know how they got in, how did they evade my controls, what persistence mechanisms have they laid down? And you know, the IT recovery based strategy doesn’t work in that approach. And then you’ve got security.
KB [00:25:19]:
Right.
James Blake [00:25:20]:
And their approach to dealing with ransomware is largely dealing with it like it’s a data exfil event. So you know, if I go back to my time as a CISO, I used to run security at one of Europe’s largest software-as-a-service vendors and all I had to worry about was data theft. And in data theft it wasn’t really theft, it’s the unauthorized disclosure of data, which meant that, you know, I had all the time in the world to investigate the incident because, you know, I still had a copy of the data to run the business. Yes, I’ve got potential litigation from people whose data’s been lost and business partners. I’ve got regulatory fines potentially there and reputational damage. But it’s a sunk cost, right? The damage has already been done by the time that I’ve lost the data. Now the difference with ransomware is every second counts because you can’t deliver products and services. So for years, CISOs and heads of cyber risk and heads of security operations have had the luxury of time in terms of investigating those incidents, remediating the threats, because the damage has already been done.
James Blake [00:26:32]:
You know, if your data’s been stolen once, if it gets stolen again, it’s already on the dark web, it’s already out there. The cost is kind of incremental, whereas with a ransomware attack, it’s exponential. Every day, you know, your losses from being unable to deliver products and services go up and people going to your competitors go up, to your point earlier. So I think the problem is there’s this aspirational thing. We want to build cyber resiliency, but when the pedal hits the metal and the two teams that are responsible for delivering it, the reality is they’re taking approaches which are not right for disruptive cyber attacks. And again, a large part of my role as someone who’s got no hair because I’ve dealt with so many ransomware attacks is to go in and kind of educate them on the realities of it. And just to give one example, well, there’s a couple of examples, but being able to get in the building, I rocked up after a wiper attack in the Middle East and we couldn’t get into the building, the physical building, because the door access control systems had been wiped. And there were an awful lot of people who focused their business impact analysis on the products and services for the minimum viable company, but they don’t think about the minimum viable response capability before you can even investigate Active Directory, before you can even investigate your Exchange environment, how are we going to get in the building? How are we going to communicate with our cyber insurers, regulators, law enforcement, our customers, if you’ve got no email, if you choose to pay a ransom, which I never would do.
James Blake [00:28:12]:
But how do you get the MAC addresses of the machines to tie them to the asymmetric decryption keys when you see MDB is encrypted? I just find that a lot of organizations really aren’t looking at destructive cyber attacks as disruptive as they really are, because the two teams are taking an approach which was built for the 2010s and again, that’s a large part of Cohesity’s role, is to educate those customers in what the reality is.
Karissa Breen [00:28:43]:
Okay, so I want to go back a step. You mentioned before, premature recovery. So what do you mean by that? Because I’m keen to understand this a bit more.
James Blake [00:28:52]:
Again, when you look at a ransomware attack or wiper attack, they are hugely disruptive in the fact that unlike attacks on the confidentiality of data, you can’t deliver products and services. So there is an incredible amount of pressure coming at you from the OpCo, the executive board, the non-exec board to recover systems. But there is a risk of recovering systems that have attack artifacts in them. So if you haven’t cleaned out all of the changes to configuration files, for instance the malicious accounts that have been added, a very common one these days is overwriting or installing vulnerable device drivers onto systems which give them system level privileges under the operating system, which effectively blinds all EDR. So you know, people just go ahead and recover these systems with the vulnerable device drivers, with the extra federated account provider in their SSO configuration and then the adversary is still able to log in even if they’ve rotated passwords because that configuration file has been changed. And people spend all their time looking for malware. And the problem is a lot of ransomware these days doesn’t involve malware. It’s living off the land, it’s identity based attacks.
James Blake [00:30:18]:
So again, these approaches are quite immature in understanding how the attack has manifested itself. And until you can understand how that attack has happened, you can’t remediate the threat or reduce the attack surface. But there is a balance. You can’t spend weeks, months doing that investigation because the business needs to get up and running.
KB [00:30:44]:
Right?
James Blake [00:30:44]:
So the question is there is a pivot point at which more time spent on investigation is going to cause more disruption and losses than the investigation of that incident and potentially bringing a system back up with one or two artifacts on it. And it’s a very difficult case by case basis when you make that decision, that we’ve investigated this enough, we’ve remediated this enough. And it’s one of the reasons when we talk to customers about using a clean room with ourselves, when they finally got a remediation image, we take a copy of that remediation image. So if you have missed something, you don’t have to go back to square one and start remediating things because there is a chance you’re going to miss something, you know, in this pressure to get systems back up and running.
Karissa Breen [00:31:33]:
So what do you think? Ultimately whatever first comes in your mind when I ask you this question. What is it that customers genuinely miss when it comes to this sort of stuff that we’ve been talking about today?
James Blake [00:31:45]:
Well, I think there’s a focus too heavily on malware. So what they’re doing is they’re scanning systems prior to them coming back to production where they’re looking only for malicious binaries or malicious shared libraries or malicious scripts. The reality of ransomware attacks in 2025 is, you know, the Scattered Spider-esque attacks on UK retail and they’re now starting to focus on insurers. You know, they are using identity based attacks, SIM swapping, understanding cloud infrastructures and things like that. So they’re not even deploying malware. The second thing is we’re seeing a lot of living off the land where people are using, you know, PowerShell, they’re even using backup tools, you know, as attack vectors to get into organizations, using your own endpoint detection and response tools to get a command shell, distributing the actual ransomware encryptor using your internal software distribution mechanisms. So I think breaking this mindset that ransomware is this, as I mentioned earlier, Swiss army knife that does everything from getting in to exfiltrating the data and encrypting systems and understanding that these are iterative multi stage attacks that may not even involve any malicious software. And you need to understand this at least at a high level before you recover so that you can remediate the appropriate amount of attack surface and, you know, the threats that remain within your systems.
Karissa Breen [00:33:30]:
Yeah, so you mentioned a lot of things as well around the sophistication of tactics and what’s sort of difficult for businesses to defend against, and everything that you’re sort of talking about today, like I’m nodding my head and you can’t see me, but I really want to talk through perhaps now the whole profitability for hackers that’s growing, that need. Right. And obviously there’s like nation state and all these sorts of things. But what are we sort of getting into now in terms of territory of the sophistication, especially when you start looking at AI and all the stuff that we’re seeing in the market, and also the volume of things that are happening? What does this sort of mean now for the industry?
James Blake [00:34:09]:
Well, I mean AI is always a double-edged sword, as is any technology. Right. So the move to cloud created attack surface, it created disruption in the way that we deliver security, but it also delivered cloud-based security offerings. Right. And the ability to maintain threat intelligence in a central location where everyone can contribute towards it and it can be pulled down in a timely manner. So all of these technologies like AI are a double-edged sword. I think the use of AI in attacks is largely overblown by vendors. Again, you know, railing on the kind of industry that I sit within.
James Blake [00:34:50]:
But they talk a lot about, oh my God, you know, AI is here now, everything’s going to be, you know, terrible, the sky is falling, you know, as a way to create FUD to sell their products. But I think there are things we’re seeing on AI which are causing problems. Not complete game-changer problems, they’re just more effectiveness and efficiency in the attacks. So a classic example of this is ransomware as a service. We went from having hundreds of different individual ransomware groups which could only scale to their manpower. And these are very difficult groups to keep together, you know, and maintain the lid on and things like that. So criminal enterprises are quite difficult structures to maintain. And so we saw them pivot from being groups with the technical expertise and the manpower to conduct the attack to ransomware-as-a-service platforms, where those technical experts now built what is effectively a software-as-a-service platform to do everything from gaining initial access to, you know, holding the recipient areas where we collect the exfiltrated data, to having the leak site where we can show the customer and manage the, I say customer, the victim, the stuff we’ve stolen from them and handle the negotiation.
James Blake [00:36:12]:
So that pivot, you know, followed software as a service, they followed that model. And with AI we’re starting to see things like the weaponization of vulnerabilities happen much quicker. So, you know, it used to be phishing was predominantly the way that ransomware had its initial stages. We’d either capture valid credentials or we would have a malicious link or a malicious attachment that the user clicked on. But we’ve seen a pivot now to, you know, 34% of attacks now targeting vulnerabilities on Internet edge systems. And they are weaponizing those vulnerabilities by using AI to reverse engineer the patches to identify the vulnerabilities that the patches are, you know, remediating. So what we’ve got now is things like Microsoft Patch Tuesday and you have Exploit Saturday. It’s taken them five days with these AI tools to be able to work out exactly what the vulnerability is.
James Blake [00:37:12]:
Craft an exploit, deploy it on their RaaS platform. Now, you’ve got hundreds and thousands of affiliates within five days that can gain initial access through that vulnerability. Now, I don’t know many organizations in the world that can patch in five days. So, you know, it’s an unwinnable battle.
KB [00:37:29]:
Right.
James Blake [00:37:30]:
And then the other use of AI, obviously the fairly obvious one, is in natural language processing and the quality of phishing lures, they’ve got much better. You know, you don’t see any generic phishing education platform now talking about, look for misspellings, look for things like that in emails, because they don’t exist anymore. You know, I’ve seen sentiment analysis and profiling of someone’s LinkedIn profile and their posts on there to build and craft a business email compromise attack that uses exactly the same words and tone as a senior executive within a company. You know, they’re going to that level of sophistication in making sure these lures are being clicked on and things like that. So, you know, I think it’s cat and mouse. Always has been, 30 years I’ve been doing this. You know, the adversary takes one step forward, we take one step forward. Our IT takes one step forward, the adversary takes advantage of that.
James Blake [00:38:31]:
They change their own business models and then we catch up. And it’s what makes cybersecurity exciting and a great place to be.
Karissa Breen [00:38:40]:
Okay, so now I want to slightly shift gears, and I really want to get your thoughts on how companies can understand their own level of resilience. Now, I’m aware that obviously this is a bit more complicated, especially if you’re in a large organization, but how do you sort of know, like, I’ve woken up and now I’m at the stage where I know my resilience posture. How do you sort of determine that? Is there a barometer? What does that look like in your eyes?
James Blake [00:39:06]:
I happened to work for a very large organization, and I would get a small amount of time to talk to our CEO because he’s flying everywhere on his G4, you know, around the world, flies in, and he goes, this is when ransomware was first really coming about in 2016, 2017. And he’s like, what’s my level of cyber resilience? And I’m like, you know, it’s X on a CMMI scale, you know, because that’s typically the operational maturity model that I use. And he’s like, that’s great. How quickly can I recover? And I’m like, can’t tell you. And this was a complete anathema to him. He’s used to people, you know, he knows my RTO. I can get my critical banking systems back up in 24 hours. And I’m like, in a cyber attack, you’re not in charge.
KB [00:39:51]:
Right.
James Blake [00:39:51]:
The adversary is. Have they pivoted through three machines or 300 machines? Have they been in three days or three years?
KB [00:39:58]:
Right.
James Blake [00:39:58]:
Unlike cybersecurity, the cyber resiliency discussion is different because there are so many variables. There are so many variables involved in it that I cannot give you a discrete answer. I can tell you, by building our processes, our people and our technology, and integrating and operationalizing and automating, I can make it as small as possible. But the one thing I can’t give you is a definitive answer.
KB [00:40:26]:
Right.
James Blake [00:40:26]:
And I think the problem is boards and senior executives are used to getting definitive answers.
KB [00:40:35]:
Right.
James Blake [00:40:35]:
Whereas I worked for years in military intelligence. We can never give you a definitive answer.
KB [00:40:40]:
Right.
James Blake [00:40:40]:
We give you a percentile chance of something happening. And it’s the same thing in terms of recovery. And just going back to the CEO, his standard answer to any problem is to back an articulated lorry of money on a problem and bury it under money. And I’m like, this is not something you can spend your way out of.
KB [00:41:03]:
Right.
James Blake [00:41:04]:
Money helps, but it’s also culture, it’s politics, it’s structure, it’s process, it’s skills, it’s retention of your staff. These are all things that contribute to cyber resiliency. And that’s often forgotten. So this is, you know, you need someone who’s a heavy hitter in your organization who can talk to the C-level executives and give them a reality check. Because it’s really important that they’re prepared, because otherwise what will happen is you will have an incident and they will expect systems to be up within 24 hours or whatever RTO you’ve promised for flood and fire, and they will force you to do that in a cyber incident, and you will have a prolonged outage as you get reinfected and re-attacked. So that is the challenge, right? It’s CISOs. For years we’ve asked for a seat at the boardroom. We finally got it.
James Blake [00:42:03]:
And we need to stop talking about technology and we need to start talking about the business and operational processes.
Karissa Breen [00:42:10]:
Yeah, this is interesting. Okay, so, all right, quick question. You said the CEO just wants a definitive answer. Now I get that, because they’ve probably got 10 different people that report to them in finance and HR. They just want the quick answer. So I kind of get that, but don’t you find as well, and because I’ve obviously worked in the field myself, when you ask a cyber person, generally speaking, you’ll get this whole long-winded answer and you sort of look at them going, well, now I feel more confused about the answer you just gave me. So do you think sometimes these executives, these CEOs, these board folks are just like, just tell me, just give me some answer that’s not so long-winded and convoluted, because I just need to get some indicator? Do you find that as well?
James Blake [00:42:52]:
How do I give an answer to that without alienating a large number of your audience? I’ve got a PhD in cybersecurity and I’ve got an MBA. As a CISO, my MBA was far more useful than understanding security at a myopic and really, really deep level of detail, right? Understanding the business, understanding how they’re motivated, how each member of the board and the executive committee is measured, getting their buy-in on everything. This is far more important. A CISO in anything apart from a small and medium enterprise is a business leader. They lead up and out. You have a director of security operations that leads down and in, right? And talks about processes, talks about technology. The job of the CISO is to align and describe in business terms, like, what we’re doing, the level of risk and everything else. And historically I’ve found an awful lot of CISOs have come up through technical roles or operational roles where they’re very focused on the detail, and they don’t quite make that transition into being business leaders.
James Blake [00:44:02]:
And so I think that’s the challenge, right? We give metrics, which are terrible: number of incidents we’ve seen, like what kind of incidents. And then people putting in things like reconnaissance attacks where, well, they’re not even attacks. Reconnaissance, where people are trying the front door knobs, you know, of your business. That’s not an attack. Like, what’s the difference between an incident and a breach? And all of these terms are very amorphous. And we use it to scare the business into giving us budget through fear, uncertainty and doubt, whereas we really should be, and this is why I love the way we’re pivoting to operational resiliency.
James Blake [00:44:41]:
We should be a value center for the business. And why do cars have brakes? Cars have brakes so you can drive faster, not so you can stop. That’s a side effect of it. Cars, when we had really ineffective brakes, could only go a certain speed because we couldn’t stop them. Once we started to have good brakes, you know, we moved from drums to discs to ceramic, we could make faster and faster and faster cars. And organizations and CISOs should really see themselves in this way. You know, that’s my belief anyway.
James Blake [00:45:16]:
And I’m starting to see a trend, especially in large organizations, with fewer technical leaders coming up and becoming CISOs and more operational leaders becoming CISOs. And even though they may not understand all the technology, their effectiveness engaging with the business and managing an overall program with an operational capability is much, much higher. And I apologize to any technical CISOs listening to this. I’m not casting aspersions on you, but quite a few of you have made that transition into being good operational leaders and business-focused leaders. But there’s still an awful lot out there that are too focused on the technology.
Karissa Breen [00:45:58]:
Yeah, for sure. And I mean, the premise of the show is to improve people and how they do things and to gain that insight from people like yourself. But coming back to your point, just around the CEO, for example, and getting that definitive answer, I also think sometimes it’s not so binary. It’s not like, yes, we’re secure. Oh no, we’re not, like this caveat said. It’s like, well, it depends. And if we did this thing we were supposed to do six months ago, which was part of our roadmap in our program of work that we haven’t quite hit, maybe it’s a bit easier to answer. So sometimes, unfortunately, in cyber security, it’s a lot more complex.
Karissa Breen [00:46:33]:
Right. So maybe people are like, okay, I want to answer your question, CEO, but I need to give you all the details because there’s not such an easy binary, yes, no sort of response. So I also wanted to inject that into this as well because, again, there’s a lot of complexity to this type of stuff, as you would know. So I think that I do understand where the CEO and these execs are coming from, because they’ve got the other 10 people that they’ve got to lead to get sort of a yes or no answer. And so cyber security is one stream in their head. Right. So I think that once we can get to a position where it makes sense for these people on both sides, we’re going to be able to work more in lockstep.
James Blake [00:47:12]:
I totally agree. I mean, without going down a huge, another rabbit hole. I’m a massive fan of semi-quantitative risk analysis. Doug Hubbard’s book How to Measure Anything in Cybersecurity is an awesome book. I’m a huge fan of Jack Jones and the Factor Analysis of Information Risk. Right, which is a semi-quantitative method of measuring risk that you can do at three levels of granularity. So your least important assets, you do a very cursory kind of risk assessment.
James Blake [00:47:45]:
And your more critical assets, you do a deeper-level one. But the whole five-by-five matrix is an anathema.
KB [00:47:51]:
Right.
James Blake [00:47:52]:
It’s what we all use. And even in the largest bank in the western world that I used to work for, we used the five-by-five matrix, but we were timesing likelihood by impact on an ordinal scale together. And you can’t do that, it just breaks math. Right? Our fundamental risk analysis process is based on math that doesn’t work. So I’m a greater fan of Monte Carlo simulations, which aren’t that heavy a lift, right, from where we are today. People think they are, but the same data that you feed into those ordinal five-by-five models can be used to build semi-quantitative Monte Carlo simulations so you can start to build loss distributions. So, you know, are we spending all of our time dealing with these outlier incidents that are high impact but not likely to happen, or these low-impact incidents that happen all the time? You get a much clearer view of the kurtosis of the loss distribution to your critical business functions using these kinds of techniques. And the other thing about that is I’m a great believer in the Pareto rule, absolutely everywhere.
James Blake [00:49:08]:
It drives everything I do in our consulting services. I want 80% of our customers to be able to take our consulting services, operational consulting services, off the shelf.
KB [00:49:20]:
Right?
James Blake [00:49:21]:
It’s going to be right for 80% of customers. Can’t make it right for 100 because everyone has individual needs. So that’s the skill of the consultant, to tweak that 20% of the consulting solution to that particular customer’s needs. It’s the same with technical descriptions and deployment guides. If we try and write a guide that addresses 100% of every possible configuration our customers have, our technical documentation would be thousands of pages long. So let’s get a blueprint, an architecture that’s right for most of our customers. Same with the features and things like that. You know, we aim to address the largest percentage of our market.
James Blake [00:50:04]:
And then, you know, the outliers can be addressed with professional services, with consulting and everything else. And we tend to find, you know, we have much better built solutions because we’re not making them complicated and everything else with all these outlier things that customers want. And it streamlines efficiency and effectiveness. So I think, you know, this 80/20 rule, we should use it in risk. The things you should address first is where 80% of the risk exists. And when you start to overlay threat loss distributions, you tend to find that there is a core number of things that you need to deploy to achieve resiliency. Things like strong authentication, segmentation, they’re all easy things to say and very hard things to do, but they’re the things that really deliver value. And the only other thing I just wanted to say about, like, building cyber resiliency, and I spend a lot of time building roadmaps for customers about what they should do.
James Blake [00:51:02]:
Now, 6 months, 12 months and 24 months, is pragmatism. Don’t myopically focus on one link in the chain and get that perfect. Focus on the weakest link of the chain and then get all of the links gradually better. So that continual improvement, pragmatic delivery that you can do every day, not a massive waterfall critical path that you have to rebalance every couple of weeks, you know, because something unexpected came up, just this continual delivery of something that chips away at those things that affect your resiliency. They’re the most successful organizations I’ve seen, the ones that take that approach, not this big project management, big perfection approach, which by the time you deliver the security project, the way that the threats happen has already moved on, and also the way you deliver it has moved on.
Karissa Breen [00:51:56]:
So James, lastly, do you have any closing comments or final thoughts you’d like to leave our audience with today?
James Blake [00:52:03]:
No, I mean hopefully what the audience have taken away today is that not all vendors tell you that you buy a product and all your problems are solved, right? That there are those of us who are heavily focused on how, once you’ve bought the product, you become successful with the product.
KB [00:52:21]:
Right?
James Blake [00:52:21]:
And I think that’s what vendors should be doing, you know, not always focusing on those new logos and things like that. It’s how do you make customers successful with what they’ve already bought, and how do they build the right processes and get the right skills behind it. And if you’re a Cohesity customer, reach out to me. You know, that’s a part of my role, is to help align our products with the operational requirements that customers have, but also help customers align their operational capabilities.