November 8, 2022

Supply Chain Security & Zero Trust Tech with Ashish Rajan & Shilpi Bhattacharjee

by Hacker Valley Studio

Show Notes

Hacker Valley: On the Road is a curated collection of conversations that Chris and Ron have had during conferences and events around the globe. In this episode, Cloud Security Podcast’s Ashish Rajan and Shilpi Bhattacharjee speak with the Hacker Valley team at AISA CyberCon in Melbourne, Australia. Ashish and Shilpi discuss their respective talks on supply chain security and zero trust technology, SBOMs, and keynote speakers at this year’s Cybercon worth noting for the audience at home.


Timecoded Guide:

[00:00] Connecting & conversing at a cyber conference post-COVID

[06:50] Breaking down Shilpi’s presentation on supply chain threats & attacks

[11:45] Understanding the paradoxes & limitations of zero trust with Ashish’s talk

[26:13] Defining & explaining SBOM, or Software Bill of Materials 

[33:16] Noticing key conversations & trends for those who didn’t attend AISA Cybercon


Sponsor Links:

Thank you to our sponsor Axonius for bringing this episode to life!

The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley

Shilpi, can you talk about the idea behind the talk you had at CyberCon? 

The inspiration behind Shilpi’s conference talk was supply chain issues. Titling her talk, “Who’s Protecting Your Software in Supply Chain,” Shilpi hoped to further educate and advocate for security in the supply chain process. An estimated one in two companies will experience a supply chain attack in the coming years. Instead of fearing such a statistic, Shilpi hopes her talk inspired further security action to protect our supply chains. 

“One staggering fact that I read is that one in every two companies is going to have some sort of a supply chain attack in the next three years. So, who's going to look after the supply chain? Is it going to be the organization? Is it going to be your third-party vendors?” —Shilpi


Ashish, what about your talk at Cybercon?

In contrast, Ashish’s talk was about the triple paradox of zero trust. When talking about and implementing zero trust, Ashish realized many companies don’t implement the cultural changes needed for zero trust and/or only talk about zero trust as a technology process. Zero trust has numerous layers beyond technology, and requires time and major changes in culture and technology to implement in most companies. 

“I feel bad for bashing on finance, marketing, and HR teams. They're all smart people, but if you're going to add four or five layers of security for them, they almost always say, ‘I just want to do my job. I don't really care about this. It's your job to do security.’” —Ashish


Where would you recommend starting when it comes to trying to implement the ideas in your respective talks?

When push comes to shove about where cyber companies can start first with supply chain and zero trust, Ashish and Shilpi agree that companies have to discuss business priorities. When company leaders can take the opportunity to look at and understand their cyber hygiene, the next steps might look very different from another company’s tactics. Knowing what a business has is the foundational piece that impacts any new process in cyber. 

“If I were to go back to the first principle of what we do with cybersecurity professionals, one of the biggest assets that we're all trying to protect is data. You can't protect what you can't see, that's the foundational piece.” —Ashish


For anyone that wasn't able to make the conference, what is one thing that you would want to share with the audience at home? 

There were a lot of conversations taking place at Cybercon this year. Ashish wants the audience at home to know that cloud native, zero trust, supply chain, and leadership positions like CISOs were the main themes in many talks, panels, and conversations. Shilpi wants those who couldn’t attend to watch out for more talks and conversations about cyber from those outside of the industry to understand that the issues impacting cyber influence the world. 

“I think there's that interest about cybersecurity being more than just a cybersecurity problem. Cybersecurity is not just a technical problem, it's a societal problem, a cultural problem. I very much agree, because a lot of the things that we're dealing with impacts everyone.” —Shilpi

---------------

Links:

Keep up with our guest Ashish Rajan on LinkedIn

Keep up with our guest Shilpi Bhattacharjee on LinkedIn

Listen to Ashish and Shilpi’s Cloud Security Podcast

Connect with Ron Eddings on LinkedIn and Twitter

Connect with Chris Cochran on LinkedIn and Twitter

Purchase a HVS t-shirt at our shop

Continue the conversation by joining our Discord

Check out Hacker Valley Media and Hacker Valley Studio



Transcript

[00:00:00] Ashish: Who. Tech can't be human.

[00:00:14] Ron Eddings: Welcome back to the show. That is a homage to my brother and partner in crime, Chris Cochran. He could not be here today, but I have two amazing guests to kick things off: Ashish Rajan and also Shilpi Bhattacharjee. It is a pleasure to have you two. Let's go ahead and jump in and get the conversation going. So we've been having a lot of fun at CyberCon so far.

[00:00:35] I got here, started in Sydney, in Australia, and now we're in Melbourne. What has it been like for you two so far at CyberCon?

[00:00:43] Ashish: It's been a lot of conversations. We were actually surprised, because this is one of the biggest conferences in Australia after COVID, and so a lot more people who had not come out before for some of the smaller conferences, they're all here.

[00:00:56] So I think we had a lot of great conversations on what people are seeing, a lot of conversations about Zero Trust, a lot of conversation about supply chain, asset management, and, funny enough, it was good to be out and just meet people as well. I think outside of the whole technical part, it was really good to just meet a few people and know that, oh, there's a, I...

[00:01:16] We go, uh, to meet a lot of people who just knew us from the podcast, never known them before; they come up and, hey, like, oh wow, there you go. So, I mean, that was my experience, but I dunno what was yours.

[00:01:25] Shilpi: Yeah, I think it's interesting, cuz I think this is probably the first biggest conference we've attended in Australia, and we've had the good luck of attending a lot of global conferences.

[00:01:34] So it's really interesting to see, you know, how the trends are transcending and what the differences really are. Like, how mature different markets are. Are we experiencing the same things? Again, the buzzwords, I think they carry forward everywhere. And I think, yesterday I gave a talk on supply chain, and I think some of the buzzwords are there for good reasons.

[00:01:50] So I think they're buzzwords because we as an industry need to care about them. But as Ashish said, it's pretty much the same things that we are talking about: supply chain, zero trust, asset management, observability. Like, it's the similar things. But it's a little bit different, because the governance in Australia is a little bit different.

[00:02:05] So there's no mandated SBOM. Um, you know, there's no GDPR over here. So there's those differences, but the conversations are similar, different scale. Obviously, Australia being a much smaller economy.

[00:02:15] Ashish: Sorry, I was gonna quickly say the interesting part also was there were 25 talks running in parallel. Yes. Oh, yesterday, right?

[00:02:23] Yeah.

[00:02:23] Shilpi: Yeah. Oh, it's all the way through the conference, which is a similar scale as RSA. So there's a lot of talks happening. Yeah.

[00:02:29] Ashish: And it's almost like you were left confused. Which one should I attend? So you had a few moments where people just came up to you and said, oh well, send me the slides and, uh, I'll come back to you.

[00:02:37] Shilpi: Which is good.

[00:02:38] There's a lot of great content, but I think, um, it just makes it harder for people to pick from them, I guess.

[00:02:42] Ron Eddings: So you both spoke at the conference, right?

[00:02:46] Ashish: Yeah. Oh, my talk is today. And she's gonna, she's had a conversation yesterday. Yes. Wow. Okay. Nice. So...

[00:02:50] Shilpi: Different risk, keeping it separate. But you could...

[00:02:53] Ashish: ...kick off for us.

[00:02:53] So you did a great job kicking it off. So now we're just following through after that.

[00:02:56] Ron Eddings: Yeah. My talk was, uh, really awesome. It was a little nerve-wracking for me, honestly. A lot of people that I was speaking to beforehand were saying that things that you do in Australia are completely different than the United States, different than Europe, than other parts of Europe.

[00:03:11] So I was like, what is everyone gonna think about SaaS inventory, SaaS management? Are people interested? It seemed like, uh, the first day I was here, I did a lunch and learn in Sydney, and everyone was saying they were still on. And I thought that was a little surprising. I'm not sure if that's for many organizations, but these were, like, financial institutions.

[00:03:28] Oh yeah. Yeah.

[00:03:29] Ashish: That, so that makes a lot of sense. Yeah. And I think too, it's the same fear that has been there in a lot of the broader market, like Europe and US as well, where the trust factor, even though we say zero trust, uh, the trust, verify. Uh, from a SaaS perspective, I think I had a conversation yesterday with a CTO of a big, uh, not-for-profit company, and they are primarily SaaS, like, I think.

[00:03:51] So the transition is happening slowly, where all the traditional IT svs to know what the internal IT pieces. A lot of people are still going through the same questions when their data center is about to run out. When counterparts and colleagues are moving to cloud, they're also wondering, oh, well, I guess if these folks are moving out, what's our justification to be in the data center?

[00:04:12] So they're switching to SaaS, but to what you said, for folks who haven't had the pressure point yet to go, oh, we need to get outta the data center cause I still have a 15-year lease remaining, right? So them, like, oh yeah, I guess I want to use SaaS. But what they are talking about, at least in the conference we spoke about, is a sort of shadow IT thing being created by it.

[00:04:31] Right? Because all it takes is Ron to just swipe his credit card and be like, there you go, I've got Salesforce going, because I want my team to, I don't have to wait for my IT to start the process and wait for two weeks, because I need to close this today. Right. Yeah. So that's definitely, there's... So I would probably say people who are saying that they don't know or they don't have any SaaS, it's just that it may be a shadow.

[00:04:54] They just don't know it, because how many people know the marketing team uses, uh, Facebook, like the G Suite platform, Google? They're all right. So it'd be really interesting, anyone out there who's not doing Google Ads as a company. So if you're doing that, you already have a...

[00:05:09] Ron Eddings: You're just talking about the marketing team.

[00:05:10] Like you still have Canva, you got these Adobe suite of products, really everything. And for me, we use Riverside to record the podcast a lot of times. Riverside or Zencastr. Yeah. And those are SaaS apps that you might not really push through your IT team or your security team. It's like, it's $15. I have three users.

[00:05:27] Why am I gonna go through this? What's my role in setting it all up?

[00:05:30] Ashish: Yeah. Yeah. A hundred percent. I think, I mean, you're seeing the same as well, aren't you? Yeah.

[00:05:34] Shilpi: I think also something that I think we are becoming a bit more conscious of is, I think being, like you are, in the cloud security and the SaaS space as well.

[00:05:40] And I think being in cybersecurity and cloud security, we forget that there's so many different levels of maturity across the board, and not everyone is in the cloud. So I think the words like, you know, the buzzwords like CSP and different things, like for us, we feel like everybody knows them, but I think, uh, we gave a talk in Amsterdam and also in London recently, and a lot of people in cybersecurity are still not familiar with those words.

[00:06:02] So there's that different levels of maturity. And definitely in Australia as well. I don't think everyone's that mature yet. There are organizations that are really mature, but then there's some that just are not there yet, because they just haven't been exposed to it. So it's really interesting to see.

[00:06:16] And I think us being in cybersecurity, I think we have to be conscious that sometimes we think, oh, everyone's speaking the same lingo and we are all on the same board, but it's, mm-hmm, it's not the case. You know, everyone's in a different place.

[00:06:26] Ron Eddings: I wanna hear a little bit about both of your talks. Uh, we don't have to go through, cuz, you know, people gotta watch the slides.

[00:06:32] What was, uh, the title and what was the idea of the talk that you had?

[00:06:36] Shilpi: Yeah, so I gave my talk yesterday, so thank God it's over. Um, so I can be more relaxed about it. But, um, I think it came from, I think at the beginning of the year we were hearing a lot about supply chain, and I think initially we just went to a lot of the conferences thinking, oh, it's a buzzword and everyone's just using it to, like, sell products and things.

[00:06:50] And so we started talking to a lot of experts. Um, and what we started finding out is that supply chain is actually really, genuinely a big issue. So my, it's almost my transition into the fact that I have now started advocating for people knowing more about it.

[00:07:07] Um, my talk was called Who's Protecting Your Software Supply Chain? So, um, it's that whole concept of who's actually responsible for your software supply chain. Obviously I think everyone's now aware of the fact that it is gonna be an issue. So, one staggering fact that I read, which I was actually really surprised by, is that one in every two companies is gonna have some sort of a supply chain attack in the next three years.

[00:07:30] That to me is really scary. And I read quite a few things. I spoke to a lot of people, and it seems like, depending on whichever report you read, there's some form of truth to that. So I'm like, that is staggering. Like, you know, that's one in every two companies. So who's gonna look after it? Is it gonna be you as the leader or the organization?

[00:07:48] Is it gonna be your third-party vendors? Is it gonna be, you know, the person who's doing the open source tooling? But again, who's maintaining those open source tools? So it's a really big conversation. And it's just something that I think people need to talk about. Cuz my feeling is, as a community, we need to address it, cuz the nature of supply chain is that everyone needs to own it.

[00:08:06] But with shared responsibility, I think this is something we say quite often, is that no one ends up taking any responsibility. So it's about how do we, you know, resolve it. So I go through a lot of tooling, a lot of different initiatives like OpenSSF, like SLSA. So there's different things that have popped up, and how can people sort of, you know, work together as a community, but also with their third parties, to address that.

[00:08:26] So yeah, that's kind of the nutshell of it.

[00:08:29] Ashish: Do, do you reckon the, uh, Optus and, uh, NAB thing that recently happened? That's probably something to do with it as well. Yeah. Maybe that context would be interesting for the audience as well.

[00:08:36] Shilpi: Yeah, that's right, actually. So I don't know if, like, everyone would be aware, but in Australia recently we had quite a large breach.

[00:08:42] So one of the second largest, um, telecom providers, Optus, has had a breach, uh, where a lot of private data has been exposed. 10 million people, right? Yeah, yeah, yeah. So, um, I think 10,000 I think is like what's been... So

[00:08:54] Ashish: 10,000 was, so the entire data was 10 million, but the hacker only released 10,000 people's records, and after that they basically backtracked and going, oh, oh my God.

[00:09:04] Like, I've got the government after me, the FBI after me. Uh, and so, I mean, obviously that, or that individual got a lot of hate on the internet as well for being an amateur, but as an individual, like, I think we had our driving licenses being exposed as well. And I think the NAB example, so you wanna talk about the NAB example as well?

[00:09:22] Shilpi: Yeah, so I, I think that just those kind of breaches that have come up. Um, you know, people are kind of concerned about that in the Australian space as well. So that's really put, like, sort of that spotlight, because I think people are definitely looking at that. Uh, I was surprised. I thought, I started my talk by saying congratulations to everyone for turning up to another software supply chain talk,

[00:09:40] cause there's so many, but people still wanna hear about it. So yeah.

[00:09:43] Ashish: It's, yeah. I think it's worthwhile calling out as well that we now have a minister for cyber. Yeah.

[00:09:49] Ron Eddings: Who was also opening up the conference, right?

[00:09:51] Ashish: That's right. So to elevate it at that level, that just means that that's how important it has become.

[00:09:57] Especially after that. She made a, like at the Parliament, she had to make an announcement. Parliament is the equivalent of the White House, I guess. But she had to make an announcement about what the Optus thing was about and what they're doing. Like, it was a public address on national television. So you kinda have to imagine how much importance cybersecurity got.

[00:10:11] Like, we had our neighbors asking, hey, what do we do for our data? Like, I got this email that my passport is exposed. But when you go to a local authority, they're like, oh, sorry, we can't change your driving license because, uh, because of the overwhelming people coming in, uh, what they decided to do as well:

[00:10:30] unless you actually have a genuine case of identity fraud, we can't. For how long? No, but that's the thing. Like, they don't even know yet. Yeah, they don't even know yet. And I think the problem is, we don't know as a community that my driving license, which has been exposed onto this, it can be reused to fraud, like, do an identity fraud tomorrow, in 15 years, because if my driving license doesn't expire for 15 years, that's technically 15 years of... And I think the Australian driving license number doesn't really change.

[00:11:00] And then you get a new, uh, new license. So it's the same number continuing. So it's basically forever, as long as I don't change, physically change my number. So, and the authorities don't wanna change it cause there's too much work for them, right? So it's a very interesting time to talk about supply chain and zero trust as well.

[00:11:16] Shilpi: Going onto your talk,

[00:11:18] Ashish: Segue, my talk I guess. So my talk is about, uh, the triple paradox of Zero Trust. And the idea behind this is, uh, a lot of organizations talking about, hey, we should do zero trust. All for the idea, and we are doing a... See, I'm doing a panel next week about whether it's a hype or a hope.

[00:11:36] My idea behind this is, I kind of like that word. It is a hope that if we walk that path, we would at least be a lot safer than what we are today. It would at least allow us to vet our third party a lot more. It would also allow us to look at things like, as a culture, Zero Trust talks about the whole assume breach culture.

[00:11:54] Mm-hmm. How many organizations out there talk about assume breach like it's a standard across the board? And I, I kind of feel bad for bashing on the whole finance, marketing teams and HR teams. They're all smart people. They're all, you know, doing the right thing. But if you kind of have the whole

[00:12:11] 2, 4, 5 layers of security for them, they're almost like, I just want to do my job. I don't really care about this. It's your job to do security. It's not their job, but the zero trust angle kind of makes everyone go, oh, it's assume breach. Assume breach at marketing, assume breach at finance, assume breach at IT. So, the, one of the paradoxes that I talk about is the cultural change that's required to even make it happen.

[00:12:32] Mm-hmm. Uh, the other one being, a lot of people talk about zero trust as a technology thing, right? It's actually not a technology thing. It's more like, it's a shift in mindset. It's a thing which is gonna take you years to get there. And to talk about technology, as a technology frontier, we can't even achieve it at the moment.

[00:12:48] So CISA.gov talks about five pillars of zero trust. One of them is data, and another one is application, network, identity. But the one thing that everyone does at the moment, they do a great, great job at identity. Like, I know Ron. Ron has a login ID, great. Logs you in. Yep. Same for us. But it doesn't, it may go to the point of saying, oh, Ron is in Australia at the moment.

[00:13:09] Why? What is he doing in Australia instead of being in Texas? So I think that dynamic is already there, but once you start peeling off more layers, the paradox comes at, well, actually, from a technology perspective, we're not there. I haven't got my data classified to know, is this my personal data? And, uh, sorry for bashing Optus again, but if it was like that, did anyone account for how much of that data was really valuable, like, from a company perspective?

[00:13:36] So that's the second paradox. And the third one, which is the final one, is just on the human part. Like, we may have two companies, a third party that we spoke about earlier, they might wanna work together. In the world that we live in today, we spoke about SaaS earlier. Yep. Entirely built on the trust concept that I'm gonna pass my data onto the SaaS provider, and I'm gonna assume that they will take care of it and do the right thing from their part.

[00:14:00] But the reality of it is also that I'm still responsible for my data. Mm-hmm. If they get, for lack of a better word, uh, hacked or breached, they're just gonna say, wow, sorry about that. I really tried. And you're like, well, I'm the one who has to go to the court and explain to all these 10,000 people whose data was exposed that, unfortunately, we lost your data.

[00:14:20] Right? And I'm responsible. So that's the three paradoxes that I talk about.

[00:14:23] Ron Eddings: I, I feel like these are all really interconnected, because on one hand you have your supply chain. This is how your software gets made, this is how your processes flow. And then on the other hand, you have the hackers and all the breaches; you're assuming breach.

[00:14:37] But if you're assuming breach, then how do you treat your supply chain? Yeah. Then you have to almost treat it like it's compromised. I don't know if many organizations are actually assuming breach. I know that they are, like, not trusting as much and saying, like, all right, we're gonna verify everything.

[00:14:51] Um, and I feel like two of the pillars of Zero Trust are, you know, being followed. But when it comes to assume breach, I haven't really seen many exercises that are going on assuming that there's a breach before the breach happens.

[00:15:03] Ashish: Well, it's only happening in the security teams. I'd just say that. So security teams are the only ones. Let's assume breach always, right?

[00:15:09] So it works really well. I think, uh, and this is maybe the shortcoming of our security field per se, and I've been a huge promoter of this conversation where, look at how Apple iPhone, I'm sure Android has the same thing as well, but me being an Apple user, they introduced the passcode first. Yeah. Uh, single, legit alphanumeric.

[00:15:28] Then they went on to fingerprint. Then they went into Face ID. People like, this was a gradual uplifting of security, if you kind of look at it from a cybersecurity perspective, and now, as a user of Apple, it made my experience super seamless. I don't remember passcode or whatever. I just swipe my phone and it just logs me in.

[00:15:47] Now, if it doesn't log me in, I'm thinking, oh, something's wrong with my face. I don't know what I do. I dunno, do I remember wearing glasses? Or am I wearing a mask? So that is how security should be. Unfortunately, anything security that we do in an enterprise space right now, nothing is like that. And I think that's where, to your point about assume breach is, is there, people have the idea, but it's only in security.

[00:16:10] Cause for everyone else, it's a friction. It's not a seamless way for me to, I've logged in, I've done my job, it's verified everything, I didn't even realize time has passed. That's kind of where I think the shortcoming is. For, uh, it's gonna be in the security team for as long as we don't make it seamless for everyone else to adopt it.

[00:16:27] Mm-hmm. Assume breach is always gonna be only in security.

[00:16:29] Ron Eddings: So we have two coins, really three coins here, and one is saying, hey, we gotta focus on your SaaS inventory. That's gonna help reduce, according to CSA, it could reduce up to 63% of security incidents. Yeah. About SaaS misconfigurations. On the other hand, you have to protect your supply chain.

[00:16:47] Mm-hmm. On the other hand, there's these new strategies and mindsets: zero trust. Where do you start? Do you start by focusing on your inventory? Do you start by focusing on your supply chain and your, like, really business operations as a whole, like understanding where security and ownership fits in?

[00:17:02] Or do you just try to apply the security strategy? In my opinion, I would say maybe the zero trust strategy you could start with, but that means everybody has to be on board with it. Yeah. Yeah. I think maybe if you go about it, and I heard this over and over again while at the conference, at the lunch and learn that I hosted, that it's all about the business requirements, especially in Australia.

[00:17:23] Yeah. We don't tinker around as much as other countries. You're not just looking at vendors, or looking at vendors, but you're looking at vendors to marry the capabilities with, that's right, business outcomes.

[00:17:34] Ashish: Yeah. Yeah. And I think there's a lot of conversation around a lot of CISOs. Being a former CISO, I can say this, that a lot of conversations won't even happen if there's no business requirement for it.

[00:17:44] So the reason why some will come to a lunch and learn or a table is more than just the free food. Yeah. And the conversation. It's more to the fact that I genuinely have a need, and I am looking at vendors in that space. That's why I'm here. Otherwise, at any given point in time, a CISO would have a lot, lot more things to look at.

[00:18:01] I definitely feel, uh, it definitely is a business-requirement-driven model. Uh, and I'm not saying that America or Europe doesn't have it. They do have it, but you see pockets of it. You don't see it at a mass level where everyone's doing it. So maybe that's kind of where the difference comes in.

[00:18:16] Yeah, I definitely found that as well.

[00:18:17] Ron Eddings: So you two are the host of the Cloud Cloud security podcast, which is amazing. I love it, and I would recommend everybody to check it out. You have, I feel like a, a really insightful view of what you can do first, especially when you're lost. So I would love to hear like, what have you heard over the years of just hosting the podcast?

[00:18:35] Like where do people start? We have three different ideas, like where would you recommend to start when it comes to like watching the talks and then even trying to implement, uh, each of these. 

[00:18:45] Shilpi: I think you've really hit the nail on the head when you said it's about the business priorities. I think often when I started having conversations around these things, I used to always think, Oh, can we just give people a prescribed sheet list?

[00:18:56] You know, you've got an organization start with whatever open source, and you know the next thing you do, SaaS management. And then next thing you look at zero's trust. But I think you've said the right thing. It really depends on the business. How big is your business? How much open source are you using?

[00:19:10] Um, how, what are your assets looking like? I think every leader or every organization kind of needs to take a little bit of time to just do that, that initial hygiene, to know where am I sitting and what is my priority. If I'm not really using open source, then that's not really something you need to pay attention to.

[00:19:24] But you know, I've got lots of assets and I need to pay attention there. That's important. Or I've got my assets under control. But you know, overall overarchingly, I feel like I don't know, you know, where the trust is in my organization. So I look at zero trust. So I think when you said it's about those business priorities, I think.

[00:19:39] It's a good idea for everyone to sort of start off with that, just knowing what you have. Um, and then from their work, Cuz as you, you quite rightly said, you know, we've had so many executive orders that have come up in the last few years. Right. Do your s o m you know, do zero trust. And for any leader, security leader out there, it's a challenge.

[00:19:56] It's great. You want me to do all these things. I've only got that much time and resources. A lot of security teams are very under-resourced. And they're constantly trying to fight these breaches that are coming for, and there'll be a log 4G somewhere there. Something else is probably waiting for us, hopefully not in 23 , but that's the nature of a leader's job.

[00:20:13] Um, and how do you juggle those priorities? So I think I would say definitely starting by doing a stock of what your priorities are and then. Addressing those and you know, that's probably the way, um, you can 

[00:20:24] Ashish: start off with definitely knowing what you have is probably the foundational piece. I think it's funny, um, and I remember talking to Nathan from experience as well, and this is before X experience was what it is today.

[00:20:35] And we still were talking about this very basic thing, that asset management is one of the hardest things you can ever think of. Right? As simple as it is that I know, as simple as it is, like, I'm like, I just wanna know what I have. And as simple as I said this, it is not as simple as getting, finding that information.

[00:20:53] I definitely found that most of the conversations that I would have is people feel they have an idea. So there is an angle of, I think I know what I have. It's like, what I really have. Like, they're two buckets and it's almost like you're always trying to feel confident that, yeah, this bucket is what, the only thing, this, there's nothing in this bucket.

[00:21:11] But the reality is there's always something growing in here. We spoke about the shadow IT thing earlier for SaaS, right? That's also happening. I have no idea. If someone decides to, like we used to have this thing called, um, there's another popular Australian, uh, cyber security person called Troy Hunt. He has a website called haveibeenpwned.com.

[00:21:26] Uh, so you can get now subscriptions to find out if your entire domain was ever in a breach list. And, uh, in one of, in a few of my previous companies, we used to do that as one other thing for employees, because what we found in my first company was that people had their work email used for public services, like for Canva.

[00:21:46] Oh, I'm just gonna use at, I don't know, snyk.io, whatever. And so you're like, uh, you shouldn't be using company ID for that. I understand you're using it for company stuff, but if you want it, let's go through procurement. Let's do the whole proper channel, do a single sign-on. But how many people, hand on their heart, can say this, that they would not have like small pockets of that in the company?

[00:22:07] It would be really like there, it's like you're searching the internet for finding where have all your employees, and the more the number of employees, the bigger the probability. Mm-hmm. That they have not created on something popular. And by the way, they left as well. So what happens then? And like, uh, so we had a lot of scenarios where someone who had used their domain was part of the, the breach.

[00:22:29] Uh, we'd get an email from Have I Been Pwned going, Oh, by the way, this domain was there in this particular breach that was announced. You should look into it. And nine outta 10 times we'll find it was a person who left, as well. So you are almost like, Well, I hope they didn't have much data, but I don't know what data was transferred over.

[00:22:45] Mm-hmm. So if I were to kind of go back to the first principle of what we do as cyber security professionals, one of the biggest assets that we are all trying to protect is data. You can't protect what you can't see. That's the foundational piece, unfortunately. And now we are in this place where I wanna know what it is, but I can't find out easily because my company has acquired a few more companies.

[00:23:07] They have their own baggage they're coming up with, and the, the scale and complexity has gotten so, so complex, I guess, for lack of a better word. I think the simple answer, like, I'm trying my best, is what I hear. Right. That's like, that's what I hear for asset management. I'm trying my best.

[00:23:24] Ron Eddings: That's all you can do. I mean, it is, it's sometimes scary to realize that you're not gonna be able to find every single thing. No, and what's crazy in today's world, especially through the pandemic and seeing digital transformation, that every SaaS app, every application, whether it's SaaS or not, has integrations.

[00:23:42] There's, there's a marketplace and you connect your, your integrations to maybe your, your workspace applications like Google Workspace. You might connect it to Microsoft, and then that is sharing data. And then that other app that you integrated has a marketplace and you're sending data elsewhere. So like once, once it's out there, it's out there, but it's, it's all about just trying, taking those incremental steps to find what you can find.

[00:24:05] Yeah.

[00:24:06] Ashish: I, I think, uh, another complex layer. I saw this in a company once. I thought it was really, I was bamboozled by it, where you may have an agreement with you, my B2B client, that I would protect your data, but the SaaS application, me the SaaS provider, I may have other people, public, logging in. Now that's kind of a gray area, like who owns that?

[00:24:27] Mm-hmm. Like unless you've specifically called it in the contract that, Hey, Mr. SaaS provider or Ms. SaaS provider, every data of ours you should protect, but also the customers who sign in from our side, you should protect them as well. Cause I can technically, as a SaaS provider, well, I'm protecting your data, but all this data I can sell, sell that for money.

[00:24:46] Right, Right. I can't control that. And that's a legal thing as well. Do people ask the question in legal department for, Hey, what part of our data is important?

[00:24:56] Shilpi: It kind of makes me think about, I got a really interesting, uh, question yesterday at my talk. So someone asked me, With the supply chain, like where does the legal side of things sit?

[00:25:04] And that was to me, and I actually come from a legal background, so it was funny because I said, Look, I can give you the lawyer's answer, which is like whoever has the best evidence in the courtroom. Really? Yeah. And that's the short answer because, at the end of the day, whoever has done the best paperwork and kind of shown that they've done the best due diligence is gonna be the one who's gonna be able to protect themselves.

[00:25:24] So I think there's that legal angle as well, which is like seeping into, you know, all of the zero trust, you know, asset management. You know, does that help you actually, you know, keep the good records and you can kind of say, Look, from my end, I've actually done, I've ticked all the boxes. It's, you know, my third party provider, whoever else.

[00:25:40] So that, I thought that was a, I, I haven't had a legal question asked before, but people are thinking about it because, at the end of the day, cyber security is a business and a legal problem.

[00:25:48] Ron Eddings: So you, you mentioned SBOM a few times, we gotta talk about that. Cause I know that you two just took a new opportunity and

[00:25:55] you're really kind of focusing on the fundamentals, getting back to basics, helping organizations rethink about that classic problem of inventory and, and finding what really matters. So what, what's been new with you?

[00:26:07] Ashish: I think no matter how many times you say SBOM, it's never enough. I think it's like nowadays, I feel no conversation is complete without, say, using the word

[00:26:14] Shilpi: SBOM.

[00:26:15] SBOM, yes. Um, and I think it was funny because just yesterday I was actually speaking to someone who's working on a white paper for SBOM, and it was a conversation we were having to the fact that obviously, you know, it got announced that, you know, everyone needs to have an SBOM, especially if you're working with the federal government.

[00:26:30] But since then, what has happened? Like people kind of have a good understanding of what SBOM is. Yes, it's a recipe list. Um, you know, it's a stock of what you have in your software. Yeah.

[00:26:39] Ron Eddings: Break that out. What is an SBOM? Yes. What's the acronym?

[00:26:42] Shilpi: Uh, Software Bill of Materials. Um, and people have explained it in different ways, so obviously a lot of people, uh, compare it to a recipe list.

[00:26:50] I've seen that, you know, little, uh, recipe at the back of your, I think whatever, you buy a packet of biscuits and you've got that, right. So I see that used quite often. Um, but yeah, it's really what's actually going into your software. So, you know what? Um, the different metadata maybe, you know, what are the different, your integrations that you may have.

[00:27:06] So it's everything that makes up your software. I think one of the challenges is obviously it's only as good as someone's record keeping. So if you've asked, you know, your provider to give you an SBOM, but they haven't really done a really good job of actually keeping a log of what all they've put into that software, it's only gonna be as good as, I guess, their record keeping.

[00:27:23] So that's a bit of a challenge, but also I think what the industry is really keen to know is how are people actually going about this SBOM problem, and um, there isn't enough information out there, I feel, at least. Like, cuz I actively do look for it and I'm curious to learn more about it. Um, so we are trying to have more conversations with people.

[00:27:40] How are you actually implementing it? Right? You know, it's great that someone said you have to have it, but how do we actually do it in real life? And it's interesting, those conversations. So I'm really keen, um, when this white paper does come out, um, or hopefully next year, I think, I'm hoping we'll see a bit more context.

[00:27:55] What is, what does it actually mean? You know, we know what it stands for and yeah, we've seen the recipe list, but how are people actually solving it at enterprise level as well?

[00:28:02] Ashish: I think there'll be stages of it though. I think there would be stages of people who would deploy different versions of SBOM and it could just be as simple as, Well, you would get one list every six months.

[00:28:15] Or you would get one list every month or every year. I think a lot of people also said this, um, from a technology perspective, uh, and culture perspective, there's so much like, I think, I'm gonna use a SaaS example again. Having worked as a CISO before, I know a lot of SaaS providers you work with, they're not as mature in security.

[00:28:32] Let alone SBOM, right? So, I mean, as far as like right on the other side of spectrum and you are trying to deal with, hey, you should do MFA. What is MFA? Right? Do you guys really need it? Like, cuz we, we don't have anyone else asking for it. And you're like, uh, well, you're working with the enterprise. So, so, and, but for them as a product, it's like, unless 20 people ask me, I'm not gonna make MFA cause I'm still getting money from 25 people.

[00:28:57] Yeah, so that is that challenge that we don't talk about. And it's easy for President Biden to come online and, I mean, no, no ditch on him. I'm sure he's our technology person, but for him, he has been given advice that, oh, you should ask everyone to do this and, uh, it could be a great national service if you do it.

[00:29:11] I think he used the word national, like a contribution to America or something. I'm going, Wow. Like if you actually do this like national. Uh, 

[00:29:18] Shilpi: but I think it's a good start. I definitely feel it's a good start cuz no one was really talking about, you know, like holding your, you know, third parties accountable for what they've actually put in their software.

[00:29:28] So I definitely feel like there's. It's definitely sparked a really good conversation and it's making people think, Oh, actually we are, what is it in my software? I'd probably need to know and, yeah, let the other person know as well. Um, but it's about execution now. Like, so Australia does not have SBOM.

[00:29:42] There's no mandate. The Australian government, if you go to the website, it actually says they encourage something like an SBOM, but it's not mandated. Same thing in Europe. There's no actual SBOM, so, but I can see that different governments are actually, encouragement from it, and they see value in it, but they're not mandating it as much as I think the US is.

[00:29:59] Ron Eddings: So what do you do with SBOM? Like you, you, you gather this list, this recipe of software, and you have it stored somewhere. Maybe you're sharing it with organizations. Who is looking at that and what are they doing with it?

[00:30:12] Shilpi: Yeah, and that's the exact question I think we are trying to ask everyone, like, how are you actually doing it in your organizations?

[00:30:18] I think at the moment, with the maturity where things are at, I think most people are just getting it from their third party, making sure they've got it. I think there is a lot of activity happening in the vendor space, so a lot of vendors are looking at solving this.

[00:30:29] Ron Eddings: Maybe a lot of vulnerability management

[00:30:33] activity in there. You might be able to say, Alright, this particular software is vulnerable a lot. What version is running on it?

[00:30:38] Shilpi: Yeah, yeah, yeah, exactly. So lot of scanning, a lot of vulnerability management. All of those things. There's lots of different products that we are hearing of that are gonna be popping up.

[00:30:46] So I guess 2023 will be a year where we'll see, I, I would be surprised, like, if you don't start seeing some specifically, we are gonna solve your SBOM, yeah, challenges. We are gonna help you identify, you know, what's actually in your software, which one of those components are vulnerable. Have that audit probably ongoing.

[00:31:03] Like there's always room for any, um, any of the softwares to have that continuous monitoring aspect in there as well. Right.

[00:31:10] Ashish: I mean, you could put a maturity angle to it as well. Um, if you were to put like a maturity scale out there, on the very beginning stage on the left, I would probably say just knowing what you have is a great thing.

[00:31:21] Like a lot, as I was telling about the maturity for a lot of third parties you might work with, or even internally when you work with, I think I been, we had a lot of conversations. People could not even find who was the owner for a particular application inside. Like even that is a thing. And I'm like, Oh wow.

[00:31:35] So it's not even just finding the asset. You find the asset, but you don't know who the owner is. Getting, following that is like, for me, is like step one for maturity. All the way on the other end is where you have some kind of automation, and I think, uh, one of the, uh, product companies, I can't remember the name, but they actually have it on the website, so you can actually see their SBOM on the website, I think it's like whatever website slash sbom, and you see the list of everything that they have, which is updated.

[00:31:59] It says the last updated date as well. Uh, I mean, I haven't gone back and checked, but I'm assuming that happens periodically, like every day or every week or every month, or every six. That's the next level of maturity, where it's no longer a conversation. It kind of becomes the same as HTTPS. Mm-hmm.

[00:32:16] Where it is just that, Well, it is just expected. Right. That's cuz that's the level of maturity we would love to get to and the industry should move towards. Like for people who may be listening in or watching, they can go and go, Okay, am I, how am I, how am I on the scale of knowing what I have versus I have it on my website, my ingredient list or recipe list, as you called it, that gets updated every time I change the recipe?

[00:32:38] Right? So that's the two extremes for people who will wanna think about implementing it.

[00:32:44] Shilpi: It'd be interesting how they solve it for open source though. Yeah. Cause it, I feel software has ended up using open source code. Right. How do you,

[00:32:51] Ron Eddings: like you live underneath of the hood. It's all open source. It's all, It's all, you know, we're all using a lot of the same things and I think.

[00:32:59] This idea of SBOM and like that topic of having the inventory of that is really the next frontier, because we're moving more and more into a code first world. Yeah. Yeah. And what I love about this conference is you get to learn about these topics, you get to hear from the experts, and it's electrifying to be back in person.

[00:33:16] I was getting a little stir crazy. I love the virtual conferences, but for anyone that wasn't able to make it, that wasn't able to be here with us, what is one thing that you would want to share with the audience at home to say, Hey, this is a few of the important things that are actually happening at the conference?

[00:33:32] Ashish: I would probably start by the theme that was across the board. Uh, some of the themes that they had was Cloud, Zero Trust, and this is the reason I mention the theme is because for people who would not have attended, it's always good to kind of see where the market is going and, uh, it's almost like a good zoom out for

[00:33:49] what should I be focusing on for my next promotion or whatever. So there's a lot of conversations around, uh, cloud native, cloud, uh, zero trust, supply chain. A lot of conversations around CISOs and board conversations, which is, I guess, it has always been the case anyways, right? But for anyone who's trying to go into that leadership space, there definitely were conversations around that.

[00:34:09] There were some of the common sessions, we spoke to people, they were talking about the whole Russia, Ukraine thing as well. A lot of that. Yeah, there's a lot of that. So there's a, I mean, I guess it's a hot topic, so if you wanted to get some insights from, say, what was the Microsoft Threat Intelligence team listening to?

[00:34:23] Some parts of it were exposed during the conversation. So that was kinda like the themes that I saw. Um, I don't know what, what was your thought on that? I think, 

[00:34:30] Shilpi: Um, I'm gonna take probably a different lens. So I think it was interesting to actually see a lot of non cyber security people giving talks. So a lot of the keynotes over here, so there was Erin Brockovich who gave a keynote.

[00:34:42] Um, there was Sully from that movie, Sully. Anyone's watched that? Yeah. So I think there's that interest about, like, cybersecurity being more than just a cybersecurity problem. So it was interesting. I was part of the production for a podcast with the person who wrote the book, um, This Is How They Tell Me the World Ends.

[00:34:57] And I think she said something really nice, and I think I'm starting to see a bit more of that in this conference, is that cybersecurity is not just a technical problem. She says that it's a societal problem, it's a, you know, a cultural problem. And I very much agree, because a lot of the things that we are dealing with, it impacts everyone.

[00:35:13] So that was something different that I, I haven't seen at many conferences. Often it's, you know, all, all the rock stars of cybersecurity that would be there. But it was good to see that, you know, there are other people who are getting an opportunity to share their perspective and why it's important.

[00:35:25] Broader audience and giving us some limelight as well, because I think the broader society needs to know about cybersecurity and be attuned to it.

[00:35:34] Ron Eddings: You two are a dynamic duo. I love it. Cause Ashish is going deep into like the topics. This is what you need to know. And then you're focused on the accessibility.

[00:35:43] Yeah. Taking that information and sharing it far and wide. Ashish, Shilpi, thank you so much for joining us and, and sharing the conversation and just letting us know like what's, what's coming up and also the differences between like how things are done in Australia versus the rest of the world. Cause we all need to see it.

[00:36:00] We all, we go, we can all learn from each other. So with that, we'll see everyone next time. Thank you. Thank you so much.
