
EP. 15 What’s The Best Defense Against Ransomware? With Josh Davies

About This Episode

In this episode of the Cloud Currents podcast, host Matt Pacheco dives deep into the evolving landscape of cybersecurity with guest Josh Davies, a seasoned cybersecurity professional and Principal Product Marketing Manager at Fortra. Josh shares his unique journey from law to cybersecurity, offering insights into the industry’s challenges and opportunities. The discussion covers a range of critical topics, including the cybersecurity skills gap, the rise of managed security services, and the latest ransomware tactics. Josh also provides valuable advice on how businesses can effectively secure their cloud environments and leverage tools like XDR and AI to enhance their security posture.

Listeners will gain a comprehensive understanding of the current cybersecurity threats and the strategies to combat them. Josh emphasizes the importance of collaboration, continuous learning, and proactive defense measures. Whether you’re an IT leader, a security professional, or simply interested in the future of cybersecurity, this episode offers practical insights and expert advice to help you navigate the complex world of cloud security and cyber threats. Tune in to learn how to stay ahead in the ever-evolving battle against cyber adversaries.

Know the Guests

Guest Josh Davies

Josh Davies

Principal Technical Manager at Fortra’s Alert Logic

Josh Davies serves as the Principal Technical Manager at Fortra’s Alert Logic, where he leverages his expertise in Managed Detection and Response (MDR) to shape the company's market strategy and service offerings. Since joining Alert Logic in 2017 as a Security Analyst, Josh has brought his extensive experience in incident response and threat hunting to the table, particularly for mid-market and enterprise organizations. He later transitioned to a Solutions Architect role, where he utilized his security knowledge to help organizations identify suitable security solutions. In his current role in product marketing, Josh continues to be deeply involved in security operations and threat intelligence, contributing to the company's ongoing efforts even after its acquisition by Fortra in 2022.

A strong proponent of collaborative cyber defense, Josh believes that sharing security best practices, challenges, and threat intelligence is crucial for the industry to effectively combat threats. He is also dedicated to addressing the cybersecurity skills shortage by educating and equipping aspiring professionals. Josh has shared his insights at notable conferences such as DTeX, Future of Cyber Security, and AWS re:inforce, and has contributed to publications like TechTarget, Business Telegraph, and Infosecurity Magazine. Academically, he holds a Law LLB and an MA in Classics and Ancient History from the University of Exeter.

Know Your Host

Host Matt Pacheco

Matt Pacheco

Sr. Manager, Content Marketing Team at TierPoint

Matt heads the content marketing team at TierPoint, where his keen eye for detail and deep understanding of industry dynamics are instrumental in crafting and executing a robust content strategy. He excels in guiding IT leaders through the complexities of the evolving cloud technology landscape, often distilling intricate topics into accessible insights. Passionate about exploring the convergence of AI and cloud technologies, Matt engages with experts to discuss their impact on cost efficiency, business sustainability, and innovative tech adoption. As a podcast host, he offers invaluable perspectives on preparing leaders to advocate for cloud and AI solutions to their boards, ensuring they stay ahead in a rapidly changing digital world.

Transcript

00:12 - Introduction and Josh Davies' Career Journey

Matt Pacheco
Hello everyone, and welcome to the Cloud Currents podcast, where we explore strategies and technologies shaping the future of cloud computing and cybersecurity. I'm your host Matt Pacheco, and I help businesses understand cloud trends to better help them make decisions about their IT strategy. In today's episode, we'll be diving into the evolving cybersecurity landscape, how organizations can effectively secure their cloud environments amidst an onslaught of modern threats like ransomware. We're joined by Josh Davies, a seasoned cybersecurity professional and principal product marketing manager at Fortra. A leading provider of managed detection and response solutions, Josh has been on the front lines, working as a security analyst and solution architect before transitioning into his current role, driving Fortra's technical marketing strategy. He brings a wealth of hands-on experience across domains like threat detection, incident response, cloud security and more.

Matt Pacheco
In our discussion today, we'll explore topics like bridging the cybersecurity skills gap through managed services, the latest ransomware tactics and SOC's role in combating them, securing hybrid cloud workloads, and the convergence towards extended detection and response XDR platforms. Thanks for joining us today, Josh.

Josh Davies
Yeah, thank you very much for having me, and thanks for that intro. You did me justice. Absolutely.

Matt Pacheco
We try. Well, we appreciate you being on here. We could just kick this off right here by. Can you tell us, walk us through your career journey into cybersecurity.

Josh Davies
Yeah, sure. So I think to start at the very beginning, I had a bit of an unorthodox journey into cybersecurity. I would encourage anybody listening who thinks it's not for them that actually there are a lot of different backgrounds that can get into cybersecurity. So I was in law initially, and I kind of became a bit disillusioned with that pathway. I loved the gray areas of the law, and turns out there aren't that many of them these days, with hundreds of years of case law and kind of well thought out statutes and legislation. But cybersecurity was something I touched on a little bit as I was doing international law pieces, and I found that really interesting, that the challenge of attribution, we know someone's done something illegal, but we can almost never pin it on them.

Josh Davies
And so that was the kind of gray stuff that I loved, and I found myself getting more familiar with cybersecurity. Ended up getting my first cybersecurity role as a security analyst, thanks to a friend who was already in the industry and kind of helped coach me a little bit. I spent a lot of time there doing incident response tasks, kind of being terrified every day initially that I was going to miss an active attack and be the cause of a breach. As I grew into it, I started to get a lot more confident doing things like threat hunting exercises, tuning, tweaking and modifying the detections so that we could catch the things that we needed to catch before moving on to more of the darker side where I stood. Some of my solutions architect work into the marketing space as well as some sales too.

Josh Davies
So I've kind of been on the ground understanding what it's like to be a foot soldier. And when it comes to cybersecurity, seeing active attacks on a regular basis, I mean it was literally every half an hour there was a new compromise to try and deal with working for a managed service provider, which was awesome. And then to actually help businesses try and solve their security challenges, to hear what IT teams are struggling with, how they can build security in today and trying to work out, hey, where are you at in your security journey? Are you really immature? You just started out, are you quite mature? And how can we keep pushing you down that? Because security is a journey that never has an end destination. It's endless. Wherever you are on that, there's still a distance to go forward.

03:47 - Roles in Security Analysis and Solution Engineering

Matt Pacheco
How have your roles in security analysis and solution engineering informed your current responsibilities at Fortra?

Josh Davies
Yeah, so as the title says, I got that technical thrown in for the technical product marketing manager and that's really my strength. What I didn't know about marketing initially, I built it up over the years, but I knew all about the technical pieces and I support a lot of existing marketing initiatives, making sure that the language is as accurate as it needs to be and responsible. I really don't like it when people overstate the capabilities. I've seen "eliminate risk" over the years. I've seen "we stop threats" and there's some truth in those. But those absolutist statements are never quite true. Because the attacks, even if you're able to confidently block 100% of attacks right now, tomorrow, you can't possibly say that. You can't anticipate the attack threats of tomorrow.

Josh Davies
Which is also why I love the industry, because you're always having to be reactive to a certain degree. The attackers always get the first move so they get a bit of an advantage there and we have to react and we have to adapt to the evolving threat landscape without security controls, detections or strategies and quickly things that used to be maybe established, yeah, principles carry on. But I remember as a junior analyst having some of the veterans come up to me and ask, hey, what do you think of this? And I kind of felt completely out of my depth and I was like, you tested me. No, we genuinely want to know what you think of this because this is absolutely new to us as well, and you're going to have a different perspective that's going to help us understand what's going on here.

Josh Davies
So, yeah, hopefully that answers the question.

Matt Pacheco
Oh, yeah.

Josh Davies
Yeah.

Matt Pacheco
It's interesting career progression, too, as a fellow marketer. Awesome.

Josh Davies
Come the other way, haven't I? Not that. Maybe it's the law practice I had that I've always been able to have. A bit of the gift of the gab. Maybe I wasn't the best technically as analyst, but it's a really collaborative role. I work with a lot of great people and I get to share my own experiences, but also their experiences. I love staying abreast of all my colleagues or now friends in different places, as well as to what the latest security developments are, because it's a really collaborative community as it has to be. We all face the same common enemy.

Matt Pacheco
Excellent. I'll say for the audience, he's really good on a webinar, too. I've seen a few of your recent webinars talking about ransomware and some of your products, and you're doing a good job marketing. So glad to have you on the show and hear about your background and how you got to where you are today. It's awesome. You're probably familiar with a lot of the trends going on in cybersecurity, and.

Josh Davies
I'd like to get into a few.

Matt Pacheco
Of them, the first of which being the skills gap in cybersecurity. We know a lot of businesses are facing challenges when it comes to that. And what are the biggest challenges companies face in hiring or retaining cybersecurity talent?

Josh Davies
Sure. So I think I'm probably the product of the skills gap. The fact that they had to take chances on people without the formal education, went to uni, studied computing or something. So, yeah, in that respect, people do have to think outside the box sometimes when they're hiring. If you can kind of get somebody who might not have all the credentials, all the pieces that you want right there, but you have an environment where you can develop them, that's the best way to go. Good analysts thrive on development, self-development. The only way, the number one skill for an analyst is having that ability to learn quickly and the desire to learn, because if you stagnate, then as we discussed, things move on, you're no longer going to be as effective. But the challenge there is.

Josh Davies
When you've got somebody who always wants to move on to the next challenge, you're kind of caught with this, hey, I want them to stay doing the thing that they do so well that I need somebody to be doing for me day in, day out as a security task. But if I keep them there, if I don't challenge them, move them forward, then they're going to look elsewhere because there are so many other opportunities out there. So I think that's the big thing. Hiring is one thing, but then retaining, training, making sure you invest in people. Also, there's that big gap between the half trying to train them up. There's usually about six months to get an analyst up to speed on your processes and how you do things. So it's really hard to anticipate this.

Josh Davies
Like we need a 24/7 team, but it's hard to anticipate when we're going to have a few people leave us. They might all leave at once. So my top tip for anyone who's looking at kind of hiring security talent, I encourage you to hire security and talent internally, but I'd also encourage you to augment that security team with managed services, somebody who you can trust with doing the daily security tasks. The kind of bread and butter, if that phrase scales over to the States, but the standard things that, you know, everyone needs to do every day. So that means that's been taken care of. Somebody is reviewing every single alert that is spat out by the SIEM or XDR tool that's creating detections.

Josh Davies
And people internally are ready when they need to be ready when it does hit the fan, when there is a critical incident and everyone needs to go into kind of forming war rooms and doing a full incident response capabilities. But it means they're not having to do mundane tasks every day when nothing is going on. And they can focus on more high value, niche bespoke tasks that are more specific to your organization. Things like custom threat landscape reviews, things like looking at all of your tech and saying, how can we evolve our security maturity? How can we harden what we've got so far or implement things like zero trust to kind of make sure we're going to have a better security posture? So I think that's my top tip.

Josh Davies
A combination of both is the best security programs and we see that across the board, whether you're a really small organization or whether you're large enterprises, everyone is looking for that augmentation, that partnership to get the most out of their security program.

Matt Pacheco
Excellent. That gets into my next question. Because I was going to ask, why are so many companies moving to managed security services like a managed partner?

Josh Davies
It's a good question because I think I used to have the conversation with people when I was doing the solutions architect piece of they wanted to do it themselves. They wanted to buy a SIEM tool and create their own security program and hire a full troupe of staff. And we'd have to educate as to, hey, okay, I get the appeal of that. You want to have full control over it, but you realize how difficult that is, how expensive it's going to end up being, and all those challenges we mentioned with the skills gap and keeping and maintaining analysts, it's tricky. And even if you think you've kind of got it nailed down, do you really know that your security program is as effective as it could be?

Josh Davies
So I think now we've seen that shift, that people aren't asking, should I do it myself or should I manage? I know I need managed help now, I just need to know who is the best person to manage myself, my team, or not manage, but support myself, my team, my technology stack, who's got the right threat intelligence, the deep analytics they're going to pick out, and then also the right people who I can rely on, who I can work with on a daily basis. So I think that's why we've seen that step. We've seen a lot of people move into the MDR, managed detection and response space, or any managed services space. Over the last five years, there's been a rapid acceleration from technology vendors, but particularly EDR, endpoint detection and response vendors, adding a managed wrap and starting to build out more capabilities.

Josh Davies
And Fortra, or Fortra's Alert Logic MDR, has been delivering MDR for 20 plus years. So we're one of the old heads here, the kind of veterans that were being emulated. A lot of the capabilities that we had in things like cloud and things like server threat detection and response. But competition is healthy. I think it's great there are so many people in this space right now. It means there's more options, but means that everyone is kind of pushing each other forward to develop better capabilities or deeper analytics, not just tick box coverage, which is what I see a lot of people doing who don't quite get it. They think, yeah, I can cover a certain type of threat, yeah, but what about evasions? So that's why I think it's great that we're all kind of in this.

Josh Davies
It's a busy space, it's a great space to be in managed security.

Matt Pacheco
Well, it's probably a good thing that it's busy because the threats that everyone's protecting against are growing as well. So having those experts augment businesses, that's, it's a good thing. And then the competition is healthy, too. Which kind of leads to my next group of questions for you on another trend, ransomware. We all hear about it all the time where it's in the news. There's huge ransomware trends. We're seeing the numbers that came out of 2023 and very scary. Very scary for businesses. How have ransomware tactics evolved recently with trends like data exfiltration?

12:24 - Disrupting Ransomware Attack Sequences

Josh Davies
Yeah, that's a great question because I'm going to start by outing myself a little bit because I, at one point, I can't remember a number of years ago, I said, I think ransomware is going to die down. I think we've had enough of it. We know about the encryption payloads and the attack sequence it takes to get there. I was wrong. It didn't die down. But the reason it didn't die down is because the definition of ransomware was extended so much as they developed these new techniques. Double, triple extortion, which we'll go into, is how that evolves. It used to be just getting in the network, getting a hold of as many machines as possible, and then deploying a payload that will encrypt the machines, basically makes them useless, bricks them, so nobody can actually get on, do their work.

Josh Davies
You think back to the old breaches, things like Travelex, the money exchange. They had to go on pen and paper to exchange money while they were getting assistance back online. But that was about the full scale of the impact. It was taking you offline. You have to kind of, you take a while to build back up. You might pay the ransom, you might not. What we've seen is this increasing sophistication or increasing volume of ransomware actors or ransomware families. And I think that's because people did pay the ransom or they did manage to monetize their access. Right? This is a successful business plan. If somebody gives you a couple of million in bitcoin, you want to reinvest a portion of that to make yourself better. And so what we've seen is real specialization of these ransomware actors.

Josh Davies
Ransomware as a service has been around for a while, but their sophistication, like LockBit, they will market. They write their own marketing pieces of how quick they can encrypt your devices because your time is of the essence. The quicker you can do something, the less time we as defenders have to react and disrupt and contain it. So there's that specialization. They work very much like the Conti ransomware group that was, that had their chat logs released. So, yeah, the Conti ransomware group were one of the biggest, present, probably really active about two years ago. And they, at the beginning of the kind of Russia Ukraine conflict, some of their members were Ukrainian. They had quite a big operation. They'd hired people, and they, some of the disgruntled Ukrainians, after Conti declared their support for Russia, released lots of chat logs.

Josh Davies
Which chat logs don't sound too interesting, but actually you got to see the inner workings of how sophisticated this operation was. The fact that they were interviewing people, albeit with cameras off, but they were interviewing with people, and some people were working kind of HR functions. They were being. Holiday was requested by the malware developers, and then HR would deal with it. They did have a high staff turnover. A lot of them kind of realized something was up and maybe thought getting paid in cryptocurrency isn't quite the norm, but that just shows the level of sophistication they're able to get to. And now we're in this point where you've got all these ransomwares as a service. Families who just specialize on building the ransomware software, malware. So that now enables them to do data exfiltration really well.

Josh Davies
They can actually go and search and find sensitive data. So that's keyword searches that if you plug your memory stick in and you happen to have a file on that, it's called passport, they will know that happens. It will pull it straight off, and then they'll go and store it and eventually take it offline. Then what they'll then do is sell it on the dark web or threaten to do so first. So you pay the ransom. That's the second extortion of the double extortion. And if you pay it, they're supposed to give it back. But honor amongst thieves, they're probably going to still sell it, because someone will use that to scam you, or someone will use that to try and hack into your own personal accounts. We've also seen the triple extortion, which is saying, I'm going to go to the ICO.

Josh Davies
So the data protection authorities say, we have this data. They haven't reported it to you yet, so you should fine them for it, because you're supposed to declare within 72 hours of knowing about a data breach. So that's. And then there's even quad extortions, which I've seen some people talk of, where they just DDoS. So DDoS is distributed denial of service. They basically spam your servers to make it really hard for you to actually do anything because they get overwhelmed, they fall over. So there's up to four extortions now, which if we evolve from that single one of just encrypting stuff to the potentially the full four. So that's how it's evolved. That's why ransomware hasn't gone away. And because they're specializing in building the ransomware pieces, they don't have to worry about being good at gaining entry.

Josh Davies
They don't have to focus on social engineering or web exploits that gain you initial access into a network. They don't even have to do lateral movement techniques. Some of them, some of them just give you the final end product. Because in order to ransomware attack, you have to gain access. You have to see where you are, see what you can get a hold of, start to grab user credentials that have got high levels of privileges, or find another way to move laterally amongst the network, find the data sources that are sensitive for you to take. Find enough machines that if you do encrypt, it's not just three machines we gotta redo, it's every single, it's 99% of our estate. So now they're partnering instead with people who are good at initial access, people who maybe they're insiders, or maybe they're social engineer specialists.

Josh Davies
They're good at ChatGPT, and using spear phishing attacks, loads of different ways that people can get in. They then come to you, say, hey, I've got access to so and so's organization. Do you want to go half on the ransom with us and you give us the kind of specialist ransomware, malware? They say, yes, and there you go. So this is why it's everyone's problem. If one organization gets compromised and they monetize it, they get more sophisticated and they come for you the next day. Which is why I think fostering collaboration among security professionals, threat intelligence and non-security professionals, just talking about security all the time, no matter who you are, exec down to someone who barely touches a computer apart from to look at their emails, is really important, because this is a global collective issue.

Matt Pacheco
Wow. Now that you scared everyone listening, what are some key opportunities for defenders within businesses to kind of disrupt these attack sequences?

Josh Davies
When I talked about the attack sequences that happen, and probably the webinar you attended might have been the ransomware attack sequences, because I often hear people say, I want to defend against ransomware and that's like defending against the final action. It's like saying I'm scared of dying at old age and you're currently 25. There are a lot of steps in between to get to that last bit. So what are the steps? Maybe that example isn't great, but what are the steps for you to get to the end point where it is you are fearful of? And you can do things like threat modeling to understand, okay, if getting hold of enough of our machines and getting hold of sensitive data, the things we're trying to stop, those ransomware actors do, let's work backwards as to how they would actually get there.

Josh Davies
What are the entry points? How would they move amongst our network in order to get there? And which is great for us as defenders, right? There are a lot of opportunities for us to actually catch early signs. Signs so early I couldn't even tell you it was a ransomware attack because I don't know what their end objectives are. It's hard to always know what they're going for, especially if you catch it at the first instance and actually disrupt that attack, contain it, so you buy yourself a little bit more time, conduct full investigation in order to determine, okay, how did they get there? What alerts have I got? But also what alerts do I not have? What stuff might be missed by my security controls, my preventive controls, my detections?

Josh Davies
Because technology is great, but even with all the AI piece we have, it still misses stuff and we still need to fill in the gaps as security analysts. So things like threat hunting manual investigations are really important. It means then I can be confident. I've identified ATT and CK, I've got the full scope of it. I've seen how far they've progressed. They didn't get to the end goal, which is great, and we've managed to contain them. Now let's work backwards. How did they get there? How did they do each of the steps? So when I'm advising or deploying remediation pieces, I know that I'm getting the full compromise and not just addressing a symptom. So analogy I like to use there is if I have a headache, you give me a paracetamol.

Josh Davies
I might not have a headache, but what if I have COVID-19 or a brain tumor in there? You haven't treated the underlying cause. So that's why it's really important that we holistically analyze all the data that we have, all the different pieces of our environment, because you might not realize how interconnected these in are people. Attackers gain access to one machine and they instantly pivot off to another one. You might have great security controls on certain assets which you think is security relevant. You might not think about some of them which actually offer legitimate avenues into those critical assets as being that important. So you put them outside of your scope for your monitoring, outside of scope for things like MFA. I still see that all the time that people are, oh, it's too hard. We had legacy systems.

Josh Davies
We couldn't put it on there. We recognize it was a risk. But hey, every asset needs to be covered. Every asset needs to have visibility into it, because when I come to doing my investigations, I need to have all the pieces of the puzzle to be able to put that full picture together. And there's been a lot of challenges in the industry with tools that address just portions of security. There are so many new security challenges. Every year a new vendor steps up with a perfect solution for that specific challenge.

Josh Davies
The challenge might not be as relevant in a few years time, or you might still have those relevant challenges, but you've got ten different tools doing ten different things for you, and you've got five security analysts who can't make sense of how this data all links up together because it's all in different format or different consoles or whatever. So going back to that skills shortage point and the need for visibility and coverage everywhere, we need to make sure that we do more with the analysts and the resources that we do have. And part of that is by empowering them with the right tools that give, that make things easy, that use automation when automation is going to make my life easier, that have visibility, that I don't have to waste time doing things that are going to slow me down.

Josh Davies
I can just focus on the actual high value tasks that I'm here to do as a security professional.

21:44 - Using XDR, AI/ML and the Cloud for Security

Matt Pacheco
Excellent. And my next question is about the tools. So using security operations centers and MDR.

Josh Davies
How can you use those tools to.

Matt Pacheco
Faster detect and respond to threats like ransomware?

Josh Davies
Yeah, sure. So I think you asked about tools first, you also asked about MDR. So I'm going to start with the tools piece and then we'll go on to the kind of people and process that the managed bit brings. So there are a lot of tools out there for security monitoring, and there are a lot of tools out there for blocking things as well. And depending where you are on your security journey, obviously blocking threats is the first thing you should be doing. The most obvious threats can be blocked and will be blocked by even antivirus, but encourage EDR, things like firewalls.

Josh Davies
Tune up your policies, but understanding that you can't block every threat because if you tried to, you'd block all your legitimate users and you'd have everyone really annoyed at the IT or security team that they can't do their daily tasks and that affects the bottom line, then you have to be able to detect stuff that slips through. Detections are great because we can detect potentially suspicious or malicious instances of compromise and we aren't impacting anybody while we investigate and confirm whether they actually are a compromise. So if false positives where we accidentally think something is malicious when it isn't, are fine when it comes to detection, because we're not impacting anybody until after somebody has inspected it and analyzed it. The false positives people often talk about, hey, let's get filter out as much as possible.

Josh Davies
But for me, the reality is they're a necessary evil. If you're not getting enough false positives, you're not monitoring enough. Unfortunately, that has to be an indicator that you are monitoring correctly. But obviously, if it comes too much and you drown in it, boy who cries wolf, you're not going to get any value. Tools that can make the right detections have to have visibility into all the right detection telemetry that you're, that they need to make decisions on. So if you're in cloud, we need to be able to pull all the data from the cloud, what's running in the cloud, but also the cloud tenancy itself, how you've configured that. That's very different to how we used to secure data centers. Data centers, just secure what's in there.

Josh Davies
You might have some legacy technologies we're able to monitor and pull the information you need from that. You need to monitor not only logs, but also network traffic. So logs are great, but they don't tell all the story. It's kind of like a machine writing its own little diary of what happened to it, but it neglects to tell you about certain things. Network traffic is a lot more honest. It's things flying across the wire, listening to different conversations between machines. I need both of those things to make the right decision. And I also need other telemetry like file integrity monitoring. How have your files changed?

Josh Davies
EDR, existing, can make its own telemetry as well, and make observations on things like processes that are running, things like fileless attacks, and how attackers are trying to favor using things like PowerShell, that IT admins normally use, but trying to use them maliciously. I also need to look at identity, Active Directory, or IAM if you're in AWS. Really, really important. You've probably heard the phrase identity is the new perimeter, and it's been proven true with hybrid working, with cloud and whatever, but we don't always. It's very difficult to actually perform detection on identity because it's hard to tell what people should and shouldn't be doing.

Josh Davies
But when I get an alert elsewhere, I want to correlate with what the user account has been doing, because if the user account is compromised, I might isolate a host, but they could be moving elsewhere into the organization. So what I need is a tool that looks at all of that. And there are two kinds of tools that are best for threat detection and response. There's SIEM and XDR. There is some debate over those terms that I'm not going to get into, this bit of confusion. Sometimes XDR is better. Some people think SIEM is better. Good XDR and good SIEM are both fantastic. They both can be great. What you want to watch out for is bad versions of each. I think that's why there's confusion. But if you have a SIEM

Josh Davies
or XDR tool that is able to pull all the sources that you need it for, perform deep analytics on, actually make sense of the data that's coming in, because it's too much data for a human to go through entirely, and empowers me to make the right decisions as an analyst by showing me the information that laterally allowed me to move into other detection sources and then take automated response actions. So I can actually, at the flick of a button, take the containment action I need to buy myself extra time and prevent that attack from spreading. So that's why the tool is so. But I think, yes, XDR is. We at Fortra have just built upon our existing Alert Logic MDR.

Josh Davies
With Fortra, XDR took that platform and identified where there might have been some slight gaps in visibility, where we didn't have all of the pieces, particularly endpoint. For us, we were relying on third party endpoint integrations, but now we have, with being part of Fortra, they had an EDR solution which we were able to adapt and improve and then put into the Alert Logic side; together that made XDR. And so now we have this tool which has coverage everywhere, deep coverage everywhere, and it gives us all the pieces we need to make the decisions. And this is still a managed service. We aren't moving away from our managed DNA because, yeah, it's one thing having the tool that can do all the things I just described.

Josh Davies
You can buy an F1 car, but if you can't drive it, if you don't have a pit crew, you don't have all the tools to maintain it. It's going to look nice on your drive, but you're not going anywhere with it. So that's how I often describe people and process, that you need to get you to those outcomes that a tool offers.

Matt Pacheco
Excellent. While we're still on XDR, I'd like to talk a little bit about XDR and security integrations. So you talked about this a little: almost the convergence of MDR, EDR, NDR, and other security data sources into XDR platforms. What do you see as driving this trend? Why is this happening?

Josh Davies
You've probably heard the phrase, we need to break down the silos. And I think that's something that is true everywhere. You break down the silos amongst your different teams in your business that have the same kind of culture, but also break down the silos between your different data sources. I think probably cloud, people moving into cloud, was that initial, hey, things are very different. I don't want one solution for my on premise and one solution for my cloud. Like I said, identity becoming more and more of a problem. I think what we've seen is how we used to be able to traditionally just secure the data center, rely on what the servers and network were telling us. We now know that the threats are kind of, our attack surface is much broader.

Josh Davies
They can come from a lot more angles. If you think, a bit of a history buff, of the Roman Empire, how they continually expanded, grabbed more and more territory, eventually got to a point they were so large, they were destroyed from loads of different, all different angles because they had such a big attack surface and they couldn't secure it all. What this is trying to do is recognizing that we have a really broad attack surface, that there are more vulnerabilities being discovered year on year than there ever have been in the previous years. So we've got more to secure, and what we have has got more vulnerabilities on it. That creates this problem with a huge exposure in the attack surface.

Josh Davies
So tools like XDR look to kind of wrap all of those pieces together to not offer point solutions, but maybe even pull in point solutions, third party security investments you've made, and pull them into a single location so we can start to make sense of all of the data that all of our different telemetry sources are telling us, and that we can correlate, because attackers are smart, right? They aren't noisy. Well, the rubbish ones are. The kind of script kiddies are noisy. They're very obvious, you know, when they're there. But good threat actors, nation states especially, advanced persistent threat actors, but not even that level. They go for low and slow techniques, they evade detection, they turn off security controls, they even destroy data that they leave behind so that you can't find their tracks. And they also try and operate.

Josh Davies
Let's do a little bit of compromise here, a little bit of compromise there, because they're not trying to do huge spikes in activity. That's going to make it obvious that something is going on. So when you've got this, you'll be attacked from all angles. When the attacker is trying to not be too noisy in any one single location, you need something that can look at everything holistically and then start to connect the dots together. Because those individual dots might not look like anything on their own, but when you combine them with three other dots, you've actually got the strong fidelity signs that you are currently under an active attack or under an active breach. And I just remind everyone, I talk about breach and compromises quite a lot. That isn't the end game. It's not game over.

Josh Davies
When you're compromised or breached, it's game over if you don't do anything about it. You have a lot of opportunity to contain it, disrupt it, remediate, and actually never hit the headlines. Nobody might even know you were compromised. I know so many organizations who never hit the headlines. At one point it looked quite bad and actually they came out the other side with a much stronger security posture and some real world lessons that you can kind of go and apply. So, yeah, the attitude has been that you should be shameful to say you were compromised. I think we're moving away from that. We use words like cyber resiliency now, which isn't just about withstanding attacks, but it's about being able to recover quickly from attacks. And that is where security professionals' heads have been for a while.

Josh Davies
And I think that things like, I'm seeing compliance legislation, I'm even seeing governments and things like the EU start to mandate quick recovery as part of it, recognizing that compromise does happen and it's okay to be compromised; it's not okay to not have a plan of how to deal with it.

Matt Pacheco
A follow up question on how these solutions work. How can artificial intelligence and machine learning techniques aid in these solutions and protecting businesses from these attacks, or helping with the identification of these infiltrations and breaches?

Josh Davies
Yeah, sure. So AI is very much the buzzword at the moment. And as someone who's in marketing and hates buzzwords, I think sometimes we overstate the capabilities that AI is able to offer. That isn't to say that they don't play a role, but security has been using AI, more accurately machine learning, which is a subset of AI. And really, that's all AI is. It's not actually fully artificially intelligent. We haven't had that general AI where it can completely decide its own things. We are looking at narrow models that are trained on certain data and are told to make statistical analysis of things that have happened previously, and then take action based on previous results. So that's, detections are a huge part of that.

Josh Davies
If we can, things that might be not so obvious to us initially, if we can use a machine to say, hey, let us know if there are spikes of activity here. A basic one: somebody's logging in from a location we've never seen them log in from before, that could be cause for investigation, but also more complex anomalies that aren't always worthwhile detections, but are worthwhile investigating because we often don't know what we're gonna go and find in those. Anomaly detection, alongside usual correlations and pieces, is really important to make sure you have the best detections possible. I've seen machine learning, supervised machine learning, be kind of deployed to replace some of the functions I used to do as an analyst. And it's very often wrong. It has to feed into people.

Josh Davies
There's still the need for people to validate what the AI is telling them, but it draws them to something that they should investigate quicker than it would have if people were left to their own devices. It can also help us make our decisions better and quicker by showing us relevant data, pulling stuff that might be linked elsewhere. Anything that could be automated should be automated. And that's really where I see the benefit of AI and machine learning. But also, I think it's interesting if we look at, I've heard some people say defenders aren't using AI well enough because we haven't really seen any huge advances in the same way we've seen from attackers recently. And I kind of dispute that.

Josh Davies
I think that's a kind of, that person who says that doesn't fully understand the differences between an attacker's position and a defender's position. Attackers are used to being wrong. They're wrong 99 times out of 100; they only have to get it right once. Then they're in and then they can start to kind of be really surgical and careful with it. So using AI for entry is really effective because you can just let it run amok, try things out. Oh, we got lucky and they managed to get me in, passed, shift out loads of phishing emails and one of them was successful. Great, attackers can accept that level, that success rate. As defenders, we have this, I guess, burden of accuracy that is a lot higher. We need to be correct 99 times out of 100.

Josh Davies
So we can't let AI just do everything for us because it will make mistakes. Automation does run amok, actually. A lot of business leaders are quite hesitant to adopt too much automation because they've had experiences where it might have knocked everything offline because it thought there was a threat. AI is there to augment and aid the human analysts and human decision makers and help them make better and quicker decisions. We're not at the point, I don't see us being at the point for a long time yet, where we can fully rely on AI as fully automated security roles and solutions.

Matt Pacheco
Well put, and I agree 100%. Thank you. I want to ask a few questions about cloud security as it relates to hybrid multi cloud environments. So this might be a little higher level, but we have a lot of listeners, IT leaders, some technical IT leads, always looking for advice on how to secure workloads in the cloud. How can organizations, because we talked about MDR, we talked about EDR, XDR, but those are a lot of solutions. From a strategic standpoint, how can organizations implement the right security controls and governance for those cloud workloads?

Josh Davies
Yeah, absolutely. So just to link XDR and MDR to it, that is mainly about the ongoing monitoring of how things are behaving in your environment. I'm sure people are familiar with the shared responsibility model. The clouds will secure the pieces, the hardware and the physical area of the stuff they're using. If using platform as a service, they might take on more responsibility. But ultimately, how you use things in the cloud is all up to you and they trust you. You're an adult; they'll let you put the most vulnerable versions up there with loads of holes in it because that's your decision that you want to go do.

Josh Davies
So not only is it about monitoring these things, but also tools like XDR and MDR will actually perform vulnerability assessments, configuration checks, look at best practices so you can understand how you should be building your cloud environment. One thing that's great about cloud, and the reason people shouldn't be scared about cloud, is, yes, it's different, but actually it's way easier to enact all of the security best practices. You don't have that same struggle of loads of technical debt that you might have built up in a data center. Legacy platforms. Last week I was reading a breach report from the British Library.

Josh Davies
I don't know if you've heard of that over stateside, but they had a ransomware attack just towards the end of last year, and they're a government organization, or linked to government, and they hold like the whole electoral roll for the UK and loads of all the texts that we have. So they have been very candid with, okay, now we're going to share exactly what happened and we're going to point to all of our failings. There was nothing groundbreaking in there. It was very common stuff, things like MFA they hadn't turned on because they couldn't, the systems were too old. I really commend them for being so candid.

Josh Davies
I don't think we have enough of that in the cybersecurity world, because everyone can learn lessons and connect business impact to when they didn't do things and decided, we'll push it, we'll do it in a couple of years. But interestingly, their cloud environment, which had their HR, their payroll systems on, didn't get compromised at all. That's because they knew the right things to do from a security perspective. They just didn't always have the resources or time to go and do it everywhere. So they did it where it was easiest, and cloud was where it was easiest.

Josh Davies
And so that's why I'd say if you've got, if you get a security partner or security resource internally, who knows what the right things are to do in your cloud environment, how to make sure you only allow the access that is absolutely needed and you don't get lazy and just allow it everywhere, because that will make things work, yes, but it also makes you unnecessarily exposed. You can enact that really easily. There are cloud native tools, cloud native recommendations that even advise you when you're building stuff sometimes, hey, are you sure you want to do this? You should do that. So, yeah, cloud is a great environment that allows you to shift security further left, take advantage of the latest technology, things like containers, which can be really modular and agile, and fix vulnerabilities sooner and not rely on,

Josh Davies
is everything going to break if I have to patch this one piece? Then cloud leaders also need to understand that, yes, we want to shift everything left as much as possible. We also need to monitor because we can't anticipate every single threat, whether it's a zero day, whether it's a person making a mistake. Humans are involved in building technologies, in using technologies, in defining how they're going to be used, and that leaves risk for you to be compromised. So it's about having that defense in depth process: make your attack surface as small as possible by reducing those misconfigurations and vulnerability exposures. Add preventative controls in there where you can, get cloud EDR or cloud workload protection platforms. If you can block an attack, you should. Web application firewall, really important.

Josh Davies
That's something else that I work a lot with at Fortra, the Fortra WAF, web application firewall, because web apps are the most compromised assets. I haven't actually read the latest Verizon DBIR, but I bet it's going to tell me that again, it's the most compromised asset because it's the most exposed and it's a real easy avenue into your organization. So having something to protect that like a WAF is really important. But then beyond the protection, beyond the kind of mitigation pieces, understand that you need to be monitoring for this in order to be truly resilient. It's not just about withstanding attacks, it's about being prepared to recover from them before it gets to that game over state. Because ransomware, we talked about that earlier, but I don't think I said the timelines.

Josh Davies
I think on average it can go from about 24 hours to five days for the quick ones, but they can also take a lot longer to progress through there. So there are a lot of opportunities for defenders to jump in and stop it from progressing, because it's not just one thing; they need to be successful at a lot of different stages in order to get to that end goal, which means I don't have to catch everything, I just have to catch one before they get to game over and then I can stop them.

Matt Pacheco
I really like calling cybersecurity staff defenders. It's so accurate when you hear about all the threats and all the things that they do that truly are defending businesses. It sounds cool too.

Josh Davies
We've also got the attackers, the cybersecurity professionals who are attackers, who will simulate adversaries to show you exactly where the holes and vulnerabilities are. So that's why I kind of distinguish, because I've been less on that side. But absolutely, that's a great point too. Once you've done all those things I mentioned, test it. Don't let an actual adversary test it. Get somebody either internally or get a managed service provider. Fortra have a few. And we also have Cobalt Strike, which is the best penetration tool out there, undisputed in my opinion. And that will show: is everything that I think I've got going working? Is my service provider actually as good as they say they are? Test them, prove them and prove it out. And then that's what every organization is doing now, right? It's not.

Josh Davies
It's about that journey we talked about at the beginning. In order to keep moving, pushing forward on the journey, you need to constantly reassess it, even when you think, yeah, we've got everything under control because you probably haven't. And connecting it to actual real world adversary simulation, actual real world impacts, is the best way to show maybe your business, your executives, your business leaders. Here's what would happen if we don't continue developing and moving our security forward. Because here's what they could have done if they were the bad guys and not a good guy.

Matt Pacheco
Awesome. So just a few more questions before we wrap up today. Maybe, maybe a more positive spin. We talk a lot about scary stuff, but some of the good stuff: what emerging cybersecurity technologies or trends are you most excited about in the future?

Josh Davies
I think the main thing that I'm excited about is this breaking down of silos and integrating lots of different technologies or solutions. I think we are on the cusp of seeing, there's loads of cybersecurity providers, but in the next five plus years, we'll see that shrink massively into a few big providers who are able to actually identify some of the best of breed solutions and kind of make them work together, make them talk together, have meaningful integrations. Right. I'm not talking about one UI that looks and smells the same. I'm actually talking about pieces that communicate with each other, share intelligence with each other, have a shared platform, unified console. That's very much the journey that Fortra is on.

Josh Davies
And we identified that quite a while ago with acquiring the different security companies, and there are a few other companies who are also on this journey who I won't call out by name. I think that's the big journey for cybersecurity. It's hard to say any kind of point solutions within that. AI has been very exciting from the attacker side; I think I'm yet to really see the generative AI or the large language models actually help out defenders beyond making it easier to search data. It's basically just a human like interface for using Google. Hey, tell me about what vulnerabilities you have on this host. That's the only real use case I've seen in defense so far. But attack also has loads of use cases there. So I do wonder.

Josh Davies
I look forward to seeing how the AI journey develops, but I don't think defense has got a huge amount of pieces right there at the moment. But if I could just expand your question slightly to the biggest trends that I'm excited about, I'd probably go off the back of reading that British Library report. The fact that people are being a lot more forthcoming with what's happened to them during a compromise, sharing lessons learned, not hiding behind lawyers and PR teams and saying there was an issue, we're going to be really tight lipped and no one's allowed to talk about it, because that doesn't help the next victims, that doesn't help everybody else develop their security. And I've said a few times, I'll say it again, it's everyone's problem, right?

Josh Davies
If we try and address this challenge in isolation, even cybersecurity vendors, we all share threat intelligence amongst each other. We aren't holding on to secret sauce because, hey, we're the only ones who can catch this type of attack. No, we'll announce that we found this way of detecting it and explain how you can do it, because it's the same fight that we're all fighting. And hopefully that trend continues, even when we do have that future of maybe five big security companies. I hope collaboration continues. And I want to see more collaboration amongst organizations as well.

Matt Pacheco
Great answer. Great answer. All right, final question for you. If you can impart one key piece of wisdom to the cybersecurity professionals listening to this podcast right now, what would it be?

Josh Davies
Get everybody involved in cybersecurity, right? It's not just a security team's function, it's anyone with an IT hat on. It's also anyone who uses IT. So it's everybody in your organization. If you have these conversations early, if you make it fun, if you say, hey, developer, you're building this application, if someone was to steal the data, how would you do it? Ask them that. Come through this tabletop, simulated exercise. Make it engaging. Because nobody wants to sit down and watch those cybersecurity compliance videos. But actually, everybody enjoys cybersecurity when it's explained to them because it is really interesting, it's almost like it's the future of sign of. Sorry, fumble. Lost the point there. Might need to edit.

Josh Davies
But, yeah, it creates really interesting conversations, and it also encourages everybody to talk about cybersecurity on a daily basis. You might not realize, but the person who might be able to detect your next cybersecurity compromise might be Deborah in HR. And if you've had that conversation beforehand, when something smells fishy to her, she can go and let you know. And also eliminate this type of shame in cybersecurity. Right. As a security analyst, right, you are, kind of. I grew up, I was in my fresh environment where you were too scared to make a mistake or admit you don't know something. Nonsense. Where you don't know something, it's fine, come up with it and we'll kind of solve that problem. But also, don't pretend that you, oh, yeah, I knew what I was doing. Yeah, I'm fine with security. It's okay to be wrong.

Josh Davies
It's okay to not know. But if you don't have those conversations, if you are too ashamed to report when you think something is going wrong, that's when these small issues snowball into the big compromises that we see on the news.

Matt Pacheco
Great advice. Well, it's been awesome having you on here, Josh. Really nice hearing from you and connecting with you on these topics. I learned a lot. I'm sure our listeners learned a lot, too. We appreciate you being here. It's been a pleasure.

Josh Davies
Thank you. Hope I was able to add some positivity at the end where I was painting a pretty bleak picture of how sophisticated the actors are earlier on.

Matt Pacheco
Absolutely. And it's important to know the trends and know what they're doing in order to be able to properly prevent and also recover from these attacks. So I appreciate your insights and your positivity and all the stuff you taught us. We'd love to have you again in the future.

Josh Davies
Yeah. Thank you very much for having me. Appreciate it.

Matt Pacheco
Thank you. And for our listeners, thank you for tuning in. Feel free to subscribe on YouTube or wherever you get your podcast episodes. I'm Matt Pacheco from Cloud Currents, and see you next time. Thank you.