About Token Security
At Token Security our goal is to teach the core curriculum for modern DevSecOps. Each week we will deep dive with an expert so you walk away with practical advice to apply to your team today. No fluff, no buzzwords.
About This Episode
This episode Max Saltonstall sits down in Manhattan with Quiessence Phillips, Deputy CISO and Head of Threat Management, City of New York and Colin Ahern, Deputy CISO, City of New York.
About The Hosts
Max Saltonstall loves to talk about security, collaboration and process improvement. He's on the Developer Advocacy team in Google Cloud, yelling at the internet full time. Since joining Google in 2011 Max has worked on video monetization products, internal change management, IT externalization and coding puzzles. He has a degree in Computer Science and Psychology from Yale.
Justin McCarthy is the co-founder and CTO of strongDM, the database authentication platform. He has spent his entire career building highly scalable software. As CTO of Rafter, he processed transactions worth over $1B collectively. He also led the engineering teams at Preact, the predictive churn analytics platform, and Cafe Press..
Max Saltonstall 0:00
Welcome to token security podcast. I’m Max Saltonstall from Google, and today, I’m excited to be joined by two special guests from New York City Cyber Command. Quiessence Phillips and Colin Ahern. You want to tell us a little bit about what you do here and what your group is?
Quiessence Phillips 0:13
Sure. So as you mentioned, my name is Quiessence Phillips and I am the deputy CISO for Threat Management within New York City Cyber Command. In particular, we have a few pillars we have our security operations center, your standard detection first line, you also have our computer emergency response team, also known as CERT, focuses on a lot of the response efforts, forensics, etc.
Quiessence Phillips 0:35
We also have a function within direct management called counter direct automation and we focus more on automation, orchestration of efforts, you know for triage etc.
Quiessence Phillips 0:44
Additionally we have cyber threat intelligence function which obviously focuses on cyber threat intelligence. So that’s that’s pretty much my wheelhouse within cyber command.
Max Saltonstall 0:55
Colin Ahern 0:56
I am Colin Ahern and I’m the Deputy CISO for security sciences. That is, you know, all software engineering products and efforts within the Cyber Command as well as security architecture.
Colin Ahern 1:08
So working with city agencies to provide cyber related engineering and application security support. We conduct research and development on cyber security related issues by with and through our university and private sector partners.
Colin Ahern 1:21
And at a high level, the strategic defensive technology systems the city depends on like email filtering, log aggregation, etc. are things that my team designs builds, integrates tests and in some cases operates.
Max Saltonstall 1:36
So we’re sitting here in New York City downtown Manhattan and to summarize you keep all your safe online but it’s more than that too right there’s there’s a lot of different audiences and constituencies So can you tell me a little bit maybe about the scope of t his effort? Because Yeah, it’s easy to think that this is like the way I do a CISOs office in a big company but the company is the city government.
Colin Ahern 2:01
Yeah, for sure. So I think just in terms of some fun facts, the city has an enormous technology footprint. It’s been doing technology for a really long time. The first computer was installed in the mid 60s. So there’s been computing on behalf of city residents, visitors and businesses for 50 years or something.
Colin Ahern 2:23
There’s over 150 separate organizations ranging in size and sophistication from the Office of the mayor’s office of immigrant affairs it does absolutely cutting edge and important work on behalf of at risk populations — to the New York City Police Department, which has 10s of thousands of police officers was protect the city each and every day.
Colin Ahern 2:42
Additionally, we have three slash 16 public IP addresses which is like 196,000 something public IPs, of which many, many, many thousands are active at any one time. So it is a broad and complex landscape.
Colin Ahern 2:56
We have you know, a variety of city services run from data center is owned by the city data center. We operate in collaboration with partners every month, you know, major public cloud provider. So it’s an enormous and large environment. And it’s one that is it has some similarities to other large, complex enterprises. But fundamentally, the city is a service provider.
Colin Ahern 3:17
And the many of those services are provided via technology. And those systems are very large and complicated, you know, to speak very generally.
Quiessence Phillips 3:26
Right. And if I if I can add to that the city alone has over 100 agencies, you can just use that to see like the breath of detection and response that we have within our reach. Also, we have over 400,000 endpoints and if you think about it from a population standpoint within New York City’s is 8.5 million residents and we’re also embarking on these initiatives to provide security for those residents you know i.e. our secure NYC initiative.
Max Saltonstall 3:58
I see your ads in the subway all the time. Bus stops I think on the side of city buses.
Colin Ahern 4:05
I think it’s you know, so we have one in some ways can be can be thought of as an enterprise mission which is to protect, defend, respond and recover from cyber threats against city systems that you know residents visitors and businesses depend on. Also this administration our offices lead on behalf of the City cybersecurity is a public safety issue this administration’s put a flag in the ground or a stake in the whatever saying that your government owes you something to help you lead a safer life online. So that’s kind of the broad policy that we call secure NYC there’s you know, we have to tactics that we’ve debuted under that policy is q mentioned we have a mobile threat detection app, you can go to secure dot NYC and learn more about that.
Colin Ahern 4:45
And additionally, we’re partnering with an organization called quad nine, which is a nonprofit to provide free privacy respecting recursive DNS filtering to all city owned Wi Fi systems. Additionally, the mobile threat detection app is completely on device sends, no data to any other system and is built from the ground up to respect residence privacy, we don’t believe that security and privacy or are orthogonal.
Colin Ahern 5:11
Now we think that you can’t have one without the other. So those are just some of the things that I think are important to mention at the top.
Max Saltonstall 5:18
So with a fairly large ocean to boil, how do you get started? I mean, you’re a fairly young agency compared to the rest of city government. How do you start building this up from scratch when you have such a huge mandate?
Quiessence Phillips 5:29
Sure, well, we don’t want to boil the ocean, right? But starting with foundational security was important for us. So increasing our level of visibility was was one huge mandate for us ability as a team as a group as a group, however, but as I mentioned, with over 100 agencies, you know, having visibility into those networks was important because if we can see it, we can defend it. So foundational security was was a hugely important so getting ourselves to a point to where we had that visibility with step one, skipping all the strategic initiatives, you know, that that we’ve done within the city and still doing from a technical perspective, you know, increasing the level of visibility. also ensuring and Colin can talk about this but ensuring that we had a way to receive all the data from those different agencies are different networks to completely understand the lay of the land to reducing the amount of vulnerabilities within the city and then also to ensure that we had a proper response plan.
Quiessence Phillips 6:33
So working with all of the agencies to ensure that they have personnel who can fight the good fight and then also given our teams the ability to remotely respond to incidents. So, you know, we don’t want to stay in the lane of always having to, let’s say if there is an event to go out to a different burrough to collect the machine to do forensics, etc.
Quiessence Phillips 6:57
So you know, you want to remotely respond wherever we can and this is why we been working on this highly secure responder environment to where we can, we can detect and respond from anywhere. So we don’t have to be physically located here. Nor do we have to be physically located anywhere our agencies are. So developing all of the procedures and processes to be able to remotely respond was hugely important for us.
Colin Ahern 7:25
Yeah, and I think you have to have one of, you know, the kind of three pillars of when we started this journey, focusing on the endpoint, as Q said, you know, really trying to ascertain from a visibility and control perspective, how many endpoints what their posture is, how we can secure them and at least for the environments in which these the data is going into a zero trust zero touch approach you know, we’re we’re big believers in the beyond Corp strategy by which the network you’re on shouldn’t imparts a level of trust into the data or systems in which you’re operating.
Colin Ahern 7:59
You know, we have we’ve done that we’ve built that with the with with Google. So that’s enormously exciting. And then zero touch infrastructure as code. declarative change management. Matching our administrative and technical control posture to ensure that highly secure highly performant a highly reliable nature of the system that we’re building on behalf of New Yorkers is one that we can be very sure how it operates, how it changes.
Colin Ahern 8:25
And just one of the kind of things we wanted to do on behalf of New Yorkers was prove that this could be done in an environment like government and not just in a large quote unquote, sophisticated technology company because I think that our residents demand innovative solutions. And so I think that’s one of the things we wanted to really work on was innovating in the space. On behalf New Yorkers, as Q said, the traditional it the traditional IT security is just not going to work for a city of this scale.
Colin Ahern 9:00
I think our organization is a recognition of that. So not only the latest tools, the latest technologies, the the best vendor partners, but a fundamentally different and innovative approach in protecting, detecting and responding to these threats.
Quiessence Phillips 9:10
Yeah, fundamentally was a huge mindset shift not only for the city. But for many people who have been lifers of city agencies and have done things in a very traditional sense. And as you mentioned, we’re very young and we’re coming in and we’re a team of millennials, we came in with a very different mindset and changing that for a lot of people is not always easy, especially when we have this approach of guilty until proven innocent from a response perspective.
Quiessence Phillips 9:38
You know, if we see bad behavior on a system, We’re shutting it down, or we’re at least containing it so we can do additional analysis you know, so we want to make sure that we have the ability to when we see something we contain it we go in, we can pull off information from that box. So also setting a proper reputation for our group was very important because we don’t want to be looked at as Big Brother, quote unquote.
Quiessence Phillips 10:03
And we want agencies to feel safe, that we have a certain amount of control and that their best interest is always our best interests.
Colin Ahern 10:12
And I think fundamentally, this is about building trust. It’s about building trust in the systems in which our organization uses it respond. It’s about building institutional credibility, because we’re asking people to do hard things where like you said, we’re asking them to in some way either larger small interrupt their day to day lives, their business operations because of something they can’t really see, which is bad people trying to do bad things from the internet.
Colin Ahern 10:38
So I do think that’s we just have to respect the organization in which the kind of the ocean which were swimming while still made, you know, ruthlessly focused on our mission and our mission driven culture. And though our team is growing, you know, a mission focused team rather than a functional team.
So you know for max and you walked in you know, this is the team here on this floor you know different parts of our organization working together day in and day out on the same mission and so that’s one thing that I think we think about institutional culture culture of our organization it’s it’s important to us that we maintain this mission focus I mean the threats frankly i real facing the city. Yeah,
Max Saltonstall 11:23
So Q Can you tell me more about how you went from a brand new organization within this large city government to getting the data and being able to remotely respond to one of these hosts no matter where it sits in the city and the government in the different hundred agencies that you work with?
Quiessence Phillips 11:40
Sure. So part of that is after receiving all of the data to ensuring that we have all the processes stood up internally to where you know we have a set of use cases at least to detect the known knowns or the known unknowns —
Max Saltonstall 11:55
As in this is bad behavior. So I think this toast is compromised kind of use case?
Quiessence Phillips 11:59
Exactly. So, and we have tons of use cases across many different verticals. But if you think about it, you know, whenever something bad does happen, or what, at least what we determined, yeah, you know, we have a certain amount of data at our disposal, we have a good amount of analytics that, you know, we can conduct whenever we do identify something.
Quiessence Phillips 12:23
And using that same approach of guilty until proven innocent, containing that machine, and ensuring that we have the tool sets on those machines to be able to take some type of action. So, and what we mean by containing machine is just like ensuring that it cannot interact with anything else except us, right.
Quiessence Phillips 12:42
So when we do that, we’re not tampering with any evidence, right,
Max Saltonstall 12:46
because shutting it off, we’re saying you don’t get to talk to anybody. So the remediation,
Quiessence Phillips 12:50
Exactly, so we still have the ability to conduct a first level forensics, you know, so we might be looking for things like processes spun off on this machine. Or you know what getting on give me the the latest registry changes, you know so we can make certain calls like that to help us to make better informed decision later you know and then if we need to pull a memory memory image or something like that and we have the ability to do so.
Quiessence Phillips 13:19
And you know, we talked about what what are the scenarios where we would need to do this. So let’s say for example, if something bad happened, and we needed to go in and pull a memory, friends or memory image from a machine, we have a four eyes principal, whereas, you know, this ensures that the agencies understand that we’re not we don’t have the ability to just go into a machine and take some action, it has to go through an approval process, you know, this is fairly automated and we have a system that we built that we call a mechanical automation portal, whereas one analysts would go in and they would say, I want to do these things on this machine. There has to be a ticket assigned to it. They give a description and then somebody else has to approve it. So we have a full audit trail.
Quiessence Phillips 14:00
We also have a full audit trail on all the things that we do on that box, you know. So it gives not only ourselves a level of assurance, but then also the people who the user and the agency where the user sits.
Quiessence Phillips 14:14
So those are just some of the things that we thought about from a strategy perspective, ensuring that we don’t just try to go out and touch everything, but we have a solid use case for everything that we’re doing.
Max Saltonstall 14:27
Colin Ahern 14:27
And I think just philosophically, you know, I think the thing is that bad things are going to happen. Yeah. And Q’s perspective, our perspective is that how can we enable as rapid response to this inevitable bad thing as possible to decrease the both the frequency, magnitude and duration of these inevitable, inevitable, inevitable bad events?
Quiessence Phillips 14:52
That’s a great point, right? Because in any situation, we’re always thinking about one where do we detect it? And if we detected it, you know, let’s say, three quarters of the way in, how could we have detected earlier? You know, not only how could we prevent this, but how could we have detected it within two minutes instead of seven? Right?
Quiessence Phillips 15:14
You know, so we’re always looking to move the needle to the left, you know, and if we don’t have the controls in this world, our gap analysis comes in, we’re always conducting attack, framework testing, etc, to see, you know, how well our defensive controls performing, how will our processes being written, how well our detection and responders detecting to those incidents or events and so consistent improvement, consistent testing is just part of our day to day so we always make sure that we’re doing some type of exercise at least quarterly if
Colin Ahern 15:55
I think behind a simple idea is complex engineering. It’s a relatively simple idea. That a highly secure, highly performant separate responder environment should be available for New York City Cyber Command to do a suite of things.
Colin Ahern 16:11
It’s not easy to build anything. Moreover, what we learned was, these are people. These are organizations with missions and jobs, and it just has to work. So I think it just has to be as frictionless video coming from like a private like a big Tech University. That has to be as frictionless as possible. And that doesn’t mean that it’s not secure. For instance, our highly secure responder environment doesn’t depend on a site to site VPN or an internal network or any of the other things that if you’ve ever deployed a MSSP managed security services provider, you’ve got, you know, battle scars about our data collection mechanisms depend on the internet. They depend enough for, you know, a secure internet connection or 443 connection, but they use daily programmatic key roles.
Colin Ahern 17:00
They are deny first and then allow only specific host of communicate to this environment. So even though we’re talking over the internet, we’re doing it in a beyond corp, zero trust. Yeah, highly auditable manner and that not only increases the reliability of our system additionally makes it easier for these organizations to do what they want to do in any case, which is to enable Q and her team to find the bad things early.
Max Saltonstall 17:29
What has surprised you as you’ve been going about this journey, and especially as you go from, here’s the system we made to now I’m going to actually get it interacting with someone else’s infrastructure.
Colin Ahern 17:41
I think we have consistently underestimated the volume and heterogeneity of the data, we would need to that we would be at issue in this environment
Max Saltonstall 17:51
As in the data that you’re gathering from all of these hosts that you’re projecting? Tell me more…
Colin Ahern 17:57
So when you walk into like this day one your new Cisco, you like kind of get the lay of the land you like events per second is one of this like some metric that you can kind of like it’s easy to grab on to. You think I have this many systems therefore I should have about this many security events security like someone needs to maybe pay attention to respond to okay or I would say if we said we want let’s talk about like decision left decision and Qs and for let’s take a simple example to take this host off the network or not.
Max Saltonstall 18:33
Okay, that’s an event that’s
Colin Ahern 18:35
That’s are like, that’s the decision and there might be a multitude of security of relevant events which go into that decision. When we’re talking about events per second, we’re talking about not the not the like quote unquote, incident or quote unquote, security event. We’re talking about the events that an analyst or automated system used to arrive at the conclusion or recommendation take yourself off the network and there are other use cases as Q said when using this as a simple example.
Colin Ahern 19:03
We thought that are cool events per second this like number of things we we would have to build a system to look at in order to get to the decision we want it to to satisfy our —
Max Saltonstall 19:15
Because your customer and building an automated system to process of these huge amounts of data and then help your humans make good decisions about
Colin Ahern 19:24
We what we need humans to do. It’s like if you’re struggling with machines to do it, you know,
Max Saltonstall 19:28
Centaur chess who ever heard of centaur chess?
Colin Ahern 19:32
The humans in AI is playing is playing together.
Colin Ahern 19:34
So we’re intelligence, augmentation, intelligence augmentation, kind of the like.
Colin Ahern 19:40
Yeah, the thought experiment that thought experiment. The philosophical underpinning of our automation is that together humans and a variety of automated statistical analysis techniques and up to and including machine learning can offer offer dramatically better outcomes than either automated systems by themselves or people by themselves.
Colin Ahern 20:03
In order to do that the events per second we thought might be 30 or 40,000 bits per second, which is a lot with big scope you a lot of hosts. Yeah. And I think we have consistently been consistently surprised by the volume. That is, that is that is an issue. And I think our organization is cloud first. And I think that had we not had a cloud first approach, we would have much slower to delivery on behalf of our residents, like on behalf of this mission, because the lateral scalability that a cloud public cloud provider offers is directly relevant and we have a very fine grained understanding of the business outcome we want.
Colin Ahern 20:47
We have a very good understanding of the use cases and the data elements to satisfy those use cases. But given the way technology systems and networks develop, we continue to learn in real time, the scale and complexity, this environment and being on the public cloud, having horizontal scalability enables us as security and technology professionals to focus on the things we’re good at, which is these first two things and not on these other provisioning infrastructure or no more hard drives, right?
Quiessence Phillips 21:24
It would have not been scoped appropriately. But if we were not cloud first, just because it was it, there’s way more data than we assumed.
Max Saltonstall 21:35
But now, are you able to pull that in, which means your automated systems hopefully can do more with it, because you’re humans definitely can’t actually process all of that data.
Quiessence Phillips 21:44
Yeah, and I think humans are finite, right? Like, we’re not going to continue to grow. The more data that we that we take on is not directly correlated with the number of people that we bring in right.
Quiessence Phillips 21:57
So wherever our systems can do the work wherever our automation can do the work, then we need to take advantage of it to full capacity.
Colin Ahern 22:06
Yeah. And we know we want like in the nerd speak, we want nonlinear returns to scale we want by bringing in more data and bringing out like, we have nyc.gov slash jobs. You know, we have a lot of hiring
Colin Ahern 22:31
We’re gonna marginally although substantially increase our human capital, but we are exponentially increasing the amount of data we’re bringing in. So that rich like an automation, a data centric automation focused security organization is the only one that will achieve the returns we need to achieve for the residents of the city.
Max Saltonstall 22:51
And it sounds like as you’ve structured, this entire group that you’re leading, you’ve got this mix of operations and response. And analysis, we also a lot of software engineering, yes, you can build those systems to handle the huge volume of data that you expected.
Colin Ahern 23:07
And I think the software engineering is it is in service to this mission. But it is to enable this non this horizontal scalability and nonlinear returns to scale. So I think that if you don’t have a to utilize to really gain the most of the public cloud, I think you need to have a software engineering mindset I think that fundamentally assuming that like you can like GUI click buttons your way through this problem at the scale we need to is is not one that we have seen work for us.
Colin Ahern 23:45
What we’ve seen work is rigorous software development practices with a small unified team of security professionals in service of this great mission has provided the, you know, the outcomes we want.
Colin Ahern 24:00
And that is I think what what we’ve learned. What I think we bring to the table is that we’re not just security professionals were technologists and software engineers that are working on this incredible mission.
Colin Ahern 24:12
And it requires, I think the real one of the things about infrastructure as code is that it’s software engineering, like you’re writing code, you’re checking it into get, get, pull it like the way you operate it environment like this, at the scale with the team that we have is that you do it as software.
Colin Ahern 24:33
And I think additionally, we need a high level of reliability. So we have multiple regions we have fail over all these things that would be hugely complicated are complicated enough already in an infrastructure as code public cloud sense but would be made much, much more complicated if you were beat Babu blogging into things clicking buttons to operate that environment like this.
Max Saltonstall 24:56
Yeah, tell me a little bit more about your approach to threat intelligence and how your how you’re getting and then sharing that information with the agencies you work with.
Quiessence Phillips 25:08
Sure so we’re heavy believer in in in intelligence layer response as I mentioned, every all of our work starts with a use case. So from an intelligence perspective not only are we receivers of intelligence but we are also disseminaters of intelligence.
Quiessence Phillips 25:25
As you can imagine, we have a lot of data within our disposal and integrating what we know about bad things and bad people gives us the ability to draw insights from our data.
Quiessence Phillips 25:38
We’re a heavy receiver of intelligence, but at the same time we develop a certain amount of intelligence products and provide those to the different agencies. So if you think about it from a city perspective, there’s many different verticals within the city. You know, you have health care, you have administration, you have public safety, etc. Financial so there’s so many different pillars that we have to consider when we think about this city.
Quiessence Phillips 26:07
So like previously I come from financials and all we had to think about was threat actors and different TTP is related to financials. And that was mostly cybercrime. So, but now we have so many different pillars within New York City, we have to kind of think from a broader brush, broader stroke. So like some of that intelligence products that that we deliver our you know, like in Intel reports for the agencies, but not just generic Intel reports
Quiessence Phillips 26:35
So that’s why all our agencies are broken out within different verticals, because we customize that intelligence specifically for them. There’s enough noise in this industry. And we want them to understand that when they receive a product and intelligence product from us, it’s going to be very customized, and it’s going to be in a manner where they need to do something within their environment. So the way we structured those reports is this is the threat this these are the defenses that we have within the city and these are the recommendations and then we work with them to incorporate their defenses within their environment.
Quiessence Phillips 27:04
A lot of those defenses we have control over. So we already do a good amount. Based on our capabilities, we might review what thread and see like how important it is to this environment. And we can put in certain amount of defense of controls.
Quiessence Phillips 27:27
So we’ll already take that action we’ll provide that information to the agencies and we’ll tell them what they should do on their side. So, yeah, everything, everything is reportable. We are big on documentation. So we through this responder environment as well. We’ve we’ve built the ability to share let’s say, a central platform with a different agency where we’ll be responding and working with them so we can all work together and say a centralized manner.
Quiessence Phillips 27:54
For us intelligence is hugely important and as I mentioned, is just even more about important for us to customize it for those agencies.
Max Saltonstall 28:03
It sounds like a lot of what you have to do is build these alliances, right? and gather gathering allies, both in this sort of central city government apparatus. But for each of those agencies that you’re trying to work with, because they have their own tech staff to some extent, right.
Quiessence Phillips 28:17
Correct. So, and from an alliance perspective, it’s an alliance with many different groups. So not only the agencies but you know, our federal partners, the communities, there’s many ways in were in in which we gather intelligence and then also disseminating it. So when we’re working with the agencies is important for us to collect the intelligence requirements that they have, you know, they know their environments a little bit better than we do, you know, we are not working in somewhat of a silo and we ensure that we work with the agencies which is time consuming, but we work with the agencies to understand their environments, to understand the business operations to understand what is actually important to them.
Quiessence Phillips 28:56
And that information is important for us because context is king. Right. So in that, that is the data that we can then take back into our analytics platform and add additional context. So that can even bubble up the severity of something that we see on our side.
Quiessence Phillips 29:12
Tagging is hugely important to me from a from a content perspective, if we, you know, from a very basic fundamental perspective, if we understand what’s critical, we can tag it as such, you know, and that’ll bubble up the severity from our automation perspective to say, Okay, this happened on this machine, but it also have on this machine. So let’s raise the severity of that because we know that this machine is important.
Quiessence Phillips 29:33
Working with the business is is critical because in many situations, security functions on its own. And we can’t succeed in that manner. Because if you don’t understand the environments in which you’re trying to protect, you’re less likely to do a great job.
Colin Ahern 29:49
Yeah, and I think fundamentally, the city is a service provider. The city exists to provide reliable services to residents, visitors and businesses. That’s what its job is. Our job is to ensure the security and reliability of those systems.
Colin Ahern 30:06
So it’s like we’re in the services to residents business so we’re not in like frankly we’re not even in the technology business really we’re in the security business were in the services the residents business and the technology is a tool to accomplish that mission you get not a thing in itself and I think that’s that is a mindset can be something of a cultural shift but you know we’ve like ruthless we say the word ruthless a lot like a ruthless focus on the business on this outcome which is reliable services for residents.
Quiessence Phillips 30:39
I think is very important for us to keep that at the forefront is that the services for residents because even though we speak in terms of agencies often those agencies provide a service to the residents so our service of the agencies in turn our service that our residents regardless to whether we’re going directly to them through our secure NYC initiative or to them via protection from the of the agencies.
Colin Ahern 31:00
As we look to the future I think that we see the threat landscape changing very dramatically. We see I mean Q kind of intimated we see if you want to we often talk about a matrix in terms of sophistication and nature of the threat so you could have a highly sophisticated threat which is not specifically targeting anyone in particular is we’ve seen the the spectrum of threat kind of increase both in the sophistication that these threat actors have used and in the scale and velocity with which those threat actors are able to affect systems on the internet as a whole and like I said the city has a very large internet presence so even aside from those actors that might or might not be targeting us for any particular reason like all organizations we talked about the legend eternal blue exploit used in the not patchy and wanna cry attacks.
Colin Ahern 32:00
You know, several years ago, you had to have worked in one of probably five buildings on the planet to get access to exploits of that sophistication. Now, you can go on GitHub tomorrow and be is allegedly as powerful as the NSA. So that is just a horse of a different color in terms of the game that is being played from the not just the criminal, non state criminal actors, but the kind of the rest of the threat spectrum or continuum or whatever,
Quiessence Phillips 32:32
which is why intelligence lead response is very important for us. One thing I always think about his behavior like humans, no matter what, exhibit behaviors, yeah, there will be habits no matter what,
Max Saltonstall 32:43
someone’s going to click on that link, no matter how many times you tell them not to
Quiessence Phillips 32:46
Absolutely. Adversaries also have habits. Yeah, right. So if we have an understanding from an intelligence perspective of those behaviors or TTPs, then we can even identify one when that behavior you live in it, but then also when something similar to what is exhibited, and maybe this is where, you know, some of our machine learning come into place within security sciences, whereas, you know, we, as I mentioned, have tons of data at our disposal and we can draw or we can build some type of a baseline to understand what is normal, quote unquote, within our environment and look at deviations from that normalcy.
Colin Ahern 33:29
So I mean, the basic idea is that because we have a data centric public cloud focus environment, we are not limited in the same way that we would be if we had an on premise hardware based environment. So that’s kind of stuff fact. One fact too is that behind the keyboards of all adversaries are other people and other people have behaviors they have skills they have ways of doing things they have likes and dislikes and habits.
Colin Ahern 34:03
We because of our ability to collect at high scale, high velocity, and with a high degree of assurance, this security telemetry, if you can think of it like that, our ability to learn about these adversaries over time increases. And therefore, our ability to inform our Threat Management and incident response workflows also increases over time as long as you’re taking what you’ve learned and bringing it back into your models and analysis. Exactly.
Quiessence Phillips 34:35
And I think and from the taking the barn point because when we speak about adversaries, it doesn’t mean it has to be like some nation state or some script Kitty, etc. Like that adversary can be within this environment, right? Yeah, like that average demonstrating be a user you know, so looking at the data just from that perspective puts us in a better position anyway
Colin Ahern 34:54
And I think the one talking about zero trust zero touch after the first 20 minutes or so of successful quote unquote successful from the adversaries perspective it looks like an insider because like they get access to your network it’s coming out the last flight their privileges they masquerade as highly privileged user like so at some level I think the we’ve seen a lot of movement towards insider threat detection response but all successful security programs shouldn’t be very focused on the actions that are taken in the environment that do or do not meet the business requirements of their our case business units.
Colin Ahern 35:32
Yeah so I think I’m getting to Qs earlier point about being focused on the business and understanding what that means enables us to contextualize these behaviors which might appeal or they might be authorized but they’re not normal but not in the service of this mission.
Colin Ahern 35:47
They’re not it’s an abuse of privileges and that its industry at some level it is indistinguishable from a successful attack is we’re talking about the same thing,
Quiessence Phillips 35:57
Especially if they’re if they’re living off the land. However, going back to the behavior point, if you do see a different type of behavior, let’s say, you know, from one machine to another, that you see this machine interacting with one, that it has an interactive within 60 days, that might not mean that it’s malicious.
Quiessence Phillips 36:16
But it is something for you to look into.
Colin Ahern 36:18
Our organization on behalf of the city will focus on is increasing the surety of our identities that you know, there are these on the systems I think all organizations are undergoing that change. We think that the final Alliance cryptographic reassuring identity is the future and we’re accidentally secure second or second factor we’re actively exploring ways to bring that to the city writ large or on a campaign to make net stat weird so what she’s saying and living off the land is as absolutely like what is occurring as polymorphous malware, these other things kind of have happened and then continue to happen abusing you know power shell. NET stat.
Colin Ahern 37:00
Like these traditional IT management tools, the way systems are run because the atmosphere understand they can become, they can blend in with the woodwork. However, with a data centric automation focused security organization, and one that we move to make these living off the land techniques, harder to do in an unauthorized manner. And then louder, not to say that we don’t like you know, IT systems have to be run. But if we can make draws attention to itself, then we can gain a persistent advantage over these adversaries.
Colin Ahern 37:32
And that is one that I think that as more organizations should take a harder look at not the cryptographic assurance of identity. And I think that and the beyond core and at its heart of beyond Corp style network and beyond Corp future is one in which traditional adversary approaches gaining. Maintaining privilege and moving laterally are not just difficult, but noisy and unusual. Yeah, and those are things that are relatively straightforward for machines to tell a person about and relatively easy for a person to make a decision about.
Max Saltonstall 38:06
Awesome. Thanks very much. Really appreciate your time today. Thank you for having us.