Privacy Policy

Below the Surface – S1E10

Below the Surface – S1E10

00:02:59] Hello, everyone, and welcome to this episode of Below the Surface. I’m your host and we have a great show lined up for you today. However, before we start, I cannot forget my co-host, Stephanie Cavoukian. Welcome, Stephanie.

[00:03:14] Thanks, Darshana. Hello, everyone, how are you doing today? Let us know where you’re tuning in from and how you’re doing in the chat. So the holiday season has officially started. I myself am very excited. In fact, I parked myself right next to the Christmas tree this morning.

[00:03:29] Are you getting ready for the holiday? I am indeed. I love this time of year. Cannot wait. Not sure. I can say I’m quite ready, but the delivery guys definitely come. My new best friend. I mean, I think I see him more than my family, especially during that I that she is going to be very different, but special nonetheless. It’s definitely a special time of year. How about you?

[00:03:51] Yep. Gearing up to stay put with some good Christmas movies. And there’s always some delicious food for the Christmas season, of course.

[00:04:00] But before we get carried away and start talking about our favourite desserts. Shall we carry on with today’s show?

[00:04:06] All right, let’s go ahead and get started.

[00:04:09] Before we do that, a quick reminder that our audience today you can ask questions in the comments section or feel free to just say hello. And again, let us know where you’re tuning in from. It’s always good to get a glimpse into where you guys are located. So also, we’d love to hear your plans for the holiday season and, of course, your favourite Christmas tree.

[00:04:29] Most definitely, or even maybe your favourite Christmas movie. I cannot believe we are on our last episode of the obviously we will, but we will be back next year. We have covered so many topics over the last few months. Make sure you check them out on the Barracuda LinkedIn page. So this one feels like a real nice way to wrap up the.

[00:04:51] So for today’s show, we’re going to be discussing what we’ve seen over the last year, how cyber attacks have changed and more importantly, what we need to keep an eye on for the coming year. And, of course, remote work has been huge this year for all of us. So we’ll get some insights into how we can carry on doing that as securely as possible as well.

[00:05:12] I mean, some really interesting and timely topics should be a really great conversation, so without further ado, I would like to welcome Flemyng Barracudas chief technology officer, but becoming really famous, appearing on CNBC last week. But more importantly, my daughter is super excited to hear Fleming talk today. And of course, as a newbie to the Barracuda family, Synanon, who was the CEO of Ford and now part of the Barracuda family as VP of the Trust Access. Welcome to the show, Flemyng and Sanam.

[00:05:44] Thank you. Yeah, it’s great to be here. Thank you for inviting me back.

[00:05:48] Thank you, Stephanie. Glad to be here.

[00:05:50] We’re so excited to have you both on the show today. And before we get started on the questions that we want to ask you, can you both tell us a little bit about yourself?

[00:05:59] Sure. You know, I can get started first. First of all, I have been with Barracuda for a long, long time and started from 2004 to now. Really, we have seen a lot of changes and transformations and the technology, the products that we go to really kind of make sure we’re helping our customers on their journey is really what we do. So the technology, innovation, building the right products and solutions is really, really key for us. So I’m really glad to be here to talk a little about the current challenges and especially passing this pandemic.

[00:06:38] Yeah, glad to be here. Thank you very much on that. Yeah.

[00:06:43] All right, so I could say a little bit about myself, I’ve been a 20 year veteran of 20 plus at this point, a veteran of cybersecurity started in my late teens as a hobbyist. That’s what it was back in the early mid 90s. Cybersecurity wasn’t really a domain by itself. But then I I’ve been positions on defensive, defending networks on offensive side of the equation, being part of a penetration testing consultancy, but also been through the vendor side, building security, tooling and solutions to protect against all kind of challenges in the cyber domain.

[00:07:18] Some amazing background, and then I kind wait to hear your insights. It’s been a real interesting year in all aspects. So looking at cybersecurity, of course, Fleming, can you tell us some of the key threats and trends that you have seen in 2020, those that really stand out?

[00:07:33] Sure, definitely, I think in twenty twenty, I can’t believe it’s almost over. We’re coming to December now. So if you look at the pandemic, we really kind of drove a lot of unwanted phishing attacks, spear phishing attacks, all the way to ransomware attacks, attacks on health care, various different, you know, I will say, NGOs for the for the bad guys to really take advantage of and build on fear. Obviously, impersonation, including attacking logistics, various different angles they actually applied in their strategy. Unfortunately, not everybody is ready. And we saw a lot of victims. Right. I mean, in the recent days, you probably hear a lot of news. But generally I think it has something to do with people are less prepared working from home. You know, everyone suddenly have to start doing their job at home. And the whole network is obviously could be open season for them, could be for the bad guys. They actually can find ways. So in general, I think Tony, Tony has been really tough for cyber security and making sure your your network, your data are secure is what it’s always on top of our minds, but really carry on to the next year. I think we have to be better prepared. And also that the attacks related to covid-19 will not stop because that life cycle has not ended yet. It’s just coming towards that, I think is the beginning of the end, but it’s not the end yet. So we have to continue to be careful over there. Yeah.

[00:09:16] All right, I could say that home networks are now part of the enterprise that’s AIX surface. It started towards I would say that this trend started towards the tail end of twenty 20. Remote work has already been popular or flexible work. You know, you are a couple of days from home or you travel a lot, you connect from hotel rooms and lobbies and quick access to resources from from a Starbucks when you’re feeling up for coffee. So it’s already been very flexible. But now that with the lockdown’s and the shelter in place, we are all working from home. Therefore, the the home networks started to become a lot more of a tech service and a risk factor for it, for our organisations, for our employers. Right. But if you’re talking strictly about 20, 20, I would say because of the last four years, there’s the social dynamics in not just the United States, but also the rest of the world. There has been a lot of exploitation of social fault lines. Right. You hear about the occasional teenager making a ton of money out of Moldova, selling political t shirts about the UK, Brexit and the United States. So that also become an interesting victor, leveraging social media and the trust chains built around social media to basically use it for phishing attacks, spearfishing attacks, AIX leverage as a is a beachhead into compromising an organisation was the trends that I observed in twenty twenty.

[00:10:45] So the pandemic obviously has changed the way we work, but has also really influenced the attacks themselves. And Fleming, as you were saying, there are plenty of vaccines attacks this year that we’re continuing to see. Did you observe any innovative tax tactics that were used by the attackers that stand out?

[00:11:02] Well, I think one of the key things is how how they actually build up their infrastructure and get access to resources to to mount these attacks. I think the innovation they have, for example, we did a study on a particular botnet and how they interact, how they replicate. So I think they are we’ll talk a little about we have some slides to show. But the key there is that the attacks are not necessarily just purely based on their own resources. They’re looking for places to penetrate them. Once they penetrate, they can actually use reputable environments to actually mount these attacks. And this is why zero trust is becoming so important.

[00:11:49] Like Sanon said, the home networks are could be the entry points to get to your workers, your employees from there. Then they can get to get to data. That’s one thing for sure. And then if they want some quick money, they can do ransomware attack. If they want to utilise your environment to actually make additional attacks as a recomposition, I think that there’s basically unlimited amount of things they can do. Right. So spear fishing going down to, you know, building a botnet that basically infiltrates multiple systems and networks, hiding behind reputable brands and environments, utilising public Cloud the same way the good guys, utilising public Cloud and all of those things are things that we’re concerned about. But they are definitely API for a very modern developer who understands how to utilise the Cloud and utilise whatever resources they can get their hands on.

[00:12:50] And on anything you’ve noticed, particularly innovative this year, right up as far as the Kobe team that’s AIX goes, we’ve seen an interesting approach through out-of-band messaging. I mean, email has always been, of course, critical, but also the solution sets the defensive solutions for email. Security has also been quite robust. We advanced the state of the art in that. But therefore, the attackers we see that are shifting to out of bed messaging such as WhatsApp SMS message, they can purchase an API key to a vendor gateway vendor like Tullio. They can send out these quittin scare tactics and get them to click on things, get them to log in to things or volunteer their credentials or through SMS or exploiting the trust chain that’s already established on WhatsApp. Right. If you convince one person to forward that message to 50 of their close friends, then it starts to propagate very fast. So that was another interesting trend and covid-19 trend that we saw quite a good domain about the highly anticipated vaccine. You send it out as a text message, you send it out as it is a WhatsApp message, and then it’s you see it propagate within the trust chain of friends and family. Targeting, targeting millions of people in one go.

[00:14:08] I mean, by the sounds of it, of the threat landscape is growing immensely, so we’ve looked at 20, 20, looking forwards and on what do you see as key trends for 20, 21?

[00:14:19] Right, I’ll actually tell you a quick anecdotal of my family, right? We’re getting ready for the holiday season and the kids insisted that this year would deploy some Wi-Fi enabled Christmas lights. Right? I mean, as if we needed another IoT on the home network. Really, it was it was a hard sell. But they always win. They manage. So now I had to board this thing, right, as the I.T. person in the house. Right. I have to onboard it. They want to enjoy it. I have to import it. So the first thing I noticed that this application is mobile application is still in my phone. They didn’t really had a very well branded vendor. It might be a fly by night vendor that might disappear in two years down the road or two months down the road. Right. But anyhow, suck it up and install the app. First thing they ask this precise location of my home, OK, I don’t like that, but volunteered it because apparently I use my location to pick up my network name, so they picked up my society. Next question was to volunteer my network password so they can connect those light bulbs into my whole network. So now I guess you’re seeing where I’m going with this, right? There is a vendor out there which I can clearly identify probably some Cloud storage open market to the whole world potentially. Right. It might be in a six three bucket without any protection, has my Wi-Fi network, my home address, precise location and my Wi-Fi password. So what I see is the trend going into twenty, twenty one. If somebody is going to leveraging one of those big data breaches is going to hack into an executive’s home or a critical employee’s home and going to Britain as a lateral move, it’s the term is island hopping. You basically compromised my little island here in my home and up from here using some sort of a site, the site VPN or persist the next list until somebody is going to breach into the company. And it’s going to be a very high profile event. So I believe in twenty, twenty one we’re going to see the first home network island hopping incidents.

[00:16:13] So scary, something anything more to add to that?

[00:16:16] Well, definitely from the point that should not have pointed out, you know, the island hopping concept and where does where does the hacker go is what I’m always concerned about.

[00:16:27] So one of the major reasons working from home it’s actually working is that everyone’s using stops. People are using SaaS applications to do their job. And these massive amount of adoption really means the other end where the SAS is offered has a really powerful infrastructure globally available. So how do we protect those environments? Is one of those things that always on my mind. So finding the root cause of why these attacks happen, where do they want their attacks? I think the adoption of SaaS really created this energy around making sure applications secured. Developers are doing things correctly in the cloud. Are you really connected securely, not just VPN, but within the VPN tunnel? Is there a way to identify any type of threats? So for twenty, twenty one, we need to pay more attention to really security, the infrastructure, your applications, the sites that you are offering, the people who are using your sites to do their job. Right. Let’s say we’re Salesforce, we have application, let’s say we’re Microsoft, we have one drive in SharePoint. All these solutions are really powerful today. And because of that, we need to really protect those folks, therefore, eliminate and root out all the potential botnet and and attackers infiltrate into this environment. Then I have to give credit to Microsoft. They were talking about taking down chip parts and all those things a few weeks ago.

[00:18:02] But if you look at it and they already revived this stuff, it’s in full capacity again. Why? Because they are really hard to to put down. So paying attention to that is something that I really think in twenty, twenty one we need to we need to drive awareness on that beyond just spearfishing attacks and ransomware attacks, but really about how to stop at the root of the problem. Yeah.

[00:18:28] So Fleming, with news of a vaccine and some hope for a better twenty twenty one. How do you think that this will impact the threats we see next year?

[00:18:37] Yeah, I think vaccine, if you look at the attackers, didn’t that never taking a break. It feels like they already got vaccinated or something. They’re always right there. They’re looking for ways to get into the pandemic and continue to utilise fear, trust, even Previti, just to say, hey, you trust me? Look, my message is really, really clean and it’s really trustworthy. I think the attackers are going to continue to utilise that vaccine, really connects with economic recovery. If you think of it right. So so if we are not able to recover properly, I feel like the bad guys are going to take advantage of this vaccine period of the pandemic and really carry on and really try to squeeze out another big payday within this pandemic. But economic recovery comes with stimulus packages and various, I will say, financial help to small businesses and which most of the small businesses might be vulnerable, not beyond just pandemic, but also cybersecurity attacks. Right. So really, I think we need to address that. And continued rising rents and more payments, insurance, cybering, insurance, all these things are unfortunately feeding the bad guys with whatever they need to to to to continue their their campaigns and also really various new attacks that could be very costly to do that to the whole world.

[00:20:12] Got some great point. So what do you think we’re for next year?

[00:20:16] I think the scare tactics around the vaccine, the 5G deployments, you name it all, sort of crazy conspiracies will just go into overdrive. It’s been it’s been lucrative. It’s been working for the attackers, for the for the crime syndicates, if you will. They will leverage ad networks to push out some more of this conspiracy. And once again, since the individual is now an extension of the enterprise of the business. Right.

[00:20:44] Is that any way that they can get to the individual is actually a potential beachhead to literally move into the organisation? Right. So we cannot say that defending the organisation through there is not enough anymore. Right. We work from home. All of us are today connecting from our home offices. So that means that an individual compromise we used to segregate security between consumer and corporate and enterprise. Right. But it’s all one now. It’s all one thing. If you get your employees through these tactics, they can then literally move into your organisation. So so we have to really think about what trust means, what the corporate perimeter means going forward from here. But your individual employee now represents a set of data for the attacker, right? It’s not it’s not just about how much they can extract from their credit card, but how much further they can move into compromising more information.

[00:21:37] OK, I mean, some really interesting points there, and before we get too excited about twenty twenty one and maybe some of the positivity it will bring, I guess we should look at some of the lessons learnt from twenty twenty six and on twenty twenty. Was the year of the MIT working. What lessons can we learn from going to.

[00:21:54] Might work but we definitely need to increase the cyber hygiene around our home networks. That becomes very clear and evident. Right. Most of us might have inherited a subsidised Wi-Fi router from our service provider. We don’t know it’s up to date. We don’t know it’s already running some sort of a botnet. Right. There has been a lot of Wi-Fi router vulnerabilities that were exploited and mass.

[00:22:19] So we have no idea about our employees home networks, which is now an extension of work. Right. It used to be the occasional building work from home or could be check mail kind of a thing. No, no. It’s persistent, right? Every day, all day, in and out, we connect from our home networks and access work, work, work products. Right. So therefore, I would say that the hygiene around home networks or maybe to rethink whether we trust the network or not, is definitely going to be critical to continue on the trajectory of perhaps permanent work from home or long, longer work from home than we’re used to. Traditionally, I would to say couple thing is that the supply chain, for example, under under covered under the lockdown shelter in place when I mean supply chain, we couldn’t ship laptops fast enough to to our employees. Right on board somebody or some organisation has spent a lot of small and midsize businesses had to say, OK, you know what, use your home computer. I’m not able to ship your laptop. Right. I’m not able to on board you like I traditionally do to my own premises employees. So that also bring now these shared computers with your spouse, with your children or into the corporate environment. So, again, the home hygiene, the priority, the unmanaged device hygiene is going to be critical going forward.

[00:23:43] I mean, how about yourself?

[00:23:45] Yeah, I was going to just add a few things, I think I’m going to go a little further than now when he says think about trusting the whole network. I said just to really think about not trusting the whole network at all, because really networking segmentation at home is you’re on the same network, same Wi-Fi as your make the light bulbs and smart devices and those devices really you really have to really understand those devices are not made with all the security elements that that’s needed to operate. So what really is needed is at a device level, think of your own device, bring your own network. Now, this is not the wild’s be right when your network. So you really think about not trusting that network and really applied the policy that matters related to your device, whether it’s on the right patch level, if it’s actually in the right, you got the antivirus installed or got all the right proper things in there to actually qualify access to the applications that you’re providing to employees. And it’s no longer just about VPN connexion building network segmentation, but also if that device or the user is had dropped on their security posture, we should basically block their access application. Access to data should not be available. Maybe one drive should not think. And I think about that just generally, I think by own world, really bring your own network is it’s really dangerous. In twenty, twenty one, we need to rethink how to help our customers because like Sinan’s, that people will be working from home. It will be flexible ways to work on. Some of the tech companies actually have declared maybe a majority of their engineers or whoever are going to work from home, maybe for us indefinitely. Right. And guess what? Engineers and developers and sarees or whoever they are have access to our infrastructure as well. So making the island hopping from real network to be made very easy for the bad guys. So that said, I think I’ll go a little further to make sure I really don’t trust the network, but build a new way of applying security is using your trust.

[00:26:11] So let’s stay on this topic. Phonon, what do you think the future is for remote work? Can we expect more of the same next year?

[00:26:18] I completely agree with Flemyng. I mean, remote work is here to stay. I know personally a large subset of my friends and some even co-workers now making these decisions to move right. They moved to a mountaintop with a gigabit Internet connexion because they made some investment in lifestyle changes because of this, you know, this belief that remote work is here to stay. So I don’t think it’s going anywhere. Even after the vaccine. And we finally got out of this covid lockdown shelter in place and more and more companies are actually pitching remote work as a perk, almost. Right. It’s it’s a plus. They give employees options to have some adjustments, whether they’re comp or some the way that they work during the work hours, whatever it is, they find these flexible arrangements when employees can remain working remotely. I don’t know where that’s going to go in the next three to five years, but certainly in the in the in the foreseeable future, we’re going to have a lot more employees might work. And then you have some companies that actually promote not having an office. Right. Fifteen hundred employees fast growing and employs over one hundred and fifty countries, yet no office. Right. So there’s a lot a lot more of this in Silicon Valley, Bay Area in New York and here companies are open to that. Therefore, you know, just to add on what what Fleming was saying, therefore, we should really have a a shift in our thinking is what is trusted and what is not trusted.

[00:27:42] And perhaps the right way to approach this is that everything is untrusted until it’s verified to be trusted. Right. And when you say verify, it’s not like once in a point in time. No, continuously verified to be trusted because you don’t know the context. Your employee works from one day, another day works from the slopes skiing down somewhere. So you really don’t know what environment, what kind of machine, what kind of device. They’re using our existing sales force to in a hotel lobby computer, which they might be on vacation somewhere. Right. So you’ve got to make sure that everything is Kyocera and trusted. And we really need to change the way that we say, oh, it’s a company owned device, know that that era is gone. We’re really moving into Vilardi beyond bring your own everything, basically.

[00:28:30] Fleming, I heard the same question to you. What do you think the future of remote work is going to be?

[00:28:39] I think very flexible. I would say a lot of the tech workers are very productive. I can see Barracuda Engineering doing great things throughout the pandemic.

[00:28:49] I can tell you every every company is a software company that everybody everybody’s building software, there’s a lot of developers and remote workers is crucial actually, to someone’s point, actually, in California is two to one ratio of people moving out of California versus people moving in. I mean, you just think about it that way. Right. So so that means remote workers here to stay. So zero trust is definitely an important thing. And remember, I’m going to go back to the botnet discussion real quick, because that’s in the old days they utilise your infrastructure, the crypto mining. This is one of the biggest things they used to do. Right. Then eventually they got into DOS attack. I can actually sell my weapons to take down certain websites. But today’s world, they can sell spearfishing, they can do those things, which is low calorie, if you think of it, doesn’t require a lot of compute power. So guess where that compute comes from. So I have a couple of slides I’d like to bring up real quick. So so kind of a pivot from how to think about Spotnitz distribution by time of day. Bots are always active. This, by the way, it’s a great report from our team for Web applications. This is related to our events. Pop protection. Really what it means is that bots are active. A lot of times are managed by humans, actually is active all the way until 5pm. Then they go to dinner and then go to dinner too.

[00:30:23] But my point here is that button that’s today, they don’t necessarily always have to living in powerful environments. They can live in your arm based device, smart device that’s running on batteries in your house. You can give me my Android device, for example. And another step behind this. I can show you a little piece there related to the weapons behind it. Events to that infographics would be great. But the concept there is that within that part you will see API first. The body parts are built with API so they can actually talk to each other. They have command, control, they have their own protocols. They figure out ways to replicate themselves. And just imagine how many lightbulbs you will have in your house, how many smart switches they can be on to a sizeable, I think, weapon people from just having infiltrated people’s homes. So that said, don’t get weaponized by the bad guys know that way to a corporation. It’s even more important if your cloud environment gets weaponized. Guess what happens? Your IP address, your reputable domain can end up on Bloor lists where people will block you from because you are mounting attacks and things like that. So generally speaking, I think it’s really important to pay attention to what you have. And remember, employees can get weaponized because impersonation happens. Just like the Koch attack recently on the vaccine, the Chinese yoghurt impersonated using a fake domain by the real name. Right. But also resources can be weaponized, your home network devices as well as your Cloud environments. So that that is the concern I have for working remotely because more people working from homes, you’re going to have more phone networks. And also they will be using more stats. Guess what? With more stats, you have more Cloud, more power. So, you know, if I’m the attacker, I’m like, wow, this is great. I have all these resources to get it right. So just just tipping point at that point there. I just wanted to make sure people hear that.

[00:32:36] And I mean, I think it’s clear that remote working is here to stay. There’s definitely been an acceleration since the pandemic. And like you said, Fleming and public Cloud and the adoption of public Cloud most of the increase in this time, organisations wanting to be more flexible to the new way of working. What does this mean in terms of security and what are your thoughts here?

[00:32:59] I think public Cloud and more and more specifications Cloud whole success applications are actually good for organisational security, but most importantly for productivity. Right. But unfortunately, they’re also very powerful new technologies that a lot of companies struggle with, configuring them correctly. Right. So this kind of configuration challenge is linked to what might at first look like a trivial security incident, like having open storage buckets that are exposed to the world or having internal resources with public accessible IP addresses. It might sound like, you know, things that we already sold into in the legacy world where you had a DMCA, you put a firewall. No, but now we’re adapting to this new environment with a much more complexities, the more we’re basically, unfortunately, reverting to our old mistakes, like a lot of configuration challenges, even assess application to secure assess application to enable two factor authentication to integrate it with an asset. So to do the permissions and to give the lease privileges to your users. It’s a it’s a challenging it’s a challenging ordeal. So a lot of companies are struggling with that overall public cloud. And this has been great. It’s part of this new digital revolution revolution. But unfortunately, because of the complexity, because of all these additional innovation and tooling around these technologies, we’ve been suffering from suffering from configuration mistakes and big time.

[00:34:25] Also, if you look at the notion that we had this legacy, the definition of the perimeter, right.

[00:34:33] You had the company data centre, you had a DMZ, you have internal resources, you lady one network security technology over another, and you were able to protect everything within that perimeter. However, that got all selected and distributed. Right now we have availability zones in multiple regions. Now we have multi Cloud. You might be getting better pricing from Cloud vendor one versus five under two and then you might split your workloads between those. So now we really need to think about how we can secure in this distributed world through a global policy that spans across these Cloud server providers and assess applications, you know, and that secure them with a understandable, readable, comprehensible global security policy rather than deploying. You know, here is a little point solution is another point solution and try to configure them and try to manage them one by one. You need something that’s a bit more global that spans across your public cloud and set solutions.

[00:35:33] Fleming, I mean, you brought up public Cloud, so what are your thoughts about the security around that?

[00:35:38] Yeah, public Cloud is powerful, but it’s just as powerful for the bad guys and the bad guys are preying on us. So the key here, just like Sanon said, utilising these environments, you’ve got to deal with some security posture, management tools to make sure you don’t have misconfiguration mishaps because the consequences is you can tarnish your reputation. The attacks that happen originate from your environment. So to me, you know, secure connectivity, building a proper you can understand what it means to build as you want and how to measure security within these connexions. It’s not just depend just the IP stack and getting network segmentation, but also understand what’s going going on inside the inside. The connexion is really, really important. This is why we have a solution now making SD-Wan one really easily consumable with Microsoft. We’ve got this thing called Cloud and one making sure if you want to build aski utilise that solution. Leverage Azure Azure has got plenty of data centres. Nobody can be a data centre faster and better than Amazon and Microsoft and these guys. And I think, you know, if you want to build a better connectivity story with security involved, that’s the right approach. And of course, and I think probably Cloud is constantly evolving. So these these configurations are getting harder.

[00:37:13] Know you can be blindsided with the new feature you just forgot. And these are the things that we want to address with the security posture. Management tool. Yeah.

[00:37:24] So Synon building on what Fleming was just talking about, when we think about connectivity, of course, with all of this remote work. We have to kind of maybe change the way we’re thinking about secure connectivity. What are your thoughts on that?

[00:37:36] Right. This notion of persistent, secure connectivity doesn’t really fit with the new reality anymore, right? Because we have a point in time authentication of our users, maybe do a quick post analysis on the device, but then these sessions are usually long lived, right. You might go three hours, so you might go through a taffet, authenticate yourself and then have this two week long session. Right. Therefore, you have a two week window of opportunity for an attacker to use an existing establish connectivity that session to kind of breach and further move into together. Two to your VPC or Venit in the public Cloud or some on prem environment or access to assess applications. So this is long-lived nature of access needs to really transform into more about verifying continuously before granting access. Right. So essentially you can say that there is not a single point of time that I say that I attest to the fact that you’re my user A and you’re my device on all that’s sanctioned by by it. No, it needs to be continuously validated because the context changes all the time. Right. You might be connected from a different wi fi. You might be at a different location. You know, there might be a critical hotfix that you need to deploy on your PC that might expose within that two weeks of the activity window of your organisation to AIX.

[00:39:04] Right. So you might you should be able to say, hey, your device is context is not secure anymore. You need to push this update in unit to install this IoT fix, then grant access again. So we really need to transform our thinking about connectivity. It shouldn’t be persistent. It shouldn’t be a point in time authentication, but continuous authentication and continuous verification and continuous authorisation, whether you can have access to what you need with given this current context that you’re in.

[00:39:33] They said, I’ll carry on a conversation around access and trust, and I guess again from working at home, people using more collaboration tools, which, as you mentioned earlier, is open to all sorts of threats. Can you explain the notion of zero trust?

[00:39:51] Sure, happy to. If you look back, work has been within four walls of the office, right?

[00:39:58] You had a server room with racks, you have your servers and blades and all within the same network that you literally sit in. Right? I mean, that that’s going back to 10, 15, 20 years ago. Even that was the norm. You come to a branch office, the branch offices have connectivity between each other, but everything was within the perimeter. Right then you might have added some additional data centre capacity, but then you will have at least Seline off of some sort or maybe a a some sort of a persistent Cycloset VPN tunnel to do extra computer applications that your company might have. But nonetheless, you are all within this notion perimeter. Right. The two worlds switch to the next slide like you’re within the walls, within the perimeter. Right. And access was all done inside this. Trust the perimeter. So, you know, everything is easy to understand. You can put in a firewall, you can put it in a bit of prevention appliance. You can lay basically network security appliances over that over and over, because you know the ingress. You know where everything is coming in. You know exactly where the openings of your perimeter are, or at least I hope you do at the time. Right. But now a change, of course. Now we work from everywhere it used to be. Maybe that road warrior sales guy that that has to connect remotely. You give this person in line, but now everybody is remote. And now we have also many, many more susceptible occasions, which is definitely not within your perimeter. It’s hosted and maintained and managed by a third party vendor that you trust. Right. So the old assumption doesn’t work anymore. The specifications are not within your corporate perimeter and your employees, especially in this new normal, in this shelter in place. They’re not within the perimeter. So everybody’s accessing remotely. Therefore, they are a potential risk factor. They’re part of your attack surface now, wherever they are through reaching them. A ransomware, for example, can literally move into an organisational network. Right, of your enterprise network, on-premise network or to your Cloud public Cloud and Venus. It can all literally move from your employees wherever they might be. So we really need to change our thinking around this and assume every network that my employees and my even my resources that are connected, my SAS applications, my employees. In this new paradigm, everything is considered untrusted, right? Everybody’s outside the perimeter. Actually, there is no perimeter. Right. So therefore, you need to validate. You need to verify before you grant access. Right. It’s kind of the inverse NSA adage, right? When they say trust but verify, know first verify, then trust. Right. That becomes the new paradigm. Therefore, you can’t kind of abstract away this notion of network. There is no internal network, there is no secret perimeter. Everything is not trusted unless they are verified.

[00:43:00] And then you can connect them together and then you can grant access.

[00:43:06] That’s great, Fleming. Any thoughts on how companies can go about implementing these security checks that someone was talking about?

[00:43:15] Oh, yeah, definitely, I first of all, I totally see the future Wassenaar have described, like everyone is working on their work, but you are accessing the source, but the reality still have some time to get there.

[00:43:29] I understand not every customer is using our sites yet. Maybe they’re using some sites so we could we have solutions to allow you to really ramp up and really kind of get to the point where it’s not have described a world where nothing is trusted but really continuously verified based on your posture, on the endpoint, on a device, on the on the user. So so implementing such thing, it requires a little bit of planning. Of course, the Barracuda has many customers, right. Two hundred plus thousand two hundred thousand plus customers in there. And what we want to make sure is we provide solution to step into the zero trust future and hence why I think that’s why we’re so happy to have and out here with Barracuda, because the solutions we provide today already landed in the customer’s hands and they are already great Cloud nature Cloud centric native. As we go forward, we want to layer on these new features, zero trust based solutions in place. For example, if you already own a Barracuda, Cloud, Jianwen, Firewall, Molcajete, firewall or even crutching when you can activate zero trust as easily as clicking a button. Really kind just deploy. Right. And and one of the nicest thing about that, the solution from Project Access problems now is that it doesn’t use that much battery. Your system will actually be happy. So so the point there is the approach is very unique and therefore make people want to use it so that users are actually enjoying using that solution instead of, oh, my battery is running out. So guess what? I got to plug in somewhere. Right, so he can be in a nice backyard, for example. So that said, really, we have solution in place to get people to the place we want to go. Right. And and it’s really important that Baracoa to continue to invest in this type of solution and the future. So we are positioned in the right place to help every one of those two hundred thousand plus customers to get into their policy management in the future for cyber security protection. Yeah.

[00:45:54] But that’s not, I think, your immediate.

[00:46:05] Give us a sound check bathmat. It’s not I’ll take it away, I can’t hear her, can you guys?

[00:46:12] Now, all right, so time is running out. Guys, unfortunately, this is such a fascinating conversation, we could talk all day, but before we let you go, it does sound like the home network is really the new frontier. Right? I’ll bring in our own networks to work now. So when it comes to security, what advice can you give organisations for the coming year? Not. I’ll let you go for sure.

[00:46:33] I’ll be quick about this. So perhaps consider subsidising some of the very old wi fi hardware, if possible sites and educate your users. Security awareness is critical. Run phishing simulations, whatever is necessary to get them to be more aware is critical.

[00:46:48] But most importantly, I think we really need some new tooling around remote access to remote secure access. So whether this is for internal applications, you know, private or private applications or private data sets or for your applications, you really need to think around new tooling that takes you on this journey of zero trust. Right. It’s not going to happen overnight, as Flemming was saying. But we can get you started on a journey to get you to zero trust or invest in tooling that continuously verify access before granting your employees to access to assess applications and on-premise evaluate the context of IoT the environment, evaluate the device posture. And if everything is conforming, let them have access. Let them get the work done.

[00:47:32] Well, yeah, I think from human to data, it’s the whole chain it has to be considered for cyber security continues to focus on driving awareness training because attackers, like I mentioned earlier, social dynamic, how people connect to each other matters. It’s no longer about corporate. It’s about the individual who is part of the business. Now, all the way to data how to use security data. Are you encrypting your data so the ransomware attack doesn’t come back with, hey, I got your data, I can publish it, you know, things like that, your customer data, because you could be running software that is considered a source that has customer data. So through dance, I think every aspect related to what we do from home and every attack surface needs to be considered. The whole concept of trust based security posture, management constantly and the overall architecture has to really start shifting, doesn’t have to be done, but start shifting. I think the tools that I mentioned to address the home networks and for that, I think that that will be my recommendation to some excellent suggestions.

[00:48:51] Thank you both for coming on. It has been an absolute pleasure to have you both here on the show today. Thank you so much.

[00:49:00] Thank you. It’s wonderful. Thank you. All right. Can you take us out?

[00:49:05] Hopefully you can hear me, I think is Fleming was talking about batteries running out my battery or my efforts ran out at the same time. So thank you so much, Blerick incident. I really hope you all enjoyed today’s show and it has helped prepare you for 20 21 November. You can watch all of our LinkedIn shows from the Baku Derrington page. So now that leads me to say until next time, have a safe journey. And of course, happy holidays the next year.