Dive deep into AI's accelerating role in securing cloud environments to protect applications and data. In each episode, we showcase its potential to transform our approach to security in the face of an increasingly complex threat landscape. Tune in as we illuminate the complexities at the intersection of AI and security, a space where innovation meets continuous vigilance.
John Richards:
Welcome to Cyber Sentries, from Paladin Cloud on TruStory FM. I'm your host, John Richards. Here, we explore the transformative potential of AI for cloud security. As a special treat for this episode, we have a guest host, Dan Deeney, CEO and Co-founder of Paladin Cloud, who sits down with Mike Crowe, retired CIO at Colgate-Palmolive. From artificial intelligence to integrating security and DevOps teams, they discuss the top cybersecurity trends you need to know. Let's dive in with Dan and Mike.
Dan Deeney:
I'm Daniel Deeney, CEO of Paladin Cloud. I'm super excited to have Mike Crowe here to join the discussion. Today we'll be discussing top cybersecurity trends and strategies. Mike, let me turn it over to you for an introduction.
Mike Crowe:
Thanks Dan, and thanks for having me today. Hi everybody. I'm Mike Crowe. I am a computer scientist out of the University of Delaware. Early in my career, I had a couple of short stints in software engineering for the defense software industry first and then the healthcare software industry before I landed at Colgate-Palmolive for the next 34 years of my career. All in the information technology organization there, spending the last nine years as the chief information officer.
I retired from my role at Colgate at the end of 2022 and, post-retirement, I'm spending some time raising funds for critical pediatric cancer research, as well as serving as a board member or advisor for roughly half a dozen tech startups and a couple of investment firms.
Dan Deeney:
Love the diverse background. All right, let's jump right in. So first key trend I think it would be good to talk about for the audience would be how do you really see the overall threat landscape evolving?
Mike Crowe:
Well, I think that threat landscape is growing ever more complex for multiple reasons. First, as all companies continue along the path of their digital transformation, their digital landscapes are expanding very broadly. We're seeing an explosive number of SaaS applications that people are using. We're seeing companies do more of their own organic software development in the cloud, and that's leveraging open source microservices and open APIs. So the risk surface is really expanding dramatically.
We've got more digital moving parts that people need to be concerned about and protect. We've got a heavily increasing number of applications and a heavily increasing number of identities. I think the second reason it's growing quite complex is the geopolitical instability that we're seeing around the world. With all of that unrest, we're seeing nation states take advantage of an ever-increasing number of identified vulnerabilities, and then whether you think you're a target of those nation states or not, you have potential that you could get caught up in collateral damage from any kind of nation state attack. So it's important to pay attention to those. And then just whether it's a nation state attack or attacks in general, the attacks are just getting more and more complex. So all of this is keeping security teams as well as the adjacent IT teams quite busy.
Dan Deeney:
Yeah, that's right. Yeah, with these increasingly complex threat vectors and attack patterns, certainly it becomes a much more daunting task for CISOs and security teams. What would be an example of a threat that's top of mind for CISOs today?
Mike Crowe:
Well, I don't know if I can speak for all CISOs in all industries, but I can certainly talk about what worried me when I was a CIO, and what worried me were the threats or the attacks that could lead to significant disruption of business operations or significant financial loss to the company. A couple of examples in those spaces would be ransomware, which provides both disruption as well as potential financial loss, and B2B payment fraud. Then, of course, at the root of all of those attacks, they could have all started with the first attack, which would be compromising somebody's credentials, getting into your environment and starting to move laterally. Those were the things that worried me, so I would spend a lot of time focusing on how do we make sure those types of things don't happen to us.
Fortunately, with the innovation happening in the space, there were some answers for that, and just bringing up a few examples: Area 1 Security was great at making sure it was keeping phishing emails out of your environment. It's now part of Cloudflare.
More recently, a couple of startups that I'm advising, one by the name of Savvy, which has a platform with playbooks for different situations to help security teams. They are great at stopping people from providing their credentials to the bad guys in real time. Another example, another company that I'm advising, TrustMe, is really providing better than ever capability to avoid any fraudulent business to business or B2B payments.
Dan Deeney:
Yeah, those are great examples for sure. Let's talk about AI, that topic that's on the minds of everyone that seems like these days. We've got the emergence of AI powered enterprise applications. So how do we think about securing these applications and data?
Mike Crowe:
Yeah, well, I think with AI and including the emergence of generative AI most recently, it presents both risks as well as benefits to a security organization.
So for now, let me concentrate on the risks, and I think we'll get to the benefits as we go through some more of our chat today, but think back to when prior digital capabilities were developing. Think back to email systems coming to the forefront and personal computers and the emergence of the worldwide web. All of those capabilities were ahead of the industry's ability to protect against accidental or intentional misuse of those capabilities.
Of course, then what came along was the emergence of an entire cybersecurity software industry. I think back to those days, and I think that's where we are with AI generally right now, maybe a little bit oversimplistically, but I think that's where we are right now. The capabilities are ahead of the industry's ability to protect against that accidental or intentional misuse. And so we're going to need a whole new branch of cybersecurity capabilities to help us in that regard. They are starting to emerge, but I think that they're going to need to continue to emerge as companies really start to take advantage of these great capabilities.
Just citing one specific example, think about when ChatGPT came onto the market, came on somewhat by surprise to many, with much fanfare and much well-deserved hype, but I think it caught a lot of companies off guard in that they had to think through what are the implications for us, including what are the risks? What's the risk of us leaking some of our valuable data through the use of this capability? What kind of guardrails do we need? How do we protect against the misuse that could come from that capability?
And so what did a lot of companies do right out of the gate? They actually blocked the use of ChatGPT for their employees. One of those companies I talked about before, Savvy and their playbooks, what they were able to do was quickly develop a playbook so that their customers could catch in real time when their employees were about to use ChatGPT, and then they could enforce making sure that the users had the right privacy settings set for that use of ChatGPT. Or they could be proactive about publishing, again, in real time, at that point in time, the policies and the dos and don'ts of the company. So emergence of some good capability, providing those guardrails, which is a much better solution than blocking the capability altogether.
Dan Deeney:
Yeah, that's a great point. Yeah, definitely need those guardrails in place. Another emerging trend that we're starting to see with enterprises and AI powered applications is the use of open source LLMs, like Llama, for example. Any thoughts on the emerging trend of open source?
Mike Crowe:
Yeah, I think for companies that are really looking to take advantage of generative AI in a fast way and in a safe way, the emergence of the open source, the open APIs, is going to be critically important. As I mentioned before, companies have a lot of valuable proprietary data at their disposal that they don't want to just release. So they don't want that to be exposed by use of proprietary LLMs that you would see from OpenAI or from Google or from others.
Rather, they want to be able to create their own private LLM for that valuable proprietary data that they have. Making sure that they're protecting that data while then also leveraging, though, the open APIs to the functionality, to the algorithms, to then be able to produce valuable generative AI applications for both internal and external use. The internal use for helping internal employees with their jobs, with their productivity, and the external use, being able to provide new products and services that they haven't been able to provide before using generative AI to their customers.
Dan Deeney:
That makes sense. Those are all great points for sure. We'll keep monitoring that trend. So yeah, let's shift gears. I mean, one of the key trends that we're starting to see with the increasing threat landscape is that enterprises are looking to beef up their defenses and overall posture. When you think about the full stack applications, data security, cloud security, what are some of the key trends and strategies there?
Mike Crowe:
Well, I think most CISOs, if not all CISOs, have for a long time been adding a large array of best of breed capability into their cybersecurity arsenal and I think that's appropriate. If there's any area today that deserves best of breed deployment, it is cybersecurity, and that's a reflection of the importance. There's just too much at stake. It's a reflection of the complexity in that particular area. And to your point, the complexity continues to grow for the reasons that we talked about before. So more and more solutions are needed.
With that said, deploying all of those different solutions adds complexity for the security team. So I think one thing CISOs are always looking for is how can I simplify? How can I simplify the landscape? But it needs to be simplification without giving up capability. Simplification while you're also advancing the capability and moving the needle forward.
So you could get that simplification from consolidation of capabilities within the industry, but I think more likely today this simplification is coming from additional solutions introduced into the environment that integrate well with the solutions that are already in place, and correlate the data and the signals across all of those existing solutions.
Dan Deeney:
And to that point, when you think about the different signals and alerts, one of the trends that we're starting to see is risk-based prioritization across tools. Any thoughts on that trend?
Mike Crowe:
Well, I think with a lot of what we've talked about so far Dan, the bottom line here is that security teams are busier than ever before and they were too busy to begin with. I think that aspect of prioritization is absolutely key for them and automation behind the prioritization as well. That's what I like about your solution in Paladin Cloud, which you incorporate into the environment. It integrates well with a lot of those existing security solutions that we've talked about. It automates the task of collecting data and signals from across those various solutions. It automates using generative AI risk-based scoring to then give CISOs and their security teams real-time insights on the risks that exist, but more importantly, the priorities that they should be going after. What should they be working on first, second, third? What are the things that could wait because maybe there's some mitigating controls in place?
These are things that probably every security team is doing one way or another, but in a lot of cases, it may be through manual efforts, and that automation that you're providing to get to that prioritization faster and to get to that trust is absolutely key for this increasingly complex environment.
Dan Deeney:
Yeah, when you shift gears to remediation, if you think about, okay, let's figure out the best way to prioritize. And then how do we drive remediation in an efficient way? Automation comes to mind, workflow and processes, in many cases with global organizations or enterprises, you may have a decentralized org structure and different levels and tiers. How do you see that remediation process evolving and what's the role of automation there?
Mike Crowe:
It's a really good follow up question to the previous topic as well, and I think for all the same reasons, automated remediation and automation in general is critically important. Now, it could be in the past that CISOs or some security teams may have been reluctant to let automated remediation just happen. I do think that that is likely changing for a couple of reasons. One, again, for all the reasons that we talked about, I think it's just becoming absolutely necessary.
The second point is that I think the tooling is making it much easier for CISOs and their teams to trust the automated remediation, because the tooling is providing explainability as to why the automation is making decisions that it's making and it's giving the security teams a chance to walk before they run.
We talked about the automation in your platform around bringing the data feeds in and the automation of the analysis and then providing the advice to the security teams, but you also have automated remediation in your platform, if not completely automated, at least giving the security teams a chance, with one click, to do remediation. That's really important for some of the same reasons that we talked about before.
There's too much work. We need more productivity, we need more tools like that to help the security teams. If I can bring up one more example when it comes to automation, one of the companies I had talked about before, TrustMe, is also integrating into existing enterprise solutions. Not just security solutions, but your ERPs and other enterprise solutions, and using APIs to read data where it exists, and then using advanced algorithms, AI algorithms, to detect potential B2B payment fraud in progress and prevent that fraud.
These algorithms are so sophisticated that they are providing either zero or very few false positives, which in my experience, I think that's really rare in this cyber industry. So very powerful algorithms providing better protection against B2B payment fraud than ever seen before.
Again, similar to comments before, companies may be handling that B2B payment fraud through manual processes today. What this automation from TrustMe does is it makes that prevention more foolproof and also provides productivity back to, in this case, the financial organization.
Dan Deeney:
Yeah, that's a great example for sure. One of the things that we're starting to see is the emergence of ticketing systems playing a key role, especially with DevOps teams. So we're starting to see Jira instances, Jira projects, and any thoughts around how do you streamline, through a tool like Jira, your workflow and automation there with different teams that are in different geos?
Mike Crowe:
Yeah, I think that's really important. If you think about most large companies, they're going to be geographically dispersed. Even within a single country, they're going to be between different facilities. But then when you get to large multinational companies, you've got people all around the world, and that can even include parts of the security team, parts of the IT team and so on.
I think you know that when it comes to addressing a threat, an attack, an incident, it's never contained just inside the security team. The actions are never contained just inside the security team. There's a lot of communication that has to go on between teams, between the security team and other parts of IT, as well as teams in the greater enterprise.
And there are tasks to be done that may belong to the security team or may not belong to the security team. So there's a whole coordination that has to happen here in terms of response when you're trying to address these things. And of course, you want all that to happen accurately and you want it to happen as fast as possible because you're trying to burn down that risk. So with all that communication involved with all those different steps that have to happen, a ticketing system like Jira or something else to automate that human workflow is absolutely critical for speed and accuracy.
Dan Deeney:
So shifting gears to organizations, how they're set up and structured, we hear from CISOs that, "Hey, look, we've got a DevOps team that focuses on remediation and fixing things," and the CISO security group generally identifies and tries to prioritize, and we use different tools and dashboards, whether it's application security, data security, cloud security, vulnerability management, lots of different tools and platforms, lots of different lists and priorities. Oftentimes, when they're speaking to their counterparts over in DevOps, it's like, "Okay, well there's 5,000 findings and alerts here that we need to remediate." And DevOps will oftentimes say, "Look, tell me the top 50 that you want me to work on. I don't have any more resources than that." So how do these two teams ultimately collaborate within an organization to help reduce risk?
Mike Crowe:
Yeah, you bring up some really good points there. So first off, it's critically important for the security teams and the DevOps teams to be very tightly integrated today. If that's not the case, then I would say something needs to change quickly, and they have roles to play. The security team, they need to be setting the expectations. They need to be doing the education to the DevOps teams on best practices and the expectations on how things should be done. They also need to be doing the monitoring and the detecting when things are falling outside of those parameters, outside of those policies, and risks are starting to emerge.
The DevOps team needs to take all that education seriously, and they need to be responsive to the security team. So they do need to burn down that risk that the security team is advising. Now, you bring up a good point in that they could be feeling overwhelmed for, again, for a lot of the reasons that we've talked about, because they're trying to add capability to the business, and the security team wants to address that long list of things.
So I think an important point for both the leaders of security and DevOps, is to provide the right tooling, and I would say a lot of this tooling exists and continues to emerge, but provide the right tooling for the DevOps teams to get things done the right way from the start. If you provide that capability, then that improves the productivity of both teams, and there's less of that chasing things after the fact. Less of that long list of things to attack after the fact. It's easier said than done, but I think these are key things.
The final thing that I would add about the two teams working together is you need empathy created on both sides of that equation. I think a good way to create that empathy between the two teams is cross-functional assignments. Take some of your DevOps people and put them on a security team for some period of time. Take some of your security people and put them on the DevOps team for some period of time. That really is a great way of each side gaining that empathy for what the others are up against.
Dan Deeney:
Love that idea. Yeah, great idea on cross-functional teams and really generating empathy for sure. I mean, one of the trends that's still early that we see is the emergence of a hybrid bridge team, like a DevSecOps type team. So do you think we'll start to see that role expand and grow in organizations?
Mike Crowe:
Yeah, I think we will see it grow. I do think we'll accelerate that. It's always a tough choice to make when you're talking about making organizational changes, and is it necessary to make an organizational change or just have the teams work together? Of course, I've talked about the importance of the teams working tightly together, but one way to do that is through some organizational consolidation as well. I think, in any event, whichever way you go after it, I don't think there's a right or wrong in terms of the approach, as long as you keep the objective in mind. And again, I would come back to, I think the objective you need to keep in mind is that you're trying to improve the efficiency and that productivity of both teams. And you're trying to get to where things are being done right the first time, rather than having to react with remediation after the fact.
Dan Deeney:
Yeah, that's a great point. Yeah, oftentimes you see this tug of war where security is focused on risk. DevOps might be more aligned, let's say, with the business unit and servicing and supporting customers, keeping operations, keeping uptime on platforms. Then a lot of times a security issue that requires remediation will impact, let's say, the uptime on a web platform, and if there's a risk like a port open to the public or something, it's like, "Okay, well, do we take down our application for a period of time or do we push it to a maintenance window? How do we balance risk versus business continuity and supporting customer revenue-generating platforms?" So there's always that trade-off.
Mike Crowe:
Yeah, all great examples.
Dan Deeney:
Well, look, I mean, we've covered a lot of material today. It would be great to get your final thoughts overall and any key trends and strategies we haven't talked about or discussed, as we wrap up in the next few minutes.
Mike Crowe:
Yeah, maybe one thing I'll just close with is something that I talk about often. We've talked a lot about different aspects of cybersecurity here today. In my time as a CIO, I studied a lot of breaches across companies and across industries, and one common thread that I always latched onto through all of those studies was that companies often got burned by what they didn't know. They thought they knew everything. They thought they had all the right things in place, but they got burned by something that they didn't know.
Some simple examples, it could have been that they thought everybody had multifactor authentication enabled throughout the organization, but then as they were studying what happened in a particular breach, they realized that there was an exception, and it's the exceptions that kill you. And somebody got their credentials compromised. They started to move laterally through the network. That's what led to problems. Again, just one example.
Another example could be that companies could have thought they had burned down a whole bunch of technical debt and decommissioned systems, and then when they were investigating a particular breach, they found out that a legacy system had been left in place, nobody using it, but it was still up and running. It was compromised, and it was a foot in the door for attackers to get in there. So what I'm always asking is how do we find out what we don't know? Because what we don't know is what's going to kill us.
Now, there are technologies, products, cybersecurity products, that help you with that. We talked about a number of them here today. There's a long list of additional product capability that can help you automate finding out what you don't know.
I think equally, if not more, important is services. If companies are not utilizing these types of services today, I would recommend they do, and what I'm talking about is first-class, top-notch, offensive-minded, offensive-skilled capabilities to test your defenses, and turn them loose on trying to test your defenses.
Don't expect the report to come back clean. If that report comes back clean, I would say you probably need to go find another top-notch firm to redo those tests of your defenses, and don't be afraid to see that report when it comes back. It could be a long list of things, and you could be quite surprised at what you're finding out by going through that exercise, by finding the things that you don't know. It doesn't matter if that's a long list of things.
What matters is the objective of the exercise was for you to find out what you don't know so that then you can systematically prioritize the hottest things to go after and burn down that risk all the way until you've got it all whittled away. Because you want to address those things you don't know before somebody else finds out what you don't know, the bad guys find out what you don't know and use that to attack your environment.
Dan Deeney:
Well, great words of wisdom there, Mike, for sure. Appreciate that perspective and advice and guidance. Look, as we wrap up here, really wanted to thank you for sharing your insights and perspective, Mike, and your experience, so thank you so much for taking the time.
Mike Crowe:
My pleasure, Dan. Thanks again for having me.
John Richards:
This podcast is made possible by Paladin Cloud, an AI-powered prioritization engine for cloud security. DevOps and security teams often struggle under the massive amount of notifications they receive. Reduce alert fatigue with Paladin Cloud: using generative AI, our model risk-scores and correlates findings across your existing tools, empowering teams to identify, prioritize, and remediate the most important security risks. If you'd like to know more, visit paladincloud.io.
Thank you for tuning in to Cyber Sentries. I'm your host, John Richards. This has been a production of TruStory FM. Audio Engineering by Andy Nelson, music by Amit Segi. You can find all the links in the show notes. We appreciate you downloading and listening to this show. Take a moment and leave a like and review. It helps us get the word out. We'll be back May 8th, right here on Cyber Sentries.