I want to introduce our special guest Josh Levs from one side he's the manager and from information assurance he's one of the leaders at Delta Air Lines and he's going to just talk today and next perhaps are shifting in that your mission think your. He has a certain role so thousands are now in the areas advisory off and on top investigative process and cybersecurity. That will really happen here.
Thank you, thank you, and thank you to all of you for coming out this afternoon. I've been looking forward to having this conversation with you and certainly, certainly look forward to it. A couple of things before we get started: there will be time at the end for questions, and there's a couple of points in the middle where I'll ask for some of your input, so I definitely look forward to hearing from you. The other piece: cyber security is an industry full of acronyms, and so something that I'm definitely guilty of is launching into an acronym soup and not explaining what it is that the acronyms refer to. If I do that, please feel free to raise your hand and tell me, because I do want to make sure that it's a meaningful conversation. Many of you probably already know these acronyms, but I'm certainly willing to pause.
So let's talk a little bit about solving the biggest problems in cyber security. We'll start by talking a little bit about what you need to know going into this conversation. We'll talk a little bit about information security at Delta, why I'm there, and hopefully why it would be somewhere that I hope some of you look to go in the future.
We're then really going to launch into the focus of the conversation around what are the biggest problems in information security. That's one place where I'm going to want some of your input, because I'd like to know what your thoughts are. We're going to talk about what kinetic threat is and why you care, and then why kinetic threat is going to fundamentally change the way information security works.
So a couple of things, and some of you may already have had to put together these disclaimer slides; certainly as you begin to work I'm sure you will have to put together these disclaimer slides. The views and opinions in this are my own, they do not necessarily reflect those of my employer. The subject matter is constantly changing; it is being presented in good faith and to the best knowledge of myself.
Who am I? I won't dwell on this area. But I do think it's good to have a conversation around the fact that many of us in cyber security started in one place and definitely took a roundabout path to get where we are today. I know it was a perspective that I wish someone had brought to me when I was a student. But just from a high level: I hold two bachelor's degrees from the University of Iowa, I'm actually the youngest graduate from their college of business, I was nineteen when I graduated. I hold a certificate in cybersecurity from Georgia Tech's professional education group and I'm currently enrolled at the University of London working on my master's. I hold a couple of certificates and I've worked in a number of roles ranging from finance at Kimberly-Clark through being a developer, a DBA, an auditor, through a number of companies including John Deere, Coca-Cola and finally Delta. Probably the more interesting side, outside of the resume:
I visited six of the seven continents, and that was really for work. Cybersecurity, I think, is one of those interesting fields; a lot of times we get caught up thinking about the technology, but it is a field that impacts things on the ground, and so because I went into this field it opened up the opportunity to really see a lot of the world. So I would certainly encourage you, if that's an interest of yours, this is a field that can open those doors for you. Circled the globe twice. Survived a terrorist attack. And at home I like to dabble in home automation, I like to play with Raspberry Pis, and that's something we'll talk about a little bit further on, but something I would really encourage a lot of you: today there's a lot of technology out there that's very approachable from an open source standpoint to be able to learn the concepts in a hands-on manner, and I think this is a field where it's changing so quickly that one of the best ways to stay up to speed is very much to have that place at home where you can play, and when you take down the network for a day or two, despite the fact that my wife back there gets a little bit testy with me, it doesn't take down the network of your company.
So why information security at Delta? I've bounced around at a few different companies over the years. Why is it that I come back to Delta, and why is it that I hope that some of you, as you come closer to graduation, consider Delta and look at that? And I promise this really does tie back to the kinetic threat topic; I'm not purely giving you a sales pitch on my company. Delta is a great place to work. We fly all over the world; those are just the routes purely from Atlanta.
But when you look at what I find makes Delta very interesting from a professional standpoint: we're a member of the Civil Reserve Air Fleet, and what that is, it's a part of our national defense where, when we need to move large numbers of troops, whether it's in a time of war or because of disaster recovery, many of the civilian airlines, Delta included, will dedicate a part of our air fleet to help move the troops very rapidly where they need to be. As a result of that and some other activities we're considered critical infrastructure, and what I found in my time at Delta is that makes it really a unique challenge that I didn't find at some of the other companies, because of the national security as well as just the very practical impact to how it impacts our nation.
As a result of being critical infrastructure we participate in Aviation ISAC. Following 9/11 there were a number of ISACs set up; essentially they're information security, or information sharing, groups. They share information about everything from information security threats, some of the emerging viruses and threat actors, all the way to physical security threats around terrorism. Aviation has one, oil has one, energy has one; I think there's one thousand sectors offhand. Also a unique challenge and a unique space that I found from my time at Delta.
Now the kinetic threat, because I did promise I would tie it all back to that. Delta's newest generation of aircraft, and not just ours, airlines in general, are called e-enabled. E-enabled aircraft are largely controlled by computers and systems where previously they were controlled by cables and switches and levers. The newest generation of aircraft are compared in many ways to a data center in the air, and I do think that's an accurate.
An accurate description. In my time at Delta I've had the opportunity to spend time with Airbus and some of the different manufacturers talking about the design and how do you prepare an aircraft to be secure now that you are reliant on the digital systems onboard.
Monroe Energy is one of our subsidiaries; it's an oil refinery. And so it's also an area that participates in the ISACs, it's also a part of critical infrastructure, and it's also something that most airlines don't have the opportunity to get involved with, but it's led to some very interesting security conversations as we look at kinetic threat.
The last piece, and again I won't belabor the point: Delta TechOps. We do maintenance and repair of aircraft, our own as well as others; there's a number of government aircraft, we even work for other airlines. But what I will say about our TechOps facility, and this is true of a number of the manufacturing companies that I've worked with as well, is that manufacturing, maintenance and repair. My dad, my great grandparents all worked at John Deere, and so as a kid I grew up walking through the factories and watching the welders manually welding tractors together. When I worked at John Deere I would also walk through the factories; I was an IT auditor at the time, and so I looked at security in a number of places, including the way we secured the manufacturing computers, because today it's a rare sight to see someone out there with a welder in their hand; it's a common sight to see someone in front of a computer terminal telling a robot how to weld a tractor. With all of that computer control also comes a risk, and so we'll talk more about that as we get into kinetic threat, but TechOps is another area that I've enjoyed interacting with at Delta because it was an opportunity to bring security into a space that is rapidly evolving and that historically has not been
at Delta, or at any other company that I've seen, a focus of cybersecurity. It's traditionally the realm of mechanical engineers and electrical engineers.
I promise I won't read this. Last plug for Delta: if you look at our job descriptions, particularly from the cyber security standpoint, and I can guarantee you'll see this if it's one for my team, we look for people with the attitude that they want to bring it on when they see a challenge. We want the people that want to deal with the problems, not the people who just want an easy environment to work in. We want the people who are the best at what they do, people who want to drive transformation. I don't know if all of you saw the, I'm sure you have, a few years ago there was a speaker at Georgia Tech who talked, I want to build Iron Man. And when I see that attitude, I see that attitude amongst Georgia Tech students, and I think that very much reflects the attitude of the kind of person that we're trying to build out within our information security space.
All right, so the piece you've all been waiting for: what are the biggest problems in information security? And this is where the rest of the slides are my opinion on this, so this is where I'd like some of your input on what do you see as the biggest problems in information security. Insider threat. That's true, it's hard to get everyone talking the same language. What else? Insider threat, getting people to talk. You're right, and we've seen ransomware just in the last few weeks within the city of Atlanta, and it was at the Grange, there was another suburb, you're right, that's been. We're going to talk a little bit about that; that's changed a lot of the threat space, and certainly as you start seeing the shift from hacktivism to nation state and some of those actors, it's a game changer. Things were simpler a few years ago. And. You're right.
You're right, all the different devices. I know I look back to the days when everyone was just running Windows and it was a reasonably simple design for how you secure it. Not that it was perfect, it was a simpler environment. I talked with my peers and they tell me the mainframe days were even easier. But you're right, today there's any number of operating systems, any number of form factors, maybe I want to Samsung and you want to see in even the overlays making Android different. Anyone else who is following. Some of these. Problems. Were great.
It can be, although one of the fun things, so the comment was some of these may be solutions, and user awareness training may be a solution to social engineering. One of the fun topics as you sit in cyber security circles that people talk about is that user awareness training doesn't work very well. If you look over the last fifteen, maybe twenty years, we've done, and I say we as an industry, we've done user awareness training every year, we continue to put more money into it, we try to make it more interactive, you try gamification, you try all these different pieces. Social engineering, especially if you look at the Verizon Data Breach Report, hovers right around fifteen percent every year, so you know maybe you would be worse without it. But the challenge with a lot of it, I'll agree with you, a lot of the things up here are solutions, but whether we're talking, you know, intrusion detection systems, and five years ago we were focused on how quickly can we get the right signatures into the intrusion detection systems as quickly as possible; today with polymorphic malware, signatures really just don't work very well. So you're right, some of them are solutions, but some of them are also how do you keep that next generation of technology out there, and how do you convince your business people that they need to give you a few million more dollars to upgrade to the new platform when they just bought your new stuff three years ago. But you're right.
You're correct, all the third party risk. When you bring someone in, and you know you may trust them, you may put them through the right vetting, they may have third party attestation reports, you may even have the right to audit in some cases, although that's becoming more and more rare in the world of cloud, but what do you do when they mess up? With me. And. You're right, it's never ending, and I think that's what makes it interesting. I will talk a little bit later on, but I think one of the things that makes information security interesting is the fact that it's always changing, and if any of us are going to be successful in this business we need to be never changing, we need to be constantly learning. Things that probably could be just because his work. Just seems if you've been reading my slides. Now you're right, it's a challenge because, and again we'll talk about this later on as well, so thank you guys. It's a challenge because there's a war for talent today; there's a very real shortage of talent within the information security space, within the cyber security space, and what I refer to a little bit later on, there's a war for talented talent, because there's also a number of people in the space who are very, very skilled and it's hard to get those people. So. Have to make sure no one got into my laptop or my slides.
So what are the biggest problems in information security? Also, there's been a very real shift from C to A, especially over the last two years. What I mean by that: we talk about the foundation of information security being the CIA triad, confidentiality, integrity and availability. You know, if I look back seven, eight years, everyone was very worried about availability. It was the early days of the DDoS attacks, distributed denial of service, and everyone heard about Anonymous, LulzSec took down this website, and a number of the financial companies were hit. A number of the banks today still are under very common, very constant attack from denial of service.
There were a number of mitigation technologies that came, and so to your point some of these things are solutions. The mitigation technologies came in, we were better with dealing with the layer seven attacks, we're better with dealing with the volume, but now it's coming back. When you look at GitHub, what, three weeks ago, they got hit by a 1.5 terabit attack, and this was unheard of. I remember having a conversation, I don't think it was even a year ago, with a peer of mine, and we were talking about some of the different mitigations that are in place for us, and I said, you know, well I heard a rumor, this is right before we learned about some of them are attacks early last year, so I heard a rumor someone might be pushing, you know, getting close to a terabit a second. He told me, don't worry about it, if it ever happens it'll take down the Internet, don't even worry about mitigating it, there will be bigger problems. And now we see on a somewhat regular basis we're well north of a terabit, and I suspect it's going to continue to grow.
We also, on the ransomware point, I don't know if any of you followed last summer the attacks that were happening at Maersk, the shipping giant. They were hit by a huge ransomware attack; it shut down I think for their seven lines of business. And they were doing a lot of things on paper and pencil; they were using WhatsApp to communicate across the world between their different places to try to coordinate shipments. The thing that really stands out about that: everyone can tell a story about ransomware, everyone's been hit by ransomware, and you shut down your computers and restore your backup. And it's not good but.
When you look at the financial impact, or the estimates that Maersk themselves are putting out there, the financial impact to their company was larger than the financial impact to Target from the breach. And so confidentiality is huge; we need to make sure we're protecting people's data, we need to make sure we're protecting the company's data, but when you look at where this is headed, all of a sudden we're seeing a resurgence on the availability side.
Now we've talked about C, we've talked about A. You know, kind of the thing that everyone, at least when I have the conversations with some of my peers, the thing I think everyone's talking about and that to my knowledge we haven't started to see pop up yet is what happens when an attacker starts to go after I, what happens when they go after integrity. It's bad if the systems are down; it frankly can bankrupt a company if they can take them down for too long. It's bad if they release information; that's a huge liability, it hurts trust. But what happens if you log in to your bank and the numbers are wrong? What happens if you try to board a flight and we send you to the wrong place? You know, what happens when integrity is attacked, and how do you start watching for that, how do you identify it, and how do you mitigate it quickly once it happens? So I think that's where we are going to see some changes over the next several years, but I think we have some very real challenges there.
The war for talented talent: this is where I think you were reading my slides. We do have a shortage of talent across this industry and it is a very real problem for us.
It's also hard to get the very best people. That can be a pricing challenge, because the very best people command the very best salaries. It can also just be a challenge of how do you find them and how do you know who the best person is. This is especially since the way the industry typically hires people is you have an hour, maybe two hours, you sit down in a little conference room and you have a conversation. So how do you know if this person really knows their stuff and they're the best at penetration testing or forensics, and how do you know if they can just have a really good conversation, and six months later you're off looking for talent again?
A couple of things that we've tried. And so I guess I'll suggest, certainly if any of you do choose to apply to us, this is so that you're aware of some questions that you'll have, but certainly I would encourage you to think about this because someday you'll be leading your own teams and I think this is an important thing to think about. We've started to add a technical component and a simulation as often as we can to our interviews, because we want someone to actually demonstrate the skill set that they have. And so I think that's an important thing to think about walking into an interview: you know, it's always important to answer the "tell me about a time when" questions, but I also think it's important to be prepared to demonstrate technical skills.
The other question that we like to ask people is "tell me about your home network", and it tells us two things. First, it tells us a little bit about what they know hands-on for technologies. It also tells us, do they really have a passion for this, because I think information security is different than a lot of other professions. It can be a challenge sometimes because it's hard to make it a nine to five profession if you're truly passionate about it. But I think one of the things when you talk to someone, well, tell me about your home network.
You know, I've had people answer, well, I have my Comcast router and iPad. OK, well, at least you're wireless, I guess that's something. You know, we'll have people that will talk about, well, I have these five Raspberry Pis and I set up my own VMware server and I run all these different VMs to do my own IDS, and there's all the acronyms I was promising earlier. I remember one particular interview, it was probably two years ago, that still sticks with me. We were talking to a recent college graduate; she was living with her parents, looking for a different job. Tell me about your home network. Well, you know, I have my Comcast router, my parents won't let me do a whole lot on the network because it's their network and they're afraid I'll break it, but I went in and enabled QoS because their Netflix is really slowing down my gaming. And so I would very much encourage you, think about that home network, think about how you can share where you've experimented, where you've learned, and where you developed some of these skills.
The last piece, and then we'll get into kinetic threat: the last piece is enabling change. There's a lot of security teams at companies that I've worked at, I think some people even accuse my security team of this sometimes, where they're great at saying, you know, hey I want to implement this new set. No, no, you can't. And the problem is, you know, the most secure environment, we wouldn't be running computers. Everything is a degree of risk, and we're ultimately there to enable the business, whether that business is flying airplanes, whether that business is refining oil, whether that business is manufacturing or marketing. And so I think one of the difficult things as a security professional is to become comfortable that there is a degree of risk that's appropriate to the business, but also to engage the business and help them understand: look, if this is where you're trying to get, I can help you get there, but work with me and I can help put
these pieces in place that it will be secure, in some cases it may even work better for you. And so I think that's one of the tricky things. I know for myself, especially earlier in my career, it was very easy to get caught up in the technology, and the more I was able to start understanding the business side of it and sharing with them. If I start saying IDS and IPS and a few of the business they glaze over, but if I can explain here's how we can build this into your system so you're not the next Target or you're not the next Maersk, that helps. All right, so, kinetic. Sure. And. What do you think. That. That's a good question. I say what, can I make you the first question when we get to questions? OK, because I do want to answer it, but I think that's one we could talk about for a little while and I do want to make sure, I promise I do talk about kinetic threat, but you're the first one.
Kinetic threat, and there's different terms for this. I'll be honest, it's not new to the industry, but it is a young enough space that I don't know that the terminology has fully solidified. The way we define kinetic threat is a cyber threat that has a physical impact on the physical world, and that can be anything from shutting down the cooling system of a data center and destroying all the computers, all the way to the other extreme of, well, we'll talk about this in a second, causing a generator to explode and causing catastrophic damage. Kinetic threat, I mean, I don't know if any of you guys ever watched the old, like the 1980s movies, Hackers or WarGames, or everyone talked about kinetic threat, and back then it was a concept, but it was a concept. What I want to hear today is, I do think today this is a very real issue, and it's something that is still in its infancy, and it's something that we need to address head on as a cybersecurity industry.
So what is kinetic threat, why do you care, and this is why I say this is what we have today.
In 2007, Project Aurora. This was a government sponsored research up in, I believe it's in Alaska, and essentially what it was is it was a proof of concept to prove the kinetic threat existed. With Project Aurora they took a very large generator, set it out in the middle of all of the snow so it was well away from anyone else, and connected control lines, that's probably not seen from the screen, and connected control lines to it. They injected a small piece of code that changed the power phases just slightly, and all the power phases, you're getting into an electrical engineering concept that is well outside of my expertise, but apparently that's very important to the way that a generator functions. What happened within a few seconds was just a catastrophic explosion, and the generator blew itself into multiple pieces. If you're ever interested, the videos of it actually made it out to YouTube, and it's fascinating to watch just how quickly the impact was, and also the degree of impact that happened.
In 2009, this is probably the piece that most of you have heard about, it's by far the most famous of any of the kinetic threat attacks, in 2009 we had Stuxnet. And Stuxnet, it was targeted at the Iranian uranium enrichment facilities. Essentially for years the US and a number of other countries had been arguing with Iran about their nuclear ambitions. Everyone was fighting back and forth: Iran, we don't want you to do this, we're going to put sanctions on you, we really wish you would stop, no, we really mean it this time, you know, we really wish you would stop, going back and forth, and the diplomacy was certainly not bringing anything back. It may have been slowing things but it wasn't stopping the progression. Unfortunately diplomacy doesn't work, it leaves you in a position of war, and there wasn't an appetite for that.
And so in 2009 there was a virus that was injected into the Natanz uranium enrichment facility in Iran. What this facility did: it had a number of centrifuges and it would take and refine uranium and spin it in such a way to make weaponized uranium material. As best as people have been able to figure out, there was a virus that was on a USB stick of a contractor. It's worth noting all of the computers at Natanz were air-gapped, and so we'll talk a little bit later about kinetic threat and how for years air gapping was the answer that everyone gave and probably the answer that nobody ever actually did, but Natanz was air-gapped. The virus made its way in on a USB stick that a contractor brought in, plugged into the computer, and it slowly spread its way across the computer network and ultimately the computer controlled network of these centrifuges. It managed to change the way that the centrifuges work just slightly, in the way that all the motors would burn out, and so Iran was constantly replacing these centrifuge motors, and a lot of the uranium that they were trying to produce was being destroyed in the process because it wasn't being refined correctly. They were replacing computers, they were replacing centrifuges over and over, they were having trouble figuring out why these failures were, because something that took it a step further: not only was it changing the way the control computers worked, it changed the way the monitoring systems worked. And so if any of you in some of your internships or some of your other work have worked in production facilities, you know we're very reliant on our monitoring networks; that's how we make sure everything is working the way it should be, that's how we make sure things are safe so that people aren't hurt. This virus just told the monitoring systems, don't tell the truth, don't tell them what's wrong, because it will make it that much harder to figure out why the centrifuges keep failing.
Eventually a researcher in Eastern Europe stumbled upon Stuxnet. It very quickly made its way through a number of security researchers; it was analyzed. Still no one has officially taken ownership of it, but it is estimated that it set back the Iranian program by about eighteen months.
So that's great: we have Project Aurora, which is a proof of concept, someone had a generator out in the middle of the snow with some wires attached to it; with Stuxnet, which was some air-gapped system, they were hard to find. I mean, no one likes the argument of security by obscurity, but is it something that we really need to worry about, or are all of these computers buried behind firewalls or air-gapped and off somewhere that realistically you have to look at a state sponsored attack, you have to look at really something pretty nasty to be able to achieve it?
Also in 2009 Shodan came out, and Shodan is a search engine. It picks up a lot of things, but it's specifically designed to pick up the PLCs and ICS; those are essentially the small computers that do a lot of industrial control. ICS is industrial control systems; PLC is programmable logic controller. Specifically designed for that, because what they found over the years is that a lot of these are connected to the Internet. Unfortunately a lot of these systems, when you look into the manufacturing space and some of that area, they are produced by third party companies and brought onto a shop floor or.
And over the years, particularly before security started to play a more active role in those environments, the easiest way to support a computer like that is to give it a nice connection to the Internet, let the vendor dial in from anywhere in the world, they can support it twenty-four seven, and if there are any operational manufacturing issues you can have everything back up and going, your factory's in good shape again right away. The problem when you plug these into the Internet is Shodan can find it, other people can find it. Shodan is just a search engine; the technology's certainly out there, but now anyone can go out there, and in fact there may be some of you on your computers right now going out there and looking. And you can search by type of device, you can search by domain, you can search by any number of factors, and so all of a sudden any of these insecure devices are out there, they're not hidden.
The German steel mill in 2014. Since we had a little bit of a quiet period, and everyone I think kind of had their fingers crossed on, does this mean maybe it's over and everyone gave up and decided maybe we shouldn't touch these, and then the German steel mill happened. And incidentally I will say there's a quiet period of publicly reported incidents. There's a school of thought that some of these are things that were not
legally required to be reported and may have been chosen not to be reported. The German steel mill actually straddles the line on that, so it's a good example. In 2014 there was a steel mill in Germany; they had hackers get in through their corporate network using a phishing e-mail. So one hears about phishing, we talk user awareness training. Someone got into their corporate network, they were able to jump the firewall because they did have their production network connected into the corporate network, jumped the firewall, they started poking around inside of the production network. And here's what nobody knows, and part of this, you know, I'm sharing the facts that are available and that have been shared publicly, but no one's even completely sure where in Germany the steel mill was, because it's been very closely held by the authorities. The thing that has a lot of debate, that no one's really sure of, is did these hackers get in and start poking around and accidentally create a problem, or did these hackers get in and was this a targeted attack where they intentionally created problems. The end result: people are in the production network, they're poking around, they're seeing what they can change, they created a catastrophic failure within the steel mill, and so they had to fire the emergency shutdown procedures, which meant molten metal was still in all the furnace when they were shut down. As a result the steel mill was left inoperable. I don't know if it was recovered, we don't know exactly where it was, but we do have some limited information that the German federal authorities put out.
Twenty six hundred forty.
This one wasn't terribly malicious, but actually a fair amount of this research happened here in Atlanta. I'm going to finish if you've heard of Charlie Miller. Charlie Miller is a, he started or at least became big as an iOS hacker, and he started looking at vulnerabilities in the Apple App Store; he started looking at ways that he could introduce vulnerabilities into iOS. Then he got interim from Apple and he was no longer allowed to play inside of their App Store, so he decided he would go look for something else interesting to work with. He decided he was going to start playing with cars, and so he started looking at the Jeep Cherokee specifically, and Charlie came back with research that showed he was able to remotely control a Jeep. He could change the steering, he could play with the brakes. Jeep fixed it; a year later he came back with another exploit. And so, you know, these are examples; these are by no means the entire list of everything that has happened. These are some of the most well-known examples, but I think as you look at some of these and you look at what could this impact be on any of our daily lives, what could this impact be at a company where you're going to work, or how could this impact a broader group, certainly this is a very real impact, in theory different from a website defacement; it's very different than a DoS attack. And so the world is changing.
So why will kinetic threat fundamentally change information security? Let's start with the rise of operations technology. So most of us, when we think about security and we think about our careers, we think about information technology: the servers, the PCs, the mobile devices. Operations technology is the world of the factory floor. Operations technology is the enabled aircraft. Operations technology are all of the computers that control an oil refinery and frankly probably control the air conditioning in this building. Couple that with the rise of IoT, where people are starting to introduce this into their homes, be it their lights, be it their thermostats. The world is changing and computers are suddenly becoming much more pervasive, and I think all of you have probably seen facilities where, you know, the main Internet connection has a label next to it: you know, in case of hacking, unplug. You know, it was simple once upon a time: we'll just shut down the server, we'll just shut this off. But the world is changing.
The cost and risk of change is also very different in the OT and the IoT worlds, particularly when you look at the manufacturing space. When you look at aircraft, a lot of this area is very highly regulated, and in many cases it's very difficult to make a change; it needs buy-off from a regulatory body, which just means it takes longer, and when you think about patching, when you think about vulnerabilities, that's not a world where longer is a good thing. It's also very expensive. We talked about the shop floor: a lot of these systems are proprietary, they were custom built for this use. That means they're not getting regular updates. That means if they were deployed with Windows 3.1 they're probably still running Windows 3.1 unless they need a new computer; if they were developed on AIX whatever, they're still running on AIX whatever, and they're not things that are easily migrated to newer operating systems, they're not things that are easily migrated to newer technology. And so when you look at that within the IT space, we have the challenge of how do we make sure we keep our systems current, but for the most part, if you live in accounting system you can move it to the new version of software; if you can't, you can move to a new accounting system. You may not be able to put together a new welder that does this very specific function.
There's also immature capabilities. If I want to solve a problem in the IT world, I put in a firewall, I put in intrusion prevention, I put an endpoint agent out there. I have a set of tools, and the set of tools are constantly evolving. We talked about how, you know, I may need to tell a business I need a few million more dollars because something that I put out three years ago, it's old technology now and I need something new if you want me to protect you. Most of this doesn't exist in the OT space, and even if it did it may not work there. And what I mean by that: you're starting to see Cat 5, Cat 6, the network cables that we're used to working with and the networks we're used to working with, you're starting to see that get introduced out there. You're also seeing a lot of proprietary standards; ARINC 429 and 629 are two that I work with. Each space has its own. I can't go buy a Sourcefire IDS and hook it up to an ARINC com link; it doesn't work that way, it's not communicating over TCP/IP. And so the way that I've likened this, as I've tried to explain it to some of our business partners, is: if you look at where information security was in the 1970s, that's largely where OT and IoT security is today. The thing that I would challenge is different is, where we had forty years, fifty years to mature our capabilities in the IT space, I don't think we have forty or fifty years to mature the OT and the IoT space.
And so probably what I would challenge each of you, and then we'll get to your question and everyone else's question: I think kinetic threat is one of the most interesting, one of the most challenging parts of what's already a very interesting and very challenging industry and profession. And so what I would challenge you is, as you look at what you're doing in your classes, in your research, and as you look at what areas of security you want to move into as you graduate, I would challenge you to look for opportunities within the kinetic threat space. Right, so I promised I would answer your question first. And I don't know if my last statement answered your question or if you have. A place. OK it's. Just. Getting to the things that we'll just. Shock you to thank you security and I. Think. It's a good church so here's my opinion. I think one of the things that Georgia Tech does an excellent job with is really equipping people with a high degree of technical capability, and as I look at the different areas within security, the different people that I work with, there's technical parts of security and there's non-technical. And I'll qualify this with: I don't know the specifics of any of these programs, so I don't mean this negatively towards any of these programs, they could all be excellent. But as I look at where the needs are within security, I can train a governance person. I can take a business person and teach them how to do governance, and in fact especially someone with an accounting background has a lot of those foundations; it's just a different language, that of IT versus finance controls. It's much more difficult for me to teach an incident responder or a forensics person or a penetration tester or, frankly, a security engineer. And so, you know, again my opinion, I really value people that come out very technically prepared, because that's a much more difficult skill set for me to find.
I'll also qualify that, and the one other piece, and this is the challenge for most of the technical people that I hire, is finding someone that's able to communicate, even today, with other IT people. That also is a useful skill. Yes. You. Might. Say. Well. Well. So I think the question is, you know, a challenge when we work with our partners within the business is that they can still choose to do something that's not secure, or they may not want to use the secure solution, so what does that mean to the security person who then ultimately is working in that environment at a fair. OK. So I know I just said I can teach a governance person this; this actually is very much a governance question. It's very difficult to get the technology behind security correct. With that being said, governance is really where it meets the business, and so what's important, and this is an art as much as a science, what's difficult is to talk to a business person and help them understand here's why you should give me two million dollars to do this. What I will say is the request for two million dollars is ultimately competing with a number of different groups. So for example, legal will have requirements based on confidentiality, based on GDPR, based on different regulations within the legal space. repeat I I. It's in the security space. Supply chain has requirements in the vendor space. All of us need to make the case to the business for why they should do it. From a security standpoint, the way you do that is you make the case around risk. What I've seen, I've worked in environments that are on all different parts of the scale when it comes to maturity within security. I think the hardest way to make this case is when you have an immature security program, because all you really have at that point is FUD: fear, uncertainty and doubt. You know what, we could be the next fill-in-the-blank; here's what it could cost you. Well, what's the likelihood that it could happen?
I think, and this is where it's an art as much as a science, this is where security continues to move the company along the spectrum to make them more mature, because the more you're able to quantify your risk in business terms, so for example, here's the five systems that if they went down I could no longer run the business, and if they were down for three weeks we'd be insolvent. Or all of a sudden if I can say, look, hey, the likelihood of this threat hitting this system is five percent, or even say it's high versus medium versus low, I can make a much better case to the business. And so it's frustrating because it's a long path and it's not easy to get there and it's a step along the way. But ultimately, you know, I think the challenge is you help explain to the business as effectively as you can why they need security. Ultimately you recognize it's a business decision. And ultimately you help them understand the risk that they may be accepting. I hate to question. It but I look he does them. I think. In. The country it'll. Be read to them. In a huge media. Churn. So the first question is the Mirai botnet. And are you looking for my opinion of how effective it is or not. How to solve it. So the Mirai botnet is. We could spend an hour talking about the Mirai botnet. Mirai, as background, it took a number of IoT devices; a lot of these are consumer routers, but there are other IoT devices that are a part of it as well, and it uses their combined bandwidth to do, well, up until just this last attack, the largest DoS attacks that we've seen. And basically the theory behind it is, you know, you can have five really big connections do a DDoS attack, or you can have five thousand or five million little tiny ones each contributing a little bit. If anything, the five thousand or the five million become even harder, because they're coming from so many different places that the way you mitigate that becomes much more difficult.
I think the near-term solution is, since most of these, or since to my knowledge everything coming out of Mirai is a volumetric attack, it's all based on the amount of traffic it's able to generate, I think you really focus on your volumetric mitigations, and what I mean by that is a lot of the cloud scrubbing services. You know, there's been debate on could we have the ISPs begin to start doing mitigation when they see fracture packets and things like that moving through the networks. I think that may get there. I think there's a price to pay with that, and you're also asking them to do some additional services versus simply pass traffic as it comes through, and it's not directly a part of the net neutrality debate, but I do think there's an aspect to it, because you're asking them to inspect the traffic and manipulate the traffic based on what they see. I think the long-term solution, and I think we're probably a decade away from it, is: I think we do an extremely poor job, and I'm saying that as an industry, of securing home Internet connections. You know, I remember a few years ago it was a big jump that you don't just plug your cable modem directly into your PC, and then everyone got wireless routers because they wanted Wi-Fi, and then the ISPs started taking those in. And I know my home, and I won't tell you which one it is because I'm sure they'd be upset with me, but I called them because their device was not working. And first we had to have a whole conversation where we had to establish that their device was not working, but they said, well, you know, OK, we're going to remote in, we're going to look around this a bit, don't worry, we promise we won't look at anything else on your network. You can connect into my network in my school don't want to have a firewall there so you won't connect anything else on my network but.
I think ultimately we need to look at how are we managing these devices, and maybe it's auto updates, maybe, I'll be honest, I've not worked in an environment that manufactures those, so I have thoughts but I probably don't have the expertise of someone that does. But I think we need to change that so that those become less vulnerable, and there's probably ties to the broader IoT space. You'd one of the question maybe. What's the solution. So I think kinetic threat, I think we're in the 1970s when it comes to kinetic threat. I think our challenge is how do we do fifty years' worth of development in a year or five years or ten years, how do we pull that in as much as we're able. I think, so there's people in the space who will debate with me on this, I actually think the fact that we're starting to see kind of standard network components get introduced into the kinetic threat space is a good thing. It's a trade-off, because as you introduce standard networking, as you introduce standard servers and Linux, and Linux is huge in that space, as you start introducing that in, you no longer have security by obscurity. And I know there's a number of my peers who will argue with me and say, well, if nobody knows how this works then nobody can do any damage, everybody's happy. And I told them that I talked to two people at Georgia Tech who seem to do a good job of figuring out how things work even though they don't have a manual for it. I think the more we move these to standards, and again, speaking for me, not for my employer, I'm a huge proponent of open standards, I think the more we move through that the more we can leverage some of the existing technology. If we can't leverage the existing technology, we can leverage the existing concepts and build that out so it applies to that space. But I think we have some hard years ahead of us.
But how is your approach different departments that may not be well versed from Asia through from security. Tell I guess the choice of ration where would be the same age but at the same time not confuse them because Europe is terms of you know. So I'm glad you asked; that's actually my specific team within information security, that's a big part of what we do. So I work at a large organization, eighty thousand some odd employees, probably double that once you take into account contractors, third parties, all the different. I have a team of four people, not including myself. Each of my people is assigned to several different vice presidents within IT, and what their job is, and each of those vice presidents in turn is assigned to a part of the business, each of my people is assigned to be the mini CISO and understand what does this president need, how do I address their security needs, and how do I give them what they need for security. We also have a program where we engage every division. We have twenty, I'll be honest with you, it depends on whether you ask HR or you ask one of the other groups, but we have twenty some odd divisions. We also have a program where we bring in a representative from each of those divisions. We meet with them at least once a month, although we're starting to see that communication happening more and more often. We share here's everything that security's working on that we think you'd be interested in, and then we ask them what are you hearing, because what we discover is a lot of times the business hears things. Sometimes they're true, sometimes it's not true, oftentimes it's somewhere in the middle. Hey, we're going to shut off the Internet. Well, we're probably not going to shut off the Internet; maybe we're going to, you know, we're going to block a malicious site. So that communication has really helped us. I think if I were to boil it down into a short answer, which I'm not usually good at doing.
I think what you do is you try to break the program into pieces, and that way you're able to talk about what matters to that specific group, that specific person. Because you know. Right many of them I thought are. Very. Very. Bright. Guy. When you come across. Their profile. And. You. Know how to build the face of the. Now. You're right that are. Out. And. You know, I don't know that any company I've worked at can say we are 100 percent consistent, especially coming out of the audit space. It's always a challenge, I think first because no one wants an audit comment, but also because with audit comments comes work, and work typically requires budget. You know, I can tell you the theory is that we try to assign it as close to the business need as possible, so if this was ultimately driven by an HR system that was put in securely for whatever reason then a Charles Miller should own this and they should work with their IT partners to resolve it. I also think, as you indicated, at no company that I've worked has that theory been 100 percent followed. I'll let you know once I've figured it out. All right. Anyone else. Sure. I was you. Who monitors the cybersecurity guy. Internal audit does play a role. Actually there's a whole theory of the three lines of defense: the first being the business, the second being security, the third being internal audit. Internal audit is very much a valued partner and they do keep us honest. I do think there's also a degree of, you know, in today's world a lot of the monitoring is based around some form of log collection, and it could be logs, it could be NetFlow, but some sort of collection of here's the activity that's occurred previously, and automated analysis around what occurred. From what I've seen, the important thing to do is to structure the right rules and there.
And then where it starts to get tricky is to make sure that if I'm the person doing the monitoring directly, that it at least has visibility to my leadership, or ideally I do not have visibility to it. I also think as we look at a lot of today's monitoring technology, it's limited in its ability to deliver that. I think that's something over the next two to three years we're going to see a lot more of. You talked about insider threat earlier; that's become a huge focus area, and you're seeing more and more developed in the behavioral analytics space and kind of shifting the view of security from how do we protect the server to how do we protect this person. I think you're seeing the technology start to get there. I think we're not really being. And when I say we, again, the industry, I think we're a couple years from that really being a mature state. Like it was all about. Yes people need to learn governance in this in their career. Now or. By government or it's a small. Girls. That. I think some of that question is. So the question is how quickly should people learn governance, how important is it that they do. So I think some of that depends on what role you want to play, and what I mean by that: if you give me a highly technical forensics person and all they want to do in their career is forensics, they want to sit there and image hard drives and tear them apart and look for evidence, I think they can do that with a limited understanding of governance. I do think knowing the strategy can help them be more effective, but I don't know that it's necessarily 100 percent core. What I will say is, as you start to move into more of a leadership role, I think understanding governance is foundational.
Both from the standpoint of understanding that at some point the business will accept some risks and we have to help educate them, but it's appropriate that they will, as well as when you start looking at where am I going to take my department or my division to make sure that what we're delivering is effective. You need to make sure you're aligned with that enterprise strategy. You know, one of the examples that I saw really at the last couple of companies that I've been at, that I think is going to be really interesting to see the way that it plays out over the next probably twelve months: everyone, in a broad sense, in the last two, three, four years has been very focused on big data. How do we use big data and better serve our customers, how do we use big data and better manage our suppliers, how do we use big data. Now in May GDPR takes off. GDPR is the European privacy law. How do I have big data better serve my customers, better manage my suppliers, better work with my employees, and also respect everyone's privacy? I think that's somewhere where that understanding of governance, to make sure that efforts are aligned, is important. So I think my short answer is: the more technical you remain, the less critical it is that you learn governance, but I also think it will limit you if you don't. I think the more you understand governance, the more effective it allows you to become and the more doors that it opens for you. Yeah I'd be happy to. Share with you these days by part of it there are. More of your thoughts. I want to ask you what is one piece of advice that you would give us to take this information in light slower if you are very wise and made it so that we can do our best work sure that our visions here.
You know, good question. So the question is how can we take some of this and apply it to our lives to make sure that we're secure. What I would say from the standpoint of kinetic threat: one challenge in that space is that by and large we all have technology around us every day, and by and large we don't think about it. I remember I was working for a company that had a large skyscraper in town and we were talking about kinetic threat, and it's times where, you know, we're not big manufacturing, we're not this, we're not that, so what could the risk be to us? It's, well, it's a good question, because all of our executives sat on the top floor. What happens when the computer that runs the elevator shuts off and won't come back up and our executives have to walk twenty some odd stories every time they want to go to and from their office? So I think, I say that anecdotally, I guess what I would probably challenge is look at where computers impact every day, look at where that kinetic threat could come in, and then whether it's in the audit role, and I know. So a lot of our focus started actually when I was in audit, doing an audit around kinetic threat, and then it created interest from other parts of IT and the business to start exploring that space more. You know, it highlighted it, it created the visibility. So particularly when you're sitting in the chair of the auditor, I think it's a unique space to be, and it is a space that I very much enjoyed, and I think it's a space really able to highlight things where others within the company may be very focused on their day-to-day problems, their day-to-day issues, and I think sometimes you're in a position to take a step back and say, well, have you thought about this risk? And oftentimes that will drive a lot of motion in the space. Yeah, so, and thank you to everyone. I appreciate you taking the hour to be with me, very much appreciate you putting up with me talking for an hour, so thank you.