Meet Our Guest
Milad Aslaner
Chief Product Officer at Guardsix
Milad Aslaner is Chief Product Officer at Guardsix, the European cyber security vendor formerly known as Logpoint. With more than two decades of experience in cyber security, Milad began his career as a practitioner before moving into product leadership at one of the industry’s largest category leaders. He now leads product strategy for Guardsix’s SIEM, SOAR and log management platform, helping defenders across Europe detect, investigate and respond to threats faster.
Milad’s focus is on the realities facing lean security teams, the organisations that have to deliver Fortune 500-grade defence on mid-market budgets. His work blends deep technical insight with a pragmatic, business-led view of risk, helping CISOs, SOC analysts and threat hunters cut through the noise and operate confidently in a hybrid warfare era. He is a recognised voice on identity-led attacks, data sovereignty and the geopolitical drivers reshaping the modern threat landscape.

ONE-PAGER
Geopolitics and the Modern Cyber Threat Explained with Guardsix
Best Practices & Lessons Learned
Geopolitics is no longer a sidebar to cyber risk. Hybrid warfare in Eastern Europe, espionage-led campaigns out of Iran, and rising scrutiny around US-headquartered vendors are reshaping how UK and European organisations think about resilience, data control and supplier reliance.
This one-pager distils Milad Aslaner’s lessons into four practical priorities every defender can put into action, covering identity-led compromise, blast radius containment, telemetry blind spots, and the difference between detection quantity and detection quality. A practical companion for security leaders, IT decision-makers and boards setting risk priorities for the year ahead.
Episode Transcript
Adam Myers:
So hello and welcome to our podcast, Tales from the CyberLab. My name’s Adam Myers and I’m the Sales Director here at CyberLab and I’ll be your host for today. Joining me is Milad from Guardsix. Welcome.
Milad Aslaner:
Hey, Adam. Pleasure to be here.
Adam Myers:
Yeah, great to have you. Can you maybe just explain a little bit about your role and what you do on a day-to-day basis?
Milad Aslaner:
Sure, with pleasure. I’m the Chief Product Officer over here at Guardsix, and you could say I use my 20 years-ish of experience in cyber security, having started as a practitioner myself, to build products and services, together with my team, that help defenders to detect and respond to cyber threats as they happen in their environment.
Adam Myers:
Amazing. Yeah. And we’re going to talk a little bit about geopolitics today. So I guess Milad, to set the foundations, how has the evolving geopolitical landscape changed the cyber threat environment for organisations? And I guess what feels materially different now compared to a few years ago?
Milad Aslaner:
What is fascinating in our industry: every year the vendor community pops up with their predictions. Actually, they first start with their lookback of the year, and it’s typically along the lines of “look how horrible the world was.” And then they give a prediction for the next year, which is “look how much worse it will get”. Unfortunately, that’s the reality that many of us are facing, though. So if I look into the threat landscape, there are four themes that I see. The first one is identity-led compromises. So identity is the access into the battlefield. And what is important, I think, for us to be aware of there is that attackers don’t necessarily break in anymore like they used to. They log in. They find their credentials, they find the identity details. And, as simply as that, they log into the environments. The second one is persistency and stealth operations. Someone very famously once said, “it’s not a matter of if, but when”. So it’s the mindset of assume breach: assume you are already compromised, you’re already breached, and you will find patterns around that. These are slow and stealthy attacks, quiet, high-context operations that are designed to be undetected by nature. The third one would be that attacks are becoming more disruptive and propagating attacks themselves. So the impact is the objective for many of these large-scale attacks that we are seeing. And when they happen, they’re typically very fast moving, high impact, and often also coordinated with real-world events. And that is especially true when you look into some of the activities we are seeing from Russian threat actors that are working, quote unquote, hand-in-hand together with the military arm. We are on the brink of a hybrid warfare there. And I guess the fourth major theme that I see is that, just like we as defenders are looking for ways to incorporate new technologies and all the acronyms that exist there, from large language models to GenAI and all that stuff, well, attackers are not waiting either.
Attackers are also doing the same, and we start seeing the first signs and evidence of AI-based attacks in the world.
Adam Myers:
I think with that, the role of AI is probably making things larger on scale so we can push that even more. And with things like military grade tools that you probably see in geopolitical scenarios, it’s like you said, it goes hand in hand with the hybrid warfare at the same time, but the tooling is obviously a lot more sophisticated along with AI and how that can add weight to those incidents. It feels like it’s even harder now to defend against in those real world attacks.
Milad Aslaner:
Absolutely. If you think about it, we come from an industry, go back to the antivirus era, where we were providing signatures on a regular basis to the organisations, and the signature was a known quantity. So you knew something very specific would happen. Well, if we were to detect that very specific thing, then we could also prevent that. Then we said, oh, wait a minute, it’s not just about this one line of a signature. There are behaviours and patterns that we need to recognise. When we went through that transition as an industry, we said, “Well, we probably want to do this much quicker.” And that’s the era where we said, “Well, waiting for a DAC file is not good enough.” So the vendors in our industry, we said, “Hey, what does that mean in terms of near real-time detections?” But now, if you think about it in the era of AI-based attacks, you actually need to think about not just near real-time, but you need to think about how you actually get to a real-time state, and also how you build the right security controls across your people, process and technologies that can adapt, just like the AI will adapt as it learns and fails breaking into the environment.
Adam Myers:
And you mentioned around assumed breach, that’s where we should work from. So our Pen Test team do a lot of testing and we start from that point. And I think it’s something maybe if you could just expand on that, because I think a lot of people, they’ll test that within their incident response plans and perhaps they should be starting there to see how far a hacker could potentially move within their environment. Do you think that’s something that our listeners should take away from this first topic?
Milad Aslaner:
For sure. I think what is important is that we sometimes tend to think, well, it is only a technology choice that we need to make, or it’s only the deployment of the technology, or it’s only the incident response process. Well, it’s only if we were to put all the SOC analysts into a virtual room or physical room and train them, then we are done. That’s not the real world. That’s also not how attackers think. And that’s why, as long as we think that way, attackers will always have the upper hand. We need to flip the game here. We need to embrace the way, in many ways, attackers are thinking: we’re entrepreneurial on getting the mission done. We need to think the same way, which is how do we actually, day in, day out, stress test our own systems? How do we actually think of breaking in? If we were tomorrow to ask a SOC analyst, a threat hunter in our organisation or within our partner, and say, “Hey, break in. Let’s simulate our incident response plan. Let’s understand what actually would trigger in our systems.” Let’s not tell the entire organisation that we’re doing it, in order to validate that, if a critical situation happens, really someone wakes up at 3:00 AM to pick up the phone or pick up their laptop and get the job done.
Adam Myers:
We see that a lot with the tabletop exercises that we actually do and carry out, is that we stress test the board, for example, and that’s a good starting point of who actually releases the PR if there’s a breach and who updates clients as well. And all those scenarios tend to unravel a little bit of the gaps of whose responsibility is what and who is to step in and do things. I think again, what you’re saying there is stress test that and see it in a real environment of how you actually would respond in those specific instances. So leading into our second topic, looking specifically at Russia and Ukraine, what lessons should organisations take from the way cyber operations have been used alongside wider strategic goals?
Milad Aslaner:
I think there are a lot of learnings in there, but if I were to summarise, for me, at least my personal takeaway, physical and virtual warfare are no longer in isolation. We are living in a hybrid warfare era, and Russia unfortunately is leading the way in many aspects with that. We can see clear evidence with threat actors like APT 454 or Sandworm, APT29, that are coordinating their attacks together with the military arm in order to disrupt critical national infrastructure, in ways to prepare for the physical world or physical army to hit the targets in there. So we are seeing aspects when it comes to service disruption, infrastructure impact, as well as pressure testing civil systems that exist in there. And these are really like spillover risk beyond the immediate battlefield.
Adam Myers:
I think if anyone listened to our last podcast episode with Steve around critical national infrastructure, there are some really good takeaways there for OT technologies and how that is targeted, and some real top tips from Steve on how to mitigate that risk. So I guess Iran is often discussed in the context of cyber operations and regional tension. From your perspective, what should organisations understand about the risks, and how do you recommend they approach them pragmatically?
Milad Aslaner:
When it comes to Iran, I think the difference compared to Russia is that Iran tends to be more espionage-heavy, and they tend to target more specific individuals as part of their primary missions. So a lot of the public cases that exist across APTs like APT 34, 35, MuddyWater and so on, it’s really more geared toward credential theft, but then civilians and long-term access as part of that. So again, I think Iran is an example here when it comes to what I mentioned earlier around identity being the entry point to the battlefield.
Adam Myers:
And I guess those basics around detection, response and readiness across campaigns are important there, and looking at that in terms of, I think they use predominantly proxy groups as well. So there are things there that maybe our listeners could take away. Have you got any views on that at all, or what you think?
Milad Aslaner:
I think in general, what I see with all the adversaries that are out there, or the threat landscape, it boils down to not trying to build a plan for a specific APT or a specific country, because in reality, what matters is not necessarily just what’s getting covered in the media or what’s the latest threat research in general terms, but what matters is what is the applicability of that to my organisation, to my industry? Because very often you will find that in the specific instances, these missions, these campaigns are carried out by adversaries that are specifically focused on an industry, on a sub-segment or specific techniques, where we need to get smarter, and that is understanding what is my organisation’s threat landscape, what is the risk profile around that, and then build the right security controls across people, process, technology for me, not trying to generalise it, but being specific to it. So if I’m an energy provider in Europe, I need to understand what does my threat landscape look like?
Adam Myers:
We do a lot of workshops as well within industry and verticals, and I think that’s really good just to talk within clients that share best practices. And that always works quite well for us. So we do that at some of our events and roundtables. So if any of our listeners are interested in that, then we can by all means bring that to life with other customers and verticals that suit your organisation. Before we jump back here, just a quick word on something which I think helps connect what we’re discussing today. When geopolitics, regulation and supply dependency shape the threat landscape, often the difference is visibility, and that’s where CyberLab and Guardsix come in. Guardsix, formerly known as Logpoint, provides SIEM, SOAR capability and log management designed to help organisations detect, investigate, and respond to threats faster. And as a Guardsix partner, CyberLab helps you get real-time capability in practice, from onboarding to use cases and fine-tuning those detections. If your organisation is struggling for visibility and needs help with alert fatigue and how to manage things such as SIEM and SOAR, then this is where we can help. And that’s CyberLab, your trusted cyber security partner; alongside Guardsix, we can help with those detections moving forward. Back to the episode. So a lot of organisations struggle to turn nation-state activity into something measurable. How do you recommend translating what’s happening in the threat landscape into risk and prioritisation and investment?
Milad Aslaner:
No, that’s like, I guess, the one million euro, dollar or whatever currency our listeners subscribe to, question.
Adam Myers:
Yeah, it could be anything!
Milad Aslaner:
Could be anything! Ultimately, our line of business is risk management. So if I think about it from that aspect, we need to understand the likelihood of these types of things happening and then build plans around that. I think it’s important to be realistic that, just like Rome was not built in one day, this is not going to be done in one day. And I would even go that far and say that from a cyber security perspective, it doesn’t matter if we talk about architecture, we talk about incident response processes, threat intelligence – the job is never done. So if we talk about nation-state attacks, we need to understand what is the likelihood of this targeting my organisation? No, not every organisation in the world will be targeted by these nation-state attacks. They might be if this is part of a global campaign that they run, but it’s very isolated typically, or very targeted. So step one, understand likelihood: can this actually happen to me? Should I anticipate this happening to me? If the answer is yes, then you look into what is my organisational readiness when this happens? And this could be a number of things, from tabletop exercises to stress test things all the way to your own employees trying things. Don’t wait for the picture perfect, get going. What’s, I guess, atypical for a vendor to say is think deeply on what is it that you have and what is it that you need? Because only you can make that decision, and then bring in the right partners that can bring in the right vendors where needed, where it can complement your security strategy. It’s your security strategy; it’s not the vendor’s or the partner’s strategy ultimately.
Adam Myers:
And I think you summarised it well there around how we manage and mitigate risk; I think that’s what we do as a whole. And that often starts for us, we see, within maybe doing things like a NIST Assessment initially, just to benchmark yourself against the industry standard. And that could just be a way of prioritising what’s important to you and your vertical and where your gaps are. Because what I see from those assessments is everyone is different, and you have different tools and technologies, and you might have a large team that can manage a lot of this, or you might be a small team that needs support. So I think my takeaway there would be manage that risk, but start with that sort of benchmark of where you’re at. And then from there you can make those key decisions based off some of the key frameworks that we do.
Milad Aslaner:
100%. I mean, at the end, if you don’t know where you start, it’s pretty hard to build a credible plan on where you need to go. You need to establish the baseline so that you can understand, okay, if this is the base, where do we need to go, and then build a roadmap for it. Don’t over-engineer it. What are the short-term quick wins? What do we need to do mid-term, and where do we need to go long-term?
Adam Myers:
So those quick wins as well come at relatively low cost. I think often we talk of cyber security and we think big budgets, and you need to be a large enterprise or a large public sector organisation to spend money on some of the key tools, but often it can be a low-cost thing for your business that might actually help you the most. So again, it’s not always big budgets when we talk about this. It is often the quick wins that will give you the most coverage when it comes to managing that risk.
Milad Aslaner:
Absolutely. I mean, I would go even that far: if I think about what excited me to leave one of the bigger category leaders and join Guardsix, it was essentially also the focus on these lean security teams in Europe. I agree. It’s not just about that; people tend to think cyber security products are like these super expensive things, designed for Fortune 500 organisations, and only they can do the job. Well, they can do the job for the Fortune 500, sure. But if you then zoom into specific industries like critical national infrastructure, and then even within there, think of, I don’t know, oil and gas, energy and so on. Or you go even outside of CNI and you talk about the mid-market. They don’t have the capacity to operate these types of complex solutions. They’re looking for something much more simple to use, simple to operate, simple to run, that still gets them, you can say, the comfort they need in order to know that someone has their back.
Adam Myers:
Yeah. Amazing. I think that’s so true, and I feel that, and we’re here to help, and that’s what we try to do. We’re trying to manage that risk for you, be that sort of key organisation that you turn to when you need support, and often it’s not those big budgets. We can do things that tailor to risk even on low budgets. Let’s discuss data security. So when organisations talk about wanting control over their data, what does this actually mean in practice for control, compliance and security, and where do you see that organisations get caught out?
Milad Aslaner:
I think today there is an assumption, a wrong assumption, which is, well, if I need cyber security capabilities or competencies or products, I have to go for a US or Israeli vendor. Well, if you think about the underlying reason, well, it’s because most of the vendors in one way or another have their origins there. Now that is not by default a bad thing, but it comes with pros just like it comes with cons. To me, especially in the world that we are navigating today, a big concern is how much access in theory the US government can have to the data that is stored. And if you then think about cyber security products, we tend to store a lot of critical proprietary information in these systems. So what I start seeing from the market, or from the customers and partners when it comes to data sovereignty, is that they’re revisiting how much exposure to US vendors should be in their supply chain, because of things like the US Patriot Act, because of things like the US Cloud Act. And we’ve seen public cases where, for example, in France, Microsoft has admitted that if needed, they have to grant access to the US government, irrespective of whether the data is hosted in their Azure data centres in the region. So I think that there are a lot of discussions happening now, and I can only imagine that this will continue to happen, especially if you then layer in all the geopolitical tension across US-China, Europe with Russia, Iran with US and Israel. I think there will be a much bigger emphasis on data sovereignty, and we start seeing isolated not only discussions but evidence of that. If you look into, for example, the Kingdom of Saudi Arabia, I think it was now three, four years ago, they announced that their data needs to stay within the country boundary for their public sector organisations, and they have encouraged the private sector to follow, and we start seeing similar discussions also in Europe.
Adam Myers:
I think that leads us onto those complex supply chains. You kind of touched on it there. So I guess how should leaders evaluate those dependencies, and what actions generally improve security, compliance and control? Because that for me is an area that we have with hack risk along managing supply chain. But what’s your view and take on that, Milad?
Milad Aslaner:
I think you need to think about the layers of it. If you think about what we need to run our businesses, the reality is it will all trace back to some chips that are produced by US or by Chinese factories or companies. So I think there is a difference between what we expect in terms of data sovereignty and protecting our proprietary data as much as possible, but then there’s also the reality of running your business. What is important, going back to a risk management perspective, is mapping this journey out and being really clear, not just inside the CISO organisation, but also to the management team and to the board, on what is actually our exposure as an organisation to these foreign jurisdictions and to these foreign vendors, and then assess which of these risks are acceptable and which ones are non-negotiable and need to be replaced.
Adam Myers:
Yeah. And it probably starts within that procurement phase, I guess, where it’s contracts, transparency, you discuss an escalation path; that tends to be where you might even start at that point of managing that risk when you’re onboarding suppliers yourselves. And we see a lot where you might have had a historic relationship with a supplier, and you’ve had that maybe over 10 years. We see that now we probably do a little bit more due diligence on that, just to vet organisations and make sure they work to the standards we expect. But you might have had a relationship for say 10, 15 years, and you may not have gone through that onboarding process as much as you might do now if you onboarded a new supplier, and what risks they might pose to your business.
Milad Aslaner:
Yep. And that goes back to keep simulating, keep stress testing; don’t take the worst it can do, which is you just accept, well, “we’ve always done it this way”, because I can bet with you the attackers will not say, “Oh, we tried it once, we will not try it again.”
Adam Myers:
Yeah, exactly. So I guess this has been a great episode, and I’ve really enjoyed talking to you today. So if there was one key takeaway that you would give for our listeners and our audience, Milad, what would that be? If you could just give one hot tip on what they can summarise from this episode, what would it be?
Milad Aslaner:
Well, one is difficult – I have a few, but I guess I can package it under an umbrella for you, and then I still squeeze in a few other things under that. I guess the umbrella is be aware of what is happening in the industry that you play in, and that is the assumed breach mindset. Now in there, I would say a few things are important. One is you’ve got to assume identity is already compromised, and you’ve got to design your security controls with that mindset. The second one is you’ve got to think, as you build these security controls, about the blast radius that will happen: how do you contain it? So it’s not just about prevention; it’s about when the attacker is in your environment, how do you contain them in an area for as much as possible? Third would be how do you eliminate telemetry blind spots? These are a reality. There will be blind spots that you have. Go back to what’s the baseline, what do we need to achieve, and then map what is the telemetry gap that you have in your systems, and then build a plan for that. Fourth would be, I’ve seen a game in our space, which is, “oh my god, I have 800 detections, so I’m good!” Quantity means nothing. It’s about the signal-to-noise ratio. It’s about making sure that you have the right detections with the right quality, and that is much more impactful than volume, because the volume will just kill the team that needs to operate it. What matters is not whether you have 800 detections and have, I don’t know, 30,000 alerts per day. What’s much more important is how do you get to a very high true positive rate, with ideally even a smaller set of detections.
Adam Myers:
I think that leads into alert fatigue, doesn’t it? We see that a lot within organisations that maybe implement tools and technologies, and over time it becomes a bit of a challenge to manage. So again, I think a good takeaway there around managing quantities, and yeah, definitely something to factor in with alert fatigue for teams and how they manage it. So that concludes this episode of Tales from the CyberLab. Join us next time for a brand new episode. Until then, Stay Secure.