Securing operational technology: ICS, IoT, AI and more | Guest Francis Cianfrocca

Every week on Cyber Work, listeners ask us the same question: what cyber security skills should I learn? Well, try this: go to infosecinstitute.com/free to get your free cyber security talent development e-book. It's got in-depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. We took notes from employees and a team of subject matter experts to build training plans that align with the most in-demand skills. You can use the plans as is or customize them to create a unique training plan that aligns with your own unique career goals. One more time: just go to infosecinstitute.com/free or click the link in the description to get your free training plans, plus many more free resources for Cyber Work listeners. Do it: infosecinstitute.com/free. Now, on with the show.

Today on Cyber Work, I'm joined by Francis Cianfrocca, CEO of Insight Cyber, to talk about security problems around OT and IoT systems. You know this topic is one of my pet concerns, and Francis treats us to some very surprising stories of intruders in the electrical grid, why it's so hard to secure a set of machines that often predate computer technology, and the small changes in your community that can make huge differences in the entire security industry. It's a bit of bad news and a bit more good news, today on Cyber Work.

[Music]

Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of infosec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry. Francis Cianfrocca is the founder and CEO of Insight Cyber, a cyber security startup developing a new AI-powered security service to provide insights and protection against a wide range of threats in cyber-physical environments. An inventor of key technologies at
Insight Cyber as well as a previous company he founded, Cianfrocca is a noted expert in the fields of data security, computer language design, compiler implementation, network communication, and large-scale distributed application architectures. Having a background in music, Cianfrocca attended the Eastman School of Music at the University of Michigan. Uh, so yeah, today our theme is, um, AI solutions, uh, in both the IoT and the OT sphere. So Francis, thank you for joining me today. Welcome to Cyber Work.

Thank you so much. Great to be with you.

Uh, so to help our listeners get a sense of your personal history, let's start out by asking, uh, how you got interested in computers and tech in, in the first place, and how that interest, uh, eventually expanded to include things like cyber security and AI.

Yeah, thank you. Well, so, uh, I'm one of those kids, and you've met many of them, that started off with an interest in computers, just kind of born in, and I, I've always been interested in them and always also been interested in electronics. And so that kind of led me to, um, what we call the cyber-physical world, in other words, connected machines, not just computers, but non-traditional devices and machines that are connected to networks. And I, I was in that real early, and of course artificial intelligence and cyber, cyber security came along when we were building, uh, some really large-scale systems for enterprise data handling, and security just got to be a major thing when the internet got big. Oh yeah. You know, and artificial intelligence is, there's just so much to say about that. It's so transformative in many, many ways. I, I do believe that it changes the way every human activity proceeds, and so that's just a real important part of the, the background too.

Yeah. Um, so okay, well, we're going to talk way more about that too, because, uh, yeah, I, you know, we've had a couple different people talk about AI sort of tangentially to other things, but I'll be excited to kind of go right into the, to the heart of the beast here. So, um, uh,
whenever I do my, my pre-prep for these, I like to peek on my guests' LinkedIn profiles, as it gives me kind of a quick shorthand to understand your career journey. Uh, you know, so yours is quite interesting, as it seems that you went right from your schooling into founding the IT and OT solutions company Bayshore Networks. Um, were there any other formative work or learning experiences before that?

Yeah, I mean, I, I left out a bunch of stuff. Sure. I worked on Wall Street for a few years. I'm a New Yorker. Um, and I also did a lot of work on what industrial controls engineers would recognize as the very early PLCs and what we call distributed control systems back then. So that's why I said connecting computers to machines has always been big in my career. And I also founded a company prior to Bayshore called Tempest Software, and we, we built a very large-scale messaging bus for enterprises, and this is right around the time that, uh, um, that, uh, people were becoming very, very interested in the cyber security risks, and that just came to the fore, and just because we had to solve those problems, um, that ended up becoming my career.

Now, um, can you, can you talk about, uh, like, the early days of sort of the ICS systems that, that you mentioned there? Has it, has it changed a lot? I mean, that, I'm, I'm always looking for people to talk about ICS and infrastructure security and, you know, and all that, because it's, it, to me it's, it's just like one of the hugest imaginable threats, just to think of all these different municipal facilities and stuff that are like way wide open because there's no one there to, you know. But what was it like back in the day? Because now it seems like, you know, with, with more tech comes more, you know, possibilities to hack it and more worries and so forth. But what was it like back then?

Yes. Well, way back in the early days, um, it was all about measuring industrial processes, temperatures, pressures, voltages, and feeding those data points, that telemetry, into computerized computer programs
that could do more advanced analytics, and so this would give you a view into what processes were doing and also an ability to control them. And I remember, you know, some of the earliest things I worked on, oil, the oil business, controlling new oil refineries. You realize we haven't built a brand new oil refinery to any great extent in the United States for over 30 years. Uh, that's a, that's a different story, but 30 and 40 years ago we were building new refineries that had these industrial, these computerized control systems. All right. And, and a lot of that, well, way, way, way back then, the, the, the kind of sensors, the way that you connected the computer to the physical world, was through what we call the fieldbus, that's what engineers call it. It was serial, RS-485 protocol, serial bus, you know, differential voltages, the kind of thing you'd find in a telephone modem from way, way back then. Gotcha. And about 30, 30 years, so 30, 25, 20 years ago, there was a big motion to replace all of that stuff with Ethernets, with Ethernet computer networking. Okay. And the, the motivation for that at the time was cost, because a lot cheaper, a lot easier to manage. And what happened at that time, at the same, same time, people said, wait a second, all of a sudden all of our industrial control, uh, protocols are now, we can connect into our computer applications, and we can feed them outside of the shop floor or the substation or the water processing plant, feed them into our other computer systems, and that just opens up many, many, many wonderful opportunities to manage your processes better, save money, control them, and this is all really good. You won't put that genie back in the bottle, because there's way too much business value that is created by it. Right. And that's another long, long story that many people have told. But of course the security aspect of it comes in in a big way, right, because now all of a sudden all the bad stuff that is out there, uh, it has, has access, if you will, sort of jump, jump the, uh, the, the gap.
Right, right, right.

And one of the things, and I don't want to go too deep because you got a lot of questions for this, but I think it's important to recognize, you know, the vulnerabilities. We, you talk, talk a lot about cyber security, and everybody's had the cyber security training for computers, and we know what it all is: firewalls, change your passwords, don't click on emails, links in emails, right? All that's good advice we all have to follow. Think a little bit about, if you compromise a computer, okay, you can steal information. Really, really bad. You can damage your reputation, you can damage your customer service, all kinds of bad stuff. Um, and, or you can, you know, take down your email. That's really bad for business. You can mess up your databases, take them offline if you're really good. That's bad for business. But think about if I can destabilize or make a robot or a water filtration system do things they're not allowed to do or they shouldn't do. Okay, the impact of that is at a whole different level. Now, bad stuff, you recover from it, but now we're talking about maybe hurting people, killing, poisoning people.

Yeah, absolutely. Shutting down power grids and, you know, creating, uh, you know, uh, well, whatever, we can, we can avoid the sort of Dr. Strangelove, you know, comparisons, but yeah, yeah, everything up to that point, for sure we can, we can also still talk about very, uh, very cogently as an, as always an option to be watched out for.

Oh yeah, yeah.

So, um, before we get into some of the OT and IoT, um, stuff we're going to discuss, I, I like to give people a sense of what, um, a person's day-to-day job is for our guests, because I think a lot of our, our listeners like to, uh, you know, imagine themselves in these different roles. So now that you're the CEO of Insight Cyber, can you tell me about the day-to-day work that you do in that role? Do you have certain common tasks that you work on every day, and how regimented is your every day? Do you have anything that gives you the Sunday night blues, that you worry
about, you know, lose sleep over, things like that?

Well, we're, we're a startup. Uh, we're, we've been, we're doing very, very well. Uh, we're getting a lot of new customers in, but I spend a lot of my time building my team. All right, the most important thing for a CEO of any company, but especially a startup, is to build a great team and everything that that involves. So that's a lot of my time. But most, most of what we're doing on a daily basis is we're just working with new customers, bringing them into our, uh, into our, uh, our system, and showing them, uh, what we focus on is helping people to see what they're not seeing, all right, see what they're missing, because that's really important in cyber. All right, and, um, a lot of the problems that people have with managing their cyber defenses is because they don't have good enough visibility, or deep enough, or, uh, and that's a very, very big job. So, you know, if there's anything that keeps me up at night, it's just how bad it is out there. As we are looking in our customers' environments and we're helping them to see, to gain more visibility and more detail, more insight as to what's going on, all kinds of stuff is just coming out of the woodwork. And, you know, you can use your, your listeners use their imagination about how bad it is, but there's a lot more going on than, you know. The attacks are determined, intelligent, stealthy, and that's where people kind of miss the problem. So that's what we're, uh, we find ourselves working on a lot.

Yeah. Whenever I talk to ICS people and, and related people on here, it just feels like I'm talking to, like, a locksmith that's, like, walking into a town where no one has any locks on their doors, and you're like, what are you all doing? You know, so I mean, I, I gotta ask about that. Like, how did, how did this, how did we let this get so bad in the first place?

Well, I, I think the one word, if there is a one-word answer to that, it's convergence. Okay. Right. You, yeah, I told you the story about how people, uh, saw great value, initially for
financial and management reasons, and then later just because so much good business insight and value comes from connecting systems together. And the industrial control systems, and, you know, I love talking about industrial control, so don't let me bore you with this. No, please, I love hearing about it. Industrial controls as we understand them now, the mathematics underneath them, which is quite sophisticated, been around for a little more than 100 years, right? Well, computers have been, only been around for 60, 70, like that, and in computerized control systems for much less than that. But the, uh, and control systems technology is exceptionally mature from a mathematical perspective. It's fascinating stuff. Okay, the ways that control systems fail are very well, well defined mathematically, you know, and engineers work with these well-defined situations. As soon as you bring bad guys, as soon as you bring hackers and malicious actors into the mix, all that lovely math flies out the window, and you're talking about stealthy people who are trying to hide their tracks. And the control systems were designed for robustness, they were designed for safety, okay, they weren't designed for security. And it's an old story, right, but it is really true. Convergence of these systems, when it happened, there were no additional controls built in to, uh, to apply security. Right. You really, it's hard, perhaps, people who aren't so well versed in ICS, it's hard for them to understand that adding secure, computer-style security controls to industrial environments, exceptionally difficult to do, because the processes like to be naked on the metal. You know, they don't like to have extra packets added in, they don't like things like firewalls, because it changes the timing of the processes. And so there's very little you can do. And, and, and even patching, one of the, the, the big, big things, everyone, you always patch your systems, yeah, the latest, latest security fixes, that's almost impossible to do with hardcore industrial controls for a
really important reason: they're designed for safety, they're tested for safety, okay, and so as soon as, even if you change an operating system version just by a little bit, just to patch it, you've invalidated all your safety testing. So people resist doing that. Yeah, yeah, yeah. So you need another approach to add the security.

So some of the instability, not the instability, the insecurity of it is almost kind of baked into the process in a way that it's kind of hard to undo. That's, you would need to kind of rethink that.

Yeah, you're absolutely right, you're 100% right. Well, a more positive way to say that is that we just need a different approach. Okay, the approaches and techniques that we use to add security to IT systems don't, are not as applicable on the ICS or industrial or the IoT side, and so we just need better methodology or different methodology.

All right, let's get into that, as my next question anyway. Uh, so what would it take to make a major improvement in the state of our infrastructure security, legacy systems, and our insecure or unpatchable IoT devices? I mean, if this is a, you know, way to go, if there's a way to go forward with the massive initiative of some sort, like, like what would that, what would that look like? Or is that doomed to just be a forever, a piecemeal repair here and there?

Yeah, Chris, I think that is just a wonderfully framed question, and, uh, you know, as I think about it, it's like we all would love to have a, forgive me for oversimplifying, but a silver bullet. Yeah, a major thing, like a moon shot, something. Yeah, you could spend, I use the phrase of magic gavel, you know, like. Yeah, yeah, sign something in the law, everything gets changed and it's all fine. Yeah, there are costs. Yeah, exactly, let's recognize it's a problem worth solving, just billions of dollars, but let's do that. Well, I'm not quite so sure there is one single approach, right, and we can talk about this, because there are, people have proposed things like massive isolation of industrial systems. Uh, we could, you
know, there's a lot. In what sense? In the sense of literally, literally closing off the, uh, the computer networks. This has been discussed a fair amount in the power grid, in the specific context of electric power, where, you know, you, you take all of those assets, and they're distributed geographically. So, so electric power is different from most other ones, where like factory floor, it's all within four walls, right? Yep. You've got one chokepoint, ideally, where you could close it off. Power grid, it's over thousands of miles of geography, okay, much harder to do. And there has been a lot of thought given by smart people to standing up a completely separate, uh, closed computer network, right, or systems. Of course, like an electrical intranet or something, or an electrical internet. Yeah. Wow. Think about it, that's, it's not, it doesn't convince me, because again, all those assets are out there and you can, you, you can, you can physically access them. Yeah, because you've closed one door and opened many others. Yeah, yeah. You know, I think we, we need to get better at monitoring and understanding what the threats are. And one of the things I'd like to say very much, by way of, you know, to answer your question, right, what is, what is a major improvement we can make, what is a methodology improvement we can make: we talk a lot about looking for vulnerabilities. I, this, a standard process with cyber, cyber defense is to look at all the machines and all the assets you have, map them against known vulnerabilities. Okay, that particular operating system or that application or that particular industrial machine is vulnerable to this kind of an attack, and there are databases that, big ones, and well, really well done ones. Here's the problem with that: scale. All right, I can look across an infrastructure with millions of connected devices in it, and I'll find tens of millions of vulnerabilities. It doesn't give me a pathway to become more secure. All right, it gives me all tens of millions of things to look at, and I'm not gonna, I'm not
gonna patch them all. Yeah. Okay, yeah, let's get on that, three weeks from now we'll patch everything. Okay, forget about, you know, how much that's gonna cost us and how many additional problems it creates. Oh, and then three weeks from now we'll have a new list. Okay, we'll start up. No, it's not plausible. So, um, we, we, we like, in my company, and, you know, my, my friends, we like to talk about: don't look for vulnerabilities, look for attacks. Right. Yeah, look for what is really going on that is really problematic. Catch it early so you can do something about it. And there's some interesting things to that, some aspects of that are, that matter with industrial, because, um, with industrial you, you have the ability to catch things early, because, here's why, and this is subtle and this is interesting. Um, to attack a power station or an auto assembly plant or a telephone central office, the bad guy needs to know what's in there. Okay, if you are just attacking Windows computers and you find a new vulnerability in Windows, that's all you need. You know, just, you know, find somebody to click on a link in an email and you're in, and you can attack them. Okay, with industrial controls you kind of need to know what's in there, so that you can, you find a vulnerable Windows computer, that doesn't change, that's still part of the attack methodology, but once you're in there you want to do a lot of damage. So people do recon, reconnaissance, and they snoop around those networks looking for stuff, and when they find something they have to apply some pretty special knowledge to know what they can do to make some damage. Yeah. That's, that takes a little bit of time, and that opens a vulnerability for the bad guy. Okay, that's a way to attack him. So we, we like to, instead of looking for vulnerabilities, because those are everywhere, right, we look for traces where people are already trying to recon you, and we close those off. Right. Now what does that mean, all right, practical? That's another huge scale problem, and that requires very
specialized knowledge. You got to know what you're looking for, otherwise you're boiling the ocean. Okay, so that's why we said that's a job for artificial intelligence. That's the kind of thing that, if you had an AI that was well enough trained, or a suite of AIs each with slightly different training, looking at different things, you could approach that, and that's, that's turned out to be promising and fruitful for us.

Yeah, so the AI is almost like, I, I keep thinking of this in terms of, like, you know, breaking into, like, Fort Knox or something. Like, it's like if you're, if, if they find an open window, but the room that they get into has a locked door or no door, then it's of no use. You know, we've had another guest that said vulnerable doesn't necessarily mean exploitable. But, um, you know, and then, you know, there's other people who have talked about, uh, selling vulnerabilities that you found to hackers. You know, like they just find vulnerabilities to find vulnerabilities and leave it to someone else to try and get in there, and, and so forth. So this, I mean, the AI solution almost sounds like it's not quite like putting, like, uh, you know, a welcome mat down for attackers, but it's, it's, it's knowing that there's always going to be activity on the perimeters, and you're kind of, you know, the AI is kind of like these sort of, like, you know, CCTV cameras or something that are, like, seeing rustles in the bushes.

I think you're right, and, and it's, it, it's really easy to oversell AI, because there's a, you know, there's millions of people out there that are talking about AI and overselling it, and that's fine. Uh, but, you know, if you understand what it's good at and what it's not good at, it's really good at finding patterns in very, very large and high-dimensional data spaces, and this sort of matches that problem. I really love what you said. It's like, you know, if you had a CCTV that would just, you know, if you got them everywhere, okay, and they're good enough to just tell you when you need to know something, and
you can trust them to watch, to have your back the rest of the time, and you've done, then you've solved a good part of the problem.

99% of the, the cameras just show all, all quiet on the western front, and so, uh, yeah.

Yeah, and I love the way you say 99, and I'll tell you why, because this is another thing that I, I think is very important about the cyber security mindset. We all, as cyber sec practitioners, have come up with, well, the bad guy only needs to be right once, I need to be right 100% of the time. It's the wrong mindset. You're never going to be 100%, ever, and if you try, you're just going to spin your wheels. But if you find 98% of them, you know, with 20 or 10% of the effort and cost, you've done a lot of good for yourself.

Yeah, and also I think that, that cuts down the ability, or the, the chance, that you're gonna just burn yourself out, because you're, you're constantly, like, waiting for the inevitable thing to happen, and, yeah, have to smash every bug and have to get through, you know, everything. So, um, yeah. So, um, you know, I understand that, that money and budgets are always a factor, but what are some of the, you know, we talked about the, the AI aspect, what are some of the logistical issues in implementing these kind of mass security upgrades, the, uh, you know, as you said, the moonshot or the magic gavel or whatever?

I'll tell you what I think the biggest issue logistically, and that also is a really well framed question, because that gets to what, what people need to plan for: network implementation. I think that the, the bad guys hide their, they're incredibly good at hiding what they're doing. That's their whole stock in trade. If they, if they, if they do obvious things, you'll find them and you'll clean them out. Okay, they're really good at hiding their recon activity so that it looks normal. All right, and, and the only way to get better at that, to spot that, is with much deeper network instrumentation. That's putting sensors not just, you know, at the, the so-called north-south links where the firewalls are, but
also the east-west. Okay, logistically that's a big challenge, because, you know, it requires manage, management effort. Uh, it's potentially unsafe, especially in IoT environments, if you don't do it right. So we spent a lot of time, years, engineering out network sensors that would be easy to install very, very widely and very pervasively. They do edge analytics, so that what they send up to the analytics cloud platform, um, is very small and very digested. All right, so they've done some of the work before you, and that saves on network logistics, right, network costs. And I think that's really it. If you, uh, uh, improve on the network instrumentation, then your SIEM solutions, all right, and your analytics, uh, just have a, have much more to work with. And if the, if the goal is to be AI driven, AI likes more data. The more data you can give it, the smarter it's going to be. And so that's really the logistic challenge, is just to get, just to see more, you know, just put more eyeballs, automated, your CCTV cameras, that's the right way to think of it.

And, you know, again, we don't, we don't often have, have moon shots anymore, and we don't often have these, these big unifying Independence Day style, you know, like, we're all gonna solve this problem together, because everyone, you know, there's, there's just so many little things. Well, we'll have to shut our thing down for six hours, and that's gonna cause, you know, we're gonna lose X number of profit or whatever. Like, how do you, how do you sort of, like, bring it all together to sort of, like, implement this stuff and make it, make, you know, make people realize that it's, uh, you know, important and doable and is not going to, you know, kill your shareholders or whatever?

Well, the, the, you, you're, you couldn't be more right. With industrial environments, um, you know, industrial production or IoT environments, then they can't go down. They're not allowed to go down, right? You know, you just can't. I mean, yeah, there's a lot of stories we can tell about that. So it's just out of the question. So the,
um, the, the way that, the way to approach it is to, uh, touch those environments as little as possible, ideally just putting sensors in. Okay, when we work with new, with clients, we start off with just a handful of environments. Electric power company, for example, we'll pick, you know, two or three generators or substations or transmission lines, and just, we'll put some extra sensors in there, and all of a sudden the asset inventory comes back and it's much more accurate than they've seen before, and the rogue devices show up, the stuff that's not supposed to be there, the applications, and those just appear almost immediately, and it's safe and easy to do. And, you know, at that point then you, you, we've built some credibility, and the customer, because they have to manage this whole thing internally with their own various states.

Yeah, yeah, you're just, you're just putting it in place and then sending them to, hoping that they're going to use the, their new gadget correctly, right?

Well, yeah, but, but we have to, we, we, we work with, our job is to deliver better cyber security, not just, not just one more product, right, to work with them closely to say, this is what you have, and this is what you've been missing, this is what you need to do about it. Okay, so those are the questions we answer for them, and at that point we build up trust rapidly. One of the things that's always been a challenge with OT, with cyber-physical, is a degree of mistrust between IT security people and the plant guys. Yeah. They sort of come from different worlds, and that's, that's a much better problem than it used to be. Used to be substantial mistrust. Um, but, you know, that's something you get good at in terms of corporate culture and working with clients to get them past it, and it becomes, it's, it's gradual, but if the tools and if, if the technology is non-invasive and safe, it goes pretty fast. So that's basically a solvable problem.

Interesting. Yeah, so, yeah, you're, you're, you're sort of, you know, casting things out here and, and you're finding
out immediately that, you know, and it sounds like there's, there's, there's, there could be, like, access issues. Like you said, there's, like, rogue systems, or there's, you know, aspects of the network that, like, oh, I didn't realize that was still connected to this thing. Is there, is that a lot of that kind of, sort of, like, cleanup that should have been done years ago?

Right. Well, the, the, the, the, the, the joke I have, well, it's not a joke, the, the, the reality we have every time we go to a new environment, and it's wonderful, because the plant managers are hungry for this information, you know, and they just, it's very difficult to have really, really clear and accurate asset inventory, and not just, behavioral inventory as well: what are all those things doing, you know, including things I might not have suspected. And it's like, we'll give people an accurate list, and they'll, we'll always ask, so what's in that plant, you know, uh, what do you got on your shop floor? Well, X number of robots, X number of PLCs, and all the other stuff, right, and they'll give you a, a, a, a network diagram that's probably five years old. All right, we'll give them back a list, and we'll say, okay, oh, what's this, what's this, what's this, what's this? All right, and it's like, someone, in some of the cases it's like, oh yeah, I forgot about that, forgot to tell you about that. Yeah, yeah, that's out there. Other cases it's like, I thought we retired that two years ago. Yeah. Right, right, well, it's still on your network and it's still talking.

We fired Barney five years ago and his, his account is still open.

Yeah. And the third, and the third kind is, what on earth is that? Get the hard hat, get on the floor. Yeah. Right now.

Have you ever found, like, sort of, like, sort of invasive hardware like that? Did, like, have you found, like, you know, like, the equipment, like a bug or something?

Very, very rarely. Like, you know, single-digit percent of the time we will find rogue hardware like that. People are good at that, people know that trick, right? What we always find is rogue
software. Yes. Okay, and, uh, it, and it's so, and people are good at what they do. Uh, it's just really, really hard in a complicated environment to stay on top of everything, and, sure, you really need to know when you've, someone has done something, made a config change that left a little hole. Okay, that happens today, and so it needs continuous monitoring. It's not enough just to do a sweep every year and, and, and close all the holes. You got to be, you got to know continuously what's going on. So, you know, we find all kinds of crazy things. Uh, yeah, I mean, just, uh, and, you know, what it comes down to, Chris, in, so, the vast majority, it comes down to, comes down to unknown malware, and malware is the problem, right, because people get into your network and they do things you don't want them doing. Um, and everybody invests heavily in sweeping their systems for malware. Well, that's great for finding malware everybody's seen before, that's already got a signature, right? So you're sweeping all the, the software on your computer, all the big names, that's got a, there's a DLL in it, it's got a little smudge in it, well, that's, you know, oh, that's NotPetya, or that's this or that or the other malware. What we find, in the kind of the hallmark of the approach of looking for behavior, looking for attacks in progress rather than signatures or vulnerabilities, we will, generally speaking, far more often than not, okay, the majority of the cases, we find malwares, we find signs of malware that have no signatures. Just this morning we were working with a, with a client, and we told them, hey, you know what, um, I think you've got malware on this one particular computer, and we gave them the IP address. You know, I was wondering about that one, we just installed that in the front so that one of the, uh, one of the interns could have some connectivity, and I was wondering about it, and, and we swept it, there was no malware on it. I told them, you got malware on the machine. Okay, all right, aren't going to find it, and I'll tell you how I know. It's
because it's doing well it just obviously we're not going to we can't give the you know too much detail but of course but it was doing a very standard kind of a diagnostic uh operation you know it was an snmp sweep okay but it was doing it in a way that was quite invasive not normal okay we found another case in a production environment in in over in europe this is last week uh a place that has generated electricity okay there's turbine generators in there all right and they had we found nine machines in that environment that were doing ping sweeps not ping sweeps port scans ports right okay look you sweep around the network looking for open ports and that's a it's a it's a tool a lot of people use those just to know what you got right that's a way of doing asset inventory okay and our ai said eight of those there are you shouldn't be doing that in an ot environment because it kind of destabilizes the switches but that's a low level alert that's you shouldn't be doing ping ping port scans all right that's an i.t tool not an ot tool one out of the nine our ai kicked out a high severity alert because it was doing a port scan but there were more than not one but two different aspects of how it did it that were obviously designed to evade detection wow man this is a smoking gun they you know did the antivirus these are good guys they spent a lot of money on security and a lot of money on developing practices and expertise but there's no signature for this for this malware so they didn't find it but we found it through the behavior all right and they were like oh my god that's just you know jot your jaw drops because yeah yeah it's obvious it shouldn't be doing that all right and again the bad guys are good at what they do so the behavior was hidden it was it's yeah they they they hide their tracks so you won't attack them and that's what you know and ai if trained properly is good at finding those little signals that are going to go right past your eyes interesting 
um now i i want to get into some some career stuff and some learning stuff but before that i just i i guess um i didn't really put it in the questions here but can you uh talk a little bit about how uh sort of the iot component of this varies from the ot end now you said ot you know it goes back 100 years goes back pre computers iot is obviously a much newer thing but is are there any uh wrinkles in the way that you keep iot secure that differentiate it from operating systems there's a lot of wrinkles and uh uh what the way i like to make the way i like to talk about it is well i t is traditional computers on traditional networks ot is non-traditional compute devices on non-traditional networks that are generally owned by somebody not i.t iot is the hybrid iot is non-traditional compute devices on traditional networks and usually what there's 10 000 at least different kinds of iot devices with different functional profiles okay i've got a really great example for you we have i'm not going to name the maker uh household name you go to home depot to buy a home lighting switch those are wonderful i mean you can you can set up the colors in your house you know uh mood lighting different times a day turn your lights on and off when you're not home all that great stuff so and those those are iot devices and they are very restricted functionality okay we think of them as having a job description okay a light switch has a job description its job is to turn your lights on and off and maybe phone home so that your smartphone app can can you know can talk to it so why did we find our ai found a lighting switch in one of our own networks uh that was doing those things and was also looking around for windows file shares on that network to connect to oh and don't tell me i have to get rid of my i like my i like my light function i've done it i push three buttons on my phone and i'm done for the night it's great it's like come on guys so it's like you know that's the kind of 
thing you want to know about so you either you know pick a different vendor for your you know light switch or whatever it is but that's hygiene right yeah and yeah whether or not they're uh the maker designed that with that's outside of its job description right so what we look for with iot devices they are things that are designed to do very specific narrow tasks unlike computers okay computers are highly general right but any time we spot an iot whether we've seen it or not okay that's important because you know every single day somebody's programming a raspberry pi to do something brand new right okay oh yeah right so but the great thing about iot behaviorally is that they're there to do a job and anytime you see it doing something that probably isn't part of the same job you flag it so that's that's how we approach those and that that's turned out to be very very fruitful and i think you know a lot of the cases with iot i mean it's all about convenience we want the world to be densely connected because there's so much value to that right but we see things like all right here's another example um a company that had a ransomware attack right and they wanted us to figure out where how it got in um the electric car charger in front of the building that looks a lot like an iot device and somehow acquired their network okay and so you know there that's like an iot device that is uh that's in the network and possibly exploitable possibly attackable by all the attackers that are in your network already right and uh we've seen and this is a little bit more scary um uh building management commercial building management the hvac systems okay and the elevators and the closed circuit televisions right those are and the economics of building management is extremely critical it's so difficult to spend any kind of money on cyber security and that you know that makes it difficult to be good at it and very often you will find networks that just aren't locked down enough and 
you'll see the hvac equipment on the same network where people are walking into the building lobby with their ipads and just automatic iphones just uh automatically acquiring the network okay now yeah see so somebody walks into a building right where the the uh the air conditioning controls are literally reachable from the the the guy whatever malware is on somebody's iphone okay i'm not sure i want to be in that building mm-hmm okay and so so that's the kind of stuff you really just want to know about because the economics are so challenging you know we need to come up with and this is part of what we we think we can do and we're trying to do it make it so that that building manager has a cost effective and easily manageable way to spot those problems and knock them out before they turn into trouble right yeah that makes yeah that makes perfect sense yeah i mean because yeah these are things that are are not intrinsically securable you know as an object or whatever like you need to sort of yeah i used to do this right i used to uh pull out of my pocket when i did presentations like a a type k thermocouple right that's on the uh you know the uh on the yellow coiled cord and you're dangling out of your pocket or it's a four dollar part yeah okay you're going to add a 35 you know firmware chip set so that it can be on the network and now you've got a connected sensor okay are you now going to spend a few hundred dollars to to put proper security management on it add a firewall to it or whatever yeah yeah i don't think so it doesn't it doesn't work economically yeah it's not because you couldn't do it if we if we wanted to see that's where the challenge comes from all right so i yeah now i definitely want to uh get to how we address the challenge and how the the the the students and professionals of the future address this challenge i realize that cyber security professionals all get in the industry for different reasons whether it's for love of chasing the bad guy or 
keeping a company safe or just the prospect of a decent paycheck i wonder if there's a way to get in uh get the word out that cyber security professionals should consider aiming their job search at like state and local government local utilities infrastructures i mean is there a way to let cyber security professionals in the u.s know that they could potentially be

keeping their own town or city or municipality safe in a in a real tangible way i think there is and of course the challenge you know the i just did a conference last week up in portland um and and i said uh the bar none the biggest challenge in cyber defense is finding enough qualified people every head is like bobbing up and down this is a room full of cisos um and so uh i think that there's a lot of scope to partner between private organizations which invest heavily in expertise and as you say the public sector entities right who own or are responsible for the critical infrastructure all right that we all run our lives on um and it's i i think that a a really important way uh of getting better you know no there's a lot of good people in cyber security we don't want to get better people and we want to get more people in that we want to we want to retain them and we want them to enjoy their work okay i think a lot of a lot of the job is just forgive me i it's it's scut work all right because our the tools and techniques that we use don't give enough highly actionable information and don't give enough depth of visibility so what you will find is very expensive and well-trained young people all right they spend their time writing scripts against you know siem logs okay and your your security logging will give you terabytes of data every day from your firewalls and all the other things that generate logging and it's just not good enough information and that's why we think you know if you can apply ai intelligently to take all that huge raw data and boil it out to the handful of events doesn't maybe a dozen a day not not not 500 million a day all right but take the events and turn them into this is really going on this is suspicious it's not normal it's happening right exactly here yep okay now the cyber security practitioners have a lot more to chew on all right and they become threat hunters and strategists as opposed to just script monkeys and i think that's 
going to be a a big help you know to getting uh young younger people uh and smart people uh because they'll make they'll make much more of a difference yeah see so i think that's a big part of what we can do to make that better for people and i think it's also worth reiterating that you know when sometimes when people hear uh ai as you know it's going to automate all these these low-level processes that there's that kind of uh you know john henry versus the you know the the cutting machine like it's gonna like automate me out of a job but like just like you said the scale of it like it's not it's not like you know oh if you know if i was more hard working i would have found this or whatever like we're working at just a different scale of data and i imagine there's still going to be plenty of work for people who uh sort of interpret these these processes it's just that that could not be more true and frankly the way i like to think i've been thinking about ai for years and years yeah um and and frank there's a really really great book by a japanese author and it's in english it's called the stories of ibis um and uh the the author is hiroshi yamamoto and i recommend that you you will love it it's 20 years old it's a mash up of short stories but he says some things in there about ai he presciently 20 years ago anticipated the technique we call deep learning okay and it says so so many intelligent things about ai and i think i think of an ai as a person okay a person is somebody who starts with basic knowledge basic intelligence and you give him training and he has experience and he learns things so to me you know a a soc consists of a suite of different ais and we use different different ai techniques not just deep learning or one of the other ones we use a bunch of different ones and we train them differently all right so now you've got you know a room with some ais in it and they're like people and then we have some humans in there right right and they're all 
looking at the same stuff and it's i think it's a very very important principle that there are things ai is good at and things that humans are good at and they are not the same things yeah so we have the ais do the high dimensionality reduction of you know raw events and the humans can do the low level pattern recognition and low dimensionality space plus the semantic interpretation right now you've got a really solid result and so yeah when you when you when that ai told you that there were nine different things running port scans like it didn't necessarily know what the solution to that was like it took it took people with years of sort of cognitive problem-solving abilities to sort of do the next to to carry that information to something actionable right exactly what happened yeah that's right uh so um for people who are just getting into this industry or maybe are listening to this this video and are saying like oh my god i really want to do that kind of stuff like what type of of learning do you think they need to do right now are there particular learning paths or or things they should be tinkering around with at home or like what should they be sort of prepping themselves for over the next you know however many months what should they be excited about what should they be poking around in well i think that uh um certainly artificial intelligence is got to be part of every young person's especially not you know if you're if you're technical or you're interested in a career in business you know information at scale transforms literally everything and there's a lot of resources to that um but i think it's it's almost like a game right and i think young people are really good at being figuring out what they're attracted to in in terms of studies and learning but i certainly think that the more you uh get knowledgeable about in uh pay attention in math class all right because a ai is linear algebra okay it's a discrete algebra in a lot of ways all right so learn all 
that stuff um it's not not that easy but uh that's certainly a thing to do as far as cyber security we really are needing to move beyond the traditional patterns and the traditional methodologies and a lot of that is is baked in very deeply um with you know tools techniques and pre and practices so that's going to take a little bit of time to change but again young people are good at that you know young people don't start out with the uh you know without the preconceived notions and we've already done it this way that's what's good about it so i think they've got a shot um i i think it's less straightforward to find good resources on on cyber because it's evolving so fast right but but ai is is just no end of fun yeah yeah it sounds like it boy you certainly uh you've hooked me in as long as there's not a lot of calculus involved i can do algebra fine but well a little bit i mean derivatives right yeah that's that differential calculus that's easy i would always learn i would always understand the concept in calculus about three weeks after i failed the test so yeah well now you don't pass the test you just you know now i just do it yeah do it to do it yeah so well this has been great so as we wrap up today francis uh feel free uh tell me more about insight cyber and some of the big projects and exciting developments you have in store for the second half of 2022 well we've again we are busy getting our tech out to customers um and so we've got some uh launch events going on later in the year that will be uh so watch for the publicity on that um but there's just an incredible hunger from from the customers that we're seeing to just know more about what's going on in their environments and so we're just uh expanding that rapidly on a daily basis so that's what we're mostly doing nice so what's that a lot of fun oh yeah yeah it's it's clear like you your your excitement is palpable about all of these activities we love to show people our stuff so anybody um you know 
anybody who wants wants to get a little bit you know see what you've been missing yeah um just get in touch and we'll show you well that's that was my last question for all the beams here if our listeners want to learn more about francis cianfrocca and insight cyber where should they go online well our uh our web presence of course is insight cyber insight cyber group um and so that's a that's a great place to start and we've got uh we do linkedin and we do blog posts a lot so that's another place but yeah companies insight cyber and uh thank you for the plug chris love to have anybody come and come and pay attention and ask questions just get in touch with us beautiful francis thank you for all your time and thoughts today this is this has been terrifying but also a blast so thank you there's a way forward okay that's we we will we will get ahead of the bad guys that's clearly that's the game what the game is all about yeah that's the the beam of life that keeps one foot in front of the other absolutely uh and as always i'd like to thank everyone listening to and supporting cyberwork the podcast new episodes of cyberwork the podcast are available every monday at 1pm central both on video at our youtube page and on audio wherever fine podcasts are downloaded and i want to make sure you all know that we have a lot more than weekly interviews to offer you can actually learn cyber security for free on a portion of our infosec skills platform just go to infosec institute.com free create an account you can start learning right now we have 10 free cyber security foundation courses from keatron evans our superstar teacher six cyber security leadership courses from cicero chimbonda 11 courses on digital forensics 11 on incident response seven on security uh architecture devsecops python for cyber security javascript security ics and scada ding ding ding and plenty more just go to infosecinstitute.com free and get your learning started today thank you once again to francis 
cianfrocca and thank you all for watching and listening we will speak to you next week [Music]

2022-08-21
