Bob Bender and Jim Shook CUBE Conversation


From theCUBE studios in Palo Alto in Boston, connecting with thought leaders all around the world, this is a CUBE Conversation.

Hi everybody, welcome to this special CUBE Conversation. You know, with COVID-19 hitting, organizations really had to focus on business resiliency, and we've got two great guests here to talk about that topic. Bob Bender is the chief technology officer at Founders Federal Credit Union, and he's joined by Jim Shook, who's the director of cyber security and compliance practice at Dell Technologies. Gentlemen, thanks for coming on theCUBE, great to see you.

Thanks, David. Great to see you.

Thank you.

So Bob, let's start with you. Give us a little bit of background on Founders and your role.

Founders Federal Credit Union is a financial institution that has about 225,000 members, serving them in 30 different locations located in the Carolinas. I serve as chief technology officer, bringing in the latest technology and cyber resilient direction for the company.

Great. And Jim, talk about your role. Is this just a new role that was precipitated by COVID, or is this something that Dell has had for a while? Certainly relevant.

Yeah, it's actually been around for a while, Dave. The organization invested in this space going back about five years. I founded the cyber security and compliance practice, so really my role is most of the time in the field with our customers, helping them to understand and solve their issues around the cyber resilience and cyber recovery field that we're talking about, but also, to do that properly, spend a lot of time with organizations that are interested in that space. So it could be with an advisory partner, with the FBI, it might be a regulator, a particular group like Sheltered Harbor that we've worked with frequently. So it's just really, as you point out, taking off, first with ransomware a couple years ago and then with the recent challenges from work from home and COVID. So we're really helping out a lot of our customers right
now.

Bob, I've talked privately to a number of CIOs and CSOs, and many have said to me that, you know, when COVID hit, their business continuance was really much too DR-focused. Now you guys actually started your journey way back in 2017, and so I wonder if you could take us back a few years, and what were the trends that you were seeing that precipitated, you know, you to go on this journey?

Well, I think we actually saw the malware, the horizon there, and I'll take you back a little further because I just love that story. As you know, when we looked at the relationship of Dell EMC, we talked to the one percent of the one percent and who is protecting their environment, their data capital, you know, the new critical asset in our environment. And Dell, you know, EMC was the top of the line every time. When we looked at the environment and what it required to put our assets under protection, again we turned to Dell EMC and said, where do we need to go here? So, you know, you look at this Mecklenburg County, you look at the City of Atlanta, you look at Boeing, and I hate to use the examples, but very large companies, some really experienced companies, were susceptible to these malware attacks that we just knew ourself it was going to change us. So the horizon was moving fast, and we had to as well.

Well, you're in a highly regulated industry as well. How did that factor into the move?

Well, you're exactly right. We had on our budget, our capital budget horizon, you know, to do an air gap solution, and we were looking at that. So the regulatory requirements were requiring that, the auditors were in every day talking about that, and we just kept framing that and what we were going to do in that environment. So, you know, we wanted to make sure, as we did this purpose-built data bunker, that we looked at everything, talked to the experts, whether that was federal, state regulation, you know, you mentioned Sheltered Harbor,
there's GDPR, all these things are changing. How are we going to be able to sustain a forward look as we stand this environment up? And you would think, and we also stood up a cyber security operations center, so we felt very confident in our run books and our incident response, that you would think that we would be ready to execute. But I'll share with you that we reached out every which way, and a friend called me and was actually in a live ransomware event and asked if I wanted to come on to their site to help them through that incident, because we had some expertise on our staff that they did not possess at that time. So going into that environment, spending 30 hours of the last 72 hours of an attack, we came back changed. We came back changed and went to our board and our executive and said, we thought we knew what we were doing, but when you see the need to change from one to ten, you know, servers recovery to 300 in 72 hours, we just realized that we had to change our plan. And we turned to the investment we have already made and what we had looked at for some time, and said, you know, Dell EMC, we're ready to look at that PowerProtect recovery solution. How can you stand this up very quickly?

So Jim, I mean, Bob was saying that he looked at the one percent of the one percent, so these guys are early adopters. But anything you can add to that discussion in terms of, you know, what you saw precipitate sort of the activity? Let's go pre-COVID. Certainly ransomware was part of that. Was that the big catalyst that you saw?

It really was. So when we started the practice, it was kind of following up on the Sony Pictures attack, which only hit Sony and that, but it was unique in that it was trying to destroy an organization as opposed to just steal their data. So we had financial industry really leading the way, the regulators in the financial industry saying, gosh, these attacks could happen here and they would be devastating. So they
kind of led the way. As our practice continued, 2016 kind of became the year of ransomware, and became more prevalent with the attackers getting more sophisticated and being able to monetize their efforts more completely with things like cryptocurrencies. And so as we come around and start talking to Bob, he still was well ahead of the game. People were talking about these issues, starting to grow concerned, but didn't really understand what to do. And Dave, I know we'll get to this a little bit later, but even today there's quite a bit of disconnect many times between the business understanding the risks of the business and then the technology, which really is the business now. But making those pieces fit together and understanding where you need to improve to secure against these risks is a difficult process.

Well, I'd love to come back to Bob and truly try to understand sort of how you pitch this to the board, if you will, how you made the business case. You know, to Jim's point, the adversaries are highly capable, it's a lucrative business. I always talk to my kids about ROI, numerator and denominator. You know, if you can raise the denominator, that's going to lower the value, and that's kind of the business that you're in, is making it less attractive for the bad guys. But how did you present this to the board? Was it a board level discussion?

It was exactly. We brought Dell EMC PowerProtect Cyber Recovery solution to them and said, not only you're experiencing and seeing in the news daily these attacks in our regions, but we have actually gone out into an environment and watched that attack play out. Not only that, is when we stepped away, and we ran through some tabletops with them, and we stepped away and we said, you know, are you okay? Do you know how it got in? Are you prepared, you know, to protect now and detect that again? Within 30 days they were hit again by the same ransomware attacks and hackers. So I hate to say this, but I
probably fast forwarded on the business case, and in the environment, the horizon around me, players, they kind of made my case for me. So I really appreciated that top-down approach. The board invested, the executive invested, they understood what was at risk. They understood that, you know, you don't have weeks to recover in the financial institution. You know, you're dealing with thousands, hundreds of thousands of transactions per second. So it made my case. We had studied, we have talked to the experts, we knew what we wanted. We went to Dell EMC and said, I have six months and here's my spend, and that's from equipment hitting our colos and our data centers, standing up, standing up to run books, and it's fully executed. And I wanted an environment that was not only holistic, we built it out to cover all of our data, and that I could stand up the data center within that environment. I didn't need another backup solution, I needed a cyber recovery environment, a lifestyle change if you would say. It's got to be different than your BCP/DR. While it inherits some of those relationships, we fund it with employees separately, we treated the incident response separately, and it has really benefited, and I think we've really grown, and we continue to stress that, to educate ourselves not only at the board level but about a bottom-up approach as well with the employees, because they're part of that human firewall as well.

Well, I mean, I think you've seen this where a lot of organizations, they do a check box on backup or, as I was saying before, DR, but then in this world of digital, when a problem hits, it's like, uh oh, you know, we're not ready. So I wonder, Jim, if we can get into this solution that Bob has been talking about, the Dell EMC PowerProtect Cyber Recovery solution. There's a mouthful there, and you got the power branding going on. So what is that all about? Talk to us about the tech that's behind this.

Yeah, it's something
that we've developed over time and really kind of added to in our capabilities. So at its core, PowerProtect Cyber Recovery is going to protect your most critical data and applications, so that if there is a cyber attack, a ransomware, destructive attack, they're safe from that attack, and you can take that data and recover the most important components of the business. And to do that we do a number of things, Dave. The solution itself takes care of all these things, but number one is we isolate the data so that you can't get there from here. If you're a bad actor, even an insider, you can't get to the data because of how we've architected it. And so we'll use that to update the critical applications and data. Then we'll lock that data down. People will use terms like immutability or retention lock, so we'll lock it down in that isolated environment. And then we'll analyze it. So it's one thing to be able to protect the data with the solution, it's another to be able to say that what I have here in my data vault, in my air gap isolated environment, is clean, it's good data, and if there was an attack I could use that to recover. And then of course over time we've built out all the capabilities. We've made it easier to deploy, easier to manage. We have very sophisticated services for workers that need them, and then we can do a much lighter touch for organizations that have a lot of their built-in capabilities. So at its core it's a recover capability, so that if there was an attack that was unfortunately successful, you don't lose your business, you're not at the mercy of the criminals to pay the ransom. You have this data, you can recover.

All right, so Bob, talk to us about sort of your objectives going into this. You know, it's more than a project, I mean it really is a transformation of your resiliency infrastructure, I'll call it. But what were your objectives going in? I mean, a lot of companies are reacting, you know, and it's like you don't have time to really think. But
so what are the objectives, how long did it take? Walk us, paint a picture of the project and what it looked like, you know, some of the high level milestones that you were able to achieve.

Well, I think several times Dell EMC was able to talk us off the edge, you know, where it really got complicated. You know, the foundation services is just one of your more difficult conversations, one of the top three definitely: you know, patch management, notification, and how you're gonna rehydrate that data, keeping that window very small to reduce that risk almost completely as you move. I think other areas supply is that we really wanted to understand our data, and I think we're on a road to achieving that. It was important that if we were going to put it into the vault, it had a purpose, and if we weren't going to put it in a vault, let's see why, why would we choose to do that, why would we have this data, why would we have this laying around. Because that's a story of our members, you know, 225 stories of their ability to move into financial security. That story is now ours to protect. Not only do we want to serve you in the services, in the industry, and make sure you achieve what you're trying to, but now we have that story about you that we have to protect just as passionately. And I think that was two of the biggest things. I think the third is that we wanted to make sure we could be successful moving forward, and I'll share with you that in the history of the credit, you know, we achieved one of the biggest projects here in the last two years. That umbrella of the cyber recovery solution protection was immediate. We plugged in a significant project of our data capital and it's automatically covered. So I take that out of the vendor responsibility, which is very difficult to validate, to hold accountable sometimes, and it comes back under our control into kind of this purpose-built data
security and cyber resilient, you know, business strategy. That's a business strategy for us, is to maintain that presence. So everything new, we feel that we're sized, that there's not going to be a rip and replace, a huge architectural change, because we did have this as an objective at the very beginning.

Jim, when you go into a project like this, what do you tell customers in terms of things that they really should be focused on to have a successful outcome?

Yeah, I'm going to say first, Dave, not everybody has a Bob Bender, so we have a lot of these conversations where we have to really kind of start from the beginning and work through with our customers. If you approach this the right way, it's really about the business. So what are the key processes for your business? Can be different from a bank than from a hospital than from school. So what are the key things that you do, and then what's the tech that supports that and underlies those processes? That's what we want to get into the vault. So we'll have those conversations early on. I think we have to help a lot of organizations through the risks too, so understand the risk landscape, why doing one or two little things aren't really going to protect you from the full spectrum of attackers. And then the third piece really is, okay, where do we start? How do we get moving on this process? How do we get victories so that the board can understand and the business can understand, we can continue to progress along the way? So it's always a bit of a journey, but getting that first step and getting some understanding there on the threat landscape, along with why we're doing this, is very important.

So Bob, what about any speed bumps that you encountered? You know, what were some of those? Oh, you know, no project's ever perfect. What would you run into, how'd you deal with it?

Well, I would say the foundation services were major part of our time, so it really helped for Dell EMC to come and explain to us and look at
that perimeter and how our data is brought into that, and size that for us and make sure it's sustainable. So that definitely could be a speed bump that we had to overcome. But today, because of those lifts, those efforts invested, the run books, the increase in and new products, new data, as our business organically grows, is a non-event. It's very plug and play, and that's what we wanted from the start. So again, you go back to that conversation, one percent of the one percent, that's saying who protects you. We followed that, we stayed with the partner we trusted. The horizon holistically has come back and paid for itself again and again. So, you know, speed bumps, we're just enjoying that we were early adapters. And we knew that, you know, I don't want to throw anybody out there, but you look about two weeks ago, there was a major announcement about an attack that was successful, and they got them with ransomware, and the company paid the ransom, but it wasn't for the ransomware, it was for the data they stole, so that they would delete it. So that's again why we wanted this environment, is we needed time to react, in the case that these malwares are growing much faster than we're capable of understanding how they're attacking. So now it's one-two punch, you know, where is it going to be, where is it going to end. Well, we're not gonna likely be patient zero, but we're also not gonna have to be up at night worrying that there's a new strain out there. We have a little time now that we have this secure environment that we know has that, you know, air gap solution that was built with the regulatory consideration, with the legal considerations, with the data capital, with the review of malware and such. You can go back in time and say, okay, scan this, see if I have a problem. So again, the partnership is, while we focus on our business, they're focusing
on the strategy for the future, and that's what we need. We can't be in both places at once.

How long did the project take, kind of from the point of which you agreed, you know, signed the contract, to where you felt like you were getting value out of the solution?

Six months, and we were adamant. I mean, I put it off for a year and a half, that's two budget cycles basically is what it felt, and then I had to come back and ask for that money back, because we felt so passionate that our data, our critical data, didn't need to be at that risk any longer. So it was a very tight timeline, and again, product on prem within six months, and there was a lot of things going on there. So I just wasn't idle during that time. I was having conversation with Dell EMC about our relationship in our contracts: let's build that cyber resilience into the contract. Now we got this, you know, PowerProtect Cyber Recovery environment, let's build it here where you also agree to bring on extra hardware or product if I need that. Let's talk about me being on a technology advisory panel so I can tell you where the horizon of the regulations are going, so you can start to build that in. Let's talk about the executive board reporting of your products and how that can enable us. Because, you know, we're not just talking about cyber and protecting your data, we're talking about, back then, 60% of your keep-the-lights-on IT person was spent with auditors talking about how we were failing. You know, this product helped us get ahead of that, to now where we're data analytics, we're just analysts that can come back to the business table and say we can stand that up very quickly, not only because of the hardware and the platform solution we have, but it is now covered with a cyber resilience of the cyber security recovery platform. So that, you know

I want to ask you about analytics. Do you feel as though you've been able to go from what is generally viewed as
a reactive mode into something that is more anticipatory or proactive using analytics?

Well, I definitely do. We pull analytics daily and sometimes hourly to make sure we're achieving our KPIs and looking at the KRIs. We do risk assessments from the industry to make sure if our controls, layered of defenses, are there and that they will still work, what we stood up three years ago. So I definitely think we've gone from an ad hoc rip and replace approach to transformation into more of a threat hunting type of approach. So our cyber security operations center for us is very, very advanced and is always looking for opportunities not only to improve, to do self-assessments, but we're very active. We're monetizing that with a CUSO arm of the credit union to go out and help others where we're successful, so others that may not have that staff. And it's very rewarding for us, and I hate to say it, sometimes at their expense of being involved in the event of a ransomware attack or malware event. We learned so much, the gaps we have, but we could take this back, create run books and make the industry stronger against these type of attacks.

Well, so Jim, I mean, you said earlier not every company has a Bob Bender. How common is it that you're able to see customers go from that reactive mode into one that is proactive? Is that rare, is it increasingly common? I mean, it can't be a hundred percent, but what are you seeing as trends?

It's more common now. I mean, you think again back to Bob, that's three plus years ago, and he's been a tireless supporter and tireless worker in his industry and in his community in the cyber area, and efforts like those of Bob's have helped so many other organizations, I think, understand the risks and take further action. I think too, you know, Bob talks about some of the challenges with getting started. You know, in that three-year time frame, PowerProtect Cyber Recovery has become more productized, our
practice is more mature, we have more people, more help. You know, we're still doing things out there that nobody else is touching. And so we've made it easier for organizations that have an interest in this area to deploy, and deploy quickly, and to get quick value from their projects. So I think between that, some kind of the ease of use, and then also there's more understanding, I think, of what the bad actors can do and those threats. This isn't about somebody maybe having an outage for a couple of hours. This is about the very existence of a business being threatened, that if you're attacked you might not come back from it, and there have been some significant examples that might lose hundreds of millions of dollars. So as that awareness has grown, more and more people have kind of come on board and been able to leverage learnings from people like Bob who started much earlier.

Well, I can see the CFO saying, okay, I get it, I have no choice, we're going to be attacked, we know that, I got to buy the insurance, you got me. But I can see the CFO saying, is there any way we can get like additional value out of this? Can we use it to improve our processes and cut our cost, or can we monetize this in some way? What's the reality there? Are you able to find other sources of value beyond just an insurance policy?

Definitely, definitely, Dave, you're exactly right. We're able to go out there and take these run books and really start to educate what cyber resilience means and what air gap means, what regulatory, what are you required to do, and then what is your responsibility to do. And when you take these exercises that are offered and you go through them, and then you change that perspective and go through a live event with other folks and see that, you know, after 60 hours of folks being up straight, it really changes your view to understand that there's no finish line here. We're always gonna be trying to improve the product, and
why not pick somebody that you're comfortable with and you trust? And I think that's the biggest win we have from this, is that was a Dell EMC partnership with us. It was very comfortable fit. We moved from, you know, backup and recovery into cyber resilience and cyber security as a business strategy with our partner Dell, and it hasn't failed us. And so it's very, very comforting. We're talking about quality of life for the employee, you know, you hear that keep the lights on, and they've really turned into professionals to really understand what security means differently today and what that quality of data is. You know, reports aren't just reports, they're data capital, the data, the new currency today of the value we bring. So how are we going to use that, how are we going to monetize that? It's changing it. And then I hate to jump ahead, but we had our perimeters at one percent of our workforce remote, and all of a sudden COVID-19 takes on a different challenge, when we thought we were doing really good, and next we had to move 50% of our employees out in five days. And because of that Dell EMC holistic approach, we were protected every step of the way. We didn't lose any time saying we bought the wrong control, the wrong hardware, the wrong software. It was a very comfortable approach. The run books held us, our security posture stayed solid. It's been very rewarding.

Well, that was my next question actually, is, because you started our journey, no, no, it's okay. No, because you started the journey early, were you able to respond to COVID, you know, in a more facile manner? It sounds like you just, you know, went right in. But there's nuance there, right? Because you got now 50% or more of the workforce working at home, you got endpoint security to worry about, you got identity access management, and it sounds like you were kind of, no problem, we've got this
covered. Am I getting that right?

You're exactly right, Dave. We test our endpoints daily. We make sure that we understand what residue of data is where, and when we saw that employee shift to a safe environment, our most, you know, consideration at that time, we felt very comfortable that the controls we had in place, again Dell and their business partners, were gonna hold true and be solid. And we test those metrics daily. I get reports back telling me, you know, what's missing in patch management, what's missing in a backup. And I'll go back to keeping BCP and cyber security separate. In the vault we take an approach of recovering systems daily, and now that goes from maybe a two percent testing rate almost to a hundred percent annually. So again, to your point, COVID was a real setback, but it wasn't. We just executed the same run books we had been maturing all along, so it was very comfortable for our employees, it was very comfortable for our IT structure. We did not feel any service delays or outages because of that. And that's in the day when you have to produce that data, secure that data, you know, every minute of every day of every year, it's very comforting to know it's gonna happen. You don't push that button and nothing happens. It's executed as planned.

Jim, did you see a huge spike in demand for your services as a result of COVID, and how did you handle it? I mean, you guys got a zillion customers. How did you respond and make sure that you were taking care of everybody?

We really did see a big spike, Dave. I think there were a couple of things going on. You know, as Bob points out, the security posture changes very quickly when you're sending people to work from home, more people remotely. You've expanded or kind of obliterated your perimeter, you're not ready for it, and so security becomes even more important and more top of mind. So, you know, with PowerProtect Cyber Recovery
we can go in and we can protect those most critical applications. So organizations are really looking at their full security posture: what can we do better to detect and protect against these threats? And that's really important. For us, we're focusing on what happens when those fail, and with that extension and people going home and then threat actors getting even more active, the possibilities of those failures become more possible, and the risks are just in front of everybody. So I think it was a combination of all those things. Many, many customers came to us very quickly and said, tell us more about what you're doing here, how does it fit into our infrastructure, what does it protect us against, how quickly can we deploy? And so there has been a huge uptake in interest, and we're fortunate in that, you know, as you pointed out early on, Dave, we invested early here. I'm five years into the practice. We've got a lot of people, very mature, very sophisticated in this area, a lot of passion among our team, and we could go take care of all those customers.

Bob, if you had a mulligan, thinking about this project, what would you do differently if you had a chance to do it over?

I think I would start earlier. I think that was probably the biggest thing I regret, in that realizing that you need to understand that you may not have the time you think you do. And luckily we came to our senses, we executed, and I gotta say it was with common sense, comfortable products that we already understood. We didn't have to learn a whole new game plan. So, you know, I don't worry about that. I don't worry about the sizing of the product, because we did it, I feel, correctly going in, and it fits us as we move forward, and we're growing at an increased rate that we may not expect. It's plug and play again. I would just say stay involved, get involved, know that what we know today about malware and these attacks are only going to get more complicated,
and that's where I need to spend my time, my group become experts there. Let why really cherish the Dell EMC relationship is they, from the very beginning, they've always been very passionate on delivering products that recover and protect, and now we're cyber resilient. I don't have to challenge that. You'll pay for what you get, and I just got to say, I don't think there's much other than I would have started earlier. So start today.

Okay, so put it off. You said earlier, though, you're never done, right? You never are in this industry. So what's your roadmap look like? Where do you want to go from here with this capability?

I definitely want to keep educating my staff, keep training them, keep working with Dell. Again, I tell you, there's such forward thinking as a company. They saved me that investment, and so if you're looking at part of the investment, it's got to be, are you with a partner that's forward-thinking? So we definitely want to mature this, make sure, challenge it, keep challenging, keep working with Dell and their products to deliver more. Again, we go to the federal and state regulatory requirements, you go to the Sheltered Harbor, the ACET testing from the NCUA regulators, just software asset management, you can keep on going down the line. This product keeps, to say, it's kind of like the iPhone. You know, do you think about how many products the iPhone has now made not relevant? I don't even own a flashlight, I don't think. This is kind of what the Dell product line brings to me, is that I can trust they're going to keep me relevant, so I can stay at the business table and design products that help our members today.

Jim, how about from Dell's perspective, the sort of road map? You know, without giving away any confidential information, where do you want to take this? I mean, you know, we talk about air gaps, I mean, I remember watching that documentary Zero Days and
hearing them say, oh, we got through an air gap, no problem. So analytics obviously plays a role in this, machine intelligence, machine learning, AI. Where does Dell want to take this capability? Where do you see that going?

We're going to, you know, we've got some things in mind, and then we're always going to listen to our customers and see where the regulations are going too. And, you know, thus far we've been ahead of those with the help of people like Bob. I think where we have a huge advantage, Dave, is with PowerProtect Cyber Recovery, it's a product. So we've got people who are dedicated to this whole time. You know, we have a maturing organization in the field to deliver it and to service it, and having something as a product like that really enables us to have roadmaps and support and things that customers need to really make this effective for them. So as we look out kind of on the product, and thanks for your reminder, I don't want to risk saying anything here I'm going to get in trouble for, we kind of look at things in three paths. One is we want to increase the ability for our customers to consume the product, so they want it in different forms: they might want it in appliances, in the cloud, virtual. All of those things are things that we've developed and continue to develop. They want more capability, so they want the product to do more things, they want to be more secure. Keeping up, as you mentioned, machine learning with the analytics is a big key for us. Even more mundane things like operational information makes it easier to keep the vault secure and understand what's going on there without having to get into it all the time; those are really valuable. And then our third point really, we can't do everything, and so we have great partners, whether they're doing delivery, offering cyber recovery as a service, or providing secure capabilities, like our relationship with Unisys. They have a Stealth product that is a zero knowledge, zero trust product that helps us
to secure some of the connections to the vault. We'll keep iterating on all those things and being innovative in this space, working with the regulators, doing things. Bob's mentioned a couple times Sheltered Harbor; we've been working with them for two years to have our product endorsed to their specification, something that nobody else is even touching. So we'll continue along all those paths, but really following our customers' lead, in addition to maybe going some places that they haven't thought about before.

That's great, guys. You know, I have to sort of share that when you talk to SecOps pros, you ask them what their biggest challenge is, and they'll say lack of talent, lack of skills. And so this is a great example, Jim, you're mentioning it, you've productized this. This is a great example of a technology company translating, you know, IT labor costs into R&D and removing those, so, you know, customers can spend time, you know, running their business. Bob and Jim, thanks so much for coming on theCUBE. Great story, really appreciate your time.

Thank you, Dave.

Thanks, Bob.

All right, and thank you everybody for watching. This is Dave Vellante for theCUBE. We'll see you next time.

2020-12-29
