
The Catalyst by Softchoice
A podcast about unleashing the full potential in people and technology.
When people and technology come together, the potential is limitless. But while everyone is used to hearing about the revolutionary impact of tech, it can be easy to forget about the people behind it all. This podcast shines a light on the human side of innovation, as co-hosts Aaron Brooks and Heather Haskin explore and reframe our relationship to technology.
How the war in Ukraine is increasing your cybersecurity risk
In this episode, fill-in host Nicole Francis steps in and meets with Softchoice’s Jeffersen Sylvia to discuss how Russia and Ukraine are using cybersecurity in this modern-day war – and why businesses and IT leaders in North America should take note. Jeffersen takes us through his journey to cybersecurity as an enterprise architect and how the traditional way of thinking about security has shifted, both in the physical sense and from a mindset perspective. Jeffersen talks about how ransomware has become a huge issue over the last several years, how teams have to work together to be effective, and his 10-Point Plan to address and strengthen your weakest links.
Featuring:
Jeffersen Sylvia, Principal Enterprise Architect for Security in the Design Studio at Softchoice
Special thanks to Softchoice voices, Andrea Knoblauch and Shawn Dickson, for lending their honest thoughts!
The Catalyst by Softchoice is the podcast shining a light on the human side of IT leaders and reframing our relationship with technology.
The Catalyst by Softchoice is the podcast dedicated to exploring the intersection of humans and technology.
Nicole
[The Catalyst theme music] Hello. I'm Nicole Francis, Director of Content and Go-To-Market Enablement at Softchoice, and you're listening to The Catalyst, the podcast dedicated to exploring the intersection of people and technology. I'm normally behind the scenes, but this week I'm covering for Erika, who's out sick. Don't worry, though. We still have a great episode in store for you. [theme music continues then fades out]
Nicole
[pensive music] You know, at the time of this recording, the war in Ukraine has been raging for more than two months, and many of us are watching, anxiously, from halfway across the world. But, there's a side of this conflict that's hitting a lot closer to home. Cybersecurity experts and intelligence agencies have been warning us, since February, to be mindful of increasing Russian ransomware and cybersecurity attacks. And, it isn't just for companies or agencies based in Ukraine, or nearby Europe. It's for organizations of all kinds and all sizes, in the US, in Canada, and beyond. Here's what's freaky: state-sponsored cyber warfare is nothing new. Neither is ransomware attacks, but there's something different here, and the way these attacks are being carried out seems to be increasingly malicious, and downright scary. And, hackers don't seem to be in it for the big payday. They're trying to get your data and simply wipe it out, do as much damage, and cause as much chaos as possible, and I guess that is what war is all about. But, I mean, this show isn't about doom and gloom; we're about offering solutions. So, how can IT leaders get their house in order? Today on the show, we're speaking to a security expert who's gonna help you put your battle plan together. Jeffersen Sylvia is the Principal Enterprise Architect for Security in the Design Studio at Softchoice, and he's gonna tell us about the shift in mindset that's needed in order to react, respond, and overcome this dangerous new world of cyberwar. [pensive music fades out]
Nicole
Jeffersen, thank you so much for joining me today. I wanna start, if you could just tell us about your background, and what brought you to where you're at right now with cybersecurity. Tell us about your journey.
Jeffersen
So, realistically, my journey in security and cybersecurity started as an enterprise architect. So, I've been out there for 20 years, building these infrastructures, and dealing with all of the changing security concerns for about two decades now. And, getting into cybersecurity was kind of a natural next step because, realistically, we've changed how we build IT infrastructures for corporations significantly, over the last 20 years, and now, a lot of companies, especially with what's going on in the world, are figuring out that they are very, very behind in how they're thinking about security, and how they're structured to actually, not only implement, but also to manage what their security posture looks like. And, that's where we love to help.
Nicole
We are recording this podcast in April. Sadly, the war in Ukraine has been underway for a full two months, plus, and I know that cybersecurity has been front and center in that war. It's described as, you know, this "physical and digital war". I wonder if you could just spend a bit of time on what exactly is playing out there between Russia and Ukraine. Like, how are they using cybersecurity in this modern-day war?
Jeffersen
Realistically, the war on the ground is probably 70% of the battle. When we start to look at everything else that's going on, cybersecurity in warfare is paramount because, when we start looking at, you know, guidance systems and radars, and all of the other things that are actual military assets, cybersecurity, and how to thwart somebody that's actively looking for you is a huge advantage, if you can do it. Now, because this is a localized issue between Russia and Ukraine, there are other nation states that are involved and, when we started putting in all of these sanctions against Russia, from other countries that are not physically involved in the actual combat on the ground, now you open yourself up to counterattacks and countersanctions. There isn't a whole lot that Russia can do from a sanction perspective against all of the NATO allies and the countries that are actively putting in the sanctions against, not only Russia as a nation state, but also against the people that are influencing politics, the oligarchs, and the multibillionaires inside Russia. Going after them for sanctions is, basically, a way to put pressure on the Russian government to pull out of Ukraine.
Nicole
Mm-hmm.
Jeffersen
And, what we've seen are massive attacks, not between nation states, but between hacker groups like Anonymous that took down the entire rail system of Belarus, because they were helping Russia.
Nicole
Mm-hmm.
Jeffersen
Though, you've got all of these other independent groups, not only inside Russia, but outside, that are trying to, basically, use this as coverage and leverage to cause chaos in other areas. [rhythmic electronic music] Where we see a lot of this is going after infrastructures, which are very, very weak, globally. When we start looking at power grids and, you know, gas suppliers, and all of these other huge infrastructure companies that are out there, they are very vulnerable to attack, and we see that quite often. [rhythmic electronic music continues]
Nicole
So, I was actually gonna ask you that. I know ransomware is a type of threat, you could say, and we've been sort of seeing that for a long time, but what you're describing here is different, right?
Jeffersen
Yes, very.
Nicole
I wanna circle back to something you said before where, with the sanctions and the activities happening there, there was definitely, back in February, concern that, with these sanctions, that that risk was going to really escalate. So, the risk, more broadly, we were expecting to see a whole lot more attacks. So, I think what you said was, that has, in fact, panned out. There's people participating in this, showing their alliances in different ways. But, have the sphere of those attacks really broadened, you would say, like, well beyond the immediate geography? [rhythmic electronic music continues]
Jeffersen
Yes. Not only have they broadened; they've also changed. When we look at, you know, the history over the past five years, ransomware has become a huge issue. Somebody gets in, usually through some form of social engineering, plants a virus, and it basically locks the company's data until they pay for it. What we're seeing now is that same type of activity to get inside the four walls of a data center or using social engineering to plant a bug into a computer that's attached to the network and get inside. But, rather than asking for ransom to release the data, they're just deleting the data. [music stops] So, this has gone away from hacking groups trying to actually monetize what they're doing, to, again, these are sponsored attacks from hackers, by nation states, that are going in specifically to cause chaos, and nothing more because, if you delete the data and you do it in an effective enough way, now that company and that data is just gone.
Nicole
Mm-hmm. So, Jeffersen, what are you hearing from clients? Like, this is scary stuff. [Jeffersen laughs] It's shocking.
Jeffersen
It sure is.
Nicole
The nature of attacks, changing. What are your clients telling you? What are they worried about?
Jeffersen
What they're worried about is their traditional security. The old castle-and-moat approach to security is no longer really valid. When we start looking at a lot of these attacks, since they're using social engineering and, you know, email phishing, once they're in, the traditional castle-and-moat architecture says, "Okay, I have to keep you out," but, from a hacking perspective, "If I can gain control of a user identity, or user workstation, I'm now inside the castle." So, looking at moving away from that data center-centric type of security mindset, especially when a lot of companies, including financial institutions, now have workloads and data in public cloud computing like AWS, or Azure, or Google Cloud, among many others, they're also utilizing external providers for software as a service, that they don't control what that perimeter looks like anymore. So, the security landscape is now beyond just the four walls of the data center or their corporate office. Now, it's global, and the traditional castle-and-moat architectures don't protect that anymore. So, they have to think differently about how they're securing their applications and their data, and how their users are accessing it, and it's a lot to take on. Changing that mindset and looking at that organizational change management, as a part of security, is just something that most corporations, even security professionals, do not think about.
Nicole
Wow. There was a lot in what you just said there, right? [Jeffersen chuckles] 'Cause what I wanted to sort of ask you was, "What are the things that you're seeing that they're not prepared for?" And, what you've just explained is that there's a few things. There's a traditional way of thinking about security, the perimeter that they had to secure, like the physical components of it, that's shifted completely. So, there's this different approach, from a mindset perspective, that you're saying is the gap, right? They gotta look at it completely differently.
Jeffersen
Yeah.
Nicole
And, in so doing, that creates a fairly daunting task for a team of people that have looked at this in a very traditional way. You referenced, I think, moat-and-castle sort of thing, and so it's that shift that's got folks, kind of, not sure where to go. Does that sound right?
Jeffersen
Yes. What we see, typically, is a very siloed approach to IT and security, in general. So, you will have a department that is only concerned about identity and access management. You'll have another department that's only concerned about end-user devices. Then, you have another completely separate department that's only concerned about data center and servers and making sure the applications are good. And then, you've got a completely other department that's only concerned about networking and firewalls. They rarely talk to each other. They have separate leadership, separate budgets, and, in this new security landscape, moving from a network-based security model, which is, you know, the traditional castle-and-moat, has to shift over to an identity-based security model, and nobody's prepared for it. And, when we start looking at, you know, how we start approaching that, inside large corporations, the first thing that we have to do is start breaking down those silos because now, the identity model crosses over into how you access an application because it may not be in the data center. It may be in Azure, or in AWS, so the firewall and network is now completely out of play. How do we secure the end-user device, because the pandemic broke almost every company's security model, because most companies weren't prepared to have 90% of their users working from home? And, outside of the four walls of the office, and having a VPN connection on all the time, the infrastructures, traditionally, just were not built to support that. They got overloaded. Security got very, very lax because it had to, in order to allow workers to work remotely, in infrastructures that weren't built for it. It's a pervasive issue across multiple different industries, and it really is about breaking down those silos and getting these teams to work together.
[The Catalyst theme music] But you have to, basically, shift all of that left and up so that your executive sponsors actually understand all of this big umbrella of security, that they really have to start pulling things back that are traditional and moving forward on things that will actually allow this new security landscape to be effective.
Nicole
The way this war in Ukraine is having an immediate impact on all of us and poses real threats to our security all the way over here in North America, has been a real wake-up call for me. Am I the only one feeling like this? I wanted to know what my colleagues here at Softchoice thought about all of this and find out whether they are surprised to learn about the rising digital risk for all of us, and what they think everyday people can be doing to stay safe. [theme music continues]
Speaker 1
We're definitely seeing a huge increase on the types of malware attacks that are hitting our customers' networks, and they're coming in through their employees, at this point. What we've really seen is the types of attacks are getting easier to launch, and a lot of them are offered on subscription-based models, meaning people can launch them without any technical skills, and so it becomes such an attractive way to go after easy money. [theme music continues]
Speaker 2
No, I am not surprised. The Russians and the cyber-criminal organizations that they harbor, and potentially even support, are not gonna be very discriminatory in who they target. I fully expect things to get much worse before they get better. The Russians are already threatening nuclear warfare, so we know they are already thinking very unconventionally. My biggest fear is a massive cyberattack across multiple fronts that shut down critical infrastructure and retail, which would overwhelm security providers. This could lead to riots, food shortage, and true crisis, all of them without firing a shot at any Western interest. [theme music continues]
Nicole
Some of the easiest things that we can do to help improve our security posture is really think of it as a human element problem. It's so easy to be burnt out and not think about all the little things we do throughout the day that actually have an impact, so things like making sure we're using the VPN, making sure, you know, we're rotating our passwords and using new passwords for different systems actually goes a long way to making sure that we help our company actually stay more safe out there, and thus, all the companies that we interact with are more secure, as a result. [theme music continues]
Speaker 2
Each of us can, and should, do more to protect ourselves and our company. We need to recognize that we're the easiest target to exploit. The bad guys know that most companies employ security technologies to stop legacy attack vectors, so they use social engineering techniques to get us to give up our credentials. The best thing we can do is to be extra vigilant and consider every digital interaction. Let's also use MFA, wherever possible, to make it harder to get into personal and work email accounts. I would also like to see more security awareness training and phishing testing. The more practice people have, spotting social engineering, the better off we will be. [theme music continues then fades out]
Nicole
All right. I wanna get more prescriptive on the solutioning around this, and for our listeners to, sort of, really start thinking about the most practical and efficient ways to get secure, to address the silos you talked about, the weak points.
Jeffersen
Mm-hmm.
Nicole
Those are, in essence, weak points, right?
Jeffersen
Yes.
Nicole
What can they do? Give us some practical... Where should the focus be? What should those steps be? I know you have a 10-point plan [Jeffersen laughs] that you have referred to in one of your blog posts on LinkedIn.
Jeffersen
Yes.
Nicole
Is this where the 10-point plan comes in, Jeffersen?
Jeffersen
It does. The way that we have to approach this is you have to start looking at, "Okay, we can sit here and talk about technical debt," and you know, "Where have you spent your money?" and that is, a lot of times, where we start. "What are you currently licensed for? Where are your major investments today?" because, when we start talking about security, we have to approach it from an agnostic standpoint. I don't care what kind of networking equipment you're working on. I don't care who your identity provider is. What we have to look at is what you're doing well, based on what you've already purchased, "How many things, that you have purchased, are you not using?" and, "Can you utilize them more effectively?" It, basically, is going in there to look, initially, at what that gap analysis is, of what you've bought, allowing you to use it more effectively, and then figure out which points are not covered. That's where you really have to spend your time. We see companies, all of the time, that have six different security products that are sitting on an end user's PC, and only three of them are maybe, A, actually used, or, B, configured correctly. So, it really comes down to, "Let's take a serious look at what you've got today. Let's take a serious look at where you want to be a year from now, and figure out, 'Okay, what can we really tweak inside your organization to allow you to effectively use the products that you've already purchased? Let's get those working correctly. Now let's figure out where your gaps are,'" because now, everything's a moving target.
Nicole
Mmm.
Jeffersen
You've got companies that are actively moving from data center, to move things out into public cloud, or move things out into a separate service provider that's going to be cloud based. When you start looking at that, now you can actually look at, "All right. Where do I really need to spend my network money? Do I need to really start shoring up and buying, you know, hundreds of firewalls, and is that really an effective use of that budget? Or, can we go to something like a Zero-Trust and a SASE model where everything has to go to a central clearinghouse?" It's identity based. It's policy based. I don't care what kind of machine you're on, but the closer to a controlled device you're on, now I can give you more permissions to access something. So, there are a bunch of different ways to move from a network-based security plan into an identity based. And, identity-based gives you much more security because now it doesn't matter where you're coming from. Everything is always secure because, every time you try to go to something, a policy looks at where you're coming from, who you are. It checks that every time, versus, "Once I'm on the network, I'm on the network, and it doesn't matter whether my device gets hijacked or compromised." You're already in, and it doesn't check again until you go out and come back in again. So, it's looking at these new thought processes to go, "Okay. Let's really take a look at where you're spending your money, 'cause all of this is a cost-benefit analysis, and let's figure out where you should be spending your money, figure out how we can remove some of that technical debt, and get you more secure at the same time."
Nicole
I know we see this in other parts of the business: organizations don't necessarily have visibility into all of the equipment, and software, and stuff that they have, and they don't know that stuff's overlapping, or inefficient. There's so much to be said around having that view. So, you mentioned Zero Trust in there. I like to rephrase it as "Trust No One, Ever". [Jeffersen laughs] Right? Question, always, 'cause I guess that's what you've described.
Jeffersen
Yeah.
Nicole
Trust nothing, verify everything. We've been through, I guess you would say, a complicated few years. It's been long and hard, these last couple of years.
Jeffersen
Mm-hmm.
Nicole
And, there's been a lot going on, even before the war in Ukraine. I mean, in the early days of the pandemic, you had healthcare systems being targeted.
Jeffersen
Mm-hmm.
Nicole
Just when you couldn't-- in my opinion-- when you thought humanity couldn't get any lower, it got pretty low, you know? So, one wakeup call after the other. What do you think has changed or, sadly, hasn't changed at all about the way we're treating cybersecurity?
Jeffersen
Nothing really has changed in any kind of substantive way. Realistically, you know, the big push over the last few years has been, "We wanna be cloud first," but from an executive standpoint, it's easy to say, "Okay, we've just made this huge investment into public cloud - I don't care whose it is - and part of that investment says that we, as a company, have to spend X number of dollars in that cloud, in the next three years." And, it's all about speed of getting from point A to point B. Well, there's an old saying, "Slow is smooth, and smooth is fast." The problem is, unless you actually take a step back, during that initial plan to get to the public cloud, you're not doing it correctly, and what ends up happening is, yes, you've moved all of these workloads to the cloud. The cloud is easy to do that with. It's easy to move data. It's easy to take a virtual machine from inside your data center and put it out in the public cloud. The problem is, unless you actually take a step back and do the governance model inside that public cloud, and they're all similar, they're all slightly different, but you have to plan the governance model through your business model. The governance model inside public cloud is your governance model, your security model, your administration model, and your financial model.
Nicole
Correct.
Jeffersen
Unless you take all of those into account, up front, you're going to lose, as you said, that visibility. You're not going to know what is being placed where. You can easily put data that should be staying in a particular physical or geographical region and put it halfway around the globe and not know it. If you do that governance model correctly, now, you can basically put those guardrails in place, and, from a security standpoint, you can actually have security and that governance enable the business to move faster because the guardrails are already there.
Nicole
Yes.
Jeffersen
[pensive music] They don't have the permissions to hurt themselves, or to hurt the company, because I've seen, you know, multimillion-dollar spends because somebody, basically, fat fingered and added a couple of zeros, and, once you've deployed it, [chuckling] you have to pay for it. [pensive music continues]
Nicole
That's right. There's no calling it back.
Jeffersen
Exactly.
Nicole
So, you've described really well, you know, what we call cloud governance. You've said that term a few times, and that is a foundational component of the Managed Cloud portfolio here at Softchoice, by the way. [pensive music continues]
Jeffersen
Mm-hmm.
Nicole
Did you find, when you kind of have this conversation with our clients, is there resistance to this? Or is there an acknowledgement that, if they actually looked at these things as you described them, the governance around security, the governance around cost-- which, another phrase that people might know is "FinOps".
Jeffersen
Mm-hmm.
Nicole
That's a phrase that's been coined as tied to controlling your cost in the cloud. Do you find that folks welcome this information, or is there resistance? [music continues]
Jeffersen
Yes. [laughs] They welcome the information, but it really depends on what the structure of the company is that you're talking to, as to whether you're going to get a lot of resistance. If I'm talking to the chief security officer, they know this.
Nicole
Yeah.
Jeffersen
They understand it, but the problem is, if you look at the budget for the security department, it's all about operational security. They don't control the budget of identity and access management, or network, or any of these other things. Going back to the silos before, security actually has very, very little power in most companies, until there's a breach, and then it's the CSO whose head is on the chopping block in front of the board.
Nicole
Right.
Jeffersen
The problem is, now we actually have to get security in alignment with all of these other IT silos that normally don't want to work with security, because security is always telling them, "No." And, the point that we wanna try to get to is using the internal IT organization to help enable security, and, if we do it correctly, it actually makes their jobs easier and helps to enable letting the business do some of the stuff that they're trying to do, from an innovation standpoint, and we can actually give them permissions to do that, without having to schedule IT for a project. So, security, who's normally saying, "No," can now help to enable that business innovation that they've been trying to do for so long, and they can do it in a secure manner.
Nicole
It's almost like, overall and holistically, there's a shift in mindset that's required in, A, how people look at security, first of all, B, the teams, the resources within an organization that are involved in that conversation, and I guess what you were just describing is a bit of teamwork that almost needs to happen to make sure that security isn't, sort of, left off until there's an emergency, and then you pull them in, you know? How can we get everyone at the table together? Because it sounds as though, until that happens, this shift that you're talking about, it's not going to happen, right?
Jeffersen
It's going to happen because it has to happen.
Nicole
Uh-huh.
Jeffersen
Realistically, if you are an organization that has data and applications, on-premise, in a traditional data center model, and you have a cloud presence, which most companies do, you have to start looking at this model because, again, you lose that visibility if you're a pure network security organization, as soon as you leave the four walls of your data center, or your corporate office, and you start going out to Office 365, or Workloads in AWS or, you know, corporate Gmail, that's sitting in GCP. You don't have visibility into any of that traffic, anymore, because all of your security protocols are sitting in this little box over here.
Nicole
Right, right.
Jeffersen
When you can't see that traffic, you can't act on anything that, if you've got bad actors or, you know, all of these other things that are happening from a cybersecurity attack standpoint. Where the network used to be the biggest threat, now it's your end users because they're not sitting inside the network anymore. Remote work is going to be here to stay. There are a lot of companies that are trying to get people back into the office, but we've proven that remote work, and working from home, and bring your own device, these are all viable business alternatives. Companies that went fully remote are still making revenue. Their workers are happier now. We have to have security, and those security protocols, and that mindset of how we approach security has to change, along with all of these other advancements that we've made in remote work and bring your own device. It can easily be done, but it is a mind-shift change from a corporate IT and a corporate-security perspective.
Nicole
How can our listeners learn more, specifically around Zero Trust, for that setting? Cybersecurity? Like, this is your opportunity; where would you send folks to find out more? [Jeffersen chuckles]
Jeffersen
So, Softchoice has what we call the Design Studio, which is our consulting arm of all of the other services that we offer, and we are here to help at all times, and we also have the backup of all of these great professionals that Softchoice has inside of our delivery arm. So, when we come in and help a company develop a strategy of how to get from where they are today, and develop that roadmap of, "Here are all of the individual projects that you need to do, in this specific order," because we don't want that siloed approach. We want a project when it's complete, to help enable the next project for the next department so that all of this stuff is working together, we've got all of the IT professionals working together. And we're not coming in with a mindset of, "We've been doing this for 20 years. We know everything." We are still doing our research and being involved with helping, you know, Gartner and their analysts look in different directions so that this non-traditional security mindset is actually out there on the bleeding edge, even with the analysts that are going out there and doing other research. So, we're helping to rewrite that book as we go. [The Catalyst theme music] But, call us at Softchoice and we can help you make those executive decisions so that we can actually get you to where you need to be, from a security standpoint, which is going to help reform your organization to do your business better. [theme music continues]
Nicole
Excellent. Thank you for that. [theme music continues]
Nicole
So, that was a lot. I don't know if I am more comforted or more terrified. It is a scary world out there. The bottom line is, it's never too late to re-evaluate your cybersecurity position, and to do everything you can to fight back. Keep your data, your customers, and your employees safe. Jeffersen provided some surprising insights about how these attacks are happening but, most importantly, what IT leaders, like you, can do today. We need to change the way we're thinking about security. The approach, up until now, has been siloed, and that, in and of itself, is leaving organizations vulnerable to attack. So, I really hope that our listeners today will, kind of, take all of this in, and really use this opportunity to forge ahead on a different path 'cause we're all in the cyberwar together, whether we like it or not. [theme music continues]
Nicole
Thanks for checking out this episode of The Catalyst. We really love putting the show together, and we hope you enjoy the content as much as we do. If you liked what you heard, please like and subscribe wherever you get your podcasts. The Catalyst by Softchoice is a Pilgrim Content production in collaboration with Softchoice. Our producers are Jessica Schmidt and Tobin Dalrymple, with production assistance from me, Nicole Francis. Check out the next episode of The Catalyst in two weeks. [theme music continues then fades out]