What's Up with Tech?

From AI to Quantum: Security's Wild Ride

Evan Kirstel

Interested in being a guest? Email us at admin@evankirstel.com

The cybersecurity landscape is evolving at breakneck speed, and few understand this better than Bob Carver, a 25-year veteran who built Verizon Wireless's security incident response team from the ground up. Our conversation at RSA Conference cuts through the hype to examine what's really happening on the digital battlefield.

Artificial intelligence stands at the forefront of cybersecurity discussions, functioning as what Bob calls "a double-edged sword." While security teams can leverage AI to generate remarkably accurate intrusion detection rules, cybercriminals are simultaneously using these technologies to craft increasingly sophisticated attacks. The democratization of hacking tools has reached alarming levels, with "ransomware-as-a-service" offerings starting at just $200 in Bitcoin—making it easier to launch a criminal enterprise than to open a legitimate business. Beyond ransomware, we explore how attackers have adapted their strategies, now often exfiltrating data before encryption to create additional leverage for payment.

The conversation takes a deeper dive into zero trust architecture implementation challenges, particularly when solutions span multiple vendors. Bob provides practical guidance on micro-segmentation through hardened appliances that offer granular access controls ordinary user privileges cannot override. We also tackle the quantum computing threat timeline—possibly just 2-10 years away—and why post-quantum encryption solutions should be implemented immediately, especially for sensitive healthcare data.

Whether you're a seasoned security professional or trying to understand the evolving threat landscape, this discussion offers valuable insights into where we are and where we're headed. Subscribe to stay informed about the cybersecurity trends shaping our digital future and join the conversation about protecting what matters most in an increasingly connected world.


More at https://linktr.ee/EvanKirstel

Speaker 1:

Hey everyone, it's that time of the year, it's RSAC, the RSA Conference, the get-together for cybersecurity professionals, insiders, industry analysts and more. And I'm here with a true legend in the industry, real practitioner and industry expert, Bob Carver. Bob, how are you?

Speaker 2:

Hey Evan, how are you doing? All fine, I'm doing great.

Speaker 1:

I'm doing great too. So great to see you face-to-face and I'm really excited to talk about the hot topics that we think are leading into the RSA conference. Before that, for those who may not be familiar with you and your career, journey and body of work, maybe introduce yourself to the folks, the viewers, the listeners.

Speaker 2:

Sure, you bet. I've been in the cybersecurity field for over 25 years now. Started in the financial industry and was doing a worldwide network back then, and after that went to be employee number one for Verizon Wireless to start their security incident response team. So starting from almost ground zero, but anyway, I've been doing a lot and learned a lot over the years of what works and what doesn't work, and of course things are moving quite fast. So everybody's trying to keep up with what's going on.

Speaker 1:

We are, and that's why I love to chat with you, to get your insights and understanding of trends, challenges, opportunities and more. And, if I understand, you're out of the corporate rat race now. Is that right?

Speaker 2:

Yes, I was offered some money to leave and they told me the amount. I said bye. Anyway, I thought I was going to get a couple weeks of respite and be able to catch my breath a little bit, but people started knocking on my door right after they found that I was going to be leaving, so I haven't had much chance to catch my breath. So, anyway, I guess that's a good thing nowadays.

Speaker 1:

That is a good thing, and you're, you know, an amazing content creator and consultant advisor as well. And you know I call myself a tech influencer. I've been known to post and tweet and blog and make videos a fair amount, to say the least. But you influence me, so you're influencing the influencers, so I'm always excited to chat with, you know, experts like yourself. So let's dive in, if we would. RSA sees so many topics, so many areas of discussion. We could probably go for hours, but let's talk about AI, because AI will be everywhere at RSA and every conference this year. So, you know, what say you? State of AI: friend, foe, both? What do you think?

Speaker 2:

Yeah, I've been saying this long before the masses have been saying this. I said AI is going to be a double-edged sword. It's going to have a good edge and a bad edge. So, anyway, we're unfortunately caught up in that and we've seen a lot of that in the news.

Speaker 2:

Malware has been written right and left, some very convincing phishing messages have been made, and also I think it's helped people be able to get highly customized methods of compromising people, whether it's in the malware or, like, writing just the perfect phishing email, that sort of thing. It makes the bad guys get better and better. And, of course, now the people that are protectors, the blue teams, the people that do incident response, that sort of thing, they're going to have to get better and better because of this.

Speaker 2:

There are several other things that are a concern. One is that a lot of the vendors that are saying that they have AI, you might have to dig a little deep to see if they're truly using AI or if they're just using some sort of basic algorithm or basic logic versus actual AI. The other thing to be concerned about is a lot of these AI platforms. A lot of them have a lot of vulnerabilities and, unfortunately, a lot of those vulnerabilities haven't come to the forefront. We see a few leak out here and there, but I talked to somebody, a friend of mine that was a pen tester, red team, that breaks into systems and companies and stuff, and this was months ago. He had over 500 vulnerabilities that he could count, and again, if I was to talk to him today, I bet you he'd have six or seven hundred, unfortunately, and not nearly all those have been patched or fixed.

Speaker 1:

Well, that's kind of shocking, but not unexpected. Meanwhile, big tech players are jumping in to try to bring, you know, AI superpowers to the analysts and the cybersecurity folks on the ground: agents that can automate tasks and alleviate the burdens on those teams. Have you had any exposure to any of those AI agents? They look very promising, but I guess it's a question of what do they do in practice?

Speaker 2:

I think this is definitely a big area and I think there's a lot of companies that should be taking advantage of these. Very specifically, they can be looking for the latest and greatest of attacks, various types of attacks, whether it's social engineering attacks or malware attacks or that sort of thing. I actually used some of the, not individual agents, but the LLMs to be able to generate intrusion detection rules or signatures to be able to look for various types of traffic, and it was very accurate, probably 95% accurate out of the gate, and just needed a little bit of a touch-up to be able to get it to 100%.

Speaker 1:

Brilliant. Well, the good guys like yourself and the bad guys, both using those tools. In the meantime, you know, the ransomware scourge continues. The latest buzzword: ransomware on demand. Uh, you're making it too easy. What are the barriers for cyber criminals? You too could be an entrepreneur, just jump on the ransomware train. What are you seeing with this new idea of ransomware on demand?

Speaker 2:

One of the things I started talking about this.

Speaker 2:

I was able to speak several years back at an all-EU conference, and then the year after that, back in 2018 and also 2019, I spoke twice at the International Monetary Fund, and I said it's easier for people to go into business being a ransomware shop, a cyber criminal shop, than it is for somebody to set up a corner store in a city, because you have all these different rules and regulations and licenses and that sort of thing.

Speaker 2:

But, you know, to be a cyber criminal and use ransomware as a service, all you gotta do is have enough Bitcoin to pay whatever their fee is, and some of these start, I've seen them, as low as $200, you know, where they can rent malware and start up their ransomware shop. And a lot of times, of course, there may be a big cut, but you can work with somebody else and they'll help walk you through. It's almost like going to school and learning how to be a cyber criminal, you know, but you might pay them some of your cut to make sure that you pull it off successfully.

Speaker 1:

So anyway, amazing, yeah. And the big question, of course: to pay or not to pay? There's been some indication that, you know, fewer folks are paying ransoms, and there's some good news from some of the vendors on backup and recovery that look pretty amazing. We won't call out our favorite vendors, but what do you say on that trend?

Speaker 2:

Yeah. For example, some of the governments, some of the legislation that's come out, they want to make it illegal to pay the ransomware cyber criminals.

Speaker 2:

Their ransom, I think, you know, it's going to be more of...

Speaker 2:

It really is up to the organization to figure out if they need to pay or not. But I would say at the same time that all organizations need to ransomware-proof their organization, so if they do get hit, they're able to recover. And, of course, some of it, as you alluded to there, Evan, is having excellent backup systems, some of the latest and greatest in technology in the backup systems, to be able to recover relatively quickly. But, of course, the other thing, though, is a lot of these guys will exfiltrate the data too, so some of them won't even bother to encrypt your data anymore. They'll just take the data and run, and if you don't pay anything, then a lot of times they'll reach out to your customers, or customers in the database or whoever that you do business with in the database, and they'll reach out and they say we're going to post, you know, all this information if you don't pay us a ransom. So if they don't get the person that was initially hit to pay a ransom, then they might get the customers in that data that's been exfiltrated.

Speaker 1:

Yeah, lots to unpack there. The other topic that keeps us up at night: supply chain attacks, continuing to be more sophisticated. There's open source components everywhere now, there's third-party dependencies. How do we get smart about our supply chain and security?

Speaker 2:

It's not an easy thing. Typically, in recent times, people have been given questionnaires. They say, oh, do you have this in place? Do you have this security and that security and the other security? It ends up being a checklist. But that alone, unfortunately, is not enough. We need to start beefing up the security at every single juncture where data passes from one entity to another entity. Uh, part of that's going to be having post-quantum encryption in place, you know, with, say, the private key, uh, PKI, in place, where it makes it a lot harder. And also we're talking about more zero trust, where only the people that are known to be good are able to get in. They, you know, they're going to somehow verify the person, they're going to verify the devices, they're going to verify which data is available and that sort of thing. And on and on. It's not so much trust and verify as just verify and verify.

Speaker 1:

Yeah, zero trust has been an interesting one. It's, you know, I don't know if you call it an architecture, a philosophy, a framework, but in any case, it still has some pretty practical challenges when it comes to implementation, complexity and performance. Are you seeing zero trust deployed as sort of envisioned in the model?

Speaker 2:

Yeah, I think one of the difficulties now, I think at this point in time, is that you have a lot of different vendors that are doing certain things, and say you have a portion of the zero trust done with vendor A, then you have another portion with vendor B, another portion with vendor C, and it's the difficulty of making all those vendors' products work together. That's one of the big things that I've been seeing that's an issue. One of the things: I'm working with a company right now, and on their advisory board, they have an interesting product. They're doing micro-segmentation via a hardened appliance. You know, micro-segmentation is typically done, it's sort of almost like a firewall of sorts, but it also has access controls built in, access controls saying only this person has this type of access. You know, say through, you know, HTTPS, but then they only have this section of the database, but they have no admin rights.

Speaker 2:

You know, so there's a very granular way to be able to lock down that through this micro-segmentation, and that itself is a type of zero trust philosophy, as you said, to be able to do that sort of thing. But what the difference is between a hardened appliance and one that's implemented on, say, like a laptop or a server: if a cyber criminal gets admin access to that server or laptop, they can take that entire micro-segmentation protection down entirely, just like they've been able to take down endpoint security. Through this being on a hardened appliance, the hardened appliance won't even show up as being a live entity on a network. It just says, well, something used to be here but it's not here anymore, and you're not gonna be able to break into it.

Speaker 1:

Yeah, scary stuff. And speaking of scary potential futures, quantum computing is becoming more and more a reality. Every time Microsoft or Google come up with some amazing breakthrough or more qubits, I get really intrigued and excited. But then you think, OK, there's going to be a possibility of, you know, breaking encryption, state actors breaking encryption, in a number of years. And so you mentioned this world of post-quantum cryptography. How far away are we, do you think, and what are the logical steps to be thinking about between now and this inevitable?

Speaker 2:

I've heard anybody say between two years and 10 years.

Speaker 2:

Two years, oy, that's a little too close for comfort. I am saying that you probably ought to prepare before the two years. If you haven't started, you need to start looking at post-quantum encryption in various entities in your network. Probably the first thing to look at, and it is available now: there are several companies that are able to encrypt sensitive parts of a database or sensitive parts of data with post-quantum resistant encryption right now. Sometimes they call it homomorphic encryption, where you have a certain type of application that you're able to see the data unencrypted while you're working on it, but as soon as you're out of that application, you aren't able to identify any of those sensitive areas of the database. So, for example, what about, like, you know, healthcare? And of course I know you're involved in healthcare a lot, but all the, you know, people's names, addresses, phone numbers, and sometimes they even have social security numbers. A lot of times they have driver's license numbers.

Speaker 2:

That should be encrypted, in my opinion. A lot of the healthcare entities haven't got there or gone there yet, but they need to start doing it.

Speaker 1:

Yeah, and even our healthcare data. You know, our genomic, genetic data. Now 23andMe is potentially going to be sold.

Speaker 2:

So it's gone beyond just our phone numbers and ID, now it's gone into the core of who we are, which is scary stuff. And you probably know, I mean, if somebody has done 23andMe, you better go into your account and delete all your information, like yesterday. Guilty as charged. Exactly. Exactly.

Speaker 1:

Yeah, and it's really shocking how many digital health apps are out there and have pretty poor security protocols, including a lot of, you know, the EHR-type apps that allow you to get into your health data. Many don't even have, you know, things like basic two-factor requirements.

Speaker 2:

It's really shocking, yeah. And to be honest, I mean, I've talked to, and you probably have too, I've talked to a lot of doctors and they just don't want to be bothered too much. They say, I need to take care of the patient. Well, somehow we need to also take care of the patient's data. Yeah, for sure, because some of those people are going to be financially damaged down the road, unfortunately.

Speaker 1:

Yeah, that's a key target. Very, very upsetting. The other thing that's going on is a lot of upheaval in the world of work: the way we work, the way folks do remote and hybrid work, and the downsizing we're seeing. There's a lot of disgruntled former employees, maybe disgruntled present employees, using over-the-top apps like Signal. Too much politics here, but what say you about the future of work and security, because it's looking pretty challenging.

Speaker 2:

Yeah, I mean, and I won't name them, but there was at least one of the VPN companies I specifically recommended some people to drop last year, because about every couple of months they would have a vulnerability and then hundreds, if not a thousand or more, were taken over by cyber criminal entities. Wow. Uh, but unfortunately a lot of VPNs are, I think, reaching closer and closer to the end of their life, and companies need to start looking at zero trust type methodologies of being able to connect to networks remotely. Because of this remote access, of course, a lot of companies are trying to bring a lot of people back into the office again, which will help on some of that, but definitely not on all of that. But yeah, they need to look at zero trust type things and also some of the SASE, secure access edge type capabilities, and see how those stack up. A lot of those might be more secure in the long run for some folks.

Speaker 1:

Yeah, absolutely. The other thing that you and I have talked about in the past is the cybersecurity skills gap.

Speaker 2:

Yes.

Speaker 1:

No offense, but you're not getting any younger. Yes, and sadly, though you look great, sadly there's a gap of at least, even in the US, millions of cybersecurity jobs. I can't believe all of that is going to be filled by AI. Are we making progress in training and equipping the younger generation of cyber workers?

Speaker 2:

You know, I would hope so, but I think there's still some issues. I think there's a lot of management folks that are thinking that they're just going to be able to, their first level and possibly second level analysts are going to be able to be replaced by AI. I don't think that's going to happen overnight. I think we're going to have a start, but there's still going to be a need for people to fill in the gaps and understand how the initial AI triage works and how it's happening, and where there's gaps and how those gaps can be filled.

Speaker 2:

Uh, a lot of employers used to have, um, I guess, you know, more training programs, and it seems like there are fewer companies that are willing to do that, unfortunately. Uh, I think that the idea is that if they're training these people, then they'll go off and get a better job within two years. But in that case, if you aren't bringing in interns and people for the initial couple years of training, they need to start thinking about ways of being able to promote those into higher tier jobs instead of just keeping them down at the lower pay rungs and that sort of thing. So, yeah, I think there still needs to be a lot more work to be done.

Speaker 2:

A lot of the openings, job openings that I've seen, and I'm not actively looking for that sort of thing anymore, I'm doing more contracting and advisory boards and that sort of thing, they usually want somebody with so many years of experience and possibly a certification or two, possibly a degree, just depends on the company, but they're wanting somebody that's already been trained for a few years at least before they'll consider hiring them. So very rarely do I see, okay, in an advertised job at least, a "we're willing to train you." It's like you better be partially trained before you get there, otherwise a lot of times you're going to get filtered out by HR.

Speaker 1:

Yeah, luckily there are a lot of new certifications and self-learning tools out there that didn't exist even a few years ago.

Speaker 2:

So that's good news.

Speaker 1:

Yes. In terms of what's next for you, of course, beyond RSA, you've got DEF CON, Black Hat, tons of other events. What are you looking forward to through the middle of the year?

Speaker 2:

Yeah, um, I'm hoping to be back at Black Hat this year. Uh, um, interesting that I think after the MGM hack and the Caesars hack last year, they sort of decided to remove themselves from DEF CON, and DEF CON had to go to an actual different date than they had before. Before, you could go Black Hat directly into DEF CON, and there was a gap of several days and they had it at the convention center instead. So we'll see if they have it back to back this year, if they're able to schedule that. But those are the ones that I like to see occasionally.

Speaker 2:

I have been to RSA before. I probably won't make it this year. We'll see about in the future. And there's sometimes some local things that are happening. And also there's a lot of virtual events that a lot of times I'll go to. As a matter of fact, there's a virtual event that I go to, usually on a weekly basis, where a lot of folks that have all different types of experience, and they're in multiple countries, meet up and discuss things that have been going on recently.

Speaker 1:

Yeah, virtual events are fantastic.

Speaker 2:

And.

Speaker 1:

I will be at RSA, so if you're looking to have, you know, smart conversations that can help position and promote your solution, I'm happy to have those conversations, with Bob as well, and we're always looking for interesting opportunities to educate ourselves and also our audiences, which are probably pretty massive at this point. Together we probably have a few million followers out there across all the platforms. I know your LinkedIn channel gets amazing engagement, so I'd encourage everyone to follow Bob Carver, and on Twitter at CyberSecBoardroom, and keep up the great work, and look forward to seeing you, maybe at DEF CON. Maybe I can get out there if I can deal with the August heat in Las Vegas.

Speaker 2:

I'll look my way. Take your Uber between buildings.

Speaker 1:

All right.

Speaker 2:

Well, great catching up.

Speaker 1:

Bob, and congratulations on this brave new world as an independent.

Speaker 2:

Yes, thanks Evan, the greatest B2B tech influencer out there.

Speaker 1:

All right, I'll take it. Thanks so much. Thanks everyone for listening and watching. Take care.

Speaker 2:

Thanks.