Michael van Rooyen:
0:00
Today we’re bringing you part two of my discussion with Glenn Maiden, Director of Threat Intelligence at FortiGuard Labs, ANZ. If you haven’t listened to part one yet, I suggest you do that first. If I think about AI and machine learning, we have to talk about AI.
Glenn Maiden:
0:14
It’s KPI here. It’s a new blockchain.
Michael van Rooyen:
0:17
That’s true. That’s true. And thinking about AI and machine learning transforming different areas of cybersecurity, both defence and attack: how are these technologies being used by the defenders and the attackers, and what are the implications for threat intelligence?
Glenn Maiden:
0:36
Yeah, so we touched on this before, when I mentioned the 500 human Russians.
Glenn Maiden:
0:42
And you think of some of the early social engineering attacks. You know, “get your free iPhone here” or “here’s your DHL”, and it’d have spelling mistakes. In a lot of cases it was absolutely obvious that it wasn’t right. So now with AI, we could have an attack, even using things like voice or video, but definitely written, where it could be close enough to me attacking you, or a message coming from me, that even I wouldn’t be able to tell the difference. So I think there’s going to be a real explosion, certainly on the attack side, and I can tell you from our perspective on the defender side there are some quite innovative capabilities coming in. So I mentioned before that there’s sort of AI on AI. We’ve trained our AI as a very standalone system to detect threats both against computers and within the network. So that’s one thing. But we’re also putting Gen AI on the front of many of our systems, and we did a demonstration recently.
Glenn Maiden:
1:38
If you imagine you’re the SOC analyst, you’ve got more alerts than you can ever process as a human. You’re looking across five different systems in a lot of cases, maybe 10, maybe 20 different systems. I’ve got to go out and pull logs off one system. I’ve got to transform them, maybe run a Python script over them so they can be fed into the next system, and I’ve got to do all these different things to be able to work out what’s an alert and what’s not. Also, I’ve got to be trained in all these different systems so I know how to interact with them. So we did a test by putting an AI agent on the front of some of our security operations tools, and you can just go in like you would with ChatGPT.
Glenn Maiden:
2:17
Tell me more about this threat, tell me where I’ve seen this anomalous IP address elsewhere in my network. Oh, can I please just contain those? Can I make sure that they can’t get anywhere else? So there’s some really nice innovation happening on the defender side, under the very, very true assumption that the security analyst is the unicorn. The one constraint we’re always going to have is smart analysts, smart security engineers, smart responders. There’s just not enough of them and there never will be. But if we can make their lives a little bit easier, and they’re not having to go through and do data mining and data transformation and learn five different systems, we can make a lot more of their time effective in defending us.
Michael van Rooyen:
3:09
If I then pivot a little bit onto supply chain, because that’s, you know, people always attacking specifically an entity or a targeted attack. But supply chain is definitely gaining, and I’ll kind of tie the two together here. Supply chain is definitely gaining attention over the years, or more recently, and also critical infrastructure is becoming a real national security priority. I know we touched on it a little bit earlier, but what are some of the unique challenges facing both the supply chain and the critical infrastructure sectors?
Glenn Maiden:
3:28
Yeah, so there’s a lot to unpack there. From a supply chain perspective, I mean, we’ve seen, and I know I’m going back a few years, but SolarWinds, I think, was a really, really good example for us to learn from. So in that particular attack, Russian threat actor, their target, their victim was US government and US defense industry, right? And if you think of that, well, they didn’t actually attack the US government or the defense industry, at least not for six or 12 or even more months. Before they went through, they were able to compromise the SolarWinds organization, and they do a lot of system management tools. They went through and wrote bespoke custom malware that looked like a SolarWinds agent. They wrote custom malware. Crazy, yeah. But also, even in terms of the command and control traffic, that actually was encapsulated into some of those proprietary SolarWinds protocols.
Glenn Maiden:
4:24
So again, I think of myself as a SOC analyst. If I’m looking at this Russian attack, I’m going to see SolarWinds.exe running on a server. I’m going to see SolarWinds go back to SolarWinds HQ. I look at that: it’s the right port, it’s the right traffic. That would be so, so difficult to detect. And so obviously, once all SolarWinds customers went and updated, as we tell everyone to do, well, we’ve got a patch, we’ve got a patch, we’ve got a patch, they went through and then downloaded the malware onto their machines, and then, from there, that’s where the threat actor went mad. So supply chain is so, so important, because all these different organizations and these different vendors that we’re using are all definitely areas where an attacker could get in, if they can’t get into you in the first place.
Michael van Rooyen:
5:10
And then that leads on to critical infrastructure, right, which is, you know, skills gap, a lot more connectivity now into these processing facilities, critical infrastructure being so important. And same thing, right: you’re not actually trying to target specifically, maybe, the output of the critical infrastructure. But how do we get into those five different mechanisms? Right, could be through third parties, might not be the blast rate of sprinter, but it might be from an external source, right?
Glenn Maiden:
5:32
Yeah, and I think this is where, as I mentioned before, we probably need to have more of a sense of urgency. So in Australia, and I guess it’s probably the same everywhere, so much of our critical infrastructure is operated by the private sector. And I know here in Brisbane, and there are organisations like ORO, we talk cyber every single day of the week. I come from Canberra. The population in Canberra and FedGov is quite well informed about cyber. They know the rules and regulations. They’ve got relatively decent maturity around their networks.
Glenn Maiden:
6:02
Like everyone, it’s always an ongoing process, but I think the further away you get from Sydney, Melbourne, Canberra, Brisbane, north and west, that’s where a lot of our critical infrastructure is. So, whether it’s a mine or a gas plant, that’s where some of these critical processes have been operating for probably 50 years. And now all of a sudden we’re putting a Starlink or something on the top of them and opening them up to those attackers that we mentioned before, sitting up there in Romania or in North Korea. And again, the legislation that Home Affairs has just come up with is great, the security of critical infrastructure. It gives all these critical infrastructure entities and operators a baseline level of cyber maturity, but certainly there’s a lot more to do there.
Glenn Maiden:
6:46
So where I always think back to defence, we would say effects-based operations. If I press a button here, it might actually go through a chain of processes, maybe five, 10, or maybe two, but the outcome’s still the same. So maybe I want to hit some sort of processing facility, and that might mean that we can’t have fresh bread for two or three days.
Michael van Rooyen:
7:07
So, very, very, very frightening stuff, which probably leads on to a little bit of the weakest link in the chain, which is a people issue. Right, and people are generally always some of the root cause of some of the problems, as in the attacks, but could be not educated properly around malware or ransomware, all those sorts of things. So we know that cyber is not just a technology issue but also a people issue. How can organizations build a strong cyber culture amongst their employees and stakeholders to help mitigate that? Is it hygiene, is it training? Is it more investment? What are your thoughts?
Glenn Maiden:
7:43
I think again, and this is a challenge, and I’m probably a little bit different. I mean, obviously, for organisations like Fortinet and like mine, we’ve got free cyber training for anyone that’s interested in it. But I think, as an industry, where we have failed is, you know, again, I think of my mum, or I think maybe of a tax agent that is wearing a cardigan and all they know how to do is your accounts. And they know that. Well, I don’t know about that. You know, I pay someone to do my taxes because I just cannot comprehend it.
Glenn Maiden:
8:12
But by the same token, we say, well, you know, tax agent, you also have to understand cyber, and it’s such a complicated global threat. I don’t know exactly where it’s going, but I think certainly things like primary school. You know, we give all our kids basic information around how the economy works and basic mathematics. I think we’ll have to eventually get to the point where every school leaver, whether they’re becoming a hairdresser or a chef or an accountant or even a cyber security systems engineer, will at least have basic cyber: how to spot a phishing attack, how to have good password hygiene, how to have good backups of your personal data, all that basic stuff which, unfortunately, a lot of people are still learning the hard way.
Michael van Rooyen:
8:53
And you’re absolutely right, and it’s something that will take a little while to get there, and it’s very important that education starts early. It’s not going anywhere, right? As we come near the end of our discussion today, I wanted to touch on a couple of other points, considering the roles you’ve had over the years, leading teams and working with customers, et cetera. What advice would you give security leaders on staying proactive and continuously adapting to the evolving threat landscape, or staying ahead of cyber, if that’s their passion?
Glenn Maiden:
9:23
I think the best thing that we can potentially do is have cyber people that can probably just relax a little bit and learn to become more part of the organization. I remember I spoke to the CISO for one of the big four banks, this was a long time ago, maybe 10 years ago, and he said, I’m not the CISO of this particular bank, I’m a banker, and all I have is a whole bunch of levers that I need to push up or push down to make sure that that risk stays at an acceptable level. So you know, if I was that guy and I was a Nazi CISO, no, you can’t do that, you would get to the point where that bank would not be able to do its business. So every single thing we do carries an element of risk. It’s just how we can do that as an organization with the lowest amount of risk and the most amount of risk that we’re able to tolerate.
Glenn Maiden:
10:16
So you can’t do that alone as a CISO or a security leader. You have to be working with the business, you have to be working with the people, otherwise they’ll just find workarounds. And again, this is where it’s going actually, Michael, which is good. Having cyber as a key part of the business is the important thing, because it’s not a business impediment like it used to be. Having a good cyber culture now and having good cyber hygiene is now a competitive advantage. I would rather do business with someone like Oro, because I know that you care about cyber and I know that you’re going to protect my PII. I know you’re going to protect my sensitive IP. If I thought of your competitor down the road, where they’re trying to do things for the best price, lowest price, least, I’m not going to go and work with those guys, because I know that the risk is going to be too high.
Michael van Rooyen:
11:02
Yeah, fair enough too, and part of that is continuous learning, right? It’s all around, as a leader, staying at the forefront of it, understanding it. You’ve got teams, obviously, and lots of ingestion places and lots of sources of data, but it’s really about that continuous learning, right, and staying updated with it, to be ahead of these things and not getting caught out by them.
Glenn Maiden:
11:23
Well, I think so, but also working with smart people. So, from my perspective, as I said before, if I was the CEO of that bank, I would not expect that CEO to be a cyber expert. I would expect him to understand cyber risk, and I would expect him, or she, I should say, I’m being a bit presumptuous there, a bit old-fashioned, he or she should then go and talk to the head of security and be able to have intelligent conversations. What are the best, most relevant controls and systems and devices and people and process for me to protect my organisation?
Michael van Rooyen:
11:55
Considering your career and what you’re doing today, and reflecting on your career so far, what would have been some of the most memorable or challenging experiences in the field you’ve worked in, and maybe even threat intelligence? You get to see some pretty cool stuff, no doubt. And what have you learned from it? Any key learnings from your time in your career?
Glenn Maiden:
12:13
I was lucky. I was very, very lucky. So, as I said, I started out in the 90s just as a bit of a computer nerd, playing around in a lot of cases with hardware, you know, plugging in Cat5 cables, crawling under floors, cabling, building servers. I was one of the first guys to put a server farm together with all those blade servers in Australia in the late 90s. But I got really fascinated by cyber in the early 00s, and not because it was popular then. I mean, if you were lucky, you had a firewall at all, maybe some antivirus on the endpoint, but I was absolutely fascinated about how you could compromise a system or break into a system. So it’s only been in the last few years that that’s become something that’s so important. And now all of a sudden, I get to come and talk to you on a podcast.
Michael van Rooyen:
13:01
I’ve got something worth saying.
Glenn Maiden:
13:03
But that’s been the key for me, and I think it’s all around, you know, when people talk digital transformation, and then the invention of the iPhone. So we’re now able to pretty much run our lives with a little powerful pocket computer in our hand, and the bad guys know that they can make some money out of it. So now, unfortunately, and I remember I was so impressed, I saw Anthony Albanese sitting up addressing parliament, talking about cyber risks. Can you imagine that would have happened, maybe not even that long ago? Not at all, yeah, not at all. Right, even in Kevin Rudd’s time.
Glenn Maiden:
13:35
Did he ever say cyber? Probably not.
Michael van Rooyen:
13:37
No, it would have been an unusual term, right, and now it seems like we’ve had it around forever, right? I mean, that’s how quickly things evolve, and it’s not going anywhere. On that, do you have any predictions of any significant shifts you see in cyber over the next few years?
Glenn Maiden:
13:53
Yeah, I think so. So I won’t go back into AI. We can probably touch on quantum. So one of my concerns about quantum is this idea of data harvesting. We know that eventually someone’s going to move enough qubits, I think what are they doing now, like 80 or 100 at a time, so someone’s going to be able to move enough qubits to make the first quantum computer, and we’re not going to read about it on…
Michael van Rooyen:
14:18
X, CRN. Yeah, we’re not going to. No, no.
Glenn Maiden:
14:20
So what will happen? It will be, hopefully, one of the good guys, one of our Five Eyes partners. If we’re unlucky, it’ll be a hostile nation state, and again, it’s not going to be on the news. But what they will be doing right now is finding where there’s data being transferred, either over a satellite link or a cable that they might be able to get hold of, and they’ll just be sucking all that into a massive big database somewhere. And once they do have that quantum capability, running it through a decryption system, bust the encryption, they’ll have access to all this sensitive data. And while it won’t be the most recent, you can imagine just how powerful any of this historic data is, so it could absolutely bring someone unstuck. So I think definitely quantum is going to be a game changer.
Michael van Rooyen:
15:03
Quantum is a fascinating one, because you’re absolutely right. I watched a documentary recently where they talked about the amount of dollars being spent in the US and China to lead the quantum charge. And you’re absolutely right. Even at one of the recent Gartner symposiums I went to, they were talking about the same challenges, not only around the harvesting of the data, but also that this stuff’s going to be powerful enough to break the encryption that we’ve got today. So we have to think about a problem potentially bigger than Y2K, which is how do we re-engineer, how do we re-secure, how do we, things like VPN, you know, it could be broken quite easily if they get that right. So it’s a pretty scary prospect to think about, and I do believe that it’s closer than people think. Right, you’re right, someone’s going to crack it soon. No one can hold me to the timeline, but I think it’s going to, and it’s quick, and you’re right, no one will hear about it. It’ll be done in some skunkworks somewhere that might’ve already potentially.
Michael van Rooyen:
15:52
Yeah, yeah, yeah, I mean this is stuff we know about, as they say. Right, so as we wrap up, Glenn, any key messages or takeaways you want to share with the listeners before we finish up?
Glenn Maiden:
16:02
Yeah, I think “don’t panic” is probably a good one. So, as I mentioned before, the threat actors are getting more sophisticated, the attacks are getting more sophisticated. The time, and I didn’t mention this before, the time for an attacker to turn a vulnerability that a vendor might disclose into an attack, and attack real victims in the wild, that’s all the way down to about four days now. So they’re really, really rapid in deploying an attack based on a vulnerability. So the time for us, as defenders, to go out and patch these devices is getting hard. So there are absolutely a lot of challenges around keeping ourselves secure.
Glenn Maiden:
16:41
But I think, from a “don’t panic” perspective, as long as you’re proactive and you build that resiliency into your systems beforehand, you think about what your assets are, you think about how they’re connected, get your network into a defendable place, and then you go back to the really, really old school type of things, like role-based access, defence in depth, then it doesn’t matter if you might lose one battle, you won’t lose the campaign. So I think, as long as we’re thinking about this now, we’ve got a sense of urgency, we’re building that resilience into our people, process and technology, I think we have got a fighting chance.
Michael van Rooyen:
17:16
And the last question for you today is: tell me about the most significant technology change or shift you’ve been involved with or you’ve seen in your time. It can be anything. It doesn’t have to be cyber related. It could just be what’s changed the world, or what you’ve seen that’s important here.
Glenn Maiden:
17:29
I’ll be showing my age now, but I do think it was probably the iPhone. So I remember, as you do, having your PC with the old dial-up internet, and I remember talking to one of my mates that first got DSL, and he’s saying, I just leave my computer on all the time, you don’t turn it off. And not very long after that, we started to put something more powerful than that old computer into our pockets, and so all of a sudden, now we’re not only accessing the internet from our homes, but from anywhere.
Glenn Maiden:
18:00
So I think that’s when, you know, obviously the internet had been growing and growing and growing before then. But after that point in 2007, that first iPhone, and I don’t know how long it took before the adoption was pretty much everyone, that’s when I think it changed. That basically turned us from people that would occasionally use technology in discrete blocks, to having it sitting there, staring into our phones every single day. So I’m saying probably 2007, 2008 was the game changer.
Michael van Rooyen:
18:29
Look, I agree, it’s a fundamental shift, right, and I see people just living and doing everything on their phone. It’s so powerful and so incredible, right. In fact, I saw a cartoon the other day where it was a park bench with two robots, effectively AI robots, the ones that they’re trying to invent with the Teslas of the world, et cetera, sitting on this park bench. One was reading the newspaper, one was drawing a painting, and all the people were walking past just looking at their phones, completely oblivious, and I thought that just really summed up the way we’re living, right.
Glenn Maiden:
18:58
Oh, and isn’t it crazy? So we could be sitting here today, like now, with our phones sitting right next to us, and have our bank accounts drained while we’re sitting here.
Michael van Rooyen:
19:05
It’s true.
Glenn Maiden:
19:06
So it is amazing to think of.
Michael van Rooyen:
19:09
Yeah, it’s absolutely incredible.
Glenn Maiden:
19:10
We don’t have to, like, walk into a bank and get robbed by a guy in a mask. Someone can be draining our bank accounts right now if we haven’t got good cyber hygiene. It is terrifying.
Michael van Rooyen:
19:19
I tried to end on a positive note. You did. Now I’ve ruined it. No, no, no. But look, those are some considerations. Look, Glenn, I really appreciate your time. Catch up in Brisbane. Really insightful conversation today. Thank you very much for having me. No problem at all.