Jason Duerden: 0:02
If we’re using those language models and those AI models, then the adversaries are using those as well, and so I think that’s already happening, but it’s still the next frontier, where we’re just going to continue to have AI battling AI, with humans assisting the outputs to that.
Michael van Rooyen: 0:17
Today I’m sitting down with Jason Duerden, the Regional Director of Australia. New Zealand Force SentinelOne.
Jason Duerden: 0:24
G’day. How are you Good? Thank you.
Michael van Rooyen: 0:26
Thanks for joining me. Before we start, do you mind giving us a bit of an overview of your history in the tech industry and what has led you to your current role as Regional Director of A&Z for Sentinel-1?
Jason Duerden: 0:37
Feels like it’s been a million years.
Michael van Rooyen: 0:39
You don’t look a million years, by the way, just saying.
Jason Duerden: 0:42
Well, I think cyber does that to you. I think if you ask any cyber professional, they’ll say they feel about 10 years behind. I’ll say 10 years in front of where they are. But yeah, no, I’ve been in the tech industry now 15 years, pretty much straight out of school and all the rest of it.
Jason Duerden: 0:57
I wasn’t really sure what I wanted to do. I think most kids when they’re growing up trying to figure it out and I always knew that I loved technology in one way, shape or form. I didn’t actually study technology skills tertiary education, at uni or anything.
Jason Duerden: 1:13
I studied business and international business but I had a lot of friends who were working in the industry and so once I kind of got through all my travel pieces and did what I call your young thruster years and got that out of your system I decided to get into the industry in a support type role and worked my way through various different types of roles working with tech platforms or architecture, or supporting sales teams and marketing efforts and eventually making my way through to leadership, where I think I found my calling. You found your place in the world, I think so. I mean, some people can be a little bit confronted by the fact of trying to lead people and, you know, pull together a business, but it’s something that I really enjoy and I think having the technical knowledge behind how these systems work and how attacks can unfold has really helped me in my career to be where I am today yeah, that look, that’s super important, right?
Michael van Rooyen: 2:01
I think management, as you said, is an as a skill and some people really take to some, some people don’t. It’s a great call out, especially in our industry, understanding that tech is so important. Sure, you can get good leaders who come from other industries and can lead a team and inspire them and all those good things, but it’s really important, I guess, in front of customers as well as the team, to really understand what’s going on right. It really adds substance. So, really interesting history then. It sounds like you found your calling Again. Appreciate the time today With your role, knowing technical, dealing with technical team, managing a team here on the ground and speaking to partners like us and many other customers.
Michael van Rooyen: 2:35
Can you provide me a bit of an overview on the current cybersecurity landscape?
Jason Duerden: 2:37
in ANZ and how it’s evolved over the years that you’ve been involved in it A lot of different ways. We could take that question. I think, if you wind the clock back pre-COVID, everyone kind of uses COVID, I think, as a point in time in history now that we’ve been through it, but pre-COVID we were really seeing the emergence of product that we obviously work closely with, which is endpoint detection and response, and you know that ability to drive resilience into remediating not if, but when that statement that’s made its way through. You know the realms of cyber over the last number of years and so if you wind back pre-COVID, cyber I think architecture was very much built on that sort of moat and walls scenario and we were really starting to I don’t know whether it’s accept or just embrace the fact that an incident will more than likely happen at some point in time. Right, so you’re really seeing innovation drive really quickly. And I think in Australia and you could put New Zealand, I guess, into the same sort of bucket I think we’re a really interesting place for tech innovation where we tend to be early adopters in certain segments of the market, but the general market is a little bit slow behind potentially the US and some parts of Europe. And so I think, if we fast forward to today, I think it’s no doubt that resilience and remediation has been the key driver for not just endpoint technologies but most security platforms today, and so we’re seeing that play out.
Jason Duerden: 3:53
The proliferation of ransomware is driving that pretty aggressively. That continues to be the number one threat that we observe with our customers and that’s the consequence and outcome. Right, like the leading indicators to that, identity is a massive issue credential theft, phishing but I think the crux of it is the sophistication. Sometimes it’s easy for us to lie on sophistication as the reason and say, oh, it was very sophisticated, we weren’t able to stop it, and that kind of wraps some type of excuse. I think some in some scenarios that is true at a certain level.
Jason Duerden: 4:25
But I think cyber has been democratized and so, particularly on the offensive side, you have ransomware as a service. These groups or individuals are no longer just nation states. Right, like anyone with access to a tool browser can go and download a ransomware payload and send it out. Today, and that’s probably the big difference that’s changed is that democratization, and that’s why we’re seeing not only the big players being attacked but SMB mid market absolutely suffering because they don’t have the skills, knowledge or capabilities to protect themselves, and so I think that’s been a huge thing that I’ve seen change over the last five, six, seven years and I think you’re right the accessibility of these tools.
Michael van Rooyen: 5:04
It doesn’t take that much to work out. There’s no suitable documentation and how to guides effectively and how to do this stuff, and I think we’re also still dealing with younger participants in this area who are, who are more curious, right, can I do that? Can I play that? It becomes kind of a thing. They don’t do long term, but they but just very curious, right?
Michael van Rooyen: 5:20
so just read a couple of manuals, watch a couple of videos and they just want to have a go at not realizing the implications that they’re putting themselves in. If it’s successful and I think that’s the kind of the trajectory we go on people want to play with it. Curious that we’ve kind of made hacking a famous type scenario sitting in rooms with dark screens, etc. We know that’s not the case, but that also have a skills gap. On the other end, right where we’re trying to do defense and offensive capability seems to be more interesting than you know. Things like ai and we can talk about that, but all those add-ons are coming along right I think you even saw like there was a recent group called the com.
Jason Duerden: 5:50
It was a huge, big fbi investigation, a whole bunch of arrests that happened. But their sort of mo was to go and find clever kids online through gaming forums and encourage them to do things for them, and so back to that sort of point of democratization of offensive cyber. That is a perfect example of how maybe not simple but accessible people have become for criminal activity, even if they don’t actually know what they’re doing. That’s right, that’s right.
Michael van Rooyen: 6:16
I mean, I forget the gentleman’s name. You may remember, but he was one of the original hackers, you know, back in the early 90s, late 80s I can’t remember the exact timeline but fbi first of all arrested him and then put him in jail for a bit and then worked out well, this guy’s actually pretty smart and then they end up using him. I forget his name, but, but you may. You may remember, but you know that that’s interesting how we do that. Today that’s happening at a global scale, right? Anyone with internet services can really go and do that on that basis, being able to buy services. You know how do you see the core methods of these attacks evolving? When you meet with customers, what are you kind of telling them to do as their priorities to stay ahead of this?
Jason Duerden: 6:49
ransomware for the most part. You know. When it first started really hitting market was a smash and grab sort of play right like it was very disruptive, destructive. I think everybody who’s been in our industry for a little while now remembers the want to cry, not pet your waves of 20 feels like a long time ago.
Jason Duerden: 7:06
yeah, it feels like a long time ago, but we’re still feeling the effects of that today. Right Back then it was very much. Let’s cause as much disruption as we possibly can and target the industries which will be hardest hit telco sector, healthcare, so on and so forth People that don’t really have a choice but to get back online. With the innovation in protection technologies, the advers had had to also innovate, right like we have to remember that they’re running a business, and sometimes a more profitable business than some of the defensive companies, right, and so when they see innovations in protection, they have to innovate in their offensive capability, and so we’ve definitely seen ransomware can still continues that sort of destructive, disruptive path, but is now more about the data than the actual interruption, and so there’s typically two scenarios that happen Adversary gains access, sits there for a while undetected, and then we’ll exfiltrate the data and then encrypt or just exfiltrate the data and ransom it that way, and so that’s definitely a scenario that we’ve seen unfold.
Jason Duerden: 8:06
We’re also seeing scenarios unfold such as, you know, credential harvesting and theft, which is really important for legitimate access.
Jason Duerden: 8:15
You know, anyone who has RDP exposed to the internet should really not, but it happens right.
Jason Duerden: 8:19
Things go unnoticed, and so that’s a common thread that we see sometimes across the customer base.
Jason Duerden: 8:24
And one of the more interesting things recently I can’t remember exactly who the company was, but I was listening to either a podcast or a news story and it was about this company who, an AI deepfake had recorded either a video or a voice message to a financial controller, head of finance, about shifting money within the company, and they ended up losing $20 million to some threat actor because they’d been able to steal someone’s identity and kind of ransom that identity as a legitimate person, and so that company lost a whole heap of money and it was really fascinating to see that unfold.
Jason Duerden: 8:59
I was actually watching the news yesterday and there was a similar case in the us where a student had created a deep fake about a teacher and they made up all these stories and then the policeman was on the news basically saying that we’d figured out that it wasn’t real, and so I think that’s the next thing that’s happening on that. You know you can call it ransomware, but it’s essentially theft in one way, shape or form yeah, I wonder how we’re going to, as an industry, handle.
Michael van Rooyen: 9:22
You know, two-factor authentication has been one way of mitigating some of the incidents that are happening today, and it’s just only one of many. But how eventually going to be able to do two-factor of a deep fact right? I mean, it’s getting harder and harder. I wonder if ever we’re going to come up with some way of validating that you touch on. If we think about maybe an australian context, then for a sec, australia seems to have more recently amped up its you know stance on on cyber security socky act for ot and a whole bunch of other raft, particularly after some of the breaches that everyone knows about last year, and they’re really trying to drive some legislative changes. In your view, what is the right balance between government-led policies and industry-led self-regulation?
Jason Duerden: 9:56
I actually sit on a policy think tank board within Australian National University. It’s through the Tech Policy Design Centre, one of the projects we’ve been working on. It’s a public project. You can go and have a look online if anyone listening is interested. Some pretty cool stuff there.
Jason Duerden: 10:12
One of the projects we’ve been working on is resilience and risk in the telco sector, which, as you can imagine, has quite a broad view now, where today telco is not just Telstra, optus, tpg, picking up the phone, calling someone, telecommunications is satellite, is data center infrastructure, is social media, like. There’s so many different forms of communication that we have today, and so one of the kind of core principles of that is how do we provide that middle ground, advice, action and policy between public and private sector? And, as you can appreciate, you know, legislation versus innovation is always the constant argument that’s going forward. And so one thing, my personal opinion, is that the my view is at least this government today is making it a priority right, and so throw your political kind of views out, I think. I think the government is doing a good job at making cyber a priority and listening and engaging industry and private sector in their decision making. I think the Sochi Act will be a really interesting exercise, particularly, I think the dates are August 17 or around that time where plans have to be solidified and obviously presented and taken back, and the consequences of that is they’re pretty significant. So it’ll be a really interesting time, I think, in Australian history, particularly with cybersecurity, to see how that unfolds.
Jason Duerden: 11:31
I don’t necessarily know if I have an opinion on whether we should be as aggressive on legislation or not. I think I’d like to see how the current model plays out, because I think there are some significant penalties that exist if we’re not meeting the requirements, which I think in essence, there needs to be some level of accountability, and so I think we’re at a good starting point to do that. The evolution of things like AI frameworks in privacy and we saw in Europe they’ve implemented certain types of responsible AI use so I think it’d be interesting to see what Australia does in following that. I think there’s policy creation that’s in flight, with some enforcement coming. That will be interesting to see how that unfolds. I just wonder, like is the designation that’s existing under these policies broad enough or not, or too thin? And then the penalties are they actually going to make people stand up and do something about it and it might take the first major breach of that policy or legislation with a penalty to come back, and we’ve seen a couple of those over the last 18 months with some of the major breaches that have occurred, and sometimes that makes you stand up.
Jason Duerden: 12:35
One last thing on that, as part of the reform group we had been discussing does Australia need to consider having board level statements? And so a board level statement is something like the anti-slavery that boards have to sign off on. Right, there is a conversation and, I think, a pretty decent groundswell of support for something like that, for cybersecurity aligned to safety and, you know, people’s safety, not just for employees but for, obviously, our communities, and so, again, it will be interesting to see. I think I actually read in. There was a board level cyber policy document that came out from Claire O’Neill’s office with the Australian Institute of Company Directors, which was alluding to some of those details, and so that came out, I think a month ago. Again, recommend it. It’s a good bedtime read if you want some light reading, but I think that’s probably the next wave of responsibility that will come through.
Michael van Rooyen: 13:27
Yeah, look, I agree with all that and I’ve definitely noticed, you know, the Australian government getting a lot more drive behind it. Right, we needed it. The US has obviously been at the forefront of it for a long time, and so has Europe to some extent, and it was great to see that, you know. And then Sentinel-1, you know has been at the forefront of cybersecurity solutions, you know, since its inception. That’s why it exists. Can you share some insights into how your extend detect response XDR? For those who are listening or don’t understand what that is, what the product addresses and how possibly addresses, not only cyber as a whole but more specifically, anything in Australia and New Zealand?
Jason Duerden: 13:56
Yeah, so I mean the outcome that we are working towards is protection, right. That’s what we do is mitigate risk, and we do it in an effective way, and I think if you speak to a SentinelOne customer or a partner, hopefully that’s the feedback that you receive. I feel pretty confident in that, but we’re also we’re there as a partner, right, like I think one of the things we really focus on is the ability to be there in the good times and be there in the not so good times, right, because, at the end of the day, that’s what cyber is all about, and so we really pride ourselves on being that trusted partner and showing up when you most need us. On the technology side, xdr has been one of those platforms where it hasn’t necessarily been adopted right at the top end. You generally see the bleeding edge tech goes to the banks and Defense and all the rest of it. That doesn’t mean they’re not adopting it, just means the initial launch. It was really suited very well to that mid-market SMB, mssp model, because they’re already struggling with lack of resources and too many tools and not enough capability. What we’ve seen at the enterprise level is customers who have been running their own XDR model really adopting the AI capabilities right, and so, if you think about Sentinel-1, we address three to four key areas.
Jason Duerden: 15:06
Ransomware, as we’ve discussed, is continuing and that proliferates through any customer environment.
Jason Duerden: 15:12
As I said, we feel it’s very democratized and accessible, so everyone is a legitimate target today.
Jason Duerden: 15:17
The identity components so wrapping in deep fakes, credential theft, misuse legitimate use of credentials is very difficult to detect, as you can probably appreciate, and so having the ability to combine that with your endpoint telemetry is super valuable and super important.
Jason Duerden: 15:34
Cloud risks is something that we’re super focused on addressing. Made some great acquisitions and innovations in our CNAP platform today, and that’s bringing huge value to customers where, if you think about the workflow of a user, you’re accessing an endpoint, you’re using your identity and you’re more than likely logging into cloud-based workloads and services to do your job, and so, again, that consolidation piece has been super valuable for our customers and our partners. That fourth pillar is breaking down that silo, so not only just having consolidation in threat management and detection, but also consolidation in your cost base. If you’re paying for EDR data over here, siem data over there, cloud logs over here, you end up not only being disjointed from how do I find the root cause of the problem, but I’m paying X X, x X instead of having to pay one cost center, and so that ability to consolidate the threat management and cost management has been super valuable for our customers, and we feel like that architectural difference is what’s helping us win.
Michael van Rooyen: 16:35
Yeah, great, and you guys have done some sovereign type facilities, you know, with your XDR product right for Australia. So that’s one of the key differences as well for your offering for the Australian market. Can you just touch on that for a moment?
Jason Duerden: 16:46
We made the investment, or made the decision to invest, in Australian-based infrastructure about a year ago and it got completed almost four months ago now, and so there’s a couple of reasons we did that. One we believe strong local ecosystem is important to protect our country.
Jason Duerden: 17:02
And so making investments into the local region is important. Being an American company, I think it’s our responsibility to ensure that we’re contributing back to the market, and so infrastructure means that more markets become available for local partners to work in government, healthcare, financial services, and so number one economically. It was a great position for us to help give back to the community because we’re out there selling products and services.
Jason Duerden: 17:27
Number two we feel that, as cyber continues to unfold, residency and data sovereignty becomes more and more important for particularly government clients and particularly industries which are supporting things like the AUKUS agreement. One of the things we’re very, very much focused on is helping our nation build a more resilient future, and and that’s part of why we made that investment and so we’ve delivered the services. It’s an isolated cluster, no data leaves australian shores, and we’ve also gone through our irat protected status to ensure we’ve got alignment with the, the ism, so that gives our customers that real assurance right for those critical customers who need that as a mandate, allows you to really play heavily in the government space.
Michael van Rooyen: 18:05
Leading on from that, you know what do you see as a leader in the space, you know, in the next few years. So are there emerging trends or threats that you are seeing that customers and organizations be aware of?
Jason Duerden: 18:16
yeah, I mean, I think the biggest thing we’re tracking is the ai generated attacks. I think on the defender side, a lot of companies are coming out with generative AI capabilities. SentinelOne has our Purple platform, which is really cool, proving to be hugely valuable for our customers. I’ll tell a funny story. We actually did a really cool internal test on how we would fare from our SE community versus our threat hunting community. I don’t know if you’ve heard this story before, but we have a Capture the Flag event and we’ve got the two groups running. I don’t know if you’ve heard this story before, but we have a capture the flag event and we’ve got the two groups running.
Jason Duerden: 18:48
We gave the SEs our purple tech and we left the threat hunters to do what they do normally. The top I think 15 or 16 were the SEs. Wow. So that’s the level of improvement, efficacy, speed that purple can bring, and so I think, aligned to that, innovation in defensive capability is driven by innovation in offensive capability and we’re really seeing the proliferation of ai driven attacks. Adversaries are not sitting there writing code, like if we’re using chat, gpt for efficiency, not necessarily in sentinel one, but just in the general world, if we’re using those language models and those ai models, then the adversaries are using those as well, and so I think that’s already happening, but it’s still the next frontier where we’re just going to continue to have AI battling AI, with humans assisting the outputs to that.
Michael van Rooyen: 19:32
So AI, it’s good to touch on the platforms you guys are building in relation to AI and everyone’s talking AI and we know that’s really, you know, assisted intelligence, augmented intelligence but you know, let’s talk about briefly the you know the continuous skills shortage, right? So cyber skills have always been hard to get. Yes, sure, there’s lots of tools and services now making it better. From your point of view and what you’re talking to customers about, how do we attract and nurture new cybersecurity talent, both globally and in Australia?
Jason Duerden: 19:58
Yeah, I think we have to. I’ve talked about this topic a few times, and one of the things we try to do is make it fun. I think sometimes we take ourselves very seriously as humans, but particularly in cybersecurity, and I think you know, remembering that what we do actually matters to society is important, but also to have fun while we’re doing it, and so we can create a really cool concept around protecting your company, protecting your country and doing what we need to do to have a better life protecting your company, protecting your country and doing what we need to do to have a better life and so, I think, investments in things like marketing around why it’s important to get into cyber. What are some of the value propositions?
Jason Duerden: 20:33
I’ve seen some cool stuff again coming out of the government in terms of educating the general population and trying to create those cyber heroes.
Jason Duerden: 20:40
We look at firemen and police and ambulance workers rightly so as heroes in society and hopefully one day, kids start to look up to cybersecurity analysts as a type of hero, because we’re just doing the work in a different way, and so we really try and do that. I mean, we launched our first internship program last year, which was really cool. I was super, super proud to see that get up and running Albeit it’s a small internship program but it’s a start and again starting to really partner with some of the universities to develop those skills On the tech side. This is where the AI platforms come in. We’re never going to have enough people right, like as much as we want to and try to and talk about the shortage, that gap’s not going to significantly close anytime soon, and so we need tech platforms to help us do that and not just close the gap, but take the skills shortage from level one analysts to say a level three really quickly. And that’s where the AI technologies come in.
Michael van Rooyen: 21:37
What’s the one piece of cybersecurity advice that you often find yourself giving CEOs and boards that are consistently underestimated?
Jason Duerden: 21:43
Yeah, I always say don’t underestimate the power of burnout on the people. That’s a good one At the end of the day all the cool things that I’ve just talked about with technology and innovation and things that we build. It’s not standalone, right. There are still people involved in this process and it’s the agile people process technology kind of model.
Jason Duerden: 22:02
What we’re trying to do is obviously lower the dependency on the people, and so it’s very common in cyber to have burnout, no matter what part of cybersecurity you work in, right, because it is always on, it is 24-7, whether you’re a defender, whether you’re in marketing, whether you’re in sales, everything we do, we’re all trying to achieve the same goal, which is prevent bad things from happening to companies and people that we care about. And so I think I always say don’t underestimate the power of the people, not just educating them, but their wellness and well-being and making sure they’re happy and safe. And, you know, particularly mental health is, I think, something that gets overlooked in our industry. It’s really easy to get caught up in the day-to-day thousand things that are happening, and I think taking a step back in a moment to check in with people is something you know that I really focus on and advice that I try and give, as best as I can, obviously to other leaders in in our industry.
Michael van Rooyen: 22:52
So that’s a really good piece of advice off that. What is the other advice you give leaders in your space so your peers and people who work for you or customers you know around, staying ahead of rapid evolving threats and technology changes that touch on cyber?
Jason Duerden: 23:05
Yeah, I mean, I always just talk about educating yourself and so participating in forums, turning up to things, reading blogs, being active in your community. I think that’s the only way that we continue to be better and, as I sort of said at the start of the call, being there in the bad times, not only the good times, and so I know this is more of a people sort of answer again, but I strongly believe that all of the things we do in technology innovation will continue. Yes, it’s about how we then take that out into the market with our customers and our partners and how we work together closely, and so that’s the number one piece of advice I give to my team is learn as much as you can and always turn up, always be ready. Don’t underestimate that nothing can happen. Something will happen, and that’s how we keep our customers on the right path as we get near the end of our catch-up.
Michael van Rooyen: 23:51
Today, you know, when a major breach happens, it’s easy to blame a focus blame on someone else, right? What’s the constructive way leaders should think about breaches and to improve resilience for the future?
Jason Duerden: 24:01
yeah, dynamic question.
Jason Duerden: 24:03
I think know the best examples I’ve always seen is the lean into it, right, and so breach occurs.
Jason Duerden: 24:10
You know, nine times out of 10, we see breaches occur because of some level of misconfiguration or blind spot or some area where there was, you know, the protection kind of wasn’t there.
Jason Duerden: 24:21
A user clicks on something, whatever it may be right there’s generally some level of explanation, and so leaning into that, that, understanding it, communicating effectively and communicating in a light that allows progress it’s really easy to get into a sort of blame scenario in breach fight or flight situations and I’ve seen those unfold before but one the more successful ones. They lean into it and understand the root cause and then make a plan to move forward. And so, again, we obviously participate in incident response engagements relatively frequently, some very high profile ones where there is a lot of pressure to understand the results and outcomes and I think, trying to, I guess, not pour cold water on it but remain calm during those times and understand that things have occurred and we have a way to not allow them to occur again in the future. So I think leaning into it is the is the most important thing I’ve seen and jason.
Michael van Rooyen: 25:12
One question that I ask all my people that are on the show is can you tell me about the most significant technology change or shift that you’ve been involved with in your career pre, post and current and you know how does it impact your perspective on cyber security today?
Jason Duerden: 25:25
I think personally it was going from limewire to spotify, so that was a pretty significant shift.
Michael van Rooyen: 25:32
That’s a good one.
Jason Duerden: 25:33
I like that no longer have to wait three hours to listen to a song I think, in cyber, like I mean.
Michael van Rooyen: 25:38
I honestly have to be cyber, by the way, could be any. Any technology change you’ve seen?
Jason Duerden: 25:43
yeah, okay well, just in general, I think there’s plenty of examples of innovation, like the iphone.
Jason Duerden: 25:49
You know, having a computer basically the size of your palm these days, it seems if you were, you know, growing up as a kid in the 90s or even in the 80s, it seems so far-fetched that that would even be possible.
Jason Duerden: 26:00
So that’s a massive advancement. Having a camera in a little device that you can also talk on, that you can listen to music Pretty groundbreaking, it’s pretty cool, right. So that’s probably, as a human growing up in society, that was probably the biggest moment of innovation and change. And I think, as an adult in working in the IT industry, that Gen AI is having that same effect today, right, like even logging into Instagram now and you get the Meta AI little bot that sits there and you can just ask it a question. Even talking to Google, turn my lights on what’s the weather today, what meetings have I got coming up. Some of that, you know, as a kid growing up in the 90s just never would have even thought that that would be a possibility, and so I think that’s pretty cool and maybe scary at the same time. As to what’s going to come next, completely agree.
Michael van Rooyen: 26:43
Well, jason, look the same time as to what’s going to come next, completely agree. Well, jason, look, I appreciate the time again. Thanks for spending the time with me today and, yeah, appreciate it. Awesome. Thanks, mate. Have a good day.
