Securely Connected Everything S2-4: An Evolving Frontier: Navigating Cyber Threats and Defences with Wayne Phillips

Embark on a thrilling expedition into the heart of cybersecurity as we sit down with Wayne Phillips, APJ Field CTO for SentinelOne.

His story isn’t just a climb from desktop support to CTO; it’s a revelation of how the digital defense landscape has shifted, with assets and data needing vigilant guardianship. In our chat, Wayne peels back the layers of cybersecurity strategies, discussing Zero Trust architecture and the significance of Cloud Native Application Platform Protection. Prepare to gain a deeper understanding of the tactics that keep businesses shielded in an era where technological advancements are both a boon and a battleground.

Imagine a world where cyber threats are as cunning as they are relentless—welcome to the current state of cybersecurity, which Wayne Phillips knows all too well. Our conversation ventures into the darker alleys of social engineering, where phishing has evolved past the bait and hook to a shark in the water, thanks to generative AI. Wayne’s anecdotes serve as a stark reminder of the human element’s vulnerability in the face of increasingly sophisticated attacks. We tackle the hard-hitting implications of ransomware-as-a-service and the strategies to fortify defenses against the mirage of deep fakes and the necessity of robust authentication measures.

As we round out our discussion, we touch upon the transformative impact of AI and the open XDR platform on cybersecurity. Wayne brings to light not only the technical aspects but also the leadership challenges, helping us understand how to communicate the ever-present nature of cyber threats to those at the helm of businesses. Through his insights into generative AI’s potential and retrieval augmented generation for threat analysis, we’re offered a glimpse into a not-so-distant future. A future where our protective measures against cyber threats are as quick and intelligent as the minds behind them—a future where knowledge empowers us to stay one step ahead.

Wayne Phillips: 0:02

But generative AI. The fact that you can have an almost sentient conversation with the computer is mind-blowing. I know quite a lot about it and I still don’t understand the maths. It’s akin to fire, like for cybersecurity.

Michael van Rooyen: 0:15

Today I have the pleasure in having a chat with Wayne Phillips, the APJ Field CTO for SentinelOne. Welcome, wayne, thanks for having me. Great Before we get started. Great to have you on the show and to kick things off. Do you mind sharing a little bit about your journey in the tech industry and what led you to your current role as APJ field CTO for SentinelOne? Wow, that’s a lot.

Wayne Phillips: 0:37

Unfortunately I’m old so that’s going to take a while. But I started off on desktop support. So technical start, you know, work my way up to solution engineer, did some work in the mobile space. So I was doing a lot of enabling companies to have a mobile workforce. The iPhone came out. I was part of a system integrator that did a lot of mobile. We tried to find a solution that would cater for the large end of town and financial organisations. We couldn’t find one so we ended up building one. So I ended up being the CTO of that company. The owners launched that. We were actually at Gartner Magic Quadrant bottom left hand corner. You were still on there. Yeah, I think it was the only MDM in the Southern Hemisphere at the time.

Wayne Phillips: 1:14

Then I ended up working for Matrix 42, which was a German company, which was a nice change because they bought the company. So I went to kind of integrate that product into their portfolio and then kind of loved that journey and then really wanted to get into Vendorland just because I’d had the benefit of building tech. I love the idea of adding features and functions to tech and then deploying to customers. So then I went into cloud security when we were building the MDM platform. We had to build the cloud infrastructure, so the whole how to build. So it was like physical to virtual, virtual to cloud, cloud to cloud. So I did a lot of that work and then we were going into building. I wanted to take that into the product world. So I worked for a cloud security company because big loss. And then from there into SentinelOne, cloud and security were kind of two of my things I loved and I wanted to extend that. So then over to SentinelOne where I again started in sales engineering and then worked my way up and now field CTO.

Michael van Rooyen: 2:07

So yeah, great great, so you’ve been at sentinel for four years now. Yes, great great, so a lot happened in the in the cyber space over that time, no doubt oh, massive, especially cloud right as cloud environments.

Wayne Phillips: 2:19

You put things in the cloud and then it was like security was something you bolted on afterwards. Especially with cloud native technologies like kubernetes and containers, it’s a hard concept for the old networking practitioners, security practitioners, to even understand, let alone secure. So that is such a virgining space and now people are adopting security in those cloud native platforms quite aggressively. So that’s a massive change in the last four years considering your role doing field CTO work.

Michael van Rooyen: 2:44

you know talking a lot of customers around tech, obviously, what SentinelOne’s doing, and having a lot of great discussions, and no doubt you’ve been through plenty of security strategies, cybersecurity strategies Could you start by outlining for me? You know kind of what a comprehensive cybersecurity strategy looks like for customers who kind of don’t understand what that is. It’s a hard one.

Wayne Phillips: 3:02

It depends on your maturity, right, but I always like to start with know what you have, know what it is and know whether it’s pratched. You know there’s a kind of like it doesn’t matter who you are, if you can get those three right, you, you get to a certain level. On top of that, comprehensive asset management, and not just for your devices and servers, but network devices ot, iot and and then data right. So people forget to do an asset of where their data is, where it’s stored, what kind of data, what classification it might have and what regulatory requirements. You have to wrap around that, like PCI or GDPR. If you have European data Access control and access management. Usually that’s something you have to wrap around everything.

Wayne Phillips: 3:40

Threat detection and response is kind of now in my realm, and then risk assessments and risk management. So what’s the risk to the business from a cyber perspective? So people in the tech sometimes forget that there’s a business underneath. So you need to make sure you understand the risks to the business for your technology. Endpoint security again another cornerstone of Sentinel-1. And then different things. It depends on how the business, whether it’s on-prem or whether it’s in the cloud, things like Zero Trust. So whether you want to have people roaming around and being able to access a lot of different services.

Wayne Phillips: 4:13

Zero Trust may be one of the architectures you want to apply, and it always makes me laugh when you hear of people touting that they invented Zero Trust. I know three people on LinkedIn say they invented Zero Trust and it’s like customers invented Zero Trust. It was an evolution, right. It didn’t just come out of someone’s brain, it just evolved out of oh, I actually want this thing to work in the field or at home. I want this to happen. Vendors just responded right. So customers invented Zero Trust. Of course. Of course, yeah. And now CNAP right. So Cloud Native Application Platform Protection Right. So cloud native application platform protection how do you secure things in the cloud?

Michael van Rooyen: 4:44

Are people claiming that, that they invented that as well, or not yet?

Michael van Rooyen: 4:48

I think Gartner can say that they invented the acronym but, I think again, customer requirements I want my cloud to be secure, of course of course Because of those workloads and no doubt we’ll touch on that a bit later on, but certainly where the workloads are gone and look from your experience working at SentinelOne you get to exposure to a lot of security threats and issues out there. We’ve seen lots of drive in how these attacks are becoming more sophisticated right In your experience. What are organisations still commonly failing to address to stop these threats proactively?

Wayne Phillips: 5:16

It’s the standard stuff. Unfortunately, it’s the common day. Business email compromise. Very well crafted emails, I mean. Generative AI and large language models now allow you to have properly grammar-corrected emails coming through. Right, and it now looks like the email from the ATO or from Tolls or whatever the source of it is, and I think it’s because we’re better at protecting our environments. Layered security good, edr, epp. So people are going right. I’m going to go after the human right. That’s still the weak point. So business email compromise is still there. And then, pivoting to identity-based attacks right, if you can get someone to put in their username and password into a fictitious site, you have the username and password. Then we’re in the realms of identity, threat detection and response as a response. But yeah, it’s mostly people are trying to attack the people. Social engineering-based attacks is what I’m seeing. I’m seeing all the other sophisticated attacks, but the low bot entry is getting people to do the work for you.

Michael van Rooyen: 6:09

Right. So that human aspect, social engineering, still being able to get humans to make the mistake, not by their fault, but just the way these are getting more and more crafted. I mean, I think I wake up every morning with a new apparently I’ve got a package waiting or coming that’s been misdelivered.

Wayne Phillips: 6:22

Yeah, and sometimes it can be the time of day right. They can just get you at a weak moment Like I remember a few years back now it’s been a while and it really spooked me at the time. But I got a text message. I work in Sydney in Australia and my CEO from the US pinged me overnight and I woke up and I was like I need to respond to this and it took me a couple of seconds to realise that it was fictitious and it was because my brain hadn’t quite woken up that I was like oh well, it may be that time where you click on the link when you just haven’t I don’t know, your kids are screaming or you need to do something around the house and you just for a second drop your guard and that can be all it takes.

Michael van Rooyen: 6:53

Yes, it’s interesting you say that. A similar scenario for me personally was we’d just been acquired into the Orrro Group and I’d had a text message as well from our then CEO. There was timing as well, because I’d obviously worked out we’d just been acquired and I’d get a text from our then CEO.

Michael van Rooyen: 7:07

I could easily have fallen for it, but the giveaway was it was a different number, so then I reached out to the CEO to say have you got another number that I’m not aware of, but they’re just getting smarter and smarter, right, and it’ll just continue to accelerate and that’s us practitioners no-transcript is great. You know just basic things that can really mitigate. You’ve been compromised. Right, because these compromises now across the border between private and work, right that private, personal things really blending quite tightly yeah and on those very sophisticated edge.

Wayne Phillips: 7:43

I have heard of one incident where there was, like I think it was, 18 people on a Zoom call and 17 of them were fake what? So? There was one person and so they’d taken the voice and the video people in the company Wow and they’d faked 17 people in a meeting and made that one person do something.

Michael van Rooyen: 8:00

So it’s like that’s the very I haven’t seen that one.

Wayne Phillips: 8:04

So it’s like that’s the very. I haven’t seen that one. Wow, yeah, that’s yeah. So it probably takes I don’t know 15, 20 seconds video of someone to then, you know, deep fake them, deep, fake them I wonder what we as a community in security are going to do around.

Michael van Rooyen: 8:13

Two-factor authentication is really making sure human is responding to it, and we’ve seen a lot of these captures to try and get you to prompt something. You know how are we going to eventually get around deep fakes like that?

Wayne Phillips: 8:21

you’re gonna have a safe word to come into Zoom today. Safe word is jelly beans.

Michael van Rooyen: 8:25

Correct, it’s like a key exchange like we do under the hood right. So it’s a good point which probably leads on to, for those listeners who don’t know, there’s lots of darkware, black market type services. You know ransomware as a service, as just an example. You know that has really changed the threat landscape. What challenges does this model present to businesses and how should security strategies be changed to adopt for that?

Wayne Phillips: 8:44

Timely. You should ask that because of the Revel Group. One of the guys, ukrainian National, got arrested this week. He did 13 years and it was the Revel Group, so ransomware evil and I remember being on site in North Sydney. It was a company that the incident responder they were using Sentinel-1 to clean up. So I was kind of sent in literally with a USB stick and an agent because the incident responder was from overseas, and they said, oh, can you go and help recover this company?

Wayne Phillips: 9:09

So turning up to like a ransomware event on a Monday, generally after a long weekend, is akin to walking into a funeral Like it’s just, it’s not something you want anyone to go through, it’s something that we really need to protect against. There’s no remorse. They do things like they will enumerate the devices and they’ll find out which ones are high powered and have admin tools and they will wipe those. There’s no recovery from those. So they’re trying to kill off the machines that can protect you. So they’ll go after the security people, the admins, the backup admins, that kind of thing, jump hosts, they’ll just nuke and then they use Active Directory to then deploy their tools. At the time they could turn off Windows Defender using group policy. So they just went into group policy, turned off Defender and it just turned off Defender and their whole environment. They deployed their tools and ransomed everything. So it’s horrible to witness.

Wayne Phillips: 9:58

But with people like Sentinel-1, now that company is protected and a lot of other security vendors have been out there and protected most companies. So the ransomware crews have now upped it. So if they can get in then they start doing data leakage. So rather than just asking for a ransom, they’re going to go all right, well, they probably got good backups. Then we’ll do expel of the data and then we’ll leak it on the dark web. And we’ve seen in the hospital breaches where they’ve started sharing patient data so that customers go all right, well, we don’t want that data leaked, or we don’t want patient data leaked, we’ll kind of pay. So it’s becoming worse, unfortunately.

Michael van Rooyen: 10:30

Yeah, yeah, and you touched on health care as a scenario, and they really are pushing to show the public and people that this can actually have a devastating effect, which is scary for people. What that leads me on to is you touched on an organization that went through a traumatic experience. Must be a sinking feeling when you know you’ve been done to this level. And let’s just touch on the explosion of operational technology IoT becoming increasingly targeted because of the lack of security. And I don’t mean that disrespectfully. What I mean is that the tools and systems themselves haven’t got the capability, like enterprise devices, to take an agent, etc. So, with that, how should organisations re-evaluate their risk in that space?

Wayne Phillips: 11:05

The devices themselves are changing. They’re OT devices but they’re turning into IoT devices. Generally they’re connected to some sort of cloud service. Yes, as these services are building out, then they need to re-evaluate the services they’re connecting to. So just doing a risk assessment and then leaving the risk assessment of the external service? Now you can’t do that. You have to reevaluate that continuously to make sure that the blast radius from an external supply chain compromise isn’t huge.

Wayne Phillips: 11:30

But then the device is connecting between themselves like a firewall, connectivity, isolation, micro segmentation, whatever you want to call it, trying to connect or isolate those machines. But visibility is key, right? So, knowing what devices you have and you know some techniques that we use deception. So thinking of things like okay, well, maybe putting lures in a network so that if an attacker is doing some reconnaissance, they might step on a fake device or a deceptive device and detonate something and then give you a clean signal that someone’s rummaging around but most of the time it’s an insider just thinking oh, what’s that sharepoint server over there or what’s that scarred device doing? But yeah, it’s definitely something that you continuously have to. You know, run a risk assessment over the normal EPP. Edr tools sometimes don’t run on OT.

Michael van Rooyen: 12:12

So you have to think outside the box a little bit yeah, sure, sure, in your opinion, from what you’ve seen in engaging customers, do you think, in time, or from what you’re seeing, that the OT problem is way larger than enterprise? You know problems that we’ve had in the past. I think enterprise has matured. But I’m keen on your opinion.

Wayne Phillips: 12:27

I can’t remember who said it now, but I think that almost everything is critical infrastructure these days. You know, there’s a lot of things that we just rely on Telcos, obviously, energy, you know, power, food they all rely on other services for them to function. So there’s a lot of subcontractors or subcompanies that you could really apply to this critical infrastructure. I guess the answer is, I don’t know, enterprise might be the biggest attack service or the big problem, but OT may also be an issue as well. But OT networks have traditionally been secured a bit more aggressively and have controls and are monitored more aggressively than the enterprise. So time will tell.

Michael van Rooyen: 13:01

I think there’s two paradigms there. There’s a lot of security physical and otherwise, as well as system security on real critical infrastructure power plants, and there’s a lot of conscious thinking there. I then think of the other end of the stick, which is environments where they’ve built new infrastructure. You’ve got a subcontractor to build a particular system, another integrator to build another part of the system as they built it. You know, I think those are the exposure points, because I went to others and there’s no standard and security was always an afterthought, considering some of these have been around for 20 plus years already. So I think that’s the attack surface really yeah, supply chain.

Wayne Phillips: 13:31

Again, it’s an s-bomb right you know, it’s software building materials. It’s something that happens in containers, something that happens in kubernetes, in applications. It happens in the modern stuff. But then you have to go back and have a look at the older stuff. Is it running compromised versions of OpenSSL or whatever? Because you probably haven’t looked at your OT equipment in a while.

Michael van Rooyen: 13:49

Just off the back of that with a lot of large shift in security challenges has been remote working, shift towards hybrid working. Not everyone’s returning to the office. Many organisations are supporting hybrid working three days in the office, two days home, just as an example. What strategies can?

Wayne Phillips: 14:07

organisations implement to secure distributed workforce.

Wayne Phillips: 14:08

I mentioned one earlier which is zero trust, and it’s good right If you can have assertion checks of the device or the human that’s coming in and make sure they stay within standard deviation of the norm.

Wayne Phillips: 14:18

So if that user is coming in and that user normally logs into the app at that time, that’s a very good way of determining whether that user is coming in and that user normally logs into the app at that time, that’s a very good way of determining whether that user is legitimate. Sometimes it’s very hard to determine whether it’s an attacker coming from a similar device using a standard, correct username and password. Generally the attackers want to go after something else or eventually they’re going to break that norm and do something out of the ordinary. So I guess, making sure that you keep that data, you log all of that security data to a data lake and then run correlation across that. So they’re logging in from an endpoint. I can see what the endpoint’s doing. What else is Okta or Azure or Google authentication? Are they coming in from the same place, correlating all of that data to make sure that they’re staying within the norms?

Michael van Rooyen: 14:57

Yeah, fair enough. Look, you touched on earlier extended detection response, or XDR as the industry knows it. As it’s become quickly a vital part of the cybersecurity puzzle, can you just take a sec and tell us about how Sentinel-1, the approach to XDR and how it helps organisations to improve the overall security?

Wayne Phillips: 15:15

I think it was maybe Palo Alto or I think it may be Gartner that came up with the term, but I think it was just driven by customer requests. There’s endpoint detection and response and we just want to extend that to the rest of the security portfolio. We want to see what the file was doing, what identity was doing at the time. So there are three main categories with Sentinel-1. So there are three main functions.

Wayne Phillips: 15:34

If you like Enrichment, so if you have an incident, it’s a way of just enriching that incident. So, for instance, if you’ve got a file-based detection on a device, then you can say okay, where have I seen that file? Did it come through my minecast or my proof point or my email gateway? Was it on a file server somewhere? Was it downloaded through a firewall or through a VPN? See if you can see where this artifact is in my network. And then, if there was a user involved, where’s that user logged in from? Are they logging in from normal places?

Wayne Phillips: 16:08

So enriching the incident to quickly give you an idea of the local information. And then you can ingest all of that data so you can threaten. What was that user doing two weeks ago, you know? Okay, well, this machine looks like it’s been compromised for a while. When did the initial access happen? And then automation? We talked about enrichment and then ingestion, but then automating, right. So okay, well, I can see this device coming in or this this incident happening. Maybe I’ll block something on a firewall or I’ll block something in the email gateway, so automating that response. So yeah, three main kind of components of XDR great.

Michael van Rooyen: 16:35

One of the common challenges that used to be with security solutions is, you know, the amount of ingestion of too many alerts, how central one. You know, kind of streamlined that signal toto-noise ratio, really making sure that security teams and responders are able to prioritise real events.

Wayne Phillips: 16:49

Centre One has got a really good signal-to-noise ratio in the EPP space. We’ve got a really good accurate true positive rate and then a low false positive rate. So if they don’t have that, people get blind to the incidents. One in 10 is going to be a true positive and the others are going to be a false positive.

Wayne Phillips: 17:06

So you’re basically training your SOC to not look for the true positives and go the other way. That’s hard when you take it into a data lake or a seam, because there’s much more data and seams are generally more false positive tolerant than the companies are. So we’ve tried to take that mantra of accurate true positives, low false positives to a data lake environment and we’ve managed to do that. But it’s very difficult to continue on that strain. But yes, things like static ai using behavioural ai. The downfall of static ai is the computer says no and then you’ve got to work out why you know. It’s like working out why a search result was on page two of google. Right, google doesn’t know, it’s the model, just said so. So then we have models that can unpack the malware and work out the threat indicator. So then it feeds back to the human.

Wayne Phillips: 17:49

Here’s the threat indicators. Do they look good to you? And one might be lsas, one might be process holding, and you go, oh, that’s, that doesn’t look good. So you’re informing the human so they can make a judgment on what level of true positive or false positive do they think. And then Gen AI, the new models that have come out recently can then give you that response. It can look at 20,000 lines in a data lake and come back and says you know, 19,842 are normal. Here’s five that look strange. So you’re pulling the needle out of a haystack Find needle. Find haystack, remove haystack. Yes, yes, so it’s those generative AI tools and then giving you the response back in your natural language is you know, is critical.

Michael van Rooyen: 18:26

Yeah, fair enough. Everyone’s talking about AI, machine learning. How does it play in the modern cybersecurity world? So you know, using that to evolve protection for organisations.

Wayne Phillips: 18:34

When we started on this journey, we used static AI back at the beginning, right? So since 2012, we’ve been using static AI models and then building on top of that with behavioural AI. Our EDR was incredibly accurate, which allowed us to do things like auto-remediation, right. So once you’ve got to a certain point, we can do rollback and remediation, which was cutting edge at the time. That’s a long time ago, right, and we’ve matured that over time. We’re now extending that to kind of the XDR stage, if you like. So kind of the XDR stage, if you like. So AI has been through all of our journeys so static AI, behavioural AI, now gen AI, and now we’re using things like retrieval augmented generation for gen AI, which is very cool mechanism where you can use knowledge bases to inform the model, so you don’t have to train the model continuously.

Michael van Rooyen: 19:16

Right, right, okay, great. So that’s always kind of been native right, which would lead on to, you know, automation playing vital role in on how you respond to threats for people listening. One of the key design methodologies that central one has taken from the start is really building on ai, using intelligence and machine learning to really help close that gap on security analysis and, obviously detecting threats in a lot better way but then also a feedback loop, because you can put in a system and I don’t have any incidents while your security is good yeah but I need to, especially in in the MSSP world.

Wayne Phillips: 19:44

Of course I should be saying something yeah, we need to feed that we’re doing a great job for the customer right. Well, one thing we do really well is we then will unwrap the verdict and give you a threat so the human understands what we determine to be malicious and then they can have grow confidence in the solution. So I think that’s something that’s been missing in the ai world is to try and feed back to the end user that they should have confidence. You know the computer said no. This is why the computer said no and we’re even taking the generative ai to a next step where we’re giving you a true positive and you know we’ll be saying, okay, well, the other 74 incidents of this type we’ve seen, 85% of them were also true positive. So reinforcing that this one looks bad, but the other ones we’ve seen have looked bad and they were triaged by other humans. So you’re kind of like you know using the hoard, if you like, or using the market, to then say, okay, well, we think that was bad.

Michael van Rooyen: 20:38

Yeah, that’s a good point, right? So what you’re saying there is, rather than just a nice green dashboard, you’ve got the context and data to prove why that is right. That is all there, but we’ve helped you unpack that, we’ve helped you mitigate it, giving you a score based on a number of variables.

Wayne Phillips: 20:49

Yeah, and historically we’ve had a good, accurate, true positive rate and we had a customer turnover from another competitor just out of the box. They just said look, we weren’t expecting there to be much difference in efficacy between the two, because the reasons they changed was other reasons than efficacy no-transcript, more time doing higher order tasks, and we didn’t expect that. So the false positive rate dropping actually gave them more time to speed up the deployment or do other things in the environment, which is nice to hear. Sometimes internally in a vendor you’re drinking from the Kool-Aid and it was nice to know that when the rubber met the road, the customer went. Well, our machines are running better and we’ve got more time to work internally.

Michael van Rooyen: 21:30

Yeah, great. And your touch on other vendors. How are you guys essentially really integrating with other vendors, knowing that obviously one vendor’s better or from an opinion of being better, but how do you integrate?

Wayne Phillips: 21:40

So we’ve taken kind of an open approach. So we have an open XDR platform, so we use REST API, which everyone uses these days, so we have the open cybersecurity schema framework for XDR ingest. I mean that has two benefits for the customer. An IP address is an IP address. The variables and the key value pairs are similar, so it doesn’t matter whether you’re bringing the data in from a 40-net checkpoint. You know Palo, you can write a query looking for an IP address of that source and you don’t have to cater for the vendor that’s coming in. You didn’t even have to know what vendor it is. And it also means it’s exportable. If you wanted to leave, then you could take that data and put it in an S3 bucket. It’d be a big bucket but you could take that data out and then bring that into another system. That was OCSF right. So those having open standards means you can tightly integrate. We have an easy marketplace.

Wayne Phillips: 22:24

So we actually have some customers in Melbourne that had a security feed and we were like this doesn’t look like a security feed. And they had a finance use case where if someone changed a password or changed the date of birth, that could be someone trying to swap the account to someone in the family, so that’s a security event for them. So they were taking business data like finance data and any date of birth changes or any password changes of a certain. They were classifying that and that actually went into their SOC and they built their own parser for that and they just rang up and said we’ve got 99% of it. How do I do this bit? And it was like hang on, you’ve got an OCSF parser for a finance system. That’s interesting.

Wayne Phillips: 23:02

It was amazing.

Michael van Rooyen: 23:06

You build it and people will use. You know weird, wonderful ways of using it. Well, that’s good to also see a bit of innovation right, interesting use case.

Wayne Phillips: 23:11

Also physical access to buildings. They’re bringing those in as incidents. They’re auditing people logging in and out of buildings. They’re bringing into a data lake Because you can correlate that, because it makes sense. Did the user go into the building, log into that machine and then do something? So if they can correlate a machine that’s on premise with an incident and you know that person didn’t actually come into the building, then it’s probably automated. Or a rat or something.

Michael van Rooyen: 23:35

Yeah, fair enough. I went to a presentation with somebody who was very much deep into the special service in the US. When they even look at some of the cases like Snowden they were talking very much about. If someone actually just had to look at the physical aspects of a contractor coming on the weekends to work, that was a bit of a giveaway. Just that basic physical aspect, which is what you touched on, especially to come in to work on SharePoint that’s that, which is what it was.

Michael van Rooyen: 24:00

That’s correct. Correct and interesting, though I’m keen on your thoughts. Communicating the cyber risks to c-suites can always be a challenge, right? What strategies have you found effective in translating that that to them?

Wayne Phillips: 24:12

I guess quantifying potential losses with risk. It’s very hard to give an idea to a business person without knowing what the risk found effective in translating that to them. I guess quantifying potential losses With risk. It’s very hard to give an idea to a business person without knowing what the risk is to the business. So quantifying the potential breach, present breach impact scenarios for that risk and, I guess, trying to invest in things like executive dashboards. So it’s a continuous conversation and they get the risk week after week.

Wayne Phillips: 24:30

So it’s not something that’s new to them, coming with a very complicated esoteric risk, you might have problems there, but if you come with your sort of standard business risks, then it’ll be easier to get that message across.

Michael van Rooyen: 24:42

Yeah, yeah, it’s interesting. We’ve seen at least I’ve seen a couple of incidents where a customer has used our services to get out of an incident and then, a year or two later, people who don’t understand the importance of it or the relevance of it are questioning why should we renew? We’ve not had the problem again. The problem went away. They’re not realizing it’s an ongoing war, effectively, right, yeah.

Wayne Phillips: 25:02

The other thing is to look at companies in your industry, adjacent industries, and go all right well, they got breached Working out the potential loss to your company. If something like that happened to you and sometimes there’s you know there’s legal ramifications that can happen, just part of them, that they do have an obligation to the shareholders, the company, and there are some legal implications. That also jolts the memory.

Michael van Rooyen: 25:22

Absolutely, absolutely. As we get close to completing our chat today, as a cybersecurity leader yourself, wayne, how do you stay ahead of, you know, the curve of rapidly evolving cybersecurity Kind of? How do you lead your team through these changes and challenges? I’m lucky.

Wayne Phillips: 25:36

So we have, between the rubber and the road, nice, nice.

Michael van Rooyen: 25:42

It’s not nice. Well, if you’re there, you’re going to get squashed right.

Wayne Phillips: 25:44

Yeah, there’s a lot of pressure down there. We get a lot of watchtower feeds. So we have a threat hunting and watchtower group. So I get access to a lot of very smart people group. So I get access to a lot of very smart people, bright boys and dark room groups. Getting data from them and seeing that feed in in our internal internal threads is scary but also informative. And then we’ve got signal labs. Uh, we do reverse you know malware reversing and then we publish a lot of that. So we kind of see that firsthand or anyone can look at signal labs blog and watchtower is for watchtower Pro customers and Vigilance customers. And then I’ve got my own network of people. Over the years I’ve got my Signal and my WhatsApp groups of people going. This will be launched on Monday.

Wayne Phillips: 26:23

The recent DNS VPN about a week’s notice, by the way, don’t tell anyone but, Build your network, be nice to people, be kind, because sometimes you’ll need them and cybersecurity. It’s a hard job and you know we’re all trying to do our best, even my competitors trying to do a good job for everyone, right? So try to be kind to people and and every now and again someone will come back and help you out. Things like showdown, virus, total, um. You know burp suite blogs as well. You know some of the open source stuff besides, and then some of the you know the publications like bleeping computer doc reading, risky biz podcast this podcast there we go there we go yes, yes, so there’s a lot of content out there, you’re right.

Michael van Rooyen: 27:00

And for those who are thinking about entering the industry to work on, it is a pretty small community, right, although we’re a very big industry for what we do deliver and secure. And would that advice be the same advice you’d give, you know, young professionals aspiring to to make an impact in cyber security? You know, just a lot, lot of reading, a lot of research.

Wayne Phillips: 27:15

I guess get your head in the right. It is in the defence of your nation kind of work. If you start it with that mindset, there are some remuneration to you know to happen over the time. Right, everyone likes to get paid. But if you do it to protect the nation and protect companies and do the right thing, then you walk in every day with your head held high. It’s hard, right. There’s a lot of hours, there’s a lot of dark nights where you’re trying to work out why your cube ADM, your cube kettle, doesn’t work. There’s some hard things to get through but there’s some definite benefit. And there’s lovely people in the industry with organisations like B-Side and community sessions.

Michael van Rooyen: 27:49

Yes, yes and look as a wrap up. One question I’d like to ask all people on the podcast is tell me about the most significant technology change or shift you’ve been involved in in your career and did it impact your perspective on cyber. It can be anything right. Think about your whole history in the career.

Wayne Phillips: 28:06

Just to be topical and probably accurate, it’s generative AI. The fact that you can have an almost sentient conversation with a computer is mind blowing, like it’s like space travel. It’s like hang on, you can get a rocket to there, but you know when? When the first rockets went up, there was analog like how, how did you work the maths out? How did that? You know that does? It’s like watching the premier league football. It’s like that’s not physically possible, but it’s just this, just like watching a circus. But generative ai, the fact that you can have an almost sentient conversation with the computer is just it’s mind-blowing. It’s just I still don’t, and I know quite a lot about it and I still don’t understand the maths. It’s just. It’s yeah, this is akin to fire, like for cyber security.

Michael van Rooyen: 28:45

That’s a good analogy. It is absolutely revolutionary and I don’t think we’ve seen the full impact of it as yet.

Wayne Phillips: 28:50

Right, and things like you know, retrieval augmented. You remember the matrix when neo, when they would just plug a, you know almost like a zip drive into a box, and then you downloaded all the information and I could drive a helicopter in a fly helicopter.

Michael van Rooyen: 29:02

Yeah, I remember that, yeah that was crazy.

Wayne Phillips: 29:04

So you know, retrieval, augmented generation, is that you give it a database and then it has that database to do with whatever it wants. So you can give it miter database, you can give it nist, you can give it threat intelligence and then you can go okay, well, give me all lol bins related to apc29 and it can look at a knowledge base to find out what all of the relevant lol bins are today. And then what, what is ap29 and what ises are related to that. So pulling all that information and then threat hunting, then pulling that data and do a statistical analysis of the data and saying, oh, we’re seeing a little bit of lull bins of APT29 on this machine. You know, and these three incidents you should look at it’s. You know, it’s magical.

Michael van Rooyen: 29:42

Yeah, Wayne, thanks for your time, thank you.

Subscribe to Securely Connected Everything

Other Podcasts

Season Four
Discover the riveting journey of Darren Hopkins, a distinguished partner at McGrath McNichol, who transitioned from the Queensland Police Service to the forefront of digital forensics and cybersecurity.
Season One
In this episode, Michael van Rooyen (MVR) engages in a deep dive conversation with Greg Yelas, the regional sales leader at Juniper, responsible for overseeing the go-to-market strategy for the MIST portfolio.
Season Two
Join the conversation with Daryl Isaac, the tech wizard behind Liquid IT, as he shares an intricate tapestry of tales from the IT frontline, tracing back to the dawn of desktop as a service in New Zealand.