Dmitri Alperovitch’s Vision for Cyber Defense
Published 06/24/2024
Originally published by Automox.
Episode Summary
In this episode of the CISO IT podcast, host Jason Kikta interviews Dmitri Alperovitch, author of the book 'World on the Brink' and chairman of Automox's board. They discuss the evolution of IT and cybersecurity over the past few decades, the importance of speed in cybersecurity, and the role of cloud technology in revolutionizing IT management. They also highlight the need for automation in patching and configuration management to keep up with the increasing number of vulnerabilities. Alperovitch emphasizes the importance of basic security practices and the challenges of dealing with third-party applications. The episode concludes with a discussion on Alperovitch's optimistic view on deterring China in the new Cold War.
Episode Transcript
Jason Kikta: Hello everyone and welcome back to another edition of the CISO IT podcast from Automox. Once again, my name is Jason Kikta and I'll be your host today. I'm currently the CISO at Automox as well as an adjunct lecturer at the John Hopkins SAIS Alperovitch Institute. And today we have a really special treat for you. Today, my guest is going to be Dmitri Alperovitch, author of the new book 'World on the Brink', as well as renowned cybersecurity expert, longtime member of the industry and chairman of Automox's board, so board of directors. So welcome, Dmitri, and let's get started.
Dmitri Alperovitch: Great to be with you, Jason.
Jason Kikta: All right, so Dmitri, why don't you, you know, if you would just introduce yourself briefly to our audience. I know a lot of them know, know who you are, but, but for the, some of our newer listeners or younger listeners, it would be really great for them to have a background. Yeah. The, the, the young kids, the young crowd, to have an appreciation of, of how you came up through the industry and, and, came forward to today.
Dmitri Alperovitch: The young kids.
Yeah, I spent over two decades in cybersecurity. Started out in the 90s. I launched a startup doing cryptography with my dad, actually when I was still in high school, then went to Georgia Tech, got my bachelor's and master's degree in what was then called Information Security, now called Cyber and joined a bunch of startups, ended up working at McAfee, which was at the time one of the largest cybersecurity companies in the world. And...
left McAfee in 2011 to launch CrowdStrike, which is now one of the biggest companies in cybersecurity and retired from CrowdStrike in 2020 after taking it public and now focusing a lot of my time on geopolitics, national security issues of China and Russia. I have a think tank called Silverado Policy Accelerator, and most recently, wrote a book which became a national bestseller, 'World on the Brink: How America Can Beat China in the Race for the 21st Century'.
Jason Kikta: Awesome. Well, thank you so much. I really appreciate you being here because I think it's great to get the perspective of someone who's been around for a while and has seen a really a dazzling array of things, a lot of variety over the years and how IT and cybersecurity have evolved over that time, not just because of technology, but because of a variety of forces, market forces.
You know, governments becoming more involved in the internet to include espionage and occasionally cyber effects. But just to start us off, could you talk through, you know, I think you went on a journey very similar to mine where, you know, in, in IT, you know, IT had this sort of growth path of really trying to get adoption and then adoption turned into efficiency and then security came into its own
and started putting a lot of pressure on IT to, you know, maybe move out of very slow, deliberate patching into, you know, faster cycles. And then, you know, we, we realized that, you know, there's actually a balance to be achieved. And I think a lot of where we are today is about trying to optimize those balances, but, but I'm curious for your perspective on how that's looked over the last couple of decades.
Dmitri Alperovitch: Yeah, you know, I've always been a believer in speed and you know, as a military guy, Jason, you'll appreciate this, I firmly believe in the OODA loop concept: Observe. Orient. Decide. Act. And whoever gets through that cycle the fastest is gonna win. And I think it's so true in cybersecurity. The whole point behind starting CrowdStrike was how do we accelerate in the security space that identification, the detection piece, the response piece for...
security personnel? At the end of a day, the way you beat the adversary is not by having the highest walls that they can never climb over, right? Someone is always going to build a ladder to climb over your wall. There's always going to be a zero-day vulnerability that hasn't been patched or there is no patch for or some other misconfiguration or just a user that's going to respond to a phishing email or
or a note that they're gonna get. But that doesn't mean that you're gonna fail, right? Because if you're able to get through that cycle fast enough to detect an adversary, to determine what to do about them, and then to operationalize that action, to evict them, to close the loopholes, to patch the vulnerability, whatever the case may be, that's how you're ultimately gonna win. And you have to do it day -in and day -out, right? So that speed is just absolutely vital, absolutely essential. I coined this concept,
many years ago now, of 1-10-60: The best organizations in my view can detect an intrusion within one minute, basically analyze and investigate within about 10 minutes, and respond to evict the adversary within one hour. And if you're that fast,
there is going to be very, very few adversaries that are going to be able to be faster than you and actually inflict damage on your company, whether it's steal your data or deploy ransomware and the like in that rapid time period. Because if you think about their perspective, they still have to do a lot of work beyond just getting in, right? They may find a vulnerability and they may find a way in, but then they still have to do reconnaissance, figure out where they are, elevate privileges, move laterally,
you know, get to the critical assets and then deploy destructive attacks or stage it for exfiltration. All of that takes a lot of time. So if you're faster than them, you're able to operationalize, particularly within the IT ecosystem, that response, because most of the time, it'll be the security team that identifies the breach, but it will be the IT team that's plugging it up, right? And responding, whether it's doing the password resets or deploying patches or the like.
Jason Kikta: Absolutely.
Dmitri Alperovitch: That's how you're going to win. And that's what attracted me to the cloud, is the ability through the cloud to revolutionize IT management, to be able to take actions rapidly through Worklets, right? Deploy quick Worklets to change your configuration, to deploy patch, to close the vulnerability or wherever the response may be and do it across the entire fleet of your systems or...
you know, target one particular system, that's a game changer to shrinking that time period of response. And that's what we've been missing. Detection, I think, has gotten really advanced in part because of the work that we did at CrowdStrike with EDR and others as well. But the response has been lagging. And I can tell you, I've been in so many situations over the years where we would detect an intrusion at a customer, we would notify them right away.
Jason Kikta: Right.
Dmitri Alperovitch: And then they would struggle for hours, sometimes even days to actually respond to it and kick an adversary out and then you lose, right? So coming back around and actually addressing that response and enabling the IT teams to rapidly and in a very targeted fashion, orchestrate those changes is so vital.
Jason Kikta: Exactly.
Yeah. And it really resonates with me because I, I've, again, I'm, I'm, I'm also along and been around long enough to, to remember when CrowdStrike came out and like seeing EDRs for the first time, listening to incident responders on security teams being worried, concerned, on uncertain that, you know, "Hey, is this thing going to replace us? Is that the intent here?" And like, no, that wasn't.
That wasn't what it was designed to do. It was meant as an augmentation to automate those things that computers are great at: speed, repetition, scale, precision. And it was that assistance that enabled incident response teams to move just so much faster, faster than they could have without it. And it was just absolutely critical. And I see, you know,
efforts to automate within the IT space as just as critical. And I think, you know, IT probably didn't get the same level of peak. Well, it did get a peak of investment, but I think the peaks were more focused around in the nineties, around the adoption phase, but it didn't see that sort of repeat, repeat investment post cybersecurity to the extent of
you know, bringing in those automation tools. And I think that's where a lot of IT teams struggle today is they sit there and they have some degree of automation. And, know, I was talking to a new customer the other day. They had, it was mind- blowing, 400,000 unpatched vulnerabilities on 1,700 systems. That is mind- blowing to me. Talk to another-
Dmitri Alperovitch: That's a ransomware attack just waiting to happen.
Jason Kikta: It is, it is. And they had a patching solution in place and a configuration solution in place that they thought was working for them, but was really only a very partial solution. And so what they came to realize is without really fulsome, thorough, detailed automation, that it was actually causing more of a gap. At least if they were doing
a lot more manual process, they would know there were gaps there. But in this case, they didn't even realize that they had those gaps. And that's so very dangerous.
Dmitri Alperovitch: Yeah, and I'll tell you this, from a technology perspective, there was one thing that was an absolute game changer for CrowdStrike, and that's the cloud, right? That's what enabled us at CrowdStrike to build rapid detection, to bring all this data back into the cloud, to process it, to analyze it.
Jason Kikta: Yes.
Dmitri Alperovitch: It's changing everything, right? Because now you can reach systems that are off the VPN. Someone may be traveling, someone may be working on vacation, but you still have connectivity to the internet, which means you have connectivity to the cloud, which means you can get an update on the state of the system, which means you can take an action on that system and push a patch to it, push a configuration change to it, push a Worklet to do something on that system that's important.
Right. And being able to gather all this data from your entire state instantly is just so huge. You're no longer scanning your systems periodically to try to figure out what is going on. You're getting all that in real time from, you know, an organization that is small as 50 people to an organization that is larger as, you know, 10,000 or 15,000 people or however, however many, right. From your servers, from your desktops, your laptop fleets, et cetera.
That is really, really powerful.
Jason Kikta: Absolutely. And I think it's easy for folks to forget or for new entrants, people who are newer to this field to have no knowledge of that, just how far we've come. I remember in my early days in Marine Corps IT where, you know, you take a scanner like Nessus and you would just, you know, once a month, let's scan the network and we're going to print out paper reports.
And see if, you know, this month was better than last month and okay, let's try to patch a little bit more. And there was no ability to, to action any of that. And so having something that can just sit there in real time and know, what the patch state of that system is, apply it based on your policies because you know, you, the humans remain in control.
But the computer is taking care of the implementation. Like that's just really, really critical. And it's, it's, you know, I think backwater is a great phrase to describe the level of investment that's been put. I mean, there's some really brilliant people in this space, but just the level of investment that has gotten relative to the rest of the tech spaces is just been out of whack. I think with its importance.
Dmitri Alperovitch: You know, Marc Andreessen had this line years ago that software is eating the world. Well, I think cloud is really eating software, right? And cloud's been revolutionizing everything from, you know, security to now IT. And it is just such a game changer in terms of both ease of management, ease of operation,
Jason Kikta: Mm -hmm.
Dmitri Alperovitch: reducing the number of people that you need to operate the software, not worrying about procuring hardware for it and dedicated personnel to manage it and finding data center space and all the rest of it. And it's long overdue for this space of endpoint management, IT management to be appended via the cloud.
Jason Kikta: Absolutely. It's a space that's ripe for innovation. And we try every day to bring more innovation to it because there's a lot to do here. And it's not like it's going to go away. I saw a report just yesterday actually that we hit a record number of CVEs last month, which is, you know, and that's a bit of a double edged sword. I think that, you know,
it's not necessarily indicative that software is being developed with more flaws. We have gotten much, much better at finding it. And we have learned as a discipline to be concerned with things that before that we smell that's theoretical or, well, there'd be no path to target to that. Well, turns out there is.
Dmitri Alperovitch: And that, by the way, is also with the recent problems that the NIST has been having with National Vulnerability Database, right, too.
Jason Kikta: Exactly, exactly. So, you know, 5,000 CVEs, I just looked it up here on the side 5,000 CVEs published in a month last month for the first time, an average of 164 CVEs per day. And that's nearly double what we saw in 2023. So, you know, if that doesn't convey the scope of the
the challenges that IT teams have to deal with to ensure that they are patched and up to date, I don't know what does. And again, you know, you need to be able to distinguish between, all right, I want to do my critical CVEs tonight, my highs this weekend, my mediums and lows at the end of the month. And those functional updates, which are still pound for pound, the majority of patches are functionality updates, you know, improvements, minor bug fixes. Those are fine, but
those don't need to go out every single day and disrupt your business's workflow. Those can be pushed off to once a quarter or whatever makes sense for your organization. But that being able to articulate that policy as a CISO or CIO, as that "secure-your-IT" leader, and then having tools that work with you to implement that, regardless of whether you're on-prem, connected to the VPN, not connected to the VPN, on vacation, or whatever, like that's...
really, really critical. And I'm excited that we're helping move the needle on that.
Dmitri Alperovitch: know, our good friend Rob Joyce, I remember he did this groundbreaking presentation when he was still head of TAO, the offensive unit within the NSA at USENIX, right. And then he said, you know, even if you've got someone like the NSA coming after you or another nation state, the basics are still so important, right? Patching, plugging up misconfigurations, dealing with spearfishing and user privileges and the like because
Jason Kikta: Okay. Right.
Dmitri Alperovitch: even a very advanced adversary will always take the easiest way in. Like no one is going to waste a zero day when you've got 15 known CVEs that are just, you know, up there, up there for the taking for an adversary, right? You're always going to take the path of least resistance. And by the way, if there is no path for least resistance, you might, you might actually ignore that target. Some targets will be important enough that no matter what, this is the mission you're going to take it, but not every target is like that, right? So there's going to be prioritization
that's gonna be based on that and you may allocate a certain time to a particular mission. If you can't do it, you're gonna move on to the next thing, right? And that's why it's so critical even if you're facing the most advanced adversaries to deal with these problems.
Jason Kikta: It, and I think that illustrates a view that I've had, and I'm wondering if this, this, you know, correlates with what you've seen as well that over time, as we've gotten better about patching, better about finding vulnerabilities and dealing with dealing with them, bug bounties, memory safe programming languages, it seems that targeted exploitation has become harder. It is.
It is not just a matter of point and shoot like it used to be 20 years ago, but, opportunistic exploitation that you see ransomware actors doing sometimes state actors that the opportunistic has gotten so much easier because, you know, people have gone from, you know, we had worms back in the day, to, to some extent, and we're not seeing that as much anymore, pretty rare now, but, you know, these mass exploitation events where,
you know, something gets posted to GitHub and we've gone from actors then scanning for it to learning how to leverage publicly available services to Shodan where most ransomware actors today appear to be running their own databases that they were perpetually updating, inventorying interesting bits of the internet so that when something comes along, they can just pull up that list in a moment, you know, test out the exploit and then
fire away and it seems like we've we've kind of pivoted into that space where it's that's
Dmitri Alperovitch: I would say what else has changed is that the targeting has moved beyond just the common applications and the common operating systems to really third -party apps, right? Because there's so much money in this, because these ransomware actors are making some of them, you know, at the top end scale, are making hundreds of millions of dollars. It's really remarkable, right? They have the time and the resources to put in to find the, you know, the move it file sharing program and the vulnerability in that
to leverage it to conduct a ransom operation against an enterprise or a range of enterprises. They're not just looking at Windows, they're not just looking at Mac or Office. It's really spreading way, way beyond that. And this is the challenge, I think, for a lot of companies is how do you deal with not just the automated updates and the Patch Tuesdays for Microsoft, but also like the huge scope of the third -party apps that your enterprise may be relying on
relying on and making sure that those are all up to date.
Jason Kikta: Absolutely. Well, Dmitri before we go, I want to first thank you for coming onto the show. Really appreciate you being here. It's been fantastic. And also I wanted to thank you for your book, your new book, 'World on the Brink,' because I think it's a fascinating look, not only at the possibility of what China may do in Taiwan, but
Dmitri Alperovitch: Great to be with you.
Jason Kikta: But I think what people will be surprised by a little bit is the optimistic tone that you strike in the book because you really do think that we have an opportunity to deter China here, correct?
Dmitri Alperovitch: Absolutely. And look, I encourage everyone to check out the book. You can get it off Amazon or your favorite bookstores, 'World on the Brink'. But it is, despite the title, a very optimistic book because it argues that we have all the advantages to win this new Cold War that I believe we're in with China. And we are the world's greatest economy. We have the world's most powerful military, the greatest alliance networks the world has ever seen, the technological innovation base that is unmatched.
And you know, the big question mark is really do we have the will to use all those resources to make sure that we win the next Cold War and the book is really that grand strategy of victory and defining also what the problem is and why it's so serious I believe we're in a path to really terrible conflict over Taiwan as soon as four years from now and we got to do everything in our power to deter it.
Jason Kikta: Wonderful. Well, thank you so much for being here today, Dmitri. And thank you again to all of our listeners. Stay safe out there, and we will see you next time.
Dmitri Alperovitch: Thanks for having me.
Takeaways
- Speed is crucial in cybersecurity, and organizations need to be able to detect, investigate, and respond to threats quickly.
- Cloud technology has revolutionized IT management by enabling rapid actions and real-time data gathering.
- Automation is essential in patching and configuration management to keep up with the increasing number of vulnerabilities.
- Basic security practices, such as patching, plugging misconfigurations, and addressing spearfishing, are still crucial in deterring adversaries.
- Dealing with third-party applications and ensuring they are up to date is a challenge for organizations.
- Dmitri Alperovitch's book 'World on the Brink' offers an optimistic perspective on deterring China in the new Cold War.
Related Resources
Related Articles:
The Evolution of DevSecOps with AI
Published: 11/22/2024
How Cloud-Native Architectures Reshape Security: SOC2 and Secrets Management
Published: 11/22/2024
A Vulnerability Management Crisis: The Issues with CVE
Published: 11/21/2024
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024