Okay. Hi, everyone. I'm Mirela Ciobanu, Lead Editor with The Paypers, a global financial publication, and we are live at cyberevolution. I'm happy to speak with Sergej Epp, CISO at Sysdig, and we are going to delve into trends and developments in cyber security. Sergej, happy to have you here with us.
Thank you for the invitation. Thank you. Yeah.
And, yeah, it's an honor to speak with you because you have so many results and achievements. And I'm curious to know how you came to this. How did you become an expert in security? What attracted you to this?
So it's a very simple story. When I was a kid, going to school, I started to code a bit and developed a couple of software projects, and one of those software projects was a web server. This was a very simple one-click web server. When I published it, within two days somebody found a vulnerability in it, a directory traversal vulnerability, and that, you know, made me very angry, right? Because there was a first CVE assigned, and I started to spend more time trying to understand what it was all about. I was really sucked into security and would spend a lot of time doing it, and then I studied something completely different. But then I simply came back, because this topic just never went away. And I was more and more attracted by working in industry as well, trying to understand how you can really protect enterprises. What's really special about cyber security in general, I guess, is that whenever there's a new tech, blockchain, containers, cloud, as cyber security professionals we always have to be up to date. So this is currently one of the most dynamic industries out there. And that's what makes it so much fun, because you're always at the forefront of technological innovation.
And since you mentioned being up to date, yeah, what are the main threats? What could be the dark horses, the dark knights, for our flagship systems like finance, health care, education, in terms of cyber security?
Yeah. I think, you know, I would start this more from a business perspective. I wouldn't start from any technical threats, because the biggest threat, as it was already 10 or 20 years ago, is still not really understanding your own risks. That's number one. Number two is oversimplification of cyber security, because cyber security in general is very, very difficult to measure. So whenever we feel secure but don't really understand the risks and don't understand the effectiveness of certain security controls or programs, that's a trap, right? Because we can make so many different wrong choices in how to invest in cyber security, what to secure and what not to, that it can be a dark horse in the end, once a hacker or somebody knocks on the door. So I think what's really important is to understand what the biggest risks for your organization are and to try to simulate those risks. To understand, okay, what is going to happen if these risks materialize, right? And in the financial services industry, for instance, we've got red teaming exercises and cyber exercises even being enforced by regulators. I think this is a very good way to really understand how the hackers, the criminals, the nation-state attackers would try to get in, and based on that to derive the right security priorities for your program, the processes and also the controls. It's always a combination of both. Where can you mitigate with technical controls? Where can you mitigate with processes? But the most important decision, from my point of view, is to really have this understanding of when you need more security versus when you need more secure software and secure processes as well. So whenever you have a choice to modernize your tech stack, you go first for that part of the investment, rather than trying to add on more and more security.
So going back to the question about the risks, there are a lot of more or less tactical risks right now that we observe. But I think the biggest challenge is really how you understand whether a risk is currently present for you, whether a supply chain risk, which we currently see as one of the biggest issues happening right now, is potentially relevant for your organization or not. And other risks around open source, open source security, which also feeds into the supply chain, could be another problem. Ransomware is still a big, big challenge, because the groups who made a lot of money in the past years with ransomware are still out there and they're still being successful. So they're continuing with the same big playbook, right, they're continuing to earn money. And I think as long as we are not able to sustainably solve this problem and really find the threat actors behind it and put them in jail, this problem is going to persist for everybody. And they will always find new ways. But, yeah, I think in general the question is what's really important for your organization, for your specific organization, and, based on that, to refine the security programs and controls.
And before we go to, yeah, how we can address this, because you are going to speak about supply chains, and you mentioned supply chain risk and the risks of using open source solutions, maybe you can delve into this topic and present it in more detail?
Yeah, absolutely. I mean, I think.
Because, you know, sorry, for financial institutions this involves lots of transactions and payments. And for them it's a hot topic.
Yeah. Of course. And I think, you know, the entire financial services industry is built on trust, right? So we understand that if one entity fails, it could really impact the entire ecosystem. And that's why we have financial institutions as potentially the most important organizational type which has to be protected, because it has, first of all, an industry impact on other financial institutions, but then also a macroeconomic impact, because if one bank fails, it could be a very bad shock wave for the entire economy of a country, if not the world. So, yeah, supply chain is a big problem. And I think this was not so much in focus for cybercriminals and nation-state attackers in earlier years, but for the last, let's say, 2 or 3 years, we have seen a more systematic approach being driven very heavily by specific nation-state attackers. Considering that some of the big targets they had identified as victims were properly secured and had invested more in security, they found a good way to just sneak in through the supply chain, through some small providers, through some organizations, through open source, and get a foot in the door this way, because it was much easier for them to do that. And I think since then we have also started to see more and more criminal groups, like ransomware groups, applying the same type of approach. So instead of compromising, you know, ten companies, they would compromise a small MSSP, a small vendor, and then really try to use this as an initial access broker to compromise other companies, right? And then demand money from them for that. But I think this trend is going to continue. And I feel with cybercriminals it's sort of a bit under control, because it's typically very visible if certain breaches are happening, because the motivation is to earn money.
If you now bring this back to nation-state attackers, who are more focused on espionage and just staying silent in an organization, that's where it's becoming very dangerous, because we don't know what we don't know, right? And we simply need to assume that supply chains have been breached today; we just don't know about it. And I think that's where the focus for us, as I see it, is starting: what we call in cyber security an assume-breach mentality. So trying to understand what a hacker would do if they were now in the organization, on these assets or these identities, and trying to play through what the scenarios might be, because we all know there's no 100% security. So the biggest challenge is really to understand this attack vector, this blast radius of potential attacks, internally in the company, but also obviously trying to reflect this back to different suppliers, and not just direct suppliers, but the suppliers of suppliers. And that's where it was becoming very tricky and difficult, because you can still somehow control your suppliers by sending them questionnaires, by spending time with them, by doing audits, by trying to inspect their security controls. But then there are other suppliers of those suppliers, and we saw a lot of attacks where nation-state threat actors were motivated, for instance, to hack a cyber security vendor who is an identity provider, and then tried to hack, through this identity provider, other security companies who then have a lot of very, very critical government entities or other entities as customers. So it was like an attack from one supplier to another supplier to the real targets. And therefore I think there's just one conclusion to draw: we are all in the same boat, and we need to get more transparency, more clarity, on the risks, and on the other hand try to understand as well how we can decouple these risks.
Right. And that's also something perhaps we can talk about. But there's obviously this zero trust architecture, zero trust strategy.
But actually, I was about to ask, because we have scared our audience, you know, with everything bad that might happen, this, yeah, bad influence passing from provider to provider. So now we need to give them also something positive to look upon. You mentioned zero trust, blockchain, I don't know what technological solutions. And also I think that human expertise is important. So what panacea do we have for all you have presented?
Yeah, I mean, as I said, I think from a solution point of view it starts, first of all, with the business risk itself. So, if you just look specifically at the supply chain problem, trying to understand who your core suppliers are and what the impact on your organization could be if those suppliers get breached. That's step number one. And then the second step is to understand their risk. Very often security would start with the second step, trying to assess all the suppliers and just putting demands on them, "Hey, you have to be secure," instead of first understanding, from a risk-based point of view, which suppliers are really critical to me and which are potentially not so critical. So I think it's important to make this assessment, to understand that for potentially 99% of suppliers I don't even need to care, because it would be just a minor impact on my organization. But for these particular suppliers it's going to be really, really difficult, so I need to prepare. I need to either try to increase the security of the supplier, which is always very difficult, obviously, but then also try to understand how I can cope with a potential breach. And there are obviously very extreme solutions, to say, if the supplier is not fulfilling my security requirements, I could just say I'm going to contractually make them liable for these potential problems and then throw them out or just exchange them. This doesn't really work in practice, because cyber security professionals typically don't have this instrumentation. So the better way is just trying to understand how you build security around these critical suppliers, right? And I'll give you an example. If this is, for instance, I don't know, a specific application like SolarWinds, right, which is running in the organization, or TeamViewer, and it has certain access to your critical assets in the organization, and it's getting breached, it can spread laterally within the organization.
What you can do is to set guardrails around that, to ensure, first of all, that the assets, the workloads running this application, are secured with proper runtime security controls or proper XDR controls, to ensure that if this device is breached, we are sort of reducing trust in this device and implementing the security controls to still be able to cope with this. Then providing another guardrail on the network protection side, what we call segmentation, right, micro-segmentation around the specific asset or this group of assets, ensuring that the identities being used on these specific assets only have access to these assets and cannot be misused in any other part of the organization, which is also very often forgotten. And if you just look at big compromises, even at large tech companies, this is how the lateral movement happened, right? Identity is a big attack vector. So I think this is where we need to spend more time. Because if your supply chain security topic is very much focused on "hey, the suppliers now have to do all the security," that's not going to happen. That's not going to happen simply because a supplier always has multiple customer groups as well. So they need to drive a risk-based approach too: how much security do I need to do in order to be successful in the market? So I think what's more important is also to understand how you encapsulate, right, or what we call a zero trust strategy, again. Like how do we really decrease the trust in the supplier or in the installation of the supplier, so that if they get breached, the blast radius stays very small.
It seems a bit complex to have this concept of encapsulating things, but on the other hand, things need to communicate so well for things to work well, so that you have, I don't know, your bananas at the supermarket. And, yeah, we are at cyberevolution. What are your takeaways from the event so far?
I think it's great, you know, first of all to meet so many diverse security experts from several fields around cloud detection and response, identity management, CISOs from large banks, from industrial companies, startups. I think that's a very great conference to bring all this audience together in a very sizable manner and have great conversations and discussions. So I've enjoyed it so far. So thanks for having me here.
Great. Thank you so much for today's discussion. And we look forward to continuing.
Absolutely. Very happy to be here. Thank you.