January 31, 2024

00:36:22

Episode 239 Deep Dive: James Campbell | Cloud Security Complexity and the Role of Automation in Digital Forensics

KBKAST

Show Notes

In this episode, we are joined by James Campbell (CEO and Co-Founder of Cado Security) as we explore modern digital forensics and the complexity of the cloud. We discuss the transition from on-premise to cloud operations, the unique risks associated with ephemeral cloud infrastructure, and the growing need for automation in digital forensics to streamline routine tasks and enable security professionals to focus on advanced problem-solving. Join us as we unravel the intricacies of cloud security, automation in digital forensics, and the continuous learning and adaptation necessary to stay ahead in a rapidly evolving industry.

With over 15 years' experience helping global organisations tackle sophisticated cyber espionage and criminal campaigns, James has a deep passion for cyber incident response, forensics and cyber crisis management. Prior to founding Cado Security, Campbell served as a Director at PwC, building the Cyber Incident Response service. Campbell's background also includes a career in intelligence, previously leading Australia's National Incident Response capability as the Assistant Director of Operations at the Australian Signals Directorate. James is an active thought leader, having spoken at various conferences including Black Hat, Cloudsec, Crestcon, and the Forensics Europe Expo.


Episode Transcript

[00:00:00] Speaker A: If I could automate that step, make that easy, that analyst could be looking at the data instead of spending time trying to find out where it is, how to collect it, how to process it. They could just be looking at it. They could be working out what the hacker is doing and providing that value back to the customer, rather than spending all that time on what are relatively mundane tasks. And so this is what we want to automate. There are so many routine tasks around doing data capture and processing from a forensics perspective that if we automate that, then people are going to be spending more time on the doing and actually getting the value out of why they do forensics in the first place.

[00:00:40] Speaker B: This is KBKAST, as a primary target.

[00:00:44] Speaker A: For ransomware campaigns, security and testing, and.

[00:00:47] Speaker B: Performance, risk and compliance.

[00:00:49] Speaker A: We can actually automate that, take that data and use it.

[00:00:54] Speaker B: Joining me today is James Campbell, CEO and co-founder from Cado Security. And today we're discussing modern digital forensics. So, James, thanks for joining and welcome.

[00:01:04] Speaker A: Yeah, thanks for having me. I appreciate it.

[00:01:05] Speaker B: So I want to start with your version of modern digital forensics. So what does this mean to you, James?

[00:01:10] Speaker A: To me, it's about making it more accessible and easier for people to do their job. So when I say do their job, I mean, let's say if you have a detection or there's something suspicious going on on your network, you should be able to go and investigate what's going on to the depths that you need in relatively short order and work out what's going on and whether or not it's something you need to get on top of pretty quickly. And that's what I would call modern forensics. Legacy forensics, I'd call kind of.
It would take you a few days to kind of get to that answer, either through calling in some extra expertise, trying to roll out some tooling, or just trying to get the data you need. Usually it takes a good couple of days when it comes to forensics. And so when I think modern forensics, it's about speeding that up and also making it more accessible to the more general security audience.

[00:02:01] Speaker B: So when you look at the industry generally, would you say more people lean toward modern forensics or more legacy forensics?

[00:02:08] Speaker A: I'd say a good portion is actually thinking about the legacy side of things, although that's shifting. And what do I mean by that? So the reason why it's more on that legacy end is because a lot of the training and education in the industry in that space is still kind of training people up in the world of forensics in the kind of older, legacy way of doing things. And in all honesty, even when I started as a grad, 16, even 17 odd years ago, doing forensics, some of the tooling I was using then is still being used today and hasn't actually updated that much. And so part of that is just part of that education system, but it is updating, particularly with a lot of people moving to cloud and there's kind of new cloud technologies, AI, et cetera. There's a lot of people thinking about modernizing this space. And it certainly helps when you start with the education piece and kind of updating the curriculum and the tooling and the way of doing things.

[00:03:04] Speaker B: So you said 16, 17 years ago, the same type of tooling is still being used today. Why do you think people are using the same tooling? Because, I mean, we're in cybersecurity, we're in technology. Sometimes tools become very passé very quickly. So I'm definitely surprised by that. Well, sometimes I am surprised by that. Then other times I'm like, I'm not so surprised about that. But what are your thoughts?
[00:03:24] Speaker A: Yeah, so I think the one interesting thing is, and to reflect on another part of the security industry, if you have a look at the detection space. Right, so kind of 16 odd years ago, I used to work for the Australian Signals Directorate. And when we used to go out and talk to government agencies or even industry, we'd be saying, hey, what AV do you use? Like, what antivirus do you use? But if you did that today, you wouldn't ask the question, would you? You'd be saying, what XDR do you use? Or what EDR do you use? You'd just assume they already have some form of protection. But while that kind of industry has really kind of modernized and changed pace quite a fair bit, when it comes to the kind of post-detection, so kind of like the investigation element, after you've had that detection with your EDR or XDR, now people don't tend to have an answer to what's next. And that's because the legacy space of forensics is kind of slow and it's hard and it requires quite a lot of skill set. And so it's only traditionally been handled by a small few. Albeit that group has been growing and growing and it's a great community, but it's hard to kind of dive deep. And I think part of that is, you know, kind of sticking with what you know. And certainly myself, even a few years ago before I started Cado, I was still using tooling which I started my career in. And it was because it's what I knew and it's how I was taught. And again, I think it's through that education piece and kind of new modern tooling coming out that we can kind of shake up the industry here and make it a little bit more accessible. And so that's kind of what we're here for and what we're all about.

[00:04:59] Speaker B: So you said before, James, you said it's slow and it's hard. What about it makes it slow and hard from your point of view?

[00:05:05] Speaker A: Yeah, so I think, in the first instance, it's about understanding what data you need to capture.
And usually that alone, just trying to work out where the data is, getting access to the data you need. When I say data, I mean you might need a whole hard drive. You might need to work out where that server is and where it's plugged into, who has access to it, and how do I get access to it. And then I need to make a clone of that whole server before I can start doing my investigation. And now that's quite a big uplift. You have to go find the right people, you have to go work out where this system is, you have to work out the right permissions, and then finally you've got access to the data, and then you've got to go ahead and make a copy of all this. And then I can start my investigation. And so that kind of legwork to just start looking in deep at the data usually takes a good couple of days to do. But by then the hackers have probably thoroughly moved on and are doing other things. But this is kind of why a lot of people have kind of just swayed to the detection space, so kind of the EDR and the XDR space, and just kind of relying on that for investigations, because it is faster. Although the in-depth forensic view of the world helps you respond from a much better position, because you're much better educated about what's going on, what the hacker is taking, what the risks are to your organization, and how do I solve that? The effort to get there is quite high, and so usually it's out of reach for many, and people want to move quickly. What's sad is that I see a lot of organizations out there who are compromised. They just don't dig deep enough and they'll just go and wipe the machine. They won't investigate, because forensics is hard and it takes days, and they just want to go and wipe the box and move on to the next day.
And so there's been a real kind of battle in the industry, so to say, where a lot of kind of incident responders and forensics people need to kind of try and convince people that actually, you know what, spending the time on forensics and diving in deep and doing it properly is going to be worth your while at the end of the day.

[00:07:05] Speaker B: Well, isn't that what forensics is, diving in deep? So why would people be hesitant to dig deep and explore a bit more and investigate a bit more? Why would people go, okay, we'll just wipe it clean and move on? Where do you think that comes from? Does that come from executives saying, okay, we're going to move on now, you're spending too much time? Where does that mindset come from?

[00:07:24] Speaker A: Yeah, a lot of it does come down to the costs. I think a good example would be, I did a job once in Europe where it was an Iranian APT threat group that had compromised an organization, and we had to go and collect 80 different systems. Now, it took us over a month to do. And so while that was the right thing to do, taking a month to do that just to collect the data, not even analyzing and processing it, right, that's a long time for a hacker to be running around and for you not to be doing something about it. And so naturally, there's got to be a nice balance between getting enough information or enough knowledge and then starting to actually kick the hackers off your network. And so you really kind of got to work on that balance. Unfortunately, when it comes to regulation and legal stuff, well, fortunately or unfortunately, depending on which side of the fence you're on, you do kind of have to do that full investigation, because you do have to understand what the risk is, what data was taken, are there other backdoors we don't know about, et cetera. And quite often a forensic investigation reveals that. But I guess what we need to do is start closing the gap. Like, it shouldn't be taking us a month.
It should be taking us hours, or days at worst case scenario, to get that data and to start actually providing some meaningful information back. And this is why the industry itself just needs to modernize and it needs to play catch up and make this an everyday thing, not an every now and then thing when we have the time.

[00:08:47] Speaker B: Okay, so let's talk about automation then. I mean, it's probably in line with what you said before, that this space is slow and it's hard. So obviously automation is going to increase the velocity and the speed when it comes to digital forensics and digging a bit deeper, et cetera. So talk to me a little bit more about your view then on this front, considering everything we've already spoken about around things being arduous and a little bit monotonous and a bit slower.

[00:09:14] Speaker A: Yeah, look, I think a big part about making security tooling more accessible has largely been around automation and kind of letting technology do a lot of the heavy lifting. So an analyst or someone who works in security can focus on the important bits, or use technology to kind of bubble risk to the top so they can see it and it's obvious to them and they can do something about it sooner. And I guess particularly in the forensics game, automation is really key to helping us speed things up. Going back to that 80 system example, in the way that we automate it now and the way we're trying to modernize it, that one month example of just that data collection process, we can do it within an hour. Now, that is a significant difference when you are responding to an incident. And so really that's going to be game changing for us. And that automation is going to cover, from a data capture perspective, processing that data, kind of doing all the kind of fun things you need to do with that data. That's all going to happen within moments, compared to having to manually do things in a very hodgepodge kind of way.
And that's going to enable an analyst or a forensics expert to actually go and focus on what really matters. Like, what is that hacker doing, or focusing on more advanced forensic or deep diving kind of techniques. Because I tell you what, if you've got someone who says, hey, it's been a month, what have you got? And you don't have a lot, it's going to be really hard to convince them to spend another month doing some form of investigation. So if we can kind of speed up that data collection and the processing and all the kind of routine tasks, which definitely come with the world of forensics, then analysts can kind of focus more on the doing, kind of chasing the bad guys, and also learning more as well, and spending time on the more advanced problems.

[00:11:06] Speaker B: Okay, so there's a couple of things in there I want to ask you a few more questions on. So you said before, hodgepodge. What is that technical term?

[00:11:15] Speaker A: Whenever someone does a forensic investigation out in the kind of incident response world, usually it involves one or two different types of tools to collect data. It usually involves three or four different types of tools to process the data. Half the time, the tools you use to process that data will fail, as in, they're either the kind of open source solutions which are a bit flaky, or just not very well supported commercial solutions even. And then by the time that's all done, what tends to happen is they end up putting what we call a master timeline, or a super timeline, of all the key events or things that happened on a system or systems in a spreadsheet. Believe it or not, that's what it ends up in. Normally it ends up in a spreadsheet as a timeline of events that have happened, and then someone turns that into a sexy report for a customer. And so that's not ideal. And that's a very kind of, using five, six, seven different tools to kind of get the job done.
And then at the end of the day, you're creating a timeline in a spreadsheet. And that just doesn't feel right to me, again, which is why we kind of got to modernize this space. But also from a skills perspective, if you've got someone who is just starting out in the space, for them to have to deal with five or six different tool sets, and five or six different tool sets which aren't documented very well, or are very flaky, especially flaky tools during a crisis situation, it's a very high bar to expect someone just starting out in industry to be able to get full use out of an investigation. And this is why you normally need kind of someone senior to tag along every time.

[00:12:54] Speaker B: Okay, so let's go back just a step for a moment. When you said before, automating routine tasks. Now, when AI came, well, AI was already out, but let's say it became more ubiquitous in the last twelve months or so. People seemed to get afraid and felt scared around routine tasks being automated. What's then your view when you apply an automation lens to routine tasks within digital forensics? Are you still seeing the same pushback, and people don't like change and all of that? I've been doing this for 40 years and I like the way I do my job. Are people a little bit more receptive to that, or are you still finding that people are apprehensive when it comes to the automation side of things, given everything that's been going on?

[00:13:36] Speaker A: I'll answer that with an actual example. Say one time we were helping a customer with a forensic investigation. I had this photo of an analyst sleeping on the floor next to a server in the server room, waiting for the data capture to be complete onto another hard drive. Now, this is a normal scene for this space, because unfortunately it just takes a while.
And if you're physically doing it, you kind of got to be there and you got to maintain kind of forensic integrity and keep an eye on data, create log files, et cetera. And there's a big process to that. And you know what? If I could automate that step, make that easy, that analyst could be looking at the data instead of spending time trying to find out where it is, how to collect it, how to process it. They could just be looking at it. They could be working out what the hacker is doing and providing that value back to the customer rather than spending all that time on what are relatively mundane tasks. And so this is what we want to automate. So I don't think we'll get, we'll certainly make it easier to kind of bubble up risk to the top. So through detections and all this sort of stuff, and raising things to an analyst to empower them. But first and foremost, there are so many routine tasks around doing data capture and processing from a forensics perspective that if we automate that, then people are going to be spending more time on the doing and actually getting the value out of why they do forensics in the first place.

[00:15:05] Speaker B: Yeah, I totally hear what you're saying. So just a quick question. How long was that person asleep for?

[00:15:09] Speaker A: No comment. It was at least a few hours.

[00:15:13] Speaker B: Oh my gosh.

[00:15:14] Speaker A: I think they were in the server room for about 8 hours at least.

[00:15:17] Speaker B: Oh my.

[00:15:18] Speaker A: Yeah.

[00:15:19] Speaker B: So going back then, on the value side of things, I do agree. You made a comment before saying management or executives say, okay, well, you've been doing this for a month. What have you got? But look, I do understand the question, because sometimes people asking the question may not understand it to the fidelity that's required, because it is a very specialized area, et cetera. But a month, like, these things can take a while to really get to the root cause of it.
So would you say that's sort of a naive question to ask? Perhaps, like, a month? It's not like it's a year.

[00:15:49] Speaker A: Yeah, I think for someone like me, I get why I need to do it for a month. And it's really important that you kind of find a way which helps the customer understand why it takes that long and what's the value they're going to get from that. Because you're talking about people who are in a crisis situation that they have never faced before, right? They're being hacked. Most of the customers don't know about hackers and how they work and what the deal is in the first place. And so they're in this situation where they feel like months have passed but nothing is happening, whereas obviously a lot is happening, right? We're out collecting data, processing it. We're doing all the bits and pieces we can do, but to them, it feels like not a lot's happening. And so it is about a bit of communication, a bit of education to the customer, to make them understand why. And you know what? Sometimes you do need to spend a little bit of time and do it properly. It certainly makes a big difference. A good example, just recently actually, not too long ago, was a customer with a ransomware situation, and basically they had an EDR in place, but an EDR sensor is only really great for detection, not necessarily a deep dive investigation. And the consulting firm used the EDR and said, hey, you've been compromised for two weeks. And they're like, cool, let's roll back two weeks. Then we did a forensic investigation off the back of that; they said, hey, can you just kick the tires, do some quick forensics? And we did the forensic investigation there. And it's like, hey, actually, you know what? You've been compromised for nine months, not two weeks. And in fact, you got re-ransomwared through the first vector in the first place.
And it was because you didn't clean up the first compromise well enough, and they just resold the access to someone else and they got re-ransomwared. And so if it wasn't for that kind of deep dive, right, as you say, they wouldn't have noticed that actually the backdoor would still have remained even if they cleaned up from two weeks ago. And then they would have probably got re-ransomwared. And I don't think there are too many organizations that would last three ransomware events in a row, that's for sure. But it does provide the value, and there's definitely a lot of education out there. But what we need to do is try to provide that value sooner and quicker and start getting some of those answers immediately, within hours, not necessarily days.

[00:18:07] Speaker B: Weeks or months, you say. And I'll read it out: automation is essential for incident response. On the topic of ephemeral infrastructure, its transient nature may have afforded it a free pass on forensic examination in the past, but that window is closing rapidly. So what do you mean by this statement, James?

[00:18:29] Speaker A: Yeah, so this one particularly resonates with the adoption of cloud. So one of the reasons why we created Cado in the first place is because we had a lot of customers moving to cloud. And whenever it came to doing a forensic investigation in cloud, it was hard. It was actually a bit of a grind, particularly trying to use legacy tools in quite a modern environment. It just doesn't work. It's a square peg in a round hole. And this is why we kind of created Cado. But one of the even more interesting things, which is definitely happening today, is that a lot of people are embracing cloud in the way it should be used. And that's using ephemeral infrastructure. So that's kind of container technologies, so like microservices, it's like Lambda functions, or they're using auto scaling groups, so they're kind of growing and shrinking their computing resources. Right.
Which is absolutely sensible to do. That's how you should be using cloud. That's also how you save money as well: you only use the resources that you need. But what happens if you have a detection on a container that only lasts 15 minutes? What do you do then? How do you investigate that? By the time someone actually goes to investigate, one, they have to work out how the hell you investigate a container in the first place, which is a complicated thing. And two, if it's 15 minutes, chances are the data is gone. And so this is where there's a big risk right now, where a lot of companies out there are using ephemeral infrastructure or auto scaling infrastructure, particularly in cloud, and they're having loads of detections, but no way to investigate what's actually happened, or even to validate if it was an FP. And so this is something that automation is essential for. So as an example, if you have a detection in a container, and you know it only lasts 15 minutes, you should have some automation baked in around that to make sure you go and grab the data once the detection has happened, before that container spins down and you lose it for good. Then you can retrospectively go back and work out, right, was this something we care about? How do we stop it in the future?

[00:20:23] Speaker B: So then would you say, based on what you're saying, which makes sense, this is something that people just aren't thinking about? Perhaps because 15 minutes, it's not like 15 hours, and then it's 15 minutes. If they're spinning this stuff up and down all the time, that's a lot of stuff to be across and to think about.

[00:20:39] Speaker A: Absolutely. Yeah, it is. And I don't think a lot of people truly understand cloud yet. I think certainly some of the organizations we're dealing with now are starting to reach out, and they're reaching that level of maturity and starting to understand the different risks that cloud brings to the table.
I think a lot of people have lifted and shifted from on-premise to cloud, but without realizing that cloud operates differently; it doesn't operate at the same level that on-premise does. But the market is slowly maturing, and it is happening in the kind of more highly regulated industries first. So, like your financial sector kind of industries, they're starting to get on top of it, which is great to see. The tech industry as well is relatively mature there. But beyond that, there's quite a lot there where I'll talk to a CISO and I'll say, hey, cool, you've got the latest and greatest detection technology, and it says there's a suspicious IP address communicating from your containers running in, like, wherever. What's next? How do you verify what's going on there? And to be honest, most people can't answer that question. And so this is kind of a scary part about cloud and people's understanding of how ephemeral infrastructure works and the new risks it brings to the table. So they're great, great technologies out there, but they do bring new risks to the table, and attackers are taking advantage of that. Because if an attacker knows the container is going to go in 15 minutes, then that's like someone doing anti-forensics for you, right? Like, they can go in there, steal the data, or steal credentials, and then the container is gone and there's no trace. This is a haven for hackers at the end of the day, and we definitely see hackers taking advantage of that.

[00:22:19] Speaker B: So then what happens now? So for people that, as you said, have ephemeral infrastructure, 15 minutes, containers, someone steals the data, then there's no way of doing the deep dive and having a look, because it doesn't exist. So what happens then?

[00:22:31] Speaker A: Nothing, unless you've got automation in place. So this is the scary part.
There's one hacker group that we track called TeamTNT, and they actually publicly have a website where they list how many systems they've compromised in the cloud at any one time. And it's been a long time since I've looked, but last time I looked, there were over 20,000 active systems compromised, primarily containers running in cloud, at any one time. We run honeypotting infrastructure. We did one at RSA Conference this year, just to prove a point, to show you just one system, so one container running one service that was vulnerable, and how often it would get compromised. And we ran a competition; I think it was 140 something times during the time of the conference. But basically it worked out to be every 15 minutes the one container got compromised. That's how quick it happens in the cloud if you have an open service, a misconfigured service, or a vulnerable service, and it's happening all the time. And so most organizations just don't even know they're compromised or have been compromised. There's so much yet to be uncovered, and it's only now people are starting to look or starting to realize this a little bit. We're starting to see more and more and more issues where attackers are taking advantage of this, such as stealing credentials, which gives them wider access to the cloud environment, getting access to databases that the containers have access to, just a few things to name there.

[00:23:56] Speaker B: Okay, this is really interesting, and this has caught my attention a bit more. So I was out with AWS the other day. They had a big media thing on, and obviously they work for AWS, so it's easy for these guys to say, well, of course we understand. I'm like, well, much to your point, James, I still don't think a lot of people understand it at all. And my 200th episode was around security of the cloud and then security within the cloud.
So security of the cloud is obviously what cloud providers do, and then security within the cloud is what each customer then does. So back to your point around the 15 minutes, whose obligation should that be? Because if you look at the cloud providers, they're enabling these containers every 15 minutes. Let's just go with that as an example. Now, technically it should be the customer, but are cloud providers saying, hey, have you thought about this? Is that a conversation that is entering into the equation? Because again, a lot of customers are not cloud experts, so maybe they are overlooking these things that you're touching on. So where does the responsibility start and stop? And are cloud providers telling people about the problems that you've just listed out here?

[00:25:00] Speaker A: I think it's certainly a combination of the two. Definitely there are a lot of customers out there that don't truly understand the shared responsibility model. So where does the responsibility of the cloud provider stop, and then where does it kick in for them? Right? And I think there are a lot of misconceptions where people are like, cool, I'm running in the cloud now, I'm safe and secure, someone else has got my back. And it's not the case. The cloud provider's responsibility is literally just basically to keep the underlying infrastructure secure. And they do go a little bit above and beyond on the odd occasion. They'll send you a notification if something's been compromised and stuff. And so there is some element there, but again, it's not really their responsibility when you dig into it. I think to your point, certainly in the earlier days there wasn't a lot of documentation, or there wasn't a lot of knowledge in the security space around cloud and the risks that it brings. And so there was definitely a big gap there, and I think that's gotten a lot better.
But it tends to have been a little bit from the cloud companies trying to create a bit of awareness, which is great, but it's also from the community itself. So the community itself is, as I'm sure you know, the security community is awesome when it comes to sharing knowledge and leaning on each other. And certainly we're seeing more of that now, where people are talking about their experiences with risk in the cloud and the kind of threats that people are facing. And I think that's really helping with the awareness piece and getting your head around it. But it is still immensely complicated. And this is kind of going back to that automation point, right? If we can automate some of the complexity out of cloud, then people can do their day job. Just to give you one example, I had one guy come to me, he's an awesome guy by the way. He works in the US for a big company. And he came to me and said, James, look, I've been doing cybersecurity for 20 years. I know how to pull a disk out of a server. I know how to look at NetWitness logs or whatever it might be. And he goes, but how the frick does a Kubernetes container work in AWS? How do I even access and investigate that? How do I do that? There's not a lot of information out there around it. And he's like, I just want to look at system X. I want to be able to click a button and look at system X. I don't really care what type of technology it is. That system has something suspicious going on on it. It's a Linux based system. I just want to look at it. And that's true. They should just focus on, hey, something weird is going on with this system. Give me the logs or the system itself and I'll look at it and work out what the risk is. I shouldn't have to be fussing about whether it's this type of container, that type of container, a Lambda function, an EC2 in this data region, an Azure VM in this data region under this subscription number 5622. That's just really complicating things.
And so now you have a security industry which now also has to become cloud experts as well. And that is a really tall ask of the industry, I think. And automation is going to be a big part of solving that kind of problem.

[00:28:07] Speaker B: Yeah, great point. And totally, that's understandable. A lot of people have come to me and said, look, I kind of still don't get this whole cloud thing. People have been in the space for a very long time. So you talked about on-prem and then a little bit about cloud. Would you say that doing digital forensics when it comes to cloud is significantly harder, more complex than on-prem?

[00:28:25] Speaker A: Yeah, I'd certainly say it is more complex. And the reason why I say that is because, and not to pick on AWS, just to use it as an example, but I think they have like 300-odd services alone. From a technology perspective, it probably is even more than that. And that's a lot of different ways of doing things. And on top of that, it is so like, as an example, you might have say a development environment for a customer. And all the developers, of course, they've got privileges because it's a developer environment, right? They get to play with whatever they like. And you know what? At a click of the button, they can spin up any type of system. It could even be like a high performance computing system or a different type of database technology or serverless kind of technologies. And they can plug things in, they can spin them up, spin them down, they can do all these sorts of things. There's hundreds of different services, right? And they can do that at a click of a button. Doing that on-prem is a lot harder to do. Like you have to go and physically install a firewall, you have to go and make a router change. They have to do a whole bunch of things which kind of made it harder to make these changes, right?
Whereas cloud has kind of completely blown that out of the water. Now you've got an army of people who can turn things on and off. Hell, there's a checkbox right in AWS for S3 buckets, right? Enable your S3 bucket to be public. You can't do that with on-prem. You can't just go, hey, my data on my laptop is now public. You have a gateway normally that prevents that from happening, and it's a lot harder to make that come to fruition. And so I think cloud just does make it a lot more complex, makes things happen significantly faster as well. So I think with on-premise, you have a little bit more control over what's going on.

[00:30:13] Speaker B: So where do you think we go from here now as an industry? Like even back to your example that we did sort of press on a lot, the 15 minutes container that could appear every 15 minutes, that's a lot, right? It's a lot for people, and that's only one aspect of cybersecurity. And like you said before, now people have got to be cloud experts and understand more about that. So what do you sort of envision then happening as we move forward, and back to that cybercriminal game that you mentioned before? That's a lot. That's only going to increase. So what happens now?

[00:30:41] Speaker A: Well, I don't think we're ever going to get away from being hybrid, so I think we still have our on-premise systems and we'll definitely be embracing cloud technologies even more, and SaaS as well, it goes without saying. And that's only going to continue to grow. And I think security is always a bit of a losing battle. Right? The bad guys only have to find one way in, but the security guys have to secure all the ways in, and that's a really hard task to do and almost impossible. And the only way we're going to do more is by embracing technology itself to solve the problem. So we will always have a skills shortage.
We will always have a people shortage in this space, because the problem is so big that we're just never going to be able to solve it through just throwing people at it. And so we really need to embrace technology to help solve the problem. So it is a people and a technology problem. It's both of those together that will have the best chance of fighting back. And then on top of that, it's definitely education as well. It's kind of, how do we modernize education and how do we get people up to speed quicker when it comes to things like new cloud technologies and the risks that they bring, and how do they operate differently to on-premise?

[00:31:53] Speaker B: So when you talk about education, I do agree. Do you think there's just so many things every day? I mean, I'm at the coalface of the industry and even I struggle sometimes to keep up. Like, I'm speaking to people like you every day. And so I'm in a fortunate position where this is my job, but other people have actually got to do their day job, and then they've got to listen to this podcast to see, okay, what's James Campbell going on about. So how do people then understand and keep up and be across it and feel like they're ahead of it as well as doing their day job? And I know it's hard, but I just think even a decade ago when I started in this space, things were significantly different. There's always something going on now and there's always someone coming out with a new thing or a new problem. It's just very hard to then keep up. So do you have any sort of practical advice on that front? Or is this something that vendors and cloud providers can do in a better way to upskill and educate people that is palatable and digestible?

[00:32:50] Speaker A: Yeah, well, I think you hit the nail on the head at the end there. It's kind of a bit of both, really. It's the community helping itself and the vendors helping as well. Right.
So it's a little bit of everybody in it all together to upskill the industry and bring people forward. I guess one of the fascinating things about the security industry, and you definitely would have noticed this in your role, is that it's constantly evolving. If it's not something today, it's something tomorrow, right? And I think that's what makes the community so interesting and what I love about it as well, actually, because everybody's always going to have a thirst to learn, and you're always going to have to be learning, like, what's the new thing? What's the latest thing? I guess trying to use technology to help us be smarter about that, so maybe helping you focus on one thing over another, I think is going to be really helpful for us. As an example, right? Like that whole point I gave before about that one person saying, hey, I just want to click a button and look at system X, and it's like, yeah, absolutely. You should be able to do that, right? You shouldn't need to be a container expert. You shouldn't need to know the ins and outs of Kubernetes. Maybe the basic high level, right? That's what you have time to learn. Like the basic high level of how that technology works, but you don't have the time to work out the ins and outs. And this is where we use technology to say, hey, here's your button. If you click it, you'll get to look at that system in a way that you already know how to do. And that's like a real enabler. So again, kind of going back to a little bit around the community, that thirst or appetite to learn is still going to have to be there. I have to say it's always going to be evolving. And then third is kind of think about what sort of tooling or technology, or even just writing your own scripts. What can I do to automate some of the kind of more routine stuff so I can focus on the things that I really need to focus on?

[00:34:43] Speaker B: So, James, is there any sort of closing comments or final thoughts you'd like to leave our audience with today?
[00:34:48] Speaker A: Oh, that's a good question. Look, I think the main thing is just don't feel like you need to learn all the things, particularly around cloud. Right? It's complicated, it's hard. You have experts for individual technologies, even in cloud, so don't necessarily feel like you need to know it all, but certainly embrace it. There is really cool stuff out there, some really cool technologies, but certainly there needs to be a lot of education around what sort of risks those technologies bring to the table and what you can do about solving some of those challenges and that risk, and making other people aware of it as well. I think that would be really cool to start seeing, because certainly there's not a lot of people that know about it. And I think the more we get the word out there and the more people will look, the more we can start kind of solving this problem together, which will be really cool.

[00:35:40] Speaker C: This is KBcast, the voice of cyber.

[00:35:44] Speaker B: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.

[00:35:52] Speaker C: This episode is brought to you by Mercksec, your smarter route to security talent. Mercksec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and midsize businesses scale faster and more efficiently. Find out more at merck sacs.com. Today, our.
