[00:00:00] Speaker A: Pick something these days that doesn't have a computer involved in it in some way, shape or form. That doesn't mean that everything is a cyber problem. You look on the other side of it, look at things like influence operations and so forth, where they're targeting social media and trying to manipulate elections and so forth. You go, is that a cyber problem? Well, it's cyber enabled, but it's a human and societal problem at the same time. You're not going to solve that necessarily through just clamping down all social media platforms. You've got to educate people to understand or check where they're getting their information from. So it is that bleed, I would say between, yes, it's this technology that enables it, but it is in many cases a business problem or in the influence operations world, it's a societal and understanding problem.
[00:00:44] Speaker B: This is KBCAt as a primary target for ransomware campaigns, security and testing and performance risk and compliance.
[00:00:53] Speaker A: We can actually automate them, take that.
[00:00:55] Speaker B: Data and use it.
Joining me today is Mark Anderson, national security officer from Microsoft, Australia and New Zealand. And today we're discussing to ensure the resilience in a challenging cybersecurity landscape. So Mark, thanks for joining and welcome back on the show.
[00:01:10] Speaker A: Thank you. Thanks for inviting me back.
[00:01:12] Speaker B: So it is a challenging industry. The cyber space landscape is changing a lot. So maybe let's sort of start there with getting your view on the state of cybercrime as we're speaking today.
[00:01:23] Speaker A: Yeah, sure. So I guess I should probably start by telling you where our state of the world or state of view of cybercrime actually comes from. And that comes from the digital defense report that we publish on a yearly or an annual basis. And the Microsoft Digital Defense report is an evolution of what we used to call the Security Intelligence report, which has been published by us since about 2005. The Microsoft Digital Defense report actually appeared first in 2020 and was really a reimagining of that security intelligence report. And we just recognized really that the landscape of cyber was changing. All of a sudden, people were talking about remote workforces and supply chain and increases in criminal activity. So we created a new format where we brought more data from more teams across Microsoft than we'd ever done before. And we also wanted to target a broader audience in terms of consumption. And on that point, actually this year we released, whilst the big report is 130 pages, we actually put exec summaries out. So when I talk about a lot of the statistics that's happening in the world of cybercrime, this is absolutely where it comes from. And in that report, it really talks about cybercrime, nation state threats, critical cyber challenges. But all of it's not doom and gloom, which is good. It also addresses what we've learned and what we've observed. So really you can get into how you address those issues with that context, I guess with that little bit of history of where the information comes from, focusing on the question around, well, what is changing in the world of cybercrime. I think it's fair to say that we, and by we I mean governments, businesses, individuals, have been on the receiving end of a really unprecedented, relentless assault. We live in a time where never before have nation states and criminals been able to operate without restriction in the targeting of technologies and systems, and in the vast majority of cases have been able to do so with little fear of reprisal. And I would suggest that that's reflected in the stats that we see in this place. However, one slight segue on that point, hopefully you recently saw the announcement regarding the identification of the Medibank perpetrator, Alexander Irmikov, and how the australian government and ourselves at Microsoft were to provide key evidence in his identification. So I think that shows that we can fight back. It is resource intensive, but for me it was a great announcement because it's an amazing warning shot, I guess, across the bows and shows that you might think you can hide, but it doesn't necessarily mean you can. So that's probably the good news story. I'd say that's also a recent one, but giving you idea of some of the statistics, at Microsoft alone we have a capability called the MSRC, which is the Microsoft Security Response center. And this is our group that deals with all of our cloud and on premises security cases through to getting things like patches out the door. And this team is supported by multiple other security operation teams. And we've internally seen an annual increase of 23% in the number of cases that we process now. That is huge. And I'm sure that those that are listening to this podcast, I would be very surprised if anyone said their cases have gone down. My conversations with customers, I get the sense that we've all seen that similar rise. So that's pretty much our world. But in terms of the tactics, identity based attacks are absolutely on the increase. Again, I doubt that's a surprise to anyone listening. If you watch the news over the past few months, you've seen headlines around where identity tax are compromising accounts and that's the entry point. And on our platforms we're blocking around 4000 password attacks every single second, and throughout the report that we published, in the period of July 2022 to 23, the average password attacks per month sat at about 4 billion. So 4 billion password attacks every single month. However, in that report period, when you fast forward to January 2023 through to June 23, which is where the report ends, we saw that actually increase by tenfold. So we were seeing 40 billion password attacks every single month. And you go, well, why that increase? Well, unfortunately, these types of attacks are both inexpensive to run and execute, but they're also surprisingly still effective as well. And interestingly, the target sector that bore the brunt of most of that was the education sector. And I think it's important to remember that these stats are global, by the way. So I'm not saying that australian unis were the ones feeling all of this pressure, but why unis? I guess, and in general, and I am absolutely generalizing here and remembering it's a global report, the education sector tends to have a lower security posture with things like lower adoption of technologies like multi factor authentication, all of which makes them vulnerable to phishing and credential stuffing and brute forced attacks. And on that point, actually of MFA, we all know that MFA stops these types of attacks dead in their tracks. However, a real point of caution that we've started to talk about recently is the issue around MFA fatigue. And we did see a high profile example of this with Uber, where the attacker knew that username password combination. And even though the account was protected with MFA, all the attacker kept doing was just dinging the account, and eventually the user, their phone's going ding, ding, ding. And eventually they just got fed up and went and clicked OK, just to make the thing stop. And strangely, when you click it, it does stop. But at that point, you've sort of let the attacker in. So I think it's important, when we think about things like MFA fatigue, it's important to think about what drives that. Well. Number one, incorrectly implemented MFA can be just as bad, because if you're constantly pinging your users with MFA prompts, then they move from it being an event or action that they need to scrutinize or pay close attention to, to one where they just click accept, and one day they will do that, and it will be an adversary behind the scenes. So MFA fatigue is absolutely something that we need to be watching out for. A couple of other areas that we've been really focused on in the report as well, from a cybercrime perspective, human operated ransomware. So this is where instead of what I'll call V one ransomware, where floods of emails go out and whichever unfortunate person clicks the next link becomes the victim. In the world of human operated ransomware, this is where gangs are explicitly targeting organizations. They do their research, they understand what's valuable, they know what they should be paying in terms of market rate. And we've seen that go up by more than 200%. And increasingly, 70% of organizations encountering this new human operated ransomware are now smaller organizations. So by that we mean those with 500 and fewer employees. So human operated ransomware used to be the exclusive targeting of the FSI, the financial services industry, right, and all the big players, but now criminals are going after the smaller ones. So the whole idea that I'm too small to be of interest to cybercriminals is absolutely not true anymore. And interestingly, it's on that from a forensics perspective. Our investigation teams found that 80% to 90% of all successful ransomware compromises actually originated through unmanaged devices. So BYOD, laptops, phones, tablets, things like that. And then I think the last stat in this area that I'll probably give you is an increase in business email compromise. So a moment ago, we talked about the compromise through password attacks. Well, not all attackers are gung ho and run in and start pulling out data or initiating ransomware attacks and destroying computers. Some are in it for that stealthier game of email business email compromise, which, to be quite frank, is just a fancy name for essentially financial fraud. And this is where attackers are inserting themselves into legitimate business processes through these legitimate accounts that they've compromised. So a simple example being like faking an invoice, or changing the details on an invoice and having the funds routed to them. And this type of attack, we observed around 156,000 daily attempts between April 2022 and 2023. So from a purely financial standpoint, it's actually as significant as ransomware. So the question then becomes, well, why is this increasing? Well, we know that the ecosystem in terms of access to capability is changing. Criminals now have access to on demand services to aid them in their deeds, but also new technologies like AI and voice generated AI. Imagine a world where it's no longer just an email you're getting to tell you to pay the invoice, but a voicemail from your boss. Your chances of success are increasing. And it was just the other day, actually, there was a report out where, I think it was a bank in Hong Kong where one of the financial controllers within the bank paid out 25 million USD dollars after a call with what they thought was the CFO of their company, but it was actually a deep fake video. So they're really taking it up a level in the space. So it's really want to watch?
[00:10:05] Speaker B: Yes, I did hear about that. That was wild. And unfortunately that's not going to be the last of it. I want to go back a step. I mean, there's lots of great things you said there, one of which was the small businesses. So you are right.
Never going to happen to me. I'm too small. The other side of that that I look at is hearing from small to medium sized businesses that I don't know, I'm in conversations with or people just I meet randomly and they start talking to me because they know I'm some cyber person is they're like, well, if I go to these big vendors or these big service providers, they just say I'm too small. So do you think that there is that market for smaller businesses? I don't know. Perhaps it gets wrapped up as a managed service for like a small to medium sized business, that they completely outsource it. I'm just hearing that a lot that vendors are either servicing the enterprise market or multinationals or big service providers are just saying, no, you're too small. We only sort of work on deals at X amount. So do you think that perhaps there isn't enough capability servicing that sort of small to medium sized market? And majority of businesses in Australia are at that size.
[00:11:06] Speaker A: You're absolutely right and is an area that we need to address. And it's actually one of the focus areas of the new executive team that was created by the government surrounding the new cyber report. One of the working groups is actually a working group that's concentrating on how do we address helping small businesses. I think there's probably a couple of ways to look at that. Right. I think traditionally, maybe smaller businesses had to build their own IT capability on premises. And in the advent of cloud, whether it's us or other cloud providers removing the ability to have to have a server running in the back room, I think nobody should be running their own email server on premises. Now, if you're a small business, there are so many options out there to enable you to do that. So the more of that that you can offset to cloud providers or somebody that does it as a smaller managed service provider, the absolute better. But I agree that we do also need probably more capability from small businesses providing small business IT services. And it's absolutely a gap and it's one that we do need to address as a country for sure.
[00:12:09] Speaker B: Okay. So going back on one of the stats, you said the identity based attacks, from my understanding, you said 4 billion every single month. But then that increased in the previous year to 40 billion. So do you think this next year, when you come back on the show, this time in a year, that'll be up to, what, 80 billion?
[00:12:27] Speaker A: Yeah, potentially.
When you think about the stats in general. Again, I'll go back to that report that we released last year. And in that report, we talked about the 4000 password attacks per second. And then that's like 4 billion to 40 billion a month. And then if you've seen in the report, we also talk about the fact that globally we synthesize around 65 trillion signals every single day. And that is huge. That was up from three or four years ago. That was around 8 trillion. And just, by the way, I know we keep throwing these trillion words around, and I find sometimes they're really hard to get your head around. So I like to put them in per second. So 65 trillion is around 752,000,000 pieces of information every single second that comes in to our platform. So I know you've got a strong cyber background. Can you imagine building yourself a seam solution that's pulling in that amount of data? It's not just an engineering challenge to pull it in, but then doing something sensible with it. And that's what we've been having to do over the past few years. Like I say, three or four years ago, it was 8 trillion. It's now at 65. And then I think about other things. Like we've got a malware sample zoo that's got about four and a half trillion pieces of malware in again, up three or fourfold from a few years prior to that. So, yeah, I don't think any of these numbers have ever gone backwards in any of the reports that we've ever put out.
[00:13:44] Speaker B: So how do you synthesize that level of information? Like 7 million or something. You said a second. So by 2 seconds in, you're already.
[00:13:50] Speaker A: Up 750,000,000 a second.
When you think about, well, where does it come from? Right? Because, again, it's not all just thrown in one massive data lake. It's a series of pieces. Because if you think about the organizations that we service, right, it's everything from the largest government and enterprise customers in the world through to the small and medium consumers. And you've got corporate assets or enterprise assets like Azure and Office 365. But then on the consumer side, you've got things like Xbox Live and Outlook.com and Skype and Windows. And that's what really accumulates that 65 trillion a day. So they're all in sort of different pockets and they all come in, but you're not necessarily throwing them in one lake and looking at them all in one go. You have different types of queries running over them. So it is an engineering challenge for sure. But even though we have those awesome data sets, it's also about having people that are able to reason over that data as well and know what to look for. So we've got a really strong set of security teams within Microsoft, whether that's the mystic team, which is the Microsoft Threat Intelligence center, which is like a team of dedicated nation state hunters. They're looking for particular pieces of information within that data set, mainly related to things like Russia, China, Iran, North Korea, and a whole bunch of know. Then we've got different teams that are looking for different types of information, like the digital crimes unit might be looking for things that are looking like fraud or looking like scams, et cetera. So it's a real mixture of who uses that data set from all of the different types of teams that you have in the business.
[00:15:16] Speaker B: Now, I just want to focus on the business email compromise. And I was speaking to someone the other day, they are servicing a council and they exactly had this problem. But then when we sort of talked it through, it was like, well, actually it's a business problem that led to this issue as well. So, for example, I don't have all the details, so I'm paraphrasing, but basically large amount of money. There were several instances that gave, like, red flags, like, we haven't paid this supplier before, like XYZ, but also by the time that they were at the 11th hour about to transfer the money over, something had intercepted it.
There was a reason for that. When I was talking to the guy, he was saying, like, well, there were so many instances in terms of business processes that actually haven't been instituted, haven't been followed, haven't been adhered to, which then creates more of a cyber problem. And then I think maybe it's a skewed view of saying, well, yes, cyber, of course, is on the rise, but actually, if you were to peel back the layers, that business email compromise situation was actually stemmed from a business problem. I never really looked at it like that before, and I felt somewhat silly because I'm thinking, well, you're actually right. So do you think that perhaps people don't understand that they have to follow a certain process? So, for example, if it's like, okay, if I'm going to transfer Mark Anderson 250 grand, maybe I should call the company first as the last sort of point of defense before I transfer the money to sort of intercept some of those attacks, as well as doing the other checks and balances. Then along the way it was just sort of saying that there were so many times, there were so many red flags and yet it didn't get sort of picked up on until right at the last second.
[00:16:57] Speaker A: Yeah, you're absolutely spot on. That is exactly it. Whilst we call it a cyber problem, it is a cyber problem in the context that through compromising a legitimate account, like, let's say you're the CFO and I compromise your account and you don't know I'm in there and I'm lurking so I can see how you operate. But ultimately what I'm doing is the thing that I do in order to get the money out is not necessarily an air quotes, a cyber hack. It's how have I interjected and how into the business process, or how have I skewed the business process that's happening within your organization. So you tend to find to exactly what you've just talked about there. Organizations that don't necessarily have solid processes in place are more susceptible to these types of fraud. So if we were dealing, if you and I were running a company and we dealt with all of our invoices and payments and everything through a large excel spreadsheet, that's not great. But if we'd gone away and pulled in, for example, a full on financial accounting system with proper workflows in and all the rest of it, then the likelihood of these types of attacks succeeding are significantly less. So, yeah, you're right, we sort of say the cyber piece is probably the entry point, but it is really the business process that breaks down and falls over, which enables the actual fraud to take place.
[00:18:15] Speaker B: But is this the part that you think people is unaware of? Because they could just turn around and go, oh, well, mark, of course it's a cyber problem, and it's like, well, actually not if you go back the layer, it's actually a people problem and a process problem and your people aren't even really following. Well, actually, I've never paid the supply before. I should probably look into that a bit more if it's manually done. And I just think that perhaps that's the gap in the knowledge from a business point of view that people aren't noticing. Perhaps.
[00:18:40] Speaker A: Yeah, you're absolutely spot on. And it's almost because computers are involved, it is therefore a cyber problem. But pick something these days that doesn't have a computer involved in it in some way, shape or form, that doesn't mean that everything is a cyber problem. You look on the other side of it, look at things like influence operations and so forth, where they're targeting social media and trying to manipulate elections and so forth. You go, is that a cyber problem? Well, it's cyber enabled, but it's a human and societal problem at the same time. You're not going to solve that necessarily through just clamping down all social media platforms. You've got to educate people to understand or check where they're getting their information from. So it is that bleed, I would say between, yes, it's this technology that enables it, but it is in many cases, like in your scenario there, it's a business problem, or in the influence operations world, it's a societal and understanding.
[00:19:32] Speaker B: Problem, because we could all turn around and say, well, everything's a cyber problem. Everyone's got a phone, everyone uses the Internet, everyone operates online. How do you think we close that gap, then? Because I think people sort of dismiss and go, oh, it's Mark Anderson's problem. He's the cyber guy. I'm seeing that a lot more now because you said if there's a computer involved, people just naturally think it's that it problem. I know we've spoken about this for years, but yet the problem still hasn't really dissipated. It's actually gotten worse.
[00:19:57] Speaker A: Yeah, it's funny, I was talking to somebody not long ago about this, actually, where I was saying exactly this whole idea that cyber is not quite made its way over from a generational perspective, because there's still a generation of us that are out there where computers and this it, and this whole idea of having a phone in your pocket and all the rest of it is still new. There's obviously generations that are coming up where this is absolutely natural, and they've never known a world without a mobile phone or a tablet or a computer. So I wonder whether as the generations move through, and for me, cyber should become a life skill as much as crossing the road we all know not to cross in the middle of a visit, road we all know to go up and walk at a, you know, cross at a crossing we know to look left, then look right. All those types of great things. I think, until cyber becomes sort of ingrained to us all as that life skill, I think they'll always blame. There's always an out, if you like to blame cyber and blame computers for the problem.
[00:20:54] Speaker B: Well, you're absolutely right, because people come to me asking me for networking related issues. I said, look, I have no idea on that problem, okay? So you're going to have to find someone else who knows because they just think phone, computer, iPad, router. Carissa must know. So I can relate on that front. And I just think it's important to highlight that because as you would know, being in your role when you start sort of going through the forensics sometimes some of these attacks, it's like, actually this had nothing to do with that. It was so basic. And yet here we are. And of course, it sort of know leads up to being a cyber problem in the end. On that note, I want to get into a few more of the stats now. Just a quick comment on the Microsoft digital defense report, or MDDR, another acronym for our industry, with exactly what we don't need. We will be linking a copy of the report in the show notes for those wanting to dig a little deeper. Now, from my understanding, I read you've gone through a lot of those stats before, which was really interesting, but a couple more were the last report. So 60 trillion signals synthesized. You've touched on that before. 4000 attacks blocked per second. You touched on that. Plus 300 plus unique threat actors tracked, including 106 nation state actors, 50 ransomware groups and others. I mean, I could go on and on and on, but let's focus on that onesie. What are your thoughts then on that? And what does that sort of look like? And a little bit more fidelity.
[00:22:13] Speaker A: Yeah, so you're right. It was 300 plus that we do 160 nation state, the 50 financial and motivated. And then the other categories are also quite interesting as well, like private sector offensive actors, like commercial spyware, things like that. But the 160 nation state actors. So that's a real mix. So predominant nations in that, probably no surprise. Russia, China, around North Korea. And then there's a spattering of things like Lebanon's in there. I think Vietnam made it on a few years ago, et cetera. So yes, those major groups, but then also major countries, but then subgroups within. You know, if you take Russia as an know, in Russia you've got group three main directorates, I guess within there you've got the Russian Gru, which is like where their Spetsnaz and all. So it's like a military unit. And then you've know the SVR and the FSB, which are their foreign and domestic intelligence agencies. And then underneath those you have lots of subgroups as well, so by the time you times that out across all of the other countries, then you do end up with 160. And then plus on top of that, we also, then one of the statistics that's not, I don't think it's necessarily covered it or it might be in the report where it talks about unnamed or sort of groups in development. These are groups where we've seen some of the techniques, tactics, procedures looking very similar to the ones of groups that we already know but we've not been able to fully attribute. So the number is probably greater than the 160. But these are where you're just finding these little subdivisions of capability that's breaking out in these different groups across the world. But it's a huge number and it's growing. Now what I would say though is that of those 160, they're not all created equal. The world like your midnight blizzards. And those types of folks, they are the top of the top. They're the cream of the creme, if you like, in terms of their capability. But then you do have a lot of smaller groups in there as well.
[00:23:59] Speaker B: So in terms of the numbers, would you say that it's increased then from the previous year because we've seen a trend, as you've clearly alluded to today, those numbers just keep going up. So is that more, substantially more than the previous year, would you say?
[00:24:11] Speaker A: It's definitely gone up, but there's probably a little bit of a skewing in that as well. In that we've also grown our teams and our capability and our visibility. So sometimes it's difficult to tell has number of teams grown or has our capability and visibility grown? And therefore we can see more of them and therefore identify more of them. So it's difficult to give like an absolute. I'd say it's probably a mixture of both because we determined within our own organization that it's really important for us to have this capability for tracking these types of organizations, for defending our own platform and defending our customers on our platform. So we've grown our capability and with that we've started to bring in new talent. Most of the folks that work in teams like mystic or MTAC, which is a threat analysis center, the mass majority of them are all x three letter agencies from across the globe. So intelligence, community, military, law enforcement, and they've all got those skills to be able to know and understand what these types of groups do. And then we bring them in and we give them some awesome tools and technology and you let them run free and as you do that these people do what they do best and they find more once you give them the opportunity to. So yeah, it's a weird one. I'm not sure if it's increase or just more viz.
[00:25:25] Speaker B: So maybe let's switch gears now and let's get into critical cybersecurity challenges. So what's your view on this big topic? But yeah, just keen to rattle off whatever comes to mind.
[00:25:36] Speaker A: Yeah, sure, there's probably a couple of areas for me in the critical cyber challenges that we called out in that report. Actually the first one really relates to supply chain resilience and in particular open source software supply chain resilience. And the other side of it is what we've seen in IoT and ot which I think is on a lot of folks radar. But I think the information that was published in the report for me was actually quite shocking and compelling and really got me thinking about the problem in a different way. But if we just start talking a little bit about the open source supply chain side of things, we could easily spend the next hour talking about this in detail. It's actually one of my favorite topics, but I think in the time we have we could probably only really frame the problem and give some macro examples. But if you think about it at that super high level, on one side with open source software, you may be ingesting issues into your organization through code or components or tools you're bringing in to develop your solutions. But also you might be a developer of solutions that you push out to market. So you could actually be the entry point for a threat actor, and then you become the one that pushes the vulnerable pieces out into the world. But I think it's first super important to recognize that open source software is a key component of all modern day development practices. We know that OSS makes up 70% to 90% of the code base used by developers and is present in 96% of modern applications. So it's clearly a crucial dependency for the software industry. And when I say industry, I mean everyone from yourself tinkering around with software development at home all the way through to the largest organizations on the planet. And I mean to give you an example of how much do we use? We use approximately 83,000 unique packages which are then used over 13 million times in our products. So anybody that says still thinks that Microsoft isn't a fan of open source, I'm afraid to say your knowledge is well and truly out of date. And actually we're one of the largest contributors to open source on the planet. It's actually, normally a tussle between ourselves and Google as to who's sort of in that number one slot. If you go to OpenSourceIndex IO and just flick month by month, we're back and forth between each other, and Red Hat's in that solid third place. But in terms of what we've actually observed in that space, I'd say the headline statistic is that we've seen attacks targeting open source software increase by 742% since 2019. And that number is really only going up because open source software, as I said, you'd be crazy to do modern software development without it. Nobody's creating things from scratch. But when we think about that problem, there's probably four broad risk categories.
In those categories, we think about vulnerable artifacts. So things that you're bringing in that have unintentional issues in, or maybe they're good right now, but not good later. So think something like a log four J as an example. Malicious artifacts, which are clearly terrible things to bring in in the first place because they're malicious, but also things like unavailable artifacts as well. Right? I mean, you might think the fact that a piece of code is no longer available, is that really a cyber issue? Well, availability is a cyber issue. It's part of the CIA triangle. And if pieces of code disappear off the Internet and your build pipelines depend on them, then your build pipelines will actually stop and then rogue artifacts. So bits that people have just brought in and inserted into your code, but you've got no way of tracking that that was actually brought in. And back to the good old cyber saying that you can't defend what you know about. So there's plenty of, and I guess I say earlier, I could talk about this topic for ages, but I think one of the things or trends that's changing and has started to change, which has really got me excited about how we start to take control of this OSS world, is the push towards the use of software bill and materials, or S bombs for short. There's another acronym for you that we all need, S bombs. And this is basically like a manifest that ships with your code, right? So if you go away and get a software solution with an S bomb, it'll say these are all of the components which actually make up this solution. And here's all of the version numbers. And if you were tracking the US presidential order back in May 2021 on improving the nation's cybersecurity posture, they talked about enhancing software supply chain, and I think it was section four that said the software provider must provide a software bill of materials for every product, either directly or by publishing it on your website. And in their scenario, it was really for US government purchasing and that was driven by the SolarWinds incident. Right. And knowing what's actually in those products. And I really like this because this is something that we as an organization have always done internally in our own build pipelines, because you need to know what components are in the thing that you're building and where did they come from. And it also means that when something like a log four J hits, you actually just need to go to your database of s bombs and have a little query through it and go, well, okay, do we have that vulnerable component in our network and where is it? But that's on the defensible side. But I also love the idea that as we move towards this world, even changing your purchasing habits. Right. If I'm trying to sell you a solution, the first thing you should probably ask me for is do I have an S bomb? And then I can hand you the s bomb and you can then pull that in and cross reference it with a vulnerability database and come back to me and go, well, there's ten known cves in this that are really terrible, so I'm not going to buy your product until you fix it. It's a really positive move. So for me, I'm quite excited about that and where that's heading. But lastly on that topic, I'd probably also say that we've actually contributed to what's called the secure supply chain consumption framework, or the S two c two f, I think is the acronym for that one.
I know that was one that I keep tripping over as well with my tongue. S two c two f. And it's made available for anyone that's got a dev team in their organization. And it really outlines a set of requirements of how you can improve security around consumption of OSs in your own developer workflow. So it's something that's worth checking out for sure.
[00:31:35] Speaker B: Okay, I want to press on a few questions on that topic. I have interviewed a guy last year that the whole thing we spoke about was open source software. On that note, would you say the s bombs, would that then help with from a governance layer? Because some of the conversation I had last year was around exactly like, especially on your first points around vulnerable artifacts and then malicious artifacts, like people not really knowing. And then, as you said before, you can just look at the s bomb, put in a query to say, oh yeah, okay, we found it, which is a lot easier than perhaps not having that. So would you say that's going to be what helps with that governance layer?
[00:32:10] Speaker A: Absolutely. I mean, it's going to take time to get there. But again, think of a world where, and this is sort of how we did it internally, by the way. So when log four J hit, and this is a real world example that MSRC team that I talked about earlier, which is like that frontline response team, they just looked up in the system because every one of our build pipelines creates those s bomb manifests and therefore that goes into the system so rapidly, you can go through and sort of say, okay, what components do we have and where are they deployed and are they a vulnerable version or not? So that cuts down your response time. So if you think about when everybody had to respond to log four J here locally, I'm sure you've had lots of conversations where people were running around with their heads on fire because they've got third party software from people and they have no idea whether log four J was in there or not. So they have no idea whether the thing they're deployed is or was vulnerable. So for me, as we evolve and s bombs really become a thing, I think it will massively help with governance. I mean, imagine again, like if you're deploying into cloud and every time you deploy a software into cloud, you also upload into the cloud system, the SBoM, and then just let the platform take over. And then one day it'll ding you and say, hey, just so you know, cve blah blah blah is actually going to impact your application that sat out there right now. That's more proactive than you having to go away, find that the CvE has been published and then work out. Does it apply to you? I think we've got to sort of flip it on its head. It's more like proactive.
[00:33:30] Speaker B: So how many people out there do you think that are procured open source software? No. S bombs don't know really what's in it. If there's an issue, what do you think percentage of people are? And then would you say this is 100%? What keeps people up at night? Because they don't know what they don't, what's in it, where it is. If there's a problem, how do we track it? And if we do have to go and do that, it's going to cost more money, more resources, more time.
[00:33:52] Speaker A: Yeah, I don't think there's a great awareness of it. I mean, I've done several presentations on it and everyone's going, oh, I've sort of heard about that. Oh yeah, it sounds really interesting. I mean, even if you look at the government information security manual, the ISm, there's only a couple of mentions to s bomb. So it's really in that infancy right now, I would say. In fact, interestingly, I was part of a team a few years ago that helped startups with mentoring and there was a startup, an australian startup that was making tooling where you could insert your Sbom and do all of that tracking. And exactly what I just talked about there, where you could go in and look up in your SBOm database whether these things existed. And you could tell he's really excited about it, but he's also struggling to sell it because nobody fully understood what the value was at the time. But things like, as I say, log four J and a bunch of others would really sort of bring it to the forefront. But completely, I think it's not been talked about and it's going to take a lot of change as well. I mean, as I say, we've done it internally and we've had to do it especially in the US as well, because otherwise we wouldn't be able to sell to us government. But for a lot of software houses, they're going to have to implement it into their build cycle and they're going to have to start publishing these things out. And that's going to take time and it's going to take a bit of a changing culture or a regulation. One of the two.
[00:35:05] Speaker B: So let's flick over to. Is it the s two C, two F? Is that right?
[00:35:09] Speaker A: That's it, yeah.
It's already stuck in your head. See, how amazing is that?
[00:35:14] Speaker B: Ask me again tomorrow. So talk to me a little bit more about that because again, I'm at the coalface of this industry. Of course, supply chain is just a massive topic that keeps getting covered a lot. So how does that sort of work in a little bit more detail?
[00:35:28] Speaker A: Yeah, so really that's just a framework that we've put out that will break down the ways in which you should be thinking about addressing open source in your environment. So, like that example I gave earlier about those four different categories, so vulnerable, malicious, unavailable and rogue, and then breaks that down into the. Well, how do you need to think about building out your environment when you're using these things? So a good example on that is, well, do you allow your developers to go and fetch things directly from the Internet? Well, no, you'd proxy it out and then ensure that when you've collected an open source piece of code from the Internet, not only do you then store it on a proxy so as an internal server so that you've addressed the unavailable component of it when you've brought it in, you should then also be thinking about running it against known vulnerability databases. If you're a little bit more advanced, then think about how can you run your own code scanning analysis tools over it to look for issues. And then the rest of the framework talks about, well, how would you into your build pipelines enable that SBom type approach to show trail of a, where that package came from and how it went through the build lifecycle and how it came out the other end. So there's a whole framework around how to think about all of those various components and what you should do.
Well, it's quite comprehensive. It is really a crawl, walk, run. Not everybody will be able to do everything on day one, but there's some very simple things that you could do to start with. Like every time you use some open source, check it against a well known vulnerability database, or use so organizations like Google and so forth and others have also created like trusted build. So instead of you having to rely on a component that somebody's built on the Internet and you download the component, well actually trusted organizations like Google will have pulled the source code down and compiled it and you can get the binary directly from them. So it's all little things like that and the whole framework of how to start thinking about that from end to end.
[00:37:24] Speaker B: Okay, I quickly want to now get into maybe some of the stats around critical infrastructure and then the state of iot and OT security, which I think is really interesting.
[00:37:32] Speaker A: Yeah, sure. So in the area of OT and IoT, when I read the report that we put out, it was one of those weird moments when I read it and went, oh, wow, surprising. But then in that same thought bubble, I was like, not really. It's an area that gets talked about all the time as being that weak point in the world of cyber. But when you actually look at the stats versus hypothesizing about it, that was the bit that really set me back a little bit. So just to level set where we get our data from on that, it's actually coming from within a team in Microsoft that's responsible for Microsoft defender for IoT, which is a capability we have, and it's the mixture of their data plus working with industry partners as well. The reason why I found these stats so interesting is because the numbers really do paint a picture and there's probably four stats that really made me sit up and think. I'd say the first looks at devices in industrial control networks, and this is coming from sensors that are deployed in the real world data, and it's pulled back into our telemetry. And these teams found that the data showed that 78% of devices deployed in these networks are vulnerable. Of those 78 with known vulnerabilities, 46% of them cannot be patched. And this is because the vendor no longer exists or it's out of support. And then 32% of that 78 were vulnerable and could be patched, but are not in that sort of remaining 22%. So the 78 and then the 22 of that 20 215 percent didn't have any CVEs and 7% weren't patched. Now just keep that 7% in your mind for a moment. Next stat is 25% of OT devices on customers networks are using unsupported operating systems as far back as Windows 2000. And I'm sure that somebody's listening and going, haha, I can beat that. I've probably got an NT four or an NT 35. One sat somewhere under a desk, but 25% as far back as Windows 2000. And then the third stat was around 57% of devices on legacy firmware. That's to say firmware where there's a more recent version are export to ten or more CVEs, despite there being a more recent version of the firmware that would significantly reduce that number. And in many cases the firmware updates are over ten years old. So that's to say the device hasn't been updated for ten or more years. And then the last one, which sort of blew my mind, was an area, there's an application or a runtime that's heavily used in programmable logic controllers called code Assist. And this runtime bit like think like a net or like a Java type runtime. So code assist is used on things like switching systems, motors, all in industrial settings, and it's used widely in the industry by over 500 manufacturers, supporting all sorts of architectures across the planet. And our team did some extensive research looking at the SDK and found 15 new zero day vulnerabilities in it. So think about that for a moment. This is a runtime that's used to control everything from power grids, water treatment, manufacturing, so threat actors can shut down, tamper, steal information. So for me, when I looked at these stats, he really made me, you know, I knew this was a problem, but the numbers are a little shocking. And it got me thinking, well, how do you solve that? And by the way, this is a Mark Anderson viewpoint versus the report recommendation because I think I'm probably being a little bit more blunt than the professional report would be. But I think this is one of those moments where we really have to have a mindset shift. Right? I mean, for years we keep hearing that these systems in the OT space, such as those that control manufacturing lines or power grids, that position has always been, we don't update these systems because the cost of downtime or failed upgrades is too great. And it's really one of those areas that subscribes to the if it ain't broke, don't fix it methodology. However, I'm sort of going to suggest that that position is no longer tenable. Right. Think cyber as either an extortion tool in a criminal sense, or the disrupt and degrade or disruptive aspect of it in a nation state conflict sense has changed that forever. So I'd suggest that if you're sat in the if it ain't broke, don't fix it crew, then I'd suggest it's probably better to have your own plan to upgrade or replace the system where you can control it, test it first and have a rollback plan. Because if you don't, somebody will probably do it for you, take it down for you, and you have no control over that and your downtimes are likely to be longer and your potential for things like second order effects like industrial accidents, most certainly greater. And I absolutely realize when I make that statement, it's easy to just throw those words out, and it's probably much harder in reality. But I think it's where you've got to push through that too hard headline. Because if you were to take everything that I just talked about there and took it from a general sort of it cyber perspective and replaced all the words that were it and ot and put the word it in instead, you would never accept a position where only 7% of your IT network fleet was patched or you were running computers that had Windows 2000 on it or had patches that were available for over ten years that you hadn't complied to your computer. So as an IT admin, you'd be fired by this point. Right? So for me, it's one of those moments where, yeah, you definitely, well, he's been getting away with it for so long. You've been getting away for it for ten years, so maybe not. But yeah, you just get to the point where you go, is this really where the industry has to have a real introspective look? And I hope it just doesn't take like an industrial accident for somebody to go, oh, yeah, we should really do something about that.
[00:42:51] Speaker B: So I want to go back to the stat. From my understanding, it was 46% that basically just can't be patched. Is that correct that you said correct? Yes. So what happens now?
Does that just mean as an industry, we're just hoping and praying that no one's looking there? Is that what you're sort of saying? Because what happens with that?
[00:43:08] Speaker A: Well, I guess it was one of those moments where you go, well, if you can't patch it, then how do you mitigate it? I guess that's where you have to come up to. Like most things, if you can't fix the problem, how do you mitigate it? Does that mean, for example, well, hopefully it's probably on an air gap network, but okay, might not be on an air gap network. So is there another control that we actually can put around that particular piece of equipment that would prevent that exploit from being exploited? So how do we block the path to exploit? So ideally, when something's that far out of date, you would be hoping that somebody would be thinking about, how do you replace that equipment? Because if it's no longer supported or the vendor no longer exists, then when that thing breaks, it's going to affect your systems anyway. But, yeah, from an it and cyber perspective, it is more of a, you'd have to sit back and think, well, how do I prevent that thing from being exploited? And what are the mitigations that I need to put there?
[00:44:00] Speaker B: Well, I mean, 46% is pretty high, not 6%. And then you sort of went on to say 32% could be patched, but haven't been. So what is that? Look, going back to your earlier point around, there might have to be a severe accident or catastrophic event for people to start paying attention. I mean, we've seen that even with the optuses, the medibank sort of breaches, you don't get to that stage. But I think almost, it forces people hand be like, oh, well, we should have thought of that. Running systems at almost 25 years old.
[00:44:29] Speaker A: Yeah, absolutely. I don't necessarily think I have an answer for it. I think none of us obviously want any form of industrial accident or something to be the catalyst. So probably the only other way that you might see something like that happen is potentially through regulation, maybe. I don't know. That's probably potentially one way that you might find things like these might get pushed along a little bit harder than they currently are today. Because until you actually feel the pain of it. It's one of those things that you can just push down, kick the can down the road, I think is the phrase, yeah, absolutely.
[00:45:00] Speaker B: We don't want that. I just think that sometimes history does repeat itself, and we've seen this over the years. And as much as we want to talk about these problems, people sometimes just don't move because they're like, oh, well, it hasn't happened yet. So is there any sort of final comments and closing comments you want to leave our audience with today?
[00:45:17] Speaker A: Mark? I'd probably say go away and read the report because, I mean, we've just talked about, just skimmed it. It's 130 pages, so it's most definitely go and get yourself a massive cup of coffee and flick through it. But if you don't have the time to do that, as I said earlier, there are shorter versions of it. We did do executive summaries, so I know you have a lot of busy execs listening to your podcast. So if they only want the two and three page version of just the key highlights, you can go and download those separately. And you don't have to go and do the full 130 pages. But I'd suggest going away and have a read of it a because it will give you a view, view of the world in terms know, we didn't cover nation states as a good example today, but as I also mentioned earlier, it's not just doom and gloom. There are some real good practical examples of ways in which you can start to build your cyber defenses based on what our people that are on the ground are actually seeing. Be that through our telemetry and our capabilities in that side, or even teams like the Microsoft IR team that are the team that run in when a customer has an issue and looks around the network and helps them fix and eject the adversary. So there's a lot of learnings from those folks at a global level. So plenty of information in there. And I suggest go away and read it. There's lots of great stuff in it.
[00:46:34] Speaker B: This is KBcast, the voice of cyber. Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.
This episode is brought to you by Mercksec, your smarter route to security talent Mercksec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and midsize business is scale faster and more efficiently. Find out
[email protected] today our.