CarahCast: Podcasts on Technology in the Public Sector

Combating Cyber Threats in Government

Episode Summary

Join us as thought leaders from Ohio agencies and the business community discuss their high-level vision and day-to-day objectives in adopting new technologies to revolutionize government IT.

Episode Transcription

Combatting Cyber Threat in Government

 

Corey Baumgartner  00:01

Welcome back to CarahCast, the podcast from Carahsoft, the trusted government IT solutions provider. Subscribe to get the latest technology updates in the public sector. I'm Corey Baumgartner, your host from the Carahsoft production team. On behalf of Carahsoft and Okta, we would like to welcome you to today's podcast, focused around how Spencer Wood, Cybersecurity Advisor for CISA, and Mitch Spaulding, Senior Solutions Engineer of SLED from Okta, will explore how agencies are tackling cyber threats to protect critical infrastructure and provide secure services to the people of Ohio.

 

Jane  00:37

Hi, everybody. This is our panel on cybersecurity, the questions that you all want to ask, but many times can't be answered, hopefully be answered by these. Now, that's putting a lot of pressure. But thank you all, thank you all for being here. This has been an incredible, two sessions in a row have been fantastic. And these guys will be just great. So let me introduce the topic if I can. Federal, state and local agencies stand together in the fight to prevent and recover from cyber attacks, as their communities increasingly become targets of hackers from cyber attackers and other cyber criminals. You know that you've seen this in your own communities and probably in your own email, right, the phishing attempts are just out of control. Cybersecurity risks range from data exploitation, insider threats, third-party vulnerabilities as outsourcing increases, ransomware, identity theft and fraudulent access to state government services. So let's meet our experts today who will explore how agencies are tackling cyber threats and how they are protecting their critical infrastructure in their individual organizations and states. First, let me introduce Spencer Wood. Spencer is a cybersecurity advisor for CISA, which is the Cybersecurity and Infrastructure Security Agency. Spencer, welcome, please. So tell us about your background and work.

 

Spencer Wood  02:08

Good afternoon, and we get the envious job of being between you and tacos, which is never a fun thing. So I am one of the cybersecurity advisors here in Ohio with CISA. There's currently two of us in Ohio; we're currently in the process of hiring two more. Our director, I think, just announced yesterday that we've hired over 1,300 people over the past 18 months. So we are a rapidly growing agency. Lord knows we need the help in the cybersecurity space. And my role as a cybersecurity advisor is literally that, to advise on cybersecurity best practices. We try to work left of boom, so we make sure that we get in and work with organizations to help prevent a security incident. But should it occur, we help with recovery and resiliency, with resiliency being really kind of the biggest part that we try to help organizations with. Alright,

 

Jane  03:10

Great, welcome. And also with us is Mitch Spaulding. Mitch is Senior Solutions Engineer for state, local and education organizations for Okta. Tell us about your background and your work.

 

Mitch Spaulding  03:21

Hi, everyone. My name is Mitch Spaulding. Yeah, so I'm born and raised in Columbus, Ohio, grew up in the Central Ohio area, I live in Delaware now. Yeah, a little bit about me: I got my start in identity probably about six, seven years ago, just working with a consulting company to implement identity solutions. That then led me to Okta, where I really kind of found my passion for solutions engineering. And really what I do is I work with state and local government entities and education institutions to help understand their business challenges and how we can map to solving them from an identity-first approach. So that's me.

 

Jane  03:55

Wonderful. And I'd like to say that our third panelist, Nathan Norris, Deputy CISO of Operations for the Office of Information Security and Privacy for the Ohio Department of Administrative Services, was not able to join us today due to illness. So we thank him for agreeing to participate and hope we can host him on another future panel. Alright, let's start with you gentlemen. Spencer, how about with you? How do you work with states like Ohio to support the implementation of the federal government's vision and guidance on improving cybersecurity, such as the Zero Trust cybersecurity framework and the National Cybersecurity Strategy?

 

Spencer Wood  04:31

So one of my jobs, again, as a cybersecurity advisor is to work with stakeholders. We work with stakeholders across all 16 critical infrastructure sectors. And if you boil it down, pretty much almost everyone is in a critical infrastructure sector in one way or the other, with government being one of those. And obviously there's a lot of functions that government runs, whether it's wastewater treatment, transportation, telecommunications, elections, all sometimes even illogical, that we want to make sure that we're there to help support the stakeholders, to help support their implementation journey on whatever process they want to take. So for example, if they want to go with Zero Trust, we have a deep bench of technical resources that we can reach back into headquarters, and work with people on that. We can also work, whether it's that or things like Secure by Design, we're working directly with vendors to make sure that the vendors are actually baking security into their products. So for example, an automobile: you don't have to buy the safety features, or the security features of the car, for the most part. It has airbags, it has a seatbelt. It has the bloody little parking sensors, has the little light on the mirror or the backup camera. Those are all standard safety, standard safety features. Well, software should be the exact same thing. Consumers should not have to pay extra for some of the very, very standard security and safety features that are out there.

 

Jane  06:01

Yeah. So let me ask a question. I mean, Zero Trust has a lot of implementation steps that they're looking for agencies to put in place. Is this proving to be a challenge for state and local organizations? So

 

Spencer Wood  06:14

I think anything like Zero Trust, I mean, Zero Trust is a complete mind shift on how you are providing information access. I mean, literally, it is: I trust nothing, and then I have to grant you fine-grained control to literally everything. And that is something that's dramatically different than how we've built networks for the past 20 or 30 years. And Zero Trust is a journey. I don't know any organizations, maybe Mitch has been lucky enough to work with an organization that says, well, we implemented Zero Trust, we're done. So I

 

06:49

have not, but like you said, it is a journey. It's something that you work toward, right? Start with one facet of Zero Trust, whether that's identity, whether that's the device, the network, what have you, and then you can build on that and scale and solve other aspects of Zero Trust. But certainly, it's a journey that does take time.

 

Jane  07:06

And so Mitch, let's continue with you. What are some of the persistent challenges that you see state and local organizations and education organizations experiencing?

 

07:15

Yeah, so I've worked with a lot of different state and local entities in Ohio, as well as education institutions, and you know, outside of, you know, just general patching and, you know, things like that, you know, general security hygiene, one of the persistent cybersecurity challenges I've seen really gets back to just bandwidth and staffing issues. It's far too common, right, that all these different, you know, entities have great cybersecurity initiatives, yet they just don't have enough time and resources to follow through and deliver on them. It's unfortunate, but I think a lot of it does get back to just general, you know, IT budget constraints. And also just the fact that there's a vicious cycle with, you know, turnover in state and local government. You have individuals, you know, who will join a public sector agency, get trained up, you know, learn the systems for a year or two, then they'll go ahead and take those skills and join a private sector entity right at that time. Seen it too often. And then that leaves, you know, the individuals who are committed to the public sector mission stretched very thin, and having to manage and maintain the status quo. And oftentimes, the status quo has been, you know, implemented and managed over the last five to 10 years. And that's not something that's really going to cut it in this day and age against modern cyber adversaries. So when it comes to building resiliency, what I often do from an identity perspective is I look at areas where identity would have the biggest, most monumental impact in the organization.
And whether that's starting with multi-factor authentication, layering on multi-factor authentication for sensitive applications, they use specific admin accounts and working from there, or, you know, if it's a more mature organization, looking at, you know, role-based access control as a whole, you know, implementing a solid role-based access control practice, that'd be the recommendation in that case. Or if it's just, you know, optimizing identity, you know, being able to input something like governance for, you know, access certification reviews, basically checks and balances of identity, you know, that's where we go ahead and make that recommendation. That way, of course, we're not, you know, stretching anybody too thin. You know, we have bandwidth in mind, and we're able to basically get something in that makes an impact versus throwing something, you know, something massive at a given entity and expecting them to do something with it. So in addition to that too, you know, with these different projects that we're working on, we are also looking for areas of, you know, optimization with automation. So being able to basically, from an identity perspective, right, implement something like self-service password reset, self-service account unlock in a secure fashion, being able to use, you know, no-code workflows to be able to automate identity tasks, you know, things that basically take away from tribal knowledge developed when different administrators or analysts leave the organization. Those are all areas that we want to help improve. So then that way individuals and entities alike, they can stay cyber resilient, and focus on other important cybersecurity initiatives. All right, great, thanks this

 

Jane  10:05

great information. I also want to remind everyone, if you do have a question, just scan the QR code. And the questions will pop up on the computer here on my screen. So hopefully get them in for our experts today. So Spencer, let's go back to you and your work at CISA. What are the main cybersecurity challenges and threats facing critical infrastructure in Ohio? We know that we have seen attacks on critical infrastructure. There's a lot of fear about that, because just how big geospatial, not geospatial but geopolitical, climate right now. How has that changed over the years? And what's the solution? Is, is insurance the answer for these carriers? What do they do?

 

Spencer Wood  10:44

So, I mean, that's kind of a two-part question. I'll answer the second one first, because it's probably the shortest one. You know, I'm not gonna sit here and advocate whether you should or shouldn't have cybersecurity insurance. At the end of the day, that's a risk mitigation decision that your organization needs to take, to say, is it worth paying the cybersecurity premiums in order to have coverage in the event of a cybersecurity incident? Now, what I will say about cybersecurity insurance is, if you have it, make sure you understand the terms and conditions on the underwriting for that insurance. So for example, if the insurance carrier requires that everyone has multi-factor authentication, and then as an organization, you decide, you know what, the police chief or the mayor or the council person, they don't want multi-factor authentication. So that's turned on. And during the investigation process, and the insurance carrier will do an investigation process during the breach, they find out, well, it was the mayor's account that was compromised, then they kind of almost have a way to get out of paying for the insurance. Obviously, the terms and conditions will flow and legal gets involved and it goes crazy. But make sure that you at least abide by what all the terms and conditions are that were established for the underwriting. Now, when it comes to the cybersecurity threats that most state and local government, most organizations, to be quite honest, are facing, there are really, I'm gonna kind of put them in two different buckets. You know, bucket number one are cyber criminal actors. They are out, you know, basic ransomware attacks, you know, whether it's starting with business email compromise, stolen credentials, not using MFA. I'm working on a case right now where the organization was using MFA, and they had VPN credentials stolen.
So that's a case that we're actively, literally, so I stepped out earlier was to make a phone call, but that stakeholder, but making sure that you're following, again, all those best business practices around multi-factor authentication, keeping passwords up, resilient backups, and things like that. And, you know, as the last panel, I think the gentleman was talking about how, you know, their solutions are able to restore backups very quickly. Well, cybersecurity actors have gotten wise to that, you know, like, wait a minute, a lot of organizations are able to recover. So the first thing they're going to do after they get on your system, after they get persistence, is they're going to start exfiltrating the data. So they've started doing exfil, because they know a lot of places, they're gonna go, no, I'm not paying the ransom. Sorry, I don't deal with terrorists, I'm literally not going to pay the ransom. I'll just recover from backups. Or some organizations will say, I'll just start over from scratch because it's cheaper and easier for us to do that. Well, now we're gonna, now the ransomware actors are saying, oh, well, great. If you don't pay us, we will then basically post your information, your most confidential information, on the web. And then, I mean, literally, it's extortion, so that they are exploiting that data, and then using it for potentially extortion purposes later. So that's something that we commonly see. And then obviously, what you see in the news a lot, nation state actors doing what nation state actors do. Every single nation state actor has their own motives and motivations as to why they are doing things. But a lot of, again, a lot of the same basic cyber hygiene techniques.
You know, like even Mitch mentioned, you know, making sure that you're patching, making sure you're keeping up. We publish a catalog called KEV, our Known Exploited Vulnerabilities, making sure that, you know, everything is patched when it comes to that, because believe it or not, I mean, we just released a report, I think, two weeks ago talking about the most exploited vulnerabilities in 2022. And a lot of them were patches that came out in 2016, 2017, 2018. So if organizations had just applied those patches, they might have been in a little bit better shape,

 

Jane  14:56

Right. What about third-party vulnerabilities?

 

Spencer Wood  15:00

So, third-party vulnerabilities are definitely a challenge. I think there are a couple of different aspects. Part of it is also around our Secure by Design initiative, where we're working directly with large manufacturers, and we'll pick on Okta, but you know, just because they're sitting here, but you know, working with large organizations who sell the software that everyone uses to make sure that they're literally enabling security by default, and baking security in by design. Probably a really good, or yeah, I'd say it's a win, it's a really positive win, was the work that Microsoft did. The table again, the work that Microsoft did, around breach of several mail accounts that were actually occurring at, I believe, the Department of Commerce, Department of State and a couple other organizations, where our director worked directly with Microsoft, because those organizations were paying for that extra logging. Well, we were able to work with Microsoft, and through our joint collaboration, defense collaborative, to actually make sure that those set of logs were available to all customers free of charge. So that's kind of things that we're trying to do to change the equation to be, again, more secure by design, right out of the gate.

 

16:18

Yeah, and just to kind of double click on that secure by design point, this is something that Okta is also driving with, you know, some of the different partners and technologies we integrate with. If everyone, you know, pulls out their phone now, they can go to sso.tax. It's basically a wall of shame with all the different vendors who are charging anywhere from 50 to 100% extra just to enable, you know, basic single sign-on capabilities, which again, that's security by default, right there. So we're trying to work with them, basically make it so that way they're not blocking the security technologies, you know, just basic security hygiene principles, you know, behind the paywall. So in that way, again, everyone can get rid of the passwords, right, they're often, you know, being reused and shared amongst individuals. And again, secure by default there. Alright, so

 

Jane  17:02

let's get back to Zero Trust admin. And if we can, Mitch, talk about the, in a Zero Trust implementation, identity management is always one of the major pillars. So can you give us any takeaways that you have experienced with your clients that, you know, give people an edge on installing or putting in identity management solutions?

 

17:26

Yeah, of course. So I mean, I think Spencer would probably validate this with me, but like we were talking earlier, you know, Zero Trust isn't a single solution, single provider, right? If a vendor comes into an office, you know, that you're in and says, hey, I can sell you Zero Trust, you know, out of the box with, you know, a click of a button, you know, they're lying through their teeth, right? It's a journey, it's a, you know, overall architecture approach to solving, you know, for cybersecurity. So what I would recommend there, from an identity perspective, is really just prioritizing identity. Driving identity first, you know, in any kind of Zero Trust initiative, it's really going to simplify any kind of Zero Trust architecture rollout. And, you know, when you think about it, not only is identity going to be able to provide, you know, stopgap security for your existing security solutions, like, again, you were referencing there, putting MFA, say, on the VPN, that's something that, you know, identity could do, you know, right out of the box right now. But it's also going to make it so that way, you know, as you go about, you know, acquiring, you know, different Zero Trust technologies, like, you know, secure access service edge technologies to help facilitate, you know, secured network access, identity is gonna already have that integration there to easily go ahead and broker that access to get into those protected resources. And again, you know, put it back, you know, everyone here, it's great and all that you can have those protected environments with, you know, software-defined perimeters, but how are you supposed to verify access, you know, verify a user identity before getting into, you know, that kind of environment, if you're not solving for identity on the front end?
So, I will note that. And then, you know, in general too, you know, when you are validating, and, you know, going through these different identity solution validate, you know, validations, what I always recommend is look for an identity solution that is going to be neutral and independent, right, that plays nicely with everything, and enables you to capitalize on your existing security investments you've made into other security or Zero Trust technologies. As an example, you know, the identity system should be able to basically take feeds, you know, from your endpoint detection response tool, right, that's saying, hey, you know, this user has a device that's protected with EDR services, or the device, you know, risk of the users trying to leverage to get into this application is relatively low. You know, that should be a signal that's leveraged by the identity solution to make the right access decision. Or again, feeding signals from something like an email security solution. You know, if your email security solution's able to identify very attacked people or, you know, people who are likely to be phished, that should be another signal that's collected by the identity solution to enhance, you know, those given individuals' authentication requirements, right? Put them in a policy that maybe requires more step-up authentication because they are, you know, likely to be phished. So that's what I would, you know, leave everyone. You know, again, identity can be a really great catalyst for driving Zero Trust initiatives, if you prioritize it,

 

Jane  20:11

Are there automation methodologies that can be used or capabilities that can be used that would help with identity management?

 

20:18

Certainly, yeah. So from an automation perspective, like I was kind of talking about earlier, you know, we can leverage, you know, prebuilt workflows, right, that are helping automate, you know, specific actions that need to occur in third-party applications. Or you can also use workflows from a security perspective. You know, as an example, you could go ahead and use a workflow to basically say, hey, you know, this individual is trying to log in and access this resource, but they're doing so at 3am at night. And they're trying to, you know, they just logged in from Columbus, Ohio, one minute, and 10 minutes later they're trying to sign in from Singapore, right? Those are all metrics that should be able to be leveraged. And you could then use a workflow, right, to automate that and say, hey, you know, let's go ahead and send out an email to the cybersecurity team saying, hey, this looks a little suspicious, maybe you want to validate that. Or, you know, maybe even take them a step further, maybe we want to put that individual in a quarantine group, right, that maybe denies access, or, you know, prompts for a more stringent authenticator before they can go ahead and access that resource at 3am on Saturday night, right? So definitely automations are available from a security perspective to overall improve, again, an identity-first approach and Zero Trust.

 

Jane  21:24

Right. And do you see that growing in the future? Do either of you think that artificial intelligence, machine learning, those kinds of capabilities are going to have an impact on identity management? And some of the other... Yes, yeah.

 

Spencer Wood  21:41

Say, I mean, with all the fear, uncertainty or doubt with artificial intelligence, and you're not saying there aren't some real issues that need to be solved with that. But, you know, there's also the pros of artificial intelligence where, you know, kind of like Mitch was talking about, where you're taking that signals intelligence, and you're able to enrich it, and detect patterns out of that, you know, whether it's the unnatural movement pattern or, wait, I just saw that that individual put themselves out of office, why are they logging back in to the corporate network? You know, some of that, you know, the day that kind of is artificial intelligence based, and you know, that information, you know, it is gonna be a good thing when that kind of gets baked into some of the products.

 

Jane  22:18

So you're already sharing a lot of information with critical infrastructure, state governments and local governments. What kind of services does CISA have? How do you operate? Is it just information that you push forward? Or do you actually go into the team and try to help?

 

Spencer Wood  22:35

So there's, you know, several different services that we offer. First of all, all of our services are at no cost. So our services, they're already paid for. Everyone's federal taxpayers, so you're already paying for our services. So we're always gonna say, you know, please take advantage of our low cost services. Those services can be anywhere from cybersecurity assessments, so we'll come in, it's not an audit, but we'll sit down and work with you. And there's different cybersecurity assessments that we'll go through, whether it's the cybersecurity performance goals, to a ransomware readiness assessment, or let's say you're really concerned about your third parties, we'll do an external dependency mapping, is what we call it, but basically, it's, do you got the right controls around for your third-party vendors? I will come in, and we'll do a survey for you. And we'll do an assessment. And then we'll give you the results of the assessment, and we'll work with you. And we'll even help present it to your leadership if you want, about where areas of improvement for your team, so maybe potentially funding opportunities, potentially, hey, I need a cybersecurity person, we only have, we have none. Sometimes, that's literally the recommendations that we'll give. We also provide workshops, where we'll sit down with stakeholders, and those workshops can be anywhere from, let's help build an incident response plan, because maybe you don't have an incident response plan. So we'll literally sit down once a month, for six months or two months, or whatever it takes. We'll spend an hour or two a day during that month. And we'll help you build out that incident response plan. And then once you have the incident response plan, or even before that, we'll also work with organizations to do tabletop exercises. And these tabletop exercises can really be focused in two different areas.
They can be on the very technical, nerdy side, when we're talking about ransomware response and literally what switches you're going to throw when it comes to ransomware, all the way over to business-focused tabletops where we bring in business organization leaders, and we say, okay, the IT guys are busy, the systems have gone away. Now how are you going to perform your critical business functions? So for example, because, you know, for us, while we want to prevent a cyber incident from happening in the first place, resilience for a cyber incident is actually probably our most important function. Because cyber incidents never happen at a good time. They usually happen the day before payroll's due, they happen usually the day before some other major events. They happen before a long holiday weekend. They're always at the worst time. So what we do is we work with organizations to help practice that plan and help build that resiliency. And that resiliency, and I want to date myself here, that resiliency can be as simple, I can pick on Mitch on this one. Do you know how, do you know how to read a paper map, Mitch?

 

25:30

Of course I do. Paper map? Yes. Okay.

 

Spencer Wood  25:33

You'll be surprised how many people in a police dispatch center that are being hired don't know how to read a paper map. And that's a problem, you know, because they're dependent on CAD, they're dependent on GPS. And when those systems go away, we've literally had chiefs who had to come in and help the kids were Eriko kids, you know, help them process CAD reports or been literally manually do those CAD reports, because they don't remember how to do map. So we work with, like, police jurisdictions and police chiefs and say, okay, do you have a map wrong in your dispatch center? And let's make sure we do that and just make sure where they're taught and how to do that. And then on the other side of CISA services, we also offer protective security advisors, which is people that basically help physically keep you safe. So we'll go through and do facility assessments, we'll do active shooter trainings, bomb prevention, and things like that. The last service we'll talk about, it's a weird one, but it's a really fantastic one, is our pre-ransomware warning. Technically, it's called the pilots, because that's what Congress has authorized us as, what are our pre-ransomware warning activities. So what we do is, we have relationships with trusted third parties, typically cybersecurity researchers, sometimes law enforcement, sometimes in the intelligence community, where we will actually know when there is pre-ransomware activity on your network. Because these, you know, these cybersecurity researchers have embedded themselves on the adversaries' networks. And sometimes that information is incredibly detailed. It will literally say, again, I'm picking on Mitch, but it's not just computer because we can know, it says Mitch PC one, that's the computer name, that username is M Spaulding, and it's this IP address.
And it's doing this, that threat actor is now pivoting, is going to start, they're enumerating domain controllers, they're doing this, doing that. And when I usually have to make those calls, again, they're not at 2am on a Tuesday or 2pm on a Tuesday, they're usually four o'clock on a Friday. I am throwing every single red flag an organization has. They don't know who I am, I'm giving something that's urgent, and I'm giving something that has very specific, freaky information. So we try to get people to know that we will call you if we see some of this type of activity. We will call whoever we have to call to get ahold of someone. I have talked to school districts, superintendents, I have talked to the front desk person, I have talked to the help desk technician, I talked to the CISO, talked to the CIO. Basically, there's a person we can get ahold of, we will do that. If we have to arrive on site, we will do that. But, and we always tell people, if you get a call from us, make sure you can validate us by calling a local FBI office. So the local FBI office, we work with them very closely. They know who we are. You can also call any of the state fusion centers. And you can also call the 1-800 CISA number. And we never actually provide those numbers. We just let people Google them, because I'm providing a number, that seems catchy too. So we actually want to make sure we actually provide, you know, just call the local FBI, call our hotline, call the fusion center, and they will go ahead and validate us,

 

29:00

Spencer really quick, do you have a funny story where someone maybe didn't believe you?

 

Spencer Wood  29:03

Oh, yes. There's a couple different ones. We had a good one where they definitely didn't believe who I was. They had the local sheriff give me a call to make sure I was legit. That was, that was fun.

 

Jane  29:22

We have probably, you know, that's probably a smart thing to do. But that

 

Spencer Wood  29:25

was smart. Yep. That was good process. Yeah. And then we've also had another one where another colleague who was working the incident, and this was in another state, but I hadn't made the initial call because I was the one covering basically that shift that day. And they're like, Yeah, we got the scam call from the Spencer Wood guy like a week ago. Like it was. That was Spencer Wood. Oh, yeah, that was a legit call and will warn you he was warning you about this pilot. And you know this, this issue of Oh, so those are kind of the two different tales there.

 

Jane  30:04

It's great. I mean, that's a lot of detail and a lot of information. So, obviously, that's something that everyone needs to be aware of. So if they need to take advantage of it, they can. So I think this question came in, and I'm not sure who it's for. So I'm going to ask you sure, how are professionals monitoring all the reporting, and devices quickly, and then getting the information to whoever needs to get it?

 

30:29

Yeah, I think a lot of it kind of gets back to the different technologies that are being leveraged in the environment. When it comes to monitoring and reporting, obviously, you know, SIEM tools are really good at that kind of function, right? Being able to basically aggregate all of your different logs from all your different systems and correlate those to, you know, pinpoint different attack vectors. That's really what those systems are there for, and a lot of different, you know, state local entities, you know, those are the kinds of systems that they're leveraging today to kind of do that. To take that a step further, though, with the device piece. Again, you know, the endpoint detection response kind of utilities, they can go ahead and correlate that data with the SIEM tool that's being used, and basically be able to get, again, device posture, right, for all the different devices in a given organization, just so now, again, they can assess the risk level of those different devices, and take action on specific managed devices if needed, you know, if again, a given device was flagged, you know, for malware or something along those lines. So those two platforms really kind of come together to provide that kind of coverage when it comes to monitoring and devices. Are there a lot

 

Jane  31:33

of false negatives that people have to follow up on? Or how do they weed out the real from the not real?

 

31:39

Yeah, certainly, you know, I'm probably not the best person to be talking about that. And maybe, you know, Spencer can kind of highlight that piece there. From, you know, an actual implementation perspective. Yeah.

 

Spencer Wood  31:49

So unfortunately, you know, the technology is still not perfect. So you'll get, you will get some false positives, and you'll get some false negatives. Unfortunately, you know, I hate to say it's a great reason why we have jobs, is for us to actually run down those alerts, to run them to ground and make sure that they are truly a good thing or, you know, up there was nothing to worry about, or wait a minute, there is something to worry about, especially as the adversaries are starting to change their tactics to more living off the land, where, you know, Mitch signing on at two o'clock in the morning. That's unusual. Maybe, maybe it isn't, you know, this works already busy. Yeah, really busy. But you know, that's unusual. We probably should follow up on that, because there's probably a reason why Mitch should be logging in at 2 a.m. in the morning. So, you know, those are some tactics that, you know, the adversaries are using teller thinking

 

Jane  32:43

is still required. Yep, absolutely. Yeah. Can't leave it all to machine. Alright. So Mitch, I'm gonna go back to you, want to ask if there are other aspects, pardon me, of Zero Trust that agencies, especially state and local agencies, are really implementing, like multi-factor authentication, endpoint security? What are your thoughts about that?

 

33:02

Yeah, so in my experience, when it's not identity, you know, kind of taking the forefront of a Zero Trust initiative, it's usually the device, the endpoints, right? A lot of different state and local government entities that I've been working with, they'll go forward and they'll, you know, likely before even prioritizing identity, they'll go ahead and say, Hey, we picked out our, you know, endpoint detection response utility, you know, to basically handle that device pillar of Zero Trust. And then from there, right, that's the start of their Zero Trust initiative, their Zero Trust project, right, where they're working toward, you know, a holistic, you know, cybersecurity posture, you know, where you're not trusting anybody in any kind of, you know, organization. So, again, device is really what I'm seeing being implemented. And again, being able to pick up on those device signals to make sure, you know, if users should be accessing specific information at specific times, that's, again, kind of bridging that gap there with identity. But again, when it's not identity, it's usually the device that's kicking off those kind of implementations.

 

Jane  33:58

Okay. All right. Great. So let's talk now about the workforce, was mentioned earlier. But I'd like to talk about the cybersecurity workforce, because everyone is fighting for the same talent, right, especially in this field, it seems to be the one field that we can't get enough employees to fill. So how do you develop and train and retain a talented cybersecurity workforce? And what are the methods that you've either seen implemented, or you've been talking to your clients about, Mitch, in your case?

 

34:31

Yeah. So when it comes to, you know, retaining talent, you know, one of the things that I've seen really work well in a lot of different organizations is, you know, introducing, you know, weekly team calls, right, where basically everyone kind of gets together, you know, shares what's going on, you know, in the organization, you know, all that good stuff. But more specifically, you know, when it comes to retaining talent, and just showing that people matter in any kind of organization, what we've done at Okta is actually implement, you know, weekly appreciations where you give a shout out to a team member who maybe helped you with something that, you know, there was some difficulty that you needed to overcome, right? You know, basically just letting people know that hey, like, I appreciate you, you know, you matter, and you're making a difference in the environment. Those really go a long way. When it comes to retainment, you know, again, just valuing people, valuing people and their hard work. That's something that I've seen really kind of pay off there, just those appreciations. How did you get in?

 

Jane  35:21

How did I Yeah, how did they find you? How do they recruit a guy like you?

 

35:25

So it was actually kind of interesting with me, I think it was kind of right place, right time. I joined Okta right at the height of the pandemic, May 2020. I had already had previous Okta experience and background selling and implementing Okta. So I think it was kind of a, you know, from a technical side, I was like, Alright, cool, like, this guy gets it, you know, he understands, you know, the technology at a base level, right. So that's what really kind of led me to Okta specifically. Again, in my past, when I was implementing, you know, different identity solutions, you know, I managed a lot of different identity platforms in, you know, my consulting days, and for me, it was just one of those things where it just made a ton of sense, right, you know, we have 7600 plus pre-built integrations to tie into, you know, a multitude of different applications and technologies, like, you know, even Rubrik here, being able to tie into that via pre-built integration, that's huge for a lot of different organizations. And in my consulting days, that saved me a lot of time, you know, when I was working with Okta, because I'd go in, you know, set up these different application integrations in a matter of like, five to 10 minutes, sometimes, you know, really critical applications and systems, protecting those multifactor. I looked like a superhero for organizations where sometimes that took, you know, weeks and months. So that's why I really wanted to, you know, pivot and join, you know, someone like Okta where, again, we're doing a lot of really good work in the public sector, protecting, again, critical accounts, you know, powering the mission of the public sector, all that good stuff.

 

Jane  36:47

All right, that sounds exciting. What about you?

 

Spencer Wood  36:50

So I think, you know, and it was actually mentioned, I think, on the first panel, where he was talking about, you know, bringing in new talent, bringing in, you know, new employees, you know, and I think there's, you know, it's kind of, you know, kind of twofold. First of all, for your existing staff, you know, we hear a lot and everyone hears a lot, like, if I train them, they're going to leave, if I give them new skill sets, they will leave. Well, what's the flip side of that? What if you don't train them, that means they don't have new skill sets, they're not learning, they're not growing. And with, you know, a lot of people they're not growing, and that learning is the reason why they leave, because they want to go somewhere where they will learn and they will grow. And I think he, you know, exploring either nontraditional employees to bring into especially cybersecurity. Ironically, some of the best cybersecurity employees are not hardcore IT people, they come from nontraditional roles, because they think differently. And therefore, they are literally processing information differently, whether I mean, I've had a cybersecurity professional that was a librarian by trade. And you know what, she's amazing, like, just amazing, because she processes information differently, she thinks differently. And then looking, you know, and I think this was mentioned earlier, but looking at some juniors and seniors that are coming up through high school, I mean, a lot of people don't understand, especially in Ohio, you know, we have this fantastic College Credit Plus program, where literally, you will be leaving high school, sometimes with a two-year degree.
So if you can pick them up as a co-op during the summer, as an intern during the summer, that's a great pipeline to kind of introduce them to your organization, to technology, and perhaps every future employee, and whether it's the College Credit Plus program, and I can't remember the name of the actual other program, where they're teaching networking skills like Cisco Academy in high schools, where you're leaving with a Cisco certification. Yeah, yeah, those again, those are great programs where they're literally workforce ready the day they graduate high school. So those are kind of some nontraditional places to pull employees from.

 

Jane  39:07

Yeah, you know, the greatest thing is apprenticeships, yep. I think that there are a lot of students that would be interested in technology fields, especially cybersecurity, because it's such a growth industry, but they think, oh, it's going to require some skill set that I don't have or don't have the capacity for, not interested in. Where actually that's not really true. Yeah. So that's really fascinating. All right. So we just felt reached the end of our panel, give you the opportunity of, you know, answering one final question and doing a wrap up. What do the next five years look like in the cybersecurity field, and what do you expect to see in terms of threats and capabilities to fight them?

 

Spencer Wood  39:45

Oh, that's a good one. I'm going to go with the glass was half full moment. You know, cybersecurity a lot of times is doom and gloom. I think that, you know, as a nation, as you know, a lot of organizations are starting to see the importance of cybersecurity. Do we have work that we need to do? Absolutely. But as we're starting to introduce things like secure by design, Zero Trust networking, you know, it'll move the threat factor to something a little bit different. Where literally identity will be the most important thing on your network, firewalls won't matter anymore. Nothing else will matter, identity is the one thing that will matter, here eventually. But I think, you know, as the US invests in more cybersecurity training for younger individuals, cybersecurity training for, you know, existing IT professionals, second career professionals, you know, different options, I think, the future features. Right,

 

Jane  40:45

right. I agree with you, I think everybody has become a cybersecurity professional to some degree, at least we're aware of it now. Right? Yep. I mean, how many times you've been phished in the last week? For me, it seems like it's every day.

 

40:57

And I feel like there's also a better, you know, awareness training around cyber school as well, again, making strides in that regard. So in that way, you know, people have a little bit more background around cybersecurity, you know, they recognize you and not to, you know, click the link from the Nigerian prince, right, and things like that. So we're making strides for sure. But yeah, I mean, you know, kind of my perspective around that, you know, while we are really making really good strides in cybersecurity, you know, from a public sector perspective, I will say, you will start seeing a lot more politically motivated cyber attacks, yes, targets around specific states, right, that maybe introduce legislators that people disagree with. I've seen that happen before. So those states, right, you know, really any state introducing any kind of legislator, you know, legislation, I should say, they just need to be a little more hyper vigilant around that, and expect, you know, when maybe someone, you know, on, you know, Twitter or Reddit, right, they're having some negative impacts to that kind of, you know, bill or item that was passed. They just have to, you know, be again, vigilant and make sure that they're protecting the necessary resources.

 

Jane  42:00

Do you think states will gear up for the upcoming election? There? I mean, there was a debate last night, the first one, and it seems like that was a an issue of contention last year, although it was not proven to be true that there was cybersecurity intervention. But what are your thoughts about that?

 

42:16

Oh, 100%? Yeah, I think you're gonna see states really ramp up, you know, for this kind of election, again, every state is gonna go, you know, one way or the other, right. And there's always going to be people on every side that doesn't agree with the other person. So however, you know, given states votes, you know, that's going to lead to enhanced, you know, cybersecurity risk, for sure. And again, they just have to stay ready, you know, be, you know, again, ready to operate and take care of any kind of risk associated with the results of a given election.

 

Spencer Wood  42:45

So I know, first of all, I came from the Secretary of State's office previously, so a lot of our election security experience. So I know Ohio is definitely ready for the challenge. And then at the federal government level, CISA, we are working to strongly work with our election partners to advise and offer strategies for them to remit immediate risk. I will also say that election officials are some of the most resilient people that I have ever seen when it comes to being able to pivot on something. Like literally, the day before an election, there's a hurricane, or the day before the election, there's a tornado, or during the election, there's a tornado, or at 4 p.m. there's a guy threatening to bring a gun, but yet you still have to make sure people's rights are upheld. So you know, elections, election security is a major item for CISA. We actually just directly just announced, I believe about six weeks ago, some new election security adviser positions that will be complementing us out in the field, to actually sit down and work with election officials on ways that they can reduce risk. But at the end of the day, we're here to support the local election officials, you know, they're the ones who administer the elections, are the ones who count the votes, are the ones who do everything. So we're here to help support them.

 

Jane  44:07

Well, we really appreciate the information. Great information from both of you. Absolutely. Brilliant. Thank you, Spencer Wood, Mitch Spaulding, for joining us today. And thank you all for being here today for this fabulous symposium.

 

Corey Baumgartner  44:19

Thanks for listening. And thank you to our guests Terry Behringer, Peter Vanderburgh, Sharon Wilhelm and Jeff phasic. Don't forget to like, comment, and subscribe to CarahCast, and be sure to listen to our other discussions. If you'd like more information on how Carahsoft can assist your organization, please visit www.carahsoft.com or email us at SLG marketing@carahsoft.com. Thanks again for listening and have a great day.