Navigating the Cybersecurity Landscape with CISO Alex Manea
John: Cyber security, a big topic, right? Too big for a single podcast and more importantly, it's hard to connect piece-parts of different aspects of cybersecurity. Alex Manea, Georgian's head of privacy and security, and I have put together a series that will connect all the dots for you and give you some insights that will help you as you think about cyber security and how it relates to your company. Alex, you're the perfect partner for me, but let's have you tell everyone why.
Alex Manea: My role is pretty unique because I run our internal IT and security team, but I actually spend a lot of my time working with our companies to help them hire and build out and scale their own security architecture. I also get to work closely with our investment team and help them research new cybersecurity markets and find the most exciting new companies and markets for us to invest in. So it's a pretty unique role because I get exposed to a really broad range of security threats and technologies, I get to talk to CEOs and CTOs and CSOs from across the industry, and hopefully that'll lead us to a great discussion today.
John: When I think about the cyber security market, it's too easy for me to get confused. And no matter how many market maps I look at, there's too many boxes. Oh my gosh, I got one in front of me. I got threat intelligence and endpoint security and incident responses and forensics. And how can you simplify for our audience the basics they should be thinking about when they think about security?
Alex Manea: Yeah. I mean, the reality of security is it is very complex when you actually start getting down into the nuts and bolts, but when you think about it fundamentally, it really isn't that different from physical security or physical safety. Physical security and physical safety are things that we as human beings are actually very comfortable with. So I like to think about it in terms of the analogy of let's imagine that you're building a medieval castle and the king of France comes to you and says, "Hey, I want a castle that's big and lavish, but I also want it to be secure." How would you go about that? Well, the first question you probably ask him is, "Okay, who needs to be in the castle? Who should be allowed there? The king, his court, lords, ladies, cooks, cleaners? What about visitors and guests? What about when the queen of Spain comes to visit?" So you have to be able to identify who the good guys are and who the bad guys are and make sure that you let the good guys in and keep the bad guys out. That's fundamentally the first part of security, is that identification.
John: So let me stay with you on identity. This is cool because I like this thought about the good guy, bad guy. And I'm sure you're going to go, "Yep, John, you're right." Or whatever. This is complex in that I could have the cook in my castle who now wants to poison me or do bad things, and we could have employees that are doing bad things. So it's never going to be black and white, there's going to be almost a spectrum of maybe the queen was the queen of Spain, that she gets probably very special care and maybe gets a special dispensation for whatever, but maybe the cook has to be watched more carefully. That's all. In that, again, we don't want to go through all these products, but that's all in there, right?
Alex Manea: Oh yeah, absolutely. And obviously I'm oversimplifying here in terms of good guys and bad guys; the other thing to keep in mind too is the concept of good people and bad people is very contextual. So in the example of the cook, should the cook be allowed in the kitchen? Yes. Should the cook be allowed in the king's chambers in the middle of the night? Maybe not. So you really have to think about it contextually and you have to think about it in terms of the principle of least privilege: to what extent does the cook need access to the castle? To what extent does the king need access? To what extent does the queen of Spain need access? So that's definitely going one level deeper, but absolutely that has to be part of the model.
John: No, actually I really like that and I guess I obviously have my IT hat on. It's exactly right. I think about the old example with Uber and Godmo, that every Uber employee could see where every passenger was. No, no, no. And it's not just the cook and where this person can be in the castle, of course it's about the data that an employee might have access to. Now, I know I took us down a rat hole, an eternal issue with employees, but there's much more here. So take us back outside of the castle if you don't mind, tell me what's next.
Alex Manea: The next step to this then is obviously preventing attacks. So in the case of the castle, you obviously want to have high walls on the castle, you want to have a moat around the castle, maybe you want to put some crocodiles there, you want to have a drawbridge, you want to make sure that you have a way of getting in the castle. So in this case, it would be equivalent to your firewall and port 443 within your firewall. You want to have guards, you want to have a lot of obstacles that attackers need to cross. Ultimately the best way to approach it from a prevention standpoint is defense in depth. The more different obstacles that you can put in the attacker's way, the less likely it is that the attacker's going to be able to cross all of them and ultimately infiltrate your castle.
John: So what this makes me think of is, in all of IT, but maybe even more so in the case of cybersecurity, which we are talking about, if there are point solutions and platforms and you just made the comment there, you should have many obstacles along the way. And I'm not going to ask you for all the answers, but somebody could be choosing from many vendors and get obstacle A in the network and obstacle B in the system or obstacle C somewhere else and obstacle D at the front desk with a security guard and a badge and a gun, whatever. So Alex, do you agree that no matter what, you're going to have to pull together, I don't know, an ensemble of different suppliers and technologies, et cetera, right?
Alex Manea: That's exactly how cybersecurity works today, right? So rather than going to a single vendor and getting them to build the entire castle for you and having that single vendor as a single point of failure, a lot of people are basically saying, "You know what, I'm going to go best of breed. I'm going to get my walls built by one builder, I'm going to have someone who specializes in moats build my moat, I'm going to have a different person build my drawbridge, but obviously it needs to integrate into the castle design." And so by doing that, essentially what you're doing is you're actually spreading out your risks across all of these different vendors, because now if any one of these vendors gets breached, in theory, as long as you have a defense in depth type of scenario, then you don't get your entire castle breached. Now, of course, in practice, the more vendors you have, the more complex it's going to be, and the more likely it is that at least one of those vendors gets breached. So the basic trade-off [inaudible] you have in IT then is do you go single platform and do you have a single point of failure that is hopefully relatively unlikely, or do you have several slightly more likely individual points of failure?
John: Wow. Okay. So as I think about this, and I'm a CISO, do I hire a castle architect or do I bring one in as a consultant or do I have a castle architect on my staff?
Alex Manea: It really depends on your specific scenario. So if I look at our Georgian companies, for most of them, I highly recommend that they hire their own castle architects internally, because the reality of castles is they are very, very specific to your environment. The castle that the king of France wants built for him will probably be very different than the castle that the queen of England wants built, because of the fact that, first of all, they have different requirements in terms of their own IT infrastructure, but secondly, they have different threat models. They have different security needs, right? Maybe the king of France is currently at war with the rest of Europe and so he's really worried about that. Whereas the queen of England, maybe she's more worried about internal threats because her people are starving and she's building all these lavish castles. So depending on their individual threat model, you need to build the castle that way. And the reality is oftentimes bringing in an external consultant can be a little tricky because they have to figure out what your specific needs are, whereas if you have someone in your royal court that understands your needs already, they can customize that castle a lot better to your needs.
John: So this metaphor is working great, and at the risk of just killing it with a mixed metaphor here: somewhere along the way, the queen of Spain or the queen of England, or the king of France that moved into this castle, there's a castle somewhere along the way, more than likely it's not a new castle, which means my mixed metaphor is we're changing the wheels on the car while it's driving.
Alex Manea: Yep. We're renovating the castle. We have to upgrade the castle because now there's new technologies out there, there's new attacks, people have invented the trebuchet, they're launching things over the wall of the castle. So obviously we need to retrofit it. We need to upgrade and have some better controls in place.
John: And I think to put just the icing on the cake for that point, and I love it, I don't want to wait for my roof to leak before I... Most people when they own a house or their castle, they wait for something to break then they fix it. This is far too important that you don't wait, you've got to constantly be looking around your entire abode and doing all the repairs. It's almost like I've been reading about how to build a house in California to be more fireproof, and you can't have, for example, corners where embers might blow in and get caught in a corner and things like that, how to prevent all that. So we've got to be constantly looking at all aspects of our castle.
Alex Manea: And California is a great example because you need not only fireproof, but you also need to think about earthquakes because the reality is a lot of California lies along the San Andreas Fault. And if you're building a new building in California right now, and you don't have the right earthquake resistance, at some point, in the next 10, 20, 30 years, you're going to be in a lot of trouble.
John: That's a nice example, because it brings home that the environment you're in is so important. Now we think about identity, talk about prevention, what's next?
Alex Manea: So the next piece is detection. So obviously once you have the prevention in place, you need to start thinking about how do we actually detect what the threats are. So in the castle case, you have things like lookouts, you have informants that keep an eye on everything that's happening inside and outside the castle. Maybe there's new people approaching the castle, do those people look friendly or not? Are they armed or not? You also need to keep an eye inside the castle. Is there any unusual behavior happening? Is the cook acting unusually? Did you notice that the cook actually tried to get into the king's bedroom in the middle of the night? Was he delivering him a sandwich or was there a different reason? So you have to think about all of these things and you have to put into place the right detection mechanisms to look for both internal and external threats.
John: How do you deal with issues of if I'm following an employee around, the cook or not? I need to track them, I'm in the securities business. I am reading emails to make sure they don't say buy this stock or sell this stock for your emails. Well, I know that there are some degrees of intrusion, personal intrusion that it's required by regulation. But now if you're an employer or the owner or the king, and you've got to track your employees, can you do it at the doorway level or in all the hallways? How do you begin to think about managing and keeping... Not crossing that line of privacy?
Alex Manea: It's a great question and a question that quite honestly doesn't have a clear answer right now because a lot of those answers are being figured out in real time. Part of it honestly depends where you are in the world and what the legislature is like there. If you look at places like Europe, for instance, they have very tight individual and employee privacy laws. And it might be very, very... It might actually be illegal to be tracking the cook around because the cook has their own rights. If you look at certain other parts of the world, the legislation is very much in the favor of the employer, and the concept of personal privacy is not considered to be one of the key things. I would say in North America, for instance, we're somewhere in between. If you look at most North American companies, essentially, where they draw the line is they say, "Look, I'm going to track my employees to the extent that I need to in order to protect my business, but I'm not going to track what my employees personally do on their own home wifi networks, what they personally do when they're browsing YouTube videos, things like that." So it is unfortunately a fairly gray area, but I think as a CISO and as a security leader, it's very important to draw that line because otherwise, to your point, John, you risk getting into a lot of trouble around employee privacy rights.
John: I've always had two separate entities of where this is done and everyone who doesn't really care, for the most part, that social media is tracking consumers to the nth degree, to the millionth degree. And oh, I don't care, I'm getting a good ad or whatever, I've talked to the millennials or whatever, they're okay being tracked. At the same time, there's governmental tracking, which is a different issue. And there are governments and states that say, "We will and we won't be using facial recognition," for example. I hadn't actually put the third circle in there, but if I'm doing detection and I'm looking at my employees, it's that same thinking process and I don't even know yet where it sits on the spectrum of allowability.
Alex Manea: So the other important thing to understand here is these aren't ultimately technical issues. They're not technological issues. Technology today can enable the vast majority of use cases. Where we need to focus is the philosophical, the societal. As a society, we haven't necessarily figured out what is and is not allowable when it comes to personal privacy. And so I think our mindset as a society is still evolving in terms of, how do we balance the need to protect the cook's privacy versus the need to protect the king's safety?
John: Right.
Alex Manea: That's something that, unfortunately, doesn't have a clear answer and I think that needs to come from the regulatory bodies. Right now, quite frankly, we're depending on tech companies to decide that and I'm not necessarily sure the tech companies are the best people to make those decisions.
John: So just before I close this section, let's go back outside on the detection of the folks outside the castle. And to me, some of it is clear. Distributed denial-of-service attacks are something that's hopefully easily detectable; other ways of getting in with sniffers on networks are there. Is that clear cut from a regulation rules and tech perspective? Is that a little simpler?
Alex Manea: Yeah, it is fairly clear cut. I mean, I like the way that you brought up the DDoS attack because the DDoS attack is directly analogous to the castle. In the castle, how would you DDoS a medieval castle? Well, you would have a foreign army that would surround your castle and cut off your food supply, that is the equivalent of a DDoS. And so in the castle analogy, do we have the right to fight off that army? Absolutely. There's no legal issues there. At that point, it becomes more of a technical issue of, can you do that? To what extent are you... Do you have the resources to fight off that army?
John: And if I'm mad at the king or queen who sent me that army, I now need to fight back both locally and perhaps distantly. So let's go to the next stage here. This is great.
Alex Manea: Yeah. I mean, the last part, obviously, is response. And so there's two parts to response as you alluded to. There's defensive response and there's offensive response. And maybe we'll focus on the defensive side of things, because I think that's a lot easier to understand. Ultimately what you have to assume is no matter how well you build your castle, no matter how well you identify people, no matter how well you detect people, eventually there's going to be some sort of security breach. And so really when it comes to responding, there's three sub-components to that. You need to first and foremost contain the threat, make sure that it doesn't overwhelm your entire castle, then you need to try and eliminate it, in other words, get it out of your castle, and then the third part of it is really the lessons learned. How do we make sure that this threat doesn't hit our castle again? And how do we minimize the damage from that? So that's the defensive part of things. Now, the offensive part of things is a lot trickier, because to your point, you can counterattack the other country. And that's something that national governments are starting to think about and starting to do, but that's a lot trickier from a legal standpoint, because at that point, you become the attacker, you, for all intents and purposes, become the aggressor and you're triggering even more issues and you risk starting a cyber war. And that's something that, thankfully, has not happened yet, but given the amount of threats that we're seeing especially between nation states attacking each other, I think at this point, it's only a matter of time.
John: Wow. And I guess our companies are going to have to figure the same thing out and follow their lead but it's something they shouldn't be sticking their head in the sand on.
Alex Manea: Absolutely. Part of the reason I love cybersecurity is because it's always evolving. I mean, I've been doing it for 15 years and I learn new things every single day. New attacks, new defenses, new hackers, it's just a fascinating space.
John: So what fascinates me, and I've done a lot of reading on, and it's still relatively new that it's worth asking you to comment on for me, in terms of getting in through the plumbing and hopping to another person, is the SolarWinds attack. How does that map to your analogy and what could or should companies have done about that? You probably need to explain it a little bit, but I'm fascinated by this one.
Alex Manea: Yeah. So for those not familiar with the SolarWinds attack, it's essentially a supply chain attack. So it's not attacking the castle directly, it's attacking it indirectly by attacking somebody who services the castle. So let's say, for instance, that the cook dies and the castle needs to get a new cook. Well, with that new cook, obviously, you need to do a certain amount of vetting on them, but no matter what, you're never going to be 100% sure that that new cook isn't secretly working for another country, or that new cook hasn't been compromised. And so I think what's naturally happening and what we're seeing with SolarWinds and other attacks is IT supply chains are just getting more and more complex. And so it is interesting because you can go down practically an infinite rabbit hole, because let's say, as an individual company, you might have, let's say, 30 vendors, and each of those 30 vendors might have 30 vendors for them, and then each of those 30 vendors might have 30 vendors. And it becomes kind of like a chess tree. In any given chess position, you only have, let's say, 15, 20, 30 different moves, and that's tractable. But if you start looking down a line and you start thinking 3, 4, 5 moves ahead, well, that's 30 times 30 times 30 times 30. So the question becomes, as a CISO, how far down are you willing to look ahead and to what extent are you able to assess not only your vendors, but their vendors and their vendors, and obviously that becomes an economic problem. It becomes a problem of, to what extent are you willing to invest resources into understanding the full end-to-end supply chain versus what are you actually looking to protect? The more valuable your assets, the more you have to start looking deeper and deeper into your supply chain.
John: So one of the pieces, I think about the metaphor, I don't know where it fits in. You've got to make sure that if you've got data, and we talked a little bit about privacy, anonymization of data, this is not quite cyber security, but it really is quite relevant to our discussion, how do we make sure that records are anonymized? That if someone does get in, there's another layer of protection? Should I just consider anonymization of data and good data security practice as just another moat? How should I be thinking about that?
Alex Manea: Yeah. No, it's absolutely another moat. And the thing to understand with anonymity is it's just like security in that it's not binary. So just like with security, it's not, "Are you secure? Are you not secure?" With anonymity, it's not... If you ever hear a vendor say your data is fully anonymized, that's not how anonymity works, because no matter what, there's always some way of getting back to the root data. And so the thing to understand is, part of the reason that anonymity is becoming such a challenge in the world is because so much data is being collected about us. And even if those individual records, that PII, is anonymized, the more you have that PII out there, even anonymized PII, the more likely it is that somebody who has access to that full data set can de-anonymize it and can eventually start detecting you. And that's why we at Georgian have worked on things like differential privacy, for instance, to help with that level of anonymity, because we feel like this is going to be one of the biggest challenges of the 21st century. Back to your point around social media, you are paying for social media with your data. The reason that Facebook gives you free access is because you give them free data and therefore they can target ads to you. That's the entire business model, and it's a business model that's unfortunately becoming more and more common on the internet.
John: Ransomware. Again, another one of these insane things that just happens everywhere and it's more than just teaching people not to click on that spam email, obviously. There's so much more to it. How do you view that?
Alex Manea: Going back to the castle analogy, once again, ransomware is the equivalent of kidnapping the king's cousin and holding him or her for ransom. It's the modern equivalent of that. And so another way to think about ransomware is it's actually a natural evolution of where viruses first started, which is, if you remember back in the 90s, you would open an attachment to an email and it would delete your hard drive. Ransomware is just the natural evolution of that because here's the thing, deleting your hard drive causes damage but it doesn't actually give any value to the attacker. Whereas if I encrypt your hard drive instead and I say, "Hey, send me two Bitcoin to this particular address to decrypt your hard drive," all of a sudden, I've monetized my virus. And that's what ransomware is. Now in terms of protecting against ransomware, in theory, it's actually relatively simple because in theory, all you have to do is "back up your data." Now, obviously that's often easier said than done because you have to back up all your data, but the other part that isn't often talked about is the fact that you have to properly segregate those backups to make sure that the ransomware can't get to the backups as well and encrypt those. And that's one area where I think a lot of security teams fail. They say, "Hey, we have backups." Do we ever test them? No, we don't really know, we just kind of assume that they work. And then are they properly segregated? No, they're actually just sitting on the same machine. And obviously if they're doing that, then the ransomware, if it's properly designed, will spread to that machine and will encrypt the backups as well.
John: Right.
Alex Manea: So ransomware is kind of good news, bad news. The good news is it's relatively easy to fight and we will be able to fight it, but the bad news is, because of the architectural decisions that we made five, 10 years ago, we're seeing a huge surge of ransomware and we need to make the right architectural decisions today to prevent ransomware from hitting us five, 10 years from now.
John: Whew. Talk about making sure you're not just fixing a leaky roof, but you're stepping back and you're looking at your entire house to see what issues might exist. Really important. This has been a great discussion. Now, I want to let our audience know that you've been curating a series of guests for us, and then we'll be drilling down into more of what you set up for us on future podcasts. What's next?
Alex Manea: Well, John, I got to tell you, I'm actually really excited about this series of podcasts because we've gotten some of our top CEOs and CTOs from across our companies to really come in and tell us about their specific areas of security and how they're innovating. And the first one that I'll talk about here really is around identity and around multifactor authentication, which is obviously not a new concept, but it's something that is extremely, extremely important, especially in the modern world of data breaches. One of the challenges with multifactor authentication is quite frankly the usability side of things. And we have an amazing podcast with the CTO of Trusona, Mr. John Summers, who's going to talk to us about their passwordless authentication. And it's a solution that I'm personally really excited about because it's actually a solution that we here at Georgian have adopted. And it's a solution that works really well.
John: That's spectacular. I think it's great that we're both broad and digging in on key elements to educate our audience. So Alex Manea, thank you so much for taking the time to be with us today. This was spectacular.
Alex Manea: Thank you very much, John. Always a pleasure.
DESCRIPTION
Cybersecurity is a topic that is not to be taken lightly. We're working with Georgian's Head of Security and Privacy, Alex Manea, to bring you a series of content for your company's cybersecurity needs. In this episode, we approach the cybersecurity landscape metaphorically: we take you back to the Middle Ages, where castles, kings, and knights existed. Think of your company as the castle you're protecting and dive into the systems to consider when creating a security architecture.
You'll hear about:
- Cybersecurity attacks and how to prevent them
- Ways to spread out your risks
- Hiring security experts internally or externally
- Detecting potential security threats
- Drawing the line to protect the company while being mindful of legislation and employees' rights
- Responding to a DDoS attack
- What we can learn from the SolarWinds attack
- Anonymity and what it means for your data