Skip to content
Don't miss

Get the daily Cyber Briefing in your inbox

SIGN UP
Podcast

Threat Intelligence and AI’s role in Cyber Defense with Palo Alto’s Andy Piazza and Daniel Kroese

Season 2 Episode 11 •

Show Notes

In this episode of Cyber Focus, host Frank Cilluffo sits down with Andy Piazza, a senior threat intelligence leader at Unit 42, and Daniel Kroese, a cybersecurity policy expert, both from Palo Alto Networks. They discuss key findings from Palo Alto Networks’ 2025 Global Incident Response Report, highlighting the accelerating speed of cyberattacks, the growing use of AI in both offense and defense, and the increasing sophistication of nation-state and cybercriminal operations. The conversation explores the intersection of cybersecurity technology, policy, and defense strategies, including the importance of behavioral analysis, public-private partnerships, and the evolving role of zero trust in securing networks.

Main Topics Covered:

  • Findings from Palo Alto Networks’ 2025 Global Incident Response Report
  • The accelerating speed of cyberattacks and data exfiltration
  • How AI is shaping both cyber threats and defensive capabilities
  • The role of initial access brokers in modern attacks
  • Nation-state involvement in cybercrime and adversarial collaboration
  • The importance of zero trust and behavioral analysis in defense strategies
  • Policy recommendations for the next U.S. administration’s cybersecurity priorities
  • The growing complexity of securing multi-cloud environments
  • Challenges in asset visibility and managing cyber risk

Key Quotes:

“So, for example, in 25% of the cases, we saw attackers exfiltrating data within five hours of initial compromise. That’s really, really fast.” – Andy Piazza

“Better cyber defense is a data problem, which means it’s solvable. And what is the best way to solve a thorny large scale data problem? AI.” – Daniel Kroese

“We always talk about nation states or even cybercriminals stealing data. They don’t steal data, they copy it. If they stole data, we would have taken that seriously a long time ago.” – Andy Piazza

“Organizations on average take 6 days to respond to a cyber incident. When adversaries are now exfiltrating data in hours, we can actually have real time statistics around mean Time to detect and mean time to respond.” – Daniel Kroese

“40% of cloud incidents were because there was unmanaged cloud assets that were out there… From a defense standpoint, you can’t secure what you can’t see.” – Daniel Kroese

Relevant Links and Resources:

Guest Bios:

Andy Piazza is a senior threat intelligence leader at Unit 42, Palo Alto Networks, and a veteran of both the cybersecurity industry and the U.S. Army. His work focuses on tracking threat actors, understanding cybercriminal tactics, and helping organizations defend against emerging threats.

Daniel Kroese is a cybersecurity policy expert at Palo Alto Networks with experience in both government and the private sector. He previously served as staff director for the House Homeland Security Committee and as Chief of Staff to former CIA Director John Ratcliffe.

Transcript

1
00:00:00,320 –> 00:00:18,568
Daniel Kroese: How long does it take an organization to detect something might be anomalous? And then how long does it take for you to fully respond and recover from that? We have found historically, organizations on average take 6 days to respond to a cyber incident, when adversaries are now exfiltrating data in hours.

2
00:00:21,760 –> 00:00:41,560
Frank Cilluffo: Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Salufo, and have the privilege to sit down with two leaders in the cyber field from Palo Alto Networks. First, we’re going to hear from Andy Piazza, who is a senior Threat intel leader at

3
00:00:41,600 –> 00:01:01,428
Frank Cilluffo: unit 42 at Palo Alto Networks and a longtime veteran in the field and a longtime veteran in the Army. So thrilled to have you, Andy. Thank you. And also Daniel Cruz, who is a longtime veteran of policy making circles both ends of Pennsylvania Avenue, served for a long time on Capitol Hill,

4
00:01:01,604 –> 00:01:21,506
Frank Cilluffo: staff Director of House Homeland, former Chief of Staff to the new CIA Director John Ratcliffe, and also served at cisa. Thrilled to have both of them here. We’re going to be talking about a new report they just released, and it’s the Global Incident response report of 2025. So, gentlemen, thank you for joining. Andy,

5
00:01:21,538 –> 00:01:41,442
Frank Cilluffo: I thought we’d start with you and I understand you just came off a long flight from Singapore, so thank you for joining us. But thought we’d start with what you think some of the key findings are. The report itself. Sure. I think there’s a lot of great stuff in the report itself. I think it’ll resonate with a lot of different people and different perspectives. The pieces that stuck out

6
00:01:41,466 –> 00:02:01,022
Andy Piazza: to me as someone who my job, as you mentioned, is threat intel. We chase bad guys, as I say, really trying to understand the intent and capability of threat actors. So seeing the speed of attacks coming out of this report. Right. Attackers are really moving faster. That worries me as a defender. Right. That means we also have to be moving faster. We also saw with our own

7
00:02:01,126 –> 00:02:19,472
Andy Piazza: testing using AI and attacks with our Red Teams, we’re able to move faster using that as well. So just that scale and speed that we’re seeing both from the real world from a threat actor perspective and our own testing, that really stood out to me this year. That is, you know, something that I always worry about is, you know, in security field, we track our mean time to detect and mean time

8
00:02:19,496 –> 00:02:39,472
Andy Piazza: to respond. I also kind of think of it as like mean time to attack, not to throw another acronym out there for people to memorize, but just really how fast that attackers are moving. So, for example, in 25% of the cases, we saw attackers data within five hours of initial compromise. That is really, really fast. That means, you know, from a soc perspective, they got to get to that

9
00:02:39,496 –> 00:02:59,114
Andy Piazza: alert and they got to dig in, figure it out, and try to get ahead of the threat actor and block them in five hours. It’s a pretty fast turnaround for most organizations. And are we seeing pre indicators that can sort of help the defender shrink that time? Because ultimately, are they looking for additional credentials or are they going right for the gusto? Day one? So we

10
00:02:59,122 –> 00:03:17,080
Andy Piazza: see a lot of use of what we call initial access brokers, which means the credentials have been compromised somewhere else, whether that was in a previous breach of that organization or on someone’s personal machine that works for that organization. The challenge with that is, you know, if you, you pop my personal machine, you compromise my personal machine, my SoC can’t see that there’s not a whole lot of security tools compared to

11
00:03:17,120 –> 00:03:37,070
Andy Piazza: my enterprise, but that has my credentials potentially from remote login. So we see initial access brokers selling credentials to organizations. That means that attacker, now that second time they come in or the first time they come into the enterprise, they’re logging in as you. They’re logging in with legitimate credentials. That’s a lot harder to. For soc to see. Right now we have to start baselining behavior of where,

12
00:03:37,110 –> 00:03:57,022
Andy Piazza: where do those logins come in. If they’re not using malware, they’re just using tools that are inherent in that organization’s enterprise. Right. We talked about living off the land techniques. Now there’s, there’s no malware necessarily involved. They’re logging in as you using tools that are already installed by your organization. Now we really have to start like doing behavioral analysis and what we call, you know, no normal defined evil makes it much

13
00:03:57,046 –> 00:04:16,338
Andy Piazza: harder. We’re talking about no normal to find evil. No normal defined evil. That’s. That’s a quote from sans Institute training. I’ll give them credit. But it’s really like kind of the premise as a threat hunter, right. You have to understand the behavior that you expect to see and start to look for abnormal things. And is Palo Alto Networks, are you integrating behavioral tools into your.

14
00:04:16,474 –> 00:04:36,350
Andy Piazza: Absolutely. From both products and services side. Right. We have quite a bit of behavioral analysis. Also my team behind the scenes, if customers have their telemetry turned on, my folks are hunting. We have a managed threat hunt service for specific clients. But my researchers were hunting across all telemetry and we’re looking for specific TTPs and behaviors. Of course, we do use indicators of compromise as well, but we really want to focus

15
00:04:36,390 –> 00:04:55,790
Andy Piazza: on those tactics, techniques and procedures, ttps. When we find that behavioral stuff, we’ll notify clients and we’ll also pass the information to the product security teams to be able to enhance our detections. You know, one of the takeaways that I thought was also very interesting in the reports and your findings is the shift, and not that there didn’t always exist, but much more

16
00:04:55,830 –> 00:05:15,594
Frank Cilluffo: disruptive and or destructive attacks. So a little more CNA than CNE or something in between computer network attacks and exploit. And the stats were pretty staggering. 20, 24, 86% of incidents involved some sort of disruptive activity. That’s pretty big. Yeah. The one thing I want to point out there is when you first read that and you’re okay, okay, but

17
00:05:15,602 –> 00:05:35,222
Andy Piazza: ransomware has always been disruptive. What’s more disruptive about that is kind of the first thought that actually hit my head was when I first read the draft. I was like, ransomware has always been disruptive, but we’re actually seeing is these actors intentionally going after, you know, deleting backups or deleting critical systems and really actually not just encrypting data, but really taking out systems or infrastructure and

18
00:05:35,246 –> 00:05:54,902
Andy Piazza: then moving on to additional disruption of extorting customers or reaching out to the customers of customers, trying to get, you know, one of the companies I use for data service gets compromised and they get my data, they’re reaching out to me to try to put additional pressure. So if you’re in the middle of a breach response and now your customers are calling and saying, hey, ransomware operator, talk to

19
00:05:54,926 –> 00:06:14,848
Andy Piazza: me. What are you doing about it? That puts a lot more pressure on that company in terms of extortion. Right. And are you also seeing more from a campaign planning perspective, adversarial use, maybe a DDoS attack coupled with the ransomware incident, or did I miss sort of interpret. No, I definitely think, I mean, if you, if you hear the shift in our language

20
00:06:14,864 –> 00:06:34,790
Andy Piazza: over the last few years, it used to be APT and cybercrime, but really we start now talking nation state and cybercrime because a lot of these cybercriminal goals, criminals, are advanced, persistent threats. Yep, absolutely. They are really. And some of them are proxies for foreign nations anyway. There’s, we’ve seen some overlap this year. We’ve had some interesting response reporting. We have a threat

21
00:06:34,830 –> 00:06:54,772
Andy Piazza: research article out from a few months ago where we believe that, you know, North Korea operated It looks like they operated in hand in hand with play ransomware group or there’s some overlap at least in their initial access brokers. So definitely seen some nation state overlap. But really just seeing you know, some of the techniques, what we call a group metal Libra most track is scattered spider because you know we

22
00:06:54,796 –> 00:07:14,676
Andy Piazza: need more names in the, in this space the way we’ve seen them operate in the networks. I mean they look almost like sysadmins, right? System administrators with, with their skills from a tooling perspective, you know. So that’s why I really want to talk about nation states. And cyber criminals really are in many cases can be apts as well. And even if they are more traditional ransomware

23
00:07:14,708 –> 00:07:34,578
Frank Cilluffo: gangs or cyber crime enterprises, many of them are provided safe haven in countries that we don’t, we lack extradition treaties with. And even if we did, they’re not coughing them up because they, they serve their interests. On occasion they do. But I will say, you know, attribution still does matter, right. We’ve, we’ve been able to impose some costs on threat actors regardless

24
00:07:34,594 –> 00:07:54,536
Andy Piazza: of where they operate from. We’ve had some really good wins in the last year or two. Right. With you know, law enforcement takedowns and disruptions. You know, you look at like lock bit, right. They’re nowhere near the top that they were in their prime. Not a lot of their folks were majorly, you know, arrested or going into countries where we could have interrupted with them. But law enforcement

25
00:07:54,568 –> 00:08:14,514
Andy Piazza: takedown and disruption of their systems have really taken them off the top of the totem pole from a cybercrime perspective. And do you see the ability to scale some of those activities? Because there are so many good examples of onesies and twosies including recouping ill gotten gains. But, but what I struggle with is that’s a one off

26
00:08:14,602 –> 00:08:34,338
Frank Cilluffo: sometimes. How do we scale that? Cause quite honestly, if we want to induce changes in behavior, we’re going to have to raise the calculus to the adversary. I mean honestly I think probably fits better into Daniel’s category of policy. I think we’ve seen the increase in law enforcement

27
00:08:34,434 –> 00:08:54,374
Andy Piazza: disruptions and indictments and stuff as we wins that are snowballing and getting the law enforcement community and the legal community realizing that they can get some easy wins out of this. I mean we from a vendor perspective, I know my partners across a number of companies, we share information with, with host, you know, law enforcement, a number of countries. We’re happy to

28
00:08:54,462 –> 00:09:13,264
Andy Piazza: try to interrupt those operations. We just need, we have the data, we have the visibility, we need the law enforcement partners and the legal partners too. Right. I know plenty of law enforcement are happy to go put cuffs, but they also need the lawyers and attorney generals behind them to go go give them the authority. So as we see more wins, I think we’ll get more policy support for those types of

29
00:09:13,272 –> 00:09:33,072
Andy Piazza: takedowns. And we’re going to pull in the policy discussion in a second. But you mentioned dprk, you mentioned North Korea. And one of the findings that I also found quite interesting was the greater use of insider threats. And when you look at it, obviously the insider threat is always going to be at the very top of the

30
00:09:33,096 –> 00:09:52,704
Frank Cilluffo: list in terms of causing harm. And from the US perspective, whether Edward Snowden or insider threats are always going to be big issues. But what findings did he find on the North Korea case? So the North Korea stuff is really interesting. Is it human enabled cyber or is it vice versa or both? Yeah, it’s an interesting mix. Right. We’re seeing. So my team’s been tracking what we call Contagious

31
00:09:52,752 –> 00:10:12,670
Andy Piazza: Interview and Wage Mole to their major campaigns. Wage Mole is where they’re getting the IT workers embedded into companies. Contagious Interviews where they’re targeting IT workers and trying to infect them. Both those campaigns have been going on for a year plus now. Pretty sophisticated too. I mean LinkedIn and well know what. Stands out to me is you think about previous North Korea campaigns other than them going

32
00:10:12,710 –> 00:10:31,906
Andy Piazza: after kind of the crypto markets, you think they still do, right? They’re still going after those guys. But you think of the previous campaigns, you think of like the big fire in the pan splash, right? Like the Sony’s, the Swift Breach. One big moment, not a long persistent campaign. And with Wagemo and Contagious Interview, we’ve been like I said, the same campaigns for a year plus. And in the case of Wage

33
00:10:31,938 –> 00:10:51,746
Andy Piazza: Mole, we’re seeing that’s again, that’s where they’re getting their employees hired as either contractors or IT staff. Within companies we’re seeing whether it’s Americans or Europeans, depending which country we see them operating, we’re seeing internal employees enabling their operations, enabling multi factor authentication pushes when they need to get the additional codes, or doing physical touches

34
00:10:51,778 –> 00:11:11,720
Andy Piazza: on Yubikeys, those types of things. We also saw them installing keyboard management devices, KVM’s keyboard video and mice devices physically into infrastructure on the back of computers. What’s scary there is those devices have remote access through WI Fi or cellular, which means all of the command and control that we’re seeing going to that

35
00:11:11,760 –> 00:11:31,364
Andy Piazza: network is not going through that enterprise’s security stack that the only tools now is anything that’s on the endpoint. So if they don’t have an XDR EDR type solution, they’re only relying on network security. All of those commands, all that xfill is going across a network that no one else can see. And to transition to a little bit of the discussion, I always thought of North Korea. So traditionally

36
00:11:31,412 –> 00:11:51,300
Frank Cilluffo: organized crime, criminals try to penetrate the state and influence the state. In North Korea’s case, it’s sort of the inverse. It’s the state penetrating organized crime. And they’ve done it pretty sophisticatedly for a country. If you look at midnight and get a satellite shot between the south and the north, one’s lit up like a

37
00:11:51,340 –> 00:12:11,316
Frank Cilluffo: Christmas tree, the other pretty damn dark. So in a way, they’re doing some interesting work. So let’s transition a little bit into the policy discussion. But before I do that, I want both of your thoughts on. And you did capture this in the report, but sort of where AI? So we’ve had a gazillion discussions around

38
00:12:11,388 –> 00:12:31,100
Frank Cilluffo: artificial intelligence and the good, the bad, the ugly and the unknowns on this podcast and also in a lot of our events. But where do you see adversarial AI? Red versus blue? Where do we think this can change? And we’ll let Daniel jump in on some of this here. Yeah, for me, it’s the

39
00:12:31,140 –> 00:12:50,844
Andy Piazza: scalability of a campaign, and I hate naming victims, but this is basically the name of the breach at this point. But you think about the SolarWinds campaign. That backdoor was present, and we believe in thousands of organizations, but the threat actors really only able to operate against probably a dozen or so because they’re using human operators. At that point, we’re seeing both threat researchers

40
00:12:50,892 –> 00:13:10,768
Andy Piazza: and actual, you know, bad guys investing, investigating how to use AI. There was a, I believe it was the black Mamba malware family was written to replace the. Instead of the malware, it was the human operator doing the command and control with an AI bot. So when that malware checks in, it’s giving it additional commands. We think about, I’m no longer limited by how many humans

41
00:13:10,784 –> 00:13:30,612
Andy Piazza: I need to operate a thousand pieces of malware or a thousand infections across enterprises. We can, if we can scale that. And now I can have it collect data, do some lateral movement, do some exfiltration, and then do a kind of ChatGPT style summary of all the stolen documents, give me some bullet points. Now I can have one or two humans impact 1000 organizations.

42
00:13:30,676 –> 00:13:50,612
Andy Piazza: Read that output and Decide, okay, I do want to go dig into that spreadsheet or that database that we stole. That scale is something we haven’t seen before, but it’s definitely doable with the automation and the scalability of AI. And Daniel, let’s pull you in now. So before we get into sort of some of the good work you’ve done on policy priorities for the new

43
00:13:50,636 –> 00:14:10,448
Frank Cilluffo: administration. Administration, let’s dig into this AI discussion a little bit. Yeah, I appreciate that, Frank. So recognizing that we have to be eyes wide open and sober about the threat landscape and how adversaries are leveraging AI to increase the scale, speed and sophistication of attacks, as Andy just laid out, without hyperbole, as a company,

44
00:14:10,504 –> 00:14:29,782
Daniel Kroese: we truly believe that AI is going to be a game changer for cyber defense. It already is. And to illustrate that point, I think there’s a stat from the report we’re talking about that to me perhaps is underappreciated. And that is in 75% of IR cases, logs existed that would have alerted the

45
00:14:29,806 –> 00:14:49,704
Daniel Kroese: defender that something malicious was taking place. So you can either look at that as really frustrating or really encouraging statistic, depending if you’re a glass half fuller, glass half empty guy. I think it shows that we’re actually first in goal. To use a football analogy there, good work has been made by the industry to invest

46
00:14:49,792 –> 00:15:09,742
Daniel Kroese: in tooling and sensors to give us visibility, to give us logs that something malicious might be going on. So then it begs the question, well, what is the bottleneck? What is preventing that investment from yielding better cybersecurity outcomes? And it’s that we’re drowning in data. Those logs existed, we invested in the thing to get the log,

47
00:15:09,896 –> 00:15:29,730
Daniel Kroese: but we couldn’t find it or make sense of it before it was too late. And that really reinforces that. Better cyber defense is a data problem, which means it’s solvable. And what is the best way to solve a thorny large scale data problem? AI. And that’s probably a good segue to the policy conversation. But we can leverage AI

48
00:15:29,890 –> 00:15:49,610
Daniel Kroese: so that it is no longer that it is. 75% of IR cases have the logs. They won’t be an IR case because they would actually be able to identify it before it was too late. And that’s assuming the signal to noise that we are constantly updating what we plug into that learning model though,

49
00:15:49,650 –> 00:16:09,600
Frank Cilluffo: right? Absolutely. And to give you an example, obviously we are a commercial company and our goal is to innovate like crazy to stay ahead of the bad guys. When we have innovation that we think is world class. We want to test it on ourselves first, eat our own dog food. So we have an AI powered SoC called Xiam which ingests data from any

50
00:16:09,640 –> 00:16:29,572
Daniel Kroese: vendor you use across attack surfaces. So with the network, the cloud, the endpoint, attack, surface management tools, Identity beyond, it pulls it all together. So we started testing this out on our own environment. We ingest 59 billion security events a day across our own environment into that tool using AI

51
00:16:29,696 –> 00:16:49,420
Daniel Kroese: that is triaged down to one incident that requires human soc analysis. So you think about that upside down. The time savings there. I’m bad at math and I don’t want to put you on the spot, but that’s serious, right? Yeah. And it frees up people. I think our stats are, it’s essentially a 65 person full time equivalent savings.

52
00:16:49,580 –> 00:17:09,176
Daniel Kroese: Those people can be pushed to more proactive threat hunting. So no longer are analysts overworked and playing an inefficient game of alert whack a mole. They’re actually focusing on staying ahead of the threat. And so that’s a really encouraging stat. And it’s not hypothetical. That is happening today and that can happen for any other organization tomorrow. I think that’s

53
00:17:09,208 –> 00:17:28,700
Daniel Kroese: why we are ultimately cyber defense optimists. And I’m happy to hear that because I always pay attention when something bad happens. And unfortunately it’s a whole lot of the time. But we do need to start flipping the script, flipping the equation. And I do think AI could play a significant role in all of that.

54
00:17:29,080 –> 00:17:48,896
Frank Cilluffo: And this is not to get philosophical, but and certainly not to be the Chinese fortune cookie equivalent of that in 30 seconds. But the old thinking of endpoint solutions alone and moats and the like, that’s dead, isn’t it? So in a weird way, you still need to protect that

55
00:17:48,968 –> 00:18:08,632
Frank Cilluffo: by all means. You still need walls, you still need castles that need to be scaled, but it’s really about freeing up people to do the more proactive. We used to call it active cyber defense related matters. But is that fair? Precisely. And another stat in the report that stood out to me. Sort of like having linebackers, not just a line, right?

56
00:18:08,736 –> 00:18:28,672
Daniel Kroese: Exactly. Football analysis. Yeah. So we started with first and goal, and now we’re talking about layers of defense here. But 70% of attacks we observed had three or more attack surfaces that were leveraged. So not looking for one point of weakness. Network, cloud, endpoint and beyond. Multifaceted attack. Which just

57
00:18:28,696 –> 00:18:48,600
Daniel Kroese: means that your defense has to be multifaceted and you have to be able to ingest data points across all three of those layers in real time and have people do the more. The thornier, more analytical work, which will always exist. I mean, one of my lines is technology changes, human nature remains pretty darn consistent. Maslow’s hierarchy is going to

58
00:18:48,640 –> 00:19:08,616
Frank Cilluffo: always be, I think, in place in one way or another, but I do think leveraged. Right. We can at least balance it out a little bit. Let’s go to your priorities for the new administration. So we’ve done some work on that and dare I say, I forgot to tee up in the intro. You’re one of our newest senior fellows, so we’re thrilled to be able to draw

59
00:19:08,648 –> 00:19:28,322
Frank Cilluffo: on some of your work there, Daniel. But what were your big takeaways? Recommendation number one. And this is a recommendation that we provide to any interested audience right now, not just the Trump administration, national security officials as they’ve come in, but we’ve had, of course, productive conversations with them. Recommendation number one, and it sounds self evident, but I like to triple

60
00:19:28,386 –> 00:19:48,136
Daniel Kroese: underline this one. It is time to focus on cybersecurity outcomes, measurable cybersecurity outcomes. That sounds obvious and self evident, but it is really easy in the cyber industry to fall into an impression put trap. We know the threat landscape is scary. Andy and his team and his colleagues at other companies, they do great work rooting

61
00:19:48,168 –> 00:20:08,102
Daniel Kroese: out all sorts of scary things about the backdrop. And so as a result, what do we do? Well intended efforts across government and industry, new requirements, new funding streams to deploy this thing or deploy that thing. And so we’ve gotten really good at well intended and incrementally helpful efforts to invest in

62
00:20:08,126 –> 00:20:27,990
Daniel Kroese: cyber defense and create new requirements for tooling and sensors. Sort of the final frontier is are those making us safer? How do we know that that investment and deployment is actually making us safer? So bring in a little bit of science to the art. Yeah. And there are exactly and there are two terms that as a or two metrics, as a company

63
00:20:28,110 –> 00:20:47,992
Daniel Kroese: that we really care about and what we like about these is you could explain them to anyone who’s not technical and Andy mentioned these earlier. Mean time to detect and mean time to respond. MTTD and mttr. Those terms describe exactly what you think. They describe how long does it take an organization to detect something might

64
00:20:48,016 –> 00:21:07,916
Daniel Kroese: be anomalous and then how long does it take for you to fully respond and recover from that? We have found historically, organizations on average take 6 days to respond to a cyber incident. When adversaries are now exfiltrating data in hours, we can actually have real time statistics around mean Time to detect

65
00:21:07,948 –> 00:21:27,842
Daniel Kroese: and mean time to respond. So in that recommendations, one of them we put out there, the President of the United States should be able to walk into the White House situation room and for every federal agency see a real time stat on that. What is our detection and response time? That is a huge departure from helpful, well intended previous efforts that, that produce sort of annual

66
00:21:27,906 –> 00:21:47,362
Daniel Kroese: scorecardy type things. But we have the data to have real time accountability for how nimble we are in our cyber defense and then have oversight and investment to improve those metrics. So pulling on that thread a little bit, and this is an item you and I have had many discussions over the years on, is how do we translate sort of

67
00:21:47,546 –> 00:22:06,760
Frank Cilluffo: so government can look at its own networks and whether it’s CISA or others, in terms of looking at the the civilian.gov networks industry, their own. But it’s the magic between the two. Translating the nouns into verbs around public private partnership. Yes, no, yes, absolutely.

68
00:22:07,100 –> 00:22:26,772
Daniel Kroese: But the good news is there’s a lot of what we’re seeing across attack surfaces. You can anonymize who the entity is, it is what are the vulnerabilities are you seeing whether it’s an electric utility, a state and local government, or a federal agency, what are the digital doors that remain open that we need to close? So how can

69
00:22:26,796 –> 00:22:46,468
Daniel Kroese: we take that global view and then understand from a risk management perspective, where’s the best bang for the buck? I’m glad you brought up managing risk because especially when we’re looking at OT environments blending very quickly with it and the broader IIoT sets of issues. I mean, at the end of the day it is about

70
00:22:46,524 –> 00:23:06,400
Frank Cilluffo: managing risk, right? I mean, I don’t think maybe you guys have some real magic bullets there, but we’re never going to be in a position where we can say we can protect everything, everywhere, all the time, from every perpetrator and every modality of attack. Right. So it’s about managing risk, battening down the items that are most essential to

71
00:23:06,440 –> 00:23:26,412
Frank Cilluffo: one’s company, country, agency, whatever the metric is. Is that still the way to think about this? Well, I talk about it a lot now. If you were to start a business today, you would never have on premises, servers or any of that. Everything’s going to be in the cloud, right? Yep. You’re going to give, probably even do bring your

72
00:23:26,436 –> 00:23:45,884
Andy Piazza: own device for the first few years to save some money. Your folks are going to use their own computers and think about that attack service now. Right. You’ve got a bunch of different OS versions and out of date patches and all of that going on in your environment. And you’ve got cloud visibility. I’ve been involved in cloud breaches in the past where it was like software as a service where you get

73
00:23:45,892 –> 00:24:04,684
Andy Piazza: the notification as a client and they’re like, hey, as a, not as an individual, but as a paying, you know, company, you get that notification and you’re like, oh, that’s important to us. Can you give us the logs? And it takes two, three weeks for them to carve out the logs for, for your section. Like in a startup company, first five, 10 years, they’re not going to care about security or not

74
00:24:04,692 –> 00:24:24,644
Andy Piazza: going to prioritize it over everything else. Right. So we’re talking, I think generally we talk about security best practices. We’re really talking about that kind of top 1% of businesses. Most aren’t even able to really understand where their risk and threat landscape is yet. And as a startup, you’re literally prioritizing getting a business up and running. Security is still going to be

75
00:24:24,652 –> 00:24:44,614
Frank Cilluffo: an afterthought, even if you did want to do everything right, because you just can’t afford it. Customers and salaries first, right? Absolutely. Daniel, you touched on the cloud and I will ask you whether or not it should be designated critical infrastructure sector, but that’s a sidebar conversation. But you did mention the cloud in your priorities for the Trump administration as well. Yeah, there’s a

76
00:24:44,622 –> 00:25:04,598
Daniel Kroese: huge cloud migration going on as workloads transition to the cloud for many of the reasons that Andy talked about. It’s more scalable, it’s more cost efficient, it’s more nimble. If you’re a startup, it’s the way that your storage and compute can be dialed up in your garage on day one. That’s a good trend. I think Gartner estimates that, you know. And it pushes it to,

77
00:25:04,734 –> 00:25:24,734
Frank Cilluffo: it pushes the responsibility out of the hands of the individual to others who ostensibly have the wherewithal to protect. Right. I mean, just from a conceptual standpoint. Yeah, absolutely. And you know, I think Gartner estimates that by 2027 or 2028, close to 80% of workloads will be cloud based. So this, this migration is happening. A key feature of

78
00:25:24,742 –> 00:25:44,730
Daniel Kroese: that migration that’s often lost. We’re not just going through cloud migration, we’re doing a multi cloud migration, particularly at the federal level. You’re seeing a lot of efforts at large agencies where they’re not using just one hyperscale csp. They’re sort of the split the baby. You know, let’s, let’s have multiple options, dynamic. And so asset visibility from

79
00:25:44,770 –> 00:26:04,458
Daniel Kroese: a risk management standpoint has always been a challenge. We frequently find that organizations have double the number of assets touching the public facing Internet than they thought they had. And that’s not even including bring your own device to work as we talked earlier, Right? Correct. And then the dynamic nature of cloud, how IP ranges can be spun up or spun down, that just further challenges

80
00:26:04,554 –> 00:26:24,352
Daniel Kroese: the asset visibility issues with cloud security. And then you throw on top, well, maybe it’s not just one cloud, maybe you’re a multi cloud and it’s three or four. So it really comes down to visibility. You can’t protect what you can’t see. And so one of the recommendations in the blog that you referenced is like, let’s embrace the cloud migration and multi cloud migration, but

81
00:26:24,376 –> 00:26:44,042
Daniel Kroese: don’t forget about cross cutting security. You have to have the ability to have visibility across all of your cloud workloads, both visibility and then operational control from a posture management, a runtime security perspective. And that visibility is essential. And that brings up the big supply chain set of

82
00:26:44,066 –> 00:27:03,972
Frank Cilluffo: questions we’re all struggling with. Maybe I’m wrong, but this is years ago that I led an effort for the government, we didn’t have visibility. Is that getting better? Depends. The classic infosec answer. It depends. I mean one of the stats from the report that stood out to me for our incident response report is 70% of the incidents we

83
00:27:03,996 –> 00:27:23,892
Andy Piazza: saw targeted three or more of the attack surfaces of the customer. Whether that’s endpoint, their network infrastructure, their cloud infrastructure, or as we Talked about with DPRK, having humans involved. 70% of the cases just really strikes home, like how complex that threat landscape. Or they did surveillance on all of them and waited till they hit the button. Right. And then you talk about, you know, moving stuff out

84
00:27:23,916 –> 00:27:43,616
Andy Piazza: to the cloud. We see a lot of exfiltration in the cloud. No enterprise in their right mind is going to block cloud IP space by default. Right. Because they don’t want to interrupt business operations. So with threat actors, again, it’s almost a form of living off the land using cloud sync tools and using cloud environments to exfiltrate data. They happen to own that cloud instance instead of the Defender. But the SOC

85
00:27:43,688 –> 00:28:03,264
Andy Piazza: doesn’t necessarily have that visibility or the speed and that visibility and asset management gets a lot harder. When you know, the old days we just dropped agents on endpoints and slowed them down with all the agents. Now we’re talking about not knowing when a new cloud instance stood up or I’ve seen companies where business units Got new software as a service, didn’t go through it. So it definitely didn’t go through the

86
00:28:03,272 –> 00:28:22,850
Andy Piazza: society. You find out because you had a breach that oh by the way we had a bunch of data up in this partners network. Daniel, anything to add to that in. The incident response report? Just to further footstep that point. 40% of cloud incidents were because there was unmanaged cloud assets that were out

87
00:28:22,890 –> 00:28:42,752
Daniel Kroese: there. And so that’s again that’s one of those sort of frustrating or encouraging because it’s fixable stats where 40% of cloud incidents it was an incident because he didn’t even know you had a thing to protect. That’s where the. So if you can just create that visibility now you’re all of a sudden in the game. From a defense standpoint, you can’t secure what you can’t see. And from a government policy

88
00:28:42,856 –> 00:29:02,628
Frank Cilluffo: standpoint, a lot of talk on SBoM software, billing management, all good concepts but it’s largely an analog solution to a digital problem, isn’t it? Because there’s so many parts and parts and parts. I’m reminded of the old parts is parts. The old Wendy’s commercial. But at the end of the

89
00:29:02,744 –> 00:29:22,380
Frank Cilluffo: it it’s hard. It’s hard because I just don’t know if that’s what most companies are thinking. So before they call a Palo Alto networks they do have to start doing some of their own understanding their own environment. Right. So I think the S BOMs really help in a traditional supply chain attack or

90
00:29:22,420 –> 00:29:39,654
Andy Piazza: compromise. We were Talking about the log 4js where, where some type of piece of software got compromised. You know, environments I was in, I was a government contractor at the time. When All4J came out it took us some weeks to figure out which pieces of software had it in there. Yep. So at a minimum that’s going to help us drive down our response time. Right. That mttr. Right. If we call that

91
00:29:39,662 –> 00:29:59,550
Andy Piazza: a key key KPI. Right. Key performance indicator. That response time is huge. I was at another organization when SolarWinds happened. It took us two weeks just to identify all of our SolarWinds servers. A third week quicker than most. Well, I’m telling you, I’m not sure. They still third week to identify that we weren’t and I’ll put this in quotes, impacted. But if you’re on an

92
00:29:59,590 –> 00:30:18,862
Andy Piazza: IR bridge for three weeks straight, even though you weren’t infected, you’re still impacted. We still spent the same amount of time and money. Right. So I do think S boms can help drive that down and I would. Agree with that and they’re well intended but it’s not the panacea in any way, shape or form. Or is it? Maybe I’m missing something. I think, I think identity. If you, if you could only

93
00:30:18,886 –> 00:30:38,672
Andy Piazza: invest in one thing, it would be identity protection. Enforce multi factor authentication for administrators. You know, do identity access reviews. You look at the way we used to control back when it was just simple, right? Quote unquote simple. Active directory and domain controllers, you know, our domain admins, that’s usually if you’re in a smart situation, they had

94
00:30:38,696 –> 00:30:54,944
Andy Piazza: separate login credentials for the domain admin accounts and the domain controller. And we literally had envelopes for the SoC that said break glass and we would lock them in a safe. And that was how the IR team could get become a domain admin. If they were in the middle of an IR case. We went to the cloud. We’re seeing a lot of over privileged accounts. One because we’re just trying to get

95
00:30:54,952 –> 00:31:14,480
Andy Piazza: the cloud to work as we’re migrating. How we do identity management in one cloud provider is a lot different than the other. And we’ll just see that the administrators for the cloud will have all the permissions they need on their regular account. Which means if I pop that single user’s account now I have their admin too. We need to be looking at policies where we say just like we used to do

96
00:31:14,520 –> 00:31:34,174
Andy Piazza: on Prem, if you’re an administrator using a cloud service, you should have a separate account with separate credentials with multi factor authentication in place, separate than what you use as a user. You know, you’re preaching my gospel there. I really do like the idea because at the end of the day, even if you can’t prevent everything, you can be resilient. But to do that you need to, you need the

97
00:31:34,182 –> 00:31:53,780
Frank Cilluffo: identity management tools in place. So Daniel, anything to add on that? I think that also plays into, you know, post SolarWinds Zero Trust, there was a lot of effort in the federal government around that and some initial zero trust deadlines were hit September 30th of last year. But, but that’s a never ending journey. The idea that you’re going to have

98
00:31:53,900 –> 00:32:13,604
Daniel Kroese: continuous inspection and continuous trust verification across all assets, all users, all domains, all applications, all locations. That trust but verify principle, that’s a never ending journey. It’s not just one widget you buy. You did have a concrete recommendation around that zero trust through the lens

99
00:32:13,652 –> 00:32:33,350
Frank Cilluffo: of Volt Typhoon, did you not? Yeah, I think there’s an analog that potentially we could latch onto as a community post Solar Winds, Russian apt, they breached as has been publicly reported I believe nine government agencies. That was obviously a concerning moment. I think to many more concerning was the fact that they sat undetected for another nine or ten months after

100
00:32:33,390 –> 00:32:53,364
Daniel Kroese: that. Yep. And so the response to that was to or one of the aspects of the response was to implement federal zero trust strategy which makes a lot of sense. You need layered defense in response to a compromise like that. You know, in response to salt typhoon. I do think there is an opportunity and there’s no one silver bullet, but there is an opportunity to work with a lot

101
00:32:53,372 –> 00:33:13,140
Daniel Kroese: of the providers of how can we marshal a similar zero trust effort across our telecommunications infrastructure. And of course work is already going there. No one’s starting from scratch because this is just a never ending maturation process. But I do kind of think there is an analog SolarWinds zero trust federal networks, salt typhoon, zero

102
00:33:13,180 –> 00:33:33,092
Daniel Kroese: trust maturation across some of our telecommunications backbone and, and. You bringing up salt and in essence the computer network exploit and espionage. I mean most people would have thought the telcos and they would have let you thought that they’re pretty buttoned down. Was that surprising to you? Well, it doesn’t surprise me because

103
00:33:33,116 –> 00:33:52,814
Frank Cilluffo: everyone. I do think they take it seriously. Like these are serious companies with smart people who have invested a lot in security. So you know, I don’t think it would be appropriate to you know, somehow say that they, you know, starting from scratch or haven’t given due consideration. I just think as a community we always have these moments where you sort of take re inventory and how do you best, how do

104
00:33:52,822 –> 00:34:11,750
Daniel Kroese: you best optimize your security posture and response? And zero trust I think, I think is a place there where we perhaps can double down. And you think it will marshal and mobilize the community to get to outcomes we’re hoping for. I do, I hope so. With every crisis is opportunity and I think that that could be the case here.

105
00:34:12,690 –> 00:34:32,426
Frank Cilluffo: And to differentiate sort of salt from volt from flax from silk, I mean all these typhoons, each one of them is a pretty darn bad day. Collectively it’s a pretty perfect storm. No? Yeah, well, I think it really drives home too as we’ve seen with the salt typhoon, at least the activity that we’re aware of. Again, Microsoft hasn’t published anything that definitively

106
00:34:32,458 –> 00:34:50,644
Andy Piazza: said this is their model. So we’ve attributed some activity to Chinese groups that we believe is probably likely salt typhoon. But without knowing what Microsoft saw first from a technical perspective, we can’t actually say. So you are Using their one to one. You are, you are going with the Typhoon. We have our own. But I will stick with the Typhoons for the ease of the listeners so they don’t have to pull

107
00:34:50,652 –> 00:35:10,606
Andy Piazza: up the Rosetta stone. What is yours? Oh, no, that’s okay. Don’t quiz me. That’s okay. But, but what we saw with the some breaches that were likely Salt Typhoon, if we had a model to compare it to, was the abuse of living off the land, using tools that were already there, using normal protocols of system administrators and using identities that they had compromised.

108
00:35:10,718 –> 00:35:29,500
Andy Piazza: Again, those are not things that SOC alerts. Right. You’re not seeing malware necessarily, although, you know, Chinese groups have plenty of their own malware. Plus they use quite a bit of a mix of publicly available malware. What we saw with Salt Typhoon, specific investigations that we believe that we were on, you know, they were being

109
00:35:30,280 –> 00:35:49,744
Andy Piazza: unnecessarily quiet, but blending in with normal tools and ttps of a system administrator. Right. Again, it makes it really, really hard. You really have to know what normal looks like and you have to have dedicated hunters who are looking for that. If you don’t. If we’re able to free up folks with clearing out any alerts with AI that you’ve only got one alert a day, it means your SoC can go hunt.

110
00:35:49,872 –> 00:36:09,774
Andy Piazza: They can really learn what your environment’s supposed to be doing. And you say, you know, hey, that’s weird. I’ve got two servers talking to each other in an interactive session. That should stand out. But that means you have to have humans going look for that to stand out. And you don’t want to get complacent either because the adversary has a vote in this. They could be a couple steps further. Daniel, how

111
00:36:09,782 –> 00:36:29,640
Frank Cilluffo: would you rack and stack the threat environment right now? Nation state actor apts now I think are equivalent to where the big four were two years ago, actually in terms of some of the criminal organizations. But when you look at the last few years, you’ve seen a combination of operational disruption, which our

112
00:36:29,680 –> 00:36:49,592
Daniel Kroese: report highlights is increasing in intensity. And then you’ve also seen an escalation of what you might think of as more traditional espionage in terms of trying to sit undetected and steal IP and government information and things like that. And so when you marry that together, I think that requires all hands on deck effort. Right. There’s no

113
00:36:49,616 –> 00:37:09,342
Daniel Kroese: ability to, to sit quietly and declare victory there. It requires an evolved approach because incrementalism is not going to stay ahead of that reality. When you’ve got a combination of escalating operational disruption and escalating espionage efforts. Incrementalism isn’t going to work. Not to just

114
00:37:09,446 –> 00:37:29,354
Daniel Kroese: finish off with the buzzword here, but that is why we do think AI is a game changer there, because we have to automate absolutely as much as we can so the really smart people can go hunt for the new novel thing as Andy was talking about. Freed up. Gentlemen, what questions didn’t I ask that I should have? I like the last question. I wanted to

115
00:37:29,362 –> 00:37:49,034
Andy Piazza: hit on that, actually. The kind of where do I rack and stack? I will say, depending obviously on which customer you’re talking to. If you’re talking to the federal government, you know, the nation states are obviously always matter for them. But let’s be honest, we always talk about nation states or even, you know, cybercriminals stealing data. They don’t steal data, they copy it. If they stole data, we would have taken that

116
00:37:49,042 –> 00:38:08,934
Andy Piazza: seriously a long time ago ago because you wouldn’t have had access to your data anymore. They’re copying it, right. So I trying to kill the term steel data. They’re copying it. So it’s a pretty low impact in the short term ransomware, but ransomware, they’re actually real impact on businesses. You know, not just, you know, disruption, but financial impact on businesses.

117
00:38:08,982 –> 00:38:28,852
Andy Piazza: Right. It’s a billion dollar enterprise at this point when you start adding up all of the different groups that are at play. So I say to 99% of organizations I talk to, they need to be looking at cybercrime long before they get nation states. Right. When? Few years ago, when, when Russia crossed the border in Ukraine, every client wanted a threat briefing on what Russia was doing and the impact of

118
00:38:28,876 –> 00:38:48,802
Andy Piazza: them. And I’m like, you need to be worried about ransomware. You’re looking at the wrong. Unless you’re a critical infrastructure owner, operator. Know your threat model, we talk about. Yeah, good, good. Know your threat model. Yeah. And I think having an honest conversation about what are we most likely to see and what’s most likely to have the impact in the next few

119
00:38:48,826 –> 00:39:08,078
Andy Piazza: years, it’s going to be, you know, criminal and even ransomware operators is a hard term now since we’ve seen a lot of them move to just pure extortion without actual encryption. But you need to be looking at those cyber criminals and how are they getting in, stealing your data or copying your data and then extorting you for it. Awesome. Daniel? What questions? Didn’t I ask that I should? I mean, not to

120
00:39:08,134 –> 00:39:27,614
Daniel Kroese: turn the tables. I was hoping for a March Madness prediction. Auburn all the way, man. There’s no, no, no guessing on that one. So we got to get through SEC tournament first, though. Who, who, who? What about you? I’m a University of Washington Huskies fan, for better or worse, so, you know, we had a trial first year in the Big Ten, so we’ll reset and recoup.

121
00:39:27,742 –> 00:39:47,738
Frank Cilluffo: Roger that. Well, it’s going to be. They call it March Madness for a reason, so I don’t have a crystal ball here, and if I did, I’d be betting. Gentlemen, thank you for spending so much time with us today. Thank you for all the work you do every day and appreciate it. So thank you both. Thank you. Thanks,

122
00:39:47,754 –> 00:40:07,636
Daniel Kroese: Frank. Awesome. Thank you for joining us for this episode of Cyberfocus. If you liked what you heard, please consider subscribing your ratings and reviews. Help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and

123
00:40:07,708 –> 00:40:08,340
Frank Cilluffo: stay curious.

Related Content