>>Okay, welcome everyone to the cube conversation here in Palo Alto, California. I'm John furrier, host of the cube. Got a great guest, Brian Gallagin manager of security and operations at Brookfield properties in the middle of all the sites, CSO action, a lot of security, a lot of operations to secure his environ. Brian, great to come on with you. Appreciate it. >>Thanks John. >>So talk about Brookfield properties. What's your environment look like you're in the middle of the security operations piece of it. You've got a great implementation. You got Armas doing some device management work. We've talked about that in the segment there, but broader speaking, what's your environment look like? What are some of the challenges? What's the scope and scale of the security that you're trying to manage? >>Yeah. Brookfield properties owns it's an asset management company and it owns real estate of all kinds. And we're current, we're constantly buying and selling assets. So the biggest challenge is finding out when we acquire company, what is actually in that environment and how quickly can we actually spin up our policies and protection capabilities in, in those areas? So I think uniquely from our perspective, it's a, a lot about finding what, what has been installed over the last decade, what what's secure, what's not secure, what follows our policies. And then what do we do to actually lock those down? Do, can we use the existing hardware that's in place? So we don't have to buy something new and we can use Armas policies to dictate that, or is it something that needs to be potentially removed? Because it is that critical vulnerability. There's something out there being used in the wild that we might actually have to purge that from our >>Environment, you know, facilities and companies you guys bought, and you're buying companies, you're buying assets, you're buying a lot of internet of things. You've got it, environments, you know, all kinds of challenges from, you know, identity, access management to, you know, what's connecting to your wifi networks all over the place. You got a diverse set of things. And one of the challenges in cyber right now is if you're just behind a little bit, you're gonna be vulnerable. I'm not talking about antiquated old, outdated. It we're talking about like getting it up to speed. If you're just a little bit behind you're behind the hackers and the bad guys. So the, the, the constant, you know, bar raising required is a huge challenge. What's your reaction to that? Can you scope the, the scale of this opportunity and challenge? >>Yeah, so you're, you're absolutely right. It's not only are the vulnerabilities changing, but again, our landscapes constantly changing. So being able to try to keep up with that velocity is, is a challenge with our current tool set. So when we actually onboarded with Armas about a year and a half ago, that's one of those things that we were con we were instantly given the ability to increase our visibility past our normal areas, which typically was, was our firewalls. Now we're able to see beyond the firewalls, to the switch level on, on the access points themselves a lot, a lot of guest traffic. I think we talked about in the previous segment, there's a lot of guest traffic on there trying to figure out who's doing what, and are they following the policies that are there. It also gives us the ability to double check our configurations that we have out there. We assume that we're, we're correct. And we do, you know, our annual pen test that we do, but that's something that's not necessarily enough. We, we, one at one once a year, checkin is not enough to be able to prove that the configurations we have is keeping us secure in the way that we think that, that, that we are. >>Yeah. I love the fact that you got the engineering and your title because engineering, the solutions is almost on a, a constant cadence. You have to have the re-engineering and the refactoring of the, of the, of the technology to match in as the changing landscape comes in, whether it's just physical access or more, more devices coming on the network, do you worry about like ransomware and inheriting previous environments, and, and you mentioned earlier locking things down. That's one step, what's your, what's your posture on all this? >>That that's a hundred percent. The biggest, the biggest problem is, is making sure, especially with ransomware we've, we've seen it before, making sure that when we buy an asset, that they have the capabilities to detect deter and potentially clean up in, in, in those circumstances of, of a, like a ransomware malware attack and that kind of stuff. So it's, it's definitely a, a huge concern of ours. So what we, what we're able to do now with Armas is once we buy that company, before we integrate their services with everything else that we have, we're able to actually have that kind of grace period, where they still are functioning a little bit more autonomously and not hooked into our network. We can do that due diligence that maybe we couldn't do prepurchase to see what's actually out there what's vulnerable. What needs to get changed day one, what needs to get changed six months from now, and what can maybe wait a whole sales cycle of two to three years to actually change >>Out? Yeah, Brian, you hit a really hot topic. That's not talked about much in the press or in the media. And that is, is that a lot of MNA, mergers and acquisitions happen, and there's actually ransomware waiting in the wings to actually lock that down pre post acquisition, then ransom on that asset. And so there's not a lot of due diligence or options to say, Hey, you know, make sure you make sure that they're ransomware free prior to the acquisition, not get stuck with an asset and saying that code's gone, or we are, you know, being held hostage. And this is a huge issue. >>It it's, it's all about trust by verify. You know, also like, you know, we're, we're doing surveys with these guys. We're, we're sitting down with the it teams that end up being our partners. And it it's about figuring out what, what have they done and what, what can you actually transition to? Like, maybe there's some gaps here. Maybe there's some improvements we can do. The, the other, the other key piece is making sure that our, our security tools are out there. So we, if we have an expectation that our security tools are on there before we grant them access to the greater Brookfield network, we're able to do compliance checks on things like that. Obviously vulnerability is another one that we actually haven't gotten too far into, but it's another one of those things where we can actually do compliance checks on here's the CVEs that are out there that we wanna make sure that you meet a minimum bar that you have defense against that. Or if you have devices out there that are banned per, per our policy, we're able to do those checks prior to granting greater visibility to the rest of the network. >>Yeah. You know, there's a lot of industry hype around certain things. We have a con congested market of people trying to sell you stuff right. And gonna really empathize with you there. And, you know, there's a big discussion endpoint protection. And then, you know, you mentioned trust and verify earlier, you know, there's kind of this confluence of zero trust, which kind of comes from me like no perimeter. So we gotta have a word that says zero trust. I get that. And then we look at like security supply chain in software, say open source, the word trust is coming out more and more. So, you know, what is it? Is it more trust or zero trust, trust and verified. So you're starting to see this confluence of, of posture. What's your reaction to this, this, these conversations, because I can see where you want to have trust, cuz you're moving across multiple access systems. I can see zero trust cuz trust and verify. What's your take on that? >>Yeah, I'm I, I think as a security professional, I think most of us I wanna say are in that trust, but verify boat definitely closer to the zero trust where we wanna make sure that we, we have a whole list of good policies out there. But if there's nothing to back it up, there's nothing to double check it. There's nothing to verify that you're, you're basically just hoping that it was done correctly. So that's, that's one of those things that is, is definitely huge. I think on our side is we, we trust our, our friends in it to do the right thing. We trust our customers on the business side to do the right thing. That's, that's huge for us, but having the tools to be able to say, are we actually good again without having an incident or having our pen test or pen test friends find it. That's one of those things where we don't have a lot of tools to do that. And like you said, people are always trying to sell you those tools. So being able to transition to something like ouris where we've actually seen the value right off the bat in being able to have that confidence raised that the risks that we've identified are the risks that are out there is, is huge for us. >>You know, as, as physical assets change, you, you acquire more territory, more companies, topologies change, software changes in the cloud with more iteration. I mean, you could have an always on pen test model, right? You gotta have pen test. You gotta have the slack reports. This is a challenge to move across environments. I wanna get your thoughts on the identity and access management. And the big cloud players are doing the same thing you got Amazon's Amazon, it's different from Azure and you got on-premises. So, you know, inter access. Management's great if you have an environment, but interoperability is a conversation that's happening a lot. What's your view on this because everything is changing, but you wanna lock it down and not restrict the growth and the evolution of change. What's your, what's your reaction to that? >>Yeah. With our, with our main identity management platform, that's actually freed us up to be able to give cross access access to employees that we have that maybe do work in multiple systems, or there's an application that's purchased by one group that is not purchased by another group instead of creating a whole new contract for that, we were, we're actually able to utilize that one system to be able to grant access to things that you otherwise wouldn't have. So I, I think having that in our business model where we are very segmented from an it perspective, we have multiple infrastructure teams. We have multiple development teams, multiple infrastructure or multiple networking teams. Being able to have that collaboration where you can share information a little bit better. It has been huge for us. And then from a security perspective, privilege access management, making sure that we can lock down special access, special permissions applications that shouldn't be used at certain times of the day, certain locations, whatever it might be is, is huge for us. And, and we definitely partner with, with all of our, our vendors for that very closely, for the reason that that's where a lot of these breaches happen, where one account gets hit and that that account has more privileges than it should. That's something that keeps us up at night. And again, our, our vendors that we use for identity management, our, our key partners of ours for that >>All great, great insight there, Brian, I really appreciate that final question for you. You know, as a makeup for people who are insecurity, it's kinda like sports, you know, you want to have an athlete that knows the game, you're playing football. You better know the game, you're playing baseball. You gotta know the game you're in. And cyber's one of those games it's got, got a lot going on. What is the, what is the ideal candidate coming outta school or profile? I mean, if you got a quarterback, they gotta throw the ball. They gotta have agility. If you're running back, you gotta have skills. What does the, the tech athlete look like? If you look at a person you're looking at hiring, what does that person look like? What's the makeup of their skillset. Can you share cuz there's not a lot of degrees out there for cyber. You gotta kind of learn it. It's evolving and it's a huge opportunity. What's your take. >>Yeah. And, and I would even say, you know, beyond somebody coming outta the school, somebody transitioning into the field too practical experience is key. And obviously you can't get your foot in the door before you actually have the opportunity to do that. So what are some things that you can do on your own? There are plenty of resources out there that actually give you tutorials on how to do, hacking how to do directory traversal, how to, how to do some of those small things that you can set up a lab, or maybe even there's a virtual lab that's hosted via. There's a, there's a free platforms out there that you can actually do this where you're doing virtual capture the flags. And you're able to post that. I've seen that on a couple resumes. I haven't seen it on a whole lot, but that shows that like not only do you know, you, you know, your fundamentals of it, but now you also understand the mindset of what a hacker is and whether you're gonna be blue team red team or purple team, being able to understand what a hacker can do is huge. >>So my CSO and I have had plenty of conversations where if we see any sort of practical experience, any hacking experience, any technical experience, that's gonna Trump, a lot of the other certifications that you can get. Yeah. Resumes these days. It's, it's a lot of cert chasers. And from our perspective, like that's, that's not as important. It's great to see the, the effort and, and the desire to up your game via certifications, but being able to show practical experience even on these free websites and being able to kind of link your profile to, to that is, is huge. And it's one of those things that's, you're not necessarily gonna get from a, a, you know, cybersecurity 1 0 1 class. You may actually have to go out and find some of those materials. >>Yeah. And then get, you know, you gotta get in, in the flow, so to speak and, and again, thinking like you gotta think like the enemy to beat the enemy. >>Exactly. >>Right. Brian Galligan, thanks for coming on the cube. Really appreciate your insight manager of security and operations engineering at Brookfield properties, man, you're in the center. We got a lot of things going on. You guys doing a great job. Thanks for sharing your, your insights here in the cube. I really appreciate it. >>Thanks, John. >>Okay. This is a cube conversation. I'm Jennifer with the cube. Thanks for watching.