(upbeat music) >> Welcome everybody to VeeamON 2021 you're watching theCUBE. My name is Dave Villante. You know in 2020 cyber adversaries they seize the opportunity to really up their game and target workers from home and digital supply chains. It's become increasingly clear to observers that we're entering a new era of cyber threats where infiltrating companies via so-called Island Hopping and stealthily living off the land meaning they're using your own tools and infrastructure to steal your data. So they're not signaling with new tools that they're in there. It's becoming the norm for sophisticated hacks. Moreover, these well-funded and really sophisticated criminals and nation States are aggressively retaliating against incident responses. In other words, when you go to fix the problem they're not leaving the premises they're rather they're tightening the vice on victims by holding your data ransom and threatening to release previously ex filtrated and brand damaging information to the public. What a climate in which we live today. And with me to talk about these concerning trends and what you can do about it as Gil Vega, the CISO of Veeam Gil great to see you. Thanks for coming on. >> Great to see you, Dave. Thanks for having me. >> Yeah. So, you know, you're hearing my intro. It's probably understating the threat. You are a Veeam's first CISO. So how do you see the landscape right now? >> That's right. Yeah. And I've been with the company for just over a year now, but my background is in financial services and spent a lot of time managing cybersecurity programs at the classified level in Washington DC. So I've gleaned a lot of scar tissue from lots of sophisticated attacks and responses. But today I think what we're seeing is really a one-upmanship by a sophisticated potentially nation state sponsored adversaries, this idea of imprisoning your data and charging you to release it is it's quite frightening. And as we've seen in the news recently it can have devastating impacts not only for the economy, but for businesses. Look at the gas lines in the Northeast right now because of the quality of a pipeline, a ransomware attack. I just, the government just released an executive order this morning, that hopes to address some of the some of the nation's unpreparedness for these sophisticated attacks. And I think it's time. And I think everyone's excited about the opportunity to really apply a whole of government approach, to helping critical infrastructure to helping and partnering with private sector and imposing some risks, frankly, on some of the folks that are engaged in attacking our country. >> A number of years ago, I often tell this story. I had the pleasure of interviewing Robert Gates the former Defense Secretary. And it was a while ago we were talking about cyber and he sits on a number of boards. And we were talking about how it's a board level issue. And, and we're talking about cyber crime and the like and nation States. And I said, well, wait, cyber warfare, even. And I said, "But don't we have the best cyber tech. I mean, can't we go on the offense?" And he goes, "Yeah, we do. And we can, but we have more to lose." And to your point about critical infrastructure, it's not just like, okay, we have the most powerful weapons. It's really we have the most valuable infrastructure and a lot to lose. So it's really a tricky game. And this notion of having to be stealthy in your incident response is relatively new. Isn't it? >> It is. It is. And you know, there are, you mentioned that and I was surprised you mentioned because a lot of people really don't talk about it as you're going into your response your adversaries are watching or watching your every move. You have to assume in these days of perpetual state of compromise in your environments, which means that your adversaries have access to your environment to the point that they're watching your incident responders communicate with one another and they're countering your moves. So it's sort of a perverse spin on the old mutually assured destruction paradigm that you mentioned the United States has the world's largest economy. And quite frankly the world's most vulnerable, critical infrastructure. And I would concur with Director Gates or Secretary Gates rather it is assessment that we've got to be awfully careful and measured in our approach to imposing risks. I think the government has worked for many years on defining red lines. And I think this latest attack on the colonial pipeline affecting the economy and people's lives and potentially putting people's lives at risk is towing also the close to that red line. And I'm interested to see where this goes. I'm interested to see if this triggers even a, you know a new phase of cyber warfare, retaliation, you know proactive defense by the National Security Community of the United States government. Be interesting to see how this plays out. >> Yeah, you're absolutely right though. You've got this sort of asymmetric dynamic now which is unique for the United States as soon as strongest defense in the world. And I wanted to get it to ransomware a bit. And specifically this notion of ransomware as a service it's really concerning where criminals can actually outsource the hack as a service and the bad guys will set up, you know, on the dark web they'll have, you know, help desks and phone lines. They'll do the negotiations. I mean, this is a really concerning trend. And obviously Veeam plays a role here. I'm wondering as a, as a SecOps pro what should we be doing about this? >> Yeah, you mentioned ransomware as a service, whereas RWS it's an incredibly pernicious problem perpetrated by sophisticated folks who may or may not have nation state support or alliances. I think at a minimum certain governments are looking the other way as it relates to these criminal activities. But with ransomware as a service, you're essentially having very sophisticated folks create very complex ransomware code and distributed to people who are willing to pay for it. And oftentimes take a part of the ransom as their payment. The, issue with obviously ransomware is you know the age old question, are you going to pay a ransom or are you not going to pay a ransom? The FBI says, don't do it. It only encourages additional attacks. The Treasury Department put out some guidance earlier earlier in the year, advising companies that they could be subject to civil or criminal penalties. If they pay a ransom and the ransom goes to a sanction density. So there's danger on all sides. >> Wow okay. But so, and then the other thing is this infiltrating via digital supply chains I call it Island Hopping and the like, we saw that with the solar winds hack and the scary part is, you know different malware is coming in and self forming and creating different signatures. Not only is it very difficult to detect, but remediating, you know, one, you know combined self formed malware it doesn't necessarily take care of the others. And so, you know, you've got this sort of organic virus, like thing, you know, create mutating and that's something that's certainly relatively new to me in terms of its prevalence your thoughts on that and how to do it. >> Yeah, exactly right. You know, the advent of the polymorphic code that changes the implementation of advanced artificial intelligence and some of this malware is making our job increasingly difficult which is why I believe firmly. You've got to focus on the fundamentals and I think the best answers for protecting against sophisticated polymorphic code is,are found in the NIST cybersecurity framework. And I encourage everyone to really take a close look at implementing that cybersecurity framework across their environments, much like we've done here, here at Veeam implementing technologies around Zero Trust again assuming a perpetual state of compromise and not trusting any transaction in your environment is the key to combating this kind of attack. >> Well, and you know, as you mentioned, Zero Trust Zero Trust used to be a buzzword. Now it's like become a mandate. And you know, it's funny. I mean, in a way I feel like the crypto guys I know there's a lot of fraud in crypto, but but anybody who's ever traded crypto it's like getting into Fort Knox. I mean, you got to know your customer and you've got to do a little transaction. I mean, it's really quite sophisticated in terms of the how they are applying cybersecurity and you know, most even your bank isn't that intense. And so those kinds of practices, even though they're a bit of a pain in the neck, I mean it's worth the extra effort. I wonder if you could talk about some of the best practices that you're seeing how you're advising your clients in your ecosystem and the role that Veeam can play in helping here. >> Yeah, absolutely. As I mentioned so many recommendations and I think the thing to remember here so we don't overwhelm our small and medium sized businesses that have limited resources in this area is to remind them that it's a journey, right? It's not a destination that they can continually improve and focus on the fundamentals. As I mentioned, things like multi-factor authentication you know, a higher level topic might be micro-segmentation breaking up your environment into manageable components that you can monitor a real time. Real time monitoring is one of the key components to implementing Zero Trust architecture and knowing exactly what good looks like in your environment in a situation where you've got real-time monitoring you can detect the anomalies, the things that shouldn't be happening in your environment and to spin up your response teams, to focus and better understand what that is. I've always been a proponent of identity and access management controls and a key focus. We've heard it in this industry for 25 years is enforcing the concept of least privilege, making sure that your privileged users have access to the things they need and only the things that they need. And then of course, data immutability making sure that your data is stored in backups that verifiably has not been changed. And I think this is where Veeam comes into the equation where our products provide a lot of these very easily configured ransomware protections around data and your ability to the ability to instantly back up things like Office 365 emails, you know support for AWS and Azure. Your data can be quickly restored in the event that an attacker is able to in prison that with encryption and ransom demands. >> Well, and so you've certainly seen in the CISOs that I've talked to that they've had to obviously shift their priorities, thanks to the force march to digital, thanks to COVID, but Identity access management, end point security cloud security kind of overnight, you know, Zero Trust. We talked about that and you could see that in some of these, you know, high flying security stocks, Okta Zscaler, CrowdStrike, they exploded. And so what's in these many of these changes seem to be permanent sort of you're I guess, deeper down in the stack if you will, but you, you compliment these toolings with obviously the data protection approach the ransomware, the cloud data protection, air gaps, immutability. Maybe you could talk about how you fit in with the broader, you know, spate of tools. I mean, your, my eyes bleed when you look at all the security companies that are out there. >> Yeah for sure. You know, I'm just going to take it right back to the NIST cybersecurity framework and the five domains that you really need to focus on. Identify, protect, detect, respond, and recover, you know and until recently security practitioners and companies have really focused on on the protect, identify and protect, right and defend rather where they're focused on building, you know, moats and castles and making sure that they've got this, you know hard exterior to defend against attacks. I think there's been a shift over the past couple of years where companies have recognized that the focus needs to be on and respond and recover activities, right? Assuming that people are going to breach or near breach, your entities is a safe way to think about this and building up capabilities to detect those breaches and respond effectively to those breaches are what's key in implementing a successful cybersecurity program where Veeam fits into this since with our suite of products that that can help you through the recovery process, right? That last domain of the NIST cybersecurity framework it'll allow you to instantaneously. As I mentioned before, restore data in the event of a catastrophic breach. And I think it provides companies with the assurances that while they're protecting and building those Zero Trust components into their environments to protect against these pernicious and well-resourced adversaries there's the opportunity for them to recover very quickly using the VM suite of tools? >> Well, I see, I think there's an interesting dynamic here. You're pointing out Gil. There's not no longer is it that, you know, build a moat the Queen's leaving her castle. I always say, you know there is no hardened perimeter anymore. And so you've seen, you know, the shift obviously from hardware based firewalls and you I mentioned those other companies that are doing great but to me, it's all about these layers and response is a big in recovery is a huge part of that. So I'm seeing increasingly companies like Veeam is a critical part of that, that security cyber data protection, you know, ecosystem. I mean, to me it's just as important as the frontline pieces of even identity. And so you see those markets exploding. I think it's, there's a latent value that's building in companies like Veeam that are a key part of those that data protection layer you think about you know, defense strategies. It's not just you, the frontline it's maybe it's airstrikes, maybe it's, you know, C etcetera. And I see that this market is actually a huge opportunity for for organizations like yours. >> I think you're right. And I think the proof is in, you know in the pudding, in terms of how this company has grown and what we've delivered in version 11 of our suite, including, you know features like continuous data protection, we talked about that reliable ransomware protection support for AWS S3 Glacier and Azure archive the expanded incident recovery, and then support for disaster recovery and backup as a service. You know, what I found most interesting in my year here at Veeam is just how much our administrators the administrators in our company and our customers companies that are managing backups absolutely love our products that ease of use the instant backup capabilities and the support they receive from Veeam. It's almost cultish in terms of how our customers are using these products to defend themselves in today's pretty intense cyber threat environment. >> Well, and you talked about the NIST framework, and again big part of that is recovery, because we talked about earlier about, do you pay the ransom or not? Well, to the extent that I can actually recover from having all my data encrypted then I've got obviously a lot more leverage and in many ways, I mean, let's face it. We all know that it's not a matter of if it's, when you get infiltrated. And so to the extent that I can actually have systems that allow me to recover, I'm now in a much much stronger position in many respects, you know and CISOs again, will tell you this that's where we're shifting our investments >> Right. And you've got to do all of them. It's not just there's no silver bullet, but but that seems to me to be just a a misunderstood and undervalued part of the equation. And I think there's tremendous upside there for companies like yours. >> I think you're right. I think what I'll just add to that is the power of immutability, right? Just verifiably ensuring that your data has not changed because oftentimes you'll have attackers in these low and slow live off the land types of attacks change your data and affect its integrity with the Veeam suite of tools. You're able to provide for immutable or unchanged verifiable data and your backup strategy which is really the first step to recovery after a significant event. >> And that's key because a lot of times the hackers would go right after the backup Corpus you know, they'll sometimes start there is that all the data, you know, but if you can make that immutable and again, it, you know there's best practices there too, because, you know if you're not paying the cloud service for that immutability, if you stop paying then you lose that. So you have to be very careful about, you know how you know, who has access to that and you know what the policies are there, but again, you know you can put in, you know so a lot of this, as you know, is people in process. It's not just tech, so I'll give you the last word. I know you got to jump, but really appreciate.. >> Yeah, sure. >> You know, the only, the only thing that we didn't mention is user awareness and education. I think that is sort of the umbrella key focus principle for any successful cybersecurity program making sure your people understand, you know how to deal with phishing emails. You know, ransomware is a huge threat of our time at 90% of ransomware malware is delivered by phishing. So prepare your workforce to deal with phishing emails. And I think you'll save yourself quite a few headaches. >> It's great advice. I'm glad you mentioned that because because bad user behavior or maybe uninformed user behaviors is the more fair way to say it. It will trump good security every time. Gil, thanks so much for coming to the CUBE and and keep fighting the fight. Best of luck going forward. >> Great. Thank you, Dave. >> All right. And thank you for watching everybody. This is Dave Villante for the CUBEs continuous coverage VeeamON 2021, the virtual edition. We will be right back. (upbeat music)

>>From around the globe with digital coverage of the 2020. Hi, I'm Stu Miniman and this is the Cube's coverage of 2020 online. I'm really happy to welcome first time guests and he is the chief information. You're the officer at Veeam. Thank you so much for joining us. Always loved it. That was a CSO. >>Awesome. Thanks for having me Stu. >>All right, so, so guilt, give us a little bit of your background and you're relatively new than beam, obviously, you know, when you took the job, uh, that the current, you know, global, uh, pandemic, uh, wasn't uh, you know, necessarily right center, but, uh, yeah. Give, give our audience a little bit of who you are. >>Yeah. Yeah. Timing is everything I, um, I have, I bet named for 90 plus days, uh, joined the company just before the global pandemic, uh, broke loose and sort of disrupted our entire, uh, our entire planet. Uh, before that I was, uh, I was the CSO for five years of, uh, uh, systemically important financial services, >>Market utility. >>Uh, but most of my experiences, um, is in government. I was a, I was a federal executive for almost 20 years in Washington, D C where I was a CSO at the department of energy, a Homeland security, Naval intelligence, and a few other places. >>Excellent. Well, that's a great pedigree. We've loved talking to them, public people. Uh, obviously you're already front and center. Uh, they're always okay. Really? I mean, it's a board level. Got, okay. Nope. Uh, dirty, so much of what's going on. Yeah. I have to ask you though with the global pandemic hitting, uh, obviously, you know, work from home is, is, is a big piece of what's going on. Mmm. Give us, you know, kind of your first reaction then they are being new to the role. How do you make it for that? You know, Veeam itself is safe and that you're customers, uh, as they're, you know, dealing with things that, you know, they stay secure. >>That's a, that's a great question. I don't think anyone can say they were a hundred percent prepared for a global pandemic, the likes of which no one's ever really experienced before, at least in the modern age, but, you know, Veeam is largely a, even though we're 5,000 strong and global is largely a virtual a workforce. So a large majority of our, um, our teammates work from home and mobile situation. So, uh, the company has a long track record of providing really innovative and secure tools so that we can conduct our business, both, you know, with our customers, with our sales teams, generating leads, our technical teams, developing product. Um, the technology here is, uh, is, is pretty impressive. I, I will say, um, >>Uh, the impact to our workforce, at least from a virtual perspective, hasn't, uh, ha hasn't been as significant as some more traditional companies, um, being the new CSO here at beam. It's a first time position for the company. Uh, who's taken this topic very seriously. It's a, it has been for me personally, a bit of, a bit of a challenge in building my team, obviously, uh, the InfoSec, uh, space, cyber security space is very competitive when you're trying to hire folks. Uh, and the, uh, the pandemic obviously has made, uh, has made folks think twice about transitioning or starting careers or changing companies. So it's put a little bit, a little bit of a hitch in my step in terms of, uh, overall planning. Uh, but we're moving on to some different strategies and building a team a little, little slower than we had anticipated. >>Yeah, well, it's definitely understandable, but put a free for most people were that awesome a little bit these days and, you know, organizationally, this is a new role. Okay. I worked for the CIO. Are you okay? Yeah. What's been your with some of those organizations, well, dynamic, you know, with CSO lives, sports in the org. Yeah. I think it really depends upon the company's culture, right. That drives where this role sits at my, at my previous company, I've worked four, uh, the CIO who was a corporate officer, uh, here at Veeam, uh, it is a new position, uh, and there's such a significance placed on, uh, cybersecurity because of the expectations around this topic. Not only from our board Mmm. Uh, our customers, uh, uh, are the government regulators and everyone else, uh, this role, my role reports directly into bill large and our CEO, which, you know, fully empowers me as a, as a member of the, of the management team of the entire company to drive the, the, the initiatives that need to be driven so that, uh, we can meet those expectations, which know, I tend to write a rise every year from, uh, expectations of our customers, product features in our, in our products, uh, regulatory requirements and so forth. >>So yeah, um, this space tends to get, uh, more difficult, more complex as time goes on. And I think, uh, that the team has, uh, constructed this role in an operating model that, um, that is going to make it highly successful. Yeah. Well, you know, data security, absolutely critical today's landscape, but, you know, give us your thoughts about, you know, data security and really modernized. Yeah. And you know, what, what is your charter? Okay. Right. Hmm. They know fits in there. Yeah. Yeah. You know, deem is now a us company. Right. And the idea here is to direct, continue to drive growth in, in North America. And one of the key components of that growth, it has to be the U S government. I have a pedigree with U S government. I understand what the requirements are to do business there. So again, back to those expectations, uh, my charge here is to deliver us not only an internal cyber security program that continues to meet and exceed those expectations, but to be able to position our products in a way that not only solves some of the data resiliency issues that the government faces and that are global customers face, but also helped us solve some of these significant cyber security issues that they're trying to manage, you know, in the boardroom cybersecurity is, is, is essentially the number one operational risk now with a lot of focus, uh, across, uh, not only the boards, but all the functional areas of the company, whether it's finance, sales, technology, and security, it's, it's just, it seems to be the topic that everyone's most concerned about. >>And we just want to make sure that we're positioned in a way, um, that, uh, that drives what we're delivering here as a competitive advantage. Yeah. So what, what are some keys to consideration for data security on modern business? >>I'm sorry, you broke up. Could you repeat that question, Stu? Are there any considerations for modern business? Yeah. You know, um, there are, uh, there there's, there's so many, right. I tend to focus on, uh, the simple things for most companies, right? The, uh, the priorities that every CSO ought to have, uh, are around, um, you know, the, the, the blocking and tackling of a risk based vulnerability management program, making sure that your identity of your managing identities so that the right people have the right access to the right resources at the right time. Um, you, you got to have those strong and fast cyber ops because you will have incidents. Right. We all know that, uh, if you're a CSO in a company that's, uh, you're not managing incidents, chances are, you're not seeing incidents, which is probably worse than, um, then not having them. >>Um, the other thing that I've learned, uh, as a key consideration for protecting your company, coming from government is this concept of information sharing and making sure that you're, uh, that you're, that you're not only speaking with your peer companies, but your competitors as well, because they're seeing an awful lot of the same issues that you will see or have seen. And there's really no, the competitive advantage in information sharing amongst the CSOs in, in, in, uh, various industry communities and financial services. I feel like they've optimized that where I came from, uh, I would talk with, uh, CSOs at my competing firms on a, on a weekly basis, uh, comparing notes, talking about threats, understanding threat actors, talking about technology and so forth, just trying to provide for, uh, this sense of collective defense that those in the financial services industry has together. Um, and then, you know, obviously for the last several years, there's gotta be a deep understanding of the differences and managing cyber security in the cloud and what that entails and, you know, holding those vendors, uh, accountable for your security requirements, you can outsource the technology, but you can't outsource the tech, uh, the risk. >>So you, you have to be able to understand how the cloud changes, uh, the risks that you're facing, um, from the internet. Yeah. No, I'm, I'm, I'm so glad you brought up, uh, you know, early in my career. Yeah, yeah. 20 years ago. And, you know, could it be a differentiator and therefore there wasn't necessarily that sharing among your group, or they were very careful how they did things because, Oh, wait, I tried this project. I might have some advantages, you know, as you said, security is something we need to, as a community, get involved with you also brought up. Wow. So if we look at cloud models today, we really, yeah. Okay. Facility model. Mmm. So know how should people be thinking about cloud, uh, how should they be, uh, you know, moving forward, you know, really these multitudes of environments that they need yeah, yeah. >>You know, we could, we could probably have an hour show and talk about some of the scar tissue that I've gained over the years in managing cloud programs. The number one, uh, the number one thing I would talk about, I think it's probably the most important thing is making sure you understand exactly what security services your cloud provider is providing. And don't assume, um, that they're going to meet your requirements. You need to understand what those requirements are, whether or not they fit your business, an operations model and whether or not they're, um, Mmm they're they're capable of meeting the risk appetite that you've set for yourself and communicated to your board. Uh, in, in, in certain, some in certain cases, the default clouds, uh, security services, won't meet those, uh, expectations and you'll have to work with the cloud vendors to augment those in a way that makes, uh, that makes it Mmm, more, uh, acceptable for your, uh, for your risk profile and for your business. >>Um, I've often I talk with peers who, Mmm. Uh, at companies, smaller companies who just assume that the large cloud providers are going to take care of everything that you used to take care of on prem. Uh, and in fact, there are just certain things, uh, that are happening in the cloud that are completely different than on prem situation, as it relates to cyber. And you've got to have a really good understanding of, of, of how those are differentiated, uh, because if, uh, if, if you're making assumptions about the level of cybersecurity services that you're procuring in the cloud, uh, it's probably gonna turn around and bite you at some point. Yeah. It, I, I laugh a little bit. I think please free cloud era. No, yeah. Force let's get somebody that is okay. Lazy or, you know, being a little bit malicious. Okay. Yeah. >>Go against dirty things that you said, well, if you go to the cloud, you know, something's angel, I haven't, I need to make sure, sure. That I've adjusted those settings. Oh, wait. Yeah. There's something I should have looked do too. Let me make sure I adjust those. I think at least, I think cloud providers are, you know, a little bit more engaged after some yeah. You know, uh, kinks in the armor, uh, that, that we're seeing. So, uh, the, the, there have been a little bit more awareness of what's going on. Everybody is engaging a little bit more Mmm. Gil, uh, governance and ransomware things hockey for many years. How does that yeah. Uh, your, your overall discussion, um, you know, governance is probably one of the most overlooked that most important components of a cybersecurity program that's effective. Um, we don't do cyber security just to do cyber security. >>We're trying to meet key business objectives. We're trying to meet customer expectations. We're trying to support technology integration programs and having all of the efforts of the CSO and his Oregon, his or her organization governed, uh, correctly within the corporate structure is just absolutely critical here at Veeam. Uh, the, um, uh, my function has governed, uh, by the border, by the board of directors, as it is in most large companies. So they're interested obviously in the health status of the projects that I'm, uh, that I'm leading the initiatives that I'm driving, the transformations that are occurring across the globe. They're interested in, uh, understanding exactly how the product feature sets and are in our Mmm. And our products are being informed by the experiences of our, of our internal team and what our customers need. Uh, for us, it's very important to provide that oversight and insight into everything that we're doing, uh, at the highest levels, so that, uh, so that our board of directors can have a really good understanding of, um, of overall risk of the, uh, of the organization and what we're facing. >>Final question I have for you, key priorities forward, what should we be looking for work? And yes, that's particularly. Yeah, sure. So we've, uh, we've gone and we've adopted a new security framework. We've adopted the NIST cybersecurity framework version one.one. We're leading ourselves through a maturity assessment based on that framework, we're setting a objective Mmm Mmm. Maturity measures for each of the components of our cyber security program based on the NIST cybersecurity framework. And we're driving some transformation across the globe to make sure that, uh, we're doing everything we can to protect, uh, not only the company, but our customer's data, our products, and so forth. We're also positioning ourselves in a way to, uh, as I said earlier, enhance our business opportunities with, with the U S government and adopting the new cyber security framework is probably right the first step in a long program to, um, to be able to do much more, much more business with, uh, with our government counterparts. All right. Well, thank you so much for joining us. Really pleasure to talk. Very good. Thanks too. Alright. Be back with lots more coverage from online. Thank you for walking. Thank you.