David Martin


 

>>Welcome to Commvault Connections. My name is Dave Vellante, and we're going to dig into the changing security landscape and look specifically at ransomware and what steps organizations can take to better protect their data, their applications, and their people. As you know, cyber threats continue to escalate. In the past 19 months, we've seen a major shift in CSO strategies, tactics and actions as a direct result of the trend toward remote work, greater use of the cloud and the increased sophistication of cyber criminals. In particular, we've seen a much more capable, well-funded and motivated adversary than we've ever seen before. Stealthy techniques like living off the land, island hopping through the digital supply chain, self forming malware and escalations in ransomware attacks necessitate vigilant responses. And we're super pleased today to be joined by Dave Martin, who's a global chief security officer at ADP. Dave, welcome. Good to see you.

>>Thanks for having me today. It's

>>Our pleasure. Okay. Let's get right into it as a great topic. I mean, ADP, we're talking about people's money. I mean, it doesn't get more personal and sensitive than that maybe healthcare, but money is right there on the priority list, but maybe you could start by telling us a bit about your role at the company, how you fit into the organization with your colleagues like the, you know, the CIO, the CDO. Maybe describe that a bit if you would.

>>Yeah, absolutely. So we're somewhat unusual in both banks structure and we, one of the ways is aware a I have a very converged organization. So my responsibility extends from both the physical protection of kind of buildings, our associates, um, travel safety through fraud that we see in, uh, attempted in our products all the way through to I'm more traditional, a chief security officer, um, in the cyberspace. And, uh, the other thing that's a little bit unusual is rather than reporting into a technology organization.
I actually report into our chief administrative officer. So my peers in that organization now, our legal compliance, uh, so we, it's, it's a great position to be in the organization and I've had various different reports during my career. And there's always a lot of debate in, uh, in, uh, with my kids about where's the best place for the report. And I think they always come back to, it's not really where you report it's about those relationships that you mentioned. So how do you actually collaborate and work with the chief data officer, the CIO, the head of product, the product organization, and how do you use that to create this kind of very dynamic Angela falls to defend against the threats we face today?

>>Yeah. Now, so let's just want to clarify for the audience. So when you talk about that converged structure, oftentimes if I, if I understand what your point is that the network team might be responsible for some of the physical security or the network security, that's all under one roof in your organization, is that correct?

>>So a lot of the controls and operations, something like firewalls is out in the CIO organization. Um, but the, the core responsibility and accountability, whether it's protecting the buildings, the data centers, the, uh, the data in our applications, the, uh, kind of the back office of all the services that we use to, to deliver value to our clients and kind of the same things that everyone has, the, uh, the ERP environments. Now, all of that, the protecting those environments rolls up to my team from an accountability and governance.

>>Got it. So, I mean, as I was saying upfront, I mean, the, the acceleration, we all talk about that acceleration that compression, the forced march to digital and that, that SolarWinds hack. It was like a Stuxnet Stuxnet moment to me. Cause it's signaled almost this new level of excellent escalation by cybercriminals and that had to send a shockwave through your community.
I wonder if you could talk about at a high level, how did that impact the way that CSOs think about cyber attacks or, or did it

>>Well, I think we're, we're very used to watching the outside world kind of adversaries don't stand to sell our businesses. Don't stand still, so we're constantly having to evolve. So it's just another call to action. How do we think about what we just saw and then how do we kind of realign the controls that we have and then how do we think about our program there, food that we need to address?

>>Yeah. So we've seen, uh, when we talk to other CSOs, your colleagues, we, we, they tell us we've made a big sort of budget allocation toward end point security cloud identity, access management, uh, and, and obviously focus on a flatter network. And of course, ransomware, how have you shifted priorities as a result of sort of the last, you know, the pandemic 19 months?

>>Yeah, definitely seeing that shift in kind of the necessity of working from home and kind of thinking by what tools that we need to get to our associates, um, to really make them successful. And then also keep our, uh, the integrity of our data and the availability of our services in that new model. And so we've made that shift in technology and controls, reinforced a lot of things that we already had. One thing thinking about the supply chain change that we saw out of SolarWinds is thinking about ransomware defense prior to that was very much around, uh, aligning the defenses within the perimeter of your network, a within the cloud environments. And I really thinking about where do I am inside that environment? Where do I exchange files from what connectivity do I have with partners and suppliers?
What services do they provide, um, to support us as an enterprise and what's going to happen if they're not there at a minimum, but then what happens if they have a, some kind of a channel for that can actually drive some of this malware and spread into the network or via some of those file transfer, make sure we really sure shored up the controls in that area, but the, the response is actually part of that.

>>How am I gonna react? When I hear from even applying, we're a very customer service focused company, we want to do whatever we can to help. And the instinct of one of our frontline associates, Hey, send, send me that Excel file. I'll take care of it. So now yet we still want to help that client through, but we want to think through a little bit more before we start sharing a, uh, an office file back and forth between two environments, one of which we know to be home,

>>Right. That's interesting what you're saying about the change in just focus on the perimeter to the, the, the threats, you know, within, uh, without et cetera, because you don't even need a high school degree or, you know, gray diploma to be a ransomware attacker. These days, you could go on the dark or dark web, and if you're bad, bad person, you can hire ransomware as a service. If you have access to a server credentials, you know, you can do bad things and hopefully you'll end up in handcuffs, but, but that's a legitimate threat today, which is relatively new in the way in which people are escalating, whether it's, you know, crypto ransoms, et cetera, really do necessitate new thinking around or ransomware. So I wonder if you could talk a little bit more about, you know, the layered approach that you might take the air gapping, uh, be interested to understand where Commvault fits in to the, to the, to the portfolio, if you will.

>>Sure. And really it's thinking about this in depth and you're not going to be able to, uh, to protect or recover everything.
So really understanding, first of all, that, of what is most important to be able to maintain service, what data do you do you need to protect and have available armed with that? Now you can go through the rest of the NIST Cybersecurity Framework and main things. You're doing the best for prevention, uh, for the detection and response in that area. And then kind of really, uh, interesting when we get to the recovery phase, both from a Commvault perspective and in many tanks where we really want to focus on prevention, but ultimately we'll likely to see a scenario. And even in some small part of our environment, whereas some kind of attack is effective and there, where we're back to that recovery step.

>>And we don't want them to be the first time we're testing those backups. We don't want to be the first time that we figured out that those backups have been on the network the whole time, and they can't be used for recovery. So partnering with everyone in the environment, it takes a village to defend against this kind of threat, getting everyone engaged the experts in each of these fields to make sure that we're thinking they understand that this threat and how real it is and what their role is going to be in setting up that protection and defense, and then come that dark day that we all hope will never happen. What's the, when do you need them? When do you need them to be doing so that you can get back to a restoration and effective operation sooner possibly

>>Yeah. Hope for the best plan for the worst. So it's a big part of that is education. Um, and of course the backup corpus is an obvious target because everything's in there. Uh, but before we get into sort of the best practice around that, I wanted to ask you about your response, because one of the things that we've seen is that responses increasingly have to be stealthy, uh, so that you don't necessarily alert the, the attackers that you know, that they're inside.
Is that sort of a new trend and how do you approach that?

>>Yeah, I mean, it's always, it's always a balance depending on the type of data and the type of attack as to kind of heroine kind of violent and swept. And obviously you have to be to be able to protect the environment, protect the integrity of the data, and then also balance the games kind of tipping off the attacker, which could potentially make things worse. So always a conversation depending on the different threat type, um, you're going to have to go through. And it really helps to have some of those conversations up front to have tabletops, not just at a technical level to make sure that you're walking through the steps of a response to make it as seamless and quick and effective as possible, but also having that conversation with leadership team and even the board around the kind of decisions they're going to have to make and make sure that youth, that wherever possible use scenarios to, uh, to figure out what are some of those actions that are likely to be taken and also empower some teams. It's really important to be able to act autonomously and quickly you, uh, you don't want to be at 2:00 AM kind of looking for, uh, for the CEO or kind of the executive team to get them out there to make a decision. Some of these decisions need to be made very quickly and very effectively, and you can only do that with empowered upfront and sometimes even automated processes to do them.

>>Dave, describe what you mean by tabletops. I presume you're talking to a top-down view versus sort of being in the weeds, but that's some color to that, please. Yeah,

>>Yeah, definitely. It literally is kind of getting everyone around the table and at ADP, at least once per year, we actually get the full executive team together and challenge them with a scenario, making sure that they're working through the problem. They know what each of their roles are at the table. And I am lucky to have a fantastic leadership team.
We're actually very practiced. We've done this often enough now that they really pull apart really hard problems and think about what that decision is going to mean to me. So come that dark day, if it ever does, then they're not kind of challenged by the never thought they don't they've understand the technical background of why being asked to make a decision to the limitations of what they're responsive to may be.

>>So a lot of people in process goes into this, always the case, but let's talk a little bit about the tech. Eventually the backup corpus is an obvious target before. What are some of the best tech practices in terms of protecting, whether it's that backup corpus other data, uh, air gaps, maybe you could give us some guidance on that front.

>>Sure. Hey, we're not going to be able to protect our things or focus on those favorite children is the, uh, the best advice up front to think about the, uh, the critical components that enabled me to bring things up easy, to go focus on that critical data and that most important half that everyone in the company understands, but all that cannot even start. If you don't have the foundation, the network's not up and running your authentication. So it's good to get a focus, some elements and practice that technical tabletop setting of what, how do you go through recovering an Active Directory forest back to a known, trusted state because that's one of the foundations you're going to need to build. Anything else back off on the backup side is made sure that you don't use the same credentials that the, your backup administrators use everyday make.

>>There's only the smallest number of people have access to be able to control the backups if at all possible and, uh, combo and many backup solutions in there and make sure they're using a second factor authentication to be able to get into those systems and also make sure that some of the backups that you have are kind of offline air gaps can be touched.
Uh, and then also think about the duration, talk about the attack, being very smart and determined. They know how enterprises prepare and respond. So think about the, uh, how long you're retaining them, where you're retaining some of the backups, not just incremental is to be able to phone you restore a system, basically from ban that whole from backslide.

>>And you're using Commvault software to manage some of this, this, this capability is that right? I'm sure you have a bevy of tooling, but yeah,

>>We have a wide range of tooling

>>And somebody said, consultants said to me the day, you know, Dave, I'm thinking about advising my clients that their air gap process should be air gapped. In other words, they should have him as sort of a separate, you know, remote removed from the mainstream process, just for extra protection. And I was like, okay, that's kind of interesting, but at the same time then do they have the knowledge to get back to, you know, a low RPO state? What do you think about about that?

>>So the challenges of any kind of recovery and control design is like making sure that you're make, not making things overly complex and introducing other issues. And also other exposures you're moving out of your normal control environment that you have a 24 by 7, 365 set of monitoring. The more creative you get and you prance are in danger of kind of having control erosion and visibility to that other state. Um, but it is really important to think about even at the communication level, um, is in this kind of attack, you may not be able to rely on email kind of teams, all the common services you have. So how are you actually going to communicate with this village? It's going to take, to recover, to be able to, uh, work through the process. So that's definitely an area that I would advocate for having offline capabilities to be able to have people react, gather, respond, plan, and control the recovery.
Even though the, uh, the main enterprise may not be currently function.

>>I wonder if I could pick your brain on another topic, which is, you know, zero trust prior to the pandemic. A lot of times people would roll their eyes. Like it's a buzzword, but it's kind of become a mandate where people are now talking about, you know, eliminating credentials to talking about converging identity, access management and governance and privilege access, access management. I mean, what are those, some of the sea changes you see around so-called zero trust.

>>Yeah. I think kind of zero trust has become that kind of call to action buzzword. But these concepts that are embodied in zero trust journey are ones that have been around for forever least privilege. And it's how we think about that. You can't go buy a product that I like. I'm just implemented zero trust. How do you think strategically about way you take your starting point and then go on this journey to kind of increase the, uh, the various tools that start to limit improve the segmentation, not only from a network standpoint, from a service standpoint, from an identity standpoint and make sure you're embracing concepts like persona so that you start to break up the, uh, may not get to zero trust anytime soon, but you're able to get less and less trust in that model and to think about it in many different worlds.

>>Think about your product access. If you're a service provider company, like we are as well as kind of the internal employee, uh, context. So there's many, um, elements, it's a complex journey. It's not something you're going to buy off the shelf and go implement. But it's one that you're going to have to, again, partner with those other stakeholders that you have because there's user experience and client experience components of this journey, some of which are actually quite positive. Uh, you mentioned penciled us as one of those components in the gym.
Certainly something that actually has a better user experience and also can offer a, a better security and freedom from the traditional passwords that you've come to love to hate

>>Dave, I know you're tight on time. I got two more questions for you. One is what is the CSO's number one challenge.

>>Wow, that's a getting enough slate now. Um, and then he is just staying current with that business environment, that threat environment and the available tool sets and making sure that we're constantly working with those partners that we keep describing to chart that course to the future. So that we're, this is a race that doesn't have a finish line. The marathon gets a little bit longer every year and bringing my peers on and making them understand that it's easy to get fatigued and say, ah, don't worry. Tell me what I've done when we finished this initiative. It's just keeping everyone's energy up and focus on a very long then

>>One a and that question, if I may, is, is many organizations lack the talent to be able to do that. You may not, you may, you may have a firmer, but the industry as a whole really lacks the skills and the talent, and really, that's why they're looking to automation. How acute do you see that talent shortage?

>>It's definitely there. And I think it's important to realize that the, uh, back to that village concept, everybody has a play here. So what is a smaller, uh, available talent born in the, uh, the security industry is we've really got to be that call to action. We've got to explain why this is important. We've got to be the consultants that have lead brew. What changes are we going to need to make, to be successful? It's tempting to say, oh, they'll never do that. And they're like, we've got to do it ourselves. We will never be successful. And just being the security team that tries to do everything, it's bringing everyone along for the journey.
And part of that is just going to be this constant socialization and education of what they need to do and why it's so important. And then you really will build a great partnership.

>>My last question, I was kind of been keeping a list of Dave's best practice. I say, obviously, the layered approach you want to get to that NIST framework. There's a lot of education involved. You've got to partner with your colleagues that tabletops executive visibility. So everybody knows what their role is. Kind of the do your job. You've got to build zero trust. You can't just buy zero trust off the shelf. And, and, and, uh, so that is my kind of quick list. Am I missing anything?

>>I think that's pretty good. And then I'm just in that partnership, you guys have it, this is a tiring, a hard thing to do and kind of just bringing everyone along or they, they, they can help you do so much, especially if you explained to them how it's going to make that product better. That was going to make that client experience better. How it's going to mean for the CIO, the internal associate experience about it, that this isn't just a Byron adding friction into a, an already challenging environment,

>>You know, like frontline healthcare workers, the SecOps pros are heroes. Day-to-day, you don't necessarily hear a lot about the work they're doing, but, uh, but Dave, we really appreciate you coming on and sharing some of the best practices. And thank you for the great work that you guys are doing out there. And best of luck. Thanks for the exchange has been a pleasure. All right. And thank you for watching everybody. This is Dave Vellante for theCUBE. Keep it right there.

Published Date : Oct 20 2021
