Mick Baccio, Splunk | AWS re:Invent 2020 Public Sector Day


 

>> From around the globe, it's the Cube with digital coverage of AWS re:Invent 2020. Special coverage sponsored by AWS Worldwide Public Sector. Welcome to the Cube's coverage of AWS 2020. This is specialized programming for the worldwide public sector. I'm Lisa Martin, and I'm joined by Mick Baccio, the security advisor at Splunk. Mick, welcome to the Cube virtual.

>> Oh, thank you for having me. It's great to be here.

>> So you have a really interesting background that I wanted to share with our audience. You were the first CISO in the history of U.S. presidential campaigns, with Mayor Pete. You were also branch chief of threat intelligence at the Executive Office of the President. Tell us something about your background that is so interesting.

>> Uh, yeah, those, and I'm a goon at DEF CON and I teach lock picking for fun. Working for Mayor Pete as CISO of the campaign was a really, really unique opportunity and I'm glad I did it. I'm hoping that, you know, on both sides of the aisle, no matter what your political preference, people realize that security and campaigns can only be married together. That was an incredible experience, and I worked with Mayor Pete and I learned so much about how campaigns work and just the overall political process. And then previous to that, being at the White House in a threat intelligence role of branch chief there, working over the last election, the 2016 election. I think I learned probably more than any one person wants to about elections over that time. So, you know, I'm just a security nerd that kind of fell into those things. And here I am, and really, really, really just fortunate to have had those experiences.

>> Your phone and your email must have been blowing up the last couple of weeks in the wake of the US presidential election, where the word fraud has been brought up many times every day. But election security: when I saw that you were the first CISO for Pete Buttigieg, that was so recent, I thought, really? Why? Why are they just now getting folks like yourself? And you are a self-described cybersecurity nerd. Why are they, why were they just recently starting to catch on to this?

>> I think it's, uh, like security on the campaign and security anywhere else. And credit to the Buttigieg campaign: there is no federal mandate or anything like that that says your campaign has to have a security person at the head of it, or any standards to implement that security. So, you know, the Buttigieg campaign kind of leaned into it. We wanna be secure. We saw everything that happened in 2016. We don't want that to be us. And I think more campaigns are getting on that plane. Definitely. You know, you saw recently, uh, Trump's campaign, Biden's campaign. They all had a lot of security folks in, and I think it's the normal now. People realize how important security is, uh, not only to a political campaign, but I guess the political process overall.

>> Absolutely. We've seen the rise of cyber attacks and threats and threat vectors this year alone. Ransomware occurring, one attack every 11 seconds or so, I was reading recently. So give me an overview of what the biggest threats are right now.

>> To elections, and I think the election process in general. You know, like I said, I'm just a security nerd. I've just got a weird background and done some really unique things. So I always attack the problems like I'm a security nerd, and it comes down to, you know, that triumvirate: the people, process and technology. People need to have faith in the process, faith in the technology. You need to have a clear source to get their information from. The process: to me, I think this year, more than previous elections, highlighted the lack of a federal uniform standard for federal elections. State to state, we have different standards, and that kind of leads to confusion with people because, hey, my friend in Washington did it this way, but I'm in Texas and we do it this way. And I think that that standard would help a lot in the faith in the system. And then the last part of that, the technology, uh, you know, voting machines, campaigns. Like I mentioned about campaigns, there's nothing that says a campaign has to have a security person or a security program, and I think those are the kind of standards for, you know, just voting machines. Um, that needs to be a standard across the board that's uniform, so people will have more faith, because it's not different from state to state and it's a uniform process.

>> I think the whole country could have benefited from more uniform processes in 2020. But one of the things that I, like, I did my first mail-in ballot this year. I always loved going and having that in-person voting experience and putting on my sticker. And this year I thought, in California we got all of our, but there was this massive rise in mail-in ballots. I mean, think about that and security in terms of getting the public's confidence. What are some of the things that you saw that you think need to be uniform going forward?

>> Again, I think it goes back to, when you look at, you know, you voted by mail and I voted absentee, and your ballot was due by this date. Um, you know, where I live, voting absentee, it's due by this date, needs to be received by this date. And I think this year really highlighted the differences between the states, and I'm hoping that election security, and again, everyone has done a super fantastic job. Um, CISA has done incredible. If you're all their efforts for the working with election officials, secretaries of state on both sides of the aisle. It's incredible work, and I hope it continues. I think the big problem with election security is, you know, the election is over, so we don't care again until 2022 or 2024. And I think putting something like a federalized standard, whether it be technology or process, putting that in place now so that we're not talking about this in two or four years. I'm hoping that momentum continues.

>> What would your recommendation be, from building security programs to culture and awareness? How would you advise that they start?

>> So, uh, one of the things that, when I was on the Buttigieg campaign, you know, like I said, I was the first person to do security for a campaign. And a lot of the staffers didn't quite have the background, the professional background, of working with a security person, or know, you know, why, what I was doing there. So my hallmark was, you know, I'm trying to build a culture, heavy on the cult. Um, you've got to get people to buy in. I think this year, when you look at what Krebs and CISA and the team over there have done is really find a way to tell a security story in every facet of the election, whether it be the machines themselves, the transporting of the votes, counting the votes, how that information gets out to people, websites CISA started like Rumor Control, which were amazing, amazing efforts. The public-private partnerships that were there. I had a chance to work with, uh, MJ and Tanya from AWS, some election project. I think everyone has skin in the game. Everyone wants to make it better. And I hope that momentum continues. But I think, you know, embracing that there needs to be a centralized, uniform place, uh, for every state. And I think that would get rid of a lot of confusion.

>> When you talk about culture, and you mentioned specifically cult, do you think that people and agencies and politicians are ready to embrace the culture? Is there enough data to support that this is really serious, we need to embrace this, we need to buy in, as you said?

>> Um, I hope, right? I don't know what it could take. I'm hoping so. After seeing everything, you know, being at the White House, from that aperture in 2016, seeing all of that, I would, you know, think right away, oh my gosh, 2018, the midterms, we're gonna be on the ball. And that really didn't happen like we thought it would. 2020, we saw a different kind of technical, or I guess not as technical, uh, security problem. And I think I'm kind of shifting from that to the future. People realize, and I think, uh, both sides of the aisle are working towards security programs and security posture. I think there's a lot of people that have bought into the idea. Um, but I think it kind of starts from the top, and I'm hoping it becomes a standard, so there's not really an option. You will do this, just for the security and safety of the campaigns and the electoral process. But I do see a lot more people leaning into it, and a lot more resources available for those people that are.

>> Talk to me about kind of the status of awareness of security: needing to combat these issues, be able to remediate them, be able to defend against them. Where are folks in that awareness cycle?

>> I think it ebbs and flows like any other process, any other, you know, incident, event that happens. And from my experience in the infosec world, normally there's a compromise, there's an incident, a bunch of money gets thrown at it, and then we forget about it a year or two later. Um, I think that culture, that awareness, comes in when you have folks that would sustain that effort. And again, you know, on the campaign, um, even at the White House, we try to make everyone a part of security. Security is an all-the-time thing that everyone has a stake in. Um, you know, I can lock down your email at work. I can make sure this system is super, super secure, but it's your personal threat model. You know, your personal email account, your personal social media, putting more security on those and being aware of those. I think that awareness is growing. And I see more folks in the security community just kind of preaching that awareness more and more, and something I'm really, really excited about.

>> Yeah, the biggest thing I always think when we talk about security is people, that we're the biggest threat vector, and what happened eight, nine months ago when so many businesses, um, in any, you know, public sector and private, went from on site, almost maybe 100% on site, to 100% remote. People suddenly going, I've got to get connected through my home network. Maybe I'm on my own personal device, and didn't really have the time, with so many distractions, to recognize a phishing email that just could come in and propagate. So it's that, the people challenge always seems to me like that might be the biggest challenge, besides the technology and the process. What do you think?

>> I, again, it goes back. I think it's all part of it. I think people, um, I've looked at it slightly. A friend of mine made a really good point once. He was like, hey, people are gonna click on the link in the email. It's just, I think 30% of people do. It's just the nature of people. After 20-some-odd years in infosec, 20-some-odd years in security, I think we should have maybe done a better job of making that link safer to click on, to make it not malicious. But again, it goes back to being aware, being vigilant. And to your point, since earlier this year, we've seen attacks increase exponentially, specifically on remote desktop protocols, from COVID-related themes and scams and, you know, ransomware targeting healthcare systems. I think it's just, the world's getting smaller and we're getting more connected digitally. That vigilance is something you kind of have to build into your threat model and build into the ecosystem when we're doing everything. It's just something, you know, I quote a lot, too. You've got junk email. You open your mailbox, you've got some junk mail in there, you just throw it out. Your email inbox is no different, and just kind of being aware of that a little more than we are now might go a long way. But again, I think security folks want to do a better job of kind of making these things safer, because malicious actors aren't going away.

>> No, they're definitely not going away, and we're seeing the threat surfaces expanding. I think it was Facebook and TikTok and Instagram that were hacked in September. And I think it was an unsecured cloud database that was the vehicle. But talking about communication, because we talk about culture and awareness, communication from the top down to every level is imperative. How do we embrace that and actually make it as standard as possible?

>> Uh, in my experience, you know, from an analyst to a CISO, being able to communicate, and communicate effectively, it's gonna save your butt, right? If you're a security person, you're that cyber guy in the back end, something just got hacked or something just got compromised, I need to be able to communicate that effectively to my leadership, who is gonna be non-technical people, and then that leadership has to communicate it out to all the folks that need to hear it. I do think this year, just going back to our elections, you saw a lot of rapid communication, whether it was from DHS, whether it was from, you know, public partners, whether it was from the team over at Facebook or Twitter. You know, it was a lot of activity that they detected and put out as soon as they found it, and it was communicated clearly, and I thought the messaging was done beautifully. When you look at all the work that, you know, Microsoft did on the blog post that came out, that information is put out as widely as possible. But I think it just goes back to making sure that the people have access to it whenever they need it, and they know where to get it from. Um, I think a lot of times you have a compromise and that information is slow to get out. And, you know, that delay just creates confusion. So say it clearly, concisely, and find a place where people can get it.

>> Absolutely. And how do you see some of these challenges spilling over into your role as the security advisor for Splunk? What are some of the things that you're talking with customers about right now that are really pressing issues?

>> I think my role at Splunk is super, super weird, because I started earlier in the year. I actually started in February of this year, and a month later, like, hey, I'm hanging out at home. Um, but I do get a chance to talk to a lot of organizations about their security posture, about what they're doing, and about what they're seeing. And, you know, everybody has their own. Everybody's a special snowflake, some more special than others. Um, credit to Billy. But people are kind of seeing the same thing. You know, everybody's at home. You're seeing an increase in the attack surface through remote desktop. You're seeing a lot more phishing. You're seeing just a lot of people just on their computer all the time. Um, Zoom, WebEx. I've got, like, I don't know, a dozen different chat clients on my computer to talk to people. And you're seeing a lot of exploits kind of coming through that. Because of that, people are more vigilant. People are adopting new technologies and new processes and kind of finding a way to move into a new working model. I see zero trust architecture becoming a big thing, because we're all at home. We're not gonna go anywhere. And we're online more than we're not. I think my circadian rhythm went out the window back in July, so all I do is sit on my computer more often than not. And that caused authentication, just, you know, make sure those assets are secure that we're accessing from our work resources. I think that gets worse and worse, or it doesn't. Not worse, rather. But that doesn't go away, no matter what your model is.

>> Right. And I agree with you on that circadian rhythm challenge. Uh, last question for you. As we look at one thing we know, this uncertainty that we're living in is going to continue for some time. And there's gonna be some elements of this that are gonna be permanent. We hear execs in many industries saying that maybe we're going to keep 30 to 50% of our folks remote forever. And tech companies that are saying, okay, maybe 50% come back in July 2021. As we look at moving into what we all hope will be a glorious 2021, how can businesses prepare now, knowing some amount of this is going to remain permanent?

>> It's a really interesting question, and I'll be honest, I think, I know, the team here at Splunk, it's constant discussions that we're having, constantly evaluating, constantly changing. Um, you know, friends in the industry, it's, I think businesses and those executives have to be ready to embrace change as it changes. The same thing, that the plans we would have made in July are different than the plans we would have made in November, and so on. And I think it's having a rough outline of how we want to go. The most important thing, I think, is being realistic with yourself and, um, what you need to be effective as an organization. I think, you know, 50% of folks going back to the office works in your model. It doesn't. But we might not be able to do that. And I think that constant ability to adjust. A lot of companies have kind of been thrown into the fire. I know my background's mostly public sector, and the federal space has done a tremendous shift. Like, I never, well, rarely got to work, uh, remotely in my federal career, because I did secret squirrel stuff, but like now, the federal space is just leaning into it, just, they don't have an option. And I think once you have that, I don't think you put Pandora back in that box. I think it's just, we work remote now, and it's just a new, it's just a way of working.

>> Yep. And that couldn't be more important, to embrace change, and change over and over again. Mick, it's been great chatting with you. I'd love to dig into some of that secret squirrel stuff. I know you probably have to shoot me, so we will go into that. But it's been great having you on the Cube. Thank you for sharing your thoughts on election security: people, processes, technology, communication. We appreciate it.

>> All right. Thanks so much for having me again.

>> My pleasure. For Mick Baccio, I'm Lisa Martin. You're watching the Cube virtual.

Published Date : Dec 9 2020

