Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Michael van Rooyen (00:00):
Today we're bringing you part two of my discussion with Glenn Maiden, Director of Threat Intelligence at FortiGuard Labs, ANZ. If you haven't listened to part one yet, I suggest you do first. If I think about AI and machine learning, we have to talk about AI.
Glenn Maiden (00:14):
It's KPI here. It's a new blockchain.
Michael van Rooyen (00:17):
That's true. That's true. And think about AI and machine learning from a transforming of different areas of cybersecurity, both defence and attack. You know, how are these technologies being used by the defenders and attackers, and what are the implications on threat intelligence?
Glenn Maiden (00:36):
Yeah, so we mentioned. We touched on this before when I mentioned about the 500 human Russians before. And you think of some of the early social engineering attacks. You know, get your free iPhone here, or here's your DHL, and it'd have spelling mistakes. You know, in a lot of cases, you know, it was absolutely obvious that it wasn't right. So now with AI, we could have an attack, so even using things like voice or video, but definitely written, where it could be as close enough to me attacking you, or a message coming from me, that even I wouldn't even be able to tell the difference. So I think that there's going to be a real explosion, certainly on the attack side, and I can tell you from our perspective on the defender side there's some quite innovative capabilities coming in. So I mentioned before that. So there's sort of AI on AI. So we've trained our AI as a very sort of standalone system to detect threats both against computers and within the network. So that's one thing. But we're also putting Gen AI on the front of many of our systems, and we did a demonstration recently. If you imagine you're the SOC analyst, you've got more alerts than you can ever process as a human. You're looking across five different systems in a lot of cases, maybe 10, maybe 20 different systems. I've got to go out, pull logs off one system. I've got to transform, maybe run a Python script over to make it be able to be fed into the next system, and I've got to do all these different things to be able to sort of work out what's an alert and what's not. Also, I've got to be trained in all these different systems so I know how to interact with them. So we did a test by putting an AI agent sort of on the front of some of our security operations tools, and you can just go in like you would with ChatGPT. Tell me more about this threat, tell me where I've seen this anomalous IP address elsewhere in my network. Oh, can I please just contain those? Can I make sure that they can't get anywhere else? So there's some really nice innovation happening on the defender side, under the very, very true assumption that the security analyst is the unicorn that's going to be. The one constraint we're always going to have is smart analysts, smart security engineers, smart responders. There's just not enough of them and there never will be. But if we can make their lives a little bit easier and they're not having to go through and do data mining and data transformation and learning five different systems, we can make their time a lot more effective in defending us. If I then pivot a little bit onto supply chain, because that's, you know, people always attacking specifically an entity or a targeted attack.
Michael van Rooyen (03:09):
But supply chain is definitely gaining, and I'll kind of tie the two together here. Supply chain is definitely gaining attention over the years, or more recently, and also critical infrastructure is becoming, you know, a real national security priority. I know we touched on it a little bit earlier, but what are some of the unique challenges that are facing both the supply chain and the critical infrastructure sectors?
Glenn Maiden (03:28):
Yeah, so there's a lot to unpack there. From a supply chain perspective, I mean, we've seen, and I know I'm going back a few years, but SolarWinds, I think, was a really, really good example for us to learn from. So in that particular attack, Russian threat actor, their target, their victim, was US government and US defense industry, right? So, and if you think of that, well, they didn't actually attack the US government or the defense industry, at least not for six or 12 or even more months before they went through. They were able to compromise the SolarWinds organization, and they do a lot of system management tools. They went through and wrote bespoke custom malware that looked like a SolarWinds agent. They wrote custom malware to crazy, yeah, also. But even in terms of the command and control traffic, so that actually was encapsulated into some of those proprietary SolarWinds protocols. So again, I think of myself as a SOC analyst. If I'm looking at this Russian attack, I'm going to see SolarWinds.exe running on a server. I'm going to see SolarWinds go back to SolarWinds HQ. I look at that. It's the right port, it's the right traffic. That would be so, so difficult to detect. And so once, obviously, once all SolarWinds customers went and updated, as we tell everyone to do, well, we've got a patch, we've got a patch, we've got a patch, they went through and then downloaded the malware onto their machines, and then, from there, that's where the threat actor went mad. So supply chain is so, so important, because all these different organizations and these different vendors that we're using are all definitely areas where an attacker could get in, if they can't get into you in the first place.
Michael van Rooyen (05:10):
And then that leads on to critical infrastructure, right, which is, you know, skills gap, a lot more connectivity now into these, you know, processing facilities, critical infrastructure being so important. And same thing, right, you're not actually trying to target specifically, maybe, the output of the critical infrastructure. But how do we get into those five different mechanisms? Right, could be through third parties, might not be the blast rate of sprinter, but it might be from an external source, right?
Glenn Maiden (05:32):
Yeah, and I think this is where I mentioned before we probably need to have more of a sense of urgency. So in Australia, and I guess it's probably the same everywhere, so much of our critical infrastructure is operated by the private sector. And I know here in Brisbane, and there's organisations like ORO, we talk cyber every single day of the week. I come from Canberra. The population in Canberra and FedGov is quite well informed about cyber. They know the rules and regulations. They've got relatively decent maturity around their networks. Like everyone, it's always an ongoing process, but I think the further away you get from Sydney, Melbourne, Canberra, Brisbane, north and west, that's where a lot of our critical infrastructure is. So, whether it's a mine or a gas plant, that's where some of these critical processes have been operating probably for 50 years. And now all of a sudden we're putting a Starlink or something on the top of them and opening up to those attackers that we mentioned before that are sitting up there in Romania or in North Korea. And again, the legislation that Home Affairs has just come up with is great, the Security of Critical Infrastructure. It gives them a baseline, all these critical infrastructure entities and operators. It gives them a baseline level of cyber maturity, but certainly there's a lot more to do there. So where I always think about, back in defence, we would say effects-based operations. If I press a button here, it might actually go through a chain of processes, maybe five, 10, or maybe two, but the outcome's still the same. So maybe I want to hit some sort of a processing facility, and that might mean that we can't have fresh bread for two or three days.
Michael van Rooyen (07:07):
So, very, very, very frightening stuff, which probably leads on to a little bit of the weakest link in the chain, which is a people issue. Right, and people are generally always kind of some of the root cause of some of the problems, as in the tax, but could be not educated properly around malware or ransomware, all those sorts of things. So we know that cyber is just not a technology issue, but it's also a people issue. How can organizations kind of build a strong cyber culture amongst their employees and stakeholders to help mitigate that? I know, is it hygiene, is it training? Is it more investment? What are your thoughts?
Glenn Maiden (07:43):
I think again, and this is a challenge, and I'm probably a little bit different, I mean, obviously, for organisations like Fortinet and like mine, we've got free cyber training for anyone that's interested in it. But I think, as an industry, where we have failed is, you know? Again, I think of my mum, or I think maybe of a tax agent that is wearing a cardigan, and all they know how to do is, you know, do your accounts. And they know that. Well, I don't know about. You know, I pay someone to do my taxes because I just cannot, I cannot comprehend. But at the same token, we say, well, you know, tax agent, you also have to understand cyber, and it's such a complicated global threat. I don't know, I don't know exactly where it's going, but I think certainly things like primary school, you know, we give people, we give all our kids sort of basic information around, you know, how the economy works and basic mathematics. I think we'll have to eventually get to the point where every school leaver, whether they're becoming a hairdresser or a chef or an accountant or even a cyber security systems engineer, will have to get to the point where they've at least got basic cyber: how to spot a phishing attack, how to have good password hygiene, how to have good backups of your personal data, all that basic stuff which, unfortunately, a lot of people are learning the hard way still.
Michael van Rooyen (08:53):
And you're absolutely right, and it's something that will take a little while to get there, and it's very important that education starts early. It's not going anywhere, right. As we come near the end of our discussion today, I kind of wanted to touch on a couple other points, which is, considering your roles you've had over the years and leading teams and working with customers, et cetera, what advice would you give security leaders on staying proactive and continuously adapting to the evolving threat landscape, or staying ahead of cyber, if that's their passion?
Glenn Maiden (09:23):
I think the best thing that we can potentially do is have cyber people that can probably just relax a little bit and learn to become more part of the organization. I remember I spoke to the CISO for one of the big four banks, this was a long time ago, maybe 10 years ago, and he said, I'm not, and he was the chief security officer, I'm not the size of this particular bank, I'm a banker, and all I have is a whole bunch of levers that I need to sort of push up or push down to make sure that that risk stays in the acceptable level. So you know, if I was that guy and I was, you know, a Nazi CISO, no, you can't do that, and you would get to the point where you know that bank would not be able to do its business. So you know, every single thing we do carries an element of risk. That's just how we can do that as an organization with the lowest amount of risk and the most amount of risk that we're able to tolerate. So you can't do that alone as a CISO or a security leader. You have to be working with the business, you have to be working with the people, otherwise they'll just find workarounds. And again, this is where it's going actually, Michael, which is good. Having cyber as a key part of the business is the important thing, because it's not a business impediment like it used to be. Having a good cyber culture now and having good cyber hygiene is now a competitive advantage. I would rather do business with someone like Oro, because I know that you care about cyber and I know that you're going to protect my POI. I know you're going to protect my sensitive IP. If I thought of your competitor down the road where they're trying to do things for the best price, lowest price, least.
Michael van Rooyen (11:02):
I'm not going to go and work with those guys because I know that the risk is going to be too high. Yeah, fair enough too, and part of that is continuous learning, right. It's all around, being as a leader, staying at the forefront of it, understanding it. You've got teams, obviously, and lots of ingestion places and lots of sources of data, but it's really about that continuous learning, right, and staying updated with that, to be ahead of these things, right, and not getting caught out with it.
Glenn Maiden (11:23):
Well, I think so, but also working with smart people. So, from my perspective, as I said before, if I was the CEO of that bank, I would not expect that CEO to be a cyber expert. I would expect him to understand cyber risk and I would expect him to, or she, I should say, I'm being a bit presumptuous there, a bit old-fashioned, he or she should then go and talk to the head of security and be able to have intelligent conversations. What are the best, most relevant controls and systems and devices and people and process for me to protect my organisation?
Michael van Rooyen (11:55):
Considering your career and what you're doing today, and reflecting on your career so far, what would have been some of the most memorable or challenging experiences in the field you've worked in, and maybe even threat intelligence? But you get to see some pretty cool stuff, no doubt. And what have you learned from it? Any key learnings from your time in your career? I was lucky.
Glenn Maiden (12:13):
I was very, very lucky. So, as I said, I started out in the 90s just as a bit of a computer nerd, playing around in a lot of cases with hardware, you know, plugging in Cat5 cables, crawling under floors, cabling. You know, building servers. I was one of the first guys to sort of put a server farm together with all those blade servers in Australia in the late 90s. But I got really fascinated by cyber in the early 00s, and not because it was popular then, it was something that not, I mean. You know, if you're lucky, you had a firewall, you know, at all, maybe some antivirus on the endpoint, but I was absolutely fascinated about how you could compromise a system or break into a system. So that's only been in the last few years where that's become something that's so important. And now all of a sudden, you know, I get to come and talk to you on a podcast.
Michael van Rooyen (13:01):
I've got something worth saying.
Glenn Maiden (13:03):
But that's been the key for me and I think, you know, it's all around. You know, when people talk digital transformation and then the invention of the iPhone, you know. So we're now able to pretty much run our lives with a little pocket, powerful computer in our hand, and the bad guys know that they can make some money out of it. So now, unfortunately, and I remember I was so impressed, I saw Anthony Albanese sort of sitting up addressing parliament talking about cyber risks. Can you imagine that would have happened, maybe not even that long ago, with... Not at all, yeah, not at all, right. Even in Kevin Rudd's time. Did he ever say cyber? Probably not.
Michael van Rooyen (13:37):
No, it would have been an unusual term, right, and now it seems like we've just had it around forever, right? I mean, that's how quickly things evolve and it's not going anywhere. On that, do you have any predictions of any significant shifts you see in cyber over the next few years?
Glenn Maiden (13:53):
Yeah, I think so, so I won't go back into AI. We can probably touch on quantum. So one of my concerns about quantum is about this idea of data harvesting. We know that eventually someone's going to move enough qubits, I think what are they doing now, like 80 or 100 at a time, so someone's going to be able to move enough qubits to make the first quantum computer, and we're not going to read about it on...
Michael van Rooyen (14:18):
X, CRN. Yeah, we're not going to. No, no.
Glenn Maiden (14:20):
So what will happen? It will be, hopefully, one of the good guys, will be one of our Five Eyes partners. Yes, if we're unlucky, it'll be one of hostile nation state, and again, it's not going to be on the news. But what they will be doing right now is they'll be finding where there's data being transferred, either by over a satellite link or a cable that they might be able to get hold of, and they'll just be sucking all that into a massive big database somewhere. And once they do have that quantum capability running through a decryption system, bust the encryption, they'll have access to all this sensitive data. And while it won't be the most recent, you can imagine just how powerful any of this historic data is, so it could absolutely bring someone unstuck. So I think definitely quantum is going to be a game changer.
Michael van Rooyen (15:03):
Quantum is a fascinating one, because you're absolutely right. I watched a documentary recently when they talked about the amount of dollars being spent in the US and China to lead the quantum charge. And you're absolutely right. Even one of the recent Gartner symposiums I went to, they were talking about the same challenges, not only around the harvesting of the data, but also that this stuff's going to be powerful enough to break encryption that we've got today. So we have to think about a problem potentially bigger than Y2K, which is how do we re-engineer, how do we re-secure, how do we, things like VPN, know it could be broken quite easily if they get that right. So it's a pretty scary prospect to think about, and I do believe that it's closer than people think. Right, you're right, someone's going to crack it soon. No one can hold me to the timeline, but I think it's going to, and it's a quick, and you're right, no one will hear about it. It'll be done in some skunk work somewhere that might've already potentially. Yeah, yeah, yeah, I mean this is stuff we know about, as they say. Right, so as we wrap up, Glenn, any key messages or takeaways you want to share with the listeners before...
Glenn Maiden (16:02):
Before we finish up, yeah, I think, don't panic is probably a good one. So as, as I mentioned before, like the threat actors are getting more sophisticated, the attacks are getting more sophisticated. The time for, and I didn't mention this before, the time for an attacker to turn a vulnerability that a vendor might disclose into an attack and attack real victims in the wild, that's all the way down to about four days now. So they're really, really rapid in deploying a vulnerability or deploying an attack based on a vulnerability. So the time for us, as defenders, to go out and patch these devices is getting hard. So there's absolutely a lot of challenges around keeping ourselves secure. But I think, from a don't panic perspective, as long as you're proactive and you build that resiliency into your systems beforehand, you think about what your assets are, you think about how they're connected, get your network into a defendable place, and then you go back to the really, really old school type of things, like, you know, role-based access, defence in depth, and it doesn't matter if you might lose one battle, but you won't lose the campaign. So I think, as long as we're thinking about this now, we've got a sense of urgency, we're building that resilience into our people, process and technology, I think we have got a fighting chance.
Michael van Rooyen (17:16):
And the last question for you today is, tell me about the most significant technology change or shift you've been involved with or you've seen in your time. It can be anything. It doesn't have to be cyber related. It could just be what's changed the world or what you've seen that's important here.
Glenn Maiden (17:29):
I'll be showing my age now, but I do think it was probably the iPhone. So I remember, as you do, having your PC with the old dial-up internet, and I remember talking to one of my mates that first got DSL and he's saying, I just leave my computer on all the time, you don't turn it off. So, and not very, very long after that, we started to put something more powerful than that old computer into our pockets, and so all of a sudden, now we're not only accessing the internet from our homes, but from anywhere. So I think that's when, you know, obviously the internet had been sort of growing and growing and growing since then. But after that point in 2007, that first iPhone, and I don't know how long it took before the adoption was, you know, pretty much everyone, that's when I think it changed. That basically turned us from people that would go through and occasionally, or you know, use technology in discrete sort of blocks, to having it sitting in our, staring into our phones every single day. So I'm saying probably 2007, 2008 was the game changer.
Michael van Rooyen (18:29):
Look, I agree, it's a fundamental shift, right, and I see people just living and doing everything on their phone. It's so powerful and so incredible, right. In fact, I saw a cartoon the other day where it was a park bench with two robots, effectively AI robots, the ones that they're trying to invent with the Teslas of the world, et cetera, sitting on this park bench. One was reading the newspaper, one was drawing a painting, and all the people were walking past just looking at their phones, completely oblivious, and I thought that just really summed it up, the way we're living, right.
Glenn Maiden (18:58):
Oh, and isn't it crazy? So we could be sitting here today, like now, with our phones sitting right next to us, and have our bank accounts drained while we're sitting...
Michael van Rooyen (19:05):
Here, it's true.
Glenn Maiden (19:06):
So that's, it is amazing to think of.
Michael van Rooyen (19:09):
Yeah, it's absolutely incredible.
Glenn Maiden (19:10):
We don't have to, like, walk into a bank and get robbed by a guy in a mask. Someone can be draining our bank accounts right now if we haven't got good cyber hygiene. It is terrifying.
Michael van Rooyen (19:19):
I tried to end on a positive note. You did. Now I've ruined it. No, no, no. But look, that's some considerations. Look, Glenn, I really appreciate your time. Catch up in Brisbane. Really insightful conversation today. Thank you very much for having me, no problem at all.