If you’ve worked in cybersecurity for long enough, breaches begin to seem more like the rule than the exception. Cyberattacks are becoming an inevitability in the modern environment. Since it’s likely just a matter of time, the more practical attitude is to assume a breach is going to happen and build your response plan from there.
In the 11th episode of our Cybersecurity Awareness Month podcast series, we were joined by Steve Stone, head of Zero Labs at Rubrik. He talked about how accessible cheap data storage and analytics have become, why it’s smart to “assume breach” and how the Ron Swanson approach to cybersecurity probably isn’t the best path.
The following has been edited for clarity.
Tyler Wall: Cybersecurity Awareness Month is highlighting some key behaviors like multifactor authentication, strong passwords, recognizing phishing and more. What do you think people should be focusing on this month?
Steve Stone: I think there are two things everyone should be focused on. The first is, do you know where your data is? We often talk about cybersecurity and defending environments, but we don’t often talk about where the data we care about is and how much of it there is. So I think that’s the first. I think the second is, what are your users doing? It’s very easy to look at all the breaches and the new zero days and supply chain compromises, but virtually every hacking event that we pay attention to has illicit valid access. So I think if you’re looking at your users and your data, as boring as that sounds, you’re going to cover an awful lot of ground.
Gary Cohen: The field of cybersecurity moves relatively fast. What trends or developments in cybersecurity are you particularly interested in or excited about heading into 2024?
Stone: I’ll give you one that will probably surprise you and one that probably won’t. The one that won’t is generative AI. Everyone is talking about generative AI, but I’m really interested. I think it’s some pretty fascinating technology that’s amazing in some things and not ideally suited for some other things. I’m really curious how both the blue side and the red side are going to leverage this technology, and I think some organizations on each side are going to figure out the right use cases and just blow the doors off whatever they’re doing. And I think a lot of others won’t have the right use cases and aren’t going to really see the power of that technology bear fruit. I’m really excited for what we see for proof positive in the next year.
The one that may surprise you because I think it has been out there for a long time, but I’m really interested to see how it takes shape on the adversary side, is just the sheer accessibility of cheap data storage and really powerful data analytics. These are things that used to be the sole purview of four or five governments, and now they’re everywhere. Anybody can go buy these relatively cheaply, and if you can really harness those technologies, that’s a capability unto itself. I’m deeply interested in seeing how attackers are able to get after those very ubiquitous and now very cost-accessible technologies.
Wall: You’re a well-seasoned cybersecurity individual. Can you share a memorable experience or case from your career that highlights the importance of cybersecurity?
Stone: I’ve been very lucky to be involved in a number of pretty high-level breaches. Those are almost the easy ones, so I won’t pick one of those. I think the event that really hits home to me how important this is — years and years ago when I was at Mandiant, we worked, for us, a relatively small intrusion. It was a little fin crime, financial threat, and I happened to work it just because I was physically located close to the victim. It was a regional supermarket chain. If you live where I live, everyone knows it. It’s pretty popular, not just everywhere, but they do a lot of nonprofit work with food, and they employ a lot of teenagers. My son’s first job was at this grocery chain. They’re very much a part of the community.
We came in very late into their intrusion, and what really blew me away was they were a day away from losing everything. They were one day away from shutting the doors, and this is a family-owned business. You could literally see the employees — you could see the impacts — and we were able to help them really fight to keep their company. It’s one thing to talk about the impact of some of these really large breaches, but it’s something different to look people in the face and know that they might not have jobs tomorrow. Their employees might not get paid. That really gives you something to fight for.
Cohen: You’re talking about attacks. There have been large and small attacks. Some of the big ones have grabbed headlines, like SolarWinds and Colonial Pipeline. What have we learned as an industry from this recent spate of major cyberattacks?
Stone: Oh man, that’s a great question. I think we’ve learned a couple of things. One of the biggest takeaways we should really have our heads around is that no one’s safe. This is an issue for everybody. You can’t hide from it. You can’t pretend it doesn’t happen. I’ve worked at a couple of different companies — here at Rubrik, previously at Mandiant — where we talked about “assume breach.” Breaches are inevitable, whatever the phrasing may be. And I think if any year has borne that out, it’s this year. You mentioned SolarWinds. I was very lucky to be part of the response at Mandiant as we found that, and I got to see firsthand that and work with my peers. It was this fascinating intrusion.
If you look at that event, you’re talking about Mandiant, we worked with Microsoft, who had parts of their environment compromised, and SolarWinds, who’s a leading technology company. If Mandiant and Microsoft and SolarWinds had one intrusion, not to mention the hundreds of other victims, why would anybody feel they’re safe? I just would really issue that as a challenge. That’s the first thing. I think the second thing this year has really taught us is that the fundamentals work. We are always looking for the next piece of cutting-edge technology, as we should, but what really moves the ball are the basics. Everyone hates them. They’re boring and we just keep seeing the same things again and again, but that’s what’s really helped solve these intrusion problems this year.
Cohen: Isn’t that what Cybersecurity Awareness Month is all about? Do the basics. Make it hard for attackers. Make them look elsewhere.
Stone: It really is. I mean, it is about those things like protect your users, protect your data, do the fundamentals, look at authentication, routinely review your architecture and your operations, even if you don’t think there was an intrusion. We’ve been saying these things for as long as I’ve been in this business. I don’t know that the strategic recommendations are any different now than they were 20 years ago. It just happens that they work, and we’re not probably doing enough of them.
Wall: What emerging technologies do you see impacting the field of cybersecurity in the near future?
Stone: It’s hard not to say generative AI again. That’s going to be one of them. When we look at any of those LLMs and the way that technology works, that’s going to be really critical. I think the other suite of technologies — and it could be a range of things — but I’m really fascinated by the integrators, the technologies that do the integration pieces.
I was just reading through Palo Alto’s most recent earnings statement. They gave a 132-slide review of what they see as the cybersecurity market and landscape. They have a very small detail in there, which really stuck out, which is your average security team is using more than 70 security tools. There’s no way you can effectively use 70 security tools. That’s not Palo Alto’s words. That’s me adding my commentary to their analysis. But how we integrate and leverage combined technologies, I’m really fascinated by where that goes and what that can do for us.
Cohen: We’re going to end this by throwing a fun one at you. What is your favorite movie, TV show or piece of entertainment that has something to do with cybersecurity?
Stone: That’s a great question. There’s lots of really good ones out there. I’ll probably go with the sleeper pick of “Parks and Rec.” I’m a massive “Parks and Rec” fan, and one of my favorite episodes of all time was when Ron Swanson tried to remove his digital footprint. It ends up, for those who have seen it, with him actually making it worse and basically creating a meme of himself saying, “Erase all photos of Ron.” I love it because I think we’ve all felt that way. It’s just time to have less of a footprint, time to do less, but you can’t escape it. The harder you try, if anything, you make it worse. Also, how do you not love Ron Swanson? That’s about as good as it gets.
Cohen: I love that show. Is that the one where he throws away his desktop?
Stone: Yep. If only it was that easy. I think we’ve all wanted that to be the way it works, and we all know it isn’t, which is why I really love that whole episode.