Threat Intelligence and AI's role in Cyber Defense with Palo Alto's Andy Piazza and Daniel Kroese
Show Notes
In this episode of Cyber Focus, host Frank Cilluffo sits down with Andy Piazza, a senior threat intelligence leader at Unit 42, and Daniel Kroese, a cybersecurity policy expert, both from Palo Alto Networks. They discuss key findings from Palo Alto Networks’ 2025 Global Incident Response Report, highlighting the accelerating speed of cyberattacks, the growing use of AI in both offense and defense, and the increasing sophistication of nation-state and cybercriminal operations. The conversation explores the intersection of cybersecurity technology, policy, and defense strategies, including the importance of behavioral analysis, public-private partnerships, and the evolving role of zero trust in securing networks.
Main Topics Covered:
- Findings from Palo Alto Networks’ 2025 Global Incident Response Report
- The accelerating speed of cyberattacks and data exfiltration
- How AI is shaping both cyber threats and defensive capabilities
- The role of initial access brokers in modern attacks
- Nation-state involvement in cybercrime and adversarial collaboration
- The importance of zero trust and behavioral analysis in defense strategies
- Policy recommendations for the next U.S. administration’s cybersecurity priorities
- The growing complexity of securing multi-cloud environments
- Challenges in asset visibility and managing cyber risk
Key Quotes:
“So, for example, in 25% of the cases, we saw attackers exfiltrating data within five hours of initial compromise. That's really, really fast.” – Andy Piazza
“Better cyber defense is a data problem, which means it's solvable. And what is the best way to solve a thorny large scale data problem? AI.” – Daniel Kroese
“We always talk about nation states or even cybercriminals stealing data. They don't steal data, they copy it. If they stole data, we would have taken that seriously a long time ago.” – Andy Piazza
“Organizations on average take 6 days to respond to a cyber incident. When adversaries are now exfiltrating data in hours, we can actually have real time statistics around mean time to detect and mean time to respond.” – Daniel Kroese
“40% of cloud incidents were because there were unmanaged cloud assets that were out there... From a defense standpoint, you can't secure what you can't see.” – Daniel Kroese
Relevant Links and Resources:
- Palo Alto Networks Unit 42 Threat Intelligence
- Palo Alto Networks Global Incident Response Report 2025
- U.S. Government Zero Trust Strategy
Guest Bios:
Andy Piazza is a senior threat intelligence leader at Unit 42, Palo Alto Networks, and a veteran of both the cybersecurity industry and the U.S. Army. His work focuses on tracking threat actors, understanding cybercriminal tactics, and helping organizations defend against emerging threats.
Daniel Kroese is a cybersecurity policy expert at Palo Alto Networks with experience in both government and the private sector. He previously served as staff director for the House Homeland Security Committee and as Chief of Staff to former CIA Director John Ratcliffe.
Transcript
How long does it take an organization to detect something might be anomalous? And then how long does it take for you to fully respond and recover from that? We have found historically, organizations on average take 6 days to respond to a cyber incident, when adversaries are now exfiltrating data in hours.
Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and have the privilege to sit down with two leaders in the cyber field from Palo Alto Networks. First, we're going to hear from Andy Piazza, who is a senior threat intel leader at Unit 42 at Palo Alto Networks and a longtime veteran in the field and a longtime veteran in the Army. So thrilled to have you, Andy. Thank you. And also Daniel Kroese, who is a longtime veteran of policy making circles on both ends of Pennsylvania Avenue, served for a long time on Capitol Hill, staff director of House Homeland, former chief of staff to the new CIA Director John Ratcliffe, and also served at CISA. Thrilled to have both of them here. We're going to be talking about a new report they just released, and it's the Global Incident Response Report of 2025. So, gentlemen, thank you for joining. Andy, I thought we'd start with you, and I understand you just came off a long flight from Singapore, so thank you for joining us. But thought we'd start with what you think some of the key findings are. The report itself. Sure. I think there's a lot of great stuff in the report itself. I think it'll resonate with a lot of different people and different perspectives. The pieces that stuck out
to me as someone whose job, as you mentioned, is threat intel. We chase bad guys, as I say, really trying to understand the intent and capability of threat actors. So seeing the speed of attacks coming out of this report. Right. Attackers are really moving faster. That worries me as a defender. Right. That means we also have to be moving faster. We also saw with our own testing using AI in attacks with our red teams, we're able to move faster using that as well. So just that scale and speed that we're seeing both from the real world from a threat actor perspective and our own testing, that really stood out to me this year. That is, you know, something that I always worry about is, you know, in the security field, we track our mean time to detect and mean time to respond. I also kind of think of it as like mean time to attack, not to throw another acronym out there for people to memorize, but just really how fast attackers are moving. So, for example, in 25% of the cases, we saw attackers exfiltrating data within five hours of initial compromise. That is really, really fast. That means, you know, from a SOC perspective, they got to get to that alert and they got to dig in, figure it out, and try to get ahead of the threat actor and block them in five hours. It's a pretty fast turnaround for most organizations. And are we seeing pre-indicators that can sort of help the defender shrink that time? Because ultimately, are they looking for additional credentials or are they going right for the gusto? Day one? So we see a lot of use of what we call initial access brokers, which means the credentials have been compromised somewhere else, whether that was in a previous breach of that organization or on someone's personal machine that works for that organization.
The challenge with that is, you know, if you pop my personal machine, you compromise my personal machine, my SOC can't see that; there's not a whole lot of security tools compared to my enterprise, but that has my credentials potentially from remote login. So we see initial access brokers selling credentials to organizations. That means that attacker, now that second time they come in, or the first time they come into the enterprise, they're logging in as you. They're logging in with legitimate credentials. That's a lot harder for a SOC to see. Right now we have to start baselining behavior of where do those logins come in. If they're not using malware, they're just using tools that are inherent in that organization's enterprise. Right. We talked about living off the land techniques. Now there's no malware necessarily involved. They're logging in as you using tools that are already installed by your organization. Now we really have to start like doing behavioral analysis and what we call, you know, know normal, find evil, which makes it much harder. We're talking about know normal to find evil. Know normal, find evil. That's a quote from SANS Institute training. I'll give them credit. But it's really like kind of the premise as a threat hunter, right. You have to understand the behavior that you expect to see and start to look for abnormal things. And is Palo Alto Networks, are you integrating behavioral tools into your... Absolutely. From both products and services side. Right. We have quite a bit of behavioral analysis. Also my team behind the scenes, if customers have their telemetry turned on, my folks are hunting. We have a managed threat hunt service for specific clients. But my researchers are hunting across all telemetry and we're looking for specific TTPs and behaviors. Of course, we do use indicators of compromise as well, but we really want to focus on those tactics, techniques and procedures, TTPs.
When we find that behavioral stuff, we'll notify clients and we'll also pass the information to the product security teams to be able to enhance our detections. You know, one of the takeaways that I thought was also very interesting in the report and your findings is the shift, and not that these didn't always exist, but much more
disruptive and/or destructive attacks. So a little more CNA than CNE, or something in between computer network attack and exploitation. And the stats were pretty staggering. In 2024, 86% of incidents involved some sort of disruptive activity. That's pretty big. Yeah. The one thing I want to point out there is when you first read that and you're okay, okay, but
ransomware has always been disruptive. What's more disruptive about that? That is kind of the first thought that actually hit my head when I first read the draft. I was like, ransomware has always been disruptive, but what we're actually seeing is these actors intentionally going after, you know, deleting backups or deleting critical systems and really actually not just encrypting data, but really taking out systems or infrastructure and then moving on to additional disruption of extorting customers or reaching out to the customers of customers, trying to get, you know, one of the companies I use for data service gets compromised and they get my data, they're reaching out to me to try to put additional pressure. So if you're in the middle of a breach response and now your customers are calling and saying, hey, the ransomware operator talked to me. What are you doing about it? That puts a lot more pressure on that company in terms of extortion. Right. And are you also seeing more from a campaign planning perspective, adversarial use, maybe a DDoS attack coupled with the ransomware incident, or did I misinterpret? No, I definitely think, I mean, if you hear the shift in our language over the last few years, it used to be APT and cybercrime, but really we start now talking nation state and cybercrime because a lot of these cybercriminal groups are advanced persistent threats. Yep, absolutely. They are really. And some of them are proxies for foreign nations anyway. There's, we've seen some overlap this year. We've had some interesting response reporting. We have a threat research article out from a few months ago where we believe that, you know, North Korea operated, it looks like they operated hand in hand with the Play ransomware group, or there's some overlap at least in their initial access brokers. So definitely seen some nation state overlap.
But really just seeing, you know, some of the techniques, what we call a group Muddled Libra, which most track as Scattered Spider, because, you know, we need more names in this space, the way we've seen them operate in the networks. I mean, they look almost like sysadmins, right? System administrators with their skills from a tooling perspective, you know. So that's why I really want to talk about nation states. And cyber criminals really are, in many cases can be, APTs as well. And even if they are more traditional ransomware
gangs or cyber crime enterprises, many of them are provided safe haven in countries that we lack extradition treaties with. And even if we did, they're not coughing them up because they serve their interests. On occasion they do. But I will say, you know, attribution still does matter, right. We've been able to impose some costs on threat actors regardless
of where they operate from. We've had some really good wins in the last year or two. Right. With, you know, law enforcement takedowns and disruptions. You know, you look at like LockBit, right. They're nowhere near the top that they were in their prime. Not a lot of their folks were majorly, you know, arrested or going into countries where we could have interrupted them. But law enforcement takedown and disruption of their systems have really taken them off the top of the totem pole from a cybercrime perspective. And do you see the ability to scale some of those activities? Because there are so many good examples of onesies and twosies, including recouping ill-gotten gains. But what I struggle with is that's a one-off
sometimes. How do we scale that? Cause quite honestly, if we want to induce changes in behavior, we're going to have to raise the calculus to the adversary. I mean, honestly, I think it probably fits better into Daniel's category of policy. I think we've seen the increase in law enforcement
disruptions and indictments and stuff as wins that are snowballing and getting the law enforcement community and the legal community realizing that they can get some easy wins out of this. I mean, we from a vendor perspective, I know my partners across a number of companies, we share information with, with host, you know, law enforcement in a number of countries. We're happy to try to interrupt those operations. We just need, we have the data, we have the visibility, we need the law enforcement partners and the legal partners too. Right. I know plenty of law enforcement are happy to go put cuffs on, but they also need the lawyers and attorneys general behind them to go give them the authority. So as we see more wins, I think we'll get more policy support for those types of takedowns. And we're going to pull in the policy discussion in a second. But you mentioned DPRK, you mentioned North Korea. And one of the findings that I also found quite interesting was the greater use of insider threats. And when you look at it, obviously the insider threat is always going to be at the very top of the
list in terms of causing harm. And from the US perspective, whether Edward Snowden or otherwise, insider threats are always going to be big issues. But what findings did you find on the North Korea case? So the North Korea stuff is really interesting. Is it human enabled cyber or is it vice versa or both? Yeah, it's an interesting mix. Right. We're seeing. So my team's been tracking what we call Contagious
Interview and Wagemole, two of their major campaigns. Wagemole is where they're getting the IT workers embedded into companies. Contagious Interview is where they're targeting IT workers and trying to infect them. Both those campaigns have been going on for a year plus now. Pretty sophisticated too, I mean, LinkedIn and... Well, you know what stands out to me is you think about previous North Korea campaigns, other than them going after kind of the crypto markets, which they still do, right? They're still going after those guys. But you think of the previous campaigns, you think of like the big flash in the pan splash, right? Like Sony, the SWIFT breach. One big moment, not a long persistent campaign. And with Wagemole and Contagious Interview, we've been, like I said, the same campaigns for a year plus. And in the case of Wagemole, we're seeing, that's again, that's where they're getting their employees hired as either contractors or IT staff within companies. We're seeing, whether it's Americans or Europeans, depending which country we see them operating, we're seeing internal employees enabling their operations, enabling multi-factor authentication pushes when they need to get the additional codes, or doing physical touches on YubiKeys, those types of things. We also saw them installing keyboard management devices, KVMs (keyboard, video and mouse devices), physically into infrastructure on the back of computers. What's scary there is those devices have remote access through Wi-Fi or cellular, which means all of the command and control that we're seeing going to that network is not going through that enterprise's security stack, so the only tools now are anything that's on the endpoint. So if they don't have an XDR/EDR type solution, they're only relying on network security. All of those commands, all that exfil is going across a network that no one else can see. And to transition to a little bit of the discussion, I always thought of North Korea. So traditionally
organized crime, criminals try to penetrate the state and influence the state. In North Korea's case, it's sort of the inverse. It's the state penetrating organized crime. And they've done it pretty sophisticatedly for a country. If you look at midnight and get a satellite shot between the south and the north, one's lit up like a Christmas tree, the other pretty damn dark. So in a way, they're doing some interesting work. So let's transition a little bit into the policy discussion. But before I do that, I want both of your thoughts on, and you did capture this in the report, but sort of, where is AI? So we've had a gazillion discussions around artificial intelligence and the good, the bad, the ugly and the unknowns on this podcast and also in a lot of our events. But where do you see adversarial AI? Red versus blue? Where do we think this can change? And we'll let Daniel jump in on some of this here. Yeah, for me, it's the
scalability of a campaign, and I hate naming victims, but this is basically the name of the breach at this point. But you think about the SolarWinds campaign. That backdoor was present, we believe, in thousands of organizations, but the threat actors were really only able to operate against probably a dozen or so because they're using human operators. At that point, we're seeing both threat researchers and actual, you know, bad guys investigating how to use AI. There was a, I believe it was the BlackMamba malware family, that was written to replace the human operator: instead of a human doing the command and control with the malware, it was an AI bot. So when that malware checks in, it's giving it additional commands. We think about, I'm no longer limited by how many humans I need to operate a thousand pieces of malware or a thousand infections across enterprises, if we can scale that. And now I can have it collect data, do some lateral movement, do some exfiltration, and then do a kind of ChatGPT style summary of all the stolen documents, give me some bullet points. Now I can have one or two humans impact 1000 organizations, read that output and decide, okay, I do want to go dig into that spreadsheet or that database that we stole. That scale is something we haven't seen before, but it's definitely doable with the automation and the scalability of AI. And Daniel, let's pull you in now. So before we get into sort of some of the good work you've done on policy priorities for the new
administration, let's dig into this AI discussion a little bit. Yeah, I appreciate that, Frank. So recognizing that we have to be eyes wide open and sober about the threat landscape and how adversaries are leveraging AI to increase the scale, speed and sophistication of attacks, as Andy just laid out, without hyperbole, as a company,
we truly believe that AI is going to be a game changer for cyber defense. It already is. And to illustrate that point, I think there's a stat from the report we're talking about that to me perhaps is underappreciated. And that is in 75% of IR cases, logs existed that would have alerted the defender that something malicious was taking place. So you can either look at that as a really frustrating or really encouraging statistic, depending if you're a glass half full, glass half empty guy. I think it shows that we're actually first and goal, to use a football analogy there. Good work has been done by the industry to invest in tooling and sensors to give us visibility, to give us logs that something malicious might be going on. So then it begs the question, well, what is the bottleneck? What is preventing that investment from yielding better cybersecurity outcomes? And it's that we're drowning in data. Those logs existed, we invested in the thing to get the log, but we couldn't find it or make sense of it before it was too late. And that really reinforces that better cyber defense is a data problem, which means it's solvable. And what is the best way to solve a thorny large scale data problem? AI. And that's probably a good segue to the policy conversation. But we can leverage AI so that it is no longer the case that 75% of IR cases have the logs. They won't be an IR case because they would actually be able to identify it before it was too late. And that's assuming the signal to noise, that we are constantly updating what we plug into that learning model though,
right? Absolutely. And to give you an example, obviously we are a commercial company and our goal is to innovate like crazy to stay ahead of the bad guys. When we have innovation that we think is world class, we want to test it on ourselves first, eat our own dog food. So we have an AI powered SOC called XSIAM which ingests data from any
vendor you use across attack surfaces. So with the network, the cloud, the endpoint, attack surface management tools, identity and beyond, it pulls it all together. So we started testing this out on our own environment. We ingest 59 billion security events a day across our own environment into that tool. Using AI, that is triaged down to one incident that requires human SOC analysis. So you think about that upside down. The time savings there. I'm bad at math and I don't want to put you on the spot, but that's serious, right? Yeah. And it frees up people. I think our stats are, it's essentially a 65 person full time equivalent savings. Those people can be pushed to more proactive threat hunting. So no longer are analysts overworked and playing an inefficient game of alert whack-a-mole. They're actually focusing on staying ahead of the threat. And so that's a really encouraging stat. And it's not hypothetical. That is happening today and that can happen for any other organization tomorrow. I think that's why we are ultimately cyber defense optimists. And I'm happy to hear that, because I always pay attention when something bad happens. And unfortunately it's a whole lot of the time. But we do need to start flipping the script, flipping the equation. And I do think AI could play a significant role in all of that.
And this is not to get philosophical, but, and certainly not to be the Chinese fortune cookie equivalent of that in 30 seconds, but the old thinking of endpoint solutions alone and moats and the like, that's dead, isn't it? So in a weird way, you still need to protect that by all means. You still need walls, you still need castles that need to be scaled, but it's really about freeing up people to do the more proactive, we used to call it active cyber defense, related matters. But is that fair? Precisely. And another stat in the report that stood out to me. Sort of like having linebackers, not just a line, right?
Exactly. Football analogies. Yeah. So we started with first and goal, and now we're talking about layers of defense here. But 70% of attacks we observed had three or more attack surfaces that were leveraged. So not looking for one point of weakness. Network, cloud, endpoint and beyond. Multifaceted attack. Which just means that your defense has to be multifaceted and you have to be able to ingest data points across all three of those layers in real time and have people do the thornier, more analytical work, which will always exist. I mean, one of my lines is technology changes, human nature remains pretty darn consistent. Maslow's hierarchy is going to
always be, I think, in place in one way or another, but I do think leveraged right, we can at least balance it out a little bit. Let's go to your priorities for the new administration. So we've done some work on that and, dare I say, I forgot to tee up in the intro, you're one of our newest senior fellows, so we're thrilled to be able to draw on some of your work there, Daniel. But what were your big takeaways? Recommendation number one. And this is a recommendation that we provide to any interested audience right now, not just the Trump administration national security officials as they've come in, but we've had, of course, productive conversations with them. Recommendation number one, and it sounds self evident, but I like to triple
underline this one. It is time to focus on cybersecurity outcomes, measurable cybersecurity outcomes. That sounds obvious and self evident, but it is really easy in the cyber industry to fall into an inputs trap. We know the threat landscape is scary. Andy and his team and his colleagues at other companies, they do great work rooting out all sorts of scary things about the backdrop. And so as a result, what do we do? Well intended efforts across government and industry, new requirements, new funding streams to deploy this thing or deploy that thing. And so we've gotten really good at well intended and incrementally helpful efforts to invest in cyber defense and create new requirements for tooling and sensors. Sort of the final frontier is, are those making us safer? How do we know that that investment and deployment is actually making us safer? So bring in a little bit of science to the art. Yeah. Exactly. And there are two terms, or two metrics, as a company that we really care about, and what we like about these is you could explain them to anyone who's not technical, and Andy mentioned these earlier. Mean time to detect and mean time to respond. MTTD and MTTR. Those terms describe exactly what you think. They describe how long does it take an organization to detect something might be anomalous, and then how long does it take for you to fully respond and recover from that? We have found historically, organizations on average take 6 days to respond to a cyber incident. When adversaries are now exfiltrating data in hours, we can actually have real time statistics around mean time to detect and mean time to respond. So in those recommendations, one of them we put out there, the President of the United States should be able to walk into the White House Situation Room and for every federal agency see a real time stat on that. What is our detection and response time?
That is a huge departure from helpful, well intended previous efforts that produce sort of annual scorecard type things. But we have the data to have real time accountability for how nimble we are in our cyber defense and then have oversight and investment to improve those metrics. So pulling on that thread a little bit, and this is an item you and I have had many discussions over the years on, is how do we translate sort of
so government can look at its own networks, and whether it's CISA or others, in terms of looking at the civilian .gov networks, industry their own. But it's the magic between the two. Translating the nouns into verbs around public-private partnership. Yes, no, yes, absolutely.
But the good news is there's a lot of what we're seeing across attack surfaces. You can anonymize who the entity is; it is what vulnerabilities are you seeing, whether it's an electric utility, a state and local government, or a federal agency, what are the digital doors that remain open that we need to close? So how can we take that global view and then understand from a risk management perspective, where's the best bang for the buck? I'm glad you brought up managing risk, because especially when we're looking at OT environments blending very quickly with IT and the broader IIoT sets of issues. I mean, at the end of the day it is about
managing risk, right? I mean, I don't think, maybe you guys have some real magic bullets there, but we're never going to be in a position where we can say we can protect everything, everywhere, all the time, from every perpetrator and every modality of attack. Right. So it's about managing risk, battening down the items that are most essential to one's company, country, agency, whatever the metric is. Is that still the way to think about this? Well, I talk about it a lot now. If you were to start a business today, you would never have on-premises servers or any of that. Everything's going to be in the cloud, right? Yep. You're going to give, probably even do bring your
own device for the first few years to save some money. Your folks are going to use their own computers, and think about that attack surface now. Right. You've got a bunch of different OS versions and out of date patches and all of that going on in your environment. And you've got cloud visibility. I've been involved in cloud breaches in the past where it was like software as a service, where you get the notification as a client, and they're like, hey, as a, not as an individual, but as a paying, you know, company, you get that notification and you're like, oh, that's important to us. Can you give us the logs? And it takes two, three weeks for them to carve out the logs for your section. Like in a startup company, first five, 10 years, they're not going to care about security, or not going to prioritize it over everything else. Right. So we're talking, I think generally when we talk about security best practices, we're really talking about that kind of top 1% of businesses. Most aren't even able to really understand where their risk and threat landscape is yet. And as a startup, you're literally prioritizing getting a business up and running. Security is still going to be
an afterthought, even if you did want to do everything right, because you just can't afford it. Customers and salaries first, right? Absolutely. Daniel, you touched on the cloud, and I will ask you whether or not it should be designated a critical infrastructure sector, but that's a sidebar conversation. But you did mention the cloud in your priorities for the Trump administration as well. Yeah, there's a
huge cloud migration going on as workloads transition to the cloud for many of the reasons that Andy talked about. It's more scalable, it's more cost efficient, it's more nimble. If you're a startup, it's the way that your storage and compute can be dialed up in your garage on day one. That's a good trend. I think Gartner estimates that, you know. And it pushes it to,
it pushes the responsibility out of the hands of the individual to others who ostensibly have the wherewithal to protect. Right. I mean, just from a conceptual standpoint. Yeah, absolutely. And you know, I think Gartner estimates that by 2027 or 2028, close to 80% of workloads will be cloud based. So this, this migration is happening. A key feature of
that migration that's often lost. We're not just going through cloud migration, we're doing a multi cloud migration, particularly at the federal level. You're seeing a lot of efforts at large agencies where they're not using just one hyperscale csp. They're sort of the split the baby. You know, let's, let's have multiple options, dynamic. And so asset visibility from a risk management standpoint has always been a challenge. We frequently find that organizations have double the number of assets touching the public facing Internet than they thought they had. And that's not even including bring your own device to work as we talked earlier, Right? Correct. And then the dynamic nature of cloud, how IP ranges can be spun up or spun down, that just further challenges the asset visibility issues with cloud security. And then you throw on top, well, maybe it's not just one cloud, maybe you're a multi cloud and it's three or four. So it really comes down to visibility. You can't protect what you can't see. And so one of the recommendations in the blog that you referenced is like, let's embrace the cloud migration and multi cloud migration, but don't forget about cross cutting security. You have to have the ability to have visibility across all of your cloud workloads, both visibility and then operational control from a posture management, a runtime security perspective. And that visibility is essential. And that brings up the big supply chain set of
questions we're all struggling with. Maybe I'm wrong, but this is years ago that I led an effort for the government, we didn't have visibility. Is that getting better? Depends. The classic infosec answer. It depends. I mean one of the stats from the report that stood out to me for our incident response report is 70% of the incidents we
saw targeted three or more of the attack surfaces of the customer. Whether that's endpoint, their network infrastructure, their cloud infrastructure, or as we talked about with DPRK, having humans involved. 70% of the cases just really strikes home, like how complex that threat landscape is. Or they did surveillance on all of them and waited till they hit the button. Right. And then you talk about, you know, moving stuff out to the cloud. We see a lot of exfiltration in the cloud. No enterprise in their right mind is going to block cloud IP space by default. Right. Because they don't want to interrupt business operations. So with threat actors, again, it's almost a form of living off the land, using cloud sync tools and using cloud environments to exfiltrate data. They happen to own that cloud instance instead of the defender. But the SOC doesn't necessarily have that visibility or the speed, and that visibility and asset management gets a lot harder. When, you know, in the old days we just dropped agents on endpoints and slowed them down with all the agents. Now we're talking about not knowing when a new cloud instance stood up, or I've seen companies where business units got new software as a service, didn't go through IT. So it definitely didn't go through the society. You find out because you had a breach that, oh by the way, we had a bunch of data up in this partner's network. Daniel, anything to add to that in the incident response report? Just to further footstep that point. 40% of cloud incidents were because there were unmanaged cloud assets that were out
there. And so that's again one of those sort of frustrating, or encouraging because it's fixable, stats where 40% of cloud incidents, it was an incident because you didn't even know you had a thing to protect. That's where the. So if you can just create that visibility, now you're all of a sudden in the game. From a defense standpoint, you can't secure what you can't see. And from a government policy
standpoint, a lot of talk on SBOM, software bill of materials, all good concepts, but it's largely an analog solution to a digital problem, isn't it? Because there's so many parts and parts and parts. I'm reminded of the old "parts is parts," the old Wendy's commercial. But at the end of the day it's hard. It's hard because I just don't know if that's what most companies are thinking. So before they call Palo Alto Networks they do have to start doing some of their own understanding of their own environment. Right. So I think the SBOMs really help in a traditional supply chain attack or
compromise. We were talking about the Log4js where, where some type of piece of software got compromised. You know, environments I was in, I was a government contractor at the time. When Log4j came out it took us some weeks to figure out which pieces of software had it in there. Yep. So at a minimum that's going to help us drive down our response time. Right. That MTTR. Right. If we call that a key KPI. Right. Key performance indicator. That response time is huge. I was at another organization when SolarWinds happened. It took us two weeks just to identify all of our SolarWinds servers. A third week quicker than most. Well, I'm telling you, I'm not sure. They still took a third week to identify that we weren't, and I'll put this in quotes, "impacted." But if you're on an IR bridge for three weeks straight, even though you weren't infected, you're still impacted. We still spent the same amount of time and money. Right. So I do think SBOMs can help drive that down, and I would agree with that, and they're well intended, but it's not the panacea in any way, shape or form. Or is it? Maybe I'm missing something. I think, I think identity. If you, if you could only invest in one thing, it would be identity protection. Enforce multi-factor authentication for administrators. You know, do identity access reviews. You look at the way we used to control back when it was just simple, right? Quote unquote simple. Active Directory and domain controllers, you know, our domain admins, that's usually, if you're in a smart situation, they had separate login credentials for the domain admin accounts and the domain controller. And we literally had envelopes for the SOC that said "break glass" and we would lock them in a safe. And that was how the IR team could become a domain admin if they were in the middle of an IR case. We went to the cloud. We're seeing a lot of over-privileged accounts. One, because we're just trying to get the cloud to work as we're migrating.
How we do identity management in one cloud provider is a lot different than the other. And we'll just see that the administrators for the cloud will have all the permissions they need on their regular account. Which means if I pop that single user's account, now I have their admin too. We need to be looking at policies where we say, just like we used to do on-prem, if you're an administrator using a cloud service, you should have a separate account with separate credentials with multi-factor authentication in place, separate from what you use as a user. You know, you're preaching my gospel there. I really do like the idea because at the end of the day, even if you can't prevent everything, you can be resilient. But to do that you need to, you need the
identity management tools in place. So Daniel, anything to add on that? I think that also plays into, you know, post SolarWinds Zero Trust, there was a lot of effort in the federal government around that and some initial zero trust deadlines were hit September 30th of last year. But, but that's a never ending journey. The idea that you're going to have
continuous inspection and continuous trust verification across all assets, all users, all domains, all applications, all locations. That trust but verify principle, that's a never ending journey. It's not just one widget you buy. You did have a concrete recommendation around that zero trust through the lens
of Volt Typhoon, did you not? Yeah, I think there's an analog that potentially we could latch onto as a community. Post-SolarWinds, Russian APT, they breached, as has been publicly reported, I believe nine government agencies. That was obviously a concerning moment. I think to many, more concerning was the fact that they sat undetected for another nine or ten months after
that. Yep. And so the response to that was to, or one of the aspects of the response was to, implement a federal zero trust strategy, which makes a lot of sense. You need layered defense in response to a compromise like that. You know, in response to Salt Typhoon, I do think there is an opportunity, and there's no one silver bullet, but there is an opportunity to work with a lot of the providers on how can we marshal a similar zero trust effort across our telecommunications infrastructure. And of course work is already going there. No one's starting from scratch because this is just a never ending maturation process. But I do kind of think there is an analog: SolarWinds, zero trust federal networks; Salt Typhoon, zero trust maturation across some of our telecommunications backbone and, and. You bringing up Salt and in essence the computer network exploitation and espionage. I mean most people would have thought the telcos, and they would have led you to think that they're pretty buttoned down. Was that surprising to you? Well, it doesn't surprise me because
everyone. I do think they take it seriously. Like these are serious companies with smart people who have invested a lot in security. So, you know, I don't think it would be appropriate to, you know, somehow say that they, you know, are starting from scratch or haven't given due consideration. I just think as a community we always have these moments where you sort of take re-inventory and how do you best, how do
you best optimize your security posture and response? And zero trust, I think, I think is a place there where we perhaps can double down. And you think it will marshal and mobilize the community to get to the outcomes we're hoping for? I do, I hope so. With every crisis is opportunity, and I think that that could be the case here.
And to differentiate sort of Salt from Volt from Flax from Silk, I mean all these Typhoons, each one of them is a pretty darn bad day. Collectively it's a pretty perfect storm. No? Yeah, well, I think it really drives home too, as we've seen with the Salt Typhoon, at least the activity that we're aware of. Again, Microsoft hasn't published anything that definitively
said this is their model. So we've attributed some activity to Chinese groups that we believe is probably likely Salt Typhoon. But without knowing what Microsoft saw first from a technical perspective, we can't actually say. So you are using their one-to-one. You are, you are going with the Typhoon. We have our own. But I will stick with the Typhoons for the ease of the listeners so they don't have to pull up the Rosetta Stone. What is yours? Oh, no, that's okay. Don't quiz me. That's okay. But, but what we saw with some breaches that were likely Salt Typhoon, if we had a model to compare it to, was the abuse of living off the land, using tools that were already there, using normal protocols of system administrators and using identities that they had compromised. Again, those are not things that a SOC alerts on. Right. You're not seeing malware necessarily, although, you know, Chinese groups have plenty of their own malware. Plus they use quite a bit of a mix of publicly available malware. What we saw with Salt Typhoon, specific investigations that we believe that we were on, you know, they were being unnecessarily quiet, but blending in with normal tools and TTPs of a system administrator. Right. Again, it makes it really, really hard. You really have to know what normal looks like and you have to have dedicated hunters who are looking for that. If you don't. If we're able to free up folks by clearing out any alerts with AI so that you've only got one alert a day, it means your SOC can go hunt. They can really learn what your environment's supposed to be doing. And you say, you know, hey, that's weird. I've got two servers talking to each other in an interactive session. That should stand out. But that means you have to have humans going to look for that to stand out. And you don't want to get complacent either, because the adversary has a vote in this. They could be a couple steps further. Daniel, how
would you rack and stack the threat environment right now? Nation-state actor APTs now I think are equivalent to where the big four were two years ago, actually, in terms of some of the criminal organizations. But when you look at the last few years, you've seen a combination of operational disruption, which our
report highlights is increasing in intensity. And then you've also seen an escalation of what you might think of as more traditional espionage in terms of trying to sit undetected and steal IP and government information and things like that. And so when you marry that together, I think that requires an all hands on deck effort. Right. There's no ability to, to sit quietly and declare victory there. It requires an evolved approach because incrementalism is not going to stay ahead of that reality. When you've got a combination of escalating operational disruption and escalating espionage efforts, incrementalism isn't going to work. Not to just finish off with the buzzword here, but that is why we do think AI is a game changer there, because we have to automate absolutely as much as we can so the really smart people can go hunt for the new novel thing, as Andy was talking about. Freed up. Gentlemen, what questions didn't I ask that I should have? I like the last question. I wanted to
hit on that, actually. The kind of where do I rack and stack? I will say, depending obviously on which customer you're talking to. If you're talking to the federal government, you know, the nation states obviously always matter for them. But let's be honest, we always talk about nation states or even, you know, cybercriminals stealing data. They don't steal data, they copy it. If they stole data, we would have taken that seriously a long time ago, because you wouldn't have had access to your data anymore. They're copying it, right. So I'm trying to kill the term "steal data." They're copying it. So it's a pretty low impact in the short term. Ransomware, but ransomware, there's actually real impact on businesses. You know, not just, you know, disruption, but financial impact on businesses. Right. It's a billion dollar enterprise at this point when you start adding up all of the different groups that are at play. So I say to 99% of organizations I talk to, they need to be looking at cybercrime long before they get to nation states. Right. When? A few years ago, when, when Russia crossed the border in Ukraine, every client wanted a threat briefing on what Russia was doing and the impact of them. And I'm like, you need to be worried about ransomware. You're looking at the wrong. Unless you're a critical infrastructure owner, operator. Know your threat model, we talk about. Yeah, good, good. Know your threat model. Yeah. And I think having an honest conversation about what are we most likely to see and what's most likely to have the impact in the next few years, it's going to be, you know, criminal, and even "ransomware operators" is a hard term now since we've seen a lot of them move to just pure extortion without actual encryption. But you need to be looking at those cybercriminals and how are they getting in, stealing your data or copying your data and then extorting you for it. Awesome. Daniel, what questions didn't I ask that I should have? I mean, not to
turn the tables. I was hoping for a March Madness prediction. Auburn all the way, man. There's no, no, no guessing on that one. So we got to get through SEC tournament first, though. Who, who, who? What about you? I'm a University of Washington Huskies fan, for better or worse, so, you know, we had a trial first year in the Big Ten, so we'll reset and recoup.
Roger that. Well, it's going to be. They call it March Madness for a reason, so I don't have a crystal ball here, and if I did, I'd be betting. Gentlemen, thank you for spending so much time with us today. Thank you for all the work you do every day and appreciate it. So thank you both. Thank you. Thanks,
Frank. Awesome. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you'd like for us to host. Until next time, stay safe, stay informed, and
stay curious.