Protect vs. Detect
Every time you see a big cybersecurity crisis or incident – like Colonial Pipeline, Solar Winds, log4j – leaders and Boards rush out to invest more in monitoring and detection technologies, but are we neglecting the "roads and bridges" of data protection and access management? Why do investments in cryptography infrastructure and access and policy management that protect your organization and data remain a harder sell? Entrust CIO Anudeep Parhar and Dr. Pali Surdhar, Director of Product Security share their unique perspectives and why enterprises must make the shift from rewarding the cybersecurity hero that saves the day to celebrating "no news is good news."
Ken Kadet: Every time you see a big cybersecurity crisis or incident like Colonial Pipeline, SolarWinds, Log4j, business leaders and boards rush out to invest more in monitoring and detection technologies. But are we neglecting the roads and bridges of data protection and access management? Welcome to the Entrust Cybersecurity Institute podcast for June, 2022. I'm Ken Kadet. With me is Anudeep Parhar, Chief Information Officer at Entrust, and a member of the Entrust Cybersecurity Institute. Hello, Anudeep.
Anudeep Parhar: Hi, Ken.
Ken Kadet: Our topic today is protect versus detect. Why do the investments in cryptography, infrastructure, access and policy management that protect your organization and data remain a harder sell? To help us figure this all out and talk it through, we've invited our Entrust Cybersecurity Institute colleague, Dr. Pali Surdhar to join us. Pali is Director of Product Security and a longtime expert in data security and encryption. Hello, Pali.
Pali Surdhar: Hey Ken. Hi, Anudeep. Really great to be here. I'm so excited to kind of explore this topic with you guys.
Ken Kadet: I'm going to start with you Anudeep. We've talked about this a little bit and talk to us and talk to our audience about this tension between protect versus detect.
Anudeep Parhar: So this is a really interesting topic, Ken and Pali. It used to be that it was a little bit exclusive in terms of saying that when the perimeter, so to speak, the cybersecurity perimeters were different, protection was the way to protect your organization. There's a lot of technology even back in the day, things like antivirus, et cetera or firewalls, they were invented, so to speak, to put a perimeter of the old school way of doing things. It's like put a perimeter, make sure people don't come in. That's still very valid. So from my seat, it's not protect versus detect, it's actually you got to do both of them. And the balance that CIOs and CISOs and the boards and the C-suites are dealing with is how to have a balance investment in both of them. Like Pali, you referred to early on. So from my point of view, both needs to be done. I think in my point of view, it's better to protect and prevent if you can and invest. It's a harder business case to make because it's protection against something that may or may not happen. But if you are in the response role, it's a lot more easier concept to understand. It's a well understood or acknowledged fact today is that organizations can get breached or they could have ransomware attacks, et cetera. And the natural reaction is, "How do I respond to it?" So the respond business case is a lot more easy to make. But I always push my peer group, as well as the folks that I hang out with is like, "No, our job is to make a case for protection. Put better locks so that you can prevent the future." Ken you and I talk about this stuff, and Pali we've discussed in the past as well. The best thing I can tell my CEO is you explain exactly what happened with a breach or what the cyber issue was and you end the call by saying, "And we were protected. Don't worry about it, we're good." So it's an FYI, "And we are covered." It's a very, very high standard to meet. But that's how I look at it and I think the business challenge comes with how do you work with the organization to balance the investment as well as the business case for both protect as well as detect.
Pali Surdhar: Anudeep, I think that's a really interesting way to look at it because I think there's an element of education within the board as well. I sit at probably one end of the protection cycle. So the whole thing about understanding a kill chain or how we attack a system, it means that you do reconnaissance, you come in at the perimeter and then you dig through the different layers right into the sensitive assets. And I think for the longest time, as you say, it's almost glamorous and attractive to say, "I've defended and I've got metrics to say I've defended against attacks on my firewalls on my edge or the perimeter." It's very difficult to actually say, "Hey, by the way, we managed to actually defend against some attacks or prevent attacks because they weren't even able to get in or they weren't able to do their reconnaissance or they didn't get a foothold." Those things are hard to measure.
Anudeep Parhar: Completely agree. I think in the traditional business financial terms, it's very hard to make a case for cost avoidance or avoidance of certain things. It's always a lot easier to make for an outcome. And therein lies the challenge, right? Is how do you do this and how do you make a business case for protect? Fortunately, the way I see it is, and Ken we talk about this stuff, I think organizations are realizing it. And in my view, one of the biggest drivers for this realization as well as acknowledgement in the industry is just the speed that is required to respond and not to... I'm using air quotes, it's like you have to plan, you have to do a lot more protect even to respond very quickly. Think about ransomware. If any organizations is unfortunately in a situation where have to respond to a ransomware incident, there is a lot of planning and protection that is needed in order to respond to it. It's not a simple decision to make anymore. So I think organizations increasingly are seeing the speed and the level of impact that some of these breaches have. You are forced more and more towards putting protective technology so you can help actually respond to some of these incidents much faster as well. Pali, what do you think?
Pali Surdhar: I've just being muddling that over in my head. And one of the words that stuck in there is actually to do with responding. And I think that right now, as you say, we are in this place where we sit and literally you are in the mode where you respond to something that happens to you. And your argument in terms of saying let's bolster up the infrastructure and make ourselves security aware or more security opinionated, is actually to assume that we are already under attack. And I think that's the state where we are right now is that, "Hey, by the way, don't sit and wait for it to happen. It's already happening." So I don't know whether that mindset resonates with yourself, but that's how I see it. We've got to make sure that we have it. Security is a set of layers. It's not just a gateway at one point. It's basically like an onion. You've got to make sure that you have defense in depth. I don't know whether that sits well with you or whether that's controversial or not.
Anudeep Parhar: No, not at all. And again, it'll be interesting to see from a consumer of cybersecurity, as a colleague, how do you guys see it. In the discipline of protecting or in the IT disciplinary information security discipline pallet, to your point, we don't assume that something may happen. You have to be under the impression, "How do you respond when something has happened? How do you go back and take a look at are you preventing enough?" So that's an absolute where people are looking at it right now. And that happens in terms of even forming governance structures within organizations, to be able to say, "If something happens and when something happens, do we have the appropriate, for example, tabletop exercises? Especially in this hybrid and very global workforce, can we bring people to the table to respond to the set incident to make the decisions?" And as the impact of these incidents is increasing, what happens is you're going higher up in the organization. Some of the decisions you need to make, you need the C-suite, and for some of them like ransom where you need board input as well. And in order to do that, you need to be able to have mechanisms in place where you have tested it, you have done it and shown how are you going to actually do this, and if it happens, how are we going to make decisions? And you have to do tabletops. So you're absolutely correct. You have to assume something has happened, you have to be extremely prepared and do dry runs. So how are you going to make decisions? Because the company's reputation, the revenue as well as your reputation with the customers and the industry is online when something like this happens.
Ken Kadet: The challenge is often that if everybody's under attack, no one is, right? So if we're always under attack, how do you deal with that? And of course when everything starts to hit the headlines, as you guys have been saying, when everything starts to hit the headlines, there's an immediate reaction to go out and figure out how to respond to that, versus that different sense of urgency it sounds like you're talking about to defend all the time.
Anudeep Parhar: So this is really the interesting point. In order to respond, you have to do a lot of preventative work, which is you have to address time, energy and technology in preparing for, Pali like you mentioned, a potential incident. So it sort of goes to the previous point or the topic of the discussion is you have to take a lot more preventative measures in order to be able to respond to the set incident appropriately. It's an interesting time for information technology professionals to be in this space. It's a fantastic time because both ends in terms of the protect technology or the processes and the mechanisms to be able to just put the foundational infrastructure in place. It's not a choice anymore, especially with digital transformation happening pretty much across all industries. There are certain givens, it's equivalent of, not to say it that way, but these are appliances.
Pali Surdhar: Absolutely.
Anudeep Parhar: I don't go to places where there's no heat or cold or water. I don't go to places where there isn't enough protective infrastructure. And we are seeing that it manifests itself in real practical business conversations. Usually in the past when you used to be in CIO rank, so to speak, is like you can go buy a cyber insurance.
Pali Surdhar: That's a really interesting point, Anudeep, the whole thing around cyber insurance and perhaps the legal aspects. And the board actually sits up and listens when there's an element of understanding where the liabilities lie. One of the situations that we're in right now is actually if you look at it and stood back and looked at how the situation works is the guys in black hats can attack anywhere and the guys in white hats have to defend everywhere. And that whole point around the economics of how this thing works means that you're already on a losing game. So we do have to get to a default where we are being able to keep safe and prevent harm. And that's the whole notion of protect rather than rally and defend. So one of the things that I've been thinking about while I was preparing for this discussion was I thought how does it work when people talk about infrastructure and they are now being enticed into the wonderful world of cloud where they have some promises. So the idea cloud providers are saying, "Hey, by the way, you stick your stuff in here, we'll deal with the infrastructure type of challenges. And we can give you some assurance. We can put an ISO badge on it or ISO 27001 badge on this thing and you're good to go." But what they're not actually telling you is actually the biggest problems in that space are your finger trouble, the configuration errors that actually lead to security breaches. So understanding the security model in there, security of cloud versus in cloud is not really well understood. And where you keep your assets and secrets is not understood. But it is quite an emotive topic for me. So I don't know what your thoughts are and I think coming back, that's probably maybe something that reflects on what we've seen on the Ponemon report with some of the values and saying, okay, is it influenced by people shifting to cloud maybe under some kind of false pretense, to my mind. And I know I'm being very strongly opinionated here.
Ken Kadet: No, no, absolutely. And actually, you mentioned the Ponemon report and we've actually just released that into the world. This is the 2022 Global Encryption Trends report that Ponemon conducts every year. And they actually came up with a couple interesting stats. Let me read a couple to you and I'd love to hear your reaction to it. One of the things we saw, which seems to be really good news, is that there was a big jump in companies applying encryption policies consistently. This is IT pros saying, "My company applies encryption policies consistently." And that jumped from 50% to 62% of respondents. So that seems really positive. The other thing we saw is that for encryption rates across several categories, some of them pretty sensitive, either remained flat or dropped. So respondents reporting encryption of financial records dropped from 55 to 45%, payments data from 55 to 43%. And then encryption rates for IP, HR data and financial records stayed pretty flat, but they kind of hovered between 45 and 47%. So I'm curious what this says to you where you see more people are saying, "Yes, we're doing encryption policies and we're applying them consistently." And yet there's still this big gap on how much data's being encrypted. What does that say to you?
Anudeep Parhar: I'll start. I'll be really interested in, Pali, what you think. I think this is inertia. This is really, from my point of view, this we should all be taking note of this stuff. What the data tells me is there is acknowledgement and understanding that this is needed, but executing is not happening. And this is a trap a lot of organizations fall into. Without being too sort of pejorative about this stuff, this is hard work. This is not sexy work in order to protect, right? This is not heroism, this is planning, this is hard work to put the fundamentals and the basic infrastructure in place. And I get really worried when people acknowledge it to say, "Yes, encryption is needed, but I do not have the time or talent or the inclination to actually go encrypt my data." And that's very worrisome. The good thing is the information is public. And that's where people like us, we need to continue pushing in terms of the right policies, the right talent, and the right focus on rewarding this behavior within an organization. You have to actively celebrate the fact that we are putting a lot of these protective controls. This is not a choice anymore for organizations. If we do not do this, you will fall into an incident and it'll look really stupid when you look back at it. "I knew what needed to be done, I just didn't put it." It's kind of like having an alarm system at home that you never use. Then you're twice as stupid. One, you spent the money to get the alarm system. Second, you actually don't use it. So you have to do both of those things. Pali, what do you think?
Pali Surdhar: Yeah, completely agree. I think it's quite concerning when you read it's actually HR data, financial records that are actually not being paid much attention to in that regard. In fact, again, I sort of hop back to the point around education and saying do we actually understand the impacts of these things? We only respond when there's a big breach reported in the papers or when you say there's been a big ransomware attack and that's hitting your pocket. Right now, I don't think there's any legislation or regulation forcing people to follow encrypt records beyond what they do. So I think we're going to talk about compliance later on, which can be a bit of a tick box exercise. So I think what people do is they incentivize to do the bare minimum in security and get away with it because that's what they do, but not for the right reasons. And I'm saying the right reason is do it to be safe and secure. I will bang on that drum for forever because it's my role.
Anudeep Parhar: I see investments going into... As a result of some of this data. I think that's why having some of these studies and as well as having the data publicly available and having a dialogue like we are having about this stuff is we need to shift some investment into putting some of these controls. Discovering having an organization within your IT organization or the broader risk organization to be able to say that we need to actually know where our assets are, not from a traditional asset management perspective, but cryptographic assets are hard. They're very deep in the organization and actually investing willingly as well as very consciously and deliberately into saying, "We got to have discovery exercises to find where some of this crypto is." If you do it once, if you go through that work and create a baseline, in my opinion, that really helps you build on that and put more sophisticated things in place. So from my side, that's one of the biggest things we can do in addition to educating our folks, I think you got to celebrate some of this work, which is very, very difficult for organizations to do because this is the traditional person behind the person type work that just gets done and the only time it gets noticed is if it doesn't work. So you have to celebrate that, "Yes, we are actually protecting this." And then putting in enough investment behind discovery and continuous understanding of your assets as well as where some of these encryption assets sit. And that's a hard exercise, but the good news is there are a lot of new technologies as well as constructs of how to organize are coming into place, and at some point I think we should talk about that as well, Ken.
Pali Surdhar: Anudeep, you talk about assets and encryption assets and I think that might be something that perhaps creates some confusion in the worlds that we live in, because to my mind I would also regard data itself and the aggregation and use of it as an asset. I suppose you take things at face value, but when you put things together, chunks of data from different places, if I aggregate those, allows me to build up a profile or I could either build a threat with it or I could build an extra opportunity. And if we take them in isolation, they seem fairly benign. But I think maybe there's some bits where people are missing the picture as well and saying, "Okay, I'm going to protect pretty much all my crypto keys and that's all I'm worried about. Rather than some of the elements and the metadata that also relates to them." It's quite a tricky one, but when you start looking in the space, it's still part of that kill chain I mentioned before.
Ken Kadet: It's incredibly complicated as you start to get into that. I'm kind of curious, you mentioned compliance earlier and I'm just thinking about what is the role of compliance, and how does compliance help with this kind of prioritization or setting baseline standards? We started out talking about some of those big high profile events and those have really driven a lot of work in regulation, certainly in the US, I think around the world as well. But obviously compliance isn't a one size fits all , or it is a one size fits all, but it doesn't actually protect your data for you. What is the role of compliance? Should the compliance regimes be stronger? Should enterprises and governments address that need for baseline standards? How does innovation help that, sort of thing? What do you think?
Pali Surdhar: So I've got some really interesting views on this and I've probably spent too much time chasing after the different badges like FIPS and Common Criteria and even NATO type sets. Compliance does an interesting thing in the fact that it actually gives you the ticket to go to the ballroom. So you get into the arena and now you can sell to whatever institute or organization that requires it. It also, on the other hand, gives you sort of a bill of health and that's what people seek. So when someone's actually deploying a product that's certified or validated, it's the accreditor who actually accredits an entire solution, will come back and say, "Hey, I've got a tick box on this thing, it has FIPS. I'm happy, I'm good to go". Gives them a level of comfort in that sense. I think compliance can be a double edged sword and it also depends on how you are incentivize. So if you are very honest and careful about how you look at it, again, coming back to the whole security economics of it is that back in the day we used to evaluate against what they call the Orange Book. And at that time the governments paid for that. So they actually paid the fees for the validation or evaluation against Orange Book. It changed with Common Criteria where now vendors have to pay for it themselves. And what that does is it creates the wrong type of incentive. So what happens is certainly the vendor is actually looking for a path of least resistance, and they want the smoothest path through certification. As your sales guy's jumping at you saying, "I need to sell this thing real quick, can you get it through? Can you literally rush it through the certification?" And if you're trying to do something along those lines, I would dare to say that you missed things. So that bill of health sometimes might not be worth the piece of paper that it's on. So you've got to work out how do you attain a balance between doing proper security engineering versus compliance and how you manage that. And I think we do it pretty well at Entrust because we've actually got independent security engineers or security heads, and we try and maintain some kind of separation between the folks who are running the compliance so you can get some form of independent view. I know I'm sort of really literally throwing rocks at our greenhouse here, so I'd be really intrigued to see what you've got to say on this, Anudeep.
Anudeep Parhar: Again from my point of view, I think this is the natural push-pull phenomenon in business. The desire to go fast is always going to win, as it should. We are in the business of making money for our customers as well as making sure that we deliver value to our customers. And any friction usually gets push back. Especially in our industry where your job is to protect your customers, your job is to provide some of this technology for your customers, you cannot just have it as a tick box. You cannot. And I am quite proud to say that the industry at large, not just the cybersecurity industry or the software industry, the industry at large or businesses at large are actually acknowledging it. We are seeing that is especially in say the financial institution sectors as well as government or even large organizations, folks are like, "I will not buy a certain piece of technology if it doesn't meet certain compliance standards." The trend that's happening is that because of talent shortage, because of subject matter expertise, they are requesting their vendors to do it. So the push is to the vendors to say, "You need to provide me a highly compliant, highly assured system. And please prove to me how you're doing it well." So I think that's changing, but it's always been a push and pull. That's a really, really interesting way of looking at it. Personally from my point of view, what you mentioned, the separation of the... To use a soccer analogy cannot be the goalkeeper and the kicker at the same time. You need goalkeeper and a kicker because that's how you're going to be able to do some of this work properly.
Pali Surdhar: Absolutely.
Anudeep Parhar: You brought this up before, Pali. One of the things, it'd be fun to get all of our point of view, Ken, especially from a consumer of technology as well as in an organization. So when you think about some of the protective measures, the traditional way of thinking was firewalls and education, et cetera. You can protect using that, right? There are emerging things, and I shouldn't say emerging, they've been around for a while, they're gaining more notoriety now, processes and mechanisms like threat hunting, ethical hacking to actually proactively try to break your systems so you can figure out where the vulnerabilities are. This is sort of a very interesting mechanism, in my point of view, which is trying to protect by trying to break what you have today and finding vulnerability proactively. So what do you think about that, Pali, and is that a good idea? Is that something the companies should be doing more? I have my point of view, but I'd love to see what do you think.
Pali Surdhar: Yeah, I'll put my heart on my sleeve and say we should be doing more. We should actually red team systems. In fact, some of the components that we have on the products actually have to go through an external penetration test before we re-release them. I think what we need to do is actually have a model to do that on a continuous basis. And it is interesting because we pentest components, it would be quite a fun exercise in some ways to pentest our people because to my mind, I think that's probably one of the weakest links in any security model is what do we do? And we notice that there's a lot of training out there in terms of, "Hey, how do you protect against phish attacks?" And things like this. To my mind, I think those reduce in effectiveness the more times you run them because you actually learn patterns and you can actually answer the questions more quickly and then you're not aware or you're not tuned into anything that might be slightly different or a new type of attack. So the effectiveness is running out. So hey hell to red teaming and purple teaming for not only our components, but if we can do it on our environments, our sites and people, that'd be awesome.
Ken Kadet: Yeah, that's like those now ubiquitous phishing simulations that employees are getting more and more used to, especially in our hybrid world, right? And you sort of feel that little victory whenever you actually catch one and hit the phish button and win against the bad guys as an employee, which is kind of fun. So let's talk a little bit about... I think there's been a ton of advice I think and perspective on what enterprises should be thinking about on this. But let's try to sum it up a little bit. What should enterprises be thinking about and maybe what barriers are there to getting where you need to be?
Pali Surdhar: So I think one of the things that you mentioned at the very beginning in the introduction was the SolarWinds kind of attack. And that for me is a very curious one in the sense that actually it's different from many of the others. So we have seen ransomware, we also see people just selling malware as a service and being able to commoditize attacks. The Sunbursts or SolarWinds attack was very different in that the malware is planted in it. It was in situ for a long period of time, it sat dormant in a build environment. And what happened was that when the Orion software was released, it was signed with a legitimate signing key. And for me, that sort of an attack on the build system itself. So again, going back to the piece where we are saying we need to be more vigilant on the infrastructure itself. Now if you think about it in one way, you're saying, "Okay, what kind of attack was that? I didn't defend it at the firewall stage. It came in, it sat latent on our network somewhere in a build system for a long while, much after our IT guys started worrying about any kind of breaches or any kind of people coming in through unprotected ports." So the lesson I've got, or the thing that I feel that we need to be a little more vigilant about is the whole supply chain question. And that's something that I've got a big bee in my bonnet about. I think we need to be much better on where we source our components from, how we validate the software. Not only software, it's also the hardware components that we receive. So with COVID times, we've seen the whole thing about Chipageddon, there's been shortages of chips. What happens is that the spin from that is that you get a whole bunch of chips that now are sitting on the gray market and purchasers are actually saying, "Hey, can I get a hold of these chips?" Hey guess what? That's a real fantastic opportunity for me to seed the market with fairly fuddy-duddy Trojan devices because everyone wants to get hold of them. So we're getting desperate to buy stuff which doesn't exist, but we are not getting desperate to actually assess them more carefully. And so supply chain, for me is a big one.
Ken Kadet: Absolutely. So one question I have, and Anudeep I think you touched on this quite a bit, is how do we look beyond the software infrastructure to get security assurance? Where do we draw those lines of trust across software, hardware, personnel, et cetera?
Anudeep Parhar: A couple of things. The way I see it is that organizations need to start understanding the infrastructure landscape. There is a common way of looking at it is like you have the information technology assets, then you have operating technology assets. The traditional IT versus OT. OT generally speaking is a lot of operating technology which is physical in nature. You got to take a comprehensive view from an organizational point of view to not only just protect your IT assets or, like Pali mentioned, the configuration of the set assets, but you got to take a look at both of them. Some of that is from purely how you actually do it. In my mind, the reason software exists is to automate and make things easy that were harder to do in the past. That's what machines are and software is just sort of a manifestation of a machine like that. So I think we got to continue investing in that. There's a lot of innovation that needs to happen there and continues to happen to do that. That, plus people and process, I'm stating the obvious, it doesn't work if there's not appropriate people and process controls that are in place as well. And from most C-suites point of view, you got to be able to take a look at these and first believe in it and actually be able to justify the investment from business case point of view, not just threat mongering saying, "Hey, if you don't do this, you're going to get sued or you'll lose millions of dollars." But actually take a look at saying this is why it is important. This is brand protection. This is around taking a look at development of your talent. It's having the appropriate governance and controls in place. So I don't know if that answers the question directly, but it's looking at the IT and OT world and using software as the equalizer of automating things that were previously a lot more sort manual in nature. But you got to have a measurement system around this stuff. And if you don't believe in some of these mechanisms, it's very hard for it. If people think of it only as cost and try to figure out how to get by with bare minimum, you're going to lose.
Ken Kadet: So let's take maybe a last question on this. Talk a little bit about people. How do we shift or maybe create more balance in the IT security mentality between being the hero and saving the day versus getting to that point of no news is good news?
Anudeep Parhar: From my sake, we got a reward planning and protection. As a CIO, it's my job to make sure. It is my ethical and moral obligation and my business obligation to all my stakeholders, my colleagues, my customers, my board, my C-suite, my CEO to be able to put a business case that's meaningful, to be able to say, "This is not from a point of view what the return is going to be on." You got to use mechanisms like enterprise risk management. You got to have internal mechanisms to be able to project risk and to say what the benefit of actually protecting against the set risk would be. And don't wait until these become ransomware, et cetera are in the popular vernacular, then you're behind the scenes already. You're behind already. You have to address these things proactively. That's job number one from my point of view for leadership to be able to make that case.
Pali Surdhar: Yeah, I agree. I think it's still quite a hard thing to manage though, because what you're trying to say is that, "Hey, let's be boring." And that's really good. No news is awesome. If we can't show that we've had these hits on our firewall and managed to fend them off, it's very difficult in the world, as I said before, where you don't actually have a metric to say how you've defended against things. But as we have been laboring on with this conversation today is actually about architecture, infrastructure, how we do things. And to my mind, I think if we were to say measure silence or long periods of silence as value, that's probably a good way to look at things.
Ken Kadet: Exactly.
Anudeep Parhar: And I think there's a lot technology that's coming into play. This is not going unnoticed. If you see some of the investment, even in the private equity world, there is more investment moving towards respond and incident response because that's obvious and understood. But you see an equivalent amount in terms of new innovation and investment that's going into building better technology to understand, to understand your assets, to understand your configurations, to protect against that. There is a lot of work going on in, for example, providing scores, which can help CISOs and other organizations measure some of your readiness for some of this stuff as well. So all is not lost. I think that the tide is lifting everything. But the business decision for C-Suite as well as all leadership within the organization comes as are you balancing one against the other or do you have the wherewithal to actually say you have to invest in both? And the reason is not just to say that we have avoided all risk. This is how businesses are going to succeed in the future. I like to work with organizations who have a very strong protect and defend and respond. Why? Because that makes my life easy and it provides the value that I need to deliver to my customers that much more easy. So I think that's very important.
Ken Kadet: That's great. And let's stop there. I feel like we've learned a ton here. I've learned a ton here and I really appreciated the conversation. Let's wrap up with this question. As you probably usually do hanging around with lots of IT people all weekend, what's one thing you've learned? What's one thing you're going to talk about this weekend that you might want to share? And Pali, let's start with you.
Pali Surdhar: So I think one of my things was, again, when I was looking at trying to get my head round understanding what we are going to be talking about for this podcast is that I came across a book called Sandworm by Andy Greenberg. And I simply recommended it because it traces through some of the history of how some fairly pernicious malware got propagated from the 2014 straight up to even now. And that's some of the precursors to SolarWinds and even our dear friends in the Colonial Pipeline. It's a fascinating journey through how the hacker mindset works and how we can try and understand these challenges better. But I think I'm still having sleepless nights from it because it's quite a frightening story. But it definitely shows that we need to keep our eyes and ears open and up again. And the world changes. We're in a landscape that changes. That's why it's super exciting.
Ken Kadet: Anudeep?
Anudeep Parhar: So around the nerd bar that I hang out at, the conversation has been is what's Elon going to buy next? I'm only half joking because I think this is the conversation around Twitter, public speak as well as the freedom of speech, et cetera, is really interesting from, of course, a social point of view, but also from a technology point of view, to be able to say where the innovation needs to go in order to balance some of this stuff. And there's a lot of interesting points of views which are simply triggered by the simple thought with Elon Musk going buying Twitter. I'd end with one of the funny things I shared with my colleagues, it's where there was a tweet that somebody responded to Elon Musk saying, "You should go by Jira.", and said, "Make it make it more user friendly." I personally thought that was really cool because it brings the conversation into the general vernacular to say, "Oh crap, I didn't know Jira didn't have very good user experience." So I find those kind of conversations, even if they're a little bit sensationalistic, thought provoking and to say, "Okay, how should we look at it?" Because I think that's what they're intended to do. So that's what we are talking about at the nerd bar, Ken.
Ken Kadet: Yeah. And Elon Musk is not nothing but thought provoking and provocative these days, for sure. Well thank you, Anudeep. Thank you, Pali. Thanks to everyone listening to our podcast. The Entrust Cybersecurity Institute is here to share news, analysis, insights and commentary for IT and business leaders charged with protecting and enhancing IT infrastructure. The Cybersecurity Institute leverages insights from Entrust, a global leader in protecting identities, payments, data, and infrastructure. Take a look at our show page for notes and links to our content. Our podcast was produced by Steven Damone, and thanks for listening.