Interviewer/Host (2:34)

But cool.

Caleb Toland (2:35)

Cool. So let's dive straight into the security stuff. So I know your background is a lot in incident response and you're really like a threat researcher at your core. So what aspects of IR are most interesting to you?

Joe Hladic (2:46)

That's a big question. So I've been in and around security now for close to two decades. I've held a lot of different positions. Those positions have matured and changed over time. Things like AI didn't exist obviously back then, let alone when I started. I don't think smartphones really were a thing. I think the iPhone was just coming out. So that also reveals my age. I started actually doing vulnerability research, red team operations, exploit development. Because I came out of school as a programmer, software engineer type. Security wasn't really a degree program back then and computer science was really the only degree program back then. I mean you had hardware engineering, but software engineering was pretty linear in terms of like just computer science degree. You take coding classes, you take architecture classes, stuff like that. Now it's much different. You can go for game development to full stack development to web development. There's, there's all, there's so many different avenues and that in security as well. It's cool to see how things have branched off. But to back to your question, the reason I personally love detection engineering because one, it provided me sort of the best of both worlds. I didn't want to be a programmer like developing software all the time. And I don't necessarily. I, I was an investigator of doing incident response for a while too. But after doing that like dozens if not hundreds of cases, you. That gets tiresome as well. Well, to some people, some people I know are still doing it and they've been doing it for over a decade. With me, I that was part of my journey in terms of discovering what exactly fit me the most with security. So I get to leverage my coding sort of skill set, do a little research and understand the threat actor, understand the, the environment and landscape through investigations. It's sort of a culmination of all the things because you have to know how threat actors are behaving, the techniques they're using and then that informs how you hunt for them in the environments and stuff. And ultimately that's how you develop the Ideas for different detections. And I, I'm speaking more in the terms of not detections like IOCs, like IP addresses or domain names which are just artifacts during an investigation. I'm talking more like behavioral, more advanced sort of endpoint level detection that require immense amount of research and understanding. Not just operating systems, but threat actor behaviors and everything like that. And I would say that that is really where I'd like to spend my time or most of my time is because it, it involves everything.

Interviewer/Host (5:23)

Right, right.

Caleb Toland (5:24)

Seems like you have done a little bit of everything. And I know you've been involved in some really. Or involved in the response efforts to really high profile incidents like the Solar Winds breach. And so working through some of those incidents, you know, throughout your career. What surprised you as you worked through those? And do you see a really big difference in how organizations are addressing breaches today versus back then?

Joe Hladic (5:45)

Absolutely. I think there's different milestones. If you look at the last 10 to 15 years as a timeline for security breaches, incidents, whatever you want to call them, I mean every. It's ancient history now, but the APT1 report was the first public facing release of information where a nation state was attacking private industry.

Interviewer/Host (6:10)

Right.

Joe Hladic (6:11)

That changed that, created an entire industry. And then like a follow up milestone to that, you started seeing things like, let's see. Yeah, there's a lot of like political or attacking the entertainment industry, for instance, where you know, a nation state may be offended by say a movie or some form of entertainment media and a nation state would attack over. Over something like that.

Interviewer/Host (6:36)

Right.

Joe Hladic (6:37)

Where it's more about the narrative or the message and politics.

Interviewer/Host (6:41)

Right.

Joe Hladic (6:42)

And then another milestone after that you'd see the advent of ransomware. Where ransomware started off as like that sort of fake FBI warning where you start up your computer and you see that FBI warning like call the FBI. And it was like the scam. At least that was my memory of like the first iteration of what ransomware was. And that was many years ago. And then it evolved into what it's become advanced cyber criminal operations where they actually have their own sort of supply chain where you have access brokerage, like people who specialize just in selling initial access to other threat actors, then other threat actors buy that access and exploit targets or steal data or perform double or triple extortion. Whatever their motivations are financial or espionage.

Interviewer/Host (7:27)

Right, right.

Caleb Toland (7:28)

And kind of as a follow up question to that, I mean, what do you find is probably the most motivating factor? Is it the financial piece, Is it the political piece? Given That a lot of, you know, these breaches come from state sponsored organizations. What do you find to be the most common motivation for attackers?

Joe Hladic (7:43)

I think it depends on who you talk to. If you talk to me, where a lot of my core investigative experience was before ransomware was very common, where nation state espionage was, was really the fear. So the focus was on AP like stopping, developing advanced techniques to detect them and hunt for them and know who they were and how they operated. That significantly changed. The most impactful incidents went away from like those, that sort of long multi year persistence of, you know, espionage to breaking down the door quickly in the matter of hours and locking down environments to extort money. So I think it's very important to make a distinction. So when you ask a question like that, it's all about intention because a nation state actor, they're not necessarily, unless you're looking at very specific countries, because there are countries that do this for monetary gain. If you look at what the intentions are, the, the cyber, I'd say the cyber crime world has expanded immensely just because there's so much money involved in it. When it comes to. And the, really the one of the main problems is like the international regulations, every you look at the us, the European Union, other countries across the world, there aren't necessarily unified regulations or law enforcement capabilities that make it easy for us to prosecute criminal, like cyber criminal activity on that scale. And it's not like, you know, I, you know, robbing a neighbor's house and then local law enforcement can come and arrest me after they do the investigation. The perpetrator could be in Africa and they're attacking an entity in the United States. Well, what are the political relations around like the complication of say like the local law enforcement come to your house with evidence and with a warrant to make the arrest is not as simple when you're dealing with international relations, because the relationship between the US and whatever country, the, the of origin that, that operator, that perpetrator, threat actor, whatever you want to call them is operating within may make it extremely complicated. So cybercrime in a way has been enabled to flourish I think for many years. It's changing a bit now because we're getting smarter to it and countries are in many ways starting to work more together sharing information. But I can't give you a really straightforward answer to that because we're even seeing now where nation states and criminal organizations are also working together. So you have ransomware gangs also sponsored by nation states in order for them to avoid sanctions. So the intention of the criminal ransomware group might be money, but they might have a secondary objective to get intellectual property or some sensitive information for a nation state that's also paying. So things are a little more complicated, right?

Caleb Toland (10:25)

It's a complicated, like industrial complex that doesn't really have a really simple solution to it or simple answer to that question. So it seems like there's a pretty significant gap between threat researchers who are out there discovering vulnerabilities and saying, hey, this is a problem, and organizations recognizing and addressing those vulnerabilities. What do you think is up with that discrepancy?

Joe Hladic (10:46)

It's another complicated question. So I'll give you, I'll give you an idea on both the offensive, defensive side of vulnerabilities. There are companies or organizations that know about vulnerabilities that others don't. So for instance, like if you look at the threat actor perspective, you might have a broker sell exploits or knowledge of a vulnerability that isn't like, isn't known, it hasn't been reported or published, like as a cve, right? These would be your zero day or O day type of exploits, right? And they can get very, very expensive because once they're known, once they're detected, that's no longer a zero day and the value of that exploit goes down.

Interviewer/Host (11:29)

Right.

Joe Hladic (11:30)

Conversely, on the defensive side, there are red teams, right, that keep libraries of different vulnerabilities, things that they may discover as well as they're doing their, their, their work. And they also have to do their own due diligence of, okay, well, if they do discover a vulnerability of say a software that is not part of their engagement, there are protocols that have to be followed in terms of reporting it to the organization who creates a software, getting that vulnerability patched, releasing it publicly, all meanwhile, you're maybe using that vulnerability as part of your engagement with the client that you're working with. So it's a very, it's also very complicated, right? So you have the due diligence and the sort of ethical path of working with the vendor that is vulnerable as well as the clients that have that software or hardware that are using those using that technology that has that vulnerability. And you have to delicately balance, okay, who do I communicate with first? Because the victims ultimately are going to be the customers and clients of that software or hardware that have that vulnerability. It may not be the vendor directly or it could be, say in like Solar Wind's case, right, where there is a major vulnerability. I can go more into that, but that's more of a supply Chain sort of situation. But to more directly answer your question on I say like an individual organization level, the challenges outside of like reporting and understanding and discovering vulnerabilities, it's what do I do as an organization with the vulnerabilities that are known that are reported as cve? Okay, I mean yes, you have vulnerability scanners and then they, they identify these reported vulnerabilities in your environment and then they may offer recommendations on how to patch, fix, et cetera. But what they don't help you with is the resourcing. Or I, I might have a whole workload or a software release that's going out tomorrow, it's going to impact 10,000 customers. And then all of a sudden there's a vulnerability reported to me about some say third party library that is very critical within the code of our application. What do you do in that situation? Do you push forward with that software release that's everybody's expecting, it's been marketed, it's been. Or do you pull back and delay and fix that patch that ultimately it becomes a risk, Like a business risk management situation of do we release the software, move forward with the vulnerability, make everybody vulnerable, but sort of like fix and flight type of situation. Is it one of those where like we can pass a hot fix or is it something that actually requires a real major backend change, that we have to take it offline and actually release an entirely new compiled version?

Interviewer/Host (14:17)

Right.

Joe Hladic (14:18)

So it's not just cyber risk when it comes to vulnerability. It's also very important from a business perspective because you have to make those decisions, measure the risk of, because a hot fix versus a like a complete software patch. Completely different situation. You need product management, you need scheduling, you need engineers to do all of that work and then you need to dedicate time and they have other priorities and then you have to reprioritize everything. And that might just be one vulnerability, not many. And if you have many, it can further complicate things. So I think there's not a perfect situation like anything. I think a lot of the workflow and sort of processes that like the DevSecOps sort of process, which is sort of a subcategory of the Zero Trust framework in a way is our best current approach in terms of looping in security earlier in the development process, like vetting third party code, like vetting, doing all of that sort of vulnerability research earlier in the process to mitigate the possibility of many vulnerabilities later, even though it might still happen, it's less of a risk or chance.

Interviewer/Host (15:26)

Right, Right.

Caleb Toland (15:27)

I gave you a pretty direct and simple question, but like, the answer is, to your point, it's a very complicated one and it depends on the situation. And oftentimes, I'm sure in like the examples you shared with, like a release of a new feature or capability, then you have to make those decisions really quickly. And it involves a lot, a lot of different people, like you said, because the impact can be quite great. But I kind of want to shift gears a little bit. And I know we were talking about some, some things quite theoretical, but I'd really love to focus on the new report we just released from Rubrik zero Labs, titled the State of Data A Distributed Crisis. That's kind of a loaded title. What a name. Can you kind of elaborate on what the findings of this report are at a high level and what organizations should be doing to mitigate the risks that this, this report identifies?

Joe Hladic (16:11)

Sure. And so this report's gonna be a little different than what I think people are used to. In previous reports, there's a heavy emphasis on data security, posture management. And the reason for that is because in my research, and just experience and understanding some of the challenges that are being faced, and not just an executive level, but at a practitioner level, starts with data sprawl. What is data sprawl?

Interviewer/Host (16:36)

Right.

Joe Hladic (16:36)

An example I always give is, say, Caleb, you have an idea that, you know, Rubrik. It's the next great thing for Rubrik.

Interviewer/Host (16:45)

Right?

Joe Hladic (16:45)

You talk to me, you talk to other people, and we encourage you to do it. So you start writing up a file like, just document, like a, like a Word document, Google document, whatever. It's not sensitive yet, but you share that file with me, with others, your leadership, just to give feedback. So now say there's four people in addition to you that now, you know, have access to that file. Then all of a sudden we agree that this is a great idea and we need to escalate it up to senior leadership or executive leadership. And as the process goes and it becomes a real business plan, that maturation of the file where iterating through feedback and you're rewriting and revising, the sensitivity of that file increases. It may be public information, let alone internal, start to become internal information. But as that, that file matures, more people see it and want to implement or enact it. Then all of a sudden I might be a highly classified file. And when that file becomes classified as such, how do you control access? How do you control where it lives? Because those control, those controls, though, may not have existed when you conceived the idea right when you started sharing the file. So now you have to retroactively sort of look at. And I'm not saying this is done. Okay, this is what the ideal process should be. And it gets very hard at scale. And that's the challenge is that what should happen is that there should be a retroactive sort of assessment of like, okay, who had access to this previously? Do they still need access to. Okay, cut off access to people that no longer need it. Now it's highly classified. You still have access to it since you're the originator and maybe senior and executive leadership are the ones that are in control and then they will delegate for implementation who has access to it in terms of that.

Interviewer/Host (18:31)

Right.

Joe Hladic (18:31)

That's the ideal perfect world situation where you're monitoring who has access to it, maintaining it on a daily basis of like, okay, now it's highly classified, controlling who has access to. But we're also. You have to also take into account where is it living. Say you're using Google Drive and that's where you started the file and that's where you shared it. Okay, well, as you're sharing that file, it branches out like a tree. You're sort of that root node. But as you start that access, share starts looking like a tree where you're branching out. And then maybe those people that you shared with shared someone else or many people and you start seeing this sort of like branching tree of access. Now as that happens, that file could also end up in other spaces than drive. It could be in SharePoint, it could be in Jira, Confluence, Slack, okay, like now, now you're. The data is not just sprawling through an identity space, it's also spreading through a platform space. And that's what data sprawl effectively is, is you have one file that could wasn't sensitive, that matures into something that's highly sensitive and it sprawls into like massive, maybe potentially uncontrollable ways to other platforms and people. Okay, that leads to incredible data complexity. So one of the findings that are going to be really addressed in this report is really addressing that problem. We're going to be focusing on a lot of Rubrik's production data, not just its backup data, showing where a lot of highly classified sensitive data, where it's located, how it's classified, is it pii, is it pci, is it both? And really understanding or providing that context so that security practitioners and executives, one can identify where their data is. Because you can't make decisions or take actions on what to do about the data without knowing or having visibility to where it is and who has access to it. So there's a few challenges, right? There's the lack of visibility, lack of centralized management, and just lack of control in many ways. Like the example I gave. How do you control that spread? How do you do that at scale? Because when you really think about it, as I laid it out, it's a lot of work to do it for one person or one document. What if you have thousands or millions of these files? So that's, that's kind of the. Where data security posture management comes into play is like, well, one you want to start with, what's your data security posture? Where are all my sensitive files? Where are they located? That at least provides me information that then I can start making decisions. I can start writing policies, processes, procedures, I can start working with engineering to automate certain things. So what I told you about with data Sprawl, right? That shouldn't be a person going in and every day and be like, okay, does this person need access or does this person need access? That gets unmanageable very quickly. So you need automation, you need technology to solve these problems.

Interviewer/Host (21:28)

Right? Right.

Caleb Toland (21:28)

And you also, in addition to the report you wrote a blog, kind of talking about this concept of identity is the new perimeter. Do you think these types of innovations within data security will have the most significant impact over the next few years? What's kind of your thinking behind that?

Joe Hladic (21:42)

I think it's a great slogan, but I think it, in many ways it oversimplifies the challenge.

Interviewer/Host (21:48)

Right?

Joe Hladic (21:48)

Like it's a great headline. Like for instance, everybody understands if you're in the cyber field, like okay, yeah, I get it. Because now we're talking about cloud, you know, identity acts as the perimeter to hybrid multi cloud environments because the identity is the one that basically governs access and provides the user the ability to navigate in within their environment, across many platforms and resources, et cetera. The problem is, is like identity isn't a static perimeter, it's dynamic. And what I mean by that is like identities are managed, they're, they're created, federated, expire constantly. If you have the larger, the organization you get, the, the amount of activity that just occurs with identities on a daily basis could be immense. There's access requests to new applications, right? You have a new hire that comes in and they're onboarding. Then they need 12 applications or platforms that are to just to do their job. And then as they do it, they, they, they realize like, I feel like Everybody's gone through this like, oh, I need access to four or five more things because I can't do my job because it wasn't part of my onboarding. And then you have to go through it, do the request. And the problem is, is like who's vetting these requests? Because the oftentimes, like the ones who execute the request and give you access to different resources or applications, is it. And then they loop in your leadership for approval typically.

Interviewer/Host (23:07)

Right.

Joe Hladic (23:08)

That's not a foolproof solution. It's easily manipulated, easily exploited at the.

Interviewer/Host (23:14)

End of the day.

Joe Hladic (23:15)

And then also the problem is, is like identities, they live in different sort of cloud environments, they use different protocols. An identity can span not just multiple machines, but also humans as well. So it's not just a perimeter, it's like, it's one way to frame it, but it's more of like a shifting attack surface. And the reason why I say all of this is because. And identity as a perimeter is kind of, it's not something that I came up with. It's been around for years as a sort of phrasing.

Interviewer/Host (23:42)

Right.

Joe Hladic (23:43)

But it's been popularized because it's simple to understand. But what it doesn't say is like if you think back to what the old network perimeter was, when I say old, it's. They still exist obviously, but there's less of an emphasis on it as a perimeter now. But what did we do to address that perimeter? We implemented visibility and detection mechanisms for policy enforcement. So you know, in firewalls you had things like context rules or content rules, so you could flag things based on the content that, that users are accessing or context.

Interviewer/Host (24:16)

Right.

Joe Hladic (24:16)

And then you had different detection response systems like ndr, like network detection or like things like Snort for monitoring network traffic and packet captures and stuff like that. Similarly, you need that same sort of mindset and practice for the identity. So visibility and detection are paramount because similarly to that network perimeter where you're, you were able to see like DNS requests or where a user was navigating on the Internet and you could block websites, you know, things of that nature. Similarly, the identity is, is acts as that same sort of concept where instead of just websites and monitoring what websites people are accessing, it's about more or less resources. A website is one example of a resource. Now there's resources in multi cloud environments and the. It's a much more generalized environment concept. So I hope that answers your question.

Caleb Toland (25:13)

Yeah, yeah, for sure, for sure. That was great. That was fantastic. So what I'd kind Of like to end in this episode on is looking, you know, towards the future. What are going to be some key focus areas for Rubrik Zero Labs moving forward and are there any things you're keeping an eye on in particular, any vulnerabilities, anything, you know, evolving threats that, that you're keeping a close eye on?

Joe Hladic (25:34)

Great question. I'll try to keep it concise because there's a lot there and I could spend another 15, 20 minutes answering you. So what I, what I will say is Zero Labs moving forward is really going to work inside Rubrikrik to really push forward what we can do in the realm of enhancing our capabilities when it comes to say, incident response and recovery, providing new features and capabilities, working with the product teams and engineering teams to really figure out, like, what are the limits of detection here? What are the limits of hunting? Because we have a large amount of data, it's backup data, but people don't usually look at the backup data until they're ready to recover. So how do we, how do we move that earlier into the pipeline? So like when an investigator is sweeping or scanning an environment, why not loop in the backup data too? So you can also find, in, find a, an image to recover to without having to do that later. So that's one aspect. Another aspect too is like when we talk about the Zero Labs reports. The report that's coming out is really serving as a foundation for future topics that are going to be built on top of it. So we talk about a lot about data sprawl, data complexity leading to data security posture management. Why is that important? Well, that all applies to things like AI. When, when you have data lakes and companies are starting to integrate their own systems and processes with AI, you, you want to make sure that your data lake is secure. You want to make sure that you know where your data is, how it's classified, how it's labeled, what your data security posture is before you start feeding it into an LLM. So we'll talk a little bit about AI and the implications of that. I, I'm really looking forward to the research in that area as well as identity. We have some points around identity in the next report, but I want, I think there's enough to talk at a much larger level and scale around identity and how that works in tandem with data security posture management. They're not separate. The whole point of an identity is really to govern data access and then track it and monitor it so they're intrinsically linked. So I think there's a real opportunity to build upon the report that's coming out spring with a lot of other topics on top of it that all relate to each other. And that's one of my main goals moving forward, is start with this report. It's like any foundation to a house. It's not the most interesting part of the house, but it's the necessary part of the house. And I want to reiterate that.

Caleb Toland (27:58)

Fantastic. Fantastic. Well, I'm looking forward to seeing what's coming in the future, too. Really looking forward to seeing what folks have to say about the report once they get to take a look at it. Joe, thank you again so much for spending some time with us, letting the audience get to know you a little bit better, and looking forward to talking more in the future.

Interviewer/Host (28:14)

All right.

Joe Hladic (28:15)

Thank you, Caleb.