Marisa Magee
[ 00:00:00,250 ] All right. I think we're live and happening.
Marisa Magee
[ 00:00:04,870 ] So good afternoon everyone and welcome. Thank you so much for joining us today for Inside a Cyber Breach: How Attacks Really Unfold, our final session of RMIT Online's Future Skills Fest. So many memories. Such a good week. My name is Marisa Magee. I'm Product Delivery Manager at RMIT Online. And before I get started, I'd like to acknowledge the people of the Woiwurrung and Boonwurrung language groups of the Eastern Kulin Nation, on whose unceded lands we conduct our business. I respectfully acknowledge their ancestors and elders, past and present, and I'd also like to acknowledge the traditional custodians and their ancestors of the lands and waters across Australia where we conduct our business, and recognise their ongoing connection to country.
Marisa Magee
[ 00:00:50,270 ] Today's session gives us a look inside a real cyber attack: how breaches actually happen, how attackers get in, and the warning signs organisations often miss along the way. We're joined today by Riccardo Galbiati from one of our long-time industry partners, Palo Alto, who will walk us through the real-world impact of cyber incidents and share some practical insights on how businesses can better prepare and respond. But before I hand over to Ricardo, just a couple of housekeeping items. This session is being recorded and will be shared with attendees after the event. We'd love for this to be interactive, so please drop your questions in the chat throughout the session. And when submitting questions into the chat, just make sure you send them to everyone so the full audience and our team can see them. We'll leave time for audience Q&A at the end of the conversation. So without further ado, let me hand over to Ricardo.
Ricardo Galbiati
[ 00:01:44,620 ] Thank you so much, Marisa, and welcome everyone to the last Skills Fest session of the week. I wasn't aware that was the case. It's really my privilege to be able to close off this awesome initiative. And first and foremost, I'd like to thank RMIT for partnering with us and for giving Palo Alto Networks a platform to talk about the important topic of cybersecurity.
Ricardo Galbiati
[ 00:02:06,410 ] Um, and.
Ricardo Galbiati
[ 00:02:08,100 ] I hope that the next few minutes will give you a bit of an insight into what it looks like to defend against modern cyber attacks, and especially where artificial intelligence plays a role in this new, dynamic environment that we're facing.
Ricardo Galbiati
[ 00:02:25,970 ] As Marisa mentioned, I am Riccardo Galbiati. I'm the regional Chief Security Officer at Palo Alto Networks. I'm based here in Australia, in Sydney, and I've been with the company for 10 years. That's quite a long time in this space, I would say, considering also the fact that Palo Alto Networks has been around for 20 years. So, about half the life of the entire company. Before we get into the details of cyber attacks and how they unfold, I think it's important to let you know who I am representing here. Palo Alto Networks is effectively the largest pure cybersecurity vendor in the world, by size and by number of customers. We focus purely on cybersecurity and we have a specific mission, which is to protect our digital way of life. As you can see, we have presence in some of the top organizations in the world. And you might even recognize some logos in here of organizations in the region that trust us and use us as their cybersecurity partner of choice.
Ricardo Galbiati
[ 00:03:28,380 ] RMIT, of course, is in partnership with us. We take care of their cybersecurity as well, along with that of many other universities, financial institutions, and large government contractors in the country and beyond.
Ricardo Galbiati
[ 00:03:42,260 ] Now, the major differentiator, I would say, in how Palo Alto Networks has approached cybersecurity over the past 20 years has been that of creating platforms. What do I mean by that? Well, cybersecurity in general is a very fragmented space. If we think about it, there are a lot of challenges and, in the majority of cases, there are products that have been built to fix individual challenges in a very disjointed fashion. So, over 20 years ago, when we initiated this journey of building the largest cybersecurity company in the world, we started with network security, which you can see here on the left. That is the world of firewalls, if you will, which dominated cybersecurity as the only real place where you could do security in the network for the best part of 30 years. So back then, we started simplifying the world of firewalls and embedding into what we call the next-generation firewall multiple capabilities that used to be tools and point products surrounding the firewall.
Ricardo Galbiati
[ 00:04:45,100 ] That effectively became our very first platform, which still exists today. And it has evolved since into more virtualized capabilities delivered as a service, providing that security plumbing effectively among all communications, including remote access, for example, perimeter protection, segmentation, and beyond. Then, after about 10 years, I would say, so pretty much the time I started at Palo Alto Networks, we decided to also venture into the space of cloud security and security operations.
Ricardo Galbiati
[ 00:05:15,020 ] Now, these two sound disconnected in theory, but they're very much related to each other, because the majority of breaches start in the cloud now, and the way to detect them was very manual and without full visibility. So again, a lot of fragmentation that was primed for consolidation, and we built a platform that takes care of visibility across cloud and security operations, leveraging a lot of automation and AI.
Ricardo Galbiati
[ 00:05:41,120 ] And more recently, actually, I would say this year specifically, we started our journey of expanding our capabilities into the identity space. Now, identity has been critical in cybersecurity for ever so long. The question that you want answered before you grant any access is: who are you? Are you supposed to have that access or not? And that is all about identification, authorization, and permissions in the environment. So we completed a large acquisition this year of a pure player in the identity space, and we are in the process of developing capabilities and enhancing the capabilities of the other platforms with identity included as well. But that's enough on what Palo Alto Networks does. I think that we're all here to talk about cyber incidents, because unfortunately they're still making a lot of headlines. They are costing organizations a lot of money and reputation. And I think that we also have a problem of desensitization
Ricardo Galbiati
to cybersecurity breaches. I am pretty sure that most of you in the audience would have been impacted in some way, shape or form by some data breach in the past few years. I know I have personally, and we tend to see this happening so often, and the consequences of this are so unclear, that we tend to kind of dismiss them. And that is actually a big problem, because it's creating a constant cycle of business opportunity and maybe even a lack of interest in fixing things where they should be fixed and avoiding more of these headlines. But I guess the question that we should start with is: what are the motives?
Ricardo Galbiati
[ 00:07:23,150 ] Why would someone perform or attempt to breach into an organization? What are their goals?
Ricardo Galbiati
[ 00:07:30,100 ] To keep it simple, I would say the primary driver behind the majority of breaches is pure financial gain. We are talking about stealing data and holding it for ransom to get some payment in exchange for returning it. Or even holding your systems to ransom so you cannot operate until the attacker unblocks or releases your own operations from that ransom situation. Again, with the goal of getting a financial payment. In some cases, these attacks are designed to actually cause a direct service disruption. It could be due to larger-scale geopolitical machinations, or industrial espionage. These are effectively not tied specifically to financial gain; however, in some way they could again lead towards asking for a ransom, asking for a payment unless you want to be disrupted in your services.
Ricardo Galbiati
[ 00:08:33,370 ] Now, behind the motives, obviously, there are actors. And these actors vary as well, depending on the type of attack and the motivations.
Ricardo Galbiati
[ 00:08:41,210 ] The three main areas where we can pinpoint who these actors are: first, the opportunistic types. Those are the ones that effectively tend to recycle existing techniques, attacks, procedures, and tools to cause havoc in the most distributed way in order to somehow make some money. They are still very dangerous and can cause a lot of problems to organizations, but they're not as organized as the second category, where we actually have fully professional, organised cybercrime groups.
Ricardo Galbiati
[ 00:09:16,470 ] Think about this as running a business.
Ricardo Galbiati
[ 00:09:19,520 ] Including having support capabilities, having tooling, software development, and services that they can sell to each other in order to make a gain out of cyber attacks. It is not uncommon nowadays, on the defensive side, to negotiate with this type of professional cyber group to figure out how to get out of this mess, and to have on the other side a fully professionally led conversation, as if you were talking to a customer support center. But in reality, they're still there to extort some money, or for some greater goal, similarly to running a business. Then there's the third category, which is one of the most interesting. As you know, wars around the world are still conducted on the ground and in the air, but there is a huge element of cyber espionage and cyber war as well. So this is where states sponsor highly skilled hackers to perform tasks against other countries, in some cases even against allied countries, to gather intelligence and try to find a way to have an advantage in case things escalate.
Ricardo Galbiati
[ 00:10:32,030 ] Now, the typical flow of every attack is not very dissimilar, regardless of the motive or the actor behind it. It tends to start with an entry point. That is the initial attack surface that gets compromised, where an attacker gets a foothold in a certain environment. That could be achieved through what we call social engineering, so talking someone into giving you access. Or, in a more complex or, I would say, more articulated way, building exploits that leverage vulnerabilities in software. This requires a lot more skill as opposed to social engineering, but the two can go hand in hand. The next step is: okay, I have a foothold. I have initial credential access or I have initial access to an application. Then I need to move from there to where the important information lives, either the information I need or the information that is critical for the business. That is called pivoting, or lateral movement, effectively.
Ricardo Galbiati
[ 00:11:35,570 ] That is achieved by moving throughout networks, across systems, escalating privileges, and getting control of the environment; this is step number three. Controlling the environment and having the highest level of privileges is the holy grail of any attacker because, at that point, they can decide what to do with that information. Do they want to obstruct you from using it? Do they want to export it and sell it to someone else? That is the end goal of the mission, and they can finally complete their task at that point. So these attacks are mostly performed along these lines, but I wanted to give you an actual, real example of something that we have experienced. Palo Alto Networks also runs incident response and threat intelligence capabilities, so we have people that study these attackers and investigate how they operate. And they've exported to us a few examples of real attacks that they've defended against. This particular attack happened in the last two years, and I can't give particular details on who the victim was here.
Ricardo Galbiati
[ 00:12:41,560 ] But the idea, as you can see, follows that general scheme with a few more details. We had an attacker that leveraged AI to build phishing content, so an email that looks very legitimate and very well prepared, without spelling mistakes, for example, and at the same time even prepared a deepfake voice to be able to converse with an employee of a certain organization. So by sending that very well-crafted email and calling them, and deepfaking the conversation on the wire, they convinced this employee to access a system, thinking that it was a legitimate one, while instead it was a fictitious one. That system, which the attacker led the employee to access, was effectively used to harvest their credentials: you input your email and password in there so that they could store it and leverage it against a supply chain component of that organization, in this case, as you can see,
Ricardo Galbiati
[ 00:13:44,160 ] Salesforce. Logging in with legitimate credentials on Salesforce gave the attacker basically the full privileges that the employee originally had, and allowed them to exploit certain functions, legitimate functions in the software, to generate reports, for example, about the data that the Salesforce instance contained: the customer database, sensitive information, financial interactions, etc. And with a simple couple of extraction functions, they could export that information out of the environment. Now keep in mind that obviously there is a bit of preparation to perform this type of attack. But from the point of logging into that application through to the exfiltration, that didn't take more than 60 seconds.
Ricardo Galbiati
[ 00:14:31,150 ] So maybe a few days or a few hours of preparation for an execution that didn't take more than 60 seconds in itself. And that is the big problem that we're having today with cyber attacks, which is time compression.
Ricardo Galbiati
[ 00:14:44,570 ] Attackers are becoming a lot faster, and a lot faster than defenders, especially. And I will explain the main reasons behind this asymmetry between attackers and defenders. But the truth is that, again, according to Unit 42, in 20% of cases, exfiltration, so getting into an environment and exfiltrating valuable information that could be used for ransom or for resale purposes, happens within one single hour. While on the defensive side, we are still dealing with manual responses that tend to span into a timeframe of days. So we are on the brink of losing this race, and there are a few things that need to be tackled. And I'll talk about that in a moment.
Ricardo Galbiati
[ 00:15:30,870 ] Another important thing that we need to discuss is obviously the initial vector, because if you want to break an attack, you could stop it at each one of those four points that I mentioned before: entry, pivoting, control and exfiltration. But the earlier you start, the better you place yourself. So understanding where the more likely entry points are is critical. According to our research, as you can see, the vast majority of entry points rely on credentials
Ricardo Galbiati
obtained by phishing, or credentials that have been stolen in earlier attacks and then recycled
Ricardo Galbiati
for the specific campaign that an attacker would have. Or exploiting software vulnerabilities; this is a very important one. I'll go back to it in a little bit, because software vulnerabilities are obviously exposures that you are running with, that you might not be aware of, and they obviously require patching in order to be fixed.
Ricardo Galbiati
[ 00:16:24,380 ] The interesting part, though, is that identity, as I said, tends to be leveraged in at least 65% of cases as the initial vector. That is also why, as I said, Palo Alto Networks has recently committed to expanding its capabilities specifically in the identity space, because we cannot discount anymore the importance of what it means to enforce proper identity
Ricardo Galbiati
and persona controls: if you have a certain role in an organization and you're authenticated with those credentials, you should only have access to what matters to you, not to everything. And the less privilege we allow to every persona, the more we reduce the likelihood of an attacker moving beyond the means of that identity itself.
Ricardo Galbiati
Identity, though, is one of the main attack surfaces; we have actually experienced attacks that involve multiple of them simultaneously.
Ricardo Galbiati
[ 00:17:24,640 ] And again, this is important to consider when we're trying to defend. If we focus purely on each one of these attack surfaces individually, we might miss the big picture. Some attacks have been able to span across eight attack surfaces simultaneously, linking them together as an attack path. So we need to evolve our thinking beyond the point-product-per-challenge conversation, as I was discussing at the beginning, and focus on a more holistic approach, big-picture visibility, to understand what is normal and what is not.
Ricardo Galbiati
[ 00:18:00,600 ] So the three critical gaps that are currently putting defenders on the back foot compared to attackers are highlighted here.
Ricardo Galbiati
[ 00:18:09,720 ] The first one is the fact that, organically, unfortunately, every organization has been going through a process of incremental adoption of features and capabilities in terms of tools.
Ricardo Galbiati
[ 00:18:21,160 ] They've added them to the stack over time because they were available over time and that created a massive complexity.
Ricardo Galbiati
[ 00:18:27,700 ] Shift.
Ricardo Galbiati
[ 00:18:29,730 ] If you have a complex environment that you are struggling to understand and manage yourself in the first place, then attacks are going to find gaps in between that connective tissue.
Ricardo Galbiati
[ 00:18:41,410 ] The second part, which follows from that complexity piece, is that visibility becomes very complicated. Again, each one of these tools tends to have its own little silo or backyard of visibility, and it doesn't connect with the rest of the tools. While attackers have become, again, very good at exploiting multiple attack surfaces simultaneously, so we need to enter the game of defending with that same visibility, aggregation and context. And finally, identity. We have said it a few times already, but excessive trust in identity is one of the primary risks at the moment.
Ricardo Galbiati
[ 00:19:17,010 ] Using identity properly and mitigating the effects and the span of that identity utilization is one of the best ways to reduce the attack surface and exposure in the first place.
Ricardo Galbiati
[ 00:19:29,040 ] And in fact, these are the main recommendations that we're giving all organizations that are getting ready to face the next cyber attack. The first piece is to start with the idea of consolidating your tools into a simpler way of consuming and managing them. That is exactly the platform approach that we've been discussing at the very beginning, and the one that Palo Alto Networks has been investing and betting on for the best part of 20 years. If you convert tools that used to be run and managed individually into functions of a common platform, then it's going to be a lot easier to deploy new services, to consolidate the management and, as a consequence, the telemetry that you can see in the middle. Consolidating telemetry from multiple tools into a huge unified data lake is the best place to get as much context as you can across the entire environment. So by that point, you will not have to look into each tool as an individual piece, but as a piece of the same puzzle.
Ricardo Galbiati
[ 00:20:32,090 ] And that will give you the opportunity to move away from manual-driven processes and leverage AI where it makes sense, where you have a lot of data to contextualize it with and operationalize response.
Ricardo Galbiati
[ 00:20:46,550 ] The last piece goes without saying that identity uplift is critical.
Ricardo Galbiati
[ 00:20:51,840 ] Now, using identity as a new control plane, some people call it the new perimeter. I don't know if I agree with that particular statement. But the truth is that attackers tend not to break in anymore; they log in. So uplifting our capabilities in identifying the behaviors of each persona behind identities has become critical.
Ricardo Galbiati
[ 00:21:16,840 ] And now we cannot, of course, skim over the topic of artificial intelligence, because it has created, of course, a lot of benefits to organizations, or it is in the process of creating a lot of benefits, but it could also create a lot of problems. But let's start with the positive first. Of course, artificial intelligence is here. We are all hearing about it. We are probably hearing too much of it by now. But the gist of it is that AI can help us be more efficient, and it can help us do things a lot quicker and faster than we were used to just a few years ago. Think about developing software a lot faster, or resolving operational issues with an AI-driven automation process that didn't exist just a couple of years ago.
Ricardo Galbiati
[ 00:22:03,230 ] But what if attackers on the other side could leverage those same efficiencies on their end? That is the topic of AI as a weapon. I don't know if you have seen the latest Mission Impossible movies, where the Entity AI was effectively the most threatening potential attacking element in the world, and Tom Cruise and friends were fighting against it to try and block it. We're not at that point yet, but I think we've definitely evolved from AI just being good at helping an attacker build better emails without spelling mistakes, better phishing campaigns, to actually using it as a weapon of offense. And it is news of only a couple of weeks ago now that the latest frontier AI models, of which Anthropic released, only in a preview fashion, the one called Mythos, are becoming a huge concern for the cybersecurity industry as a whole. Now think about a model that can reason like a code developer or a hacker, understands application logic very well, can read and write code in real time, and has the brain of a combined army of thousands of researchers with their own experience from the past 10 years. You can leverage this tool and point it at a specific application until it finds a vulnerability.
Ricardo Galbiati
[ 00:23:33,370 ] And if it does, build an exploit, so a mechanism to exploit it, in real time.
Ricardo Galbiati
[ 00:23:40,090 ] Now, luckily, Palo Alto Networks has been selected as part of Project Glasswing, which is the way that Anthropic has decided to release this type of model in a limited state. We've tested these capabilities against ourselves, against our own product code bases, and we have found a definite step change in capabilities in detecting things that we were not aware we were doing wrong. So most of them have been fixed now, and we have released a few patches. But the worry is for the rest of the world: are we prepared if an attacker was coming after us with this type of capability?
Ricardo Galbiati
[ 00:24:15,010 ] Because you can imagine the advantage that they will get in discovering vulnerabilities in minutes, meaning faster than any human, or even any previous AI tool, could.
Ricardo Galbiati
[ 00:24:27,770 ] A new vulnerability is called a zero day because you have zero days to be able to fix it. There is no patch available for it to be fixed. And combining that capability with automating the entire four steps that I was mentioning before, the attack flow from the entry point to the pivoting to the control phase and exfiltration, and delegating that to an agent that is omniscient and understands how to do those steps at scale, that is going to put a lot of pressure on the defensive side in terms of the scale that we need to face and in terms of the speed at which we need to react.
Ricardo Galbiati
[ 00:25:06,850 ] And those numbers that I was referring to, exfiltration times, are going to go lower and lower. We have already seen a shift in the time from compromise to exfiltration: the one-hour benchmark has now become the standard. And 15 minutes is what we expect to very soon be the time between the discovery of a vulnerability in the wild and the initial attempt at exploitation. So it's on us. How do we adapt to this evolving landscape that puts AI in the potential hands of an attacker coming after us? And the answer, again, goes back to a rethinking of the approach. If we are faced with an attacker that not only understands the process of the attack very well, but can delegate the task to an agent, we need to defend with AI in our arsenal as well. So the first piece, again, is that extending visibility across the environments that we're running is paramount.
Ricardo Galbiati
[ 00:26:13,620 ] Remember, if you can see something, that point of visibility can become your sensor and your point of enforcement at the same time. Think about having eyes everywhere: everywhere network connectivity is, everywhere an endpoint is running a program, everywhere a cloud is running workloads. Each one of those locations should be your new sensor and point of telemetry generation.
Ricardo Galbiati
[ 00:26:38,040 ] That telemetry, as I said, needs to be aggregated into a single place, not anymore into a data pond that belongs to each one of the silos that you're looking at, but into a data lake.
Ricardo Galbiati
[ 00:26:49,430 ] The attacking models, the ones that attackers are using to come after you, are very context aware. The more context they know about you, the more they can leverage it for the AI to function effectively.
Ricardo Galbiati
[ 00:27:01,670 ] On the defensive side, we have to have at least the same, if not more. Why not? We should have more context than the attacker on the other side. That is that data lake.
Ricardo Galbiati
[ 00:27:13,070 ] And if we build it that way, then we can use AI exactly at that point. The artificial intelligence will not be implemented to stop attacks in real time; that will happen at the sensor and enforcement point. But to detect what normal looks like and where anomalies manifest themselves. An anomaly in a typical flow is normally something to investigate.
Ricardo Galbiati
[ 00:27:38,590 ] And in some cases, it turns out to be malicious. So that is where the automation piece comes into play. And automation needs to be driven towards having agents perform that type of task.
Ricardo Galbiati
[ 00:27:51,680 ] This is something that we've applied to ourselves, by the way, at Palo Alto Networks. We are running a security operations center that is mostly automated. We collect over 500 billion events in a single day. That sounds like an incredible amount of telemetry. But again, we're not asking humans to process that. We're asking an AI to piece it together, understand the connections, and connect the dots effectively, and allow us to respond within seven minutes to any potential risk in the environment.
Ricardo Galbiati
[ 00:28:24,540 ] And that is it from me on the topic of the life cycle of an attack and how best to defend. Marisa, over to you, because I assume we will have had a few questions in the last few minutes.
Marisa Magee
[ 00:28:38,379 ] Absolutely. The chat has been lit, absolutely lit, since you entered the room. So I'm just farming a few questions here. But the first one for you, and we're actually going to do another one in a second as well, just to get some feeling on where people sit on the confidence scale with cyber attacks. But a question for you, Ricardo: have you seen organisations misidentify one type of attack for another, and what were the consequences of that?
Ricardo Galbiati
[ 00:29:12,510 ] Yes, that is what normally is called a false positive in some cases.
Ricardo Galbiati
[ 00:29:18,110 ] Think about when you have a lot of telemetry, some of it can be misinterpreted, right? Especially if humans are involved in the process.
Ricardo Galbiati
[ 00:29:29,320 ] One attack could be pointing at a certain goal or a certain asset. And in fact, we have actually found attackers creating diversion tactics as well: performing two attacks simultaneously, maybe one on the infrastructure, to make it look like they want to bring your services down, while, as you're focusing on fixing that, they leverage another entry point to steal data at the same time. Now, the false positive and the diversion tactic again point to the fact that, if we are relying on humans to respond to and identify attacks, we're going to fall behind. The new machine learning models that are leveraged, for example, in our platforms are capable, well, they've been trained on all these scenarios in the first place, and then they have been personalized and adapted to the environment of the organization that we are protecting in that case. So they become, very quickly, in the space of the first 30 to 45 days, very aware of what the normality of the environment looks like and what true anomalies or true positives occur when an attack is happening.
Ricardo Galbiati
[ 00:30:35,130 ] Once again, the more telemetry, the more context you give to a human, the more they struggle. But the more you give it to an AI, the more precise it gets. If that makes sense.
Marisa Magee
[ 00:30:44,690 ] Yeah, that does make sense. As Gen AI becomes embedded in everyday work, what's the biggest mistake organisations are making when trying to balance it with security?
Ricardo Galbiati
[ 00:30:57,090 ] I think there are two sides to the adoption of generative AI. I think, as with every technology, it's a new attack surface, right? Every time we adopt something new that we were not doing even a couple of years ago, we're using it for a certain purpose, but it can be misused or even used against us. So that is the first problem, and it tends to manifest itself especially with shadow AI. Think about the need for some employees or staff members to perform a certain task, and they don't feel like the organization is giving them the right tool. So they decide to go out on a limb and use their own preferred tool. That is something that needs to be addressed. And again, I think an open communication channel both ways helps: exporting to the business what the requirements are and why they are not met by a specific tool that might already be provided. But on the other side as well, having the organization in control, at least of the visibility of what the employees and the staff members are preferring to use,
Ricardo Galbiati
[ 00:32:05,330 ] will guide them, not by restricting but by recommending, I would say: did you know you could do this specific task with the Gen AI app we recommend instead of the one you're using? That's the first piece. There's a positive side to it, though. I think generative AI in general, especially when it comes to mistakes, or to getting to best-practice configurations, or even compliance assessments first, is going to help us a lot in cutting timeframes, right? If you start with a configuration that is recommended by AI from the very beginning, it's less likely that you're going to introduce exposures as part of that. So it's always a balancing act.
Marisa Magee
[ 00:32:48,380 ] Yeah, yeah. Sounds like it. All right, we're going to pump a poll into the questions now. But while we're doing that, while we're pumping the poll in there, just quickly, Ricardo: what are the top tips you'd give people leaders to make sure their teams are genuinely cyber aware and not just compliant on paper?
Ricardo Galbiati
[ 00:33:07,790 ] Yes, that's an interesting one. Cyber awareness is a big topic. I think everyone agrees that cybersecurity has become a team sport. It's not just IT that needs to take care of the rest of the organization. And I believe, I mean, having headlines talking about cybersecurity a lot helps in making us aware. But I'm a big believer that although presentations like this one bring awareness on what's going on in the world, I believe that people learn more when they are immersed in it. So one thing I've been recommending a lot is running more simulations and gamification approaches to cybersecurity.
Ricardo Galbiati
[ 00:33:44,610 ] Think about rewarding people for spotting, you know, the phishing campaign that has been obviously simulated by the provider. And also teaching a lot, moving away from the culture of blame. The biggest problem in cybersecurity is: I might have done something wrong, but I don't want anyone to know because I don't want to be shamed. And instead of saying, 'Oh, I broke the rules,' I think we should shift to, 'Oh, if I report it, I helped. Secure in our organization.' So rewarding that behavior is going to help with the awareness and the team sport behind cybersecurity.
Marisa Magee
[ 00:34:21,090 ] Yeah, absolutely. And I think you're right. It's just that paradigm shift of moving from "uh-oh, I've got an oopsie here" to "let's fail forward and get on top of it." I know for myself, when I hit "this is spam" or "this is phish" and I get the little.
Marisa Magee
[ 00:34:37,540 ] Fireworks! Oh, this was a test and you passed it. I know. I feel pretty good about that. So, how are we going to voucher for it?
Ricardo Galbiati
[ 00:34:44,600 ] Wouldn't it be even better?
Marisa Magee
[ 00:34:47,164 ] So, in terms of being honest, if a suspicious email landed in your inbox right now, how confident are you that you'd spot it? Most people have said that they'd pause and double check, which is a good place to start. I think back in the old days, and I'm authorised to speak on that because I'm quite old myself, it was actually pretty easy to spot a suspicious email, but it's getting really sophisticated now, and it is getting harder to spot them. You really do have to stop and check when it's something that's not the norm, and even if it does look the norm but something's not quite right.
Marisa Magee
[ 00:35:31,220 ] I fully agree. Excellent.
Marisa Magee
[ 00:35:33,370 ] We'll chuck another poll up.
Marisa Magee
[ 00:35:36,710 ] And just while we're doing that, I'll pump one more question at you. The audience poll is going to be: has AI made cyber and data security conversations in your workplace more complicated? So while people are voting on that one.
Marisa Magee
[ 00:35:51,840 ] I'll ask you, Ricardo, is the conversation getting harder now that AI tools are so embedded in the way that people are working?
Ricardo Galbiati
[ 00:36:00,030 ] I think, again, going back to what I said before, it's harder and easier at the same time. The AI conversation can be seen as: we need to adopt AI for multiple reasons, obviously to improve our business efficiencies, to have a better user experience. But at the same time, we need to be ready to face attackers that use those same tools against us. Shadow AI, we discussed, is the biggest immediate problem. But at the same time, if you're an organization that is investing in building AI as part of the organization, for example, I'm thinking of RMIT research departments that are testing these models, etc. There are a lot of options out there on what AI language models you might be using and how they've been trained, what potential backdoors they might have. So, testing and validating these and discovering them as you build them is the way to go.
Ricardo Galbiati
[ 00:37:02,589 ] One interesting element is, for example, I tend to focus, we talked about social engineering, right? Social engineering is when you talk to a person and convince them to give you credentials or access to a certain environment. So, there are no technical requirements to do so. I have this belief that, unfortunately, with AI, prompt injection, or writing a prompt that goes around the boundaries of what AI can do, is the new social engineering for AI. It doesn't require a particular skill level to be performed. So again, if you're good with language and understand how to prompt properly, you could find a way to circumvent the AI, and that's a risk that needs to be mitigated as well.
Marisa Magee
[ 00:37:45,230 ] Yeah, that's true. I mean, exfiltration within one hour sounds absolutely terrifying to me.
Marisa Magee
[ 00:37:54,220 ] The results are in from our last poll. Has AI made cyber and data security conversations in your workplace more complicated?
Marisa Magee
[ 00:38:03,380 ] 41% are saying definitely more complicated. Just behind that at 38% is a bit. There are a few more grey areas.
Marisa Magee
[ 00:38:12,910 ] Very few have adapted very well. So that's 8%. And honestly, don't know anymore at 13%.
Ricardo Galbiati
[ 00:38:22,560 ] The data conversation associated with that is very interesting, because we used to do data prevention on files. You know, you transfer a file or you share a file. Now you're talking to an AI and you might be typing sensitive information to it, and where does that go? Are you supposed to share that type of data? And once it's gone, who can read it? That's a whole different conversation that needs to be, again, addressed as part of the data policies that an organization needs to be aware of.
Marisa Magee
[ 00:38:54,330 ] Yeah, and I guess it changes, as you said, the whole nature of the data, but also the democratisation of data and the governance of the data as well around that.
Marisa Magee
[ 00:39:03,900 ] Thank you. I feel like policies are getting refreshed every three months at this rate. I might be wrong, but...
Ricardo Galbiati
[ 00:39:10,940 ] I think as long as AI keeps evolving, and the way we interact with it, the policies will have to become very much a live document. Let's put it like that.
Marisa Magee
[ 00:39:21,160 ] Yeah, absolutely. And to your point about AI responding to the threat of AI, with the rate that the threat landscape has changed now, is there a need to sort of fight fire with fire like that?
Ricardo Galbiati
[ 00:39:35,690 ] 100%. It's the only way. That's something that we've been preaching for a few years now, and I mentioned in the presentation we have effectively moved our own security operations response time to under 10 minutes now. We used to be at the 24-hour mark, which six, seven years ago was top marks. That was still quick, yeah. That was quick back then, but we anticipated that eventually we would be in a position where attackers would be way faster. And again, they have to be right only once. You know they can try and attack you multiple times; we have to be right all the time, so the workload on our side has gone up exponentially, and we cannot focus on human responders or human firewalls as the barrier, the entry barrier. Humans need to be in the loop. I actually have learned recently a new term from an organization that I was speaking to, 'human at the helm,' actually, not so much in the loop. So they still need to leverage AI as an army of responders under their direction.
Ricardo Galbiati
[ 00:40:40,090 ] But if we don't do that, we're always going to be called out.
Marisa Magee
[ 00:40:43,120 ] Yep. Yeah, absolutely.
Marisa Magee
[ 00:40:46,490 ] Just from an individual perspective, like people going about their normal everyday lives.
Marisa Magee
[ 00:40:53,130 ] Fine and well and good to protect yourself with strong passwords, multi-factor authentication, but how do you, as an individual, avoid being targeted when an organisation is impacted? Is there anything that we can do to minimise that risk?
Ricardo Galbiati
[ 00:41:08,610 ] So the risk, direct to specific individuals, is hard to measure. Of course, in the majority of cases, if we're talking about an enterprise or an attack towards an enterprise, you're just a link in the chain, unfortunately. And you are going to be attacked because you are going to lead to a better flow inside the organization.
Ricardo Galbiati
[ 00:41:29,959 ] Again, being part of that team sport, reporting what you see, contributing, if you will, to that telemetry that we say the majority of which is generated by technology, but providing the invaluable input from a person's perspective: 'I've seen this being a suspicious event on my end,' the email case that we mentioned before, and reporting on that early, as opposed to hiding behind 'Oh, I clicked it. I hope no one noticed.' That is definitely going to help. If we're worried about being targeted ourselves, the conversation there normally lies on the privacy side of things. So the information that we're going to lose and how that could be leveraged in the future to create fraud.
Ricardo Galbiati
[ 00:42:14,240 ] Or impersonation of our credentials, so that is something that we need to be really concerned about. As you mentioned, there are some basic best practices that reduce by over 90% the potential of an attack targeting you directly. One of them is using different passwords and never sharing or using the same password that you have for work on your personal devices. I do not know my password. That's the very simple way to put it. I have a password manager that generates the passwords and stores them, and for me, I do not remember any of them. And I can obviously fill in all these forms automatically. The world is also shifting away from passwords. There is a lot more conversation about passwordless authentication, certificates and passkeys, if you will, that are more tied into biometrics. Adopting those early will completely cut the legs off 90% of the initial entry points for an attacker.
Marisa Magee
[ 00:43:15,050 ] Yeah, much safer to have an actual password manager rather than leave it up to a keychain or to your browser. Your browser, I suspect, would be significantly vulnerable to those types of attacks.
Ricardo Galbiati
[ 00:43:28,210 ] That's true. In fact, you're giving me a good segue. So actually, one of the latest additions to the platform that I was discussing from Palo Alto Networks is actually a browser. It's an enterprise secure browser that has been designed to do a few things. Well, protect you while you browse the internet, because, as you said, there's a lot of so-called drive-by attacks where you access a website that is designed to compromise the browser. But it does embed a password manager. We built it securely through integration of capabilities from other acquisitions as well. And at the same time, it provides very effective ways of solving those problems that we were mentioning before, like data loss prevention. When you're typing into a generative AI application, the browser can see that while you type. So if we enable that visibility as the user types, again, we can avoid a lot of the initial leakage that might happen.
Marisa Magee
[ 00:44:22,470 ] Yeah. Excellent. I've got one more question for you, Ricardo, and then we'll probably wrap up.
Marisa Magee
[ 00:44:29,650 ] So what would your advice be for someone early on in their cybersecurity career? Where would you focus first?
Ricardo Galbiati
[ 00:44:38,500 ] Interesting. I'm thinking about my journey a little bit, obviously. And I think, if that journey still applies today, I started in network security back 20 years ago, effectively. So that pure firewall visibility of the network side of things. And I think— and I still believe— that that is a must. Although the internet has evolved a lot since then, all communications are very abstracted now in the nature of how you obtain access to applications. You don't know what's actually going on in the plumbing, but that part is still fundamental. And it sets up very well what I call the zero trust mentality. Anything that should be allowed. Only what should be allowed is allowed. Anything else should not be trusted in communications.
Ricardo Galbiati
[ 00:45:27,130 ] And with that, I think, should go hand in hand understanding a lot more of the concept of identity. As I said, it has evolved a lot.
Ricardo Galbiati
[ 00:45:34,550 ] The authorization, authentication and permissions associated with identities have evolved in the last couple of years, as opposed to being just a field in a log line. So those two fields. But more generically, I think, again, going back to the simplification, how do we make cybersecurity easier to implement and adopt? I think focusing on learning a lot of tools simultaneously is probably the wrong approach. It's best to focus on the impact areas. I'm thinking obviously, network being one, protecting the pipes, effectively, where the conversation happens. Yeah. But protecting cloud, as in what happens in the cloud when you're running applications over there, as a general field, not specifically on a point-product approach. And then security operations, as in, I think, understanding where an attack came from and the components or the moving parts that led to a successful attack, which involve, of course, network and cloud and identity altogether.
Ricardo Galbiati
[ 00:46:40,280 ] So there's a lot of connective elements.
Ricardo Galbiati
[ 00:46:43,930 ] But the last piece maybe is actually moving the conversation in cybersecurity from a purely technical one more to a business and risk conversation.
Ricardo Galbiati
[ 00:46:54,550 ] Cybersecurity risk is business risk nowadays. We can safely say so. So being able to communicate that at the right level, so focusing on and learning the communication of risk, not in technical terms but in business terminology, is super important for the future of cybersecurity.
Marisa Magee
[ 00:47:14,450 ] Absolutely. Absolutely. Thank you so much, Ricardo, for such an insightful session. And thank you, everyone, for joining us today and being a part of the conversation.
Marisa Magee
[ 00:47:24,380 ] To wrap up. I know that we're running a bit over. If you'd like to continue building your future-focused skills, check out the range of courses and upcoming events from RMIT Online at rmit.edu.au/online. We're also giving away five free Future Skills short courses to attendees who share their key takeaways from the session on social media. So just make sure to tag RMIT Online so that we can see your post. That's the important part.
Marisa Magee
[ 00:47:55,470 ] That's a wrap on Future Skills Fest for this year. If you missed any of the sessions or you'd like to revisit any of them, you can head to our website and access the recordings, including this session today. Thank you again, Ricardo. It was wonderful to have you. And thanks, everyone, for joining us. Enjoy the rest of your day. Have a wonderful weekend, and we hope to see you soon at another RMIT Online Session.