January 15, 2024

John Verry (00:47.174)
Welcome to yet another episode of the Virtual Cecil podcast with you as always, your host, John very with me today, Kevin Page. Hey, Kevin.

Kevin Paige (00:54.553)
Hey, John.

John Verry (00:56.69)
Alright, so I always like to start simple, tell us a little bit about who you are and what is it you do every day.

Kevin Paige (01:05.456)
Sure. Yeah, my name is Kevin Page. Currently, I’m the VP of Product Strategy and CSO at a cybersecurity company called Uptix. Prior to that, I’ve spent kind of my first, maybe 18 years working for the government as an active member of the Air Force, as a civil service employee, as a consultant for the government, and then kind of moved into the other side of the house.

helping protect commercial companies and now even into the vendor security space. So about 30 years probably kind of being an operator doing security.

John Verry (01:45.239)
Well, first off, thanks for your service. It’s appreciated. I always ask, what’s your drink of choice?

Kevin Paige (01:52.184)
Oh, goodness. Depends on the time of the day. I don’t know, is that a good answer? But I am a coffee-aholic, so I definitely probably drink coffee from like about 6 a.m. to about noon. So probably coffee in the morning is probably my major drink of choice.

John Verry (02:11.938)
Sounds good. So it was interesting, because one of your PR people reached out about being on the show, and they pitched this idea of talking about the idea that, quote unquote, conventional security training really isn’t very effective, and that you had some better ideas on doing that, it had something to do by involving telemetry data in the conversation with them. And I thought that was interesting, and that was the reason I said, yeah, let’s have them on the show. So I started to prep for the podcast, and I looked up upticks, and I was like,

Hmm, CNAP is one of those questions that I’m getting quite a bit. And a lot of the other acronyms that are on your website are acronyms du jour that a lot of our clients are struggling with right now. So I was hoping that maybe we could cover and talk about CNAP and some of the issues there. And I no longer use the kill two, it’s now can we feed two birds with one bag of seeds? A more politically correct version of that. So.

Kevin Paige (03:06.776)
Ha ha ha.

John Verry (03:08.17)
So if you don’t mind, let’s take that tact and I’ll start asking the questions. What is CNAP?

Kevin Paige (03:14.992)
Cool. Yeah, CNAP, I think CNAP is a way to take a look at modern cloud and hybrid environments and figuring out a good way to secure them. And I think when I say that, maybe that doesn’t really make a lot of sense. So we have to kind of think about the history of kind of infrastructure and service and clouds and kind of where we’ve gone and where we’ve been, right? So since I’ve been doing security for 30 years and, you know, been securing data centers for a long time, as well as securing clouds.

I think the idea of people first starting to secure clouds, they didn’t know what to do, right? Like we’re like, hey, the same way that we would secure a data center, let’s secure a server in the cloud, right? And it didn’t work very well, right? Like we can’t like put physical firewalls there. We can’t do physical segmentation. We, you know, it just didn’t work very well. It was very cumbersome. It was very expensive.

The whole idea of the cloud is supposed to make developers’ lives easier and the idea of using things easier, and it got harder, right? And it got very painful trying to do it that way. And the cloud has got new things called APIs, right? The cloud’s got new ways of doing things and accessing information, and we should figure out how to do that. And business drove the need to want to save cost and have speed and efficiency by using

web applications and host software as a service offerings and host all of these things for consumers to use. So as a security professionals, I think when we first started using the cloud and we wanted to use the cloud, we realized like, hey, how am I supposed to configure the cloud? That ended up being one of the biggest issues. And especially when we had to get compliance mandates, we needed to get SOC 2, ISO 27001.

all these compliance mandates to make sure that we’re operationally securing the cloud. And I think that if we take a look at CNAP, a vendor soup, right? I think that there’s a new acronym for everything these days. It gets quite painful. But the idea of it is that like, hey, all of these things over the last eight years that we’ve been trying to do to secure the cloud, let’s bring them together in a holistic manner and figure out how to secure the cloud, right? I think…

Kevin Paige (05:34.488)
I think if we just take a look at it holistically, it’s a little bit of history, right? We need a modern cloud security, kind of monitoring, posture management, brief prevention controls with enhanced visibility and really kind of understanding the risks from when a developer writes code to when it’s running as an application in the cloud for customers to use. So I think that’s how I would try to…

quantify those five letters.

John Verry (06:06.562)
And just to be clear, cloud native application protection. And then there’s that second P, which the vendors like yourself would add, right? For platform, you know, meaning that you’ve got, you’ve got a cloud application that helps secure cloud applications. And then in terms of, yeah, so, and I, you know, would it be fair to say that what CNAP is, is the modern version of what we used to call

Kevin Paige (06:23.172)
You got it.

John Verry (06:35.506)
broad application security. But it’s now updated and revised to reflect, to reflect Agile, to reflect infrastructure as code, to reflect both the capabilities and lack of capabilities that cloud platforms provide us.

Kevin Paige (06:56.108)
Yeah, definitely. We took about 15 different kind of tools and tried to put them in a platform to provide context and help people secure their clouds more efficiently. I think that’s a quick, easy summary of it.

John Verry (07:06.87)
All right, so it’s interesting to me. So let’s talk about some of the tools that are in there. And then, because you see them talked about, you see companies saying this is what they do, maybe they do just that. Some vendors actually do multiple tools and they all use interchangeable terms. So let’s talk about a few of them and maybe you can help us understand what some of these specific capabilities within the CNAP umbrella are.

Right, so we see the phrase CWPP, Cloud Workload Platform.

Kevin Paige (07:42.028)
Yeah, so CWPP, you can take a look at as your endpoints or your other types of things that can operate as a workload, might not be a full server, might be a partial server, might be a container, could be a lot of things, could be, you know, if you’re in Google or you’re in AWS, using some of these functions as a service type capabilities. But at the end of the day, workload protection is taking a look at your server or your server-like capabilities.

John Verry (08:06.382)
Thank you.

Kevin Paige (08:11.776)
and making sure that you’ve got good visibility on what they’re doing, taking a look at vulnerabilities on those guys and just really understanding how they’re working and operating in order to keep them secure, right? So that’s kind of the way that I-

John Verry (08:27.406)
Okay, so if I was talking about a very fundamentally basic AWS infrastructure, that’s ensuring that EC2 is running the way that I expect it to in a secure and compliant manner?

Kevin Paige (08:41.988)
Yeah, I’d say it’s EC2 and the things associated with EC2. So you take a look at your EC2, and your EC2 is probably connected to a database. So anything that’s operating as a cloud workload, so anything that’s in the cloud and operating as a workload, being able to provide that visibility together. I actually think that it extends beyond the cloud. So if you have things connecting into the cloud, your cloud.

John Verry (08:50.574)

Kevin Paige (09:08.536)
workload protection should extend to anything that touches your cloud as well. But I think the easy kind of summary of the CWPP is just like, any workload in the cloud needs protections. And if you’re running an EC2 service on there and you’re running a container and you’re running a database, right? How do I know that all of those things are secure as workloads in the cloud?

John Verry (09:35.114)
I was going to ask you that because you do see some companies out there now that are just, you know, Kubernetes security companies, right? So and they spend a lot of time and energy in that which is that a subset of if you will of CWPP or is that where is that integral to CWPP, right? I mean because you sounded like you were referring to that the Kubernetes container would be covered by that CWPP

Kevin Paige (10:04.344)
I think that, so I consider a Kubernetes workload as well, but Kubernetes as an orchestration engine is a little bit different, right? So to be able to understand how Kubernetes as an application is working, is kind of the next level deep beyond CWPP, right? So…

John Verry (10:22.78)
Okay, would that hold true for Docker then as well from your perspective?

Kevin Paige (10:27.136)
Yeah, exactly right. Because when you’re taking a look at Kubernetes or Docker, or any of these orchestration systems like Red Hat’s got Redshift, and there’s all of these orchestration platforms that exist, really understanding how secure those orchestration platforms are, and probably the containers and the servers that are running underneath them. So we started getting in the supply chain and Kubernetes and any type of orchestration engine

We’re really talking about that application, that Kubernetes engine. It was that Kubernetes API secure that everybody’s connecting to that’s launching containers, that’s launching other capabilities. Is that secure as well? Now the containers are still gonna be CWPP, but when we start talking about Kubernetes and how Kubernetes is managing those containers, now we need to dig a little bit deeper and understand, hey, how’s Kubernetes operating? And how is it?

John Verry (11:14.102)

Kevin Paige (11:25.752)
You know, in a secure way, is it have a real base access control? Is there audit logging happening? What’s east-west traffic and north-south traffic look from container to container or pod from pod in a Kubernetes environment? So you really have to start taking a look at your architecture of your orchestration. I feel like Kubernetes is kind of one to war here, right? So it’s almost safe to say, you know, from a Kubernetes perspective, you know, like, like how is it managing and operating?

inside your cloud, right? It’s almost like you’ve got your cloud, then you’ve got another layer inside your cloud and that Kubernetes layer is that new layer that you have to understand, just like you used to have to understand your cloud, now you got to understand your Kubernetes.

John Verry (12:05.587)
Yeah, it does. It’s funny, when I first started to make the transition, and I think I’m still making the transition because I’ve been doing this a while and beginning to really understand it, it feels a little bit like that movie Inception. And containers specifically feel like Inception to me because you’ve got instances of EC2 running inside and it’s just, oh, my head is starting to hurt here. So just to make sure that…

Kevin Paige (12:20.065)
Oh yeah.

Kevin Paige (12:30.681)

John Verry (12:31.162)
I’m following you, because this is not my area of expertise. The container itself that’s operating. You think that gets covered by CWPP. The the orchestration engine, if you will, and that application that platform, if we will, that’s running. That’s what where these specific Kubernetes style assessment engines or assessment platforms address that. OK.

Kevin Paige (12:56.256)
Yeah, because they’re applications, right? So Kubernetes is an application, just like Docker is an application, right? And you really need to understand how those applications are working, that those applications are secure, that are, and they’re running inside your cloud as well. So, you know, so it’s important to make sure that those applications that can control, they can control your workloads are secure.

John Verry (13:20.366)
Gotcha. So where’s the line between, because it feels like they’re maybe two sides of the same coin between CWPP, the Cloud Workload Platform Protection, and CSPM, which is now becoming a more common, that’s a phrase that drops off of a lot of people’s lips these days, you know, CSPM, which is Cloud Posture Security, Cloud Security Posture Management, or monitoring. Tell me a little bit about what, like how you differentiate those two, because…

conceptually they seem pretty similar to me.

Kevin Paige (13:52.004)
Yeah, conceptually they are, right? I’m just looking at a different thing, right? So from a CWPP perspective, if we simplify it, I’m worried about my EC2 server that’s running inside the cloud, right? That’s the thing that I’m worried about. From a CSPM perspective, I wanna make sure that my cloud is configured correctly. I wanna make sure that default settings are set correctly, right? So if I launch a cloud service, that cloud service meets

certain best practices, certain guardrails. So from a CSPM perspective, I want to make sure that security is kind of baked in by default into my cloud services. So if somebody turns on a cloud service, turns on an S3 bucket, or turns on another service that’s inherently in the cloud, or spins up a new VPC inside of Amazon and then starts launching capabilities in there.

that the ability to access those things, right? Like, hey, SSH has turned off to the internet, so you have to go access the cloud a certain way. S3 buckets can’t be open to the public by default, right? So from a posture management perspective, it’s really about taking a look at that posture of your cloud services, right? So if it’s a Google, Azure, Amazon, or whichever cloud that you may be using.

those default services that are fundamentally provided by those clouds, that those things are configured in a secure manner by default, because usually they’re not, right? Usually vendors make it easy for software developers or system administrators to just be wide open to the internet to make life easy for them to use, right? And from a cloud security posture management, we want to make sure they’re secure, and then we want to validate they’re secure, and then hopefully from a CSPM perspective, we even have to provide to our auditors proof.

that our cloud is set up according to our policies and procedures.

John Verry (15:48.13)
So it sounds like C, and maybe I’m oversimplifying this, but CSPM is arguably a superset of CWPP, and then CWPP probably touched on some other things, because when you run a CSPM tool, one of the things that you might be looking at is an EC2 instance, right? And confirming that EC2 instance is, let’s say, aligned with CIS benchmarks or Azure Security Fundamentals or some standard that we might hold it to. So it sounds to me like what you’re saying is that, yes, you are touching on that from a security and compliance perspective.

But then like when we look at the management plane and we look at all of those other elements that are integral to living in a particular cloud environment, cloud instance, it’s looking at a lot more.

Kevin Paige (16:29.184)
Exactly right, right. I mean, in order to get full visibility, you need both, right? You need to understand your workloads as well as your posture. And that’s why, as we talk about these other services that are a part of CNAP, you’re gonna see that they overlap a whole lot. And there’s a lot of capability that you need from all of them to bring them together. So this idea of CNAP and bringing these tools together in a holistic platform makes sense as we start talking about these things, right? Because…

From a CSPM perspective, I need to know how people launch an EC2, but from a CSPM perspective, I can’t see inside the EC2. So now I need my cloud workload protection to look inside the EC2 instance and the cloud security posture management to make sure that my EC2s are deployed inside a VPC with the correct settings that should be set. So you’ll see there’s direct overlap, and you need both of them in order

John Verry (17:05.247)

Kevin Paige (17:24.854)
a secure cloud environment.

John Verry (17:26.91)
Right, we just think of the chain is going to bite you, right? And security, so it’s having that view of all the things. And I think you probably are just answering my next question, to an extent, because now I think I have an understanding of it. There’s this concept of SIEM with a C, which you see increasingly more cloud infrastructure entitlement monitoring. Is that effectively privileged user account management for the cloud?

Kevin Paige (17:30.367)

Kevin Paige (17:54.212)
Pretty much, right? So if you take a look at some of the tools, I’ll use Amazon as an example, and you take a look at the IAM feature of Amazon, you can create permissions on servers, you can create permissions on users, right? You can create different roles, and you can create probably hundreds of thousands of different capabilities and permission sets. And, you know, and…

From a cloud perspective, we got to the place to realize, like, hey, we need to put permissions on systems. We need to put permissions on users. We need to bring those two things together. And the complexity got very hard. And when the complexity got hard, what do we do? Well, we just give you root level access. We give you admin access to everything, right? And then that leads to data breaches. And that leads to other misconfigurations and misuse.

of SIEM, CIEM, is this idea that, hey, we need to understand permissions, right? And we need to make sure that we’re providing the least amount of permissions for a workload or a user or a server to do its job. And CIEM, in theory, is like, hey, let’s figure out what is needed, minimize those level of permissions, and minimize the ability to get breached, hopefully.

John Verry (19:22.002)
All right, so let’s take a real world example and which pieces help us with this. So, you know, one of the things of course we see is, you know, open S3 buckets are the bane of a lot of companies, right? So we’ve got this idea of like a CSPM tool, I would imagine, if it’s sitting there and it’s sitting on the, forget what log it sits on, and it sees that somebody spun one up, it’s gonna yell and say, I saw it. Now, would you use a, can CIEM, can that?

Kevin Paige (19:46.821)
You got it.

John Verry (19:53.146)
Can that tell us that we’ve configured things in such a way that developer level people have the ability to spin up S3 buckets, but they can’t change that setting? But this guy over here, the product line manager or somebody else, they have the ability to spin that up and they can set it to open. And that way you’re kind of aware of that and you know that is what I intended and it’s actually set that way.

Kevin Paige (20:18.636)
Exactly right, right? So I’d use my CSPM to set my standard security capabilities. Then I would create a role. And I’d want that role to be used for a certain amount of developers that are accessing certain S3 buckets. And I want to give them a certain level of permissions. And then I would use CIEM to make sure that I gave them the right and least amount of permissions necessary for them to do their jobs effectively.

John Verry (20:43.22)
Okay, and those permissions that we’re referring to there, we’re not talking about permissions in the CSPM tool, we’re talking about permissions in the cloud, for the cloud service provider, AWS is an example.

Kevin Paige (20:53.492)
Right, right, like can I delete things inside the S3 bucket? Can I write things to it? Can I, can I, no, what can I do in this particular bucket or in a folder inside the bucket, right? You can get pretty granular these days.

John Verry (21:04.866)
So if you don’t give a CSPM tool, if a CSPM tool is not CIEM enabled, and is it just looking, is it limited to looking at workloads at that point in terms of what it’s looking at? Because it can’t see, right, without having that CIEM capability, it really can’t see, you know, it’s not user aware.

Perhaps. Okay.

Kevin Paige (21:36.048)
Correct. Yeah, it’s not going to be user aware. It’s going to be focused on the number of services in the cloud. And from a CSPM perspective, let’s say Amazon has got 1,000 services. Out of those 1,000 services, there’s probably 10 that 99% of people use. And there’s probably…

John Verry (21:55.542)
You know, Pareto hits again, right? Ha ha ha.

Kevin Paige (21:59.22)
Yeah, exactly right. And from a CSPM perspective, all the vendors are saying like, hey, here’s or Amazon’s telling you like, hey, here’s the hundred most used services. Here’s the best way to secure those services. And then people figure out best practices for use. And the CSPM is just monitoring it consistently and letting you know when either somebody changes it or when the posture kind of validates the known good state.

John Verry (22:29.166)
Gotcha. Now, then a newer one that I heard recently, where you’re hearing more recently, I guess, by the way to say it, it’s been a bit. Everyone’s familiar with EDR and XDR. Now we’re starting to see CDR, which I guess is cloud detection and response. What exactly is CDR and how is that different from what we’ve been doing?

Kevin Paige (22:52.756)
Um, I don’t, so the, the kind of the good thing is that it’s not that different, right? So the, the kind of the cool thing is once you start taking things like EDR, you take CSPM, you take cloud workloads together, you start bringing all this context together, right? Here’s the context of roles. Here’s the context of users. Here’s databases, here’s servers. Um, here’s, here’s how they’re set up.

And now all of a sudden you have all this context that talks about, you know, you got, you kind of have full kind of context on not only like what, what a EC2 is, but what roles assigned to it from a CIEM, is it the right role? Is it the wrong role? It’s connecting to a database. How many ports are open? You start getting this ability to take a look with all the context in place.

John Verry (23:38.958)
Thank you so much.

Kevin Paige (23:43.584)
of your resources in the clouds and their potential vulnerabilities, their potential ways in which a threat actor could take advantage of that particular asset. And you get all that information in one view. So back in the day, all these would be different tools. And I would have to log in, SSH into this server, SSH into this database, go look at my SIEM, pull all these logs together and try to piecemeal together.

a security issue or a security event. Now, with all of this data coming together, now I don’t need to SSH, I shouldn’t need to SSH into a hundred different places. Now I should be able to get all the information kind of at my fingertips about, you know, where I potentially have open risks and vulnerabilities in my cloud workloads or in my cloud features. And I can get it all in one kind of view. So I can get this cloud detection response capability.

to detect potential issues in the cloud with all this additional metadata and context. And then a quick way to respond to it because I’ve got all the data there in order to solve the issue faster. So it’s really, you know, EDR was focused on, obviously on like a laptop endpoint back in the day. And now this cloud detection is focused on your cloud and on kind of hopefully all of the things that are in it, all the risks that are now

open and a quick way to respond and neutralize those particular risks.

John Verry (25:15.886)
So is, would you consider CDR to be preventative in that it’s going to see the fact that the combination of a configuration and an existing vulnerability exist before someone is able to take advantage of it? Or is it detective where it’s saying somebody exploited something and I can use that data to troubleshoot and remediate that issue? Is it both?

I’m trying to, I’m a little fuzzy as to exactly how people are using CDR and what the benefit is.

Kevin Paige (25:49.208)
Yeah, it’s both, right? I mean, I see the biggest use by like security operations teams, right? They can get good visibility into their assets and potential issues inside a cloud environment. And they can get all the data in one capability. So if they want to, if they have the time and effort and energy to go out there and be preventative and review the vulnerabilities, the potential risk exposures.

If you’ve got time to go and do that, that’s great. Then you can be proactive, but at the rate, security teams are usually small, software development teams are huge. So it’s very hard to stay ahead of the game when you’re a 20 person team and there’s a thousand engineers that are constantly making changes on an immediately basis inside the cloud. So usually SOC teams are using the CDR in a response capability to say like, hey, what happened here? How did it happen? And then once they figure out how it happened, they can…

they can use that information to put new guardrails in, put protective things in so it doesn’t happen again. That’s probably the real world way, but yes, it certainly could be used proactively if you have a large enough team at enough time. Ha ha ha.

John Verry (26:59.754)
Gotcha. So, you know, I’m always surprised when I chat with customers, when I bring up the very famous diagram that Microsoft put out where, you know, you’ve got the shared responsibility matrix, I think is what they call it. You know, you’ve got the 10 areas or so down the left-hand side, you know, things that need to be done. And then you kind of go across from SaaS to platform to infrastructure to on-prem, right? And on-prem, you got to do everything.

And people don’t understand on the SaaS, you still own 35% of the original 100%, right? So let’s talk about CNAP. So does CNAP live on the just, that side of the fence, right? Or does the traditional stuff that lives in our realm of responsibility in a SaaS application service provider like user account management and EDR of the systems, right? Cause the data leaves.

the database, or leaves this as application, what pieces are or are not covered when we talk about CNEP.

Kevin Paige (28:03.876)
I think when we talk about CNAP and the shared responsibility model, CNAP is really designed to fill that infrastructure as a service piece. Right? So when you take a look at the infrastructure as a service piece, all of the things that a cloud provider can’t do for you natively, right, is where CNAP comes in. Right? So somebody might need to deploy a cloud workload, they need to patch it, they need to make sure there’s no vulnerabilities on it, they need to make sure that they reduce the amount of…

you know, ports that are open from the internet to it, right? The cloud provider can’t do that for you because it doesn’t know how you want to run your server and run your application on inside that server. So now CNAP kind of fits that piece. Now from that shared responsibility model, the thing that the clouds are like, hey, just everybody be aware, like we can’t protect your application for you because it’s your application. Now you can use a CNAP to really kind of understand, you know, your workload, what workloads are happening.

the posture of your clouds, make sure that it’s set up in a secure way. Take a look at permissions, make sure permissions are set up in the right way. Take a look at endpoints, vulnerability management, you can kind of bring everything together in that shared responsibility model on the infrastructure side.

John Verry (29:11.787)

OK, so that’s actually maybe a good way to frame this for people. So if I got this right, so again, I can’t remember if it’s 9 or 10. For some reason, I think it’s 10. I don’t have to share the responsibility matrix up. But again, as you move from right to left, 6 and 1 half of things are marked as being the responsibility of the SAS provider. And 3 and 1 half are kind of still living in a realm. What CNAP basically does is provides us

in one place platform to effectively ensure those six and a half at the bottom.

Kevin Paige (29:51.428)
Yep, yeah, give you visibility on to what’s going on those areas that you should, that you’re supposed to be paying attention to.

John Verry (29:57.93)
Oh, I’m sorry. I’m sorry. I apologize. We’re in infrastructure as a service, which is more than, which is probably, you know, five or, you know, it’s the ones that added that top group, but that are in that second group in that diagram that would fall into where you guys are providing CNET providers are providing a lot of value to us.

Kevin Paige (30:18.476)
Exactly, the infrastructure. Once you get into the application, the other SaaS piece, now you’ve gone a little bit beyond CNAP, because CNAP isn’t going to look at the permissions inside your application. It’s going to look at the permissions on your infrastructure.

John Verry (30:30.122)
Right. Yes, yeah. Yeah, but that’s the responsibility. I mean, again, no matter what whatever bucket we’re in, SaaS, platform, infrastructure, on-prem, ensuring that you’re managing your users, right? And providing good permissions and commissioning, decommissioning users appropriately. Yeah, that’s always gonna be on you no matter what model of computing.

Kevin Paige (30:54.372)
Exactly right, yeah, I mean you built it, you better protect it.

John Verry (30:59.106)
Exactly. All right. So now let’s circle back to the original idea behind this podcast. We’re in agreement that security awareness education is good. It’s a necessary evil. But in the best-run organizations that we’ve had the experience of work with, even organizations that train a lot and even organizations that do fishing exercises as much as weekly, 4% of your people…

in a good organization are still going to click on those links. So we know it’s not effective. It’s like the concept of zero trust. You have to assume these days that you’re going to be compromised. Now, your tenet, your idea was that if we share telemetry data with end users, that might be better. So what is telemetry data? Is it CNAP data, other data? Kind of fill me in on what your ideas were.

Kevin Paige (31:56.024)
Yeah, you know, we take a look at, you know, I’ve been taking security awareness training myself forever, right? Because I was in the government and we’ve been taking, you know, been mandatory taking videos for, I don’t know, 25 years at this point, probably. And it doesn’t work and people speed through them, right? And they don’t necessarily relate to real life, right? So I think when it, how can you get close to real, as real life as possible?

And what areas do you see that there’s pretty good security in place? And where do you see that things can train well? Where do you see those things and how do they work? I take a look at, like, hey, every time I get on an airplane, I get the same security briefing. That security briefing shows me how to put my seatbelt on, tells me where the emergency exits are, every single time, right? I get into an airplane to get the same security briefing.

Yeah, the dynamics are higher. You could crash and die if you don’t follow them. But at the end of the day, it’s repetitive, it’s repetitive, it’s repetitive. And people really know if you’ve taken an airplane 10 times, you pretty much got it memorized what they’re going to say and how to do it. And I also take a look at, like, hey, I’ve got dogs. When I train my dogs, if I need them to do something, I need to give them immediate feedback, either positive or negative immediate feedback when they do it. If I don’t, then I’m wasting my time.

John Verry (32:52.994)
Thank you.

Kevin Paige (33:21.176)
And I think with humans, we also need the same thing. We need immediate feedback and we need repetitive information. But we only need the repetitive information based on the mistakes that we make. So I think that as we start to rethink how to do security awareness in a way that could actually provide an impact is more specific. So we’ve got a ton of security tools, right? CNAP is one of them, right? But…

We’ve got antivirus, we’ve got telemetry information on our laptop, we’ve got telemetry being like, what websites am I going to? What servers am I logging into? Am I downloading things I shouldn’t? Am I using a secrets management tool? What are all of these actions that I’m doing on a daily basis? Which of these actions are good? Which actions of these are increasing risk and potentially bad?

And when I’m doing good things, like when I’m using my secrets management tool, then I think it would be great that we told users, hey, this is fantastic. You’re helping reduce the risk for your organization and you need to let them know when they’re doing that. You need to let them know either when they do it, let them know on a weekly or monthly basis that like, hey, you’re doing a great job. You’re in the top 1% of the company and keeping us secure, doing a great job. And then the people that are not using it should be the same way. Like, hey.

We know that you’re copying, pasting passwords and using the same four digit password on 1000 things. Like you’re putting yourself at risk and you’re putting your company and you’re putting your money at risk and you’re putting a lot of things at risk, and provide details on how a better way to do it with a link as it’s happening. So I think that from just when I take a look at things that potentially help behavior.

these positive reinforcements and the negative reinforcements, we need to figure out how to use them together based on the data that we already have in our CNAP tools, in our secrets management tools. Who’s taking the videos and takes them in 30 seconds and who takes them in five minutes? Who takes the test at the end of your security awareness training and fails it? Who gets 100 on it every time?

Kevin Paige (35:37.036)
I think each one of these things is a signal, right? And we need to, if we can bring a lot of these signals together and then provide feedback to the users based on the signals that they’re providing, both positive and negative, it, I think that it encourages the more secure choices to be made and doesn’t make the more secure choices seem hard or painful, right? We should make them easy and help people do their jobs more efficiently and make security be like

traditionally hard, like, you know, like, I don’t even me, when it’s that time of the time of the year where I have to take another security video, I’m a see, so I’ve been one for 30 years. I’m still like, damn, I gotta take another one of these videos. All right, let me go do it. Right. And everybody feels that way. Right. So how can we change that feeling and make it not like, Oh, a video you take one time, but just real, um, real feedback based on how you do your work every single day.

John Verry (36:12.75)
Thank you.

Kevin Paige (36:32.832)
I think if we can figure out how to get there, it makes it much more effective. We don’t have to worry about silly fishing exercises. We don’t have to worry about watching a video once a quarter or once a year, right? And we can still use those videos, right? We can get a short video and say like, hey, you copied and pasted your password from a thing into here. Like here’s a little video of, or here’s…

this day and age, we don’t even need a fake video. We can say like, hey, here’s an article based on how this company was compromised and based on what your action was that could put us there. Make it real, bring real world events in based on users actions and make them read it and then people will acknowledge it and be like, oh wow. Yes, this is a, I shouldn’t do this. Oh, and that’s all I have to do is click twice to get this? Oh, and then it will automatically change my passwords for me? Oh.

John Verry (37:08.718)

Kevin Paige (37:28.844)
And then it will make, I can log into passwords, log into places easier by using my fingerprint on my laptop. Like there’s all these things that can actually make life a little bit easier and incredibly more secure than copying and pasting a four digit password. I mean, it’s obviously an easy example to use. That’s horrible. But I do think that we have to figure out how to move into that type of mindset rather than this old mindset of just,

John Verry (37:41.11)

Kevin Paige (37:58.252)
of just thinking like, hey, just watch a video and the ability to secure humans is impossible. Nothing’s impossible, right? We just have to really think about the root of the cause and stop treating the symptoms, right? And stop trying to be compliant. Let’s focus on being secure as opposed to being compliant and taking our video once a year just so that we can pass our compliance mandate.

John Verry (38:25.054)
Yeah, so it sounds like you, you know, if I’m going to oversimplify, you had two fundamental components there, right? One was a little bit share the sausage making and one was, you know, really using real world information, help them understand the potential impact of, of their actions. On the latter, I, I couldn’t agree with you more. Um, and, uh, like we’ve done some of that, even with our own training where.

you know, and of course we have access to it, but we have a big giant password cracking rig that we use during penetration testing. And it’s amazing when you show someone, so you start the video and you say go, and you see the screen go, all three character passwords guessed, all four character passwords guessed. So like, you know, like we’ve got five or six FPGAs, it’s an older rig. But I mean, we can get through seven character passwords in like a minute and a half, and then it gets to eight, it gets a little bit.

But even eight, I think it’s 12 hours, and nine it really jumps. Nine it jumps to like 24 days or something. But it just shows you, like if somebody saw that in real world and realized like, wow, how many passwords am I using on my banking? Excuse me, how many characters am I using on my passing back? And then you go a step further and you say, well, if you’re not using a mix of numbers and letters and special characters, what the variation is. It’s crazy. So I couldn’t agree with you more. I think that’s a great idea.

On the first one, that’s a really interesting idea. And I think it’s a good thought process for the security industry that we need to have a little more confidence in our end users that they can understand and interpret the data that we’re sharing. I think we have a tendency in IT and IS to think we’re the smartest people in the room, and we’re not. And I think we’re hesitant to.

to share the sausage making. A, we don’t want people to question us. B, I think a lot of us love the fact that we’ve got acronyms and you don’t know what the acronym is because I’m smarter than you. Right, I mean every consultant that I know and I’m a consultant so I’m allowed to say this, why are you a consultant? Because you think you’re the smartest guy in the room, right? And you want to show it to everybody and the consultant gets to stand at the front of the room and do that. I think we do have to treat our user base as one that’s more intelligent and trust that we can give them this information and that they can use it effectively.

Kevin Paige (40:28.058)

Kevin Paige (40:51.056)
I agree entirely, right? And I’ve been a part of this for a long time and just kind of watched the evolution from a security perspective. The use of computers, use of applications. I remember the first time I went to a company and they only use SaaS applications. I was like, oh my God, what do I do? You don’t have one server. Where’s our HR at? Oh, it’s on this thing there. Where’s the sales?

John Verry (41:13.763)
Thank you.

Kevin Paige (41:20.28)
data. Oh, it’s in this other sales, uh, sass app. Like, like, where’s our, where’s our user data?

John Verry (41:24.6)
Everyone in my skill sets is worthless. Everything I knew is worthless.

Kevin Paige (41:29.152)
Yeah, yeah. It’s like, oh my gosh. And then how do we secure any of this? Well, nobody ever thought about that. Oh gosh, of course not. Because nobody worries about it until after it’s already an emergency and how to secure it. Right? So, but yeah. And it’s only getting more and more. Right? You know, I mean, we take a look at, you know, where chat GPT and AI is going. Right. And, you know.

John Verry (41:51.154)
I was just smiling to myself. There’s a little smile on my face. The smile on my face was I was like, okay, when AI PP or whatever is the next component that you plug into the platform to deal with the guidance that we just got from the presidential executive order on responsible use of AI. Yeah, you’re absolutely right. Well, that was so funny. I love talking with young people.

Kevin Paige (42:11.202)

John Verry (42:19.426)
that are trying to get into the field of information security. And they have this perception that it’s going to take them years to get, John, you’ve been doing this for 20 plus years. And I’m like, no, you don’t understand. Like all of the knowledge that I have from 15 years, anything that’s older than five years old, it’s legacy, it almost doesn’t matter. I mean, it’s context to understand today, but I mean, it’s a wonderful time to be jumping into the field of information security or application development or any other field, because all of the old crap.

right, is so diminished, right? You can jump in now and you can be equal to a person that’s been in the field for 20 years in a relatively short period of time. It’s an awesome time to be in information security.

Kevin Paige (43:03.032)
It is, yeah, I agree. I definitely haven’t been doing it for so long. I definitely see history repeats itself quite a bit just in the way people approach problems and the way people try to solve something they think has never been solved before. But being able to keep up with the rate of security change, like you said, younger people are used to social media. They’re used to…

They’re used to having a phone in their head and it 24 by 7, right? And understanding how it works and what people are doing with it. There’s definitely a, they have a leg up in that particular aspect. So bringing those two worlds together is great. When you’re building a team, building people that are kind of younger and really understand like the way that people use tools now and then bring other people together that are

understand things that have been done and things that didn’t work well and why they didn’t work well and then mixing them together with newer technologies and why they could work well now is very interesting for security.

John Verry (44:10.346)
Yeah, I hadn’t even thought of that latter idea of yours where they have such a more

a higher degree of awareness of the bulk of the new workforce and how they think and how they work. So I couldn’t agree with you more. Did we miss anything?

Kevin Paige (44:32.532)
No, I mean we talked about so many cool things and we didn’t say, we minimized acronyms as much as possible, which was amazing.

John Verry (44:45.619)
So, give me a real world or fictional character that would make an amazing or horrible see-saw.

Kevin Paige (44:56.308)
So I’ve got one that I think that would be pretty interesting, right? So I would love to see Sherlock Holmes as a CISO from a fictional character perspective. Because his ability to understand people, understand actions, piece together information, I think would be amazing. Now he’d probably have to be on the detection response side. I don’t know if he could be on the side that actually helps.

developers and helps people learn. His personality might make it difficult on the proactive side of the house and explaining why people shouldn’t do things. But after they’ve been done and you need a forensic investigator to come in and solve the problem and show you how to prevent it, I think that he would be the most amazing consultant in the world to show you what not to do and be the smartest person in the room.

John Verry (45:50.962)
Yeah, I think having on the incident response team would be better than having to miss your CISO, right? Because ideally your CISO is thinking about preventing the attack. You know what I mean? So, alright. So if somebody wanted to get in contact with you, what would be the… or someone else had Uptix, what would be the… and Uptix, by the way, for anyone, is U-P-T-Y-C-S. They… you know, I don’t yet know the product very well.

Kevin Paige (45:56.345)

John Verry (46:17.722)
But I’m very intrigued by it having been introduced to it through this conversation and the prep work I did.

Kevin Paige (46:23.952)
Cool. Yeah, yeah. I mean, LinkedIn is always easy, so I’m always on LinkedIn. So yeah, if anybody has any questions, you can always reach me on LinkedIn and then I can direct you to whoever you’d like to talk to or just get involved in a good conversation and debate on why there’s so many acronyms in the world.

John Verry (46:42.494)
Yeah, like I already told you it’s because consultants think that it makes them sound smart. Right. How many acronyms can I squeeze into a single sentence? You know, that’s the smartest guy in the room. This has been awesome. Thanks for thanks for making me a little bit smarter than I was 48 minutes ago.

Kevin Paige (46:49.55)

Oh. Totally. Yeah.

Kevin Paige (47:01.684)
No problem, John. Thanks very much for having me. It was a great conversation.