
Nasrin Rezai on the Frontlines of Cybersecurity
Ann Johnson: Welcome to "Afternoon Cyber Tea" where we explore the intersection of innovation and cybersecurity. I'm your host Ann Johnson. From the front lines of digital defense to groundbreaking advancement shaping our digital future we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. Today I am excited to be joined by a powerhouse in cybersecurity leadership, Nasrin Rezai, senior vice president and chief information security officer at Verizon. Nasrin brings decades of experience in shaping security strategy, policy, and architecture across some of the world's most complex infrastructures. She has also served as co-chair on an FCC federal advisory committee helping to improve the security and resilience of national communication systems. Nasrin, welcome to "Afternoon Cyber Tea."
Nasrin Rezai: Thank you, Ann. Thanks for having me.
Ann Johnson: So I would love to start with the landscape and what you are seeing out there. You've spoken on the evolution of threats and the impact that evolution is having on incident response. What patterns are you seeing emerging?
Nasrin Rezai: Good question. So let's start to kind of frame it, Ann. And you and I've talked about this recently, about what we're seeing on the nation state and cyber criminal front. Then I'll talk a little bit about kind of methods and what we're seeing, especially what we have recently published in the Verizon 2025 DBIR report. So I think you agree with me, Ann, that nation state threat actors and cyber criminals continue the scale, scope, and impact of attack against global infrastructure. That's given and it continues. On the nation state front I would say the most prolific definitely most sophisticated one is China that's focused both on espionage, sabotage, and destructive types of attack including exploiting vulnerabilities in network H devices for what I call initial form of access. And really using many living off the land techniques to avoid detection. Russia continues with their influence operation and they have aligned many of their cyber campaigns with broader what I call strategic and military objectives. Iran has conducted asymmetric warfare operation and at many times masquerading their activities as hacktivism, but really opportunistically also compromising critical infrastructure globally very much focused on industrial control systems. I think you agree with me that there is not anyone in the cyber or HR community in the recent years that -- who hasn't dealt with North Korea. Right? As a set of fraud schemes targeting large and small companies I would say really with garden variety types of attack. Very much focused on cyber criminal activities and generating wealth for the regime. But we're seeing them also being extremely resourceful in cryptocurrency theft. So that's kind of how, Ann, I frame it from an attack perspective, but with a double click with a lot of focus on critical infrastructure. 
In terms of the attack types what we published in the DBIR report is that we're seeing an increase of exploitation of vulnerabilities as an initial step for data breaches that has grown by 34% and it accounts for 20% of breaches. Third party breaches went up from 15 to 30. That's the bane of my existence and you probably know that in all enterprises stolen credentials are the most common form of breach at 22. And really this continued what I call sophistication of attack against critical infrastructure. In the area of ransomware there were a few things that were different. Definitely ransomware went up from last year, but in our Verizon DBIR report we state that the median amount paid to these ransomware groups decreased, and that 64% of the victim organizations didn't pay which was up from 50% a year ago. So this also points probably to how many companies are doing better in some of the recovery processes and they're unwilling to pay. In the area of AI, which I will probably wrap this question with, we saw general trends in AI based attack focusing on the category of mostly phishing and misinformation. And we haven't yet seen really AI based sophisticated breaches and attacks at an industry level. I don't know if this is also your observation, Ann.
Ann Johnson: Yeah. It's really everything you've said is really consistent to what we see in the landscape. I think that when you think about nation state criminals they're -- the funding, the level of persistence that they have, and the focus they have on critical infrastructure is something that we're only seeing increase in recent years whether -- as you mentioned, whether it be espionage or destructive attacks. So if you think about that and think about everything you just discussed, how did offenders think about defense? You know there's multi sector attacks. It's highly focused on critical infrastructure, very well funded, sophisticated, and persistent actors are the lessons we can take. And what aren't we talking about enough? But also what should we be doing for modern defense?
Nasrin Rezai: That's a very good question. And something that I started to talk about, Ann, in different forums is the set of incidents that all telecom in the past year experienced with respect to China as a threat actor and a vector of attack. I'm double clicking on it not so much to talk about who it was, how it was, but it was exactly what you described. We're seeing this continued attack against critical infrastructure and telecom was in the past year a victim of that. And when you think about it there are many lessons to be learned from it starting with maybe their methods. First of all the key methods that they used in the tradecraft of this group was use of what I call very much valid stolen credentials. Living off the land techniques on network devices. Continuous movement and pivoting to detract detection and response. And also another element to this was that they were able to move within trusted infrastructure in places that were not -- where communication might not otherwise be permitted. And something else that they were able to do, modifying devices' running configuration to be able to make detection extremely difficult and using a variety of tools and techniques to capture additional device level packet data and be able to do more and more of their movement across. So you would say what is different about it. The difference in similarity with some of the other infrastructure based attacks we're seeing is that the attack was directly against network and infrastructure devices. It wasn't about going and getting data against a database and the cloud and the application. It was what was within those network devices. To answer the second part of your question, the lessons that are not being talked about, some of them are very, very basic. Doing the fundamentals. Right? Right. It is as important to do for network and infrastructure as it is for application and data.
Access management, whether it's multifactor authentication, whether ensuring that we reduce the lateral movement with different forms of access control, and really protecting all critical components of crypto, cryptographic signing keys, adopting MFA across the board. Really having good solid standards around safe secret standards and the validation of those was important. The second dimension of the fundamentals in our mind is about what we call situational awareness. Having proper logging and monitoring across every part of the network. Sometimes the stuff that we don't talk about enough is are we doing a proper set of logging and monitoring and do we maintain that for a long period of time. That's really important. The other, the third element of what they were able to -- what we have seen pattern wise from an exploitation perspective was manipulating configuration management and being able to take advantage of unnecessary ports and protocols that sometimes are on these devices that in reality don't need to be there. And they need to really reduce or sometimes completely remove some of these services from these sets of devices. And having a very clear set of capabilities to monitor that. Sometimes cyber professionals leave that to the network teams and I think that's a governance function with some of these very focused targeted infrastructure type of attacks that we're seeing that I think a more controlled governance structure, a technical one, is needed combined with doing proper vulnerability management. End of life support for some of this hardware and these devices is very important.
Ann Johnson: I think what happens is that leaders often overlook network and infrastructure security. They kind of forget about it as they're thinking about modern defenses. And a lot of those devices cannot be updated. Right? It's traditional legacy network equipment that has long lifespans. How do you approach security for those type of devices that can't support what we think about modern defenses?
Nasrin Rezai: Beyond the fundamentals that we just talked about, right, because whether it's a network device that cannot have some of those set of modern -- set of fundamentals, you still can do fundamentals against them, the ones that I talked about. Beyond that it's the mindset that says a couple of additional things. Beyond fundamentals you can make it harder for the threat actors to move laterally across your network beyond the devices. So you can in that category you can defend all of your third party network paths. You can build a true zero trust construct within your network that says, "Don't trust others and don't trust yourself." The zero trust principle, that thinking about modern architecture, is equally applicable to network devices and enforcement with MFA. Very, very important. The other component of it, Ann, is from that network element that sometimes you can't drop a CrowdStrike on although there are new technologies out there that are actually allowing us to protect them. It's application fundamentals, but some basic additional things, putting those user access methods, access to those network elements only through jump hosts, and those jump hosts need to be managed as a security function. Making sure that all the functional account access is in password vaults and done properly in that fashion. And really getting to a mindset that I say isolating the infrastructure with what I call just in time access methods because just because an individual had access to a network device or a key component of infrastructure they don't -- doesn't mean that they need to always have that access. It needs to shift to a just in time access method. So that's how I would describe it, Ann. Big box is fundamentals. The second one is making lateral movement hard with zero trust and more and more identity enabled control. And the third element is making the protection of that network element, an attack against that network element, harder for the threat actors.
Ann Johnson: I love that. So even if the devices themselves, right, are unable to be quote unquote managed or protected at the device level there's a tremendous amount of things you can do to prevent lateral movement across the network using modern security. And I think that's -- sometimes I think we get so hyper focused on the device, you know, it's like losing the forest for the trees. We forget about the bigger picture and that we actually still can secure the environment. Can you talk then about how that comes in to play with something like zero trust? What does zero trust mean to you in the context of a global highly interconnected really complex system like a telco? And how could other organizations -- what can they learn from you?
Nasrin Rezai: You know we have in telco built network architectures with an assumption that there are parts of the network you have to trust to a third party. Why? Because if you look at a U.S. infrastructure, right, if we had operated every fiber in all of the U.S. and that was all our network then we wouldn't have third parties accessing our network. But in reality the reality is that in all parts of networks globally there are some parts that run on another network. There are parts where you have a third party for the last mile of your network access. There are sometimes you bring a third party in for certain management or certain functionality. So when you think about that you have to say what is that construct when you think about zero trust. So one, ensuring that those -- if any of those trusted models need to exist, how do you put controls around them? One. It's always the basics. Do you know them? Do you have an inventory of them? And can you put boundaries around those? Number two is really identity enabling all access methods inside your network and the enforcement that we talked about. Number three is places that you don't need it really very, very actively control it and make sure it's removed.
Ann Johnson: I think that is really good context, and I also think there's emerging technologies that will help us. And, as you know, we can't get through a conversation ever without talking about artificial intelligence. So I've heard you mention that AI is accelerating the time from vulnerability discovery to exploitation. How are leaders then thinking about patching and vulnerability management and accelerating their time to address critical vulnerabilities?
Nasrin Rezai: So one of the data that we produce in our DBIR report said that the median to patching for critical vulnerability is still 23 days. So that's not good enough for a time. And you and I both know that time not yet here, but soon will be here where threat actors can effectively leverage AI to really close that gap between discovery of a bug to make it an exploitable. And when that happens the 23 days median is unacceptable. So when I think about how many enterprises do vulnerability management I would say this needs to be a very, very key focus area for us. So in some ways AI in the very near future is going to force us to defend ourselves better. So what are the key requirements? We really need to enable our IT or product teams to really accelerate how they respond to vulnerabilities. It's just this mindset of go patch more is not the right answer. We've got to bring more automation. We've got to bring AI as an enablement to identify more vulnerability, to get on them faster. We need to do more automation and analytics to determine one element of exploitability to response so that we can improve our time to response with respect to patching. I still see many of the companies that we work with haven't invested enough in automation and using AI as an enablement and analytics to make it easier for the application teams to do this faster. That gap if you agree with me, Ann, is going to soon close and that's a big to do for all of us.
Ann Johnson: It is a big to do because, as we know, they have spent decades harvesting vulnerabilities and they -- the nation state actors have a very good, you know, let's say database of where those exist. Our ability to patch and hopefully being able to leverage AI to patch faster is going to be a game changer for the industry. So I want to talk to you. We just have a couple more questions, but this one's a really -- this is really important. I want to talk to you about what it's like to be a security leader in today's era. You said that cybersecurity is a matter of national security. So what does that mean for you? What does that mean for your peers, your accountability, and how should rising security leaders think about their careers?
Nasrin Rezai: It's a big question. So we just talked about some of these major breaches and nation state attacks. I gave you the example of the one that telecom experienced and there have been many, many other examples. So when you think about it we're really dealing with nation state threat actors that are highly resourced, highly organized, and use cyber as a component of their cyber warfare strategy. So one, it is important for us to think or not think myopically about the types of attack or techniques or tactics of a particular threat actor and not to think that they won't have an integrated approach in a time of a large scale attack. To think both espionage, intelligence gathering, combined with the tech, with destructive attack capabilities to use it as a cyber warfare tool. So in that construct every one of us, every company, and let's use the U.S., but also any global companies that are listening to this podcast, they are -- we are a component of national defense for our countries. So we have a responsibility and it's a joint responsibility that I really think enterprises co-own with their government to think about that cyber now truly is a national defense matter. The second part of that, Ann, if you think about it then it goes, "Wow." We've always and for many years talked about the evolving role of CISOs. You know, we started -- you and I go way back when, you know, we were technical leaders and we were doing certain things within enterprises, but the evolving role of the CISO in being at the C level and really working through some of these extremely critical matters. When we were dealing with our incident this was we have 90 million customers on our network. We have large enterprises that use Verizon as their backbone. So that's a very important responsibility and we take that very seriously.
So CISOs need to really think about where they're positioned in their organizations and do they have the right responsibility, authority, and scale of their job, and they're aligned properly at an executive level and to the board to be able to deal with incidents at the scales we talked about? And really driving some of the principles that you and I just talked about, applying the fundamental zero trust principles everywhere and preparing for those kind of destructive attacks at a company level and many times with their large partners and the government. That combination of mindset change that cybersecurity's now national defense and the evolving role of the CISO makes this a critical matter that a lot of us have to think about where we are and are we effective in what was -- what's ahead of us.
Ann Johnson: It really is a mindset shift, but I think it's an important one because we are all part of it. You know, whether you're at a hyperscaler like I am, whether you're at critical infrastructure like you are, we are part of the collective defense for the countries that we live and work in. And I think everyone needs to take that seriously. As I meet with, you know, a lot of CISOs, people are taking it more and more seriously. Now we need to enable the systems to do that public private sharing and better private sharing.
Nasrin Rezai: Yes. 100% agree with you.
Ann Johnson: So I always close out "Afternoon Cyber Tea" with a bit of optimism. I like to call myself a cyber optimist. With that in mind, and considering everything we've talked about which was pragmatic and detailed and intended to set the record straight on some things, but you know not the most optimistic topic, right, I know you have -- I know you have optimism. So what are you optimistic about when it comes to the future of cybersecurity?
Nasrin Rezai: One is personal and the other one is it's just a positive side of everything to your point we talked about. Even though the risks continue to be high, I think, Ann, it is still possible with the right mindset, with the right operating model, with a CISO and his or her team thinking that their true business advisor, mindset, and role, and really ruthless use of technology automation and AI enablement we can and will need to tackle this challenge. I think the personal part of it for me is as sometimes difficult this job is it is such a fascinating space to be in. I cannot imagine any other job that allows me to be part of something like this that as a professional like I'm one part business risk leader, one part technology, and one part risk advisor. It just makes for a good exciting career. I guess that's my optimism and that's how I look at it to make it work on a day to day basis.
Ann Johnson: Yeah. I like that. I actually think that is -- I think these jobs are engaging. They're certainly they challenge our brains. But at the end of the day we're doing really good work and we're doing it for a really good reason. We talk about how cyber is mission driven work and I like to wake up every morning and think about that.
Nasrin Rezai: Yeah.
Ann Johnson: Well, thank you so much for joining us. I say you really provided some deep practical advice which I know the audience will appreciate. And I also know how extraordinarily busy you are so I appreciate you making the time.
Nasrin Rezai: Thank you for inviting me. This was really, really good.
Ann Johnson: And many thanks to our audience for tuning in. Join us next time on "Afternoon Cyber Tea." I invited Nasrin on the show because few leaders are as uniquely positioned as her to connect the dots between enterprise security, critical infrastructure, and of course resilience. Nasrin always brings a blend of operational insight and strategic foresight and of course what she brings is shaped by her real world experiences and her decades of leadership. Nasrin is such a great subject matter expert. This was a great conversation. And I know our listeners are going to learn a lot from the insights that she provided. [ Music ]
