Afternoon Cyber Tea with Ann Johnson 10.4.22
Ep 60 | 10.4.22

Cyber Resiliency with Sounil Yu

Transcript

Ann Johnson: Welcome to "Afternoon Cyber Tea," where we talk with some of the security industry's biggest influencers about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision-makers. I'm Ann Johnson. And today we are going to discuss the evolution of cyber resilience and what organizations can do today to build resilience for the future. I am joined by Sounil Yu. Sounil is the chief information security officer and head of research at JupiterOne, a cyber asset management and governance solution provider that delivers visibility and security into entire cyber asset portfolios.

Ann Johnson: Sounil is a security innovator with over 30 years of experience creating, breaking and fixing computer and network systems. He previously served as a CISO in residence at YL Ventures, where he advanced the firm's ideation support of up-and-coming entrepreneurs, vetted candidates and concepts of the pipeline and amplified the firm's value-added services to its portfolio companies. He serves on the board of the FAIR Institute, teaches cybersecurity technologies as an adjunct professor, and he co-chairs Art Into Science: A Conference on Defense. Sounil also advises many security startups on their journey to success. Sounil holds a master's degree in electrical engineering from Virginia Tech and a bachelor's degree in electrical engineering and economics from Duke University. He is a certified CISSP and a certified GSEC.

Ann Johnson: Welcome to "Afternoon Cyber Tea," Sounil. 

Sounil Yu: Thanks, Ann. It's great to be here. Thanks for having me. 

Ann Johnson: I was really excited to get you on the show because I've seen you present, heard you speak many times, and you're a wonderful storyteller. And the content you provide is so rich and dense and gives us a new way to think about the industry. So let's go right into it. Cyber resilience is something that the security industry has been talking about for a long while, but over the last few years, the concept has evolved quite a bit. You have played a really big role in shaping the conversation on cyber resilience, and you've developed multiple frameworks that leaders use today. So from your words, how has the conversation evolved? What are some of the paradigm shifts we are seeing in the industry? And how will that necessitate a new approach to cyber resilience? 

Sounil Yu: Sure, Ann. So one of the challenges that I saw and one of the reasons why I tried to shake up the ecosystem is because I didn't see the conversation evolving as quickly as it needed to. What I saw in the market was the propensity for us to sell solutions - or from vendors to sell solutions that really solved all the problems. And one of the frameworks that I created was this thing called a Cyber Defense Matrix, and it's a simple mental model that helps us understand all the different things that the vendors are selling us. And it became pretty clear as I was mapping out all these different vendors that there was a massive gap in the market for solutions that help us recover against cyberattacks. And as I studied this matrix and as I tried to understand why this was the case, there was a revelation that came about in terms of why we might be missing something in that space, from a timing standpoint and just our thinking standpoint. So this paradigm shift is really - as we move into this stage of recovery, as we try to tackle the space around recovery, just a massive gap that's in the market made it very clear that we needed to think differently about how we tackle that problem. 

Ann Johnson: So when you think about then - that when you think about, actually, the recovery aspect from organizations and a response aspect for organizations, can you tell us a little bit about what your approach is and why you think it's important and why you think we need it now? 

Sounil Yu: Sure. Yeah. So the way to understand is it requires a little bit of storytelling, as you were hinting at earlier. And it became evident as I was looking at the track record of history or the trend of history in cybersecurity that we're starting to emerge into this era of resiliency. So to be able to explain this, let me go back in time. Back in the '80s, one of the things that we dealt with was just the introduction of new IT into our environment. The first set of questions or problems that we had was just understanding, what do I have? What did I just buy? And what business function does it support? Then you fast-forward 10 years, in the '90s, we started seeing viruses. We started seeing people send those ILOVEYOU messages and walk into our networks, and so we needed solutions to be able to tackle that set of problems. And the market delivered on that by delivering things like firewalls and antivirus and configuration guidelines and so on. You fast-forward 10 more years, we're now inundated with alerts from all these tools, and we're trying to find intrusions based on those alerts. So because of the difficulty we had with that, we ultimately ended up coming up with things like SIEMs and intrusion-detection systems.

Sounil Yu: Fast-forward 10 more years, we're now in the 2010s, and we're having to fight fires all the time. We have to assume breach and the tools and the people that we need are firefighters and firefighting tools. And what was interesting in this pattern is, the '80s, we had an identify problem. The '90s, we had a protect problem. The 2000s, we had a detect problem. And the 2010s, we had a respond problem. For those who are familiar with the words I just used, that is four of the five functions within this cybersecurity framework. So then naturally, the next era, the 2020s, the era that we're in now, is a recover problem. And I'll use the word resiliency as a proxy for the word recovery. But the idea is that we're now in the age of resiliency. And the last decade, we were in the age of incident response. All right. Well, we're in this new age, and we're going to need new solutions because the solutions of the past don't seem to address the problems of the present. And it also requires us to think differently about how we tackle those particular problems as well.

Ann Johnson: So when you think about, you know, as organizations are evolving these approaches - right? - and we're all familiar with the terms, if we've been in the security industry, but I'm sure, you know, organizations think they need to have some philosophical conversations and then translate those into investment and action. What are some of the conversations organizations should be having - things that are practical, right? Because it's one thing to have philosophical conversations and it helps people - right? - conceptually understand what they need to do, but how do those translate into prioritized investments you think leaders should be making to improve their cyber resilience? 

Sounil Yu: Well, the philosophical - the kind of conversations that we need to be having now is around, what is the new way of thinking to tackle this new problem that we have? And by the way, as I mentioned with the timing, the timing is now, and we're starting to see the emergence of recover-oriented or resiliency-oriented attacks. The epitome of that, in our world today, is ransomware. And so that is really driving these conversations beyond just the philosophical ones into specific needs for investment and action to address the ransomware threat. 

Sounil Yu: So if you ask many leaders, whether they're in security or not, you will hear that ransomware is a pretty prevalent threat because it's affecting so many different organizations and so many different institutions across the board and is having some real-life, real-world effects. So it's driving now this question of, how do we actually improve our resiliency to these attacks? But as I mentioned before, one of the challenges that we have is the way that we're approaching that - it's the old way of thinking about tackling that is pervading the approaches that we're trying to take, where instead of trying to design new types of solutions or new types of approaches to address the recover or the resiliency aspect of things, we're actually just focusing on more protect, detect and respond, the older approaches of the yesteryears, in this new problem that we're facing. 

Ann Johnson: So when you think about that, then, and you think about protect, detect and respond and the fact that organizations continue - right? - down that path, how do you shake them up? How do you get them to change their thinking and move into a point where they realize - 'cause I - as you know, I've written a blog a lot and spoken about cyber resilience for the past four years. And as the - you need to understand where your critical business systems are and get them back online as quickly as possible, you know, is the core of it, right? But how do you get organizations moving when they're really tied into the past technologies and the past methodologies and the past architectures? 

Sounil Yu: Yeah. So I took a different approach, which attempted to take a complete break from our old way of thinking. And if I were to distill it into a common framework that we in security are familiar with, it used a whole different paradigm or whole different perspective. And the old way of thinking is what we call the CIA triad in security. And CIA stands for confidentiality, integrity and availability. The new paradigm or the new way of thinking, one that I tried to take a complete break from, is what I call the DIE triad. And DIE stands for distributed, immutable, ephemeral. And the acronym, by the way, is intentional as well. 

Sounil Yu: So the DIE triad takes a complete break from the CIA triad. And specifically, one of the things I'm arguing is we tried to take a DIE approach first before we try to secure anything. And this may sound heretical to a lot of people in security 'cause we oftentimes think security first and so on, so on. But I am actually arguing we need to take security - do security second, with the primary emphasis being, how do we make some system or some data or whatever it is that we're trying to deal with more distributed, more immutable and more ephemeral? Unfortunately, we can't always seem to get to D-I - like, just as much as we can't secure everything completely, we can't also make something completely DIE, either. So it's going to be a spectrum in terms of this range between something that's - requires CIA versus something that requires DIE. But the idea is, let's move a step towards DIE first, and failing that, we then try to secure whatever. 

Sounil Yu: And if this isn't clear for the listeners, let me give you some examples of what I mean by this. So the more something is DIE, the less CIA that's necessary. The more something is ephemeral, let's say - a two-factor token, as an example - then the less I need to worry about the confidentiality of that two-factor token 'cause by the time it's revealed, within a couple of seconds it's no longer confidential, right? If something is highly immutable, then I don't need to worry about the integrity of that anymore. And if something is highly distributed, then I don't need to worry about the availability of any one thing. So the - again, the perspective is consider DIE and CIA to be on two ends of the spectrum. And the goal here is to, instead of trying to secure everything, make something DIE first. 

Ann Johnson: Where do you think the organizations are on that spectrum? 

Sounil Yu: It depends on the - not - actually it's the - not - it doesn't depend on the maturity of the organization. It actually depends more on the - how new or how modern the organization is, as it relates to the tech stack. There's a huge migration to cloud-based environments, and cloud being both on the infrastructure side, on the platform side, as well as on the software side. And as organizations adopt more on the cloud and SaaS side of the world, I think they are actually embracing more of the concepts of DIE, without really even realizing it. The cloud itself is far more distributed, immutable and ephemeral, and in fact, it's designed that way, right? If you think about the nature of doing - using somebody else's resources, you want to design it to be distributed, immutable and ephemeral. Conversely, when you build on prem, you end up with a lot of things that aren't as distributed, immutable and ephemeral, and as a result, you have to protect the confidentiality, integrity and availability of those resources. 

Ann Johnson: So do you think that, you know - and I'm always trying to be an optimist, right? I always am working to be an optimist in cyber. And I agree with you, by the way, that things need to be more ephemeral, that we need to have more just-in-time privileges that expire very quickly, that we need to actually have conditional relationships with data and with access. How long do you think it's going to take the industry to start moving in that direction? And in doing so, do you - what's going to get in their way? 

Sounil Yu: Actually, so a funny thing is, I think that what's going to get in the way is security people. Because effectively, we in security are well vested and well employed and what we're rewarded for doing - CIA. And what I'm actually arguing is that, on the other end of the spectrum, we have a situation where we are not going to be - where we lower our burden for security. And one way, general way that we can think about the type of resources that we oftentimes build in these environments that are on prem, is to think about those as long-lived resources that we have to care about. And one of the analogies I use is that we oftentimes build pets. And these pets are things that we have to care about. We give them a name and so on and so forth. And so because organizations build a lot of pets, we are veterinarians within our IT organizations. Instead of being veterinarians - well, what I'm actually suggesting that we do is become more pet-control officers, where we control and we are very deliberate about how many pets that we choose to adopt. Whenever an organization adopts a new pet, and they have every prerogative to do so, we take on a new burden. And that burden is to take care of that pet and to ensure that they're well-fed and they get veterinary care and so on and so forth. As you know, for many folks, we - there are many people who adopted a pet during COVID, and they're regretting that choice, unfortunately, for some folks. But they can't just - you know, it's horrible to think about leaving a pet without care, right? In fact, they should be prosecuted for that. So likewise, in our IT environments, business owners and business leads must be very intentional about adopting a new pet. And what we want to be able to do is to just be more cautious or more intentional about when we choose to adopt the pet and not have just pets grow rampantly without proper attention.

Ann Johnson: So do you think pets - and I love that analogy, by the way, because I think it's something someone can really understand - do you think pets are one of the things that leads us to a tremendous amount of technical debt, but also leads us to organizations that have 250 unique security tools in their environment, but it's really unmanageable for them and they're not any more secure? 

Sounil Yu: Yeah, and one - another way to characterize it is, is our problem today - let's take the workforce problem. Is the problem that we have today more based on not having enough workers in the environment or is it based on having too many pets in that environment? And I would argue that having too many pets exacerbates the problem far more than just having not enough workers. So similarly, when we have so many pets in our environment, we have to have lots of different tools. Now, of course, if they were all of the same type of pet, then I'm sure it's much easier to scale and to address that. And that's actually where I think the opportunities for cloud providers really shine because they're not having to deal with thousands of different types of pets. They're dealing with a certain class, and so they're able to scale that much more effectively than organizations that don't have the resources to do that and have to otherwise deal with so many different varieties of pets. So, yeah, I think the fact that we continue to adopt, without clear intentions and without, well, without intentionality, results in having this wide range of tools that we don't really have the talent or the manpower to be able to handle. 

Ann Johnson: I think that until we get to the place where - people become very attached to their projects - right? - and they become very attached to their pets and they don't ever want to give up the project. And I think until we get to the place where people are kind of looking at it holistically and saying we have way too much in our environment that we're not getting return from - but that's a really long journey, has been my experience. So is there anything - let's assume people are going to keep all their pets. Let's assume those pets aren't going anywhere. What else could they do, in the short term? If there were one or two steps, you'd say, look, ok, I acknowledge you're going to keep all your pets, but in addition to your pets, please do these two - one or two things, so you can at least start migrating to a new paradigm. 

Sounil Yu: Sure. And this is what I was suggesting, in terms of our thinking - changing our thinking around - for security, from having to feel like you have to secure everything to thinking around, how do we incentivize and how do we encourage people to build systems to be distributed, immutable and ephemeral instead? And let's take the ephemerality aspect real quickly. The perspective here is that we can - I can tell you when something is about to become a pet just by looking at how old the system is. So if a system starts aging, then by - just the simple fact that it exceeds a certain time frame makes it more pet-like. And if I'm a pet-control officer, the way I would look at that is to say, look. This resource that you created is starting to look more and more like a pet. Can we ensure that we have, if you choose to adopt it - and again, you have every prerogative to do so - then let's make sure that you have the proper veterinary care. Otherwise we'll have to do something, you know, in the pet-control sort of sense to ensure that we don't have unintentional propagation. 

Sounil Yu: One other analogy I want to throw out there for your listeners to help this resonate is, consider within your body - you have many different cells. Consider, what are your longest-living cells in your body? Ann, do you have a thought, in terms of some of the longest-lived - like, what kind of cells might they be? 

Ann Johnson: Wow (laughter). Definitely not skin cells. They're very short-lived. But - just - yeah. 

Sounil Yu: Right. So some of the longest-lived cells are your brains - brain cells, right? And that's well-guarded, right? It's secured by a skull with a membrane and a bunch of other things that help you secure your brain. But your skin cells, which are very short-lived, are entirely exposed. Earlier, you mentioned, how do we embrace this concept and ensure that we control access and so on and so forth? Well, my argument here for the DIE triad is, I don't really care to control access. Think about your skin. The environment has direct access to your skin, right? And it can attack it. And the skin cells are actually programmed to DIE, in such a way that it continues to replenish itself and recreate itself without causing harm. Now, consider this one additional piece, which is, what do you call a skin cell that lives too long? 

Ann Johnson: I don't know. 

Sounil Yu: Well, it's called cancer. What do you do? You cut it out, right? So within our organizations, we need to think more and more around, how do we think of these assets in such a way that we are very conscious and deliberate in keeping these assets as ephemeral as possible, using one of the attributes of DIE? And when it doesn't become ephemeral, you make a decision. Do I want to keep this asset or not? And the worst case is when you have a situation where an asset lives too long and becomes cancer within the organization. It metastasizes, and the attackers take advantage of that and find ways to compromise your environment and affect other pets in your environment, as well. And that's what we're trying to avoid. We want to avoid a situation where people don't accidentally enable these skin cells to become cancerous and then cause other issues in your body. 

Ann Johnson: Yeah, I totally get that. I - you know, it reminds me of a story that I heard from one of our customers in Australia who was talking about the fact that when the railways were built in Australia, they were built by folks who brought over camels to help move - because the supplies that had to be moved were so heavy, right? And there wasn't - this was a very long time ago. This wasn't in modern times. But now the - but they left the camels behind, and the camels are not native. So they've become pests, right? So it reminds me of a lot of our security programs, where folks get tooling that's purpose-built. It's purpose-built to solve a specific problem. But over time, that problem - it doesn't exist any longer, or that problem has changed and morphed. And the tool they bought is really just a pest in their environment, at this point in time. Does that make sense to you? 

Sounil Yu: Yes, it's funny 'cause just with a flip of the two letters, you can go from pets to pests, right? And what we want to be very clear on is, being very intentional to ensure that your pets aren't pests and as - and that they become pests when they're unmanaged and they're untreated. And they become this cancer in the environment. So, yeah, that's a great analogy and a great way to think about it, as well. 

Ann Johnson: OK. I was just trying to, yeah, conceptualize that. But I agree with you. Look, as security, we have to think differently. Like, what we're doing, to date, has been reasonably successful, right? We're probably still one step ahead, but there's still a lot of events. There's - for every event you see on the news, there's thousands of events that are happening on a daily basis, and we need to change the paradigm in the industry. When I first heard you speak about the DIE concept, I said, yes, that makes perfect sense. It really, really resonated with me.

Sounil Yu: Actually, Ann, can I... 

Ann Johnson: Yeah. 

Sounil Yu: ...Chime in on something? So you said... 

Ann Johnson: Please. 

Sounil Yu: ...We're one step ahead. And I'm not sure who we is here, but if you were referring to security, I would actually say we're all - usually one step behind, right? But I believe - one step behind from the attackers. But there is a part of the organization that is persistently one step ahead of the attackers, and that is actually the business. The business has every imperative, every desire to move faster than their competitors, right? And so to think that the attackers, and trying to undermine them, whether they're actual competitors or hackers. But the point being, the business is actually highly incentivized to be as fast-moving as possible. And I think the DIE paradigm actually enables that far more than the CIA paradigm. If you think about the speed of the business, the organization wants to, again, move fast. And having, for example, fewer legacy assets, which are essentially pets, wouldn't that - don't you think that would enable the business to move faster? The more legacy assets, the more things that the business accrues, that requires CIA, actually slows the business down. 

Sounil Yu: So anyway, the perspective of being one step ahead - I think DIE is far more aligned to the business and helping them move faster. And in many ways, that doesn't - the other beauty of the DIE triad is that the business already wants this sort of motion anyway. And it's just a matter of having our security teams and our security leaders think differently about this new paradigm shift. And say, how do we enable the business to build systems that are more DIE and not so much CIA? - which ultimately, again, allows us to have fewer legacy assets to deal with, as well as fewer things to secure. 

Ann Johnson: Yeah, and I think that's the important part. And when I say we're one step ahead, I mean, I know how many breaches we stop on a daily basis versus what actually gets out into the wild. So that's a very specific reference. It has nothing to do with the decades of technical debt that organizations have that they can't handle. And to your point - and I love - here's what I love about the DIE concept. You cannot secure all that technical debt. But if you make access to that technical, that ephemeral, then you can secure the access. And that's actually more important. 

Sounil Yu: Yeah. And the way that the - I would frame that statement is to say, just as much as we can't have something perfectly CIA, we can't have something perfectly DIE, either. The goal here is to reduce all the things that we have to otherwise secure. And because we can't make something fully DIE, we're going to have to fall back and say, you know what? At least - we're going to still have the secure, let's say, the orchestration system. We're going to still have to secure the access, as you're mentioning. There's some elements of which we still have to - may have to still secure. But what we have to secure is far less than having to secure everything else in your environment. 

Sounil Yu: Think about the ratio of your brain cells to your skin cells or to - the ratio of long-lived cells in your body to short-lived cells in your body. It's something like 0.0001% of your body is long-lived cells. Think about that for a moment. It's - that's a - that's such a dramatically small ratio compared to what we probably see in most IT environments, where you just have a lot of things that have to secure. So trying to drill that down to something that's less - or just fewer things to have to corral makes everyone's life easier, especially on the security side. 

Ann Johnson: So I want to change topics just - and it's not - it's something that's just completely tangential. Can we talk about threat intelligence for a minute? I believe, and I think you believe, that collaboration and sharing threat intelligence and doing a better job between private-private sector, public sector, or public-private sector is critical on a global basis. What role do you think this type of collaboration plays in the topic of cyber resilience, and what forms or opportunities do you advocate?

Sounil Yu: Sure. So this is - I don't always try to be a contrarian, but I'm going to offer another contrarian thought here, which is in the information - threat intelligence side of the world, we oftentimes advocate information sharing. And I would make an argument that we need to stop information sharing. Instead, we need to move towards knowledge and wisdom sharing. And the words are very deliberate here. There is what's called the DIKW pyramid - data, information, knowledge, wisdom. And the goal here is to move up that stack. I don't want to keep sharing data and information because that's honestly of low value. That's more of the what. I would rather talk about the how and the why. And the how and why tie into knowledge and wisdom. 

Sounil Yu: When it comes to threat intelligence, there's only so much value in what you discover. There's much more value in how you discovered it. I don't actually need to know - when you find evil, I don't need to know what evil you found. But I do want to know the method by which you found that evil, OK? Similarly, in the vulnerability space, I don't necessarily need to know what you found broken, but I would love to know how you found it. And we oftentimes share tools, on the vulnerability space, but we don't necessarily share as many tools or patterns in the intrusion, how we found the evil space. 

Sounil Yu: And the reason why I bring this up in the context of resiliency is what we need to share more of in the DIE space is going to be the patterns - the design patterns - for how we build a system to be more distributed, immutable and ephemeral. The tools and the Lego bricks that we're using aren't actually new. Rather, it's how they're being assembled that is remarkably new and different. An example of that is - I'll use a buzzword - blockchain, OK? The underlying technology that undergirds blockchain is not very - is not new. It's how those components were assembled that now create this very distributed and immutable distributed ledger. Now, I haven't figured out exactly that - well, blockchain isn't very ephemeral, unless you're referring to the cryptocurrency that's on it. But, you know, the fact that there's a highly distributed and a highly immutable design pattern has really caught the world's attention. And people are starting to really adopt blockchain as a design principle because of the value that it has in those two elements. And so the perspective here is that we need a way to share more of these design patterns. Just as much as in threat intelligence, I think we need to share more of the design patterns of how we discover badness, not just the evidence or the indicators of compromise of badness.

Ann Johnson: Yeah, we talk about that a lot - right? - the tools of the trade, the tactics, the techniques. Those are more important, in a lot of cases, than the indicators of compromise or indicators of attack. I completely agree with you that we have to get better about sharing how something happened - the actual techniques that are used by the bad actors - because that will tell us - look, the IOCs and the IOAs, those things you can plug into your machine learning systems and they can track something, is important. But understanding how the actors are operating is often much more important. And we could - you and I could go on for, like - for that - for about - next hour, but we don't have the next hour. So I know you always have a lot going on. Can you share with our listeners what you're working on right now and what's interesting and exciting to you? 

Sounil Yu: Yeah. So actually - let me - I'm going to tie - answer that question with a reference back to the point you just made around what we share. I think one of the things that I was hoping from the Cyber Safety Review Board is this perspective of, given these threats, what type of design patterns were most effective in addressing those particular threats? And as many may know, the Cyber Safety Review Board reviewed Log4j. And unfortunately, I think the whole notion of, what were the safety elements that helped - or the design the elements that helped contribute to an organization not getting - not having to deal with the Log4j issues, it got some mention in the report. But it almost was like a second-class citizen. 

Sounil Yu: And this goes back to my comment that I think we need to share those more broadly and broadcast those out to a much larger audience and give them more prominence. And the way I've been thinking about this - and I emphasize the word safety a couple times here - I think a lot of the things that we do in cybersecurity is actually a safety practice. And unfortunately, our words don't help us here. We say cybersecurity to mean cyber safety. It's like in Spanish - the word for safety and security are the same. But in English, they are distinctly different. And if we were to think about - and let's say, for example, if we added the word food in front of it. Food safety is very different than food security. Food safety is about hygiene. It's about compliance. It's all these best practices for how you work with food. Food security is baby formula and Ukrainian wheat, and there's only so much you can do about that. But there's a lot of things that one can do about food safety, just as much as I think there's a lot of things that organizations and individuals can do to deal with cyber safety. 

Sounil Yu: And the practices that we share, the lessons that we learn, the design patterns that help us maintain a more safe cyber environment, I think we need to do whatever we can to accelerate the sharing of that kind of insight and those types of design patterns. Anyway, that - this distinction between safety and security is something that I've been mulling over to understand the differences and ultimately help us design systems better and to improve our practices, overall.

Ann Johnson: Yeah, I agree with you. And by the way, I've heard you talk about that before. And next time I have you on - I will have you on again if you're open to it - let's - we can talk about that specifically. And we can also talk about the difference in different types of threat intelligence in more depth. But I want to thank you so much for joining us today, Sounil. We try to send our listeners off with one or two key takeaways about what you think they can do today. What controls would you put in place in your environment today? 

Sounil Yu: Well, I usually end with long live DIE. And the perspective here is that the one control that you can put in immediately is to have a control that looks at the lifetime of your system and alerts you when something goes past an acceptable timeframe. So that acceptable timeframe for me at JupiterOne is 24 hours, which is crazy low. And by the way, my CFO loves that because it means that we don't have resources that are taking up cost - right? - causing more cost. So the one takeaway is, implement DIE by looking at, let's say E first, the ephemerality, and just track the lifetime of your systems and create alerts on those systems that exceed a certain time frame. 

Ann Johnson: Perfect. Thank you so much for joining us. 

Sounil Yu: Thanks, Ann. Glad to be with you. 

Ann Johnson: Many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea." 

Ann Johnson: So I invited Sounil on the show because I heard him speak a couple of times on the topic that he has of changing the paradigm of how we do security, from actually securing everything to making interactions and access more ephemeral so that we actually don't have any permanency in our controls, or much less permanency in our controls. It was a fascinating conversation. He's a deep thinker on the topics of, you know, how we think about cybersecurity and what we should be doing in the future. And I'm sure you'll enjoy the episode.