Podcasts
Afternoon Cyber Tea with Ann Johnson
Ep 83
Afternoon Cyber Tea with Ann Johnson 10.17.23
Ep 83 | 10.17.23

Building Secure Tech from the Start

Show Notes
Transcript

Ann Johnson: Welcome to "Afternoon Cyber Tea" where we explore the intersection of innovation and cybersecurity. I'm your host Ann Johnson. From the frontlines of digital defense to groundbreaking advancement shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. [ Music ] Today I am joined by Noopur Davis, Executive Vice President and Chief Information Security and Product Privacy Officer at Comcast. Noopur is responsible for overseeing the full range of cybersecurity and product privacy functions for all Comcast Cable businesses, including all products and services delivered to residential and business customers. Prior to Comcast, she has held several leadership and technical positions in Fortune 500 companies such as Intel, Chrysler, and Intergraph. Noopur is the multi-industry award winner and is a champion of women in technology serving on the advisory board of Comcast, MBC Universal Tech Women. Noopur is a member of the Institute of Electrical and Electronics Engineers, the Association of Computing Machinery, Women in Cable Telecommunications, and is an appointee to President Biden's National Security Telecommunications Advisory Committee. What an impressive background! Welcome to "Afternoon Cyber Tea", Noopur.

Noopur Davis: Thank you so much for having me here, Ann. And I'm just looking forward to our conversation.

Ann Johnson: Well, you know, I've been looking forward to this conversation because you've had such a fascinating career and you have such a really strategic and important role at Comcast. For the audience's benefit, can you start by telling us how you got your start in cybersecurity and what brought you to your current role?

Noopur Davis: You know, as so much in life, it was something that was not planned. But, you know, I always tell younger women when they ask me, you know, how did you plan your career? I'm like, you don't, you just kind of respond to an opportunity. And you always have to be ready to respond. So, the way I got into cyber was I happened to be at Carnegie Mellon University at the Software Engineering Institute in the early 2000s. And really the profession of cyber was being born then. And a lot of it was happening at Carnegie Mellon. And Carnegie Mellon, you know, this is where the CERT was, you know, one of the first CERTs in the world. And we started to think about moving security to the left. So, this is, you know, what we now call security by design, security by default. And they were looking for somebody who could code. And I happened to still have my coding skills pretty sharp. And that's how I got into cybersecurity, I really started with how do you build secure products. And, by the way, Ann, you don't know this, but one of our very first collaboration partners from Carnegie Mellon was Microsoft. So, one of the very first security development workshops that we built, we actually piloted at Microsoft. So, that's how I got started.

Ann Johnson: That's really fascinating for a couple of reasons. Because secure by design and secure coding is such an important and overlooked and undervalued part of cybersecurity often, people don't talk about it, right? So, knowing you have that background gives you such unique perspectives that others generally don't have.

Noopur Davis: It does. You know, I do find that having that background helps in so many other areas of security. If you sort of know, hey, this kind of action that you take as you're designing a system or as you're building a system, or as you're writing the code, these are the type of vulnerabilities and issues that can lead to. Then let's say you are confronted by a network vulnerability or a configuration vulnerability, or some other, you sort of like go back to that mind map and you've got to go, hm, I sort of maybe know how this can happen. And knowing how something could possibly happen, I think gives you a better chance of being able to respond to it. I'm not saying you're right 100% of the time, you never are. But I think you have a slightly better chance of knowing what might be the cause.

Ann Johnson: Yeah, I think that makes sense. I have an architecture background and from an infrastructure standpoint, and one of the things I've always said is it helps to understand how things work, and understanding how things work helps you understand how things can break.

Noopur Davis: That is super profound. And you said in one sentence what I just struggled to say in 50. So, great job, Ann, I'm going to use that line.

Ann Johnson: No problem. So, you have this huge job, you know, you're the CSO and Chief Product Privacy Officer at one of the largest broadcasting, cable, internet, phone companies, you have tens of millions of customers, they're business customers, they're personal consumer customers, they rely on services of the company. We expect it to work every day when we turn it on. I'd love to unpack a bit more about those customers. They're more connected than ever, they have more devices in their hands and in their homes, what trends are you seeing today and how does that shape how you think about security and privacy for your customers?

Noopur Davis: Yeah, we are really, really lucky and also just have this tremendous responsibility. So, the mission of my team, we're very, very mission-driven, is we protect the incredible technologies and platforms that connect millions of people to the moments that matter. That's our mission. And, you know, the mission was never more important than during the pandemic, you know, people were living their lives on our platform, right, we were going to school, we were working, entertainment, health care, just about anything you could do was being done on our platforms. And just to give you an idea of the scale, we have over 100 million devices in our customers' homes. And the connection between home and the outside world, and, again, also small business, I can't ignore that, we have 2.5 million customers of our business products. That connection is an awesome responsibility. So, for example, we invested in something we called XFi Advanced Security. If you have a Comcast gateway, you just get it by default. And, you know, most of our customers probably don't even know they have it. But what XFi Advanced Security does is anything that is connected to your home Wi-Fi, we automatically protect that. So, you know, if it's going to a command and control or bad IP reputation, or if we see malware, you know, we will try to auto-remediate as much of that as possible. But based on that, we also get tremendous insights. For example, our latest cyber report, we do a report every year, we are now averaging 15 connected devices in our customer homes. The more power users will have, you know, 35 to 50. And the very interesting learnings are the place where we are finding security issues are, you know, in very odd devices like pet IoT, which is like I wouldn't even have thought about something like that, right? So, the number of connected things is increasing. And that definitely increases the attack surface. And most homeowners, most people who use those devices are, you know, not aware of the risk that comes from connected devices.

Ann Johnson: It's so interesting you bring that up because my husband and I have this ongoing debate because he wants everything in the house online so we can just get an app and, you know, use everything. And for me, it's a matter of the tradeoff, right, security, privacy, and the convenience that it will offer, but then we also have a separate network. You know the drill for us security people, right?

Noopur Davis: Totally.

Ann Johnson: And the pet IoT, so all my pets have a geolocator IoT device. So, it's just -- it is this wave of the future that anything that you can put online, you want to put online, and to your point, most consumers don't have a cyber background. So, they're exposing risks, they don't even real about -- realize. Which takes us to this IoT security topic, right? It's been a really hot topic. I know you've done a lot of thinking about this topic, specifically in how devices communicate within home networks -- customers so can you give us your point of view what are some of the challenges that the technology in telecom industries face? And what is your advice to business tech leaders and also to consumers who are navigating these challenges?

Noopur Davis: Another really good question. And, you know, the great news about a lot of this is that people are starting to pay attention. And including our government and others, right? So, you know, we just recently had the trust labeling initiative, right, that the White House and a lot of other agencies have come together and are rolling out through FCC is part of it, and others. And basically, the ask is that if not all IoT devices, at least the critical ones, and the critical ones always end up things that Comcast does and to the critical devices like routers, like cameras, like smart TVs, that we really think about how do we secure them by design and by default. And if we follow some basic security practices that, you know, there is this proposal of a kind of a cyber-health label, it's a trust label that a device can earn and, you know, the label gets attached to the device, which a consumer can then just look at and go, hm, I have some assurance that this device has met some basic security requirements. And then the other part of that program is that because you know that something that is secure today is not secure tomorrow, right? There's a new vulnerability, a newly discovered attack. And so, security is never static. So, the other part of this is that that label will have some kind of a QR code or something that when it's scanned, a consumer can go to a website and find the latest about that device. And I think programs like this are going to help because the topic that we just started with that, look, most consumers don't know cyber and they shouldn't have to know cyber, you know, you don't have to know how a combustion engine works to drive a car. You shouldn't have to know that your pet IoT could be attacked. So, something that a consumer can pick up and look at and say, hm, I have some confidence that this has met some basic security criteria, I think is a really right step in the right direction. At Comcast, you know, we are really excited about this. As you know, you know, we put a lot of effort into -- not perfect, we're on a journey, we have so many more things to do. But we invest a lot in, you know, those routers that we just talked about, right, every line of code that goes into it, you know, secure boot, secure default configurations. So, all of that is to have now capability to say, hey, I can attest to this, I think is a great way forward for consumers.

Ann Johnson: You know, that's like we're so -- and it's something consumers understand, right, it's like the UL labels that we had, and still have. So, it's something consumers are familiar, with which is just incredible. And I'm looking forward to it. Look, I'm super excited about that because it's easy for somebody to understand and it will give you some confidence. Beyond that though, what other -- what does good cyber hygiene look like for the average consumer, someone who doesn't live in this world even? I struggle when doing a briefing with my own family sometimes to explain to them, you know, why they need to use multifactor authentication on their social media accounts as an example, you know. Because they're like it's so inconvenient.

Noopur Davis: It is so inconvenient. And, by the way, I have to commend Microsoft some of -- and to, you know, other companies like Google, the advent of pass keys and things like that are really going to help with that, right, it makes that whole experience easier. But, you know, basic cyber hygiene that kind of thinks that, you know, we sort of try to talk to our consumers about, you know, through everything from emails to on our website, are exactly first is exactly what you said, use multifactor authentication wherever you can. And if you don't want to use it everywhere, then at least use it, you know, in your super sensitive like your bank accounts, your financial, your healthcare accounts like just at least in those areas. The other is be aware of what you've got connected in your home. And look at things like, you know, when I -- if I'm connecting a camera to my home Wi-Fi or, you know, just those basic things, have you made sure that it has a password? Have you made sure that auto-updates are turned on on your devices? Because most reputable device manufacturers will issue patches, right, for your devices. And then the basic social engineering. You know, in my family, we're now -- because, you know, they live with a security person and so they are becoming as hyper-vigilant. But we talk about phishing and smishing, and vishing, right? So, phishing being just through email, vishing through voicemail, smishing through text messages. But any time you get communication from somebody you don't know and it asks you to do something that feels not right, you just don't do it. If you get a message from a bank and it says, you know, click here, don't click there. If it's a bank you do business with, go log into that website yourself, and then find out what the bank wants you to do. Right. So, I think those are the key things. Authentication, especially multifactor authentication. Make sure you have basic hygiene on all your devices, which means auto-updates turned on and things like default passwords, and default configurations just looked at. And third is just, you know, be aware of social media and social engineering in general.

Ann Johnson: Yeah. I think social media, and that will bring me to my next question, next topic because everything you said is good, we say use multifactor authentication 100% of the time for 100% of your users, but social engineering, cybersecurity culture, cybersecurity awareness with all the sophisticated technologies we have, humans still play a huge role when it comes to cybersecurity. And so, can you talk a little -- we drive, you know, or better our CSO, right, drives a culture of cyber awareness and the cybersecurity culture in the company. Can you talk a little bit about that from your context, how does a culture of cyber awareness keep people more secure? What should we all be doing to raise a level of cyber education awareness, and to talk in more plain terms that folks actually understand?

Noopur Davis: Yeah, and, by the way, the messaging can't be the same for all parts of your company. Right? So, awareness for a technologist that is who is, you know, writing the code and building systems and configuring infrastructure is very different than, you know, a call center or a retail store teammate. And your point about speaking the right language is super, super, super important. So, we do a multi-tier approach. Something that we started a few years ago is gamification. We've built a game, we called it CyberSplash. And it's basically, you know, 60 seconds that people can just play every day. You don't want it to be anything, you know, big or that takes them away from work for too long. But in that 60 seconds, we can tailor kind of a message of the day. And, you know, it can be something as simple as answering a question and, you know, by answering the question, we are trying to drive a lesson. So, for example, which of these three things should you look at before you click a link in an email? Right. And then we'll have choices. And if the person answers -- picks the right answer, then, you know, there's all kinds of -- you know, they get to do a little fun play or they'll get virtual awards or avatars or, you know, something like that, right? So, that's a really fun way of doing universal, that CyberSplash is like our universal way of working with everybody in the company. Then there's, you know, the things that all of us do, right, the simulated phishing and the simulated vishing, and all of that. Then there is a program, and we have something we call the belt system of training. And we, by the way, borrow and steal good ideas from everybody, and this was an idea that I heard Chris Romero talk about years ago when he was at Cisco. And I was so intrigued by it, you know, I invited him to come talk to us at Comcast and we implemented that system, and we think we've even surpassed it. But, you know -- so we have a system, it's modeled after martial arts, you know how you start with the green belt and you can go all the way up to the black belt? Well, that's our system. We start with yellow belt, yellow belt is required training for everybody at Comcast -- oh, sorry, white belt is required training for everybody at Comcast. Yellow belt is required for every technologist. Then we get to orange where we start doing journeys so if you're writing code, you have a certain belt that you need to complete. If you're doing infrastructure network, you know, and so on. All the way to the black belt where, you know, that is like super, super, super highly focused on, you know, a very small group of people. So, just to, you know, kind of wrap this up. So, everything from universal gamification, which is just a fun way to get a message of the day out, to targeted role-based training to all kinds of, you know, social engineering simulations. So, we do all of those.

Ann Johnson: That's fascinating. And you put it again in a language people are familiar with and can understand, and then I love the way you said you can't talk to all parts of the organization in the same way because people are at different levels of understanding and sophistication. So, the culture conversation was great and IoT and we just have a few more questions but, you know, we can't go any further until we talk about data, artificial intelligence, and specifically generative AI and security. So, what's your point of view, Noopur, how are you thinking about generative AI and security, what are some of the early use cases you're excited about? And what do you think this innovation is going to do for the industry?

Noopur Davis: So, you've asked, you know, a question that is really near and dear. So, we have -- in our security program, we have three north stars. And, you know, north stars those, you know, I talked about our mission, north stars are our kind of long-term view of success. And our very first one is build security in. And, you know, this is again, biased, that's my background, that's where we started. And, you know, that program is, you know, in its seventh year and probably one of our most mature north stars. Our second north star is around zero trust environment, you know, we're probably about halfway through that journey. And then our third is around data. And, you know, we have struggled with this as I think most security organizations do because we have so much security data, you know, millions of sensors that are, you know, gathering all kinds of information about endpoints and network, and identities and network devices. And, you know, we were really struggling on how do you make sense of all of that. And, yes, there is SIMs and there are other ways of analyzing it but, you know, they are very expensive, you can't do long-term analysis with them. So, we spent years building a security data fabric. And it's sort of changed the way we do security, I have to tell you. It's just again, still learning, still growing. It's a journey, not a destination. But what the fabric lets us do is we bring in information from all of these sensors, we enrich that with other enterprise and other intelligence like, for example, organizational hierarchies, asset systems, authentication systems, badging systems, right? You bring all of this data together with your security data, suddenly you can ask questions that you didn't dare to ask before. So, we use that fabric for everything from like continuous controls compliance to machine learning models that will do behavioral analysis and detection and everything in between. So, now -- and, you know, we're growing and learning and in fact, you know, whenever I would talk to fellow CSOs about this -- and, you know, CSOs share everything because there's no competition among us, right? We are fighting a common enemy. So, there was a lot of interest in what we have built and so we are actually taking that capability to market as a protocol data B. But what you asked is, you know, okay, so you may have your data sort of under control. And, you know, I always hesitate to say that because, you know, there's like no such thing as getting your data perfectly under control. But now along comes generative AI and, you know, large language models and you're sitting there going, okay, I've used traditional AI to my benefit, I've also been worried about traditional AI but now comes this new thing. So, we are worried about, concerned about everything from the policy and aspects of it, right, the governance, you know, everything from if you use a customized model or a general model, you know, what happens to your proprietary information, what happens if your information gets tainted, your secret sauce gets mixed in, you know, there's all kinds of ethical concerns. So, we're looking at all of that and actually partnering with Microsoft in some of those areas. But as a security person, you also worry about. So, for example, my data science team just did a POC to show how you can now be -- generate social phishing -- I don't even know if you call it phishing now because what the team did was just show how can you use Microsoft Teams, for example, right, to engage with somebody but you're really a threat actor, right, and all of that can be automated and then done at scale. And you really feel like you're talking to a human, right, and instead, it's, you know, some clever prompt engineering. So, now -- so you see that and as a CSO, you're like scared, you're like holy cow, I just finished all my vishing, smishing, and phishing, and now there's this new. Now, the same team also showed how we could use generative AI now to help train our people. So, you know, that's the yin and the yang, right, you have the things you have to worry about but then you also go, oh, my gosh, I could use it for goodness as well from a cyber point of view. You know, another really interesting POC that the team just did is, you know, we through our data fabric can do things like come up with a probability score that this person in the organization is the owner of an asset. It's a classic cybersecurity problem, right, like who owns this asset? Not as it says in the SMDV but in real life, right? So, the question then is, you know, how do you reach out to a thousand potential asset owners and ask them, "Hey, we noticed A, B, C, D, E behavior, we think you're the owner of this asset, can you please confirm?" Now, this is something that a generative AI-based chatbot can do so easily, right, it can reach out to 1000 people and try to get answers to questions like that. So, we are very excited about the potential, we are also approaching it with caution to make sure that we are looking for some of these potential areas of potential landmines, right? So, I really think it's -- the future is so amazing. And also just something we have to prepare for.

Ann Johnson: I love how you differentiated AI with gen AI. I love how you talk, not just about the possibilities with real examples but also the risks because it's a really comprehensive topic. And I'm super excited about it. By the way, I think gen AI is going to be a step change. And one of the things you said that I've talked about a lot is being able to train people and being able to have almost like a volunteer firefighter model where you can bring in folks from other part of the organization in times of crisis, right, give them some quick training and have them help you through an event. So, I think there's a lot of promise. I think we all need to be patient as it builds up and also make sure we understand the potential risks. So, thank you for sharing your thoughts. By the way, congratulations. You're now on the President's National Security Telecommunications Advisory Committee and that's just something that's -- it really for you, it's recognition of what you've achieved in your career and what you bring. But can you tell the audience a little bit more about this Committee, what changes it hopes to drive in the industry?

Noopur Davis: Yes, thank you so much. And, by the way, Stewart Charney from Microsoft is Chair of our NSTAC. So, I get to work with him very closely. So, the purpose of NSTAC is really an advisory. And the President through, you know, various channels brings up issues that the country needs advice on. And this could be anything from, you know, how do you prevent abuse of critical infrastructure, that is, you know, one of the committees and the task forces right now, to, you know, what is the most equitable and productive way to use spectrum for wireless communications, to topics like IoT security, right? So, it's really the White House through different means will come to the NSTAC with some problems and then ask for advice. And so, it's really an advisory role. What I love about it is that the NSTAC represents very different sides to a conversation. So, you know, the members have expertise in let's say cloud or critical infrastructure, or wireless communications or a service provider, you know, from a security point of view. Or threat, somebody who really, really understands threats. So, when the advice comes up and is presented to the President, it reflects that multifaceted view of a particular problem.

Ann Johnson: That's really fantastic. And it's great that you have that -- both that access but also the thoughtfulness of the group, right, in driving those problems.

Noopur Davis: It really is.

Ann Johnson: And driving solutions. So, I know you're always busy. You have lots of irons in the fire. I'd love for you to share with our listeners a few of the exciting things that you are working on now.

Noopur Davis: So, some of them are -- you know, they're exciting to CSOs because for a while we adopted Marie Kondo. I don't know if your listeners know who Marie Kondo is but, you know, she had this whole movement around the joy that you can get from decluttering and, you know, getting rid of things that you don't need. So, part of something that is important and really grunt work that I'm super excited about is we are really embarking on a phishing-resistant authentication journey. And for a company as complex as ours, that is not an easy journey, it's going to take a lot of work, we have lots of very different ways that our workforce accesses our systems. So, that is, you know, something that I'm very excited about and, you know, your listeners will probably go why. But, you know, CSOs will understand why, right? But then on the other side, on the very cutting edge side is this work that we are doing with our data fabric and with generative AI. You know, AI we've been using forever. But, you know, we are looking at more and more use cases of how do we use this awesome new capability. And, you know, I mentioned a couple already, you know, for training, for document, you know, like ask-me-anything kind of efforts to, you know, engagement with -- SOC engagement with the rest of the company. So, that is really exciting. Along with that, the IoT security labeling program, we are going to fully participate in that. So, yeah, a lot of things, you know. We do like I said, you know, we have three north stars and then we do yearly goals. We just finished our 2024. We have six priorities, and three of those are what I just shared with you.

Ann Johnson: I really appreciate you sharing those. And those are exciting things, especially, you know, the phishing-resistant authentication is just incredibly important for all of us because, again, users aren't super educated, right?

Noopur Davis: Absolutely. And, you know, we thought MFA had solved the problem. And it doesn't. So, you know, it's like okay, what next? So, yeah.

Ann Johnson: Well, as the attackers keep evolving, we have to keep evolving. That's the -- but, you know, I'm an optimist, right, about cyber. I've been doing this for 23 years. I get up every morning because I'm excited about the potential and what we can do in the future. Can you talk a little bit about how you think about the future, why you're optimistic about how we can defend the digital world?

Noopur Davis: That's a really great question. And I think in our roles, if you're not optimistic, you should just not do this job. Because it can wear you down because there is a constant evolving threat. But that is also an exciting part of what we do. And it is the part that keeps cyber people so engaged in their professions and their careers because you have a mission, you have a constantly evolving and really adversary that's getting smarter. You have technology that is evolving at the same time, going into, you know, new and different directions. And the most, most important part is you have to be enablers of your business. You can't get in the way of the business doing what it's supposed to do, right, that is like super, super important. So, my optimism comes from that ecosystem. And most importantly, the people in that ecosystem because I think cybersecurity people are really where my optimism comes from because they look at all of those facets and are always trying to stay ahead. And I think it's that people when you marry that with the technology, with the progress, with the business, with the capabilities is what gives me the optimism.

Ann Johnson: That's a wonderful answer. Thank you so much for making the time. I know how busy you are. So, I really appreciate you making the time to join me today.

Noopur Davis: Of course. Thank you so much, Ann. It's always a pleasure and I hope I didn't talk too much.

Ann Johnson: Not at all. I think you -- the content was wonderful. And many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea". [ Music ] It was a really easy decision to ask Noopur Davis who is the Executive Vice President and CSO and Product Security Officer at Comcast to join me. Noopur has such an extraordinary career, extremely well-accomplished, very knowledgeable, very well-spoken. We had fun on the podcast, we learned a lot, and I know all of you will enjoy this episode. [ Music ]

Afternoon Cyber Tea with Ann Johnson
Podcast Info
HOST(S):
Ann Johnson
Ann Johnson, CVP of Security, Compliance and Identity at Microsoft, oversees the long-term security investment and partnership strategies helping organizations become operationally resilient and unlock capabilities of Microsoft's intelligent cloud and next generation AI. From the way we tackle cyber threats to the language we use, Ann encourages the industry to get outside its comfort zones to expand how we address the evolving threat landscape.
Schedule: Tuesdays
Credits: Executive Producer is Bruce Bracken, Co-Executive Producer is Greg Ormsby, Producer is Rob Petrillo. Production Manager is Max Solomon, Scheduling and Administrative Support is Annalisa McBride, and our Audio Engineer (and magician) is none other than The Great Rich Cerbini.
Creator: Microsoft