Podcast Transcript

Introduction:
You're listening to the RSA Conference podcast, where the World Talks Security.


Kacy Zurkus:
Hello listeners. And welcome to this edition of our RSAC 365 podcast series. Thank you so much for tuning in. I'm your host Kacy Zurkus, content strategist for the RSA conference. And today I am joined by Peter Tran, who is the CISO and Head of Global Cyber and Product Security Solutions at InferSight LLC. Today, Peter will be talking about how to embrace mobility and the internet of things.
But before we get started, I want to remind our listeners that here at RSAC, we host podcasts twice a month, and I encourage you to subscribe, rate and review us on your preferred podcast app so that you can be notified when new tracks are posted.
And now, I'd like to ask Peter to take a moment to introduce himself before we dive into today's topic. Peter, over to you.


Peter Tran:
Thanks Kacy. Wow, the spotlight's on me. Well, my name is Peter Tran. I have about 20 years of information security experience, dating all the way back during my days with the US Federal Government when I was an NCIS agent and things like the Pentagon and other critical infrastructure were being attacked by certain nation states, all the way till working with companies like Worldpay, where we moved 9 trillion US dollars around the globe annually to include Apple Pay and a number of other payment platforms.
And also, working with the pharmaceutical industries and my days at RSA Security, when I was part of the Advanced Cyber Defense Practice, responding to multiple breaches around the globe. Specifically looking at smart cities, smart cars, just the world that we're going to live in and we're living in now.


Kacy Zurkus:
So clearly, it is your wealth of expertise that brings you to us today, especially on this topic of mobility and the internet of things. Peter, I'd love it if you could start by maybe setting the groundwork for today's discussion and share with our listeners a little bit about mobile devices.
Specifically, how many are out there? How much data do these devices generate? What types of data are being generated? All that good stuff.


Peter Tran:
Sure, absolutely. Kacy. So just to lay the groundwork, we're currently in the third platform of IT, meaning social mobile, and moving into the fourth platform of IT, which is essentially described as full digitization or materialization of social mobile cloud IoT and smart living. So just to give you some context, we're talking the difference between just pure play mobile devices and smartphones versus IoT devices. I'll start with IoT and work backwards.
So IoT devices is estimated as of now, 2022, there's roughly 41.6 billion IoT devices. Of the 41.6 you're looking at moving roughly 80 zettabytes, and you don't hear that often. What's a zettabyte? And not to get into the math of everything, but you have megabytes, gigabytes, terabytes, and then you go up and up and up, and then you hit zettabytes.
That's just a ton of data moving across 41.6 billion devices. I mean, it's incredible. And the way you would define a mobile or smart device is, it's mobile, you can bring anywhere you want. It's smart, it makes certain decisions for you based on the applications you're running. And it's connected. So when you have all those three, and you have a multiplicity of 42 billion, it's a lot from a security perspective to even fathom.


Kacy Zurkus:
So how much of that data is personal information for the people that are using the devices?


Peter Tran:
Okay, that's a great question. So I'll move to the now, the here and the now, with people that have smartphones around the world. So in 2022, as of now, there's roughly 6.64 billion smartphones. That's about 83.37%. I'm getting very specific, but it's a qualified data from Statista, which is derived research that says 6.64 billion as of 2022 around the world, smartphones. And that represents 83.37% of the global population.
So if you look at whatever data that's residing on their personal smartphones, that's considered to be personal information. Whatever that is, pictures, videos, banking apps, medical portal apps.


Kacy Zurkus:
Calendar invites.


Peter Tran:
Oh, crazy, right. Absolutely crazy. That's a lot. So you look at the rest of the population, like 16 point something of the rest of the population. They could have mobile phones, but not necessarily smartphones. Underrepresented areas of the world and things like that.


Kacy Zurkus:
Right.


Peter Tran:
So there is a difference, right between IoT mobility and then smart living mobility and smart phones mobility.


Kacy Zurkus:
Okay. I guess the smartphones and smart living is where we want to kind of focus our conversation today and thinking about the idea that we do live in a world in which the physical and digital are increasingly interconnected, and that line between the two is ever blurring. How do we secure these connections to these devices?


Peter Tran:
When you're looking at the zettabytes of data, and you're looking at the difference between mobile phones and IoT devices, those start to be in that fourth platform of IT that I mentioned earlier. It's fully materialized or fully converged. So you have social mobile cloud, then you have social mobile cloud IoT, smart city, smart living, and then you have this convergence that happens.
So for example, you can be walking through a Target and you have your phone that has near field communications, you're walking up and down a certain aisle, it could read proximity, where you're shopping, and your preferences. You're using the Target app. And pretty soon it could calculate, right? You're you're in the baby aisle looking for car seats and diapers and wipes. And then it starts to take that information, says x amount of people are projecting the birth rate might be increasing, or their adoption rates, or whatever the case is.
Where you are physically, and what data can be extrapolated from lifestyle preferences, growing communities, air quality, that starts to converge. And that's just a simple example that everybody can maybe relate to. That all of a sudden, you open up an app and you get coupons or advertisements, things that you were just looking at, people wonder how does that happen?


Kacy Zurkus:
Right, right.


Peter Tran:
It's not, "Hey, the sky's falling. You have no privacy". It's being efficient. It's the efficiency of mobility. I mean, we can talk about the privacy later, but from an efficiency standpoint, it drives the physical world. So now you can drive up to your primary care physician's office and tap an app, say I'm here. And then they can expect to check you in, and you go in, and everything's becoming a lot more efficient.
And so the convergence of that is taken for granted. We don't even think about it. We don't even think about the fact that we can have contactless payments, not have to deal with card. Oh yeah. Just QR codes, et cetera, et cetera.


Kacy Zurkus:
Right. Because convenience is always going to win out in that concern for either privacy or convergence of technology and where our data is going.
I would also love it Peter, if you could talk to our listeners about what are some of the different approaches to using data analytics models? You mentioned the Target example that people can relate to. But you know, when we're talking about monitoring an unprecedented and overwhelming volume of data, how does all that work?


Peter Tran:
So I take examples from other disciplines, such as financial trading platforms or financial markets. The financial markets existed before the internet. You still had tons and tons of data. I'll take stock trading, for example. You have floors, and people writing on paper and trading stocks, right? The madness that happens on New York Stock Exchange you're used to. And then what happens is they had to develop things, move to analytical platforms for predicting volatility and where trading happens the most.
The markets are driven by what's called quans, quantitative analytics and compute power. There's more data models there that can be used in the cybersecurity world with respect to mobility and analyzing vulnerabilities in the world that we live, and driven by mobility. So for example, something called the VIX, it's called the volatility index, and that's built upon mathematical algorithms and machine learning that can predict when markets are unstable. That's the simplest form to do it.
Now you take that same model and you apply it. And I've been doing this for years with respect to applying the data analytics model to say, can I get the 7.9 zettabytes of data fed into those models to help me predict where my hotspots are? Where my most vulnerable spots are.
For example, a smart city is comprised of say public transportation, public safety, healthcare, entertainment. There's different, I call enclaves, within smart living. You know, hospitals and a football stadium, things like that. So when you have mobility, just IoT devices everywhere, and your mobile phone interacting with those, you can start to predict attack path or attack profiles that might be happening based on the data.
So there's a baseline of using artificial intelligence, I know that's a loaded term Kacy like, "Oh, artificial intelligence!", but really what it is, you load in your rules, right? Your data analysis rules. I'm looking for peak data traffic that's unusual, like beyond a certain usual baseline, in and around the area of a healthcare system. So then the machines start to think, and they say, whoa, whoa, wait a second. I'm going to sound an alarm here because there's an unusually high volume of traffic hitting the hospital system.
That could be a potential distributed denial-of-service attack. It could be reconnaissance trying to find a way to get into those systems, all the different IoT systems. And here's the kicker Kacy, is that of all the billions of IoT devices, any one of those can be a pathway in to a critical infrastructure network. So hub and spoke in a bicycle wheel scenario, one hub to many spokes. If you take billions of hubs to then billions and trillions of spokes. So you can see the magnitude of the potential attack servers.
So with that, if you take models from the VIX, volatility indexing, which is a tried and true model and you say, I'm going to feed my smart living mobile environment into that and let it tell me. It's called a data driven decision of saying, Ooh, I have volatility. Like weather systems, digital Doppler radar, looking at that pattern. If you can visualize that and you can see, here's the rain or heat wave or tornado. That's the same kind of-


Kacy Zurkus:
It's a really good Analogy. The visual.


Peter Tran:
Yeah.


Kacy Zurkus:
This is one potential method of seeing sort of those gaps, right? Where your blind spots are. What are some other security solutions for these connected devices that can help people to better secure the zettabytes of data that are continuing to be collected? Because the data's not going anywhere. Right?
You mentioned privacy as something that we can talk about, but it's not just like privacy of data usage. It's the potential of these gaps being exploited. Right? And not being able to identify those pathways is where those vulnerabilities lie. So what's the fix?


Peter Tran:
So here's the good news, right. There's a silver lining here. The good news is that when you talk about cloud, people are like "What's cloud? What's the cloud? Oh, stored up in the cloud". SaaS based security as a service, or software as a service. So software defined security is going to predominantly be the driver for these IoT smart mobile driven environments. We're already there. So I'm just going to say Kacy, we're there. Right?


Kacy Zurkus:
Okay.


Peter Tran:
So where do we go from here is everything we have, that little device that you have in your hand now and I have in my hand now. You hear about, oh, I've got an apple phone and it's like my iCloud storage, right? Where is that? It's not on your phone, it's in the cloud. So all these billions of devices used to have to interact with very traditional data centers, or on premise, or on hardware residing local.
But now that we're moving towards native cloud, hybrid cloud, software defined areas, everything that we interact with is going to be in those infrastructures. Like Google cloud, AWS, Azure, kind of like the big players, right. They own that infrastructure.
When I was working with Abbott Laboratories during the early days of the pandemic, part of that work, and at the very high level, was looking at their cloud environment because their diagnostics solutions were all going to interact in a native cloud infrastructure. Just their own. So it was no longer millions and billions of individually stored points of presence out there.
The device is only a way to interact and have capacity and scale, if that makes sense. No longer to actually be carrying the crown jewels around.


Kacy Zurkus:
I love that. That's great. And I do want to begin to move to wrapping up, but before we do that, Peter, I want you to share with our listeners some words of wisdom before we leave them with this discussion.


Peter Tran:
Well, whenever I'm asked that question, because it's such a highly complex environment, at least on the surface of things. When you hear the term, smooth is fast, when you hear race car drivers out there, it's like, "Hey, smooth is fast", right? Steady is fast. Insecurity with the complexity that we continue to experience, it's called Keep It Simple Security. KISS. Keep it simple. Right? Keep It Simple Security.
Because if you really break it down, it's one mobile device, upon billions, that have to be consistently secured in the same way. Now, when you have billions of different permutations of security patching and security monitoring, that's when you run into the complexities that are we're being plagued with right now.
So standardization, simplicity, consistency, and pervasive visibility would be the focus points, kind of my words, the wisdom, whatever it is you're trying to tackle. If you apply those principles, you will get to a stable state by which you can feel like you have more control than you think you do.


Kacy Zurkus:
So Peter, I want to go back and ask a question about, you made the point of the mobile device sort of being a different security strategy than the cloud, right? But for security teams who have to be aware of their security strategy for employees who may using their personal devices for work purposes, and maybe they're not making those cloud security investments, or cloud storage investments, right?
So what are some things that they need to be thinking about in order to protect the business from the employees who are using personal devices for business use?


Peter Tran:
Yeah. So, there's a very delicate balance there, because when you look at corporations that are embracing the bring-your-own-device strategy for their IT, the BYOD would be, "Hey, bring whatever mobile device you want. We'll give you a reimbursement every month". Because it saves a company money, and then the end user can have their preference in phone.
When you have an MDM that the corporation says, well, you will then grant us the ability to manage your mobile device via MDM. Those MDMs are actually getting a lot better. As far as you download the app, and the app itself is the MDM. So that's a container, right? We hear containers, buckets, F3 buckets in AWS and then in different containers. The MDM manages what cloud services the company is using. So you can get your email via the MDM, but you have to go into the app that has a whole separate container. So with respect to the mobile security, you can still co-locate your data, because it's containerized between the MDM's app itself.
There's a nuance there. Most people are saying, "Oh, you're going to control my whole device", but that's not necessarily true. They only have access to the app that is managing the specific applications that are being hosted in the cloud. So it's a two-pronged approach there, you're still accessing the cloud via MDM securely on your mobile device, and you can still have your personal phone that you bring via BYOD. All these acronyms Kacy, I know, I apologize. You can still have your personal life on that phone and not intermingle the two.
It used to be different though. It used to be, that was an all or nothing proposition. You either let us monitor and manage your entire device or not, so you won't have a phone at all. But it's changed since then. So I hope that helps clarify a little bit around that area.


Kacy Zurkus:
Hopefully, yeah. Let's definitely keep the conversation going on our social channels. And if it brings up any questions, we're happy to engage and see if we can get more answers to mobile and IoT questions from Peter. Because certainly, as you say, the proliferation is not going anywhere, right. It's only going to continue to increase.
Peter, thank you so much for joining us today. Listeners, thank you for tuning in to find products and solutions related to mobile and IoT security. We invite you to visit rsaconference.com/marketplace. Here, you'll find an entire ecosystem of cybersecurity vendors and service providers, who can assist with your specific needs.
And as I mentioned, please do keep the conversation going on your social channels, using the hashtags RSAC and be sure to visit rsaconference.com for new content posted year round. Thank you so much.