The Shiproom / Episode 15 / Johns Hopkins University

– Welcome to “The Shiproom,” you’re on the air. The first cyber attack was a worm that made it through ARPANET way back in 1971. And for about as long as that, my guest has been fighting these types of threats. I’m joined by the chief information security officer at Johns Hopkins University, Darren Lacey. Hey Darren, welcome to “The Shiproom.” I’ve heard you talk about when you look at cyber attacks by the numbers, it kinda puts every organization at a disadvantage, just because an attacker can launch 1000 attacks a day, and it just takes one person clicking on a phishing attack to get compromised. So how do you offset that huge disadvantage?
– Everybody who came up doing information security during the 2000s, they came up kinda from network security.
– Yeah, perimeter-based security.
– So we learned about firewalls, and intrusion detection, and all those types of things, and maybe we did devices and those types of things. But what’s really interesting is that the folks before them, a lot of those were cryppies. It’s like back to the past.
– That’s right.
– My suspicion is that we’ll all have to be cryppies a little bit more than we are now.
– One of the most interesting things you’re talking about is that many in the industry were brought up in that perimeter-based security model, but then as the data started to move outside of the perimeter, it starts to move to the cloud, it’s on mobile devices, that model is no longer effective. So I’m curious, when did you recognize that the model was shifting?
– I think that’s really useful to think about, because what happened about, oh, I don’t know, 10 years or so ago, lots of us in the security space said, well, we’re gonna do data-centric security. We’re gonna secure wherever the data is. And what’s actually happened is that we kinda walked back from that a little bit, because with the ransomware and those types of things, we’re actually now thinking in terms of, well, it’s not just the data. It’s also these devices; left to their own devices, they could cause real problems. So now it’s a little data-centric, and a little device-centric, neither of which are perimeter-centric. There was this model: if you wanted to be one of the cool kids 10 years ago, you said, “It’s not about the stuff, or where it is, it’s all about the data.” And then it’s like, “Well no, it’s really about the device.” Now we’re kind of in this weird state where we have those two things, and then we’re trying to figure out the cloud side of it, which is kind of the underlying implication of the whole thing. It’s a three-legged stool that we haven’t really worked out yet. The obvious answer to it is always the same. Which is, you have to inspect everybody and everything that’s getting to things. You have to monitor it. And you have to be able to establish the identity and then react afterwards. The answers are pretty much always the same, but the questions are getting really weird.
– OK, so you live and work in Baltimore right now.
– Yes I do.
– And I love, there’s that one show that was set in Baltimore that was so popular on cable, what was it called?
– I don’t know, let’s see, maybe “The Wire” probably.
– I was thinking “Ace of Cakes.” You talked about data protection. You talked about device protection. I think the third leg is also identity protection. Talk about these concepts of zero trust. It’s all about ensuring that only trusted users using trusted devices get access to data. And then it’s interesting because different data has different values. You may have different levels of trust on users, identities, and devices. So how do you think about that?
– You have the individual, the user. And the individual’s roles, they may shift. But even if we leave aside the roles, then we have the device that they’re using. And so you have to match that up in some way. So you have to match all that stuff up, and then after that, then you have to ascertain risk. Once you’ve reached the threshold level where Brad is basically on a device that we think he should be on when he’s basically accessing the stuff, once you’ve reached that threshold level, then you have to conduct a risk analysis, and that has to go into, then you start doing math of another sort, not cryppie math, but you start doing big-time data analytics, going into machine learning math. That’s where we’re all headed. So we’re all going to do a lot more math than we did in the past.
– Inside of Microsoft today, just on our commercial authentications, we’re doing almost 700 billion commercial authentications a month, and what that allows us to do is have this view now, where any time anybody comes up to ask for access to data, like to Office 365, just like you said, we can understand the risk of the user, the risk of the device, and then bring that together: what is the holistic risk? And then take actions based upon what the value of the data is compared to the risk.
– That’s what makes Microsoft, and other big companies like Microsoft, so intriguing in all of this. Because even if you cleanse everything of every kind of identifier, and those types of things for privacy purposes, you still have this amazing set of data–
– That’s right.
– That none of us have.
– And I think that’s the thing that is changing the most right now in this security world: so much of the security, as it modernizes, is, who is innovating on data and learning from that data to then help you as you protect your company?
– Yeah, I mean nobody can do it without you.
– Oh man, I would love to hear you say that again.
– Yeah, nobody can do it without you. The point is that you have the data that we don’t have. And you can profile in useful, non-intrusive ways. You can profile in ways that none of us, as customers, can. So we need APIs to pull that data down so that we can do things with it and make the ultimate decisions about whether something is useful or not.
– Got a phone call coming in here, Darren. Hey, welcome to “The Shiproom.” I have Darren with me, who’s on the phone?
– Aha, Brad!
– Oh, not again.
– It’s your boy! The prodigious EAP! Well, it’s been a while. But I’ve been looking back into getting into the macabre poem game, if you know what I mean. And since cyber attacks are so scary these days, I wanted to try out some new material on you guys. I was thinking Darren can help since we both live and work here in Baltimore.
– Love a good poem.
– Are you holding a phone?
– Oh yes. The wifi here is fantastic since we’re closer to the source. All right. I sat one late night clicking, browsing, architecting and warehousing. When my inbox came under attack, I clicked one link and all went black.
– That was actually pretty good.
– It rhymed.
– Next, here now, networking runs securely with confidence hard earned, so surely. To the skies I now beseech! With stolen cred, a massive breach.
– Yeah, OK. That’s a poem, all right. Sort of.
– Last one! Our office is oft so busy and kinetic, our workers fast, peripatetic. I might never have predicted the way someone made our files encrypted. And now we must pay the amount they ask or watch our data turn to ash.
– You raised the game there. I liked the peripatetic and ash.
– I gotta look those words up.
– Using peripatetic was really good, I liked that one.
– I’ll keep workshopping these, but one last question for Darren! As the CISO, you must be critical of every possible attack vector. And a massive avenue for attack is through the mobile devices that are going in and out of your network, so how have you chosen to address BYOD, and how do you plan to make that work?
– The mobile device life cycle is following a lot of what we saw with other kinds of devices. What I mean by that is that you start off, everyone goes, “Whoa, this is a problem.” And we realize that security is a second-order problem from management. So you’ve gotta have a way of managing the device before specific device security actually becomes meaningful and helpful. Microsoft and other folks are basically spending a lot of resources with Intune, and those types of things, basically managing mobile devices. In terms of the kinds of threats and attacks that we see, computers are overwhelmingly more likely to cause real problems. We got a little bit of time while we work through device management, and then at that point, security becomes useful. If you throw the security on with kind of poor application management, the security tools will have poor fidelity, they’ll break in unusual and interesting ways, and ultimately they’ll create poor user experiences and poor analyst experiences, and people will essentially push them to the curb.
– And that’s one of the things we’ve been working on with Microsoft 365, having these different layers, as you’re talking about, as you get away from the device, or as you get away from the user, be integrated in a way that you have the flexibility as an IT leader, as the CISO, to say, OK, I’m gonna have less fidelity here, so I need more here, and the ability to turn that on or off has been a core part, if we think about the security that we bring with Microsoft 365 and how that interlays with the management.
– Security’s also a state of mind. You’re going to operate better in the world if you feel safe and secure.
– So while we’ve been talking, we have a “Shiproom” learning bot, and it’s been watching, listening to the conversation, analyzing it, and it has come up, believe it or not, with the 12 most relevant questions that we should end the show with. But just to make things interesting, you work with a lot of doctors now, so let’s see who has the steadiest hand as we’re answering the questions. Is it weird that the CIA’s on Instagram?
– Yeah, that’s weird.
– What’s one sport you just can’t care about no matter how hard you try?
– Lacrosse.
– How many of the nine Supreme Court justices from 1979 can you name?
– Rehnquist, Marshall, Brennan, White, Blackmun, I want to say Douglas?
– What zoo animal would you be the least excited to ride?
– I don’t think I’d want to ride a chimp.
– I think you might’ve lost. Well, Darren, thank you for being here. If people want to learn more about you, or more about Johns Hopkins University, where would they go?
–
– Thanks for being here.
– Thanks for having me.
– Hey, thanks everybody for being here on “The Shiproom,” we’ll see you on the next one.
– Are we taking it from the top? How do you make that work? Me? Oh! I’m originally from Baltimore, same as you! My mother was raised in Little Rock. Arkansas!
– Hey everyone, now that you’ve watched this episode of “The Shiproom,” I really recommend that you go to and learn how to get started deploying Windows 10 and Office 365.
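The risk-based access decision the conversation circles around (the risk of the user and the risk of the device combined into one holistic risk, then weighed against the value of the data, with device management as the precondition for device security) is shown below as an added worked example. It is not code from the episode, from Johns Hopkins or from any Microsoft product; the risk scale, the policy table, the signal names and the sample users, devices and resources are all assumptions constructed for illustration.

```python
"""Risk-based access decision: combine user risk and device risk into one
holistic risk, then weigh it against the value of the data.

Illustrative only. The risk scale, the policy table and the sample requests
are assumptions made for this example, not any product's real logic.
"""
from dataclasses import dataclass
from enum import Enum, IntEnum


class Level(IntEnum):
    """One ordered scale for both risk and data sensitivity, so they compare."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


class Action(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"   # step-up: admit only after a strong factor
    BLOCK = "block"


@dataclass(frozen=True)
class UserSignal:
    name: str
    risk: Level            # e.g. leaked credential, impossible travel (assumed upstream source)
    mfa_satisfied: bool    # a strong factor was already presented in this session


@dataclass(frozen=True)
class DeviceSignal:
    device_id: str
    managed: bool          # enrolled in device management
    compliant: bool        # passes the compliance policy (encryption, patch level, ...)
    risk: Level            # e.g. endpoint detection verdict (assumed upstream source)


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: Level     # value of the data: LOW public, MEDIUM internal, HIGH confidential


def combine_risk(user: UserSignal, device: DeviceSignal) -> Level:
    """Holistic risk: the worst signal wins, and management state caps trust.

    An unmanaged device's posture is unknown, so it is never rated better than
    MEDIUM. A managed device that fails compliance is rated HIGH: that is a
    positive finding about the device, not merely missing data.
    """
    risk = max(user.risk, device.risk)
    if not device.managed:
        risk = max(risk, Level.MEDIUM)
    elif not device.compliant:
        risk = Level.HIGH
    return risk


def decide(user: UserSignal, device: DeviceSignal, resource: Resource) -> Action:
    """Policy table (an assumption for this example):
    - HIGH holistic risk is blocked, even for public data.
    - HIGH-sensitivity data is served only to managed, compliant devices.
    - Step up to MFA for HIGH-sensitivity data, and for MEDIUM risk against
      MEDIUM-sensitivity data, unless MFA was already satisfied.
    - Everything else is allowed.
    """
    risk = combine_risk(user, device)
    if risk == Level.HIGH:
        return Action.BLOCK
    if resource.sensitivity == Level.HIGH and not (device.managed and device.compliant):
        return Action.BLOCK
    step_up = resource.sensitivity == Level.HIGH or (
        risk == Level.MEDIUM and resource.sensitivity == Level.MEDIUM
    )
    if step_up and not user.mfa_satisfied:
        return Action.REQUIRE_MFA
    return Action.ALLOW


def evaluate(requests):
    """Decide a batch of (user, device, resource) requests; returns audit rows."""
    return [(u.name, d.device_id, r.name, decide(u, d, r).value) for u, d, r in requests]


# Constructed sample data: not real users, devices or telemetry.
PAYROLL = Resource("payroll", Level.HIGH)
WIKI = Resource("wiki", Level.MEDIUM)
MENU = Resource("cafeteria-menu", Level.LOW)

MANAGED_OK = DeviceSignal("lt-001", managed=True, compliant=True, risk=Level.LOW)
MANAGED_BAD = DeviceSignal("lt-002", managed=True, compliant=False, risk=Level.LOW)
BYOD = DeviceSignal("byod-7", managed=False, compliant=False, risk=Level.LOW)

SAMPLE_REQUESTS = [
    (UserSignal("brad", Level.LOW, mfa_satisfied=False), MANAGED_OK, PAYROLL),  # require_mfa
    (UserSignal("brad", Level.LOW, mfa_satisfied=True), MANAGED_OK, PAYROLL),   # allow, after step-up
    (UserSignal("darren", Level.LOW, mfa_satisfied=True), BYOD, PAYROLL),       # block: unmanaged device
    (UserSignal("darren", Level.LOW, mfa_satisfied=False), BYOD, WIKI),         # require_mfa: unmanaged counts as MEDIUM risk
    (UserSignal("darren", Level.LOW, mfa_satisfied=False), BYOD, MENU),         # allow: public data
    (UserSignal("eap", Level.HIGH, mfa_satisfied=True), MANAGED_OK, MENU),      # block: high user risk
    (UserSignal("eap", Level.LOW, mfa_satisfied=True), MANAGED_BAD, WIKI),      # block: managed but non-compliant
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REQUESTS):
        print("%-8s %-8s %-15s -> %s" % row)
```

The two design choices worth noticing are in `combine_risk`: an unmanaged device is capped at MEDIUM trust because nothing can be asserted about its state, which is the "management before security" point made above, while a managed device that fails its compliance check is escalated to HIGH because that is evidence rather than absence of evidence. Everything downstream, including whether MFA is enough or the request is refused outright, is a comparison of that holistic risk against the sensitivity of the resource.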
