Rodney, thanks for
joining me today.
Appreciate it.
So we're going to be talking
about cyber security, DDoS
attacks.
But how did we get here exactly?
So we really are facing
a really tough period now
from a security point of view.
You're seeing that with
all of the breaches.
But you also have to
understand that when we first
conceived of the
internet, we really
didn't think that we would
be doing the things that we
use the internet for today.
There was no concept of using
it for critical infrastructure,
for things that
relate to life support
systems, remote medicine.
It was really at
that time designed
to be able to share
information amongst scientists
and technical people.
And what's happened is starting
in the late '80s, early '90s,
we've started to
use the reliability.
And it's odd,
because people don't
think the internet is reliable.
But the way it was
designed to be robust,
it really has
allowed us to begin
to use the reliability
of the internet
and the ubiquity of
the internet today
to be able to do things like
sharing video and purchasing
things and doing e-commerce.
But that wasn't on our
minds in the beginning.
And so the problem we've
had all the way along
is as technology
has moved along,
we've had to find ways
of retrofitting security,
if you like, to foot that.
As we bring in new
technologies, the bad guys
tend to find ways around them.
We then bring in other new
technologies to overcome that.
And it's really
become an arms
race, where we spend
months increasing
the height of the wall.
And all of a
sudden, the bad guy,
who doesn't have to
clear it by six feet,
just has to be able to crawl
over it, crawls over it.
And they do it all of a sudden.
Hopefully, we see it
very, very quickly.
In many cases, we don't.
So when you hear about
these zero-day compromises,
Those effectively
are compromises
that were identified sometimes
two, three years before
by the bad guys.
And if they're very
good at what they do,
we never pick up on that.
No one finds that vulnerability
until weeks, months, or years
later.
And we then go through the
process of patching it.
And the very nature of patching
sophisticated equipment
and sophisticated systems
allows in more compromises.
So the issue that
we're dealing with
gets worse and worse
every week and every month
as we grow along.
In reality, the
right thing to do
is to begin planning from
scratch for a new internet.
But it's really not feasible.
It's the equivalent
of changing--
you've heard this
metaphor before--
changing the tires on a
bus doing 60 miles an hour.
You can't do that.
So we're stuck with it.
And we have to just
do our best and find
ways of being able to detect
when an attack has taken place,
to be able to mitigate
the effects of the attack,
and then ultimately to
be able to attribute
the attack to a
particular group or party,
and then go after them
through the courts, or whatever
means are logical.
Do you think it is
effective and/or logical
and actually even
possible to stop a DDoS
attacker by going
through the courts, work
through the legal system?
As long as we have
jurisdictions where
the very act of committing the
particular crime, like DDoS,
is not a crime in
that country, we're
going to continue to
have the problems.
At this stage,
there are countries
in Eastern Europe where we
don't have extradition treaties,
where the countries haven't
signed on to any of the cyber
treaties.
So we have to deal
with those problems.
As long as that's the case,
doing it by legislation
is not going to work.
One of the thoughts that
people had in the past
is by what would effectively
be the Balkanization
of the internet, creating
individual islands that
interconnect, and leaving
out those portions
of the world that don't
play by the general rules.
But unfortunately, that's not
practical in today's world.
There are multinational
corporations.
And it turns out
that the internet
is the mechanism that people
use to actually do business.
Interesting.
So is there such a thing
as a safe internet?
There really isn't.
I think people just have to
come to grips with the fact
that the internet, by its
very nature, is unsafe,
and that you will
be compromised.
It's interesting.
I sit sometimes in
rooms with executives
from companies large and small.
There might be 200 or 300 CISOs
or CIOs in the conference.
And I ask them
purposely, I say, anyone
who's actually identified or
anyone who's suffered a breach
or a compromise in
the last three years?
And about half the
hands will go up.
And I'd encourage people
to put more hands up.
And then the reality
is that those
who didn't put their hands
up are the people that either
just don't want to admit it,
or haven't yet discovered
that they've been breached.
But I will guarantee
that every single one
of the people in that room
has been compromised already.
Wow.
Well, with that
information in mind,
is there anything
that companies can
do to prepare themselves for the
inevitability of a breach then?
There's an enormous
amount they can do.
One of the things that we've
seen over the last year or two
is that companies
that get compromised
and don't have a plan in place,
not just a technical plan
for mitigation or
incident response,
but companies that don't have
a preplanned playbook that
talks about how, if they're
public companies, how they deal
with the public markets, how
they deal with the press, how
they deal with their boards, how
they deal with their employees,
how they deal with customers,
if they don't have that in place
beforehand.
If you think about it in the
traditional military world,
You're in the middle
of a firefight.
That's the wrong time
to be working out
what your escape route is.
So in the military, no
matter what kind of action
we get involved in, we always
preplan the escape plan
or a fallback plan or
an extraction plan,
depending on what
kind of operation.
Somehow, most companies
don't do that.
What they should be
doing is creating
a playbook early
on that defines,
first of all, when something is
identified, who gets notified,
what the process is when
they get notified internally,
what the message should be.
They should all have a
very practiced message
that goes out to the press or
goes out to public relations
organizations.
They have to be able to work
out how they communicate
with employees.
It's very interesting
that, in many cases,
when you see a company get
compromised or breached,
and it's very public, one of
the first things that occurs
is the key employees,
the A players
begin to cast around looking
for another employer to go to.
So you start to have your
key staff want to jump ship.
They're talent.
This is the time
for them to leave.
So you need to find a way
of being able to keep those people
there, keep them engaged.
So you have to have all of
these things prepared upfront.
You have to practice
it regularly.
I believe that if the
operational folks aren't
practicing at least once a
month, maybe more than that,
maybe spend three or
four hours practicing
what steps you take when
you go through a compromise
or a breach.
If you don't do that,
you're going to be arrested,
and you're going
to make mistakes.
There have been a couple
of breaches of companies
as a technical
repository that's used
by many developers in
the world called GitHub.
And GitHub suffered
a breach in, I think,
July of this year, 2017.
But within a very,
very short time,
they were communicating with
customers, with partners,
with vendors, with the press
about what had happened.
They talked about what steps
they were taking already,
what things they were
putting in place.
And they were very, very
visible and transparent in that.
Then you had about
the same time,
there was a very
large breach, as you
know, with one of the
credit reporting companies.
And in that particular
case, what was notable
wasn't so much that
the breach occurred.
The truth is, in many cases,
especially with zero-days
involved, companies, I mean, you
really can't stop the breaches.
But what was notable there
is that the public relations
part of it, the way that
the company communicated
with the rest of the
world was very, very slow
and was sort of
behind the eight ball.
And they were reactive
in everything they did.
And that probably
did much more damage
than if they'd actually
had a playbook in front
and came straight out and
said, this is what's happened.
This is what we're doing.
So having that playbook
is more than just
knowing technically what to do.
It's also knowing what you
should do as a company.
Interesting.
So you're making the argument
that the CTO or the CISO
needs to also get on board with
the marketing department, who
also needs to get on board
with the call center,
because they only
do function as one.
Is that correct?
Without question.
The CISO, it's unusual,
you just don't find it,
is the CISO should be
going out regularly
for lunch with the
chief marketing officer
and whoever it is that
heads public relations.
They should be going
out on a regular basis,
just to talk about,
first of all,
to build a
relationship with them.
In larger companies, there
isn't that close relationship.
The technical folks
and the marketing folks
just don't normally
get together.
They need to be
working together,
especially at a senior
executive level,
and to become comfortable
with each other
and to trust the information
that's going to be provided.
But it has to also go all
the way up to the boardroom.
The reality is that,
at a board level,
your board members
should understand and be
comfortable the
company has a playbook,
and they have a part to play.
It's much easier if you're able
to point the press to a board
member rather than having
the board member being caught
unawares by a call
from press to say,
we understand that there's been
a compromise in your company.
What are your comments?
And absolutely, you have to
keep your CEO in the loop.
OK.
Now and I know you said
there is no way to,
that everything
can be compromised.
But is there a certain
type of DDoS defense,
or is there any kind
of posture that people
can take to protect their
organization from being
compromised?
So there are absolutely
ways of being
able to, first of all,
mitigate, first of all, detect.
So the first thing you
want to be able to do
is detect that there's
a compromise occurring.
You then want to
be able to mitigate
the effects of that compromise.
You can either do it yourself.
Certainly, some
companies do that.
But depending on what
kind of company you are
and what your core
competency is, in many cases,
it's better to bring
in well before.
So when you have a
moment of normalcy
during your normal
operations, be
able to bring in
outside companies.
Once again, it's that
old fire fight metaphor.
You want to bring
in companies that
are specialists in being able
to detect and mitigate and help
you defend.
So you may have,
and I'm sure it'll
happen in a normal company,
the CISO and the CIO
have, even if they're
following best practices,
they have the best that
they're able to do.
But at some point, they may
need to look for outside help,
to look for, effectively,
overflow capabilities.
And you want to be
able to do that before.
For example, in the DDoS, so
you bring up the DDoS world,
and obviously, we're talking
about DDoSs currently,
in the DDoS
mitigation world, it's
highly unlikely that the
average company, even
the average large
company would be
able to afford the
investment needed to mitigate
against a very large attack.
You have to understand that from
the bad guy's point of view,
they generally, no
matter who it is,
if they have a botnet
in place, they probably
built a botnet that's large
enough to take down anyone.
But that's an asset.
And so the way that
they normally start off
is they'll start off
with a small attack
and watch for the effect.
And then they'll
increase and add
bots and machines
to launch attacks
at your system, all the time
measuring it, until such time
as they reach the
desired effect.
So there will come a point at
which all of your own resources
are saturated.
What you need to be
able to do at that point
is call in the resources
from the outside provider who
are specialists in that
field and have them begin
to take over the mitigation.
Because if anyone is
going to be able to do it,
it's probably going to
be the larger companies.
There are also
some technologies,
depending on what
it is out there,
where there are
unique things that
can be done to help mitigate
the effects of an attack.
From a bad guy's point
of view, you always
have to try and understand what
the objective is of an attack.
And the attack could be
as simple as purely trying
to disrupt your normal business
all the way up to being
able to use it as a
smokescreen or as cover
for a larger or a
different kind of attack.
So for example, using DDoS
to take all of your attention
away from your core
systems, and then
to drop some form of malware
through either some kind
of peer to peer contact
or through a zero-day
through your website, or
just through an email.
People are much
less likely to be
cautious about what they
get in the middle of one
of those firefights.
So you need to be aware
of that, and to realize
that, if that's
the objective, now
you go back to the human
factor, which is you
have to train your employees.
Part of the training
that goes in advance, we
may be using an outside
company, but when we use them,
this is what it's
going to look like.
Because if the bad
guys are above average
in terms of what they do, and
they understand that you're
going to be using a
third party company,
they'll begin to
craft malware that's
hidden in a message
that looks like it's
part of the mitigation
of that attack.
Why?
Because they understand
that your employees aren't
used to receiving communications
from the third party
mitigation company.
So you've got to know
upfront who your mitigation
partners are and have
your employees trained
that when there's
an attack underway,
this is how they'll communicate.
They're not going to use email.
They're going to use this
kind of messaging system.
Or when the emails
come in, this is what
they'll have in their headers.
So you have to understand
this kind of thing,
because the modern attackers
absolutely do understand that,
and they do take
advantage of that.
Interesting.
When you talk about mitigation
companies and solutions,
you said use big ones,
but are they all the same?
What should companies be looking
for when evaluating mitigation
companies?
It depends on what you're
trying to mitigate.
So if you're mitigating malware,
so the dropping of malware,
you want to make sure the
company that you're using
has a track record
and is respected
in the industry
for being able to,
number one, respond very
quickly, and number two,
have a solution for that
particular kind of malware.
I mean, that's logical.
That's what we're
saying is logical.
But when you get to
some of the attacks,
for example in DDoS attacks,
if we talk about that
specifically, you really have to
understand that, in most cases,
a DDoS attack, the
most effective ones
are volumetric attacks, which is
when they're designed to really
overrun your normal resources.
Well, the larger the
company, the chances are,
the more likely they
are to be able to deal
with a volumetric attack.
So what you want to
make sure of in a DDoS
in the case of a company
with DDoS mitigation,
number one that they
have sufficient capacity.
Number two, they
have a mechanism
of being able to take over
from you very, very rapidly.
Or if you are a company
that worries constantly
about being attacked
and you are a target,
you may want a provider
who are able to give you
protection 24/7, which means
that your traffic is normally
going through them.
And that's an
always on provider.
You want to make
sure that once again
that they have a
track record, that you
talk to some of
their other customers
who've actually
been under attack,
and ask them how the company
behaved under attack.
And then what you
want is a company
that will also,
from time to time,
will go through the
exercise with you.
So you want them to
be a partner with you.
You want to--
I know that most of
the CISOs and the CIOs
who are watching this are
probably aware of the fact
that they have
diesel generators,
and they have other processes.
And on a regular basis, they go
through training where they'll
switch to the
generators on a weekend,
for example, just to
make sure it works.
They need to be doing the same
thing in the DDoS world, which
is how do we really make sure
that our processes are working
for switching over?
Well, you're going to
have to choose a time,
and maybe allow a very small
DDoS to be attacked as part
of your exercise and make
sure that you actually
have the processes in place
to successfully do it.
So the truth is, practice makes
perfect in that kind of world,
not just you, but
also your providers.
So make sure your
providers can do that.
OK, and you mentioned
volumetric attacks.
And we know about
the Mirai botnet.
But for the people out
there who may be listening,
but aren't as focused on Mirai
or what exactly IoT is, how
would you explain that to them?
So the funny thing
is that IoT has
become this buzzword over
the last three or four years.
Oddly enough, IoT is not new.
IoT has been around for, gosh,
I can remember in the late '70s
and early '80s, where
we had devices that are
no different to devices today.
One of the original ones was
a Coca-Cola vending machine
at Carnegie Mellon University
in the computer science
department, where there
was a vending machine that
vended Cokes and Sprites.
There'd not have been
Diet Cokes at that time.
And it was on the ground floor.
And the computer science
engineers there would have
to walk down three or four
floors to the vending machine
only to discover that it was
either out of bottles of Coke--
it was probably bottles in
those days, maybe cans--
or that the Cokes had just been
refreshed, and they were warm.
And so very, very simply, they
wired the various elements
of that Coke machine
and connected it
to the university network.
And what they were able to
do now from their own room
was to actually
connect to the machine,
and, number one, check if
it was full, and number two,
check on how long it had
been since the Cokes had
been put in there, so
they knew if it was cold.
That was an IoT device.
It was an internet of things.
So from that time, we've
had many, many devices
that connected to the internet.
It's just in the last
three or four years,
we developed this
buzzword of IoT
as more and more
everyday devices
are connected, all the way
from heart, blood pressure
monitoring systems to
cameras and baby cameras
to burglar alarms to industrial
machines to all the way
to the health management
systems on airplanes.
And therein lies the problem.
Because in many cases, the
security portion of that
isn't as advanced as the idea
behind the internet of things,
or the IoT kind of devices.
And so what you have is a
proliferation of low cost
devices all
designed, ultimately,
to connect to the
internet and to be
controlled via the internet.
And those devices
are, unfortunately,
because of the lack
of foresight or even
with foresight, lack of interest
in spending or because of price
pressure, have been developed
and distributed, many times
with either no security or
with very basic security.
User and password, or admin
and admin as default passwords.
The bad guys have
discovered that.
And whereas those
devices in the early days
might have been connected
to very carefully controlled
networks where there was
not very much bandwidth,
what you now have
is, for example,
in the United States
and parts of Europe,
you have 100
megabits of bandwidth
or even 200 to 300 megabits
of bandwidth at a home.
So when you get your home
account for your 30 or 40
pounds or euros a
month, you're actually
getting an enormous
amount of bandwidth.
Those devices are
now capable of being
used as effectively cannons
using all of that bandwidth.
And the truth is that there
is more bandwidth out there
at the end of
consumer connections
than anyone has the ability
to actually mitigate.
So the internet of things
has now become a real issue.
First of all, because of
the proliferation of them.
They're everywhere now.
Secondly, because of
the lack of security.
And third, because
in many cases,
they're not patchable
or upgradeable
for security vulnerabilities
in the field.
They weren't designed that way.
So if you think back to
your family and your home,
I won't say you, because
you're technically savvy,
but the average
household, to ask someone
to go through the
process of patching
a doorbell camera or
maybe even a picture frame
that has the grandkids
photographs in it.
Those devices, if
they are compromised,
it's almost impossible to
have someone understand
that that's where
the vulnerability is
and how to patch it.
The ISPs, it's very
difficult for them to do it,
because the cost of
trying to reach out.
If you think about it, people
have been half trained.
So if you get an
email that tells you
that you have a device
that's compromised,
your initial reaction is,
that's a bogus email already.
So it becomes very
difficult and very expensive
for ISPs to do it.
So if we're going to
solve the problem,
we have to take a much
more holistic view of it
and start all the way from
manufacturers of chips
and working all the way out
through ISPs to end users.
So you said earlier that we
messed up with the internet,
because we didn't design
it with safety in mind.
And now we have the
internet of things
that we messed up, because
we don't have safety in mind.
Are we getting
any of this right?
So the only thing
we can possibly do
is get better at
recognizing when
we are compromised in order to
be able to do things about it.
And that means even households.
So for example, ISPs
are beginning now,
certainly the more advanced
ISPs are beginning now
to go through the
process of being
able to analyze what normal
looks like with providers.
And once they're able
to not just providers
of their bandwidth upstream,
but also of their customers.
And what they're
able to do is be
able to detect
very, very quickly
that a particular customer's
system or connection isn't
behaving like normal.
So that kind of thing has to
move through the lifecycle
of internet packets.
And until we do that,
it's going to be
a very, very difficult battle.
But it is happening.
One of the problems
is that while it
might be possible to do
that in some countries,
there are other countries
that either don't
have the government
discipline to do it,
or they don't have the
interest in doing it,
or they can't afford it.
So it's one of those
things that's going to--
there's going to come a point
at which some pain is going
to have to be inflicted on the
parties who may be innocent,
but are part of the problem.
So the great thing we always
talk about with the internet
is that we talk about
that it's really
the community that matters.
But the tragedy of
the commons is real.
And so in the
internet's place, I
believe that we're going to
have to see some much more
dramatic events,
not just the fact
that 140 million sets
of personal information
were leaked.
But, and it's a
terrible thing to say,
that we will start
to see loss of life.
At the point that we
start to see loss of life
as a result of the
weaknesses of the internet,
you may get people prepared
to take more action.
You can think back to
seatbelts in vehicles.
It wasn't until someone
actually measured
the number of people
who were killed,
who could have been saved by
some better form of restraint,
that you then had
seatbelts coming into cars.
Now, you can't buy
a car without one.
And they save
lives all the time.
But it wasn't until
someone actually talked
about the lives that were lost.
The internet is not
just this esoteric thing
that gives you movies
and allows you to send
emails and chat to relatives.
It really does
today support things
that can affect life and death.
It's just like I said,
taking us all the way back
to the beginning
of the discussion,
we didn't expect that this
is what it would be used for,
so we never built those
kinds of controls in.
We're now at the point where it
is being used for those things,
and we have to get it right.
Wow.
And do you think something
like that is inevitable?
So I believe we've seen
cases of it already,
but they haven't been
either governments
or individual parties have been
very hesitant about identifying
that.
But there's absolutely
no question in my mind
that it's already
happening on a small scale.
But it's going to take a
large scale event for people
to sit up and take notice.
Wow.
OK, well, going back to the,
if I may just refocus this,
back to the CISOs, whenever
you speak with them,
what do you normally tell them?
What kind of questions
do you hear them ask?
So it's interesting,
because, by and large,
the CISOs and the CIOs really
are aware of the problem.
The biggest difficulty
they find is
being able to convince
their management that there
are steps that can be taken.
At some of the seminars
that I teach at
and I give speeches at, I
provide some of the solutions.
Our company at Neustar, we
have a number of solutions.
We're not the only ones.
We're obviously one of many.
And CISOs and CIOs really
have a great interest
in making use of our services.
But they're continually
fighting this budget battle
with executives.
Because until there's
a major breach,
companies see this
more as, well, the CISO
is just trying to
build a larger budget.
But if you think back to any
of the major breaches that
have occurred, and
you look at what's
happened in those companies, and
every one of those companies,
it's reached a point where
the CISO's budget has finally
been improved.
But it's being done
after the fact.
It's not the kind of thing you
want to do after it happens.
You really need it upfront.
And until we can
get to the point
where boards and
senior executives
understand what's needed,
we're going to suffer.
One of the things that may
make a difference, of course,
is legislation.
So in the European Union,
the new legislation
that takes place
next year is going
to have a significant
difference, because it's
going to apply pain points and
hold people accountable for not
following best practices.
That's going to make a change.
But once again, it's going
to make a change in Europe.
And unless we look at Europe
as an isolated enclave,
if you like, from an
internet point of view,
the other countries
outside of it
will continue to have
their bad habits.
So it needs a global
movement, and that's
something I think that's
going to be very, very
difficult to get.
In the interim,
companies can only
do what they can within
their own networks.
And that's where you start
to follow best practices,
use or outsource or bring in
companies from the outside that
are specialists in those
areas, whether it's
in DDoS, whether it's in the
DNS space, which is obviously
an area of great vulnerability,
whether it's in malware
and phishing, if
it's in pure hacking
and exfiltration of data.
Companies really have to do
whatever they can internally.
But they need to also spend
an equivalent amount of effort
in being able to detect
and mitigate or minimize
the damage.
The damage will occur.
And short of legislation,
do you recommend
that companies talk to one
another about what's going on,
what they're seeing?
One of the very effective
things that can be done
and that we've seen
bits of, certainly
in the financial sector,
not only in the US,
but also in Europe, we've
had the financial sector
build a mechanism that
allows for sharing
of knowledge
between competitors,
which is very unusual.
But obviously, the
financial sector
is the one where the
pain is felt first.
The famous adage of,
why do you rob banks?
Because that's
where the money is.
So it's no different
for cyber criminals.
But we have to find a way of being
able to share information,
not just between
companies and competitors,
but also between the
government sector.
In many cases, the
government sees
things that come about as
a result of intelligence
gathering that would
be very useful provided
to the private sector.
But it's not in the DNA of
the intelligence community
to share information outwards.
They're very possessive
of it, and they're
very protective of it.
However, one of the
other things we know
is that 90% of
government infrastructure
actually relies on
the private sector.
So you would think
that, at some point,
the governments
of the world would
have gotten to trust
the private sector
and to be sharing
information, knowing
they're protecting themselves.
It's a very difficult
thing to do.
Here in the United States,
we've tried that for many years.
And it's only the last year
or so that we're actually
seeing that kind of thing
happen in a reasonable way.
In other parts of the world,
it's not been that successful.
Interesting.
Now you mentioned DNS earlier.
And I believe you have
some background with DNS.
Is that correct?
I have quite a
bit of background.
Yeah.
That was a softball.
How would you recommend that
companies shore up their DNS,
since you mentioned some
of the vulnerabilities?
From a DNS point of view,
I think, first of all,
people have to understand
how important DNS is.
DNS is sort of the glue that
holds the internet together.
It's the equivalent of the
white pages or the telephone
directories that occur.
I may know exactly who you
are and where you work.
But without knowing your phone
number, I can't reach you.
And that's the
way it used to be.
In the internet,
the same thing is true.
Computers are used to
being referenced by number.
Humans can't remember
phone numbers.
Phone numbers also
change as you move.
You may be a little
too young to remember.
But for many of us, when you
moved from one neighborhood
to another, you had
to get a new phone
number, because of the way
the central office was set up.
In the internet world,
that still goes on.
And the way that
we get around that
is by just knowing
that you're Travis
Abercrombie from Neustar.
So that becomes a
unique identifier.
You're the only Travis
Abercrombie at Neustar.
But your phone
number could change.
If I was able to dial you by
your name and your company,
you could change
your number any way
you wanted, as long as there
was some kind of cross reference
or some kind of interpretation
that converted from your name
to your actual phone number
with whatever it was.
And every time you moved, you
go back to that directory,
and you would change it.
It would be up to you.
I would never have to know that.
In the internet, that process is
called the domain name system.
And it's the thing that
allows you to match or to map
IP address numbers to names
and domain names or host names
to IP addresses.
So it's fundamental.
The bad guys learned
very early on,
the early 2000s, that despite
whatever infrastructure someone
had, multiple web servers,
multiple mail servers, if you
could disrupt the DNS
process, people wouldn't
be able to get to them.
And that would be
effectively a wonderful way
of being able to take a company
down or to disable a company
or disrupt it.
And so the DNS
has been a target.
The next question you may ask
is, well, why is that the case?
And part of the problem for
that is that the protocol itself
was designed at a
time when we didn't
worry about the security.
So it was designed
to be very robust.
And in a funny way, DNS
is incredibly simple.
But the elegance is
unbelievable in its simplicity,
the things that are in place.
And the bad guys have
learned how to corrupt that.
So we've been working on
things like DNSSEC, which
is the DNS Security Extensions.
We've been working
on things like BGP,
or border gateway protocol,
routing security in order
to protect that infrastructure.
The sad thing is, in
the technical community,
I think we're now in year number
18 of the working group that's
trying to define and get
DNSSEC deployed globally.
And most of the people who are
involved in the CISO, CIO world
know if they know about
DNS, they probably
have heard the phrase DNSSEC.
We still aren't there yet.
One of the other problems
is that the technology
has moved on to where DNSSEC
is not a great protection.
There are other things that can
protect you in a different way.
So we are now looking
for alternatives or ways
of enhancing DNSSEC.
Because on its own,
it's almost a problem
looking for a solution.
It should have been a
solution for a problem.
But it's really the
other way around.
So we've had to find ways of
being able to modify that.
And there's something
called DANE, D-A-N-E,
for those who want
to go and look it up,
which is a movement to actually
combine two different forms
of security both for routing
and DNS that should make it much
more secure.
But then the bad guys
have all of this runway
in which to do things.
So at the end, we'll
solve this problem.
By which time, the bad guys
will have found another way
to compromise.
But for the last
20 years, this has
been a great vector
for the bad guys,
and they continue
to make use of it
with compromises and
attacks and hacks.
And there have been
some very visible ones.
There was one in 2016 where
a number of the social media
platforms were affected, I
think around June of 2016.
And that was because
a DNS provider
was on the receiving end or
victimized by a DDoS attack.
And that particular
provider was a provider
for some of the key
pieces of social media.
Well, the world
knew all about it
not because the DNS
company was down,
but because the things
that relied on the DNS
failed almost immediately.
So DNS is really critical.
But most people outside
the very technical world
have no idea that
it even exists.
They need to start
thinking about that
and how you protect
against it by using,
it's one of those things
where you probably want
to use companies that have
built infrastructure that's
specifically geared towards
protecting against DNS failures
and compromises and attacks.
So it's just getting back
to the earlier question,
what do you do as a CISO?
You look for the professionals
in a particular field,
go through whatever
due diligence,
talk to all of their peers,
and then find yourself
an alternative as an
outsource provider.
And you have maybe
two or three of them
to be able to provide you
some kind of redundancy.
But you want to bring in
the professionals for that.
Unless your business is the DNS
business, or the DDoS business,
or the DDoS mitigation
business, or the malware defense
business, you may not want
to be doing that yourself.
You may want to
use professionals.
Well, way to knock that
softball out of the park.
So let me follow that up with
another softball, if you will.
I heard you architected
something called DNS Shield.
What exactly is
that for people who
may not be as familiar with it?
So one of the things
that the internet
and the vulnerabilities
of internet at large allow
is for the fact that traffic
goes over a public network.
And you can interrupt it
at any of those points.
Because DNS is so
critical, one of the things
that in a perfect world is
for the DNS infrastructure
to be protected.
However, that really goes
against the whole tenet
of the internet.
The internet was supposed to be
a public set of infrastructure.
And all of the control plane,
so all of the signaling for that
would be going across
the public internet.
It's just it's one
of those things where
you've got the
pipe, and everything
goes through that pipe.
Well, one way of
being able to try
and short circuit the bad
guy's ability to compromise DNS
is if you're able to
create private connections
between the DNS servers, the
authoritative or the authority
DNS servers.
And I don't want to go down
that rat hole, because that's
a whole other session,
we could do another time,
is that you really
have in DNS, you
have the authority
side, which is you,
deciding what your phone number
is going to be when you put it
in the directory.
And on my side, my
assistant, whom I
ask to find your phone number.
Her job is to go and
wander around the internet
until she gets the correct
phone number from you.
And that's how DNS really works.
So in that particular case, if
I could have your directory,
you make your changes
directly with my assistant,
there's not going to be an
issue in that particular case
with anyone else
being able to corrupt
or cause any issues
with changing the number
and sending me over the
phone call to someone else.
So DNS Shield is a technology
that we developed a while ago
that allows us, as
a large DNS company,
we're one of the
largest in the world,
to be able to provide all of
the entries that we know about,
that we have the
authority to publicize,
to be able to take that
and be able to move that
into the very large ISP networks
where most of the users are.
And not use the public
internet to transfer that data.
And that makes it much more
difficult for the bad guys
to interrupt it.
Their way of interrupting
would be somewhere
in the path between the two.
If they can't get to that path,
that path is now protected.
So it's an idea that I came
up with some while ago.
As a company, we
have it implemented.
So far, we're the only
company that does that.
But it's the right thing to do.
And hopefully over time, others
will work out how to do it.
But for now, that's one
of the major things.
In fact, in our company,
probably 35% or 40%
of all of the DNS traffic or
the DNS queries that we see,
we actually respond to over
this private infrastructure
that's completely protected
both from attacks and also
from normal hijacking of
entries or compromise.
Interesting.
Well, that's all
the time we have.
Thank you so much for your time.
Yeah, thanks for having me.
Yeah, my pleasure.
And I don't mean
anything by this,
but there are two
people that I never want
to read me bedtime stories.
One is Stephen King, and
you are the other one.
I'm sorry to hear that.
But thank you again, and once
again, thanks for your time.
Appreciate it.
