Welcome to Cyber Security Today on the weekend. My guest today is Eran Barak. He's the CEO of data security firm MIND, and we're going to talk about insider threats. Now we accept that most threats are insider threats. If something's done by somebody or not done by somebody and it leads to an infiltration. But most of these are innocent or at least not intentional. They might be foolish or things where people should know better.
But in the end they didn't think they were going to cause any damage. And that's what's behind it all, but there is a more insidious, intentional set of actors who represent a threat to companies. And that's a wide range of different situations.
And for some, what they're doing may seem like an innocent act, the proverbial salesperson who takes the client list, and, but there are even more insidious actors, people steal company secrets all the way up to nation state actors who infiltrate a company. And that's what we want to talk about today. Eran, welcome, first of all, to the program. Thank you so much. Thank you, Jim, for having me. And, it's very close to my heart, this subject we are talking about.
So we'd love to share, our knowledge. Why I wanted you on the program, I gave a sort of a broad brush in there. What, if you were describing the types of insider threats how would you describe them? Yeah. I think you nailed it. There are many insider threat. We call them sometime insider lazy. And there are, users who basically leaking.
I do like that, quote unquote data just to make their work day-to-day work convenient, but they don't actually understand the risk that associate with this kind of, activities. And then there are, other kind of, users that, as you said yourself, if I am now a sales guy leaving my job and moving to another company, I might want to take my Rolodex and all my contacts with me to my next job, and this also creates a risk. And obviously it's part of the company's IP.
And the last thing, which you mentioned as well, this is more on the non-innocent, intentional kind of insider threat where you really want to leak data, outside the company. And so how do you watch for these insider threats? Yeah. So what we do here at MIND and the reason we founded MIND is basically to protect sensitive data. There is an area today called data loss prevention, and that is basically tools that are deployed in order to prevent these data leaks.
So basically imagine that you are able to monitor each and every data, who has access to that, who has downloaded it, who is basically moving it inside the company, outside the company, and then also add the protection layer where you can really block this user from doing that. Now, there are many solutions out there that can give you this visibility.
The problem with them is they are after the fact, so I can tell you this data was leaked, and I can tell you by who, or this data moved, but the data already moved. But he's in North Korea now, so it's a done deal. Exactly, but if you are able to block it in real time, then obviously you can, reduce a lot of risks. So in, in doing this, you've encountered a lot of different scenarios.
Tell me about a couple of the, what are the ones that most haunt you, or at least should be most worrying these days? Yeah, I think you talk about, you talked about COVID, that we've seen more and more, especially here in the U.S. By the way, I'm originally Israeli. But in the U.S., the remote work became more dominant. Now we see maybe some more big companies are calling their employees to come back, but still, it's not the norm. The norm is still working remote.
And then you see these subcontractors, that are basically working remote, and, they can fake their identity. You never know who is on the other side.
In fact, you can, and we heard it, by the way, firsthand for some workers that interviewed for some admin kind of positions where you have access to all the company's IT, and basically this creates a risk on these companies because if you don't have him internally in your company, you don't see the guy, and then you basically give your keys to all your crown jewels sometimes. And we heard about the North Korea scheme that, you know, that now just these days in the news, where,
some North Korean employees are basically being an IT in many US companies, great. I don't know what the numbers are. I don't know if you have a better sense of what they are. I know, anecdotally, because we do stories on it, that there have been significant companies that have been fooled and have hired people into IT. There've been at least two farms that I know of in the U.S. that were broken up where people were actually,
American citizens were actually enabling these people by providing workstations and IP addresses in the U.S. So we know that there's been quite a few of them. I've heard people say everything from your, probably your company's, if you have remote work, you probably you've got one in your company already. Yeah, I don't have the actual numbers, as you said. It's also what I read like yourself on the news. But I can tell you that from what we have seen at MIND, it's real. You can definitely see.
I told you. You talked about these IT workers, but sometimes you hired people, for example, to manage your Salesforce. As an example, it's a CRM system, right? And then you basically give someone all the secrets just for this platform and basically you can do whatever you want and have access to all your customers. And basically leak data around that. That is something new that came out of this conversation for me.
There are all kinds of roles where people could have all kinds of access, which brings us back to this whole idea of understanding who has access to what and why, which I think is probably one of the things we should always be thinking about. I was a big believer in saying, if you're granting permissions, why do the people need them? What do they do with them? And when do they not need them? Because that's the other thing that happens is, and this, you could have roles that. That's great.
Now you got me scared. I'm sorry. No, but you think about it. Somebody will come into a role. They'll be that person. They'll have all kinds of access. Nobody will ever check on it again. The next person we hire into that role, we duplicate their access. They may not need it anymore, may not even be part of the job anymore, but unless somebody's actually going through and saying, you need the least possible access? Why do you need this? Why do you need this? You're going to replicate that.
How do I know this? I used to run a security department way back in the old days and we built model profiles. It's easier. Got this type of job. You need, you get this type of access. Get out of my office. Exactly. Exactly. Exactly. That's true. And this is go back to what I mentioned, the insider lazy, right?
And it can come in a different, like you mentioned right now, in a different shape and form, as you said, you want to make things more efficiently and you just create these profiles and in one, two clicks, you basically create a new profile for a new employee and here you go. But as you said, maybe it's not necessarily need all this access. One of the things that we are doing here at MIND is we start with obviously what calls today the market posture with the visibility.
Basically, we integrate to all these data sources that you have where sensitive data lies. And then we are able to tell you who has access to what, where the data is, and what kind of data, right? And more than that, and what I mentioned before, because we have this protection layer as well, we are really, we really monitor and block any data moving and or any data movement.
Yeah. So basically, in the end of the day, what do you want is to be able to know where your data is and who has access to that 24 7 and basically able to monitor it in a way that you can really restrict who has access to what in real time, and by that you reduce the risk that you just mentioned. And, as you said, if you already grant access to someone, you want to make sure there is explanation around it and why it needs that then basically give it as a temporary access, right?
Because you don't need it all the time. So we have the North Korean infiltrators. There's also another story that came out this week and you think about it and that's that the people who may have what they think is good intent. Mark Zuckerberg fired 20 people this week, because he said that they had leaked information either about meetings or policies and presumably because they thought if I get that out into the open, then people will spot this and maybe our company will do the right thing.
Hard to fault them, but probably not the thing that you want happening in your company. Especially these days where again, going back to remote work, right? And you create these dynamics where you call employee to come back. Many of them might leave. You may cut some employees. So then, as we mentioned in the beginning, you need to watch carefully, about these employees because, they're going to take data with them that for you as a company, as an owner of a company, it's sensitive data, right?
But they want to ask information from you most likely. So you want to be able to first monitor that and second block that the best way to do that is obviously if you know in advance that you're going to cut these employees. So you already put it in your systems, that protect your data and be able to monitor that and then flag it if needed. Are there specific signs that people should watch for to be proactive about this?
Yeah, I think if you put the right threshold, you can look about the amount of data that is being downloaded as an example or uploaded. Depends from which side of the house you look at that. This is one area where you can basically understand that something is wrong. I would say it's the, it's one of the critical sides even, right? If you see someone uploading or downloading, more than the normal amount of data, then there is a flag. Hours of work, right?
Today we have access to our companies from everywhere, anytime. This is advantage, but disadvantage at the same time that we talk. If someone is now logging in the weird hours. So ask yourself why and monitor that as well. Although I'm not sure that's as good a trigger as it once was. People work long and different hours these days but there are occasions, I think that we don't, where we don't think about it is, and I don't know whether how well systems are set up to track it.
And that is, I know that I have access to that data. The question I'm asking is why would you want touching that data? That's a difficult thing for a, for an IT system to spot. Yeah, that's true. That's true. This is it's a more complex and hence I think you need more tightened policy around this sensitive data. So you're right about that, that, if someone has an access to that, the fact that he's downloading or uploading not necessarily means he's doing something malicious.
But again, if this is still in the company's perimeter, that's fine. But if your policy is around this data going outside your company. Which can easily be done. Imagine if you upload now your, some of the data to your own box account or Gmail account, right? So then this is where you need to kick in some protection controls.
Yeah. Yeah. And of course, in recent news, I don't think we could escape the idea of right now there's I don't know if they're 10 or 20 kids and they are kids 20 to 24 crawling around the American government, downloading data and having access to some of the most sensitive data in the world. I, my opinion, but all of those kids are compromised by now. And you're from Israel you've come from a country with a highly professional security group.
There's nothing, I cannot believe that North Korea, Israel, maybe others probably China, Russia have all pounced on these kids. And if they've made, if they've made a single mistake, they're hacked. How do you deal, now that's an extreme but people are targeted all the time. There was a case even in my neck of the woods where someone was the girlfriend of a biker. And working in the police department, this happens all the time where people are compromised.
How do you, how do, what's your advice for people in trying to deal with that? Listen, this is it's, I always say it's missiles, right? You first develop the the more the attack, and then you come with a defense, right? So you always behind as a defender. You always need to assume, as you just said, and I agree with you that you've been hacked, and things will get leaked and I guess you need to do the best you can on the physical and virtual side.
When it comes to security to, to protect that there is no any silver bullet when it comes to that, unfortunately, otherwise you and I won't be here on this call if we had this silver bullet. Yeah, I've always said that if all software and all processes cybersecurity, I would not have a podcast. Yeah, exactly. Exactly. Completely agree with you. Yeah. So I guess it starts from a good process. When you scan and hire people, right?
And then, even if they do have access, so you also give the minimum access possible. Meaning that, as you said yourself, even if you now hire a new employee, you don't just replicate the profile. You really tailor made, especially to IT or some high level employees with more access. That they really have access to what they need. And I would argue that maybe, from a hiring perspective, you never want to give, um, the keys to the, all your crown jewels to one person.
You always want to distribute that so you can, manage the risk when it comes to losing data and IP. Yeah. Yeah. One of the things that I've been saying, and I don't know whether it falls into the technical piece of this is there was a time when employees were loyal. I know, 'cause I've been around long enough to have worked through it. There were times when we took care of the company's information. I don't know if that loyalty still exists anymore and probably for good reason.
If you're dispensable then especially if you're talking with AI right today. So yeah, no, that's it. That's right. I didn't think about that way. But I think you're right. And, one thing we have seen, and it's it's more old news, but, during COVID, because everyone work remotely, I heard new, I heard where employees basically work for few companies at the same time.
I've actually had somebody, this happened, but it took me some time to figure out why this person was not reachable at certain times and was not, and it was just, they couldn't turn around the work. And one of my cohorts at work said they have two jobs. Yeah. At least. Oh, yeah. And as long as they're not working for a competitor at the same time, that'd be, yeah. But, and it's hard to say, but yeah, I agree with you.
I think it's a different generation these days and everything became more globalized. So you can really work from everywhere and anywhere to any company these days. And, this is again, advantage and disadvantage, right? There is a very, a lot of upsides to that, but a lot of downsides and yeah. So it is a bigger threat. And I think we've gone through a number of scenarios. You know, how do CISOs get a handle on this? How can we, how can CISOs control this threat?
I think, it's a combination of data and identity. And it starts on the more physical side and, screening and scanning. And when you hire someone, you really need to do a really good background check. Before you hire, especially to jobs that you mentioned before, the IT. And especially someone like yourself who knows a lot about what it takes to bring these IT guys. And then, obviously put the right programs in place. Either it's a data protection program or insider risk program, right?
And I would argue you should combine that they go hand to hand and you need to make sure that you really have a grip on your where your data is. And what is your IP? What you are willing that might be compromised. I know it maybe sounds bad, at the end of the day, we can't control everything. You need to come with this very tight strategy and understand, everything that, that's related to your data and especially for your sensitive data, obviously.
Yeah, and we presume, maybe I'm wrong, we presume that people have done a data analysis. We toss around these terms like crown jewels. We presume that people know what the crown jewels are. I don't know whether people think in terms of, What, whether they're the disclosure of data, which could be fairly innocent. In other words, you may have your top secrets of your business, but there's other data that if it was disclosed, could be embarrassing, I presume that people do.
I presume that they're doing these types of data analysis. They may not. If they haven't, I would suspect that they need to. I don't know how you make cybersecurity work if you don't understand the various levels of data, because there's all kinds of data you can't, you only have so many resources, you can't spend all your time protecting data that has no risk of exposure or destruction. I guess that's the first thing. What else goes into an effective program? Yeah, I know.
I think you're right. And I think there is also even today. You talked about yourself being in security years ago. If you think about how development is done today, it's all cloud based. And you can really replicate sensitive data in a very easy way. So you give a database access to one of your developer, you can replicate that just, for development and testing purposes. But then you forget about it, right? Or you can basically move data around different SaaS apps.
Today, everything is on the cloud, right? I always say today, the CISO job is very hard. Because years ago, 20, 30 years ago, it's all was in the perimeter, right? You had on-prem file shares. You have all these stuff that were more contained. Today, it's not anymore. You, and in fact, you have both today. Because, we all talk about moving to the cloud, moving to the cloud. Yeah, we are working on the cloud, but we're still working on prem as well.
So now you need to basically protect both fronts. So what you really need to do is make sure you have the right controls. And you need to really work with security controls, where they have both capabilities to this kind of old environment, on prem and cloud, and are able to protect all your crown jewels or your sensitive information on both fronts. Yeah. And do that. And yeah, and even the movement, we've talked about this, the movement doesn't have to be malicious.
I have been an absolute critic and I will confess to it of Amazon for the leakage of S3 buckets. And the reason I've been, I've done that is I went on and tried to, because, and I'm no longer a functioning technical employee. I don't do this hands on every day, but I went on and I went and said, here, I'll set up the security for something. I've never been so confused in all my life. No, I might not be the smartest guy in the world.
You may be able to say that, but I could see how these mistakes were made. And you look at the user interface and say if we have to give people the tools to protect our data if they can make mistakes so easily and by witness, they happen all the time, then we should be improving that user interface as well. But what other things could we do? What technically aren't we doing that we could do? First of all, you need to have a good data retention program.
We at MIND found many companies where they don't have a retention program to their data, meaning they just store everything everywhere for whatever time, infinity amount of time. And this is by default, not good. There is a lot of data that you don't really need, and some of them is sensitive, as you said, or can be embarrassing if it's been exposed. So you need to have a good data retention in place. First and second, we talked again about the controls, right?
So you need to make sure you have controls that are up to date. And as an example, your sensitive data is not necessarily just a traditional sensitive data, right? You talked about the customer data or we talk about the credit cards and things like that. But, you have many companies out there that are, for example, manufacturers, or companies coming from health care, right? With lab results. This is data that you need to know how to classify. And obviously, today,
it's a harder job because I think years ago you can still be able to put, a few employees in place and let them classify and label everything manually. These days are gone. The amount of data that exists today is absolutely growing exponentially and you only need machines to do that. And I would argue if you're still doing things manually, you'll be out and you put yourself at risk. You need to adapt. No, I think you've hit the nail on the head there.
That was, I was thinking about it and you've got to be careful in this business. There's one thing to be a commentator and I can be a critic and I can say you should be doing all these things. I was a CIO. I know that sometimes you don't have the time. Sometimes you don't have the resources. And when people come in and the worst thing in the world is to be a security consultant who comes in and says, I've got all these templates. I need you to fill out, to classify all your data. Oh joy.
And so I get that. So you're saying that one of the advantages today is that we actually can use systems to be able to classify our data. 100 percent and even classify very complex data. The fact that the AI made such a progress, obviously, again, talking about pros and cons.
There are a lot of risks that comes with this AI, but when we talk about classification in particular, that it's a lot of pros and, many of them related to classification and the fact that you can classify much more accurate in a faster and a way, and basically be able to cover a huge amount of data that would take you, months or years if you would do it manually.
This is something that we need to take advantage of and I'm with you on that one because that's one of the biggest things, the people say 80 percent of corporate data is dark data. People don't even know what's in it. This is where I get to the other piece of this. When you look at trying to classify your data and I get it, you should get rid of data you don't need, but the whole point of AI
was it gave us access to data that we might have thought we didn't need just because we couldn't reach it. So this is the dilemma, right? If I get rid of the data, I'm going to miss that big aha moment when I relate two pieces of data and get an insight. I'll never get it. Yeah, no, that's true. Yeah. And I'm sorry to interrupt you, but on that, I have philosophy in life, if you didn't touch something for a year in your life. It can be closed. It can be whatever. Then I guess you don't need it.
It's true that what you mentioned, if you want to get some insights and, related to specific areas in your company, it might help you. But again, what is the risk associated with that? And so you need to calculate that as well. But if you can analyze it, you can come closer to making a smart decision. That's what I'm, what you set me thinking about was saying, Oh, geez, cause that's always the problem. Classifying the data, you can have all the meetings you want.
You can get out the PowerPoint and the templates and you can walk around every department and try and figure out what's there. And you're still going to have an imperfect picture. And I guess the argument for not using it, if you, if I use AI, I might have an imperfect picture. You could have an expensive, imperfect picture or a less expensive, perfect picture. That's pretty good.
So have you, when you've looked at this and you've done, you've obviously done this with your clients, have you gotten insights? Have you seen lights go on? Have you seen people go, wow, okay. I understand something better now. Yeah. Again, especially when it comes to a more complex, sensitive data that they were not able to classify with traditional tools.
And they were like, yeah, basically, as you said, the aha moment that they didn't know these data exist, even in this specific data repositories, as an example. And this was for the, okay, we need some controls on that. They didn't even know, right? You can't protect something that you don't, you are not, you don't know of.
So this is what the second thing I want to say, because you mentioned we talked about AI, and I know it's a hot topic and I would say another driver for data leakage is as you said about now looking for data with AI. So there are a lot of tools out there, what they call AI enterprise search. So for example, if you implement these tools in your company, You as an employee has access to that. You can search for any data in the company. Now get that if this data is not restricted.
You as a low level employee, as an example, can have access to the most top secrets data of your company without anyone knowing about because now this data is exposed to you. And then all the scenarios we talked about earlier in this call basically can happen. And so this is very it's a huge driver today for many companies before they adopt this AI enterprise tools.
And to make sure they deploy these data controls in place and this should be ongoing because the data is something that is very dynamic, right? You create data every day, all day. And so yeah, it's going to be interesting and I hadn't thought about it in those terms either. And that is the propensity for being able to do greater level of search. Correct. And especially when you've got that.
That interim step, and that is traditionally, if we've got traditional file storage that's what you've got, but if you have an AI that searches your file storage, now it's not going to start the classical means it'll be vectors. It'll be different things, but you now have data that could be accessible. You didn't think, or you didn't think about protecting in the same way, but is that, yeah, that's going to be a struggle. So it's imagine it's like what you mentioned about
the identities, right? If you hire a new employee, now you have this profile. So you say, okay, is the R&D is based basically similar to this employee. So let's replicate his access and give it to him. Same with data, right? You are now created new, especially when data is created on the cloud, which is what we do most days, right? How often you open a new document just on your device, you're mostly created in G Doc in, Office 365.
But then it comes with a default kind of access that mainly and oftentimes are open to everyone in your company or maybe less restricted that you would want. So you need to make sure that you have, again, controls that basically enforce. I haven't even thought this through in terms of got Copilot or Gemini, you may have some tools to restrict access. I actually don't know that. Yeah, so today I, these companies like talking about Copilot and Microsoft did a very good job today to apply
on the Office 365, but again, think about any average company today, even here at MIND, right? We use many different tools. You don't use just the stuff, right? You use a lot of tools. So how you make sure it's aligned across these tools. And this is something that it's hard to do. Especially, and I've said this before and probably I'm a broken record on it. We are in for the greatest amount of shadow IT that we've ever seen in history.
And that it's all coming in, in the name of AI, much of it being smuggled in. Or used without permission because people aren't going to ask permission there if they find a way to do their job and it's some neat little program, they're going to use it and correct. And again, this is go back to it's not it's an, it's innocent employees, right? They don't try to do things malicious and they just try to do a more efficient and better.
Okay. So we, I don't want to, I don't want to just admire the problem. We talked a little bit about this and say, we have to do a better job at classification and we can use AI to do that. Are there other things that CISOs should be looking at and saying, wait a minute, we need to think this through as well? Yeah, so I think again, you're right. I look at it like you build a building or a home, right? You first put the foundation.
The foundation is discover and classify all the data you have, because you said it yourself, right? You sometimes have data you didn't know even exist. So you first need to discover. Once you discover and classify, you need to put your policy on top of this data, this is another layer. And the policy can be anything from, as we talked about here, how you share the data with subcontractors or with inside the company, a threshold about the amount of data you can download and upload.
And many other things around sensitive data. And once you have this policy in place, you can basically surface data risks or data issues, I would call them. And then you can start cleaning them, right? Proactively. You don't need to wait for this data to move in order to block, to be leaked. You, in fact, you would prefer that everything would be clean 24 7. And you won't need to care if data moves because you know when this data moves.
It moves in the right direction or to the right the right folks. But then you need to also make sure you have these controls about when data moves. So you are protected there as well if sensitive data is moving to not the right direction. And in the same way that, we talked about using AI to classify data, the building of policies is a huge effort. Are there ways to accelerate that or make that smarter?
100%. Yeah, 1%. And I would say, again, not just smarter, even more efficient because today you can build policies with AI and you can push them back across different data storage and basically have the same exact policy across all your data stores. And so you're saying that they're again using AI to develop the policies. That would at least give you the groundwork, because like I said, nuts and bolts work.
And if we had tons of people who were working in cybersecurity, which we don't and if we had those people who are our most, I don't want to say the most intelligent, but had the best communication skills, the best analytical skills, which we don't. So we always have these things we should do that are good for us. But you're saying right now, We could make a good application of AI to be at least able to get the 80, 20 or 90, 10 rule of policy development in place. Correct.
That's actually, and then you can have this, very high demand folks that and that you need to hire to basically focus on what matter. And you can fine tune this policy, but they don't need to start it from scratch. They already have a head start. And then they can come on top and just do these fine tunings. Instead of, doing it all day long and waste their time, as you said. And obviously you would never cover everything manually. Anything else they should do, that CISOs should be doing?
You should always think that you are exposed and your data is being exposed and just be aware and, put the right controls with the right resources. And always adjust to the technology that is out there, meaning that you can't protect data today with technology that has been around 20 plus years because what was true for 20 years ago, it's not true for today.
And that doesn't mean that you don't need the 20 years ago as well, because, as I said, companies and we all as moving forward, but we still hold for some past kind of technology and you need to have both kinds of technology in place. 20 years, 20 weeks in this environment is a lifetime. I'm talking about AI years, the way we talk about dog years, it's like it just, it happens so quickly. That's maybe a new term that you need to invent that's true.
I'll have to, yeah, I'll have to, yeah, everybody can send me five cents every time they use it. There we go. I'll fund the program. My guest today has been Eran Barak, from a company called MIND and has obviously put a lot of thought into this idea of being able to deal with insider threats and the control of our data. Any last words for our audience, Eran? No, again, thank you so much for having me, Jim, here and, keep doing the best you can to protect your data.
It would be leaked, but try to minimize as much as possible. Yeah. I'm an optimist. I believe that the data has already been leaked. I just have to find out where it went to and that's our show. Thank you very much. Thank you to our audience for joining us. If you're having a cup of coffee on a Saturday morning and listening to this or wherever you are, maybe your work, thanks for listening and we'll catch you with the news on Monday morning. And once again, I'm your host, Jim Love.
Talk to you soon.