The Zero Trust Strategy

As software and data management systems have evolved, so too have the methods (and volume) of cybersecurity threats targeting them.

Along with the expanded surface area for risk that have come with the widespread shift to cloud technology, increasingly sophisticated tools have ushered in a new wave of ransomware attacks on everything from hospitals and social media platforms to financial institutions and oil pipelines.

Moreover, the sheer volume of data now compiled and stored by organizations can be compromised from non-criminal events such as natural disasters and operational errors. How can organizations and individuals keep their data secure when risk is at an all-time high?

“Now, the time has come for folks to assume everything is compromised, because most of the large enterprises in the country have already been hacked. And there is a footprint of that intent sitting in every enterprise,” says Rubrik CEO and co-founder Bipul Sinha, whose zero-trust security company focuses on helping businesses protect themselves – and recover – from ransomware, cyber attacks, and other events that compromise data.

Rubrik, which has been partnered with Greylock since 2015, now works with nearly 4,000 customers across more than 50 countries. While organizations have traditionally focused on infrastructure security and avoiding attacks, Sinha says more organizations are understanding the equally important need to have tools for high-quality data recovery and backup.

Sinha joined the Greymatter podcast with Greylock general partner Asheem Chandna and New York Times cybersecurity reporter Nicole Perlroth, who is the author of  This is How They Tell Me the World Ends: The Cyberweapons Arms Race.  They discussed the current world of cybersecurity including ransomware, the talent shortage, how cryptocurrency is creating new points of vulnerability, and the need for everyone to adopt a “zero-trust” strategy to protect their data.

You can listen to the podcast here.

Episode Transcript

Asheem Chandna:
Hi, everyone. Welcome to this edition of Greymatter, I’m Asheem Chandna, a partner at Greylock.

We’re very privileged and fortunate to be joined today by two friends and colleagues: Nicole Perlroth, an award-winning reporter of the New York Times and author of an amazing book on cybersecurity that has been nominated for the best business book of the year by both the Financial Times and McKinsey.

And Bipul Sinha, CEO of Rubrik, a rapidly growing late-stage, privately-held, zero trust data security company, with close to 4,000 customers.

So today we’re going to talk about the state of the security market, evolution of cyber attacks, and cyber arms, and the underground ransomware trends and where things may be headed.

So, let’s start with introductions. Nicole and Bipul?

Nicole Perlroth:
Sure. Well, thanks for having me on Greymatter, one of my favorite podcasts in the valley.

I got started in cyber sort of fortuitously. I had been covering venture capital at Forbes, and I was the one who perhaps made a huge mistake in resurrecting the Forbes Midas list, which ranks venture capitalists by some of their deals. And so I was writing some cover stories about some people who had invested early in Facebook (like Peter Thiel), and the New York Times caught notice of this and they basically called me and said, “We’re looking at you for this job, but we’re not sure you’re going to want it.” And I said, “How bad could it be? You’re the New York Times, I’ll take whatever it is.” And they said, “It’s cyber security.”

And I remember just thinking, “Oh my God, I’ve gone out of my way to learn as little about cybersecurity as possible. But I will go, I will do these interviews. I will tell my grandchildren that the holy New York Times invited me into the building one day.”

But I brought a list of cybersecurity reporters that I thought that they should hire instead of me.

I went through 13 interviews that first day of half hour interviews. And over and over again, I said, “Here are some names of really qualified cybersecurity reporters that you should hire.” And a couple editors finally said, “Listen, we know you’ve brought this list. The truth is that we’ve actually interviewed everyone on your list and we had no idea what they were talking about. So you’re hired.”

I think they thought I could cover cyber security on some corner of a blog on the New York Times website. Which is what I did for maybe a couple of weeks.

But then the New York Times was hacked by China. And I had this incredible opportunity to essentially embed with our security team and Mandiant at the time, which was a little known security startup. And we watched as the guy we called the Beijing summer intern rolled into the Times network every day around 9:00 AM Beijing time and rolled out around 5:30. And that was really my first experience with, Wow! This is what American companies are dealing with now. They are expected to defend themselves from advanced nation state-backed threats. What are we doing about this? Who is coming to save us? Where’s the cavalry here?

That basically began a totally different bid, and I still call myself a cybersecurity reporter, but the truth is I’m really a digital espionage and digital sabotage reporter.

The number of countries that have come into this game is just endless.

I’d say that every country in the world, with the exception of Antarctica, is now stockpiling hacking tools and zero-day exploits for a rainy day. If they don’t have the talent themselves, there’s now a whole market that’s crept up to meet their demand.

So, every week my job changes. Just when you think you really know this space, something happens over there and you realize you didn’t know it at all. And it’s exciting. It’s never boring. New things are happening all the time. But unfortunately, too many businesses and even government agencies are still woefully vulnerable when it comes to cyber defense, and that continues to be the same story, over and over again.

AC:
Yeah. Thanks, Nicole. That’s fascinating. And I feel I should also mention in the introduction that, it’s been amazing to kind of watch you over the years at the New York Times and you’ve literally broken every major story that’s happened in cyber on the globe so, yeah, I’d say a huge thank you just on behalf of everybody for that as well.

Bipul, introduce yourself and also tell us about the Rubrik journey, and what’s taking you towards today’s focus at the company towards zero trust data security?

Bipul Sinha:
Thank you Asheem. Great to be back on Greymatter. And, Nicole, great to see you and amazing to hear from you.

My name is Bipul Sinha, co-founder CEO of Rubrik. My quick background is I’m an engineer-turned venture capitalist-turned entrepreneur. Rubrik is a zero-trust data security company, and we are focusing on helping businesses around the world to protect themselves and recover from ransomware and other cyber attacks on data, as well as other natural disasters and operational errors that prevent applications from working properly.

So, in terms of the Rubrik journey, we started our company about seven and a half years ago with this thesis that data and security have to intersect, because if you think about it, with the advent of the cloud with what is happening in the world around us, infrastructure has become a commodity. And if you think about what businesses truly own in terms of their IT asset, it is really their data. And data is the core IP for every business, and they are buying a number of tools and technologies from prevention to detection, to everything else to protect that data.

But, [with] all the tools and technology, an average enterprise has 40, 50 tools, and technology to prevent a cybersecurity attack or to detect it is failing. So our vision was, Can we take this inside out?

Think about data as your core asset that is cyber-resilient, and assume everything else is compromised. And in a zero-trust manner, can you resilver your infrastructure with the data when the attack happens, so that you are never down and you always recover? That has been the vision of the company.

In the last seven and a half years we’ve gone from zero employees to over 2,000 employees, close to 4,000 customers across 55-odd countries and we are helping businesses and governments around the world repair and recover from ransomware.

AC:
Thanks, Bipul, that’s an amazing mission and sometimes folks ask like, “Hey, what’s the top challenge as companies go to the cloud?” And I often think perhaps the top challenge is data security, for large companies as they go to the cloud.

Nicole, a couple more questions in your way. Because of the work you do, I’m kind of curious, how do you protect yourself on the internet? Or are there things you do which you would encourage others to do as well?

NP:
Yeah. I mean, I think at some point on this journey, I reached this fork in the road where you decide, Am I going to live off the grid with a tinfoil hat on my head the rest of my life? Or am I going to just do the best that I can?

And I think what I decided a long time ago was – and I think this is a question everyone and every company and every government agency should be asking themselves – which is, What are your crown jewels? What’s the one thing that if that gets hacked, it’s game over?

For journalists like me, that one thing is your sources. And so I do go to tinfoil hat extremes to protect my sources. There are some people I will only meet at this one place on this one date twice a year. We don’t drive, we don’t Uber, we don’t bring devices. And we never communicate digitally. And that is the extremes I’m willing to go for that one person.

During the pandemic that was really difficult and so, it became using Signal for my really sensitive communications. Making sure that I have two-factor authentication enabled on as much as I can. Making sure that it would be really hard for someone to trace me back to a sensitive source, that kind of thing.

And then, for the rest of my life, I just do the best I can and usually that means never clicking on a link or attachment without carefully inspecting the sender, or making sure two-factor authentication is enabled and updating my software and doing all the boring things that everyone has told us forever that we needed to do. Backing up our data and making sure that that data is protected so that when we are hit with a ransomware attack it’s not game over.

But that’s my advice to everyone. If you do those basic things. If you’re backing up your data, you’re using multi-factor authentication, if you’re being vigilant about who you’re sharing information with, which links and attachments you’re clicking on, you’re going to be better off than 90% of the people out there and so that’s what I say, perfect OpSec has always been a pipe dream. But that doesn’t mean that we shouldn’t do the best we can.

And unfortunately, I think, one of the sad realities is that, all this news they’ve been covering the last 10 years gives people this impression sometimes, that there’s nothing they can do to keep out a nation state threat or a ransomware attack. and – as Bipul can speak to – that couldn’t be further from the truth.

So, that’s my advice, is think about what your crown jewels are and think about the best ways to protect them and then do the best you can for everything else.

AC:
In your book you talk about groups such as Shadow Brokers. And you talk about how these groups are exposing just how vulnerable nation states are to attack. These groups are also dumping hacking tools online now.

So, how does this change the game? And also do you think groups such as Shadow Broker can ever be caught?

NP:
So, this is the reality we’re living, and we’re so far away from the Cold War world of two superpowers with nuclear weapons. That is just the old world. The new world is, we have to figure out how to deal in a world where transnational actors can be just as powerful in some cases as nation state actors. And where even the best of the best nation state agencies like the NSA can itself be hacked from the inside out by an insider threat that could dump its most precious hacking tools online, for North Korea to use, for Russia to use, for cybercriminals to use in ransomware attacks. That’s the world we are living in now.

Unfortunately, I don’t think too many people even know or have ever even heard of the Shadow Brokers. But the Shadow Brokers were a group, or one person that dumped the NSA’s best kept hacking tools and secrets online over a period of several months, between 2016 and 2017.

And just given the timing of that dump, the initial suspect was Russia. Because this was all happening during some of the Russian interference in the 2016 election. And whoever the Shadow Brokers were, they were posting these memos online written in sort of a Borat-esque mock Russian tone. They wanted you to think that perhaps they were Russian. But all my reporting suggested that no, this had to be an insider. They had too much cultural knowledge. They were posting too many code words that only people inside the NSA’s TAO group would know.

And the other thing is the tools that they were posting were so heavily guarded. They were kept on these things that are called ops disks, although I doubt they were floppy disks. I think they were USB drives. They weren’t something that you could just grab off the internet or off some server somewhere. Certainly some of those tools could be pulled from a server that was used in these attacks but not all of them, to the degree to which they were stolen.

So, ultimately the leading suspect is definitely an insider and I wouldn’t be surprised if it turns out to be someone who was a disgruntled employee of the NSA or even TAO. Because when you interview a lot of these people from TAO, they all talk about the mission. And then they all talk about the bureaucracy, and just how hard it is to stay in that job over a long period of time, particularly now when they have so many lucrative and exciting job opportunities at Palantir, at Google, at Microsoft, where they are really on the front lines of a lot of these threats. Not in the same way that you can be at the NSA, but I think unfortunately, this is a big problem.

We really need to think about how to deal with a huge cyber security talent shortage. There’s half a million vacancies of cybersecurity jobs around the world. How to get those people into government and not just at the NSA but at DHS where they’re working on defense, that’s a huge problem.

And so I think it’s going to force us to be creative with incentive structures, with perhaps your partnering with the private sector on things like tours-of-duty, where they loan out some of their best and brightest to go work on these problems, might be one idea.

So yeah, I think in the end Shadow Brokers is probably most likely an insider and it’s pretty astounding that it’s been five years and we have yet to see charges brought. And that just gives you an idea again, of just how vulnerable even the world’s premier intelligence agency is in this case.

AC:
Well, that’s very interesting. And it’s also interesting because when I talk to chief information security officers of large companies and you ask them what’s the one thing that worries them the most? A very common answer, if you’ve asked people just that one thing, people will say they can protect against a lot of things, but protecting against insiders is just very, very hard, especially in very large organizations.

NP:
Yeah, we saw that at Twitter, with the Saudis. They couldn’t find out who the people were, who were criticizing them on Twitter. So what did they do? They planted spies as employees inside Twitter. And these were qualified engineers. How do you not only as a company, how are you expected to deflect against nation state attacks? How are you expected to now vet potential recruits for whether or not they’re a nation state spy? These are crazy times we were living in.

AC:
Yeah. Just in your work, you’ve spent a lot of time studying and talking to folks in the cyber underground. What may not be widely understood or known just about the cyber underworld?

NP:
Well, I think the big thing is… And this is what led to my book. I think people didn’t understand how many trade-offs that our own government was making on cyber security and the name of what we traditionally considered to be national security. And I don’t think they realized that US government agencies were actively paying hackers in many cases to turn over zero day exploits. The code to exploit vulnerabilities in Microsoft Windows and iOS. Not so that government agencies could fix these holes, but so that they could exploit them for espionage or counter-intelligence or the next Stuxnet.

And that’s why I wrote the book: let’s drag this thing out in the open. Because unfortunately these days cyber security and national security are one and the same. And we need to understand that the incentives here are not always aligned in favor of further cyber security.

So that’s a big one. And just exploring that market was fascinating. And exploring the characters involved was fascinating and finding out that yes, it is just like you would imagine in the movies. People are going to these hacking conferences and doing deals in hotel rooms where their nation state agencies or their representatives are buying this code from hackers from all over the world, to add to their stockpiles. I think that’s just not something that people understand.

I also think they don’t understand that China, which for a long time was doing a lot of its IP theft using phishing attacks, has now told the nation’s engineers, by the way if you ever find a zero day exploit, you are not allowed to publish it online, you have to give the state right of first refusal.

Now I’ve been going to hacking conferences for years where teams from Tencent were the ones dominating these hacking competitions and basically presenting the best and brightest of vulnerability research. They don’t go to those conferences anymore, they’re banned from attending them. I mean, now we’re in COVID so it’s a different world, but they are now forced to give the state right of first refusal.

We don’t mandate that here, so that’s another kind of disadvantage we’re at as a free market economy and a democratic country. And there are a lot of disadvantages that we’re at as a democracy in this space so, I think people don’t understand that that component is at play here and that we might’ve had first-mover advantage in terms of our offensive capabilities, but that is slipping. And unfortunately we’re still woefully behind on defense.

AC:
Yeah. Wow! That’s pretty mind blowing. I mean, one can only imagine if the US government had a policy like that – just the uproar that would be there across the population.

So maybe let’s spend a few minutes and talk about ransomware. So, Bipul, perhaps you can start and just talk a little bit about what you’re seeing around ransomware with large enterprise customers? What can Rubrik do for customers in this area?

BS:
So, if you look at what has happened in the whole cyber security market, traditionally, there has been a lot of focus on infrastructure security. What I call it outside insecurity, that [question of] how do we prevent attacks from happening? How do we detect attacks? And it was all centered around compute and network.

But what has happened is, with the advent of crypto with massive digitization that has happened in the last five, 10 years, the surface area has dramatically expanded, but the capabilities of these outside insecurity tools have not. And people are buying tool after tool to plug the next hole and the next hole and the next hole of a leaky bucket. As the whole cryptocurrency/Bitcoin has now started, crypto has become a way to hold things at ransom and get payment without the prying eyes in their view of the government.

Data security has been the core goal of every cyber security tool to protect; the crown jewel. But now it’s going unprotected because attacks have become more psychological. It’s a cat and mouse game. So the businesses are now rethinking their security strategy. And many CSOs and CIOs tell me that instead of preventing every leak, we need to think about “How do we protect the crown jewel, at the crown jewel?”

If you think about the world we are living in, it’s kind of like everybody’s living on the freeway, the door opens to freeways. Anybody driving on the freeway can come into their house. So you need to have doors and locks and everything else, but where your safe is, you need to have protection or a shield around the safe, assuming that somebody will figure out how to get into the house. So that’s what the zero-trust principles of inside-out security [are].

And in the ransomware, folks are now thinking about (in addition to prevention and detection, which you have to do because you don’t want to keep the door open, but you need to have tools and technology and people around analysis), that you will get attacked is not the question of if, it’s the question of when.

So when you get attacked, do you have tools and people and processes to analyze what has happened? And then recover and containment: Do you have tools and technology to be able to contain and recover?

So that’s the analysis and recovery is where Rubrik plays. It’s our vision and that’s what we have been educating in the marketplace – you need to have tools to tell you what’s the vast radius of ransomware. [You need] tools to tell you if the sensitive data PII and other sensitive content which could be your IP, could be whatever is important, was it involved in such an attack? And then do you have the sufficient data to be able to go back into an operating mode by resilvering the infrastructure?

I mean, take for example, this was a crazy case of attack at Colonial Pipeline. A major infra company like an infrastructure oil company gets attacked. Even after paying $5 million or thereabouts to the bad guys, they get a decryptor key that is so slow that they have to go back to the backup and recover the whole data from backup. And in fact, the CEO went to the congressional hearing and said, “We could recover quickly because of high quality backup.”

So it shows that the cyber security zero trust umbrella has to go from prevention, detection to analysis and recovery. And for far too long we have been focused on the first two pieces.

Now the time has come for folks to assume everything is compromised, because most of the large enterprises in the country have already been hacked. And there is a footprint of that intent sitting in every enterprise. The question is from there, when do they get attacked? In the sense that we are compromised. And folks have to really rethink this whole way of planning as we are compromised, unless there is a trusted identity there is no trust.

AC:
Nicole, what do you think ransomware means for crypto?

NP:
Yeah, I mean, when I first covered the first ransomware attacks, they were in Europe. This was eight, nine years ago. They were in Europe. There were individual PC users being told they needed to go to a pharmacy and get an e-gift card for 200 euros and give them [the cybercriminals) the pin.

Then came Bitcoin and Monero and everything after that. And now it’s $50 million in Monero. And if you need to pay with Bitcoin there’s a 25% markup for that. So, everything Bipul said is correct. Cryptocurrency has enabled these very brazen ransomware attacks. And for a while I thought, okay, “Ransomware is going to be the Achilles heel for cryptocurrency. This is really going to force governments to bring the hammer down.”

And I think partly that’s true I mean, I think for different reasons, but we just saw what China did with Bitcoin.

But what was interesting (and this really gave me a much more nuanced take) is what happened after Colonial Pipeline. After the DOJ and the FBI announced that they were able to claw back some of Colonial Pipeline’s ransom, I called up some former treasury officials whose job it was at the treasury to do counter intelligence and financial intelligence. And what they said to me blew my mind. They said, “Yeah, sure. Cryptocurrency has enabled ransomware attacks. That there’s no denying that. But we’re now able to track those payments in real time, in a way that would have taken us years of tracking down the front company in the Seychelles, to recoup that ransom. And now we’re able to just do it along the blockchain and surprise cybercriminals.” The blockchain is not as anonymous as you might think it is.

And sure, at the end of the day it still requires good old-fashioned police work to get those private keys to that private wallet. But governments have proven they’re capable of that.

I think the question is, Is what they did with Colonial Pipeline sustainable or scalable? And I don’t think we know the answer yet.

But one thing that’s interesting is that there is a huge new crop of blockchain intelligence companies emailing me all the time, who say that they’ve figured this out and that their biggest customers are government agencies, law enforcement agencies who are very interested in the tools to track these ransom payments in real time. So we’ll see where that goes. But I think there’s a lot of promise there and there will be no doubt a lot of demand.

AC:
Yeah. Wow! Well, that’s very interesting. So, maybe a question for both of you, just a high level question which is, we’re chatting five years from now, do you think the overall state of cyber is going to be the same? Do you think it’s going to be improved and better or do you think it’s going to be much worse?

NP:
I don’t know if this is a controversial take or maybe a provocative statement, but in my mind, ransomware is penetration testing the United States right now. They are exposing just how vulnerable we have been. And they are giving us visuals to this vast ocean of cyber threats that the three of us have been tracking for more than a decade.

And we’ve talked about this before, suddenly Americans are asking How are we this vulnerable and how do we protect ourselves? And they’re demanding that the government do something. And we’re talking about things like zero trust and an SBOMB – Software Bill of Materials – and demands are being made of software vendors in ways I’ve never seen before, particularly after the SolarWinds attack.

So, I think we are having a moment that’s more than just a passing news cycle. I think that we have an administration right now who has put top people in the job and sure, they face serious structural challenges in addressing these issues. But I think that we’re not just going to be continuing with the status quo of America as a country that is becoming one of the largest and ripest attack surfaces in the world.

I think, finally, people are understanding that there needs to be more accountability here, of corporations that we entrust our PII data to, vendors that we give great access to our networks and on and on down the chain so, I think we’re still in for a little bit of short-term pain, but I hope five years from now, we’re going to have seen ourselves turn a corner.

AC:
Sounds like the sequel to your book is going to be from the NBOMB to the SBOMB.

NP:
Oh yeah, no. No. The sequel to my book is a cookbook. Or a book about gardening.

AC:
Completely understandable.

Bipul, any thoughts on where we’re looking five years out?

BS:
I think the perspective that the technological progress and continued digitization of our professional and private lives will continue to increase the surface area. And as with the increased surface area, as we are plugging in holes, the government will get a lot smarter and corporations will get a lot smarter, people will get a lot smarter, but the problem will not shrink.

In my mind, the problem is and will continue to be a significant problem, but it will shift from a soft underbelly to more of a difficult attack, but we’ll continue to see more and more attacks. And eventually it’ll all boil down to the cost of doing business. Just like when you swipe a credit card transaction there is a certain small percentage of fraud in credit card transactions.

And the company has to go and make sure that they cover that cost and underwrite that risk.

Similarly, in all our digitization activities, there are some costs. Call it a rent that people have to pay for cyber security, and it’ll continue to be a significant problem. And what is more interesting is, as the cyber new frontiers in saving or continuing to kind of bolster our national state, it’ll lead to a completely new set of attack vectors that would emerge, because we are also thinking about the number of satellites and implication of the satellites. So, Can satellites be hacked? Can the cars that we are driving be hacked? Can these things turn into a weapon of mass destruction?

So there’s a number of vectors that are emerging. So I feel the future will continue to be a cat and mouse game, with good and bad fighting each other.

AC:
Thanks so much to both Nicole and Bipul for your valuable insights and perspectives. Super interesting and really important conversation and look forward to continuing this again in the future. Hopefully sometime soon. Thank you.

BS:
Thanks, Asheem.

NP:
Thank you so much. It’s been fun.