Listen in as our experts discuss how network and security are connecting people and devices and making “Connect from Anywhere” a reality. Our experts will explore through the lens of several industries and discuss resiliency in IT and network deployments.
Since its launch in 2019, markets worldwide have adopted 5G, with 5G connections predicted to exceed one billion by the end of this year. From healthcare to retail to manufacturing, telecoms are actively deploying 5G across industries.
With Industry 4.0. the size and complexity of these IoT networks create vulnerabilities that require extra layers of security. To mitigate risk and enable the successful implementation security and resiliency on the edge is getting more and more critical
Listen in as our experts discuss how network and security are connecting people and devices and making “Connect from Anywhere” a reality. Our experts will explore through the lens of several industries and discuss resiliency in IT and network deployments.
Hear from our experts Chris Novak, Managing Director Cybersecurity Consulting, Verizon; Jennifer Varner, Managing Director US Cybersecurity Sales at Verizon; and Kris Lovejoy, Global Practice Leader, Security & Resiliency, Kyndryl.
Nel Akoth 00:02
On today's episode, we will be discussing the convergence of two very hot topics, cybersecurity on the edge. We'll explore the cyber implications of 5G and how it's impacting companies and individuals across the globe. Before we live on the edge a bit, I'd like to introduce the esteemed guests joining me today from both Verizon and Kyndryl. With me is Jennifer Varner, Managing Director, US Cybersecurity Sales at Verizon. We have Chris Novak, Managing Director Cybersecurity Consulting at Verizon. And one of the most passionate people I know on this topic, Kris Lovejoy, Global Practice Leader for Security and Resiliency at Kyndryl. So thank you all for joining me today for this great discussion. We have all heard the buzz around 5G. It launched back in 2019 and the markets worldwide have adopted it. It is actually predicted that 5G connections will exceed 1 billion by the end of this year. Both Kyndryl and Verizon recognize that. The size and complexity of these IoT networks create vulnerabilities that require extra layers of security. And now to secure at the edge is more and more challenging. So today with our experts, we'll deep dive into making "connect from anywhere" a reality. We will also highlight a number of industries where this is truly top of mind. And with that, let's jump in. So Jennifer, I'm going to start with you. Many of us recognize Verizon as a consumer mobile network provider, where you are truly a powerhouse. But Verizon is also so much more than that. Can you help listeners understand the role that telecom and Verizon in particular play in deploying 5G? And how does cybersecurity impact deployment?
Jennifer Varner 02:18
Great question, Nel. Thank you very much for having me participate and today's podcast. So Verizon, right. We feel telecom is really leading the way. The telecom organizations have the experience to really drive the infrastructure and manage networks globally. But for the first time in our nation's history, we're really building a greenfield network, right? Traditional connectivity, whether it be copper, DSL, broadband, cable, or some of the traditional architecture, 5G really gives us the ability to build from the ground up. So what we see is this extensive mobility and IoT device density, private networks, things that are happening in the telecom space that haven't in the past. Private networks are still very new and companies are still defining what their use cases are, and how they're going to use the additional low latency, the additional device density, and how they're going to see their future progress. But we're also seeing this expanding threat surface in massive ways with things that traditionally never connected to an IP network. So while 5G is one of the more secure networks we've seen, there's an opportunity here to build ecosystems with security first as a mindset. And, there's still a need for these additional security controls as companies look to adopt 5G.
Nel Akoth 03:49
Building an ecosystem with security first. So Chris Novak, let me draw you in on the thread. With that as the backdrop on Verizon's role in the 5G space, and cyber security's impact on deployment. How should we think about cybersecurity broadly at the age. What are some of those most common vulnerabilities you see with companies deploying edge technology today?
Chris Novak 04:15
I think when we look at cybersecurity at the edge, I think there's really kind of two edges, if you will. One is kind of our edge as an ISP, as a network provider, being a big player in the 5G space. And that edge, typically when we talk about that, we're typically talking about things like mobile edge compute, where we actually have customer compute and workloads that are actually happening at our network edge. The edge in which it essentially touches the rest of the world or the internet. And obviously, cybersecurity is critically important there because if you've got compute workloads, applications, data, etc. The need for security to be wrapped around that, wherever it exists, is obviously of critical importance. And then you also have the customer edge side where typically we would think of things like moving more of your endpoints closer to your perimeter, or maybe even moving them out to cloud or other kind of as a service type of configurations. And all of that, again, similarly pushes more of the apps, more of the data, more of what I would say organizations are traditionally concerned with in terms of exposure, or as you mentioned, possibility for vulnerabilities, pushing that all closer to the outside world. The more we put out there, the more we put closer to the edge, the more opportunity there exists for threat actors to enumerate them, to try to find vulnerabilities, for example, and to exploit them. In fact, if you refer back to something like our data breach investigations report it's shown us throughout the years that a lot of these attacks that we see are largely opportunistic in nature. So when you consider the fact that if you're expanding the possible surface area of what you can attack, that ultimately means we're probably going to see more attacks. So all the more reason we need to be vigilant on that cybersecurity fronts all the way out to the edge wherever it may be.
Nel Akoth 06:05
And that really leads me really well to Kris Lovejoy. You’ve worked with Kyndryl customers nearly every day around these topics. And in fact, you and I have explored this very topic of zero trust in one of the discussions we had on a previous podcast. So what's the role of zero trust when thinking about the complexity of the growth in 5G coupled with the growth in IoT and edge technologies? In fact, is there such a thing as zero trust?
Kris Lovejoy 06:31
I want to step back. And before I get to zero trust, which I think is an important discussion, I want to draft off of a few of the things that Chris and Jennifer were saying. As Chris was describing the definition of "what is an edge?" has changed quite a bit within 5G. Now in a 5G world, the world is enabled such that things like robots and cars can send and receive data via, mobile base stations that form a network. Now, those mobile base stations have to be as close to the device that is creating the data as possible. And this is really critically important, because this allows for high volume, low latency kind of communications. So shortening the distance, again, between the device like the car and the base station, is critically important. What that means is that a lot of the functions, like authentication, etc, that used to be well controlled in the center of the network, are no longer in the center of the network. They're out of the edge. So some of those core network functions now are existing very, very, very close to us as we're driving down the highway. These mobile base stations that have been deployed, they are not necessarily the most secure devices that have ever been created and deployed. So keep in mind, they themselves can be subverted. The other issue is that the 5G devices, the IoT devices that you put on those networks, they themselves may not necessarily be secure. And so they are subject to manipulation. So as you're thinking about the roll out of 5G, if you are a producer of 5G devices and you are putting those 5G devices onto a network, you have to think very long and hard about the security and resiliency of the technology that you're building and deploying. Zero trust doesn't necessarily fix that problem. It enables us to reduce the risk, but secure by design, this is a fundamental concept that has to happen within the development process. And I don't see a lot of our customers doing that as effectively as possible. That's number one. Number two thing that zero trust isn't going to necessarily fix is the AI issue. Now keep in mind, this data has to go somewhere. So all of these devices are creating a lot of data going largely into the cloud and into these large scale analytics tools. Is anybody protecting the data that is being used to actually train the machine learning models? Not necessarily. So the other gap that I see is organizations are producing a lot of data, they talk a lot about how they monetize the data. What they're not really thinking about is the security, not around the algorithm per se, but around the data corpus that's being used to train the algorithms. Fundamentally, the concept is this: What we're going to be doing in a zero trust environment, is we are going to assume that we are going to implement a default deny sort of model, which means that I am going to assume that no user and no technology can interact with me and my technologies on my network unless I accept them or I authorize them to do so. Now you can achieve that goal in a number of ways. You can achieve that through network technologies. You can achieve it through Identity and Access Management Technology, etc, etc, etc. But it's basically the implementation and instantiation of a philosophy using a number of different technologies to get you to that particular outcome.
Jennifer Varner 10:24
Kris, that was very comprehensive, right. And I think one of the conversations that we're having with our customers is around the zero trust policy enforcement that also now has to be closer to the edge as well. So when we get into zero trust architectures, which yes, there's NIST, DOD and lots of things out there, right, that are being published that our customers are trying to align to. But ultimately, they're trying to figure out, "How do I speed up the policy enforcement that zero trust architecture is really going to require?" And I think that's going to be a challenge for our customers as we go forward.
Nel Akoth 10:59
And I want to pick up the element of regulation, because I think, Jennifer, you started on it a little bit. So Chris Lovejoy, I'm going to bring you back on this, in terms of what the potential impact is of regulatory changes, like the four day requirement for reporting breaches. What would that have on our customers detection and response capabilities?
Kris Lovejoy 11:19
You know, it is the wild west out there when it comes to regulation. I don't think we, in the industry, truly understand the impact that all of these data localization, data sovereignty, digital localization, resiliencey requirements, critical infrastructure requirements, just this pile of new requirements coming out, is going to impact our organizations. What I would say is this: Zero trust, and all of these data localization and data sovereignty sort of privacy requirements do not go hand in hand. The harder you make it to actually monitor, the harder it is to actually perform the security task. And this is another one of those policy things, the dichotomy between privacy and security, that we don't really talk about. But this is a big, important, fat, thorny, ugly issue that we've got to talk about, because these things don't coexist very well. There has to be some rationalization, particularly when it comes to the implementation and fight of zero trust infrastructure. In a multinational climate, where monitoring is impossible, it is going to be really hard for us to actually gain any level of control over security.
Nel Akoth 12:35
Now, Jennifer, with the rise in mobile devices and IoT, as we've just talked in the last couple of minutes, how would you recommend companies approach the security and resiliency across all platforms? Be it on-prem, cloud edge, or hybrid? And from what you're seeing, what are the implications of deployment across all industries?
Jennifer Varner 12:57
Great question. I think mobile security is still such a significantly weak spot in security for organizations, right? And the move to bring your own device really did not help that. So over the course of the past, we've seen significant threats surface in the mobile space. And we're hearing about it now in the financial industry, and right as we speak. So I think organizations do need to focus on this in their mobile and IoT security risk. There's an increased threat target around even phishing, smishing, vishing, that specifically targets mobile devices and mobile users. I think we're going to continue to see this proliferation of these devices, create concerns and additional incidents. I think having that zero trust transaction level architecture and strategy is going to be critical to be an enabler of the business, but it's not going to be everything. And so having things such as mobile threat defense, having things such as mobile device management, having technologies, policies, and incident management, and having all of this feedback into SOCs are going to be really critical as we go forward. And we're not seeing all of that today. There's a lot of this that isn't monitored and isn't looked at, and it's continuing to rise in the threat landscape.
Nel Akoth 14:14
I can imagine. And Chris Novak, do you see this issue in all industries? Or are there some particular industries that lend themselves more?
Chris Novak 14:25
Yeah, great question. I think we really ultimately see this in, I would tend to say, all industries. Because I've yet to see an industry that is immune or doesn't have a challenge that they might be struggling with as it relates to cyber. I think there are some that really stand out as having been impacted, maybe more heavily or more visibly. For example, the payment space, for years, was a big area of focus. People were very concerned about the impacts to their credit card, their debit card, their bank account, their brokerage account, their retirements. And then we saw home mortgage fraud and all sorts of other things that ensued, based on the cyber landscape. And so the threat actors typically focus on whatever industry they feel is the soft one or the one that is most likely to pay. So we also see areas of softness and willingness to pay, if you will, in things like health care, manufacturing, transportation, and places like that. So I think it's going to move around and we're going to continue to see it happen in a lot of these different industries.
Nel Akoth 15:27
And with that, I want to jump into a little bit on recovery and resiliency. So I'm gonna start with you, Kris Lovejoy. When you're working with Fortune 500 companies, how do you recommend to them in preparing IT systems? Not if, but when an attack happens? What are the key considerations these leaders need to be thinking about?
Kris Lovejoy 15:51
There's a couple of things that are happening, that are all coming together that are leading people to really focus on this concept of cyber resilience. So for instance, for the board directors there's more sort of engagement on this particular subject. They're getting guidance from the SEC, that they have to sort of do a better job of identifying potentially material or significant events. So there's a set of regulations that are now coming out, particularly out of Europe, which seems to be kind of the the first place that where a lot of this stuff comes out, and there's a new requirement called DORA that just hit the landscape. And what it says is, essentially, organizations need to prepare to recover. Really understanding if a business critical service were to go out, how long could you afford to be out? And what would it take to have all of the right systems and processes in place to bring yourself back?
Nel Akoth 16:47
Now I want to shift gears a little bit again into use cases and bring this to life for a lot of our listeners here. I'm going to touch on a couple of industries, because we briefly talked about it that all industry's are impacted. But I want to hone in and talk a little bit more. And we'll start with an industry we can all relate to, and that is retail. So retail industry has been disrupted by the pandemic with businesses being challenged to digitally transform in order to serve their customers in new ways and different ways. And those new capabilities are here to stay. But this new digital retail experiences often involve technologies like IoT devices in the stores and edge computing. So Chris Novak, what are the typical security challenges you are seeing from our retail customers?
Chris Novak 17:40
You're exactly spot on that the pandemic disrupted a lot. And in fact, for a lot of organizations, one of the first challenges we saw out of the gate was that they had kind of shuttered a lot of their operations because people weren't out and about. And so we encountered situations quite simply that were just when an organization started reopening, and when stores started opening again, and seeing customers, they literally didn't have systems that were up to date. They didn't have systems that could be properly connected. They were maybe months or even a year plus out of patch compliance and things like that. Those are just the basic fundamentals. But then the other areas that we saw, as they started kind of getting caught back up, were in the areas of things like other types of fraud, because as we're working more in this kind of hybrid or remote type of nature, people are used to now interacting with people that they've never met. Working with people entirely remote that now there's a difficulty in terms of authentication, if you will. Is this person who they say they are? Should they have access to the things that they're requesting? So we see a lot more things like spoofing or more broadly, things like social engineering attacks that have happened in that space. One other that I'll mention is that around a lot of retail moved more heavily towards online and ecommerce. They really beefed up that presence, because that's how a lot more people are shopping. And so we also saw an increase in things like denial of service or distributed denial of service attacks against that kind of infrastructure, because maybe the way that the threat actors typically targeted that environment was more physical, in-person on prem. Now they're moving more to targeting the E commerce directive, if you will. Let me go into another industry, healthcare. Again, an area we can all relate to. The healthcare industry has been undergoing transformation to electronic health records for years now. Now with different institutions being at different levels of maturity in that journey. But again, government regulations, and the HIPAA specifically for this industry, make security a key factor.
Nel Akoth 19:45
So Kris Lovejoy, what are you hearing from our customers around their cyber concerns and compliance as they shift to the electronic health records?
Kris Lovejoy 19:56
You know, in a weird way, there's a lot of similarity between the retail industry that we were just describing and life sciences. What I don't think people recognize is the extent to which our legacy infrastructure, the real estate that has not been updated, has grown. Because you think about COVID, over that two, three-year period, organizations were forced to shift their investments into these new digital transformation programs. They never got rid of the old stuff. Then all of a sudden, the world came back again. Now you've got the new stuff, which has to remain because nobody wants to go back to the old world, but you also have to have the old world stuff being operated at the same time. So now you're a CISO, and you're sitting there, and you've got a whole bunch of technology that was rolled out there for existential reasons that you had absolutely no control over. So security by design, haha, that didn't happen. You've got to go back and fix that. At the same time, you've got all this legacy infrastructure that you need to deal with. So I think one of the big things that I hear from a lot of organizations like health care and retail that are so focused on enabling these co-existent environments of sort-of the physical and the logical, what I hear a lot is just the need to simplify. And this is not a radical thought. But one of the things that I'm beginning to see is organizations are beginning to consider the renewal or the modernization of these legacy infrastructures that may not necessarily have been patched or managed as effectively as they could have been over the years and have gotten older and older. Meanwhile, they've got all this new stuff. What I'm hearing is that they're taking the advantage of the economic headwinds that we have to engage in these radical simplification programs. And they're thinking about it on two levels. One is just working with the CIOs to reduce the legacy environment, modernize the infrastructure, and thus reducing the attack surface by virtue of being able to implement new technologies with security by design. By the same token, they're also engaging in radical control simplification programs. Because the other problem has been that we've built up a lot of security tooling, and the security tooling doesn't necessarily integrate well together. So the big trend that I see is this thought that we've got to reduce the attack surface by integrating all of these technologies together. And I think that when you think about, "How is it that I'm going to be able to comply with something like any of these new sort-of regulatory requirements?" One of the easiest ways to do that is to simplify the environment and have less that has to comply with the regs. It seems almost trite to say, but I think the CISOs that I know that are engaging in these conversations, more are pushing forward the modernization agenda as not just the way in which they can sort-of force growth in the organization, but also reduce risk. It's been a winning value proposition for them.
Nel Akoth 23:04
Now, when I think of rapidly changing industries, I also think about manufacturing. In a large part due to the challenges brought about by the global supply chain issues. So companies are challenged to manufacture at a higher rate and pace, and more efficiently than ever before. Jennifer, as you think about all that change in the manufacturing industry, and you couple that with the global energy crisis, how critical is overall security? Have you noticed any specific trends?
Jennifer Varner 23:36
Security is definitely critical in manufacturing Ford auto, right. When I think about manufacturing, Ford auto, and the conversations that we're having with customers are around efficiency. How do they how do they have less waste? How do they gain more agility? How do they get more scalability? But there's this underpinning of automation and, of course, availability that has to be there. And how manufacturers will adapt to market signals and headwinds and supply chain issues very quickly. So one way is to, of course, hire more people, but that's impossible to do, and will not be cost effective. So automation is key when you think about that. It's drones, autonomous vehicles, ATVs, autonomous logistics, robots. Things that could be very dangerous, and life critical in a manufacturing environment, but also very disruptive. So you can't have these devices impact those new automations and impact business without embedding those security controls from the outset. These are conversations that we're having, as well with customers that are saying, "How do I shut down communication immediately with machine if I see that a bad transaction has gone through? How do I shut the machine off right away so that life limb isn't impacted so that the entire chain isn't disrupted?" And how you maintain that availability is really critical to our customers. I think that they're having these conversations regularly on how to do it without impacting the overall agility, right, and make security an enabler of this business of manufacturing is a real challenge.
Nel Akoth 25:21
And, Chris Novak, I'm going to wrap up the segment with you on, just going through that thread again that says it's requiring quite a bit of new technologies both from an OT and IT perspective. What are the typical challenges in this space of selecting the technologies both from an IT and an OT angle?
Chris Novak 25:43
Sure, I think there's a handful of things that have been problematic in that area over the years. One is, we were talking about how a lot of cybersecurity started with the data, manufacturing has really not been thought of as an area where there's a lot of data. So cybersecurity is probably one of the industries that it was kind-of last coming to, if you will. And so we see a lot of legacy old technology that the notion of today's cybersecurity just isn't easily applied to it, or it's just not easily executed. And then we also see a lot of challenges – we see the IT/OT divide, where the IT part of the organization has typically all the say, probably gets a lot of the budget, and is thought of as the place we apply cybersecurity. OT oftentimes is kind-of relegated to the manufacturing or the factory floors. And it's kind-of almost in a lot of cases out of sight, out of mind. And I think it's starting to change now, because a lot of organizations, especially those that are very heavy in manufacturing where that is the lifeblood of their revenue, they're now recognizing if there's a cyber incident that impacts the manufacturing operations or the factory floor, everything comes to a stop. In fact, I had a great conversation with a CISO of a household manufacturing organization everybody would know and he said, "Look, we are already operating at 103%. If you can turn the dial to 10, we clicked it a few more clicks past that. That's how our manufacturing operations are already operating. If we were to have a ransomware event, denial of service event, or something else that hits our manufacturing operations, every minute of downtime would be three weeks of recovery time just to get caught back up. So that's a minute, it's going to take us more than a minute to even realize something's gone wrong. It's gonna probably take us hours to figure out how we get back moving again. We need to really narrow that IT/OT divide, and figure out how we get the OT side of the spectrum kind of up to date.
Nel Akoth 27:44
Wow, what a great example. I always feel like this industry-based discussions or use cases that you've just shared with us, Chris Novak, bring some of these concerns and considerations to life. Wow, time has flown, Chris Novak, Jennifer, and Kris Lovejoy. Let me say a big thank you for sharing your expertise and experience with our listeners. If they're anything like me, they are walking away with a renewed sense of awe and appreciation for the rate and pace at which technology and the associated cyber considerations are evolving. We've had such great conversations and great examples that are very relatable and definitely top of mind for a lot of businesses now with so much advancement in IoT and edge computing companies in all industries. So it's critically important to have these discussions around how to maintain security and resiliency through all that. I'd like to say again, thank you for joining me on this segment and a huge thank you to our listeners. Until next time, I'm Nel Akoth and this is the Progress Report.