This transcript was generated automatically by AI. If you find any mistakes, please email us.
[00:00:00] Announcer: Hello, everyone. You're listening to Cloud Next, your go-to source for cloud innovation and leaders insight brought to you by Global Dots.
[00:00:00] Ganesh: It's 2 a.m. Your phone breaks the silence, signaling an alert, a [00:00:20] potential breach. The race against time begins. It's a moment every tech professional dreads, and we all know it only too well.
[00:00:27] In today's episode, we're diving into the world where strategy, technology, and the human element collide. A world where a single oversight can lead to sleepless nights and interrupted vacations. Where the line between security and operational [00:00:40] flow is razor thin. I'm Ganesh, and joining us today is Yanis Lasmanis, CISO at an online gaming company renowned for its technological innovation.
[00:00:50] Yanis has extensive experience in cybersecurity, particularly in addressing the unique challenge of the online gaming sector. Together, we'll explore the unique strategies that set apart effective [00:01:00] cybersecurity practices, and the common pitfalls that even the savviest companies can fall into. We'll delve into the nuances of SIEM and SOC, unraveling the behind the scenes stories.
[00:01:10] Peace. Yannis, before we dive into the questions, uh, tell us a little bit more about your role, uh, what it entails and what your responsibilities are.
[00:01:17] Janis: Hey, hello everyone. So [00:01:20] yes, my name is Yannis. So I am chief information security officer in Evolution Group. Uh, I've been with the company for more than 10 years already.
[00:01:30] So, uh, in general, my responsibilities are taking care of information security, cyber security, physical security. So all the aspects [00:01:40] of the, the, the security.
[00:01:41] Ganesh: There's, uh, it sounds like a lot on your plate and, uh, uh, knowing quite a few CISOs like I do, that generally leads to quite a lot of sleepless nights.
[00:01:51] That's true. Let's start in a, in a, an upside down way. Uh, I'd like to start with what not to do. So what do you think are [00:02:00] some of the most common mistakes that other companies make when approaching security?
[00:02:04] Janis: This is a really good question. So in my experience, I would say companies purely focus on the solutions they, they found in a market and buy.
[00:02:14] Or fixing some issues they have. So, and probably that's the biggest [00:02:20] problem they have, because if you choose some of the solutions, uh, some services, so you need to work with those ones. You need to fine tune and you need to monitor those. It's just like an additional instrument for you to make sure that actually it works.
[00:02:35] So you need to look at it. Uh, configure it, monitor it [00:02:40] on, if not daily, then weekly for sure.
[00:02:42] Ganesh: Why, why is this a mistake for them in the industries? You think this just adds, create too much noise because there's too much tooling to look at? What's the, what's the pitfall of that?
[00:02:51] Janis: Once you buy some solution, so it will not fix your problems because your problems are unique.
[00:02:58] Uh, you need to fine tune that [00:03:00] the solution works for you exactly, for your risks, for your threats, to protect your assets. And that system, which you buy, does not know about that, I would think. So, and this is why you need to tell the, the system what actually it needs to protect.
[00:03:18] Ganesh: Makes sense. And I, [00:03:20] I would agree with you that, especially in the world of IT software sales, there is a hope or a dream that a particular tool is just going to solve all your problems.
[00:03:31] Like by taking a zero trust solution, suddenly everything will be fine, or by having the best, uh, internet firewall, gateway, web application [00:03:40] firewall, or bot protection, then suddenly your problem is solved. Whereas actually a lot of the times it's, it's not about a tool, it's about culture a lot of the time.
[00:03:50] What makes Evolution's approach or your approach to security different or unique?
[00:03:55] Janis: It's an approach of a dynamic mix of various things in the [00:04:00] company. One of those could be being adaptable to new things, to new directions the company is going. Uh, of course, staying informed. So, if you know things, you can react to those ones and you can start to plan your activities, [00:04:20] and constant customization of your defense.
[00:04:24] Ganesh: So when you say constantly customizing your defense and staying, staying current or staying on, on top. What are some techniques that you have for that? How do you personally stay current?
[00:04:36] Janis: Security field, it's constantly growing and all [00:04:40] the tactics, all the approaches, how the bad guys are trying to penetrate the companies, get into the companies, steal the data, constantly changing from day to day.
[00:04:51] So the tool you configured a year ago, probably is already out of date today. Uh, this is why you need to [00:05:00] customize that one according to your needs, according to your data, about your tools you are using, about direction where the company's going, uh, the tools developers or the accountancy or the HR is using.
[00:05:13] So you constantly need to change that one. And of course, Evolution is a company [00:05:20] who works together to achieve the goals. So, um, the change is happening and change is happening constantly. And in the security field, you constantly need to be on top of those changes.
[00:05:32] Ganesh: And for people who don't know about Evolution, um, it's an online gaming company.
[00:05:39] So you can [00:05:40] think of it as, um, an online casino with real players there in the background. And given the sensitivity and financial nature of your site, what are the most challenging threats that you face and how do you respond to them?
[00:05:57] Janis: I would, I would give a comment about [00:06:00] Evolution as a company.
[00:06:01] It's not the online casino. So we are the service provider for the casinos. So actually we are the IT company providing the services. About the attacks, I would like not to emphasize only one type of attack because this business [00:06:20] area is really, really interesting for the bad guys. So, uh, there are constantly and daily, uh, attacks of various, uh, attack kinds.
[00:06:34] Like data breaches, ransomware, distributed denial of service attacks, uh, [00:06:40] fraud and cheating. Of course, we have insider threats as well. So we have everything. And the main goal is not to lose our uptime. Mm hmm.
[00:06:51] Ganesh: And when you're, when you're looking at your, you know, you listed a very wide range of different attacks there, from DDoS to fraud to, to [00:07:00] all these kinds of things.
[00:07:01] Um, I'm imagining that you see some very advanced ones given the fact that there's a real financial reward if people can beat your system. How do you balance the strategic mindset and the practical tools in cyber security at Evolution? We're [00:07:20] looking at what tools you take on board. How do you do that and maintain robust security without disrupting business operations?
[00:07:27] So how do you, how do you have a, a highly secure environment without causing any slowdown in there?
[00:07:33] Janis: I would say this is the most challenging part in the security field because no one cares about [00:07:40] security until something bad happens. So only then security is brought in, and this is a really big challenge to complete, uh, to achieve.
[00:07:49] I would say one of the main aspects of that one is clear communication, uh, clear communication across all the stakeholders. It's [00:08:00] definitely user friendly policies so that everyone understands why it's needed and what will be the result of that. I will repeat myself again, it's adaptability and flexibility, because we are constantly growing and the market is changing.
[00:08:17] The attack vectors are changing constantly. So [00:08:20] you need to be on the top. In other words, you need to run in the same pace as the bad guys do.
[00:08:25] Ganesh: Makes sense. I, from my own experience being involved in, um, solutions architecture at previous companies, I know that, uh, security was always, you know, the last thing, like you said, [00:08:40] that people think about. It's, it's always the last thing, and something that I've come up against in my past is, because of the slowdown that is added by building applications to be secure by design.
[00:08:54] And so thinking about security from the very first step led to a culture [00:09:00] of secrecy, I would say, or people trying to build things, um, in a secret way so that they, they didn't have to pass the security standards. Is that something you've come across and how do you deal with that challenge or the, the idea that you're...
[00:09:18] Janis: Yes, of course, [00:09:20] being there, seeing that, uh, I guess, uh, I would say everyone, uh, has been in such kind of position, where someone tries to hide something and not to tell something.
[00:09:33] And this is why this clear communication is needed. So when, why this is the biggest challenge you need to [00:09:40] describe, actually, I would say in the company, I'm always saying that seeing is believing. So, and it's a job for the security team, the red team part. You break the systems, you show everyone, so and then everyone understands.
[00:09:55] Yes, they were right.
[00:09:58] Ganesh: That's [00:10:00] possibly a, a nice tip for any other CISOs listening out there: breaking the system is often the best way to show the, the reasons why you need security. Um, I had a, a, a great colleague of mine who was the head of security and he kept on telling people [00:10:20] that the, the way they stored their passwords across multiple platforms wasn't safe and that they could be hacked.
[00:10:27] Their, their, their company, um, work, maybe mail could be hacked using a... because they'd used their password somewhere else. And, uh, he very famously set up a screensaver in the [00:10:40] boardroom with all of their passwords that he'd been able to get off the dark web. So the screensaver was all these passwords, and he, he invited all of the board members in and told them again about the importance of security and then pointed them to the, to the screensaver and said, are there any words up there that any of you recognize?
[00:10:59] And obviously all [00:11:00] the guys, their faces looked really shocked because their passwords were floating around on the screen. But that always stayed with me as like a very powerful way to, to win the hearts and minds. And I think...
[00:11:13] Janis: That's, that's correct. So you can tell no matter how many times you would like, no one will trust [00:11:20] you.
[00:11:21] One time you just show them and you get the respect.
[00:11:25] Ganesh: And I think that's it, you know, the, the, you can, you can have that clear communication why we're doing it, et cetera, et cetera. You, I, I feel like a security team and a CISO team needs to have this wow factor or [00:11:40] this, um, an unforgettable display of hacking or something like that.
[00:11:44] It needs to be seen so that, uh, it remains part of the culture.
[00:11:49] Janis: Let's say that the security team just needs to gain the respect in the team, in the company. And so, and there are many ways how to get that respect and, and, [00:12:00] and showing by example, so that's one of the ways. So
[00:12:04] Ganesh: talking about trying to win people over or trying to get respect from the team, what's the one thing that
[00:12:11] you wish you knew before becoming a CISO?
[00:12:14] Janis: I will, I will come back to the, the communication. So the communication is the key to success. [00:12:20] So my background is really purely technical. So I'm a technical guy in the background. And when you sit with the Unix, uh, servers, there is no need to talk a lot with them.
[00:12:33] Uh,
[00:12:33] Ganesh: I w, I would say it's, I would, it's probably the biggest problem with, uh, IT [00:12:40] security is, is the relationship between security departments and developers generally.
[00:12:46] Janis: I read somewhere that, uh, and it's still in my head, that security needs to enable business, not to stop it. Yeah.
[00:12:54] Ganesh: I think that's the, that's the most common misconception, is that IT security is [00:13:00] there to somehow
[00:13:01] stop business or to somehow get in the way. Um, uh, so, and I think that's where the, the culture of mistrust comes from, or the culture of hiding comes from that. So sticking with your experience, what would you say is the biggest challenge or possibly the biggest mistake that you made as a security [00:13:20] professional?
[00:13:20] Janis: Biggest challenge and mistake. I would say the same thing as I mentioned in the third, on some of the first questions: relying solely on technologies only. So I have a really great story about, and I have some slides available as well, [00:13:40] um, how we implemented the SIEM solution in the company. And, and there are a lot of lessons learned from that one.
[00:13:47] So yes, you really, I would say, put all cards, uh, on, on, on one solution and hope that it will fix your issues. But after the year, you understand that [00:14:00] it's not the truth.
[00:14:02] Ganesh: I, I know I have a personal, um, a personal love for SIEM solutions and SOC solutions and SOC as a service solutions. And I know that it's something close to your heart because I've seen one of your articles on that.
[00:14:19] But, [00:14:20] um, essentially, a SIEM is not a SOC. And, uh, to, to anybody listening, well, can you give, can you give us a simplified guide to this, or what's, what's your, what's your story for that?
[00:14:33] Janis: So when companies are trying to gain this visibility, uh, they start [00:14:40] to collect all the log files, um, all the security events, all the information they can find outside, uh, not only outside, only as well from their own systems. Uh, they start to implement a number of solutions like SIEM, where you feed in information from [00:15:00] all the available log sources.
[00:15:02] And then your expectation is that some magic will happen and the system will tell you where the problem is. But actually the system tells only where the problem is based on the rules that someone configured in the system. [00:15:20] And if you have not prepared for that one and have not analyzed your assets, attack vectors, and classified what's critical for you, probably it will not work.
[00:15:31] It will give you a lot of noise and that's it. And probably you will still miss the essence out of [00:15:40] that one and will not solve your problems.
[00:15:42] Ganesh: And I would say also, probably noise is one of the biggest problems that CISOs and security professionals face already. So if you're going to start pushing all your messages into a SIEM, and you're now collecting every [00:16:00] possible message, the chance that you're just going to increase the, the level of noise for yourself is quite high if you don't have a system for that.
[00:16:08] Um, and again, there's, there's ways to approach that: machine learning tools to reduce the amount of noise that comes out of the SIEM, or using SOC as a service. But if you are [00:16:20] deciding what you're going to collect, it seems pretty key to me. If you decide you want to collect everything, you know, do you actually need to collect everything?
[00:16:29] Because, um, you, you could create an awful, awful amount of noise in that SIEM.
[00:16:33] Janis: I would definitely recommend everyone at the beginning to define what's [00:16:40] needed and then stick to that one and configure only what's needed. Otherwise, it will give a lot of noise and not needed information at all.
[00:16:51] Ganesh: Yeah, totally agree.
[00:16:52] I know from speaking to CISOs on a weekly basis that the budget is the hugest problem for them. Um, [00:17:00] what, what advice would you give to people who are looking to prioritize their budget or to try and get more budget?
[00:17:05] Janis: Don't focus on the technologies, focus on your problems and start small, and you will find a way how to achieve all the, the, the, the cake you would like to get.
[00:17:18] Ganesh: Focus on, focus on the, [00:17:20] focus on the problem, start small and you will get the cake.
[00:17:23] I like that. Yes. And talking about yourself and your business and that cake. So how do you, when, how do we measure success? How do we know when we've got the cake? What KPIs do you use internally that you found useful, or what [00:17:40] KPIs could you share with other CISOs that you think could be useful for other companies?
[00:17:43] Janis: If you look from the security perspective, there is always a good question: is zero identified weaknesses good, or is a hundred identified weaknesses good for the company? And no one has this answer, because [00:18:00] the day to day life will just show what the real situation is, and uptime, availability of the systems, will show how secure you are.
[00:18:10] Ganesh: So that's, that's the, the, the landscape as it is at the moment. Um, if we were to like [00:18:20] shift our view into the future, um, what predictions do you have for new security solutions in 2024, or, or the way that we're, if we're heading in IT security generally?
[00:18:33] Janis: Predictions. So yes, artificial intelligence is coming, uh, with a number of new solutions.
[00:18:39] [00:18:40] Uh, everyone will try to somehow penetrate, uh, the, the, the, the victim's network. Uh, humans, humans will still stay the weakest point, especially together, together with artificial intelligence technologies like, uh, face, voice recognition, [00:19:00] face recognition, everything related to that one.
[00:19:03] Ganesh: Would agree with that one.
[00:19:04] And it does make me laugh that since, since ever I worked in IT, the weakest part of security was the human. And, you know, 18 years later, the, the weakest part of any system is still the [00:19:20] human. So I don't expect that's going to change at some point in the future. Um,
[00:19:26] Janis: Yes, that's true. And many companies are just focusing on one control
[00:19:32] to fix their problems, but probably that's not enough. You need to have at least three, four, five layers of [00:19:40] the security just to be sure that actually, because humans fail and humans make mistakes, and, and that's normal. And then if a human makes one, a second mistake, you will have still two, three more [00:20:00] additional layers of protection.
[00:20:01] Ganesh: Good, solid advice. Defense in depth, I think, is definitely, you know, this makes perfect sense. Um, DDoS is, is on the, is growing, you know, been on the rise since forever, but DDoS is really, really, um, [00:20:20] continually on the rise and every, every site's being attacked. And what are some of your recommendations in order to protect yourself against these kinds of, uh, more advanced attacks?
[00:20:31] Janis: Yes. Nowadays, so there is no way you can protect your business from the volumetric business attacks without some third [00:20:40] party, uh, service provider who mitigates it for you. Uh, there are plenty of services available there outside which you can use, but using only the service without configuration, again, the configuration will not solve your problems.
[00:20:57] Because there is, uh, [00:21:00] packets per second, which can be used as attack. The volumetric or bandwidth, uh, attacks, which can be used. Uh, your application is unique. Uh, with specific APIs and access points on your side. So you need to tune those systems. [00:21:20] In the best scenarios, there is a solution which you can use to test your DDoS mitigation posture so that you can be sure that your configuration is proper and will mitigate your attacks on you.
[00:21:37] Ganesh: That's actually a great tip. I [00:21:40] completely agree. It's something that I'd forgotten about, but yes, hiring a denial of service attack type tool to, to point at your own website is highly, highly advisable, um, in order that you know that your, your denial of service protection works. I would also add that, uh, [00:22:00] other technologies that people possibly didn't look at, um, or is maybe just a bit more modern, um, is DAST tools.
[00:22:09] So, uh, dynamic application security testing, whereby you, uh, it's, I think of it as a pen tester in a box, really, [00:22:20] but typically companies used to only get a pen test once a year, whereas now you can just run it as part of your CI/CD pipeline. Um, every time you release a new API, you automatically run a pen test against that.
[00:22:34] So, you know, to, to be constantly testing your own entry points is a [00:22:40] super great tip.
[00:22:41] Janis: So you can have as many tools as you would like to have, uh, as controls for your system, but you need to test your systems as well. So to understand how good your configuration is, do you meet your goals, what you actually agreed before [00:23:00] buying those solutions.
[00:23:01] So, and it's not like setting up the system, setting up the box and forgetting about that one. So you need to work with that one.
[00:23:09] Ganesh: Um, great. Yanis, uh, thank you so much for your time. Um, anything else you'd like to add or any closing remarks for our listeners?
[00:23:18] Janis: No, nothing came [00:23:20] in my mind. Thank you for the conversation.
[00:23:22] Ganesh: Thank you for taking the time. We really, really appreciate it. And thank you for fighting the good fight and spending the time with us today.
[00:23:31] Janis: Okay. Thank you.
[00:23:32] Ganesh: This episode was produced and edited by Daniel O'Hana and Toma Mouviton. Sound editing and [00:23:40] mix by Bren Russell. I'm Ganesh the Awesome, a Senior Solutions Architect.
[00:23:45] And if you're ready to deep dive and start transforming the way you approach security, then the team and myself at GlobalDots are at your disposal. It's what we do, and if I don't say so myself, we do it pretty well. So have a word with the [00:24:00] experts, don't be shy, and remember that conversations are always for free.
[00:24:04] Find us at GlobalDots.com.