Preserving Your Social Brand: The New Threat Factor - An Interview with Mike Price, CTO of ZeroFox
Interview with Mike Price, CTO of ZeroFox:
Cyber Security Dispatch: Season 1, Episode 12
In this episode, we welcome Mike Price, CTO of ZeroFox. ZeroFox is a social media and digital protection platform built for enterprises. In this episode, we explore the new risk of brand impersonation used to hijack revenue and customers and how enterprises are finally starting to see why this is so important. We discuss why security never appears to be top of mind when it comes to social and how ZeroFOX works to protect companies who are being harmed by the behavior of others on social. We round off the conversation with an interesting discussion on crypto money and debate whether the home is becoming a new target for hackers with the rise in home-based technologies, such as the Alexa virtual assistant.
Key Points From This Episode:
- Learn more about Mike, his background in the industry and his role at ZeroFOX.
- Find out why security never appears to be top of mind when it comes to social.
- Are people more welcoming of digital intruders versus in-person intruders?
- Mike shares his views on social interaction from an enterprise perspective.
- How ZeroFOX assists companies who are being harmed by behavior on social.
- Why is crypto mining such a big issue right now and are consumers at a security risk?
- Is the home becoming a new target for hackers and how consumers can protect themselves?
- Discover whether Mike sees a battle between AI/ML and data privacy.
- And much more!
Links Mentioned in Today’s Episode
ZeroFOX – https://www.zerofox.com/
ZeroFOX Twitter – https://twitter.com/ZeroFOX?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor
ZeroFOX LinkedIn - https://www.linkedin.com/company/zerofox/
Mike Price – https://www.linkedin.com/in/michaelmprice/
Cambridge Analytica – https://cambridgeanalytica.org/
Alexa Virtual Assistant – https://www.digitaltrends.com/home/what-is-amazons-alexa-and-what-can-it-do/
Starbucks Incident – http://www.philly.com/philly/news/starbucks-philadelphia-police-viral-video-investigation-race-ceo-protest-20180415.html
Doctor dragged off the United Airlines flight – https://en.wikipedia.org/wiki/United_Express_Flight_3411_incident
Welcome folks to another edition of Cyber Security Dispatch. This is your host Ashwin Krishnan. In this episode, titled Preserving Your Social Brand: The New Threat Factor, we speak to Mike Price, CTO of ZeroFox. We explore this new risk of brand impersonation to hijack revenue and customers and how enterprises are finally starting to see why this is so important. We round it off with a discussion on crypto money.
[0:00:32.9] Ashwin Krishnan: All right. Welcome Mike –
[0:00:33.8] Mike Price: Thank you.
[0:00:34.4] AK: – to the Cyber Security Dispatch. This is really a series of podcasts we're doing for our customers, as well as people who are interested in security and generally where it's headed. Why don’t you introduce yourself and then we can deep-dive right in?
[0:00:49.2] MP: Yeah, sure. My name is Mike Price. I'm the Chief Technology Officer at ZeroFOX. Our company's focused on security as it relates to social media, that's what we work on. I've been working on it for about four years now. Our company's been around for about five years. I eat, sleep and breathe social media security.
[0:01:08.9] AK: Okay great. Couldn't come at a more topical time with everything that's going on with Facebook and Cambridge Analytica. What is it about social that you think causes people to let go, or lose their guard? Is there something about it that's so compelling, that security is never top of mind?
[0:01:24.3] MP: Yeah. I mean, there's a short answer and a long answer to that. If you look into the topic in detail, you'll find that the people at the sort of biological level have a certain need to communicate with others and to connect to others. It comes very naturally to us to talk to folks and to tell folks a lot about ourselves and to divulge a lot of information, to try and form connections, even where there might be a little bit of risk present. Most people are default open in terms of who they connect to and what they talk about. I think from there, a lot of the security issues stem on social media in particular.
[0:01:57.6] AK: It's interesting you mentioned that, because for me, I mean, as somebody who writes about, it boggles my mind that we have a doorbell and we screen people before they enter our house. But we bring in Alexa and we bring these IoT devices into our home, which are living and breathing and essentially simulating data that can be shared. At a cognitive level, are we more welcoming of these digital intruders versus you and I?
[0:02:24.2] MP: Yeah. I mean, it seems like things are certainly evolving for maybe 10, or 20 years ago from when I was a kid or something like that, where you have a lot of tech that's out now that makes your life a lot better in a lot of ways. Alexa, or some of these types of personal home assistants. I mean they just make your day-to-day life easier. There is certainly a privacy trade-off in the sense that you don't necessarily know what's happening with the data behind the scenes.
Certainly, you want to trust the brands and the companies that manage this data, but then there's often times other information that comes out that shows that maybe your data is not being handled with the utmost concern for privacy. It's a bit of a convenience versus privacy trade-off it seems.
[0:03:02.1] AK: Yeah, it's interesting. I mean, the one interview I did earlier is really about privileged access. Where the conversation ended was pretty interesting. We talked about privileged access to look at who has control of social. Because it's got to the point right now where Twitter and Facebook and LinkedIn and other forms of social media is really where the keys to the kingdom are.
In some sense, it's still important to talk about switches and routers and applications and database and so forth, but increasingly the focus is an erroneous tweet, or a LinkedIn update which shouldn’t have gone in, can cause major damage. From your perspective given where ZeroFOX is coming from, are you starting to see the same heightened awareness, or sensitivity when it comes to social interaction from an enterprise perspective?
[0:03:51.8] MP: Yeah, I mean, that's absolutely the case. I mean, five years ago when we started the company, the premise of the company was basically that social is and is going to become the dominant form of communication. Yet, there were already security issues and we felt that it was very likely that we would see even more. There was really very little attention being paid to security by the networks themselves, by the enterprise, security folks, by consumers in general.
That was the premise of the company. Over the last five years, we've seen nothing but really growth in the volume and types of problems that have manifested on social. In the last couple of years in particular, a lot of people have come to understand in our point of view and have come to join the ZeroFOX customers, for example. These days, most enterprises are definitely recognizing that there's meaningful risk to their organizations from a whole host of different kinds of issues, and they're getting on board with the fact that it's very costly to build out and administer a program on their own, and so they're coming to us for protection around that.
[0:04:49.9] AK: Let me ask you something which is also manifested by the instant gratification of communication that social brings about. Whether it's the Starbucks CEO Kevin Johnson having to respond within 12 hours of this incident that happened at Starbucks in Philly, or a doctor getting pulled out of United Airlines in Nordstrom and O'Neill's having to respond.
There is also an expectation that the companies have to be on top of the game, right? From your perspective, how do you marry something which actually puts a layer of caution and you have to oversee what somebody does and doesn’t do. But if a company or a business is not responding real-time, then essentially their reputation is in the mud. How do you reconcile these two?
[0:05:29.8] MP: Yeah. I mean, I think that the risks that we see are the risks that we deal with aren't so much related to precaution around how companies are expressing themselves on social. It has a lot more to do with whether companies are being somehow harmed by other people's behavior on social. This is one of the core things that we deal with.
It could be the case that a major enterprise has a major social media presence, but they haven't learned how to manage the security of those social media accounts. It could be the case that their brands are being abused on social. We deal much more with other people harming the enterprise's use of social than we do at trying to help the enterprise control its own message. That's what I would think when I think about that one.
[0:06:12.7] AK: Given your pretty extensive security history, let's switch gears and go away from social for a bit. Crypto mining. I know you've been quoted in articles about that. It's still a lot of black magic and voodoo over here, right? Explain in basic terms why is crypto mining such a big issue right now, and how as consumers, our servers and our PCs and our AWS (Amazon Web Services) could get used for this purpose?
[0:06:40.6] MP: Yeah. I mean, long story short, the way that new cryptocurrency comes to exist is through this process called mining. Mining generally relies on this – a lot of heavy use of computing resources. Basically, the more computing resources you have, the more you can mine, the more cryptocurrency you can come up with and the more money you can make at the end of the day.
Given the fact that you can basically turn computing resources into money, then for some folks there's an incentive to get their hands on as many computing devices as they can, as many computers or servers as they can, with or without permission basically. I think that, I have a lot of respect for the goals of cryptocurrencies. I'm a big fan of it. Certainly, it makes it a little bit easier in a way for cyber criminals, so to speak, or bad actors, so to speak, to go in and hack into machines.
Whereas before, maybe they needed to do something with that machine, or steal some information from that machine. Now just the machine has a value to it, which is a little bit new and a concerning trend in that regard.
[0:07:36.1] AK: That actually leads into the question of how does a consumer who barely understands what they have in their home device today? Now their computers are being used for crypto mining, they have listening devices at home, they have connected coffee machines, connected TVs. Is the hackers’ mentality now saying, “Hey enterprises are okay from a target perspective, but they have a lot more sophistication when it comes to security controls.” Is the home becoming a new target? If so, how does a consumer even come to terms with, “Hey is my home secure?”
[0:08:11.6] MP: I'm not sure that I've witnessed a trend that says that folks are hackers, or these types of folks are gravitating away from the enterprise and more towards the consumer. I think that it's always been the case that consumers have been a target of nefarious activity. A lot of the malware that we've seen over the last 10 or 20 years, I suppose has been something that's really affected the home quite a bit and a lot of the EB industry was born out of protecting both consumers and the enterprise, right?
I definitely think that the surface area, so to speak, for consumers is getting bigger and bigger. Now you have smart homes which have a lot of devices and things like Alexa, our personal home assistants, and Smart TVs, and basically everything's becoming smart and connecting to the internet. A lot of the internet-of-things aspect of this is just putting every home and the average consumer much more onto the internet, exposing them a little bit more.
From the cryptocurrency side of the house, I think most folks are using an exchange as opposed to storing this stuff on their local systems. They can do regular things like make sure that their home computers are secure with some endpoint security. They'll probably avoid a lot of problems with that, but there's still a big question as to how to lock down all the other custom devices, like the Alexas and the other internet connected devices that aren't your home PC? Yeah.
[0:09:28.5] AK: Given that we’re at obviously 2018 and we’re at day one over here, what are your thoughts in terms of what we can expect to see on the show floor starting tomorrow and what some of the big announcements are going to be?
[0:09:37.5] MP: Yeah. I guess, I'll have to wait a little bit to walk the floor and to get a better sense for what the trends are going to be like this year. I mean, I think that there is certainly going to be a lot around the leveraging of machine learning and artificial intelligence. That's one of the big things. There's a lot around higher-level analytics around how we handle incident data, or threat data and draw more conclusions from that data at a faster pace. We'll see. There's a lot of interesting new areas of InfoSec that are being productized. I look forward to walking the floor and checking it out.
[0:10:07.4] AK: That leads me to one last question, which is do you see a battle between AI/ML which really requires large data sets, and data privacy which really is I need to reduce the amount of data that I collect, either because of GDPR (General Data Protection Regulation), or because of other regulations coming? Do you see that being something that is going to play out over the course of next two to three years where you have data scientists saying, “Hey, I need more data.” Privacy experts, or within the organization or regulatory authorities coming in and saying, “Hey, you got to limit the amount of data you collect.” How do you think that's going to play out?
[0:10:37.6] MP: I think at the current point in time, it's a little chicken and egg depending on the organization. It's a little tough for data scientists to just directly leverage the arbitrary data that a company has. Oftentimes they'll set out to build the data set that they're looking to train their ML on or something like that.
I could see there being a risk of these data sets being built for the purposes of training some AI system, and then maybe those data sets either just being grown perpetually over time or not discarded. There's probably a bit of a risk of that. I guess, we'll have to wait and see how that unfolds honestly.
[0:11:07.3] AK: Good. I mean, that's a good – because there is no good answer to that and I’ve asked quite a few people. It is something that we have to reconcile with, right?
[0:11:14.8] MP: Yeah. I mean it's tough, because the potential for AI is huge, and the productivity gains that we might see from that are probably unlike anything we've really seen before, or at least in some regards. Advancing systems that are able to recognize images, or to do different really you know, things like that, whatever it might be, I mean in many ways it's in our best interests, but you certainly can't do that without training machines on things. There is just the interesting pros and cons there, so yeah.
[0:11:41.9] AK: Cool. Any last words for our audience before we wrap-up?
[0:11:44.8] MP: No, but definitely check out the ZeroFOX website and we hope we can do a little bit of social media protection for you too.
[0:11:49.3] AK: All right. Thank you everybody.
[0:11:52.9] MP: Thanks.