Qubit Prague 2022 Conference recap and highlights

Qubit Prague is a leading security conference in the CEE and SEE regions. A developer advocate talks to some of the speakers to get some of the highlights from the event.

Video Transcript

Hey everyone, well, we've made it here to Prague. So this time we're checking out the Qubit conference here in the Czech Republic, in Prague, and this is one of the favourite conferences when I talk with people: very practical, very hands-on and very strong in security focus. So we're going to check out some of the sessions, we're going to try and track down some of the speakers and try and get a word with them, and we're going to check out this beautiful city that I'm in here.

All right, we're back and I'm here with another one of the presenters, Joseph Slowik, who just did a fascinating talk on supply chain risks and demystifying the supply chain, talking a little bit about breaking it down, as I just said, in some layman's terms for me, breaking down some complex topics. But I wanted to... Joe, maybe you could introduce a little bit what you were talking about?

So the primary idea behind the discussion was first examining what a supply chain intrusion is, because there's lots of confusion around what that means and how that's done, and then using that understanding to show that it's actually not that easy for adversaries to do. And because of the difficulties associated with a successful supply chain intrusion, there are actually a lot of opportunities for network defenders to spot or to mitigate against these sorts of intrusions, instead of them just being some sort of scary, mythical "there's nothing you can do about the supply chain". No, actually, if you're doing security right there's quite a lot that you can do, and to try to, again, demystify that sense that supply chains are these spooky, indefensible sort of intrusion vectors.

Yeah, I love that one slide that you had in there that was about "adversaries only have to be right once, defenders..." and you thought that was completely...

And I'll apply this to anything that adversaries do. Whether you want to apply this to something like the Cyber Kill Chain model, or something like looking at the MITRE ATT&CK framework or techniques, adversaries have to do lots of things to be successful in an intrusion, and supply chain attacks almost double that number of touch points, because they have to breach both the supplier as well as impact, and eventually maintain some level of control in, their ultimate victim environment. And if we flip the script, so to speak, between "adversaries only have to be successful once": like, no, adversaries have to be successful every single time, whereas defenders, we only need to spot them once in order to kick them out successfully, as long as we do our IR correctly. And I think that's a very helpful way of looking at things that people need to...

All right, last question: two key takeaways from your presentation. What do you reckon? What would you want, key things, two key things for attendees to take away?

Key things are honestly takeaways that are applicable for security in general, because whether you're talking supply chain or ransomware or whatever, visibility is key. If you don't have visibility you're kind of screwed anyway. And people: having well trained, enabled, curious people that are looking into that visibility, that's how you catch a SolarWinds, that's how you catch a county, that's how you catch a Sandworm in your environment. And if you don't have those two things, visibility and people to investigate what you're picking up through visibility, you can't do security, in my opinion.

Awesome, thanks so much for your time Joe, and check out that talk online if you can. [Music]

So hey everyone, we're back here at Qubit and I'm here with one of the speakers, Ben Pittsburgh, hopefully I got the name right. But hey Ben, I was just going to ask you if you could maybe give a couple of key points of what your talk was on.

Okay, cool. So, about organizations that are moving to a "need to share" state of mind and a "default to share" state of mind. Like, the business is pushing for more data sharing with users within the organization because that makes the business grow, and how do you do it in a secure way.

That's awesome. And what would be, like, two key points that you want people to take away from your talk today?

So two key points: I would say, brace yourself because it's coming. Like, if you don't have a program already, it would make sense that you will have such a program. Focus on your sensitive data, focus on knowing where your sensitive data always is, as well as then protecting it, and making sure that security is part of the entire process of the data operations. [Music]

All right, we've just about come to the end of the Qubit conference, we're finishing up, but I've managed to track down one of the speakers, Sheik. I was going to ask you a couple of questions about what your presentation was on.

Some of the problems that we tackle around looking at cyber security from an offensive security perspective. So it's really about being able to challenge your controls, your configuration, and look for the gaps, just as an attacker would. In the same fashion we're trying to look for open doors, look for the ability to exploit certain vulnerabilities, and it doesn't always have to be, let's say, a CVE or a patch or an update; it can be as simple as a misconfiguration, a bad password. And all of that is, you know, looking at security holistically and trying to sort of help people think about how to keep their house in order, but to do it in a way that's easy and it can be measured, right? So over time you have the ability to continuously challenge your security controls and ask those important questions: did something change that's now made us vulnerable to an attack, and what does it look like from an attacker perspective? So I think that's the key thing really, it's about looking at the attacker perspective.

Well, that's it, Qubit has come to the end and I'm back in my hotel room, just getting ready to pack up. I thought I'd share a little bit about my thoughts on the conference overall. I'm rocking my GitGuardian hat; I've realized I haven't done any branding in this video, so this is it, my nod to GitGuardian.

But Qubit was an awesome conference. It's quite intimate, although there were quite a few people there. There are the two tracks, the executive track and the technical track, and their technical track was actually technical. Often you kind of get these technical tracks and there are a lot of vendor pitches; not the case. We had some really interesting conversations, and the guest lineup that Qubit put together was really quite extraordinary: it had speakers literally from all over the world coming in, and they included FBI agents. Obviously some vendors were there, but we had some pretty serious technical practitioners and people that had, you know, their boots on the ground, that were working into giving really practical advice.

So overall I think Qubit was obviously a fantastic conference, and I think it'd be good for you if you're definitely a security practitioner. I think you have to have some kind of involvement with your hands in the ground for this particular conference, because, you know, it's very practical advice, at least I was mostly in the technical track, so at least on that side. But a fantastically run conference, and I have to say the food was epic: as far as conference food goes, Qubit 10 out of 10. So I look forward to hopefully attending again next year, and Qubit has a bunch of other conferences that you can check out too. [Music]