[podcast] IAM in Monterrey with Arturo
In the final episode of 2019, Jeff talks with Arturo Cordoba, Senior Advisor on the Cyber Security team with CEMEX in Mexico. They discuss the PEMEX ransomware attack, the ups & downs Arturo experienced with his IAM program this year and starting an IAM group in the Monterrey, Mexico area. If you are in the Monterrey area and want to be part of the group, reach out to Arturo on LinkedIn!
Jim and Jeff hope you have a happy holiday season and will be back in January 2020 with new episodes.
We hope you enjoy this episode and please subscribe to our podcast for updates on new episodes!
Podcast #25 Full Transcript:
Identity At The Center #25 - IAM in Monterrey with Arturo
Jeff: Welcome to the Identity at the Center podcast. I'm on the road visiting my good friend Arturo here in Monterrey, Mexico. This is my last week of travel for 2019. I'm excited to be in Monterrey and see the mountains; it's gorgeous here. By the way, the weather is perfect. It's like 50 degrees Fahrenheit, which is great for me. Clear skies and mountains all over the place. It's awesome. I thought it'd be a good time to catch up with Arturo, kind of close out the year and talk about some of the different IAM experiences. So welcome again to the podcast, Arturo.
Arturo: Hi, Jeff. Thank you for having me.
Jeff: Thanks for setting aside some time.
Arturo: And you are very lucky right now, because we are having, as you say, very clear skies right now, so you can get some pictures of the mountains.
Jeff: I hope to get some good pictures from the top of the hotel here. So let's dive in a little bit. There is some recent news around IAM in Mexico, and that was Pemex getting hit with ransomware. Depending on who you talk to or which article you read, it was either not a big deal, according to the company line, but there were other articles quoting inside sources saying it was a much bigger deal than was being let on, that systems were down for much longer, and they thought the ransom was five million in Bitcoin, which is quite a bit. Has there been a discussion in the Monterrey IAM community around that topic and how that might affect other things?
Arturo: I think, in general, the cybersecurity community has been following the Pemex hack from a few weeks back. There were some other companies in Mexico that were affected by the same type of attacks. I don't have details on whether it was the same type of malware sample or something different.
But in the end, there were different companies that got hacked using these ransomware attacks. And I feel like here in Mexico, different than in the US, we have very tight regulation in terms of properly communicating these kinds of incidents.
Some of them weren't public because they weren't a public or bigger company like Pemex in this case. And I think that I might agree with you that the issue is more about the communication, because we don't really know whether it was something important to the company or not. And in a lot of big cases that are happening in some other countries, the good thing that we have in some cases is that communication was very effective. Actually, there are certain articles that highlight the very good actions of the company after the incident was properly communicated, either to the public or to the customers who got affected. So in the end, with some of the hacks, I think it's not about being ready to prevent the hack, because whether they were able to prevent it or not, in some cases yes and in some cases not, I think the ultimate point is that they were able to react properly after the attack or after the attempt.
And I believe that the companies to highlight are the ones where we, as professionals, say, OK, these guys seem like they're doing a good job, or they were prepared to react. Those are the good ones. On the other hand, we have the companies who cannot react or are giving misleading communication about the incident.
In this case, I think it's because it's a company of the government. Officials are saying one thing. Some other experts feel there was something internal, through a partner or something different. I think the details were more around the communication in this particular case.
Jeff: Yeah, I think that makes more sense, I guess. I'm glad you brought up that Pemex is a nationally controlled petroleum company. So my understanding from what I've read is the hack affected more the billing side of things and sort of the back office, and didn't really affect what customers of Pemex might have seen, but probably affected more B2B types of things. So people who maybe have a financial relationship, whether you're a creditor or some sort of biller within the organization, might have seen some more effects.
But that does make me wonder, because the communication was vastly different. Basically, you've got, it's fine, everything's under control, versus, boy, things are real here behind the scenes, floors of computers are down, can't do whatever. And I still feel like, even in the US, that's still something that companies struggle with: the response to this. So there's tons of information out there. But really the focus that people are taking now is, it's not if we get hacked, it's when we get hacked, and how we're going to respond to it. So it's interesting that the hack that Pemex faced was also seen in the US. So companies like Merck, and I believe there was a shipping company, Maersk, I think is what it was. They had a very similar profile, and they think that maybe those hacks were done by the same group.
So there's clearly a targeted environment here, where the people using this specific ransomware were looking for very specific profiles of companies to try and breach.
Arturo: Right. And another thing that I just read this week is about how these types of hacks, and certain others that have happened a few weeks back, are gaining the attention of the hackers, because they say, well, that target seems to be easy to hack. Right. And so they are probably trying to look for different companies based in Mexico or Latin America that they can take advantage of.
Jeff: Yeah, I feel like there's an opportunity, if I'm looking for a target to breach, in companies that are maybe in the small and mid-size range that don't have the technical controls in place, things around privileged access management, or maybe their users are all local administrators.
And I drop a thumb drive in the parking lot, and the person is trying to be helpful, I wonder whose this is, or they're curious, and they plug it into their machine and bang. Now I've got their stuff and all their friends' stuff. So I think it's something that companies are starting to pay more attention to.
But at some point, there will have to be some investment to try and mitigate that through security training, security awareness, and then, you know, the technical controls to try and block those things from happening in the first place.
Arturo: Yeah. And I think that all these things are good in general, because they draw the attention of the top executives, and they start making decisions based on this environment in general.
But on the other hand, we have all the sales guys who base their speech on, oh yeah, this is probably some magic bullet that will help you with everything, including ransomware. If you are not very deep into technology and you are a manager who doesn't have a deep understanding of everything, you can probably try to buy something to help you with ransomware and end up with something entirely different, and things like that.
So you have to be cautious in doing this.
Jeff: Yeah. I mean, you're saying that salespeople might not be honest? There are products that would never... I know some very good sales folks, shout out to my guy Tim, he's really good. And there are a lot of really good sales folks that do a good job of positioning where they can help and where they can't. I feel like there is way more, especially having sat on the customer side for so long, of oh yeah, this is the magic bullet. Like you said, it will solve everything, solve all my problems, et cetera. Doesn't exist, right? Even the best magic bullet that is out there will only reduce the chance of something happening. It will not outright eliminate it.
Arturo: But after a while, you start to identify that, even with the words that they are using, you will never get any guarantee. Exactly.
Jeff: Let's talk a little bit about IAM work done specifically this year and kind of the program that you've been working to set up here.
What is the biggest IAM accomplishment that you're most proud of for 2019?
I'll put you on the spot here. So I'll give you a second to think about it.
Arturo: One of the things that I'm really proud of is that this year, at the beginning of the year, we accomplished enabling two-factor authentication for the whole company. I think that it took us some time to actually go in and communicate and bring the users into that at the beginning.
But eventually, after almost four months of rolling out the solution to more than 22 thousand users, I feel like we did it.
I mean, it's something I think is a very good milestone for our security posture, and also it's like, OK, we're moving forward in terms of security for the users.
And yeah, it's a big step in terms of security.
And based on that, you start gaining more traction on different security features that you can enable on top of this in the near future, or in two years probably, because it should be passwordless, or with fewer passwords.
Something related to that. So we are going step by step, right? But this is the first step, I think. So I will say that is the first one.
Jeff: That's a big one. MFA is huge. And for twenty-three thousand people. And that's across the globe, too. That's right.
Arturo: Different cultures, people who don't want to use their phone for that. And so the other thing is that technology right now, using this conditional access or this context-aware authentication in order to make decisions, also helps right now, because otherwise it would be more complex or even impossible, I would say, because we would not have this context of the user.
You have to keep lowering the friction for the end user, because in the end that will kill you. If you are going to prompt for MFA every time they sign in, it will be too much for them.
Jeff: So being able to take advantage of that conditional access as part of the MFA was probably a big help, right?
Arturo: Yeah. And in our case, without that, it wouldn't have gone. It would have been just a certain number of users under certain conditions, but not like the target we have today.
Jeff: Well, that's great. I think that's a pretty good goal, or a pretty good achievement, for the year for sure.
Arturo: Yeah. And the second one that I think is important is moving things around formalizing the IAM program and everything related to that, because it's such a complex conversation and it's difficult to get the message through to top management.
Jeff: Yeah, I know you and I have had several conversations, especially over the last several months, making sure that the message of IAM is being communicated effectively and received at the executive level so that you can set up these programs. And you've got a win through MFA. So, yeah, you know what? That went well and it's providing value to the company. We've reduced risk. What else can we do? That, I think, was an important conversation to have. And I'm glad to hear that it worked out the way that it did. I think that's very good. So let's flip the coin. What's something that maybe you wish had gone better in 2019, or something along those lines?
Arturo: I would say this is probably related to the IAM program implementation, or trying to really formalize the IAM program. And I would say that it's everything related to politics. I remember last year when you were here, and you were saying, OK, the IAM program and everything you read about the IAM program is more politics and process, equal to ten times the rest of the things, like technology and new toys for the company.
And I was, politics? Yeah, I get it.
We need that, at the end.
I think that, because of the different teams internally here in the company, and the culture and the type of politics, you think that you should lead the company path, and think that it could be better or we can improve that. And how you probably try to make some connections internally, try to convince more people, or look to expand the sponsorship that we have internally.
And I think that this is different for every company, based on the organization and where you sit in the organization and the organization chart, as well as the culture.
So probably politics here is kind of different from the US. So I need to watch more House of Cards.
Jeff: Yeah, it could be House of Cards, could be Game of Thrones. Hopefully not as bloody as either. This is the real world, right?
Yeah. People have thoughts and opinions, and that's something that, earlier in my IAM career, I wish I had done a more effective job at in previous roles: understanding the politics of it. Yeah. Because when you're working neck deep in IAM, a lot of things make sense. But there are larger discussions taking place above that can certainly impact the ability to get things done. So being able to make relationships and play the game sometimes, of bringing people in and understanding what their motives are and the psychology behind it. And I think politics is a huge part of it. And I know that whenever I'm working with clients and customers this year, there's a quote from Forrester that I always like to use, and I can't think of it exactly at the moment, but politics is included as part of that quote. And it's the reason I like it so much, because it's one of the only quotes I've seen that includes politics as something to account for as part of your IAM program.
You know, being able to play that game, understand it, kiss the babies, shake the hands, you know, like a politician, being part of the picture.
Arturo: And getting back on that, I mean going back twelve months ago, I wasn't the same person in terms of politics either. So I hope next year the same happens.
Jeff: From a resolution standpoint for 2020. Did I just... Is that one of the resolutions you'll have? Is it, from a 2020 perspective, that IAM is politics?
Arturo: Yeah. It is politics. Yes. But it's also about starting to grow the professional network, including, I mean, inside the company for sure, but also outside, trying to find folks working on IAM programs. I mean, you said you've seen a lot of companies here in Mexico; to be honest, right now there isn't any IAM community getting together or having something like that, since I saw all the work that you did with the different user groups around the US. And one of my ideas for next year, or one of the resolutions that I have, is to start a local group here in Monterrey. And I think that one of the biggest challenges is to find the right people, because here those guys, the people who are working on identity, are either developers working on some user interface or some application, so they are tagging themselves as developers, and coding and developing, and some other folks are working more on the security side, so they are security professionals, not yet proficient.
So I need to go deep, dive in, and say come with me, let's talk about identity.
So it's going to be, at the beginning, that way: trying to identify the people, talking to people, just to join us and start talking about different topics around identity. So hopefully in the next few months we will have some community here.
Jeff: Yeah, that'll be great, I think. Do you think that you'll run into resistance with, why are you talking to me? Like, what are you trying to do? Will people be guarded at first?
Arturo: No, not really. I mean, they're very open there. I mean, I always see the IT community as very, very friendly.
So if you're always trying to share knowledge, they will be open. If you are trying to gain, probably, a sale... my sales friends will kill me, but usually in this case, in these kinds of events, when you advertise the meeting, you have to say that it is free of sales for you.
There is no selling anything. It's just information. And you need to be clear about that, because otherwise people get scared and they won't attend. But if you are saying, OK, I'm just talking about this topic, information.
Jeff: So what I'll do is, in the show notes for this, I'll put your LinkedIn. So if you're listening in Monterrey or close by in Mexico and want to help Arturo with setting up an IAM group, I'll put your information so they can reach out to you.
Arturo: Actually, in the next few weeks we'll start sharing on LinkedIn as well, to have more information about that. And hopefully by the end of January we'll try and set up the first one.
Jeff: Very cool. So for next year, are there any conferences that you might be interested in attending? Because sometimes those are great hubs to be able to talk with other people.
Arturo: Yeah, actually that happened last time, when I met people from IDPro at Identiverse in Washington this year. So yeah, I am willing to attend Identiverse, to be one of them.
In general, for me, I've never attended Black Hat before, so it's still on my bucket list. So I want to go to Black Hat.
Jeff: Black Hat. That's interesting, because it's not really an IAM-focused show. But there are certainly IAM topics, because how do breaches happen? Typically through credentials, right? So being able to understand how that happens is important. It can be expensive sometimes to go, but I found a cheap way to get to Black Hat. If you're not able to get the full funding for the full pass, which is usually like two thousand dollars or three thousand dollars US, you can also get what they call a business hall pass, which is only five hundred dollars. So you can still go into the business hall, talk with the different vendors who are there, and see some of the sessions. So that's an option that I've used several times over the years as a way to say, OK, well, sometimes funding for conferences might be hard to come by. What if I could get in there a little bit cheaper and save some money? So that could be an option for folks who are listening that have never been to Black Hat. It's a great conference to go to. I mean, definitely laid back, definitely casual. You'll see everybody from wearing suits and ties down to shorts and t-shirts and everything in between. It's a fun one to go to. It's big, too, like thirty thousand people, I think, that go to it, but sometimes it can be expensive. So an option to consider might be something like a business hall pass. And that would also apply to things like the RSA Conference.
Arturo: I've never attended RSA, it's another item on the list, but I heard about that conference that the hotels are like crazy.
Jeff: It's ridiculous. It's San Francisco, so there's already the built-in cost of that. But yeah, I think that's the biggest knock on RSA: it's a huge conference, it's in a great city, a great city that happens to be really expensive. So unless you have a way to get a deal from a hotel perspective, that's another one that's tough to get to. Another way that I'll try and save money sometimes is I'll just get the conference business hall pass and spend all my time going back and forth between the two different expos that they have. And sometimes they include keynotes as part of that. So there are ways around it. But yeah, it is really expensive.
Arturo: It should move to Las Vegas.
Jeff: I've received surveys in the past that they might be considering that. I know Oracle, I think, recently signed a three-year deal with the city of Las Vegas. So they're moving their show out of San Francisco and to Las Vegas, and the hotel costs were one of the reasons they cited. And that's a big loss for San Francisco. I think it was a sixty-four million dollar loss to the economy per year because of them leaving the city with that conference. So I love San Francisco, my favorite Disney World. But yeah, it's expensive. And I hope they start to recognize that and maybe try to figure out a way to make it a little bit easier to have conferences there, because otherwise Las Vegas is going to eat the world, because they're so well designed and relatively affordable when it comes to those sorts of things.
Arturo: Yeah. And I mean, I heard that RSA is a huge conference and it's going to be difficult to move to some smaller cities. But what I like about Identiverse is that they are moving each year to a different city. So it's like a tour, so if you're attending every single year, you don't know that you are going back to the same city and have nothing new to see, or something like that. So you will enjoy the city if you've never been there.
Jeff: I think this year it's in Denver, I believe, in Colorado. So that'll be nice; it'll be different than Washington, D.C., that's for sure. It won't be as hot and humid as it was this year.
I hope the weather is good for people who want to go skiing; they'll be, I think, relatively close to do that, or outdoor type things. And in previous years, it was New Orleans and Chicago. And yeah, they do a good job of picking cool spots to go to. And hopefully people are able to extend their trips, go for a few days for Identiverse and then add on a couple of days to do a vacation with their families and stuff like that. So that'll be pretty cool.
All right. Well, I wanted to have kind of a quick conversation and take advantage of the time that we've had here, and kind of get your thoughts down and accost you with our podcast again.
Arturo: No, I'm always happy to have this conversation, and all of the offline conversations that we have while you are here. And thank you for having me again.
Jeff: I appreciate it. Just as a note for folks who are listening, I want to thank everyone who's been listening throughout this entire year. This is actually episode number twenty six over the last six months. So we started the show back in the first week of July of 2019, and Jim and I have been putting out content every week. It's been a learning experience for both of us as we're doing this. We've never done a podcast before. I've never done anything close to this as far as editing. So, you know, we're learning on the fly, and I think things have gotten a little easier and faster as we go along, and we hope that folks have enjoyed the ride so far. We both have time off coming up in the next few weeks. So this is probably going to be our last show for the year, I'm assuming. So we plan on picking back up in early January; we're going to take a couple of weeks off here for Christmas and New Year's and let our respective cases of holiday brain clear up. As a matter of fact, from the New Year, for the folks that are working in IAM operations over this break: may your systems stay up and running, may your password reset calls go very smoothly, because you know everyone's going to call January 2nd with "I forgot my password." That's when the seasonal spike is. So I want to thank everyone for listening. Hope everyone has a great holiday. And we'll talk with you early next year in 2020. Take care!