Skip to main content

Perspectives Home / CISO CIRCLE

Is Your Organization in Step with AI? Check on Your Data Tenancy.

Forget the lone-wolf mentality of a single SOC. Today, it’s all about cross-sector collaboration and information sharing

headshot of Zak Brown and Cory Minton

In a recent conversation with Mikhail Falkovich, CISO at Con Edison — one of the largest energy companies in the United States — we discuss major learnings from his 20 years in cybersecurity. During the interview, one resounding message was echoed: defending against cyber threats is a team sport. Forget the lone-wolf mentality of a single Security Operations Center (SOC); it’s all about cross-sector collaboration and information sharing through ISACs and CRISP (Cybersecurity Risk Information Sharing Program).

Mikhail also shared his best practices surrounding the use of AI, as well as defense against AI-powered attacks. This includes how data ownership matters and how keeping your data in-house minimizes the threat of data leakage.

And given that AI will also lower the barrier to attack for bad actors, Mikhail mentions that “protections need to be ready, especially against social engineering.” Cyber defense in general should have both breadth and depth, which entails multiple layers of security, along with multiple controls at each layer, including multi-factor authentication.

To hear my full conversation with Mikhail, tune into the episode below.

For more insights on how generative AI will shape cybersecurity, read State of Security 2024.

Note: This is an auto-generated transcript, which may contain errors.

Cory: In this episode of Spunk's Perspectives podcast, Paul Kurtz Field, CTO and Chief Cyber Security Advisor here at Splunk, sits down with Mikhail Falkovich, chief Information Security Officer at Con Edison. Enjoy the conversation.

Paul: Yeah, it's been a while since we've been able to catch up and it's good talking to you today and you know, maybe to just start off, can you give the audience a little bit of background of like your role there at Con Ed and, and a little bit of your background?

Mikhail: Sure thing. And Paul likewise glad that we're able to catch up. And thank you for inviting me for this. So, my name is Mikhail Falkovich, which I'm the Chief Information Security Officer for Con Edison.

And in Con Edison, we provide critical infrastructure services for the customers in New York City, specifically electric gas and steam services. I've been performing my role here almost eight years at Con Ed. And before that, I've been working on it, regulatory and cybersecurity efforts within the utility industry more than 20 years. So, it's it's been an interesting journey but love the mission. I have a great team of cybersecurity professionals here at Con Edison where we keep our ability to deliver gas, electric and steam service in a safe reliable and secure manner.

Paul: Great. Thank you for that background and just, you know, for the audience. I've been in the cybersecurity business around the same amount of time as you Michel. Unfortunately, maybe a little bit longer. So, but I got my start in cybersecurity while serving at the White House and it was a director of counterterrorism and then picked up the Cyber portfolio. And since that time, I've been working in Cyber one way or another and I'm currently at Splunk obviously and serving as a chief cybersecurity advisor as well as what we call field CTO working with our, our customers. And it's, it's super great to be, you know, with you here today, but I can't thank you enough for, for being here.

And II, I guess maybe the, the, the place I would start is, you know, from your perspective, what are the, what are the big priorities that you have there Con Ed from a, from a security point of view and and how would you, how have those priorities kind of shifted or if they have even shifted over the past couple of years or so.

Mikhail: Sure, sure thing. So and I, I would break it up into maybe 33 priorities that I have. and I played 11 bucket If you will is internal capabilities, specifically the ability to protect the company, data and company assets and the ability to respond to events to detect and to respond to events. It is crucially important and data analytics plays a big part in that understanding of our asset base and ensuring that the right protections are applied to the right assets and then having the processes and automation and the the capabilities to again, to both apply the necessary controls and then detect the anomaly and then respond to the anomaly in an effective way.

The the second bucket would be collective defense. And the idea there is in the utility space. We, we like to collaborate with not only others in the industry but even cross sector and with the government to ensure that we take a kind of a, a unified approach to, to defense and and that has been invaluable in our efforts. And we continue to kind of push for a stronger private public and public, private sharing of information, which I I think is going very, very well.

The third focus is continuing and changing regulations. Cybersecurity as a field has grown significantly, the risks have grown, the threats have grown and the regulation has grown and continues to grow. So, being part of those conversations about what are the right controls and what are the right requirements to be applied and the right behaviors to be achieved by our organization, by the industry overall.

Paul: You know, when you think about, you know, the first item you you highlighted was, you know, internal just to the degree you're comfortable, can you talk about how you might use splunk and, and internally to help with security?

Mikhail: So Splunk provides us the ability to process a lot of big data, right? Whether it be logs ingests from other tools and then analyze them and provide us with both the, the focus that we need to act on particular events and the automation that we need to help process through many events, right? Or many activities that we see. And additionally, there are multiple tools that have eased our cybersecurity Operations Center's ability to, to be effective.

I mean, I attack analyzer is an example where we're utilizing the the both the A I capability, the machine learning capability that Splunk has. And then he is able to present to us in a way that we can consume it and take action on it efficiently that, that, that's a tremendous benefit of, of being a customer and it just to expand on, on that a little bit and it just doesn't necessarily have to be about its funk.

But III I think one of the things I really think about a lot is, you know, given that we don't have enough humans to go through data and to deal with each particular issue as arises, the role of automation can, can you talk a little bit about how kind it uses automation and a and its importance in inside, you know, it could be, it could be use of.

Paul: So it, it could be, you know, other forms of how to, how do you converge data? I know Splunk may be a part of that, but just in general, I think automation is a pretty important role in security today.

Mikhail: And we actually do use sp spunk for our SOAR capability. The, the challenge that we try to solve with with that function is the multiple manual steps that our staff needs to perform for specific workflows. And the it's actually not easy. Regardless of which source platform you that anyone uses, right? It is very critical to understand the value proposition of the playbooks and creating the proper maps and the proper workflows to automate and then ensuring that those automations don't necessarily automate in the wrong direction because sometimes you can automate the wrong thing and you, your goal is to actually improve the efficiency of your team.

So, we always try to evaluate the work flows that are necessary And then automate those things that are beneficial. We don't wanna do automation for automation sake. So, so in the end, we have to always analyze which workflows need to be automated to to improve the efficiency of the SOC. Because sometimes if you automate the wrong thing, you will actually get more manual work, which sounds not intuitive but that it's always a balance.

Paul: Yeah, I I agree that eat as much as automation might, you know, the blood is a necessary piece in order to maintain security. It's, you gotta make sure automation is so to speak, doing the right thing. And that's maybe a maybe a good way to, you know, talk a little bit about a, I, I think I would be remiss if we didn't talk about A I at all. It seems to be all that, all the jabber that's out there. Where does, where does A I, you know, fit for you all? And that can be how you look out from a threat perspective and it also could be how it works from an internal perspective.

Mikhail: So I'll, I'll talk about it, I guess in two ways, one way is from a, from a tooling perspective and A I is not necessarily new, right? So even in your in your capabilities that you provide, you utilize machine learning all the time, right to, to give us to give us those trends and, and kind of again, help us focus on the right things.

The the challenge with A I right now is that it has become readily available to, to pretty much anyone. And some A I solutions are what's called public and some are private, I think in today's world whether it's A I for security or A I for operations, we just need to make sure that the business use cases are well defined and that, that data protections inherent to the use of A I are implemented correctly where we have tendency for the data that we share with the A I provider if you will, right.

So in those instances where the A I is captured within a tool such as Splunk, right? So the data is clearly within our tenant. But in other cases, A I capability needs to be curated to to an organization's users so that the data is maintained within the bounds of the organization, I think, I think it's, it's critical that the risk of data loss and the threat of data loss is significant.

And when we think about, let's say adversarial use of A I, yes, there are cases that worry me and some more than others. impersonation is a concern, of course. But just social engineering in general, let's say, oftentimes I hear that the phishing emails are gonna get better. I assume that the phishing emails are already the best that they are. I don't think you needed A I for that capability. It's again, just more available for others where there may have been a language barrier before and there will be less of one now. But our protections need to be built for the most targeted social engineering attempts.

Paul: Thanks for that background. I, you know, for our part, you know, it's not the way we look at A I is, you know, we want to do it in partnership with our customers and you know, what are the needs and uses that the customers are identifying. We have, you know, we have a, a copilot that's out there that, that does does assist our customers. And as you like, as you excuse me, as you said, we've been using machine learning for some time.

One of the things I'd I'd like to try to do is backs step a little bit to collect defense. And this happens to be an area that I've spent a lot of time on. , in fact, when I came to,,, to spunk, I, I came,, from Splunk after starting a company called TruStar and TruStar was in the,, intelligence management business. And we really wanted to, you know, promote information sharing.

And lots of times I think we, we hear that in, you know, information sharing is a zero sum game. You know, I give up something and I don't necessarily get anything in return and, you know, I'd like to speak to it, you know, I, I believe it's actually a non zero sum game that, you know, the, the collective, if it's really truly working together, everybody wins, at least in some, in some small part.

Could, could you expand a little bit on when you think about collective defense, you know, how that is enabling the broader critical infrastructure to broader energy infrastructure and power generation infrastructure as you, as you work with, with partners and just in general, you know, philosophically, well, how far do you think we are in a continuum of really working together across across the sector?

Mikhail: Sure. And Paul, excellent question. And this is very, very close to my heart because I, I try to get multiple collective defense efforts kind of moving across the industry. One such effort that I'll highlight is our partnership with the EISAC. So obviously, for different critical infrastructure sectors, there are different is a s and I encourage everyone to, to work and engage with their is a for, for that, let's call it the the ground floor of information sharing.

Oh, but we, we took it a step further. There is actually a partnership with the government and the is a and industry where there is a cyber risk information sharing program, it's called Crisp. and participants in that program actually do share both threat intel. And sure, I'm gonna say live analytics or close to live analytics to, to, to get that, that awareness across the industry. I it's a, it's a tremendous effort and again that it, it's one of the best examples of both industry to industry and industry with government information sharing.

The there are other many programs which we, we can engage or anyone can engage with the critical infrastructure sector. Once such, I, I'll highlight CIA cyber hygiene and other services that they provide more or less free of charge. And that, that boosts everybody's capability, right? And I mean, that's not free of charge. I mean, we pay our taxes, but the, the value proposition is that the government cares and and they are absolutely supportive of our efforts and specifically within cybersecurity. I would say that lately I in, in the past few years, the the sharing from the government to the private sector has been much more detailed, much more active and actually consistent of a lot of guidance and expectations which was less so before.

So I'm, I'm very, very happy to see that additional engagement from the government to share with the private industry. And likewise, I'm seeing sharing across multiple organizations within the sector, across the sector and even in kind of like that, that local and state level, we have partnerships and let's call them trust, circles of trust where we communicate with other utilities. And we also communicate with our partners in New York City Cyber command as an example, right? Those open conversations or sometimes they're closed conversations on their NDA. That's by the way, the best way to share if you have an NDA with someone. But where it's relevant, we gotta, we gotta come at this as a team sport. It's not everybody for themselves.

Paul: Yeah, I at the risk of having this being cut out from the podcast, there's a movie out there called The Arrival. I don't know if you've ever heard of it. But it's a sci fi flick. It came out, it came out several years ago where, you know, the aliens come down, come down to earth and, and so to speak, you know, land in 12 different locations and, and everybody aspires to, you know, take on the aliens. But on the aliens are actually trying to help and the only way they can solve the problem is by in working to save the planet, so to speak is by working together.

Mikhail: Well, just like the new movie reference that you, you mentioned where you had to work together the utilities have a concept of mutual assistance and that actually gets enacted when a storm that comes in is, is bigger than anyone utility can handle or, or in general that we need, we need to bring electric service back up as soon as possible.

So, we rely on the relationships we have with the other utilities to actually come and help in case of need and likewise, we are ready to help one other's need. That same concept has now been translated And in cyber security defense as well. And so this is a great time to be a, a part of collective defense efforts. We're making great strikes.

Paul: Yeah, it, it's it's super, it's super heartening to hear how far you know, we'd come along and the first time I was introduced to the whole idea of information sharing to date myself was 1999 in the wake of PDD 63. where we started trying to, you know, pull each sector together to wrap up here. You know, for, for the everyday listener who might be out there, who cares about? Well, how do I improve my own security? Do you have any advice in your, in your role? What can they do to you know, help improve their vulnerability and, and, and, and make themselves more secure?

Mikhail: There, there, there are a couple of things that I'll say, well, and, and I always try to articulate kind of my cybersecurity strategy as defense in depth and defense and breadth, which means multiple layers of defense and then a different controls at each layer. So multiple controls, right? So that's defense and breadth and as, as we build out those defenses and as people consider the different controls to utilize. I'm a big proponent of multi factor authentication and you will see the government guidance actually providing that recommendation over and over again in pretty much any publication.

It, it is, it is a, a good mechanism and I'd say, don't use it just once, use it at multiple defense layers within the organization. And the other thing that I'll, I'll say is people don't often translate the corporate level controls to their personal lives. But I would say that even as personal individuals that may be listening to to this podcast, I would urge them to think about which services are important enough to you where it will be painful to lose them or to have them be compromised.

And I would say go and evaluate whether you have multi factor authentication deployed on those services, whether that be a credit card or linkedin or other interesting or rather important function that you use day to day. oftentimes multi factor is available, but it's not readily advertised as, as I've seen for, for, for different applications, but it is there and I encourage everyone to I encourage everyone to adopt that policy for those functions that are critical to them.

Paul: Yeah, I think, I think that's super important. And then, and a little bird told me about a week and a half ago, it might be good to put multi factor authentication in on linkedin. I checked that box.

Mikhail: That’s excellent, Paul. I’m very happy. 

Cory: Thanks for listening to this Perspectives podcast by Splunk. Be sure to subscribe to this show on whatever platform you're currently using.

Speaking of podcasts, you should also check out the security detail podcast by Audra Streetman and Kirsty Payne. They explore cyber threats across a variety of industries with some of the most trusted names in cybersecurity and don't forget to check out for blogs, featuring the latest executive takes on today's security and technology topics by leaders and four leaders. Thanks for listening.

Read more Perspectives by Splunk

December 8, 2023 • 19 minute watch

Improving Global Cyber Defense Starts With Trust

Perspectives Podcast: Executive highlights from the World Economic Forum’s Annual Meeting on Cybersecurity.

MARCH 4, 2024 • 4 minute read

On Road Maps, Strong Board Relationships and Passionate Security Teams: A Q&A with Soriana CISO Sergio Gonzalez

The Chief Information Security Officer of one of Mexico’s largest grocery chains weighs in on the key ingredient for a successful security team, managing risk and more.

February 9, 2024 • 4 minute read

5 Ingredients for a Robust Cybersecurity Culture

What it takes to help every part of your organization understand the function and value of security.