On the 8th episode of Enterprise Software Defenders, hosts Evan Reiser and Mike Britton, both executives at Abnormal Security, talk with John Hoyt, Chief Information Security Officer at Clemson University. As a college and premier research institution founded in 1889, Clemson has over 28,000 students, nearly 6,000 faculty and staff, and operates a small city - leading to complex security and technology challenges. In this conversation, John discusses unique security requirements at Clemson, the evolving role of AI in cybersecurity, and the transformative potential of AI in academia.
Quick hits from John:
On the unique security requirements at Clemson: “It's a small city. We do have everything going on. You have researchers and students that live on your network. You have a power plant, you have water treatment, you have a police department, you've got everything. And you are trying to secure all of that and keep tabs on it.”
On AI’s potential to help with threat detection on larger networks: “So how do you keep up with all those pieces to look for unusual patterns? You have to understand what normal is. And it helps you to be like a human intrusion detection engine. When you know, you have looked at these logs a thousand times and so “this” log stands out. And having AI help you with that for your organization is a bit scary, but I do think it is possible already. It is just something connecting those dots to help you.”
On AI’s ability to give defenders an upper hand: “I think that we can get into setting traps for adversaries, like honeypots. It gets me excited the more we can do that. I've done a bit of that with some of these folks that are trying to scam our students. I sent them some documents with canary tokens, those are really interesting. AI could help us enhance that because it's a pain to manage and troubleshoot those things. But I like the proactive defense, where you're not just waiting for the bad thing to happen.”
Book Recommendation: Storyworthy by Matthew Dicks
Evan Reiser: Hi there and welcome to Enterprise Software Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyber attacks. In each episode, Fortune 500 CISOs share how the threat landscape has changed due to the cloud, real-world examples of modern attacks and the role AI can play in the future of cybersecurity.
I'm Evan Reiser, the CEO and founder of Abnormal Security.
Mike Britton: And I’m Mike Britton, the CISO of Abnormal Security.
Evan: Today on the show, we’re bringing you a conversation with John Hoyt, chief information security officer at Clemson University. As a college and premier research institution founded in 1889, Clemson University has over 28,000 students, nearly 6,000 faculty and staff and operates as a small city - leading to complex security and technology challenges. In this conversation, John discusses unique security requirements at Clemson, the evolving role of AI in cybersecurity, and the transformative potential for AI in academia.
Maybe kick us off. Can you tell us a little bit about your role at Clemson?
John Hoyt: Yeah. So I am the chief information security officer for Clemson University, um, located in Clemson, South Carolina. I get questions like, are you really in charge of all the information security for the university? Because we're, as part of I.T. they kind of see us in that bucket and like, no, really we are responsible for all the security for the university. That's everything. The policies, the compliance, monitoring, detection, all the gambit, all the good stuff.
Mike: So, one of the things that I'm always interested in is understanding what's a unique aspect of your cybersecurity program at Clemson that someone outside of higher ed might not appreciate?
John: One thing, it's a small city. We do have everything going on, you've got researchers, you've got students that live on your network. You've got a power plant, you've got water treatment, you've got a police department, you've got, you've got everything. And you, you've got all that you're trying to secure and keep tabs on.
And I've got an interesting story that kind of highlights that with a student. And a lot of people think that students must be hacking your stuff all the time. Fortunately, knock on wood, that's not really the case. But, one evening, one afternoon, actually. One of my students that worked for us as an intern in our SOC, he let us know that Clemson was on Brian Krebs, Krebs on Security's blog, and I was like, wait a minute.
What? You know, and, uh, he, sure enough, it was a story about this, this student who was a student, current student at Clemson, had interacted with him, and Brian had written an article about DDoS Extortion services, service providers. And this kid was like a co owner of this company that were like, kind of like the mafia, you know, it's like, hey, you know, we'll protect you, but we're also the ones that are doing the knocking you over.
And this kid was interacting with, with Brian Krebs and he got irritated with Brian and ended up DDoSing Brian off of Skype, which was like phase one. And then he ended up, like Brian Krebs had, Krebs on Security had like the largest DDoS attack ever on his network, on his site. And he was offline. This was like 600 gigs.
This is like, came later was the Mirai botnet related attack. Well, I was like, wait a minute, is this happening on our network? Did this kid, is he doing this on our network? What happened? We investigated, looked into it. Fortunately, he had not done anything at Clemson. And he ended up actually getting arrested because I was thinking about his name sounded familiar and he had actually kind of hacked into one of our websites at Clemson and it was, it was innocent enough at the time, but there were some dots connected there like, wait, wait a minute, maybe he did something here and he did something at Clemson.
And so the police department went and took all his stuff, put him in jail, and then found out later that he'd kind of already been working with some three-letter agencies. He wasn't the big fish, right? He was just a kid that was mixed up with the wrong folks. So fortunately, they slapped him on the wrist, but it was a, it was definitely an interesting day.
Fortunately, I haven't had many of those happen, but that was one that changed things up.
Evan: I appreciate you sharing the story and, um, I've heard somewhat similar stories from other, you know, CISOs that work in higher education. And that's the thing that's been, um, you know, me coming from the more commercial side.
I think it's been most impressive for me. It's like, It's not like you're just protecting like one organization, right? It's like a whole city, right? You got the, like I said, the power plant and the police department. And, uh, the scope is probably a lot bigger than most people realize. They just think about students. They forget about faculty and the research components and, you know, all the other different facets that make the university a university.
John: When I came, like, from corporate, I realized quickly that faculty were the secret sauce, right? And they were like, you couldn't just go tell them, no. And I was like, wait a minute, you know, we can't just go put all these things in that we could do in corporate.
And so it's not quite that simple, but yeah, that was an eye-opening moment for me.
Evan: Do you mind talking a little bit about, um, you know, how the, you know, security program or kind of threat landscape has changed right over the last, maybe, five, 10 years, just with the rise of cloud software and, you know, SaaS applications. I imagine, you know, what your program looks like today is probably a lot different than it did, you know, 10 years ago when you were there.
John: Yeah, it's interesting. We are kind of behind when it comes to the cloud and SaaS. Our CTO, probably about three or four years ago, put the hand up and said, hold up, we are a cloud, we can be the cloud. And then, you know, there's some truth to that. It was interesting, but the train was on the tracks, like, this is what we got to get ready.
We got to figure out how we're going to do security in the cloud. And then it derailed. But now the train is back on the tracks, right? SaaS is the new hotness for us, and the cloud is on the train. I think there's some advantages to that. We're able to kind of learn a little bit from the experiences of others that have gone through this and have had to figure this out.
It's still new to us. So I'm in these meetings where we're reviewing the contracts, right. For the SaaS providers, which is good. It's good that we're in those conversations, but, it's about the data, right? Where's the data? The, um, the spice must flow, the data's everywhere, and how do you keep eyes on it?
Mike: So as you guys are making this journey to SaaS and, and cloud and everything, where do you feel you're going to need to make some additional investments in your security program that are going to provide some disproportionate value to protect against these new threats for you?
John: I think that I kind of have the plumber mentality, that focusing on the fundamentals, focusing on what we know the base, the bedrock of security, and trying just to keep those and do a really good job with those fundamentals. No matter what the new, newness is, right, just trying to use that and use those principles to apply to those same areas.
It is new and it's different, but I think if you can focus on that, it'll keep you on the straight path. And then I think investing and continue to invest in training and your people, and in tools that can help your folks be more proactive, right? If there's tools that do help reduce the lag and the alerts and things like that, that can help you be more proactive. I kind of call it checking the doors and handles on the doors and the, and the windows at night, right? I still go and check all my doors before bedtime, it's just a habit I have. But I think that the more you can be in that mode, the proactive mode, the default aggressive mode, the better. So anything that can help you do that and be that.
Mike: And I imagine with researchers and students and faculty and a variety of constituents, there's probably always a demand for new technology, the latest and greatest, whatever is out there. How do you, how do you kind of keep up with that demand from all the different groups as well?
John: Yeah, that is definitely a challenge. Researchers are, they want to do the newest. Like, for example, AI, right, they want to be in our researching AI. And so we are just trying to be in the conversation, talk to them about data security and privacy and try to give them good information. I mean, some universities, they're building out their own private AI environment.
We're not there. But mainly in the, in the purchasing part of it, when, if you can be in that decision tree when folks are going out to purchase new whatever, and not that you're trying to be a roadblock, but you're there to understand what data is going to be there, what data classification, you know, are they doing the appropriate security controls? I think that's a good mechanism that we try to take advantage of is like the step process of, you know, you, you're going to go buy this new thing. Well, let's make sure that we're, we're on the line.
Evan: Obviously, like, you know, you can't be a cybersecurity vendor, right, in 2023 without, you know, layering on a lot of, you know, AI messaging. The other kind of theme I've heard from some of our customers is, like for all the reasons we're excited for the world to use AI for all the productivity reasons, right?
All those benefits are also benefits that criminals can take advantage of. How do you see that kind of playing out in security and what implications are there for, you know, in terms of how you think about your, how your security program evolves over the next year or two or three, right? Just to combat these criminals and now have, you know, way better tools and technologies.
John: Yeah, I think it needs to be in step. You know, we're always a little bit behind the adversaries, but I think the awareness of it, just being aware of it, trying to keep tabs on what the new trends are, it's going to push us to move into to adapt, right?
So trying our best to do that.
Mike: So along those same lines, have you seen any or heard of any recent attacks that you thought were pretty innovative or unexpected?
John: I think the thing that scares me is voice cloning AI. There's a recent article on CNN about scammers using that to impersonate kids and have it call the parents and say, hey, somebody's got me, I messed up, then, then the guy gets on the line and he's like, yep, send, send us a million dollars or whatever. Right. And it sounds like you're your son or daughter. And of course you're going to freak out. I don't think that's going to be too difficult. I mean, we see all the time, the impersonation attacks either from people impersonating faculty, but I think it's going to be easier to impersonate the president, other executive leadership who have more data that's out there that they can go use to, to create things like, voice cloning. And the easy button I've seen that works, unfortunately, it's just somebody impersonating the president or an executive and says, Hey, you know, are you available?
Right. And people were like, yes, I'm here. And imagine you get a phone call and it's the president and he's talking to you and he's like, Hey, you know, I need some gift cards. I don't, I don't, whatever. Right. I mean, um, but I think that's definitely, that's coming. Unfortunately.
Evan: John, just one, one follow up question to, to what Mike said. We're going some direction, right? And I think all, all three of us are nervous about how criminals will start using more of these new technologies, whether it's AI or workforms or automation.
Help us like fast forward a little bit to the future, right? If we're like, we're talking again in three years, right? Or five years, right? When it comes to like the security program, what things become like more important to focus on? What's less important? Like what are some of the trends there and how does that affect your strategy or kind of your roadmap for your team?
John: Yeah, with AI too, there's already practical uses for that, right?
Like create me a script or interpret this script. Look at this error, this log message and help me decipher it. That's stuff that we, we can use and use today, right? That's, that's real actual use cases for that. I think big scale. It's funny. I was listening to a podcast, uh, Tim Ferriss. And he had, uh, John Romero on there from the creator of ID Software co founder that created Doom and Doom was like my very first video game ever, but he was talking about how video game AI, and, um, this is very big brother, but like how they use video game AI to kind of control all the, the NPCs, the non player characters in the game, and they know what they're supposed to do and here's the rules.
And I was like, wow, what if, what if AI was used to kind of monitor an entire organization and what's normal, right? Like, oh, wait a minute, this person's doing something they shouldn't do as if it, not, this is the matrix, but right, like a big video game and you have AI who knows the rules and they're trained and it's your AI, whatever.
I don't think that's too, too crazy anymore. It used to be like, no, that's, that would be super science fiction. But, um, I don't, I don't know. We'll see.
Mike: See, we talked about how threat actors are using AI, and you even mentioned some possible uses of AI on the defender side. How do you kind of go about and assess and look and see, you know, these particular areas in my program would be great to find a solution that leverages AI, or kind of walk us through, how do you figure out where to use new technologies and where to use AI in defending Clemson?
John: So, I was fortunate enough to go on a trip to Israel for Cyber Week, and I'd never been there before. I was really impressed with just the cyber capabilities. I mean, you kind of heard about it, but to see it firsthand. Of course, like you said, Evan, everything has AI baked in and they're so, they're such an entrepreneurial society.
Like all they do is like you go in the military, you get out and you're going to start a company and there's startups everywhere, but it's potentially a bubble, right? Where it's going to, everybody's going to have it. So how do you evaluate what's actual useful for you as a new tool set? I do think it's, you know, just the stress test, just the, hey, how is this gonna, how does this actually work for us? There's a lot of that. It's got it, it's built into it, but does it actually function? Does it work? Does it make your life easier? I used to be like, this is so far out, we're not going to see a real legit tool anytime soon.
I believed in it, but I didn't really believe it until I recent, and knew that that's, okay, no, this actually does make a difference and does help us. So I think this is, sticking to those fundamentals and like, hey, how does this help us achieve our goals to find bad things faster and be more proactive, right?
And just stick to those.
Mike: And when you think of these advancements, John, how do you think it's gonna shape the cybersecurity workforce? When are you going to have to kind of change your hiring practices or what do you think that impact is going to be?
John: I think that it's going to be another tool in the toolbox that you want to expose. So we work with students. We have a student run SOC, which is cool because we've had that since 2016. They intern with us and they work with us and then we try to keep them if we can. They go make big money, but we try to keep them. But like, I think it would be optimal if as they're in at work, if they're working with us, they're able to get that experience while they're in school as much as possible.
I do think, like you mentioned, Evan, universities are a slow behemoth, right? Change is not, it's not fast. So adding and updating curriculum is not simple. But I do think the universities that are going to succeed are going to connect the two. They're going to see cybersecurity and AI. Hey, let's make a course.
Let's build something here and use both of these and prepare these students for careers, especially in cybersecurity. I mean, imagine looking and you're looking through resumes and you're like, look, you had projects and you were working with AI and, and we already have all this stuff, that this is what the cool thing about a university, you've got researchers that are doing next level AI research. You've got your students right there. You've got cybersecurity combining all the three.
Evan: So John, looking for your kind of like contrarian view here. My question is, what do you think will be true about AI's impact on cybersecurity that most people would disagree with or most people think is maybe science fiction today?
John: Kind of going back to what I said before, well, is it possible to have an AI that monitors everybody and everything and looks for that weird, we're doing this already, right? We're doing our your EDR is like you, you never type these commands, right? You never use Nmap. What if you're scaling that up? And we're doing it in email, we're doing you're doing it in different pieces.
But if you connected all those to the Skynet master brain, right? And you're, looking for unusual activity because you can't do it, everybody's everywhere. They're remote. They're on campus, with our people, they're all over the world. So how do you keep up with that? And with SaaS, they're logging in, they're not coming into you first, they're going straight to that.
So how do you keep up with that to keep all those pieces together to look for the unusual, which I do fall back on tremendously all the time. You have to understand what normal is. And it helps you to be like a human intrusion detection engine. You know, you're like, I've looked at these logs a thousand times.
And so this log stands out. Right. And having AI help you with that for your organization. It's a little bit scary, but I do think it's possible really already. It's just somebody connecting those dots to help you.
Evan: Is your kind of hypothesis there that if you look how, your SOC is working or how you handle forensics or incident response, you're like, essentially, I have a bunch of humans that are going through all this stuff and looking at behaviors and then making their own judgments that, hey, this looks weird, right?
It's not what I've seen before. And is your kind of hypothesis that, hey, well, if the team is doing that today, if you're not, if I got it, you know, my, my human team today doing that with the data I have, certainly that same data could be analyzed by an AI in the future to kind of get to a similar impact is, is, is that kind of like, you know, how you're thinking about it or maybe something else?
John: Yeah, I think so. I think it's, um, today, right? It's logs and alerts. I think it's the scientific piece of the science fiction piece of that is the other everything that you're not looking at in a SOC. Maybe. That's the more future outlook on that.
Evan: What we'd like to do at the end, just do kind of a quick lightning round, just get some of your quick, one tweet takes. Mike, do you want to kick it off for us? We've got three questions.
Mike: Sure. So, John, what's the one piece of advice you would give to someone stepping into their first CISO role at a university?
John: I would say work to build those relationships with leadership. The more you can get their buy in and their understanding in across the board, the better it's going to help you. And it sounds like a given, but it really makes a tremendous difference when you have their support and that you have their backing and they understand the risk. If you can get on the same page and be there as an advocate for them, then it's huge.
Evan: What would be your advice for one of your peers who's a CISO or a kind of security architect or an aspiring security analyst who wants to kind of just get up to date latest technology, how do they stay up to date?
John: I'm a hands on person. I think get in there, get dirty, right? There's so many things I wish I had when I was coming into security that you can play with, right? There's so many, many, many things that you can get in there and just start it up, fire it up, do all the things that are out there. Stand up your own server.
All those good things, I think, are legit because people that are getting into security today. I see it from our students, they don't have the, the hop to I.T. and then security because the need is so big, they go straight to security. So they miss, there's a gap there of actual I.T. work where, you know, like, databases and networking and system administration, um, you miss that.
But I think those are super important because those are the groups that you're working with side by side to help them out.
Mike: So, John, on a personal side, what's a book that you've read recently, or maybe even an audiobook you've listened to, that's had a big impact on you and, and why?
John: Storyworthy by Matthew Dicks is an amazing book. Everybody talks about storytelling. And nobody actually gives good, I think my opinion, practical advice on what that is and how to actually do good storytelling. And he's like very like, he has a good opinion. He has an opinion. He doesn't keep it willy nilly. He's like, this is what you should do. This is what you should not do. And that was like, really been eye-opening for me. It's amazing.
Evan: What up and coming technology are you most personally excited about? Could be in or out of security.
John: The more I, I think that we can get into setting traps for adversaries, like honeypot like things.
I just like that a lot. It gets me excited when I, when the more we can do that. I've done a little bit of that with some of these folks that are trying to scam our students. Sent them some documents with like, I think it's canary tokens, right? And like, oh, I see where you are, right? I think those are really interesting.
And I think maybe AI could help us enhance that because it's a pain to deal and manage and to troubleshoot and all those things. But I really like just the proactive defense, right, where you're not just waiting for the bad thing to happen.
Evan: John, thank you so much for joining. It's been a pleasure to talk to you as always and looking forward to chatting again soon. That was John Hoyt, chief information security officer at Clemson University.
Mike: Thanks for listening to the Enterprise Software Defenders. I'm Mike Britton, the CISO of Abnormal Security.
Evan: And I’m Evan Reiser, the CEO and founder of Abnormal Security. Please be sure to subscribe so you never miss an episode. You can always find more great lessons from technology leaders and other enterprise software experts at enterprisesoftware.blog.
Mike: This show is produced by Josh Meer. See you next time.