Microsoft CTO Avi Yoshi discusses emerging threats and the challenges of cloud migration.
This week, we welcome Avi Yoshi, CTO and Solution Sales Leader for Microsoft Israel. With over two decades of experience in IT, Avi’s passion lies in harnessing technology to drive innovation and foster positive change.
In this episode of Speed Data, Avi discusses the biggest threats on the horizon, including AI-enabled attacks and data poisoning, why migrating to the cloud is more challenging than you’d think, and why mastering the cybersecurity basics can be the biggest weapon in your security arsenal.
#Microsoft #Cybersecurity #CISO
Speed Data: Avi Yoshi
[00:00:00]
Megan Garza: Welcome to Speed Data, quick conversations with cybersecurity leaders. I'm your host, Megan Garza. I'm excited to welcome Avi Yoshi, CTO and Solutions Sales Leader for Microsoft Israel.
Megan Garza: Thank you so much for being on the show, Avi.
Avi Yoshi: Thank you, Megan. I'm very excited to participate in the show, and I hope that our audience will have a good time.
Megan Garza: I know they will. With over two decades of experience in the IT industry, Avi's passion lies in harnessing technology's potential to drive innovation and foster positive change in our rapidly evolving world. Avi guides organizations through the complexities of public and hybrid clouds, ensuring they maximize their potential, and uses the transformative power of generative AI to create intelligent data driven solutions.
Megan Garza: Avi bridges the gap between technical and non technical stakeholders, [00:01:00] ensuring seamless communication and collaboration, and is skilled in data and application security, data analytics, endpoint protection, and application modernization. Avi, how did you get started in cloud security?
Avi Yoshi:
Avi Yoshi: Yeah, I'm too old, so probably I'll not remember all the details, so, uh, but I will try to, you know, to bring the most important one. I started, by the way, being as a simple networking technician. Okay, this was my real background, so I was very experienced in networking. But then, quite fast I moved to network security.
Avi Yoshi: It was, you know, somewhat a natural movement for me. So this is where I, you know, I exposed myself to Firewall, to IDS, to DDoS. So I learned all the network security, in depth. because it was correlated to my networking experience. And I think that, uh, later on, I, in my career, I moved to, um, private cloud company.
Avi Yoshi: It was VMware that, um, when moving to VMware, I exposed mostly to [00:02:00] virtualization, and then, you know, shifting towards security in the landscape of, uh, compute or virtualization compute. So Moved beyond the network and security and Bimmer was a player in that promote private cloud technology. So this is where I also develop myself to cloud security and of course in the last three years being the CTO at Microsoft Israel, which is a public cloud putting lot of my time around cloud security in many, many Aspects, uh, if it's, uh, infrasecurity, data security, endpoint, servers, uh, really, in Microsoft, I'm enjoying, you know, touching a very wide, broader of technology aspects due to the fact that Microsoft is playing mostly around everything, uh, in the tech area and the solution areas, uh, that we're providing to our customers.
Avi Yoshi: So, and in every angle. By the way, including CRA, MERP, and local [00:03:00] NOCOD, I find myself investing many of the times around regulation, compliance, and security. So probably it's every day and every hour I'm dealing with security stuff.
Megan Garza: Yeah. And speaking of cloud security, what do you think most organizations misunderstand about cloud security?
Avi Yoshi: Yeah, so, I was in, you know, in, two side of the court. So I, came from the on-prem, um, side when I work, uh, at, Vier mainly. So I worked with the IT that provided solutions and system for the on-prem. So I was used to see how they are working with security controls within their on-prem.
Avi Yoshi: And now that I'm in and in Microsoft trying to migrate those customer to the public cloud, I see that, you know, the customer are trying. To mimic and replicate, not just the same technologies and solutions, but somewhat the same methodologies. Um, from the on prem to the cloud, which is [00:04:00] Unfortunately, cannot be mimicked, um, it's not the same.
Avi Yoshi: I think the main, main principle that, um, you know, security, um, operations needs to understand when moving to cloud, this is a shared responsibility ecosystem when you are moving to the public cloud. You need to know that you will not control 100 percent of the asset because Partly, it's a shared responsibility with the cloud provider, with the hyperscaler, that taking some controls, um, on your, I would say ecosystem or environments, because the cloud provider needs to protect his environment too, and is also obligated, uh, to put the controls on the infrastructure, uh, where the customer are not exposed, because they are not owning the infrastructure.
Avi Yoshi: The end to end infrastructure. I think this is the main gap that I see because by not, um, you know, understanding this philosophy that yeah, it's a shared responsibility and let's, you know, Let's understand what I need to do and what the hyperscaler is [00:05:00] doing, and I need to, um, put my, um, my faith with the hyperscaler also.
Megan Garza: Yeah. If you would just assume that your SaaS provider or IaaS provider is going to take care of everything and you don't have to worry about securing any of the data, that can be problematic.
Avi Yoshi: I do agree. I do agree.
Megan Garza: And what do you foresee as the biggest threat or risk to cybersecurity on the horizon?
Avi Yoshi: Oh wow, I think that this is a very important question because maybe if you will ask me the same question in two weeks from now or one month from now, maybe we will add additional, I would say, threats to the list, because yeah, this, um, you know, this domain is really involving, I see it in a bold sense.
Avi Yoshi: Unfortunately, we see huge involvement on the bad guys. That, you know, always find new methods and new tools to overcome our fences and mitigations that we want to do. So this is one hand that we also always need to be on watch. And the second thing, I think that also a [00:06:00] lot of innovation and re innovation around the cyber security defense.
Avi Yoshi: Especially with the AI. But if I need to list at least the biggest threat that I see currently, you know, in high risk in this area, the AI enabled data, I think this is something that every organization, every CISO, even organizations that just, you know, thinking about AI, using AI, or implementing AI, something that, uh, look, um, in a way, what the attackers will do with such, let's call it, weapon in their hands.
I think that now, phishing involved with the AI can be much more sophisticated, that the AI can really mimic Very smart phishing attacks.
Avi Yoshi: So now it's become even more, I would say, important. Data poisoning is an area that I think that many customers do concern. I think that also Varonis is playing a huge, huge [00:07:00] role in data protection, and I'm sure that Megan, you see the same about those risks of data poisoning. It's not just data poisoning.
Avi Yoshi: Grabbing my data or stealing my data is actually manipulating my data, my training data for AI, and then the attacker can manipulate the outcome without stealing the data. So this is a very concerned topic, uh, that I see. And I think that the most one that I see as an uplift is the nation state actors that are playing out there.
Avi Yoshi: And this is very, I would say, important stuff because if a nation wants to, nation attack or nation state actors wants to attack not just countries, but But also institute, very important institute, I think that this is something that, you know, they have the time, they have the resources, there's the sophistication.
Avi Yoshi: And I think, you know, um, um, such organization needs to, to look for, uh, very broader defense mechanism.
Megan Garza: So then what is the best way to defend against an AI driven attack?
Avi Yoshi: So I think that, you know, at the end, it all [00:08:00] starts with hygiene. So, not, of course we understand what, why hygiene is important in, in real life, but hygiene in cyber security is, I think that starting from hygiene. Patching and updating regularly, okay, with system. I think that this is the most important.
Avi Yoshi: Always keep your software up to date It's it's like sound, you know, very common. Of course, I need to patch and I need to update. It makes sense But not all organization are excel in that domain. I think that starting and being very Obsessed around this, um, uh, patching and updating is something that, uh, at least, uh, is the top in my list.
Avi Yoshi: authentication is the second one. We see, we, we see in Microsoft huge, um, I would say, uh, increase in, uh, password attack, um, um, area. Um, the number of attacks around the identity and password, uh, stolen passwords is in rise. And I think that, [00:09:00] um, customer needs to take into consideration the, multi factor authentication for every service and for every application.
Avi Yoshi: And even for the old application, I do see that, you know, customer says, okay, for my next generation application, SaaS application, yeah, MFA, but what will I do with my 20 years old system that is not supporting MFA? There are solutions, there are technologies in place that can also bring MFA to those kind of, old legacy systems.
Megan Garza: And like you said, sometimes it's as simple as just the basics, you know, patching, MFA, the things that you might take for granted that, oh, everybody already knows that, but to your point, they don't always do that. So, what advice do you have for other security leaders on first steps when discovering a vulnerability or exploit attempt?
Avi Yoshi: First run. Run and hide. Maybe someone else will take it. No, I'm just kidding. Um, I can, you know, give some examples, but I think [00:10:00] that at the end, you know, at least when I meeting CISOs and, you know, security leaders, I think that, um, they are quite focused, and, and I think that they are putting this as the first priority in their organization, so I'm quite relaxed when I'm meeting those kind of, um, of leaders, but I think that the main thing that I see is, of course, assess the situation.
Avi Yoshi: We know the, nose to ratio. Uh, so we don't need to, you know, every, event or incident that, that is coming into soc, the soc room needs to alert the entire, uh, organization because at the end it'll be, you know, false alarms and, and, and probably. We'll miss the real stuff. So this is one to assess the situation in real because you need to pay focus on what is really happening and not on the white noise.
Megan Garza: And what skills make security professionals great at what they do?
Avi Yoshi: I think that, you know, uh, the skill is that, um, if after 20 years of, dealing with [00:11:00] security attacks and all the pressure, they are still in the, in that role. I guess they have the right, uh, recipe, uh, for being security professionals. But I think that analytical thinking is, uh, is a must have, um, skills, uh, in, in the security area.
Avi Yoshi: Because, you know, in that, uh, security, the involvement of a very smart attack and advanced attacks, you need to analyze complex situation. In order to really understand between all the noise, and to isolate between all the noise, the real event or the real incident. So it's a complex situation where the attacker is always trying to be very unique and to create attacks that has never seen before.
Avi Yoshi: And the defenders, those security professionals, needs always to be, you know, in advance of analytical thinking. I think it's something that is very important, collaboration or teamwork. You are not, uh, you know, uh, security is a team effort and, uh, we need to play as a team in order to gain [00:12:00] advantage over, those attackers.
Avi Yoshi: Uh, attention to details, uh, I think that, uh, this is where, uh, and it's always a correlate with the analytical thinking, I think, I think it's go together. And adaptability, I think, you know, staying current and, and adjusting, because it's an evolving area. Okay, new attacks, new technology, new defense, so, you need to be very adaptive because this is not a stagnation area that, you know, once I did some, I know something for 10 years, this is what I need to know and that's it.
Avi Yoshi: Uh, you need to evolve and adapt yourself to changes.
Megan Garza: Yeah, it's constantly changing.
Avi Yoshi: I agree.
Megan Garza: Can you share the one thing that you wish future cyber security professionals knew?
Avi Yoshi: Wow, I think, you know, answering that in advance, the future. I think that, again, importance of continuous learning. I think that this is the really important stuff, um, because if you know the back, if your background is quite solid, okay, but you are, uh, continuously [00:13:00] learning. If it's through intelligence, if it's, uh, what new threats are coming and learning, uh, from others, what there was exposed, and you're bringing this, you know, insights, okay, and knowledge, uh, internally to yourself, I think that this is, the most important, I think, that, what they need to hold quite strong.
Avi Yoshi: Because we cannot know two years from now or five years from now what will be the new technology or, Whatever, but your knowledge, evolving knowledge, is your power.
Megan Garza: And lastly, if you weren't in cyber security, what would you be doing?
Avi Yoshi: I would like to be a Pastry Chef.
Megan Garza: A pastry chef! Oh, you would get along with my husband.
Avi Yoshi: yeah. you know that planned it in advance. I do have a certificate.
Megan Garza: Really?
Avi Yoshi: pastry chef, but I'm planning it, you know, when I will not be able to adapt myself to the changing landscape on technology and security, and maybe I will, [00:14:00] I will go to that route. frankly saying, I don't see myself, you know, not being in this area more than 20 years.
Avi Yoshi: I love technology, okay, in every aspect of it. I think that this is the energy. For me because I always like to learn and I always like to be on the let's say the good side the protectors think that this is the challenges and and you know, you want to have challenges In your personal life.
Avi Yoshi: I think that also in work And this is the talent challenges, to our customers and to do good, and the ecosystem.
Megan Garza: Okay, so now I have to know, what is the best pastry or recipe that you make?
Avi Yoshi: So I learned the French cuisine, uh, in that regard. So, um, the entire tart, I would say landscape that you can imagine,
Avi Yoshi: So it's very precise, like in my work. Yeah, it's technical and stuff like that, you need to prepare in advance, you need to have a plan when you are reaching to this one. So I think that, you know, it's correlates with my [00:15:00] profile. Because Pastry can be really, it's very accurate, it's like, you know, doing some kind of engineering.
Avi Yoshi: it sounds like me, so I 20 years from now, maybe I will do it for my child, and stuff like that. But maybe on our next time, Megan, I will bring something, yeah, maybe.
Megan Garza: please do. Well, thanks for joining me on Speed Data today, Avi. I enjoyed chatting with you. I know our audience appreciates your insight around the importance of continuous learning. Thank you again.
Avi Yoshi: Thank you, Megan. Pleasure.