Tech Trends Episode 8 Transcript
Anish: So Jason, thanks very much for joining us today.
Jason: Thank you for the opportunity.
Anish: So it feels like every day, there's a new breach or vulnerability or some sort of cyber announcement that comes out, right? The FBI analysis says this is a multibillion-dollar financial problem for the industry. From your perspective, what are the biggest threats in cybersecurity today?
Jason: The first thing you should understand is that we are living in a world where the adversary is funded in the billions, to your point. And the capabilities that they're bringing because of that type of an investment are pretty sophisticated.
Jason: In terms of how that manifests itself, there's a couple of big ones that we're tracking right now. The first is business email compromise, and it's been around for a while, but that's where you're basically spoofing the CEO, trying to get your financial people to move money around where it shouldn't. The second is crypto ransomware, and this is an attack where they basically break into your system in some way or get somebody to click on something somehow. It gets a virus or malware on that computer and then it starts replicating to the whole environment, and so you wake up the next morning and all of your systems are down. There's some sort of ransom message on your screen.
Jason: You have to respond to that in that sort of emergency situation.
Anish: So let's talk about business email compromise. What is that? How does that work?
Jason: So it's basically where you're tricking someone in the treasury or financial area to send money to somewhere that they shouldn't. And the way that it has really manifested itself over the years has been a progression: it used to be they'd spoof the CEO's email and send it to the Treasurer or the CFO or that sort of thing. Maybe they've even looked at LinkedIn to see who the people were. Then they've moved on to actual hacking of the real email, whether it was actually hacking into the CEO's email or hacking into maybe a supplier that you normally send invoices to. And they're continuing to use more and more technical ways of proliferating it. But the bottom line is it's trying to get money to the wrong place.
Anish: So basically what you're saying is it's somebody convincing you through-- under false pretenses to execute a transaction, and one of the challenges of that is that's a completely legitimate transaction, right? Somebody's authorized to make the transaction with access to the account, going through all the hoops, and they're on the hook for that loss. What advice do you have for companies that are faced with business email compromise attacks?
Jason: Yeah, it's simply: have multiple controls.
Jason: So just don't rely on an email and then you push the button.
Jason: Especially if it's a high-value transaction, you think it's coming from the CFO or CEO, call that person on a known number, or actually walk over to their office or that sort of thing. Have multiple controls.
Anish: Okay. I know you mentioned ransomware; so let’s talk about ransomware. How does that work?
Jason: Yeah, so just imagine you wake up one morning and you come into work, into the office, and all of a sudden all of your computers have the same message on them that says that your data's all encrypted and the only way you get it back is if you pay me some sort of ransom. If you have prepped ahead of time and you've got good data backups and that sort of thing, then you call IT and say, "hey, can you restore all of our data?" And that happens and you go away. If you didn't have really good data backups and system backups for all of your different systems, then you're in a different scenario where you may need to call external counsel, or an external forensics provider, or law enforcement, and have a conversation about, do you pay or do you not pay? We don't recommend one way or the other. We do recommend that you prep for this sort of thing ahead of time and you think through it. Certainly, having good relationships with law enforcement, for example, ahead of time would help us facilitate that conversation if you needed them in an emergency.
Anish: But if you have a plan, you have a recovery plan for any sort of resiliency event, it opens up your options a lot more, right? You’re more likely to be able to recover without paying, is the idea, right?
Jason: That's exactly right. This is just a different scenario associated with your other recovery capabilities. It could have been your data center got flooded, or your cloud provider went down, or whatever it was. This is just another iteration of something that could cause you an outage.
Anish: So business email compromise, ransomware, we hear people talking a lot about things like the advanced persistent threat and intellectual property theft. All these seem to be much more focused on corporations, right? It doesn't feel like that long ago that we were seeing a lot of these attacks against individuals, right? The phishing attacks that have a business proposition for you, things like that, right? What's changed?
Jason: Yeah, I think the biggest thing that's changed is they’ve figured out how to monetize the medium market and the small market companies.
Jason: And it's been really successful. So the issue is you've got billion-dollar funded adversaries who are now figuring out they can monetize the small business relationship. That's why we're seeing this.
Anish: We’re going on bargain basically.
Anish: Okay, alright. We talk a lot about recovery with ransomware, right? Obviously, you'd much rather spend time and effort and money on prevention if you can, right? But how do you strike that balance between spending money on prevention, on detection, and on recovery and response?
Jason: The first message I would give to any CEO out there is, you're on the internet, you're in a really bad neighborhood. You're going to have an issue at some point. So plan for that, do whatever you need to do to sort of walk through a scenario, or figure out from your IT department how things would work in an emergency. So that's first and foremost. Second is you will not prevent everything. So you should not spend all of your budget on trying to prevent everything.
Anish: You’d love to be able to prevent as much as possible up front, right? But what does that prevention look like? How do you think about technology versus people versus other things?
Jason: Yeah, so it's always people, process, and technology. But it's important to know that there are multiple cybersecurity or information security frameworks that are publicly available and adopted by many many many companies worldwide. So, picking one of those things and then implementing the framework is certainly the best way to know that you're being comprehensive. Now the other flip side to that, though, is there's a certain number of controls within those frameworks that take down the risk a lot faster than others.
Jason: So certainly anything like traditional firewalls, right, that's not particularly sexy, but having good firewall rule management, and that sort of thing, is certainly out there. Looking at email and anything coming into the company or out of the company through email is another really good thing to do. If you look at the number of attacks that happened throughout the years, phishing is always, every single one of them somewhere in there is phishing or they actually emailed the data out of the company through an email. Then looking at simple things like patch management and keeping your systems up-to-date and current. That's sort of technology currency is another really good one. You do a handful of things like that and combine that with a good employer awareness program and really restricting who gets admin access, you can really knock down the risk pretty quickly.
Anish: So basically, what you're saying is it’s the basics, it's the hygiene sort of things that get you the majority of the way there.
Jason: That's exactly right.
Anish: Okay let's shift gears a little bit, right? A lot of discussion about the cloud. We've been talking about adopting private cloud for the last number of years, right, in the industry. How does security change when you're thinking about public cloud?
Jason: There's a paradigm difference in how you should think about the public cloud, and in particular infrastructure-as-a-service public cloud. And it's really important to note that the provider is no longer responsible for all of the security. There's a shared responsibility model where the provider is responsible for the security of the cloud. But the customer, the client that's implementing it, is responsible for the security in the cloud. So how you design that is extremely important. And how you interoperate with their capabilities is extremely important. Very different paradigm. When you're doing that design process, you have to then think through all of the options that the cloud provider gives you; they give you the capability to actually build a cloud environment that is much more securable than what you might have done on premise, because there are cutting-edge technologies and tools that they give you. There's cutting-edge visibility, cutting-edge telemetry, all these sorts of things you can get out of there if you implement it right. But again, shared-responsibility model, you have to implement it right. So you can do things wrong relatively easily if you are not using all those capabilities in the right way.
Anish: So they give you a lot of flexibility. You have to know how to implement it, you have to know what you're doing to make sure you're not inadvertently introducing a problem.
Jason: That's exactly right.
Anish: Got it, okay. So cloud is one of many emerging technologies. I guess not so emerging anymore. But a lot of new technologies we think about, right? We've had a lot of conversations around other emerging technologies: blockchain, artificial intelligence, quantum, etc. How do you think about evaluating new and emerging technologies from a security point of view and enabling innovation while not turning into, as you say, the business prevention department, right?
Anish: And keeping the business going.
Jason: That's exactly it. My view, any information security program, the reason that exists, is to safely enable business. So from that paradigm, you have to be able to evaluate all of these different types of components that a business might want to implement. And look at it from a gamification standpoint, right? What's the threat environment this is going to go into? What are the components that the threat actor might actually go after? How could they actually break the technology and then how can you counter that ahead of time before you implement it, or during the implementation phase so that you’ve thought through all of these types of things that are going to be happening in the environment specifically to that technology.
Anish: So basically, incorporate threat modeling, or some evaluation of technology up front before you deploy it, right?
Jason: That's right.
Anish: So you know how it works and you know how someone might break it, so then you can build up the controls for it as well.
Jason: That's right, that's right. But also do that while balancing speed and how much of that are you going to do and how quickly?
Anish: And as much as people like to always focus on the negatives, right? A lot of these new technologies actually provide you a lot more security capabilities as well, right? Machine learning, blockchain, and a couple others.
Jason: That's absolutely right. And certainly the cybersecurity space is using a lot of that jargon and vernacular right now, at various levels of truth as well. So you have to certainly evaluate each technology in and of itself.
Anish: Okay. It's often been said that you can't go it alone, right? That maybe cybersecurity is a team sport, as you’ve said in the past. What sort of partnerships are available for people, either across the industry or with governments or other folks like that to help companies sort of get farther ahead in the space?
Jason: The importance of intelligence, I think, cannot be underestimated in this space. We're literally living in a world where CISOs are trying to be weather predictors on a planet where there's a new type of weather every quarter. So from that standpoint, you have to constantly look at what's changing, how do I deal with it, how do I know that that's changing, etc. And there's a multitude of ways that you can do that. But the first I would say is partner with law enforcement well in advance of actually needing law enforcement help. Go to your local FBI field office or Secret Service field office, local law enforcement, whatever it is. Make sure you have those local relationships before you actually need them. The second is there's a large number of industry-wide information-sharing and analysis groups that are out there. Most critical infrastructure industries have those, but a lot of companies have just gotten together and formed them as well. And then the third is there's a lot of suppliers out there that give you threat intelligence, or market intelligence, or tech intelligence for that matter: what's changing in the tech space. You need to kind of keep track of all those things, but the bottom line is there's a lot happening around you. You're not sitting sort of static in the middle. The world is constantly changing and constantly evolving. You have to have the intelligence to know what those changes are and what the impact could be.
Anish: Yeah and don't be limited by what you have yourself. You can leverage all of these other resources to do that, right? And law enforcement generally is very receptive, even of small companies that want to be proactive and reach out to them as well.
Jason: Absolutely, absolutely.
Anish: Finally, what advice would you have for companies that are maybe-- might be a little bit smaller, maybe don't have as many resources as some of the large companies out there, in terms of how to build or expand or mature their information security program?
Jason: Yeah, the first thing is make somebody accountable for it by name. So don't throw it over and say "IT is responsible here." No! Name the person that is actually going to be responsible for managing this risk. The second is that person should look at the information security and cybersecurity frameworks that are out there, pick one, and then implement it in the order that adversaries are currently attacking: patch management, access, phishing, that sort of thing. So implement those controls first. And then the third is assume that you are going to have an issue at some point and exercise a fake version of, "we just had a really bad day," and then walk through-- once you've gotten sort of a handle on things, walk through how you would respond. Who would you call?
Anish: Like a simulation.
Jason: A simulation, absolutely. So that you’re really, as a business, well prepared in advance of anything actually happening.
Anish: Yeah, I think one of the points around this as well is most businesses manage risk for a living, right?
Jason: That’s right.
Anish: This is just another risk that needs to be managed, right? You do have to figure out what that risk tolerance is the same way you would with your credit risk or your operational risk or any other sort of things out there, right?
Jason: That's absolutely right, and you want to be really deliberate as a business leader with your information security accountable person, whoever that is, about what your risk appetite is, what you are actually okay with losing or having be down, and for how long, or those types of things. What is your risk tolerance? And make sure that they're operating within that tolerance.
Anish: Right. Jason, thanks very much for joining us.
Jason: Thank you.