In this week’s episode, Randy covers the Hive Ransomware Group, the reemergence of Scarab APT, and a few stories that have nothing to do with insects…
Featured stories include:
In this episode, Randy Watkins covers the biggest stories on our news feeds today: the Oscars and the Okta Breach.
See how many Will Smith movie references Randy can fit in a minute, and starting at 1:09, get filled in on the latest information about Lapsus$ – a juvenile threat group causing adult problems.
Join CRITICALSTART CTO and SON OF A BREACH! podcast host Randy Watkins as he talks with IDC Program Director, Security Services, Craig Robinson. The two discuss the Critical Start sponsored IDC white paper, “In Cybersecurity Every Alert Matters”.
The two share their thoughts on:
Special thanks to Craig Robinson!
Any guesses on our next series in the podcast? Stay tuned to find out on SON OF A BREACH!
IDC Thought Leadership White Paper, sponsored by Critical Start, In Cybersecurity Every Alert Matters, US48277521, October 2021
Building on the success of a next-generation firewall business, Palo Alto Networks is now leading across multiple competencies in the cybersecurity space including network security, cloud security and security operations. Palo Alto Networks has a unique ability to integrate new technology quickly to compete in new verticals, so for more insight on how they’re accomplishing this we talked with Tim Junio, SVP of Products, Cortex at Palo Alto Networks and former CEO of recent Palo Alto Networks’ acquisition Expanse.
Tim was conducting cyber operations for the CIA before he was old enough to drink, performed consulting work for DARPA and helped to build out cyber operational capabilities for the U.S. military. He explained how a once DARPA prototype became what is now known as attack surface management technology and how it’s now evolved into Palo Alto Networks’ Cortex Xpanse today.
“Going back to 2013-14, when we were first thinking about what ultimately became the core technology for Cortex Xpanse today, we observed that the Internet was kind of a mess,” Tim stated. “As soon as we started looking at a large scale for exploitable systems, we found a huge number. The premise for defenders back then was to try and do penetration testing and always be looking for weak links. But the idea that you can in an automated fashion find exposures as soon as they come up, like within minutes, was not a reality that defenders were prepared for.”
Tim compared this situation to what Palo Alto Networks’ Cortex Xpanse is accomplishing today. “Now it’s really taking an attacker’s view of the organization,” he shared. “It asks key questions such as: ‘What applications are exploitable? What systems are available? Are there any misconfigurations?’ It is the bane of security if you don’t really know what you’re protecting against; if you don’t really know what it looks like. So it made sense for Palo Alto Networks to make this acquisition.”
The right formula for security acquisitions
“After folding in multiple acquisitions over the years, Palo Alto Networks has gotten even better at this process. Before the acquisition of Expanse even closed, we were talking about where our technology could plug in, including the obvious fit with Palo Alto Networks’ next-generation firewalls to ensure that we’re actually protecting the entirety of an internet protocol space. But there are also some not-so-obvious areas including areas for co-development such as Prisma Cloud. We were able to work with this cloud security product to provide a combined view with Xpanse that can show the customer unmanaged cloud assets and find vulnerable systems within cloud environments so that they can be brought under proper management through the Prisma Cloud product.[1] ”
Tim went on to explain how Xpanse is helping Palo Alto Networks to build out data lakes that contain a wealth of security information. He described how they have been prototyping attack surface data to gain a better understanding of how mergers and acquisitions can alter the security situation that a business is facing. “When you add in the complexity of mergers and acquisitions, and business units operating globally, an organization may not really appreciate the vulnerability that it’s facing,” Tim shared. “We show up to customers all the time and remind them, ‘Hey, you’re doing this joint venture, did you know you’re using Alibaba’s cloud? You’re not just an Azure shop anymore.’ And they realize they weren’t centrally tracking that as an organization.”
How Palo Alto Networks defines XDR
Evolving from the early days of attack surface management technology, XDR brings next-level thinking to the entire concept of vulnerability and threat detection and mitigation. Who better to define what XDR means today than Palo Alto Networks, the company that first coined the term and the thinking behind
it. When Tim was asked about the essential criteria that should fall into the expectations for XDR, he replied that the most important idea is the evolution of endpoint detection and response. “Protection, prevention and detection requires joining endpoint data with other data,” he shared. “Basically, if you’re dependent on only one source of information at a time for security, you’re going to miss sophisticated attacks.”
Tim believes that combining endpoint data with network security data is an essential place to start. “If you look at the prior era of endpoint protection, that is where you started to have behavioral analysis and looking at things happening locally on a machine,” he said. “And that obviously was a huge leap in technology that was efficacious for a while , but then adversaries adapted and started doing a better job of obfuscation. We needed a new approach and joining endpoint data with network data gave us new kinds of visibility. If you’re looking across different data sets your odds dramatically improve that the attacker is unable to obfuscate across everything.”
Not simply more data
But Tim also clarified the importance of not just consuming data for its own sake. “I think that is the difference between XDR and SIEM,” he stated. “Security Incident and Event Management was supposed to be the answer to this problem of the modern SOC. But there are too many alerts and people are overwhelmed, so it doesn’t stop enough attacks. When we look at a data ingestion model, we need to ask if we’re providing anything useful or just aggregating. How much of that data is used in true correlation? While SIEM let’s you do that in a highly-manual, human-driven way where you need to do much of the data normalization yourself, XDR starts with the highest quality, most important security data where the intent is not to take 200 different data sources and run queries over them.”
“The difference in how an XDR product would work versus SIEM would be that XDR would normalize between datasets so that you actually know the relationships between them for the highest quality data and then you run advanced analytics on top of them,” Tim continued. “For XDR the data integration component is fundamental. For our own XDR we do the data integrations natively for the product. We create what we call a story. A story is basically the joined relationships between different data sets, starting with our endpoint agent from Cortex XDR and our next-generation firewalls. But we also bring in third-party data and we’re perfectly happy to work with competitor’s data, make that available within XDR and joined with either the next-generation firewall or our endpoint.”
Tim concluded by providing a glimpse of what this will all look like as part of the next evolution within Palo Alto Networks Cortex XDR 3.0 platform[2]. “If you’re a customer of XDR 3.0 and you’re connecting XDR endpoint data, plus let’s say data from Amazon Web Services plus data from our next generation firewalls, we’re going to be running our analytics over all of those datasets and we’ll provide you with scored alerts across the datasets within the XDR unified console,” he said. “I would add to that we’re also pushing results into workflows. Our XDR product is a playbook automation product where we can automate a wide range of responses and have hundreds of integrations built into that product. If we can’t automate it, we can at least augment the workflow automatically for human analysts and provide as much context as possible to speed up the time-to-respond. If you look at this holistically overall, I think that there are four pieces here: There’s the gathering of data, the integration of data, the analysis of data, and then the workflow. And I think what’s really hard is to get all of those things to work well together. And so where we’re really starting to excel is within that overall integration component.”
Source: https://www.paloaltonetworks.com/blog/prisma-cloud/manage-unmanaged-cloud-prisma-cloud-and-cortex-xpanse/
Source:https://www.paloaltonetworks.com/company/press/2021/palo-alto-networks-launches-cortex-xdr-for-cloud–xdr-3-0-expands-industry-leading-extended-detection-and-response-platform-to-cloud-and-identity-to-detect-and-stop-cyberattacks
With the acquisition of Scalyr, SentinelOne® is carving out a unique position in the security space not through it’s acquisitions, but through how limited and targeted its acquisitions are in practice due to its ability to innovate internally. We wanted to get the inside track on this innovation and how SentinelOne is applying it to the XDR space, so we talked with Yonni Shelmerdine, AVP of Product and Head of XDR for SentinelOne. With experience in an elite Israeli intelligence unit, as well as a deep private sector career in cybersecurity, Yonni brings a unique perspective to what it takes for XDR to be successful.
When it comes to SentinelOne, Yonni feels that the organization runs its security product management like a business, instead of focusing on one specific field, which has led to significant success in owning the entire business problem of cybersecurity for customers. “I wouldn’t say that we necessarily have some secret sauce that no one else has in terms of building products,” he shared. “But I do think that we’ve done a better job of evolving what we have into exactly what the market needs, as opposed to just completely starting from scratch each time we notice a new problem.”
Customer-Defined XDR
Yonni explained how this philosophy drives SentinelOne’s approach to XDR. “When we set out to define what XDR was going to mean for us, we focused on making sure that it was going to have a foundation of what we’re already good at. We asked ourselves what is it that is driving this thing called XDR? And our conclusion was that the market recognizes the approach that EDR took seems to work. If you recognize that prevention isn’t sufficient, you are going to need to focus on how efficiently you can answer: Who, what, why, when, where, how—and then do something about it. It seems to be the right formula and I think we also recognize there’s a reason it’s called XDR and not X-IEM or X-OAR. XDR does seem to be an evolution of EDR, obviously with more data sources and with more response actions, and there are some key parts of EDR that we recognize are going to be the crux of our approach to XDR. This includes using metrics such as mean-time-to-respond, mean-time-to-investigate and mean-time-to-detect as our beacons to answer: ‘Are we going in the right way?’”
“At SentinelOne, that’s how we approach EDR now,” he continued. “We determined that this was going to be about ingesting data, but not necessarily ingesting all of it. We’re not ingesting for the sake of ingesting. We’re ingesting for the sake of reducing mean-time-to-detect. We now facilitate much more automation than we did last year, and we’re going to be facilitating even more in the months to come. We ask ourselves, ‘Does it help reduce the number of screens you need? Does it help reduce the number of analysts you need? Does it help reduce the years of experience they need in order to solve this really complex problem?’ And then we set about deciding what we were going to build.”
Putting the pieces together
Yonni discussed their Singularity™ Ranger® product as an example this approach stating, “Ranger evolved into not leaving behind any IOT features, but now it can give you a complete picture of what’s happening in your network and give you the ability to actually do something by deploying each Sentinel agent. This was born out of the needs of our customers and partners to do exactly what people need it to do.”
The recent acquisition of Scalyr shows another variation of this idea, as Yonni explained it adds not only new capabilities to SentinelOne’s portfolio, but it also represents a commitment to the existing customer base that still predominantly uses EDR. “The difference is that now the most advanced customers, such as CRITICALSTART can run even more complex and rapid queries,” Yonni stated.
He went on to describe how this is all part of SentinelOne’s “laser focus” on XDR, with Ranger and Scalyr components adding to a much larger and comprehensive strategy as part of its XDR efforts. “Our approach to XDR is to look at it as a combination of things that we as SentinelOne can do, as well as the things that one of our customers’ stacks can do,” Yonni explained. “We have no intention to stop with tools built by SentinelOne and we’re introducing options for a customer to respond to an event with their identity tool, their Cloud Access Security Broker and various other tools. We are very much open to using the entire tier for the customer’s arsenal to respond in the most efficient way or use the entirety of our arsenal to respond in the most efficient way—whichever is the right fit for the situation.”
When asked whether XDR is going to replace SIEM, Yonni responded: “Will it completely kill off SIEM? I think there’s probably quite a bit of runway before that happens.” But with SentinelOne’s customer-and-market-centric approach, XDR seems to be poised to take the baton on cybersecurity and pass it to the next level of threat remediation.
Conference badges have evolved from paper and plastic to collectable mini-computers of all shapes and sizes, coveted and collected by security professionals and enthusiasts. The rise of #Badgelife signifies one of the most creative offshoots of security conferences, with its underground culture of hardware art and ingenuity.
In this episode of SON OF A BREACH!, CRITICALSTART CTO Randy Watkins welcomes badge creator Florida Man, a/k/a Jonathan Singer, to celebrate the allure of #Badgelife, reveal how deep the culture runs, and share tips on how to get started in the community.
Tune in to learn:
Both fun and functional, digital badges celebrate computers and the security around them at the hardware level. Many are intentionally hackable so you can take control of the lights, noises, and other built-in features.
Singer shares some favorites from his extensive badge collection, which you can see by watching the recorded video of this podcast episode. Watch on YouTube. Link here https://youtu.be/KB1fyD0Gcdk
Jonathan Singer is SIEM and SOAR Practice Lead at GuidePoint Security, with certifications including GPEN, GWAPT, GCIA, GCFE, and CEH. He is a self-taught badge creator, who launched his first digital badge at Bsides Orlando 2013. Singer also shares his passion for cybersecurity and hardware on his YouTube channel.
While Microsoft took a hit to its security reputation with Windows Defender 2016, the Big 5 Technology powerhouse came back strong with a rise in both capabilities and rankings among third parties like Gartner, Forrester and MITRE. With the expanded capabilities coming out of Microsoft Azure Sentinel, Microsoft’s portfolio ties together with additional data feeds to enable customers to detect threats earlier and respond more effectively. It’s why Ann Johnson, CVP of Security Compliance and Identity for Microsoft, was high on our list to interview for the second installment of our Rated XDR series. Listen to the podcast below.
In a review of the top XDR solutions for 2021, Gartner Peer Insights, Microsoft held a 4.5/5 star rating over 158 reviews. Microsoft’s 365 Defender made the Forrester Wave and Gartner Magic Quadrant Leaders in the most recent reviews. In the latest MITRE Carabanak+FIN7 Evaluations for EDR, Microsoft had an overall detection rate of 86.78% between telemetry and analytic detections.
We found Ann’s job title insightful into the new thinking driving the Microsoft approach to security. “When we think about security compliance, identity and management holistically, we don’t think they can be separated,” Ann shared. “With the increase in global regulations and the increase in attacks on our customers, we feel that these ideas need to be operationalized more seamlessly. “We’re certainly seeing a huge push in identity right now as attackers go after credentials to try and take over accounts to leverage for lateral movement. That’s why we’re seeing an effort to pull all these things together.”
Microsoft’s approach has been to build native security capabilities into the solutions they were already offering to their customers. “It’s amazing to see the roadmap that was laid out three years ago and how well it’s been executed,” Ann stated. “If you just think about a recent acquisition, like Risk IQ, we’re going to invest more than a billion dollars in security this year…It’s about understanding the customer’s problems really in depth. We think about outcomes more than we think about tooling.”
Azure Sentinel delivers stronger outcomes through XDR
Ann described how she was sitting in a room with her colleagues several years ago discussing how there needed to be a better way to handle security event management. They decided that there needed to be a cloud-native version of SIEM which was more scalable and automated. Since they didn’t believe this type of tool existed, they decided to build it and make it native to Microsoft Azure. “We didn’t want this to be your traditional SIEM, where a box was checked or something was logged, but no one ever used it to pull data out. We wanted this to be a great data aggregator to give actionable feedback to the SOC that was meaningful, but also to automate as many low-level tasks as we could. There are smart humans are working on hard problems and we’re telling them which hard problems they should tackle first. And it’s all part of the XDR strategy. If you think about Microsoft Defender for Endpoint and Microsoft Defender for Office and Microsoft Defender for Networks and IOT and Azure, they all aggregate to an XDR solution where you can do hunting and forensics within the platform.”
“You should have an EDR capability that ultimately comes into XDR. So that applies whether that’s servers, storage, network, an IOT environment or actual end points—all these different places are where we have Microsoft Defender capabilities today. You have the detection and response capability, but before you even get to Sentinel, you could actually do hunting and forensics. (And at the Sentinel level) we want it to be the master brain of your SOC and to the extent that we cannot, you or an organization like CRITICALSTART can build SOC capabilities on top of Sentinel and have it be extensible and make it easier for your SOC admins to react to something quickly, so a breach doesn’t turn into a major event. We have a big, bold vision, but we also don’t know everything the future holds, which is why it’s so extensible.”
Ann went on to discuss how Microsoft is utilizing machine learning to take advantage of the advancements in AI, but that one of their most important principles is automation. As an example, she stated that if there are a trillion signals, with a million that could represent a threat, then the goal is to automate 999,000 of them. Then out of the remaining thousand, prioritize until the top five are identified that SOC analysts need to focus on at that very moment. This correlation of alerts enables continually less, but ever more important alerts to go to analysts for human review and intervention.
Stop threats before they happen
Ann believes human input will be even more important in the years ahead. “People always ask me, “let’s see how technology can replace humans,” she shared. “My response to that is never. Human intel and understanding of the behavior of the attackers and where they’re going to go next and what they’re going to try to do all needs to be part of predictive analytics. That’s why I want to make it easier for customers by just automatically being predictive and blocking stuff that potentially comes into their environment. I think you’ll see a natural convergence of XDR and SIEM into one thing—we just have to make sure that we get it right. We want simplicity of tooling and automation of tooling. The goal is that we want customers running their businesses and not worried about their security tooling. The point when cybersecurity becomes a mature industry will be when there are no longer cybersecurity departments and when everybody’s problem is cybersecurity. Whether you’re a developer or an operator, you’ll still have a SOC. Cybersecurity needs to be everybody’s job from the first line of code.”
“And I’m optimistic on achieving this outcome,” Ann concluded. “I’m always optimistic because we have really smart people trying to solve hard problems. But at the end of the day, we need to work to become more integrated into the fabric of everything that happens within an organization.”
CrowdStrike is on a roll. With the recent acquisitions of Humio and Preempt Security, they’ve added serious capabilities to an already robust security portfolio. That’s why CRITICALSTART CTO Randy Watkins spoke with Ajit Sancheti, former founder and CEO of Preempt and current VP of Identity Protection for CrowdStrike, to gain his perspective on the role XDR plays in CrowdStrike’s strategy as part of the first installment of our 5-part series: Rated XDR.
Ajit shared with us his opinion of XDR versus SIEM, and CrowdStrike’s vision of what a completed XDR solution looks like. He explained the role of an XDR platform for a zero-trust approach, and how to make it frictionless for the end user.
Warning: Rated XDR may not be suitable for legacy security vendors.
Early in the discussion, Ajit discussed why Preempt targeted identity management so heavily, utilizing the active directory in particular, and how this delivers a unique mesh with CrowdStrike’s endpoint-centric focus. “Why did we choose active directory?” he related. “It’s a mess, but it’s also the place where all identities are stored. Typically four out of five breaches have something to do with compromised credentials. And if someone’s trying to get the credentials, it’s the active directory that they want to compromise.“
Ajit went on to explain that at the beginning of the COVID-19 pandemic, the two common themes they were hearing from customers were concerns over remote work and controlling identities. And he really feels that CrowdStrike is headed in this direction as part of a comprehensive security package. “I couldn’t be more excited because I think the fit of our architecture with the core CrowdStrike Falcon Endpoint Protection Platform is just seamless and we’re starting to see the benefits of it,” he shared.
“It definitely fills some gaps in not just visibility, but also control, which I think is very unique and customers are starting to circle around to it,” added Randy. “I really think the focus is on endpoint, identity and applications, whether they’re SAS, cloud—whatever—and CrowdStrike is definitely moving towards that fashion. They can audit the software that’s installed on the end point. Now you can look at the different user interactions with that software…And then kind of bake that into whether or not they should have a certain level of access to a machine. It’s really coming through into a much broader picture for both visibility and enforcement.”
XDR presents the data that matters
A common theme discussed by Randy and Ajit was the massive amounts of data generated from all of these different sources and the difficulty faced by SIEM platforms ingesting it as the amounts and sources of this data continues to grow. “The basic thought there is that we are getting hit by very sophisticated attackers,” Ajit explained. “And we’ve been called in and there’s no telemetry (on the customer side). The telemetry that you need to figure out what happened just doesn’t exist. And the reason is that people cannot afford to collect it with this exponential data growth. I think right now organizations are saying that unstructured data is doubling every 40 months…What CrowdStrike is doing is providing the ability to log and answer everything…it’s index free and cloud native in real-time. It gives ingest data, which allows you to redefine XDR in a manner that says, ‘Let’s go find the data sources that really matter rather than saying bring all the data and consider this to be a next generation SIEM.’
“Think of it more as a security use case,” he continued. “What are the security use cases we’re trying to solve? How do we want to solve it? Our focus is on building XDR so that it answers these security use cases. I also think that if you look at the CrowdStrike story, we have so many good partners that do so many great things. So we want to bring in their indicators into our platform. And that’s how we want to leverage XDR. We can get to the point where we can solve these questions, not just by CrowdStrike’s native data, but with the partners that we work with in the industry that are really focused on these security use cases.”
During the discussion, Randy raised the idea of a compliance auditor versus a compliance assessor. He highlighted how an assessor wants to understand the intent behind the control and to ensure that an organization is actually meeting that intent. The hope is that XDR will become a mitigating control for SIEM by providing more meaningful data feeds that will fulfil the security intent.
Zero-trust becoming the norm through XDR
The CrowdStrike team are solid believers in the zero-trust security model and Ajit explained how XDR can help make this model reality without providing an undue burden on users. “If you look at any kind of logging solution, it’s near real-time, or as close to real-time as possible, but it’s still not real time,” he stated. “What I want to know about the user is what are they doing now? That’s where I think XDR helps us is to get a better and more comprehensive view of the user over time.”
Through XDR, suspicious behavior such as logging into an application the user has not worked with before can be tracked and compared against typically normal user behaviors. It can recognize patterns and assign a risk score to determine when the activity is suspicious enough to warrant action.
Ajit feels that the telemetry XDR provides for security will solve increasingly complex use cases over time, and that SIEM vendors will need to decide whether they will work with the technology or risk getting replaced by customers. Randy agreed with this as he concluded, “There’s definitely going to be a lot of catch-up work for some of these vendors that have been either only looking at their own data for telemetry, or they don’t have a backend that will support the ingestion of third-party data for additional telemetry. It seems like the mission statement behind XDR is to accomplish what we really wanted to get out of SIEM, which was how do we lower dwell time of an attacker in the environment.”
While these are a few of the highlights, be sure to listen to the full podcast of episode 1 of Rated XDR . And tune in for the next episode where Randy talks with Chief Product Office of the freshly IPO’d SentinelOne.
We admit it. We haven’t quite gotten the cadence down on our SON OF A BREACH! podcast series. Yes, it’s been a while since our last episode on ransomware.
That’s why changes are coming.
Podcast host and CRITICALSTART CTO Randy Watkins explains all in episode 7, with a quick update of why and how the series is taking a new direction.
Tune in to Episode 7 of SON OF A BREACH! below.
Noting the production time required to get each episode release-ready, Watkins says, “It took roughly five business days from the point in time we recorded it to the point in time we released it. Now obviously, if you followed SolarWinds or any of the recent events, five business days changes everything.”
Seeing the need for a different approach, Watkins solicited feedback from listeners through LinkedIn.
“I asked, what would you like to hear more of – current events, thought leadership, interviews, or tech reviews?” he says. “The first and foremost thing was thought leadership.”
Our listeners have spoken, and in upcoming podcasts Watkins will lead thought-provoking interviews with leaders on bleeding-edge technologies. We’ll explore what problems they’re solving and why, the actual risk to your organization, and the impact they’re having on security in general.
In an upcoming series of episodes titled “Rated XDR,” Watkins will talk with leaders from CRITICALSTART integration partners including CrowdStrike, Microsoft, Palo Alto Networks, and SentinelOne about extended detection and response.
“It’s going to be a great series,” Watkins says. “Tons of solid information, and we’ll look to keep more of that coming out on future episodes.”
Ransomware attacks and cybercriminal gangs continue to make headlines as they create the highest severity and most frequent losses for insurance carriers. Unlawful hackers take control of systems and try to force companies to pay huge amounts to unlock them.
Episode 6 of our SON OF A BREACH! podcast series takes a closer look at the growth of ransomware, the exorbitant payouts, and tips for understanding the complexities of cybersecurity insurance and getting the right coverage for your business.
Joining host and CRITICALSTART Chief Technology Officer Randy Watkins is insurance risk management expert Doug Jones, senior vice president and principal at RHSB Insurance.
Tune in to Episode 6 of SON OF A BREACH! below.
A third-generation insurance broker, Jones began developing his expertise in insurance risk management more than 30 years ago. Having focused on technology-oriented risk and cybersecurity insurance for more than 20 years, he says ransomware falls outside of traditional risk modeling.
“Bad actors are more sophisticated, so we’re seeing a big change in the market trying to absorb all these losses,” he says. “That’s changed the way (insurance underwriters) look at risk, and it’s largely driven by ransomware.”
Jones says ransomware has forced carriers to be much more discriminating and thorough in their underwriting process.
“That’s where we’re starting to see a change in underwriting,” he says. “There’s different applications required now that haven’t been done in the past. And some brokers are now offering additional things to try to help companies put them in a better light for pricing with insurance carriers.” Jones says these include vulnerability scans, security assessments, and penetration tests.
Because of the complexities of cybersecurity insurance, he says every carrier offers something different. “Be sure you’re dealing with someone who can help you navigate that landscape,” he advises. “Don’t just look at buying an off-the-shelf product.”
Q&A on Ransomware and Insurance with Doug Jones The following is an abbreviated Q&A based on Watkins’ conversations with Jones in Episode 6 of our SON OF A BREACH! podcast series. Be sure to tune in to the entire conversation.
Watkins: Cybersecurity insurance has really been gaining popularity over the last six years or so, as organizations look to exercise their options and transfer the risk. What are the underlying principles of cyber liability insurance?
Jones: A cyber liability policy is actually a combined policy that has both third-party liability and what we refer to as first-party coverage. The liability coverage is when a third party is making a demand against you. First-party coverages I like simply defining as additional expenses as the result of a cyber incident, and that can include notification, crisis management, PR, forensics, legal costs, extortion, business interruption, data restoration – all those additional expenses that you can incur as the result of a cyber incident.
Watkins: The number one threat facing a lot of organizations right now, or that they’re purchasing the liability or cybersecurity insurance for, is ransomware. Is ransomware, something that’s natively covered, or does it have to be stated in the policy as an additional add-on for ransomware?
Jones: It is not automatically included in the policy. Highest frequency and severity losses are with ransomware. It’s typically included in a policy, but not always. So when you see, oh, I’ve got ransomware, you also need to look at what’s the retention on that? Does it have a sub limit? Right now we’re seeing insurance carriers offer coinsurance on that. So your coverage may be more limited than what you think.
Watkins: If a company is already going through and either performing security assessments, or they’re considering these assessments in line with cybersecurity insurance, are those things that help lower the premium or help expediate the process of getting the cybersecurity insurance put in place?
Jones: Absolutely. Where that was many times overlooked in the past, especially for average risk, now they’re being required to look at that. Almost every carrier right now has a separate ransomware application, and they’re asking a lot more security questions around this. And some of the main things they’re looking at are multi-factor authentication. Backups are really important. You know, are they off site? Are you segmenting it? Are they encrypted? Employee training is being required? Endpoint detection and response is something really important that carriers are looking at. And remote desktop protocol is a big thing. If you don’t have a good answer to these questions, you’re being put in the bad group, so to speak, and you’re losing market leverage, because the majority of cyber insurance carriers will not even consider underwriting your risk.
Watkins: I know a lot of folks don’t know where to start in terms of, hey, we would like to get cybersecurity insurance coverage, or renewal is coming around and we want to shop it just like car insurance. So where can people start, and where can they learn more about the services provided by RHSB and yourself?
Jones: First of all, know that this is a complex insurance product where every single carrier offers something different. So be sure that you’re dealing with someone that can help you navigate that landscape. Don’t just look at buying an off-the shelf-product. We’re happy to help anyone and you feel free to reach out to me. My email address is [email protected]. People can reach out to me directly, I’m happy to help.
Ransomware attacks and cybercriminal gangs continue to make headlines as they create the highest severity and most frequent losses for insurance carriers. Unlawful hackers take control of systems and try to force companies to pay huge amounts to unlock them.
Episode 6 of our SON OF A BREACH! podcast series takes a closer look at the growth of ransomware, the exorbitant payouts, and tips for understanding the complexities of cybersecurity insurance and getting the right coverage for your business.
Joining host and CRITICALSTART Chief Technology Officer Randy Watkins is insurance risk management expert Doug Jones, senior vice president and principal at RHSB Insurance.
Tune in to Episode 6 of SON OF A BREACH! below.
A third-generation insurance broker, Jones began developing his expertise in insurance risk management more than 30 years ago. Having focused on technology-oriented risk and cybersecurity insurance for more than 20 years, he says ransomware falls outside of traditional risk modeling.
“Bad actors are more sophisticated, so we’re seeing a big change in the market trying to absorb all these losses,” he says. “That’s changed the way (insurance underwriters) look at risk, and it’s largely driven by ransomware.”
Jones says ransomware has forced carriers to be much more discriminating and thorough in their underwriting process.
“That’s where we’re starting to see a change in underwriting,” he says. “There’s different applications required now that haven’t been done in the past. And some brokers are now offering additional things to try to help companies put them in a better light for pricing with insurance carriers.” Jones says these include vulnerability scans, security assessments, and penetration tests.
Because of the complexities of cybersecurity insurance, he says every carrier offers something different. “Be sure you’re dealing with someone who can help you navigate that landscape,” he advises. “Don’t just look at buying an off-the-shelf product.”
Q&A on Ransomware and Insurance with Doug Jones
The following is an abbreviated Q&A based on Watkins’ conversations with Jones in Episode 6 of our SON OF A BREACH! podcast series. Be sure to tune in to the entire conversation.
Watkins: Cybersecurity insurance has really been gaining popularity over the last six years or so, as organizations look to exercise their options and transfer the risk. What are the underlying principles of cyber liability insurance?
Jones: A cyber liability policy is actually a combined policy that has both third-party liability and what we refer to as first-party coverage. The liability coverage is when a third-party is making a demand against you. First-party coverages I like simply defining as additional expenses as the result of a cyber incident, and that can include notification, crisis management, PR, forensics, legal costs, extortion, business interruption, data restoration – all those additional expenses that you can incur as the result of a cyber incident.
Watkins: The number one threat facing a lot of organizations right now, or that they’re purchasing the liability or cybersecurity insurance for, is ransomware. Is ransomware, something that’s natively covered, or does it have to be stated in the policy as an additional add-on for ransomware?
Jones: It is not automatically included in the policy. Highest frequency and severity losses are with ransomware. It’s typically included in a policy, but not always. So when you see, oh, I’ve got ransomware, you also need to look at what’s the retention on that? Does it have a sub limit? Right now, we’re seeing insurance carriers offer coinsurance on that. So your coverage may be more limited than what you think.
Watkins: If a company is already going through and either performing security assessments, or they’re considering these assessments in line with cybersecurity insurance, are those things that help lower the premium or help expediate the process of getting the cybersecurity insurance put in place?
Jones: Absolutely. Where that was many times overlooked in the past, especially for average risk, now they’re being required to look at that. Almost every carrier right now has a separate ransomware application, and they’re asking a lot more security questions around this. And some of the main things they’re looking at are multi-factor authentication. Backups are really important. You know, are they off site? Are you segmenting it? Are they encrypted? Employee training is being required? Endpoint detection and response is something really important that carriers are looking at. And remote desktop protocol is a big thing. If you don’t have a good answer to these questions, you’re being put in the bad group, so to speak, and you’re losing market leverage, because the majority of cyber insurance carriers will not even consider underwriting your risk.
Watkins: I know a lot of folks don’t know where to start in terms of, hey, we would like to get cybersecurity insurance coverage, or renewal is coming around and we want to shop it just like car insurance. So where can people start, and where can they learn more about the services provided by RHSB and yourself?
Jones: First of all, know that this is a complex insurance product where every single carrier offers something different. So be sure that you’re dealing with someone that can help you navigate that landscape. Don’t just look at buying an off-the shelf-product. We’re happy to help anyone and feel free to reach out to me. My email address is [email protected]. People can reach out to me directly, I’m happy to help.
The science and art of security come down to two things: quantifying and managing risk. Do both of those things well, and you’re much better positioned to prioritize your exposures and protect your organization.
In Episode 5 of our SON OF A BREACH! podcast series, CRITICALSTART CTO Randy Watkins kicks off a two-part series focused on the finances behind security. Our CFO Andrew Kaufman joins Watkins to calculate the value of security and the cost of risk for your business.
“I don’t think you can ever take a risk profile to zero, especially in cybersecurity,” Kaufman says. “You never know what else is out there and what threat actors are doing and concocting. …The goal is not reducing your liability to zero, it’s about reducing your liability to a point you can get comfortable around.”
Tune in to Episode 5 of SON OF A BREACH! below.
Kaufman’s accounting and financial leadership includes more than 16 years of experience in software, technology, and creating internal controls in financial reporting, particularly for high-growth technology firms. With that experience, he’s able to bring calculations of “cost impact x probability = quantifiable risk” to life with real-world examples.
“There are going to be times where the cost is just too high to mitigate the risk,” he says. “We recognize there is an open liability, but the cost to either install internal controls, or place technology around it, may be too high. That may be a point in time we look at transferring risk. That’s where the cyber risk policies and cyber risk insurance have really stepped up in the last several years.”
Q&A – Quest for Limited Liability with Andrew Kaufman
The following is an abbreviated Q&A based on Watkins’ conversation with Kaufman in Episode 5 of our SON OF A BREACH! podcast series. Be sure to tune in to the entire conversation.
Watkins: Let’s start with talking about quantifying and managing risk. As CFO, how would you start in calculating risk if you’re a CISO?
Kaufman: Cybersecurity really was bred out of a compliance checkbox approach. There’s regulation: how do I stay in tune with that regulation, and stay compliant with that regulation? But that doesn’t really, objectively go after the risk associated with a cybersecurity attack. I think from the CISO seat, it needs to be less about mitigating controls and more about outcomes. What are the potential outcomes that could happen from a cybersecurity breach, or a malware incident, or anything like that? What are those outcomes and what am I trying to prevent? Then you start looking at how much risk is associated with each one of those events.
Watkins: Risk is impact times probability. We’re looking at what’s the cost of this going to be if it happens. That often seems to be the point where a lot of people get stuck. Where do those dollar amounts come from?
Kaufman: For every organization, you’ve got to think about what is the potential that I’m going to have downtime, or I’m going to have loss of revenue, or I’m going to have a denial of service that’s going to cause me this amount of heartburn. It’s really getting down to each organization’s operations and understanding how a potential cyber event may affect that organization. So if an attack puts me out of commission for a day, what are my operating costs for that day? What is my loss of revenue for that day? If I lose data, what is the cost of going and spinning up backup? And how long will it take me to get back online?
The CISO doesn’t necessarily have to do this in a vacuum. They may want to quantify certain amounts of things that could occur in a cyber breach. But the CFO can help come behind that with true dollar figures of loss of revenue, costs associated with downtime, all of those things.
Watkins: You can spend all day qualifying and quantifying the risk, but you have to make a decision on that risk eventually. Once you have the risk calculated by the dollar amount, then what would you expect to see put into that?
Kaufman: The threat landscape today is not going to look the same as it does six months from now, with how fast threat actors are moving, evolving, etc. Once you get to that probability-times-cost output, it’s really important to run sensitivity analysis on it. In the event your probability changes, what type of change is that going to make to my overall exposure risk?
And it’s important that this doesn’t only occur within the CISO’s organization. So it’s getting others involved, it’s bringing this information to light at the executive level. You’re seeing a lot more corporate governance board involvement in cybersecurity risk, because it’s become such an area of major liability. And so you want to bring those (calculations) to those individuals, and let them also ascertain whether they think the outcomes, the dollar amounts, and the probabilities associated, seem reasonable.
Episode 4 of our SON OF A BREACH! podcast series celebrates International Women’s Month with security visionary Didi Dayton, a partner at Wing Venture Capital. Dayton joins host and CRITICALSTART Chief Technology Officer Randy Watkins for timely insights into security growth investments and the expanding female influence in cybersecurity.
Dayton tells Watkins one of her favorite leadership quotes is by Beyoncé, who she describes as an amazing businesswoman. “What she said was, power is not given to you, you have to take it. And I really love that,” says Dayton.
“The way I’ve done it in my career is by owning the data and managing the data in such a way that I could get insights from it,” she advises. “I always made arguments that were driven by data. When you do that, no one can argue with you, because it makes business sense. You know what you’re talking about, it’s your data, you built it, there’s no argument.”
Tune in to Episode 4 of SON OF A BREACH!
Dayton is responsible for Customer Markets and Programs at Wing. She has held executive positions in sales, channels, and alliances for more than 20 years across multiple successful cybersecurity companies, including hyper-growth organizations such as Websense, FireEye, and Tanium.
Dayton has received CRN’s prestigious Channel Chief award four years running, and she was named to the 50 Most Influential Channel Chiefs and the Power 100 Women of the Channel.
Her advice to women for success in leadership, particularly in cybersecurity, is to be in the room when decisions are being made, and to break the circle. “If you see a circle of men talking, figuratively or actually, just use your elbows and gently break into the circle and take your place,” she says.
“Be confident about everything you do,” Dayton adds. “The way you do that is you develop your skills. You present, you negotiate, you learn about finance, you learn about things that are outside of your comfort zone. That will give you confidence. Then hang out with people that boost you up. Because that’s where the power comes from, is from within.”
Q&A – Celebrating Women in Cybersecurity with Didi Dayton
The following is an abbreviated Q&A based on Watkins’ conversations with Dayton in Episode 4 of our SON OF A BREACH! podcast series. Be sure to tune in to the entire conversation.
Watkins: Which leadership traits have allowed you to be successful in both sales and channel roles in the various positions you’ve held over the years?
Dayton: I think the best sales leaders can juggle a lot of pressure, and a lot of different kinds of pressures all at one time. They really are able to stay laser focused on hitting the number, and also helping their customers solve complex problems. Channel folks also do hit a number, but it’s indirect. Both require a lot of humility. … I see the difference between the two as sales are more mavericks and builders, where channel folks are more consultants and scalers.
Watkins: Can you describe some situations that helped you get that sense of humility?
Dayton: I think it comes from working with a team, and as a team, it comes from recognizing that some people are better at doing things than you are. It does require humility to be able to step away from something you think you could do and allowing your team to do it on their own and do it better.
Whenever I start a role, I think about succession planning. How can I build up this skill set within my team so this thing can run itself, and ideally, I can work my way out of a job and on to the next one?
Watkins: How are you contributing to the investment strategy at Wing, in the existing portfolio companies, and the customer community they’re building?
Dayton: I’m always passionate about finding really cool technology. I love talking to customers, geeking out about what are you seeing out there, what’s interesting, and then also trying to help them solve complex issues. A big part of that is just listening…and helping people find what they need. Sometimes it’s other people, sometimes it’s ideas, sometimes it’s technology, sometimes it’s tools and services.
Watkins: What is Wing looking at that’s bleeding edge, or what is the focus of the investments right now?
Dayton: Really where we live is two to three to five years in the future. And that’s what makes a great VC, is their ability to anticipate the trends and really identify a way before it’s obvious.
With the attack surface being so much larger, obviously, phishing is a huge vector, and we’re seeing a lot of ransomware play out. Now there’s a whole other headache around asset inventory, and unmanaged assets. All of that is very difficult to defend with the workforce not even being in the office. So, SASE is a lot more relevant, and we’ve added to that in our investments, DLP for endpoint, identity and digital trust, and privacy protections.
Watkins: Security is a male-dominated industry, but it’s definitely been growing in terms of the female contributions across functions, from sales to channels to engineering and executive leadership. What mentor figures did you have?
Dayton: I had a lot of mentors. For example, my CEO at SurfControl was Pat Sueltz, and she would call it Pat ‘Sueltz’ like ‘results,’ because it was really hard to spell. She was a badass in every way. And same with the Chief Legal Officer at FireEye, Alexa King. She’s handled some really tough waters recently, and she’s just unflappable, and ridiculously intelligent, and just amazing.
I love the women on your team. Tera (Davis) is fantastic at just smoothing everything out. You’d never know what she does behind the scenes and yet she does everything. She’s definitely someone to look up to in terms of building an amazing business.
Join Randy Watkins and other special guests on SON OF A BREACH!
While women’s numbers in cybersecurity lag behind men, female leaders in our industry continue to pioneer the way forward. Episode 4 of our SON OF A BREACH! podcast series celebrates International Women’s Month with security visionary Didi Dayton, who joins host and CRITICALSTART Chief Technology Officer Randy Watkins for some timely insights into security growth investments and the expanding female influence in cybersecurity.
Dayton is a partner at Wing Venture Capital, responsible for Customer Markets and Programs. She has held executive positions in sales, channels, and alliances for more than 20 years across multiple successful cybersecurity companies, including hyper-growth organizations such as Websense, FireEye, and Tanium.
She successfully led sales and channel teams at companies such as Symantec, Arrow, and Cylance (now Blackberry) through 12 M&A and integration activities. Didi has received CRN’s prestigious Channel Chief award four years running, and she was named to the 50 Most Influential Channel Chiefs and the Power 100 Women of the Channel.
Tune in for expert perspectives on:
Dayton and Watkins also deliver shout-outs to some of the leaders who have influenced them most in their careers – who just happen to be women.
Watkins also provides highlights of how SolarWinds testimony before the Senate Intelligence Committee became a blame game, plus the recent attack against Microsoft Exchange Servers by a suspected Chinese-based attack group.
Do you know how to find the right talent and skillsets to build up your Security Operations Center? Or are you looking to start or enhance your career as a security analyst and want to know what training and certifications will take you to the next level?
Either way, don’t miss Episode 3 of our SON OF A BREACH! podcast series. Host and CRITICALSTART Chief Technology Officer Randy Watkins welcomes Jordan Mauriello, CRITICALSTART SVP of Managed Security Services, for an insightful look at how to find, train, and develop the type of talent needed to rock your SOC.
Mauriello has military, government, and corporate backgrounds in cybersecurity, with experience in everything from penetration testing and malware reverse engineering to physical security, executive protection, and training. His visionary approach to leadership focuses on coaching and engaging highly technical personnel in the workplace.
Tune in for expert perspectives on:
Before the deep dive with Mauriello, Watkins highlights the ever-evolving SolarWinds saga and the latest in nation-state sponsored activity by Russia, China, and North Korea.
What do a $10 billion funding request for cybersecurity, a massive collection of 3.2 billion passwords hitting the web, and the godfather of threat detection have in common?
Among other things, they’re all featured in Episode 2 of our new SON OF A BREACH! podcast series, “Chuvakin be kidding me,” available now.
Tune in to hear host Randy Watkins, CRITICALSTART’s Chief Technology Officer, share his perspectives on recent news topics:
Joining Watkins for this podcast episode is threat detection and security expert, Dr. Anton Chuvakin, who currently focuses on security solution strategy for Google Cloud.
For several years, Dr. Chuvakin covered security operations and detection and response topics at Gartner, where he was Research Vice President and Distinguished Analyst at Gartner’s Technical Professionals (GTP) Security and Risk Management Strategies team. He has authored several books and published dozens of papers on the topics of security information and event management (SIEM), log management, and Payment Card Industry Data Security Standard compliance.
Watch Out for These to Get the Most Value From SIEM
Some organizations falter with SIEM utilization, log management, and detection correlation, Dr. Chuvakin says, due to a variety of reasons.
“I have encountered more projects killed by mismatched expectations than anything else,” he says, adding that lack of headcount, talent, and sufficient resources to keep SIEM running, and lack of a use case approach have “sunk a fair number of projects, too.”
He also observes, “Lately, the frustrations of trying to make good insights, good security insights, out of bad data have kind of boiled over.”
Tips for Approaching SIEM and Detection Use Cases
Dr. Chuvakin recommends organizations step back and consider use cases before they actually implement SIEM in their environment.
“Start thinking, okay, what are my use cases?” he advises. “Am I buying for compliance? Reporting? Am I buying it to support my incident responders? If I’m detecting threats, what kind of threats? … What sort of data do I need to get?”
Instead of approaching SIEM as a huge detection project, Dr. Chuvakin suggests coming at it as “a sequence of use cases where you iterate, you learn, you implement simpler ones, and then you grow to others.”
Perspectives on Detection and Response Models
While at Gartner, Dr. Chuvakin coined the term “endpoint threat detection and response” to describe what was then a new family of tools designed to increase visibility by using endpoint data. From that came extended detection and response (XDR), which uses multiple data sources for even more visibility in detection and response.
Asked for his thoughts on XDR, Dr. Chuvakin says his perspective has evolved over the years. “My initial reaction a couple of years ago about XDR was kind of annoyance. But at the same time, it was invented at a competing analyst firm, so it’s sort of a normal reaction.”
He says he remains a SIEM fan, but the starting point for detection can be EDR as a viable alternative. “If you expand from that point, you become extended from EDR, and that’s XDR. So, to me, the XDR is a security threat detection monitoring model where the EDR leads, and then other things extend from that.”
Want to learn more about cybersecurity options for your organization? Contact us today.
Additional Resources:
It’s no secret – there is a severe talent and resource shortage in cybersecurity, but what is the impact it’s having on our businesses? CRITICALSTART’s Jordan Mauriello and Michael Balboni, former advisor to Homeland Security, talk about strategies to address cyber defenses given these shortages.
Full Transcript:
JM: Hey guys, Jordan Mauriello with CRITICALSTART here, Senior Vice President of Managed Services. Today I have with me Michael Balboni, President of Redland Strategies, former Senator, Assemblyman, advisor to Homeland Security. Honored to have him here with us today. We’ve been doing some awesome discussions about things that we’re doing at CRITICALSTART and working with Redland Strategies.
JM: Today we wanted to take an opportunity just to talk to Michael about some general cybersecurity issues. He’s a major influencer in our community. I know many of you already know who he is and has had a major impact even on some of the legislature that we’ve seen around our industry too as well. We want to take the time to get some thoughts from him on some of the direction the industry’s going impact that some of the changes we see in cyber in general are having on national defense, the role of Senate and Congress, and where that’s going from a legislature perspective.
JM: We’re going to open up and have a nice, fun conversation here about some of these issues. Thank you so much for being with us, Michael.
MB: Thanks for having me Jordan, and thanks for your service to the country in the military.
JM: Thank you very much, sir. I appreciate your support.
—
JM: Probably the next biggest problem in security outside the signal to noise ratio problem is talent, resources, and resource shortages. If you’re not a core competency in security or technology and then you’re trying to hire security and technology professionals, well now are you going to compete with organizations who are going to pay a premium for those because those resources are going to bring in revenue for those. I think it’s a big problem we see out there. Obviously, there’s a massive talent pool shortage, but it’s also so competitive for cybersecurity resources today.
MB: It’s funny. When I was back in the Senate, and this was a long time ago, 2005-2006. I actually introduced legislation to try to create scholarships at State University level for the creation of cybersecurity courses. You’re absolutely right. There is an absence of well-trained cybersecurity. Other nation-states like China have basically institutionalized the cyber hacking. They’re training all these cadres of soldiers to learn how to do this. I’m not saying we set up hackers, but I think in terms of understanding what the IT security dynamic is, we need to do a lot better of that with our institutions, our educational institutions. In the absence of that, a lot of companies are uncomfortable with offloading that responsibility of monitoring and responding to network threats. First of all, it’s expensive a lot of times and secondly, you don’t necessarily have control of everything that’s in your environment.
MB: A lot of companies might be dealing with sensitive information. Again, having insurance, having a well-qualified vendor, those are steps along the way, but there should be other strategies where you can internalize your cyber defenses so that you can give assurances to the board of directors, to your shareholders, to your customers and frankly to your staff that you have worked through all the different possibilities of what cyber could mean and you’re going to continue. You’re going to make sure that the systems you’ve set in place will create a business as usual environment.
JM: That’s a great answer. I think it’s a great way to approach the board is that you’re talking about helping keep business as usual as the primary goal and focusing on your core competencies.
What role does the government play in cybersecurity? Is it a private sector or government responsibility? Find out what CRITICALSTART’s SVP of Managed Security, Jordan Mauriello, and Michael Balboni, President of Redland Strategies, and former Senator, assemblyman, advisor to Homeland Security, had to say about this issue and more.
Full Transcript:
JM: Hey guys, Jordan Mauriello with CRITICALSTART here, Senior Vice President of Managed Services. Today I have with me Michael Balboni, President of Redland Strategies, former Senator, Assemblyman, advisor to Homeland Security. Honored to have him here with us today. We’ve been doing some awesome discussions about things that we’re doing at CRITICALSTART and working with Redland Strategies.
JM: Today we wanted to take an opportunity just to talk to Michael about some general cybersecurity issues. He’s a major influencer in our community. I know many of you already know who he is and has had a major impact even on some of the legislature that we’ve seen around our industry too as well. We want to take the time to get some thoughts from him on some of the direction the industry’s going impact that some of the changes we see in cyber in general are having on national defense, the role of Senate and Congress, and where that’s going from a legislature perspective.
JM: We’re going to open up and have a nice, fun conversation here about some of these issues. Thank you so much for being with us, Michael.
MB: Thanks for having me Jordan, and thanks for your service to the country in the military.
JM: Thank you very much, sir. I appreciate your support.
—
JM: One of the things that I was really interested to talk to you about today and get your thoughts on specifically was, what role do you see Senate and Congress playing in cybersecurity here in the near future? Obviously, I think you were a big proponent of even some of the involvement, the debate that happened over the last couple of administrations. How do you see some of that playing out here in the future?
MB: Ever since the Bush administration, after the 9/11 attacks, there was a focus on cybersecurity. As the threats began to evolve 2004, 2005 there were changes to the way we did intelligence or changes on the outskirts of the cybersecurity. What happens is every time there’s a bill that Congress or the Senate puts forward to try to set up goals for what cybersecurity, cyber resiliency, cyber compliance should look like, they will always be shot down. A lot of times, it was the US Chamber of Commerce that would come in and sit there and say, “You know what? We don’t think that changing the rules by which people play is going to be an effective strategy because the rules change as the threat changes, as the landscape, as the IT develops and evolves.” What’s happened, is the administrations, whether it’s Bush, Obama, Trump where they’ve all come back and they’ve said, “Let’s do it by presidential directive.”
MB: It actually morphed into Obama, the Homeland Security privilege … sorry, cyber resiliency, which I think was the first way they started and they had a presidential directive that basically set up a guideline. Now what’s also happened is that the regulatory agencies, the Securities and Exchange Commission, the CMS, the Office for Privacy and the Health and Human Services, they’d come out with very rigid guidelines as to how do you protect personally identifiable data, how you protect patient health information. They’ve set up all these requirements that really follow the National Institute of Standards and Technology Standards that a lot of people sit there and say, “Okay, this is what we ought to be doing but they’re more advisory at this point in time than actually you have to comply with them.” We’ve seen the goalposts of what constitutes a cyber secure society move as different players get involved if an industry is regulated.
MB: If you went to the library of Congress and when you grabbed into the shelf and wanted the book on cybersecurity and in the United States, you wouldn’t find it. There’s all sorts of different rules and regulations, and therefore you have a different kind of compliance bandwidth on that. Congress and the Senate are trying to wrestle with this all the time. They know the threats and the huge issues as it place to local government but then there’s this big issue that you and I’ve talked about it.
MB: What is the role of government in cybersecurity? Is it a private sector of responsibility and not a government responsibility? It’s two schools of thought. One is, you view cybersecurity as bricks in a wall, and every time a corporation does something that makes us more secure, every time a government agency does something that’s more secure, it builds up the wall of defense.
MB: Therefore, there’s a real role that the private sector needs to take on their own. We should incentivize them to get really serious about cybersecurity. The other school of thought is it really is the government’s responsibility. If God forbid, the Canadians became bellicose and started attacking Plattsburgh, New York right on the border. Certainly, you’d have all of DODs assets coming into Plattsburgh and protecting them. There’s the school of thought that says, “No, no, no, no, no. This is a national security initiative and a priority, and therefore the federal government should be funding, they should be providing expertise and they should be providing monitor and response to any type of cyber incident.” We’re really good. We have not as a country, we’ve really not come to one decision as to how we’re going to handle cybersecurity.
JM: Yeah, I think it’s a fascinating thought that you shared about. If we looked at kinetic warfare, the response is always that the federal government absolutely is responsible, but we see so much happening in the cyber warfare landscape where it is nation-state actors, given attribution is always a challenge in any of these cases, but we do know based on the sophistication and even other intelligence mechanisms that we’ve had these kinds of issues. How do we draw that line? How do we find out what is the right response? How much should the federal government be involved? What is their responsibility? I think it’s a challenge in something that we’re going to continue to be working through over the next 5-10 years and the next following administrations too as well.
In next-gen cyberattacks and vulnerabilities, you’re fighting the unknown. Building a catalog of trusted behavior to use as a baseline to determine what falls outside normal business variances is one such strategy to change the paradigm of response. CRITICALSTART’s Jordan Mauriello and Michael Balboni, former advisor to Homeland Security and President of Redland Strategies, talk about trusted behavior and evolving strategies.
JM: Hey guys, Jordan Mauriello with CRITICALSTART here, Senior Vice President of Managed Services. Today I have with me Michael Balboni, President of Redland Strategies, former Senator, Assemblyman, advisor to Homeland Security. Honored to have him here with us today. We’ve been doing some awesome discussions about things that we’re doing at CRITICALSTART and working with Redland Strategies.
JM: Today we wanted to take an opportunity just to talk to Michael about some general cybersecurity issues. He’s a major influencer in our community. I know many of you already know who he is and has had a major impact even on some of the legislature that we’ve seen around our industry too as well. We want to take the time to get some thoughts from him on some of the direction the industry’s going impact that some of the changes we see in cyber in general are having on national defense, the role of Senate and Congress, and where that’s going from a legislature perspective.
JM: We’re going to open up and have a nice, fun conversation here about some of these issues. Thank you so much for being with us, Michael.
MB: Thanks for having me Jordan, and thanks for your service to the country in the military.
JM: Thank you very much, sir. I appreciate your support.
—
MB: Maybe we need to change the whole paradigm of how we look at threats. Are we looking for the bad or should we look at behavior in a trusted kind of way? And maybe build a database, a registry, if you will, to be able to catalog what are the normal course of business operations that we know are trusted behavior and maybe create that baseline that if there’s a variance of that, that we can instantly go and say, “Whoa, that’s what we have to take a look at,” and everything else, you push it back and say, “No, no. Not coming in.” I think that might change the paradigm of response. I’m really interested in that strategy.
JM: Obviously, we agree with you on that one fundamentally as it’s part of our model even here is working off of a model where you’re building a trusted behavioral registry. I think that’s a paradigm shift that the industry has to seize. We constantly play this game where we’re chasing the known bad and always looking for how to identify bad in a higher fidelity mechanism or to add more detail enrichment to known bad, so that we can find it in this massive sea that we talked about earlier.
JM: It’s not working for a couple of reasons. You just talked about the attacker advantage. The attacker advantage is they only have to be right one time, right? We only have to be wrong one time to lose. The expectation that we would hit 100% as defenders is unrealistic. That’s why we have to have that resiliency. I think that’s why the model, the paradigm for analytics, for how we look at data insecurity has to be shifted so dramatically because we are not catching up. We’re definitely falling behind when it comes to that mechanism.
MB: We’re really obsessed with the infrastructure of security and we’re not data-centric. It goes back to your original comment about how we triage what we need to protect. You don’t need to protect everything. No, you don’t. I’m not saying that you should tolerate intrusions, tolerate breaches, but you should at the very least focus all of your efforts on protecting the main point of your company, your business, the people you serve, which is their data and the data you have as your company.
MB: From that perspective, we’ve got to be able to stop anything from getting into that environment. The question becomes “How do we do that effectively, timely?” One of the things that really gets me crazy is when I hear about the dwell time stories, that is the amount of time that malware will sit on a network before it’s discovered and addressed. In that time, so much damage can be done.
MB: As we talked about beforehand, surveilling the network for vulnerabilities, surveilling the network for assets that you might want to raise up in terms of their profile, we want to go get this stuff and then being able to use, to recognize other avenues to get into other networks. A lot of times, what we’re seeing now is that one of the attacks that that will be used is to take a network and make it to a bot network and basically commandeer that network and say, “Okay, now we’re going to use it and we’re going to attack others,” and then you send a note to the network administrator saying, “By the way, we’ve compromised your network. We’re going to use your network to attack others unless you pay this amount of ransom.”
JM: There’s no lack of invention or creativity from the development of different threat factors, but there is a lack of imagination when it comes to how we prevent those things from happening because we’re stuck in his defense, this castle keep type of mentality.
JM: I completely agree and I think you’re right. You see all these different creative mechanisms in the attack. You’ve talked about turning it into a botnet, whether that’s for attack or even for what we call crypto-jacking today. They’re going to take those systems and use the computing resources to mine cryptocurrency. We have all these creative mechanisms. Again, getting back to monetizing that threat. I think the dwell time remarks are dead on. I think some of the reports we’ve seen from some of the big players doing threat intelligence in our space, they’re scathing analysis of our industry’s capability when we’re looking at dwell times in excess of 45, 80, 120-day dwell times as averages in different sectors in our industry.
JM: You definitely see this massive difference in organizations and capability and there’s not a standard set maturity.
How do you stop the burgeoning field of cybercrime? From ransomware to malware as a service, the monetization of security threats is growing. Yet given this literal fire hose of threats, how do security teams efficiently and effectively identify real threats? CRITICALSTART’s Jordan Mauriello and Michael Balboni, former advisor to Homeland Security, have some thoughts on this issue.
Video Transcript:
JM: Hey guys, Jordan Mauriello with CRITICALSTART here, Senior Vice President of Managed Services. Today I have with me Michael Balboni, President of Redland Strategies, former Senator, Assemblyman, advisor to Homeland Security. Honored to have him here with us today. We’ve been doing some awesome discussions about things that we’re doing at CRITICALSTART and working with Redland Strategies.
JM: Today we wanted to take an opportunity just to talk to Michael about some general cybersecurity issues. He’s a major influencer in our community. I know many of you already know who he is, and has had a major impact even on some of the legislature that we’ve seen around our industry too as well. We want to take the time to get some thoughts from him on some of the direction the industry’s going and the impact that some of the changes we see in cyber in general are having on national defense, the role of Senate and Congress, and where that’s going from a legislature perspective.
JM: We’re going to open up and have a nice, fun conversation here about some of these issues. Thank you so much for being with us, Michael.
MB: Thanks for having me Jordan, and thanks for your service to the country in the military.
JM: Thank you very much, sir. I appreciate your support.
—
JM: One last thing I’ll ask you before we wrap it up here today. If you could make one recommendation to C-suite executives about cybersecurity and risk, what would that recommendation be today?
MB: The recommendation would be to spend time thinking about your data and what needs to be protected. How are you protecting it today and is there a better way to identify the threats? The old metaphor I use is if you knew where a fire was going to break out during the year, you knew the day and the time that a fire was going to break out, even on a place like my home area of Long Island with 3 million people, but you knew where a fire was going to break out, you would only need one fire department.
MB: They could go there and they can wait, what’s going on? The same analogy works with, if you knew where threats were coming from and you could actually resolve and get rid of so much of the uncertainty and only focus on the things that really mattered that went after your core data and you could stop that, that’d be such a better use of time, much more cost-effective and frankly give you the surety that you have the ability to identify and stop a threat. That’s really where I want CISOs to get to.
JM: That’s great. Well, I so much appreciate your time. Thanks for being here with us.
MB: It’s been great working and collaborating with you. This is a really important topic.
JM: It’s a pleasure. All right. Well, thank you guys for joining us today. We appreciate it and hope you enjoyed our topics.
How will wars be fought in the future? Are we keeping up with the times in cyber warfare as a nation? As these questions linger, one thing we do know: the U.S. has woefully under-resourced the country’s cyber defense as we have not decided which critical assets need protection. Former advisor to Homeland Security Michael Balboni shares insights with CRITICALSTART’s SVP of Managed Security, Jordan Mauriello, on cyberwarfare and what the U.S. needs to do to prepare.
Full Transcript:
JM: Hey guys, Jordan Mauriello with CRITICALSTART here, Senior Vice President of Managed Services. Today I have with me Michael Balboni, President of Redland Strategies, former Senator, Assemblyman, advisor to Homeland Security. Honored to have him here with us today. We’ve been doing some awesome discussions about things that we’re doing at CRITICALSTART and working with Redland Strategies.
JM: Today we wanted to take an opportunity just to talk to Michael about some general cybersecurity issues. He’s a major influencer in our community. I know many of you already know who he is and has had a major impact even on some of the legislature that we’ve seen around our industry too as well. We want to take the time to get some thoughts from him on some of the direction the industry’s going impact that some of the changes we see in cyber in general are having on national defense, the role of Senate and Congress, and where that’s going from a legislature perspective.
JM: We’re going to open up and have a nice, fun conversation here about some of these issues. Thank you so much for being with us, Michael.
MB: Thanks for having me Jordan, and thanks for your service to the country in the military.
JM: Thank you very much, sir. I appreciate your support.
—-
JM: How do you think specifically when we talk about how wars are going to be fought in the future and we look at it what national defense mechanisms we have and how those have to change. How do you see that evolving and do you think that we’re staying up to speed and with the times from a cyber warfare perspective as a nation?
MB: I think that we have woefully under-resourced our cyber defense. The reason why I said that is because we have not decided what are the critical assets we need to protect. You can decide that there’s a triaging of national assets and national vulnerabilities that we need to fix collaboratively, that the private-public partnership should and is the model, particularly if you adopt some of the standards like that NIST standard we referred to before. At the same time we haven’t really decided, “Well, is it power plants we need to really focus on? Is it healthcare?”
MB: We’ve seen the “WannaCry” ransomware attack and the Ryuk attack that have convinced the world, “Boy, it’s pretty easy to get a worm into a network, be able to search across the entire network, find vulnerabilities in that.”
MB: In the case of WannaCry, of course it was the Windows program that had been unsupported, unpatched and then spread throughout the world, throughout the globe, and have potentially dramatic impacts on how things happen. Of course, whether it was the British hospital network, whether it was the Maersk shipping where ports actually were close to being shut down, these things that have a global impact, we have not figured out first of all how to classify them. Is that an act of war? If you knew, if you could really prove that a particular nation-state perpetrated this act, is that an act of war? Do you go from the digital to the kinetic? In addition, our intelligence community, we want to know who is attempting to get at us.
MB: We want to know their level of sophistication. We want to know what assets they have available to them. We want to know where they’ve been beforehand because everybody in the cyber world understands that it’s not like you weaponize a payload, distribute it into a network, and then immediately begin executing commands to either steal data or to interrupt the operating network. They may lay dormant, dwell time is what we call it, where they’re going to wait and they’re going to basically surveil the operating environment and see what other vulnerabilities exist to see what other assets they could go after. Map that and then get that information out to their controllers to say “So, here’s what you could go after. You tell me where and when you want to go after.” There’s no immediacy of the attack and response.
MB: The last piece is we walk around with our cell phones and we have more computing power on our cell phones than they had on the first lunar lander.
MB: It’s ubiquitous computing. Matter of fact, there’s a statistic that by 2023, I believe it is, there will be 7 billion phones on the planet. Much more than obviously the population of the earth. Each one of them has the ability to communicate, to calculate, to transmit data, and therefore, become a single point of entry into a network.
MB: How do you secure all those endpoints and how do you make sure that people are aware of the fact that they have a vulnerability that they’re walking around their pocket with? A lot of information needs to get out there. A lot of understanding, awareness, and then strategies and solutions.
Full Transcript:
LW: Welcome. Thanks for joining everyone, my name is Lee Waskevich, vice president of security and networking strategy here with ePlus. Today, I’m joined by Randy Watkins with CRITICALSTART.
RW: Hey! Thanks for having me on.
LW: Absolutely, absolutely. appreciate you joining us.
LW: So, we’re going to run through a few different questions today, mainly regarding manage detection and response. We’re seeing a ton of activity in speaking with our clients around the subject, customers that are dealing with attack vectors, moving workloads into the cloud. They’re struggling with retaining talent or training talent, being able to provide a strong sense of security operations. From your vantage point with CRITICALSTART, why do you see MDR is gaining so much attention.
RW: There’s a lot of traction in the space and there’s multiple reasons for it. Something that we come across, pretty generally when customers are looking at MDR, is the ability to provide 24×7 monitoring.
RW: So, that’s something that is kind of being amplified in terms of importance because of nation-state sponsored attacks or crime-based attacks that are overseas. And they operate on much the opposite schedule than a typical eight to five security team does. So, just that availability of 24×7 response is driving the overall MDR market.
RW: Another thing that we see pushing us forward in terms of MDR momentum is operationalizing technology. I’m sure everybody’s seen it or been there, done that. But you look at the technology that a customer has or that an organization has, and they’re not using any of it. It’s kind of there but it’s not plugged in, or it’s plugged in and nobody is looking at it. And what that results in this is kind of wasted resources. And as resources are so limited, organizations really have to take advantage of everything that they have and that means fully operationalizing their technology.
RW: Well, you kind of talk about the lack of resources in the space and how hard it is to attract and retain those resources and, you know, kind of transferring that risk of the resource is a good choice for organizations that want to be able to operationalize their technology.
LW: Ok, great. Yeah, we see that as well. You know, consulting with clients and their security program, relooking at their architecture, we see a lot of shelfware out there. You know, they’ve made good, strong choices, but I think they get drawn into the day to day type stuff and they never go back and optimize, they never go back and integrate those technologies. So, a service like MDR helps to put a lot of that operational piece together.
LW: How about from the size of organizations that are good candidates for MDR. Can you comment on what you see in terms of who makes a good customer for Managed Detection and Response?
RW: Yeah. So, when we started the MDR business about five years ago, we really thought that our average customer size was going to be between 500 and 1,000 users. We figured that was a sweet spot and we really looked at it like that because we figured the larger organizations, the enterprises, people with 5,000, 10,000, 50,000 users. They were going to have a more mature security program. And we started to really market towards the SMB space, that 500 – 1,000 users.
RW: Well, what we found after the first year was our average customer size is about 1,500 and growing. And it was because, although we’d love to assume that large organizations have much more secure environments, that wasn’t necessarily the case.
RW: So, now what we see is kind of broad adoption of MDR from the 10-person dentist office, all the way up to, you know, we have customers that are 100,000 users. And it’s because of what you just talked about.
RW: They’re continuously going from implementation to implementation to implementation. They never really get to operationalize the technology. So, they install a SIEM, they install IBS, they install an EDR, but they’re not really getting anything out of it, because when they get done installing it, they move on to the next project. They never get to resolving those alerts. So, even the larger organizations are having a difficult time getting the resources to both implement and operationalize the technology.
RW: So, right now our average customer size is probably somewhere in the 8,000 users range, but we have customers that are 100,000 endpoints, we have customers that go through MSPs that are 10 endpoints. There seems to be no bounds as to what a good market for managed detection and response is.
LW: Ok. So, it really can cover any size and scope of an organization as long as they have the guidance to see, “Hey, we really need to spend some, some focus on operationalizing things.”
LW: You know when you, when you look at managed detection and response, you know, the detection and response piece was, you know, kind of came along for the ride with endpoint detection and response. We saw technology providers, software, around that endpoint shift over the past 18, 24, 36 months. Why do MDRs focus so much on the endpoint and how does CRITICALSTART use that in relation to their service?
RW: There’s two main reasons that we focus on EDR. One, it’s a definitive source for information. And what I mean by that is, if you think from an analyst perspective what you’re going to do when you get a firewall alert or an IDS alert or a, I mean, most types of alerts. If I get for instance a blocked outbound C2 communication, the first thing that goes through my head is, “what’s happening on that endpoint that is causing it to communicate outbound to a C2”, right?
RW: So I’ll want to identify the process that’s trying to communicate the user contacts, how did that process get there. I really want to dig in and figure out, not the nature of the network request, but what’s making that network request.
RW: So, that’s the first reason. The second reason is because the endpoint is the best place for response. I mean, there’s really two places you really want to be able to respond and that’s on the endpoint and via Active Directory with disabling user accounts.
RW: We really look at the endpoint as a way for us to, you know, we have managed detection and response, we look at the endpoint as a great way for us to respond.
RW: We did, for a while, block things at the firewall and what we found was users are mobile. They would take their laptop home and all of a sudden they’re beaconing out again. So, that’s why we have a focus on endpoint.
RW: Now at CRITICALSTART, we make very, very deep technical integrations. What we do is, we’ll use API’s to pull in the alerts that are created by these different endpoint products, and then we use the API’s to go back and get additional information, as well as performing those response actions.
RW: So really, we’re making our integration so tight that our analysts and our customers can work through our platform to do just about everything they can do inside of that endpoint. And what that does is it breeds efficiencies.
RW: The endpoint is really a strong place for us to kind of leverage the technology to not only create the service but also gain that efficiency of keeping all of our analysts in a single queue, in a single platform.
LW: Okay. All right great. That makes a ton of sense. I think another unique aspect is your model for resolving alerts, right? Many SOCs and MSSPs and customers that try to do it on their own, they deal with alert fatigue because there’s so many events and things like that coming in. Can you talk about how you accept risk and the models that you have around resolving alerts?
RW: Yeah. So, in terms of risk acceptance, we don’t, right? Because that’s on the customer to do. When you look at, I think it’s important that you called out MSSPs, MDRs, as well as internal SOCs. They all suffer from same issues, which is we’ve looked at security products we’ve looked at manufacturers to be extremely effective at detecting attacks.
RW: The problem is, when you’re effective at detecting attacks, you’re typically over detecting as well, right? It’s always better to err on the side of a false positive.
RW: So looking at how MDRs, MSSPs, and in-house SOCs, looking at how they respond to these alerts that are coming in and the false positives. There’s really two ways that we’ve seen organizations deal with this. The first was what we call input-oriented, where you’re essentially shutting off speeds and feeds that are maybe lower fidelity or that garner too many alerts. And the problem with that approach is, you’re accepting unquantified risk. I mean, you’re accepting risk that you don’t quite know you have because you turned off the product’s ability to detect that risk.
RW: So that kind of makes the product was effective and what ends up happening is, you get breached and you go, “Why didn’t we pick this up?”. Well, because you had to turn off the rule
RW: The second way that we see is called prioritized or priority oriented. This one is extremely common. We see it in SOCs, we see it in different MDRs and MSSPs. And this is where you kind of start at the top of criticality and you work your way down the stack until you run out of resources.
RW: So, “Hey, we’re going to look at criticals. If we have enough time, we’ll look at highs.”
RW: Most organizations never get to the mediums and lows. The problem with that is you’re accepting quantified risk. So now you know that it’s risky, you have it up on the board in your SOC but you say, “Oh, it’s a medium. We don’t have the resources for the organization that the business is going to accept that risk.”
RW: And that one’s kind of dangerous because we have pretty well-documented cases of multiple times when an alert has shown up in a SOC, but it was a medium or low and it got kind of brushed off, and then it resulted in significant breaches, executive-level turnover, massive disclosure, billions of dollars in loss.
RW: So, when we started the MDR. The goal was to not do any of that. Hot tip for anybody watching, if you want to accept risk, you don’t have to pay anybody to do that. You can just do that by yourself.
RW: So our model seeks to accept no risk. So what we do is, we look at every single alert that a product generates, that a security product generates, and we resolve every single alert that comes in, so we’re not accepting risk and we’re not limiting the effectiveness of the product.
LW: Ok. Yeah, makes a ton of sense. You’re taking it all in. You’re the ones making the determination on that through your technology, through your skills and training. Alright. Excellent. Yeah, that makes a ton of sense.
LW: I think another important piece, outside of you mentioned how you do so much around technology integration, you’re leveraging the technology stacks that a customer has, but there’s also a people component to this, right? Because when a customer interfaces with their service provider, especially as security service provider, many times it’s over email, or they’re picking up the phone and calling someone. Can you talk a little bit about CRITICALSTART’s culture and the analyst retention rate that you guys have?
RW: Yeah. So, we consider ourselves a technology-enabled service. And when you look at the spectrum there’s kind of two sides and then the middle. So the two sides, you have MSSP on one side. They view this as a people problem. We’ll throw more people at, throw more people at it, throw more people at it. That usually results in high turnover, because you’re not solving the underlying problem.
RW: But then there’s a SaaS model. The SasS model says this is purely a technology problem and we’re going to create a platform that does all this automatically.
RW: And then there’s kind of tech-enabled services that sit in the middle and that’s where we are.
RW: So what we did was we created the platform first that helps us resolve every alert. And then we found a way to kind of avoid analyst burnout. If you look at the number one reason of analyst turnover, it’s because they’re all looking at the same alerts over and over and over and over every day, and there’s no resolve. So, we built a platform that allows us to get rid of that problem by resolving every alert, and then once we see it once, we’ll automatically resolve it in the future.
RW: Well, what that has led to is a 99% employee retention across all of our SOC analysts. We’ve lost one analyst last five years. And what that means is, we can spend a tremendous amount of time, energy, resources, money training these analysts to be fantastic, world-class analysts. There’s an old adage I love to refer to: would you rather train an employee and risk them leaving, or not training an employee and risk them staying? Well, if we solve the problem of them leaving then we can sink the resources into training them and making the world-class analysts.
RW: So, all of our analysts go through about 160 hours of training before they ever touch or see customer data. After that when they become an official tier-one analyst, they know how to get to become a tier two and that involves x86 and 64-bit programming classes so they can start the reverse malware. Now that’s just at tier-two. There’s tier-three and four as well. They get into threat intelligence and campaign identification, as well as different leadership roles.
RW: So really what we did was, we created the technology that really encourages people to stay and it kind of gets rid of the mundane, so every alert they open up has the potential of being a new APT, a new piece of ransomware, a new piece of malware. And then we train them to really dive into every single one of those alerts and what the result is, is a fantastic service for customers where they feel like they have a world-class SOC at their fingertips because they actually do.
LW: Gotcha. No, that makes total sense and it does provide, I think from putting myself in the customer’s shoes, a higher level of confidence in the resources that are helping me to operate my security and to help detect and respond against those threats. So that’s great. Thanks.
RW: To add on there, what we see is customers being able to elevate their resources, because of our resources. So we go into a lot of organizations especially these ones that have 10, 15, 50,000 users. They already have a security team. It’s not enough to provide full 24×7, but there is a security team there.
RW: And a lot of times when we come in, the analysts on the team they’ll start to have this whole “are you outsourcing my job” type mentality. No, no, no, no. We’re taking the tier-one and two. We’re gonna escalate things to you to be responded to. You get to elevate your position to incident responder to pentester to threat hunter. You get to get rid of this, “Hey, I’m looking at all of these alerts today,” and you get to really move into, “I’m going to find something unique, interesting, truly different inside of my environment.”
RW: So, our resources and the training that we put into that really kind of allow the customer to elevate their limited resources to positions that are more valuable to the company.
LW: Right. Yeah, that’s especially true right now. Especially as budget are tightening and others want to make sure the resources are being used for what they were hired to do or what they had the capabilities to do.
RW: Exactly!
LW: That’s where the strengths going to be. Very much agree.
LW: Last question, we’ve been having this conversation a lot around, you know, this is being recorded in Fall of 2020, so you know since the march time frame, since everything that’s gone on globally this year. What has changed in your world since that time and what you’re seeing from both, you know, the CRITICALSTART standpoint of the security spectrum, if you will, of all of these threats and alerts, as well as your dealings with clients.? Any insights you could provide there?
RW: It’s been a rough couple of months, right? I mean, a lot of organizations trying to adapt and figure out how to keep their business operational during this time of COVID. We’re seeing a lot of users go into work remote, including the security team. And that’s what most organizations are, that we’re talking to, or dealing with, or that we’re exposed to, is “hey, how does my security scale across all these remote users?” Because when users go home, regardless of whether they’re using a corporate asset or a personal asset, they’re more likely to do things that maybe aren’t work-related that generate more and more alerts. So, what we’re seeing is a lot of users going to work from home or working remotely and then a spike in alerts, but because the security team is now all remote there’s an inherent efficiency loss. So, you have more alerts, you have less efficiency on the security team, and you have to deal with every one of them because hackers see this as a great opportunity.
LW: Yeah, exactly.
RW: From an attacker’s perspective, never let a crisis go to waste, right? So, we’re seeing massive email campaigns with a ton of COVID attachments, we’re seeing a lot of drive-by downloads, we’re seeing a lot of spear phishing, we’re seeing a lot of email compromise, we’re seeing a lot of whaling. I mean, kind of all the attacks are starting to bubble up, not just because COVID is a great excuse to send out an email, but also because it’s very difficult for me to kind of yell across the room and says, “Hey, are you sure you want me to transfer this money”.
RW: So, this whole remote worker issue combined with the hot topic of COVID for attackers to leverage, is really just spiking the alerts. From our perspective on the business side, we’re seeing a lot of customers come to us saying, “how do we remedy this.” And we have a pretty obvious answer, you know, Managed Detection and Response. Let us take the tier one or tier two and some of the response capabilities, use your limited resources to help deploy policy or provide user education, and let’s see if we can drive up the security posture of the organization although everybody is remote.
RW: So, it’s kind of this perfect storm that we’re trying to fight against and it’s a unique battle.
LW: Yeah, exactly. We see the same thing from the ePlus side and it’s about helping that customer to drive their program forward. So yes, this Managed Detection and Response becomes a very, very important piece of that. And dealing with, you know, preying on the curiosity of people, preying on the fact that everyone is so distributed, there’s a lot of weak areas of the chain, if you will, that can be exploited and without the proper controls and without proper emphasis and focus on it, it’s really difficult for organizations. And we see it every day in the news, something different on either a breach type attack, a lot of ransomware being hit. All those pieces can be mitigated to a degree with the proper precautions being taken. So awesome. I appreciate that.
RW: Yeah and that’s another reason why we focus on the endpoint. Gartner has their triad of logs, network, and endpoint, and nothing against network, but when all of your resources are distributed and once you have always-on VPN backhauling all the traffic, network kind of wanes in importance,
RW: But you’re going to have an agent, right? So, we focus on endpoint because it allows us to reach out and touch those remote resources and still maintain some level of visibility and protection even when the users are working from home using a SaaS-based application.
RW: We’ve had to find better ways to go out and work with those remote resources. A lot of customers that are we’re talking to are reevaluating their endpoint solution to make sure that it’s the right one because now that’s growing in importance. We’ve done a lot of consultation with ePlus and customers saying, “Hey, let’s have ePlus work through all your different requirements and find the right solution, then we can sit on top of it and manage it”.
RW: One of the big perks for CRITICALSTART is, we don’t just tie into one solution. We support multiple endpoint products. So, ePlus can really go in, do some consulting with a customer and say, “Hey, based on your requirements your organization, this is probably the best solution for you,” and CRITICALSTART can then come on over top do that tier one and two to really not just promote the resources necessary, but also the correct solution.
LW: Right and bringing that full circle then they’re faster time to operation, right? And actually finding that efficiency with the purchase that’s being made, with the investment that’s being done, rather than trying to sit there, integrate slowly roll it out. With CRITICALSTART services on top right away, you’re immediately recognizing that value. Awesome.
LW: Well, thank you, Randy. Once again this has been Randy Watkins, CTO with CRITICALSTART. Don’t let the guitars and black t-shirt fool you. It’s not Dave Grohl even though a few times I thought it might have been. I’m sure Dave Grohl knows much about MDR, but again this is Lee Waskevich. I’m vice president of security at ePlus. Thanks for joining.
RW: Thank, Lee.
“Security is really the art of handling risk” – Randy Watkins, CTO of CRITICALSTART.
It’s clear that managed security services providers (MSSPs) have a ripe opportunity to step into the gap and help small-to-medium-sized businesses (SMBs) and small-to-medium-sized enterprises (SMEs) meet the daunting challenge of preserving the privacy and security of sensitive data.
CRITICALSTART is making some hay in this space — by striving to extend the roles traditionally played by MSSPs. The company has coined the phrase managed detection and response, or MDR, to more precisely convey the type of help it brings to the table.
Recently our CTO, Randy Watkins, spoke to Byron Acohido of The Last Watchdog about the difference between ‘risk-oriented’ versus ‘controlled-based’ security and how quantifying risks is the first step to defending network breaches.
Read Acohido’s blog and listen to the full podcast interview
The Last Watchdog | October 4, 2019
In cybersecurity, humans will always have a role to play. Security incidents need critical decision-making factors that require human analytics. CRITCALSTART’s Jordan Mauriello and Michael Balboni, President of Redland Strategies, and former Senator, assemblyman, advisor to Homeland Security, have some thoughts on the role of humans and where machines fit into cybersecurity.
—
Hey guys, Jordan Mauriello with CRITICALSTART here, Senior Vice President of Managed Services. Today I have with me Michael Balboni, President of Redland Strategies, former Senator, Assemblyman, advisor to Homeland Security. Honored to have him here with us today. We’ve been doing some awesome discussions about things that we’re doing at CRITICALSTART and working with Redland Strategies.
Today we wanted to take an opportunity just to talk to Michael about some general cybersecurity issues. He’s a major influencer in our community. I know many of you already know who he is, and has had a major impact even on some of the legislature that we’ve seen around our industry too as well. We want to take the time to get some thoughts from him on some of the direction the industry’s going and the impact that some of the changes we see in cyber in general are having on national defense, the role of Senate and Congress, and where that’s going from a legislature perspective.
We’re going to open up and have a nice, fun conversation here about some of these issues. Thank you so much for being with us, Michael.
Thanks for having me Jordan, and thanks for your service to the country in the military.
Thank you very much, sir. I appreciate your support.
—
You definitely see this massive difference in organizations and capability and there’s not a standard set maturity. We have some customers that we walk in and we can’t believe how mature they are. Great leadership and they really understand the problems, they know the industry and generally, what we see are guys who have the right experience, come from backgrounds that we’ve kind of expect with the technical understanding and knowledge.
A lot of times they’re from government cybersecurity roles and they have the understanding of how to come and identify and begin to protect a threat. But, we don’t have a standard that we’re committing to either as well. Even though we have some great ones. The NIST cybersecurity framework is fantastic, but how many organizations are actually committing to and doing that today? It’s very, very few.
It’s amazing how many corporations that I’ve seen from a $25 million to a $100 million capitalization that don’t even have a Chief Information Security Officer. It’s their IT guy and their physical security guy and never the twain shall meet that. It’s still that divide. I think that obviously one of the key requirements under NIST is to have a Chief Information Security Officer, have one person who’s responsible for not only setting up the different security architectures, but then monitoring the network, devising a response protocol and being able to call out to different vendors so that you can bring people in and say, “First of all, let’s do a penetration test on my network.” Really, really crucial. Let’s have a vulnerably assessment, periodically. Let’s have training of staff. We always say that defense should be totally, completely automated. Not always. There is a human interface. It’s very important.
It depends upon where in the kill chain, that is the Lockheed Martin developed set of steps that an attacker has to take to make something a weapon, and insert it into a network. Where along the kill chain can a human interface come and recognize the threat and stop it? We’ve kind of lost it. We want to say, as they say, the Terminator kind, machine versus machine. There should be no humans involved. Well, no. That’s not exactly correct. Humans have a role to play. It’s just perhaps further down the line when a threat has been identified and is a resolution to that threat, then the human can play a role in that.
Yeah, I completely agree. I think the importance of artificial intelligence and machine learning has been massively overplayed in our space right now. They become buzzwords and everybody wants to throw them in their technology and say they have ML or AI. The reality of it is it’s still a very limited technology set. You cannot do causation with AI or ML today.
Explain that to me. What do you mean by causation?
An AI and ML cannot answer why something happened for you. When you’re getting to what should be the human interface point in security, maybe you’re using some sort of analytic engine to distill down data. You get an incident that requires analysis and you want to ask, “Why did this happen? What’s the root cause of this incident and can I prove that known good or known bad?” That requires a human. It’s a critical decision making factor that requires human analytics and the machine can’t do that for us yet. Nobody in the world can with AI yet.
Now that’s not to say it won’t. In fact, I think one of the fathers of modern machine learning and AI, Judea Pearl, wrote a great book recently and I highly recommend, called “The Book of Why”. He’s talking specifically about this problem. We can’t do causation yet with AI and ML. We still need to understand that it’s use case-specific, that it applies to certain things, that it can do detection for us, that it can produce maybe some visibility mechanisms we didn’t have before. The end of it, when you’re answering, “Why did that happen and what do I need to do to respond,” that’s a human and it still needs to be a human.
With multiple data points that exist in organizations, how do you know what you need to protect? What constitutes reputational damage or breach for you as a company? CRITICALSTART’s SVP of Managed Security, Jordan Mauriello, and former Homeland Security advisor Michael Balboni share insights on securing data and how to protect your most valuable assets.
Full Transcript:
JM: Hey guys, Jordan Mauriello with CRITICALSTART here, Senior Vice President of Managed Services. Today I have with me Michael Balboni, President of Redland Strategies, former Senator, Assemblyman, advisor to Homeland Security. Honored to have him here with us today. We’ve been doing some awesome discussions about things that we’re doing at CRITICALSTART and working with Redland Strategies.
JM: Today we wanted to take an opportunity just to talk to Michael about some general cybersecurity issues. He’s a major influencer in our community. I know many of you already know who he is and has had a major impact even on some of the legislature that we’ve seen around our industry too as well. We want to take the time to get some thoughts from him on some of the direction the industry’s going impact that some of the changes we see in cyber in general are having on national defense, the role of Senate and Congress, and where that’s going from a legislature perspective.
JM: We’re going to open up and have a nice, fun conversation here about some of these issues. Thank you so much for being with us, Michael.
Thanks for having me Jordan, and thanks for your service to the country in the military.
JM: Thank you very much, sir. I appreciate your support.
—
JM: You know, we haven’t even necessarily decided what to protect. One of the things that I see even as a consultant in doing CISO work for organizations is going in. The first question we’re always asking is “What are the crown jewels? What do you need to protect? What’s important to your business? What constitutes reputational damage or breach for you as a company?” You start with that question and I think often from a national defense perspective that we’re not properly gathering the data on what that answer is. I don’t think we necessarily know exactly what things are the most important to us. We look at the defense systems themselves and we look at DOD and we say, “Okay, well here are our military assets. Let’s protect those vehemently.”
JM: What about the supporting infrastructure? Are we doing enough to protect SCADA systems and critical infrastructure here in it? I think to answer to that, like you said, is it’s woefully uninvested or under-invested and we’ve seen that generally too out in the field as we go out there. We’re very often surprised as we walk into organizations who we would expect to be at a very high standard to see that the decisions around risks that are being made in those organizations are definitely not what we would expect.
MB: In the board rooms, typically board members don’t have an appreciation of the exposure that cyber provides them. They may have a pretty good understanding of what their regulatory requirements are, but they’re not in the weeds as to what steps are being done every day to make sure that their network is safe and operational. A lot of times, they believe that the mission of the corporation, the mission of the board, and that’s what you drive to, and cybersecurity is kind of a one-off. “Yeah, okay. We got to check that box,” but in checking that box, you don’t ask the deeper probing questions and that’s because it’s frankly just too complex.