Do you really need hundreds of questions to know if you want to work with a vendor? Won’t just two or three well-pointed questions really give you a good idea?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Nick Selby (@fuzztech), CSO, Paxos Trust Company and co-host of Tech Debt Burndown podcast.


HUGE thanks to our sponsor Kenna Security


Full transcript

Voiceover

Ten second security tip. Go.

Nick Selby

A lot of times we take a lot of precautions at work, but then we forget about our home network and all of the different things that could be leaking information about our lives. So my ten-second tip is to set up a Pi-hole server, essentially a DNS blocker, for your home. It runs on a Raspberry Pi for free. You can sinkhole all of the traffic from your IoT devices that you don’t want sending information to vendors who have parked things in your house.

Voiceover

It’s time to begin the CISO security vendor relationship podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. My name is David Spark, I’m the producer of the CISO series and joining me, the co-host of this episode of the podcast is Andy Ellis, operating partner over at YL Ventures. We’re available at CISOseries.com. Our sponsor is Kenna Security and we couldn’t be happier with Kenna Security, they’ve been a long-running sponsor and supporter of the CISO series. They do a lot of vulnerability management, in fact I could say our sponsor is Cisco because they just got purchased by Cisco as well. So they’re both sponsors for that matter, but more about Kenna Security later in the show. I’m excited about our guest today because he’s responsible for something that I think is a brand identifier of you, which is this vendor rebuff email that you send out, after a vendor request, a form letter is sent out to explain why you are not going to respond and how to get on the radar and I want to bring in our guest too and mention because he is responsible, and I do not know this story, so I’m eager to hear it. Our guest is Nick Selby who is CSO of Paxos Trust Company.

Nick Selby

Thanks for having me.

David Spark

Andy, how is Nick involved here?

Andy Ellis

About four years ago, a group of CISOs were chatting in a common rant about sales emails received and comparing the worst. I said the worst part is the person who keeps replying to themselves in repeat emails.

David Spark

They’re trying to be funny.

Andy Ellis

Nick says, why not just say no to them? I’m thinking what are you talking about? It’s a sales development rep. The lowest paid person in sales, you know who this is. Why not just tell them to go away and they will. And I’m like, that’s a genius idea.

David Spark

I don’t know if this is a genius idea.

Nick Selby

To be more clear, what I was saying was not you should be nice, but if you don’t say something, then there’s a chance that you are busy, distracted or on vacation. What you want to do is, you want to say definitively and politely go away.

Andy Ellis

I’m a little kinder but needed that forceful message. That was the origin. I started to write this email, I’m not going to write it every time, I’ve got to have a template. So I came up with the idea, I’m just going to write a FAQ of every question I could imagine they had. And then I would update it every so often when I’ve got a new question. And unfortunately now I have to update it again, because now that I have multiple different gigs, I’m getting emails on all of those that are targeted differently. So I needed to have a slightly different version of the vendor rebuff mail. But I just went and checked and it was four years ago.

Nick Selby

I got an email two months ago from a vendor, who said, “Okay Nick, I heard you talking about this with Andy. I know what it is that you’re looking for, let me give it to you straight.” And it was kind of like that scene in Tootsie, when he said exactly what she would expect a guy to pick her up with. And it was just absolutely terrible, because I didn’t want what he had to sell. And I’m like, I’m sorry, yes, you did everything right. Go away.

David Spark

So there’s no winning, Nick?

Nick Selby

There is winning. Sometimes a good pitch comes along and I’ve heard about them or sometimes I feel it makes sense and want to find out more. I’m usually brusque as I want to get to the point of how much is the cost and how do I buy it. They want to ease me in, but my time is valuable.

Andy Ellis

What I learned from this and talking to sales reps, being in sales is like the Nigerian 419 scam. If you’ve ever read those scam emails, you read them and you’re like, “My goodness, they’re implausible.” Because what the Nigerian 419 scammers have figured out is, they want to get to a no, fast. If no money is getting wired to them, they do not want to spend any time on you. My realization is a sales relationship should also be this. Get to no fast. Over 99% of communications between sales and a prospect will end in a no. Every minute that you spend not getting the no that you’re destined to get is a wasted minute. Don’t try to turn every no into a yes. Find the yes by first getting rid of all of the obvious nos.

Nick Selby

That’s good. In intelligence of all kinds, don’t try to collect all the things that match. Get rid of all the things that don’t. That’s perfect.

David Spark

Good tips. Andy’s form is a blog post and there’s a link to it. I’ll offer this tip, use text expanders, I use PhraseExpress as I have so many form responses for different things. I live off that thing.

Andy Ellis

I just set them up as signature files and use it as my whole response.

David Spark

Try PhraseExpress, it’s free.

Andy Ellis

I’ll check it out.

David Spark

Let’s jump into this.

It’s time to measure the risk.

00:06:18:16

David Spark

When sussing out security vendors, you want to understand the risk they are introducing to your organization. Nick, you mentioned previously that those analyst questionnaires vendors need to fill out, say nothing about their true risk. Instead you have made a point to create an anti-checklist manifesto. It’s still a survey, but much shorter. With these ten questions, what you ultimately want to know is how well are they aware of their own risk, thereby ensuring their concern about your risk. Is that set up correctly?

Nick Selby

Yes generally. I was talking to Halvar Flake and he has this new company that does everything right. But he doesn’t have a SOC 2 and people are using a SOC 2 certification as a litmus test. If you don’t have that, I’m sorry but we can’t buy it, thanks a lot, here’s your parting gifts. That’s not what it was intended for. I started to look at what is it that we’re trying to do? We’re not trying to make people go away or staunch creativity or not get involved with innovative new technologies. We’re trying to understand do they care about risk in a way that we care about risk? Do they care about risk in a way that we can understand that, either they’re not going to increase our risk surface or overall risk? Or do they understand what risk they do in such a way, that they can articulate how they’re going to increase the risk and why we should do it anyway? So that we can measure risk to reward. This is how this should be. Instead we have spreadsheets from hell that are created by accountants and delivered by auditors to measure cyber security risk. None of those people have anything to do with the assessment of risk. So, what can we do to make this easier, and no more than ten questions at the top.

David Spark

You’re just boiling down do they care about their own risk. And if they don’t care about their own risk, you can forget about them caring about yours. Andy?

Andy Ellis

The benefit of the checklist is it tells you if somebody is tall enough. Do they know how to fill out a checklist? Are they enterprise ready or not? If they can’t fill out a checklist, there’s probably other problems. I like the questions that Nick asked.

David Spark

Give us a couple of those.

Andy Ellis

Do you have static credentials? If so talk about how you’ve audited them and why. Do you do code changes in the same way? These are all questions that are often buried deep in those checklists, but not clearly highlighted. What both approaches are missing is the next step, which is more of the self-audit. How are we going to use your technology? It doesn’t really matter how somebody is securing something that you don’t care about, if they’re not doing anything for you. Your PR firm who got a press release early, you’re not going to care at this level of detail. But if suddenly you’re handing them your entire customer list, you care a bit more about their security practices. Throughout my career I’ve received and completed these checklists, my hint is if you’re a vendor completing a checklist, the only correct answer is yes. Don’t ever say no to any question.

David Spark

So you’re recommending to lie?

Andy Ellis

No. If you have to say no, then that’s the control you have to go fix to say yes.

Nick Selby

I ask if you have static credentials and the answer should be no.

Andy Ellis

That’s an answer where it should be no. Because the question would be on the normal standard checklist would be, have you eliminated static credentials. In this case the answer is yes. Always give the correct answer.

Nick Selby

I agree with what you’re saying, but I want it to be clear that this is the PISA, which means Preliminary Information Security Assessment. It’s not the end. It’s the beginning. I also notice to your point, the way this typically works, is the business teams go out and find the gizmo that they want. Then they punt it down the hall to legal compliance and InfoSec. The thing is already done. I want to put this, are you tall enough to ride this ride, before the business team selects something. Now we know that we’re not wasting our time. They have good candidates and we already got rid of anybody who is unsuitable from the beginning.

David Spark

Get to a no quickly.

Andy Ellis

And to Nick’s point, measure success. Whatever your program is, whether it’s 200 questions or 10, how often did you change the business’s mind? Or alter a vendor’s practices. If the answer is never, you’re wasting your time.

Nick Selby

100% and also make sure that your checklist is up to date. I spend a lot of time talking about firewalls, which is like talking aeroplanes.

We’ve got listeners and they’ve got questions.

00:11:14:05

David Spark

Fan of the show, Frank Grimaldi of Zachry Group has a problem. Hopefully you can help. “A criminal/threat actor has registered a domain name similar to my company. They added “inc” at the end. And is mass contracting vendors to obtain credit lines and purchase goods while acting as an agent of our company. Normally, I contact the registrar, explain the situation and submit to them some form of evidence and they take down the domain in swift fashion. In this case the domain was registered at Register.it, an Italian company, and I can’t get them to budge. I have submitted numerous complaints to abuse@register.it. They’ve repeatedly ignored my requests and have turned a blind eye. This has been going on for a few months.” Andy, what recourse does Frank have?

Andy Ellis

A normal suggestion is there exist companies you can outsource this to. They will go, find the companies doing this, they’ll submit the takedown request. If that’s not working, to toss to Nick. There comes a point where you do want to get law enforcement involved, as somebody is going to be harmed and they’re going to start filing a claim somewhere. So you want to start the paperwork first, to be involved in that case, rather than finding out later that somebody was defrauded on behalf of your company.

Nick Selby

Getting to law enforcement, usually those companies, this is like you can change your own motor oil but most people don’t. These guys do nothing but this. The one that I use they are so good at this, I’ve never waited longer than 30 days even with the most belligerent, obstinate host. They’ll go after it. Definitely your legal team doesn’t have the chops to do this.

David Spark

What are you searching to find a company that does this?

Nick Selby

You’re searching a domain takedown. All sorts of different terms to use.

David Spark

If somebody contacts you directly, will you give them the information?

Nick Selby

I would.

David Spark

We can ping Frank Grimaldi with this information.

Nick Selby

Of course. The thing that I do that’s really important, there is a script called dnstwist, you can download on GitHub. Homographs, sound alikes, look alikes, I mean things that look like it, Cisco with an L, Outlook with a Q, these are things that sound like it but look like it. These things are going to be registered, especially the more popular your company gets, the more of these you are going to get to phish your customers. What you want to care about is you want to keep a list of the people who are registering these domains, but you really care about when they are setting up an MX record, an A record, when something is going live. That is when you want to move to take it down as then they are just about to weaponize what they’ve got and start to try to trick people posing as you. A lot of prevention is good. Get in there and learn who is going after you first. Then when they are setting it up, move to take them down. My advice is get a professional to do that.

Andy Ellis

It’s also just way cheaper.

Nick Selby

If you don’t want to run that script, there is a service for about four bucks a month called dnstwister.report. And they will do what I just described. You can run this free, but you can also change your own oil. It’s a good service.

Sponsor – Kenna Security

00:14:54:07

Steve Prentice

With so many vulnerabilities affecting so many organizations, how do teams know what to focus on? This is not just a security problem. IT administrators, people who work on desktop clients who are on Linux infrastructure or on Exchange servers, these are the people who are often responsible for updating the systems and making sure things are secure on their own environments. This is the challenge of a security collaboration. Dan Mellinger, Director of Corporate Communications for Kenna Security explains how his company’s risk-based vulnerability management approach can help on the human side.

Dan Mellinger

Everyone’s got a role to play in cyber security and at Kenna, on the vulnerability management proactive hygiene side of things, we help IT teams and security teams achieve better security outcomes.

Steve Prentice

This removes the need for teams to fight each other on who’s right or which is more vulnerable or which systems can or cannot be taken down.

Dan Mellinger

We help security and IT teams identify the 5% of vulnerabilities that really matter, what they really need to go look at and should ideally address to avoid the vast majority of threats that are out there. And then they can track that through. So now that they know, these are the vulnerabilities that matter, can we take these systems to run a patch? They don’t need to spend time debating what’s the right course of action. They can take more time to figure out how to achieve that action.

Steve Prentice

To find out more, visit Kennasecurity.com.

It’s time to play What’s Worse.

00:16:31:03

David Spark

We give you two scenarios, they both stink, you choose which one is the worst which is essentially a risk-management exercise. My co-host always goes first and you can agree or disagree with Andy.

Andy Ellis

I win if we agree and David wins if we disagree.

David Spark

You’re right. This comes from Ross Young, the CISO of Caterpillar Financial Services Corporation. Scenario number one is you have a CIO who wants to avoid going to the Cloud. Or you have a CISO who wants to avoid going to the Cloud. Which one is worse?

Andy Ellis

Easy for me, the CIO as we need to go to the Cloud. If you’re not planning on going to the Cloud, you’re in some very strange niche or you’re doomed. So like 20 years ago, we don’t have an Internet plan. Those businesses are mostly gone. You need a Cloud plan. If the CIO doesn’t want to go to the Cloud, you’re not going. If the CISO doesn’t want to go to the Cloud, you’re hiring a new CISO.

Nick Selby

I agree. This one is a really easy one.

David Spark

Yes, essentially the CIO is the first barrier to entry. If the CISO doesn’t want to go, it doesn’t matter, the CIO has already made the decision.

Nick Selby

Exactly. The CIO who doesn’t want to go to the Cloud is a proxy for a CIO who doesn’t want to do a lot of other things because they’re not understanding contemporary software or contemporary delivery. And they’re certainly not understanding how to create things that are cheaper, better and more automated.

Andy Ellis

It’s really telling how quickly Nick and I agree because we basically just said that the CISO and the CIO are not peers. One of them can get stuff done, the other one can’t.

David Spark

A good point. Even though this was an easy one, we have never had this specific discussion of the CIO making the decisions up front and the CISO has to respond no matter the decision.

Andy Ellis

It’s doable but as a CISO, if you want to drag your business to the Cloud, you don’t get to make the decision to have it happen, you have to do a campaign that is going to, over time, move the business to the Cloud. It just takes a lot longer and a lot of political capital banked up, because you have to get other stuff done as well.

Nick Selby

This is not only CIO, CISO, this is CISO, any senior executive who wants to get this. We don’t have a CEO but if the head of risk wants to do it, the head of legal wants to do it, the head of marketing wants to do it, the head of product wants to do it. They’re going to win. It is a fair statement to make that that’s the way it should be. Tell us what you want to do, we’ll help you.

We don’t have much time, what’s your decision?

00:19:34:05

David Spark

An incident is happening. You know little and you want to know more, so Nick, what are the three areas you look to see what’s going on? What’s going to begin to reveal what’s happening?

Nick Selby

How do I know that the incident is happening? I’m told that there is an incident?

David Spark

You’ve been told. At the beginning you’re blind.

Nick Selby

There is an incident. The first thing, once I’ve understood scope, whether it’s an endpoint or similar, assuming that this is something in our production environment, the very first thing that I’m going to look for is outbound DNS requests. What is this thing talking to, whatever it is. I’m starting to look into our log management system to see alerts related to things that we might have set up about things that we care about. Are any of the lines that we care about that indicate lateral movement, exfiltration, or something hitting the systems that I care about? Are those trip wires going off? The third one I’m looking for is customer complaints or SLA complaints from downstream or primary customers. Are they already upset or is there time to figure this out? But first thing I want to know is stuff inside my network talking to all-consonant .RU domains? Or other obvious command and control.

David Spark

Excellent answer. Andy, do you agree with Nick’s list of three, or do you have your own list of three?

Andy Ellis

I have a similar list. Top on my list is similar to Nick’s last one. I look at Twitter. Anybody commenting in a way that I need to react to, as sometimes the comments from outside are more insightful than the knowledge I might have inside.

David Spark

And as a consumer, I do that. If I’m trying to log on to something and it’s not working, is this me or is this global? I go to Twitter to figure that out.

Andy Ellis

I’m assuming I don’t have the suite of telemetry that I’m used to. I’m going to call my network operations team and ask them what they’re seeing. They might be seeing weird things that they don’t realize are tied into this incident. At Ofcom, we had a mailing list that went to every technical person in the company. During an incident that’s where you’re sending mail. Anybody can see the subject line of what the impact is. The hope is some random person would admit to a change and be responsible and not realize it cascaded down through 15 other systems and blew up the network and now it’s the front page article on the New York Times. But that can happen. Those are my top two. I like Nick’s idea of look for weird outbound traffic, where’s that network connectivity going to? We would sometimes look at how much production traffic there is versus what the routers are reporting. So is there a sudden big spike in router traffic that none of your production traffic matches to? That’s an exfiltration happening.

Nick Selby

That’s a good one.

David Spark

Second question. Outside of doing just table top exercises, what types of preparations do you have in place to know you are well prepared for any incident? What three things are in place that can handle that?

Nick Selby

These are the same preparations that people should be doing anyway, especially with the rise of ransomware. The first thing is can we fail over to something and will it come up when we expect it? The only way to do that is to actually do it. Your backup strategy has to include restoring from backup on a very regular basis or you don’t know if what you’re counting on is actually going to work. Secondly, in an absolutely worst case scenario, the defecation has hit the ventilation, can we follow the breadcrumbs? Are there breadcrumbs to follow? The first thing is do we have those logs that we can use? Are they immutable? Are they in a different place? Can we reconstruct what’s happening without having to do forensics on every box in our network? If you have one single log that is the most valuable log, I keep saying this, it’s internal DNS requests for external things. That is really important. It’s the first question that I ask when I show up as an incident responder.

David Spark

Andy? Same question.

Andy Ellis

The single biggest one is making sure you have an incident process that you know works. So many companies have a security incident process and a technical incident process. They look nothing like each other. You’re exercising your technical incident process daily and your security incident process, hopefully never. But when you have a security incident, you don’t have a process now. People are trying to figure out what to do, who to call. Use your technical incident process. You should have one incident process for your business, because you have to bring in legal and PR and customer support, whether it’s a performance issue or a security issue. It’s the exact same steps. Make sure that is a process that is exercised and that part of your incident review process isn’t just learning about what failed, but learning how the process failed. What did we get wrong? Did we not escalate to the right people? Oh look, we were making statements on Twitter but nobody in PR had vetted them. Maybe we need to think about how to get PR involved a little bit earlier so we can respond to people. These are all the things you have to go through, so exercise the process. A good process trumps having a few good defenses in place because there’s always an incident to beat your defenses, but the process helps you quickly recover.

Nick Selby

Really good. We also get two incident response companies that are trusted and talk to them regularly. Usually you can get a no cost retainer. They just want to know that they’re going to be the first phone call. You can sign an agreement. It’s a no cost retainer. You know what your hourlies are, when you pay the money, they come faster. Get them on contract and talk to them. So you know who you’re going to call when things get out of hand and your internal incident response programs are not enough. Now you know exactly who you’re going to call. And you’re not going to have to start advising them that you have Outlook, that you have this, they are already familiar with your infrastructure, your environment and even your people. That’s a great investment of time.

What’s a CISO to do?

00:26:47:15

David Spark

How should CISOs and CIOs share cyber security ownership? There are some interesting quotes from a variety of CIOs and CISOs in this article by Michael Hill on CSO Online. Painting with a broad brush, it appears CIOs were more strategic about tools and CISOs are more strategic around overall cyber strategy. Andy, how should CIOs and CISOs divide the responsibilities and has that shifted over time?

Andy Ellis

I think it’s shifted over time. If the CISO doesn’t work for the CIO, let me just treat these as separate functions. The CIO should have a security operations organization that is responsible for the security tools that are part of the CIO infrastructure. Whatever the CIO is responsible for operationally, they should be responsible for the security of that. Like antivirus, CISOs are not expected to run antivirus, we expect the CIO to be responsible for this. We expect the network engineering team to be responsible for firewalls. And the CISO is responsible for ensuring that those programs exist, are mature, healthy, appropriate, identifying gaps and providing that independent line of reporting back up to the board and to the CIO. The CIO is going to delegate that responsibility because they’re better managers than we are. We’re reporting back that the networks rules are lame. We need to go deal with that and that’s our responsibility to help identify that to the business. We should remember that a CISO, the IT infrastructure is not our only remit. We have to do this across the entire organization, interacting with HR around personnel security issues and the information security issue there with whoever is in production, with marketing. We touch every one of those domains. We have a broader and more strategic risk focus and we fill in that security operations where people don’t have the expertise to do it. For the CIO specifically, they should own the security operations for their domain.

David Spark

Nick?

Nick Selby

Well I don’t have a CIO.

David Spark

But someone is running the infrastructure though? Is that you?

Nick Selby

Yeah. It’s VP of engineering. That’s the same as putting me in charge of finance. That’s a bad place to be. So if we take a look at VP of engineering, they have control over the destiny of not only the strategic direction of where they want our stack to go, but also the tactical implementation of different things through their different teams. So it ends up working out the same. I look at it as my job to understand what the gaps are, same as Andy, and report up so that they have independent confirmation that what they have decided on, while it might be generally good, it requires the following changes or additions to be made. And ultimately, my job is to make them look good in the same way the vendor’s job is to make me look good. So, all I can do is give them accurate and sometimes, passionate reporting of things missing, but it’s their call to blend that with their strategies and their business goals along with their technical implementations.

Closing

00:30:33:08

David Spark

Excellent point from both of you. This show was so packed with information. More than other shows before. Thank you very much Nick. And Andy as well. Nick, I’ll let you have the very last word, hold tight here. The second question I always ask our guests is, are you hiring? So have an answer for that as well. I want to first thank our sponsor, Kenna Security, AKA Cisco these days. Congrats by the way for getting acquired by Cisco but more importantly, thank you so much for being a phenomenal sponsor of the CISO series. For vulnerability management, look to Kenna Security. Andy, any last thoughts about our discussions today?

Andy Ellis

I’m definitely going to have to update my vendor rebuff email now that I both work in the startup world as an advisory CISO and as an operating partner, so it’s a little more tailored. Very dense conversation with Nick, in a positive way.

David Spark

It was a dense conversation. This is such a tight show. Happy with it. So Nick, you have a podcast of your own called The Tech Debt Burndown podcast. Look for that. It’s also available at techdebtburndown.com and there will be a link on our show. Any last thoughts and are you hiring?

Nick Selby

Yes, we are hiring like mad. We are growing and creating unbelievably successful products.

David Spark

You’re hiring in security?

Nick Selby

We are specifically hiring in security but also product, in marketing and in engineering, across the board. Go to Paxos.com/careers and feast upon the cornucopia of available opportunities to help us grow and change the world.

David Spark

Any other last thoughts on our discussion today?

Nick Selby

No, I think that we’ve covered everything. I really enjoyed this. I love talking to Andy, it’s been great to meet you and the questions were fun. I wish the choice was a little bit harder. That was actually good to see Andy and I just leaped immediately to the same answer.

David Spark

Even though it’s not harder, that conversation was one we have not had on this show. And it needed to be had.

Nick Selby

And both choices were bad. It’s just which one was worse.

Andy Ellis

I could have argued the other side which is that you’d rather have to replace your CIO than your CISO. As CIOs are more prevalent in the industry than the CISOs. So easier to replace.

David Spark

That would be another good What’s Worse scenario. Who to fire?

Andy Ellis

You can give that one when Mike’s on the show.

David Spark

Mike, don’t listen to this episode. Thank you Andy. Thank you Nick. Thank you Kenna Security and thank you audience as always for your contributions and listening to The CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”