Defense in Depth: How Do We Turn the Tables Against the Adversaries?

If we’re going to turn the tables against our adversaries, everything from our attitude to our actions needs to change, to a format where attacks and breaches are not normalized and we know what is coming and how to respond to it quickly.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our sponsored guest Scott Scheferman (@transhackerism), principal strategist, Eclypsium.

Got feedback? Join the conversation on LinkedIn.

Thanks to our sponsor, Eclypsium

Eclypsium is the enterprise firmware security company. Our comprehensive, cloud-based platform identifies, verifies, and fortifies firmware and hardware in laptops, servers, network gear and devices. The Eclypsium platform secures against persistent and stealthy firmware attacks, provides continuous device integrity, delivers firmware patching at scale, and prevents ransomware and malicious implants.

Full transcript

David Spark

If we are going to turn the tables against our adversaries, everything from our attitude to our action needs to change to a format where attacks and breaches are actually not normalized, and we know the what and how to respond to it quickly.

Voiceover

You are listening to “Defense in Depth.”

David Spark

Welcome to Defense in Depth. My name is David Spark. I am the Producer of the CISO Series and joining me for this very episode is Geoff Belknap, CISO over at LinkedIn. Geoff, the sound of your voice.

Geoff Belknap

Hello Friends, and welcome to another “Defense in Depth”.

David Spark

Thank you. Our sponsor for today’s episode is Eclypsium. Thrilled to have them back again sponsoring us, and they have brought our sponsored guest, who has also brought our topic of conversation, because it is based on an article that he wrote. Scott Scheferman, who is the Principal Strategist over at Eclypsium, posted this article on LinkedIn that received accolades for its forward thinking and evolving a security team to be a stronger force against attackers. And he boiled it down to four A’s, and let me summarize this for you. A number one is Attitude. No more “when, not if” messaging around security. Let us stop actually normalizing the breach and normalize getting in front of the breach. Second is Acceleration. Having knowledge and having knowledge to know how to respond to it quickly are two extremely different stages of readiness. Third is Anticipation. Understand the “why” so you know what is coming next. And last is Action. When you get the knowledge, actually do something with it. Really nice summary, people were really excited about this sort of very forward thinking way of examining leadership in security. And I am thrilled to bring on our sponsored guest, Scott Scheferman, Principal Strategist from Eclypsium. Thank you for joining us, Scott.

Scott Scheferman

David, thank you for having me, appreciate it.

How do we make this everyone’s concern?

00:01:54:21

David Spark

We are going to begin with attitude and here are a couple of quotes. Arti Arora Raman of Titanium said “being pro-active in our efforts to neuter the threats and impacts produced by current day cyber attacks is key to winning. Taking a passive approach based on the idea that compromises are inevitable cuts at the root of our ability to fight and win against persistent and well resourced adversaries.” Pamela Gupta of OutSecure said “we have to move past the data breach mentality and realize that, in addition to data breaches, it is the copious amount of data that is being collected by “legitimate” applications that poses a grave risk, especially when it is in foreign platforms.” So, it is weird that security is not just being attacked, but how are your friends behaving with your data? Yes, Geoff.

Geoff Belknap

First of all, I will just say, I love that we are talking about this article. Because one of my least favorite things is when somebody publishes one of these articles and says “you know what CISOs need to do?” and I always think, you know what you need to do is go jump in the lake. But I will say I really enjoyed reading Scott’s breakdown here. I think, to your point David, if we talk about attitude, it really is about having the right mindset and I think, to Scott’s point, it can be too easy to latch onto a defeatist mindset, or maybe get stuck in the doldrums of “this stuff is hard and it does not go as fast as you want.” It really is helpful to think you can get ahead of these problems, you can live in a world where it is not just like, well we are going to get breached no matter what we do. While that reality might be the case you do not have to operate a strategy for your work based on that foregone conclusion that you’re just going to fail. You can succeed. There is an option there for us.

David Spark

Alright. Scott I throw this to you. What is your take on how the people reacted to your article, specifically Arti and Pamela here, on the topic of Attitude?

Scott Scheferman

I am glad you grabbed both of those. I’ll say they both said that much more eloquently than I did in the blog, so I appreciate the way they’ve described these things. I think it just echoes the kind of sea change that we’re hopefully upon, which is coming out of that 2013 through 2017 era of assuming the breach and kind of just working on resilience, and we’re so excited that now we can pro-actively, ironic word, “hunt” for the adversary that is already in our environment. And Geoff, you were just saying, that is all true and you do need to assume a breach, but only when you’re talking about resilience, not when you’re talking about the entire strategy and legacy you’re building as a leader and the team that you’re building. And I think that’s where the rub has come. This industry has just brainwashed and beaten people into thinking that I need to buy all the things, I need to be super good at finding stuff after the fact and be resilient after the fact and focus so much on that. And I lived through that with incident response, I lived through that with 15 years doing DoD cyber. All of that’s very true, but there’s not enough emphasis on what I call that invisible factor of time and I think we’ll probably talk about that a little bit more as we go forward.

David Spark

Scott, I wonder how much in your mind, like we often talk about or at least I do on the show, that we’re going through this transition where being a CISO originally was, you were the smartest engineer in the organization and now it’s really, you have to be a senior leader. How much of this do you think, some of the people with this mindset are stuck in that old view of, I am just a technologist, I am not a business leader?

Geoff Belknap

Good question.

Scott Scheferman

I love that question. You went to Black Hat DEF CON this year and it was like, I don’t know, half as many people and it was almost like it was ten years ago. It felt great because you’re finally able to talk to people who are not in a rush. A lot of the conversations I had were like catching up conversations because I hadn’t seen people in a couple of years. And you talk to people and you’re right, they’re still kind of stuck in this… they are defeated and part of that is because, like you said, Geoff, it’s brutal out there. That’s the truth, there is no silver lining there. But part of it too is that the industry doesn’t have enough leaders that step in, lift up, enable and teach a team how to thrive, and teach a team things like cadence. If you play soccer enough you learn that what matters on the field is not which team is more sophisticated or has better skills, but rather the one that keeps a better cadence, a faster cadence against the other guys. You learn that anticipation means looking at the other player’s hips, not their eyes, because they’ll fake you out with their eyes, but you need to think about their hips. [LAUGHS] These kinds of things, leadership traits, are just lacking in our industry because I think we’ve been so beaten down, and so the whole point of the blog was just to try to lift people back up and bring leadership back into the spotlight, because that’s how we fix it, especially when we’re so understaffed and under resourced.

How do I start?

00:06:40:06

David Spark

Our next A is Acceleration. Sean Quinn of SentinelOne said “I particularly agree that many targeted/impacted companies have the tools to provide the visibility, the talent to use them, but still lack the ability to act fast enough to make it matter. Speed is critical and every CISO should be thinking about how they can accelerate their team’s ability to respond before the bad actor can do damage.” Max Justice of Abile Group said “Between Attitude and Acceleration they need to Analyze.” So he was requesting a fifth A here. “Don’t simply scan the valuable data the fancy tools provide, actually Analyze it.” So, we’ve got a speed issue and an Analyze issue. Where does the right answer lie, Scott?

Scott Scheferman

You use the word speed, and my A’s used to be like… I use the word velocity, which is the same as the word speed, but I started to realize it’s not about just going fast, otherwise people are trying to go fast for speed’s sake. Velocity is speed towards a certain destination, but acceleration is actually getting faster as you go. You have to be faster because your adversary is getting faster, they’re not waiting around. As we said earlier, the time advantage is what they’re taking advantage of. We are thinking in research they’re sophisticated, they’re not. We’re way more sophisticated, way more advanced. We have more researchers, more trolling. Don’t let the media and the industry tell you differently.

David Spark

Yes. How many times have we heard a report of, “it was just a sophisticated attack” and those of us in security go, “No, it was not sophisticated”?

Scott Scheferman

I think we sometimes say sophisticated when we mean successful, because it makes us feel better.

David Spark

Yes, because nobody wants to think, oh this doofus did something and we fell for it.

Geoff Belknap

Certainly not.

David Spark

Alright Scott, I am sorry, go on.

Scott Scheferman

No, you nailed it. [LAUGHS] Acceleration, doing something faster. So, how do you do that? Well, you have got to start with baselining. When you do playbooks, do you time your playbooks? When you do patch management, you send it over to SecOps to patch that Fortinet VPN into place and they don’t do it, but they said they’re going to do it. The process is there, the people are there, the capability is there. Everything is in place to actually do the thing, but it doesn’t get done, or it doesn’t get done fast enough to matter. So WannaCry, we all learned our lesson, we thought. 30 days goes by after the Microsoft patch, nobody patched, we got whacked, now patch the same damn thing. We could have patched, we could have gotten ahead of this and we just would have learned our lesson to get better and faster at doing this, but nobody thinks about it in terms of speed, they think about it in terms of completion or accuracy. Threat researchers drive me nuts in security, malware analysts drive me freaking nuts.

David Spark

I was thinking about this in the game of basketball. I don’t know how much basketball you play, but most sports are like this. In basketball you literally just need to be one step past your opponent to get the score. It’s just a step. You don’t need to be miles ahead, just a single step, and that’s all you’re really looking at is, how do we close it so they are not one step ahead? Yes, Geoff.

Geoff Belknap

Yes absolutely. We, in the security industry, spend so much time just trying to be ahead of wherever an attacker is in that kill chain, wherever they are in the stage of an attack, and that’s really all you need to do. You can choose whatever your analogy is, you don’t have to outrun the bear, you just have to outrun your opponents. I like thinking about it this way, where it really is about acceleration. Everyone already has a certain amount of velocity. I am sure if you talk to every security team you can find they’d all say, we are going at light speed, like we are going super fast every day, but it’s about closing the gap between how long does it take you to go from detection to action? How long does it take you to execute those actions, and can you reduce that time? To some extent this is where I will even say sometimes that a great response, a great playbook that can be executed well consistently, you can accelerate the amount that you have executed, is almost better than prevention. Obviously, prevention is always the thing you want, but if you can go super fast, from detection to action to excluding that attacker from your environment, that’s as good as having prevented it in the first place. It is all about increasing that velocity.

David Spark

This is different than just saying resiliency, isn’t it Scott? Speed to action is different than resilience. What is the difference here?

Scott Scheferman

Yes, you call that speed to action, I like that. Resilience tends to put you on your heels. It tends to assume the breach so much that you are thinking about not just left of, like, bang, like talking about in playbooks, but almost like it just shifts the focus so much mentally that your team is so cued in on being resilient and ready to assume that breach that they haven’t spent the right cycles and the opportunity cost to actually get ahead of a breach and get ahead of what you might call Boom. Boom is different for everything. For malware it’s when it drops and it executes and you get encrypted, or when it’s a privacy breach where you get your VPN compromised, you think it’s creds but it’s really not. It was an exploit two months prior that gave actor A the creds, that then sold it to actor B that came in through creds. You think you have a creds problem when really you have an exploited VPN device. It’s because you didn’t do the things you needed to do and you know better to do, but you’re so overwhelmed and so busy moving light speed because you’re in such SOC mode, incident response enrichment through hunting mode, that you just didn’t do the thing that could have made the difference. It’s this opportunity cost trade-off principle. We have limited time, limited resources, limited technology spend, a limited way to actually tool and architect your whole stack and how to angle that stack, right? I think we’ve angled the stack too much towards resilience.

00:12:19:10

Voiceover

Why is everyone so confused?

David Spark

Third A, Anticipation. Dani Derrick of Eclypsium, your company, said, echoing your comment when companies announce upcoming capabilities, “Don’t let marketing inform your strategy.”…”an attempt to market an easy button. Cybersecurity has never been, nor do I think will ever be easy.” This was an interesting comment in this Anticipation, is that you want to educate yourself as to what is going on, but there is this pull from all the tools that are out there, that “Hey, if you get our product it’ll solve all your problems, or solve these problems.” Where do we control our own thinking but still be open to what vendors have to tell us? Scott?

Scott Scheferman

So, the WannaCry example is a great example because it’s [UNSURE OF WORD] here at Eclypsium. We worry about hardware and firmware vulnerabilities, right? Imagine not patching and it hitting again, just like it did, but instead of it hitting the master boot record, which flashed your hard drive and you had to replace those, which was bad enough, imagine the exact same actor, which by the way, [ABT20] Russian GRU, really good at firmware attacks, Anticipation. Imagine the same actor just dropped a UEFI implant and bricked the devices instead. Now you have operational environments and IT both, that you can’t restore. There’s literally indefinite downtime and what does the impact look like for that? You might try to call that a Black Swan event, but it is not. It is super dumb easy to go from a spear phishing email to bricking a device these days, it is not impossible. These are open source signed tools. These are tools, tactics, procedures that Hacking Team documented in 2015 that are still out there and being used by the likes of MosaicRegressor. Even when we’re just looking at the firmware narrow example, we’re not anticipating enough as a country, as a strategy, as critical infrastructure, let alone as an organization, let alone as a practitioner, and certainly let alone as a leader of an organization, to properly articulate to the board and an entire supply chain below you what your actual risk is to an impact that will have indefinite consequence. And especially against a backdrop of supply chain, chip limitations, shipping lags, etc. We’re just not doing it right, man.

David Spark

Hold on, let me throw this to Geoff. What is improving your Anticipation Geoff?

Geoff Belknap

I think there’s a lot of things here that can improve your Anticipation, not least of which is the thing everybody says you should do and that very few people do in a real way, which is just threat modeling. Understand what adversaries might be after you, what kinds of things you might have to worry about. I mean, if you have, I guess this probably doesn’t apply to anyone, but if you have zero PII, or monetizable data or anything like that, then maybe ransomware isn’t the number one threat for your business and you shouldn’t spend time looking for a vendor or building playbooks for it. Now, that’s not what I’m saying, definitely decide for your business what the right way to go is, but there’s a fair amount of time you can spend for your organization thinking about the actual threats that impact you and just preparing for those. Then there’s time you can spend and there are certainly vendors you can engage, that will help you keep an eye on whether those threats are increasing, decreasing, or whether there is a new threat coming your way, but it does take effort. And really, I think the thing underlying Scott’s entire article here is, as long as you’re not stuck in assuming that no matter what you do you’re screwed, you’re breached, you can really focus on the kinds of things that are actually going to impact you, that might actually hurt your business. I think that attitude is a winning attitude.

Nothing will happen until we take action.

00:16:03:15

David Spark

We are going to discuss the last A here. Action. Rick McElroy of VMware, who’s been on the CISO Series before, was echoing your comment, “does that device actually get patched, and get patched fast enough to matter?” He added a new metric. “Mean Time to Matter,” because we have done “Mean Time to Remediate” but he’s doing MTTM, “Mean Time to Matter.” I’m going to ask you, what do you think of that Geoff, and do you think you could calculate that?

Geoff Belknap

I don’t think you can calculate it. I would love to hear that I’m wrong and I’m sure I will in the comments. I think so often we as security leaders get down this path of like, I have this great idea for a metric, and then what we find out is, you cannot really calculate what you’re preventing. Which, at the end of the day, that would be the key denominator you need here to really decide your metric. In terms of principle, I love where Rick is going with this. I think Scott made this point earlier, or at least I know I read it in the comments here. A lot of times security teams already have the things they need. They already know what’s vulnerable, what patch to apply, what machines it needs to go to, but an organization certainly needs to all be involved in security, not just the security team, and get those patches out and get those things updated, or get mitigations in place, and sometimes it’s very difficult to do that before it matters, before there’s impact, before there’s another attack. Certainly the hardest thing in my world is helping people understand how much time until the next attack? Well, I have no idea, it could be right now. It loses credibility when you say “the sky’s falling, it could happen tomorrow, we are in super risk.” So, that part is hard. But the really important thing here is you have to take action and you have to help your organization hold itself accountable to that action.

David Spark

Scott?

Scott Scheferman

I love the quote. Rick’s a good friend, like he is for I’m sure everybody here. “Mean Time to Matter”. Let’s pick an example to make it real, Threat Intelligence. You have a threat intel team, they produce products for you. Why? My Navy experience doing Cyber, the Admiral always wants to have an Intelligence Report, bottom line up front. Why? He wants to build or make a decision fast enough to matter in the context of the mission. When he or she can’t, it’s because they don’t have either trust in the data; there’s not enough boots on the ground national intelligence, or it didn’t arrive fast enough. Quite literally the report didn’t come fast enough. When you look at a Threat Intelligence Program you can retroactively understand whether or not your intelligence is arriving to you as a decision maker, or to your tools to make autonomous automated decisions. Both are good examples, to say, did I have that intelligence that I paid so much for and I enriched and I correlated and I did everything else in the Cloud to get high fidelity with, did I have it in time to matter? You need to understand on the kill chain for you, in your organization, your MITRE ATT&CK if you want to use that scenario, what are those times that matter? Where are the choke points? Where’s the juncture where the adversary gains an upper hand that you can’t recover from? It might not be when the malware detonates. Geoff, to your point earlier, you might want to put emphasis on being resilient faster, like on the back half of the kill chain, right? Other organizations that have like a multi-national organization and they have like 5,000 VPN appliances, maybe patching those things really, really fast is the most important thing you can do right now, and not putting that decision off.

David Spark

Let me ask that very question you were just asking to Geoff, as I think that’s interesting. How well do you know the attack kill chain or your patching environment that you ask yourself, historically these are the things that have mattered the most, so we need to double down on that? Do you have that kind of conversation with your team Geoff?

Geoff Belknap

The short answer is yes, absolutely. The longer version of this is, I don’t just have it with my team. I have it with the site engineering teams and the IT or enterprise engineering teams because, I alluded to this earlier, I can only do so much on my own. LinkedIn has hundreds of thousands of running workloads between corporate and production. My team can’t go out and manually update or take those offline. We’re working with partners. It’s a matter of making sure that they are all engaged, that they have plans and processes and they know how to execute this well. But it is also really important to discuss, what are the most important parts? Because if I have to go to a site engineering lead and say “Hey, you know these half million running workloads we’ve got, or whatever it is, take them all down right now, patch them all at once.” That’s not how it works. The way that is winning is having that discussion with your partners and saying, we need to start here. We will prioritize or focus here, because that is where we are most vulnerable. That’s the difference between being Chicken Little “Sky is falling”, and being a trusted partner to the business, being a good leader, a good steward of the business’ best interests.

Closing

David Spark

That brings us to the very end of this podcast and I want to use these last few minutes in our episode to ask “what was your favorite quote, and why?” I am going to start with you Geoff. Scott you’re second. Geoff, what was your favorite quote and why?

Geoff Belknap

Oh boy, this is a tough one. I really like what Rick said about “Mean Time to Matter”. I know this is the ending quote. Trust me I’m not taking an easy route here, but so much of what we do is art and science. Scott talked about an Admiral knowing whether he can make a decision fast enough. Whether your decision is fast enough is really up to the CISO to decide intuitively. Like, is this fast enough, are you getting information, are you able to act on it fast enough? We have to be okay with that. Frankly, I think some of our senior leaders are okay with the CISO deciding intuitively what is fast enough, as long as you have that credibility built up. I think Rick’s quote here is fantastic.

David Spark

Excellent, alright. Scott, I think you liked the same quote too, am I right?

Scott Scheferman

Yes. What I am going to do, and we did talk about it to Geoff’s point, so I’m going to do a fun one just really fast. Do you remember after the Marriott breach, I think Brian Krebs wrote an article and he echoed something you hear all the time, which is, “the attacker only needs to be right once for you to get breached, whereas the defender always has to be right.”

David Spark

We’ve heard this many times. I didn’t realize that was attributed to Brian Krebs.

Scott Scheferman

I don’t think it is, but I think he echoed it in his blog after the Marriott breach. Brian is a good guy, a good friend, like we do this Threat Intelligence, good stuff, right? But the thing is, imagine that quote upside down. The defender only needs to be right one time, at the right juncture, to prevent a breach, and you need to force the attacker to be right at every single one of their steps if they want to accomplish their objective. You have control, and so if I have one message to David and Geoff, it’s, this is back to attitude. It’s my domain, this is 1990s stuff but it’s still applicable. It’s my domain, my tools, my stack, my cadence, my team. I want to take all the control I can possibly take to retain that defender advantage, whatever it is for you.

David Spark

That is a great attitude, and when you think about the kill chain, they have to be right all the way through the kill chain. You just have to stop them at one point. I like it. All right, let’s wrap this show up. I’m going to let you have the very last word here Scott. I want to thank your company, Eclypsium, for sponsoring this very episode of the podcast. Thank you very much Eclypsium, and for being a great sponsor of the CISO Series in general. I always ask our guests, are you hiring? Geoff, I know you’re hiring because you mention it every single time. Feel free to mention it again. Also, I need last words.

Geoff Belknap

I am hiring and I think this is a great topic to talk about. We are looking for people to join the team that want to think through these kinds of problems across each of these A’s; how do we take action, how do we take our attitude, how do we accelerate what we are doing? If that sounds like you, and if you want to work on those problems at the scale of LinkedIn, LinkedIn.com/jobs, come find me.

David Spark

Excellent. Now Scott any final words on this topic, and please make a pitch for Eclypsium or any specific offer you have got for our audience.

Scott Scheferman

Yes, so the quick pitch is, we literally figure out the firmware problem and address that at the x86 level as well as all your networking appliances and VPNs etc., and we’re able to get you in front of the attacker, because we find the villains, the back doors, the implants, the supply chains, the threats, the counterfeits, all that stuff. We make a very complex hard problem really, really easy and I know that’s the easy business pitch, but the truth is the firmware problem is extremely complex. We make it at least easy enough to actually do, for those organizations that want to get that job done.

David Spark

If you like the methodology that Scott is espousing, it sounds like they’ll help you go down that line, yes Scott?

Scott Scheferman

That is right. And the final thing I want to say David, if you don’t mind, and Geoff you just echoed it, is this industry needs leadership and it needs new blood. Those two things together can create magic, and there are so many brilliant devs and unfortunately a lot of them are moving to the Crypto space right now, building the Web 3.0. We need to find a way to keep those folks interested and active and feeling like they are solving hard problems, not 30 year old problems that we’re beating our head against the wall on. Even though those 30 year old problems aren’t going away, there are many new problems ahead that we need to solve [UNSURE OF WORD] from Cyber that aren’t even being addressed at all. LinkedIn would be a great platform for that kind of talent to be able to come in and actually make that difference, because if we don’t do this, there is a bow wave of new stuff coming that even the old guard’s not going to know what to do with, with all their wisdom [LAUGHS] they’re not going to know what to do with adversarial machine learning attacks, all the stuff that’s coming around right now with China and NAI, predictive AI. Not just predictive AI but AI that actually forces action. How do we address that at that macro scale, because we’re not there yet, and we need hackers and new blood to fix this problem. It’s a Call to Arms, man.

David Spark

Thank you very much Scott and Geoff. Thank you to our audience for all your contributions, and for listening to “Defense in Depth.”

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.