Defense in Depth: Preventing Ransomware

What is the most critical step to preventing ransomware? Security professionals may be quick to judge users and say it’s a lack of cyberawareness. Could it be something else?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Rebecca Harness (@rebeccaharness), CISO, St. Louis University.

Got feedback? Join the conversation on LinkedIn.

Our sponsor for this week’s podcast is VMware

Full Transcript

David Spark

What is the most critical step to preventing ransomware? Security professionals may be quick to judge users and say it’s a lack of cyber awareness. Could it be something else?

Voiceover

You’re listening to Defense in Depth.

David Spark

Welcome to Defense in Depth, my name is David Spark, I am the producer of the CISO Series. Joining me on a regular basis, and for this episode in particular is Geoff Belknap, who is a CISO over at LinkedIn. Geoff, thank you so much for joining.

Geoff Belknap

Thanks, David and, hey everybody.

David Spark

Our sponsor for today’s episode is VMware. VMware; they’ve been a phenomenal sponsor of the CISO Series and we greatly appreciate their support. More on VMware later in the show. But first, Geoff, I want to talk about today’s topic, ransomware. It’s hot with the kids today and they’re rock and roll and the drugs and everything else, but it has nothing to do with that, no. Ransomware, it just keeps cranking up, over and over, and we’re all desperate for solutions and Yehudah Sunshine of odix initiated a poll and discussion about what the security community believes is the one critical step to preventing ransomware. Overwhelmingly respondents said employee education with backups a distant second. Geoff, what was your initial reaction to this poll and the ensuing discussion, which was huge, with about 120 comments?

Geoff Belknap

I was not surprised at the result and I think this is more indicative of security professionals’ wish that there was a simple solution to this problem, that we could just educate our way out of this issue and, while I definitely believe that education is a big part of whatever security program and whatever security outcomes you’re trying to drive, I’m not sure I’m a believer that education is going to pull us out of where we currently are.

David Spark

That comes up on this very show and we’re going to talk about that very issue. And, one person who I know has been dealing with ransomware issues, or trying to create a better preventative ransomware environment, is our guest today, who I’m thrilled to have on board. It is the CISO for St. Louis University or, as the locals call it, SLU, Rebecca Harness. Rebecca, thank you so much for joining us.

Rebecca Harness

Thank you. Happy to be here, David.

How do we handle this?

00:02:29:06

David Spark

Brian Turpin of Amrock said, “Humans don’t want to believe they are at threat. People believe it will never happen to them. They ignore blatant facts and data out of numbing for comfort versus admitting the reality others want to take from us. Once you admit threat is real, security becomes common sense, but only with acceptance.” And Gilbert Nims of Presidio said, “Emphasize that employees who feel appreciated at work tend to embrace company policy. If a crap leader is running a company, or team, employees are going to care less about something bad happening to their team or company. If you don’t have employee buy-in, you’re doomed before you start.” So Geoff, I’m going to start with that last quote and also whether people believe this is a threat. How do you get people to actually care about this issue and make it part of their environment?

Geoff Belknap

I think, like so many things that we talk about, especially on this podcast, this comes down to a great example of relationships matter and building relationships with your executive team, with your constituency, that really matters, but, in this case, what’s really going to impact or cause drag on your program is, if you don’t have a good relationship with your users. If you don’t have a good relationship with the people that you’re supporting, the end users, not your executives, your product professionals, they’re not going to take it seriously and you’re definitely going to feel frustrated that they’re not taking it seriously. But you have to understand where they’re coming from and you have to be in this together. If not, I think it’s to the point, if you don’t have buy-in from the employees, even about what they can do or what you can do, you’re doomed before you start, for sure.

David Spark

Rebecca, let me ask you this, do you see this as a frustrating environment? Speak to this whether at your current, or other organizations, but, everyone wants to believe they’ve got a positive, strong environment, but every organization’s made up of multiple leaders, so, sometimes there’s only so much you can do as a security professional, if there are management issues going on somewhere else. That’s going to trickle down to be a struggle for security.

Rebecca Harness

Yes, that’s certainly true. One thing that I always look at is, I see my job as keeping people safe and helping them be successful at their job, and so I try and be that champion of a positive culture and atmosphere when it comes to cyber security. When I was reading through this poll and the responses, you could tell it was a lot of security professionals that wrote those responses because the ideal was, “Let’s blame the end user, they just don’t care about cyber security.” The reality is, I think most people care about cyber security. Nobody wants their employer to be breached, they don’t want that disruption at work, but the reality is it’s not in their top five of concerns. So, I understand the frustration but I think we also have to be realists and understand that any security control that is dependent upon a human to make a decision is, ultimately, going to fail. We, as security leaders and professionals, have to plan for that and prepare for that and make sure that we can survive that activity when, ultimately, someone makes the wrong decision in their daily work.

Geoff Belknap

Such a good point. I feel like so many times people that we work with in the security space forget that there are other people that work in the company where security is just not in the top five of the things that they are worried about. To your point, it doesn’t mean they don’t care about it, but do you really want the accountants to be thinking about security before they think about working the financials? No, you don’t and, if we’re depending on that, we’re going to fail.

David Spark

But the question is, there’s this top down need of overall caring for the company and then the fact that each has their part in responsibility but, even though I’m not in cyber security, I need to worry about this because it’s now a big problem. And, like what you said, there’s a lot of complexity going on here because, even though we want people to be aware, we also realize this isn’t going to solve our problem, even if they are aware, because everyone makes mistakes. Even if you have the most cyber aware team, you’re going to have some mistakes. Rebecca?

Rebecca Harness

That’s very true, and if you look at the CIS Critical Security Controls, security awareness and education is pretty far down that list and that is a prioritized list of, if you want to stop and prevent a cyber breach, that’s the type of thing that you want to follow that guidance. So, there’s a lot of controls in advance of that, and that’s where having a multi-step plan and executing that plan with purpose and rapidly is really your best response to preventing a major cyber attack or a ransomware attack.

What are the best practices?

00:07:16:11

David Spark

Mark Dobson of NextUse said, “Users need training from day one in an organization, then regular reinforcement training, as well as special training when new threats start trending.” And, the author of this post, Yehudah Sunshine of odix said, “Cyber education is only valuable if you can make it interesting and engaging for your staff.” And lastly, Karen Tulloh of AT&T Cybersecurity said, “The training has to be so good that the employees are focusing on cyber security at home and sharing it with their friends.” Rebecca, I want to toss to you on this. You were just saying, at the end of the last segment, in the CIS top 20 that education is actually pretty far down the list, but this was the top way to solve this problem, according to all these cyber security professionals. I have to assume it’s going to do a heavy reduction. To what level are we going to have to educate to get some reduction and, as per Karen’s comment at the end, can training be so good that they’re doing it at home?

Rebecca Harness

I think it absolutely can. A few years ago I attended a conference and the leader of the cyber security program for the Missouri State Highway Patrol was there and he said they actually gear their security awareness training program around things people can do at home to protect themselves, protect their bank accounts, protect their families, because they found that those same concepts translated very well to their job at work and it made the audience more interested in taking that training. We do something similar at the university. Earlier this year I created a new position, People Centric Security Engineer, and the whole focus of that job is to make security consumable for the average person at the university, whether that be faculty staff or student. That’s one of the things that we look at quite frequently is, how do we make that consumable? How do we make that interesting? I think one of the best outcomes that we’ve seen out of this is through our phishing simulations that we do on campus. We advertise that in a very positive way; we let them know that some weeks this month we’re going to be doing this campaign. We offer five Amazon $20 gift cards if they click that little phish alarm button, and we’ve seen a huge increase in the number of people identifying legitimate phishing messages. A lot more interest in cyber security because we made it fun and we gave them something that they can practically do to help the cyber security program. And that’s driven awareness and interest overall and how can they do their jobs in a more secure way and that’s been huge for the university.

Geoff Belknap

That’s a really cool idea. What do you call it again?

Rebecca Harness

A People Centric Security Engineer, and I actually hired a seven-year veteran of our helpdesk team. So, he did a career transition but somebody who had been out there in the community and the university, everyone was very familiar with him, just the right attitude and everything to make that a successful position.

Geoff Belknap

What a cool idea. I think about a lot of this, as I said before earlier in the show, is relationship driven, relationship centric. I frequently say, people that have been trained, or are self aware about cyber security enough, that they care about it at home as much as they care about it at work, like, you’re winning, those are your champions. Orienting around that experience that people have with your training, or with your security team, is a great way. I’d love to hear more about that. What were you looking for when you hired a People Centric Security person? What was the main thing you were hoping to drive?

Rebecca Harness

We have a very diverse audience at the university; 15,000, 25 hundred faculty members, a huge healthcare system. Lots of different personalities and needs and business drivers across the university. I was really looking for someone that can get out, into that culture. We have 80 buildings on campus. We have a campus in Madrid, Spain as well, so we have an international audience. I was looking for someone that would really get out into the world, was familiar with the campus, was familiar with the culture and some of our terminology, what life on campus is like and could incorporate in security concepts into that. Again, it all comes back to keeping people safe and helping them be successful and, if you can help them be successful while you’re making them more secure, it’s going to be a great natural outcome for the university. Personality was huge, great ability to write with empathy and reader-centric writing, those were key things that I was looking for in that individual.

Geoff Belknap

It feels like this is the goal that we should be going for when we’re thinking about education. Alright, we can educate people and then we will have lower ransomware attacks, but, this is probably more the appropriate goal.

David Spark

This one-to-many training program effort just seems great. I went to school, I learned a lot, but I didn’t retain a lot. You could have the best education and yet it never flows so directly, but if it becomes ingrained in the culture with everybody participating, like what you’re doing, Rebecca, that seems a total win-win and, ultimately, what you would shoot for.

Rebecca Harness

Absolutely. One of the things that we also look for is we’re also setting out security awareness training, things for people to take. One of our key things there is, how do we keep it within three and five minutes? Very consumable, bite-size chunks. And that seems to really resonate well with the audience. We don’t get so much push back on having to take it a lot more often and it’s, so far, been working out great for the university.

Sponsor – VMware

00:12:42:00

Steve Prentice

VMware is a brand extremely well-known for providing virtualization software in the web hosting field, but, with its acquisition of Carbon Black and Lastline, it has now become a powerhouse in security. Sandra Wenzel is a Cyber Security Transformation Engineer for VMware, who works at the internal security operations center, to help CISOs help their companies.

Sandra Wenzel

Things I feel that are very important, especially for CISOs, are understanding and evaluating the assets you have, so being able to take valuable information of the assets that are owned, assets that are typically not known about, especially in the public cloud, or cloud in general, and being able to accurately assess them.

Steve Prentice

This means becoming more proactive when it comes to defense.

Sandra Wenzel

So, moving away from this alert-driven process, where your security operations folks get an alert and they act on it, to more of a risk-based analysis, to say, “Okay, we have this host up and running, it has these vulnerabilities tied to it, based on the application,” because again, we’re very application aware, being on the hypervisor, and also looking into the processes that it runs and saying, “These processes are going to cause us this much risk.” It’s being able to accurately evaluate those assets and inventory and say, “This is our blast radius and our risk exposure having these,” and understanding how that, in turn, helps you with your security outcomes and programs and being able to prioritize, control our vulnerability management.

Steve Prentice

For more information visit VMware.com and, while you’re there, be sure to also register for Sandy’s presentation, Anatomy of the VMware SOC, at the upcoming VMworld Online, October 5th through 8th.

What else is required?

00:14:25:24

David Spark

Judai B said, “No matter how much training, you still have to have viable backup.” And, Tom Wodraska of the Federal Reserve Bank of St. Louis, “Backups don’t prevent ransomware from occurring. They help you recover after you get hit.” And, Andor Demarteau of Shamrock Information Security said, “I’d rather focus more on prevention rather than clean-up at the end.” There was a good amount of conversation about back-up, back-up also being second to training, but here’s the thing that I found very interesting about this back-up conversation. In the 130 comments, nobody said, “By the way, back-up is not going to stop you from when they threaten to release all the data they stole from you,” which is a core part of ransomware as well!

Geoff Belknap

It is now.

David Spark

Yes, very much so now, yes. They realize, “We’re going to get some money out of them somewhere, even if they do have a great back-up as well,” is, I think, the theory. Geoff?

Geoff Belknap

Ransomware today, we really have to keep in mind two things and I think this section really helps us get there; one, back-ups are great, because if you can’t prevent something, being able to respond to it effectively and deterministically is almost as good as preventing it in the first place. Obviously, the best thing is never for that to happen, but if you can give your organization the comfort of, “We can recover from this, we know exactly what to do,” that will do until prevention comes along. And the other part, that I think some of the security community is missing writ large, not everybody, obviously, is that this has shifted. A few years ago, ransomware was still a problem, but we were looking at it as it was really an end point centric problem. Occasionally something terrible happened and it jumped from an end point to a file server or file sharer, something like that. But now, ransomware has really become, effectively, an enterprise sales motion for criminal gangs that peddle in extortion, and now this is a tactic that they love to use to peddle extortion, or really to monetize access or blocking access to you to be able to run your business. And they’re going to do it. So, back-ups are great; it’s going to help your business succeed and get back to business.

David Spark

You need back-ups minus ransomware; you just need back-ups.

Geoff Belknap

It’s good to have back-ups, it’s good to patch, it’s good to do education. All these things are great and you should be doing all of them and it turns out, those things probably help you more than anything else survive ransomware. What’s your perspective on this, Rebecca? Because my perspective is very much the software and the tech industry, and I gather from my friends in academia that it might be a little different perspective.

Rebecca Harness

And I don’t know that it’s a whole lot different in our environment. Again, because we have such a large healthcare system, in addition to the university itself, we’ve got a lot of things to consider there. For us, it was really a matter of a multi-pronged approach, consider multiple things at once, be working on multiple workstreams at once. I attended a conference in Colorado about two years ago, and the State of Colorado had a major ransomware strike and the leader of their cybersecurity organization told a story about they had a plan and they were ready to do all the right things and they were executing that plan, but they were just simply going too slow. They were moving agency by agency, across the State of Colorado, putting in new end point protection products and that sort of thing, but the reality is, they were just moving too slow and so they got hit. Again, I think that’s where us, as cyber security leaders, need to focus on what’s our plan? How are we executing it? How are we using our influence within the organization to gain that buy-in, so that we can make those changes quickly and stay one step ahead? Nobody’s safe from ransomware. Part of my strategy is, I always want to be the most difficult target. Ransomware gangs are like any other organization. They’ve got resource issues, they don’t have enough bad guys to hit all the organizations at once, so they’ve got to pick and choose. I want to be the last one that they choose.

Can this problem get even more complicated?

00:18:18:21

David Spark

Andor Demarteau of Shamrock Information Security said, “Let’s add supply chain security. Ransomware being deployed as patch on their own product and companies worldwide falling victim.” Now, this is really important because even though all of you have amazing education, if you’ve got a compromised third party, as we have seen in very recent ransomware attacks, that’s not going to help. And, Moe Alsubu of ASHP said, “Security training and awareness is definitely a key preventive measure, however, having other proper security controls are also crucial.” And, Thomas Lloyd, “You cannot rely on your employees to protect anything. Human error will always be there.” Lastly, Jesse D of Elevate said, “It’s a funnel chart, where each control helps to reduce the overall volume and therefore probability of an alignment of a specific attack vector against a specific vulnerability.” I like Jesse’s comment there. We talk about, we did want to know the one thing but, heck, this is a defense in depth process, right Geoff? We’re just trying to reduce risk like anything else.

Geoff Belknap

And that really is. I’m interested in what Rebecca thinks but my perspective on this, maybe it’s too fatalistic, is you can’t really have a ransomware specific security strategy. The way you prevent ransomware, because ransomware is just a set of tactics to compromise you and extort you in a way that some other attacker might as well, is to have that depth of defense, to have layers, to have education, to have different controls, to understand where you’re vulnerable and to focus your efforts there. What do you think, Rebecca?

Rebecca Harness

I’m going to reference what I did when I first came to the university a couple of years ago. We took those critical security controls and then we balanced that against the cyber kill chain model, and that helped drive our program. So, we looked at that and determined, what are the things that we can do in the next six months? What are the things that we can practically accomplish? Because you’re not going to implement a 150 plus controls overnight. You’re going to have to pick and choose and prioritize. Where are we most vulnerable? And then we took that and, then as we’ve had cyber security incidents over the last couple of years, every time we have one that’s a little bit more concerning than we would have liked, we actually use that cyber kill chain model to find out, “Okay, where did our programs fail? How can we never fail there again?” That’s helped us out tremendously in order to rapidly build our cyber security program and also to have that conversation with others. So, whether it being university leadership, or the board of trustees, that’s what we reference in order to help them understand how we’re protecting the university.

Geoff Belknap

I think that’s such a good way to think about it. I’ll be curious to see what the listeners think of this analogy. In aviation, there’s this concept of the height versus velocity chart, especially with helicopters where you want to have enough altitude and enough forward velocity so that if you have an engine problem, you’ve got enough time to recover from that. So, in security, if we think about height as the maturity of your program; the more mature your program is, the more flexibility you have to absorb some loss of velocity, forward momentum, the progress you’re making in the program. But if you lose both of those things, you’re uniquely susceptible to one of these attacks, or a major incident happening. So, it’s constantly on top of security professionals to make sure that you are increasing your maturity, you’re increasing your velocity, so you can recover.

David Spark

I love that analogy. It’s interesting, you’re creating yourself more room to operate. When you keep reducing your room to operate then the margin for error becomes greater and greater, I guess?

Geoff Belknap

Exactly. You’re less likely to be able to recover from a mistake or an incident.

David Spark

Is this something you can truly see when you create a security program? “Hey, we’ve got more space should this happen?” Or, is it just more philosophical at this point?

Geoff Belknap

I’m curious what Rebecca thinks, because I often find myself looking in the metaphorical mirror going, some of this is just feel and there are metrics, but security’s a hard place to be driven by metrics because it always comes down to you can’t measure what didn’t happen. I don’t know. What do you think, Rebecca?

Rebecca Harness

Yes, it’s more of a qualitative measurement than quantitative and that’s where years of experience and education and having group conversations really come into play, and what could we have done better here, or what can we do better in the future? Where do we feel like we’re at risk? And it all circles back around to where we started with this whole conversation, which is, people are going to make mistakes. Whether they be end users or IT professionals or IT administrators, people are going to make mistakes. So that’s where we have to look at that defense in depth, those extra controls that we can put in place, in order to account for that.

Closing

00:23:03:03

David Spark

Good point. And that brings us to the end of our conversation. This was great. This was a packed discussion. By the way, I believe what we did is we took the conversation that the author, Yehudah Sunshine, wrote and I think we extended it. While there was great conversation, I felt, and I don’t want to knock people, but I felt it was extremely limited in terms of how far they all could go. So, I hope the people who participated got some value out of this as well, because I know I got value out of the discussion and our conversation here. Now, we come to the point where I ask, what was your favorite quote and why? And I will start with you, Rebecca, what was your favorite quote and why?

Rebecca Harness

I think my favorite quote was from Moe, “Security training and awareness is definitely a key preventive measure; however, having other proper security controls are also crucial.” I really couldn’t agree more. You’ve really got to look at it as a broad approach, what are all the things that I can do so that I do have defense in depth?

David Spark

The most security aware person can fall victim, easily.

Rebecca Harness

Absolutely.

Geoff Belknap

Can and do.

David Spark

And I’m sorry, Geoff, you were about to say, I want your favorite quote as well.

Geoff Belknap

I was going to pick Moe, but instead of re-hashing that I think Moe had some really good insight, I’m going to come back to slightly a different direction and go with Karen, from AT&T Cyber Security, “Your education program has to be so good that employees are focusing on cyber security at home and sharing it with their friends,” that it becomes part of the way they approach life, not just a thing they do while they’re at work, because then you’re really getting some benefit and so are they.

David Spark

It’s always top of mind, that’s the thing, you want it to be top of mind, like someone who trains in martial arts, that there’s an additional sense that you’re always at the ready.

Geoff Belknap

Yes. I would say, I don’t want it to become top of mind, I want you to go about your life and your day, but I want it to become reflex and I want it to become part of how you live.

David Spark

Not top of mind, reflex, better way to describe it. Excellent. I want to thank our sponsor again, VMware, for sponsoring this episode and being, again, a phenomenal sponsor of the CISO series. Rebecca, I want you to have the very last word here, and I always ask my guests if they’re hiring, so please be able to answer that. Geoff, any last thoughts for our audience and our guest?

Geoff Belknap

I think the thing I’d stress is ransomware is complicated and it’s getting more complicated and it’s harder than just education or a single bit of prevention. Stay on top of it, your education program is going to be fantastic, but you really should just be looking at your fundamentals.

David Spark

And Rebecca.

Rebecca Harness

What I’d like to do is just remind people to have that plan and think about all the ways that an attacker is going to reach out and touch your organization. So, web-facing services, end users browsing the web or end users electronic communications, emails obviously being the most important there. And then, develop that plan and then work on that plan and make sure you’re working on multiple things at once. This is not something that you want to do sequentially, you need to be working on a number of things concurrently in order to have the most success.

David Spark

And, lastly, are you hiring over at SLU?

Rebecca Harness

I know in IT we are hiring. I don’t have any open requirements in the security team right now, but our IT department is almost always hiring.

David Spark

Excellent. I want to thank our guests again, Rebecca Harness, CISO over at St. Louis University and my co-host, Geoff Belknap, CISO over at LinkedIn, who I know is always hiring, correct Geoff?

Geoff Belknap

Always. And not only am I hiring, a bunch of people of LinkedIn are hiring, you should check it out.

David Spark

It’s a great platform to find a job or to hire someone. I want to thank our audience as always, for their amazing contributions and your participation and listening to, Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.