What can we do to reduce the damage of a breach and the duration of detection and remediation?
Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is Dave Klein (@cybercaffeinate), director, cyber evangelist, Cymulate.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our podcast sponsor, Cymulate
[David Spark] What can we do to reduce the damage of a breach and the duration of detection and remediation?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series, and joining me for this very episode is Geoff Belknap. You also know him as the CISO of LinkedIn, but his favorite job is being a co-host to this podcast. Am I correct, Geoff?
[Geoff Belknap] Yeah, I think I’m in the top two of all co-hosts for this specific episode, and I couldn’t be more tickled about it.
[David Spark] Actually, you’re the top for this episode.
[Geoff Belknap] I guess, yeah, I’m the number one co-host for this show. Wow. Look at that. I feel like I’m a diamond platinum co-host member of the CISO Series.
[David Spark] I want to mention our sponsor for today. They are Cymulate – know, control, and optimize your cybersecurity posture. They are responsible for bringing our guest today, who I will introducein but a moment, but I want to introduce our topic today. Geoff, with a little prodding from me, you asked the LinkedIn community the question I posed in the tease. What are you doing now to reduce the damage of a breach and the duration of detection and remediation? So, how can we shorten the time, make things sort of less? Not as painful, if you will. And specifically, from the angles of technical and first-party controls being put in place, and how the non-cyber staff has helped. So, those are kind of the two areas we’re looking at. So, did you get any insight from what the community responded?
[Geoff Belknap] I did, as always. When you post a question like this on LinkedIn, you get a lot of engagement and a lot of thought. And the main thing that I took away, that I’m a real big fan of, is we are not leaning on strictly technical controls anymore. And certainly, they’re helpful and they’re valuable, but where people are really focused is on engaging those allies that they have in the organization, you can call them non-technical or at least non-cybersecurity staff, to really be stakeholders in making sure that a breach or that a security incident doesn’t damage the whole organization. And I love it, and I can’t wait to talk to Dave about this.
[David Spark] Ah! That’s the person we’re going to be talking to. We have an expert…
[Geoff Belknap] Oh, what a good guess.
[David Spark] …on this very subject. In fact, our sponsor guest from Cymulate, director and cyber evangelist Dave Klein. Dave, thank you so much for joining us today.
[Dave Klein] Great to be here, David and Geoff. It’s awesome.
Why are we blaming users?
[David Spark] Duane Gran of Converge Technology Solutions Corp. said, “Because a lot of privacy breaches are honestly acts of human error, one thing I pushed for strongly was a no blame culture so that staff knew I would be their advocate to resolve issues. Demonstrating rapid ownership saved our client relationships in a stressful situation, and in some cases made them stronger.” And then Dutch Schwartz of Amazon Web Services pretty much echoed what you said, Geoff, “Culture and leadership are the best levers you can activate to engage all employees. Without that, it’s just your security staff with superhero capes and vulnerability matrices fighting off the enemies.” You don’t really want that. By the way, I love the visual that Dutch created there, yes.
[Geoff Belknap] I do because I feel like, more than just a funny visual, it’s an apt metaphor because look – if you’re not engaging the culture, if you’re not cooperating with your leadership and building a narrative that people can get ahold of, you are just this weird dude wearing a costume running around the halls, and people are like, “What is wrong with that guy?”
[David Spark] By the way, you should actually do that. How awesome would that be?
[Geoff Belknap] You should give it a shot once or twice. But I think the metaphor stands because, look, if you’re not engaging with people, people are looking at you like you havea third eye because they don’t understand how you’re impacting the business, why this stuff matters. You have to engage the users; you can’t blame the users.
[David Spark] Good point. All right. So, how do we bring them into the fold, Dave?
[Dave Klein] I think that’s a great thing, you can’t be blaming them. And we did a survey recently called the breacher survey, where we interviewed over 900 enterprise leaders across the world. And what we found is yes, users were the top cause. And more than just phishing, by the way. We had a category that talked about other things they would do within their environment that would cause a problem. But the key is, really, to educate those users and do it in a way that’s non-threatening, that’s non-punitive, that helps them. And the education has to go far beyond just phishing education. It has to be a lot more about usage and safe usage and stuff like that.
[David Spark] I want to ask you a question about the not blaming the users issue. It is one thing to say, “Well, we won’t blame you. Just let us know.” But I think deep down, the user’s still a little afraid. How do you get them to that point? And I’ll tell a very brief story.
Ironically, I was about to record an episode of our other podcast with Mike Johnson and the CISO of Atlassian, and the very moment I was about to hit the Record button, a phone call came in from my sister. And she did something stupid. She clicked on a link, and it obviously caused something to happen. And she was very nervous, she didn’t know what to do. And I said, “You’re in luck. I’m with two experts right here.” [Laughter] And both of them said, “Contact your IT department immediately. Let them know that this has happened.” And so that’s what she did. But she wouldn’t have known to do that because she was so scared and like, “Oh, my God. I made a horrible mistake. I don’t want anybody to know.” So, I’ll start with you, Dave. How do you really make it clear? Like, “We’re not going to blame you. You really just need to tell us.”
[Dave Klein] I have two stories on this. One is for the positive responses to phishing campaigns and other things, we often find that different companies are now taking things that we do and test, and people have either on their Slack channel or other ways to communicate, “Hey, look at this. I caught this one. It wasn’t our CEO. It was a phishing testing thing.” And people go, “Yay. Way to go.” So, they’ve gamified it.
Now, on the people who do click on the link and things go bad, my favorite story was – and I forget the guy’s name, but the former product manager at Cisco for IPS went to DEF CON and ended up on that board. What’s that board called?
[David Spark] Oh, the wall of shame.
[Geoff Belknap] The wall of shame.
[Dave Klein] The wall of shame. Oh, no, no. Wall of Sheep.
[David Spark] Which by the way, Andy Ellis has gone off about how much he hates that thing…
[Dave Klein] Right. The Wall of Sheep.
[David Spark] …and I agree.
[Dave Klein] The Wall of Sheep.
[David Spark] Wall of Sheep, Sheep. Yes, Sheep.
[Dave Klein] It’s the Wall of Sheep. And the best part of it was instead of being negative and saying, “They got me, but it wasn’t fair,” he was like, “You got me, okay,” and he did a whole talk track on being on the Wall of Sheep and talked about, “Hey, we all have things to learn. So, sometimes when you’re the mentor, even if you have to make up the story because you would click on the link, sometimes that’s helpful too on the negative side, that it shows that it’s okay.
What’s going on?
[David Spark] Jonathan Waldrop of Insight Global said, “Another key here is to practice your response. Tabletop exercises, incident response walk-throughs, and similar technical and non-technical scenarios are key to understanding the gaps in your processes. The importance of this cannot be overstated. These events should involve your non-cyber counterparts.”And Larry Rosen of Avanade said, “Wargame, wargame, wargame,” so echoing what Jonathan said, “Without practice, even the best of plans will fail. Not saying practice makes perfect, but lack of practice leaves you much worse off when the real world comes a-knocking.” Geoff, I’m going to ask you. You’ve done tabletop exercises, correct?
[Geoff Belknap] Of course.
[David Spark] Can you point to when you had some kind of an incident, but “Thank God we did that tabletop exercise because these people knew how to communicate,” like, could you actually see a one-to-one correlation?
[Geoff Belknap] I don’t know if I’ve ever had a direct, like we did a tabletop, and then three weeks later we ran into something where you can draw the conclusions. But I think whenever you do a tabletop, it is great for everyone. You can see sort of them getting it during the tabletop. Look – tabletops always go a little more slower and a little more halted than a real event goes, and it’s great because people have the room for their brain to engage and process without the fear that’s sort of like the adrenalin rush that comes from a real incident. And what I love is you see the mistakes come out in those tabletops, and you see the thought process shift. So, I think I learn more in the tabletop about how people are evolving the way that they think about an incident than I do in an actual incident because in the incident, it becomes instinctive. And I think where I’ve seen improvement is that it becomes more and more instinctive. You’re not waiting to make decisions, you’re not waiting to see how it goes, you’re making faster, better, higher-quality decisions.
The other thing that I really love about practicing and rehearsing is it gives everyone a chance to think about, “How do we engage the user?” Again, how do we talk to the person who clicked on something, who reported something, etc., and how do we reinforce that as a positive experience for the person that otherwise is terrified that they’re about to get fired, that they might have just ruined the whole company? And that’s really important because if you don’t develop the habit asa security team, as a company, of making it a safe place to report an incident, a safe place to have made a mistake, you are not going to find out about those mistakes until it is way too late.
[David Spark] Yeah, that’s the key line right there.
[Geoff Belknap] Exactly. All of that is something that you are going to develop, and that you are all going to learn during a tabletop.
[David Spark] Dave, have you seen experiences with repeat tabletops where you actually – because Dave was talking about they’re a little bit more slower, halting that. Repeat tabletops go a little smoother over time, that’s the hope, yes?
[Dave Klein] Absolutely. And that’s what we do at Cymulate, right? We deal with the ability to test the people, your processes, your incident response plans, your SOC, and your security controls to do just that. You think of every other part of our life, whether it be food, whether it be transportation, whether it be our homes, everything is tested these days. And this is so essential forcybersecurity and bringing everyone into the mix to do that. That practice is the way you find out where the gaps are, where the misconfigurations are, where you have something that isn’t planned that actually works better than the way you originally had it planned. And so it’s really kind of important to optimize your response. AndI think what’s really important, as Geoff said, is it becomes second nature, it becomes muscle memory, and so then when a real incident occurs, people are able to respond effectively and faster than before.
[David Spark] So, you’ve done lots of tabletop exercises. Close us out with one really good tip about running a tabletop that you don’t think most people do that is very valuable.
[Dave Klein] The key is to have a good combination of people involved. You have the technical staff; you have the cybersecurity staff. And then have some of the businesspeople, have some of the users involved as well, so you get the whole combination and balance of understanding the business risk with the user risk and again, the technology behind it.
[David Spark] Do you find there’s a lot of “Aha!” moments happening during tabletop exercises?
[Dave Klein] Tons. Tons of them. I mean, a great example, there was one I saw recently where they were testing things against ransomware, and it was a simulated attack of ransomware, and the technical staff was happy that they were able to solve it in a 24-hour backup. And again, they weren’t actually doing the 24-hour backups, “Well, this part we’d delay for 24 hours and back up,” and a business guy says, “No, no, no. We can’t be down for a day. We need to be back quicker. We need to figure out another way of doing this faster if it really occurs.”
How do we determine what’s most important?
[David Spark] Sherman Homan of Stonebridge Solutions said, “The ‘boring basics’ are neither boring nor basic. Change management, patch management, identity and access management, and end user education, and organization buy-in are the foundation for any cybersecurity program.” And Patrick Benoist of CBRE said, “The same as always – reduce risk by focusing on basic hygiene and then enhancing controls from there. Putting in advanced tools while you fail to remediate known vulnerabilities and basic risk behaviors is the height of arrogance.”
So, Geoff, you were laughing at that right there. I mean, this is the theme that we echo again and again and again – the fundamentals of cybersecurity. But they’re just saying that if you do this, this will solve the grand problem of reducing the damage of the breach, duration of detection and remediation, which is what we’re all talking about here. Is there something within the fundamentals you think is core to this mission that we’re discussing?
[Geoff Belknap] Yeah. I think, look, Sherman is exactly right, the boring basics are… When people ask me like, “Oh, what’s the sexy stuff in cybersecurity?” I was like, “It’s the boring stuff.” The boring stuff is the most exciting, and the place where you can move the needle the most. I think asset management is especially one of those things where if you’re not fully in the cloud yet, it is really hard. But frankly, the good news is there are a ton of tools out there that make it much easier to get a handle on this. The number one tool I would recommend is be in the cloud because then your asset management becomes just a matter of programmatic fact, it’s very easy to get a much better handle on that.
But I’m sort of laughing at Patrick’s comment here because I think he’s exactly right. There are definitely organizations that I see sort of make the mistake of, “Well, we don’t really patch or know what we have, but we’re going to put it in this really advanced thing that will find everything that’s wrong.” And man, I understand. I’ve been there too where you have been fighting the organization, or you just feel like beaten down and you want to push money into the problem, but frankly, that’s not always the solution. I do think, frankly, if you are on your path to correcting the basics, adding some advanced technology or some new widget, it’s not a bad idea. Like, it can certainly add some value, but it can’t distract from the real prize which is, look, we all know we need to eat right and exercise more. You can’t shake weight your way out of this, so you’re going to have to just do the hard work.
[David Spark] Shake weight your way out of this. I like that.
[Geoff Belknap] I can’t wait for this to be the poll quote that we use on LinkedIn or on Twitter.
[David Spark] It very possibly would.Dave, what element of the basics… Although to quote Yaron Levi who’s CISO over at Dolby, who said, he goes, “I don’t like to call it the basics because it ain’t easy. Basics makes it sound easy.” He refers to it as “the fundamentals.” Is there an element of the fundamentals you’ve found that has the most bang for the buck in terms of the issue we’re talking about? Or reducing pain, I’ll say, overall.
[Dave Klein] In reducing pain, I find that we’re in an era where least privilege, multi-factor authentication, and identity are key. I think those are the biggest fundamentals that have the biggest bang for the buck. I also think that EDR…is out of the early part of adoption, is now something that everyone needs to do, right? I think if you look at attacks and how they change all the time, that’s also now become what I consider fundamental as part of what they do and things like that.
[David Spark] So, Wendy Nather had famously said – she works over at Cisco,Duopart of Cisco – and she famously coined the term “the security poverty line,” that there’s a lot of companies that are below that. Do you run into clients yourself, Dave, that are way below the security poverty line, don’t have the basics like EDR and some level of identity protection? You’re like, “Yikes. We got to just get to the bare minimum here.”
[Dave Klein] I think that some of it is due to resource constraints.
[David Spark] Yes.
[Dave Klein] But I think today that what’s really important is the whole emerging process of MSSPs. And by the way, this is true for those who have resources, that a good CISO is going to say, “This part of my spend is going to be for MSSPs to reduce the expenditure and make it possible.” So, I think there is a poverty line, but it’s more around not being able to understand what you have to be able to give up and allow a MSSPdo it for you.
[Geoff Belknap] Yeah, I think the scary thing is that there’s a lot of organizations that don’t know where that poverty line is for them, and I think some of the work is figuring that out and understanding can this organization get to a point where they’reover the line, where they can get to a maturity, where they can really protect themselves, and that’s a hard discussion to have.
[Dave Klein] It is, Geoff, I think it is. I think the other thing that weaves into this conversation is discovery. In some cases, there are those who have all sorts of things out there they’re not even familiar or know about. So, the key is is that as part of every acumen, you should be able to do an external attack surface audit and be able to see, “Hey, we have so many Exchange passwords out in the wild, we don’t have the appropriate DKIM records to make our email secure, we don’thave secure DNS, we could be hijacked.” There’s all sorts of things that people can do in discovery to find assets they didn’t know they had and to find also where you’re vulnerable.
How do we make this everyone’s concern?
[David Spark] Yunus Bhuiyan of Orca Security said, “The ideal scenario is that security becomes a company effort/initiative, and something to constantly strive for if that’s not the case. In my opinion, that will…” being that it becomes a company effort or initiative, “…in my opinion, that will help significantly reduce the ‘boom’ you feel during a breach.” And I think this is a nice bookend to Dutch’s quote earlier on as well. Dave, I mean, this seems like kind ofthe theme of what we always talk about on our shows of “get everybody onboard in cybersecurity.” I mean, that seems like if all hands are on deck, people will reduce pain, yes?
[Dave Klein] 300%. I mean, business impact is such today of cyber events, that it has become top of mind to everyone. And it needs to be, right? Because there’s not an industry out there where if your IT disappeared, you wouldn’t feel business impact, and so it’s important. It’s front and center among everything else.
[David Spark] Geoff?
[Geoff Belknap] I wholeheartedly agree. The hardest part of any security job is trying to convince the organization, if they’re not already convinced, that security is really important, that security is part of the path to success and growth for that organization, and if you land that, if the organization… And what Imean by the “organization” – if the board, if the CEO, if the executive team, if they all are bought in that security is a value-add, it’s a differentiator, it’s part of their success strategy, then you will absolutely limit the impact of breach. You will find it much easier to introduce new controls, introduce new cultural processes. Whatever you need to do, it just becomes – I’ll steal from Dave – 300% easier, which I believe isa verified fact by Gartner now. It becomes far easier to succeed in every hard thing you’re trying to do in security if the company is bought in.
Now, the trick is it doesn’t automatically rain money and head count from the sky, you still have to figure out what the right level of investment is for the business. But when people believe that that is core to their success, you will find greater success in security, and everybody will be better for it.
[David Spark] That’s a key thing. They have to believe that everyone being onboard is a key to the success, and that’s an interesting note to close on. Thank you very much, Geoff.
[David Spark] All right, Dave. We’ve come to the portion of the show where I ask our guest and my co-host which quote was your favorite and why. So, I will ask you, which quote was your favorite and why?
[Dave Klein] I really liked Jonathan Waldrop’s quote on practiceyour response to the tabletop exercises. To me, that is the key, is getting out there, practice in a continuous fashion, and doing these tabletop exercises are a really good way to get success.
[David Spark] And itcan demonstrate this very last quote from Yunus of once everyone’s onboard, things really change.
[Dave Klein] Yes.
[David Spark] All of these quotes are nicely tagged together. Geoff, your favorite quote.
[Geoff Belknap] I got to tell you, David. This is one of those shows where I have a really hard time picking. These are all really solid bits of advice, and I want to toot my own horn like, “Good job Geoff and David coming up with a great LinkedIn thread for this advice. But because I have to pick one, I think I’m going to go with Yunus here. I really feel like this sums it up well. The ideal scenario is that security becomes a company effort or initiative, and something to constantly strive for. And if that’s not the case, you really have to work at that because otherwise, you’re going to have trouble reducing the “boom.” I think Yunus is exactly right. This is the sweet spot; this is what makes a really good security leader even better is getting this right. So great point, Yunus.
[David Spark] All right. Well, that comes to our end of our show. I want to thank our guest Dave Klein, who is the director, cyber evangelist for Cymulate. And by the way, Dave, I’ll let you have the very last word. Two things I would like to know – A, are you hiring? And B, any special offer, anything you want to recommend to our audience on checking out Cymulate? By the way audience, if you don’t know how to spell it because it’s not spelled any way that you think it was – which is the way all cybersecurities are spelled, none are spelled correctly or by any kind of dictionary that one might find anywhere – it is C-Y-M-U-L-A-T-E. And that’s a dot-com. Right, Dave?
[Dave Klein] You got it.
[David Spark] Okay. But I’m coming back to you in a second. Geoff, any final words?
[Geoff Belknap] Hey, if you are wondering how to have this hard conversation with your organization, and you’re trying to communicate that security is really important, let’s chat about it on LinkedIn. And if you think that you’re really good at having these conversations and prepping [Phonetic 00:22:51]your organization, come find me, I’d love to talk about working with you.
[David Spark] Who wouldn’t want to work with Geoff? Now, Dave – anything you would like to tell about Cymulate to our audience, what you guys are doing, any special offer, and are you hiring?
[Dave Klein] Absolutely. We’re the security continuity partner for enterprises, using attack simulations to collect data, also from all sorts of you third-party security controls and first-party security controls to help you run a better cybersecurity program, right? So, with us, you’re able to optimize your security controls, your incidence response plans, minimize risk, and maximize business to technical communication and prioritization of things.
[David Spark] Who doesn’t need this?
[Dave Klein] You need this. So, you can go to our website cymulate.com for more information.
[David Spark] All right. Are you hiring?
[Dave Klein] Absolutely!
[David Spark] Everyone’s hiring. How much of a struggle is it for you to find people, Dave?
[Dave Klein] It is. It’s a very big struggle. It’s a very big struggle, and we have many open positions and looking for people to join us,great company.
[David Spark] Well, you could work for Dave, you could work for Geoff. Maybe one day you could work for me because we may be opening up new positions soon as well. But not in cybersecurity. We greatly appreciate the sponsorship from Cymulate. They’re a great new sponsor with the company, so we thoroughly appreciate that. Thank you, Geoff. Thank you, Dave. And thank you to our audience as well. We greatly appreciate your contributions. And if you see a great discussion online, please let me know about because we can turn it into an episode of Defense in Depth. And it doesn’t necessarily need to exist on LinkedIn, we find the majority of them there, but I’ll take it from anywhere you can find it. Thank you for contributing and listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe, so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please – write a review. Leave a comment on LinkedIn, or on our site CISOSeries.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOSeries.com. Thank you for listening to Defense in Depth.