Are security programs drifting from a prevention to a resilience strategy? If so, are you truly operating in a resilient environment? Or are you still acting in a prevention stance but you know you should be resilient?
Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest David Ratner (@davidhratner), CEO, HYAS.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, HYAS
[David Spark] Are security programs drifting from a prevention to a resilience strategy? If so, are you truly operating in a resilient environment, or are you still acting in a prevention stance, but you know you should be resilient?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. And joining me for this very episode, you’ve heard him before, and you can hear him again right here, it’s Geoff Belknap, the CISO over at LinkedIn. Geoff?
[Geoff Belknap] Hey, everybody. Thanks for coming back. Let’s do this.
[David Spark] We are going to do this. Our sponsor for today’s episode is HYAS. They’ve been a phenomenal of the CISO Series. We love having him. HYAS. By the way, may sound confusing to you, so let me spell it to you. It’s HYAS.com. You can find it online. HYAS, security that protects and clears a safe path for innovation to follow. And let’s get to the topic at hand here, Geoff. Security professionals have eventually come to the realization that they can’t stop all cyber-attacks. I’m not saying that this was discovered yesterday. We’ve known this for a while. Yet most of the security products out there kind of claim to, “Oh, we’ll stop X number of attacks.” They focus on what they stop, what they prevent. Now, what organizations understand is the need to withstand and triage attacks. When we get hit, how can we handle it. It’s a resilience strategy, not a prevention strategy. So, what does that strategy look like? How does your security stack change when you choose resilience? Which most of us should be thinking about if they’re not already there. What are the controls and their measurement, and how are you managing assets? And do you think about this consciously that we have a resilience strategy versus a prevention strategy? Because I don’t think you can have one without the other.
[Geoff Belknap] Yeah, it’s definitely not a choice of one versus the other. It is a choice of what’s your mix of investment between those two halves. Just like you might choose what’s my build versus buy strategy. You’re going to choose how much effort, and what the return on your investment is going to be in your resilience side of the house. Or I might say detection and response might be the way I think about it in that category. And what’s your prevention strategy. Because there are definitely various different points of dimension in returns on prevention, and there is… It feels like sometimes there’s unlimited return on detection work. But you really have to split between the two. And who better to talk to us about this today than our guest.
[David Spark] Our guest, yes. You remember I mentioned our sponsor, HYAS. Well, guess what? Their CEO, right here with us to talk about this discussion. So, our sponsor guest is none other than David Ratner, the CEO of HYAS. David, thank you so much for joining us.
[David Ratner] Hey, David. Hey, Geoff. Thank you so much for having me.
Nothing will happen until we take action.
[David Spark] Nick Ryan of Baker Tilly said, “You can’t prevent everything, but you can cover much more ground with resilience.” And Brandon Helms of Golden said, “Investing in detecting misuse will net the team a stronger understanding of X, as well as move the needle to lowering risk.” So, these are two sort of basic philosophies of why you should take on resilience. Do you think these are good takes, Geoff?
[Geoff Belknap] Yeah, I think… And you know what? Like you said, we didn’t just invent resilience yesterday. People have been thinking about it for a while. I think the label resilience really helps us encapsulate all of the things that make up our attempts to respond, and detect, and all the other work that isn’t strictly prevention. So, I think in this case, Brandon Helms, the [Inaudible 00:03:54] king of cyber and my former colleague, is exactly right. If you invest fairly heavily in detecting misuse, not only do you get the benefit of understanding the system that you’re operating more thoroughly and more deeply, you are indeed lowering risk. Because the better you are at finding when somebody is abusing the system, the better you are at understanding the risk there. And in most cases, you just can’t prevent 100% all of that misuse. So, the better you are at responding to that, it’s almost as good as having prevented an issue with any given system. And of course if you could get to 100% prevention, we would do that instead. But this is a good tradeoff between the two.
[David Spark] David?
[David Ratner] Yeah, Geoff, I agree with you that it’s not an either/or solution and that you need to incorporate both. But what Nick Ryan really said and really spoke to me is that notion of you can’t prevent everything. And so if you live in a world where you can’t prevent everything and detecting a supply chain attack is incredibly difficult, or detecting that North Korea has paid one of your employees to plant malware is incredibly difficult, and… In a world where it’s very hard to prevent everything, if you don’t have some aspect of a resilience strategy looking inward at what has gotten in and what’s happening internally then you’re going to be flying blind.
[David Spark] I like what you said, Geoff, when you’re saying we’re putting kind of name on this category. The fact that we’re in ways looking at prevention and resilience as two equal halves to some extent…that if it has a label on it and it’s a strategy, and you’re supposed to put funding towards a strategy, it seems like it’s being taken a little bit more seriously, yes?
[Geoff Belknap] Oh, absolutely. Any time you can make this concept more accessible to a board, or an executive team, or even your own team if you’re building something new and you’re trying to bring them along…anytime you can tell the story better and that narrative can land, that’s a better outcome for everybody.
[David Ratner] I think it’s important to tell that story and really label it. One of the stats that I read recently that was really scary is just how many small and medium businesses actually go out of business within a year after a big ransomware attack. They’re investing entirely in a prevention based strategy. But if something does get in, they have no way to keep the business going, and there’s nothing around business resiliency. There’s nothing around business continuity, and it’s incredibly important to compliment what you’re doing as you build walls around your enterprise with a resilience strategy of what’s going to happen if something does get in, and how do I detect it before damage happens.
[Geoff Belknap] Yeah, the good news is these were all really expensive options that were really only available to larger enterprises like my own until somewhat recently. We’ve only just started bringing some of these more…and it’s weird to call them exotic… But to the sort of small and medium business commercial side of the sectors, we’ve just started bringing things that are like, “Here’s a backup program that you can run on every device. Here’s a way to store state of your keys systems.” All of those things before required pretty complicated systems, and now it’s much more accessible. So, I’m glad we’re talking about his more broadly.
[David Spark] One of the things… I was at a meetup yesterday, and one of the things that came up is when a company pays off ransomware, it says we’re not resilient. And there’s an enormous target on their back. So, if you’re not resilient, what you are saying, David… We’ve seen so many young companies go out of business after one ransomware attack. That one payoff is just going to say to everyone, “You’re about to get hammered.” And unless you build a resilience strategy overnight, you’re going to have a tough time surviving.
[David Ratner] Absolutely. And, look, backups are clearly important. But it’s dramatically easier to have a resilience strategy that detects misuse inside your network before it ever gets to a ransomware encryption stage and having to recover from backup versus doing anything else. I really believe heavily in resiliency from the perspective of looking inward in terms of what’s going on inside the network before you ever get encrypted.
How do we handle this?
[David Spark] Jerich Beason over at Capital One said, “Resilience is the recent revelation that whether we detect or prevent attacks in all situations we need to be able to operate under duress.” Gisele Plessis said, “Resilience is how to respond positively to that stress. Companies have to be proactive to adapt to their day to day goals whatever new frustrations, last minute obstructions to lead their business and the world to a new design future.” This is just like any kind of military training, David, is just being ready and doing tabletop exercises, and having the systems in place, and everyone knowing what they need to do when a ransomware attack happens, and dealing with things like micro segmentation to minimize the blast radius. Kind of just what are we going to do if and when this happens. Yes, David?
[David Ratner] Yeah, look, fire drills are bad for business regardless of when they happen. And it creates chaos internally, which then creates chaos for your customers, can create PR nightmares, can drive business downward. Fire drills are just bad for business. And so you need to have a strategy that focuses on giving you the visibility of what’s happening. I’ll say this multiple times, but controls are only as good as the visibility you have in order to monitor them. So, if you don’t have the visibility of what’s going on then you can’t implement the controls that you need in order to drive your business forward and avoid those kinds of fire drills.
[Geoff Belknap] Yeah, I think I guess my one knit here is I’m like fire drills are okay. It’s not okay if it’s unplanned, and you’re getting a free attacker provided fire drill. But generally I think you’re exactly right, David. You want to have the kind of visibility that will let you have some comfort and confidence that you are going to detect and be aware of when something goes wrong in your environment. That is what goes beyond prevention. Prevention is affectively saying, “Nothing is ever going to go wrong with this environment. I have completely eliminated the chance that somebody will be able to abuse this environment.” And that’s a fallacy. It’s a farse. You can completely prevent things that you know about, but you really just can never predict the way a 16-year-old kid someplace is going to abuse the system that all of your expensive engineers have built over the years. If you’re not ready for that, if you’re not disciplined, if you’re not trained in how to respond to that, you’re going to react with stress, and crises, and fear.
[David Spark] And you’ll make mistake.
[Geoff Belknap] And you’re going to make mistakes, and people are going to get angry. And it is going to affect your business. It’s going to be a big distraction. If you have that visibility, it’s not going to be a worry. It’s going to be something you’re confident about how you respond. You’re going to know the impact on the business. Your comms people are going to know how to respond. It’s a much, much better path.
[David Spark] Let me just ask a quick question for both of you. Think about the situation where either it’s something that could have happened to yourself in your own environment or you saw it to happen to others in the environment, and it was a really bad situation and was handled beautifully. And you know that there was a lot of work that went behind it to make it handled that beautifully. You know what I’m saying? No one gets it right the first time. There was a lot of practice beforehand. Like any athlete, if you will. What is that thing that gets a person to that point that they can handle the tough situations smoothly? Because we’ve all said breaches are going to happen. The whole question is how you handle it. David?
[David Ratner] It’s a good question, David. And it’s not always just the tough situations. It’s sometimes the new devices or the new evolution of how you want to run your enterprise. And specifically I’m thinking of the fact that recently connected coffee pots came on the market. And you have employees who would bring them into the office, and all of a sudden you’re now seeing attack vectors through a connected coffee pot where five years ago no one even thought of that. And so often times it’s a resilience strategy, which is thinking about, “Well, what would happen if?” “Okay, so I have these walls up. But what happens if something gets through my wall? How do I have the visibility into what happens? How do I have the control to quickly shut that down independent of if it got through my walls?” And too many people think just about the wall, and they stop there.
[David Spark] That gets to the thing that was mentioned at the beginning of what does your security stack look like now that you are resilient.
[Geoff Belknap] Yeah, I think it’s a great question. In my experience, a more resilient environment is something that reflects not just preventative controls but detective and response and recovery elements and controls. So, sometimes this can be as easy as you have something in Slack or Teams that helps you coordinate your response to an event, so you can get all your legal, and comms, and privacy, and security engineers in one place. That’s not a fancy tool necessarily, but it turns out to be very affective. The other things that you might have might be things that might be backup software or might be things that might roll back changes or might recover things that are lost. But you also might see things that are just keeping track of what you promised you would fix after the last breach that you had or after the last phishing attack that you had. Most organizations will now, if they’re focused on resilience, sit down and talk about what went wrong, why did that phishing attack work. It’s not training. We’ll always do a little bit more training. But what are the things we can do respond better to that, to contain the bad actor better, to roll back passwords faster. And then again, just track these things. It can be as easy at Jira or some other ticket taking tool is now a part of your security stack. Because you’re thinking about security as a process to run, not just as a set of tools.
Does it play nicely with others?
[David Spark] Yasir Ali of Polymer said, “Prevention based approach is still easier to get champions or internally. Metrics are clear, and you are stopping the bad guys. Resiliency is a slog. Metrics are harder to prove, and it requires work over a sustained period of time.” And Nathan Hunstad of Code42 said, “Resiliency though is incredibly important for new risk or ongoing, not necessarily malicious risk.” The coffee pot example, as you said. Going back to Nathan’s quote, “Such as unintentional data sharing. Having some resiliency that allows for time to prevent a problem from spiraling out of control thanks to some just in time security.” So, I want to mention that last part of Nathan’s quote here is, “Having some type of controls that buy you time when something happens.” This is part of a security stack and also part of what you would fund a resilience strategy, yes, Geoff?
[Geoff Belknap] Yeah, absolutely. I think the things that buy you time, at least the way that I interpret them, are the comfort in knowing that you can recover from this. Now, you have…especially if you’re using Code42 or something like that, you can go, “Well, great…” Let’s say that I’m working in an organization that’s now dealing with a ransomware attack. I have the comfort that I can respond to this and take a little bit of time and figure out exactly what the scope of this attack might be. And maybe I can figure out where it came from before I have to go to the wall and start yanking out network cables to prevent the spread because I might have some resiliency tools in my pocket going, “It’s okay. We can take an extra hour to figure this out because I can recover from this.” That lets you respond much differently than how you might respond… If you relied only on prevention, if you were hoping the tough, crunchy outside would never allow somebody to come into the delicious marshmallow center, you are now in big trouble. And you are going to respond on fear. You’re not going to respond on logic. So, I think really important to kind of give yourself that buffer.
[David Ratner] Yeah, Geoff, I think that that buffer is incredibly important. If you do get encrypted, knowing that you have backups, knowing that you have policies, knowing that you’ve practiced resiliency is really important. But I also think that that buffer is equally important before the encryption stage as well. And if you have the visibility into what’s going on inside your network then you can have that early warning signal that that malware somehow slipped through your prevention. It somehow slipped through your wall. And it’s now beaconing out, and that visibility can be that early warning signal to allow you to be resilient against that attack because you can now shut down that attack before lateral motion starts, before it ever gets to an encryption stage. And you have the time and the resources to go do that in a proper way rather than running around with your hair on fire.
[Geoff Belknap] I think that’s a great point. I’ll tell you what… This sort of triggers another memory here. I actually see it the other way around from Yasir’s point. I think it is harder to prove the value of prevention based approach because you ultimately have to prove that nothing happened. You have to go, “Okay. Well, I bought this piece of software, implemented this infrastructure. And it prevented X, Y, and Z.” The problem with that is you can’t tell if it prevented those things. That’s not really detectable. You don’t know the total addressable market.
[David Spark] Well, a lot of these tools say, “We stopped X number of attacks.” I’m quoting Wendy Nather. She used to have this great line of, “I really don’t care how many raindrops your umbrella stopped.” [Laughs]
[Geoff Belknap] I think that’s a great point, and I would never go against Wendy. I think the thing that is really affective to show is if you have a resiliency strategy, the thing that happens all the time, especially the larger your organization is is you’re going to have incidents. And the things you absolutely can show finance and executive leadership is every time you have an incident, you’re responding to it more affectively. You respond to it quicker. And the disruption of the business is lessened, and that is a thing that over time you can absolutely demonstrate and build that investment strategy on top of.
What aspects haven’t been considered?
[David Spark] TC Niedzialkowski, CISO of Nextdoor, said, “If you think prevention is expensive, wait until you see the price tag for resilience.” Eric Herman of Public Information Limited said, “Resiliency is a characteristic of prevention. Therein lies the answer. If you’re drifting as a security program, you have more fundamental problems to solve.” So, these are some contrarian views on the resiliency. One says you can’t even get to resiliency if you’ve got issues with your prevention strategy. And TC thinks, “Well, it’s expensive to build a resiliency program.” David, you don’t necessarily believe that, do you?
[David Ratner] No. In fact I don’t believe resiliency needs to be more expensive. Resiliency is really about visibility. And you can get that visibility in a not super expensive way. It’s about do you have the visibility you need to have the controls in place. As our networks have grown, and expanded, and moved to the Cloud, and multi Cloud, we’ve lost that visibility. And so resiliency is just about putting it back in. But it doesn’t have to be more expensive. It doesn’t have to be dramatically more expensive than a prevention based wall. And in fact I think the two partner very well with each other.
[Geoff Belknap] Yeah, I agree. And you know what? Knowing TC a little bit, I think what he’s saying here may be a little tongue in cheek is, “You think prevention is expensive? Look at the cost if you’re not resilient.” If you’re not ready to respond to…
[David Spark] Yeah, I think maybe that’s where he’s going with that, yeah.
[Geoff Belknap] Yeah, that’s where the cost really comes into play. And I think that’s why everyone has come to terms with you need early warning signals. You need metrics that give you hints of what might be going on. You need…especially if you have an incident response or a detection engineering team, you need anything that will give them some signal or where to start an investigation of where to look. Because those people will find the problem if there is one. But you have to have somewhere to look, and you don’t want the thing to be, “Hey, there’s broken glass on the floor, and things are missing.” You would rather it be like, “It sounds like somebody has been jiggling the door locks. We should look into that.”
[David Ratner] It’s similar to your check engine light on your car. Having the check engine light go off doesn’t really tell you much. Having the right dashboard and the right level of visibility so you can identify this particular machine is doing things that it really shouldn’t allows you to actually focus your response in a timely manner and in an efficient manner, in a manner that’s not a super hair on fire fire drills and allow you to go contain something before it really gets started.
[David Spark] I want to get back to something that was brought up at the very beginning, Geoff, and that is resiliency becomes part of your overall strategy and that it’s not all one or the other. But we are seeing that we’re drifting more to resilience because there’s more of an acceptance of, “We’re going to inevitably get hit.” And I feel that more so today than yesterday and more so than the day before. A, do you agree with that? And B, are budgets moving towards spending more on as David mentioned…more to awareness, more to visibility?
[Geoff Belknap] Yeah. Do I agree with that? Absolutely. Although I think the really important nuance here is what it used to be is this thought that a breach is a capital B breach that you’ve been completely taken down. Your systems are offline. All your data is gone. And the reality is, “Well, now there are lower case B breaches, which is like maybe somebody got a phishing email and clicked on it. Or maybe somebody accidentally installed a piece of malware. And you’re responding to that before it becomes a capital B breach and becomes massive. But let’s be honest – your prevention systems have failed. Now you’re responding to that. And if you have a very resilient system, you’re responding very quickly to that. you’re responding as soon as possible so that it doesn’t move laterally. It doesn’t become something that spreads or causes more damage. And that’s what the day to day looks like, I think, for a lot of my peers if you’re responding to these kind of things. So, you have to live with it. You cannot have a defense strategy that does not include some component of resilience.
[David Spark] David, I’m going to let you close with this. When potential customers come to you, what is the situation they’re in that they know they need more of? Is it just visibility?
[David Ratner] We get customers coming to us in a variety of different states. Maybe they just have an incident and have just cleaned it up, and they’re now trying to figure out a new strategy for their stack. Or maybe they’ve had this on their strategy for a long time, and they’re not getting around to actually implementing that strategy. But regardless, in general they are accepting of the fact that breaches will happen. Again, to Geoff’s point, maybe it’s little B. But they’re accepting the fact that the world we live in is that there’s constant unrest, there’s constant pressure, and there’s always attacks going on and that you need to have the visibility in place to implement the right level of controls so that those little Bs don’t become big Bs, and you can deal with them affectively, efficiently, report up to your board and your management team and your customers that you have the business under control an that you can drive it forward with confidence.
[David Spark] An excellent point to close on. Thank you very much, David Ratner. Thank you very much, Geoff. Now we come to the point of our program where I ask which quote was your favorite, and why. And I will start with our guest, David. David, which quote was your favorite, and why?
[David Ratner] Oh, it was definitely Nick Ryan’s from Baker Tilly. Very, very direct. You can’t prevent everything. I think that especially over the last couple of months, we just went to RSA. We went to Black Hat. So many people still talking about preventing attacks. Yes, it’s important to have prevention as part of your strategy. But you absolutely can’t prevent everything. If your strategy is focused on preventing everything, you’re going to miss everything that gets into the soft, squishy center as Geoff talked about.
[David Spark] Good point.
[Geoff Belknap] Yeah, I really like what Brandon Helms said. But since I already mentioned it, I’m going to give Nick Hunstad a little bit of credit here. Resiliency, though incredibly for new risks or ongoing, not necessarily malicious risks such as unintentional data sharing. Having some resiliency that allows for time to prevent a problem from spiraling out of control is really important. Give yourself some of that buffer.
[David Spark] And that is very key. All right, David, I will let you have the very last word. I want to thank David’s company, HYAS, for sponsoring. Again, it’s spelled HYAS for those of you who are not aware. We ask… It’s all in capital letters. David doesn’t know why it’s all in capital letters. Just it’s been like that for a while, so just accept it. Don’t question it. But if you want to write it in lower case letters, I don’t think he would be that upset about it. Probably when you type it into your web address, you’ll put lower case letters, and you’ll get the right address.
[Geoff Belknap] Just remember it stands for Have Yourself Some Awesome Security.
[David Spark] There you go.
[Geoff Belknap] Pretty sure that’s what it is.
[David Spark] We’re pretty sure. They accept non-malicious acronym suggestions. First, Geoff, for those of you who don’t know… I kind of just repeat it for him. He’s always hiring. And if you wouldn’t want to work for Geoff, I don’t know why. But he is hiring. He will be available if you would like to talk with him about working at LinkedIn. Just email him. Right? That’s how it works, yes?
[Geoff Belknap] Or you could try… There’s this fantastic website…
[David Spark] Called LinkedIn.
[Geoff Belknap] …if you haven’t gave it a shot called LinkedIn.com.
[David Spark] You can actually contact him via LinkedIn.
[Geoff Belknap] A great way to connect. Any job listings we have are always on that fabulous little website.
[David Spark] All right. Now, David, I’ll let you have the last word. And any kind of plug, or offer, or special thing you want to tell people, to tell our audience, of ways they can connect with you. Let’s hear it. And are you hiring?
[David Ratner] So, number one, yes, we are hiring. Number two, anyone who wants to connect with me is always welcome to on Geoff’s fabulous website, LinkedIn.com. But you can also go straight to www.hyas.com and click on the link, request a demo, all those kinds of things. HYAS, we serve customers, everyone from fortune 5 all the way down to small, little law firms. Because everybody is lacking the visibility that they need to move forward in today’s ever changing environment. HYAS really focuses on how do we give them the confidence to move forward, implement resiliency, implement proactiveness, make sure that they have a complete strategy to make sure that they can move their business forward.
[David Spark] Excellent. That is awesome. Thank you very much, David Ratner. Thank you very much, Geoff Belknap. Thank you to our audience. We greatly appreciate your contributions to the show. We’ll mention it again, HYAS.com. That is our sponsor’s web address. Go check it out and request a demo if you’d like to see how awesome they can help you find and put visibility into your environment. We thank everybody for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to Defense in Depth.