
July 14, 2020 46 mins

While the world struggles with the chaotic realities of COVID-19, cybercriminals are pouncing. In this episode of Tech Stuff, Jonathan Strickland chats with Wendi Whitmore, VP of IBM Security X-Force Threat Intelligence, and Allison Ritter, Program Leader, IBM Security Command Center, about how they are helping businesses stay prepared and resilient within a rapidly evolving threat landscape.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
In this episode, we're going to cover a topic that
all too often only gets attention when something goes horribly wrong.
That is cybersecurity. And before we get into the interview,
let me hit you with some facts. In the United States,
the cost a company incurs in the wake of a
data breach has been on the rise. According to the

(00:22):
Ponemon Institute, costs have increased by one hundred thirty percent
since two thousand and six. So a data breach that
would set a company back three point five to four
million dollars in two thousand and six would cost eight
point one nine million dollars in twenty nineteen. A single
compromised record costs one hundred and fifty dollars on average,

(00:46):
and that's just the average. For some companies, like those
in healthcare, the cost can be much higher due to
the nature of the data. The report found that more
than half of data breaches come as the result of
a malicious attack. And one important thing to keep in
mind about this report is that it was for twenty nineteen.

(01:08):
We are in a different environment today with more potential
attack vectors, and while the tricks of the trade haven't
changed much over the years, the number of opportunities for
attack are on the rise now. With all that in mind,
I sat down virtually speaking, we were all remotely isolated,

(01:28):
with Wendi Whitmore, VP IBM Security X-Force Threat Intelligence,
and Allison Ritter, program leader at IBM Security Command Center.
We talked about the challenges that companies face today as
our concept of the workplace is changing, and how companies
can best prepare themselves for the worst day ever. Here's

(01:49):
our conversation. I think we can get the obvious out
of the way. We can state that a priority for
any business in the twenty first century needs to be
on cybersecurity. That is pretty obvious. But what has become
more complicated, I would think, would be this shift we're
seeing now that we're in an era of let's say,

(02:12):
momentous events where we've seen a real move to decentralization.
A lot of people are working from home and that's
kind of changed the nature of business. Has that impacted
sort of the focus of cyber threats as well? Are
we seeing changes in that realm? Wendi? Yes, I would

(02:33):
say we absolutely are. You know. The good news, though,
is it hasn't shifted in terms of such new and
novel types of attack techniques. But I think what's really
shifted is the volume of attacks as well as the frequency,
and then the attack surface. So when I say attack surface,
you know what I mean is there are millions of

(02:53):
more computers that are now connecting from remote locations into
devices and applications and systems that previously were within the
same network. So that gives the attackers a bigger attack
surface from the external side of that, right, all these
new systems that were online that are no longer behind
these firewalls. But then also it opens the corporate entities

(03:15):
to potentially more of an attack surface because of the
fact that they might have overnight, you know, enabled the
ability for their workers to work remotely, and perhaps they
don't have the right types of authentication or enough authentication
on their systems where these attackers can take advantage of,
but ultimately where their users need to connect to do

(03:36):
business and to do their work on a daily basis.
And we've definitely seen issues in the past where even
within these well protected systems, we can see failures. Often
I argue in tech stuff that the weakest link in
a company's cybersecurity process often isn't necessarily the technology. It

(04:00):
can be the implementation of that technology, but it often
falls to a weak link in the the use of
that technology. So user error, you could argue, I think
leads to a lot of those I imagine that that
this decentralized approach has created enormous opportunities to exploit that

(04:21):
because people are having to navigate a new workspace, they're
having to access systems in ways that they haven't before. That,
as you say, are are a little a step outside
of the immediate control of a lot of these businesses.
So can you talk a bit about sort of the
nature of that, Like this attack surface, what are the

(04:45):
sort of attacks that you typically see, what's kind of
the nature of it? Well, okay, so let's take that
question from a couple of different angles, right. So, one
is just the ability to exploit human error, which we
are all going to be prone to do. Right, So,
if you're looking at it from the attacker perspective, they're
kind of saying, hey, great, look at this. There's all

(05:05):
this chaos going on in the world right now. There's
new ways of working. But people who are now working
remotely that maybe didn't before are also doing things like
checking their email more regularly and they're checking social media
sources and news sources because they want to know what
are the local regulations where I live, what's the current
counts in terms of how many people are being infected.

(05:28):
And so since March we have seen a six thousand
percent increase in spam related to COVID nineteen. So that's
coming into users directly, so maybe your personal email accounts,
but it's also coming into work email accounts unfortunately. And
each one of those systems that I mentioned that previously
used to be inside of a network and is now

(05:50):
not may or may not have the same types of
personal protections on it, right in forms of firewalls and
antivirus and endpoint detection that it had when it was
on the interior of their network. And so from that perspective,
human error and humans are always going to be a
huge part of the attack surface, right, So we've all
got that, you know, as if we don't have enough

(06:11):
things to be concerned about right now, we're going to
add that to the list. And then as the pandemic
has shifted and as it continues to go on, there
is obviously a huge influence on testing, on vaccine research,
on the development of a vaccine and processes and procedures
that are all going to make all of us more secure,

(06:33):
and so now you not only have those. When we
talk about spam, we're often talking about cyber criminals, right
who are financially motivated looking to steal information, maybe looking
to conduct ransomware attacks. But when we shift over to
the vaccine research and the testing, we're then really looking
at nation state actors who are looking to capitalize on
the theft of intellectual property and make sure that they

(06:55):
can protect their citizens and potentially turn that research into
financial gain as well. So it's a pretty tumultuous environment
right now. I mentioned that the attacks themselves are not
necessarily all that new and novel or exciting, but the
volume of them, and combined with the increase of attack
surface as well as just the general day to day chaos,

(07:18):
has made it a pretty interesting environment to say the least. Yes,
I think interesting is a great word for it. It's
one of those nice catch-alls. In your work, Wendi,
have you noticed any particular sectors or industries that are
particularly being targeted by cyber attacks in this era? Right now,

(07:40):
we're absolutely concerned about critical infrastructure, and when I say
that though, that's kind of a big list, right of organizations.
So that's everything from the obvious like hospitals who are
providing healthcare to people who are sick. It's the medical insurers,
it's the whole infrastructure and ecosystem on the medical side.
It's also financial services industry, and their supporting infrastructure and

(08:03):
supply chain as well as energy and oil and gas
and really any of these organizations. It could also be
food supply chain, right, All of those things that we
need now to work perfectly more than ever are also
potentially at risk. And so what we look at and
what we're concerned about most are ransomware attacks to those
type of organizations. We know the continual targeting and theft

(08:26):
of intellectual property will go on as it always has.
But if we can stop some of these major ransomware
breaches from being effective and from stopping business for our clients,
that's really what we're concerned about helping out with. I
think one of the things we've learned we being sort
of the layman I include myself in this in the

(08:48):
wake of this pandemic, is how incredibly interconnected all these
different pieces are, and if you do put yourself in
the mind of someone who is attempting to exploit the
the chaos. Then you can think, well, then you want
to target whatever links appear to be the most vulnerable

(09:09):
at any given time. And this kind of brings us
over into something that I wanted to speak with Allison about. Allison,
you have a pretty cool job in that you help
architect scenarios for companies so that they can have a
simulated cyber threat attack, sort of a worst day ever scenario.

(09:32):
Can you talk a little bit about what that's all
about and what goes into planning this sort of thing. Yeah,
So having a well tested and really thought out plan
is key to any incident response piece that you'd be
working on with in a company. So where I work
is really working on creating custom scenarios for organizations to

(09:54):
go through and handle. Really a day in the life
of a cybersecurity attack, something that would go on. It
is really, like you said, your worst day that could
possibly happen within an organization. A plan is really only
part of the solution, So you also need to find
out if your company is ready and able to execute
and work through that plan. And that's where my team

(10:16):
comes in. With helping to test out that plan within
your organization. We run a fully immersive and gamified cyber
range as part of IBM Security Command Centers. Within the
command centers, we test and train companies in order to
practice their response to a cybersecurity attack. Now, when I
say test, it's not just reading through your plan and

(10:36):
answering questions. We put your plan into action by throwing
your entire response into a full on simulation of a
cyber attack. The most effective response plans that we found
are really tested and rehearsed multiple times through different types
of attack scenarios. So, for example, you could be testing

(10:56):
a ransomware response, DDoS attack, insider threats. All of these
areas are important to test and train when dealing and
handling a cyber attack. And you know a lot of
people think that these are technical responses, that this is
something that you know, it's really for your security operation centers,
your IT areas, but actually, as cyber response plans are

(11:18):
best executed by the whole of business response, So dealing
with individuals from human resources, communications, finance, legal, all of
those individuals come into play when handling the cyber attack.
So we work with all of those within the cyber range.
That's absolutely fascinating. And as you point out, like I

(11:38):
think a lot of us think of cyber attacks and
the response to them in very Hollywood terms, just because
the way the media tends to portray this sort of stuff,
where you have the people just furiously typing, maybe two
people typing on the same keyboard, which we all know
works incredibly well, that clearly is not an accurate representation
of what actually happens. And I'm sure there are a

(12:01):
lot of people out there listening who are working in
their IT departments, perhaps they are leaders in their IT departments,
and maybe they're thinking about this for the first time.
So do you have any thoughts about even just the
process of getting started and building a response plan? How
does someone go about doing that? Yeah, that's a great question.
I think a lot of organizations have, and I think

(12:24):
at times they can feel overwhelmed on where do I start?
You know, I don't know how to get started. It's
this huge thing, and you know, to be honest, what
we see is there's still three quarters of organizations that
don't actually have a plan in place, so no incident
response plan, no playbooks on specifically, how do we
respond to a certain kind of attack. So first and foremost,

(12:45):
put it on paper, right, start somewhere, Start with names
of your personnel, their contact information, their email addresses, and
their roles, and literally start there, and then from there
start looking to build out different components right of the organization,
so cross functional departments, who they're, who those leaders are,
what applications are responsible for, and really getting an understanding

(13:08):
of what roles and responsibilities different team members are going
to play. Then, as we look at organizations that are
more advanced, what we would encourage them to do is
certainly to have specific playbooks for certain activities, right, so
a ransomware playbook, a theft of intellectual property playbook, any type
of things along those lines. And then once you have

(13:30):
those in place, then we look at testing them. So
increasing the frequency of testing them. If you can be
testing quarterly at least one of those scenarios, your organization
is going to then identify where the gaps are. And
if you can do that in advance of an attacker
doing it for you, you're going to be much
better prepared to respond effectively to an attack. I imagine

(13:52):
part of that also comes into how you communicate this
Both internally and then externally. We've probably I'm sure we
could all list off examples in the past of companies
that have had a data breach, for example, and kept
that quiet for maybe up to a year before news breaks.

(14:13):
And honestly, I feel that the longer that goes, the
deeper the sense of loss of trust tends to follow.
There's almost a sense of betrayal among the various stakeholders,
whether it's a customer or a client or whatever. So
is communication a part of that playbook? Is that something

(14:34):
that you help develop as well? So communication is absolutely,
I would argue the most important part of the whole
thing today, and I'll let Allison definitely talk more about
how we train that in the range. But what we
talk to our clients about in these situations is that
there are components that you can do in advance. So
things like having what we call a holding statement, which

(14:54):
is some sort of a statement that if press breaks
and you're not potentially ready to share information that you've
got a canned statement prepared and ready to go. That
is going to put you in position where it appears
that the organization is on top of things that they're
communicating with their clients and that they are investigating the situation.
In so many of these cases today, it's not just

(15:15):
about what the response was to the event, but it's
the communication of it and the public's perception of that
communication as well as your customers and clients' perception of
that that can cause reputational damage. Or on the plus side,
even in the wake of some of the worst breaches
we've seen in history, we've seen leaders who have come
out and done a fantastic job of communicating about it,

(15:38):
and they've actually built even more goodwill and trust in
their client base as a result of one of these breaches.
That's something that Allison and her team share on a
daily basis within the range. So Allison, I'd love to
hear your perspective on it. I'd say a great deal
about my area is working on how we get the
attendees to engage within the scenarios, right breaking you away

(16:01):
from your everyday life and now simulating something a cyber
attack that could be possibly simulating your worst day in
that organization. So something that you know we think about
when creating these we're really testing you and training you
to emulate these business and security issues that would be
taking place and all of the stories that we work on,
and these experiences are based upon real life incidents and

(16:22):
stories that are from the field and kind of like
top headlines that we're seeing. So in order to create
these simulations, we use a method called really experience design
that creates real life situations that not only pull from
real life stories, but also feelings such as like panic
and uncertainty. And these areas are really kind of this

(16:43):
experimental learning where in order to fully learn what you
need to do, you have to experience it firsthand. So
we want to drop you into a scenario and have
you go through that so you know, for example, something
that you might be dealing with, like Wendi said, is
going through a holding statement, having to actually put that out,
test you and put you firsthand into what we call

(17:03):
the hot seat. It's a live broadcast studio where we
drop you in full green screen lights and we turn
that camera on and ask you questions from a real reporter.
It's up to you to answer and how do you
deal with that? You know, many people find out once
they go through I need to go back and take
some time to learn how do you answer some of
these questions? How are ways that you would go through that,
because again, the brand and reputation of your company is really,

(17:26):
you know, a big piece of this, so keeping that
up is something that we work on. And all of
this comes through these kind of emulating and you know,
simulating these scenario pieces. Allison, one of the things that
you and I share is a background in theater and
as someone who is in theater and who has participated
in various theatrical events where you are simulating something. To me,

(17:50):
one of the magic parts of theater is that people
actually will experience those reactions even in a simulation. You know,
you have removed yourself from any real danger, you are
not in a legit dangerous situation, but your your body
and your mind still goes through those reactions. Do you

(18:10):
witness that in these simulations. Do you actually see people
having those kind of emotional responses and that's a big
part of learning how to respond appropriately when this happens
in real life? Yes, exactly, You're spot on having that
we you know, the whole piece is really creating that
adrenaline rush, seeing your heart rate go up, you know,
as soon as you see your headline, you know, splashed

(18:32):
across you know, front page and in the news. That's
creating something really for you internally, and so what we're
doing is creating it in a safe space. Right, this
is a space where you know, we want you to
fail in here versus out in the real world. We
want you to understand what you would need to do
if you did have something that took place and now
you need to respond to that. So in order to

(18:52):
do that, we use lighting, sound design, interactive apps to
create and evoke this emotion. You know, we have an
individual come through and they said it almost created like
a level of PTSD from a previous cyber attack. They
came through and said like, wow, this is like really,
I know that I'm in a simulation, but my heart
and mind sort of take me to this other place

(19:12):
where now I'm really feeling what it's like. And that's
the whole thing of practicing and having this muscle memory
of going through it. Right, you're just rehearsing and rehearsing
and understanding, and like Wendi said, you know, doing these
every quarter can really help for you to really understand
what you would need to do in order to deal
with that, and that pressure might then go down because
now you know how you work with you know, the

(19:34):
attack and the next steps of what you need to
do to process it. Yes, I think it's much better
to have that visceral reaction when you're in a practice
stage than to have it when you're having to deal
with a real world intrusion or a data breach or
something along those lines. You definitely want to be able
to look back on that training you've had and rely

(19:56):
upon that muscle memory, as you say, rather than have
to to soldier on and put that response plan to
test without ever having actually done it. It's that's I
would love to actually be a fly on the wall
on one of these It sounds truly amazing to me,
and and the sort of stuff that I've seen in
in like hacker movies, but never thought that anyone actually

(20:20):
did it. So that's phenomenal. Wendi, can you talk a
little bit. Are there any common traits that you see
among companies that are really good at recovering from these
sort of of threats of these sort of attacks. Are
there certain things that you can identify and say these

(20:40):
are our markers sort of best practices that are common
across different industries. Well, I think, first and foremost it's
because they have access to an incident response team. Right, So,
whether that's an internal team or whether they choose to
use and leverage an external team. The reason that you
want people there is actually right along the lines of
what you two are talking about, which is you want

(21:01):
people who have had a lot of practice in this,
right who have responded to events. I will say, you know,
I've been doing this almost twenty years, and I still
when I get the first phone call from a client
it's a new client that we know there's a situation
going on, I get the adrenaline rush, you know, because
I want to know, Okay, what are the details that
are going to share with me? Who's the potential attacker?
What do we need to do? In my mind is

(21:22):
racing of all of these different things and actions we
need to take. But because I've been through it so
many times, I'm able to then really harness that and
channel it into a productive, credible discussion. Right, here's what
we need to do, Here's the actions we need to take.
Here the things not to do right now, here's the
evidence to preserve. So the more that organizations have access

(21:43):
to personnel like that and those skills, the more successful
they're going to be because they're going to reduce time
that it takes to get answers. And when you talk about,
you know the age old verbiage that time is money,
that is extremely true in attacks because the more time
that you can save, right, or the less time you

(22:03):
take to get answers, the more money you're ultimately going
to save because you're exposing your organization to less risk
throughout that entire time. And so, first and foremost, if
we want to look at who's successful, it's they have
a team of people who can respond to the incident.
That said, then those team of people also have things
like technology in place that gives them the visibility to

(22:26):
answer questions. Because if you can answer questions really quickly, again,
then we can make decisions for the business. Whether that's
taking a system offline, whether it's taking an entire part
of the network offline because of the risk that is exposed.
Those are all decisions we can make. So the quicker
that we can do that based on visibility, the better
I like that. That answer goes back to what you

(22:48):
were saying earlier, Wendi, about that first step of building
a response at all involves getting that list of names
and their contact information and the roles that they play
drives home that when you have something like this happen,
obviously your first response is oh no, and your second
response is what do I do? And having that list

(23:10):
of people who have very specific job roles and ways
of reacting to this is absolutely of critical importance. You
reduce the amount of time it takes to even know
who you're going to turn to. It's one of the
worst feelings in the world is receiving information and literally
not knowing where you need to go in order to

(23:32):
resolve it. So having that in place, I think, as
you point out, is absolutely critical. Allison, do you have
any specific sort of lessons that the companies tend to
learn in this simulation, apart from the fact that a
simulation can be almost as terrifying as the real thing. Yeah,
I mean one of them, i'd say, is just a

(23:52):
lot of organizations realize that they need to test their
plan and go through it. That's i'd say, like the
first piece. But one of the things that you were
just mentioning about, you know, the types of people that
go through and the response and pieces like that. One
thing that we've found is those with military or first
responder training have responded very well within these types of

(24:13):
response challenges, you know. And a thing I think we
look at from that is those are the ones that
are really trained in incidents that have taken place for them,
and they're not really shying away or pushing it away
onto someone else's issue. They're taking it on and leaning
into that situation and really you know, moving forward quickly
with it. We tend to see those are the ones

(24:33):
that get up, answer the phone and handle the situation.
So taking kind of a lesson from that, you know.
And another piece that we'd say is just that many
learn to understand that cybersecurity is a whole of business response.
It's not just that it. We need to see everyone
within your organization taking part and understanding that there's now
a cybersecurity culture that needs to go you know, take

(24:54):
place and go within you know. Another thing is looking
at it from a you know, a top down approach,
looking at cybersecurity awareness, this idea of good cybersecurity culture
that comes from the top of your organization and can
trickle down within the rest and just making sure that
your teams have are empowered to take steps to immediately
react without hesitation right, giving them that power to say,

(25:17):
you know what you need to do. You've practiced and rehearse,
and these are your steps that you would need to
take. Out of curiosity, Allison, do you have a particular
type of threat that you've seen where the response has
been frequently lacking? Is there a place that people really
need to focus on? I guess is what I'm trying
to get at. Yeah, I would say a big piece
that you know where people lack is the response to

(25:40):
media and communications. That side of it isn't always thought about, right. Yeah,
you're dealing with the technical you have teams that are
trained in that, but then when it comes to putting
out that holding statement, even communicating internally to your teams
so that they're not sending out messages or putting things
out you know they're wondering what's going on. You can
put these sort of hold statements internally within your organization.

(26:02):
And something that we also practice is called a leader's intent,
where we have the team write out a leader's intent
for your entire organization. And this gives you like a
purpose and an end state of what you would need
to do. If there was some sort of piece that
took place, So it gives them everyone in your company
that right and that kind of goal of what they
would need to do. As a member of the media,

(26:23):
I can certainly understand how we can be intimidating. So,
I mean, our job is to spread information and sometimes
you really need to contain it for the moment so
that you can do the right thing. So I certainly
can appreciate that from my perspective. Oh, yes, we use
you as the bad guys all the time. I mean,
it's fine, it's fine. Wendi, your team recently released

(26:50):
a threat landscape report on cloud environments. Now, obviously, over
the last two decades, we have seen an incredible migration
to cloud services. There's so many companies out there that
are dependent upon either a hybrid cloud strategy or a
lot have even moved almost all of their processes to
the cloud. What were some of the things that you
learned in that and that you released in that threat

(27:14):
landscape report. Yeah, you know, I think they're pretty consistent
with the things that we've seen in the field with
our investigations. And you know I mentioned earlier about time
being money and not being never truer than in the
case of a data breach and data breaches in the
cloud are not any different actually, right, They are primarily
motivated around financial gain. So that's really the most common

(27:37):
motivation for the threat actors that we see targeting those
and you know, I think the it relates primarily to
data theft, right, So data that's hosted in the cloud.
One of the things we consistently see is that organizations
who move data to the cloud will kind of have
this false idea that you know, Okay, well, now it's

(27:58):
someone else's responsibility and so I'm kind of absolved from
the responsibility of protecting that data. And unfortunately that's not
the case, right, And so we see a huge amount
of misconfigurations. About forty three percent of attacks that we
see in the clouds, in the cloud, excuse me, are
result of misconfigurations of that And you know, oftentimes, again

(28:19):
it's kind of unclear as to whether it's the hosting
provider or the actual data owner who felt like, you know,
maybe they were pointing fingers about who was actually responsible
for those attacks. But you know, I think the reality
is that we are going to continue to see more
and more of those types of attacks as more organizations
move to hosting data in the cloud. That to me

(28:41):
is incredibly interesting, Wendi, because I, the first thing I
think of when I think of the possibility of moving
things to the cloud is a reticence of letting go
of something in that I think about the old days
when everything is self contained. But it is interesting to
think of it from the other perspective of the idea
that you're absolving yourself of responsibility by putting it onto

(29:02):
potentially a cloud provider. And in either case it's a
destructive way of thinking, and I think it does point
back to your earlier point about this is another example
of how a response plan is absolutely critical to any
business that whether you are overseeing your systems internally or

(29:23):
whether it's on the cloud, you have to have that
plan in place. It isn't enough to just say, oh,
well it's in safe hands. I can just brush my
hands and walk the other way and never have to worry. So, Allison,
does your team work on creating scenarios that involve things
like cloud environments. Yes, very much. So. You know that's

(29:45):
a big area. You know that we're seeing companies go towards,
and that's something that we're highlighting and working on within
the range. Yes, we have organizations that test and train
within the space. And something that we look at is
we put you in this a fictitious company right that
you're going through, and we put it now as a
cloud first environment, and we give participants best practices on

(30:07):
manning managing those cloud attacks and the response to them. So,
you know, we look at the you know, migrating to
the cloud, which introduces new security risks and different challenges,
and we take participants through really a fictitious multi cloud
organization that is about to experience a cyber attack and
what you would need to do in order to support that,
What do you need to do in order to kind

(30:27):
of stop and you know, what are those responses to
dealing with it now that it's in the cloud, and
this gives you still a chance to deal with it
protecting your customers, your employees, your brand, but all of
that within the cloud, and how your organization would be
handling it with these cloud environments. Out of curiosity, do
you have members of your team who are essentially filling
in the role of people who are working for this

(30:49):
fictional cloud service provider and do they have to interact
with the people going through the simulation. Yeah, so we
have they're kind of like our actors in a way,
but they're trained experts in cloud, cloud resources, OpenShift,
all of this sort of area, you know, when you're
dealing with it. So we definitely are you know, have

(31:10):
these experts that are there and they're interacting and putting
in those pieces. So when you know a client or
an attendee in that is asking questions and going through it,
there are sort of these real life in a way
actors that come in and ask these questions and have
these real life scenarios that would come out and play through.
That's fascinating. So but it is it's incredibly valuable, right

(31:31):
because other than that, you would just have people talking
through their response plan and if there's no one that
they can bounce off of, and if the control is
outside of the company, it really would be a frustrating experience.
So having that where you have that extra piece in
there and you can figure out what the resolution is
to one stop the attack and then to move on

(31:54):
to your next phase, that's absolutely important and critical. Obviously,
I have another question for for really for both of you,
but Wendi, maybe you can take first crack at this.
This is where we put on prognosticator hats. It's where
we look into the future, which we all know is dangerous.
And yes, and often we have to we have to

(32:15):
couch things, which is perfectly fine. But how do you
see the cyber landscape evolving now, especially given this decentralized approach,
which I imagine for a lot of companies is going
to become the normal mode of operations, even once we
emerge from the pandemic. Right, you know, I think we're

(32:37):
going to see, right, a prolonged period of a little
bit of instability. Right, how do people work from home?
Does part of the workforce work from home? Part go
back to the office. There's going to be just a
continued kind of dynamic shift, and I think that's going
to make a lot of people uneasy. Right, So from
that perspective, I think we're going to continue to see

(32:57):
attackers take advantage of that. I think there are some things
that organizations can do to be much more successful at that,
things like implementing multi factor authentication for remotely accessible devices
and systems and applications. That's going to be critical. Right,
regardless of whom you have working in an office or not,

(33:19):
you'll be able to then secure that data a little
bit more because attackers will continue to take advantage of that,
I think we'll continue to see more online scams. As
the election season within the US is coming up, you're
going to continue to see more related to that. And
then once vaccines are available and once more testing is
readily available, we're going to continue to see a lot

(33:39):
more scams related to that. So individual users will need
to really, I think, learn to protect themselves a little
bit more effectively. And that multi factor authentication I mentioned
for example, is also great for you to implement personally,
So things like on your online banking accounts, on your
personal email accounts, your social media accounts, having multi factor

(34:01):
authentication most of those now most applications have that built
in that people can take advantage of. And then also
doing things like having a password manager, so using that
there's lots of free ones you can use, so that
one you don't have to memorize your passwords and that
you're not using the same ones over and over again.
We know that the number of breaches is going to

(34:22):
continue to increase, the number of compromised networks and systems
and accounts will continue to increase, and at this point,
over sixty percent of the breaches that we see are
leveraging data that's already been stolen somewhere else or a
vulnerability that's already been exploited and is out there and
known to the public. So if we can all do
our best to kind of take our part and our

(34:43):
actions that are going to help secure our own environments,
then the better off that that's going to translate to
our corporate environments and just to overall security. Yeah, I
can't tell you how many times I've rolled my eyes
at reports of a data breach where passwords were shared,
and you see that the most common passwords are things

(35:05):
like password or one, two, three, four, five six or whatever,
or password one so that you have the one numeral
in there. And I think a big part of cybersecurity
from an individual standpoint, and please correct me if I
am off base, because you're the experts, but I think
a large part of it is the idea of you're
trying to just reduce the number of opportunities an attacker

(35:26):
has to take advantage of you, and the more opportunities
you eliminate, the less valuable you are to the typical attacker. Because,
as you had mentioned earlier, time is money, even on
the attack side, and an attacker is far more likely
to go after a target that they view as being
vulnerable than to waste time on targets that appear

(35:49):
to be more savvy from a security perspective. Am I
more or less on track there? I think you're ready
to be an incident response consultant because that's one of
the things that we say. Basically taking the language you
just use, shifting that to a corporate environment. The fundamentals are,
we want to increase the amount of time it takes
for the attacker to meet their objective right to accomplish

(36:11):
their goal, whatever that may be, to steal information, to
break in, etc. So we increase the time it takes
them to do it, and we decrease the time it
takes your organization or the good guys right to be
able to identify it. So if we can marry those
two together, then we tend to make your organization less
of a target than other locations because the attackers are
going to have to work harder, they're going to use

(36:32):
more resources, they're going to have to spend more money
to get the job done, and more than likely they're
going to move to somewhere else where they can accomplish
that much faster. I'm glad I got something right. Well,
let me ask this also, Are there are there tips
or strategies that you think companies and individuals should be

(36:52):
following beyond making a response plan. I think one of
the big ones is finding a way to communicate policies
and processes and good security behaviors to people in a
way that is really instructive. I know that almost every
company out there now has the mandatory video or presentation

(37:16):
on security. What do you think are things that really
people need to focus on, or companies need to focus
on in general to help improve security overall. Well, something
Allison I'm sure is going to talk further about is
about building a security culture right and building that into
really the fabric of your operations. I think until

(37:38):
people at all levels of an organization feel like security
is their responsibility and they're empowered to make decisions on it.
Until they do that, an organization is always going to
struggle right to make decisions effectively. So that's a huge
part of it. The communications, having them planned and prepared
in advance so that you're ready to go once an
attack actually occurs is also critical, and then shifting to

(38:02):
some of the more technical components, things like I mentioned
multi factor authentication on remote devices. That's absolutely critical, but
also making sure that you have backups of your most
sensitive data and that you've tested those backups. We have
an organization we're working with right now, major ransomware outbreak.
They had all the best technology in place and all

(38:24):
of the best procedures for having backups, making sure they
were offline and not connected to the network at all times,
but they had never tested them. And once they did,
they realized they couldn't actually restore them because the data
wasn't replicating correctly. So, you know, we talk about testing
our incident response plan, also test your most sensitive data
in those backups, because if you have access to that

(38:45):
and you are attacked and you are the victim of
a ransomware attack, you don't even have to engage in
any of those discussions. You can say, Okay, it's going
to take us six hours, twelve hours, twenty four, whatever
the case may be, to get access to that data.
But we have it, and it's just a matter of
getting access to it and restoring it and then certainly
securing the ability for the attackers to successfully do that. Again,

(39:08):
we want to prevent that as well. I feel like
a lot of those lessons can be applied not just
in the corporate culture, but in our personal day to
day operations as well. This thought of taking security seriously,
it's interesting to me because I'm old enough to remember
when no one wanted to use the internet to buy

(39:30):
anything because everyone was worried about security. They're thinking, I
don't want to put the numbers that are on my
card onto this computer thing and have it sent out
to everybody. And oddly enough, now we're in a world
where a lot of things that would drastically improve security
are either an afterthought for some people. They never consider it,

(39:51):
or they think of it as an annoyance. I know
people who find multi factor authentication to be irritating. Oh,
I have to type in my that six digit code
that just got sent to my smartphone. And explaining to
them that this is a way in order to make
it harder for an attacker to find that exploit, whether

(40:11):
it's in a company or it's in your personal information.
I think that is incredibly valuable, and I want to
see that culture adopted at large, not just in companies
but beyond as well. Allison, any other little tips or
tricks or any any fun ways to terrify people that

(40:32):
you would like to share before we wrap up. Yeah,
I mean just you know, for my area, it's where
can we get you? What are those things we like
to almost think really like a hacker in a way,
and what are those areas that we can take advantage
of and then show you what those are? And that's
really what we're you know, working on within that. But
you know, like when you said all of these areas

(40:52):
to you know, to stay cyber safe, working on that
as you know, a security culture, even having those security
culture pieces at home, staying cyber safe at home with
your family and kids, that can kind of just penetrate
that within your you know, entire self and bring that
into your organization. I'd say, you know, those are areas
and just practice, practice, practice, keep those plans going, keep

(41:13):
going with those tests, you know, emulating those experiences and
making sure that you're really taking those plans into action.
Out of curiosity, Allison, does your team look at a
response plan in advance and then look to see if
there are any potential holes in that response plan? So
that you can demonstrate that this is something that they

(41:34):
the client really needs to focus on in order to improve. Definitely,
we'll take the response plans, study them, and then create
scenarios that are specifically designed to possibly you know, go
around or you know, penetrate certain areas that they might
be missing. We also take it where we might not
have any insight and show that there are you know,
openings and holes that might you know, appear. A lot

(41:58):
of it has to do with human human interaction, things
that we might miss, things that are happening, So it's
kind of taking all those in and then showing where
you need to add those within your plan. So definitely
that's an area. Yeah. I think of that a lot
in terms of things like learning a martial art where
you practice practice, practice, practice, and then you're ready to

(42:20):
show off to someone and say, all right, i'll show
you how you get out of it. Here, grab me
from behind. Someone grabs you from behind. Oh no, no,
not like that. You need to grab me from behind
this way so I can get out of it. And
you think, well, that's not how the bad guys are
going to do it. They're not going to attack you
at your strongest point. Just because you really practice that.
So I think that again, the service you're providing is

(42:42):
incredibly valuable. And as we're seeing the landscape change, I
think it's going to be important for more and more
companies to really focus on this, to continue to focus
on it. You don't want your story to become the
next big scandal. You want your story to be a
success story of how you were able to respond in

(43:05):
a in an agile way, an effective way, and a
way that was responsible both to your company, to your customers,
to your clients. That those are the stories we want
to see. We want to see because we know the
bad guys aren't going away. We know that they're not
going to just stop, but we do know that we
can work better at responding to it and make sure

(43:26):
that the actions we take are more effective and that
people don't feel like they are left out in the
lurch and there's nowhere to turn to and you're just
you're just going through the absolute worst feeling of your life.
We want to prevent that as much as possible. You can.
You can save that for the stage, and then in

(43:48):
real life you can have the actionable plan. Do you
have any other last thoughts you would like to share
before we conclude. I think I've learned a lot in
this conversation. First of all, I mean I've learned I
definitely want to see one of these simulations because I
think it would be incredibly informative. And also I've learned

(44:13):
that I probably need to update my password manager. Yeah.
My last thoughts would be, do not be part of
the people that believe they don't need to change their passwords, right?
We mentioned that, you know, we hear about breaches happening
on a daily basis, and then so many people just
kind of think, oh, well, now they happen all the time,
so it's no big deal. Just keep my passwords the same.

(44:35):
Don't do that. Please change your passwords, Please use a
password manager. And if you've got questions on other things
related to things we talked about, you can also visit
ibmsecurity dot com and read more about all of the
services that we have to offer. We'd love to chat.
I again want to thank Wendi and Allison for their
time and their expertise. I am convinced that companies absolutely

(44:59):
need to have an incident response team and a response
plan in place to deal with cyber threats. Reducing the
attack surface is important, but making sure you've got the
right plan and people ready to go should the worst
happen is absolutely critical. It reduces the cost of an
attack dramatically, and when you consider the cost we're talking
about isn't just the significant financial cost, it's also how

(45:24):
others perceive your company. It's an imperative. We've seen companies
large and small take massive hits to their credibility as
a result of attacks. I hope one day I get
to see Allison and her team at work, and her
description of people going through real world emotions even in
a simulated event reminded me of how we can experience

(45:45):
stuff like fear and trepidation even when we're in a
virtual environment. But it's better to have that experience in
a test run than the real thing. That's all from
this episode of Smart Talks. To learn more about IBM's
cyber security services, visit IBM dot com, slash Security Slash Solutions.

(46:11):
Tech Stuff is an iHeartRadio production. For more podcasts from iHeartRadio,
visit the iHeartRadio app, Apple Podcasts, or wherever you listen
to your favorite shows.
