Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:02):
We can go back to a quote from the Depression
era bank robber Willie Sutton. He had this infamous quote
that said, like, I rob banks because that's where the
money is.
Speaker 2 (00:11):
Old-fashioned bank heists aren't so common today, but modern
financial institutions protect more than just money, and finance is
consistently in the top three most targeted industries when it
comes to cyber attacks.
Speaker 1 (00:23):
There's accounts, but there's also a lot of strategic information
with regards to transactions and the likes, and that's what
continues to make financial institutions a target for this.
Speaker 2 (00:37):
That's JF Lego.
Speaker 1 (00:38):
I'm Chief Information Security Officer at JP Morgan Chase.
Speaker 2 (00:42):
As a leader of cybersecurity operations for the bank and
its clients, JF thinks constantly about every opportunity that an
attacker could exploit, from software bugs to natural disasters.
Speaker 1 (00:53):
Whether the scenario will be a technology outage, whether it
be whether a threat actor could use that as a lure.
We've actually seen, you know, like fake donation sites when
there's a natural disaster, right, where people are looking to
donate to earthquake relief or hurricane relief, the
Speaker 2 (01:13):
bad guys are there, and by setting up fake disaster
relief websites, the bad guys can harvest any credentials that
come with those well-meaning donations. This is just one
scenario in a bigger trend that JF is seeing, where cyber
attackers set traps to compromise team accounts.
Speaker 1 (01:28):
We're seeing more and more threat actors using, you know,
search engine optimization to present fake websites. When somebody's doing
an online search, the website will come up at the
top versus the legitimate one they're looking for, and then
they get the ability to deliver malicious software. So that's
like a really interesting trend that people should think about.
(01:52):
You know, we used to train people to look for
phishing based on, like, grammar and urgency and things like that.
That's changing.
Speaker 2 (02:02):
Phishing and browser-based attacks are evolving to catch us
where we spend our money, our attention, and our working hours,
and as work itself happens more consistently in web browsers,
JF sees the role of a cybersecurity leader evolving too.
Speaker 1 (02:16):
I've been doing this for like twenty five years now.
That overall evolution, and we used to call it computer security.
Network security was very infrastructure focused, and then there was
an evolution to information security. You know, when I look
at the role today, a lot of it and most
of it is really how do you secure a business?
And I think that's where strong cybersecurity leaders are evolving towards,
(02:41):
is like, how do you interface with your business? How
do you understand the practices? There's an evolution in a
variety of technologies that help bad guys as well. You also
need to adapt based on the evolution of just the world.
Speaker 2 (03:02):
From Bloomberg Media Studios and Chrome Enterprise, this is Security Bookmarked.
I'm your host, Kate Fazzini. I've been a cybersecurity professional
and journalist for over twenty years, and on this podcast,
I'm talking with leaders in gaming, finance, and manufacturing about
what security looks like in a workplace that's moved to
(03:25):
the cloud. Much of what we think of as cybersecurity
was pioneered in financial services. In fact, a bank created
the first CISO role, and banks invented many of the
guidelines that are now standard across a range of industries.
According to the IMF, around twenty percent of all reported
cyber incidents in the past twenty years have affected the
(03:45):
global financial sector. So today I'm speaking with JF about
what he's learned as a leader of cybersecurity and finance.
Speaker 1 (03:53):
Really, my role is twofold. One is to represent cybersecurity
in the lines of business, but it's also to hear
where they're heading from a business strategy standpoint.
Speaker 2 (04:06):
And I'll find out why he's flipping the script on
enterprise security from simply defending the perimeter to transforming whole
teams into early detection networks. Then I'll chat with David Adrian,
security product manager for Chrome, about how businesses can implement
this kind of strategy and set up a strong monitoring
system to protect their teams. Going back to the trend
(04:30):
of cyber attackers using fake websites as phishing lures, JF
talked me through each step of their attack path.
Speaker 1 (04:37):
A lot of it starts with the endpoint. It starts
via email or web browsing. Credential theft continues to be
a driver of this, and phishing from two standpoints,
either the credential theft that I mentioned, but also delivery
of malware via those channels, is normally step one. What
(04:58):
we continue to see in terms of exploitation is things
like, you know, not having multi-factor authentication on remote access,
on remote login, or an element of, like, push fatigue.
There are multi-factor authentication solutions that send a pop-up,
and then people just end up hitting the yes
button somehow because they're just tired of seeing it.
Speaker 2 (05:21):
But tricking someone into signing into a website is just
the first step, and.
Speaker 1 (05:25):
I think what's important for organizations is that there's multiple
steps that are carried out by an actor. I think
understanding these attack paths of how actors operate and carry
out their activity is hugely important because the more you understand,
the more you can design layered control. So what if
(05:47):
an actor is able to obtain credentials, Well, those credentials,
if you've got multi factor, they won't work right. They
might get them part of the way, but they won't
get them logged in. Let's say they're able to get
logged in. Well, actors are going to start carrying out
some element of reconnaissance on the network. So how would
you detect that reconnaissance or how would you detect them
(06:11):
setting up a foothold on the network. So it's really
about as early detection as possible and understanding those early
indicators of an adversary being present on the network.
Speaker 2 (06:24):
One of the biggest threats that JF and I talked
about was an ongoing rise in ransomware attacks, where attackers
don't go directly after a bank's money or even its data. Instead,
they try to paralyze the bank itself, which can have
serious consequences for the greater business world.
Speaker 1 (06:41):
The financial services ecosystem interfaces with utilities, infrastructure, all of
the clearing and settlement, payment providers, the third parties that
we rely on day to day.
Speaker 2 (06:53):
And protecting that entire ecosystem at a global scale, that's daunting.
So I asked JF how to secure a high-stakes
perimeter that goes way beyond the bank vault.
Speaker 1 (07:04):
What's made this so interesting for bad guys is when
you look at organizations that are historically stored sensitive information
or process sensitive information, they have been highly regulated, they've
had a lot of focus in terms of building up
security controls. But by focusing on the disruption the availability
(07:25):
aspect, right, like, ransomware operators are now able to target
a variety of organizations that don't store transactional information, that
don't store personally identifiable information, and that causes broader disruption,
and I think that's why we take our role incredibly
seriously in securing the broader financial ecosystem.
Speaker 2 (07:47):
That is a great answer because I think to the
consumer or the banker who needs availability, it kind of
doesn't matter if it's down because of ransomware or a hurricane.
It's just wait, is it coming back up? And what
is the alternate?
Speaker 1 (08:00):
Yeah, and I still remember back in my early days,
we had one vendor that had a data center in
Florida and another one in California. So you basically have
a data center in hurricane territory and you have another
one in earthquake territory. And you might go, like, why
is this part of your role, to think, like, site
resiliency strategy with clients? Well, our clients operate in a
(08:24):
bunch of different industries and if they can't move money
because people can't go into the office and they can't
work from home, that has a direct impact on their
day to day operations if they can't move money. And
I think that's why ransomware has had such an impact
because it attacks confidentiality, and integrity and availability, so actually
(08:45):
three elements of the CIA triad, and that causes broader
disruption, and I think that also gains more focus because
organizations are actually stricken as a result of these attacks.
Speaker 2 (08:58):
You know, businesses are always online now, especially after COVID,
lots of people working remotely, having to be on at
all times. Customers expect you to be available at all times.
Another source of constant surprises, I imagine, is the third parties
that you have to work with, and the hundreds and thousands,
maybe hundreds of thousands, of them. So how do you manage resilience
(09:20):
when there are all of these other factors in the
form of vendors and other companies that you're hinging your
operations on. How do you deal with that in terms
of resilience.
Speaker 1 (09:31):
You know, you mentioned the pandemic. The pandemic was a
vector for adversaries. Everybody was after information for the pandemic, right,
so it became a very interesting lure for bad guys
to send like phishing emails, set up fake websites, So
it became like a lure for social engineering. And then
companies shifted very very quickly to work from home, and
(09:53):
by doing so, they may have exposed infrastructure that may
not have been as secure as it should be to be
exposed to the Internet, and that gave threat actors a
path into some organizations, but it also affected business practices.
There were organizations that were ready for it, that had
(10:15):
been working their resiliency plans for years for pandemics. The
financial services sector is one of those areas where it's
basically part of our DNA to build out strong resiliency
and recovery mechanisms. And our role is to work with
our business to rethink some of the controls and get
the message out, the awareness message out to our clients.
(10:40):
And it gets really interesting when you start to break
down resiliency and recovery for organizations as a result of
things like a ransomware event.
Speaker 2 (10:52):
Then I am also thinking of vulnerability management, which we
kind of never, it's not very fun to talk about.
Speaker 1 (11:00):
I think vulnerability management is foundational to everything, right.
Speaker 2 (11:04):
The patching, the kind of day to day You know,
there's a lot of talk about alert fatigue, but you
have people who need to access the web, who are
on their browsers from wherever they are all the time.
How do you deal with web browser security? What is
sort of the best practices today versus what they were
when you first started.
Speaker 1 (11:22):
That's a great question. I get the point around alert
fatigue and volumes. But it's really about thinking through the
entire life cycle of that attack. So going back to like,
how do you drive awareness for employees not to click
on links. If they do click, how are you filtering
the sites that they're going to that could be malicious.
(11:46):
Interestingly enough, most systems that assist in, like, categorization of
websites have a functionality that blocks uncategorized websites, meaning websites
that are too new to have a category associated with them,
and oftentimes these are the ones that the threat actors
(12:09):
have just recently set up to look like a legitimate
website that, you know, somebody will click on, and you
can actually see a significant reduction of that browsing risk
if you're eliminating websites that are too new, that have
just been stood up, that have, like, a certificate mismatch
and things like that.
Speaker 2 (12:32):
When you think about enterprise security and finance, and especially
about protecting teams, what are the most critical threats that
you're watching out for.
Speaker 1 (12:40):
I think there are two aspects to this. We often talk
about how do we protect the workforce, but it's also,
like, how do we use our workforce as the first
indicator of an attack or of targeting. So, you know,
one of the things that's, like, hugely important is how
do you mine the reports that you're getting from end
(13:03):
users around cyber issues or targeting. We test our employees
for phishing on a quarterly basis. The first thing we
were doing was we were measuring click rates and then
we thought to ourselves, well, let's start measuring the reporting
rate because what we want to know is if somebody
(13:25):
is going to get this, are they going to forward
it to us? But then it was also measuring the
forward rate, meaning people's reaction often with a phishing email
is they send it to their colleagues and they go,
is this legit? So they're actually amplifying the adversary's reach
by forwarding it to a bunch of people who may
(13:47):
click on it who would have never gotten it. So
it's really how do you think through the awareness for
people with the most common types of attacks, but also,
how do you turn your entire workforce into early
detection sensors, where they're reporting what they're seeing to the
(14:09):
cybersecurity organization so they can promptly take action on it.
And that is a game changer in the early stages
of an attack because people will notice, hey, there's something
wrong here. I have never seen this happen before. It
might be a glitch, but it also might be a
(14:30):
bad guy, a threat actor that's doing something that's absolutely
unexpected that just revealed their presence on the network. Organizations
need to be ready and continuously adapting to the threat landscape.
Speaker 2 (14:49):
JF's strategy called out the importance of monitoring for potential
threats and risky activities, but when monitoring means catching a
fake disaster relief website, leaders need to recognize how opening
a browser for work shapes people's behavior.
Speaker 3 (15:02):
Security certainly isn't top of mind for most users. Most
of the time, they're trying to get their work done,
and they're probably also trying to get their life done.
Speaker 2 (15:10):
That's David Adrian, security product manager for Chrome.
Speaker 3 (15:14):
For most people, browsing the Internet may not seem like
a big deal, But if you're an administrator for a
bank or other organizations that have a lot of customer data,
then keeping your employees safe on the web should be
even more top of mind.
Speaker 2 (15:26):
He told me how he would approach protecting teams from
cyber attacks that take advantage of search.
Speaker 3 (15:32):
Chrome runs a feature called Safe Browsing, which attempts to
warn on sites that are known to be phishing, sites
known to be malware, and it doesn't reveal what sites
you're visiting. You can opt into a version of
it called Enhanced Safe Browsing, which is able to do
the checks in real time by sending them back to
the Safe Browsing server. That could be a good sort
(15:53):
of trade-off to make if you want additional protection
against malware and against phishing, regardless of whether they're being phished
at work or phished at home on their work device.
And in fact, Safe Browsing is, like, such a popular
feature that it's also an open API leveraged by some
other browsers.
Speaker 2 (16:11):
So of course you're dealing with data on these vulnerabilities
that is at the scale of Google, So you have
access to a great deal of very relevant data about vulnerabilities.
And not only that, but what of those vulnerabilities can
actually lead to a problem.
Speaker 3 (16:28):
Absolutely. Yeah, Google is crawling the web every day for
its search engine, and as part of that, it's also
seeing malware, and that sort of same crawling is powering
Safe Browsing, and Safe Browsing is something that you just
get out of the box with Chrome, among other end
user features like site isolation. Then we have other features
that are built with enterprises and businesses in mind. For example,
(16:50):
with Chrome Enterprise Premium, you can implement filters based
on website categories that you've defined, and you can get
reporting that shows how your teams are handling those filters. So,
for example, are people getting fatigued by their alerts and
clicking through regardless? Having that kind of information means teams
can get visibility into what's happening in their fleet and
they can take action based on their findings.
Speaker 2 (17:10):
This is great because one of the big intractable, long-time
problems in cybersecurity is just a lack of visibility
into process and how things are working in the web,
apps, and web browsers, which is realistically how people are
actually working today in the modern office workspace.
Speaker 3 (17:28):
Absolutely. And, like, the old way of looking at this
would just be, what programs did you launch? And it'd
be like, oh, well, you launched a web browser, and
it's like, okay, well, what does that mean? Right? You
could have done anything inside of that now. So you
need to know what's happening inside.
Speaker 2 (17:40):
Yeah, and thinking about where the work is actually happening, right,
because too often, I think, in security we've gotten used
to looking at the people in a certain way. They're
just people making mistakes, people forwarding emails, people clicking on
dangerous links. We look at people and see them as
weak points. But we could be treating every one
of those people as a point of defense. What do
you think about this growing emphasis on resiliency and managing
(18:03):
threats and what is the role of teams in creating
that resiliency.
Speaker 3 (18:07):
Yeah, I think this idea of cybersecurity resilience is becoming
more and more popular, especially in the financial services sector
where the stakes are really high. Breaches are going to happen,
and mitigating and responding to them should be something that
takes five minutes, not five days or five years. I
talked last time about how strong an identity is really important.
(18:27):
Once you have strong identity, you can start doing access
controls and authorization and limiting who has access to what
instead of everyone having access to everything. The more that
you can do that, and then you can pair that with
audit logs. Audit logs are the key to any security monitoring.
Speaker 2 (18:44):
Yes, and whenever you compare different pieces of information that
you have, vulnerabilities with audit logs, for instance, you start
to get that matrixed view which allows you to take
action in a much more meaningful way.
Speaker 3 (18:57):
What you want is that people's regular day-to-day
web browsing is instrumented and understood as a baseline, so
that when something anomalous happens, it's detected as being anomalous.
You can't have an anomaly without a baseline. Ideally, you
want that detection to happen automatically, whether that's just because
it's something very simple, like blocking a copy-paste
(19:21):
from your CRM into some sort of public document,
or it's something more complicated, like detecting a download from
a site that normally doesn't have a download. And then
where Chrome Enterprise Premium can really help is identifying the
non-standard usage, the anomalies, and remediating those. You
can get an audit log of all of the events
(19:41):
that are happening in Chrome, all of the user interactions
and so on, and that is exposed through the cloud,
either directly to you via APIs, or it can integrate
with a sort of third-party SIEM provider and hook
into your security team's workflow to look for anything out
of the ordinary, whether that's through integrating with data loss
(20:02):
prevention or just more specific rule sets on hey, this
thing looks different than normal. And then in that world,
you're not relying on the users to always make the
right decision, but you're trying to detect when the users
haven't made the right decision or are doing something weird.
And then if you've paired that with all of the
other best practices, then hopefully your time to mitigation is
(20:25):
very fast and it's actually a very low impact event
if something bad did happen.
Speaker 2 (20:29):
Yeah, I know, we have so many amazing technology solutions now,
but it also reminds me of how difficult it can
be for a security team to implement the new technologies
that they want to have. And that's where again we
go back to the people involved. You really have to
have strong leadership who are listening in to their security
teams and their experts and able to make the right
(20:50):
decisions for the company in terms of what kind of
security measures are going to work the best for them
and the level of visibility that they want.
Speaker 3 (20:59):
Absolutely. I think that's this move to management becoming something
that the security team, or whoever is responsible for security, owns:
that the management of the web browser or of a
phone or of the device is actually a security product,
like, rather than just an IT product, because all of
sort of modern security operations is about identifying who's logging
(21:23):
in a web browser and securing that web browser, whether
that browser is on a laptop, that browser is on
a phone, it's on a company-owned phone, or it's
on a personal phone. It's ensuring that whatever device the
user is going to, some browser they're signing in on, has
some minimum security posture. You've strongly authenticated them, you can
wipe data if you need to. And all of these
things might have previously been something that you'd just been like, oh,
(21:46):
that's something that just IT has to deal with for
IT-related reasons, and it's like, you know, actually, these
problems are really deeply central to the security story of
a modern workplace as well.
Speaker 2 (21:59):
To learn more about how the most trusted enterprise browser
can help protect your organization, visit Chrome Enterprise dot Google.
Next time, on Security Bookmarked, I'll talk to Curtis Minder,
a renowned ransomware negotiator, about the security challenges he's tackled
in the manufacturing industry.
Speaker 4 (22:18):
We have been the manufacturer of this particular product for
almost one hundred years, and the way that we manufacture
this product and the materials we use to manufacture this
product are our trade secret. I am concerned that that
information has left the building, and I won't know about
that risk for some time until a competitor of mine
makes the exact same product in five years from now
(22:38):
and puts me out of business.
Speaker 2 (22:40):
Security Bookmarked is a podcast from Bloomberg Media Studios and
Chrome Enterprise. Subscribe in your podcast app so you don't miss
our newest episode. I'm Kate Fazzini. Thanks for listening.