May 13, 2024 • 28 mins

In this episode of Breakfast Bytes with Felicia King, we navigate the complex but crucial realm of cyber security. We explore the emerging menace of supply chain attacks and underscore the vital need for proactive incident response planning. Felicia reveals the staggering average cost of a cyber-attack, per employee and endpoint, and explains why smaller businesses might suffer even greater losses.

King sheds light on the often unnoticed aspect of incident response planning: the critical period between discovering a potential compromise and confirming a successful attack. She also scrutinizes the implications and expenses of in-house response strategies for sizable businesses and outlines how smaller establishments could face heftier costs.

Offering valuable advice, Felicia provides business-centric recommendations on methods of dealing with a reported incident. She addresses important issues such as identifying data breaches and managing downtime during a crisis, stressing the importance of having a contingency plan for extended recovery periods.

Moving on to supply chain risks, King critiques the increasing trend of outsourcing in the IT sector. She cautions against granting upstream providers unrestricted access to systems, noting counterparty risk as an area demanding heightened vigilance. Deeper discussions on access control, audit logs, automated compliance reporting, and other factors in selecting an efficient identity and access management system also unfold.

King further navigates the topic of APIs - the lifeblood of numerous industrial integrations - offering crucial insights into associated risks. She concludes with a call for a mindset shift required to tackle supply chain attacks effectively.

In contemporary threat landscapes, relying solely on the cybersecurity kill chain is a losing battle. This episode underscores the need for encompassing multiple defensive strategies for cybersecurity, such as multi-factor authentication, and conditional access for all accounts. Real-time analytics, endpoint protection strategies, and a zero-trust posture are championed as critical for preventing malicious activities and providing swift threat responses.

We delve into the pros and cons of network layer security, a powerful yet complex technique requiring specific expertise. When appropriately utilized, it presents a scalable solution managing traffic filtering and robust protection from supply chain attacks. The episode concludes with the importance of having a solid incident response plan as a vital proactivity measure in cybersecurity.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
You're listening to Breakfast Bytes, and I'm Felicia King. Today I'm going to
talk about incident response and supply chain attack.
Now, that shouldn't be too scary, but it is.
So supply chain attack has been really taking off as a premier attack method, and I'll explain why.

(00:22):
And in many cases, the supply chain attacks are being effective with a file-less
malware that is loading and residing exclusively in memory using privileged access,
using access that these processes loaded into memory, that they've been legitimately granted.

(00:50):
Because someone allowed the process to be there.
So supply chain attack is probably the biggest problem that's existing right
now because it's being so effective at evading quite a lot of the other security
risk mitigation approaches that have historically been used.

(01:11):
And the importance of this discussion is I want to provoke everyone's mindset
to think about how it is that you're going to harden your environments further.
What can you do? What new paradigm do you have to utilize for this?
And of course, let's start off first with what's actually the risk?

(01:32):
Well, I'm going to draw it out for you.
If you look at just recent statistics about successful attack costs.
So if your organization has been the recipient of a successful attack,
then on average, that cost is $301 per employee or $440 per endpoint.

(01:59):
Now, keep in mind that some organizations may be very tech heavy.
So they may have a lot of employees, but only maybe 30 out of 150 of them are
accessing the computer system.
But they may actually end up having more computer systems than they have employees

(02:21):
that have access to computer systems.
Now this is because in many organizations, they are very tech heavy.
They have specialty business line applications.
So it's important to keep those things in mind as you're thinking about,
Oh, well, how much could this cost my organization?

(02:42):
Now, the other thing I will draw to your attention is that incident response,
even when you have just a perception that something has happened,
so you have, let's say, an indicator of compromise and then you need to respond,
you may not necessarily have a confirmation that that indicator of compromise

(03:11):
has turned into a successful attack.
So you still need to do something about it. You still need to execute your incident response plan.
So first off, I hope you have an incident response plan. So whether or not you have one,
it simply is going to improve your time to execute that response plan effectively.

(03:39):
And the quality of that response.
You could still have an effective response on an ad hoc basis in a small organization,
but it may be difficult to get the parties, get the right parties involved at
the right time in these sorts of things.
So let's just look at what an incident response may look like.

(04:02):
Now, if you have something that's not deemed to be a reportable incident,
then you may decide you're going to respond to that 100% in-house.
You're still probably going to have to dedicate three to four people for multiple
days to just simply go and deal with these indicators of compromise and mitigate

(04:28):
the risk from those things.
So, you know, you do the math on that. You figure three to four people full
time, multiple days doing that. So you've got the opportunity cost of these
people aren't doing the other profitable work in the organization.
They're basically doing exclusively, you know, remediation mitigation work.

(04:50):
So it's very expensive. And I think it ends up being a dollar amount that's
frankly much more expensive.
Than $440 per endpoint. So when you look at those statistics that have been
gathered, those statistics are coming from primarily larger organizations,
so organizations with more than 1,000 employees.

(05:12):
And so for them, $440 per endpoint times 1,000, that gets up there to be quite a lot of money, right?
But in the SMB, I think it has an even more substantial impact because
the dollar amount is still going to be large and the impact is more difficult.

(05:33):
And, you know, it's never going to come at a time when you choose.
You don't get to choose when this happens because it's fundamentally a response
to an indicator of compromise.
So now let's take incident response one step further. Let's say you have a reportable incident.
So I'm not going to spend any time here talking about what the difference between

(05:55):
a reportable and a non-reportable incident is, because that is highly subjective
to the industry that you're in,
the governmental regulations that your business is subject to,
as well as the relationship and terms and conditions of the cyber security insurance that you have.
Okay, that's way outside of the scope of this discussion, and it's highly,

(06:15):
highly specific to your business.
So, let's say as part of your incident response, you determine this is going
to be a reportable incident, you're going to contact your insurance company and.
So now what? Well, more often than not, the cybersecurity insurance company
is going to require you to do certain things.

(06:35):
For example, they may require you to keep all of your systems up and running,
not necessarily connected to the internet, but you can't reboot them and you
can't use them anymore either.
So they've now said you have to take your entire environment and put it in stasis
so that they can bring along their forensic investigators to do a forensic analysis

(07:01):
on the situation that's there.
And they may even be attempting to identify what data was leaked.
And actually, that is a very, very, very crucial component of incident response
is to determine in what data has been breached.

(07:25):
So they may have these requirements upon you.
Now, if they do have those requirements upon you, and you haven't figured out
what this is in advance, and you got a real nasty wake-up call,
because they're probably going to say, look, you know, our incident response
team is going to be there in a week and a half or two weeks.
You can't use your systems in the meantime.
And, you know, you can't even start a recovery, not on that hardware.

(07:49):
Well, so now, what's your option? Well, I guess you better go out and buy
a whole bunch of new computer hardware, and that includes your servers, by the way.
Now, another wake-up call for you is that you can't exactly lay your hot little
hands on computer equipment that quickly.
Sure, maybe some PCs, but not servers necessarily.

(08:10):
So, did your incident response plan have a mechanism whereby you could quickly
bring backups of your servers online in another format?
Something to think about there.
So how long is it going to be before you can have your people working again?

(08:35):
And let's say you're a business that runs payroll for, I mean,
not only your own employees, but let's say you were doing it for customers.
So how long can they tolerate you being down and you not being able to run payroll?
Good question. Something to think about.
So incident response is actually

(08:56):
the having like proactively done incident response planning is the number one
thing statistically proven to reduce the cost of any breach.
And I'm going to say this again because it is critically important that you understand this.

(09:18):
Proactive incident response planning efforts are the number one thing that you
can do to reduce the cost and impact of any breach.
So who's doing them? I hope you are.
I hope you're working on that. I hope you're partnering with your IT service

(09:41):
provider to get that done.
I hope you're having proactive conversations with your insurance company about this.
Okay, now I want to turn and pivot here onto this topic of supply chain risk.
It's a bit of a hot button for me because for years I have been talking about

(10:03):
counterparty risk and have been feeling as though sometimes I'm the only one
in the wilderness talking about counterparty risk.
There is such a penchant by IT service providers to outsource,
outsource, outsource, and to not effectively understand that.

(10:25):
How to vet that counterparty risk. I mean, I think it would be interesting to
do an honest evaluation of how many vendors any particular company is using.
How many vendors are they relying upon for what?
And what access do they have? I mean, these are all part of the things that

(10:47):
you should be doing as part of your incident response planning,
is also evaluating the counterparty risk that's coming from your vendor relationships.
So when we do vendor risk management, planning, counterparty risk assessment,
you know, access control is super, super crucial.

(11:08):
And we just generally do not want to be selecting any technologies that is going
to give anyone delegated administrative rights to anything because ultimately,
you know, we are responsible, and we don't want other fingers in
the pot touching anything.
Now, that's not a prevalent attitude, I think, in our industry.

(11:30):
In our industry, it seems to be a rather prevalent attitude to outsource.
And I think that that needs to be changed. More thought needs to be put into
not outsourcing to other upstream providers and then giving them access.
And then we need to be talking also about role-based access control,

(11:50):
by what mechanisms exist in the system for role-based access control and multi-factor
authentication enforcement,
IP access control restrictions, conditional access, audit logs,
automated compliance reporting.
I mean, I could go on and on, right? These are the things that people need to be thinking about.

(12:12):
Even just simply selecting an identity and access management system,
you know, is it, can you do context-based entitlement to the data?
Can you do classification of data per tenant in a multi-tier,
multi-tenant scenario?
Again, role-based access control, multi-factor authentication enforcement,

(12:33):
force password changes if it's required.
And these are things that you really need to be deeply thinking about.
And if anybody's wanting this list, you can certainly reach out to me.
I'll be happy to get you this list of some of the things that we think about,
which is not exhaustive. If I wrote down an exhaustive, if I actually like provided

(12:54):
an exhaustive list, it would just be ridiculously long.
And much of it is, much of your counterparty risk assessment that you're doing
is very, very uniquely specific to your organization because everybody uses
different technologies.
One of the things that really needs to be much more deeply paid attention to

(13:17):
is APIs, so Application Programming Interfaces, so API integrations and API access.
The lack of IP access control restrictions for API integrations is rather disappointing,
yet many systems don't have them.
And there's a huge push in the industry for all of these integrations to be occurring.

(13:41):
So people are hooking up all these API integrations and not really understanding
what all it's going to end up doing and what the risk is from that integration.
So before you do hook those things up, then you better do a serious evaluation of that risk.
Okay, I'm going to move on to these supply chain attacks in a deeper level,

(14:06):
because it's going to cause a mandatory shift in paradigm.
And it's necessary. It's absolutely necessary.
The threat landscape nowadays is such that anyone who is still using exclusively
the cybersecurity kill chain,
and if they're not doing it at a deeply technical enough layer,

(14:31):
which I will say a cybersecurity kill chain is still a very,
very critically important approach.
It's not the only component of the approach, but even in the context of the
cybersecurity kill chain,
I think it's important that we get into some specificities about particular
strategies that need to be changed in your paradigm. So let's get into that.

(14:56):
I think 2021 is going to be the year that any account that doesn't have multi-factor
authentication on it is going to be compromised.
You've just got to have multi-factor authentication because the potential for
a credential to get compromised is high.

(15:17):
That's just what it is. And when you consider that if you do have a credential compromise,
then how many of your credentials have gotten compromised simultaneously,
and can you actually assess the extent of those?
So just simply having a strategy that says, I'm going to go around,

(15:41):
I'm going to change passwords.
By itself, that's not really something that you can execute in a timely fashion
with 100% certainty that you've closed the barn door on that.
What you can do is take an approach that says, we're just going to proactively
use multi-factor authentication on everything.
And we're going to use conditional access and IP access control restrictions

(16:06):
on everything as much proactively as possible.
Now, not all systems support everything, and not all scenarios are going to
have the same context, meaning you can't use the same MFA solution or strategy for everything.
So there's definitely some brainstorming and strategy that you have to do here.

(16:27):
I would absolutely not recommend trying to do this on your own unless you're an IT security expert.
Now, if you are an IT security expert, then it's your role to sit down with
your customer base and get them to get this deployed and to do it in a way that
it increases end user awareness simultaneously.
So commonalities that have been recently seen in attacks are just,

(16:50):
of course, these weak credentials. That's number one.
And then there's outdated and unpatched operating systems and applications.
And I'm not going to beat on the dead stick on this one here,
because I just recently did a podcast on the entire topic of patch management.
I just, I'm not going to go through that again.
Then the next commonality seen in the attack is a lack of advanced detection

(17:13):
technologies that aren't enabled, and misconfigurations and unsecured devices.
Okay, so this goes to that whole thing that yes, the cybersecurity kill chain
is still a valid approach, but not in its entirety.
You need to have a lot of endpoint protection strategies, a lot of picking up

(17:35):
of those events, sending those events, sending that telemetry data someplace
to be analyzed for artificial intelligence,
integrated real-time analytics,
looking for indicators of compromise,
patterns of attack, and then kicking off as close to real time as possible alarms

(17:57):
to the NOC and SOC analysts.
And couple this with the requirement to have a zero trust posture now.
So that zero trust posture says, you know, here's this thing that's trying to execute.
We're not going to like download and execute and then scan it later.
No, no, no. We're just going to block it until we've really scanned it and really deeply analyzed it.

(18:21):
And I've talked before about how you have to have this zero trust posture, zero trust framework.
So now I'm going to get into what is actually an incredibly effective technique,
but very hard to achieve because it's very complex and it requires an incredible

(18:42):
amount of skill to execute, but it's totally possible to do.
And it's not bad to maintain it once you've got it put in place.
And I think a bit of a problem is if an organization says,
you know, look, we know and we understand how effective network layer security is as a strategy,

(19:04):
but then we think that we're going to manage it with in-house assets and you
don't happen to have a network security architect on staff,
then that's not a sustainable model.
I don't think it's a realistic expectation to think that your internal IT
manager is going to be able to effectively maintain this configuration because

(19:27):
we're talking about incredibly complex proxying,
very, very complex and specific change control that has to be done.
Very granular application control, tiered access control methodologies.
Security zone creations at the network layer.

(19:48):
You have to classify all your devices and then create a security profile for those.
And you're literally handling the traffic filtering for those devices at multiple
layers simultaneously as part of that process.
That hierarchy through which the traffic needs to pass and the methods by which

(20:11):
that traffic is being analyzed.
You know, there is no one approach here that's going to work.
So for years, I've talked about micro segmentation as a strategy and it is very, very effective.
So let's talk about this and how it relates to the supply chain attack. Okay.

(20:31):
SolarWinds and some other supply chain attacks, this is basically how they've
worked, where the baddies had compromised an upgrade file at the software vendor.
So then customers of that software go out and they grab that update.
And then, so they're downloading that update and they're putting it on their servers.

(20:55):
And then they install the update. More often than not, these supply chain attacks
are not utilizing malicious EXEs.
They're utilizing a hacked DLL that then, once it loads into memory,

(21:16):
it starts an egress, meaning an outbound connection, to its payload.
And then it downloads this payload, and then it starts to do nasty things.
So, you know, we already talked about the counterparty risk management,
supply chain management, looking into your vendors' practices as to,

(21:37):
you know, what they're doing in order to protect those updates from being malicious code included.
That's one thing. But at the network layer security method here,
if you have a
security posture for that server or these groups of servers that literally restricts

(22:01):
the ability for that server to talk to anything external other than some very
explicitly defined resources,
then most likely that supply chain attack will be foiled.
The payload will not be able to be downloaded.

(22:25):
The malicious memory resident DLL will attempt to make an outbound connection
to something that the network layer security does not allow it to connect to.
And one of the reasons why network layer security is so effective is because
it has a tremendous amount of scale.

(22:47):
I mean, if you had 50 servers and you have a single network layer security solution.
Then you get all the economies of scale from that.
You're managing network layer security in this one system, and it's scaling
out for these 50 servers.
But it's also that if there is something malicious on that endpoint,

(23:08):
on that particular server, that is able to successfully defeat endpoint protection,
or let's say it's able to effectively defeat the firewall rules that are on
that particular endpoint.
It has no ability to go and modify

(23:29):
the ACLs at the network layer or to disable the security scanning apparatus
that is applied to those packets as they traverse through the network.
And if you are combining these rules with an alarming notification system saying

(23:59):
like, look, when this thing happens,
then that's something that we want to have some artificial intelligence see
if that's happening in a correlated event with something else.
Or we want to flag that as maybe a medium-grade alarm for the
SOC analysts to take a look at, you know, whatever it is that you're doing,

(24:21):
you know, maybe on some of these special assets, you want to utilize a level
of heightened awareness.
And that would be a good call. I mean, you're, again, we go down to this topic
of classification of devices.
The rules that you're going to apply to the accounting PCs are going

(24:43):
to be different than the marketing PCs.
And this also means end user training where, you know, the marketing person
can't be doing banking from, you know, they can't be like, oh,
well, you know, the marketing person and the banking person are all the same.
And they're going to just do this all from, you know, the computer that has the marketing profile.

(25:04):
Because inherently, a marketing person is going to feel that they need access
to a lot of sketchy things, Facebook being one of them.
Can't tell you how many alarms we see on a daily basis associated with malware

(25:25):
URLs being hosted on Facebook.
I mean, we're literally talking about thousands of interactions that are being blocked.
And it's like, if you want to get hacked, go look at Facebook,
go right ahead and do it because there's so much malware that's being hosted

(25:46):
through there. It's pretty outrageous.
So, clearly, if you have that data,
you should know that you shouldn't be attempting to do your online banking from
a computer that is being allowed to talk to these marketing-related resources.
And the same thing applies to your servers.

(26:09):
You're going to have a different security profile for something that's an application
server, potentially, versus something that's like a domain controller or an
identity and access management system or a SQL server.
I mean, that SQL Server may be in its own little enclave.
And then you may have additional encryption technologies on top of that.

(26:31):
That's like in stasis data at rest encryption.
You may have specialized encryption at the communications layer,
at the traffic layer as well.
So I want to make sure that you understand here.
That it's critical that you define and classify these resources according to

(26:57):
the security profile that they should have at the network layer,
and then go extremely granular at that network layer in terms of the security rules.
End users will most likely find it irritating and frustrating initially,
and it is critical

(27:18):
that executive management supports this
initiative, and if you are
a business decision maker, please understand that if you don't take this approach
on a proactive basis, you're literally talking about a business destroying event
that could have been prevented. You know,

(27:43):
and if you think you're not the target of the attack, think again.
Just absolutely, you've got to rethink that again. And if you don't have an
IT service provider that has the capability to execute on these things,
even just coming up with these strategies and talking to you about them.

(28:04):
If they say, oh, we outsource our SOC, that's kind of a bit of a question mark
for me, because if they're outsourcing their SOC, then how is that SOC supposed
to actually know what alarms are legit and not?
I mean, I don't find that an outsourceable component.
And if anybody's interested in having that conversation with me,

(28:26):
please reach out to me and we can set up a time to have that discussion.
So that's it for today's show. I hope it has provoked some thoughts
and it will, at a minimum, cause you to go work on your incident response plan.