Panel Discussion held at Cyber Security Summit – Atlanta – 2022
As we adapt to the new normal in the wake of the COVID-19 pandemic, some businesses have returned to the office while many continue to work from home or are shifting to a hybrid workforce. Regardless of where your team is in today's flexible work culture, it's important to make sure your data is secure.
This panel discusses the various factors that contribute to the increase in threats facing the remote and hybrid workforce and the solutions needed to stay secure. Our lineup of industry experts offers their insight and explores best practices on how businesses and their IT security teams should address risks such as ransomware, insider threat, phishing, unsecured devices and lack of training.
Mari Galloway (00:11):
Welcome to the Atlanta Cybersecurity Summit. This panel is talking about securing the hybrid and remote workforce. I'm Mari Galloway. I am the CEO and a founding board member for the Women's Society of Cyberjutsu, a 501(c)(3) national non-profit providing hands-on training to women and girls looking to enter and advance in cybersecurity. I'm also a sales engineer for a major cybersecurity company. So happy to be here with this great panel of folks today. So we're going to start with Tony to give introductions of who he is.
Tony Goulding (00:41):
Thanks, Mari. Yes, my name's Tony Goulding. I'm a Cybersecurity Evangelist, although my real day job is I'm a senior director of technical product marketing for Delinea. And I've been in the space for more years than I care to divulge, but I'm looking weather-beaten and worn, but it's an exciting time to be in security, that's for sure. So I'm happy to be here and looking forward to the discourse.
Mari Galloway (01:05):
Awesome. Welcome Tony. Jasmine.
Jasmine Henry (01:08):
Thank you, Mari. I am Jasmine Henry. I am field security director at JupiterOne. I’ve accidentally spent my career at cloud native startups and I’m a big fan of graphs.
James Christiansen (01:22):
Hey everybody. I'm James Christiansen. I'm vice president and CSO here at Netskope, 25 years plus in security leadership. Started out at Visa as our first chief security officer, on to General Motors as the worldwide CSO, and then experience. So a lot of different roles, as leading new security organizations is my favorite, and really excited about our panel today.
Mari Galloway (01:47):
Welcome. We are too happy to have you here, David.
David Anteliz (01:51):
Yeah. Hey everybody. Good afternoon. David Anteliz here, technical director here at Skybox Security. I've been in the industry roughly about 30 years or so. I started working on cell phones way back with Motorola on the first flip phone. I was actually a quality assurance engineer back in the day. So morphed my way.
Tony Goulding (02:09):
Loved that phone.
David Anteliz (02:10):
So I’m excited to be here, happy to be joining this exciting panel and talking about security.
Mari Galloway (02:16):
Awesome. Welcome. I used to have one of those Motorola phones too. Den.
Den Jones (02:21):
Hi folks. Den Jones, chief security officer at Banyan Security, and I joined there in December. So I joined the dark side, prior to that not being a vendor. Prior to that, I worked for Cisco and Adobe, where I ran enterprise security in both companies. And yeah, I'm a big fan of the flip phone, and I may look a little younger, but I've been in this industry for about 30 years as well. So I got some scars along the way. So great panel, great discussion. So looking forward to it.
Mari Galloway (02:50):
Welcome. Happy to have you and last, but certainly not least Jose.
Jose Barajas (02:55):
Hi everyone. My name is Jose Barajas. I'm the global director of sales engineering here at AttackIQ. So I do have sales in my title, but I also lead the research on behalf of the company with the MITRE Engenuity group. In my background prior to AttackIQ, I spent 10 years reverse engineering malware, developing sandboxing technology, doing ML/AI stuff with CNNs before it was cool. That's my background. So highly technical and looking forward to contributing to today's discussion.
Mari Galloway (03:25):
Awesome. So this is going to be an awesome panel. So I'm really excited. So let's just jump right in. So David, let's start with you. As more employers and employees are choosing to be remote over returning to the office, how can organizations go about quantifying the risk this poses?
David Anteliz (03:39):
Yeah, so definitely the new paradigm has basically introduced a lot of different threat factors and a lot of surface area for the bad guys to attack. And some of the things I think that I've seen in the industry, or companies as a whole, is that when rushing to get those remote people on there or those remote services turned on, there may not have been all of the blocking and tackling in terms of being able to secure the environments appropriately, or taking into consideration some of the nuances such as home networks, et cetera. So I think they need to take a step back and take a look and have a little bit of introspection and be able to understand what was actually put in place. What did we just go and do to ourselves?
David Anteliz (04:21):
And how did we expand that landscape? Because ultimately, if you don't understand, you know what you don't know. And then if you don't actually tackle these things head on and just hope that they go away, it grows like the princess and the pea: the problem just keeps stacking and stacking and stacking, and you never get to revisiting your security, your networking, your cloud. You never get back to that because you continue to try to bolt on new products, new solutions, in hopes that you get back to addressing the original problem. And in this case we just added a whole lot of new infrastructure and we're not entirely sure what we just did to the overall state, whether it be compliance or policy management, et cetera.
Mari Galloway (05:04):
Okay. Jose, what are your thoughts on that?
Jose Barajas (05:10):
Yeah, I think adding to what David said, I think rule number one is let's keep the business going. So I think a lot of people rolled out a lot of VPNs because now everyone was working from home, and what we found, from my perspective, which is testing that their controls are working, we found a lot of folks that made a lot of assumptions about their deployments, expectations that certain VPNs are going to be filtered just like the corporate network. And that simply wasn't the case. On top of that, the home network complexity as well, I think, was a difficult thing for folks to manage.
Jose Barajas (05:43):
I think it's been a difficult task to keep the business afloat. I think now we've had plenty of time, though, to go back and look at the strategies that we've applied while rushing through things and think about how do we actually manage this going forward, because this isn't going away. Even if you're asking your employee to go back to the office, they don't want to go back to the office. They want to spend three out of the five days of the week at home. And what this means is, as security operators, we need to consider that as a new norm and think about that infrastructure just like we think about the interior today.
James Christiansen (06:22):
Yeah, no, great question. As we think about it here for a second, our security architectures, our IT architectures were built on a premise that we had people in the office and data in our data centers, and we know that whole paradigm is changing, and how it changes really affects how we need to look going forward, as we move to cloud, we move to remote workers. When you asked about how do we quantify the risk: risk management is usually a function of likelihood and the business impact of a breach. And it's very difficult. It's more of an art than a science when you start quantifying it. But I always look at what I call the three Rs. When I go into and I start at a new organization, the first thing I want to know is what makes this revenue? What makes us rich?
James Christiansen (07:09):
So how do we gain revenue? Is it customers? The process? What is it? What would ruin us? Is it IP leakage? Is it customer data leakage? What would ruin us as an organization? And then thirdly, what regulations do we need to comply with? Because that'll help inform how I want to manage the risk going forward and finding that balance. It's not risk elimination, it's risk management. And making sure you're aligned with the culture of your company is so important. I've seen CSOs that are good people that just go head to head with the culture and they don't last very long. You've got to understand the culture you're working in and try to make sure you are matching that culture. And then gaining visibility is the first thing you're going to do. We'll probably talk about that more later, adaptive trust. But for now I'll leave it there. Mari, we'll get into more as we go.
Mari Galloway (07:57):
Awesome. Great point. So back to you, Jose. You mentioned something about folks going back to the office. So what can be done to avoid employees bringing bad cybersecurity habits back into the office space when they go back?
Jose Barajas (08:10):
Yeah. As you ask that question, I'm thinking of people having a password on a sticky note on their computer. And I think something as simple as that are the things that, through training and other mechanisms, you remind folks about why it's important to not do that, talking about the risk and the impact. That's very low when you're at home. No one's going into your home office, but at the office there's a lot more people that are going through there. So the things that you might have slipped on are simply not going to be okay to do in the office.
Jose Barajas (08:40):
I think just refreshing that training, reminding folks why it's important. And what I found is when we did training for our team recently, the training that we picked, a lot of it really focused on why it impacts you directly as well. Not just the business, but why these practices should be had regardless of whether you want to protect the company or not, because it impacts you. So I think training, training, training, but at the same time making it so that the folks understand that this is important for them in their daily lives, not just specific to the organization, is what I found got the most positive feedback amongst our team here.
Tony Goulding (09:15):
Yeah. I'd like to make a point, if I may just jump in. At home, my wife has become my CSO. Just so everybody knows, she's always slapping me down for doing bad things. But I think a couple of points I want to raise. One is basic cyber hygiene, security hygiene, is more important than ever. I mean, I'm a vendor and I'd love to sell product, but at the end of the day, cyber hygiene, basic blocking and tackling, it's so important, especially with so many more people remote. But one of the things that we found with our customers over the last couple of years is the acceleration of cloud migration projects. So projects that were maybe planned for two or three years down the line were suddenly rapidly accelerated in order to accommodate this new dynamic.
Tony Goulding (09:57):
And the result of that is more risk because more people are putting stuff into cloud and maybe they haven’t quite assessed the risk or the new dynamics or the nuances of new use cases that need to be accommodated. How do I take my security on premises and lift and shift and also apply it to what I have in the cloud. Does it even apply? Is it legacy software that just is not designed and architected for this type of hybrid model? So I think that’s also introduced a lot of risk into the equation. That’s certainly what we’re hearing from our customers.
Den Jones (10:28):
Yeah. And Tony, I mean, if you don't mind, I'll jump in. So it's funny, because everything I heard so far, 110% agree, and I love the three Rs as well. That for me is brilliant.
Tony Goulding (10:37):
Yeah, that was good. I’ll remember that.
Den Jones (10:38):
Yeah. In 2018 though, I worked at Adobe, we ran enterprise security, and this is before COVID, and the one thing our team really started to think of was the number of users already working remote and the number of apps already in the cloud. And that was not slowing down any. We instantly said, well, wait a minute, we need to shift and think of a new way to secure the environment. And we did not think about it as a Zero-Trust Enterprise Network, or ZEN, thing. And ironically enough, we finished it before COVID, so by the time everyone went to work from home, we'd already assumed the networks were dodgy. We didn't trust them. We'd already assumed everyone was working from home. We assumed that although they weren't; we're like, let's do that anyway. And I think when you get into the mindset, and I do agree the training angle to this is vitally important, but when you get into the mindset, assume everyone's working from home and accessing apps that are always anywhere, your users shouldn't worry about where do they work, and they shouldn't worry about where the apps are.
Den Jones (11:41):
Where's the data? Who cares. They shouldn't care about it. And I think when we're training people in the future to move forward, it's we don't care where you are. You shouldn't care where the apps are. We're going to secure the transport end to end. And you shouldn't even care about that either. And I think, Jose, going back to your point on the training, I wanted to shift this years ago. I was at DEF CON and I heard someone make this speech about training. And instantly it's: no one gives a crap about your corporate training. Train people as if they care about their bank account, their social media and their kids. Everything you train them there, they will bring back to work, and that will protect your data. If you try and tell them, let's protect our data, they're like, I don't care. I'm getting a paycheck.
Den Jones (12:26):
Let me go home and make sure the money's in the bank. And they don't think about protecting their bank account. So MFA: use MFA on your bank accounts. If not, do you not like your money? If you don't like your money [inaudible 00:12:39]. Let's assume you like your money. [inaudible 00:12:42] MFA on the go. And the minute they realize what MFA is, they'll bring it back. All these points I think are brilliant. And I think we're in a slow shift right now where we need to, as an organization, understand, or our customers understand, the dynamic has changed. It's work from anywhere to anywhere. And then the training needs to adjust to go along with it. And so does compliance. A lot of the compliancies that we're up against, they're asking for really outdated practices, and even that needs to adjust.
Jasmine Henry (13:17):
Oh, well, I feel like I'm in the presence of greatness. There's been so many fantastic points made. I mean, I think to Tony's point, there was really a dramatic shift at the beginning of COVID in how quickly businesses work. There's these new expectations that in the past, deploying a remote payment app, a telehealth app, may have been an 18 to 24 month innovation cycle. Today those projects are compressed into weeks. And there's some really great research from Harvard Business Review Analytics that this is the new normal. We are never going back. And actually, to Den's point, the way that businesses are enabling developers to hit new use cases, new markets, new customers overnight is they're creating these self-service platforms to really simplify the process of innovating quickly, and maybe developers don't need to make every decision.
Jasmine Henry (14:06):
And I think that's the mindset we need in security: really embedding security into process and meeting folks where they are, so that security decisions are always, always the easiest decision. It shouldn't ever be extra work. It should be there in their workflow. In terms of bad habits, I think that the question really needs to be reversed: how can CSOs enable the business, enable business workflows? I think, especially in today's job market where talented employees have a lot of choice in how and where they work, we need to make their jobs easy. These are our customers, our internal customers, and our job is to enable them.
Mari Galloway (14:50):
Great points. Great points. Tony, what are your thoughts? What should we put in place to help this whole situation?
Tony Goulding (14:59):
So obviously, I'm a vendor. We provide software to help protect against data breaches and ransomware attacks. So there's a human element, obviously, and we've skated around that pond to a certain degree. And I liked what Den was saying about teaching people how to fish, almost. It's like being sensitive to your own data, and then maybe you'll bring those good best practices into the organization. From a software perspective, again, I guess like Banyan, we have embraced the concept of a Zero-Trust approach to trying to mitigate the risk of falling foul of some of these attacks. And Zero-Trust has had a lot of airplay, and it's not a product. It's a philosophy, it's an approach. It's a set of best practices, but aligning our product to the principles of Zero-Trust has gained us a lot of attention, a lot of traction, certainly in our customer base, but it's very, very simple. I mean, it's not rocket science.
Tony Goulding (15:54):
I mean, at the end of the day, a ransomware attack, for example, either a human initiating it or some automation, some bots that are trying to move laterally from server to server to encrypt data, they can't do anything unless they get elevated rights. And to be honest, privileged accounts with full rights are the bane of all of us; we'd love to eliminate them. In the event that we can't, we want to take them away from people who historically we've implicitly trusted with those accounts, because again, they're human beings and they're fallible. So we want to start from a perspective of taking away those rights, bringing everybody down to an untrusted level, a least-privileged level basically, and only granting privileges just in time when the need arises, for a limited time, allowing them to perform their activities.
Tony Goulding (16:43):
Let's say off the back of a help desk ticket that's asking them to perform something with privilege, giving them those rights on an as-needed basis, maybe through a workflow where somebody is approving that activity, but then taking those rights away so that the risk profile is always low. You're reducing them down to a level of least privilege for everyday functions. And those privileged accounts that you can't eliminate, you stick them in a vault and you let the dust gather on them. You don't allow people to access those unless it's an absolute emergency. So from a software perspective, we advocate the principles of Zero-Trust, and of course the executive order from Biden in May of last year was also advocating that type of approach to security: really taking away that implicit trust that we've always given to people and continuously evaluating what their rights are, what they should be allowed to do, and trying to govern according to that type of principle.
Mari Galloway (17:41):
Great points. So you mentioned multifactor authentication. Den, we're going to come to you on this one. So does multifactor authentication eliminate the risk posed by employees using their personal devices for work?
Tony Goulding (17:56):
It helps. [crosstalk 00:17:56].
Den Jones (17:58):
Yeah. And it's funny, because what Tony's talking about, when I was at Adobe selling a vision of Zero-Trust to the executives, and I hate that term really, because this was 2018. So I feel like I'm the one band that came up with a decent album, and then five years later you're playing the same [inaudible 00:18:17].
Den Jones (18:17):
And all I'm doing is I'm repeating the same songs. And rather than getting bogged down on the term, it's really outcomes. So there's outcomes. So MFA is, for me, table stakes of protecting your data. When I'm going to authenticate, MFA, and not SMS MFA: the verifies, and those guys, the push ones. They're awesome. But that doesn't tell you what the device is that you're on. It just tells you that the user is more likely the user. But we were doing analytics and some security intelligence in both Adobe and Cisco as part of our whole program, and we were determining that there's still people in that audience of a hundred thousand people that click the verify even though it wasn't them that was actually trying to log in. So we know bad actors can instantiate and force a user to stupidly click a button.
Den Jones (19:12):
The next thing for us is device posture. I want to make sure that the devices you're coming from meet a minimum bar. So during the authentication, in both installs, we divert authentication traffic to do a posture check of a device, and all I'm checking for is: does it have malware protection on it? Is it [crosstalk 00:19:34]? Is it patched? I mean, we're not talking about rocket science, but we are talking about, let's do a couple of tweaks and changes along the way so that authentication isn't just logging in with my username and password. Because when that's compromised, or when your device is compromised, if you've got five devices, I don't want to whack your account and prevent you from working on the other four devices. Let me look at the device that's compromised and then deal with that. So I think MFA, it's table stakes, but we need to go beyond MFA.
Mari Galloway (20:09):
Jose, what are your thoughts on that?
Jose Barajas (20:12):
Yeah, the thought that comes to me is, earlier I believe that Jasmine mentioned needing to establish a process, and I think that's exactly right. Make it easy for folks to do the right thing is what I found has worked out really well for us. For example, an application getting set up: we'll just use usernames and passwords, multifactor authentication, we'll figure out the permissions later, and that never happens. So I think my advice for folks is take the time to slow down, get those components right, so that going forward people are actually doing the right thing without having to think about it. And one example that I found in my organization: the first few times that happened, the developers quickly realized that if we set up Okta full SSO on their phone, they have a little popup, they hit yes.
Jose Barajas (20:55):
They don't have to go grab a number, type out the number, or have to deal with any of that stuff. And what that's caused is, we're like, hmm, let me make sure I set that up, because I don't want to get that MFA. I don't want to copy over the number. And that's just a good example of how you set them up for success to begin with. You're making their lives easier, which means, people want to have an easier life, so they're going to gravitate towards that naturally. That's what I've found. So those are the thoughts and feedback that I have based on the conversation so far.
Den Jones (21:21):
Yeah. Jose, we've done the same thing at Adobe. We've done a self-service portal using APIs going to Okta so that our engineers and anyone launching an application could do that. We ended up with 3,000 apps that are Okta-enabled. So I mean, it's crazy if you make it self-service.
Mari Galloway (21:40):
I love Okta. Just going to say that now. So much easier for me to just click the button, but Tony, any thoughts on this?
Tony Goulding (21:47):
That's funny. I mean, you mentioned it's just easier for you to click the button. I mean, I was going to comment on the fact that again, from a software perspective, we're trying to secure access to stuff, but I think one of the key things today is just not getting in the way. To a large degree, one of the things we're trying to focus on is automation, trying to do things behind the scenes, not get in the way, not cause friction. Especially in environments that a lot of our customers have, DevOps. They're developing up in the cloud, and the DevOps folks will sidestep stuff. They will find a way of bypassing if it impacts their agility. And so I think a modern approach to security, irrespective of what layer of the stack you are working on, is to get out of the way; it's to automate, it's to remove that friction.
Tony Goulding (22:35):
And coming back to MFA. Don't do MFA if you don't have to. To Den's point, if you're using AI, you're using behavioral analytics to look at the user and say, is this within the normal behavioral profile of that user that's been established over time? Single sign-on. If not, then okay, maybe we do MFA. If it's worse than that, then maybe block them and get somebody to investigate. But if at all possible, step out of the way. Do your job, step out of the way, do it in the background and reduce that friction.
Den Jones (23:05):
Yeah. And Tony, we built a security intelligence team at both Cisco and Adobe, and that was the whole goal of that team. If you think about it, a lot of accounts can't use MFA. So if they can't use MFA, but they're generic or system accounts, they're usually always following the same pattern. They're going from one device to another device, and that very rarely changes. The minute you see that deviation, then you say, hey, I got a problem over here. Getting out of the way is absolutely our job. I mean, they're meant to do their job without being slowed down. We're meant to secure that workflow.
James Christiansen (23:41):
I was thinking, as you talked, Den and Tony, about the term Zero-Trust, and I don't like that term either, because every time I go to a board or an executive team and I talk about Zero-Trust, they look at me and go, oh, he's just a security guy. He doesn't trust anyone.
Tony Goulding (23:56):
Don’t trust the security guy.
James Christiansen (23:57):
It's really changed, from a strategic perspective, from Zero-Trust, where it was really brought out when we had people start working remotely, to a more continuous adaptive trust. And let me illustrate; you actually jumped on a couple of those points. We can now, in a transaction, in real time, see the device is a secure device, is a known device, not unknown. We can understand the application they're using: is it a high-risk application, a low-risk application? We can look at the location. Where is it coming to and from? Where's the data going to and from? Is that a high-risk area that it is flowing to? We can look at the user behavior, if they've been behaving normally, and we can look at the data context; we can actually see if it's sensitive data or not. Are they going to ESPN?
James Christiansen (24:41):
Yeah. Don't care. Are they moving our board minutes somewhere? I care a lot. And then we can look also at the authentication level, and what we can do with all this is we can adapt that trust. We can be more adaptive. We can say, hey, they're going to ESPN, don't care. Don't need single sign-on or MFA. Hey, they're going to go access our corporate OneDrive, the board minutes. That's okay. But now they're on their iPad; I want to actually restrict that access. I will let them edit it, but I won't let them download it. So being adaptive is really about enabling our business to do things we never could before. I would've had to deny that, and now I can enable it. And that's what I think we need to focus on as the security practitioners.
Tony Goulding (25:24):
Yeah. I agree with that.
Mari Galloway (25:24):
Awesome. Great conversation around that. So let's switch gears a little bit. Let's talk about insider threats. So most insider threats are actually non-malicious. How can employers effectively educate their employees on good cyber hygiene to minimize the risk from non-malicious employees who may be vulnerable to cyber attacks? Let's start with Jasmine.
Jasmine Henry (25:46):
Sorry. I really had trouble getting to the mute button there. That's a great question. And I think that I have different opinions on a lot of these topics, which is okay. And I think the two biggest things are: be transparent with your people, and also understand your own impact and your role in the process. I've been in the position before in my career where I'm at a company that's growing, and it's grown from 20 employees to 200. And you have to look into putting additional controls into place as a company grows, and I have been very transparent with my people. I've had security office hours: you can come see what I can see in my EDR solution. Be very transparent about what data you're collecting and why, and really work to foster trust with your folks.
Jasmine Henry (26:34):
And that can really, I think, I mean, it improves everything if there's a sane relationship with security, but it also mitigates some risk of people trying to go around controls, break controls, be sneaky, because I think that's where a lot of inadvertent error comes in. And so the second point: understand your impact. James gave a great example of going to espn.com, which recently, it's been March Madness. If you've got ESPN filtered in your acceptable use policy, people are going to go to sketchier websites that are more likely to have malware. Do you really care if people are Googling Britney Spears on the clock, if it makes them more productive? Probably not. Just be reasonable, let people be people, and be transparent about what you're doing, just keep them secure, and why.
Mari Galloway (27:26):
David, what are your thoughts on that?
David Anteliz (27:28):
Yeah, I look at it a little bit from the context of consistency, in delivering a consistent message to your employees, because oftentimes I think we confuse the people that we work with, or the people that we take to protect, with differing messages. So we come across, this is what we're going to be working on, these phishing activities or this type of training on the security side. And then we change gears because we've heard, or there's some new process or new solution that comes out, and we're trying to gear ourselves towards that. And then ultimately we never get to where we really want to be. And that's to truly, effectively change the hearts and minds of those that are tasked with using the system and making sure that they're engaging in healthy habits security-wise. Now, also understanding internally, where can you go from place to place, access control?
David Anteliz (28:19):
Again, getting back to Zero-Trust, understanding point A to point B: should that be allowed? Should that not be allowed? Who has access to that? As we move to the cloud, that's expanded the perimeter in and of itself. What is the new perimeter? It can be anything. It can be somebody's home router or their laptop at home, or Joey's Xbox at home, because it's attached to the same network. So those are the new paradigms that we're having to deal with. And it all comes down to how can we secure the access that we can't control, whether it is in the cloud. We put a lot of it on the cloud providers there to provide that level of security, but the onus also falls on the individual user, as well as the company that's tasked with deploying that for the customer. So I think there's a lot of different facets in which we have to look at and have, again, introspection on to truly understand who has access to what, at what levels, and what is that level of privilege.
Mari Galloway (29:18):
Awesome. Jose, do you have any thoughts on that?
Jose Barajas (29:22):
Yeah, I think I definitely agree with what David said there. I say that all the time: the perimeter is dead. And what that means is that's just not enough. We need to make sure that everything past that is working. So I think that's the first step. I think the other thing too, James earlier mentioned we have so much data at our disposal, so much context. Let's leverage it, let's use it. We know exactly where they are. We know their network history and that it was the same person browsing the same thing. So therefore we can trust that person, versus maybe impossible travel, which is a very simple rule that we can add, but it's a great way of preventing things. So I definitely want to double click on those. I think I like those too. Something else that I've done in my career is we do a threat of the day.
Jose Barajas (30:06):
Threatoftheday@company.com, and start building a sense of competitiveness amongst your organization. Now folks, for example, apparently our CEO has way too much time on his hands and he's sending malware to our teams, asking for their phone numbers and to call them. Those are the things that everyone forwards to threat of the day now. They post it on Slack, they post it on Teams and they're like, hey guys, I just noticed this, let's be vigilant. Let's watch out. So building that culture, building that competitiveness, and at the end of the month we say, hey, so and so, you submitted the most threats this month. And that's just a way of getting everyone continuously engaged, continuously communicating. So there's a lot of things that we can do that are not highly technical, to James's example earlier, that are still going to be very effective for us as an organization.
David Anteliz (30:51):
And if I may add one thing on top of what Jose just said. We, as an industry, have made things clandestine, black ops, secretive, and we've made it murky to even talk about security at that level. So they believe that it's mysticism or some type of sorcery that is actually occurring in the back end, when the reality is it's a simple approach, and to your point, all those different types of controls would fall into play and make a difference, I would think.
Mari Galloway (31:22):
They probably would. James.
James Christiansen (31:24):
Yeah. As you think about starting an insider risk program, let's take it from that perspective. First thing I'm going to tell everyone out there is you need to create a culture. We'll talk about process and technology. I mean, we could literally do the whole seminar on just insider threat and go through case studies, et cetera. But you look at it, culture's the most important. Do you create a culture where people feel empowered, and rightfully so, to report something that doesn't look right? That they're not going to get somebody in trouble, or that they can say, hey, this just looks a little weird. I've run investigations for all the companies I mentioned earlier; the biggest events I ever managed were insider threat events, all of those, and the millions and millions I spent on IPS, IDS, everything else didn't spot them.
James Christiansen (32:12):
It was an employee that saw something that didn't look right, in a number of these cases. And I think that's the first thing, create that culture, then put guardrails around the folks and make sure they're trained, of course. Training's important, but real time training, not the stuff we do annually. Like as they're doing something risky, there are now technologies where you can actually say, hey, what you're about to do is high risk. Here's a better way to do it. That's the way to actually train people, give them that moment of education they're truly applying. And then of course, now we'll get more to the technical side, having a methodology and a framework like a FAIR or ISO 3001, or COVID, pick your standard, pick your framework, but then put it together and use that now to do a kill chain analysis.
James Christiansen (32:58):
Everyone should be doing kill chain analysis out there and saying, in these malicious and non-malicious insiders, where do I have my control points? Where can I spot it? Where can I prevent it? And man, you've got to get visibility first in this hybrid cloud environment. If you don't have visibility, if you can't see it, you're not going to be able to prevent it, you're not able to manage it. And it will happen all the time. People trying to do the right thing, just doing it a wrong way, is your biggest malicious insider. That's where you need those guardrails. Culture first, right?
Tony Goulding (33:30):
Yeah, exactly. No, I agree with that. I will switch gears slightly, more onto the technical things. One of the observations that I've had with customers that I talk to is rule and policy fatigue. So for a whole variety of reasons, I mean, a lot of security solutions rely on static rules and policies that you have to craft and maintain over time in order to do the right thing, make the right access control decisions. And a lot of IT departments don't have the time or the desire, or even the smarts, to understand what rules and policies do I need to craft in order to mitigate the risks associated with my particular IP, or my business, or whatever it is.
Tony Goulding (34:13):
Going back to, again, not wanting to belabor the point, but AI and behavioral analysis can help with the insider threat there, because arguably those insiders, they know their way around. They know how to bypass things. They know where things live. They can be very much harder to detect, going back to what James was saying. So the use of behavioral artificial intelligence or machine learning, or whatever, can, as a non-static, rule-based approach to looking at the behavior of the user and seeing if it's anomalous, help detect insider threats, as well as the hygiene that we were just discussing.
Mari Galloway (34:49):
Love it. Perfect. Love the answers, love this discussion. David, did you want to say anything else about how companies can get started with insider threat programs?
David Anteliz (34:58):
I think, really important, just reach out, talk to somebody. A lot of times I think people or organizations become stagnant or afraid to ask, just because of whatever, whether we're too proud to beg, too proud to ask.
Tony Goulding (35:12):
Too proud to beg.
David Anteliz (35:14):
I mean, just have a conversation, reach out to a peer, reach out to somebody. If you don't know how to get started, there are plenty of organizations that are experts in this field that can walk you through and become thought leaders for you, and actually have that conversation and understand this is what you're trying to accomplish. Or these are the goals that you're trying to achieve as an organization. How do we protect the revenue? How do we protect the assets and the intellectual property? Those are the things that sometimes they don't want to release. They don't want to share that info, but you should, and you should be a little bit more open with that process. And then just go ahead and ask. It's not just reading magazines or publications, but it is having that person to person conversation, at least with somebody who has already done that journey.
Tony Goulding (35:58):
Yeah. If I might interject here, just another brief interjection, one of many. I worked at a company where we actually recruited employees who themselves had been hacked and fallen foul to phishing attacks. And they became internal advocates. Because very often I think, as individual employees, we may be reluctant to reach up or sideways to other parts of the organization to get advice or to alert, or whatever it happens to be. But if you've got somebody sitting next to you who you know has fallen foul of this, they can be an advocate. They can guide you. You're more likely to say, "Hey, what do you think about this?" kind of thing. And that worked very well as part of that cyber hygiene and educating people, and getting people who are motivated, because they've been subject to this before, they've fallen foul of this before, to be an advocate and help their peers overcome these challenges.
Mari Galloway (36:48):
That’s a great suggestion and a great point. I’m going to have to take that back to work. All right, we have time for one more question and this one’s more about infrastructure and how to determine which company data and infrastructure is the most important to protect and who should have access to that data? Jasmine.
Jasmine Henry (37:06):
Sure. Is that privileged access management as well?
Jasmine Henry (37:11):
Oh wait, sorry.
Jasmine Henry (37:13):
I see it now. Yep. So sensitive items. So this is a challenging one, because the correct answer is that sensitive critical assets should be tagged at the time they're created. Enforcing that in practice is extremely difficult. And I think I've mentioned to you before, Mari, that I have sat there and tagged critical assets in my security systems, which is such a time consuming manual pain, it's unreal. So I think that making it easy for developers to tag critical assets at the time that they are created, so that you don't have to tag things within your security systems. And then just also automating asset inventory. In today's world, the entire asset life cycle can happen without somebody manually touching it. We're not manually deploying laptops anymore. We're auto scaling. So I think that we need completely automated asset discovery so that we can understand what we have and then protect it.
Mari Galloway (38:15):
Awesome. Tagging is fun. Not. James, what are your thoughts?
James Christiansen (38:20):
Yeah, you're looking at this, we talked a little bit earlier, I think, about the golden nuggets and knowing where your data is as you're trying to manage risk. As you're thinking about this new hybrid environment we're in, yeah, we're going to be that way for a while. I'm hoping the rest of my career, because I want to work that much longer. We'll be in hybrid mode. So as you start to think about how you're going to manage this, we've talked about Zero-Trust, or what I term adaptive trust. But if you haven't looked at secure service edge, or SSE as part of Gartner, it's an architecture. It's not a product, but it's a platform consolidation. And it has a lot of really attractive elements from the security perspective, or the practitioner's. It's consolidation of those platforms down to a single platform, configurations. They tend to be the number one breach, just somebody misconfigured; that's because we've made it so complex.
James Christiansen (39:09):
In 25 years I've installed about 700 different security solutions at this point. Well, now we've got to move away from that, now we're going to need to consolidate them, we'll get better operations. We'll get reduced complexity and reduced cost of doing these things. That's where we're bringing in the VPNs, next generation VPN; we can't do appliances. We can't scale them. We can't move quick enough. We can't be agile. So we go to the next generation and go more private apps type processes. I think that'll really happen. And I see it happening all the time. In fact, that whole project's probably the number one; as I'm talking to CSOs across the nation, the number one thing they're looking at is how do I do cloud transformation and how do I bring an adaptive trust process into this overall architecture. Does that make sense, you guys?
Den Jones (39:59):
Yeah. So it's funny, as you're saying that, James, I'm like, yeah. This actually all goes back to the industry, where there's so many vendors trying to sell you their next best widget. And the reality is there's a couple of themes here: as Jasmine talks about transparency, as we talk about simplicity, and we talk about the culture of the organization, the problem is all we're trying to do is protect some data. But at the end of it, we start saying, okay, we need 5,000 widgets and different things, and this and this and this and this, and what's the next fancy fad out there that everyone should adopt.
Den Jones (40:35):
You end up with more tools and technologies than you have people in your security team. Things become more complex. You're following more frameworks and more regulations and more and more and more and more of that. And your users can't keep up with all the policies we're throwing at them. You got to do this, you got to do that. So I think as we're moving forward as an industry, really getting down to some really simple, simple things. So we're trying to look at the infrastructure, the environments. I even say, like someone said to me, oh, you can't do Zero-Trust until you do asset management. And I'm like, what are you talking about?
Den Jones (41:07):
What do you mean? Think of even asset management, there's two classes of assets. There's this stuff that the end users are using to access the data you're trying to protect. And there's this stuff that we're using to run our business, to enable services and protect the data. The back end stuff, we should have had that asset management nailed years ago. You build computer infrastructure, record the thing. The other stuff, all the stuff that we're trying to, like the wild west and the endpoints, people should do something better when they're doing the authentication. So we're not letting assets authenticate. And actually, as they are authenticating, record the asset, and back to Jasmine's point, be really transparent on what is it we're recording about you and about the asset. We were doing insider threat stuff and all of this in my days in Adobe, and different regulations around the world require different levels of things to be told to the users in different countries. In France and Germany, what you share with them about what you're recording is really, really important.
Den Jones (42:11):
So when I think of infrastructure, I break it into two classes in the world, with all the wild west of the endpoints. And how do we record that? And then there's the back end stuff that we really should have a better story about. Sadly, we don't. I've spoken to many people that still struggle to do asset management there too. I look at this like it's within their grasp to use the data that we've got. And again, I'll go back to security intelligence. It's our number one thing that I think the industry fails to really use to our infinite wisdom, because we gather so much log information that we only use it when shit hits the fan. And it's like, come on, guys, let's jump in and use it upfront. Let's use it to our advantage.
Mari Galloway (42:56):
Awesome. Thank you. So we are at time. So I want to get everybody's final thoughts on the panel today, which you want to share out to the world. Jose, you're up first.
Jose Barajas (43:08):
Yeah, I think a lot of the stuff that we brought up is basics. I think in sports, they always make us practice the basics. And I think before we get to the latest and greatest technology, let's make sure that stuff is working. I think that's my feedback to the folks. And from my perspective, just like we're unit and regression testing our application capabilities to make sure that they're functioning, we should be doing the same for our cybersecurity controls. That's what I'll leave the folks with.
David Anteliz (43:34):
Yeah. I would say understand your landscape, have some visibility, try to obtain some visibility on how things are traversing through the environment and what actually we have. To Den's point, asset management, being able to have a repository of that information on what and who is communicating to what on the back end. And then on the user side, how are those devices being used? What is on them? What vulnerabilities perhaps might exist on them? And then be able to correlate against each other so that we have a fuller understanding, holistically, of how that traffic is traversing and what's being protected, or not, for that matter.
Jasmine Henry (44:12):
I’m grateful to be here. I think that the people in the room give me hope for the future. I’m hearing a lot about a more people focused future of security, where security enables the business. We’re not the department of no anymore. We are meeting people where they are and putting security into their workflow so that they can experience a more seamless, simple approach to security.
Mari Galloway (44:34):
Awesome. Thank you. So thank you all for joining us today. We hope that you had an enjoyable time. Please visit everyone at their booths today and have the conversation continue. Enjoy the rest of the conference.
Tony Goulding (44:48):
Thanks everybody, been a pleasure.