The Prescience Challenge in Cybersecurity [PART 1] - Ep. 126

The next two weeks we catch up with SC Media Editor-in-Chief Jill Aitoro for a two-part discussion on the latest hot cybersecurity news drivers, such as the continuing Microsoft Exchange hacker feeding frenzy and the continuing discoveries from the SolarWinds supply chain attack. Both raise more questions than answers about how we collectively solve for these security challenges, including pathways such as legal requirements for notifications (whom do you notify, and who is notified first), security ratings systems for software suppliers and businesses, and managing such a system on a global scale across organizations small and large. We also explore the role of superadmins, and where the line of offensive strategies against nation-state attackers should be drawn for enterprises.

In celebration of March 2021 as Women’s History Month, we discuss the path forward for enabling future female business leaders in security, and the power of mentoring and advocacy for the upcoming generation of diverse leaders and thinkers across the industry, to solve what is admittedly one of the most significant challenges of the modern era: cybersecurity.

Jill Aitoro - Editorial Director, CyberRisk Alliance

Episode Table of Contents

  • [00:39] In the Trenches of Journalism and Prescience
  • [06:47] The Prescience of Breach Notification and Information Sharing
  • [14:25] The Concept of a Rating System For Software
  • [23:16] The Prescience of the Zero Trust Philosophy
  • About Our Guest

In the Trenches of Journalism and Prescience

Rachael: We've got Jill Aitoro from SC Media, Editor-in-Chief, and Editorial Director at Cyber Risk Alliance. She's been so deep in the trenches of journalism across government defense, security tech, you name it. I am so excited to have you here today.

Jill: I'm so happy to be here. Thank you so much for that very warm introduction.

Eric: Good morning, Jill. You're the most well-rounded on cybersecurity.

Jill: We need to know just enough about a lot of different things.

Eric: I've always found that journalists have this holistic perspective. If you're on the vendor side or you're on the government or the user side, you're biased. But journalists have the best picture I've found in our time on the podcast and meeting with you.

Jill: I think the effort is always to try to speak to all the different players in a situation to get the full story. So I know that's what we make the attempt to do in all cases. I'm hoping we're pretty successful most of the time.

Rachael: Absolutely. We want to kick off with the hot news of the moment, Microsoft? You found this fantastic quote that Jill had included in her article on December 22nd. It’s about the SolarWinds attack, from Kevin Mandia.

Eric: You interviewed Kevin Mandia, "If your supply chain is compromised, so are you. Since the networks so often get connected." That was in response to an article on the 22nd of December. Let me call it a UNC2452 or Holiday Bear as that was happening or not happening, but we knew about it.

Nothing Has Changed

Eric: FireEye did their disclosure, Microsoft was engaged. Everybody's starting to shut things down. We know what's going on. But as Rachael let the cat out of the bag a second ago, that’s actually a quote from eight years ago.

Jill: Nothing's changed. When everything was going on with SolarWinds and FireEye for that matter, Kevin Mandia was out there chatting about this. He was talking about it, being very transparent, credit to them for that. I recalled immediately that I had interviewed them. At that point they had released a big report.

Jill: If I'm remembering correctly, China had infiltrated our networks and it was a massive report, got a lot of attention. It rang so familiar and it was all about the supply chain. It’s about the risks that are tied to partnerships in small and medium businesses. I went back and found the article, because I couldn't remember it entirely.

Jill: I was working in Washington Business Journal at the time. It could have been pulled in place in all of the reporting we were doing now. I did obviously, but it is amazing. So much has not evolved. I think as far as maybe we all hoped it would have by now.

Eric: I too find myself going back and looking at things I wrote years ago. You high-level what you wrote, but you don't remember all the details. Then you read and you’re like, "Oh yeah." And then you put yourself in the current day and it's like, "Wow. I could publish this today. It still applies."

Jill: I know in that particular story you're making reference to, there's terrific work being done and has been for the last eight years and beyond.

We’re Not Getting at the Solutions

Jill: But, I do think that there's a tendency for us to talk about the problem. This could happen and we keep talking about it. Whether or not we're getting at the solutions to be able to prevent those, that's a lot harder to do. We all talked a moment ago, a catastrophe happens and then you'll say, "Oh, okay. Here we are." And you need to act.

Eric: I would argue, we don't talk about the problem, we talk about the events. We talk about the circumstances. We're alluding to the Microsoft Exchange vulnerabilities that were announced. We speak very clearly and sometimes openly about the events, but we don't talk about the real problem.

Eric: As my friend Dimitrio Petrovich would say, we have a China, Russia, Iran, and North Korea problem. We don't have a cyber problem. So we don't talk about deterrence. These attacks just keep happening. And as we were saying, it's been a rough couple of months or years.

Jill: It's been a really rough couple of months. There's a lot now and maybe that's promising of discussion of what needs to happen. Now, the big question is, will it move beyond discussion of what we should do to actually doing something? There are lots of opinions on the idea of breached notification and disclosure.

Jill: That's been emerging quite a bit on the Hill. It came up in the hearings that involved SolarWinds and FireEye. Interestingly it got general endorsement from industry as well in terms of needing to notify the government when a breach occurs. But with a lot of caveats of, "Well, this could be hard on small businesses, so maybe they don't have to do it."

The Prescience of Breach Notification and Information Sharing

Jill: What about liability? The government needs to make sure that companies are going to be held liable for these things. Those are very important questions. But they're the same questions that have been brought up repeatedly when we talk about breach notification and information sharing.

Jill: With these philosophical issues and challenges, we need to figure out how to compromise. And to move forward in a way that everyone is comfortable with, or else we're just going to be talking about them again in five, eight, 10 years.

Eric: We have to make the topics of priority. We've got to get to a compromise, get to a resolution of, "This is what we're going to do."

Jill: "This is what we're going to do." Maybe it's the law they're talking about. We're also hearing a tie to Microsoft. There was some reporting out of the Wall Street Journal. Apparently, they are hearing that Microsoft thinks that this latest hack had to do with information being leaked. That’s part of their disclosures to partners.

Jill: I wonder if Microsoft or companies like it are going to clamp down and are they no longer going to share as much information? Is that what the results should be? We all talk about the importance of threat Intel sharing and so forth. So the knee-jerk reactions aren't helpful either I would argue.

Jill: There needs to be a comprehensive plan for how to get ahead of these situations. It needs to involve industry, the government, and the Intel community beyond Congress. They need to get together and understand what needs to happen. So there will be more productive progress in terms of how we're dealing with all these.

The Prescience of the Constituents About Vulnerabilities

Eric: Jill's referring to a March 13th Wall Street Journal article. It came out on a Saturday. They basically pre-briefed certain constituents about vulnerabilities. It got out because if the actor is Chinese or of Chinese origin as everybody is stating, it is on the Exchange breach. That has impacted hundreds of thousands of Exchange servers or customers.

Eric: The adversary basically went berserk and just started putting back doors into businesses. Just going wild, really irresponsibly. Probably I'll put a dollar down that somebody let it out and the adversary heard about that. It was on some forum, somebody talked to somebody.

Rachael: They would have to. Before that patch happened, they were anticipating or preceding the patch. All of the feeding frenzy started happening. How about that when they did it out of cycle as well? Their Patch Tuesday was out of cycle.

Rachael: Something's going on that is very suspect and the aggression here. I keep saying feeding frenzy, but that's what it feels like just piranhas just agagagaga.

Jill: There were surges of attacks. There's been talk of automation. Probably, it also happened that they utilize automation in terms of their approach and techniques.

Jill: It’s interesting too because it's sometimes deemed as less sophisticated to utilize an automated approach in attacks. But when you combine it with the more people-focused approach, it has this mass scope. We saw that potentially happens.

Eric: We saw on Holiday Bear, reportedly about the Russians. But the adversary was very clean. They cleaned up after themselves, they moved, they removed as much evidence as possible. Then we see in the recent Microsoft attacks of early March here. I think it was March 2nd.

Multiple Web Shells on the Same Vulnerable Systems

Eric: Somebody found out and the adversary reportedly the Chinese basically installed web shell back doors to give them remote control. In some cases I saw there were multiple web shells on the same vulnerable systems.

Eric: So I agree, I think it was automated. Machine learning, AI, whatever systems they were using to just blast it out recklessly. It's a very different approach from a likely, very different adversary.

Jill: In fact it seems that Microsoft's patch was after almost the phase one, if we want to call it that way. They announced the patch. Then there was this window of opportunity before everybody applied that. That secondary attacker came in and did a surge, but it was different than what has been seen before. It's still funny.

Eric: And the brazenness. But once again, what are the consequences? What do we do? Hundreds of thousands of organizations have this issue. Most don't even know if they have the issue.

Jill: Microsoft keeps saying it. I don't know what else they can do. Prioritize this patch, do it now. Do it now. They made it available. The entire version that is no longer supported by Exchange. They're saying, "We're even going to allow it for you. Here, do it. Just to get it under control." But even that I sometimes question. I don't know what the solution is.

Jill: But the fact that we rely so much on patch management to squash some of these situations from really getting out of control. That's a challenge too, because you get to the small, medium businesses, not to pinpoint them, but they have fewer resources.

The Prescience of What You Need to Look for in Your Systems

Jill: They are sometimes challenged in making sense of all the intelligence coming out of industry. It's hard to rely on that. You talked about something, the Microsoft situation, but even SolarWinds. It really went well beyond SolarWinds. As we know, there were other attacks.

Jill: Making sense of all that intelligence and knowing what you need to look for in your systems. That's the whole nature of the supply chain risk. It's difficult to pinpoint and know what the solution is there. How companies can get out the solutions for their own enterprise for their own organization. That is a challenge.

Eric: I think there isn't a fix, but I think it needs to be at a higher level. If I equate software, it's made by people. People make mistakes. Equate it to the automotive industry. Cars are made by people. We still have recalls, we still have things that break. That's going to happen.

Eric: How do you handle it? What do you do? Is there a better way to protect ourselves though? Because people make mistakes, vulnerabilities will exist and people have ill intentions. Some people do and they will try to exploit those mistakes. So what do we do about it?

Eric: How do we take it to a higher level so we're better prepared, so we do something? Because the average CISO, IT administrator, InfoSec person, what does she do in her role to say, "Okay, I did my best today to protect this organization, this agency, this business, my home." It's a hard problem.

The Concept of a Rating System for Software

Jill: There's this new, I think it was the Biden administration. It's been brought up by the Cybersecurity Solarium as well. There’s this concept of a rating system for software. It has been coming up, it was likened by the administration to restaurant ABCDEF. Well, restaurant rating.

Eric: The grading system almost whether food quality. Cleanliness.

Rachael: Credit score.

Jill: Whether it took that form or it took some other sort of rating for software, that's coming out as a suggestion. But then you also worry in terms of, who's going to establish those? Is it fair to the company necessarily?

Jill: That could make or break the success of a company if for whatever reason they landed at a C. It's just how that would actually get executed is tricky.

Eric: We're kind of getting that. With CMMC, we're almost getting to a rating system because there are assessors, FedRAMP. On the government side, I would point to those two areas as places where the government is actually almost launching a rating system.

Jill: Does it need to extend to industry and to commercial software? That's hard. I think most would say, "Oh we couldn't go later."

Eric: Costly. How do you enforce that? If you go back to the rating system for restaurant examples they're done at the state and local level. There are no federal ratings. So how do you do that? And then how do you audit a Microsoft? Microsoft's been beaten up pretty badly here with Holiday Bear and this latest attack right on Exchange. But the attack surface is so vast.

Comparing the System of a Qualified Rating System for Microsoft

Jill: How can you compare it to a system of a qualified rating system for something like Microsoft? Is it the same system that would be applied to a small little piece of software?

Eric: Like an Intuit Tax Software or something. This is where the journalist in you will come out because you've got that holistic approach. What if we give Microsoft a D minus. What are you going to do about it? It's Microsoft.

Jill: We had this conversation at our meeting this morning. How can you take this software that has so much scope, so much code at the core? And how can you do an analysis? These fundamental technologies, what do they even mean anymore? Is everyone going to rip out software from their systems because they didn't get a B or higher?

Jill: It's really hard to understand how that would actually function or work. Was it like a good housekeeper badge of approval? "Hey, this is what we got, but I know how to make it so it means anything."

Jill: Or so that it would have stopped the SolarWinds or stopped the Microsoft situation currently. I don't know if putting something like that in place would have actually made a difference.

Eric: Exchange was used in Sunburst, Exchange was used to exfil data. It wasn't even a vulnerability in that case, they were using the tools against them. Maybe if you secure all the boundaries, you secure all the supply chain efforts, you secure the cloud since you're not in the boundaries and all the mobile endpoints, somehow, you get the users to do all the right things.

People Don’t Have a Prescience of What Is in Their Network

Jill: It's after all of the other theories that got in there before you did those things and are just linked.

Eric: Let's look at Sunburst or the new Microsoft Exchange breach. Most people don't even know what is in their network right now.

Jill: In their network, connected to them.

Eric: I want to be careful here. We're getting a lot of interest from a technology perspective now that the horse has left the barn to use that phrase. Organizations are calling us saying, "Hey, we don't want this to happen again." It wasn't catastrophic but after Sunburst, we need to talk about this now.

Eric: Things we had been working as a vendor on for three, five years, there's somewhat of a catalyst. I have a lot of customers who really can't answer the question.

Eric: I've yet to see a government agency answer the question about, "Are their networks clear? What did the adversary access, what did they do? Where are they? What have we done to remediate? Are we confident that we don't have any adversarial efforts or activity on our networks?

Jill: No one's saying that.

Eric: "Are we comfortable?" "We're good." They can't.

Jill: All they're saying is, "We haven't found anything as concrete." But that doesn't necessarily mean anything in the long-term. So it is incredibly risky. To your point it's almost unfortunate. Right now, companies are raising their hand and saying, "Okay, we get it. What do we need to do? Tell us what we need to do right now."

Eric: There's no good answer.

Almost a Cultural Shift

Jill: The answer is so difficult. This is why I think about that conversation with Kevin Mandia eight years ago. It didn't necessarily result in this huge impact. There are all these hands that raised and say, "Oh, we got to do something about it." Because the answer is not always clear or it's different for every organization, it's very complicated.

Jill: They shrink back after a little while or they do something that maybe is a bare minimum. They're like, "Okay." Then we move on. We're never going to have all the answers. It's not like we can suddenly say, "Oh, we got to get better. That way we can answer that question definitively for every organization." It's never going to happen.

Jill: It's almost a cultural shift that needs to happen in terms of companies, enterprises. Small to large understanding that this needs to be a more active interaction with the vendor community and with the government. To understand where their vulnerabilities are and evolve with the threats. I don't know whether the resources are even available for enterprises to be doing that.

Eric: I'm going to go back to physical security for a moment. If we go back a hundred years, we wouldn't have all these gates and security cameras. Every alarm system and everything which we have now because time has progressed. Do you think we'll see the same type of evolution in tech, in InfoSec? We'll become more aware of generational change.

Rachael: Are we kind of getting there, multi-factor authentication? I feel like everything from people subscribing online to logging in at work, we all have this crazy amount of multifactor authentication. Heaven forbid I don't have my phone with me to be able to hit that little code.

The Prescience Challenge on the Zero Trust Philosophy

Rachael: I feel like we're getting there. It's also incredibly frustrating at least when I'm wearing my consumer, I'm a super lazy human being hat and there are always workarounds. I am not going to lie. When I'm at work, and I find a workaround, I shouldn't say this out loud. I'm like, "Woo. Yeah, I got my work done. I found a way to do it fast."

Jill: That's a problem too, and with physical security, it's pretty black and white. You say, "Okay, we don't want to let people in. So we're going to put up a gate and we're going to monitor everybody that walks in and out." With IT, the big challenge is, we want to close it up some of the time to some people. But not everybody.

Jill: We want to have this particular company able to have access to this specific information. But not that company and not that either. There's so much complexity. Not that I call physical security simple. We've seen that in recent months even, but it's complicated.

Jill: We're still figuring it out. It wasn't that long ago that everything was endpoint security. Now the Zero Trust philosophy is really taking hold. They need to be working in conjunction with one another. Figuring out how to execute on that is a big challenge.

The Prescience of a Hybrid Cloud Environment

Eric: I wouldn't say the analogy falls apart entirely, but it definitely is as we're going through digital transformation. We're saying we want to open things up, make them more accessible. At the same time we want to secure them and lock them down. If you have a bank, all the security you have is to protect the bank. You let customers in, but it doesn't quite hold up.

Jill: Plus you on top of it, incorporate something like a file competing where your data resides. How it transitioned in a hybrid cloud environment and so forth. It requires different security parameters to be put in place. So, it's challenging. The march forward in technology always brings with it new security considerations. That's why year after year and decade after decade, there's always going to be something to talk about.

Rachael: With that, we're going to pause today's episode of To The Point, with SC Media Editor-in-Chief Jill Aitoro. Please be sure to come back when we pick up part two with Jill; you won't want to miss it. Until then, see you next time.