Interviews | July 5, 2019

Good Relationship With Cloud Providers Essential to Enterprise Security

Wendy Nather
Head of Advisory CISOs, Duo Security


Q1. Wendy, what can CISOs do to become more effective in their roles these days? What are some of the things they should avoid doing when communicating with management and business on cyber risk?

Being more effective in the CISO role these days means upping your social engineering game—and by that, I mean influencing people and negotiating. The security team used to be seen as a control organization: "We make the policy, and we enforce it." But what works better is when the security team acts as a service organization: "How can we help you meet your security goals?" Security has to become more collaborative, as the organization loses direct control over where its users, endpoints and applications are located, as well as who manages them. When a user can be anywhere geographically and has a personal device rather than a corporate-owned one, you have to focus on what you can still control from the enterprise side.

This collaboration has to take place both internally, with your management and business units, as well as externally, as organizations rely more on third-party providers. A lot of security and risk management today involves procurement and contract processes. CISOs have to be able to influence the entire lifecycle of a business relationship, from the requirements collection through RFPs, subscriptions, upgrades, incident management, and even contract termination.

When CISOs are communicating with management and the business on cyber risk, it's important to avoid binary thinking and technical jargon. The most common disconnect I see between CISOs and business leadership is estimating the probability of a cyber attack. They might agree on the potential impact, such as a certain magnitude of financial loss, but they won't agree on how likely it is to happen. This is what leads to arguments over budget and timelines; the business won't spend money to prevent something it doesn't think will happen. It's important for the CISO to understand the business point of view and take into account not just cyber security risk, but the rest of the business risks, when bringing proposals to the boardroom table.

Q2. What do organizations need to understand about the zero-trust model? What are some of the questions they should be asking when starting on the journey to zero-trust?

The most important thing to understand about the zero-trust model is that it's just that: a way of thinking, a design pattern, a concept. It's not a specific technology or product. If you decided by default not to trust anything that wants to connect to your resources, what would you need to establish in order to trust a user, a device, or a workload enough to grant that access? The new perimeter is any place where you make that access control decision, and it's going to vary based on your environment, the sensitivity of your data, and the span of control you have.

When you're thinking about your workforce, you'll need to verify users through multi-factor authentication and check that the devices they're using are secured, even if you don't manage those devices directly. When you're thinking about workloads, either in the cloud or in your data center, you need to make sure they're connecting securely using encryption, and only allowing access between processes and applications that actually need to talk to one another. When it comes to the IoT and other devices in your workplace, you need to control their access to the network and make sure that they are segmented appropriately.

Some of the questions that CISOs should be asking themselves are:

  • How are we verifying users today, and how frequently do we need to re-establish that trust?
  • How do we know what devices our workforce is using to access our data, and what do we know about the security state and management of those devices?
  • What assumptions have we been making by default about the location and trustworthiness of users and their devices, and do we need to revisit those assumptions? For example, do we rely on an IP address and assume a user is coming from an office location? Do we automatically assume everything on our corporate network is secure?
  • Do we have good visibility into what applications we run, and how they communicate with one another? How could we spot unauthorized access?
  • Do we know what Internet-enabled devices we have in the workplace (such as HVAC systems, manufacturing, video conferencing, badge readers, cameras, medical equipment, etc.)? Who manages their connectivity, and are those connections authenticated?
  • What technologies do we already use for security controls that could be enhanced to require more verification in a zero-trust model?

Q3. What is Duo Security's focus at Black Hat USA 2019? What can attendees expect to hear from your company at the event?

Zero Trust has become an industry buzzword, but it's an approach Duo has been advocating since launching the first commercial implementation of Google's BeyondCorp security model in 2016. It ties back to Duo's longstanding mission of democratizing security. Security shouldn't be expensive or mind-numbingly complicated. Basic security hygiene, such as MFA is extremely effective in reducing the #1 cause of breach: stolen credentials.

Duo will be talking about how to address the largest component of a zero trust strategy: securing the workforce. Establishing trust for every access request from employees, contractors, partners and their devices - whether they are personal or corporate-owned. This can be done quickly and easily using MFA with custom policies - without getting in users' ways. Security must be easy and not require a privacy trade-off. A security product only works if people actually use it.

In addition, Duo is well represented at Black Hat with earned briefings on application and chip security as well as on building a diverse team:

  • Shifting Knowledge Left: Keeping up with Modern Application Security
  • Inside the Apple T2
  • Woke Hiring Won't Save Us: An Actionable Approach to Diversity Hiring and Retention

Austin Murphy
Vice President - Managed Services


Q1. You talked recently about organizations having to deal with not just a cybersecurity skills gap but also a capacity gap. What exactly is the distinction between the two and why does it matter to organizations?

Correct, I don't think that attackers are smarter than defenders, nor do I think they work harder. However, they do have an asymmetrical advantage in that they can leverage the same attack patterns against many organizations, and each of those organizations traditionally have to defend themselves individually. There are not enough trained, experienced defenders to address problems effectively for all organizations working independently. In addition, incident handlers' skills age and atrophy very quickly if they don't get continuous exposure to the latest threats as they are evolving. This is why we recommend that organizations consider partnering with service providers for components of their information security program. There are many parts of a comprehensive program that inherently need to be done in-house, such as security architecture design, user awareness training, and threat/vulnerability management. These components require cross-functional integration with other areas of business and are better executed on in-house. Other areas such as threat monitoring, incident handling and tactical remediation can be done more effectively by [using] an outsourced provider with specific focus on those disciplines.

Q2. How has the use of managed services providers by enterprise organizations evolved in recent years? What's your advice to organizations on how to optimally use MSPs to improve security capabilities?

CrowdStrike has observed that in the past Managed Service Providers were used to address regulatory compliance requirements for 24x7 monitoring, and to essentially filter out the noise. Many MSPs have had a slide in their pitch deck showing how they filter thousands of individual alerts and identified only a few — critical issues the customer needed to focus on. This approach may satisfy regulatory compliance, but historically it has not offered much real risk reduction and still leaves the organization responsible for investigating and remediating issues themselves. Also, by filtering out and ignoring lower severity events, they are missing the opportunity to address threats before they become critical issues.

As reported in the CrowdStrike Global Threat Report, there is increasing collaboration between eCrime actors. One example of this collaboration is that botnet managers, who previously monetized their attacks through fraudulently simulating clicks on advertising content — known as click-fraud — have begun offering to sell their access to other crime groups that focus on ransomware. This means that a low-threat click-fraud malware infection could be ignored for several weeks and then suddenly be used to deploy ransomware and cripple IT operations for a company. We are observing leading service providers increase the scope of their responsibilities to include containment and custom prevention countermeasures designed to increase the speed at which they disrupt an attack, providing a greater level of security. The best providers in this space are now offering not only containment and prevention, but also remote remediation. The CrowdStrike Falcon Complete team remotely remediates thousands of low-level compromises every month, which stops commodity incidents from erupting into breaches and reduces the strain on IT operations teams that no longer need to constantly reimage infected devices.

Q3. From a managed services standpoint, what are CrowdSrike's plans at Black Hat USA 2019? What's your main messaging going to be at the event?

CrowdStrike will be discussing our Falcon Complete product module at the booth, at this year's event. Falcon Complete is CrowdStrike's most comprehensive product bundle—providing endpoint protection delivered as-a-service and backed by a breach prevention warranty of up to $1M. This product offering exemplifies a core CrowdStrike message that the Falcon platform unifies the technologies, intelligence and expertise required to successfully stop breaches. We know that when dealing with attackers, every minute counts, so come join us at booth #904 and see how CrowdStrike Falcon platform technology, driven by CCFA/CCFR certified experts, delivers the performance required to outpace the adversary.

Timothy Wilson
Co-Founder and Editor-in-Chief

Dark Reading

Q1. From your vantage point as the editor-in-chief of Dark Reading what were some of the most notable developments/changes in the cybersecurity industry over the past year?

Although many new threats have emerged in the past year — and some are definitely serious — I think the biggest shift is what's happening in the enterprise and in the datacenter. There is a wholesale shift toward the cloud happening, and it necessarily changes the way security professionals think and work. The old school thinking about creating a defensible "enterprise network" is rapidly being replaced by the need to develop a security strategy that extends across cloud service providers as well as software-as-a-service and cloud applications.

For the security team, these cloud environments represent an entirely new way of thinking. For one thing, there's no easy way to guarantee visibility into all the data you might need in order to diagnose security problems. You can only see what the service provider allows you to see, which in some cases is fairly limited. If there's an incident or a breach, it's not just your team that has to respond — you must rely on your cloud service provider to work with you on incident response. A good relationship with your cloud services providers is essential to the security of the entire enterprise. You're relying on them to provide visibility into the security data you need, and to be a good partner if an issue occurs.

Cloud security also requires a completely different mindset, and it can be difficult to master for those who have been doing traditional perimeter-based, on-premises security for many years. In the cloud, boundaries are drawn very differently — not only in the enterprise, but between applications and data. You can set up multiple accounts or instances for different applications, and vary the rules of each to help maximize security. You're not creating a single enterprise security policy — you're creating many policies for many applications and sets of data, and counting on your service provider to help you enforce them. It's a completely different way of thinking, and those who try their old, on-premises security policies and practices to new cloud environments are missing out on the value and potential of cloud services.

Of course, that's just one of the shifts we've been seeing in the data center and the security department. But it's a good example of how things are changing. Whether it's mobile networking, supply chain security, or the Internet of Things, security pros are increasingly finding that the things they are responsible for securing are increasingly outside their sphere of control. Today's security teams aren't trying to build walls and defend them. They're trying to build visibility and policies that extend across a wide range of networks and computing environments.

Q2. How have expectations for cybersecurity news reporting and analysis changed in the years since Dark Reading first launched? What do your readers want and expect from you these days?

When Dark Reading launched in 2006, the laws requiring companies to report security breaches were just starting to go into effect. In those early days, it could be difficult to find news because breaches weren't broadly reported. And security researchers weren't the rock stars they are today — many were working in obscurity.

I think the value that Dark Reading has provided to the industry — and this is mainly through the effort of Kelly Jackson Higgins, our executive editor and top reporter — is that we've helped bring security research to light. Vulnerability research has evolved to be both critical and cool, and we've had a chance to bear witness to that evolution. Our reporting also has helped enterprises to see that they aren't the only ones experiencing breaches — we report on at least one or two doozies every day. Breaches can happen to any organization, and the only way this industry can get better is to acknowledge failure and share what we've learned. Security pros are still reluctant to share those experiences, but it's a lot better today than when we first started.

In 13 years, Dark Reading has gone from startup website to the industry's most known cybersecurity news site. We've gone from two people to a whole team that not only writes news but also produces research, webinars, ezines, and both virtual and live events. But we're not stopping there. On July 8, we launched a new, features-oriented section called The Edge, which provides a different perspective on security reporting. The Edge is a platform for the Dark Reading team to publish in-depth features, trend stories, and expert-written content that aren't available in our main news section. You can think of The Edge as an analog to the Sunday magazine in your local daily newspaper — it's a vehicle to publish features, perspective, and entertaining copy that the daily staff doesn't have time to produce. We hope it will give security professionals some help in learning about best practices as well as emerging threats and technology trends.

Q3. What are Dark Reading's plans at Black Hat USA 2019? What do you wanted attendees to know about your publication and brand?

At this year's Black Hat USA, as in past years, Dark Reading's most visible contribution will be the live Dark Reading News Desk, which will be physically located at the entrance to the exhibit floor. The Dark Reading News Desk provides hours of live coverage of the show, streamed across the Web, so that both attendees and non-attendees can get some insight on the important vulnerabilities that are being disclosed at the show. Hosted by Dark Reading senior editor Sara Peters, the News Desk offers interviews with top speakers and technology providers and provides insight on the news being broken during Black Hat USA week. It's definitely something that security pros will want to check out, especially if they can't be at Black Hat USA.

In addition, Dark Reading does more coverage of Black Hat than any other publication on the Web. Last year, we wrote more than 40 stories around the show, recognizing that virtually every Briefings and Arsenal presentation is breaking news — we're learning about new vulnerabilities, threats, and tools that we didn't know about before. From a news perspective, Black Hat USA is the biggest event of the security industry's year, so we do everything we can to cover it. We even publish a special, daily newsletter for show attendees and Dark Reading subscribers so that you can get a recap of what's happening every day of the show.

Finally, through partnerships with the Black Hat team, Dark Reading is fortunate to be able to participate in the conference program itself. Dark Reading editors will moderate four different sessions during the show, including two in the Sponsored Workshops environment and two in Innovation City. We'll participate in the annual Black Hat CISO Summit. And we'll show some of the first fruits of our growing partnership with research and consulting firm Ovum, which began when Informa LLC acquired Dark Reading's parent company last year.

Sustaining Partners