
Solution Spotlight: Rebuilding trust in the wake of tech calamities. [Special Edition]

Nov 10, 2024 · 27 min · Season 8 · Ep. 79

Episode description

In this special edition of our podcast, Simone Petrella sits down with cybersecurity luminary Alex Stamos, Chief Information Security Officer at SentinelOne, to delve into one of the most challenging years in tech history. 2024 has seen unprecedented breaches of multinational corporations, high-stakes attacks from state actors, massive data leaks, and the largest global IT failure on record. As both a seasoned security executive and respected thought leader, Stamos offers a firsthand perspective on how the security landscape is evolving under these pressures. In this exclusive keynote discussion, Stamos draws from his extensive experience to share hard-won lessons from the upheavals of 2024, discussing how companies can build, and rebuild, trust amidst this environment of constant threat. What new responsibilities do organizations have to their customers, employees, shareholders, and society? And what major shifts can we expect across cybersecurity and IT practices in response to these cascading challenges? Tune in for a deep dive into how security professionals are rising to meet their roles in a world brimming with motivated and capable adversaries.

Transcript

You're listening to the CyberWire Network, powered by N2K. This is a forward-thinking show brought to you by the folks at Collibra. They're the leaders in data intelligence. You're going to hear first-hand from all sorts of people, industry titans, innovators, executives from some of the largest companies as they dive into the hottest topics in data.

You're going to get insights into everything from popular things such as AI governance and data sharing down to more nuanced questions like how do we ensure data readability at a global scale. So, while data may be shaping our world, Data Citizens Dialogues is shaping the conversation. I want to encourage you to follow Data Citizens Dialogues on Apple, Spotify, YouTube, or wherever you get your podcasts. Check it out. We thank Data Citizens Dialogues for sponsoring our show.

Imagine a world-class graduate education that's accessible, flexible, and designed for career impact. That's Harvard Extension School. Build actionable knowledge and skills in challenging online classes taught by Harvard faculty and industry experts. Explore new opportunities and expand your network with high-achieving professionals from around the world. Part-time learning, real-world impact. This is Harvard on your terms. Learn more at extension.harvard.edu slash Spotify.

My dad works in B2B marketing. He came by my school for career day and said he was a big ROAS man. Then he told everyone how much he loved calculating his return on ad spend. My friends still laugh at me to this day. Not everyone gets B2B, but with LinkedIn, you'll be able to reach people who do. Get a hundred-dollar credit on your next ad campaign. Go to LinkedIn.com slash campaign to claim your credit. That's LinkedIn.com slash campaign. Terms and conditions apply. LinkedIn, the place to be, to be.

Hello and thank you for joining us for this N2K CyberWire special edition. In today's Solution Spotlight, N2K's Simone Petrella interviews Alex Stamos, CISO at SentinelOne. They got together at the ISC2 Security Congress 2024 to discuss lessons learned in 2024 and what it could mean for 2025.

So we're here at the ISC2 Security Congress for 2024, and I know you are going to be chatting with the audience, both in person and virtually, here in a bit.

But one of the things I wanted to start with was 2024, where the landscape started, and what in your opinion were some of the more significant breaches or attacks of 2024 that are shaping the way that we think about the cybersecurity industry?

Yeah, we've had a crazy year. So in the keynote today I'm pulling three incidents out. Not all traditional breaches. One of them is. But three incidents that I think have really shaped the cybersecurity landscape, and I'm pulling different lessons out of each.

So those three things are: I'm talking about the Cyber Safety Review Board's report on the Chinese intrusion into Microsoft, and the follow-on Russian intrusion into Microsoft, but especially the lessons to learn from what happened with China and Microsoft, which actually happened last year, but the report came out this year and has a lot of lessons for us.

Then the multiple security incidents that came out of the Snowflake breaches, multiple breaches, not of Snowflake themselves, but of their customers. And then the massive CrowdStrike outage, which has had real, massive repercussions for the security industry and for CISOs that deploy security products.

Well, I think it's a great segue, because as a CISO now on the vendor side, but also having been on the corporate side as well, what are some of the things that you think you're taking away as a CISO when you think about those events?

Yeah, so I'll take this in order. So the Microsoft one, I mean, I recommend all CISOs read, if you haven't yet, the Cyber Safety Review Board's report about Microsoft.

You know, the technical specifics are very specific to Microsoft, right? These are bugs that are specific to how Microsoft built their authentication system for Office Online and how their keys were stored and stolen by the Chinese and then eventually used to read the email of people who worked for the US government.

And, you know, this is not a breach that was discovered by Microsoft. It was discovered by folks who worked for the government, who then told Microsoft that it happened. But the lessons that everybody can learn, even though the bugs are specific to Microsoft, are a couple. One, half-finished security projects will kill you, right?

If you look at the step by step of what happened inside of Microsoft, almost everything in there Microsoft knew about, and they were working on it. They just weren't done yet, right? You know, one of the things I'm going to do, for a little audience participation in the keynote today, is I'm going to have everybody raise their hand if they don't have partially finished projects on their risk register, right? And I expect nobody to raise their hand.

It's just true for any CISO: we have things that we know are weaknesses that we've been working on for perhaps three years, right? Sometimes it's easy to get to 80% done, 90% done. It's like a Windows progress bar. You can say 99%, but actually finishing, turning off that last server, getting rid of that last key, is impossible because you have some dangling dependency.

And you know, one of the lessons there is that the attackers don't care if you're 99% done. If that key works, if that server's up, they'll use it, right? And so one of the lessons I think is really important there is that sometimes you have to push through that last 1%, because that residual risk is so big.

I'm sure Microsoft wishes that they had pushed through whatever it was, that last little bit that kept them from turning off that old 2016 encryption key. It would have saved a lot of pain for them.

It sounds like the old "if everything's a priority, then nothing is a priority."

Exactly.

Another lesson there is that we've built really flat, homogeneous networks, right? You know, cloud computing is great in a lot of ways, but what's happened is the biggest beneficiary has been Wall Street, right? Wall Street has forced CIOs to squeeze out all of the excess cost of running IT. And so you have IT budgets at public companies where they've gotten rid of all the fat, and now you have a small number of people providing services to a huge number of internal customers.

And the ratio of the number of sysadmins and DevOps engineers versus the number of containers or end systems is spectacular: thousands and thousands of machines per admin. And that's great until a bad guy gets their hands on one of those systems, right? And so one of the things we'll be talking about in the keynote is that friction is not necessarily a bad thing, especially at the administrative level. We've got to embrace friction a little bit more.

Microsoft in this situation built keys that worked across every single one of their customers. And so if they had built a little less of a modern system, they would have had natural firewalls in there. It would have cost them more, it would have been a little more difficult in some ways, but it also would have meant that it would not have been so easy for the Chinese government to penetrate their systems.

And again, that's specific to Microsoft, but you see the same pattern at every company of, well, why not just make everything flat and easy, because it's so much easier and simpler for us. And I think that's a natural progression of where cloud has taken IT architectures, but the reality is we've got to see that there is a natural benefit to friction, especially at the administrative level.

I know you also are going to talk about Snowflake, but do you think that that's a friction that we also should be embracing as a cybersecurity community and industry too? Because your third example is CrowdStrike. And that's an example where it behooves a frictionless environment to have one primary, yes, provider, but when it's tied to something that is so fundamental to what we actually rely on.

Yeah, I mean, that's a great example of the fact that it is very likely for a company to have one EDR product, which means that if it breaks, if it either fails because it misses something, it misses it everywhere. And if it breaks, it breaks all your systems at once. Now, you know, CrowdStrike in particular made specific architectural decisions that were extremely risky. And I think they certainly are not going to make the same mistake again.

Most companies would not make that mistake, but you still could see failures from products. Every EDR product has some kind of conflict or something. And certainly they all miss things, right? And I do think that has raised the question for people of, hey, should we maybe go 50-50 with security products?

Certainly a number of companies have decided, great, our primary and our business continuity sites are going to run different security features. I know one of those airlines that was involved had an operations center, this beautiful operations center that had, you know, rows and rows of computers where these professionals worked very, very tirelessly to move airplanes around and move crews around and deal with, oh no, there's a hurricane coming, so we've got to reroute everything. And, you know, they worked incredibly hard to do that. And they had CrowdStrike on all the machines, and they have an identical operations center 30 miles away that has its own generators and its own power grid, but they were also running CrowdStrike.

So it doesn't matter that everything was physically separate. Within seconds of this entire building blue-screening, the second operations center blue-screened. They will not make that mistake again, right? That second operations center is going to have different security products, different firewalls, different switches. Now, you can't get rid of Windows; Microsoft has a monopoly there.

What you can do is run on a different Azure tenant, have a different Intune tenant, run n-minus-one patching for Windows. And so I think this is, again, about having non-homogeneous networks, embracing friction, having your primary and your BCP site be quite different from an IT perspective. It's a big pain. This is where managed service providers might come in handy, where you end up paying a managed provider to run your BCP site for you and to make it as different as possible. It's going to be worthwhile.

We'll be right back.

Hey everybody, Dave here. I want to talk about our sponsor LegalZoom. You know, I started my first business back in the early 90s, and oh, what I would have done to have been able to have the services of an organization like LegalZoom back then.

Just getting all of those business ducks in a row, all of that technical stuff, the legal stuff, the registrations of the business, the taxes, all of those things that you need to go through when you're starting a business, the hard stuff, the stuff that sucks up your time when you just want to get that business launched and out there.

Well, LegalZoom has everything you need to launch, run and protect your business all in one place. And they save you from wasting hours making sense of all that legal stuff. Launch, run and protect your business to make it official today at legalzoom.com. You can use promo code CYBER10 to get 10% off any LegalZoom business formation product, excluding subscriptions and renewals. That expires at the end of this year.

Get everything you need from setup to success at legalzoom.com and use promo code CYBER10. That's legalzoom.com and promo code CYBER10. LegalZoom provides access to independent attorneys and self-service tools. LegalZoom is not a law firm and does not provide legal advice, except where authorized through its subsidiary law firm, LZ Legal Services LLC.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health and Quora use Vanta to manage risk and prove security in real time.

Our listeners can claim a special offer of $1,000 off Vanta at vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off Vanta.

It's hard for me to think about this conversation and not think about the impact that this kind of has on the workforce for 2024 or 2025. So ISC2 has released its workforce study. It's kind of the first year that things have stagnated from a global cybersecurity professionals standpoint.

It's actually been decreasing a bit in the United States. Are we getting to the point that a lot of these friction points should also kind of be a reminder to get back to the principle that we also need to spend enough time having redundancy in the humans that we actually have performing this work?

Right. Yeah, no, I think so. And I think the CrowdStrike outage proved that.

I mean, that's one of the things all these people learned: it's great to have one admin per 10,000 boxes until you have to reboot 10,000 machines. Like, you know, some of those airlines, weeks later I was still seeing blue screens in airports. And it's because they don't have the people to go out there with the keys.

Yeah, I'll leave the burnout conversation for another day.

Yes, right. But it is a legitimate issue of, when things go wrong, yes, one to 10,000 is a ratio that totally works when everything's working perfectly. And when it hits the fan, not having that kind of slack space is a problem. And I do think we have cut too quickly. People have, I think, made assumptions around automation and hyperautomation and orchestration systems and such that aren't necessarily accurate.

And I do see this all the time with companies. Before I took the CISO role at SentinelOne, I was supervising the DFIR team and working with companies from a consulting perspective. And I would deal with breaches all the time where they not only didn't have the right security people, they didn't have the IT capacity to deal with a breach, right? It's like, oh, we've got to rebuild laptops. We don't have the people.

We've got to rebuild our Oracle database and our production systems. We don't have the people, because we barely have enough people to keep things ticking over normally, because we've cut to the bone. And so I do think, and you will pay out the nose when you call PwC or Deloitte on a Friday evening at 6 p.m. to help you recover from a ransomware incident.

They will charge you the maximum amount possible. And in the end, the CFO will not see the savings over the five-year period that they thought they would get from cutting all those IT folks. So I do think CIOs need to be looking big picture at what it is like when you go down to having 95% of the people necessary to run during normal operations, because over a five-year period nobody just has normal operations. Something bad will happen every six months. And you need to have the slack space to be able to handle that.

Yeah, it's hard to keep that long-term perspective in mind sometimes, when you're trying to justify your budget in front of the CFO, who's like, well, it's been two years, nothing's happened. You're like, oh, you're going to penalize me for doing a good job.

Yeah, yeah. I mean, I can make something happen, right? Like, it's definitely not the kind of, yeah.

It'd be interesting to see what happens when you do that.

That's exactly it. Okay.

What changes do you anticipate in the cybersecurity field as we look towards 2025 as a result of some of the challenges we did face this year? Do you see anything changing as a result? Are we going to make headway on some of the barriers we've had?

Yeah. So I mean, I think for security vendors like ourselves, there are a lot more questions being asked about how are we not blowing things up?

So, you know, one of the things I talk about in the keynote, I actually throw up a still from The Bridge on the River Kwai, which is a screenshot I actually use in class. I teach at Stanford on Fridays, and my students don't know what that picture is, right? So it's great. I don't have the only gray hair in this audience. Yeah, there's all kinds of generational commentary. So it's good. So there are people here who know what the movie is, right?

Yeah, and people who listen to podcasts know about that movie. So I don't have to explain that, you know, this is a picture of the bridge. And so it's like Alec Guinness in his very sweaty khakis in front of the bridge, and I talk about how CIOs built this beautiful bridge of IT architecture so it's incredibly reliable. And then security teams, our job is we rig this bridge with C4.

And we blow up the bridge the moment we see an enemy train coming over it. Right? Like, what we do as security teams is inherently destructive. I mean, just listen to the language we use, right? We block things. We isolate. We kill processes. We build systems that break the normal flow of IT to stop bad guys from doing things. And that's fine. I mean, that's what we're supposed to be doing.

Post-CrowdStrike, what's happened is CIOs have been like, wait a second, I built this beautiful, super-redundant system in all these clouds and all these availability zones. And then I give SOC analysts this huge red button that says "destroy all enterprise value." Right? Why do I do that? And so I think one of the things that will change is that security vendors and security teams themselves now have to justify to the CIO and the CEO and boards why we have this power.

And I think that's actually a good thing. It's a good thing for vendors to say, okay, well, yes, we're actually much more careful than CrowdStrike in how we architect our kernel module. We're much more careful in how we test. We're much more careful in how we deploy. That was always true. But now we have to document it. So that's good. We're documenting that better. We're proving that better to folks.

But it's also that we then have to build our product to help teams operationalize that better. So I think this is one of the things that you're going to start to see in security products in '25 and '26 and going forward: it's going to be a lot easier to build a product so that SOC analysts can do their job without having the "destroy enterprise value" button.

Because traditionally it's been, you get onboarded on one of these products, and right next to the button to do your job normally is the kill-everything button. And it's not super easy to build things default secure. It's not super easy to build it so that there are two keys to launch the nuclear missile. And those are the kinds of things that companies have built, but it had to be extra. You had to build a bunch of frameworks to do that and such. And that should become the default.

I think it should become the default, and in a lot of ways not just on the security side. Do you think that that's a lesson that will also be applied on the corporate side where they're evaluating vendors and actually having to make decisions?

Yes, I hope so. I hope what happens is corporate teams think about, okay, what is our workflow here? Because, like I said, EDR security products break companies.

CrowdStrike are the only people to break the entire world, but security products break companies all the time. It's almost never the product's fault. It's almost always somebody inside the company using the product to shoot the company in the foot.

And then they blame the vendor. And this is, no offense to any SentinelOne customer listening to this, I'm not talking about you. You're not the ones who I know blamed us because you did something. It's not you. I'm talking about somebody else. Right.

Clearly, clearly not. In consulting, where I used to come from, it was like, no, actually, how do we tell you the problem is you?

Yes, exactly. Yes, yes. But it's possible. I have been on phone calls where I'm like, okay, you want to blame us. You're clearly paying us, and our job is to take the heat. But you're the guys who pushed the button that actually did this, and that happens all the time. And so I think companies need to think through, okay, what is our normal flow here when a piece of malware comes down?

It is communicating up to an IP address. We're going to decide that that IP address is malicious. How do we decide that that IP address really is the command and control server, and that it is not the corporate proxy server or the corporate DNS server, which happens? Because once you block that corporate proxy server, you cut off all the computers in the network from the corporate proxy server, and you break the entire network. Right.

Those are the kinds of process things that aren't appropriately thought out. They have to be thought out, and then products, ours and other security products, need to support that, make it easy for that kind of flow to be supported in the company, so that somebody says, I want to block this, and then it goes to their manager.

Right. Or, you know, with AI now, it gets smart enough to be like, it looks like you want to block the corporate proxy server. Have you, you know, Clippy pops up and says... I think Clippy itself is probably copyrighted. But we can have our own Clippy.

Right. I guess you're the first person in many, many years who has actually referred to Clippy in a positive way.

Yeah, well, like, you get positive security Clippy, who pops up and says, it looks like you're trying to destroy the entire enterprise.

You know, maybe I can help you by saying you shouldn't do that. And so I do think there are going to be some positive changes there. And I do think gen AI has some real positive opportunities here to speed up defensive cycles. Right now it's being used in positive ways.

To make queries faster, right. And so for us, we call it Purple, where instead of... you could always ask, show me all the laptops that downloaded a new piece of software from a Russian IP address, right? You could always ask that. But you'd have to write this huge query with a bunch of quotation marks, and you'd have to know exactly what you're doing. It would take you 20 minutes, right?

Now you just write that in English and you hit enter and it does it for you. And that's great. But taking that data and doing something with it is a whole other step. So we've gotten that first part down. And I think that's the next phase too, is then turning it into, oh, great, now you've given me that list.

Isolate all those computers. Being able to type in English, "isolate all the computers you just gave me a list for," and then having that implemented in three or four minutes would be incredibly powerful. And that is something I'm excited about, because that turns what used to be a multi-hour project, during which, for those multiple hours,

bad guys were totally active going east-west. They know that they're in a fight with you. They're putting more backdoors in place. They're creating more ways for them to maintain persistence. And so if you can turn that from a multi-hour process into a couple of minutes, then that gives defenders the advantage.

Well, I think that's a great ending point to make, because it's a little bit more of a boost to get us from those 80 to 89 to 99 percent completed projects, maybe more towards 100. So we don't have those...

Yeah, awful risk registers.

Yeah, yeah. Alex, thank you so much for taking the time. I think it's going to be a fantastic talk, and I appreciate you sharing your knowledge with everyone here in the ISC2 community.

Thank you so much. Thank you.

That's N2K's Simone Petrella speaking with Alex Stamos from SentinelOne. We appreciate Alex taking the time to speak with us. And we appreciate you listening to our show. Thanks.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere.

This means poor visibility, security gaps and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.
