Episode 14 is a Round table discussion with the TSG Cyber Security Team as they talk about the fact that you’ve probably already been compromised on a security level. How to prepare for the when – it’s not a matter of if, it’s a matter of when you’re going to get compromised and next steps.
How secure is secure? Find out this and other answers as Penny Conway uncovers some interesting facts about cyber security with the Connection TSG.
Protect, Detect, React. Detection and reaction are the most critical parts of a strong security solution.
Listen to more TechSperience podcasts.
This is the transcription of the TechSperience podcast – Episode 14
Penny Conway:
Good morning and welcome to another episode of Connection’s TechSperience. I am your host, Penny Conway Conway, Senior Program Manager for Workplace Transformation. And I have quite the expansive panel here with me today, our technology solutions group here at Connection. And instead of me introducing every single one of you and what you do for us here at Connection, I’m gonna go around the table a little bit. Bill Virtue let’s start with you. What you do here in the Technology Solutions Group, and what has brought you to the podcast today?
Bill Virtue:
Bill Virtue. I’m a manager and the security practice here at Connection, and my responsibility is on the demand operation side, so what most people refer to as presales.
Penny Conway:
Excellent. Steve Nardone?
Steve Nardone:
Good morning. SteveNardone, I’m the Director of our Cyber Security Solutions practice, a part of TSG. Really happy to be here today. My whole mission and function in life is to help Connection’s customers figure out what their cyber security risk is and then put plans together to help mitigate or control all those big, bad, ugly things that happen out there in the world on a daily basis.
Penny Conway:
Excellent. And Mitch?
Mitch Tanaki:
Mitch Tanaki, I’m a Senior Security Engineer in the security practice. I help out with everything from presales, post sales. I focus on open testing and network security architecture.
Penny Conway:
Excellent. And Rob, I- you were telling me that you were fulfilling a dream here on the podcast today.
Rob Di Gerolamo:
Yeah. Yeah, dream come true, so thanks for having me. Rob Di Gerolamo, I’m a manager within our cyber security solutions practice. Primary responsibilities are on the project execution side of things, so when we’re delivering these solutions and services for our customers, it’s making sure they’re going smoothly as well as working really closely with our engineering team on solution and service development.
Penny Conway:
Awesome. Well thank you all for joining us here today. You know, looking at cyber security and cyber security month is in October, the business is booming around security, both in consumer life and in enterprise life, and I actually read a statistic the other day that said that the security industry- cyber security industry is supposed to be a $170 billion industry over the next three years.
So, we want to talk a little bit today Steve, with you and your group really about what security means, not only for us as consumers, but what it means on an enterprise level, and what we should really be doing in terms of risk management, which is one of those great like, buzz words, buzz phrases. So, Steve, tell us- give us an introduction to general cyber security, enterprise security and help us set the stage for today.
Steve Nardone:
Sure. So you know, we have a philosophy in TSG and the cyber security practice that may be a little bit different than what most people think about and that is, essentially, when we talk about risk and threat, we say it’s not a matter of if. It’s not even a matter of when. You probably already have been compromised and you just don’t know it. And we believe that because the cyber security professionals are a little bit at a disadvantage with the skills, capability, time, budget, that the malicious actors have out there in the big, bad world.
So, we try and focus on advising our customers to think about that as a philosophy, and really, what we typically say is prepare for the when. Right? Be prepared for when a breach does occur ’cause it is going to happen.
Related: If you Connect, You Must Protect
Rob Di Gerolamo:
I think what’s good about that, Steve, is all the members, or many of the members of our have walked a mile in our customer’s shoes, right. A lot of us have industry experience where we’re responsible for managing threat, understanding what that is, and- and how to manage risk. And that statement around, is it not a matter of when, it’s a matter of now and how do you protect your stuff and protect your systems now. It’s because we’ve all pretty much experienced that. It’s happened to all of us.
Penny Conway:
So I think one of the- one of the things when you and I’ve heard this from customers as well just kind of talking to them about general and user devices and user security, is how secure is secure? I mean, we look at this $170 Billion industry, and everyone’s got kind of all of the buzz words around security. Optimizing, and risk, and threats, and … You know, someone might think that they’ve purchased something that has them completely covered from end to end, but I think at the end of the day, a lot of customers don’t even understand what might be duplicating efforts on their network or their end user devices or if they’re even adequately prepared. So when you- when you’re working with a customer, what is the first thing that you sort of start to evaluate about what’s going on and understanding their level of security today?
Steve Nardone:
Yeah, so I think Mitch and Bill could probably talk about more detail about technology, but let’s address one of the key issues that a lot of the customers we work with face, and that is, they believe that they can go out and buy technology and install it and they’re 100% safe. And we all know in the security business it’s people, process, and technology. There’s no such thing as a silver bullet, one size fits all security solution.
And in reality, you know, I’ve been saying this all year in- in some of the talks that I’ve been doing. Cyber security is really three parts art, one part science. So there is no real scientific model that you can say do this and you’re going to be secure. It’s really an analysis of your risk, of your threat, and trying to figure out what the best process is.
But Bill, I know you’ve dealt with a lot of security technology, what’s your thought on- on some of the challenges customers are facing with current technology?
Bill Virtue:
Well I think one of the biggest things is customers don’t understand what their own requirements are. They really don’t even know where to start. So being able to get inside the customer environment and understand what it looks like, and help the customer shape the requirements, and then start to look at the different technologies that might fit those requirements.
Mitch Tanaki:
And I think a lot of people go for the cool technology first without trying to figure out what they’re actually trying to solve. We see a lot of cases where they buy the next great malware thing, but it turn- it- it fails because to Steve’s point it’s art and science, and you know, as I’ve been in this industry longer, I’ve always hated policies, procedures, and documentation. But when it comes down to it, that’s what keeps you secure is having repeatable policies and procedures and actually knowing what’s in your environment, how is it- how it’s configured, and how to respond to certain things.
Nowadays, DLP, for example in the cloud. It’s easy, they offer it, it’s a- it’s a little toggle that you just twiddle and then it’s green, and now you have DLP. But there’s no thought … or, there’s usually very little thought behind the process. Well what am I trying to protect? What is DLP gonna flag on? And then when it flags, what do we do?
Penny Conway:
Right. (laughs)
Mitch Tanaki:
So that’s …
Bill Virtue:
And that starts with the- with the requirements, right?
Mitch Tanaki:
Yes.
Bill Virtue:
Like, where is my sense of content? What are the policies wrapped around that? How do I protect it? You’ve got to start at the beginning. That’s hard for customers.
Mitch Tanaki:
I mean, it’s cool to have the next- next gen security solution here, but without that … figuring out what you actually want to accomplish and how you want to do it, I think that’s the most important part.
Steve Nardone:
Yeah, one of the biggest fears of the cyber security profession, going back, you know, eight or 10 years ago, was that the CIO was on an airplane reading a magazine and the latest and greatest cool thing that was advertised for security was the thing that we were all now talking into install from a product and a operational perspective. And it, you know, it is not of the right path to just look at technology. So we talk about… our mantra is protect, detect, react, which really detection and reaction are the most critical components of a good security risk program today. ‘Cause if you’re not thinking about, again, how to identify when something bad happens in your environment, then you’re not thinking the right way.
Steve Nardone:
I think the average is about 169 days right now, mean time, to detect an event in your environment. And somewhere around 70 days to actually be able to rectify that. So you know, risk owners are really struggling to keep pace with, you know, all those malicious activities that are happening out there with advanced malware, to include ransomware. So it’s really important that you- you have a good program. You know, the art and science piece is really important to understand.
And the other part of it as well is you have to understand what your business operational challenges are because if you integrate security in your environment and it makes your business process difficult to maintain, then you’re introducing more risk in your environment than- than not.
Penny Conway:
Right. You know what’s really … what’s something I find really interesting about the whole security world in general, is that I- I feel like us, as consumers, have no problem welcoming security risks into our everyday lives with … I think we were talking a little bit earlier before we hit record was all about, you know, nest cameras, and Alexa, and all of these things that are watching, listening, and learning, what’s going on. And so us, as consumers, have really felt like we can open the door and then we go to work and we go, oh, everything has to be secure, nothing can get in. I can’t share my data, no one can see my data. So how do you … Do you guys face that when you’re out talking to a customer trying to like, wrap their heads around what’s safe and what’s not safe in terms of that new tech? I know you’re not dealing with technology, but there’s sort of consumer brain against what they’re trying to do on an enterprise level.
Steve Nardone:
Yeah, so from an IoT perspective, right. Think about Internet of Things, which is the new buzzword. We are finding that consumer technology is making its way into the, into the corporate space as well because it’s so easy to integrate. So, you know, we talked a lot about risks. There was a- a breach that happened in a casino in the United States not too long ago, and the breach occurred by essentially getting into the thermostat control in the fish tank that was connected to the internet, and the attackers were able to get in, get on the network, and begin to steal data out of the casino before they were identified.
Most IoT technology has those same types of risks, and what’s happening in the corporate world is they’re installing the technology and not thinking about those risks, like the passwords, are openly available in the configuration files, and they’re not changing the passwords, and so on. So it is a- it is a pretty dangerous world.
Bill Virtue:
Different type of phishing attack, right, Steve?
Penny Conway:
(laughs) That’s a true phishing attack.
Steve Nardone:
Yeah. And I think Rob can probably talk in great detail about, from a consumer perspective, how IoT has penetrated his life. You wanna share that, Rob?
Rob Di Gerolamo:
Well, let’s preface with, being a security professional doesn’t mean I need to live in a bunker. But I have about 14 or so connected devices from a couple of Alexa devices, to a couple of light bulbs, thermostats. It’s the tradeoff between convenience and do I have a nest ’cause I’m, you know, away from my home and I forgot to turn down my thermostat and I want to be energy conscious, so I do that. Or do I just keep my thermostat from, you know, however long ago and it’s all hand dialed. So I prefer the convenient side of things. But with- with considerations around protection. I need to know what the devices are, what’s on the network, and how- how am I managing them, so.
Steve Nardone:
And that level of awareness is important from a consumer prospective. If you’re installing the stuff in your home, be aware that you have to have an extra … you know, a little extra diligence and paying attention to the- the potential risks associated with that, which Rob certainly is fully capable of doing. I, on the other hand, do not have any IoT enabled devices in my house. I don’t have a Facebook account, so I’ve- I’ve gone the Draconian model-
Rob Di Gerolamo:
He lives in a bunker.
Steve Nardone:
Yeah.
Penny Conway:
He lives in a bunker.
Steve Nardone:
Not necessarily a bunker, but you know, I think there are ways to be able to secure this technology and, you know, if you started doing some research you’ll find that there are IoT protection devices that are consumer available that you can put in your home that will help you provide an extra level of security. I just haven’t gotten there yet with the analysis. But you can.
Penny Conway:
So, looking at Steve, when you say that, you know, you’re, kind of what you guys look for- look at as a practice is protection, detection, and reaction. So let’s start with protection. How do you go in and what’s the- the consultative experience look like when you’re kind of looking across that landscape, and how do you even kind of now set up that basic protection for a customer in an enterprise space?
Steve Nardone:
Yeah, Bill, you want to talk about the SLO?
Bill Virtue:
So, the security landscape optimization is an assessment that we developed a few years back and it really looks at that customer environment, so the- complete customer environment. Their endpoint, their network, their data security, their operational security, how they manage risk and security technology in their environment, and then governance risk and compliance, any mandates they’re trying to meet. And that’s really our starting point for getting an understanding of what a customer environment looks like, what technologies they already have deployed, and then dialing it back to really understand where are the risks in the environment. And that SLO assessment sort of draws that out.
Penny Conway:
Do you find that customers have a- a general understanding of maybe where their weak points are? Or how often do you find, you know, yourselves doing that SLO and you’re discovering things that they had no idea that they were open, or you know, the potential threats that were there for them?
Bill Virtue:
Well, for the most part, when we’re done with the assessment and we share the risk back to the customer, they get a sense for, yeah, that’s kind of what I expected to see. I knew there was risk and it’s kind of where I saw, or I thought I had risk. But it’s the details that we draw out of the assessment that they’re unaware of like, where really are the risk, where- where’s the root of that, and how do I- how do I remediate the risk now. So that’s also something else we help with.
Related: How to Secure Your Business Critical Assets
Penny Conway:
Have you guys just ever seen a complete mess after an SLO? Like, oh my god. (laughs)
Steve Nardone:
Oh yes.
Mitch Tanaki:
One of my favorite SLOs, you mentioned earlier in the introduction about duplication of efforts. There was two teams, you know, same company, but they were siloed. They both bought the same product they did not realize they had double spent on the same product, and you know, it was- it was kind of an eye opener. You know. Sometime- in some instances, security is a lone wolf. They just say no to people, but you know, we just want to help. And like, we don’t want to be a hindrance to the business process. We just want to make it secure. You know, going from living in a bunker to installing any IoT thing in the world, there’s- there’s a hap- there’s a happy medium. Security shouldn’t be looked at as a hindrance. It should help facilitate the business function. I mean FedRAMP-
Penny Conway:
Yep.
Mitch Tanaki:
Which is huge. Anyone wants to deal with government contracts if they’re in the cloud, they need to be FedRAMP certified.
Penny Conway:
Right.
Mitch Tanaki:
And getting that certification even though it’s a long, drawn out process once they got that, it made them do certain things to, you know, at least the minimum basic security stuff. So, government can use it, it’s secure, and it also opens up a bunch of business opportunity.
Penny Conway:
Right. People hear that the government’s using something and they go, “Oh, we must … that must be safe. We should use that.” (laughs)
Steve Nardone:
Well they’re very- they’re very good about process and control, and so, you know, generally, if you’ve got through and you’ve been approved to work in a government environment, you really have sort of checked a bunch of additional boxes, which is really good. And so, you know, commercial corporations can learn from that as well by looking at the same kind of technology, right.
But you know, there is, you know, interesting, analysis that needs to take place associated with overall technology. And, you know, you asked the question about, have we ever seen a mess with the SLO. So you know, there are like, 27 technology components and 11 process components in the SLO, and we score them based on a heat map, right. So red’s bad. Aand we’ve had a few where you know, red has been predominant, right. Very high risk across the spectrum.
But again, in those environments … You know, the other question you asked, the customer usually is not overly surprised about that. The interesting part about this process is they have a pretty good handle. I’d say it’s probably 75% of what we find, they say, “Yep, I kind of expected that.” 25% is, “Hey, this is a revelation that’s really important that we address,” so.
Mitch Tanaki:
Yeah. The important thing about the SLO, it’s, we’re measuring risk based off of their viewpoint. So it’s not us coming in saying, “Oh, that’s very risky.” It’s them telling us how they feel what the risk is. You know, it- it does help out a lot, a lot of our customers like the the report ’cause it’s, you know, easy to read. It has red bad, green good.
Penny Conway:
Right.
Mitch Tanaki:
So they can share it and use it to justify, you know, additional purchases, and it helps them do a long develop a long term strategy as opposed to just buying, you know, point solutions or the next great next gen thing.
Rob Di Gerolamo:
And another thing that’s great is it’s this consultative approach. Clients don’t really get that, right. They don’t get to leverage expertise in the industry to say, “This is the stuff that we’re doing today, how does that relate? Or what would you- What’s your take on it?” Right? They don’t get that sounding board, and it’s really important. The customers just love that experience. I think it’s- it’s huge.
Penny Conway:
Yeah, and I think when you look at how big the industry is going to be, I and the- you know, the beginning of that first was of the 70- $170 Billion, is that just in the last year, $5 Billions have- has been invested from venture capitalists into all of these new startup security companies. So I think everyone’s looking to sell a product, to sell that piece that makes a customer go, “Oh I’m secure because I installed this.” And they’re not getting that consultative experience to know where their weaknesses are, what the full, you know, full picture looks like for them. And it sounds like the SLO process can really help them with that.
So once you get through that SLO process, and you see where their weaknesses is- weaknesses are you now move into the- the detection phase. And so, what does that look like for a company that you’re working with where they’re now seeing what’s hitting their potential firewall or getting past their fire- firewall?
Bill Virtue:
Well as- as- as part of the SLO, we make recommendations on how they mitigate risk that we uncover. So that recommendation is, you know, to Rob’s point, that’s really that roadmap of, I have all this technology, I- I really don’t know whether or not it works well for me. You’ve uncovered the risk in my environment, now make some recommendations on how I can lower that risk. And that’s part of the SLO as well, and customers really appreciate that because they do get that experience from all of us on the team where we see all different types of customers, all different kinds of technology, so. That’s really what they’re looking is that kind of help.
Steve Nardone:
And we do cover all three of those components as part of the SLO. So you know, for example, detection is talked about with advanced threat, threat sandboxing. We talk about reaction with security information event management tools and log management. And then we talk about process as well. So we give the customer a really good perspective of their overall ecosystem risk. But then what we want to do is get in there and validate with very deep technical security testing to determine where they have flaws and vulnerabilities and how those things might be exploited.
So that’s really sort of the next step in really trying to validate, whether or not they have the appropriate detection and reaction capability in the environment.
Mitch Tanaki:
And that- that point helps the question we hear probably every time we get on a call which is the, can you help me with I don’t know what I don’t know.
Rob Di Gerolamo:
That’s right. And that- that testing and analysis really helps with that, right. It- it helps understand where the actual risks are the- on the systems that-
Mitch Tanaki:
And as well as inventory, right. That’s a huge thing is understanding your asset inventory.
Penny Conway:
Right.
Mitch Tanaki:
That helps as well.
Penny Conway:
So are you seeing … and- and kind of when you’re working with customers, we know that data is the new currency. That’s what we- we keep hearing. And we’re seeing a lot of attacks on state and local government. Of course, the big companies like Equifax and the big Target hack of the- what, that was just a couple- couple years ago. Where we’re seeing, you know, huge enterprise companies have these hacks that are really effecting consumers and the data that, you know, might be out there from a consumer level.
But I’ve- I’m wondering, and it’s just my general curiosity. Do you think that there are … eh, there’s more hacking happening, more of that phishing, more of those threats that are taking place within companies, and there’s kind of like, an embarrassment about saying what’s going on, or that they’re being hacked? Do you think it’s kind of like, a hush hush? Or are people, you know, getting more secure and kind of locking that down? I’m wondering kind of what the landscape looks like. Is there an embarrassment when you get hacked? Or should it be public news?
Steve Nardone:
Well, that’s a great question. You know, and of course many states and many corporations have rules and regulations associated with when they need to be able to notify associated with a breach, right. You mentioned a couple of big ones. You know, Marriott was one that just hit a little while ago as well. You look at, you know, in the government, right, you had several. City of Atlanta, city of Baltimore. So, all of those are- are events that are- are continuing to happen.
But I think, you know, we see sort of two different types of personalities when we’re dealing with risk owners. One is, you know, somebody that really wants to make sure that they understand and have risk documented completely and thoroughly and have a roadmap, a risk register, a risk roadmap of how they need to actually remediate the risk.
And then on the other side of the coin is, you’ve indicated there were risk owners that think if- if they know I have risk in my environment, I look bad. And we try and- and encourage anybody that doesn’t think about understanding risk and risk management and good skills to work with us to help us create a strategy so that they can develop that roadmap.
Steve Nardone:
But you know, as far as- as notification is concerned you know, w- we typically see pretty good response in the companies we work with as far as when they need to notify.
Mitch Tanaki:
But on the whole, I think you know, a lot of peop- a lot of companies are getting breached and they’re just not notifying because again, you know, brand, they don’t wanna-
Penny Conway:
Right.
Mitch Tanaki:
Diminish their brand standing and embarrassment. I mean, there’s countless companies that- that got breached because, you know, someone stood up a web server for testing, never took it down, so going to the know what you have before you can protect.
Bill Virtue:
I also think there’s breaches that go unreported too. There’s a lot of thing that happen that just don’t get reported. But every state does have a breach notification law, so it depends on the number of records, the type of data things like that, whether or not they have to notify law enforcement, or HR, or legal. So, you know, it is two sides to it.
Penny Conway:
Yeah, it’s- if it’s worth reporting.
Bill Virtue:
That’s right.
Penny Conway:
So looking at the- the entire kind of cyber security topic, and you know, showing customers where their weak points are, on where areas of improvement are, but I think what kind of wraps all of this around is just general awareness about security. Not only for those stakeholders, but for end users. Like, the people who are actually maybe making them susceptible to attacks through their everyday behavior. So what do you guys seeing or have opinions on sort of that awareness for users themselves around cyber security and security in general?
Rob Di Gerolamo:
It’s- it’s easy to- to say this, but it’s- it’s pretty much a fact, right. The users are the winkes- weakest link in any organization, right. Their- they want to be helpful, they want to encourage other people by- by helping them, so they’re going to open emails, they’re going to click links, and when we get the question, how do I stop phishing attacks, the best way is to train your users, right. And that’s … it might start with knowing how bad the problem is, so doing some actual phishing testing, understanding how bad or prevalent the issue is in your organization, and then focusing on those users that might be susceptible to opening those emails or clicking the links.
That’s where a lot of the breaches were- you see in the industry are starting from, right. It’s from these emails that are, you know, someone’s masquerading as HR saying open this file, it’s important, or please fax over some money ’cause we, you know, you have an invoice that’s been outstanding for 45 days and someone transfers a whole bunch of money over to somebody.
So, it really is helping train those users. Going through, you know, either it’s you’re developing your own training program, getting some help with doing the testing, getting some help building out that program, but that really is the part of that you can’t stress enough, that users really are the weakest link in the chain, and- and knowing how to help equip them to understand when something is real and when it isn’t, is very valuable.
Steve Nardone:
Yeah, we always talk about the fact that if you’re a cyber security professional protecting an environment, you gotta get it right every time. If you’re a hacker, you only need to get it right once. That’s one of Mitch’s favorite sayings. He uses it all the time. But the ability to be able to train users to really respond to that.
There’re two really and critical things that are important from a- an awareness perspective. One is to create an environment where your users know what to do if they see something, right. So you hear it in the airports all the time. If you see something, say something. It’s really critical that they know exactly what their- their response should be. If they feel like something is happening either from a physical security perspective or a technical security perspective. And the other is to do phishing testing and social engineering testing on a regular basis to actually measure your employees capability to be able to respond to those things that are happening. ‘Cause again, we all know phishing and ransomware are rampant out there right now today.
Penny Conway:
Right. Right. And becoming more sophisticated every- every single day.
Steve Nardone:
That’s correct.
Penny Conway:
Yep. So awesome. We have a lot more to talk about. I’m gonna have you guys back to talk about, with a couple of our partners, to talk a little bit about endpoint security, cloud security, and all of that great stuff. Thank you so much for joining me for this episode of Connection TechSperience, and for all of those of you who are listening, please reach out to our technology solutions group so you can understand where your potential weaknesses are and how we can help give you a roadmap to protect against them. Thanks so much, guys.
Steve Nardone:
Thank you.
Mitch Tanaki:
Thanks.
