Dispelling Cybersecurity Myths

December 18, 2017 • Amanda McKeon

In this episode, we have a conversation with Gavin Reid, chief security architect at Recorded Future. Before joining Recorded Future, he helped design the systems that protect organizations like NASA, Cisco, and Fidelity.

We’ll get his take on the state of the industry, and why he believes there are a number of cybersecurity myths that are in need of being dispelled, including the notion that companies need to “do more with less.”

Are boards of directors finally getting up to speed and recognizing the realities of their defensive postures? What are some of the most effective ways to make sure the basics are being taken care of, all while managing the practical challenges of the busy day-to-day demands of a modern corporate environment? The tools are available, according to Reid. The trick is knowing how to best implement them.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and thanks for joining us for episode 36 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

In this episode, a conversation with Gavin Reid. He’s the chief security architect at Recorded Future. Before that, he helped design the systems that protect organizations like NASA, Cisco, and Fidelity. We’ll get his take on the state of the industry, and why he believes there are a number of cybersecurity myths that are in need of being dispelled, including the notion that companies need to “do more with less.” Stay with us.

Gavin Reid:

I came to Recorded Future from Lancope. Lancope is a NetFlow appliance anomaly detection type device. I was their VP of threat intelligence. We looked into threats and how they were detected, and in particular, how do we make the product better based off of the types of typical threats that were going on. Previous to that, I set up Fidelity’s very first threat intelligence team and I led their cyber intelligence group. That included penetration testing, audit, and Red Team. And then, before Fidelity, I spent 15 years, more or less, at Cisco. The last two, I led Cisco’s threat research and big data teams called Track, at the time. Those teams ended up combining with Sourcefire’s VRT, their vulnerability research team, to form the much larger team now known as Talos.

And for the decade before that, I started Cisco’s CERT. That team started with me, had steady growth over a decade to … There’s around 100 people on it now, with all the typical things you would feel associated with an enterprise CERT. And back in 1999, I came to Cisco from NASA at the Johnson Space Center. At NASA, I started doing IT architecture, and eventually, took a role in charge of IT security for the site.

Dave Bittner:

Well, that’s exciting. NASA is certainly … I bet you that’s the part of your resume that a lot of people say, “Oh, tell me more.”

Gavin Reid:

I’ve got tons of war stories. And really, what happened at NASA — I was an admin of a number of VAXs. One of them that I adminned sort of got hacked. So, what happened is, there were a couple of university students in France that were telnetting to this machine and using it. They were using an astronaut’s email to send messages back and forward to each other. So we looked into that, and it was a misuse, but it wasn’t really malicious. The inspector general, who is the police for the government in the United States, they took an interest in it.

From there, I ended up getting all of the security projects that came my way. And then I formalized that with a role — I think the first role in charge of security for the IT groups at NASA.

Dave Bittner:

As you moved through different organizations, and you’ve dealt with threat intelligence, is threat intelligence very similar from place to place? How does it change depending on what the mission of a given organization is?

Gavin Reid:

Yeah, there’s obviously some commonality. Coming from, initially, the public sector, we did threat intelligence back at NASA, way before. I think the government, overall, has done this for a much longer time than the private sector has. Only recently has the private sector realized that it’s really just a matter of due diligence to pay attention to what your adversaries are doing. And then, take that knowledge and those capabilities to help protect yourself.

Dave Bittner:

So, we’re coming up here on the end of 2017. As you look at the landscape, where do you think we are when it comes to cybersecurity?

Gavin Reid:

We’re at an interesting time. As people, we want — at our fingertips — to be able to access all data, all the time. We want reviews and directional maps on how to find it. But at the same time, somehow, to not share any of our own personal information would make all of that possible, right? The internet’s promised we can finally have our cake and eat it. In a similar dichotomy, we’re at a weird place where we have cybercriminals and nation states on one side, and organizations and the public on the other, which is kind of weird. And that vulcanization has led to the private sector forming Pinkerton-like vigilante teams to bolster cybersecurity in much the same way as played out in the Wild West at the end of the 19th century.

So it’s an exciting time. There’s a lot of activity, not all of it super positive.

Dave Bittner:

Yeah, let’s dig into that a little bit. When you compare it to the Wild West, what specifically do you mean?

Gavin Reid:

Well, if you think of … The Wild West was an area that didn’t have a whole lot of really, really strong policing going on, which allowed for a lot of criminal activity to continue. That’s exactly what’s happening in the cyber realm today — legislation as the capabilities of the different government agencies, as the problems with interagency and global cooperation. All of these have compounded to make an area where criminality can exist without the normal penalties that we’ve seen previous to the cyber age.

Dave Bittner:

And how do you see that evolving?

Gavin Reid:

Well, for a while, it’s going to be more of the same. It’s going to take a while to pick up. And I think one of the big parts of this evolving and changing for the better, for the good guys, is for organizations to realize their own responsibility, their own rules in protecting themselves. I think, up until now, that’s sort of been put to the side for a number of different reasons. The organizations are woefully unprepared for the types of activities that they’ve seen play out in the news over the last five years.

Dave Bittner:

I’m thinking of social norms. Particularly, I’m thinking about how GDPR is going to be kicking in next year. That’ll have an effect all over the world in terms of how people have to deal with privacy. It strikes me that the Europeans have a different approach to privacy than we have here in the United States.

Gavin Reid:

Yeah, absolutely. I wish that America was taking more of a leading role in some of these privacy efforts. But you’re correct. Europe has championed, especially, the rights of individuals to control a lot of the data that surrounds them that’s now available online. We’re playing second fiddle to that.

Dave Bittner:

As we’re looking at the security situation these days, are there any things that you consider to be myths that are holding us back?

Gavin Reid:

Yeah, I think there’s a number of things that have made this situation worse. For one, we don’t need to be preparing for worst-case scenarios. I keep hearing that cyberattacks are increasing in complexity. We spend a lot of time and effort worrying about crazy, well-funded attacks that we see played out in the movies. This sort of thing is exemplified whenever an enterprise is breached. The CISO talks about how extremely sophisticated the attackers were. Of course, they would. You don’t want to say some script kiddie used a well-known exploit against an unpatched browser to get in, but that’s exactly what’s happening over and over and over again. So, for the last 10 years, I’ve been saying, “You will get breached, most likely through email. Hackers will command and control your environment over the web and move laterally.”

That’s been how the big hacks have happened. However, I may need to change that. The new method is this: Search for API key, credentials, and Git or a paste site. Log into an AWS bucket or backup, go directly to profit. But I think that attack is going to be around for the next 10 years.

More myths — user training is another good one — the idea that we train the user to detect hacks. It’s a bit like if the Water Authority said we’re responsible to test our own homes and businesses for intermittent poisoning. I think we need to provide a safe platform for people to do normal internet stuff. Until we have, all the user training in the world won’t help. And not to go into a rant here, but the sell of user training, in my mind, can be directly linked to CISOs who don’t really want to attack the real issues, because that would be hard.

This gives the CISO a project win that looks good but doesn’t really impact IT or cost too much. It’s security theater with very little value. And lastly, the bandaid myth. You’re super familiar with this. For years and years, we’ve created hugely complex IT infrastructures. We prioritize cost, functionality, and security, often not even invited to the table. This has set up a situation where doing real security means a complete overhaul or re-architecture of all the crap that came before. Organizations, people — they’ve been loathe to do that. And so, enter the security vendor with a, “Install this block on top of your crap” model that promises to fix the problem. However, we’ve seen time and time again that it doesn’t.

I met last month with a CISO who had a really refreshing approach. What the CISO said is, he came into a new role. He said, “Look, we’re not going to do any of the normal things that a CISO does.” Typically, a CISO may come in, they have a couple of flagship projects. They get them on the ground, they do some deployments, and then they move off to their next role in a couple years. He said, “I’m going to be here. And what we’re going to do is, we’re going to do the stuff that you think you’re already doing, but you’re not, like patching. We’re going to start doing patching, but really doing patching.”

If you’ve worked in the cybersecurity world, you’ve got to know how courageous that CISO was in saying that, because that would go down in most organizations like a ton of bricks.

Dave Bittner:

How so? Is it that the patching … Is it an easy thing to put off?

Gavin Reid:

For one, organizations, the board, the senior-level executives, whoever the CISO reports to, they’ve been told that they’re doing patching and that they’re doing patching effectively for the past 10 years.

So, the idea is that they’re going to bring in some new talent, some new blood, and what they’re going to do is, just do what they think they’re already getting. It doesn’t sound as sexy as a new anomaly detection, advanced malware radar to incident, to remediation, automation type project sounds.

Dave Bittner:

Yeah, it also strikes me that there’s this inherent disproportionality, where it’s that old story about how the defenders have to be right all the time, and the bad guys only have to be right once.

Gavin Reid:

Exactly, yeah. Doing 80 percent of the patching is definitely better than doing none, but it’s only really, totally effective when you’re doing 100 percent of the patching all the time. That’s a continuous thing, right. It’s like saying, “I want my beard to be 100 percent shaved all the time.” There is a point of having good value for capability that people need to look at. Unfortunately, we’ve been erring way on the, “Let’s just do as much as we have to. And the other 20 percent that doesn’t get patched will hopefully get done on the next round.”

Unfortunately, that’s led to a huge area of opportunity for hackers who often don’t have to probe an environment too much until they find a way in.

Dave Bittner:

When you look at the organizations that you cross paths with, how well-prepared do you think they actually are?

Gavin Reid:

Unfortunately, we have a bunch of organizations that are really part of the problem. They’re only doing what is mandated. They’ve not invested appropriately to protect their own organizations. And over and over again, we attempt to do more with less in IT. Rarely are we cutting the budget on capability or functionality, and security is often critically underfunded. This has led directly to the mess that is cybersecurity in 2017.

Dave Bittner:

Do you think that’s shifting, though? Do you think boards of directors are starting to look at cybersecurity in terms of risk and allocating appropriate funding for it?

Gavin Reid:

I think, yeah. I think we’ve seen some breaks in that ceiling. We’ve seen … I wouldn’t say whole verticals, but we’ve seen organizations inside of verticals who’ve just gotten sick of it, and who’ve said, “Hey, look, we are going to re-architect our infrastructure. We are going to spend the money necessary. We are going to make things sometimes harder to access, not easier, because it’s worth it, because we care about what we’re protecting. We care about our customers enough to do that.” That is, unfortunately, not where everyone’s at though. It’s just, I would say, some points of excellence in certain areas.

Dave Bittner:

So, in your estimation, what sorts of things do we need to do differently?

Gavin Reid:

I suggest that, collectively, we stop playing the blame game here. We stop blaming users. Stop looking for magic-box solutions. Stop blaming our governments and legislation. Stop blaming the hackers. If you have an area where there is a lot of money, a lot of capabilities, a lot of intellectual property, and it’s connected directly to another area that doesn’t, it’s only natural that there’s going to be some osmosis, and the people are going to look for that.

I suggest that we need to start looking into the organizations themselves, and we’ve got to collectively start doing the basics. So, vendors have been all too happy to send boxes that you deploy, and you set on autopilot and kill bad stuff without human intervention. I would argue that we’ve become over-reliant on that sort of technology, when it comes to managing security and interpreting threat. These automated technologies, they’re very effective at common problems, but they don’t do so well at finding human, multi-partied attacks. For that, we need security platforms, not tools, that talk to each other and enable, not replace, your incident response team. We need the right people to run them.

Where technology helps is, it extends the accuracy and the capability of your team, not replaces them. We need to protect what needs protection, and really protect it. Even if that means making it harder to access and more expensive, which has always been, “Hey, you can do some security here, but don’t make it any harder. Don’t make life harder.” This means things like compartmentalization, active management of access, patching. Everyone says they do patching, but very few do it well. To do those sort of things, we need to know where the organizationally important data is. We need to treat that stuff differently.

We have to log the living daylights out of accesses to that organizationally important data, and have people that are paying attention to its use. That is, unfortunately, very rare. It’s rare for organizations to even know where their stuff is. It’s even more rare for them to have people paying attention to accesses to that stuff. It’s easy to set up an IDS, and say, “Hey, look for common attack types.” It’s way harder to look at who’s using the data that we know is important to our organization, and why.

So, we’ve got to resource this appropriately. The pain is going to continue until we stop cutting expenses with security. And lastly, people, people, people. People, not machines, are the fix to this problem.

Dave Bittner:

What do you say to people who would push back on that and say, “Gavin, I have to keep this organization running. This is a business after all. You’re advocating that we change the spark plugs in the engine while the engine is running.”

Gavin Reid:

Yeah, exactly. I would say that if you have to re-architect your entire IT environment in order to deploy security, that’s indicative of some deeper problems with how you have things set up. So, for those people, they’re the ones that probably most especially need to look into doing it. If it’s an easy fix for them to deploy better security and capabilities, they’re a pretty modern network. It’s the ones that have been around for a long time — those are the ones that actually need the help the most.

Dave Bittner:

What’s your advice for people in terms of determining how best to incorporate threat intelligence into what they’re doing?

Gavin Reid:

Yeah, so, we’ve got a ton of tools for doing incident detection that are deployed at most large organizations. Those tools are only as good as the intelligence that we can play into those. So, once you’ve worked out what your vertical, specific needs are, then getting intelligence that supports those needs, that’s extensible, that’s easy to use, that you can be certain of the accuracy of the data both doing automatic pulls of data, and pushing that data. And then, doing more analysis on that data to see if there’s a technique that you could be using against the hackers themselves. All are very, very important parts of your threat intelligence capability.

Incident response is as much of a fix for an organization’s cybersecurity woes as fire alarms are for stopping fires. There are a lot of well-known, effective methodologies to harden your organization. Make sure you’re investing in them.

Dave Bittner:

Our thanks to Gavin Reid from Recorded Future for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.