January 2, 2018 • Amanda McKeon
Whether you felt 2017 flew by or you just couldn’t wait for it to be over, from a cybersecurity point of view there’s no question it was an interesting year. There was something for everyone, including ransomware, botnets, major data breaches, IoT issues, as well as business and policy concerns.
Our guest today is Dr. Chris Pierson. He’s the CEO and founder of Binary Sun Cyber Risk Advisors, and a familiar voice for those of us who follow cybersecurity. Dr. Pierson serves on the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittee and is a distinguished fellow of the Ponemon Institute.
Together, we’ll take a look back at 2017 and try to make sense of what it all means as we head into the new year, what 2018 may have in store for the cybersecurity industry, and how best to prepare.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and thanks for joining us for episode 37 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire. Happy New Year to you all, whether you felt 2017 flew by, or you just couldn’t wait for it to be over. From a cybersecurity point of view, there’s no question it was an interesting year. There was something for everyone, including ransomware, botnets, major data breaches, IoT issues, as well as business and policy concerns.
Our guest today is Dr. Chris Pierson. He’s the CEO and founder of Binary Sun Cyber Risk Advisors, and a familiar voice for those of us who follow cybersecurity. Dr. Pierson serves on the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittee, and he’s a distinguished fellow of the Ponemon Institute.
Together, we’ll take a look back at 2017 and try to make sense of what it all means as we head into the new year, what 2018 may have in store for the cybersecurity industry, and how best to prepare. Stay with us.
I think, for all of us, there were many surprises that we encountered in 2017. I mean, first and foremost, who thought that the resurgence of destructive malware would hit us so hard? Ransomware had always been something that we were dealing with in small parts, but never was there the ability to take down global companies, take off healthcare institutions, take these companies offline, or so dramatically impact their bottom line in one fell swoop. I think the weaponization of ransomware this past year has been very, very interesting to look at. It’s almost akin to ’98, to 2001, 2002, when malware was being destructive and hitting MP3 files. That has been expanded in a galactic proportion in 2017.
I think that the ability of the attackers to really take up our time and efforts in dealing with ransomware has been a success from the attack perspective. From the defense perspective, not so well. We have 300 million dollars at least that Maersk is reporting losses on, and Merck — 270 million dollars that they dialed into for their insurance, cybersecurity insurance. So, these are major institutions that were majorly impacted by destructive attacks. I think we’ve seen a lot of that in 2017, and we’ll see a lot more in 2018. It really calls into question not our advanced knowledge of attack, but whether we actually have the basics down pat or not, and that’s what is most concerning as we take a look back at 2017.
I think, in addition, the number of, types of, and severity of data breaches, and the amount of dwell time that has existed within those organizations has been concerning in a number of different areas. The new revelations from Yahoo, the new information that we got from the Equifax breach. I mean, just earth-shattering breaches, not just in terms of the number of people or the types of information, but the reverberations that that has for all people involved in anti-fraud efforts, customer identification efforts, know your customer efforts. These databases that serve as the basis for knowledge based authentication, bank and payment verification, these are the systems that have been compromised. This data is out there in the wild. It really calls into question how, from a strategic perspective, we deal with those items going forward in terms of knowing who our customer is, or our identity management aspects of things.
In addition, the politicized environment of cybersecurity in 2017 with … Was it Russia? Wasn’t it Russia? The politics of the election, the politics of the attack, and still, I mean, it’s January first, and still, the news cycle on the impact of the DNC attacks and different hacks during the election still continues to reverberate, and many questions are still left unanswered. Those are some of the things that we were dealing with in 2017 that I think will have far-reaching consequences as we move forward, and really impact what we do from a corporate perspective, what we do from a government’s perspective, and what we do from a country perspective, in terms of cybersecurity and its impact on critical infrastructures.
Even the latest in mid-December regarding the industrial control system hack in the Middle East and the emergence of the Triton malware in that attack. Obviously, a successful attack in terms of getting in — unsuccessful in terms of accidentally tripping safety systems. But when we take a look at what the threat matrix looks like going forward in 2018, there was a lot left in the wake of 2017, and I think we’re going to hit the ground running in 2018, so a lot of different things to be worried about, a lot of different things that we need to talk about, and definitely a busy year.
You know, it’s interesting when you talk about some of the policy issues. I think one of the things that people point out to President Trump, they say cybersecurity was something that his administration has taken seriously, and despite all of the Russia questions, I think the notion that we all need to do a better job with cybersecurity seems to be one of the things that is non-controversial, in a bipartisan kind of way.
I think that is correct. I mean, look, cybersecurity is not about Republicans, Democrats, or any other political group that you ascribe to, it has nothing to do with that. It, at its base, has two fundamentally … You have two different groups that are part of it, the ones and the zeros — that’s it — and we want them to be in balance. We want them to both win, to both succeed. Cybersecurity is not about political party, not about affiliation. It is absolutely about making sure that those systems that are sacred to us, especially those critical infra-social systems, are being protected. There’ll be the right policies in place, we have the right external outreach in place in terms of State Department work, and that we have the right types of responses in alerting and communication systems throughout the country, and throughout the world.
I think that there’s a lot that still is left to be done in terms of cybersecurity policy. We have not yet lived up to the aims of the executive order. By that, I mean, the deadlines that were required under the President’s Cybersecurity Executive Order all started the toll in July, August, September, and October. Those are the different timelines that were established that we had. Quite honestly, we’ve missed just about all of those deadlines. All of them. That I see as being a negative. It’s not Republican or Democrat, we’ve just, on paper, missed nearly all of those deadlines, and therefore, we’re going to be late to the game in terms of trying to put in place smart communication systems to battle, smart legal tools to go ahead and fill in some of those rough areas, and smart defensive mechanisms to be able to deal with and cope with these attacks.
I really would wish that we had taken a look back to 2008 and looked at presidential guidance for the 44th presidency, for the 45th presidency just this past year ago, as well as some of the different cybersecurity executive reports that have come out. There are a few notable ones, and taking a look at … In 2017, the low-hanging fruit. The low-hanging fruit is not politicized, it doesn’t have any sway with one party or the other, or any one branch of government or the other. It literally is the low-hanging fruit, it is the stuff that cannot be destroyed by any reasonable cybersecurity expert. If we had, in the interim of getting full response to the executive order, if in the interim we had just taken care of the low-hanging fruit that’s been with us since 2008 and brought that forward, we would have had immense movements forward.
I don’t think we’ve lived up to what we said we were going to do in the executive order. I think we’ve also, from a world-stage perspective, crippled the Department of State. I mean, pushing cybersecurity further down into the basement, into the bowels of the State Department, forcing the individual, Chris Painter, who is leading that group in terms of the outreach to other countries, out of that position, I think is a big negative for our policies on world stage, for our communications on the world stage. So, I have some concerns in this area. I don’t think that it’s over in terms of, “We should all just fold it up and go home,” but I do think we have to figure out — really, starting today — what are we going to get accomplished in 2018, of those things we said we were going to do in 2017, and what things does it make sense to happen in 2018? What must we focus on?
So, let’s switch gears and talk about 2018. Looking forward to the coming year, what is your take on what our stance is — what our posture is? In terms of preparedness coming from the last year, where do you think we stand?
I think that from a … You really have to break it up into a few different areas. From a government’s perspective, I think that we’re woefully behind. I think that, once again, we should be enacting many of the different recommendations from the reports that we’ve had for the past decade, and instituting the low-hanging fruit and making some changes, making relevant changes, and/or trying to go for some of the big-bang options. We have a window of opportunity by which global tensions continue to escalate around cybersecurity, and I think we need to pay some attention there.
From a corporate perspective, I think that there are … Well, there’s a lot of work that needs to be done. A lot of work that needs to be done. I think a few different things that I see in terms of predictions and areas that we need to work on, one is the need for speed. Kind of, the Top Gun, “I feel the need for speed.” The threats are coming faster, the risks are coming faster, the reverse engineering of exploits is absolutely amazing. The business case around backwards engineering, reverse engineering, deconstructing, decompiling, patches, examining notes on different vulnerabilities by our cyber adversaries is really amazing. That business process is fast, and we need to be faster in understanding our attack surface from a production perspective and a corporate perspective. We need to be better at understanding what’s in the wild, and we mostly need to understand its relevance. How is this going to impact us? How does it relate to us? What can we do about it? That threat intelligence component is going to get only more crucial to corporate success in 2018.
We saw the same thing … I mean, we had a number of different things in 2017 that people needed to jump on. So, the weaknesses in WiFi that needed to be jumped on, the expanse of ransomware and the speed at which it traveled, number of different problems with … as I mentioned before, reliances upon KBA anti-fraud, and other types of systems. So, we need to get faster. We need to be faster, we need to move faster as it relates to threat intelligence and what it means for us, so that we are much more poised for a fight that we can actually win and have success on, especially as it comes from the corporate perspective.
You know, I think many people would say 2017 was the year of artificial intelligence, certainly in terms of what people were putting out there from a marketing point of view. As we head into the new year, do you think that’s going to continue?
I do, but I also think that there’s a duality here. Let me explain that. So, from a defender’s perspective, signature-based, exclusively signature-based tools are going to still be an important part of the corporate environment and corporate landscape. They are part of the basics, they’re part of the backbone. Our reliance on it needs to be adjusted depending what the threats look like and what is happening. We need to do a lot more in terms of the whitelisting and other different controls, but more importantly, we need to make a serious push of using AI to our advantage from a defensive posture this year.
I think you saw a lot of folks dabbling in it in 2017. RSA conference was chock full of … Everything had AI on the inside — even my coffee came with AI — but I think we really need to figure out … You’ve seen a little bit of compression in the market, a little bit of consolidation in the market. Maybe some of that was vaporware, maybe some of that was half-formed ideas — but smart people nonetheless — and they are sucked into larger organizations. Microsoft making an acquisition, Amazon making an acquisition. You have a few different planners out there making some smart acquisitions. Even the antivirus — traditional antivirus companies, I should say — serve to bolster their own behavioral analytics tools and capacities through the acquisition of some AI leaders. But that’s … I mentioned the duality. That’s AI on the defense side.
On the attack side, I think, in 2018, we’re going to see a lot more use of AI. Some of the big releases in November at the AWS conference were involving AI: AI in cameras, AI in technology. The AI engines and testbeds that they have are easy to access, very easy to play around with, especially on the camera side right now. We see a lot of motion there from the young startups in the venture capital community.
I think what we’re going to see is attackers playing around with AI a lot more. They are going to say, “Wow, instead of just taking me and my knowledge of how to use this attack vector, how to use the common tools that I have at my disposal for attack, putting that into some type of programmatic methodology … If you see this, then do that. If you see this, then move here. If you see this, then stop the attack and move over to another area.” I think we’ve seen this, but very much in a hardcoded fashion. “If this, then that,” but no real learning, no behavioral analytics, no behavioral movement there. I think what we’re going to see is attackers using artificial intelligence a lot more in 2018, and the only way to combat that is going to be through the use of AI by defenders, in terms of spotting that. So, this arms race is only going to get more combative this next year, but there is a duality there of AI.
You know, one of the things I think when I look back on 2017, and maybe a little before that, back into 2016, is that the attitude of boards of directors toward cyber threats and toward shifting the thoughts toward risk has been real, has really happened and taken hold. What is your take on that side of things as we head into the new year?
Yeah, this is probably one of the biggest areas that cyber defenders, that chief information security officers, need to have their arms around. Cybersecurity is a strategic business issue. Cybersecurity is a strategic risk issue. It always has been, but only, more attention is being paid to it now. Boards are very interested, especially after looking at Target, Equifax, Yahoo, even Uber. I mean, Yahoo — you have the entire databases going out the backdoor and a nice clipping of their price. That sale to Verizon. In terms of Equifax, you have a clearing of many different individuals after it’s totally unknown what, really, the cybersecurity risk posture was of that company, of that environment, or I should say, retirements that happened. With Uber, you have a gross misunderstanding in cybersecurity as it relates to breached data, whether legally cognizable breached data or not. Still, something like that from a private company perspective has immense weight, immense value in terms of the value of the company and the monies that were brought in by Uber this past year.
So, you have a lot of different things that are here. Cybersecurity is not just ones and zeros, but what we traditionally have is CISOs, CSOs, that are in the role of cybersecurity, that came up through the IT organization. They know the ones and zeros, they know it well in terms of an operational perspective. They learn it a little bit better in terms of strategic perspective, and they’re learning, right now, how to deal with it in terms of a risk perspective, but only marginally. I actually don’t think that learning how to deal with it from a risk perspective is the end game. It’s understanding how cybersecurity is a business advantage to the company, a strategic business issue. That’s what the board is concerned about. They want to make sure that the company can succeed, that the company is competitive, that the company has balanced risk, but what they want to know is, how can marketing bring our company further ahead? How can partnerships bring our company ahead? How can corporate financing bring our company ahead? And how can this topic of cybersecurity push our company ahead?
Also, with each of those topics is the, “How could it weigh us down?” But that’s only one side of the coin. Risk, which is where most CISOs need to be now — and just aren’t — is only 50 percent of the equation. The other 50 percent is, how can you strategically push business ahead? And for that, we’re going to need players at the board level, and at the companies that have been in the CISO position, been in the legal positions, been in business positions, so that they can serve as an intermediary between the board and executive management.
What I actually think is going to happen in 2018, quite honestly, is there are going to be a lot more folks that have cybersecurity expertise that are business people, that are asked to serve as advisors to boards, and asked to join boards of directors. This is an area that, in terms of the business judgment rule, people have to really, really be on their toes in business judgment rule, have to be on their toes in terms of boards and how they operate. I mean, these are different and unique groups of people, different and unique beasts. They really are concerned about the governance, strategic risk, strategic business opportunities. Cybersecurity is going to be part of this in 2018, and I think what we’re going to see is, we’re actually going to see this go a little bit in terms of the legally required area of, you must have somebody for public companies on your board who is an expert in cybersecurity, kind of the way things went with Sarbanes-Oxley back in 2002, 2003. You must have a financial expert on the board, you must have a cybersecurity expert on the board. I just think that there is no way to get around this, and with the right people serving in those levels, I think companies can be much more successful, much more business savvy, and it would also give cybersecurity a better voice.
What is your take in terms of the importance of threat intelligence for companies trying to establish their posture to protect themselves?
Yeah, you know, it’s really interesting how threat intelligence has really morphed over the past … Maybe even five years. That there’s been a wholesale morphing of threat intelligence as an add on if you have enough money to do it, to where we are now, which is really a … It is an absolute necessity for companies to have cybersecurity threat intelligence baked into their program. Let me explain why. With funding being an issue, with resources being an issue, with more importantly, the analytical skill sets and capabilities of those persons that you’re employing, that time limit is fungible there. You only have so much time that your people can spend on analyzing and assessing and interpreting the attack surface, things that are coming at them in the wild, and its relevance to the organization.
There is no substitute for having expert cybersecurity threat intelligence come in as a part of your company cybersecurity program, and even beyond that, into the development program as well as the operational program, really this SecDevOps model. Threat intelligence there tells you a few different, critical things. Number one is it tells you what is happening external to you. So, what is really happening out there. You need to know that because you need to then morph and adjust your own internal program and figure out what does this mean to me? How does this impact me based off of the types of controls that we’re using, the type of platform we’re using, what we actually do in terms of our product service? That’s number one.
Number two, how does this impact my customers? Three, how does this impact my vendors? And we’ve seen a large list over the past few years of vendors being the breach point for other companies, and it’s only going to continue. So, cybersecurity threat intelligence allows us to look at what is happening out there and say, “How do I make this relevant to me? How is it relevant to me, and what type of action do I need to take?” That’s the key here. With limited resources, limited budget, limited time, limited time of our individual experts who serve on our team and know our environments, what do I want to pay attention to? The only way to get that information is through threat intelligence information sharing. Cybersecurity threat intelligence has to be baked into the programs now. I think you could have made an argument years ago that it was nice to have. I don’t believe that that was true for 2017. I most assuredly do not believe that that’s going to be true for 2018.
The speed of the risks, the threat environment that’s out there, are just too big to take on yourself. You need meaningful, actionable advice, meaningful, actionable intelligence so that you can go ahead and take care of business. It simply has to be that way. It should have been that way in 2017. I suppose if you’re a little late to the game, or you’ve been running this as more of an ad hoc program, this needs to be fully baked into your environment, and your team. Team, not just cybersecurity team, the infrastructure team, the engineering team. So operations, development, security — it’s got to be.
Look at the number of AWS S3 buckets that have been exposed out there over the past year. I mean, the list goes on and on. Fortune 500 companies — some Fortune 100 companies — making sure that we have the right intelligence passed to the development team, the engineering team, that are spitting up these resources so that they know that this is an issue, know that people are searching for this, know that this is a weakness, is worth its weight in gold. We have to get there, we have to bring everyone along with us. Threat intelligence is that important lifeline for the security team in terms of its partnerships with others, as well as the team itself.
Do you think, looking at the new year, we’re going to see the same sort of rate of investment in cybersecurity as we saw in 2017? Do you think we’ll see consolidation? What’s the business outlook?
Yeah, I think that’s a really important question. I think that … And they did this about a year ago in December of 2016, and had said that there was a lot of good seed money that had been pushed out there to the market. There were a lot of good Series As out there, but that it would be a little harder to make the jump into Series B funding — so, the larger eight to 20 million dollar type of funding — and that as a result, you would see some market consolidation. I think we did see some market consolidation from some companies that were not hitting the ski slope necessarily as fast as they thought. They were definitely burning more money than they perhaps should have been, and so you did see some market consolidations there.
I also think you saw a lot of consolidation around AI. So, those platforms that were touting their AI capabilities, but were a little slow in terms of getting more than a handful of customers to join them, really were great acquisitions for some larger players in the market. I think that you’re going to see some of the same stuff, at least in the first half of 2018. I think in the first half of 2018, we’re going to see some of these smaller firms, smaller companies, that are in between an A and a B round, or the B round isn’t lasting as long as they would like, get picked up for the 50 million dollar to 100 million dollar mark. I mean, 50 million dollars is, really, a nice area of opportunity for companies to gain a jump on talent. You acquire companies because of talent that they have — product or service — and you acquire them to get a faster jump on engineering the solutions that you want to bring to bear. And in some cases, customers, if they have a certain channel, a certain sector, that they’ve been more successful in than others, also serves as an interesting lure.
I think that you will see that continue for the first half of 2018, but I also think that we’re going to see a lot of new funding, especially in the areas of industrial control systems, happen in 2018, as well as third-party supply vendor areas, as well as cybersecurity operators. So, not the folks that are providing and building new products, something that solves a problem, but folks that are actually solving the whole problem. In other words, you see certain segments of the market say, “Give me your cybersecurity. We’re going to take care of it for you.” I think that there are some interesting opportunities there, as well, in terms of green space.
So, I think that the first half of the year we’re going to see some of the same from 2017, definitely consolidation, but we’re going to see some new and interesting areas get investment in 2018. I mean, the AWS conference, and a lot of that applies out to Azure and Google as well, the ability to push out to the market entire databases, entire engines front to back that are cycling around the topic of AI. And I used the camera analogy earlier — these are going to start whole new segments of the market in terms of products and services. It might not be cybersecurity products and services, but products and services, nonetheless. I think that is going to spur a lot more investment in cybersecurity, in IoT, and in some other different areas as these devices affect both our corporate and personal lives, but there will be definitely a pick up this year.
I want to start to wrap up with you. Let me put you on the spot here to close out. Do you think, in 2018 … Do you think we’re going to gain on the problem? Do you think we’re going to lose ground? Or do you think we’re going to hold our own?
I think what we’re going to see in 2018 is a much more calamitous attack than we’ve seen before. That’s on the negative side, but I think that we’re going to see something where there is a cyber adversary that has an “oops” happen — they didn’t mean to take something down, like the Triton attack in the Middle East, or some malware performs differently than expected. I think we’re going to see some type of industrial control system critical infrastructure mishap, and maybe that it was targeted, maybe that it was planned for the future, but I do think that we’re going to see something that’s more real, more palpable there. I think we’re already starting to see that happen, and that may be many different reasons; maybe something that’s on purpose, but more likely than not, I think it’s going to be an error, or by a real rogue group of individuals. I think that that will definitely be to our detriment, and we’ll be behind the ball there.
However, as it relates to the potential for home, personal cybersecurity, I think that there’s a potential that we become more cyber secure as products become unusable. In other words, ransomware that impacts IoT devices. Just the past week over the Christmas holiday, we had Sonos and Bose speakers being able to be taken over and “Rick Rolled” by third parties. These are expensive pieces of equipment. People are outfitting their homes with these types of speakers, and having the speaker be bricked is going to cause the customer market to demand better cybersecurity, to demand cybersecurity baked in on the front end, to demand privacy baked in on the front end for their IoT devices, their connected speaker, connected cars, connected whatever, that they have at home. I think that that is going to change, to some extent, the mentality of those companies, of those engineering teams, to be more mindful of cybersecurity as they’re building their product. I see that as a positive.
I also hope — and am very hopeful that we will start from a government perspective — we will start to push forward on the executive order, start to push forward on the long list of things that we need to do to have better cybersecurity, policy around cybersecurity, and some change in some different laws in that area, as well. Every single day I look at the venture capital space here, the investment space here, and I am really enlightened by what I see in terms of the amount of entrepreneurship, the amount of investigation, the amount of curiosity, the amount and degree and creativity that is being expressed by these companies every single day working on these hard issues, and by the VC community’s willingness to support these different areas. I think that we’re actually going to solve a lot in 2018. It’s going to take us a little while to get there, but I’m actually looking forward to it, and looking forward to that continued curiosity and product enhancement improvement that we’ve seen from many new companies in 2017, and look for a lot more in 2018, as well.
Our thanks to Dr. Chris Pierson for joining us.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online.
The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.