Last August, we kicked off a monthly talk show series called Ed TALKS (edtalks.io). Each month I bring cybersecurity leaders together to debate various topics. We took December off to recover from the end-of-year madness ☺ but we'll be back at it again in January 2021.
As 2020 draws to a close, I reflected on our first-ever Ed TALKS this year and decided to summarize what I learned. There were definitely some surprises, and a lot of consistent themes, despite the variety of the shows:
- Back to Basics: Security Principles in Technical Roles
- It's Not Me, It's You: Kicking 3rd-party technology risk to the curb
- Cloudy at the Breach: Your Software, Your Data, Your Loss
- Paying it Forward: Securing Technology in the Payment ecosystem
The Big Picture
There were three major themes of agreement across twelve security leaders:
- The cloud is having a major impact on all business
- Cybersecurity is fundamentally a people problem
- Technology isn't the answer
Regardless of the topic, the cloud came up in discussion… a lot! Of course, I expected it during "Cloudy at the Breach," but it also came up in "It's Not Me, It's You," "Paying it Forward," and "Back to Basics" too. Five years ago, I heard a lot of companies talking about "moving to the cloud," replacing the old data center model with infrastructure as a service (IaaS) from Amazon Web Services and Microsoft Azure. Apparently, many of them have finally done it and are realizing there are many new risks to consider. Charisse Castagnoli of InstaPay and John Masserini of Millicom both discovered Shadow IT when they noticed skyrocketing corporate credit card bills. Masserini said it was as easy as "Pop in a credit card, you get a server." Castagnoli called it "getting around your ridiculous procurement rules." Even Fred Pinkett of Absorb Software said, "moving your stuff to the cloud doesn't move the responsibility to your cloud vendor."
During the "Back to Basics" talk, I asked the experts what the most critical or underutilized principle was. Mark Merkow from Health Equity said defense-in-depth, but specifically application defense-in-depth, because there's always "the assumption that somebody else is taking care of this for me" when it comes to security, and this is most true when deploying software applications in the cloud. As organizations embraced the cloud and moved their applications there, they simply assumed that a great deal of security infrastructure, controls, and protections came with the move… and they absolutely couldn't have been more wrong.
Gartner claims that through 2025, 99% of cloud security failures will be the customer's fault. None of the three cloud experts in "Cloudy at the Breach" agreed with that figure; BUT, all three did say the number would be pretty high - "in the 90s" was the general sentiment. Satish Janardhanan of Accenture pointed out that "at the time when a good over 90% of legacy applications rushing toward the cloud were originally designed and developed, the cloud did not exist…. So those applications, if they move on a lift-and-shift basis, oh, boy, are they vulnerable!"
There were two prominent themes when my guests talked about cloud security: IAM & crypto. Identity and access management was flagged as the most common misconfiguration flaw, but there was also general agreement that it's tough to get right. On the other hand, encryption (or lack thereof) was overwhelmingly viewed as nothing more than human stupidity or negligence. That isn't something that anyone said is tough to get right - it's just something that many people don't do (often unintentionally).
This was another universal theme throughout all Ed TALKS – every one of the cybersecurity experts considers security fundamentally to be a people problem. Noted author and speaker Ira Winkler was the most vociferous about this point. Referring to his latest book, You Can Stop Stupid, he points out that security professionals need to plan for both malicious and unintentionally negative actions. He said, "With the realization that users are not going to be perfect, it's then up to the systems designer, developer, maintainer, security professionals to proactively expect the stupid, for lack of a better term, and put countermeasures in place to mitigate the likely losses."
Kara Gunderson of CITGO agreed. She said, "according to the National Association of Convenience Stores, over 60% are single-store operators…. individually owned and independent operators. All they want to do is sell smokes, Cokes, and gas. They want to plug stuff in. They just want stuff to work. And when stuff doesn't work, they say, just bypass the firewall and just make it work."
When it comes to software development, Mark Merkow and Satish Janardhanan had very similar thoughts. Merkow flat out declared, "It's a people problem. If we didn't have people involved in software development, we wouldn't have 98% of the problems we do." And when giving his final word of advice, Janardhanan succinctly quipped, "Make sure you build talent and skill among the people who are developing code… That's my number-one thing to do. Train software teams on security."
Nazira Carlage of Salesforce.com had a positive spin and a word of advice as well, "Education and awareness, enablement, and then lastly, empowering. I think empowerment is a big thing. If you empower your people to do the right thing and give them the right tools, I think it could be very powerful."
Tech? Not so much
Typically, when cybersecurity nerds come together, the talk inevitably goes down a technical path. Not so with the 2020 Ed TALKS. These cybersecurity experts are also shrewd business people and often find themselves in the unenviable position of trying to explain security (or why security) to people whose job is primarily something OTHER than security. They take that responsibility seriously, so they focus more on the principles and practices and less on the technology that helps enable them.
Josh Corman of DHS's Cybersecurity and Infrastructure Security Agency (CISA) co-authored the Rugged Software Manifesto (ruggedsoftware.org) years ago. In his words, "Those who write software and create digital infrastructure carry an awesome responsibility that the world is increasingly dependent upon, but software is not nearly as dependable as steel and concrete. So we wanted to take those hard disciplines of engineering and put some of that responsibility into the heart of the folks making digital infrastructure - the enlightened folks that care about software security and resilience have to carry an asymmetric amount of the burden to educate, inform, and inspire."
Uma Chandrashekhar of Alcon stated that security principles are being ignored because of technology. "They're being taken for granted with technology that's being thought of as the solution." She said it's up to security professionals to "make it easy to understand, for people to implement, regardless of their function."
Uma's comments were the other side of the same coin Ira Winkler talked about when he told security teams to expect the stupid and put countermeasures in place. He quipped, "Behind every stupid user is a stupid security professional."
Industry veteran Phil Agcaoili offered up some practical, actionable advice to security professionals that doesn't require anything sophisticated: "turn on URL filtering, block ads, and also go ahead and block uncategorized URLs," he said. Uncategorized URLs, to Phil, means any URL, domain, or website that the content security system didn't recognize or hadn't categorized as sports, entertainment, news, etc. If it didn't have a category, it was blocked. When he implemented this as a CISO, his team reported, "we're only seeing four to five compromised systems per quarter now instead of per week when we turned off uncategorized URLs."
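As an added illustration of the default-deny policy Phil describes (example code written for this summary, not anything from the talk or from a real filtering product), here is a small web-proxy policy evaluator in Python that allows known categories, blocks advertising, and blocks any host the category feed does not know; the category table and domain names are constructed stand-ins for a commercial categorization feed, and subdomains inherit the category of the nearest categorized parent domain.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed category table standing in for a commercial URL-categorization feed.
# Keys are domains; subdomains inherit the nearest categorized ancestor's category.
CATEGORY_DB = {
    "example-news.test": "news",
    "example-sports.test": "sports",
    "example-tracker.test": "advertising",
}

# Categories that are blocked even though the feed knows them ("block ads").
BLOCKED_CATEGORIES = {"advertising"}


@dataclass
class Decision:
    host: str
    category: Optional[str]
    allowed: bool
    reason: str


def lookup_category(host: str) -> Optional[str]:
    """Walk from the full host toward its parent domains so that
    cdn.ads.example-tracker.test inherits the category of example-tracker.test."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return None


def evaluate(host: str) -> Decision:
    """Default deny: anything the feed cannot categorize is blocked."""
    category = lookup_category(host)
    if category is None:
        return Decision(host, None, False, "uncategorized: default deny")
    if category in BLOCKED_CATEGORIES:
        return Decision(host, category, False, f"blocked category: {category}")
    return Decision(host, category, True, f"allowed category: {category}")


def summarize(hosts: Iterable[str]) -> Counter:
    """Count decisions by reason, the kind of figure a CISO reports per quarter."""
    return Counter(evaluate(h).reason for h in hosts)
```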
Surprise, surprise, surprise
There was also a surprise that emerged in the 2020 Ed TALKS. Threat- and risk-based approaches to security were proactively offered as hallmarks of effective programs. I've always been a big believer in threat modeling, but I was quite surprised at how frequently it came up. And the passion with which my guests spoke about it warmed my heart. It's a positive sign for our industry. Let me summarize and recap some of those highlights.
Charisse Castagnoli talked about her 3rd-party risk management approach - she walked the group through a basic threat modeling exercise without ever mentioning threat modeling at all.
"It all starts with knowing your assets" she said. "You've got to bucketize the asset that's going to be involved with that software. I don't care if it's from Salesforce, Amazon, or your neighbor's kid down the street. It's really all about the assets that are going to be in there. In fact, we bucket by high/medium/low, and then 'oh, heck.' I do have an 'oh, heck' category because I have no business if I have no payments. Our payment processor got hit by that storm that went through Iowa and went dark. Fortunately, we had a business continuity plan. It was painful, but we managed."
Josh Corman pointed out that the US Food and Drug Administration "does, in fact, now explicitly require a threat model for all new medical devices." But he also pointed out, "there are 10,000 MDMs or medical device-makers. There are not 10,000 safety-critical threat modelers." But the activity of threat modeling is well known and practiced, even if not under that specific name, as illustrated by Charisse's example in the previous paragraph.
Josh talked about using threat modeling approaches with product managers by creating abuse cases alongside use cases - or just augmenting existing use cases.
"If there's a business requirement to handle 10,000 concurrent connections at peak business hours, we would add a sentence, while sustaining a denial-of-service attack of 10 gigabits per second." He concluded that with threat modeling "You're helping them achieve what they already wanted to achieve more completely."
Mark Merkow talked about threat modeling in the context of user stories.
"We talk about building security and shifting left starting from the beginning and all of that. The one powerful method of doing that is implementation of requiring security as acceptance criteria for user feature stories. In other words, use the acceptance criteria as guardrails for how those features are going to get implemented and force them to think about it from the very beginning, instead of waiting to the very end and say, oh, shit, we've got these kinds of problems that we should have solved through threat modeling, through effective reuse of known secure architectures, etc."
Vlad Joanovic of Microsoft summed it up nicely, underlining the importance of software teams "understanding the different threats and compromises and really thinking about the whole system from the entire lifecycle of an app and considering all aspects of where security can be compromised."
Check out edtalks.io to watch all previous talks and for information on joining us for the next live Ed Talk panel.
"For two decades, I’ve been fortunate to have crossed paths with respected industry luminaries and practitioners. On a regular basis, I invite them to discuss practical approaches to securing the software ecosystem based on today’s realities: complex tech stacks, evolving threats, motivated attackers, mounting regulations, and unsettling skill gaps."