The Hacker Mind Podcast: The Internet As A Pen Test

Small to medium businesses are, today, the target of APTs and ransomware. Often they lack the visibility of a SOC, or even basic low-level threat analysis. Chris Gray of Deep Watch talks about the view from the inside of a virtual SOC, the ability to see threats against a large number of SMB organizations, and the changes to cyber insurance we’re seeing as a result.

VAMOSI: Something has changed in the last five years, and demonstrably so. Small to medium businesses are being targeted more and more. And why is that? Well, unlike large organizations, small to medium businesses lack the full accompaniment of network defenses. So they’re often unprepared when a nation state APT chooses to focus on them.

A lot of SMBs do not have security operations centers or SOCs. They have IT contractors who can provision laptops and maintain a certain level of compliance and security. But if there’s an advanced persistent threat or APT lurking on one of the small or medium business networks, how would that organization know? And if the threat were distributed through several SMBs, again, how would any of them know?

I’ve spoken about this before, about managed service providers or MSPs. They can provide that additional security, remotely. I want to talk more about the privileged position they have when it comes to these larger threats. These virtual SOCs are providing greater visibility into these low noise attacks on smaller and medium sized organizations. And, as my guest will say later in this podcast, these virtual SOCs are like pen testing the internet.

[MUSIC]

VAMOSI: Welcome to the Hacker Mind, an original podcast from Mayhem by ForAllSecure. It’s about challenging our expectations about the people who hack for a living. I’m Robert Vamosi and in this episode I want to explore the world of how best to mitigate active threats against smaller organizations, from the point of view of someone who sits inside a virtual SOC.

[MUSIC]

VAMOSI: In EP 49, I talked with Huntress, a managed service provider that discovered the ransomware affecting customers of Kaseya. They were able to do so because they were plugged into a number of clients that were affected. And because they were plugged into those clients, they were able to limit the spread of the ransomware. There are a number of other managed service providers.

GRAY: Absolutely. My name is Chris Gray, and I’m the Vice President of customer success for Deep Watch.  Deep Watch is an organization that started off primarily as a virtual SOC for our clients, specifically focusing on meditation and response. 

VAMOSI: SOCs, either physical or virtual, are not a one size fits all model. For one thing, as the organization grows, so does its need for more analysts. That’s where having a SOC as a virtual or managed service makes sense.

GRAY: All sizes of companies should be doing it for different reasons. For some of the smaller companies, they simply don’t have the personnel capability, the time. I talk to customers regularly and have the conversation with them. You don’t necessarily want to spend the money and the time getting good at something that you really don’t want to, don’t need to get good at in the first place. And the end result of that being not that you don’t need to do it, but it may be something that’s, you know, far easier to outsource to a specialist provider, in a way, and then you consume the outcomes. As you move into the mid range companies, the same model happens. They have those security capabilities. Typically they have a greater span of control across the platform and the capability across the platform in the industry as a whole. But even they need that additional help.

VAMOSI: A few years ago, the number of remote workers was few enough that IT departments could reasonably handle the individual situations. Today, I work at my second all-remote company. It makes sense; we can hire the best people from around the world. We’re no longer limited to the local market. On the other hand, that means all of our remote equipment is potentially vulnerable to attack, and thus the need for a SOC, either physical or virtual.

GRAY: This has been exacerbated quite a bit from the COVID perspective. We’re all aware of the talent shortage that we talked about and all these other kinds of issues. Your security operations profile was really, it’s your eyes and ears facing what the bad man or woman is trying to do to you from an organization standpoint on the outside. With global unrest and everything else, this, you know, we’ve got organizations that are being targeted in ways that they weren’t necessarily even considering a couple years back. So this rolls out to them from the larger scale companies. A lot of the larger companies, they absolutely have the ability, necessarily from a funding capability perspective or from a security program perspective, to create their own, if you will. However, many of them are finding again, there’s a benefit from the perspective of having someone else who’s doing this work that specialized in their area. There’s a benefit in this, you know, when we’re talking from the perspective of security, cyber insurance and other things of that nature, of having an external set of eyes, having an EDR capability that’s been done by a professional organization to make that easier for them, as well as from the perspective of the SEC in some of the requirements that are coming down, and just the awareness that people want in general. Having a partner who, this is what they do, they have a broader spectrum of visibility than necessarily you would as an organization. They see hundreds of organizations, not just yours. This also helps them, so there’s really not a one size fits all. The general assumption on this is that more and more people are doing it for any number of reasons, to include the ones we just talked about.

VAMOSI: So what verticals stand out as customers for a virtualized SOC?

GRAY: Good question. There are a number of verticals that stand out. I would go so far as to say that almost all of them are involved in this. Almost all of them come into this where and when I’m saying, trick question, that’s not on you. That’s not that on a nuanced level. There are a lot of organizations who, back to the previous comment of don’t try to do what you don’t want to do, that’s fed up a lot, as well as just highly regulated organizations, critical infrastructure organizations, things like that, that need to have that visibility. If I had to say who were some of my most common ones: finances or financial systems, those are always large, they’re heavily regulated, they tend to be widely spread and expanded. My healthcare is always going to be one. Again, it’s a vertical, healthcare and education, both where you have large amounts of very sensitive information, but not necessarily the budgets to secure it effectively. And we’re starting to see more and more. You read about supply chain failures left, right and sideways these days. And that’s not just the physical supply chain, that’s also on the virtual supply chain. So from software, media, everything else of that nature. You’re starting to see a lot of those organizations invest more heavily in this attraction perspective, because again, they have so much to watch and it’s so difficult to edit. That’s where even if they’re still doing it themselves, they are definitely looking for partners who can help them cover in the areas where, you know, their capability may not be quite as hard and fast as it should be, so other people can help cover for any inherited or undeveloped as of yet since may exist.

VAMOSI: There’s another advantage to having a virtual SOC — they see more than the traffic to your own organization. In other words, they can detect something that will be affecting others and prepare those organizations against that attack.

GRAY: I have conversations with clients on a regular basis. You’re sitting by your campfire. You can tell me what color the flames are, how much is popping, how much smoking and all that, but in the night, that’s pretty much what you can see. Deep Watch, we have the benefit of being able to sit about 100 yards higher than you and look out across this field of campfires and trend the information and bring it together. That’s one of our big value adds on this is we have our advanced threat teams, our intel teams on all this, where that is their purpose in life is to, to your point, not only help our customers understand what the threat landscape is, but also be able to identify trends, actions that are happening early and then spread that out across all of our consumer environments, whether they’re being affected by it or not. The intelligence we gather from one organization can then be a plant throughout our ecosystem. And it is a great benefit to our customers. They are all very interested in this right now and very receptive to any advice we want to give.

VAMOSI: They’re receptive because they’re seeing other organizations their size getting hit.

GRAY: I mean, to your point. Scary time. Yeah. And they’re always scared. They’re never picking a time when things aren’t spooky. The point being now that the world is becoming smaller. And it’s forcing people to converge on their actions as opposed to handle things, but we really can’t balkanize things anymore. We can’t just, you know, bust things up into small parts and say this is my world because again, the internet is a pen test and we’re all in this together.

And we’re also on the cusp of ChatGPTs on everyone’s terms. That’s an example of AI. AI will be used maliciously. But AI is also going to be incorporated at a much higher level into the defensive operations to the point where mistakes, attacks and defenses are all occurring at machine speed and it’s going to be a continued equalizer. So yeah, we’ve talked a lot about a lot of things that are kind of terrifying, but at the same time, all of this is driving innovation. And that’s kind of the history of the human race. We find a problem, we move past it so we can find the next problem. But, you know, it’s catching up. And this is all being driven from a financial and capability perspective and everything else. 

[MUSIC]

VAMOSI: So if Chris is actively monitoring the threat landscape, does this mean that he looks at, like, configuration and updates and issues that are within the companies, or is he looking at active threats that are happening now that can affect the companies?

GRAY: Within scope. Primarily the second. I mean, we’re looking at what’s going on where our teams are monitoring. You pick a feed that comes in as a threat intelligence platform feed, and we’re there. We do our own in house customer development on this as well, very heavily, from the perspective of am I looking at your threat landscape. We have roughly three services that we offer that directly tie into that. We do endpoint detection and response and the management side there, where I become the administrator for our clients on that piece of revenue. We do the same thing for firewalls. So we’re playing at that level. The third piece that we’re doing on that is through our vulnerability management program, where I’m not necessarily the human being who is fixing all the issues, but we sit down with our clients to understand what matters, to ensure that their scans are being run regularly and effectively, that we’re deduping identification from an IP perspective or a system name, to help them get control over the vulnerabilities that they have in their systems, in their environment, as well as to help them prioritize those and validate whether or not remedial actions have been effective. So while I’m not going to log in as root or admin on the bottom for a lot of those kinds of scenarios, I absolutely help our clients understand, based upon industry knowledge, based upon what we see, etc., this is what you should be concerned about. And then there’s the flip side of it where I’m not. I don’t serve my clients best when they use one of my services. I’ve served them best when we combine these. So if I find these vulnerabilities and I find these weaknesses, I may be able to fix them depending on the platform, as well as then take that information, live it back into the NVR platform so that I can ensure that although I know these systems are vulnerable, they may not need to fix them yet.
I can increase the sensitivity of reporting on those so that they’re not only getting awareness of the issue. They’re getting enhanced monitoring and alert capabilities that drive out as part of the combined wheel of life within the Deep Watch services.

VAMOSI: Cybersecurity insurance. I know that’s kind of a controversial topic. Should you do it, should you not?

GRAY: Well, I mean, depending on who you talk to, there’s a very large expectation that within a couple of years, a significant number of countries in the world are going to come back with what the requirements are and how you play with it. Should you do it or should you not? That’s like any insurance policy: if you don’t, you’re going to have to be able to explain why. And you’re going to be explaining why, as an organization, your internal capabilities meet or exceed the coverage that you would otherwise be provided as part of the result of a cyber insurance policy. Cyber insurance as a whole was changing heavily. It started off pretty easy to get. You fill out a one page piece of paper and you get cyber insurance. Then 2020, 2021, the first part of 2022 happened, ransomware went wild, and so many of the cyber insurance companies they were reading were against the ropes and struggling because the payouts were written against what were initially rather loose policies. Turned into continuous conflict. We’re seeing that changing some. In the latter half of 2022 ransomware actually kind of appears to be flattening off. My personal belief is that that’s not gonna last, it’s a false indicator. Losses are down but severity is up. So yes, there’s not as many, but the ones that are hitting are there. Double extortion is going to continue, if you’re familiar with that entire concept of not only am I going to threaten you from a ransomware perspective, but I’m going to exfil all your data in the first place. So I’m going to hit you if you don’t want me to lock your system up. I’m gonna charge you once and then, oh, by the way, pay me again so I don’t dump this on the wiki links or something somewhere like that. Ransomware as a service is a thing now. There’s money to be made, someone will make it. So all in all, I’d like to say there’s a dip which might have caused people to question whether or not cyber insurance was necessary. It’s not really a dip.
Like I said, I believe it’s a false positive. And on top of that, social engineering woes are growing, that’s becoming more and more of fraudulent payments, just all these other things. So where there’s a gap, the pieces pick up. So with all that said, do I see cyber insurance going away? No.

VAMOSI: That’s interesting. Where ransomware is subsiding, then other forms of attacks are rushing in. It’s not like data breaches are going away, they’re shifting. And these nuances are being noted in the insurance industry.

GRAY: Here’s the hope. Here’s the golden carrot: as ransomware has dipped down a little bit, that’s given a lot of the professional insurance organizations a chance to get their underwriting set up better. We’re actually seeing, as opposed to what’s in the red, a geometric rate of increase on cost and the opposite side curve with regards to what they want to cover. The insurance organizations have had a chance to do what they did, which is, let’s get all of our actuaries in a room and find out where we’re making money, where we’re losing money, what we can do better and how we can get this going. So the underwriting processes are becoming easier. That all being said, it’s gonna make it harder for smaller companies to enter the market. But it will. It’s kind of like case law. As more and more people do this and show that they’re doing it well, that will enable that, that is more than likely going to increase competition in the market, which will lower prices, but the days of a blanket policy that covers those are gone. Policies are getting easier to underwrite. They are getting easier to bring out, but they’re becoming more and more specific as to exactly what they cover.

VAMOSI: Now that’s less of an umbrella. If you’re in the line of fire in a cold or hot war with another country, then you may no longer get that benefit.

GRAY: One of the big topics that undoubtedly everyone knows more than they want to know about is geopolitical unrest. We’ll use the Russia Ukraine scenario. Things like nation state activities kind of fall into the realms of acts of God. I can’t insure against it. There’s not much I can do for you, you’re just going to have to deal with it. So again, we’re at a really interesting inflection point right now. It is getting more and more people thinking about ditching their cyber insurance because the cost benefit ratio was really not there. But now we’re starting to see some of the costs and some of the variables be defined much better, which is going to encourage people to come back here because again, it’s like any insurance. You owe it to me as a consumer of your company, as an investor, as a stockholder, as just someone who you want to trust. You owe it to me to be able to explain to me why your activities are not negligent. You know, you’re not getting insurance just because you don’t want to spend the money. I don’t care. It is the world now and you’ve got to be able to address it. And that puts companies in a rough spot.

VAMOSI: That’s an interesting scenario. Say you have something that’s clearly in the critical infrastructure, maybe even life critical. You can’t have them fall victim to a ransomware attack. So maybe the government steps in and makes it easier for that organization to get insurance?

GRAY: One of the other questions that, you know, has been a big one in the last year or so is, should the government come in and subsidize, subsidize and establish a base insurance capability? And that’s extremely rife with conflict as well, because if I as the government come up similar to FEMA or some other organization like that, we’re putting that in plain sight. All companies, I’m giving you the ability to at a low cost get $150,000 worth of cyber insurance. Yeah, we’re all good. But that then also lets me know as a malicious user, as a hacker, if you will, that every mom and pop out there has $150,000 that they can spend on me.

VAMOSI: Oh, right, that wouldn’t be good if the criminals knew there was a minimum they could get from these organizations. Now you’re kind of putting a price on all the covered entities. Still, they need to be covered, somehow.

GRAY: So in an effort to make more people covered, I’m potentially also increasing the attack surface. Maybe I don’t need to go after Fortune 100 companies, maybe I just want to spread myself thin across the mid market, knowing that there’s an opportunity to get paid. This is an interesting question, and it’s, I know we’re talking about just the insurance, but you can see very rapidly how government oversight, regulatory involvement, all of these, they’re coming into play in this. They’re going to have to, and it’s going to make this an interesting couple of years. If it’s not going anywhere, it’s going to stay. The question is just going to become, what’s it going to look like?

VAMOSI: There’s been a lot of discussion about how companies are hesitant to call something a nation state attack when it was, because if the company does that, that absolves the insurance company.

GRAY: It’s a two edged sword. You’ve got companies on both sides saying this. You’ve got insured companies saying, because one of the things that’s come out with cyber insurance now is you have to prove to me that you’re doing good security work. You have to show to me that you’re using multi factor authentication, that you’re doing vulnerability scanning and mitigation, that you’re harming your niche, you’re aligning to a framework, whatever. These are becoming, like I said, today at the one page application, now it’s here’s War and Peace, fill it out at your leisure. So you got some of the companies who are covered who will absolutely throw their hands up. There’s no way you could have expected me to cover for this. I’m a little company that makes $1.2 million a year. To block this, I would have had to spend a million of that just on cybersecurity. That makes no sense. That’s why I have insurance. Okay. Makes perfect sense. The insurers, on the other hand, turn around and say this policy was to protect someone who makes $1.2 million. This was not a policy for a nation state target. So thank you for admitting that this was a nation state actor, because that just disqualified you from yelling up payout or significantly reduced it. I’m not trying to make anyone out to be a villain in either case. This is the business model. But again, it shows where there’s a lot of squishy ground all around this. This is a very new industry. You know, we’re talking about a couple of years old, and like any financial decision, I make the joke that security, cybersecurity people, were newcomers to this space of financial security. They’ve been doing this since the first person decided to try and float a bowl of rice across the river somewhere, you know, in the cradle of civilization, to sell in a neighboring village. Actuaries have so much data that they can play with with regards to our world. We’re still very new.
We’re in our infancy and data is proliferating at a rate that it never has before, which should give us greater intelligence as to how to play the game. But that data proliferation is also advancing capabilities, both offensive and defensive, at rates we’ve never seen, so enjoy. It’s a conflict rich environment.

[MUSIC]

VAMOSI: Chris has a unique viewpoint, able to see situations around the world. We talked about Ukraine, and how they are able to defend themselves against Russia’s attacks. What about China? What about Taiwan’s defense from China?

GRAY: Yes, it’s very interesting. When you look at what we’ve got going on right now, the Russia Ukraine scenario, although let’s not downplay the lies, that it’s affecting the strife, it’s causing economic damage and everything else, but it is, amazingly enough, staying in this one little localized area, and everyone almost has the ability to treat this like it’s a case study. I want to get some weapons here, and when I pay a little bit of money here, I’m gonna get some support here. What effect does that have? It’s almost like we’re doing a global economics case study as to what happens and how it happens. China is absolutely watching this because the invasion is not going the way that everyone expected it to go. The support by Western nations, more than Western, the support by nations backing Ukraine right now, it’s a very interesting indicator of what countries are willing to do. China invaded Taiwan, it’s not just going to be Taiwan they’re going to be facing, as for example, in this case, you know, the United States has come straight out and said they are our military ally. We will help protect them. That’s, no one in the West held their hands to Ukraine and said we’re rolling in and opening the door, we’re coming to help out. There’s significant differences. So I’m sure without a gap China is putting a large amount of interest into what’s happening. How’s it rolling out? What is the feel of the people back home? How far are they willing to support this? You know, all of those aspects, that’s something that they are. There are hundreds of doctoral thesis papers that are being written right now, I am certain, regarding all this, because it’s a freebie. They’re getting to watch the modern, global perspective on how something like this can be dealt with and use that to guide their own actions.

VAMOSI: I mention this because what I’ve been hearing is that the model might have been that they could go in on cyber and reduce the amount of kinetic force necessary and we’re not necessarily seeing that play out in Ukraine.

GRAY: We’re not, which has been very interesting. I think a lot of people expected Russia to have more of a cyber capability than they did. China has it. Let us not equivocate about that at all. They absolutely have it. And is it a thing? The cyber realm enables me to strike at people that I would never be able to fire a bullet at. I will give you an example. Let’s go back to 9/11 and the chaos that happened in New York. Cool. Well, what would have happened if a malicious crime group would have been part of that and they would have turned the phone numbers for all emergency services lines into, I don’t know, helpdesk lines for washing machines? What would have, imagine the level of chaos if the infrastructure components which are here to protect you suddenly were completely unavailable. That’s not out of the realm of capability and possibility. Imagine what would happen if we were facing an invasion and suddenly someone is getting into critical infrastructure and water is not flowing. There’s no gas, my toilets don’t work, there are supply chain issues and I can’t get food into the grocery stores. I can be fighting a war in Europe and have someone completely attack our infrastructure inside the United States, which is something that historically has kept us rather safe from a world war perspective. The world wars have typically been fought in the European theater, or Eastern Asian theater. But what if I can come home? And that’s the one thing that cyber lets us do, is I can follow you anywhere, because we’re talking milliseconds for a jump across the ocean. I don’t need to put people on the ground. I’ve got people sitting right here who can be there as quick as I can think about it. So it’s real. We are seeing the first conflict where openly cyber warfare is being engaged, but to your point, it’s a lot less than I think where many of us expected it to be. It’s giving rise to some horrifying concepts. They’re weaponizing people at home.
I mean, you saw this where Anonymous was basically saying, tell me who you are and what your skills are, I’ll find a way to put you in a cohort, you can strike back against the bad guy. You’re taking non military people, large amounts of skill, you’re politicizing and enabling that as a weapon of war. Wow. That’s a big step. And why should we expect that to stop?

[MUSIC]

VAMOSI: The Payment Card Industry Data Security Standard or PCI DSS has, for example, very strict requirements. With the requirements, we’ve seen credit card breaches decline, maybe because of that, maybe because of other reasons, but it seems like PCI DSS could be deemed a somewhat successful model, however, you can self attest or you can bring in an outside company to attest that you are following all the guidance and principles and you get a better rate for doing so.

GRAY: So PCI is something I’m very familiar with. I used to run the PCI services for QSAC and I’ve been a que si of two different types for years. And the point of all of them being, it is a status that is an industry regulation. That is an industry requirement, that is a sectoral enforcement model, and it is great. And no offense intended to the PCI Council at all whatsoever. Whenever you self attest or you get an audit performed, that is an attestation for a point in time. Yes, the expectation is that you will maintain that level of compliance at all times, which is a viable goal. It’s also very difficult, especially if you’re talking about PCI. You’re talking about hundreds of controls across potentially hundreds of systems, thousands of systems, depending on what your scope is. And this is the same thing for the insurance model. It is becoming more and more prevalent that the insurers are coming to you and saying, show me what you do. Do you have these controls in place? Does this minimize, you know, things we’ve kind of talked about already, EDR, XDR, MDR, all the things that we do, these are things that these companies are looking for. And these are benefits of you ensuring that you have multi factor authentication, that your mobile strategy is solid, that you’re, you know, one of the big things that we’re seeing now is that almost every open source code library that everyone uses everywhere has multiple vulnerabilities in it. So show me, as your insurer, that you are doing appropriate application of our DevOps security so that I know that you’re not putting a broken thing into play before you even start. These all matter. And these are the kinds of controls that you’re taught PCI, that’s a standard like that, would entail. The problem being, in the short run, PCI is a very specific standard oriented towards systems which store, process or transmit credit card information.
That could mean so much, but it also gives you the ability to lower that scope and constrain that scope and control what your area of surface management is. When we’re talking about cyber insurance, I’m talking about my company, all of it, my ubiquitous presence, be it whatever it could be. It’s hard enough, and the PCI Council’s had to deal with the risk based approach where one size does not fit all. I’m trying to achieve an outcome from a security perspective, not a specific activity. And that’s taking years and multiple iterations of the DSS to come to peace with, okay, I can name 17 global security frameworks, pick one and then apply it across your entire organization. It’s a matter of scale. It absolutely is an idea. It absolutely is going to be something that they leverage to try and say, are you doing the following fantastic TINs that I expect? Because if not, no, I’m not going to insure you, or I’m going to show you for this much and it’s going to cost you this much. These are the factors that are coming through. And yeah, I don’t feel like I’ve really given you a good answer from the perspective of is it going to happen? It’s already happened. But how, is there going to be a golden standard? No, I think the insurance agencies are literally going to say, based upon breaches, we see the following security control capabilities that have the biggest effect on mitigating or minimizing the results. Get those and then come talk to me. So rather than strict control language, I think it’s gonna be more of a capability model.

VAMOSI: That’s on the data collection side. There are also benefits to the end user as well, such as increased privacy.

GRAY: But back to the quick thing you brought up before, privacy requirements are going up, and that’s a good thing. You know, in a historical view of privacy, there was kind of the European model, which is, you have to explain to me why I should ever let you have my data. There’s the US model, which is, you have to explain to me why I shouldn’t know everything about you. And then there’s the people that I call the poor, squishy targets, the ones who are attempting to operate in both, who have to come up with fair play laws that work in either direction. The European model has more respect, if you will, for the individual’s rights. And that is where we’re going. That’s what’s being said, you can look at CCPA and all these other things. What we’re talking about is GDPR light, and it’s coming across the borders. So we will see more, and you will continue to see the concept of privacy by design push forward. You will see the drivers that have happened in the last couple of years, be it the breaches, be it hybrid workspace. So everyone’s working from home and now my company’s perimeter is this desk I’ve got in my house. You’re seeing convergence of data. So whereas it used to be sectoral, health information, PII, financial data, it’s all being conglomerated within that, which will again drive this. You’re seeing the digitization of the world: how much business do you do on your phone? Even a few years ago, you had to go into a bank and sign paperwork, and now I’m digitally signing things and sending it out. The Metaverse, if you will, all of this, this is all driving the change. And the good news about this is, from the perspective of those of us who’ve got to enable it, it’s terrifying because there’s so much work to be done.

VAMOSI: Work to be done on the organization side. How does that benefit organizations? Their customers are starting to notice. 

GRAY: But from the perspective of the end user, if you will, there’s more focus on protecting their data, I think, than the public ever has had in the past. And that’s a good thing. It’s got to change the way that we operate. You know, you’ve read the cybersecurity strategy that’s just come out, where security is being pushed onto the manufacturer. No longer is it you can throw out whatever you want and it’s on us to make you safe. Now, how about secure and private by design? Let’s run it that way. So there’s a lot of things which are driving change. What we’re talking about appeared negative, but that’s no different than any other point in time in history. There’s always change which is driving evolution. We’re hitting a point in time now where cyberspace is becoming a common space, because more and more of our lives are in it. And this is going to drive some outstanding changes. 

VAMOSI: So staying with privacy, I am wondering: is it personal information, or is it source code? 

GRAY: The Internet is a penetration test. If you are connected to the web, then someone’s riding by, potentially an automated or AI driven Blackhorse, daily attempting to steal whatever you have. And do people target organizations based upon what they have and the data they have? Absolutely. Go talk to anyone in healthcare and talk about how PHI is one of the most lucrative targets that are out there. Go talk to any organization out there that has large amounts of IP and ask if someone is trying to steal that data daily. Yes, they are. But we can’t discount the noise, which is just people trying to do things in the first place. There’s absolutely talking about it. It makes the world go around and is malicious, if you will. So the hacker mindset is absolutely something that is more of a business now than it ever has been. I read an article the other day that was just purely depressing. And it was talking about how some of the criminal organizations that do this operate in places where they’re not necessarily punished. They’re advertising effectively on job boards and offering better pay and benefits than many of the defensive security organizations; this is a business. I was reading an article earlier this morning where someone literally said there’s a lot of layoffs going on in the IT space, and if someone who’s a technical professional who’s trying to feed their family gets laid off, that fuzzy line between which side of the law am I operating on gets a little bit questionable whenever you’ve got to eat. So right now, in many cases, as an industry, are we creating our own enemy, if you will? I don’t know how much I believe in that. I think that people that tend to stand on the white hat side will tend to stay there, but I also know that desperation causes a lot of issues, and how many thousands of people have been laid off in the last couple of months? There are points to be made on either side. 
But do I see them attacking one more than the other? The bigger your profile, the more you’re going to be targeted. And that’s really the difference. Again, I can ride by and throw an OWASP Top 10 set of scripts or Metasploit at you and either pop the perimeter or not, and get established in, and then start trying to do all the normal fun things I would do. Absolutely I can do that. I may be noisy when I’m doing that because I’m generically targeting you. If I’m coming at you because you have something specifically I want, you’re going to be facing a significantly different skill set that’s coming at you, a significantly different amount of funding. And that’s even causing some, I’m sure you’ve read or heard about it, it’s kind of interesting how a lot of criminal groups have actually started kind of pulling back a little bit, because they realized, especially in the past tense here of the conflict between Russia and Ukraine, they’re being very careful to establish non-attribution. I don’t want someone to know who did this, because they will come back after me. You can see some of these large scale crime rings that have been put out of business recently. The anonymity of the internet is coming to an end in a lot of ways, and given how cyber attacks are becoming ubiquitous and viewed as a meme, as a component of national strategy and national security, the “boys will be boys, girls will be girls, we were just having some fun and stealing a little bit of stuff” doesn’t work as well anymore. You cross a line to where now it’s not just the nation state that’s trying to hack you. It’s a nation state that’s trying to stop you. And that’s an interesting escalation of warfare.

VAMOSI: So it’s both logical and illogical that these large criminal organizations would turn toward SMBs. It makes sense; they have fewer defenses. But on the other hand, it doesn’t make sense if you only get a little bit of information from each. You’d have to target a large number. 

GRAY: We have our advanced threat teams and our threat hunters who work within this. Those two orbs work hand in hand, one being more of a centralized model and one being more of a customer specific threat hunting model that works within our squads, in the customer environment. They are absolutely monitoring everything that’s going on out there. They’re absolutely taking the feed, integrating that into our platform, into our capabilities. That’s what’s expected of someone who plays in this. That’s not even an advanced capability. That’s table stakes. That’s why you pay me money: so that I can leverage economies of scale, have more shared intelligence, so that you as a company can get back to being good at what you want to be good at. I don’t necessarily want to be that; I want a partner who’s going to do that on my behalf. And then I get the outcome of a more secure environment, a more aware environment, a better hardened infrastructure. So yes, we pay a lot of attention to it. Are we involved in counter hacking and anything else like that where, you know, we’re upgrading? No, that’s not our role. Our role is security operations. We’re defensively minded.

VAMOSI: A non-cybersecurity defense comes from regulation. The General Data Protection Regulation, or GDPR, for instance, or even CCPA in the US. I’m wondering if these regulations have helped to call out data protection and get companies to start thinking about where their data is stored and how it is managed, and if that has proven to be an overall benefit.

GRAY: Without a doubt. You brought up PCI before. I remember when what would become the PCI Council came before the National Retail Federation in the United States and said, you’re going to do all this stuff to secure credit cards, and everyone laughed at them and said, we can take checks. And then a year or two later, no one had a checkbook anymore. And suddenly everyone’s listening to these people. The same thing has gone on about security. We’ve kind of come full circle. And now data is the element. It’s not that we’re not client server. We’re not necessarily mainframe, you know, none of these models. We’re pushing this back down to where data is the element that matters. And as a result of that, understanding the basic blocking and tackling from a security perspective, which is: what are my assets, where do they reside? What are they used for? How are they transmitted? Where’s their weakness in the process? How do I handle them? Yes, this is a conversation that has always been something we struggle with. But privacy, which is enabled by security but which is not security in and of itself, is becoming a massive driver, especially with the fines that are associated with it, and pushing increased awareness on this, because people want to, well, yes, but also because they have to. I mean, you can take a look at the fines that have been passed from a global perspective. And I mean it’s no joke. Billions of dollars of strife is playing in here that people are starting to see. So it’s absolutely driving this. And when you realize that someone, I forget who it was, said that by 2024, 75% of the worldwide population will be protected by some sort of modern privacy regulation, this is not going away. This is blowing up. And I do remember that 75% of the countries already have some sort of data localization mandate in place, which means you have to know where your data goes. So it’s not optional. 
The privacy laws and everything that’s pushing this out, it’s a requirement now, and it will drive better security, because again, if you don’t know where the gold is, then every place is Fort Knox. It’s just kind of what it is, and we’re trying to constrain, go apply controls for security and privacy in an effective manner, and all this, and that involves minimizing your landscape as much as possible, so you can do it well.

VAMOSI: The point is, other countries and regions have data protection laws, the United States doesn’t have a national data security law.

GRAY: Well, boy, you can’t say that. And you can’t say that holistically. A lot of the United States is still very much sectoral; our privacy rules are industry specific, if you will. You go back and look at HIPAA and things of that nature, where those have been around forever, and what the privacy rules are. But for the first time, effectively, we’ve got a lot of things like the American Data Privacy and Protection Act, ADPPA. It has not yet been passed, but it’s on the board. This is a federal data privacy law. You’ve got, and you got flips, I mean, you used to have COPPA, which is, you know, the children. Now you’ve got KOSA, which restricts what kids can see, and kind of the COPPA 2.0, the Children and Teens Online Privacy Protection Act, which protects what people can do with that data. So we’re seeing federal rollout or consideration of laws at a level that we’ve never really seen before. And then when you get down into the state levels, I mean, 10% of the states, they’re saying, are going to be covered by privacy laws for sure in 2023. And they’re evolving things out. I mean, you talked about the CCPA. It was kind of the first GDPR-ish, European model privacy law in the United States, but Washington came back with a counter argument in the Washington Privacy Act, which hasn’t passed yet. But a whole bunch of other states turned around, looked at that and said, I like that framework. Let me grab it and modify it. So right now, you’ve got CCPA, you’ve got Maryland, you’ve got Virginia, you’ve got Colorado, you’ve got Connecticut, you’ve got Utah, you’ve got all these different laws that are in place now. That’s not necessarily a good thing, because that means we’re back to conflicting regulations and who you have to report to and what you have to do. In my past, 
I had a privacy breach and I had to notify all 50 states, because there’s no way to, when I didn’t necessarily know the retail company, I didn’t necessarily know who was where and why. So I had to notify all, and you have to pick the high watermark and press it out that way, because otherwise it’s more expensive to do the piecemeal coverage than it would be just to treat things one way. An interesting thing that we’re seeing now, though, is privacy splitting. It’s not just about my virtual data, if you will. Another big one that’s popping up right now is biometrics privacy. You’ve got Texas, Illinois, Maryland, Washington, all these places are now saying my fingerprints, my retinal scans, all this kind of stuff is every bit as critical information as anything else. And some of these places don’t have any legislation with regards to basic privacy requirements, but they do address biometrics. So we’ve got a lot of laws that are in various stages of the process. Again, that terror point for me: GDPR came out and everyone kind of said, okay, that’s the law. And we’re seeing in Europe now where localized laws are superseding GDPR; they can’t necessarily make it weaker, but they can make it tougher. And that is indicative of how quickly the cyber landscape changes. A law that just came out was written two years ago, and the world has evolved since then. So this thing may already be a couple of years behind. And then it’s just going to continuously iterate. And if you’ve dealt with very many people who’ve attempted to become compliant with GDPR, or the cross border data transfers, you know some of the stuff that’s coming out now for the EU and the US, data adequacy laws and all that. It’s really hard for companies to get good, because the targets move before they’ve even been fully put on the board.

GRAY: If you look back at it, it’s kind of amusing to ask the question. If you go back far enough to the Rainbow Series, that had different defenses to use when it was a mainframe based world. Stop for a second and consider your question about data. That was a data security model 60 years ago, and we’re coming back to it. So we’ve been here before, we walked this ground; it’s just evolving our tools. 

VAMOSI: I’d like to thank Chris Gray for coming on the show and talking about the benefits of a virtual SOC and the need for cyber insurance, among other things. Small to Medium businesses are, today, the target. And they lack the defenses that larger organizations have had years to develop. Fortunately there are ways to distribute those defenses. 

*** This is a Security Bloggers Network syndicated blog from Latest blog posts authored by Robert Vamosi. Read the original post at: https://forallsecure.com/blog/the-hacker-mind-podcast-should-smbs-have-cyber-insurance